A Ciphertext-Policy Attribute-Based Encryption Scheme Supporting Keyword Search Function

Changji Wang (1,2), Wentao Li (1), Yuan Li (1), and Xilei Xu (1)

(1) School of Information Science and Technology, Sun Yat-sen University, Guangzhou 510006, China
(2) Research Center of Software Technology for Information Service, South China Normal University, Guangzhou 501631, China

Cite this paper as: Wang C., Li W., Li Y., Xu X. (2013) A Ciphertext-Policy Attribute-Based Encryption Scheme Supporting Keyword Search Function. In: Wang G.

Abstract. With the advent of cloud computing, more and more individuals and companies are motivated to outsource their data and services to clouds. For privacy and security reasons, sensitive data should be encrypted prior to outsourcing. However, encrypted data hampers efficient query processing and fine-grained data sharing. In this paper, we propose a new cryptographic primitive called ciphertext-policy attribute-based encryption with keyword search function (KSF-CP-ABE) to solve both issues simultaneously. When a data owner wants to outsource sensitive data to the public cloud, he/she encrypts the sensitive data under an access policy and also builds a secure index for the set of keywords. Only authorized users whose credentials satisfy the access policy can retrieve this encrypted data through keyword search and decrypt the ciphertext. We also present a concrete KSF-CP-ABE construction from bilinear pairings and prove that the proposed KSF-CP-ABE scheme is secure against both outer attacks and inner attacks. What's more, the cloud service provider can perform a partial decryption task delegated by the data user.

Keywords: cloud computing, ciphertext-policy attribute-based encryption, public key encryption with keyword search, bilinear pairings.

1 Introduction

Cloud computing is a revolutionary computing paradigm which enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. Cloud computing attracts considerable attention from both academia and industry. Gartner forecasts the public cloud services market will grow 18.5% in 2013 to total $131 billion worldwide [2]. But there can be potential risks when relying on a third party to provide infrastructure, platform, or software as a service. The risks of data security and privacy remain significant barriers to cloud adoption for many enterprises.

G. Wang et al. (Eds.): CSS 2013, LNCS 8300, pp. 377–386, 2013. © Springer International Publishing Switzerland 2013


To protect data security and privacy, encryption technology seems like an obvious solution. However, encryption functionality alone is not sufficient, as data owners often also have to enforce fine-grained access control on the sensitive data they share. Traditional server-based access control methods are no longer suitable for the cloud computing scenario because the cloud server cannot be fully trusted by data owners. To address the problem of secure and fine-grained data sharing and decentralized access control, Sahai and Waters [3] first introduced the concept of attribute-based encryption (ABE) by extending identity-based encryption [4]. Compared with identity-based encryption, ABE has a significant advantage in that it achieves flexible one-to-many encryption instead of one-to-one. ABE has drawn extensive attention from both academia and industry: many ABE schemes have been proposed [5, 6, 7, 8, 9, 10, 11, 12] and several cloud-based secure systems using ABE schemes have been developed [13, 14, 15].

There are two types of ABE, depending on whether access policies are associated with private keys or with ciphertexts. In a KP-ABE system, ciphertexts are labeled by the sender with a set of descriptive attributes, while a user's private key, issued by the trusted attribute authority, captures a policy that specifies which type of ciphertexts the key can decrypt. In a CP-ABE system, when a sender encrypts a message, they specify in the ciphertext an access policy, expressed as an access structure over attributes, stating what kind of receivers will be able to decrypt the ciphertext. Users possess sets of attributes and obtain the corresponding secret attribute keys from the attribute authority. Such a user can decrypt a ciphertext if his/her attributes satisfy the access policy associated with the ciphertext. Thus, the CP-ABE mechanism is conceptually closer to the traditional role-based access control method.
Traditional data utilization services based on plaintext keyword search become difficult because the data are encrypted. Boneh et al. [16] proposed the concept of Public key Encryption with Keyword Search (PEKS) to address the problem of searching over encrypted data. Although PEKS schemes provide some approaches to search over encrypted data by keyword, they cannot support flexible access control policies on the encrypted data. In this paper, we integrate PEKS with CP-ABE and propose a new cryptographic primitive called ciphertext-policy attribute-based encryption with keyword search function (KSF-CP-ABE). When a data owner wants to outsource his/her sensitive data to the public cloud, he/she encrypts the sensitive data under an access policy and builds a corresponding secure index for the keywords. Only authorized users whose credentials satisfy the access policy can retrieve this encrypted data through keyword search and decrypt the ciphertext. We also present a concrete KSF-CP-ABE construction from bilinear pairings, which ensures security with fine-grained access control on shared sensitive data and provides a keyword search service for data users without leaking the privacy of their queries or breaking the confidentiality of the data contents. Moreover, the cloud service provider can perform a partial decryption task delegated by query users.


The rest of this paper is organized as follows. Some necessary preliminaries are introduced in Section 2. The syntax and security notions of the KSF-CP-ABE scheme are given in Section 3. A concrete KSF-CP-ABE construction and its analysis are described in Section 4. We conclude our work in Section 5.

2 Preliminary Works

We first introduce some notations. If $S$ is a set, then $x \in_R S$ denotes the operation of picking an element $x$ uniformly at random from $S$. Let $\Omega = \{attr_1, \ldots, attr_n\}$ be the universe of possible attributes, where each $attr_i$ denotes an attribute and $n$ is the total number of attributes. Let $\Lambda = \{kw_1, \ldots, kw_l\}$ be the universe of possible keywords, where each $kw_i$ denotes a keyword and $l$ is the total number of keywords.

2.1 Bilinear Pairings

Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$. Let $g$ be a generator of $G_1$. A bilinear pairing $\hat{e}: G_1 \times G_1 \to G_2$ satisfies the following properties:

– Bilinearity: For $a, b \in_R \mathbb{Z}_p$, we have $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$.
– Non-degeneracy: $\hat{e}(g, g) \neq 1$, where $1$ is the identity element of $G_2$.
– Computability: There is an efficient algorithm to compute $\hat{e}(u, v)$ for $u \in_R G_1$ and $v \in_R G_1$.

Decision q-parallel Bilinear Diffie-Hellman Exponent Assumption. Let $(p, G_1, G_2, g, \hat{e})$ be a description of the bilinear group of prime order $p$. The decision $q$-parallel bilinear Diffie-Hellman exponent assumption states that if the challenge value $R \in G_2$ and

$$
\vec{y} = \Big(\, g,\; g^s,\; g^a, \ldots, g^{(a^q)},\; g^{(a^{q+2})}, \ldots, g^{(a^{2q})},
$$
$$
\qquad g^{s \cdot b_j},\; g^{a/b_j}, \ldots, g^{(a^q/b_j)},\; g^{(a^{q+2}/b_j)}, \ldots, g^{(a^{2q}/b_j)} \quad \forall\, 1 \le j \le q,
$$
$$
\qquad g^{a \cdot s \cdot b_k/b_j}, \ldots, g^{(a^q \cdot s \cdot b_k/b_j)} \quad \forall\, 1 \le j \ne k \le q \,\Big)
$$

are given for unknown $a, s, b_1, \ldots, b_q \in_R \mathbb{Z}_p$, then there is no polynomial time algorithm $\mathcal{A}$ that can decide whether $\hat{e}(g, g)^{a^{q+1} s} = R$ with more than a negligible advantage [9].

2.2 Access Structure and Linear Secret Sharing Scheme

Let $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ be a set of parties and let $2^{\mathcal{P}}$ denote its power set. A collection $\mathbb{A} \subseteq 2^{\mathcal{P}}$ is monotone if for every $B$ and $C$, if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\mathcal{P}$, i.e. $\mathbb{A} \subseteq 2^{\mathcal{P}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.


Let $M_{\ell \times k}$ be an $\ell \times k$ matrix and $\rho: \{1, 2, \ldots, \ell\} \to \mathcal{P}$ be a function that maps a row to a party for labeling. A secret sharing scheme $\Pi$ for access structure $\mathbb{A}$ over a set of parties $\mathcal{P}$ is a linear secret sharing scheme (LSSS) in $\mathbb{Z}_p$ and is represented by $(M_{\ell \times k}, \rho)$ if it consists of two efficient algorithms:

– $\mathrm{Share}((M_{\ell \times k}, \rho), s)$: The share algorithm takes as input $s \in \mathbb{Z}_p$, which is to be shared. The dealer randomly chooses $\beta_2, \ldots, \beta_k \in_R \mathbb{Z}_p$ and defines $\vec{\beta} = (s, \beta_2, \ldots, \beta_k)$. It outputs $M_{\ell \times k} \cdot \vec{\beta}$ as the vector of $\ell$ shares. The share $\lambda_i = \langle M_i, \vec{\beta} \rangle$ belongs to party $\rho(i)$, where $M_i$ is the $i$-th row of $M_{\ell \times k}$.
– $\mathrm{Recon}((M_{\ell \times k}, \rho), S)$: The reconstruction algorithm takes as input an authorized set $S \in \mathbb{A}$. Let $I = \{i \mid \rho(i) \in S\}$. It outputs a set of constants $\{\mu_i\}_{i \in I}$ such that $\sum_{i \in I} \mu_i \cdot \lambda_i = s$.

In our context, the role of the parties is taken by the attributes. Thus, the access structure $\mathbb{A}$ will contain the authorized sets of attributes. As in most of the relevant literature [5, 6, 7], we restrict ourselves to monotone access structures.
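As an added illustration of the Share and Recon algorithms above (example code, not from the paper), the following Python implements an LSSS over $\mathbb{Z}_p$ for an arbitrary matrix $(M, \rho)$. Share computes $\lambda_i = \langle M_i, \vec\beta \rangle$; Recon finds the constants $\{\mu_i\}_{i \in I}$ by solving $\sum_{i \in I} \mu_i M_i = (1, 0, \ldots, 0)$ over $\mathbb{Z}_p$ with Gauss-Jordan elimination, and returns nothing when that system is inconsistent, which is exactly the case of an unauthorized set. The prime, the policy matrix for $(A \wedge B) \vee C$ and the party labels are constructed for the example.

```python
"""Linear secret sharing (Share / Recon) over Z_p for an LSSS matrix (M, rho).

Added example; it is not the paper's code. The prime P, the policy matrix
and the party labels below are constructed for illustration.
"""
import secrets

P = 2**127 - 1  # constructed prime modulus; any prime p works


def share(M, rho, s, p=P):
    """Share((M, rho), s): pick beta = (s, beta_2, ..., beta_k) at random and
    return the shares lambda_i = <M_i, beta>, one per row i (row i -> party rho[i])."""
    k = len(M[0])
    beta = [s % p] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [sum(m * b for m, b in zip(row, beta)) % p for row in M]


def solve_mod_p(A, b, p=P):
    """Solve A.x = b over Z_p by Gauss-Jordan elimination (A is n x m).
    Returns one solution (free variables set to 0) or None if inconsistent."""
    n, m = len(A), len(A[0])
    aug = [[A[r][c] % p for c in range(m)] + [b[r] % p] for r in range(n)]
    pivots, r = [], 0
    for c in range(m):
        if r == n:
            break
        piv = next((i for i in range(r, n) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append((r, c))
        r += 1
    if any(aug[i][m] for i in range(r, n)):  # a row reads 0 = nonzero: no solution
        return None
    x = [0] * m
    for pr, pc in pivots:
        x[pc] = aug[pr][m]
    return x


def recon_coefficients(M, rho, S, p=P):
    """Recon((M, rho), S): constants {mu_i}_{i in I}, I = {i | rho(i) in S}, with
    sum_i mu_i * M_i = (1, 0, ..., 0). Returns None when S is unauthorized."""
    I = [i for i in range(len(M)) if rho[i] in S]
    if not I:
        return None
    k = len(M[0])
    # One equation per column j: sum_{i in I} mu_i * M[i][j] = [j == 0].
    A = [[M[i][j] for i in I] for j in range(k)]
    mu = solve_mod_p(A, [1] + [0] * (k - 1), p)
    return None if mu is None else dict(zip(I, mu))


def recon(M, rho, S, shares, p=P):
    """Recover s = sum_i mu_i * lambda_i from the shares of the parties in S, or None."""
    mu = recon_coefficients(M, rho, S, p)
    if mu is None:
        return None
    return sum(mu_i * shares[i] for i, mu_i in mu.items()) % p


# Constructed policy (A AND B) OR C as an LSSS with rows labelled A, B, C:
# lambda_A = s + beta_2, lambda_B = -beta_2, lambda_C = s.
POLICY_M = [[1, 1], [0, -1], [1, 0]]
POLICY_RHO = ["A", "B", "C"]


def demo(s=12345):
    """Reconstruct from several subsets; unauthorized ones yield None."""
    shares = share(POLICY_M, POLICY_RHO, s)
    return {frozenset(S): recon(POLICY_M, POLICY_RHO, S, shares)
            for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}, {"A", "B", "C"})}


if __name__ == "__main__":
    for S, value in demo().items():
        print(sorted(S), "->", value)
```

Because the reconstruction is a linear-algebra question about the rows of $M$ alone, the same `recon_coefficients` call serves as an authorization check: a set is authorized exactly when $(1, 0, \ldots, 0)$ lies in the span of its rows.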

3 Definitions for KSF-CP-ABE Scheme

We consider a multi-user cryptographic cloud storage system supporting both fine-grained access control and keyword search on encrypted data. The system architecture is illustrated in Figure 1 and involves four participants.

Trusted Authority (TA). This is the key generation center, which is fully trusted by all other participants in the system. The responsibility of the TA is to initialize system parameters, to generate attribute private keys and to generate keyword search keys for users.

Cloud Services Provider (CSP). This is an entity that provides data storage and retrieval service, and an auxiliary decryption function for subscribing users. It stores the data content outsourced by the data owner. This content is searchable and downloadable by intended receivers who have sufficient credentials. We assume that the CSP is semi-trusted, which means that it follows the protocol specified in the system. However, it is assumed that it seeks to learn as much as possible of the information in the encrypted content during the query and response processes, with malicious intent.

Data Owner (DO). This is the cloud storage subscriber who wants to upload its data content anonymously to the cloud storage system after encryption. The encrypted content can be shared with intended receivers who have sufficient credentials as specified by the data owner. The responsibility of the data owner is to create encrypted data, and to choose keywords to build the secure index.

Data User (DU). This is another cloud storage subscriber, which queries the CSP for encrypted data in the cloud storage system. Only retrievers who have legal rights satisfying the access policy specified by the data owner can access the encrypted content and restore the original message from it. The responsibility of data users is to choose keywords to create trapdoors for search, to initiate search requests, and to decrypt data.

Fig. 1. System architecture and workflow (figure not reproduced; it shows the TA, CSP, Owners and Users with the steps 1. System Init, 2. Key Generation, 3. Data Encryption & Indexing, 4. Keyword Search and 5. Data Decryption, the owner's upload of ciphertext and index, and the user's search by trapdoor and download of the ciphertext).

In our setting, a user will be identified by a pair $(id, w)$, where $id$ denotes the user's identity and $w \subseteq \Omega$ is a set of attributes. A KSF-CP-ABE scheme consists of five polynomial-time algorithms, described as follows.

Setup. The setup algorithm is run by the TA and takes a security parameter $\kappa$. It outputs the master key $msk$ and some public system parameters $params$, which include the description of the attribute universe and the keyword universe. The TA publishes $params$ and keeps $msk$ secret. We describe it as $\mathrm{Setup}(1^\kappa) \to (params, msk)$.

ABE-KeyGen. The attribute private key generation algorithm is an interactive protocol between the DU and the TA. The public input to the TA and the DU consists of the system public parameters $params$, the user's identity $id$ and a set $w$ of attributes owned by the DU. The private input to the TA is the master secret key $msk$. In addition, a sequence of random coin tosses may be used by the TA and the DU as private inputs. At the end of the protocol, the DU can extract an attribute private key $d_{id,w}$. We describe it as $\mathrm{ABE\text{-}KeyGen}(params, msk, id, w) \to d_{id,w}$.

KSF-KeyGen. The query private key generation algorithm is an interactive protocol between the DU and the TA. The public input to the TA and the DU consists of the system public parameters $params$ and the user's identity $id$. The private input to the TA is the master secret key $msk$. In addition, a sequence of random coin tosses may be used by the TA and the DU as private inputs. At the end of the protocol, the DU can extract a query private key $q_{id}$. We describe it as $\mathrm{KSF\text{-}KeyGen}(params, msk, id) \to q_{id}$.

Encrypt. The encryption algorithm is run by the DO and takes as input the system public parameters $params$, an access structure $\mathbb{A}$ over the universe of attributes and a message $msg$. The algorithm encrypts $msg$ and produces a ciphertext $ct$. We assume that the ciphertext implicitly contains $\mathbb{A}$. We describe it as $\mathrm{Encrypt}(params, \mathbb{A}, msg) \to ct$.

Index. The encrypted index creation algorithm is run by the DO and takes as input the system parameters $params$ and a set $\mathbf{kw} = \{kw_i\}_{i=1}^{l}$ of keywords corresponding to a message $msg$. The algorithm outputs a secure index $IX(\mathbf{kw})$ for the keyword set $\mathbf{kw}$, which will be associated with a ciphertext $ct$. We describe it as $\mathrm{Index}(params, \mathbf{kw}, msg) \to IX(\mathbf{kw})$.

Trapdoor. The trapdoor generation algorithm is run by the DU and takes as input the system parameters $params$, the DU's query private key $q_{id}$, the DU's attribute private key $d_{id,w}$, and a keyword $kw$. It outputs a trapdoor $T_{kw}$ corresponding to the keyword $kw$. We describe it as $\mathrm{Trapdoor}(params, q_{id}, d_{id,w}, kw) \to T_{kw}$.

Test. The keyword test algorithm is run by the CSP and takes as input the system parameters $params$, a trapdoor $T_{kw}$ corresponding to the keyword $kw$ from a DU, and the index $IX(\mathbf{kw})$ for the keyword set $\mathbf{kw}$. It outputs an intermediate result $Q_{ct}$ of the decipherment if $kw \in \mathbf{kw}$, which means that the ciphertext $ct$ contains the keyword $kw$ in the trapdoor $T_{kw}$. Otherwise, it outputs $0$. We describe it as $\mathrm{Test}(params, T_{kw}, IX(\mathbf{kw})) \to Q_{ct}$ or $0$.

Decrypt. The decryption algorithm is run by the DU. It takes as input the system parameters $params$, the searched ciphertext $ct$ with its corresponding intermediate decryption data $Q_{ct}$, and the DU's attribute private key $d_{id,w}$. It outputs the plaintext $msg$ if the set $w$ of attributes in the attribute private key $d_{id,w}$ satisfies the access policy associated with the ciphertext. Otherwise, it outputs $\perp$. We describe it as $\mathrm{Decrypt}(params, ct, Q_{ct}, d_{id,w}) \to msg$ or $\perp$.

We have the basic consistency requirement that for any $w \subseteq \Omega$, $kw \in \Lambda$, $msg \in \{0,1\}^*$, $(params, msk) \leftarrow \mathrm{Setup}(1^\kappa)$, $IX(\mathbf{kw}) \leftarrow \mathrm{Index}(params, \mathbf{kw}, msg)$, $d_{id,w} \leftarrow \mathrm{ABE\text{-}KeyGen}(params, msk, id, w)$, $q_{id} \leftarrow \mathrm{KSF\text{-}KeyGen}(params, msk, id)$, $T_{kw} \leftarrow \mathrm{Trapdoor}(params, q_{id}, d_{id,w}, kw)$ and $ct \leftarrow \mathrm{Encrypt}(params, \mathbb{A}, msg)$, where $w$ satisfies $\mathbb{A}$ and $kw \in \mathbf{kw}$, we have $Q_{ct} \leftarrow \mathrm{Test}(params, T_{kw}, IX(\mathbf{kw}))$


and $msg \leftarrow \mathrm{Decrypt}(params, ct, Q_{ct}, d_{id,w})$ with probability 1 over the randomness of all the algorithms.

Security definitions for KSF-CP-ABE can be obtained by adapting the security model for CP-ABE [9] and the security model for PEKS [16]. Due to space limitations, we omit the description of the security definitions for KSF-CP-ABE here and will explain them in detail in the extended version.

4 A KSF-CP-ABE Construction

The proposed KSF-CP-ABE construction from bilinear pairings is described as follows.

Setup. The TA chooses $(a, \alpha) \in_R (\mathbb{Z}_p^*)^2$, a cryptographically secure hash function $H$ and a message authentication code function $F$. The TA publishes the system parameters $params = (\Omega, \Lambda, G_1, G_2, \hat{e}, g, g^a, \hat{e}(g,g)^\alpha, F, H)$, while keeping the master secret key $msk = (g^\alpha, a)$ secret.

ABE-KeyGen. To generate attribute private keys for a DU with $(id, w)$, the following protocol is executed between the DU and the TA.

– The DU sends a request for an attribute private key along with credentials corresponding to the set $w$ of attributes to the TA.
– The TA first validates the credentials presented by the DU and outputs $\perp$ if validation fails. Otherwise, the TA chooses $t \in_R \mathbb{Z}_p^*$ and generates the attribute private keys for the DU corresponding to the set $w$ of attributes as $d_{id,w} = (K = g^\alpha g^{at},\; L = g^t,\; \{K_x = H(x)^t\}_{x \in w})$.
– The TA adds an entry $(id, g^{at})$ to the user list.
– Finally, the TA securely distributes the attribute private keys $d_{id,w}$ to the DU.

KSF-KeyGen. To generate a query private key for a DU with identity $id$, the following protocol is executed between the DU and the TA.

– The DU sends a request for a query private key along with his identity $id$ to the TA.
– The TA checks whether the identity $id$ exists in the user list. If the identity $id$ does not exist, it outputs $\perp$. Otherwise, the TA sends a response accepting the request back to the DU.
– The DU chooses $u \in_R \mathbb{Z}_p^*$ and provides a commitment $q_u = g^u$ with an interactive witness-indistinguishable proof of knowledge of $u$ to the TA. The DU retains $u$.
– The TA verifies the proof of knowledge and outputs $\perp$ if it fails. Otherwise, the TA retrieves $g^{at}$ according to $id$ and generates the query private key $q_{id} = g^{at} q_u^{\alpha}$ for the user.
– Finally, the TA securely distributes the query private key $q_{id}$ to the DU.

Encrypt. To encrypt a message $msg$ under an access policy described by $(M, \rho)$, the DO first chooses a vector $\vec{v} = (s, y_2, \ldots, y_n) \in_R \mathbb{Z}_p^n$ and $r_1, r_2, \ldots, r_\ell \in_R \mathbb{Z}_p$, where $s$ represents the secret exponent to be shared. The DO then calculates $\lambda_i = \langle M_i, \vec{v} \rangle$ for $i = 1$ to $\ell$ and outputs the ciphertext

$$
ct = \big(C = msg \cdot \hat{e}(g,g)^{\alpha s},\; C' = g^s,\; \{C_i, D_i\}_{i=1}^{\ell}\big)
$$

along with a description of $(M, \rho)$, where $C_i = g^{a \lambda_i} H(\rho(i))^{-r_i}$ and $D_i = g^{r_i}$.


Index. To generate a secure index for a set $\mathbf{kw}$ of keywords, the DO first chooses a random bit string $t_i$ for each keyword $kw_i \in \mathbf{kw}$ and computes the key $k_i$ used for the message authentication code corresponding to keyword $kw_i$ as $k_i = \hat{e}(g,g)^{\alpha s} \cdot \hat{e}(g, H(kw_i))^s$. The DO then outputs the secure index as

$$
IX(\mathbf{kw}) = \{(t_i,\; F(k_i, t_i))\}_{kw_i \in \mathbf{kw}}.
$$

Finally, the DO uploads the ciphertext $ct$ along with the index $IX(\mathbf{kw})$ to the CSP for sharing.

Trapdoor. To generate a trapdoor for a keyword $kw$, the DU first computes $T_q(kw) = H(kw) \cdot q_{id}^{1/u}$, $L' = L^{1/u}$, and $K'_x = K_x^{1/u}$ for all $x \in w$. The DU then sets the trapdoor for the keyword $kw$ as $T_{kw} = (T_q(kw), L', \{K'_x\}_{x \in w})$.

Test. To perform the keyword test, the following protocol is executed between the DU and the CSP.

– The DU initiates a keyword search request by sending the trapdoor $T_{kw}$ for the keyword $kw$, along with the description of the set $w$ of attributes related to the DU's attribute private keys, to the CSP.
– The CSP searches for the ciphertext $ct$ containing the desired keyword $kw$ by examining each tuple $(ct, IX(\mathbf{kw}))$ in storage. For each, the CSP verifies whether the submitted $w$ satisfies the access policy $(M, \rho)$ embedded in the ciphertext $ct$.
– Suppose that $w$ satisfies $(M, \rho)$. Let $\{\mu_i\}_{i \in I}$ be the set of constants defined in Section 2.2. The CSP computes
$$
Q_{ct} = \prod_{i \in I} \big[\hat{e}(C_i, L') \cdot \hat{e}(D_i, K'_{\rho(i)})\big]^{\mu_i}
\quad \text{and} \quad
k_{kw} = \hat{e}(C', T_q(kw)) / Q_{ct}.
$$
– The CSP checks, for each entry $(t_i, F(k_i, t_i))$ of the index $IX(\mathbf{kw})$ attached to the ciphertext $ct$, whether $F(k_{kw}, t_i) = F(k_i, t_i)$. Finally, the CSP sends the search result, which includes the ciphertext $ct$ and the partial decryption data $Q_{ct}$, to the DU.

Decrypt. The DU can recover the plaintext by computing $msg = C \cdot Q_{ct}^{u} / \hat{e}(C', K)$.

Theorem 1. The proposed KSF-CP-ABE construction is correct.

Proof. The correctness can be verified as follows.

$$
Q_{ct} = \prod_{i \in I} \big[\hat{e}(C_i, L') \cdot \hat{e}(D_i, K'_{\rho(i)})\big]^{\mu_i}
= \prod_{i \in I} \big[\hat{e}(C_i, L^{1/u}) \cdot \hat{e}(D_i, K_{\rho(i)}^{1/u})\big]^{\mu_i}
$$
$$
= \prod_{i \in I} \big[\hat{e}(C_i, L) \cdot \hat{e}(D_i, K_{\rho(i)})\big]^{\mu_i/u}
= \prod_{i \in I} \hat{e}(g,g)^{a t \lambda_i \mu_i / u}
= \hat{e}(g,g)^{a t s / u}
$$
$$
k_{kw} = \frac{\hat{e}(C', T_q(kw))}{Q_{ct}}
= \frac{\hat{e}(g^s,\; g^\alpha g^{at/u} H(kw))}{\hat{e}(g,g)^{ats/u}}
= \hat{e}(g,g)^{\alpha s} \cdot \hat{e}(g, H(kw))^s
$$
$$
\frac{C \cdot Q_{ct}^{u}}{\hat{e}(C', K)}
= \frac{msg \cdot \hat{e}(g,g)^{\alpha s} \cdot [\hat{e}(g,g)^{ats/u}]^{u}}{\hat{e}(g^s,\; g^\alpha g^{at})}
= msg
$$

Theorem 2. Suppose the decisional $q$-parallel bilinear Diffie-Hellman exponent assumption holds. Then no polynomial time adversary can selectively break the proposed KSF-CP-ABE construction with a challenge matrix of size $\ell^* \times n^*$, where $\ell^*, n^* \le q$.

Proof. The security proof is similar to that of Waters' CP-ABE scheme [9]; we omit it here due to space limits and will give the detailed security proof in the extended version.


In the proposed KSF-CP-ABE construction, the keyword search scope is restricted to the group of data that the DU can decrypt. The CSP first determines whether the DU has permission to decrypt the ciphertext, and only then performs the keyword search. The search process automatically excludes ciphertexts that the user cannot decrypt, which reduces unnecessary keyword search computation. The Decrypt algorithm requires just one bilinear pairing operation for each ciphertext. The Test algorithm seems to require a non-constant $2|I| + 1$ bilinear pairing operations for each trapdoor, but in fact it needs only 3 bilinear pairing operations, by observing that

$$
Q_{ct} = \prod_{i \in I} \big[\hat{e}(C_i, L') \cdot \hat{e}(D_i, K'_{\rho(i)})\big]^{\mu_i}
= \hat{e}\Big(\prod_{i \in I} C_i^{\mu_i},\; L'\Big) \cdot \hat{e}\Big(\prod_{i \in I} D_i^{\mu_i},\; \prod_{i \in I} (K'_{\rho(i)})^{\mu_i}\Big)
$$
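The following Python is an added correctness harness for the Section 4 construction (Setup, ABE-KeyGen, KSF-KeyGen, Encrypt, Index, Trapdoor, Test and Decrypt); it is not the paper's code. It walks through the algebra of Theorem 1 in an exponent-space model: every $G_1$ element $g^x$ is stored as the exponent $x$, every $G_2$ element $\hat{e}(g,g)^z$ as $z$, and the pairing becomes $\hat{e}(x, y) = xy \bmod p$, so group multiplication is addition of exponents and exponentiation is multiplication. Discrete logarithms are trivial in that model, so it demonstrates only that the equations of Test and Decrypt cancel as claimed, not security. The prime `P`, the hash-to-exponent `H` (SHA-256 reduced modulo `P`), the MAC `F` (HMAC-SHA256), the AND-only access policy (for which every $\mu_i = 1$), passing the ciphertext's $s$ to `index` rather than `msg`, and the sample attributes and keywords are all constructed assumptions. It evaluates $Q_{ct}$ as the per-row product of pairings from the Test algorithm; the three-pairing regrouping just above folds distinct $K'_{\rho(i)}$ into a single pairing, which bilinearity licenses only when every row maps to the same key element, so the code does not use it.

```python
"""Exponent-space model of the KSF-CP-ABE construction (added example, not the paper's code).
g^x is stored as x, e(g,g)^z as z, and e(x, y) = x*y mod P; this checks the algebra of
Theorem 1 only. P, H, F, the AND policy and the sample data are constructed assumptions."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # constructed toy group order

def pair(x, y):          # e(g^x, g^y) = e(g,g)^{xy}
    return x * y % P

def H(label):            # hash-to-group H, modelled as SHA-256 reduced mod P (assumption)
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P

def F(key, t):           # MAC F(k, t) keyed with the G2 element k (exponent form); HMAC is an assumption
    return hmac.new(key.to_bytes(16, "big"), t, hashlib.sha256).hexdigest()

def rand():              # uniform element of Z_p^*
    return secrets.randbelow(P - 1) + 1

def setup():
    a, alpha = rand(), rand()
    return {"g_a": a, "e_gg_alpha": alpha}, {"g_alpha": alpha, "a": a}   # params, msk

def abe_keygen(msk, attrs):
    """d_{id,w} = (K = g^alpha g^{at}, L = g^t, {K_x = H(x)^t}); TA also records g^{at}."""
    t = rand()
    did = {"K": (msk["g_alpha"] + msk["a"] * t) % P, "L": t,
           "Kx": {x: H(x) * t % P for x in attrs}}
    return did, msk["a"] * t % P

def ksf_keygen(msk, g_at, q_u):
    """q_id = g^{at} q_u^alpha for the DU's commitment q_u = g^u (proof of knowledge omitted)."""
    return (g_at + q_u * msk["g_alpha"]) % P

def and_policy(attrs):
    """LSSS matrix for attr_1 AND ... AND attr_n: rows sum to (1,0,...,0), so every mu_i = 1."""
    n = len(attrs)
    M = [[0] * n for _ in range(n)]
    M[0][0] = 1
    for i in range(1, n):
        M[i - 1][i], M[i][i] = 1, -1
    return M, list(attrs)

def encrypt(params, policy, msg):
    """ct = (C = msg e(g,g)^{alpha s}, C' = g^s, {C_i = g^{a lambda_i} H(rho(i))^{-r_i}, D_i = g^{r_i}}).
    msg is a G2 element in exponent form; s is also returned so that index() can reuse it."""
    M, rho = policy
    s = rand()
    v = [s] + [rand() for _ in range(len(M[0]) - 1)]
    CD = []
    for row, attr in zip(M, rho):
        lam = sum(m * vj for m, vj in zip(row, v)) % P
        r = rand()
        CD.append(((params["g_a"] * lam - H(attr) * r) % P, r))
    return {"C": (msg + params["e_gg_alpha"] * s) % P, "C1": s, "CD": CD, "policy": policy}, s

def index(params, keywords, s):
    """IX = {(t_i, F(k_i, t_i))} with k_i = e(g,g)^{alpha s} e(g, H(kw_i))^s."""
    ix = []
    for kw in keywords:
        t_i = secrets.token_bytes(16)
        ix.append((t_i, F((params["e_gg_alpha"] * s + pair(1, H(kw)) * s) % P, t_i)))
    return ix

def trapdoor(did, qid, u, kw):
    """T_kw = (T_q(kw) = H(kw) q_id^{1/u}, L' = L^{1/u}, {K'_x = K_x^{1/u}})."""
    inv_u = pow(u, -1, P)
    return {"Tq": (H(kw) + qid * inv_u) % P, "L1": did["L"] * inv_u % P,
            "Kx1": {x: k * inv_u % P for x, k in did["Kx"].items()}}

def keyword_test(T, attrs, ct, ix):
    """CSP side: Q_ct if w satisfies the policy and the keyword is indexed, else 0."""
    M, rho = ct["policy"]
    if not set(rho) <= set(attrs):                # w does not satisfy the AND policy
        return 0
    Q = 0                                          # product over i in I, mu_i = 1, in exponent form
    for (Ci, Di), attr in zip(ct["CD"], rho):
        Q = (Q + pair(Ci, T["L1"]) + pair(Di, T["Kx1"][attr])) % P
    k_kw = (pair(ct["C1"], T["Tq"]) - Q) % P       # e(C', T_q(kw)) / Q_ct
    return Q if any(F(k_kw, t_i) == tag for t_i, tag in ix) else 0

def decrypt(did, ct, Q, u):
    """msg = C Q_ct^u / e(C', K)."""
    return (ct["C"] + Q * u - pair(ct["C1"], did["K"])) % P

def demo(keyword="cardiology", user_attrs=("doctor", "cardiology")):
    """Full run with constructed policy doctor AND cardiology and keywords {cardiology, ecg}."""
    params, msk = setup()
    did, g_at = abe_keygen(msk, user_attrs)
    u = rand()
    qid = ksf_keygen(msk, g_at, u)                 # q_u = g^u is just u in exponent form
    msg = H("constructed plaintext encoded as a G2 element")
    ct, s = encrypt(params, and_policy(["doctor", "cardiology"]), msg)
    ix = index(params, ["cardiology", "ecg"], s)
    Q = keyword_test(trapdoor(did, qid, u, keyword), user_attrs, ct, ix)
    if Q == 0:
        return "test output 0"
    return "decrypted" if decrypt(did, ct, Q, u) == msg else "wrong plaintext"

if __name__ == "__main__":
    print(demo(), "|", demo(keyword="oncology"), "|", demo(user_attrs=("nurse",)))
```

Running `demo()` with the default arguments exercises the authorized-user, indexed-keyword path; the two variants show Test returning $0$ when the keyword is absent from the index and when the user's attributes do not satisfy the policy, in which case the CSP never reaches the MAC comparison, matching the search-scope restriction described above.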

5 Conclusions

In this paper, we propose a new cryptographic primitive called ciphertext-policy attribute-based encryption with keyword search function, and present a concrete construction from bilinear pairings. The proposed KSF-CP-ABE construction is very efficient: the cloud service provider only needs to perform three bilinear pairing operations for each keyword search and partial decryption, and the data user only needs to perform one bilinear pairing operation for each decryption. We will further study CP-ABE schemes supporting conjunctive keyword search, which enables one to search encrypted documents using more than one keyword.

Acknowledgments. This work was supported by the National Natural Science Foundation of China (Grant No. 61173189) and the Guangdong Province Information Security Key Laboratory Project.

References

1. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. NIST Special Publication 800-145 (2011)
2. Gartner report: Forecast: Public Cloud Services, Worldwide and Regions, Industry Sectors, 2009–2014. http://www.gartner.com/resId=1378513
3. Sahai, A., Waters, B.: Fuzzy Identity Based Encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
5. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)
6. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security & Privacy, pp. 321–334 (2007)
7. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-Based Encryption with Non-Monotonic Access Structures. In: ACM Conference on Computer and Communications Security, pp. 195–203 (2007)
8. Cheung, L., Newport, C.: Provably Secure Ciphertext Policy ABE. In: ACM Conference on Computer and Communications Security, pp. 456–465 (2007)
9. Waters, B.: Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011)
10. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)
11. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011)
12. Wang, C.J., Luo, J.F.: An Efficient Key-Policy Attribute-Based Encryption Scheme with Constant Ciphertext Length. Mathematical Problems in Engineering 2013, Article ID 810969, 7 pages (2013)
13. Pirretti, M., Traynor, P., McDaniel, P., Waters, B.: Secure attribute-based systems. Journal of Computer Security 18, 799–837 (2010)
14. Wang, C.J., Liu, X., Li, W.T.: Implementing a Personal Health Record Cloud Platform Using Ciphertext-Policy Attribute-Based Encryption. In: Fourth International Conference on Intelligent Networking and Collaborative Systems, pp. 8–14 (2012)
15. Li, M., Yu, S.C., Zheng, Y., Ren, K., Lou, W.J.: Scalable and Secure Sharing of Personal Health Records in Cloud Computing using Attribute-based Encryption. IEEE Transactions on Parallel and Distributed Systems 24(1), 131–143 (2013)
16. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)
