Abstract
We propose a hidden ciphertext-policy attribute-based proxy re-encryption scheme. A data owner can delegate to a semi-trusted proxy the capability of transforming a ciphertext under one access policy into a ciphertext of the same plaintext under a different access policy. Compared with existing schemes, ours hides the users' attribute information during both encryption and re-encryption, which gives better protection of user privacy. We also prove the scheme fully secure under standard assumptions using the dual system technique. As far as we know, this is the first scheme to achieve all these properties simultaneously.
1 Introduction
Attribute-based encryption (ABE), which provides fine-grained access control, is a good solution for the secure sharing of cloud data. There are two main types of ABE: key-policy ABE (KP-ABE), where ciphertexts are associated with sets of attributes and keys with access policies, and ciphertext-policy ABE (CP-ABE), where keys are associated with sets of attributes and ciphertexts with access policies.
Attribute-based proxy re-encryption (AB-PRE) applies proxy cryptography to ABE [4, 15, 19, 26]. AB-PRE schemes allow the data owner to delegate the capability of re-encryption to a semi-trusted proxy. The proxy runs the re-encryption operation, which reduces the computation cost of the data owner, and an authorized user can decrypt the re-encrypted data with his/her own secret key alone; no additional component is needed. Moreover, the proxy learns nothing about the plaintext. However, current ciphertext-policy attribute-based proxy re-encryption (CP-AB-PRE) schemes [4, 15, 19, 27] share a problem: the ciphertext policy, which is built from user attributes, is exposed to the proxy, so the proxy learns attribute information about both the owner and the user. A user's attributes may contain sensitive information; such data relate to user privacy and should not be exposed to a third party.
To solve this problem, we borrow the concept of hidden policy from the schemes in [9, 12, 13, 21, 22] and propose a hidden ciphertext-policy attribute-based proxy re-encryption scheme. With our scheme, the proxy obtains little sensitive data or privacy information about the user.
Our Contributions. By employing the AND-gates policy we propose the first fully secure hidden CP-AB-PRE scheme which can make a better protection of the user’s privacy. Our scheme has the following properties:
- Unidirectionality (a ciphertext CT can be transformed into \(CT^{'}\), but \(CT^{'}\) cannot be transformed back into CT).
- Non-interactivity (the data owner can generate the re-encryption key alone, without any participation of an untrusted third party).
- Multi-use (the encrypted data can be re-encrypted multiple times).
- Master key security (neither the proxy nor the user needs the data owner's secret key during re-encryption and decryption).
- Re-encryption control (the data owner decides whether the encrypted data can be re-encrypted).
- Collusion resistance (users cannot combine their keys to obtain a plaintext that none of them is authorized for).
Table 1 shows the comparison between our CP-AB-PRE scheme and other schemes on the main features.
Related Work. Proxy re-encryption was first proposed by Blaze et al. [2]: a proxy transforms a ciphertext under one key into a ciphertext under another key without learning the secret key or the plaintext. That scheme, however, required an unrealistic level of trust in the proxy, because sensitive information could be revealed during the re-encryption process. To solve this problem, Ateniese et al. proposed improved proxy re-encryption schemes in 2005 [1]. Green and Ateniese presented an identity-based proxy re-encryption (IB-PRE) scheme in 2007 [5], but it was only proved secure in the random oracle model; many improved IB-PRE schemes followed [3, 7, 16, 20, 23]. After ABE was introduced, Guo et al. proposed the first AB-PRE scheme [26], which is also the first key-policy AB-PRE scheme, but it is bidirectional. Liang et al. then proposed the first CP-AB-PRE scheme [15] and realized the multi-use property, but the size of the ciphertext grows linearly with the number of re-encryptions. In 2010, Luo et al. presented a CP-AB-PRE scheme [19] which allows the data owner to decide whether the ciphertext may be re-encrypted. In the same year, Yu et al. introduced the property of data confidentiality [27], but their scheme is vulnerable to a collusion attack. Do et al. proposed a new AB-PRE scheme supporting collusion resistance in 2011, and other AB-PRE schemes were proposed in 2011 as well [4, 6, 8, 25]. After that, Liu et al. added timestamps and proposed two AB-PRE schemes [17, 18] which prevent revoked users from accessing the encrypted data. In 2012, Seo et al. introduced an AB-PRE scheme with a constant number of pairing operations to save computation cost [24]. However, none of the above schemes achieves full security. In 2014, Liang et al. proposed a fully secure CP-AB-PRE scheme by integrating the dual system encryption technique [14], and in 2016 Li et al. proposed another fully secure scheme in the same framework [11]. Until now, no CP-AB-PRE scheme has achieved the hidden policy property, which is the problem we address in this work.
Organization. This paper is organized as follows. We first give the relevant access structure, complexity assumptions and security model about CP-AB-PRE in Sect. 2. In Sect. 3, we introduce the construction of our hidden policy CP-AB-PRE scheme. In Sect. 4, we prove the full security of our scheme. Then in Sect. 5, we give a conclusion of our work.
2 Access Structure and Complexity Assumptions
2.1 Access Structure
We take AND-gates as the basic access policy in our scheme; negative attributes and wildcards are supported. A negative attribute denotes a value the user must not have, and a wildcard means the attribute is not considered. Multi-valued attributes are also supported.
We use notation such as \(W=[W_1,\,\cdots ,\,W_n] = [1, 0, *, *, 0]\) with \(n = 5\) to specify a ciphertext policy. The wildcard * means "don't care"; the policy as a whole is an AND-gate over all n attributes. The policy above means that a recipient who wants to decrypt must have the value 1 for \(W_1\), 0 for \(W_2\) and \(W_5\), while the values of \(W_3\) and \(W_4\) do not matter. A recipient whose attribute list is [1, 0, 1, 0, 0] can decrypt the ciphertext, but a recipient with attribute list [1, 1, 1, 0, 1] cannot.
To support multi-valued attributes we use the following notation. An attribute list is \(L=[v_{1,t_1},v_{2,t_2},\,\cdots ,\,v_{n,t_n}]\), where \(v_{i,t_i}\) is the \(t_i^{th}\) of the \(n_i\) possible values of attribute i, and a ciphertext policy is \(W = [W_1, W_2, \cdots , W_n]\), where each \(W_i\) is either a subset of the values of attribute i or the wildcard. L satisfies W if for all \(i = 1, \cdots , n\), \(v_{i,t_i} \in W_i\) or \(W_i=*\); otherwise L does not satisfy W. We write \(L\,\models \,W\) when L satisfies W. In this notation a negative attribute corresponds to a \(W_i\) that contains every value of attribute i except the excluded one.
2.2 Complexity Assumptions
The Basic Generic Group Assumption. Given a group generator \(\mathcal {G}\), we define the following distribution:
We define the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption to be:
The General Subgroup Decision Assumption. We let \(\mathcal {G}\) denote a group generator and \(Z_0,Z_1,Z_2,\,\ldots ,\,Z_k\) denote a collection of non-empty subsets of \(\{1,2,3\}\), where each \(Z_i\) for \(i\ge 2\) satisfies \(Z_0 \cap Z_i \ne \emptyset \ne Z_1 \cap Z_i\) (the condition of [10]). The distribution starts from \(\mathbb {G}=(N=p_1p_2p_3,G,G_T,e)\xleftarrow []{R} \mathcal {G}.\)
The Three Party Diffie-Hellman Assumption in a Subgroup. Given a group generator \(\mathcal {G}\), we define the following distribution:
We define the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption to be:
We say that \(\mathcal {G}\) satisfies The Three Party Diffie-Hellman Assumption if \(Adv_{\mathcal {G},\mathcal {A}}^{3DH}(\lambda )\) is a negligible function of \(\lambda \) for any PPT algorithm \(\mathcal {A}\).
The Source Group \({\varvec{q}}\)-Parallel BDHE Assumption in a Subgroup. Given a group generator \(\mathcal {G}\) and a positive integer q, we define the following distribution:
The adversary will be given:
We additionally define \(T_0=g_2^{dc^{q+1}}\) and let \(T_1\) be a random element of \(G_{p_2}\).
We define the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption to be:
We say that \(\mathcal {G}\) satisfies The Source Group q-Parallel BDHE Assumption in a Subgroup if \(Adv_{\mathcal {G},\mathcal {A}}^q(\lambda )\) is a negligible function of \(\lambda \) for any PPT algorithm \(\mathcal {A}\).
2.3 Security Model
The definition of full security for the CP-AB-PRE system is described by a security game between a challenger and an attacker, which proceeds as follows:
- Setup. The challenger runs the Setup algorithm, keeps the master key MSK and sends the public parameters PP to the attacker.
- Phase 1. The attacker adaptively makes queries for private keys corresponding to sets of attributes \(S_1,\,\ldots ,\,S_{Q_1}\). Each time, the challenger responds with a secret key obtained by running \(KeyGen(MSK,PP,S_k)\). The attacker may also request re-encryption keys for access policies \(W^{\prime }\), which the challenger answers by running \(RKGen(SK_L,W^{\prime })\).
- Challenge. The attacker selects two messages \(M_0\) and \(M_1\) of the same length and an access structure W. The challenger flips a random coin \(b\in \{0,1\}\), encrypts \(M_b\) under W to obtain CT and sends CT to the attacker.
- Phase 2. Phase 2 is the same as Phase 1 except that the attacker requests private keys for the attribute sets \(S_{Q_1+1},\,\ldots ,\,S_Q\) adaptively. None of the queried attribute sets, in either phase, may satisfy the challenge access structure W.
- Guess. The attacker outputs a guess \(b^{'}\) for b.
The advantage of an attacker in this game is defined to be \(Pr[b=b^{'}]-\frac{1}{2}\). The restriction on key queries has to be read together with the re-encryption key queries: by the Re-encrypt and Decrypt algorithms of Sect. 3, a re-encryption key \(RK_{L \rightarrow W^{\prime }}\) with \(L \models W\) combined with a secret key for some \(L^{\prime } \models W^{\prime }\) lets the attacker decrypt the challenge ciphertext, so such combinations must be excluded for the game to be meaningful.
3 Our Construction
\({{\varvec{Setup}}{} \mathbf (1 ^{{\varvec{k}}}, {\varvec{n}}}{} \mathbf ). \) A trusted authority generates a bilinear group tuple \(G=[p,G,G_T,g \in G,e]\) and a random \(w \in \mathbb {Z}_p^*\). (KeyGen below and the security proof in Sect. 4 use a composite-order group of order \(N=p_1p_2p_3\), with g in the subgroup \(G_{p_1}\) and blinding elements taken from \(G_{p_3}\).) For each attribute i with \(1\le i \le n\), the authority generates random values \(\{a_{i,t},b_{i,t} \in \mathbb {Z}_p^*\}_{1\le t \le n_i}\) and random points \(\{A_{i,t} \in G\}_{1 \le t \le n_i}\). It computes \(Y=e(g,g)^w\). The public key PK consists of the group description, Y and the elements \(\{\{A_{i,t}^{a_{i,t}},A_{i,t}^{b_{i,t}}\}_{1 \le t \le n_i}\}_{1 \le i \le n}\) (this is the form the simulators in Sect. 4 publish), together with the element h that Encrypt and RKGen share (see below); the master key MK consists of w, the exponents \(a_{i,t},b_{i,t}\) and the points \(A_{i,t}\).
\({{\varvec{KeyGen}}\mathbf{( }{\varvec{MK,L}} \mathbf{). }}\) Let \(L=[L_1,L_2,\,\ldots ,\,L_n]=[v_{1,t_1},v_{2,t_2},\,\ldots ,\,v_{n,t_n}]\) be the attribute list of the user who obtains the corresponding secret key. The trusted authority picks random values \(s_i,\lambda _i \in \mathbb {Z}_p^*\) for \(1 \le i \le n\) and random elements \(R,R_0,R_1,R_2 \in G_{p_3}\), sets \(s=\sum _{i=1}^{n}s_i\), and computes \(D_0=g^{w-s}R\). For \(1 \le i \le n\), it computes \(D_{i,0}=g^{s_i}(A_{i,t_i})^{a_{i,t_i}b_{i,t_i}\lambda _i}R_0, D_{i,1}=g^{a_{i,t_i}\lambda _i}R_1, D_{i,2}=g^{b_{i,t_i}\lambda _i}R_2\). The secret key \(SK_L\) is: \(SK_L=\{ D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n} \}\).
\({{\varvec{Encrypt}}\mathbf{( }{\varvec{PK,M,W}}\mathbf{) .}}\) An encryptor encrypts a message \(M\in G_T\) under a ciphertext policy \(W=[W_1,W_2,\,\ldots ,\,W_n]\). It picks a random value \(r \in \mathbb {Z}_p^*\) and sets \(\tilde{C}=MY^r\), \(C_0=g^r\) and \(C_0^{'}=h^r\), where \(h \in G\) is the element that RKGen uses below: Re-encrypt and the decryption of re-encrypted ciphertexts only work if Encrypt and RKGen use the same h, so h has to be a fixed public element rather than a value chosen fresh for each ciphertext. For \(1 \le i \le n\), it picks random values \(\{r_{i,t} \in \mathbb {Z}_p^*\}_{1 \le t \le n_i}\) and computes \(C_{i,t,1}, C_{i,t,2}\) as follows: if \(v_{i,t} \in W_i\) or \(W_i=*\), \(C_{i,t,1}=(A_{i,t}^{b_{i,t}})^{r_{i,t}}, C_{i,t,2}=(A_{i,t}^{a_{i,t}})^{r-r_{i,t}}\) (well-formed); if \(v_{i,t} \notin W_i\), \(C_{i,t,1}, C_{i,t,2}\) are random group elements (mal-formed). Since every attribute value receives a component of the same shape, the ciphertext does not reveal which values belong to \(W_i\). The ciphertext CT is: \(CT=\{ \tilde{C}, C_0, C_0^{'}, \{\{C_{i,t,1},C_{i,t,2}\}_{1 \le t \le n_i} \} _{1 \le i \le n} \}\).
\({{\varvec{RKGen}}\mathbf{( }{\varvec{SK}}_{{\varvec{L}}}{{\varvec{,W}}}\mathbf{). }}\) Let \(SK_L\) be a valid secret key and W an access policy. To generate a re-encryption key for W, choose \(d \in \mathbb {Z}_p\), compute \(g^d\) and \(D_{i,0}^{'}=D_{i,0}h^d\) for \(1 \le i \le n\). Set \(D_0^{'}=D_0, D_{i,1}^{'}=D_{i,1}, D_{i,2}^{'}=D_{i,2}\), and compute \(\mathbb {C}=Encrypt(PK,E(g^d),W)\), the encryption of \(E(g^d)\) under the access policy W, where \(E(\cdot )\) is an injective encoding of the group element \(g^d\) into the message space \(G_T\). The re-encryption key for W is \(RK_{L \rightarrow W}=\{ D_0^{'},\{\{D_{i,j}^{'}\}_{1 \le j \le 2}\}_{1 \le i \le n}, \mathbb {C} \}\).
\({\varvec{Re-encrypt}}\mathbf{( }{{\varvec{RK}}}_{{\varvec{L}} \rightarrow {\varvec{W}}^{'}},{\varvec{CT}}_{\varvec{W}}\mathbf{). }\) Let \(RK_{L\rightarrow W^{'}}\) be a valid re-encryption key for access policy \(W^{'}\) and \(CT_W\) a well-formed ciphertext \(\tilde{C}, C_0, C_0^{'}, \{\{C_{i,t,1},C_{i,t,2}\}_{1 \le t \le n_i} \} _{1 \le i \le n}\). For \(1 \le i \le n\), the proxy takes the components with \(t=t_i\), the index of the delegator's value for attribute i (the pairings below only cancel for that index), and computes \(E_i=\frac{e(C_0,D_{i,0}^{'})}{e(C_{i,t,1},D_{i,1}^{'})e(C_{i,t,2},D_{i,2}^{'})}=e(g,g)^{rs_i}e(g,h)^{rd}\). It then computes \(\bar{C}=e(C_0,D_0^{'})\prod _{i=1}^nE_i=e(g,g)^{wr}e(g,h)^{nrd}\). The re-encrypted ciphertext is \(CT^{'}=\{ \tilde{C},C_0^{'},\bar{C},\mathbb {C} \}\).
\({\varvec{Decrypt}}\mathbf{( }{{\varvec{CT}}}_{{\varvec{W}}}{\varvec{,SK}}_{{\varvec{L}}}\mathbf{). }\) The recipient tries to decrypt CT without knowing W, using his/her \(SK_L\), as follows. Assume \(L=[L_1,L_2,\,\ldots ,\,L_n]=[v_{1,t_1},v_{2,t_2},\,\ldots ,\,v_{n,t_n}]\) is the user's attribute list.
- If CT is an original ciphertext, then for \(1 \le i \le n\) the recipient selects the components matching its own attribute values, \(C_{i,1}^{'}=C_{i,t_i,1},\ C_{i,2}^{'}=C_{i,t_i,2}\) where \(L_i=v_{i,t_i}\), and computes \(M=\frac{\tilde{C}\prod _{i=1}^ne(C_{i,1}^{'},D_{i,1})e(C_{i,2}^{'},D_{i,2})}{e(C_0,D_0)\prod _{i=1}^ne(C_0,D_{i,0})}\). If \(L \models W\), every selected component is well-formed and the result is M; otherwise at least one mal-formed component enters the product and the result is a random element of \(G_T\), which tells the recipient neither M nor which \(W_i\) it failed.
- Else, if CT is a re-encrypted ciphertext, then
  1. decrypt \(\mathbb {C}\) with \(SK_L\) as above to obtain \(E(g^d)\), and decode it to \(g^d\);
  2. compute \(M=\tilde{C}\cdot e(C_0^{'},g^d)^n/\bar{C}\).
4 Security Proof
We prove our scheme fully secure using the dual system [10] under the general subgroup decision assumption, the three party Diffie-Hellman assumption in a subgroup, and the source group q-parallel BDHE assumption in a subgroup.
Let \(Game_{real}\) denote the real security game defined in Sect. 2.3. We assume \(g_2 \in G_{p_2}\) and give the definition of semi-functional keys and semi-functional ciphertexts.
- Semi-functional Keys. Let \(L=[L_1,L_2,\cdots ,\,L_n]=[v_{1,t_1},v_{2,t_2},\cdots ,\,v_{n,t_n}]\) be an attribute list. We first run the normal KeyGen algorithm to produce a normal key \(D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\). Then we choose a random element \(W \in G_{p_2}\) and form the semi-functional key \(D_0W,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\).
- Semi-functional Ciphertexts. We first run the normal Encrypt algorithm to produce a normal ciphertext \(\tilde{C},C_0,C_0^{'},C_{i,t,1},C_{i,t,2}\). Writing \(A_{i,t}=g^{u_{i,t}}\), we have \(C_{i,t,1}=(g^{u_{i,t}b_{i,t}})^{r_{i,t}}, C_{i,t,2}=(g^{u_{i,t}a_{i,t}})^{r-r_{i,t}}\). We then choose random exponents \(r^{'},r_{i,t}^{'}\) and random values \(u_{i,t}^{'},a_{i,t}^{'},b_{i,t}^{'}\), all modulo \(p_2\), and the semi-functional ciphertext is formed as:
$$\tilde{C},C_0g_2^{r^{'}},C_0^{'}g_2^{r^{'}},C_{i,t,1}g_2^{u_{i,t}^{'}b_{i,t}^{'}r_{i,t}^{'}},C_{i,t,2}g_2^{u_{i,t}^{'}a_{i,t}^{'}(r^{'}-r_{i,t}^{'})}.$$
- Game \(_k\).  Let Q denote the total number of key queries made by the attacker. In this game the ciphertext given to the attacker is semi-functional, as are the first k keys; the remaining keys are normal.
We define a sequence of transitions to complete the security proof. We first move from \(Game_{real}\) to \(Game_0\), then from \(Game_0\) to \(Game_1\), and so on, ending with the transition from \(Game_{Q-1}\) to \(Game_Q\). In \(Game_Q\) the ciphertext and all the keys given to the attacker are semi-functional. We then move from \(Game_Q\) to \(Game_{final}\), which is the same as \(Game_Q\) except that the ciphertext given to the attacker is a semi-functional encryption of a random message.
To complete the transition from \(Game_{k-1}\) to \(Game_k\), we define two further types of semi-functional keys:
- Nominal Semi-functional Keys. The nominal semi-functional keys share the values \(a_{i,t_i}^{'},b_{i,t_i}^{'},u_{i,t_i}^{'}\) with the semi-functional ciphertext. Choose random exponents \(s_i^{'}\) and \(\lambda _i^{'}\) and set \(s^{'}=\sum _{i=1}^{n}s_i^{'}\); this relation is what makes the key nominal, i.e. its \(G_{p_2}\) components cancel when it is used to decrypt a semi-functional ciphertext. The nominal semi-functional keys are formed as:
$$D_0g_2^{-s^{'}},D_{i,0}g_2^{s_i^{'}+u_{i,t_i}^{'}a_{i,t_i}^{'}b_{i,t_i}^{'}\lambda _i^{'}},D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.$$
- Temporary Semi-functional Keys. The temporary semi-functional keys also share the values \(a_{i,t_i}^{'},b_{i,t_i}^{'},u_{i,t_i}^{'}\) with the semi-functional ciphertext. Choose a random \(W \in G_{p_2}\) and random exponents \(s_i^{'}\) and \(\lambda _i^{'}\). The temporary semi-functional keys are formed as: \(D_0W,D_{i,0}g_2^{s_i^{'}+u_{i,t_i}^{'}a_{i,t_i}^{'}b_{i,t_i}^{'}\lambda _i^{'}},D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.\) They differ from nominal keys only in \(D_0\), whose \(G_{p_2}\) part is now uncorrelated with the ciphertext, so decrypting a semi-functional ciphertext with such a key leaves a random \(G_{p_2}\) factor.
For any k (\(1 \le k \le Q\)), we define \(Game_k^N\) and \(Game_k^T\):
- Game \(_k^N\). \(Game_k^N\) is similar to \(Game_k\), except that the \(k^{th}\) key given to the attacker is a nominal semi-functional key.
- Game \(_k^T\). \(Game_k^T\) is similar to \(Game_k\), except that the \(k^{th}\) key given to the attacker is a temporary semi-functional key.
To achieve the transition from \(Game_{k-1}\) to \(Game_k\), we first move from \(Game_{k-1}\) to \(Game_k^N\), then from \(Game_k^N\) to \(Game_k^T\), and finally from \(Game_k^T\) to \(Game_k\).
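To make the role of the three key types concrete, the following Python check (added here, not from the paper) tracks only the \(G_{p_2}\) exponents of a key and a ciphertext, using the fact that the pairing annihilates cross-subgroup terms, and computes the \(e(g_2,g_2)\) factor that the decryption equation of Sect. 3 leaves over. The toy prime standing in for \(p_2\), the number of attributes and the way the shared values \(u^{'},a^{'},b^{'}\) are drawn are assumptions of the model; a normal element has exponent 0.

```python
"""G_{p_2}-component bookkeeping for the dual-system proof of Sect. 4 (added example).

The three prime-order subgroups of G are orthogonal under the pairing, so the
e(g_2,g_2) factor that a decryption leaves behind depends only on the G_{p_2}
exponents of the key and the ciphertext.  Each element is therefore modelled by its
G_{p_2} exponent (an integer mod p_2, 0 for a normal element); products in G_T
become sums and pairings become products.  The G_{p_1} and G_{p_3} parts, which
carry the message, are not tracked."""
import secrets

P2 = (1 << 61) - 1     # toy stand-in for the prime p_2 (assumption)
N_ATTRS = 3            # number n of attributes in the constructed instance

def rnd():
    return 1 + secrets.randbelow(P2 - 1)

def shared_values():
    """(u', a', b') for the value t_i of each attribute i, shared by the
    semi-functional ciphertext and the nominal/temporary keys."""
    return [(rnd(), rnd(), rnd()) for _ in range(N_ATTRS)]

def normal_ciphertext():
    return {"C0": 0, "C": [(0, 0)] * N_ATTRS}

def sf_ciphertext(shared):
    """G_{p_2} exponents of C_0 and of the components C_{i,t_i,1}, C_{i,t_i,2}."""
    rp = rnd()
    comps = []
    for u, a, b in shared:
        rit = rnd()
        comps.append((u * b * rit % P2, u * a * (rp - rit) % P2))
    return {"C0": rp, "C": comps}

def normal_key():
    return {"D0": 0, "D": [(0, 0, 0)] * N_ATTRS}

def sf_key():
    """Semi-functional key: a random W in G_{p_2} multiplied onto D_0 only."""
    return {"D0": rnd(), "D": [(0, 0, 0)] * N_ATTRS}

def nominal_key(shared):
    """Nominal key: shares u', a', b' with the ciphertext and uses s' = sum_i s'_i."""
    s_i = [rnd() for _ in range(N_ATTRS)]
    lam = [rnd() for _ in range(N_ATTRS)]
    D = [((si + u * a * b * l) % P2, a * l % P2, b * l % P2)
         for (u, a, b), si, l in zip(shared, s_i, lam)]
    return {"D0": (-sum(s_i)) % P2, "D": D}

def temporary_key(shared):
    """Temporary key: same D_{i,*} as a nominal key, but D_0 carries a fresh random W."""
    key = nominal_key(shared)
    key["D0"] = rnd()
    return key

def leftover(key, ct):
    """Exponent of the e(g_2,g_2) factor left in
    prod_i e(C_{i,1},D_{i,1}) e(C_{i,2},D_{i,2}) / (e(C_0,D_0) prod_i e(C_0,D_{i,0})).
    Zero means the key decrypts the ciphertext exactly as a normal key would."""
    num = sum(c1 * d1 + c2 * d2 for (c1, c2), (_, d1, d2) in zip(ct["C"], key["D"]))
    den = ct["C0"] * key["D0"] + sum(ct["C0"] * d0 for d0, _, _ in key["D"])
    return (num - den) % P2

def demo():
    """Which key/ciphertext pairs decrypt cleanly in the hybrid games."""
    shared = shared_values()
    ct_sf, ct_n = sf_ciphertext(shared), normal_ciphertext()
    return {"normal_key_on_sf_ct": leftover(normal_key(), ct_sf) == 0,
            "sf_key_on_normal_ct": leftover(sf_key(), ct_n) == 0,
            "sf_key_on_sf_ct": leftover(sf_key(), ct_sf) != 0,
            "nominal_key_on_sf_ct": leftover(nominal_key(shared), ct_sf) == 0,
            "temporary_key_on_sf_ct": leftover(temporary_key(shared), ct_sf) != 0}
```

demo() exhibits the pattern the hybrid argument relies on: a normal key decrypts a semi-functional ciphertext and a semi-functional key decrypts a normal ciphertext, so the attacker's keys and the challenge stay mutually consistent throughout the games; a nominal key decrypts the semi-functional challenge because \(s^{'}=\sum _i s_i^{'}\) makes its \(G_{p_2}\) parts cancel, while a temporary or semi-functional key leaves a random \(e(g_2,g_2)\) factor. The difference between a nominal and a temporary key is therefore only observable by decrypting the challenge, which the restriction on key queries in Sect. 2.3 rules out.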
Then we give the following lemmas to complete the proof.
Lemma 1. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_{real}\) and \(Game_0\).
We prove this lemma under the general subgroup decision assumption.
Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_{real}\) and \(Game_0\), we will create a PPT algorithm \(\mathcal {B}\) to break the general subgroup decision assumption. \(\mathcal {B}\) is given \(g_1\), a random element of \(G_{p_1}\), \(g_3\), a random element of \(G_{p_3}\), and T, which is either a random element of \(G_{p_1}\) or a random element of \(G_{p_1p_2}\). Depending on the value of T, \(\mathcal {B}\) will simulate either \(Game_{real}\) or \(Game_0\) with \(\mathcal {A}\).
\(\mathcal {B}\) first runs the Setup algorithm and generates the public parameters:
$$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$
\(A_{i,t},w,u_{i,t},a_{i,t},b_{i,t}\) are selected at random by \(\mathcal {B}\), so the master key is known to \(\mathcal {B}\). \(\mathcal {B}\) sends the public parameters to \(\mathcal {A}\). When \(\mathcal {A}\) requests a secret key or a re-encryption key, \(\mathcal {B}\) runs the normal KeyGen or RKGen algorithm to generate it.
When \(\mathcal {A}\) requests the challenge ciphertext, it selects two messages \(M_0\) and \(M_1\) of the same length and an access policy W, and sends them to \(\mathcal {B}\). \(\mathcal {B}\) flips a coin to choose a random bit \(b \in \{0,1\}\) and encrypts \(M_b\) under W as follows. It implicitly sets \(g^r\) equal to the \(G_{p_1}\) part of T. It also chooses \(\tilde{r}_{i,t}, r^{''} \in \mathbb {Z}_N, \forall t \in [1,n_i], \forall i \in [1,n]\) and implicitly sets \(r_{i,t}=r\tilde{r}_{i,t}\) (the exponent \(r^{''}\) fixes \(h=g_1^{r^{''}}\)). The ciphertext is formed as:
$${\tilde{C}=M_be(g_1,T)^w},C_0=T,C_0^{'}=T^{r^{''}},C_{i,t,1}=(T^{u_{i,t}b_{i,t}})^{\tilde{r}_{i,t}},C_{i,t,2}=(T^{u_{i,t}a_{i,t}})^{1-\tilde{r}_{i,t}}.$$
If \(T \in G_{p_1}\), this is a properly distributed normal ciphertext, and \(\mathcal {B}\) has properly simulated \(Game_{real}\) with \(\mathcal {A}\). If \(T\in G_{p_1p_2}\), this is a semi-functional ciphertext in which \(g_2^{r^{'}}\) is the \(G_{p_2}\) part of T, \(u_{i,t}^{'}\), \(a_{i,t}^{'}\) and \(b_{i,t}^{'}\) equal \(u_{i,t}\), \(a_{i,t}\) and \(b_{i,t}\) modulo \(p_2\), and \(r^{'}-r_{i,t}^{'}\) equals \(r^{'}(1-\tilde{r}_{i,t})\) modulo \(p_2\). Then \(\mathcal {B}\) has properly simulated \(Game_0\) with \(\mathcal {A}\).
Lemma 2. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_{k-1}\) and \(Game_k^N\) for any \(k \in [1, Q]\).
We prove this lemma under the general subgroup decision assumption.
Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_{k-1}\) and \(Game_k^N\) for some k between 1 and Q, we will create a PPT algorithm \(\mathcal {B}\) to break the general subgroup decision assumption. \(\mathcal {B}\) is given \(g_1, g_3, X_1X_2, Y_2Y_3, T\), where \(g_1, X_1\) are generators of \(G_{p_1}\), \(X_2, Y_2\) are generators of \(G_{p_2}\), \(g_3, Y_3\) are generators of \(G_{p_3}\), and T is either a random element of \(G_{p_1p_3}\) or a random element of \(G_{p_1p_2p_3}\). Depending on the value of T, \(\mathcal {B}\) will simulate either \(Game_{k-1}\) or \(Game_k^N\) with \(\mathcal {A}\).
\(\mathcal {B}\) first runs the Setup algorithm and generates the public parameters:
$$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$
\(A_{i,t},w,u_{i,t},a_{i,t},b_{i,t}\) are selected at random by \(\mathcal {B}\), so the master key is known to \(\mathcal {B}\). \(\mathcal {B}\) sends the public parameters to \(\mathcal {A}\). For key queries after the \(k^{th}\) one, \(\mathcal {B}\) runs the normal KeyGen algorithm, and for re-encryption keys it runs the normal RKGen algorithm on the corresponding (normal or semi-functional) secret key.
In response to \(\mathcal {A}\)'s first \(k-1\) key queries, \(\mathcal {B}\) produces semi-functional keys as follows. It first runs the normal KeyGen algorithm to produce a normal key \(D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\), then chooses a random exponent \(\tau \in \mathbb {Z}_N\) and forms the semi-functional key \(D_0(Y_2Y_3)^{\tau },\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\).
For a re-encryption key derived from such a key, \(\mathcal {B}\) runs the RKGen algorithm and obtains:
$$D_0(Y_2Y_3)^{\tau },\{D_{i,0}h^r,D_{i,1},D_{i,2}\}_{1 \le i \le n}.$$
Here h is a random element of \(G_{p_1}\) and r is a random exponent in \(\mathbb {Z}_p^*\) (it plays the role of d in RKGen).
\(\mathcal {B}\) generates the semi-functional challenge ciphertext for \(M_b\) under policy W as in Lemma 1. It chooses random exponents \(\tilde{r}_{i,t},\ \forall i \in [1,n],\ t \in [1,n_i]\), implicitly sets \(g^r=X_1\) and \(r_{i,t}=r\tilde{r}_{i,t}\), and chooses a random exponent \(r^{\prime \prime }\). The semi-functional ciphertext is:
$$\begin{aligned}&\tilde{C}=M_be(g_1,X_1X_2)^w,\ C_0=X_1X_2,\ C_0^{'}=(X_1X_2)^{r^{''}},\\&C_{i,t,1}=(X_1X_2)^{u_{i,t}b_{i,t}\tilde{r}_{i,t}},\ C_{i,t,2}=(X_1X_2)^{u_{i,t}a_{i,t}(1-\tilde{r}_{i,t})}. \end{aligned}$$
This implicitly sets \(g_2^{r^{'}}=X_2\), \(u_{i,t}^{'}\), \(a_{i,t}^{'}\) and \(b_{i,t}^{'}\) equal to \(u_{i,t}\), \(a_{i,t}\) and \(b_{i,t}\) modulo \(p_2\), and \(r^{'}-r_{i,t}^{'}\) equal to \(r^{'}(1-\tilde{r}_{i,t})\) modulo \(p_2\).
To produce the \(k^{th}\) requested key for an attribute list L, \(\mathcal {B}\) randomly chooses exponents \(s_i, \tilde{\lambda }_i \in \mathbb {Z}_N\), sets \(s=\sum _{i=1}^{n}s_i\), and chooses elements \(R,R_0,R_1,R_2 \in G_{p_3}\). It sets:
$$D_0=g_1^wT^{-s}R,D_{i,0}=T^{s_i}T^{u_{i,t_i}a_{i,t_i}b_{i,t_i}\tilde{\lambda }_i}R_0,D_{i,1}=T^{a_{i,t_i}\tilde{\lambda }_i}R_1,D_{i,2}=T^{b_{i,t_i}\tilde{\lambda }_i}R_2.$$
If \(T \in G_{p_1p_3}\), this is a properly distributed normal key and \(\mathcal {B}\) has simulated \(Game_{k-1}\). If \(T \in G_{p_1p_2p_3}\), write its \(G_{p_2}\) part as \(g_2^{c}\): the key then carries the \(G_{p_2}\) exponents \(-cs\), \(cs_i+u_{i,t_i}a_{i,t_i}b_{i,t_i}c\tilde{\lambda }_i\), \(a_{i,t_i}c\tilde{\lambda }_i\) and \(b_{i,t_i}c\tilde{\lambda }_i\), i.e. it is a nominal semi-functional key with \(s_i^{'}=cs_i\), \(s^{'}=\sum _i s_i^{'}\), \(\lambda _i^{'}=c\tilde{\lambda }_i\) and the same \(u_{i,t}^{'},a_{i,t}^{'},b_{i,t}^{'}\) as the challenge ciphertext, so \(\mathcal {B}\) has simulated \(Game_k^N\).
Lemma 3. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_k^N\) and \(Game_k^T\) for any \(k\in [1,Q]\).
We prove this lemma under the three party Diffie-Hellman assumption.
-
Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_k^N\) and \(Game_k^T\) for some k between 1 and \(Q_1\), we will create a PPT algorithm \(\mathcal {B}\) to break the three party Diffie-Hellman assumption in a subgroup. \(\mathcal {B}\) is given \(g_1,g_2,g_3,g_2^x,g_2^y,g_2^z,T\) where T is either \(g_2^{xyz}\) or a random element of \(G_{p_2}\). Due to the different values of T, \(\mathcal {B}\) will simulate either \(Game_k^N\) or \(Game_k^T\) with \(\mathcal {A}\).
\(\mathcal {B}\) first runs the Setup algorithm and generate the public parameters:
$$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$\(A_{i,t},w,u_{i,t},a_{i,t},b_{i,t}\) are selected randomly by \(\mathcal {B}\), and the master key is known to \(\mathcal {B}\). \(\mathcal {B}\) sends the public parameters to \(\mathcal {A}\). When \(\mathcal {A}\) requests a secret key, or a re-encryption key, \(\mathcal {B}\) runs the normal KeyGen algorithm or the normal RKGen algorithm to generate the requested one.
In response to \(\mathcal {A}\)’s first \(k-1\) key requests, \(\mathcal {B}\) generates semi-functional keys by first run the normal KeyGen algorithm and then multiplying \(D_0\) by a random element of \(G_{p_2}\).
To generate the \(k^{th}\) key query by \(\mathcal {A}\), \(\mathcal {B}\) first run the normal KeyGen algorithm to generate a normal key \(D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\). It then chooses random exponents \(s_i^{'},u_{i,t}^{'},a_{i,t}^{'},b_{i,t}^{'},\lambda _i^{'} \in \mathbb {Z}_N\), the key is formed as:
$$D_0T,D_{i,0}g_2^{s_i^{'}+u_{i,t}^{'}a_{i,t}^{'}b_{i,t}^{'}\lambda _{i}^{'}},D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.$$Then \(\mathcal {B}\) runs the RKGen algorithm and generates the re-encryption key:
$$D_0T,D_{i,0}g_2^{s_i^{'}+u_{i,t}^{'}a_{i,t}^{'}b_{i,t}^{'}\lambda _{i}^{'}}h^r,D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.$$If \(T=g_2^{xyz}\), this will be a properly distributed nominal semi-functional key, and when T is random in \(G_{p_2}\), this will be a properly distributed temporary semi-functional key.
To generate the semi-functional challenge ciphertext for message \(M_b\) and access policy W. \(\mathcal {B}\) first runs the normal Encrypt algorithm to generate a normal ciphertext \(\tilde{C}, C_0, C_0^{'}, \{\{C_{i,t,1},C_{i,t,2}\}_{1 \le t \le n_i} \}_{1 \le i \le n}\). It then chooses random exponents \(r^{'},r_{i,t}^{'} \in \mathbb {Z}_p^*\). The semi-functional ciphertext is formed as:
$$\tilde{C}=Me(g,g)^{wr},C_0g_2^{r^{'}},C_0^{'}g_2^{r^{'}},C_{i,t,1}g_2^{u_{i,t}b_{i,t}r_{i,t}^{'}},C_{i,t,2}g^{u_{i,t}a_{i,t}r_{i,t}^{'}}.$$ -
Lemma 4. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_k^T\) and \(Game_k\) for any k from 1 to Q. We prove this lemma under the general subgroup decision assumption.
-
Proof. The proof of this lemma is similar to Lemma 2, except that \(\mathcal {B}\) uses \(Y_2Y_3\) to place a random \(G_{p_2}\) component on the \(D_0\) part of the \(k^{th}\) key to make it a semi-functional key in the case that T has no \(G_{p_2}\) component.
-
Lemma 5. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_Q\) and \(Game_{final}\).
We prove this lemma under the basic generic group assumption.
-
Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_Q\) and \(Game_{final}\), we will create a PPT algorithm \(\mathcal {B}\) to break the basic generic group assumption. \(\mathcal {B}\) is given \(g_1,g_2,g_3,g_1^wX_2,g_1^rY_2,T\) where T is either \(e(g_1,g_1)^{wr}\) or a random element of \(G_{p_2}\). Due to the different values of T, \(\mathcal {B}\) will simulate either \(Game_Q\) or \(Game_{final}\) with \(\mathcal {A}\).
\(\mathcal {B}\) first runs the Setup algorithm and generate the public parameters:
$$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$In response to \(\mathcal {A}\)’s requests for a key under an attribute list L, \(\mathcal {B}\) generates the semi-functional key as follows. It chooses random exponents \(r^{'},\tilde{r}_{i,t}\) and random elements \(R,R_0,R_1,R_2 \in G_{p_3}\). The semi-functional key is formed as:
$$D_0=(g_1^wX_2)g_1^{-s}Rg_2^{r^{'}},D_{i,0}=g_1^{s_i}g_1^{u_{i,t}a_{i,t}b_{i,t}\lambda _i}R_0,D_{i,1}=g^{a_{i,t_i}\lambda _i}R_1,D_{i,2}=g^{b_{i,t_i}\lambda _i}R_2.$$Then \(\mathcal {B}\) runs the RKGen algorithm and generates the re-encryption key:
$$D_0\!=\!(g_1^wX_2)g_1^{-s}Rg_2^{r^{'}},D_{i,0}=g_1^{s_i}g_1^{u_{i,t}a_{i,t}b_{i,t}\lambda _i}h^rR_0,D_{i,1}=g^{a_{i,t_i}\lambda _i}R_1,D_{i,2}=g^{b_{i,t_i}\lambda _i}R_2.$$To generate the semi-functional ciphertext for \(M_b\) under access policy W, \(\mathcal {B}\) chooses random exponents \(\tilde{r}_{i,t},r^{'}\) and implicitly sets \(r=r^{'}\tilde{r}_{i,t}\), the semi-functional ciphertext is formed as:
$$\begin{aligned}&\tilde{C}=M_bT,C_0=g_1^{r^{'}}Y_2,C_0^{'}=h^{r^{'}}Y_2,\\&C_{i,t,1}=(g_1^{r^{'}}Y_2)^{u_{i,t}b_{i,t}\tilde{r}_{i,t}},C_{i,t,2}=(g_1^{r^{'}}Y_2)^{u_{i,t}a_{i,t}(1-\tilde{r}_{i,t})}. \end{aligned}$$In this semi-functional ciphertext, \(g_2^{r^{'}}\) equals \(Y_2\), \(u_{i,t}^{'}\) equals \(u_{i,t}\), \(a_{i,t}^{'}\) equals \(a_{i,t}\), \(b_{i,t}^{'}\) equals \(b_{i,t}\), \(1-\tilde{r}_{i,t}\) equals \(r-r_{i,t}\) for each i, t modulo \(p_2\). If \(T=e(g_1,g_1)^{\alpha s}\) this is a properly distributed semi-functional encryption of \(M_b\), and \(\mathcal {B}\) has properly simulated \(Game_q\). If T is a random element of \(G_T\), then this is a properly distributed semi-functional encryption of a random message, and \(\mathcal {B}\) has properly simulated \(Game_{final}\).
5 Conclusion
In this work, we propose a hidden ciphertext-policy attribute-based proxy re-encryption scheme, which solves the problem of privacy leakage during the re-encryption process. In addition, we prove our scheme fully secure in the standard model. In future work, we intend to design a CP-AB-PRE scheme that reduces the computation cost of the re-encryption process and supports more expressive access policies.
References
Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)
Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122
Chu, C.-K., Tzeng, W.-G.: Identity-based proxy re-encryption without random oracles. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 189–202. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75496-1_13
Do, J.M., Song, Y.J., Park, N.: Attribute based proxy re-encryption for data confidentiality in cloud computing environments. In: First ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering, pp. 248–251 (2011)
Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_19
Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: Usenix Conference on Security, pp. 34–34 (2011)
Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 233–252. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_13
Hur, J., Noh, D.K.: Attribute-based access control with efficient revocation in data outsourcing systems. IEEE Trans. Parallel Distrib. Syst. 22(7), 1214–1221 (2011)
Lai, J., Deng, R.H., Li, Y.: Fully secure ciphertext-policy hiding CP-ABE. In: Bao, F., Weng, J. (eds.) ISPEC 2011. LNCS, vol. 6672, pp. 24–39. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21031-0_3
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_12
Li, H., Pang, L.: Efficient and adaptively secure attribute-based proxy reencryption scheme. Int. J. Distrib. Sens. Netw. 12, 1–12 (2016)
Li, J., Ren, K., Zhu, B., Wan, Z.: Privacy-aware attribute-based encryption with user accountability. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 347–362. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04474-8_28
Li, X., Gu, D., Ren, Y., Ding, N., Yuan, K.: Efficient ciphertext-policy attribute based encryption with hidden policy. In: Xiang, Y., Pathan, M., Tao, X., Wang, H. (eds.) IDCS 2012. LNCS, vol. 7646, pp. 146–159. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34883-9_12
Liang, K., Au, M.H., Liu, J.K., Susilo, W., Wong, D.S., Yang, G., Yu, Y., Yang, A.: A secure and efficient ciphertext-policy attribute-based proxy re-encryption for cloud data sharing. Future Gener. Comput. Syst. 52(C), 95–108 (2015)
Liang, X., Cao, Z., Lin, H., Shao, J.: Attribute based proxy re-encryption with delegating capabilities. In: ASIACCS 2009, pp. 276–286 (2009)
Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. IEEE Trans. Inf. Theory 57(3), 1786–1802 (2011)
Liu, Q., Tan, C.C., Wu, J., Wang, G.: Reliable re-encryption in unreliable clouds. In: Global Communications Conference, GLOBECOM 2011, 5–9 December 2011, Houston, Texas, USA, pp. 1–5 (2011)
Liu, Q., Wang, G., Wu, J.: Time-based proxy re-encryption scheme for secure data sharing in a cloud environment. Inf. Sci. 258(3), 355–370 (2014)
Luo, S., Hu, J., Chen, Z.: Ciphertext policy attribute-based proxy re-encryption. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 401–415. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17650-0_28
Matsuo, T.: Proxy re-encryption systems for identity-based encryption. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 247–267. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5_13
Nishide, T., Yoneyama, K., Ohta, K.: Attribute-based encryption with partially hidden encryptor-specified access structures. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 111–129. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68914-0_7
Phuong, T.V.X., Yang, G., Susilo, W.: Hidden ciphertext policy attribute-based encryption under standard assumptions. IEEE Trans. Inf. Forensics Secur. 11(1), 35–45 (2015)
Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, pp. 185–194, October 2007
Seo, H.J., Kim, H.: Attribute-based proxy re-encryption with a constant number of pairing operations. J. Inf. Commun. Converg. Eng. 10(1), 53–60 (2012)
Seo, H., Kim, H.: Zigbee security for visitors in home automation using attribute based proxy re-encryption. In: IEEE International Symposium on Consumer Electronics, pp. 304–307 (2011)
Guo, S., Zeng, Y., Wei, J., Xu, Q.: Attribute-based re-encryption scheme in the standard model. Wuhan Univ. J. Nat. Sci. 13(5), 621–625 (2008)
Yu, S., Wang, C., Ren, K., Lou, W.: Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Conference on Information Communications, pp. 534–542 (2010)
Acknowledgement
This work is supported by the National Natural Science Foundation of China under Grant No. 61672062, 61232005, and the National High Technology Research and Development Program (“863” Program) of China under Grant No. 2015AA016009.
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Feng, X., Li, C., Li, D., Fang, Y., Shen, Q. (2018). Fully Secure Hidden Ciphertext-Policy Attribute-Based Proxy Re-encryption. In: Qing, S., Mitchell, C., Chen, L., Liu, D. (eds) Information and Communications Security. ICICS 2017. Lecture Notes in Computer Science(), vol 10631. Springer, Cham. https://doi.org/10.1007/978-3-319-89500-0_17
DOI: https://doi.org/10.1007/978-3-319-89500-0_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-89499-7
Online ISBN: 978-3-319-89500-0