A Universal Cloud User Revocation Scheme With Key-Escrow ...

A Universal Cloud User Revocation Scheme With Key-Escrow Resistance for Ciphertext-Policy Attribute-Based Access Control Nazatul Haque Sultan

Ferdous Ahmed Barbhuiya

Nityananda Sarma

IIIT Guwahati, India

IIIT Guwahati, India

Tezpur University, India

ABSTRACT

Cloud storage services allow users to store and share data in a cloud environment. To secure the data from unauthorized entities while sharing, cryptographic mechanisms are used. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is one such mechanism, which has been widely used to achieve fine-grained access control over encrypted data. However, user revocation and key-escrow remain challenging problems in CP-ABE. In this paper, we propose a key-escrow resistant CP-ABE based access control scheme that provides efficient user revocation. The security analysis of the scheme has been done using Information Theory Tools. The security analysis establishes that it is unconditionally secure and provides any-wise revocation capability. Moreover, comparison with the other notable works in the area shows that it outperforms them in terms of computational and communication overheads.

CCS CONCEPTS • Security and privacy → Security services; • Security services → Authorization; Access Control;

KEYWORDS Cloud data access control; user revocation; key-escrow resistance; attribute-based encryption; CP-ABE; data outsourcing

1 INTRODUCTION

Cloud computing provides a storage platform to its users for storing and outsourcing their personal data [1]. Typically, cloud storage is maintained by a third-party entity called the Cloud Service Provider (CSP). Once data is stored in the CSP by a data owner (who owns the data), the CSP takes full control of the stored data, which leaves the data owner to trust the CSP blindly for safe keeping of the data. However, it is not wise to fully trust the CSP, as misuse of the stored data may happen [1]. In addition, malicious entities may try to get useful information from the stored data. Data confidentiality has thus become essential. Cryptographic encryption methods are considered a suitable solution to achieve data confidentiality [2]. However, traditional cryptographic encryption methods, like symmetric key encryption and public key encryption, cannot achieve efficient access control over encrypted data [1, 3]. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [4] is a recently developed encryption method which has been widely used to achieve fine-grained access control over encrypted data in cloud storage. In CP-ABE, the data owner can choose an access policy which is embedded in the ciphertext itself. A user who possesses sufficient attributes (or qualified decryption keys¹) to satisfy the access policy can decrypt. It thus gives the data owner more direct control over access policies, which avoids dependency of the data owner on the CSP for managing access control.

Although CP-ABE is widely used to achieve access control, user revocation still remains a challenging problem to solve. In CP-ABE, each attribute is shared by multiple users [5], so revocation of a user affects non-revoked users with whom the revoked user shares attributes. This is because, in user revocation, all attributes of the user need to be revoked. Normally, a user revocation operation consists of two sub-operations, namely, ciphertext re-encryption and key re-distribution. In the ciphertext re-encryption operation, all ciphertexts related with the revoked attributes are re-encrypted, so that the revoked user cannot decrypt; while the key re-distribution operation updates the decryption key components, related with the revoked attributes, of the non-revoked users, so that they can decrypt the re-encrypted ciphertexts. But ciphertext re-encryption and key re-distribution operations involve high computational and communication overheads [6], which may degrade performance. It may also result in a bottleneck during key re-distribution operations if frequent user revocations occur.

Another important challenge in CP-ABE schemes is the key-escrow problem, where a Key Generation Centre (which is commonly known as Attribute Authority) can decrypt every ciphertext using its system secret key. Most of the single authority CP-ABE schemes² [4, 5] suffer from the key-escrow problem. It is not desirable, as the data owner may not want to share his or her sensitive and confidential data with anyone except the authorized users.

1.1 Related Works

Ciphertext-policy attribute-based encryption (CP-ABE) is a variant of attribute-based encryption (ABE) [7]. It is a suitable cryptographic encryption method for data sharing in cloud storage, as it enables the owner to control his or her data by choosing appropriate access policies without depending on the CSP. In recent years, many CP-ABE based access control schemes [4–6, 8–12] have been proposed for different purposes. However, the existing schemes are unable to address the user revocation and key-escrow problems efficiently. A brief survey of the existing schemes related to the user revocation and key-escrow problems is presented below.

User revocation: In [4], Bethencourt et al. tried to address user revocation by associating each attribute with a time limit. On the expiration of the time limit, the user attributes are automatically revoked from the system. A similar approach can be found in [8]. However, these schemes have not addressed on-demand user revocation (known as immediate user revocation). Moreover, these schemes cannot provide forward and backward secrecy [10]. In immediate user revocation, attributes of a user can be revoked at any time by initiating both ciphertext re-encryption and key re-distribution operations. In [13], Ostrovsky et al. proposed an immediate user revocation scheme in CP-ABE. The scheme can revoke a user by conjunctively adding AND of the negation of revoked user identities, where the identities are considered as attributes. However, it increases the decryption key size by a multiplicative factor of $\log m$, where $m$ is the maximum number of attributes. Some more immediate revocation schemes have been proposed, for example [5, 10–12]. In [5], Yu et al. proposed an attribute revocation scheme, where a proxy server performs the ciphertext re-encryption and key re-distribution operations. Similarly, in [10] and [11], Hur and Yang et al. respectively proposed attribute revocation schemes where the CSP re-encrypts the ciphertexts, while key re-distribution is performed by the CSP in [10] and by the AA in [11]. In [12], Ruj et al. tried to address the user revocation problem, where the data owner initiates the ciphertext re-encryption and key re-distribution operations. Thus, it can be seen that all these schemes [5, 10–12] incur high communication and computational costs due to ciphertext re-encryption and key re-distribution operations.

Recently, Horvath [6] and Zhang et al. [14] proposed user revocation schemes which do not require ciphertext re-encryption and key re-distribution operations. The schemes integrate an identity-based user revocation feature into CP-ABE. These schemes include revoked user identities in the ciphertext itself so that the users whose identities are present in the ciphertext cannot decrypt it even if their attributes satisfy the access policy. However, these schemes do not perform well when user revocations occur frequently, as the cost of integrating identity-based user revocation features into CP-ABE is high. Also, in both schemes the data owner has to know about the revoked users prior to data encryption. The schemes have not addressed explicitly how to revoke a fresh user after the data has been encrypted and how to permit an already revoked user to access data.

Key-escrow: In single authority CP-ABE systems, the AA has full control of the system. Since it manages the system secret key related with the user attributes, it can compute decryption keys for every user in the system. The AA can thus decrypt every ciphertext by generating the corresponding decryption key on behalf of a user. Some examples of recent CP-ABE based access control schemes which suffer from the key-escrow problem are [4, 5, 11]. In [15], Zhang et al. tried to address the key-escrow problem in CP-ABE. In the scheme, a user can compute a decryption key by combining two separate decryption key components, where one component is received from the AA and the other from a trusted third party. But the scheme uses a restrictive access policy, which consists of only AND gates. Also, it cannot be applied to the existing single authority CP-ABE based access control schemes, like [4, 5, 11]. Hur and Wang et al. tried to address the key-escrow problem in their works [10, 16] and [17] respectively. The schemes rely on a secure two-party computation protocol (2PC) between the AA and the CSP to generate decryption keys for the users. The 2PC protocol ensures that neither the AA nor the CSP could generate a decryption key alone. However, the AA and the CSP need to collaborate before issuing every decryption key to the users, which is not feasible when the AA and CSP are from different trust domains.

¹ In CP-ABE, attributes are associated with the decryption key.
² In a single authority CP-ABE scheme, a third party called the Attribute Authority (AA) manages the system secret key and issues decryption keys to its users using the system secret key.

1.2 Contribution

From the related works discussed earlier, it can be observed that the user revocation and key-escrow problems in CP-ABE still remain challenging problems to be addressed. This paper proposes a CP-ABE based access control scheme which addresses both the user revocation and key-escrow problems. The main contributions are as follows:

∙ User revocation is achieved using identity-based settings in CP-ABE, while retaining attribute-based properties.
∙ A user is revoked in the ciphertext itself based on his or her unique identity. It avoids removing the user completely from the system, or revoking some of his or her attributes. This in turn avoids communication and computationally expensive operations, like ciphertext re-encryption and key re-distribution.
∙ Data owners are given the privilege to revoke specific users, which is a desirable property for an attribute-based access control system [18].
∙ Relatively expensive user revocation tasks are delegated to the CSP, which reduces overheads on the data owners.
∙ The key-escrow problem is resolved. It ensures that the AA cannot decrypt any ciphertext.

It is to be noted that the proposed scheme is integrated with Bethencourt et al.'s scheme [4]. To the best of our knowledge, the proposed scheme is the only scheme which can be integrated with all other CP-ABE schemes (for example [11–13], and so on) to enhance their security and efficiency, which makes the proposed scheme Universal.

The organization of the paper is as follows. Section 2 presents the preliminaries which we use. The proposed cloud and security model is shown in Section 3. Section 4 presents the proposed scheme in detail. Analysis of the proposed scheme is done in Section 5. Finally, we conclude the paper in Section 6.

2 PRELIMINARIES

This section presents a brief overview of some properties of bilinear pairing, access tree, and conditions to satisfy an access tree. It also presents the security model of the proposed scheme. It is to be noted that the security model and security proof of the proposed scheme are based on the concept of Information Theory Tools [19], especially entropy, conditional entropy, and joint entropy. More detail on these information theoretic concepts can be found in Section II in [20]. The notations used in the rest of the paper are shown in Table 1.

Table 1: NOTATIONS

Notation: Description
$q$: a large prime number
$F_q$: a field of integers modulo $q$
$G_1, G_2$: additive and multiplicative cyclic subgroups of $F_q$ respectively
$G_T$: a multiplicative cyclic subgroup of $F_q$
$g$: generator of $G_1$
$H_1, H_2$: cryptographic hash functions: $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to Z_q^*$
$H_x, H_x^i$: one-way keyed hash function using key $x$, and the hash operation applied continuously $i$ times, respectively
$\mathcal{U}$: set of all users in the system
$|\mathcal{U}|$: total number of users in the system
$\mathcal{R}_{\mathcal{U}}^{j}$: set of revoked users in the $j$-th user revocation operation
$ID_i$: identity of the $i$-th user
$\mathcal{AS}_i$: attribute set of the $i$-th user
$Sc_i^{j}$: $j$-th personal secret of the $i$-th user
$H(.)$: entropy function of information theory [19]
$\mathcal{P}_j(x)$: $j$-th revocation polynomial
$u_c$: total number of user revocation operations
$t_c$: maximum number of revoked users
$k_j$: $j$-th random secret for $\mathcal{P}_j(x)$

2.1 Bilinear Map

Let $G_1$ be a cyclic additive group and $G_T$ be a cyclic multiplicative group of a large prime order $q$. Let $g_1$ and $g_2$ be generators of $G_1$; then $\hat{e} : G_1 \times G_1 \to G_T$ is a bilinear map such that $\hat{e}(x g_1, y g_2) = \hat{e}(g_1, g_2)^{xy}$, $\forall g_1, g_2$ and $\forall x, y \in Z_q^*$. The map is called non-degenerate, $\forall g_1, g_2$, $\hat{e}(g_1, g_2) = 1$ if and only if $g_1 = g_2$, and $\hat{e}(g_1, g_2)$ is efficiently computable for all $g_1, g_2 \in G_1$.

2.2 Access Tree [4]

A tree access structure or access tree $\mathcal{AT}$ is one of the many forms of an access policy or access structure. The access tree consists of leaf nodes and non-leaf nodes. The nodes can be represented using AND or OR gates. A non-leaf node, say $x$, of an access tree consists of two components, namely, the total number of children $total_x$ and the threshold value $k_x$ of the node $x$. The OR gate is represented by $k_x = 1$ and the AND gate is represented by $k_x = total_x$, where $1 \le k_x \le total_x$. Further, a leaf node of the access tree is represented by an attribute with $k_x = 1$. The notations parent(x) and index(x) mean the parent and the index of the node $x$ respectively.

2.3 Satisfying an Access Tree [4]

Let $\mathcal{AT}$ be an access tree with root at node $r$. Let $\mathcal{AT}_x$ denote the sub-tree of $\mathcal{AT}$ with root at node $x$, which implies that $\mathcal{AT}_r = \mathcal{AT}$. If an access tree $\mathcal{AT}_x$ is satisfied by an attribute set $\mathcal{AS}_i$, then it is represented as $\mathcal{AT}_x(\mathcal{AS}_i) = 1$. To compute $\mathcal{AT}_x(\mathcal{AS}_i)$, a recursive method is used and it is as follows: If $x$ is a non-leaf node, then compute $\mathcal{AT}_{x'}(\mathcal{AS}_i)$ for each child node $x'$ of $x$. If at least $k_x$ children return 1, then $\mathcal{AT}_x(\mathcal{AS}_i) = 1$. If $x$ is a leaf node (i.e. the leaf node represents an attribute), then $\mathcal{AT}_x(\mathcal{AS}_i) = 1$ if and only if all leaf nodes are in $\mathcal{AS}_i$.

3 PROPOSED MODEL

This section first presents our proposed cloud model, followed by its security model.

3.1 Proposed Cloud Model

[Figure 1: Proposed Cloud Model. Entities: AA, CSP (cloud storage servers), Owners, Users. Labelled flows: public parameter, decryption keys, update requests, encrypted data and revoke user list, personal secrets, data access.]

Figure 1 shows the proposed cloud model. It consists of the Attribute Authority (AA), Data Owners (owners), Data Users (users), and the Cloud Service Provider (CSP). The AA and CSP are both honest-but-curious entities. They both honestly perform their tasks, but may try to gain as much additional information from the encrypted data as possible. The AA maintains the system secret key and public parameter. It issues decryption keys to the users according to their attributes. The AA also sends an update request to the CSP when a new user joins the system. More details about the update request are given in Section 4.2.2. The CSP is responsible for storing owners' encrypted data and provides data access services to the users. It also issues personal secrets for each registered user. Moreover, the CSP is responsible for performing the proposed user revocation on the owner's approval. The owner stores his or her data in the cloud storage servers after encrypting it using an access policy. To perform user revocation, the owner sends a revoke user list to the CSP. A user can access the plaintext data if he possesses sufficient attributes to satisfy the access policy of the ciphertext and also if he has a valid personal secret. Like the previous schemes [5, 10], we assume that the CSP and the AA do not collude since they are honest. It is assumed that the AA and the CSP have public-key certificates from Certificate Authorities through which secure channels, e.g. SSL/TLS channels, can be established for secure communication. It is also assumed that each entity has a unique identity.

3.2 Proposed Security Model

The security model of the proposed scheme is adopted from [21], [22]. The following definitions aim to provide unconditional security using the entropy function.

Definition 3.1. Let $t_c$ be a positive integer. Let $\mathcal{U} = \{ID_1, ID_2, ..., ID_{|\mathcal{U}|}\}$ and $j_c = \{1, 2, ..., u_c\}$. Let $\mathcal{U}_{\mathcal{S}}^{j_c}$ be the set of users who have qualified attributes to access data in the $j_c$-th user revocation operation, where $\mathcal{U}_{\mathcal{S}}^{j_c} \subset \mathcal{U}$. Suppose $\mathcal{R}_{\mathcal{U}}^{j_c} = \{ID'_1, ID'_2, ..., ID'_{|\mathcal{R}_{\mathcal{U}}^{j_c}|}\}$, where $\mathcal{R}_{\mathcal{U}}^{j_c} \subset \mathcal{U}_{\mathcal{S}}^{j_c}$ and $0 \le |\mathcal{R}_{\mathcal{U}}^{j_c}| \le t_c$. To revoke users, in the proposed scheme, the CSP seeks to share a random secret $k^{c}_{j_c} \in Z_q^*$ with each non-revoked user in $(\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{U}}^{j_c})$ using a user revocation polynomial $\mathcal{P}_{j_c}(x)$.

1. The proposed scheme can provide user revocation, if

a) a non-revoked user in $(\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{U}}^{j_c})$ can recover $k^{c}_{j_c}$ from $\mathcal{P}_{j_c}(x)$ using his or her personal secret $Sc_i^{j_c}$. On the other hand, a user in $\mathcal{R}_{\mathcal{U}}^{j_c}$ cannot recover $k^{c}_{j_c}$ from $\mathcal{P}_{j_c}(x)$ using his or her personal secret $Sc_i^{\prime j_c}$. That is

$$H(k^{c}_{j_c} \mid \mathcal{P}_{j_c}(x), Sc_i^{j_c}) = 0; \quad H(k^{c}_{j_c} \mid \mathcal{P}_{j_c}(x), Sc_i^{\prime j_c}) = H(k^{c}_{j_c})$$

b) The users in $\mathcal{U}$ cannot learn any information about $k^{c}_{j_c}$ either from the user revocation polynomials (i.e., $\mathcal{P}_1(x), \mathcal{P}_2(x), ..., \mathcal{P}_{u_c}(x)$) or the personal secrets (i.e., $Sc_1^{j_c}, Sc_2^{j_c}, ..., Sc_{|\mathcal{U}|}^{j_c}$ for $1 \le j_c \le u_c$) alone. That is,

$$H(k^{c}_{j_c} \mid \mathcal{P}_1(x), \mathcal{P}_2(x), ..., \mathcal{P}_{u_c}(x)) = H(k^{c}_{j_c}) = H(k^{c}_{j_c} \mid Sc_1^{j_c}, Sc_2^{j_c}, ..., Sc_{|\mathcal{U}|}^{j_c}), \quad \text{for } 1 \le j_c \le u_c$$

2) (any-wise revocation capability) The proposed user revocation scheme has any-wise revocation capability if all users in $(\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c}) \cup \mathcal{R}_{\mathcal{U}}^{j_c}$ cannot recover $k^{c}_{j_c}$ from $\mathcal{P}_{j_c}(x)$ even if they collude. That is

$$H\left(k^{c}_{j_c} \mid \mathcal{P}_{j_c}(x), \{Sc_i^{\prime j'_c}\}_{ID'_i \in (\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c}) \cup \mathcal{R}_{\mathcal{U}}^{j_c}} \cup \{Sc_i^{\prime j_c}\}_{ID'_i \in \mathcal{R}_{\mathcal{U}}^{j_c}}\right) = H(k^{c}_{j_c}), \quad \text{where } 1 \le j'_c \le u_c \text{ and } j'_c \ne j_c$$

Definition 3.2 (Key-escrow resistance). Let $j_c \in \{1, 2, ..., u_c\}$. Let $\mathcal{U}_{\mathcal{S}}^{j_c}$ be the set of users who have qualified attributes to access data in the $j_c$-th user revocation operation and $\mathcal{R}_{\mathcal{S}}^{j_c}$ be the set of revoked users, where $\mathcal{U}_{\mathcal{S}}^{j_c} \subset \mathcal{U}$, $\mathcal{R}_{\mathcal{S}}^{j_c} \subset \mathcal{U}_{\mathcal{S}}^{j_c}$, and $1 \le j_c \le u_c$. The proposed scheme is key-escrow resistant if the AA cannot gain any knowledge about the $j_c$-th personal secret $Sc_i^{j_c}$ of any user in $(\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{S}}^{j_c})$ and the random secrets $k^{c}_{j_c}$ for $1 \le j_c \le u_c$. That is

$$H\left(\{Sa_i^{j_c}\}_{ID_i \in (\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{S}}^{j_c})} \mid \mathcal{P}_{j_c}(x)\right) = H\left(\{Sa_i^{j_c}\}_{ID_i \in (\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{S}}^{j_c})}\right), \quad \text{for } 1 \le j_c \le u_c$$

$$H(k^{c}_{j_c} \mid \mathcal{P}_{j_c}(x)) = H(k^{c}_{j_c}), \quad \text{for } 1 \le j_c \le u_c$$

It is to be noted that the AA does not collude with any users in the system, as the AA is assumed to be honest. Similarly, the CSP does not collude with any revoked users in the system, like in [5, 10].

4 THE PROPOSED SCHEME

This section presents the proposed scheme in detail. First a brief overview of it is given, followed by its construction.

4.1 Scheme Overview

The proposed scheme revokes a user in the ciphertext itself without removing him or her completely from the system or revoking some of his or her attributes. The main idea of the proposed scheme is to integrate identity-based user revocation features into CP-ABE without affecting attribute-based features. To do so, the owner embeds revoked user identities in the ciphertext in such a way that the users whose identities are present in the ciphertext cannot decrypt even if their attributes satisfy the access policy. At the same time, non-revoked users can easily decrypt using their decryption keys. To achieve this, a polynomial, called the user revocation polynomial, is constructed using the revoked user identities and a masking polynomial. The user revocation polynomial is added to the ciphertext as an additional component, which is also used to solve the key-escrow problem. The details are discussed in the following sections. It is to be noted that the owner delegates relatively expensive operations to the CSP to reduce overheads on him/her.

4.2 Scheme Construction

Let $\mathcal{U}_{\mathcal{A}} = \{Att_1, Att_2, Att_3, ..., Att_{|\mathcal{U}_{\mathcal{A}}|}\}$ be the set of all attributes in the system, where $|\mathcal{U}_{\mathcal{A}}|$ represents the total number of attributes. Let $\mathcal{G}_{Att_y} \subset \mathcal{U}$ be the set of users who possess attribute $Att_y$, which is referred to as an attribute group. Let $\mathcal{G} = \{\mathcal{G}_{Att_1}, \mathcal{G}_{Att_2}, ..., \mathcal{G}_{Att_{|\mathcal{U}_{\mathcal{A}}|}}\}$ be the universe of attribute groups. Suppose $\Delta_{i,\mathcal{AS}_i}$ denotes the Lagrange coefficient, where $\Delta_{i,\mathcal{AS}_i} = \prod_{j \in \mathcal{AS}_i, j \ne i} \frac{x - j}{i - j}$, $i \in Z_q^*$ and $\mathcal{AS}_i$ is a set of $Z_q^*$ elements. The proposed scheme consists of five phases, namely, System Setup, KeyGen, Encrypt, User Revocation, and Decrypt, which are described below in detail.

4.2.1 System Setup. This phase generates system secrets and public parameters. It can be divided into two sub-phases, namely, AA Setup and CSP Setup. The AA Setup phase is initiated by the AA to generate a system secret key $SK$ and public parameter $PK$. The CSP Setup phase is run by the CSP to choose a $t_c$-degree secret polynomial $h_c(x, y)$.

AA Setup: The AA chooses bilinear groups $G_1$ and $G_T$ with a large prime order $q$, a bilinear map $\hat{e} : G_1 \times G_1 \to G_T$, a generator $g \in G_1$, random numbers $\delta$ and $\eta \in Z_q^*$, and hash functions $H_1, H_2, H_x$. It generates the public parameter $PK$ as $PK = \langle g, G_1, G_T, \hat{e}, h = g^{\eta}, \hat{e}(g, g)^{\delta}, H_1, H_2, H_x \rangle$ and the system secret $SK$ as $SK = \langle \eta, g^{\delta} \rangle$. The AA also initializes $\mathcal{G}$.

CSP Setup: The CSP chooses a positive integer $t_c$. It then chooses a $t_c$-degree secret polynomial, called the user polynomial, $h_c(x, y) = a_{0,0} + a_{1,0}x + a_{0,1}y + ... + a_{t_c,t_c}x^{t_c}y^{t_c}$, where $a_{0,0}, a_{1,0}, a_{0,1}, ..., a_{t_c,t_c} \in F_q[x, y]$. It also chooses a secret key $\mathcal{K}$ and two secret random initial seed values $sid^{0}_{c_1}$ and $sid^{0}_{c_2}$. It keeps the user polynomial $h_c(x, y)$, the secret key $\mathcal{K}$, and the two seed values in a secure place. Moreover, the CSP initializes $\mathcal{G}$ with the help of the AA³.

³ Since the AA maintains users and their attributes, the AA can send attribute group information to the CSP. The CSP needs to maintain the attribute groups to prevent collusion attacks between non-revoked users, who do not have qualified attributes to satisfy the access trees of the ciphertexts, and revoked users. It will be discussed in the rest of this paper in detail.

4.2.2 KeyGen. In this phase, the AA generates decryption keys for the users. When a user, say $ID_i \in \mathcal{U}$, initially joins the system, it assigns an attribute set $\mathcal{AS}_i$ to the user and computes the decryption key $DK$ using its system secret key $SK$. It selects random numbers $r$ and $\{r_y\}_{\forall y \in \mathcal{AS}_i}$, where the random numbers are in $Z_q^*$. The $DK$ is as follows:

$$DK = \langle D = g^{\frac{(\delta + r)}{\eta}}, \{D_y = g^{r} \cdot H_1(Att_y)^{r_y}, D'_y = g^{r_y}\}_{\forall y \in \mathcal{AS}_i} \rangle$$

Now, the AA sends the decryption key $DK$ to the user $ID_i$ using a secure channel. In addition, the AA adds the newly joined user's identity to the attribute group $\mathcal{G}_{Att_y}$ if $Att_y \in \mathcal{AS}_i$, for all $Att_y \in \mathcal{AS}_i$. Moreover, the AA sends the updated attribute groups to the CSP in an update request.

4.2.3 Encrypt. In this phase, the owner encrypts data. The owner chooses an access tree $\mathcal{AT}$ and encrypts the plaintext data $M \in G_T$ using the public parameter $PK$. The owner selects a random number $s \in Z_q^*$ and then chooses a polynomial $q_x$ of degree $d_x = k_x - 1$ for each node $x$ in the access tree $\mathcal{AT}$. Next, the owner computes $q_r(0) = s$ for the root node and $d_r$ random points of the polynomial $q_r$ to define it completely.

Further, he computes $q_x(0) = q_{parent(x)}(index(x))$ for any other node in the access tree and selects the other $d_x$ points randomly to define $q_x$ completely. Let $Y$ be the set of all leaf nodes in $\mathcal{AT}$. The computed ciphertext is as follows:

$$CT = \langle \mathcal{AT}, C = M \cdot \hat{e}(g, g)^{\delta \cdot s}, C' = h^{s}, \{C_y = g^{q_y(0)}, C'_y = H_1(Att_y)^{q_y(0)}\}_{\forall y \in Y} \rangle$$

Now, the owner sends the ciphertext $CT$ to the CSP and the CSP stores the received ciphertext $CT$ in its storage servers.

4.2.4 User Revocation. In this phase, the CSP revokes users on behalf of an owner. When an owner wants to revoke one or more users having the required attribute sets, he or she sends a revoke user list to the CSP. The list contains the identities of the revoked users. Upon receiving the list, the CSP first authorizes the owner. After successful authorization, it initiates this phase to revoke the users in the revoke user list. The revocation procedure is explained below.

Suppose the owner wants to prevent users in the revoke user list $\mathcal{R}_{\mathcal{U}}^{j_c}$ from decrypting the ciphertext $CT$, where $\mathcal{R}_{\mathcal{U}}^{j_c} = \{ID'_1, ID'_2, ..., ID'_{|\mathcal{R}_{\mathcal{U}}^{j_c}|}\}$ for a positive integer $|\mathcal{R}_{\mathcal{U}}^{j_c}|$ such that $0 \le |\mathcal{R}_{\mathcal{U}}^{j_c}| \le t_c$. The CSP computes a polynomial $\mathcal{R}^{j_c}(x)$ using the user identities in $\mathcal{R}_{\mathcal{U}}^{j_c}$. Now, it uses $\mathcal{R}^{j_c}(x)$ and its secret user polynomial $h_c(x, y)$ to construct another polynomial $\mathcal{P}_{j_c}(x)$, called the user revocation polynomial, where $j_c$ represents the $j_c$-th user revocation operation. It is to be noted that $j_c = 1$ for the initial user revocation operation. The constructed user revocation polynomial $\mathcal{P}_{j_c}(x)$ is given by:

$$\mathcal{P}_{j_c}(x) = k_{j_c} \cdot \mathcal{R}^{j_c}(x) + sid_{c_1}^{j_c} \cdot h_c(x, sid_{c_2}^{j_c})$$

where $k_{j_c}$ is a random secret in $Z_q^*$, $\mathcal{R}^{j_c}(x) = (x - H_2(ID_{AA})) \prod_{ID'_i \in \mathcal{R}_{\mathcal{U}}^{j_c}} (x - H_2(ID'_i))$, $sid_{c_1}^{j_c} = H_{\mathcal{K}}^{j_c}(sid^{0}_{c_1})$, $sid_{c_2}^{j_c} = H_{\mathcal{K}}^{j_c}(sid^{0}_{c_2})$, and $ID_{AA}$ represents the unique identity of the AA. It is to be noted that $\mathcal{K}$, and $sid^{0}_{c_1}$ and $sid^{0}_{c_2}$, are the secret key and initial secret seed values respectively, which are known to the CSP only. Moreover, $sid_{c_1}^{j_c} \cdot h_c(x, sid_{c_2}^{j_c})$ acts as a masking polynomial in $\mathcal{P}_{j_c}(x)$. Now, the CSP re-encrypts the ciphertext $CT$ as follows:

$$CT' = \langle \mathcal{AT}, \mathcal{R}_{\mathcal{U}}^{j_c}, j_c, \mathcal{P}_{j_c}(x), \tilde{C} = C^{k_{j_c}}, C' = h^{s}, \{C_y = g^{q_y(0)}, C'_y = H_1(Att_y)^{q_y(0)}\}_{\forall y \in Y} \rangle$$

It is to be noted that for each user revocation operation $j_c$ is increased by one. The CSP can keep the previous hashed chain values, i.e. $sid_{c_1}^{(j_c - 1)}$ and $sid_{c_2}^{(j_c - 1)}$, to compute the current hashed chain values, i.e. $sid_{c_1}^{j_c} = H_{\mathcal{K}}(sid_{c_1}^{(j_c - 1)})$ and $sid_{c_2}^{j_c} = H_{\mathcal{K}}(sid_{c_2}^{(j_c - 1)})$. It replaces the stored previous hashed chain values by the current hashed chain values, i.e. $sid_{c_1}^{(j_c - 1)}$ by $sid_{c_1}^{j_c}$ and $sid_{c_2}^{(j_c - 1)}$ by $sid_{c_2}^{j_c}$.

Remark 4.1. An owner may want to revoke users at any time. When the owner wants to revoke some fresh users or to permit some already revoked users to access his or her data, the owner sends a fresh revoke user list to the CSP. Let $j_c$ user revocation operations have taken place until now. Upon receiving the list, the CSP increases $j_c$ by one and computes a fresh user revocation polynomial $\mathcal{P}_{(j_c + 1)}(x)$ as described in Section 4.2.4. It chooses a fresh random secret $k_{(j_c + 1)}$, where $k_{(j_c + 1)} \in Z_q^*$. Moreover, it re-encrypts the $\tilde{C}$ component of $CT'$ as follows: $\tilde{C}^{k_{(j_c + 1)} / k_{j_c}}$, where $k_{j_c}$ is the previous random secret.

4.2.5 Decrypt. In this phase, a user decrypts the re-encrypted ciphertext $CT'$, which is received from the CSP. The decryption procedure is explained below.

When the user $ID_i$ wants to access data, he or she sends a request to the CSP. After authenticating the user $ID_i$, the CSP issues a $j_c$-th personal secret⁴ to the user $ID_i$ if and only if he or she is a member of the attribute groups corresponding to the attributes associated with the requested ciphertext⁵. Otherwise the CSP aborts the request. The $j_c$-th personal secret is given by $Sc_i^{j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$, where $sid_{c_1}^{j_c} = H_{\mathcal{K}}^{j_c}(sid^{0}_{c_1})$, $sid_{c_2}^{j_c} = H_{\mathcal{K}}^{j_c}(sid^{0}_{c_2})$, and $h_c(x, y)$ is the secret user polynomial of the CSP. The CSP sends $Sc_i^{j_c}$ along with the requested re-encrypted ciphertext $CT'$ to the user $ID_i$ using a secure channel⁶. Upon receiving $CT'$ and $Sc_i^{j_c}$, the user $ID_i$ initiates the actual decryption process. Let the decryption key of the user $ID_i$ be

$$DK = \langle D = g^{\frac{(\delta + r)}{\eta}}, \{D_y = g^{r} \cdot H_1(Att_y)^{r_y}, D'_y = g^{r_y}\}_{\forall y \in \mathcal{AS}_i} \rangle$$

and $CT'$ be

$$CT' = \langle \mathcal{AT}, \mathcal{R}_{\mathcal{U}}^{j_c}, j_c, \mathcal{P}_{j_c}(x), \tilde{C} = C^{k_{j_c}}, C' = h^{s}, \{C_y = g^{q_y(0)}, C'_y = H_1(Att_y)^{q_y(0)}\}_{\forall y \in Y} \rangle$$

The decryption is performed as follows: First, user $ID_i$ recovers the random secret $k_{j_c}$ from the user revocation polynomial $\mathcal{P}_{j_c}(x)$ using his or her $j_c$-th personal secret $Sc_i^{j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$ and then recovers the original ciphertext $CT$ from $CT'$, followed by decryption of the original ciphertext $CT$ using the decryption key $DK$. The user $ID_i$ recovers the random secret key $k_{j_c}$ as follows:

$$k_{j_c} = \frac{\mathcal{P}_{j_c}(H_2(ID_i)) - Sc_i^{j_c}}{\mathcal{R}^{j_c}(H_2(ID_i))}$$

Since $\mathcal{R}_{\mathcal{U}}^{j_c}$ is known from $CT'$, the user can easily compute $\mathcal{R}^{j_c}(x)$. Now, the user computes $C = \tilde{C}^{\frac{1}{k_{j_c}}} = (M \cdot \hat{e}(g, g)^{\delta \cdot s})^{k_{j_c} \cdot \frac{1}{k_{j_c}}} = M \cdot \hat{e}(g, g)^{\delta \cdot s}$.

Proof:

$$k_{j_c} = \frac{\mathcal{P}_{j_c}(H_2(ID_i)) - Sc_i^{j_c}}{\mathcal{R}^{j_c}(H_2(ID_i))} = \frac{\mathcal{P}_{j_c}(H_2(ID_i)) - sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})}{\mathcal{R}^{j_c}(H_2(ID_i))} = \frac{k_{j_c} \cdot \mathcal{R}^{j_c}(H_2(ID_i))}{\mathcal{R}^{j_c}(H_2(ID_i))}$$

where $\mathcal{P}_{j_c}(H_2(ID_i)) = k_{j_c} \cdot \mathcal{R}^{j_c}(H_2(ID_i)) + sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$. The recovered original ciphertext $CT$ is as follows:

$$CT = \langle \mathcal{AT}, C = M \cdot \hat{e}(g, g)^{\delta \cdot s}, C' = h^{s}, \{C_y = g^{q_y(0)}, C'_y = H_1(Att_y)^{q_y(0)}\}_{\forall y \in Y} \rangle$$

⁴ The CSP knows the $j_c$ value from the requested ciphertext $CT'$.
⁵ This is required to prevent collusion attacks between the non-revoked users, who do not have qualified attribute sets, and revoked users (who have qualified attribute sets). As the CSP maintains $\mathcal{G}$, it can check whether the requesting user has a qualified attribute set or not.
⁶ Like Yu et al.'s scheme [23], the proposed scheme enables the CSP to send the personal secret to the requester (user) along with the requested data (re-encrypted ciphertext).

Now, the original ciphertext $CT$ is taken by the user for further decryption. The decryption process consists of a recursive algorithm $DecNode(CT, DK, x)$, where $x$ is a node in the access tree $\mathcal{AT}$. The decryption procedure can be divided into two phases.

Phase 1: If $x$ is a leaf node. Let $Att_x$ represent the leaf node $x$, which is an attribute, and $w = Att_x$. The decryption is performed as follows: if $w \in \mathcal{AS}_i$,

$$DecNode(CT, DK, x) = \frac{\hat{e}(D_w, C_x)}{\hat{e}(D'_w, C'_x)} = \frac{\hat{e}(g^{r} H_1(w)^{r_w}, g^{q_x(0)})}{\hat{e}(g^{r_w}, H_1(w)^{q_x(0)})} = \hat{e}(g, g)^{r \cdot q_x(0)}$$

Otherwise return $NULL$.

Phase 2: If $x \ne$ leaf node. Recursively call $DecNode(CT, DK, x_{child})$ for all children $x_{child}$ of $x$. It stores the result as $R_{x_{child}}$. Let $\mathcal{AS}_{i_x}$ represent an arbitrary $k_x$-sized set of child nodes $x$ such that $R_x \ne NULL$. The value $R_{x_{child}} \ne NULL$ if $\exists \mathcal{AS}_{i_x}$ of size $k_x$ set of $x_{child}$ (child nodes). Otherwise $DecNode(CT, DK, x_{child})$ returns $NULL$. $R_x$ is computed as follows:

$$R_x = \prod_{x_{child} \in \mathcal{AS}_{i_x}} R_{x_{child}}^{\Delta_{i,\mathcal{AS}'_{i_x}}(0)} = \prod_{x_{child} \in \mathcal{AS}_{i_x}} \left(\hat{e}(g, g)^{r \cdot q_{x_{child}}(0)}\right)^{\Delta_{i,\mathcal{AS}'_{i_x}}(0)} = \prod_{x_{child} \in \mathcal{AS}_{i_x}} \left(\hat{e}(g, g)^{r \cdot q_{parent(x_{child})}(index(x_{child}))}\right)^{\Delta_{i,\mathcal{AS}'_{i_x}}(0)} = \prod_{x_{child} \in \mathcal{AS}_{i_x}} \hat{e}(g, g)^{r \cdot q_x(i) \cdot \Delta_{i,\mathcal{AS}'_{i_x}}(0)} = \hat{e}(g, g)^{r \cdot q_x(0)}$$

where $i = index(x_{child})$ and $\mathcal{AS}'_{i_x} = \{index(x_{child}) : x_{child} \in \mathcal{AS}_{i_x}\}$. If $\mathcal{AS}_i$ satisfies the access tree, $DecNode(CT, DK, root)$ provides $\hat{e}(g, g)^{r \cdot s}$. Thus, the original data $M$ can be computed as follows:

$$M = \frac{C}{Y} = \frac{M \cdot \hat{e}(g, g)^{\delta \cdot s}}{Y}, \quad \text{where } Y = \frac{\hat{e}(C', D)}{DecNode(CT, DK, root)} = \frac{\hat{e}(h^{s}, g^{\frac{(\delta + r)}{\eta}})}{\hat{e}(g, g)^{r \cdot s}} = \frac{\hat{e}(g^{\eta \cdot s}, g^{\frac{(\delta + r)}{\eta}})}{\hat{e}(g, g)^{r \cdot s}} = \hat{e}(g, g)^{\delta \cdot s}$$

5

ciphertext, number of attributes associated with $CT$, and number of attributes associated with a user respectively.

5.1 Security Analysis

This section shows that the proposed scheme is secure in the security model as described in Section 3.2.

Theorem 5.1. The proposed scheme is unconditionally secure and has any-wise revocation capability.

Proof. The theorem can be proved by showing that the proposed scheme supports all the conditions presented by Definition 3.1.

1. a) Suppose a user wants to access data which has been re-encrypted in the $j_c$-th user revocation operation, as described in Section 4.2.4. The CSP issues the $j_c$-th personal secret $Sc_i^{j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$ for a requesting user, say $ID_i$, if and only if he or she possesses qualified attributes (i.e., $ID_i \in \mathcal{U}_{\mathcal{S}}^{j_c}$). If the user's identity $ID_i$ is not present in the $j_c$-th user revocation polynomial $\mathcal{P}_{j_c}(x)$ (i.e., $ID_i \in (\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{U}}^{j_c})$), then he or she can recover the random secret $k^{c}_{j_c}$ from $\mathcal{P}_{j_c}(x)$ using $Sc_i^{j_c}$, as described in Section 4.2.5. On the other hand, a user (say $ID'_i$) in $\mathcal{R}_{\mathcal{U}}^{j_c}$ cannot recover the random secret $k^{c}_{j_c}$ using his or her $j_c$-th personal secret $Sc_i^{\prime j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID'_i), sid_{c_2}^{j_c})$, as described in Section 4.2.5. Thus, we have

$$H(k^{c}_{j_c} \mid \mathcal{P}_{j_c}(x), Sc_i^{j_c}) = 0; \quad H(k^{c}_{j_c} \mid \mathcal{P}_{j_c}(x), Sc_i^{\prime j_c}) = H(k^{c}_{j_c})$$

1. b) The $k^{c}_{j_c}$ is randomly picked by the CSP and it is masked with a secret polynomial $sid_{c_1}^{j_c} \cdot h_c(x, sid_{c_2}^{j_c})$ in the $j_c$-th user revocation polynomial $\mathcal{P}_{j_c}(x)$. Thus, the user revocation polynomials alone cannot leak any information about $k^{c}_{j_c}$. Further, $k^{c}_{j_c}$ is independent of the personal secret of a user, as $Sc_i^{j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$. So, personal secrets alone also cannot give any information about $k^{c}_{j_c}$. Thus, we have

$$H(k^{c}_{j_c} \mid \mathcal{P}_1(x), \mathcal{P}_2(x), ..., \mathcal{P}_{u_c}(x)) = H(k^{c}_{j_c}) = H(k^{c}_{j_c} \mid Sc_1^{j_c}, Sc_2^{j_c}, ..., Sc_{|\mathcal{U}|}^{j_c}), \quad \text{for } 1 \le j_c \le u_c$$

2. Any user $ID'_i$ in $\mathcal{R}_{\mathcal{U}}^{j_c}$ cannot recover $k^{c}_{j_c}$ from $\mathcal{P}_{j_c}(x)$ using his or her personal secret $Sc_i^{\prime j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID'_i), sid_{c_2}^{j_c})$, as discussed earlier. To recover $k^{c}_{j_c}$ from $\mathcal{P}_{j_c}(x)$, a user in $\mathcal{R}_{\mathcal{U}}^{j_c}$ must have knowledge about the personal secret $Sc_i^{j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$ of a user in $(\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{U}}^{j_c})$. Any coalition among the users in $\mathcal{R}_{\mathcal{U}}^{j_c}$ can get at most $t_c$ points over the $t_c$-degree masking polynomial $sid_{c_1}^{j_c} \cdot h_c(x, sid_{c_2}^{j_c})$. To compute $Sc_i^{j_c}$, the coalition needs at least $(t_c + 1)$ points over the $t_c$-degree masking polynomial $sid_{c_1}^{j_c} \cdot h_c(x, sid_{c_2}^{j_c})$, according to Lagrange's interpolation theorem. Therefore, it is impossible for the users in $\mathcal{R}_{\mathcal{U}}^{j_c}$ to compute $Sc_i^{j_c}$ using the available $t_c$ points. Further, the users who do not possess qualified attributes (i.e., users in $(\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c})$) do not receive the required $j_c$-th personal secrets from the CSP. But the users in $(\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c}) \cup \mathcal{R}_{\mathcal{U}}^{j_c}$ may have personal secrets associated with different user revocation operations, i.e., they may have $\{Sc_i^{\prime j'_c} = sid_{c_1}^{j'_c} h_c(H_2(ID'_i), sid_{c_2}^{j'_c})\}_{ID'_i \in (\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c}) \cup \mathcal{R}_{\mathcal{U}}^{j_c}}$ for $1 \le j'_c \le u_c$

Note that any revoked user in cannot gain any knowledge to the random secret 𝑘𝑗𝑐 , as ℛ (𝐻2 (𝐼𝐷𝑖′ )) = 0.

5

𝑐 𝑐

= 𝐻(𝑘𝑗 )

ANALYSIS

The security analysis and comprehensive analysis of the proposed user revocation scheme are presented in this section. In the comprehensive analysis, the proposed scheme is compared with the existing CP-ABE based user revocation schemes, e.g. [5, 10–12] and CP-ABE based key-escrow resistant schemes, e.g. [10, 15, 17]. It then presents performance analysis, where the proposed scheme is compared to Horvath’s scheme [6] and Zhang et al.’s scheme [14] in terms of computation cost and storage overheads, followed by a comparison of computation time. It is to be noted that the security proofs of the original Bethencourt et al.’s scheme are well established and it can be found in [4]. To make the analysis more readable following notations are used: 𝑇𝑚𝑢𝑙𝐺1 and 𝑇𝑚𝑢𝑙𝐺𝑇 represent computation time of one exponentiation/scalar multiplication operation on 𝐺1 and 𝐺𝑇 respectively. 𝑇𝑝 denotes computation time of one pairing operation. |𝑍𝑞* |, |𝐺1 | and |𝐺𝑇 | represent size of 𝑍𝑞* , 𝐺1 , and 𝐺𝑇 elements respectively. 𝐶𝑇, 𝑛𝑐 , and 𝑛𝑢 denote

𝑖

𝒮

𝒰

′𝑗

𝑗

and 𝑗𝑐 = ̸ 𝑗𝑐 ′ . But, two personal secrets 𝑆𝑐𝑖𝑐 1 = 𝑠𝑖𝑑𝑐𝑐11 · 𝑗 ′𝑗 𝑗 𝑗 ℎ𝑐 (𝐻2 (𝐼𝐷𝑖′ ), 𝑠𝑖𝑑𝑐𝑐21 ) and 𝑆𝑐𝑖𝑐 2 = 𝑠𝑖𝑑𝑐𝑐12 · ℎ𝑐 (𝐻2 (𝐼𝐷𝑖′ ), 𝑠𝑖𝑑𝑐𝑐22 ) 𝑗𝑐 1 𝑗 can be combined if and only if 𝑗𝑐 1 = 𝑗𝑐 2 , since 𝑠𝑖𝑑𝑐1 ̸= 𝑠𝑖𝑑𝑐𝑐12 6

and $sid_{c_2}^{j_c^1} \neq sid_{c_2}^{j_c^2}$ if $j_c^1 \neq j_c^2$. Thus the users who are revoked in the same user revocation operation can combine their personal secrets. However, a maximum of $t_c$ users can be revoked per user revocation operation, which implies that a coalition among the users in $(\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c}) \cup \mathcal{R}_{\mathcal{U}}^{j_c}$ cannot gain any knowledge of $S_{a_i}^{j_c}$. Thus, we have

$$
H\left(k_c^{j_c} \,\middle|\, \mathcal{P}_{j_c}(x), \{S'^{j_c}_{c_i}\}_{ID_i' \in \mathcal{R}_{\mathcal{U}}^{j_c}} \cup \{S'^{j_c'}_{c_i}\}_{ID_i' \in (\mathcal{U} \setminus \mathcal{U}_{\mathcal{S}}^{j_c}) \cup \mathcal{R}_{\mathcal{U}}^{j_c}}\right) = H(k_c^{j_c}), \quad \text{where } 1 \le j_c' \le u_c \text{ and } j_c \neq j_c'
$$

□

Theorem 5.2. The proposed scheme is key-escrow resistant.

Proof. Here we will show that the proposed scheme fulfils all the conditions defined in Definition 3.2. To recover $k_c^{j_c}$, the AA must have the $j_c$-th personal secret $S_{c_i}^{j_c} = sid_{c_1}^{j_c} \cdot h_c(H_2(ID_i), sid_{c_2}^{j_c})$ of a user $ID_i$ in $(\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{S}}^{j_c})$, where $1 \le j_c \le u_c$. Since the AA is an honest entity, it does not collude with any users (according to our assumption which has been defined in Section 2). However, it may get personal secrets of the users in $\mathcal{R}_{\mathcal{S}}^{j_c}$ from $\mathcal{P}_{j_c}(x)$, where $1 \le j_c \le u_c$. But, it does not give enough information to compute $S_{c_i}^{j_c}$, as $|\mathcal{R}_{\mathcal{S}}^{j_c}| \le t_c$, according to Theorem 5.1. Therefore, we can conclude that the proposed scheme is key-escrow resistant. Thus, we have

$$
H\left(\{S_{a_i}^{j_c}\}_{ID_i \in (\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{S}}^{j_c})} \,\middle|\, \mathcal{P}_{j_c}(x)\right) = H\left(\{S_{a_i}^{j_c}\}_{ID_i \in (\mathcal{U}_{\mathcal{S}}^{j_c} \setminus \mathcal{R}_{\mathcal{S}}^{j_c})}\right), \quad \text{for } 1 \le j_c \le u_c
$$

$$
H(k_c^{j_c} \mid \mathcal{P}_{j_c}(x)) = H(k_c^{j_c}), \quad \text{for } 1 \le j_c \le u_c
$$

□

5.2 Comprehensive Analysis

Unlike the traditional user revocation schemes [5, 10–12], the proposed scheme revokes a user based on the revoked user’s unique identity. It does not affect other non-revoked users, which in turn avoids costly operations like key redistribution and re-encryption of all ciphertexts. The proposed scheme thereby reduces overheads on the system. However, the proposed scheme stores an additional revocation polynomial of size $t_c|Z_q^*|$ per ciphertext along with the identities of the revoked users in the cloud storage servers. It is to be noted that the storage overhead incurred due to the revoked user identities can be ignored, as the identities can be selected from a small finite field [20]. Similarly, unlike the existing key-escrow resistant schemes [10] and [17], the proposed scheme does not need any collaboration between the entities of the cloud environment to achieve key-escrow resistance, which makes it more feasible. Further, unlike [15], the proposed scheme uses a more expressive access policy which consists of AND and OR gates. Moreover, the proposed scheme can be applied to any other CP-ABE schemes to enhance their security.

5.3 Performance Analysis

Table 2: Comparison of the proposed scheme to [6] and [14]

| | Horvath’s scheme [6] | Zhang et al.’s scheme [14] | The proposed scheme |
|---|---|---|---|
| Encryption cost | $(4n_c + 4\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert)T_{mul_{G_1}} + (3n_c + 2)T_{mul_{G_T}}$ | $(3n_c + 3\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert + 1)T_{mul_{G_1}} + 2T_{mul_{G_T}}$ | $(2n_c + 1)T_{mul_{G_1}} + 2T_{mul_{G_T}}$ |
| Decryption cost | $(4n_u + 3\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert - 1)T_{mul_{G_T}} + (2n_u + 2\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert)T_p$ | $(4n_u + 3\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert + 1)T_{mul_{G_T}} + (3n_u + 2\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert + 1)T_p$ | $2n_u T_p + T_{mul_{G_1}}$ |
| User revocation cost | $(2n_c + 4\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert)T_{mul_{G_1}}$ | $(n_c + 3\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert)T_{mul_{G_1}}$ | $T_{mul_{G_1}}$ |
| CT size | $(2n_c + 2\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert)\lvert G_1\rvert + (n_c + 1)\lvert G_T\rvert$ | $(3n_c + 2\lvert\mathcal{R}_{\mathcal{U}}^{j_c}\rvert + 1)\lvert G_1\rvert + \lvert G_T\rvert$ | $(2n_c + 1)\lvert G_1\rvert + \lvert G_T\rvert + t_c\lvert Z_q^*\rvert$ |
| Secret key size | $(n_u + 1)\lvert G_1\rvert$ | $2(n_u + 1)\lvert G_1\rvert$ | $(2n_u + 1)\lvert G_1\rvert$ |

[Figure 2: Comparison of computation time. Panels: (a) Encrypt, (b) Decrypt, (c) User Revocation. Each panel plots time in milliseconds against the number of revoked users (5 to 20) for Horvath's scheme, Zhang et al.'s scheme and the proposed scheme.]

To the best of our knowledge, Horvath’s scheme [6] and Zhang et al.’s scheme [14] are the only two schemes similar to the proposed scheme. We compare the performance of the proposed scheme with Horvath’s scheme [6] and Zhang et al.’s scheme [14] in Table 2. The performance is shown as an asymptotic upper bound in the worst cases. Table 2 presents the computation costs of encryption, decryption, and user revocation in terms of the number of exponentiation and pairing operations. Storage overheads, i.e., ciphertext size and secret key sizes, are shown in terms of group element size. From the table, it can be observed that the encryption, decryption, and user revocation costs of the proposed scheme are considerably less than the others. The ciphertext size of the proposed scheme is also comparable to [6] and [14]. The proposed scheme embeds the revoked user identities in the ciphertext using a $t_c$-degree revocation polynomial in the form of $Z_q^*$ elements, while in [6] and [14] revoked user identities are embedded in the ciphertext in the form of $G_1$ elements. It seems that in the proposed scheme the secret key size is more than in [6]. But, the proposed scheme does not require any additional secret key compared with [4]. The personal secrets are sent along with the requested (re-encrypted ciphertexts) data to the users, so the users do not need to store the keys, which reduces the storage overhead on the users. It is to be noted

that CSP generates personal secrets using computationally less expensive hash operations (cost of hash operations is presented in Section 5.3.1). Therefore, generation of personal secrets incurs minimal overhead on the CSP.

5.3.1 Computation Time Comparison. To compare the computation time of the proposed scheme to Horvath’s scheme [6] and Zhang et al.’s scheme [14], the PBC library [24] is used. In the PBC library (which is a C library that runs over the GMP library [25]), the computation times of one pairing, one exponentiation on $G_1$, and one exponentiation on $G_T$ are 3.366 milliseconds (ms), 2.722 ms, and 0.399 ms respectively in the supersingular curve $y^2 = x^3 + x$ with embedding degree 2. A commodity Laptop Computer with Ubuntu 15.04 operating system having Intel Core i3 processor with 3.40 GHz clock speed and 4 GB RAM is used for measuring the computation time. The base field size and group order are 512 bits and 160 bits respectively in the chosen curve. Also, one multiplication between two elements of the same group and one hash operation take 0.003 ms and 0.009 ms respectively, which are negligible. Figure 2 shows the comparison of computation time in the Encrypt, Decrypt, and User Revocation phases of the proposed scheme to [6] and [14]. In the figure, the number of attributes is fixed at 10. From Figures 2a, 2b, and 2c, it can be observed that the proposed scheme takes considerably less time compared to [6] and [14].
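The DecNode recursion and the recovery of M from the decryption procedure (Phase 1, Phase 2 and the computation of Y) can be checked with a toy model in which every group element is replaced by its exponent modulo a prime, so a pairing becomes a multiplication and a division in G_T becomes a subtraction. This Python sketch is an added example, not the authors' code; the modulus, the sample policy, the attribute names and the function names are assumptions, and the model only checks the algebra because it exposes every exponent.

```python
import hashlib
import random

Q = 2**127 - 1  # prime; every group element is represented by its exponent mod Q

def H1(w):
    return int.from_bytes(hashlib.sha256(w.encode()).digest(), "big") % Q

def share(node, secret, rng):
    """Encrypt side: set q_x(0) = secret and hand q_x(index) to each child."""
    if isinstance(node, str):                         # leaf: C_x, C'_x
        return ("leaf", node, secret, H1(node) * secret % Q)
    k, kids = node                                    # k-of-n threshold gate
    coeffs = [secret] + [rng.randrange(Q) for _ in range(k - 1)]
    q = lambda i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q
    return ("gate", k, [share(kid, q(i), rng) for i, kid in enumerate(kids, 1)])

def dec_node(ct, key):
    """Exponent of e(g,g)^(r*q_x(0)), or None if the user cannot satisfy x."""
    if ct[0] == "leaf":
        _, w, c_x, c_x2 = ct
        if w not in key:
            return None
        d_w, d_w2 = key[w]
        return (d_w * c_x - d_w2 * c_x2) % Q          # e(D_w,C_x) / e(D'_w,C'_x)
    _, k, kids = ct
    got = [(i, dec_node(c, key)) for i, c in enumerate(kids, 1)]
    got = [(i, r) for i, r in got if r is not None][:k]
    if len(got) < k:
        return None
    total = 0
    for i, r_i in got:                                # R_x = prod R_child ^ Delta_i(0)
        for j, _ in got:
            if j != i:
                r_i = r_i * (-j) * pow((i - j) % Q, -1, Q) % Q
        total = (total + r_i) % Q
    return total

def run(attrs, seed=7):
    rng = random.Random(seed)
    delta, eta, s, r, m = (rng.randrange(1, Q) for _ in range(5))
    policy = (2, ["doctor", (1, ["cardiology", "oncology"])])  # doctor AND (cardiology OR oncology)
    tree = share(policy, s, rng)
    C, C1 = (m + delta * s) % Q, eta * s % Q          # C = M*e(g,g)^(delta*s), C' = h^s
    D = (delta + r) * pow(eta, -1, Q) % Q             # D = g^((delta+r)/eta)
    key = {}
    for w in attrs:                                   # D_w = g^r*H1(w)^r_w, D'_w = g^r_w
        r_w = rng.randrange(1, Q)
        key[w] = ((r + H1(w) * r_w) % Q, r_w)
    root = dec_node(tree, key)                        # exponent r*s when satisfied
    if root is None:
        return None
    Y = (C1 * D - root) % Q                           # e(C',D)/e(g,g)^(r*s) = e(g,g)^(delta*s)
    return (C - Y) % Q == m                           # M = C / Y
```

`run` returns True when the attribute set satisfies the sample policy and the message exponent is recovered, and None when DecNode returns NULL at the root.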
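The argument in item 2 of the proof of Theorem 5.1 can be reproduced numerically. This added Python example (not the authors' code) assumes the revocation polynomial has the form P(x) = R(x)·k + m(x), where R vanishes at the hashed identities of revoked users and a random degree-t polynomial m stands in for the masking polynomial; the modulus, the constructed identities and the function names are likewise assumptions.

```python
import hashlib
import random

Q = 2**127 - 1  # prime modulus standing in for the field of Z_q^* (toy choice)

def H2(identity):
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q

def poly(coeffs, x):
    return sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q

def R(revoked, x):
    """Revocation factor: zero exactly at the hashed identities of revoked users."""
    out = 1
    for rid in revoked:
        out = out * (x - H2(rid)) % Q
    return out

def interpolate(points, x0):
    """Lagrange: value at x0 of the lowest-degree polynomial through `points`."""
    total = 0
    for xi, yi in points:
        for xj, _ in points:
            if xj != xi:
                yi = yi * (x0 - xj) * pow((xi - xj) % Q, -1, Q) % Q
        total = (total + yi) % Q
    return total

def recover(P, revoked, identity, secret):
    """k = (P(x) - S) / R(x) at x = H2(ID); impossible when R(x) = 0."""
    x = H2(identity)
    if R(revoked, x) == 0:
        return None
    return (P(x) - secret) * pow(R(revoked, x), -1, Q) % Q

def scenario(n_revoked, t=3, seed=1):
    rng = random.Random(seed)
    revoked = [f"revoked-{i}" for i in range(n_revoked)]      # constructed identities
    k = rng.randrange(1, Q)                                   # random secret
    mask = [rng.randrange(1, Q) for _ in range(t + 1)]        # degree-t masking polynomial
    S = lambda ident: poly(mask, H2(ident))                   # personal secret
    P = lambda x: (R(revoked, x) * k + poly(mask, x)) % Q     # public revocation polynomial
    honest = recover(P, revoked, "alice", S("alice"))
    single = recover(P, revoked, revoked[0], S(revoked[0]))
    pooled = [(H2(u), S(u)) for u in revoked]                 # coalition's points on the mask
    forged = recover(P, revoked, "alice", interpolate(pooled, H2("alice")))
    return honest == k, single, forged == k
```

`scenario(3)` returns `(True, None, False)`: with t = 3 revoked users the pooled points do not determine the mask, so the coalition's extrapolated secret yields a wrong key. `scenario(4)` returns `(True, None, True)`, which is why the number of users revoked per operation must not exceed the degree of the masking polynomial.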

6 CONCLUSION AND FUTURE WORKS

In this paper, we proposed a CP-ABE based access control scheme for data outsourcing in a cloud environment. The proposed scheme addresses both user revocation and key-escrow problems efficiently by integrating identity-based features into CP-ABE. It provides an efficient user revocation mechanism without involving costly operations, like key redistribution and re-encryption of all ciphertexts. Also, it enables the owner to revoke users and to permit already revoked users to access his or her data at any time with the cost of one exponentiation operation, which makes the proposed scheme the most computationally efficient scheme till date. The key-escrow problem is also addressed without any collaboration between the entities in the cloud environment. In addition, it can be integrated into any CP-ABE scheme. Further, the security analysis shows that the proposed scheme is unconditionally secure and provides any-wise revocation capability. Furthermore, comparison to the similar existing works shows that the proposed scheme outperforms the notable works in the area in terms of computation and communication costs. Extending this work to achieve attribute revocation is left as a part of future work.

REFERENCES
[1] Z. Qin, H. Xiong, S. Wu, and J. Batamuliza. A survey of proxy re-encryption for secure data sharing in cloud computing. IEEE Transactions on Services Computing, PP(99), 2016.
[2] S. Kamara and K. Lauter. Cryptographic cloud storage. In Proceedings of the 14th International Conference on Financial Cryptography and Data Security, FC’10, pages 136–149, 2010.
[3] N. H. Sultan and F. A. Barbhuiya. A secure re-encryption scheme for data sharing in unreliable cloud environment. In Proceedings of the 12th IEEE World Congress on Services, SERVICES 2016, pages 75–80, June 2016.
[4] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP ’07, pages 321–334, 2007.
[5] S. Yu, C. Wang, K. Ren, and W. Lou. Attribute based data sharing with attribute revocation. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’10, pages 261–270, 2010.
[6] M. Horváth. Attribute-based encryption optimized for cloud computing. In Proceedings of the 41st International Conference on Current Trends in Theory and Practice of Computer Science, SOFSEM, pages 566–577, Jan. 2015.
[7] A. Sahai and B. Waters. Fuzzy identity-based encryption. In Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’05, pages 457–473, 2005.
[8] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters. Secure attribute-based systems. In Proceedings of the ACM Conference on Computer and Communications Security, CCS ’06, pages 99–112, 2006.
[9] M. Chase. Multi-authority attribute based encryption. In Proceedings of the 4th Conference on Theory of Cryptography, TCC’07, pages 515–534, 2007.
[10] J. Hur. Improving security and efficiency in attribute-based data sharing. IEEE Transactions on Knowledge and Data Engineering, 25(10):2271–2282, Oct 2013.
[11] K. Yang, X. Jia, and K. Ren. Attribute-based fine-grained access control with efficient revocation in cloud storage systems. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS ’13, pages 523–528, 2013.
[12] S. Ruj, M. Stojmenovic, and A. Nayak. Decentralized access control with anonymous authentication of data stored in clouds. IEEE Transactions on Parallel and Distributed Systems, 25(2):384–394, Feb 2014.
[13] R. Ostrovsky, A. Sahai, and B. Waters. Attribute-based encryption with non-monotonic access structures. In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pages 195–203, 2007.
[14] P. Zhang, Z. Chen, K. Liang, S. Wang, and T. Wang. A cloud-based access control scheme with user revocation and attribute update. In Proceedings of the 21st Australasian Conference Information Security and Privacy, ACISP, pages 525–540, July 2016.
[15] G. Zhang, L. Liu, and Y. Liu. An attribute-based encryption scheme secure against malicious KGC. In Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pages 1376–1380, June 2012.
[16] J. Hur, D. Koo, S. O. Hwang, and K. Kang. Removing escrow from ciphertext policy attribute-based encryption. Computers and Mathematics with Applications: Advanced Information Security, 65(9):1310–1317, 2013.
[17] S. Wang, K. Liang, J. K. Liu, J. Chen, J. Yu, and W. Xie. Attribute-based data sharing scheme revisited in cloud computing. IEEE Transactions on Information Forensics and Security, 11(8):1661–1673, Aug 2016.
[18] M. Sookhak, F. R. Yu, M. K. Khan, Y. Xiang, and R. Buyya. Attribute-based data access control in mobile cloud computing. Future Generation Computer Systems, 72(C):273–287, July 2017.
[19] T. Cover and J. Thomas. Elements of Information Theory. John Wiley and Sons, Inc., 1991.
[20] R. Dutta and S. Mukhopadhyay. Improved self-healing key distribution with revocation in wireless sensor network. In Proceedings of the IEEE Wireless Communications and Networking Conference, WCNC 2007, pages 2963–2968, March 2007.
[21] J. Staddon, S. Miner, M. Franklin, D. Balfanz, M. Malkin, and D. Dean. Self-healing key distribution with revocation. In Proceedings 2002 IEEE Symposium on Security and Privacy, pages 241–257, 2002.
[22] D. Liu, P. Ning, and K. Sun. Efficient self-healing group key distribution with revocation capability. In Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS ’03, pages 231–240, 2003.
[23] S. Yu, C. Wang, K. Ren, and W. Lou. Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the 29th Conference on Information Communications, INFOCOM’10, pages 534–542, 2010.
[24] PBC (Pairing-Based Cryptography) library. http://crypto.stanford.edu/pbc/ [Online accessed: 15-Jan.-2017].
[25] GMP (GNU Multiple Precision) arithmetic library. http://gmplib.org/ [Online accessed: 15-Jan.-2017].
