Two-Party Attribute-Based Key Agreement Protocol with Constant-Size Ciphertext and Key

1 College of Mathematics and Informatics, Fujian Normal University, Fuzhou 350117, Fujian, China
2 College of Computer and Information, Hohai University, Nanjing 211100, Jiangsu, China
3 Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing University of Posts and Telecommunications, China
4 Mathematics and Computer Science Department, Gannan Normal University, Ganzhou 341000, Jiangxi, China


Introduction
Key agreement (KA) protocol is an important component in cryptography. By establishing a session key, a KA protocol provides the security services of confidentiality, integrity, and availability for open communication between network nodes. Recently, the two-party attribute-based key agreement protocol (TP-AB-KA) was first proposed in [1]. In a TP-AB-KA protocol, attribute-based encryption (ABE) is adopted for exchanging secret messages between the two participants. This kind of protocol negotiates a session key based on mutual authentication of the participants' attribute information. Sahai and Waters [2] first proposed ABE, which was used for fine-grained access control in cloud storage. A user's identity is determined by his/her attributes. ABE is often applied in one-to-many encryption situations, where data encrypted under a certain attribute policy is correctly decrypted by any user whose attributes satisfy that access structure. TP-AB-KA protocols inherit the advantages of ABE schemes, such as using attributes to describe a user and thereby protecting the user's identity. This also enables TP-AB-KA protocols to meet the needs of specific application scenarios where the participants' attributes act as the critical factor for mutual authentication.
For example, in an electronic project review system, a reviewer wants to make inquiries of some bidders. Suppose there are  attribute characters in this scene. The role information is described with a certain attribute sequence < . . ., *  , * +1 , . . .>, which includes  elements in total. The subscripts ,  + 1 stand for the corresponding locations in the sequence, where we use the  location to denote the "reviewer" role and the  + 1 location to denote the "bidder" role. If a role  1 is a reviewer, its attribute sequence is instantiated with < . . ., 0  , 1 +1 , . . .>, where "0" shows "having" a certain attribute character and "1" shows "not having" it. So < . . ., 0  , 1 +1 , . . .> shows that  1 is a reviewer and not a bidder.  1 obtains the corresponding private key generated by the trusted authority (TA) according to  1 's attribute sequence. In the same way, the authentication policy based on attributes is also described in this form. For instance, there are some qualifications for bidders, such as ": more than 2 grade enterprise qualification", ": more than 10 years warranty", etc. Those qualifications are written in sequence form, that is, < . . ., *  , * +1 , . . .> ( ̸ = ). The ,  + 1 locations stand for the  and  qualifications, respectively. If  1 wants to talk with a bidder with the  and  qualifications,  1 gives out the corresponding authentication policy   =< . . ., 0  , 0 +1 , . . .>. The two "0" entries show having the  and  qualifications together.

Security and Communication Networks
Based on the above attribute description, the inquiry procedure of the electronic review system is done as follows. Before voting, the reviewers need to make inquiries of some related bidders without revealing their real identities. Suppose that a reviewer  1 with attribute sequence < . . ., 0  , 1 +1 , . . .> wants to inquire of bidders such as  2 with the ": more than 2 grade enterprise qualification" and ": more than 10 years warranty" qualifications. If  2 satisfies   and  1 satisfies  ReV =< . . ., 0  , 1 +1 , . . .> specified by  2 , then  1 can negotiate a session key with  2 to achieve secure communication by using a TP-AB-KA protocol.
With the increasing popularity and application of mobile devices, more and more applications are migrating from PCs to mobile devices such as smartphones. The above example also occurs in the mobile environment. Since most mobile devices are resource constrained, it is all the more important to improve the performance of TP-AB-KA protocols by reducing computation cost and communication cost. However, the existing TP-AB-KA protocols do not perform well, because the length of the ciphertext and the key grows linearly with the number of related attributes.
1.1. Our Motivation and Contribution
An ABE scheme offers fine-grained data access control, which can be applied well to many scenes where KA protocols are used. As shown in the above example, an ABE scheme is adopted for attribute authentication between the participants in the protocol without revealing their identities. More and more KA protocols introduce ABE schemes to construct TP-AB-KA protocols. However, the length of the key and the ciphertext in those TP-AB-KA protocols grows linearly with the number of attributes that the participants own or that are embedded in the access policies. Obviously, those TP-AB-KA protocols are unfit for lightweight applications. For example, mobile devices have become the primary devices in the open cloud setting; they are resource constrained and require protocols with high performance. In order to solve the above problem, we first propose a two-party attribute-based key agreement protocol with constant-size ciphertext and key based on the CP-ABE scheme [3].
Our protocol adopts an AND-gate access structure based on the whole attribute universe. A polynomial function  ⇀ (, ⋅) embedded in the exponent of a group element is defined to express the attribute character of one participant.
One factor  +  1 () in  ⇀ (, ⋅) is a secret value that reflects the th attribute of the participant, where  1 (⋅) is a hash function. The polynomial function  ⇀ (, ⋅) = ∏ ∉Ω ( +  1 ()) is used to describe all attributes of the participant, where Ω is the index set of the corresponding items in the attribute sequence. Similarly, a data access policy is also described with a polynomial function. When  in  ⇀ (, ⋅) is substituted with the master key of the trusted authority (TA), the polynomial function  ⇀ (, ⋅) is computed into a constant-size value, from which both the key and the ciphertext in our protocol are calculated as values whose size is independent of the number of corresponding attributes. By using this method, we generate the constant-size key and ciphertext.
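As an added illustration (not code from the paper or its authors) of the 0/1 attribute-sequence convention in the review-system example above and of the aggregation polynomial P(γ, ·) = ∏_{i∉Ω}(γ + H1(a_i)), the following Python models both with toy values. SHA-256 as H1, a 127-bit toy modulus, the constructed four-attribute universe and the master key are all assumptions; `eval_from_powers` shows the algebraic identity that lets such a product be evaluated from the powers γ^0..γ^d alone, which is the standard aggregation trick behind constant-size values in the exponent and is not spelled out on this page.

```python
import hashlib
from functools import reduce

# Toy modulus standing in for the 160-bit prime group order p of the paper's
# a-curve (assumption: a real run uses the pairing group's actual order).
P = (1 << 127) - 1

HAVE, LACK, ANY = "0", "1", "*"  # page convention: 0 = having, 1 = not having, * = don't care

def h1(attr: str) -> int:
    """H1: hash an attribute name into Z_p (SHA-256 is an assumed instantiation)."""
    return int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % P

def omega(seq: str) -> set:
    """Omega: index set of the positions a participant's sequence marks as 'having'."""
    return {i for i, c in enumerate(seq) if c == HAVE}

def satisfies(policy: str, seq: str) -> bool:
    """AND-gate over the whole universe: every fixed position of the policy
    (0 = must have, 1 = must not have) has to match the participant's sequence."""
    if len(policy) != len(seq):
        raise ValueError("policy and attribute sequence must span the same universe")
    return all(pc == ANY or pc == sc for pc, sc in zip(policy, seq))

def roots_for(universe: list, seq: str) -> list:
    """The values H1(a_i) for i not in Omega: one factor (gamma + H1(a_i)) each."""
    om = omega(seq)
    return [h1(a) for i, a in enumerate(universe) if i not in om]

def eval_product(gamma: int, roots: list) -> int:
    """P(gamma, .) = prod_{i not in Omega} (gamma + H1(a_i)) mod p.
    The result is one field element no matter how many factors went in."""
    return reduce(lambda acc, r: acc * (gamma + r) % P, roots, 1)

def poly_coeffs(roots: list) -> list:
    """Coefficients c_0..c_d of prod (x + r_i), lowest degree first."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):
            nxt[k] = (nxt[k] + c * r) % P      # c_k * r contributes to x^k
            nxt[k + 1] = (nxt[k + 1] + c) % P  # c_k * x contributes to x^(k+1)
        coeffs = nxt
    return coeffs

def eval_from_powers(powers: list, coeffs: list) -> int:
    """sum_k c_k * gamma^k using only gamma^0..gamma^d: the identity that lets the
    same value be formed from public terms g^(gamma^k) without knowing gamma."""
    if len(powers) < len(coeffs):
        raise ValueError("need gamma^0..gamma^d for a degree-d polynomial")
    return sum(c * g for c, g in zip(coeffs, powers)) % P

# Constructed sample: the paper's review-system scene over a universe of 4 attribute characters.
UNIVERSE = ["reviewer", "bidder", "grade-2 enterprise qualification", "10-year warranty"]
U1_SEQ = "0111"          # U1: reviewer, not bidder, holds neither qualification
U2_SEQ = "1000"          # U2: bidder holding both qualifications
POLICY_A = "**00"        # proposed by U1: the partner must hold both qualifications
POLICY_REV = "01**"      # proposed by U2: the partner must be a reviewer and not a bidder
MASTER_KEY = 0x1234567   # constructed toy gamma, known only to the TA

def demo() -> tuple:
    """Returns (mutual policies satisfied, U1's aggregate value, degree of U1's polynomial)."""
    mutual = satisfies(POLICY_A, U2_SEQ) and satisfies(POLICY_REV, U1_SEQ)
    roots = roots_for(UNIVERSE, U1_SEQ)
    return mutual, eval_product(MASTER_KEY, roots), len(roots)
```

Whatever the number of attributes in the universe, `eval_product` returns a single element of Z_p, which is the constant-size property the paper relies on.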
The proposed protocol is proved secure in the AB-BJM model [4] under the augmented multisequence of exponents decisional Diffie-Hellman (aMSE-DDH) assumption [5] in the standard model. The public key parameters and the specific oracle queries S(⋅), C(⋅), ReVeal(⋅) are simulated successfully. The challenge instance of the aMSE-DDH assumption is embedded in the communication ciphertexts. Compared with the existing TP-AB-KA protocols, our protocol's computation and communication costs are largely reduced. The constant-size key and ciphertext improve the implementation efficiency and make our protocol more suitable for lightweight applications.

Organization.
The related work is introduced in Section 2. The preliminaries are introduced in Section 3. In Section 4, a TP-AB-KA protocol is proposed. The TP-AB-KA protocol is proved to be secure in Section 5. Subsequently, we give the performance comparison between the protocol in [4] and our protocol in Section 6. We conclude our paper in Section 7.

Related Work
The key agreement (KA) protocol is used to establish secure communication between two or more parties and to authenticate entities in an open environment. With the emergence of identity-based cryptography, Smart [6] presented the first two-party identity-based key agreement protocol (ID-KA), which adopted the IBE scheme [7]. Since then, many ID-KA protocols have successively been put forward [1, 8-11]. Those ID-KA protocols were proved secure in various models, such as the BJM model [12], the BR4 model, the CK model, etc. Huang and Cao [13] provided the first ID-AK protocol which is provably secure in the eCK model [14]. Based on the BJM model [12], Chen et al. [9] proposed the ID-BJM model and constructed identity-based key agreement protocols. In order to implement fine-grained access control, session keys are negotiated based on mutual authentication of the participants' attribute information, and many attribute-based key agreement (AB-KA) protocols [15-20] have been presented. In AB-KA protocols, attribute-based encryption (ABE) plays an important role in protecting the secret messages used to generate session keys. ABE [21] is mainly divided into two categories called ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, the data owner chooses an access structure on attributes and encrypts data with the corresponding attribute public key. The access structure is embedded in the ciphertext, while the secret key is produced according to the attribute set of the data user. If the attributes held by a user satisfy the access structure embedded in the ciphertext, then he/she can decrypt that ciphertext [22]. The KP-ABE scheme is the inverse: the encryptor selects descriptive attributes to encrypt data. Recently, Li et al. [23, 24] presented two CP-ABE schemes with efficient attribute revocation, which resist the user collusion attack and support fine-grained access control. There are some privacy-preserving decentralized CP-ABE schemes [25-27], in which the size of the ciphertext grows linearly with the number of attributes embedded in the access policy. In order to improve efficiency, Emura et al. [28] presented a CP-ABE scheme with constant ciphertext size. Many ABE schemes [29-38] were presented in various application domains, such as ABE with outsourced data decryption [29, 30, 37], ABE with efficient attribute revocation [31], ABE with full verifiability [30], ABE with keyword search function [29, 31], traceable ABE [32, 33], ABE with leakage resilience [34-36], auditable ABE [38], etc. In order to solve the key escrow problem, Li et al. [39, 40] presented two certificate-based encryption schemes with leakage resilience. ABE schemes have wide application in cloud storage [41, 42], mobile social networks [43] and the smart grid [44]. The original AB-AK protocol [1] gave a secret handshake mechanism based on attributes. Later, many AB-KA protocols [15-20] were presented. Wang et al. [18] presented a variant of the AB-KA protocol based on an ABE scheme, but this protocol did not realize mutual authentication on the basis of the participants' attributes. Yoneyama [20] put forward a two-round AB-KA protocol by using a design technique of the NAXOS protocol and gave the security proof in the modified eCK model. Recently, Wei et al. [4] proposed an AB-KA protocol which is proved secure in the modified BJM model under the decisional bilinear Diffie-Hellman assumption in the standard model. But the length of the communication messages and the decryption key in [4] increases linearly with the number of attributes and is unsuitable for resource-constrained applications.

Preliminaries
3.1. Access Structure
Suppose that  = { 1 ,  2 , . . .,   } includes the  attributes in our system. An access structure is a nonempty subset A ⊆ 2^{{ 1 ,  2 , . . .,   }} \ {⌀}. In particular, a collection A is monotone if . If a user holds a set in A, then he/she is authorized to access some resources.

Bilinear Maps.
G, G T are two multiplicative cyclic groups of prime order .  is the generator of G and  is a bilinear map  : G × G → G T . The bilinear map  satisfies the following properties: (1) Bilinearity: for all ,  ∈ Z  , (  ,   ) = (, )  .
Trusted authority (TA)
Figure 1: System model of our TP-AB-KA protocol.
[5]. The aMSE-DDH assumption is defined as follows. Let Γ = {G 1 , G 2 , G T , , } be the pairing group, and let  → (),  →  () be coprime polynomials. Let  0 , ℏ 0 be the generators of G 1 , G 2 , respectively.  is a random element of Z  and  is selected  and , then we claim that the aMSE-DDH assumption holds with the advantage

aMSE-DDH Assumption
where  is a negligible function.
( Re ,  Re ) →  ≫Re ,  Re≫ . This is an interactive procedure. Firstly,  sends  Re to Re and Re sends  Re to , respectively. Secondly,  decrypts  Re and Re decrypts  Re by using the  algorithm, respectively. Thirdly,  and Re compute the session keys  ≫Re and  Re≫ , respectively, where  ≫Re =  Re≫ .
[4]. We employ the attribute-based BJM model to prove the security of our TP-AB-KA protocol. There are many protocol participants, which are all formalized as oracles. An attacker Ã can access those oracles by issuing some specified queries: S(⋅), C(⋅), ReVeal(⋅). An oracle Π   1 , 2 represents the -th instance of a participant  1 involved with another participant  2 in a session.  1 ,  2 have the corresponding attribute sequences and private keys, respectively. Some key messages in the AB-KA protocol are encrypted or decrypted based on a certain kind of ABE scheme.

AB-BJM Model
The security of the protocol ∏ is described via a game with two phases.
(1) The First Phase. Ã is allowed to launch the queries below in any order.
does not exist, it is created as an initiator if  = (the security parameter), or as a responder otherwise.
(2) The Second Phase. Once Ã finishes the first-phase work, it begins the second phase by selecting a fresh oracle Π  , which has matched a conversation to

TP-AB-KA Protocol
A TP-AB-KA protocol with constant-size key and ciphertext is first given in this paper. We embed the ABE scheme [3] into the key agreement protocol. The two parties in our protocol agree on the session key based on the exchanged secret messages. Suppose that two participants  1 ,  2 encrypt their own secret messages into ciphertexts according to the access policies proposed by each other, respectively.  1 acts as the initiator and  2 acts as the responder. So long as the attributes of  1 ,  2 satisfy the mutual access policies, they can obtain the partner's secret message, respectively.  1 ,  2 use the corresponding secret messages to calculate the same session key. The protocol is shown in Figure 2. Our TP-AB-KA protocol includes three stages: ,  and ℎ. The concrete construction is described below.

Security Analysis
Theorem 3. Provided that the augmented multisequence of exponents decisional Diffie-Hellman (aMSE-DDH) assumption [5] holds, our TP-AB-KA protocol is secure in the AB-BJM model. In detail, if there is an adversary Ã who attacks our protocol successfully with advantage  under the condition involving   participants and   sessions, a simulator B can be constructed to solve the aMSE-DDH problem with advantage /( 2  ⋅   ).
Proof. Suppose an adversary Ã involves   participants in the protocol and establishes   sessions. B chooses  * ∈ (0,  ) and two participants  1 ,  2 arbitrarily. B guesses that Ã launches the T(⋅) query to the participant Π  *  1 , 2 . Ã provides the access policies . .   > where    = 0 denotes "having the th attribute value" and    = 1 denotes "not having the th attribute value".
, ℏ  0 ,  >. B receives the challenge (, , G, G T ,  → , ( 0 , ℏ 0 ) f() , , f(), θ(), Ã *  1 , 2 ) and the task of B is to differentiate ( 0 , ℏ 0 ) f() from . B implicitly sets  as the master key which is used in the aMSE-DDH challenge instance. B simulates the public parameters as below. B randomly chooses  1 ,  2 ∈ Z  and implicitly sets   is not the protocol participant guessed by B during the initialization phase, then B terminates the simulation. Otherwise, B returns the session key or the matched protocol participants having sessions with participant Π   1 , 2 have not been issued the T(⋅) query, B terminates the simulation. Otherwise, B returns the corresponding session key value by accessing the query list  .
Output. When Ã completes all queries in Phase 1, Ã continues to issue the three queries C(⋅), ReVeal(⋅), S(⋅), which are not allowed to break the freshness of the participants receiving the test query. Once Ã decides to finish querying, Ã outputs a bit   as its guess about the session key, which B uses to distinguish ( 0 , ℏ 0 )  f() from .
Analysis. In the whole simulation process, the simulator B does not terminate the simulation with probability at least 1/( 2  ⋅  ). When the simulation of B is not terminated, Ã cannot distinguish the security game simulated by B from the real security game. Therefore, if the guessing advantage of Ã is , then the guessing advantage of B in the simulated security game is /( 2  ⋅   ). If  = ( 0 , ℏ 0 )  f() , the security game simulated by B is perfect. We get |Pr
Besides, we suppose there exists a benign adversary Ã who faithfully conveys messages. If  1 ,  2 execute the protocol faithfully, they correctly receive messages from each other. Therefore, the two participants finally calculate the same session key, distributed uniformly over the key space. So it satisfies the condition shown in Definition 2 (1).

Efficiency Analysis
6.1. Theoretical Analysis
We give a performance comparison between the attribute-based key agreement protocol in [4] and our protocol. Some symbols are defined as follows:   denotes the number of attributes involved in the system. Ó   is the number of related attributes in the private key. The comparison of computation cost is given in Table 1.
Our protocol has better performance in the  algorithm than that of [34]. The comparison of communication cost is given in Table 2.
In the protocols, we denote by | Ã *  1 , 2 | the length of all data access structures, which is assumed to be 16 bits for every protocol. If Ó   ≥ 3, our protocol has lower communication cost than that of [4].

Experimental Simulation.
We conduct a simulation experiment on a Windows 7 system with an Intel(R) Core(TM) i7 CPU at 2.3 GHz and 4 GB RAM. The protocol is implemented by using the Pairing-Based Cryptography (PBC) library [45]. We use a symmetric elliptic curve (a-curve), where the base field size is 512 bits. The a-curve has a 160-bit group order, i.e.,  is a 160-bit prime.
To compare the above protocols in actual operation, we run each protocol ten times and compute the average values. We code all the algorithms in the C language under the default condition that each protocol contains   100 attributes in total, 50 attributes in the access policy, and 50 attributes in the participants' attribute set. The running results are shown in Figure 3, from which we find that the computation performance of our protocol is better than that of the protocol in [4] overall. From Figure 4, our protocol has an obvious advantage in communication performance if the number of attributes in the data access structure is bigger than 3 (the demarcation point). Our protocol is more practical in resource-constrained smart media and mobile environments.
The theoretical analysis and the simulation results are consistent, and our protocol achieves high performance with good properties.

Conclusion
Compared with the protocol in [4], our protocol has advantages in security and efficiency. The constant-size key and ciphertext make our protocol more suitable for lightweight applications. We design the key agreement protocol between two principals based on attribute-based encryption. We prove its security under the AB-BJM model in the standard model. Our protocol has better computation and communication performance than the existing protocols. Future research will try to weaken the security assumption that the attacker is passive in the AB-BJM model; namely, an attacker should not have to execute the protocol faithfully to provide the messages that satisfy the requirements of the honest participant in a run of the protocol. Such a scene is closer to the real environment. In addition, it is an interesting topic to research the relation between ABE and broadcast encryption [46, 47].

U 1 , U 2 ). Ã initiates a session or sends messages to the participants. On receiving the message , oracle Π   1 , 2 implements the protocol and responds with an outgoing message m, or a decision to indicate accepting or rejecting the session. If Π   1 , 2

Ó G T , Ó  G are the exponentiation operation times on an element in group G T and in group G, respectively. Ó  is the pairing operation time. Ó   is the number of related attributes in the data access policy.

Figure 3: Running time of each algorithm in both protocols.

Figure 4: Communication costs of both protocols.
This algorithm takes as input a security parameter  and outputs the master secret key  and the public parameters . () →  1 . This algorithm is implemented by the trusted authority (TA). It takes as input the attribute sequence  of a participant  and outputs 's private key  1 . Similarly, for another participant Re with the attribute sequence Re, TA outputs his/her private key  2 by calling the  algorithm. ( Re≥ ,   ) →  Re . This algorithm takes as input the plaintext   and the data access policy  Re≥ , which is proposed by  and which the attributes of the participant Re can satisfy. This algorithm outputs the ciphertext  Re according to  Re≥ . Similarly, Re selects a data access policy  ≥ which 's attributes can satisfy and encrypts the plaintext  Re into the ciphertext  Re according to  ≥ by calling this algorithm. ( Re ,  1 ) →   . This algorithm takes as input the ciphertext  Re and 's private key  1 and outputs the message   . By calling this algorithm, Re decrypts  Re into  Re by using the private key  2 .
TP-AB-KA Protocol. We give a two-party attribute-based key agreement (TP-AB-KA) protocol. There are three roles: the trusted authority (TA) and two participants (initiator  and responder Re). TA is a trusted role who monitors the participants' attributes and issues private keys for them. The two participants,  and Re, make the key agreement as in Figure 1. () → , .
2 is fresh, B randomly chooses  ∈ {0, 1}. It responds with the session key if  = 0; otherwise, with a random sample from the distribution of the session keys. Ã continues to query the oracles except that it does not reveal the test oracle Π  and does not corrupt the participant  2 . At last the adversary outputs a guess   for . If  =   , we claim that the adversary wins. The advantage of the adversary is defined as V Ã() = max{0, Pr [ Ã ] − 1/2}. A secure key agreement protocol ∏ is defined as below.
Definition 2. Protocol ∏ is a secure key agreement protocol if (1) when the adversary faithfully conveys messages, both Π  are always accepted and hold the same session key, which is distributed uniformly on {0, 1}  ; and (2) V Ã() is negligible.

Table 1: The comparison of computation cost.

Table 2: The comparison of communication cost.