A New User Revocable Ciphertext-Policy Attribute-Based Encryption with Ciphertext Update

The revocable ciphertext-policy attribute-based encryption (R-CP-ABE) is an extension of ciphertext-policy attribute-based encryption (CP-ABE) which can realize user direct revocation and maintain a short revocation list. However, the revoked users can still decrypt the previously authorized encrypted data with their old key. An R-CP-ABE scheme should provide a mechanism to protect the confidentiality of the encrypted data by disqualifying the revoked users from accessing the previously encrypted data. Motivated by practical needs, we propose a new user R-CP-ABE scheme that simultaneously supports user direct revocation, a short revocation list, and ciphertext update by incorporating the identity-based and time-based revocable technique. The scheme provides a strongly selective security proof under the modified decisional q-parallel bilinear Diffie–Hellman Exponent problem, where "strongly" means that the adversary can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list.


Introduction
As a special kind of public key encryption (PKE), attribute-based encryption (ABE) is a one-to-many cryptographic primitive that can offer fine-grained access control. In general, there are two types of ABE schemes: key-policy attribute-based encryption (KP-ABE) [1][2][3][4] and ciphertext-policy attribute-based encryption (CP-ABE) [5][6][7][8]. In a KP-ABE scheme, the secret key is associated with an access structure and the ciphertext is labeled with a set of attributes. In a CP-ABE scheme, by contrast, the secret key is related to a set of attributes and the ciphertext is associated with an access structure. Compared with traditional access control systems, ABE has many advantages, so it suits many network applications such as cloud storage systems [9][10][11][12] and medical e-healthcare systems [13][14][15][16][17][18].
Providing an efficient and practical revocation mechanism is very important in ABE, since it can prevent a user from accessing encrypted data in a cryptosystem by revoking the access authority. There are mainly two methods to revoke users in ABE, namely direct revocation and indirect revocation. Indirect revocation [19,20] requires an authority to update the keys only for the nonrevoked users so that they can continue to decrypt the encrypted data. The revoked users cannot decrypt any newly generated ciphertext since their keys were not updated. However, user instant revocation cannot be implemented with this approach. Suppose an employee's access to the encrypted data is revoked some day before the key update time; he could still decrypt any newly generated encrypted data until the key is updated. If we update the key as soon as a user is revoked in order to realize user instant revocation, it becomes a bottleneck and is not practical for a large organization where there may be an army of revoked users. Moreover, the revoked users can still access the previously generated encrypted data. Direct revocation [21,22] allows a public revocation list to be specified directly during encryption, so that the ciphertext cannot be decrypted by the users in the revocation list even if their attributes/policies satisfy the policies/attributes related to the ciphertext. The ciphertext can only be decrypted by users who are not in the revocation list and whose attributes satisfy the access policy. This method can implement user instant revocation and does not need to update the secret key, while the disadvantage is that the revocation list gets longer over time. This makes encryption and decryption inefficient, especially in a large system.

Related Work.
Many schemes [23][24][25][26][27][28] have been presented to deal with revocation in attribute-based access control. Boldyreva et al. in [19] proposed a revocable KP-ABE. In their scheme, the authority stores a revocation list and executes the key update algorithm for the nonrevoked users who are not in the revocation list. Using the key update approach, Yu et al. in [25] put forward a revocable CP-ABE. The revoked users cannot decrypt the updated ciphertext, but access policies rarely support logical AND in their contribution. In 2012, Sahai et al. in [20] proposed the concept of revocable-storage ABE. In their scheme, they added a ciphertext delegation and ciphertext updating algorithm so that the ciphertext can be decrypted only if the encryption time t < t′, where t′ is the key expiry time. In detail, the third-party server can update the stored ciphertext without any interaction with the data owners as soon as a revocation event happens, and the re-encrypted ciphertext can no longer be recovered by the revoked users. Using direct revocation, Balu et al. in [26] put forward a revocable CP-ABE. Their model, however, is weak in that the adversary can only query the secret key of a user whose attribute set does not satisfy the challenge ciphertext access policy and whose identity is not in the revocation list.
Wang et al. in [23] proposed a new revocable CP-ABE that incorporates ID-based revocation. In their security definition, the adversary can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list. Nevertheless, the size of the ciphertext is linear in the number of users in the revocation list, which gets longer as time goes by. Liu et al. in [29] proposed a revocable CP-ABE using the direct approach. They put forward a secret key time validation technique to address the growth of the revocation list. Users can decrypt the ciphertext if and only if the validity time period of the secret key completely covers the validity time period of the ciphertext. The size of the ciphertext is only related to the embedded policy, while the size of the secret key is linear not only in the maximum length of the revocation list but also in the number of attributes of the user. Their scheme can implement user direct revocation and maintain a short revocation list. However, the revoked users can still decrypt the previously authorized ciphertext with their old key. We take this issue into account in the setting where users' access authority changes with time and the ciphertext is stored by a third party.

Our Contribution.
We propose an R-CP-ABE scheme that can implement user direct revocation, maintain a short revocation list, and update ciphertext by incorporating the identity-based and time-based revocable technique. The main contributions of this paper can be summarised as follows:
(1) User direct revocation. We keep a public revocation list that contains the identity of every user who is revoked before the intended expiry time. This revocation list is embedded into the ciphertext by the encryptor to achieve user direct revocation. Users in the revocation list cannot decrypt any newly generated ciphertext even if their attribute set satisfies the access policy.
(2) Short revocation list. Once the validity time expires, the users' keys become invalid, so they are unable to decrypt any newly generated ciphertext. Revoked users whose keys have expired can be removed from the revocation list after the expiry date of their keys. Therefore, we can maintain a short revocation list.
(3) Ciphertext update. In the scheme, the ciphertext can be updated periodically using only publicly available information, and after the update process, all stored encrypted data (no matter how old) become inaccessible to the revoked users.
(4) Strongly selective security. Our scheme provides a strongly selective security proof under the modified decisional q-parallel bilinear Diffie-Hellman Exponent problem, where "strongly" means that the adversary can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list.

Bilinear Pairings.
Let $G_1$ and $G_2$ be two cyclic multiplicative groups of prime order $p$, and let $g$ be a generator of $G_1$. A bilinear map is a function $e: G_1 \times G_1 \to G_2$ with the following properties:
(i) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}_p$.
(ii) Nondegeneracy: $e(g, g) \neq 1$.
(iii) Computability: there is a polynomial time algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

Access Structure.
Let $P_1, P_2, \dots, P_n$ be a set of parties. A collection $A \subseteq 2^{\{P_1, P_2, \dots, P_n\}}$ is monotone if, for all $B, C$: if $B \in A$ and $B \subseteq C$, then $C \in A$. An access structure $A$ is a monotone collection of nonempty subsets of $\{P_1, P_2, \dots, P_n\}$, i.e., $A \subseteq 2^{\{P_1, P_2, \dots, P_n\}} \setminus \{\emptyset\}$. For an access structure $A$, the sets in $A$ are called authorized sets; all other sets are called unauthorized sets.

Linear Secret-Sharing Schemes (LSSS).
An LSSS can represent an access control policy $(M, \rho)$, where $M$, with $l$ rows and $n$ columns, is called the share-generating matrix and the function $\rho$ labels row $i$ with the party $\rho(i)$ for all $i = 1, \dots, l$. A secret-sharing scheme $\Pi$ over a set of parties is linear over $\mathbb{Z}_p$ if it satisfies the following two conditions:
(i) The shares of each party form a vector over $\mathbb{Z}_p$.
(ii) Let the column vector $v = (s, r_2, r_3, \dots, r_n)$ carry the secret to be shared, where $s \in \mathbb{Z}_p$ and $r_2, r_3, \dots, r_n \in \mathbb{Z}_p$ are chosen randomly. According to $\Pi$, $Mv$ is the vector of $l$ shares of the secret $s$, and the share $(Mv)_i$ belongs to party $\rho(i)$.
Our definition is adopted from [30], which showed that every linear secret-sharing scheme enjoys the linear reconstruction property: suppose that $\Pi$ is an LSSS for the access structure $A$. Let $S \in A$ be any authorized set and let $I \subseteq \{1, \dots, l\}$ be the set of rows of $M$ labeled by parties in $S$. Then, there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$ for valid shares $\lambda_i$ of any secret $s$, and these constants $\omega_i$ can be found in polynomial time.
We use the convention that the vector $(1, 0, 0, \dots, 0)$ is the target vector for any linear secret-sharing scheme. The target vector $(1, 0, 0, \dots, 0)$ is in the span of $I$ for any satisfying set of rows $I$ in $M$. For any unauthorized set of rows $I$, the target vector is not in the span of $I$, and a vector $w$ exists such that $w \cdot (1, 0, 0, \dots, 0) = -1$.
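Share generation and linear reconstruction for the LSSS described above, as an added example (not code from the paper): a toy share-generating matrix for the policy (A AND B) OR C with target vector (1, 0), and Gaussian elimination over Z_p to find the constants ω_i, which fails exactly for unauthorized sets. The modulus and the policy are constructed for illustration.

```python
# Added example (not from the paper): LSSS share generation and linear
# reconstruction over Z_p for a small (M, rho) policy.
import random

P = 2**61 - 1  # a prime chosen for illustration, not the paper's group order

# Share-generating matrix for "(A AND B) OR C" with target vector (1, 0):
#   rows A: (1, 1), B: (0, -1), C: (1, 0). A+B sums to (1, 0); C alone is (1, 0).
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]  # rho(i): the party labelling row i


def share(secret, M=M, p=P, rng=random):
    """Return the l shares (Mv)_i for v = (s, r_2, ..., r_n) with random r_j."""
    n = len(M[0])
    v = [secret % p] + [rng.randrange(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def reconstruction_constants(S, M=M, rho=RHO, p=P):
    """Find {omega_i}_{i in I} with sum_i omega_i * M_i = (1, 0, ..., 0) mod p,
    where I = rows labelled by parties in S.  Returns None when the target
    vector is not in the span of those rows, i.e. S is unauthorized."""
    I = [i for i, party in enumerate(rho) if party in S]
    n = len(M[0])
    # Augmented system: column idx holds row M_{I[idx]} (transposed), last
    # column is the target vector e_1.  Unknowns are the omega_i.
    A = [[M[i][j] % p for i in I] + [1 if j == 0 else 0] for j in range(n)]
    rows, cols = n, len(I)
    pivots, r = [], 0
    for c in range(cols):
        piv = next((k for k in range(r, rows) if A[k][c]), None)
        if piv is None:
            continue  # free variable: omega for this row stays 0
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for k in range(rows):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(x - f * y) % p for x, y in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
    # A leftover row "0 = nonzero" means e_1 is not in the span of the rows of I.
    for k in range(r, rows):
        if A[k][cols]:
            return None
    omega = [0] * cols
    for k, c in enumerate(pivots):
        omega[c] = A[k][cols]
    return dict(zip(I, omega))


def reconstruct(S, shares, M=M, rho=RHO, p=P):
    """Recover s = sum_{i in I} omega_i * lambda_i, or None if S is unauthorized."""
    omega = reconstruction_constants(S, M, rho, p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p
```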

Security Assumption.
The modified decisional q-parallel bilinear Diffie-Hellman Exponent problem (M-q-parallel-BDHE) is defined as follows. Let $G_1$ be a group of prime order $p$ with a random generator $g$, and let $a, s, b_1, b_2, \dots, b_q \in \mathbb{Z}_p$ be random exponents. Given $y = (g, g^s, g^a, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}})$, the problem is to distinguish $e(g, g)^{a^{q+1} s} \in G_2$ from a random element $R \in G_2$. The advantage of an algorithm B in solving the M-q-parallel-BDHE problem in $G_1$ is $\varepsilon$ if the following equation holds: (2). The M-q-parallel-BDHE assumption holds if the advantage $\varepsilon$ of any probabilistic polynomial time (PPT) algorithm in solving the M-q-parallel-BDHE problem is a negligible function of the security parameter.

Time Period.
Similar to the definition of time period in [29], our time period is hierarchical: we use a hierarchical tree to represent the time period for year, month, and day. Let $T$ be the depth of the hierarchical tree; the first level represents the year, the second level represents the month, and the third level represents the day. Every node has $z$ children, and each node (except the root node) represents a time period in the tree. We assume that all users agree on how to divide time and how to specify each time period. A time period is written $\tau = (\tau_1, \tau_2, \dots, \tau_k)$, where the $j$-th component corresponds to the time period at level $j$. For example, we use 2020.08.22 to represent a day, 2020.08 to represent a month, and so on.
A secret key validity time for a user is a time period from a starting date to an ending date. For example, if a user joins the organization on 2019.12.30 and his membership ends on 2020.12.31, then his secret key validity time is from 2019.12.30 to 2020.12.31. A decryptable time period is a time period set by the encryptor so that only users whose validity time completely covers the period can decrypt. For example, suppose the decryptable time period is 2019.12 and the secret key validity of a user is limited to 2019.12.31. This secret key is unable to decrypt, as it does not completely cover the decryptable time period. However, if the decryptable time period is 2019.12.31 and the secret key validity of a user is 2019.12, then the key is able to decrypt, as it completely covers the decryptable time period.

Algorithms of R-CP-ABE.
The R-CP-ABE scheme consists of five PPT algorithms: Setup, KeyGen, Encrypt, Decrypt, and CTUpdate. Note that, compared to the algorithms of the R-CP-ABE scheme in [29], we add a ciphertext update algorithm to prevent the revoked users from accessing the previously authorized encrypted data. We do not explicitly propose a key update algorithm, as its function can be covered by the KeyGen algorithm: we run KeyGen to generate a new secret key with a new time period for the nonrevoked users during a reasonable period (e.g., for employees that renew their contracts when they expire).

Security Model.
Since the updated ciphertext has the same distribution as the original ciphertext, we only consider the security of the original ciphertext. The security model is described by the following game between a challenger C and an adversary A. In the game, A must submit an access structure $A^*$, a revocation list $R^*$, and a decryptable time period $T^*_c$ to C before seeing the public parameters PK. A can query, at any time, any private key that cannot be used to decrypt the challenge ciphertext; this derives from the security definitions for the identity-based revocation framework in [31] and for general CP-ABE systems in [7]. In the security definition, we consider a strong adversary who can query the secret key of a user whose attribute set satisfies the challenge ciphertext access structure and whose identity is in the revocation list.
(i) Init: the adversary A submits the challenge access structure $A^*$, the challenge revocation list $R^*$, and the challenge decryptable time period $T^*_c$ to the challenger C.
(ii) Setup: C runs the Setup algorithm to generate the system parameters. It keeps the master key MK and sends the public parameters PK to A.
(iii) Phase 1: A makes private key queries repeatedly, each corresponding to an identity ID, an attribute set S, and a range of time periods T, such that, for any single returned secret key $SK_{(ID,S,T)}$, at least one of the following requirements is satisfied:
 (a) S satisfies the access structure $A^*$ and the corresponding identity $ID \in R^*$;
 (b) $T^*_c$ is not completely covered by T.
(iv) Challenge: A submits two equal-length messages $M_0$ and $M_1$ to C. Then C flips a random coin $b \in \{0, 1\}$ and encrypts $M_b$ under the access structure $A^*$, the revoked set $R^*$, and the time period $T^*_c$ to obtain a ciphertext $CT^*$. Finally, C sends the ciphertext $CT^*$ to A.
(v) Phase 2: this phase is the same as Phase 1.
Definition: if no adversary has a nonnegligible advantage in winning the above game in polynomial time, then the revocable ciphertext-policy attribute-based encryption scheme is secure.

Overview.
Based on the scheme in [23] and the secret key time validation technique in [29], we propose the R-CP-ABE scheme with ciphertext update. We incorporate the identity and the time period into the generation of the secret key. The size of the revocation list can be reduced by incorporating the validity time period technique. The identity of a user who is revoked before his intended expiry date is embedded into the revocation list by the encryptor to realize user direct revocation. Users in the revocation list cannot decrypt any newly encrypted data. In order to disqualify the revoked users from accessing the previously encrypted data, we provide a ciphertext update mechanism. As a result, our scheme can implement user direct revocation, maintain a short revocation list, and update ciphertext.

Technique.
Similar to the validity time technique in [29], which derives from the hierarchical IBE (HIBE) scheme [13], we represent the time period by using a hierarchical tree, which can shorten the size of the secret key. In this hierarchical tree, each node has a corresponding time period associated with the secret key, and the secret key of any node can derive the secret keys for the children of that node. For example, a user with a secret key valid for the whole year can derive the keys valid for the individual months of that year. We select the minimum number of nodes that can represent all the validity time periods by using the set-cover approach. Suppose a user joins the organization on 2019.12

Construction.
(i) Setup: I is the identity set. The algorithm chooses a bilinear group $G_1$ of prime order $p$ with a random generator $g$ and $U$ random group elements $h_1, h_2, \dots, h_U \in G_1$. It also randomly chooses $\alpha, b \in \mathbb{Z}_p$ and $V_0, V_1, \dots, V_T \in G_1$. It outputs the public parameters PK and $MK = \{\alpha, b\}$.
(ii) KeyGen(MK, ID, S, T): S is the set of attributes of a user with identity $ID \in I$, and T is the time period for the user ID. T is represented by its set-cover, which consists of time elements $\tau = (\tau_1, \tau_2, \dots, \tau_{k_\tau}) \in \{1, \dots, z\}^{k_\tau}$. The algorithm randomly chooses $t \in \mathbb{Z}_p$ and $v_\tau \in \mathbb{Z}_p$ for every $\tau$ in the set-cover and computes the secret key $SK_{(ID,S,T)}$.
(iii) Encrypt: the algorithm chooses random $\mu_1, \dots, \mu_r \in \mathbb{Z}_p$ such that $\mu = \mu_1 + \mu_2 + \cdots + \mu_r$ and computes the ciphertext components. Then, $CT = (C_0, C_0', C_0'', \{C_{i,j}\}, \{C_{i,j}'\})$ is output along with a description of the revoked set R, the access structure $A = (M, \rho)$, and the time period $T_c$.
(iv) Decrypt(CT, R, $SK_{(ID,S,T)}$): the decryption algorithm takes as input a ciphertext CT with access structure $(M, \rho)$, the revocation list R, and the private key $SK_{(ID,S,T)}$. If either of the following requirements holds, it outputs $\bot$:
 (a) S satisfies the access structure $A$ and the corresponding identity $ID \in R$;
 (b) $T_c$ is not completely covered by T, that is, $\tau_c$ and all its prefixes are not in the set-cover of T.
Otherwise, we have $ID \notin R$ and S satisfies the access structure $A = (M, \rho)$. There exists a set of constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$ if the $\lambda_i$ are valid shares of any secret $s$ according to $M$. The algorithm computes
$\prod_{i \in I} \prod_{j=1}^{r} e(C'_{i,j}, D_0) \cdot e(C_{i,j}, K_{\rho(i)})$,
denotes $A = e(D_{1,\tau}, C_0')$, and finally computes the message.
(v) CTUpdate: the process is as follows. It chooses random $\mu'_1, \dots, \mu'_r, \dots, \mu'_{r+r'} \in \mathbb{Z}_p$ such that $\mu' = \mu'_1 + \cdots + \mu'_{r+r'}$ and recomputes the ciphertext components. Then, $CT' = (C_0, C_0', C_0'', \{C_{i,j}\}, \{C_{i,j}'\})$ is output along with a description of the revoked set R, the access structure $A = (M, \rho)$, and the time period $T_c$.
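The hierarchical time period from the Time Period section, the set-cover of a key validity range from the Technique description above, and the admissibility test of Decrypt, worked as an added example that is not the paper's code. It uses the real calendar in place of a fixed z-ary tree and treats the day as the leaf level; the dates are those of the paper's examples plus one constructed range.

```python
# Added example (not from the paper): year.month.day time tree, the set-cover of
# a validity range, and the "completely covers" test used by Decrypt.
# Nodes are tuples: (y,) for a year, (y, m) for a month, (y, m, d) for a day.
import calendar
from datetime import date, timedelta


def set_cover(start, end):
    """Minimal set of tree nodes covering every day from start to end inclusive.
    Greedy: take a year node when a whole year fits, else a month node when a
    whole month fits, else the single day.  (Real calendar, so month nodes do
    not all have the same number of children as in the paper's z-ary tree.)"""
    cover = []
    day = start
    while day <= end:
        year_end = date(day.year, 12, 31)
        month_end = date(day.year, day.month,
                         calendar.monthrange(day.year, day.month)[1])
        if day.month == 1 and day.day == 1 and end >= year_end:
            cover.append((day.year,))
            day = year_end + timedelta(days=1)
        elif day.day == 1 and end >= month_end:
            cover.append((day.year, day.month))
            day = month_end + timedelta(days=1)
        else:
            cover.append((day.year, day.month, day.day))
            day += timedelta(days=1)
    return cover


def is_covered(cover, tau_c):
    """True iff the decryptable period tau_c, or any prefix of it, is in the
    key's set-cover (the key node is an ancestor-or-self of tau_c)."""
    return any(tau_c[:k] in cover for k in range(1, len(tau_c) + 1))


def can_decrypt(attrs_satisfy_policy, user_id, revocation_list, cover, tau_c):
    """Decrypt's admissibility test: the attribute set must satisfy the
    policy, the identity must not be in R, and T_c must be completely covered."""
    if not attrs_satisfy_policy or user_id in revocation_list:
        return False
    return is_covered(cover, tau_c)


if __name__ == "__main__":
    # Paper's example: membership 2019.12.30 .. 2020.12.31 -> 3 nodes.
    print(set_cover(date(2019, 12, 30), date(2020, 12, 31)))
    # Key valid only on 2019.12.31 cannot decrypt a 2019.12 ciphertext ...
    print(is_covered(set_cover(date(2019, 12, 31), date(2019, 12, 31)), (2019, 12)))
    # ... but a key valid for all of 2019.12 can decrypt a 2019.12.31 ciphertext.
    print(is_covered(set_cover(date(2019, 12, 1), date(2019, 12, 31)), (2019, 12, 31)))
```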

Security Analysis
The security of our construction is based on the modified decisional q-parallel-BDHE assumption. It is apparent that the updated ciphertext has the same distribution as the original ciphertext, so we only prove the security associated with the original ciphertext.
Theorem 1. Suppose the modified decisional q-parallel-BDHE assumption holds. Then, no PPT adversary can selectively break our system with a challenge matrix of size $l^* \times n^*$, where $l^*, n^* < q$, a challenge revocation list $R^*$ with $|R^*| < q - 2$, and a challenge time $T^*_c$ with $z$-ary representation $\tau^* = (\tau^*_1, \dots, \tau^*_{k^*})$ for some $k^* < T$ such that $T < q$.
Proof. Suppose there is an adversary A with nonnegligible advantage $\varepsilon = \mathrm{Adv}_A$ against our scheme in the selective security game. Then, a simulator B can solve the modified decisional q-parallel-BDHE problem with nonnegligible advantage.
(i) Init: the simulator B takes in a modified decisional q-parallel-BDHE problem challenge $(y, T)$ with $y = (g, g^s, g^a, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}})$, and decides whether $T = e(g, g)^{s \cdot a^{q+1}}$ using the adversary A. Then, the adversary A declares the challenge time $T^*_c$ with $z$-ary representation $\tau^* = (\tau^*_1, \dots, \tau^*_{k^*})$ for some $k^* \leq T$ and the challenge revocation list $R^*$, where $|R^*| \leq q - 2$.
(ii) Setup: the simulator B lets $e(g, g)^\alpha = e(g, g)^{\alpha'} e(g^a, g^{a^q})$ to implicitly set $\alpha = \alpha' + a^{q+1}$. Moreover, it also implicitly sets $b = a$ when computing the public parameters. To embed the revocation identification $ID_c$ and the challenge access structure into the public parameters $h_1, h_2, \dots$: if $X$ is an empty set, it sets $h_x^b = g^{z_x}$. The simulator B also randomly chooses $\xi_0, \xi_1, \dots, \xi_T \in \mathbb{Z}_p$, defines $V_j = g^{\xi_j a^{q-j+1}}$ as part of the public key, and sends the public key to A. We observe that the public parameters are distributed as in the real system, and that both the revoked identification and the challenge matrix are reflected in the simulator's construction of the parameters $h_x^b$.
(iii) Phase 1: adversary A makes repeated private key queries corresponding to tuples of identity, attributes, and time (ID, S, T) such that at least one of the following requirements is satisfied:
 (a) the attribute set S satisfies the access structure $A^*$ and the corresponding identity $ID \in R^*$;
 (b) $T^*_c$ and all its prefixes are not in the set-cover of T.
We separate into two cases.
Case 1: the attribute set S satisfies the access structure $A^*$ and the corresponding identity $ID \in R^*$. Since each $M_i$ is in the span of $M^*_1$ and $e$ is not in the span of $M^*_1$, we can still find a vector $\omega$ with $\omega_1 = -1$ and $\omega \cdot M_i = 0$ for $1 \leq i \leq l^*$. The simulator B chooses a random value $r'$ and computes the private key so as to implicitly set the random $t$ as
$t = r' + \omega \cdot v = r' + \omega_1 a^{q-1} + \omega_2 a^{q-2} + \cdots + \omega_{n^*} a^{q-n^*}$, where $v = (a^{q-1}, a^{q-2}, \dots, a^{q-n^*})$.
So, it can cancel out the unknown term of the form $g^{a^{q+1}}$ in $g^\alpha$ when creating the K component of the private key as
$K = g^{\alpha'} g^{a^2 r'} \prod_{i=0}^{n-2} g^{a^{q+i} \omega_i}$. (14)
In order to prevent the appearance of a term of the form $g^{a^{q+1}}$, it sets the private component $K_x$ accordingly. B randomly chooses $v_\tau \in \mathbb{Z}_p$ and sets $D_{0,\tau} = g^{v_\tau}$ for all $\tau = (\tau_1, \dots, \tau_{k_\tau})$ in the set-cover of T. It then computes the remaining key components and also computes $\{L_{j,\tau} = V_j^{v_\tau}\}_{j = k_\tau + 1, \dots, T,\ \tau \in T}$.
Case 2: $T^*_c$ and all its prefixes are not in the set-cover of T. For all $\tau = (\tau_1, \dots, \tau_{k_\tau})$ in the set-cover of T, first define $\tau_{k_\tau + 1} = \cdots = \tau_q = 0$ and $\tau^*_{k^* + 1} = \cdots = \tau^*_q = 0$. There exists a smallest index $k' \leq k^*$ such that $\tau_{k'} \neq \tau^*_{k'}$. Simulator B randomly selects $v'_\tau \in \mathbb{Z}_p$ and implicitly defines $v_\tau = a^{k'} / (\xi_{k'} (\tau^*_{k'} - \tau_{k'})) + v'_\tau$, which it realizes by setting the key components as in (18). B then chooses a random element $t \in \mathbb{Z}_p$ and sets $D_{0,\tau} = g^t$. For all $\tau$, it computes the remaining time components; simulator B also computes $K_x$ and the other key components.
(iv) Challenge: adversary A submits two equal-length messages $M_0$ and $M_1$, together with the matrix $M^*$ of at most $n$ columns, to B. B flips a random coin $b$ and encrypts $M_b$ under the access structure $A^*$, the revocation list $R^*$, and the time $T^*_c$ with $z$-ary representation $\tau^*$. It chooses random values $\mu_1, \mu_2, \dots, \mu_r$ such that $\mu = \mu_1 + \mu_2 + \cdots + \mu_r$ and creates the ciphertext components. For $C_0''$, observe that since the challenge time is $(\tau^*_1, \dots, \tau^*_{k^*})$, the $g^{a^i}$ terms in the $V_i$ are cancelled out; then it sets $C_0'' = (g^s)^{\xi_0}$. B also chooses random values $y'_2, y'_3, \dots, y'_{n^*} \in \mathbb{Z}_p$ and shares the secret $s$ using the vector $x = (s, y'_2, y'_3, \dots, y'_{n^*}) \in \mathbb{Z}_p^{n}$. Next, it calculates the shares and generates the ciphertext components $C_{i,j}$. For $k = 1, 2, \dots, n$, it defines $X_k$ as the set of indices $i$ such that $\rho(i) = \rho(k)$. Finally, B builds the ciphertext components $C^*_{i,j}$.
(v) Phase 2: this phase is the same as Phase 1.
(vi) Guess: the adversary A finally outputs a guess $b'$ of $b$. B outputs 0 to guess $T = e(g, g)^{a^{q+1} s}$ if $b' = b$; otherwise, it outputs 1. When $T$ is a tuple, B gives a perfect simulation, so the advantage of the simulator B is the same as the advantage of the adversary A. Therefore, we have
$\Pr[B(y, T = e(g, g)^{a^{q+1} s}) = 0] = \frac{1}{2} + \mathrm{Adv}_A$. (25)
The message $M_b$ is completely hidden from the adversary when $T$ is a random group element, so we have $\Pr[B(y, T = R) = 0] = 1/2$. Therefore, if A could attack the scheme with nonnegligible advantage, then B can also play the modified decisional q-parallel-BDHE game with nonnegligible advantage.

Performance Analysis
In this section, we first give a functional comparison between our scheme and the schemes of [23,29] in Table 1.
Our scheme can implement user direct revocation, maintain a short revocation list, and update ciphertext. Compared with [23], our scheme can maintain a short revocation list and update ciphertext. Compared with [29], our scheme can update ciphertext. The ciphertext update protects the confidentiality of the encrypted data by disqualifying the revoked users from accessing it, especially the data generated previously. We can periodically run the ciphertext update algorithm and do not need to execute a key update algorithm frequently, because users have a reasonable validity time.
Next, we mainly analyze the efficiency of the proposed scheme compared with [23,29] in Table 2.
As shown in Table 2, the efficiency of the proposed scheme is a little lower than that of scheme [23], but we can reduce the size of the ciphertext by maintaining a short revocation list. In addition, the efficiency of our scheme is lower than that of scheme [29] in terms of the ciphertext size and the number of pairings in decryption, but our scheme is more efficient in the size of PK and SK.
The number of exponentiation operations in the KeyGen algorithm of scheme [29] is R times that of our scheme, and the number of exponentiation operations in the Encrypt algorithm of scheme [29] is r times that of our scheme. Our scheme is practical in that it can revoke users immediately, maintain a short revocation list, and update ciphertext, but it loses the efficiency advantage in the ciphertext size and the decryption time.

Conclusion
In this work, we propose a user R-CP-ABE scheme with ciphertext update. The scheme can implement user direct revocation, maintain a short revocation list, and update ciphertext by incorporating the identity-based and time-based revocable technique. We provide a ciphertext update mechanism, using only publicly available information, to disqualify the revoked users from accessing previously encrypted data. Our scheme supports the key update function for the nonrevoked users when their validity time expires. Once the validity time expires, the user's key becomes invalid and cannot decrypt any ciphertext generated after the expiry date. The security is based on the modified decisional q-parallel bilinear Diffie-Hellman Exponent problem. In the security model, we consider a strong adversary that can query the secret key of a user whose attribute set satisfies the challenge ciphertext access policy and whose identity is in the revocation list. In future research, we will consider a more efficient mechanism for user revocation and ciphertext update.

Table 2. Efficiency comparison with [23,29]: sizes of PK, SK and CT, and the number of pairings in decryption.
Scheme | PK size | SK size | CT size | Pairings in decryption
[23] | $(|U| + 3)G_1 + G_1$ | $(|S| + 2)G_1$ | $(2lR + 1)G_1 + G_2$ | $2|I|R + 1$
[29] | $(|U| + R + T + 3)G_1 + G_2$ | $(|S| + Z + R + 1)G_1$ | $(l + 3)G_1 + G_2$ | $2|I| + 4$
Ours | $(|U| + T + 3)G_1 + G_2$ | $(|S| + Z + 1)G_1$ | $(2lR' + 1)G_1 + G_2$ | $2|I|R' + 2$
U: the maximum number of attributes in the system; $G_1$: number of $G_1$ elements; $G_2$: number of $G_2$ elements; S: the set of attributes created for a specific user; l: the number of attributes involved in the encryption process; I: the identity set defined in the system; R: the maximum number of revoked users; R′: the length of the revocation list; T: the depth of the time tree; Z: best case $Z = 2$, worst case $Z = T(T + 2)/2$.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.