AN ENHANCED APPROACH FOR CP-ABE WITH PROXY RE-ENCRYPTION IN IOT PARADIGM



INTRODUCTION
In this IoT era, encryption techniques play a vital role in achieving security and confidentiality. In a conventional symmetric-key encryption scheme, the sender and receiver possess the same key for communication, so if one of the users is compromised, the entire scheme is compromised. To resolve this problem, [1] proposed the public-key (asymmetric-key) encryption scheme, in which the receiver gives his/her public key to the sender for encryption of the message, so that only the receiver is able to decrypt it. However, this scheme does not support efficient multicast, because a multicast sender has to encrypt the message as many times as there are receivers. Another problem is that the sender is required to remember the public key of the receiver. To overcome this, the authors of [2] proposed Identity-based Encryption (IBE), in which the sender encrypts the message based on the receiver's unique id, such as an SSN or email id. But this scheme also does not support multicast; so in [3], the authors proposed the Fuzzy IBE system, in which a user with id X is able to decrypt a ciphertext intended for X' if and only if |X − X'| > , where  is the initial threshold value.
In later research, the idea of IBE was generalized to solve the computation overhead during multicast; the result is called Attribute-based Encryption (ABE). ABE is classified into two variants: Key Policy Attribute-based Encryption (KP-ABE) [4] and Ciphertext Policy Attribute-based Encryption (CP-ABE) [5]. As the names suggest, in KP-ABE the policy over attributes is attached to the secret key, whereas in CP-ABE the policy over attributes is attached to the ciphertext. Thus, CP-ABE gives the sender more control in selecting the intended recipients. In this research, we focus on CP-ABE. In [5], the authors proposed a single-authority approach in which one authority generates the entire secret key of every user.
As the existing approaches rely on a single authority, they suffer from two issues: (i) key escrow, since the authority can regenerate the secret key on behalf of any user; and (ii) computation overhead on the authority, which must generate the entire secret key of all system users. To deal with these issues, in [6]-[10], the authors have proposed various approaches based on multi-authority systems. In IoT, this is helpful for designing decentralized infrastructures.
All the approaches mentioned so far require the sender to re-encrypt the same message for each different policy. This leads to computation overhead, which can be mitigated by proxy-based cloud systems. In proxy re-encryption, the proxy re-encrypts without any knowledge of the user's secret key. In [11]-[15], the authors have proposed various approaches to proxy-based re-encryption. In IoT, this is helpful for reducing the computation overhead on IoT devices.
All the approaches mentioned so far deal with variable-length ciphertext; i.e., the length of the ciphertext increases with the number of attributes. This leads to communication overhead as well as computation overhead on the receiver side. In the IoT paradigm, we require energy-efficient approaches that can run on the sensors deployed in the field. To deal with this issue, in [16]-[19], the authors have proposed approaches based on constant-length ciphertext. More details on these approaches are given in the next section.

Our Contribution
Amidst the above concerns, research points to the need for one system having all of these features. On the other side, the schemes reported in the literature [20]-[29] each give only one of the features. Thus, in this paper, we propose a collusion-resistant CP-ABE scheme that provides proxy re-encryption, making our scheme applicable in scenarios where the leaked decryption keys of compromised users can be traced and nullified. Our scheme works for the threshold case; i.e., the attributes in the ciphertext must be equal to a subset of the user's attributes in his/her secret key. We propose a new protocol to address this problem and show its efficiency compared to the existing protocols. The security of this protocol is based on the DBDH assumption, as is that of its predecessors.

Paper Organization
The rest of the paper is organized as follows. Section 2 deals with a literature review in this field. Section 3 deals with the hardness problems used for the security of the proposed work. Section 4 showcases the proposed work. Section 5 deals with the security and computation analysis. The conclusion and references are presented at the end.

LITERATURE REVIEW
In this section, we conduct a literature survey on the various approaches in CP-ABE.

Multi-authority
The original CP-ABE scheme [5] deals with a single-authority environment. A single-authority system requires complete trust in that one authority, so if the authority is compromised or behaves maliciously, then the entire system is compromised. In addition, it places computation overhead on the authority, which must generate the entire secret keys of all system users. To overcome these issues, in [6], the authors first proposed the idea of multi-authority systems. In a multi-authority system, there is one central authority (CA) and multiple attribute authorities (AAs). As we observed, this scheme requires mutual trust between the AAs, and the CA must be present to manage the attribute authorities and add new AAs. The CA is able to decrypt any ciphertext, which can harm the system. In [7]-[10], [30]-[31], the authors proposed different approaches to deal with the multi-authority system.

Proxy Re-encryption (PRE)
Proxy re-encryption is a technique in which an untrusted proxy server translates a ciphertext encrypted under Alice's public key into a ciphertext encrypted under Bob's public key. This can be useful in email forwarding applications. For PRE, Alice generates a PRE key, which she gives to the proxy, so there is no need to store it at the user side. The proxy can get no information about Alice's secret from the PRE key. Upon an incoming ciphertext, the proxy applies the PRE key to obtain the required ciphertext. In [32], the authors introduced the notion of PRE. In [33], the authors proposed a bidirectional PRE scheme. In [34], the authors proposed the first unidirectional PRE scheme. In [35], the authors proposed an IBE-PRE scheme which converts a ciphertext encrypted under Alice's identity to one encrypted under Bob's identity; their scheme is secure in the random oracle model. In [36], the authors proposed an IBE-PRE scheme in the standard model. In [37], the authors proposed the first AB-PRE scheme, which is bidirectional and based on a key-policy scheme. In [38], the authors proposed the first CP-ABE-PRE scheme. In [39], the authors proposed a variable-length CP-ABE-PRE scheme. In [40], the authors proposed a constant-ciphertext-length CP-ABE-PRE scheme, but it requires the same number of attributes in the policy as in the secret key. In [11]-[15], the authors have proposed various approaches for improving the existing schemes.
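The PRE flow described above, as an added example that is not part of the paper and not the paper's attribute-based scheme: a toy implementation of the classic ElGamal-based bidirectional PRE (the setting of [33]), in which Alice's ciphertext (m·g^r, pk_A^r) is translated by the proxy with rk = b/a mod q into (m·g^r, pk_B^r), so the proxy handles neither a plaintext nor a full secret key. The 128-bit safe-prime group, generator g = 4, function names and the sample message are all constructed for this example; the parameter size is a toy choice for speed, not a secure one.

```python
"""Toy bidirectional proxy re-encryption (PRE) in the ElGamal setting.

Added example, not code from the paper. The group size is a constructed toy
parameter (128-bit safe prime) chosen only so the demo runs quickly.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(bits: int = 128):
    """Return (p, q, g): safe prime p = 2q + 1 and g = 4, which has prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue, so ord(4) = q


def keygen(params):
    """Secret key sk in [1, q-1] and public key g^sk."""
    p, q, g = params
    sk = secrets.randbelow(q - 1) + 1
    return sk, pow(g, sk, p)


def encrypt(params, pk, m: int):
    """ElGamal-style ciphertext (m * g^r, pk^r); requires 0 < m < p."""
    p, q, g = params
    r = secrets.randbelow(q - 1) + 1
    return (m * pow(g, r, p)) % p, pow(pk, r, p)


def decrypt(params, sk, ct):
    """c2^(1/sk) = g^r, then m = c1 / g^r."""
    p, q, _ = params
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, q), p)
    return (c1 * pow(g_r, -1, p)) % p


def rkgen(params, sk_a, sk_b):
    """Re-encryption key rk_{A->B} = b / a mod q.

    Bidirectional: pow(rk, -1, q) also converts B -> A, and a proxy colluding
    with Bob recovers a from rk and b. That trust dependency is the reason
    unidirectional PRE schemes were developed.
    """
    _, q, _ = params
    return (sk_b * pow(sk_a, -1, q)) % q


def re_encrypt(params, rk, ct):
    """Proxy step: (g^{a r})^{b/a} = g^{b r}; no secret key or plaintext needed."""
    p, _, _ = params
    c1, c2 = ct
    return c1, pow(c2, rk, p)


def demo(message: bytes = b"forward me") -> tuple:
    """Encrypt for Alice, let the proxy re-encrypt for Bob, decrypt on both sides.

    Returns (alice_plaintext, bob_plaintext); both should equal `message`.
    """
    params = gen_params()
    sk_a, pk_a = keygen(params)
    sk_b, _ = keygen(params)
    m = int.from_bytes(message, "big")
    assert 0 < m < params[0], "toy group too small for this message"
    ct_a = encrypt(params, pk_a, m)
    rk = rkgen(params, sk_a, sk_b)       # produced by Alice (Bob's b is used here only for the demo)
    ct_b = re_encrypt(params, rk, ct_a)  # performed by the untrusted proxy
    out_a = decrypt(params, sk_a, ct_a).to_bytes(len(message), "big")
    out_b = decrypt(params, sk_b, ct_b).to_bytes(len(message), "big")
    return out_a, out_b


if __name__ == "__main__":
    print(demo())
```

The first ciphertext component never changes during re-encryption, which is what keeps the proxy from learning anything beyond the exponent relation b/a; the caveat in rkgen is the bidirectionality weakness that the unidirectional and attribute-based PRE schemes cited above were designed to remove.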

Ciphertext Length
All the approaches mentioned so far deal with the variable-length ciphertext approach; i.e., the length of the ciphertext increases with the number of attributes. This increases the computation overhead on the receiver due to the excess number of operations during decryption. In [41], the authors first introduced the concept of constant-length ciphertext using the (, ) threshold system. As mentioned, it requires the same set of attributes in the ciphertext as in the secret key for successful decryption. This makes the scheme of [41] usable only in limited scenarios. In [42], the authors proposed constant-length ciphertext in threshold ABE based on the dynamic threshold encryption scheme from [43]. In [16]-[19], the authors have proposed various schemes to improve constant-length ciphertext.
Based on our literature survey, schemes are available for either multi-authority or constant-length ciphertext. However, none of the approaches available in the research provides all features in a single scheme. In addition, using a different scheme for each feature can be an overhead on the system users. Thus, in this paper, we propose a single scheme that provides all these features.

PRELIMINARIES
In this section, we present the preliminaries as well as the hardness problems that will be utilized throughout the paper.

Bilinear Group
The security of the proposed system is based on the algebraic structure called a bilinear group, built on a bilinear map. As we use a bilinear map function for pairing operations, we adopt the Decisional Bilinear Diffie-Hellman (DBDH) hardness problem.
Definition 1 (Bilinear map). Consider cyclic multiplicative groups  1 ,  2 and  3 of prime order  with generators  1 ,  2 and  3 , respectively, as well as a deterministic bilinear map function :  1 ×  2 →  3 with the following requirements.
Definition 2 (Discrete Logarithm Problem (DLP)). Given two group elements  and ℎ, find an integer  ∈   such that ℎ =  , whenever such an integer exists.

Proposed Construction
The proposed scheme consists of a number of polynomial-time algorithms, described as follows.

Decrypt: It is run by the receiver to obtain the plaintext from the ciphertext if the access policy is satisfied; otherwise a random message is returned.

THE PROPOSED SCHEME
The proposed scheme consists of the following polynomial-time algorithms. The schematic diagram of the proposed scheme is given in Figure 1.

Keygen (MSK, u):
It is run by the CA to create the secret key (SK) for user u. L denotes the attributes' list. It follows from this algorithm that the CA is responsible only for the generic parameters, not for the attributes of the users. Thus, compromising the CA cannot compromise the system; i.e., the system is secure against key escrow. Also, due to the unique value in each user's secret key, the proposed scheme is secure against collusion attacks. As can be seen from the above steps, the final ciphertext has only five components, irrespective of the set of attributes. This achieves the constant-length ciphertext approach. If CT is a re-encrypted ciphertext, then the user follows the steps below:

ANALYSIS
As discussed, ABE has evolved from IBE. The security of ABE schemes is therefore typically modeled along the lines of the security of IBE schemes. The scheme we propose here is inspired by the one in [4], in which the authors first proposed a scheme for ABE. The scheme is described in a setup that involves a security game between an attacker and a challenger, along with a simulator.
The simulator generates the initial parameters and gives them to the challenger. Based on this security game, ABE schemes can broadly be categorized into two classes: selectively secure and fully secure.
In selectively secure schemes, the attacker announces the target policy ahead of the game, so that the simulator can bind the hardness of the problem to the attributes mentioned in the policy. In fully secure schemes, the attacker is not required to announce the target policy initially, as a sequence of games is played between the attacker and the challenger. Figure 2 depicts the security game between the challenger (CA+AAs) and the attacker.
As one can see, the attacker announces the target policy before seeing the public parameters, which makes the proposed scheme a selectively secure model.

Security Analysis
Theorem 1: The proposed scheme is secure under the DBDH assumption for message indistinguishability.
Proof: Assume that the adversary A gains the advantage  in the security game. Therefore, a simulator The challenger gives (,   ,   ,   , ) ∈  4  and re-computes SKL as follows: Therefore, SKL becomes a correct secret key as follows: , since  guesses  ′ = 1 when ′ ≠ . From case 1 and case 2, X has the following advantage in this DBDH game:

Performance Analysis
In this sub-section, we present a comparative analysis based on the size of various parameters in Table 1 as well as computation time in Table 2. In Table 1, "−" indicates that a particular parameter is not required. We assume that each authority is responsible for only one attribute. As one can see from Table 1, the proposed scheme supports constant-length ciphertext. In addition, from Table 2, one can see that the number of pairing operations also remains constant, owing to the constant-length ciphertext approach. In Table 3, we give a feature-based comparison of the proposed scheme against existing schemes. Our scheme

CONCLUSION AND FUTURE WORK
CP-ABE is an efficient technique for secure multicast. However, the basic CP-ABE scheme lacks several important features, such as constant ciphertext length. In the literature, authors have proposed different schemes for each of these features, but none of the schemes provides all of them. Thus, in this paper, we have proposed a scheme providing all-in-one features, which makes the proposed scheme applicable in more scenarios than its predecessors. In the future, one can extend the scheme with a proxy-based mechanism to make it suitable for cloud-based environments. One can also extend the proposed scheme to a constant-length secret key to reduce the complexity.


 Setup: It is run by the central authority (CA) to generate the private and public parameters of the system.
 Setup: It is run by the respective attribute authority (AA) to generate the parameters of that authority.
 KeyGen: It is run by the CA to generate part of the secret keys of the users. It consists of the following sub-algorithm.
   o RKGen: It is run by the user to generate the re-encryption key for the proxy servers.
 RequestAttributeSK: It is run by an AA to give the secret component corresponding to an attribute in the user's secret key.
 Encrypt: It is run by the sender to convert the plaintext into ciphertext based on the access policy. It consists of the following sub-algorithm.
   o ReEncrypt: It is run by the proxy server to convert a ciphertext from one policy to another policy.
×  1 to X. Now, A provides target policy  * * ] to X. X sets the parameter  = (

Table 1. Size of parameters for multi-authority ABE schemes.