An Efficient Key-Policy Attribute-Based Encryption Scheme with Constant Ciphertext Length

Adoption of cloud computing among enterprises is accelerating. However, moving infrastructure and sensitive data from the trusted domain of the data owner to a public cloud poses severe security and privacy risks. Attribute-based encryption (ABE) is a new cryptographic primitive which provides a promising tool for addressing the problem of secure and fine-grained data sharing and decentralized access control. Key-policy attribute-based encryption (KP-ABE) is an important type of ABE, in which senders encrypt messages under a set of attributes, while private keys are associated with access structures that specify which ciphertexts the key holder is allowed to decrypt. In most existing KP-ABE schemes, the ciphertext size grows linearly with the number of attributes embedded in the ciphertext. In this paper, we propose a new KP-ABE construction with constant ciphertext size. In our construction, the access policy can be expressed as any monotone access structure. Meanwhile, the ciphertext size is independent of the number of ciphertext attributes, and the number of bilinear pairing evaluations is reduced to a constant. We prove that our scheme is semantically secure in the selective-set model based on the general Diffie-Hellman exponent assumption.


Introduction
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. There are two main categories of cloud infrastructure: public cloud and private cloud. To take advantage of public clouds, data owners must upload their data to commercial cloud service providers, which are usually considered to be semi-trusted, that is, honest but curious [2]. That is, the cloud service providers will try to learn as much secret information from the users' outsourced data as possible, but they will honestly follow the protocol in general.
Traditional access control techniques are based on the assumption that the server is in the trusted domain of the data owner, so that an omniscient reference monitor can enforce access policies against authenticated users. In the cloud computing paradigm this assumption usually does not hold, and therefore these solutions are not applicable. There is a need for a decentralized, scalable, and flexible way to control access to cloud data without fully relying on the cloud service providers.
Data encryption is the most effective means of preventing unauthorized access to sensitive data. In traditional public key encryption or identity-based encryption systems, encrypted data is targeted for decryption by a single known user. Unfortunately, this functionality lacks the expressiveness needed for more advanced data sharing. To address these emerging needs, Sahai and Waters [3] introduced the concept of attribute-based encryption (ABE). Instead of encrypting to individual users, in an ABE system one can embed an access policy into the ciphertext or into the decryption key. Data access is thus enforced by the cryptography itself, requiring no trusted mediator.
ABE can be viewed as an extension of identity-based encryption in which the user identity is generalized to a set of descriptive attributes instead of a single string. Compared with identity-based encryption [4], ABE has the significant advantage of achieving flexible one-to-many encryption instead of one-to-one; it is envisioned as a promising tool for secure and fine-grained data sharing and decentralized access control.
There are two types of ABE, depending on whether access policies are associated with private keys or with ciphertexts.
In a key-policy attribute-based encryption (KP-ABE) system, ciphertexts are labeled by the sender with a set of descriptive attributes, while a user's private key, issued by the trusted attribute authority, captures an access policy (also called the access structure) that specifies which ciphertexts the key can decrypt. KP-ABE schemes are suitable for structured organizations with rules about who may read particular documents. Typical applications of KP-ABE include secure forensic analysis and targeted broadcast [5]. For example, in a secure forensic analysis system, audit log entries could be annotated with attributes such as the name of the user, the date and time of the user action, and the type of data modified or accessed by the user action, while a forensic analyst charged with some investigation would be issued a private key associated with a particular access structure. The private key would only open audit log records whose attributes satisfy the access policy associated with the private key. The first KP-ABE construction was provided by Goyal et al. [5]; it was very expressive in that it allowed access policies to be expressed by any monotone formula over the attributes of the encrypted data. The system was proved selectively secure under the Bilinear Diffie-Hellman assumption. Later, Ostrovsky et al. [6] proposed a KP-ABE scheme in which private keys can represent any access formula over attributes, including non-monotone ones, by integrating revocation schemes into the Goyal et al. KP-ABE scheme.
In a ciphertext-policy attribute-based encryption (CP-ABE) system, when a sender encrypts a message, the sender specifies an access policy, expressed as an access structure over attributes, in the ciphertext, stating what kind of receivers will be able to decrypt it. Users possess sets of attributes and obtain corresponding secret attribute keys from the attribute authority. Such a user can decrypt a ciphertext if his or her attributes satisfy the access policy associated with the ciphertext. Thus, the CP-ABE mechanism is conceptually closer to the traditional role-based access control method. The first CP-ABE scheme was proposed by Bethencourt et al. in [7], but its security was only proved in the generic group model. Cheung and Newport [8] gave a CP-ABE construction under the Bilinear Diffie-Hellman assumption, but policies are restricted to a single AND gate. Later, Goyal et al. [9] proposed a generic transformation from a KP-ABE scheme into a CP-ABE scheme using a universal access tree. Their construction supports access structures representable by a bounded-size access tree with threshold gates as its nodes, and its security proof is based on the standard Decisional Bilinear Diffie-Hellman assumption. Unfortunately, in general this methodology yields a ciphertext blowup of ( 3.42 ) group elements for a Boolean formula of size , which limits its usefulness in practice. The most efficient CP-ABE schemes in terms of ciphertext size and expressivity were proposed by Waters in [10], with the size of a ciphertext depending linearly on the number of attributes involved in the policy for that ciphertext.
ABE has drawn extensive attention from both academia and industry; many ABE schemes have been proposed, and several cloud-based secure systems using ABE have been developed [11,12]. Most research work on ABE has focused on the design of expressive schemes, where access structures can implement Boolean formulas that are as complex as possible. Almost all existing ABE schemes that admit reasonably expressive decryption policies produce ciphertexts whose size depends at least linearly on the number of attributes involved in the policy. Emura et al. [13] proposed the first CP-ABE scheme with constant-size ciphertexts, but policies are restricted to a single AND gate. Later, Herranz et al. [14] proposed the first CP-ABE scheme supporting threshold access structures with constant-size ciphertexts. Recently, Attrapadung et al. [15] proposed a CP-ABE scheme with constant-size ciphertexts for threshold access policies in which private keys remain as short as in previous systems. They also showed that a class of identity-based broadcast encryption schemes with the linearity property generically yields monotone KP-ABE systems in the selective-set model, at the expense of longer private keys of size ( × ) elements, where  denotes the maximal number of attributes embedded in the ciphertext and  is the number of attributes in the access structure. Thus, this transformation yields monotone KP-ABE schemes with constant-size ciphertexts from identity-based broadcast encryption schemes that have both the linearity property and constant ciphertext size. However, we notice that most existing identity-based broadcast encryption schemes with constant-size ciphertexts do not satisfy the linearity property, and that linearity is not a necessary condition for constructing a KP-ABE scheme with constant-size ciphertexts. In this paper, we propose a new KP-ABE construction with constant ciphertext size by adopting the idea of the Delerablee identity-based broadcast encryption scheme [16]. In our construction, the access policy can be expressed as any monotone access structure. Meanwhile, the ciphertext size is independent of the number of ciphertext attributes, and the number of bilinear pairing evaluations is reduced to a constant. We prove that our scheme is semantically secure in the selective-set model based on the general Diffie-Hellman exponent assumption.
The rest of this paper is organized as follows. Some necessary background on bilinear pairings, access structures and linear secret sharing schemes, and the Delerablee identity-based broadcast encryption scheme is introduced in Section 2. The syntax and security notions of KP-ABE are given in Section 3. A concrete KP-ABE construction with constant-size ciphertexts and its security argument are presented in Section 4. We conclude our work and present future work in Section 5.

Preliminary Works
We first introduce some notation. If S is a set, then  ∈  S denotes the operation of picking an element  uniformly at random from S. For a set U, we define its power set as be two row vectors; we denote the standard inner product by ⟨u, k⟩. A function () is negligible if for every  > 0, there exists a   , such that () < 1/  for all  >   .

Access Structure and Linear Secret Sharing Scheme
Definition 2. Let P = { 1 ,  2 , . . .,   } be a set of parties. A collection A ⊆ 2 P is monotone if, for any two sets B and C, B ∈ A and B ⊆ C imply C ∈ A. An access structure (resp., monotone access structure) is a collection (resp., monotone collection) A of nonempty subsets of P. The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets.

Definition 3. Let P be a set of parties,  ℓ× an ℓ× matrix, and  : {1, 2, . . ., ℓ} → P a function that maps each row to a party for labeling. A secret sharing scheme Π for access structure A over a set of parties P is a linear secret sharing scheme (LSSS) in Z  and is represented by ( ℓ× , ) if it consists of two efficient algorithms.

In our context, the role of the parties is taken by the attributes, so the access structure contains the authorized sets of attributes. As in most of the relevant literature [5,6,10], we restrict ourselves to monotone access structures. In general, access policies can be described by monotone Boolean formulas, and there are standard techniques to convert any monotone Boolean formula into a corresponding LSSS matrix [17].
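As an added worked example (not part of the paper, and not the paper's construction), the following Python builds an LSSS matrix from a monotone Boolean formula using the standard Lewko-Waters conversion referred to above, shares a secret over Z_p with the resulting matrix, and decides whether an attribute set is authorized by solving for reconstruction coefficients that combine the set's rows into (1, 0, ..., 0). The prime modulus, the attribute names and the example policy (modelled on the audit-log scenario in the introduction) are constructed for illustration. The same authorization test is what "W satisfies the access structure" means for a key holder, and its negation is the restriction placed on key queries in the selective-set game.

```python
# Added example (not from the paper): monotone Boolean formula -> LSSS matrix
# via the standard Lewko-Waters conversion, plus sharing/reconstruction over Z_p.
import random

# Assumed modulus standing in for the prime group order p; 2**127 - 1 is prime.
P = 2**127 - 1

# Formula AST: ('attr', name) | ('and', left, right) | ('or', left, right).
# Policy constructed for illustration, in the spirit of the audit-log example.
EXAMPLE_POLICY = ('and',
                  ('or', ('attr', 'user:alice'), ('attr', 'user:bob')),
                  ('and', ('attr', 'data:payroll'), ('attr', 'date:2013-05')))


def lsss_from_formula(formula):
    """Return (M, rho): M is a list of integer rows, rho[i] labels row i with an
    attribute. Authorized sets are exactly those whose rows span (1,0,...,0)."""
    rows, rho = [], []
    counter = [1]  # current vector length c; grows by one per AND gate

    def walk(node, vec):
        if node[0] == 'attr':
            rows.append(list(vec))
            rho.append(node[1])
            return
        kind, left, right = node
        if kind == 'or':            # OR: both children inherit the parent's vector
            walk(left, vec)
            walk(right, vec)
        elif kind == 'and':         # AND: split the vector across a fresh column
            c = counter[0]
            padded = list(vec) + [0] * (c - len(vec))
            counter[0] = c + 1
            walk(left, padded + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError('unknown node kind %r' % kind)

    walk(formula, [1])
    width = counter[0]
    M = [row + [0] * (width - len(row)) for row in rows]
    return M, rho


def solve_mod_p(A, b, p=P):
    """Solve A x = b over Z_p by Gaussian elimination; None if inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[a % p for a in A[i]] + [b[i] % p] for i in range(m)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, m) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [(x * inv) % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):  # a row 0 = nonzero: no solution
        return None
    x = [0] * n                              # free variables set to 0
    for i, col in enumerate(pivots):
        x[col] = aug[i][n]
    return x


def reconstruction_coeffs(M, rho, attrs, p=P):
    """Coefficients {row: w} with sum(w_i * M_i) = (1,0,...,0) using only rows
    labelled by attrs; None if attrs is unauthorized."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    width = len(M[0])
    # Unknowns are the w_i; equation j fixes the j-th coordinate of the sum.
    A = [[M[i][j] for i in idx] for j in range(width)]
    e1 = [1] + [0] * (width - 1)
    sol = solve_mod_p(A, e1, p)
    return None if sol is None else dict(zip(idx, sol))


def is_authorized(M, rho, attrs):
    return reconstruction_coeffs(M, rho, attrs) is not None


def share(M, secret, p=P):
    """Shares s_i = <M_i, v> with v = (secret, r_2, ..., r_c), r_j random."""
    width = len(M[0])
    v = [secret % p] + [random.randrange(p) for _ in range(width - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def reconstruct(M, rho, shares, attrs, p=P):
    coeffs = reconstruction_coeffs(M, rho, attrs, p)
    if coeffs is None:
        raise ValueError('attribute set does not satisfy the access structure')
    return sum(w * shares[i] for i, w in coeffs.items()) % p


if __name__ == '__main__':
    M, rho = lsss_from_formula(EXAMPLE_POLICY)
    print(M, rho)
    sh = share(M, 4242)
    print(reconstruct(M, rho, sh, {'user:bob', 'data:payroll', 'date:2013-05'}))
    print(is_authorized(M, rho, {'user:alice', 'user:bob'}))
```

For the example policy the conversion yields the four rows (1,1,0), (1,1,0), (0,-1,1), (0,0,-1); any set containing one of the users plus both data attributes combines its rows with coefficients (1,1,1) into (1,0,0) and recovers the secret, while a set missing either data attribute cannot, because the second or third coordinate of every combination of its rows stays nonzero or the first stays zero.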

The Delerablee Identity-Based Broadcast Encryption Scheme
Delerablee proposed the first identity-based broadcast encryption scheme with constant-size ciphertexts and private keys [16], which is described as follows.

Syntax and Security Notions for KP-ABE Scheme
Let U = {attr 1 , . . ., attr  } be the universe of possible attributes, where each attr  denotes an attribute and  is the total number of attributes. A KP-ABE scheme parameterized by the attribute universe U consists of the following four polynomial-time algorithms.
(i) Setup(1  , U): this probabilistic algorithm is run by the trusted attribute authority. It takes as input the security parameter  and the attribute universe U and outputs the public parameters params and the master secret key msk. The trusted attribute authority publishes params and keeps msk secret.
(ii) KeyGen(params, msk, A): this probabilistic algorithm is run by the trusted attribute authority. It takes as input the public parameters params, the master secret key msk, and an access structure A that the trusted attribute authority assigns to the user, and outputs a decryption key SK A .
(iii) Encrypt(params, W, ): this probabilistic algorithm is run by the sender. It takes as input the public parameters params, a set of descriptive attributes W, and a message  ∈ {0, 1} with probability 1 over the randomness of all the algorithms.
Indistinguishability of a KP-ABE scheme under chosen plaintext and attribute-set attack in the selective-set model [5] is defined by the following game between a challenger and an adversary.
(i) Initialization: the adversary declares the set of attributes W on which it wishes to be challenged.
(ii) Setup: the challenger runs the Setup algorithm of the KP-ABE scheme and gives the public parameters to the adversary.
(iii) Phase 1: the adversary is allowed to issue up to   private key queries for access structures A  , with the restriction that W ∉ A  for all .
(iv) Challenge: the adversary submits two messages  0 and  1 of equal length. The challenger flips a random coin  and encrypts message   under W. The ciphertext is then sent to the adversary.
(v) Phase 2: the adversary may continue to issue private key queries as in Phase 1, under the same restriction.
(vi) Guess: the adversary outputs its guess   of .
The advantage of an adversary in the above game is defined as |Pr[  = ] − 1/2|.

Definition 6. A KP-ABE scheme is secure in the selective-set model if all polynomial-time adversaries have at most a negligible advantage in the selective-set game.
The model can easily be extended to handle chosen-ciphertext attacks by allowing decryption queries in Phase 1 and Phase 2.

Our Construction
In this section, we present a new KP-ABE scheme with constant-size ciphertexts by adopting the idea of the Delerablee identity-based broadcast encryption scheme.The proposed KP-ABE construction is described as follows.
(i) Setup(1  , U): given the security parameter , the trusted attribute authority chooses three cyclic groups G 1 , G 2 , and G  of prime order  with a bilinear pairing ê : Then the trusted attribute authority chooses two generators  ∈ G 1 and ℎ ∈ G 2 as well as a secret value ∈  Z *  and a cryptographic hash function  : {0, 1} * → Z *  . The security analysis will view  as a random oracle. The master secret key is defined as msk = (, ). The public parameters are params = (, V, ℎ, ℎ  , . . ., ℎ   ), where  =   and V = ê(, ℎ).
Proof. Assume  is well formed, which means  is encrypted under the set of attributes W = {  }  =1 ; thus ⋅ê(, ℎ) = (ê(, ℎ) So we have This ends the proof.

Theorem 8.
The proposed KP-ABE scheme is secure in the selective-set model under the (, , )-GDDHE assumption.

Proof. Suppose that there exists a polynomial-time adversary A that can attack the above KP-ABE scheme in the selective-set model with nonnegligible advantage. Then we can build a simulator B that attacks the Delerablee identity-based broadcast encryption scheme in the selective-ID model with nonnegligible advantage. The simulation proceeds as follows.
(i) Initialization: the adversary A chooses the set of attributes W* on which it wants to be challenged and sends W* to the simulator B. The simulator B then forwards this challenge attribute set to the challenger C of the selective-ID game for the Delerablee identity-based broadcast encryption scheme, treating each attribute as an identity in that scheme. The challenger C computes and returns the private key sk   corresponding to   to B. Finally, the simulator sets the private key part   = (sk     , {ℎ     } =1,..., ).
(ii) Setup: the challenger C generates params and msk and sends params to the simulator B; B then forwards them to the adversary A.
(iii) Phase 1: the adversary A adaptively makes private key queries for access structures (, ) that cannot be satisfied by W*. The simulator B picks a vector  = ( 1 ,  2 , ...,   ) ⊺ at random and calculates   = ⟨M  ,  ⊺ ⟩. (1) If () ∈ W*, then the simulator B picks   ∈  Z *  and submits the private key query   to the challenger C. (2) If () ∉ W*, then the simulator B submits the private key query () to the challenger C. After the simulator B obtains the private key sk () corresponding to () from the challenger C, it sets the private key part   = (sk   () , {ℎ     } =1,..., ).
(3)
At last, B returns sk (,) = {  } =1,...,ℓ to the adversary A.
(iv) Challenge: the adversary A chooses two messages  0 and  1 of equal length and sends them to the simulator B. The simulator B forwards them to the challenger C. The challenger C picks one of them at random, encrypts it under the attribute set W*, and returns the ciphertext   to the simulator B. Finally, the simulator B sends it to the adversary A.
(v) Guess: the adversary A returns its guess   to the simulator B, and the simulator B forwards it to the challenger C.
From the adversary A's point of view, the private keys it obtained from the simulator B are indistinguishable from those obtained from the KeyGen algorithm. Thus, if the adversary A can attack the proposed KP-ABE scheme in the selective-set model with nonnegligible advantage, then

Attrapadung et al. [15] proposed a CP-ABE scheme and a KP-ABE scheme with constant-size ciphertexts; we denote them the [15]-1 scheme and the [15]-2 scheme, respectively.
Comparisons are made in terms of private key size, ciphertext size, and the number of pairing evaluations for encryption and decryption. In the table,  denotes the number of attributes in the attribute universe,  the number of attributes in the access structure describing the private key of a KP-ABE scheme,  the number of attributes describing the private key of a CP-ABE scheme, and  the number of pairing evaluations.

Conclusion
In this paper, we have constructed a new KP-ABE scheme supporting any monotone access structure with constant-size ciphertexts and proved that the proposed scheme is semantically secure in the selective-set model based on the general Diffie-Hellman exponent assumption. The downside of the proposed KP-ABE scheme is that the private key size grows with the number of attributes in the access structure. One interesting open problem would be to construct a KP-ABE scheme with constant-size ciphertexts that is secure under a more standard assumption or that achieves the stronger full security notion. Another challenging problem is to construct a KP-ABE scheme with both constant ciphertext size and constant private key size.