Shorter Decentralized Attribute-Based Encryption via Extended Dual System Groups

Decentralized attribute-based encryption (ABE) is a special form of multiauthority ABE in which no central authority and no global coordination are required beyond creating the common reference parameters. In this paper, we propose a new decentralized ABE scheme in prime-order groups built from extended dual system groups. We formulate the assumptions used to prove the security of our scheme. The proposed scheme is fully secure under the standard k-Lin assumption in the random oracle model and supports any monotone access structure. Compared with existing fully secure decentralized ABE systems, our construction has shorter ciphertexts and secret keys. Moreover, our system achieves fast decryption: ciphertexts can be decrypted with a constant number of pairings.


Introduction
Attribute-based encryption (ABE), which enables fine-grained access control, was first introduced by Sahai and Waters [1]. Subsequently, Goyal et al. [2] classified ABE into key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, ciphertexts are associated with a set of attributes and secret keys with access policies, while the opposite holds for CP-ABE. A ciphertext can be decrypted by a secret key if and only if the attributes satisfy the access policy.
Over the past decade, a number of ABE schemes [3][4][5][6][7][8][9] have been proposed that support fairly expressive policies. However, the classical ABE system has only a single authority, which manages all attributes and issues private keys for all users. This may fail to meet the requirements of some applications due to its lack of flexibility. Three major aspects limit the application value of single-authority ABE systems. First, a single-authority system cannot support collaboration between different institutions, since it cannot verify attributes across organizations. Second, a single-authority system has a key escrow problem: the authority must be highly trustworthy, as it can decrypt any ciphertext. Finally, key generation for all users relying on a single authority is a huge workload and can easily become a performance bottleneck in the system; furthermore, failure of the authority affects the whole system.
Multiauthority or decentralized ABE systems [10, 11] were put forward to address these issues. Lewko and Waters [11] provided the first fully secure decentralized ABE system. In their system, any party can become an authority by creating a public key. Authorities issue private keys independently, and authorities that go wrong affect only the attributes in their domain, not the system as a whole. In addition, the scheme in [11] supports any monotone access structure.
Though the Lewko-Waters decentralized ABE scheme is expressive, its construction is based on composite-order bilinear groups. Current research [12] shows that prime-order bilinear groups outperform composite-order groups in both time and space efficiency. Specifically, elements of 3072 or 3248 bits are required for a 128-bit security level in composite-order groups according to the NIST or ECRYPT II recommendations, while elements of 256 bits suffice in prime-order groups for the same security level. As for time efficiency, [12] indicates that a pairing over an elliptic curve of composite order is 254 times slower than over a prime-order elliptic curve at the 128-bit security level. For these reasons, it is preferable to design schemes on prime-order groups. In a subsequent work by Okamoto and Takashima [13], a decentralized ABE system on prime-order groups was presented using dual pairing vector spaces [5]. The construction improves the efficiency of decentralized ABE systems, but there is still a significant performance penalty due to the required size of the vectors. Hence, it is worth constructing a more compact decentralized ABE system in the prime-order setting.
We present a new construction of decentralized ABE using extended dual system groups (EDSG). Our proposed scheme is built on prime-order groups with better space and time efficiency and can be proved fully secure under the standard k-Lin assumption in the random oracle model.
Proving full security of a decentralized ABE system is challenging. Even with the powerful dual system encryption methodology [14, 15], [11] needed two subgroups for the semifunctional space. The first subgroup is used to hide nominal semifunctionality from the attacker's view by appending blinding factors to one key at a time. The second subgroup is used to avoid leakage of information about the first one by switching the semifunctional components from the first subgroup to it.
Dual system groups (DSG) [16] are an attractive tool for simulating composite-order groups in the prime-order setting. In contrast to prior works [17][18][19], which attempted to maximize the properties satisfied by both composite-order and prime-order groups, dual system groups seek the minimal properties needed for the application to dual system encryption. The benefit is that we can obtain more efficient and compact schemes, which is why our scheme reduces the ciphertext size compared with previous work [13]. Unfortunately, we observe that the dual system groups in [16] are insufficient for constructing fully secure decentralized ABE, since they have only one semifunctional space. To overcome this, we extend the basis of dual system groups from a 2 × 2 matrix to a 3 × 3 matrix, inspired by [20]. The first -dimension subspace is the normal space, the next -dimension subspace is used to construct type 1 semifunctional secret keys, and the last -dimension subspace is used to construct type 2 semifunctional secret keys. In addition, we realize left subgroup indistinguishability, right subgroup indistinguishability 1, and right subgroup indistinguishability 2. These assumptions are used to mimic the effect of the subgroup decision assumption in composite-order groups.
The paper is organized as follows. In Section 2, we review related work. In Section 3, we briefly summarize the relevant concepts of multiauthority CP-ABE and prime-order bilinear groups. In Section 4, we give our revised definition of dual system groups, and in Section 5 we realize it in the prime-order setting. In Section 6, we give our decentralized CP-ABE system, outline the security proof, and discuss its efficiency. In Section 7, we conclude the paper.

Related Works
Attribute-based encryption was introduced by Sahai and Waters [1]; it can encrypt a message for multiple receivers by their attributes, rather than designating recipients in advance. Subsequently, Goyal et al. [2] extended this idea and classified ABE systems into two categories: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). The first fully secure ABE system was presented by Lewko et al. [4]; before that, all ABE systems could only be proved selectively secure. In addition, several variants of ABE have been proposed. Ostrovsky et al. [21] showed how to realize negation by incorporating specific revocation schemes into the construction of [2]. Lewko et al. [22] provided a fully secure ABE system that is resilient to continual leakage. With regard to public parameter optimization, large universe ABE systems, in which the size of the attribute universe can be exponentially large, were proposed in [23, 24]. The first multiauthority ABE system was introduced in [10] by Chase; it has one central authority (CA) and multiple attribute authorities (AAs). Subsequently, Chase and Chow [25] removed the CA by using a distributed pseudorandom function. Both [10, 25] support only AND-gate policies. A multiauthority ABE that supports threshold policies was provided by Lin et al. [26]; no CA is required in their system. However, the authorities are fixed and must interact with each other during setup. The multiauthority ABE schemes proposed in [10, 25, 26] consider only the KP-ABE setting. Müller et al. [27] proposed the first multiauthority CP-ABE, supporting policies written in disjunctive normal form (DNF), with one CA and multiple AAs. The system can only be proved secure in the generic group model. In addition, all the above systems can only defend against selective attacks; that is, the attacker must commit to a target access structure before the setup phase. Lewko and Waters [11] first obtained a fully secure multiauthority CP-ABE by using the dual system encryption technique [14, 15]. Their system is decentralized; that is, the authorities are equal, with no need for a CA, and any monotone access structure can be supported. They proved security under static assumptions in the random oracle model. Liu et al. [28] proposed a multiauthority CP-ABE with multiple CAs and AAs. In their system, all of the CAs must work together to issue an identity-related key to the user. They used a (, ) threshold policy to distribute the master secret, preventing any authority from decrypting ciphertexts independently. The system can be proved fully secure in the standard model. Scheme [11] is built on composite-order groups, which results in low efficiency. An improved design in prime-order bilinear groups was carried out in [13]. Recently, Rouselakis and Waters [29] proposed an efficient large universe decentralized ABE system. However, the scheme achieves only static security, in which all queries (for both ciphertexts and secret keys) made by the attacker must be sent to the challenger immediately after seeing the global parameters.
In addition, several extensions of multiauthority ABE have been proposed. Ma et al. [30] presented a multiauthority ABE with traitor tracing; the system is not practical due to the infeasibly large sizes of the public key and ciphertext. Li et al. [31] proposed a multiauthority CP-ABE scheme with accountability, which allows tracing the identity of a misbehaving user who leaked the decryption key to others; the system supports AND-gate policies. A large universe decentralized KP-ABE scheme was proposed in [32]; the system supports any monotone access policy and can be proved selectively secure in the standard model. Gorasia et al. [33] presented a multiauthority CP-ABE with fast decryption, which supports only threshold policies. Zhong et al. [34] proposed a decentralized CP-ABE scheme with hidden policy; it also supports user revocation but achieves only selective security. An adaptively secure multiauthority CP-ABE scheme with verifiable outsourced decryption was given in [35].

Preliminaries
Notation. We use  ←  to denote that  is picked uniformly at random from a set . We denote probabilistic polynomial-time by PPT.

Prime-Order Bilinear Groups and Computational Assumptions
Prime-Order Bilinear Groups.
Assumption 1 (k-Lin: the k-linear assumption in  1 ). For any PPT adversary A, the advantage of A is negligible in the security parameter.
Assumption 2 ((k, ℓ)-LLin: the (k, ℓ)-lifted linear assumption in  1 ). For any PPT adversary A, the advantage of A is negligible in the security parameter.
Lemma 3 (see [20]). For any PPT adversary A, there exists an adversary B such that (5) holds.

Multiauthority CP-ABE
3.2.1. Definition. In this paper, we use the definition of multiauthority CP-ABE and the security model presented in [11].
We let  denote the attribute set managed by AA  and  = ⋃  denote the universe of attributes. For  ≠ , we assume that  ∩  = Φ. A multiauthority CP-ABE system consists of the following five algorithms:
GlobalSetup(1 ) → GP. This algorithm takes as input a security parameter  and outputs the global public parameters GP.
Authority Setup(GP) → APK , ASK . This algorithm is run by attribute authority AA . It takes as input the global parameters GP and outputs its own public key APK  and secret key ASK .
KeyGen(GP, GID, ASK ,  ) → SK GID, . This algorithm is run by AA . It takes as input GP, ASK , an identity GID, and an attribute att  belonging to AA , and returns a secret key SK GID, .

Extended Dual System Groups
The first four algorithms are used for normal ciphertexts and secret keys in the real system, while the remaining ones are used only for semifunctional ciphertexts and keys in the security proof. We use SampG 0 to denote the first element of  → , that is,  0 .
Correctness. The following conditions must hold.
(H-Subgroup). The output of SampH(pp) is distributed uniformly over a subgroup of H +1 .
(Left Subgroup Indistinguishability). For any PPT adversary A, the advantage of A is negligible in the security parameter.
(Right Subgroup Indistinguishability 1). For any PPT adversary A, the advantage of A is negligible in the security parameter.
(Right Subgroup Indistinguishability 2). For any PPT adversary A, the advantage of A is negligible in the security parameter.
(Parameter Hiding). The following two distributions are identical.

Instantiating EDSG
We let  (⋅),  (⋅), and  (⋅) be functions mapping a 3 × 3 matrix to its left-most  columns, middle  columns, and right-most  columns, respectively.
(Projective). For all
Security. We check the following security properties.
(Orthogonality)
(Nondegeneracy) With overwhelming probability, the inner product is distributed uniformly over  , and the same is true for
(H-Subgroup). This follows from the fact that Z 3  is an additive group.

Security and Communication Networks
Then we can compute
Simulating the Challenge. B simulates the challenge as follows. If  + = 0,  = 1, . . ., 2, that is, ; otherwise, the output is
Similarly, we can prove
Hence, right subgroup indistinguishability 2 holds.
Lemma 8 (parameter hiding). The following are identically distributed: ; R is a random full-rank diagonal matrix in Z 3  whose bottom-right entry is a 2-dimensional unit matrix. Observe that
Hence,
(i) If û = ũ = 0, then we obtain the first distribution.
(ii) If û, ũ ← Z , then we obtain the second distribution.

Our Scheme
This section presents our decentralized CP-ABE system.
Recall that  (⋅),  (⋅), and  (⋅) are functions mapping a 3 × 3 matrix to its left  columns, middle  columns, and right  columns, respectively. We use the left -dimension subspace to generate the normal ciphertexts and secret keys.
The other two subspaces are used only in the security proof. The hash function  maps global identities to random elements in H and is modeled as a random oracle in the security proof.

Construction
Authority Setup(GP). For each attribute att  belonging to the authority, the authority samples
Enc({APK}, GP, (M, ), ). Input a message , a matrix M ∈ Z ×  with  mapping its rows to attributes (in our system, we require  to be injective), the global parameters, and the public keys of the relevant authorities. Pick U 2 , . . .,
KeyGen(GP, GID, ASK ,  ). Compute a key for GID and attribute att  belonging to authority AA  as follows:
Dec(GP, SK GID, , CT). The secret keys {SK GID, } correspond to a subset of rows of M. Then, compute (73).
6.2. Security Proof. We define the semifunctional ciphertext and secret key as follows.
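As an added illustration (not the paper's code) of the access-matrix steps in Enc and Dec above: Enc shares the secret exponent along the rows of M, and Dec recombines the rows whose attributes the user's keys cover, using coefficients that express e1 = (1, 0, ..., 0) in their span, which exists if and only if the monotone policy is satisfied. The e1 target convention, the toy prime, and the example policy (A AND B) OR C are assumptions; the pairing-group operations are omitted so that only the linear secret sharing is shown.

```python
import random

P = 2**61 - 1  # constructed toy prime; a real scheme uses the pairing-group order

def solve_mod_p(A, b, p):
    """Return x with A x = b (mod p) if a solution exists, else None (Gaussian elimination)."""
    rows, cols = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][cols] for i in range(r, rows)):  # a row 0 = nonzero: no solution
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x

def reconstruction_coeffs(M, rho, attrs, p=P):
    """Dec side: coefficients omega_i with sum_i omega_i * M_i = (1, 0, ..., 0) over the
    rows whose attribute rho[i] the user holds, or None if the policy is not satisfied."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    n = len(M[0])
    A = [[M[i][j] for i in idx] for j in range(n)]  # one equation per column of M
    w = solve_mod_p(A, [1] + [0] * (n - 1), p)
    return None if w is None else dict(zip(idx, w))

def share(M, secret, p=P, rng=random):
    """Enc side: lambda_i = <M_i, v> with v = (s, r_2, ..., r_n) and r_j random in Z_p."""
    v = [secret % p] + [rng.randrange(p) for _ in range(len(M[0]) - 1)]
    return [sum(m * vj for m, vj in zip(row, v)) % p for row in M]

def reconstruct(shares, coeffs, p=P):
    """Dec side: sum_i omega_i * lambda_i recovers s when the chosen rows span e1."""
    return sum(coeffs[i] * shares[i] for i in coeffs) % p

# Constructed policy (A AND B) OR C in LSSS form; rho labels each row with its attribute.
M_DEMO = [[1, 1], [0, -1], [1, 0]]
RHO_DEMO = ["A", "B", "C"]

if __name__ == "__main__":
    shares = share(M_DEMO, 12345)
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        w = reconstruction_coeffs(M_DEMO, RHO_DEMO, attrs)
        print(sorted(attrs), "->", None if w is None else reconstruct(shares, w))
```

Unauthorized sets such as {A} or {B} yield no coefficients, and their shares alone are independent of s because the random r_j masks them.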
Semifunctional Ciphertext. We let  ,  0 ,  1, ,  2, denote the normal ciphertext. The semifunctional ciphertext takes the following form:
Semifunctional Secret Key. There are two types of semifunctional keys. A type 1 semifunctional key takes the following form:
A type 2 semifunctional key takes the following form:
When a semifunctional key is used to decrypt a semifunctional ciphertext, the additional terms are as follows. (i) For a type 1 semifunctional key:
The proof proceeds through the following sequence of games.
(i) Game 0 : the real security game.
(ii) Game 1 : identical to Game 0 except that the challenge ciphertext becomes semifunctional.
(iii) Game 2,,1 for  = 1, . . ., : identical to Game 1 except that the first  − 1 keys revealed to A are semifunctional of type 2, and the th key is semifunctional of type 1.
(v) Game 3 : identical to Game 2,,2 except that the challenge ciphertext is a semifunctional ciphertext of a random message  ∈ G .
Lemma 9 (from Game 0 to Game 1 ). For any PPT adversary A, there exists an adversary B such that |Adv
Proof. The adversary B gets input
Challenge. Upon receiving (M, ),  0 , and  1 , B computes the ciphertext using  → . We note that the ciphertext is properly distributed except for  2, , which takes the following form: where  → , → , → ← Z , U 2 , . . ., U  ← Z 3×3 . We must argue that there is no difference in A's view.
By parameter hiding, it suffices to show that
Key Queries.We let GID  denote the th identity queried by A.
B creates secret keys as follows:
Challenge. Upon receiving (M, ),  0 , and  1 , B computes the ciphertext as follows:
which means they leak no information whatsoever about  (B). →  is uniformly distributed over G . This implies that the challenge ciphertext is identically distributed to a semifunctional encryption of a random message in G , as in Game 3 .

Performance Discussions
In this section, we analyze the space and computation cost of the proposed scheme by comparing it with existing decentralized ABE schemes.
As shown in Table 1, [11] is built on composite-order groups. We recall that composite-order elements are 12 times larger than prime-order ones and that pairing is 250 times slower in composite-order groups than in prime-order ones [12]. Though [29] is efficient, the scheme can only be proved statically secure under a -type assumption. Both [13] and ours are based on prime-order groups; the secret key size and the ciphertext size in ours are reduced by about 40% compared with [13] under the same assumption (DLIN). We would see further improvement if we instantiated our construction under the SXDH assumption. In addition, the ciphertexts in our setting can be decrypted with a constant number of pairings at the cost of some additional exponentiations. We believe this is a good trade, since a pairing is about 5 times slower than a group exponentiation according to [29]. The advantage in decryption performance of our scheme becomes more pronounced as the number of attributes used for decryption increases.

Conclusions
In this paper, we presented a fully secure decentralized CP-ABE scheme under the standard k-Lin assumption in prime-order groups. To prove the security of our scheme, we extended the basis of dual system groups from a 2 × 2 matrix to a 3 × 3 matrix and realized some assumptions to mimic the effect of the subgroup decision assumption in composite-order groups. Our scheme achieves lower computational cost thanks to a decryption that needs only a constant number of pairing operations. We discussed the performance of our scheme from a theoretical point of view. Compared with other existing decentralized CP-ABE schemes, our scheme is more compact to implement and provides better efficiency in terms of communication and computation cost.

(i) SampP(1 , 1 ): output: (a) the public parameter pp, which contains a group description (G, H, G ), a nondegenerate bilinear map  : G × H → G , a linear map  defined on H, and some additional parameters for SampG and SampH.
Model. The security of multiauthority CP-ABE is defined by the following game between a challenger B and an adversary A.
Setup. The challenger B executes the GlobalSetup and Authority Setup algorithms. It gives GP and {APK } to the adversary A. For corrupt authorities, B also gives the corresponding {ASK } to A.
Guess. A outputs a guess  for . The adversary's advantage is defined to be |Pr[ = ] − 1/2|.
Definition 4. A multiauthority CP-ABE scheme is secure if, for all PPT adversaries, the advantage in the above security game is negligible.

Table 1: Comparison among existing decentralized CP-ABE schemes. |APK|, |SK|, and |CT| represent the size of the authority's public keys, the user's secret keys, and the ciphertexts.  is the number of attributes present in an authority or secret key. ℓ is the number of rows in the access matrix. Dec represents the decryption cost; "Pair" and "Exp" represent the number of pairings and exponentiations in groups. ℓ  is the number of attributes used during decryption. || indicates the group order, where "P" stands for prime and "C" for composite order. "Assu." and "Secu." are abbreviations of assumption and security, respectively.
Upon receiving (M, ),  0 , and  1 , B computes the semifunctional ciphertext of  0 or  1 . Observe that  1, =  ( 1 ,  2 )  ( 1 ,  2 ) ⋅  ( 1 ,  2 ) ⊤  (B)