Flexible ciphertext-policy attribute-based encryption supporting AND-gate and threshold with short ciphertexts

Regular Contribution, International Journal of Information Security

Abstract

Ciphertext-policy attribute-based encryption (CP-ABE) is a very promising cryptographic primitive that allows a data owner to encrypt messages and manage access policies themselves. Most of the existing CP-ABE schemes suffer from efficiency drawbacks due to long ciphertexts, which impacts their adoption in applications where data are shared and stored. In this work, we aim to address this gap by proposing a CP-ABE scheme which features constant-size ciphertexts and supports access policies consisting of an AND-gate and a threshold, which makes ciphertext policies more expressive and applicable to many practical applications. Prior CP-ABE schemes with short ciphertexts, such as that of Herranz et al. (in: Public key cryptography—PKC, Springer, 2010), only allow an access policy to be a single AND-gate or a single threshold. Combining these short CP-ABE constructions results in systems insecure against collusion attacks, which makes the effort to enable access policies with an AND-gate and a threshold gate at the same time very challenging. We present such a scheme that solves this drawback. Our scheme is efficient, expressive and secure. In our construction, the encryptor chooses two subsets \(S_1\), \(S_2\) of a certain universe of attributes and a threshold value \(t_1\), such that only users who have at least \(t_1\) attributes in \(S_1\) and all attributes in \(S_2\) can decrypt the ciphertext. The scheme is proven secure against selective chosen plaintext attacks in the standard model by reduction to the augmented multi-sequence of exponents decisional Diffie–Hellman (aMSE-DDH) problem.


Notes

  1. This example is illustrated based on the rent-a-coder website: http://www.rent-acoder.com/.

References

  1. Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) Cryptography and Coding, pp. 278–300. Heidelberg, Berlin (2009)

  2. Attrapadung, N., Libert, B.: Functional encryption for inner product: achieving constant-size ciphertexts with adaptive security or support for negation. In: Nguyen, P.Q., Pointcheval, D. (eds.) Public Key Cryptography–PKC 2010, pp. 384–402. Heidelberg, Berlin (2010)

  3. Attrapadung, N., Libert, B., De Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) Public Key Cryptography–PKC 2011, pp. 90–108. Heidelberg, Berlin (2011)

  4. Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Technion-Israel Institute of Technology, Faculty of Computer Science (1996)

  5. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, 2007. SP’07, pp. 321–334. IEEE (2007)

  6. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) Advances in Cryptology–EUROCRYPT 2005, pp. 440–456. Heidelberg, Berlin (2005)

  7. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) Advances in Cryptology CRYPTO 2001, pp. 213–229. Heidelberg, Berlin (2001)

  8. Chen, C., Chen, J., Lim, H.W., Zhang, Z., Feng, D., Ling, S., Wang, H.: Fully secure attribute-based systems with short ciphertexts/signatures and threshold access structures. In: Dawson (ed.) Topics in Cryptology–CT-RSA 2013, pp. 50–67. Heidelberg, Berlin (2013)

  9. Chen, C., Zhang, Z., Feng, D.: Efficient ciphertext policy attribute-based encryption with constant-size ciphertext and constant computation-cost. In: Boyen, X., Chen, X. (eds.) Provable Security, pp. 84–101. Heidelberg, Berlin (2011)

  10. Cheung, L., Newport, C.: Provably secure ciphertext policy ABE. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 456–465. ACM (2007)

  11. Delerablée, C., Pointcheval, D.: Dynamic threshold public-key encryption. In: Wagner, D. (ed.) Advances in Cryptology–CRYPTO 2008, pp. 317–334. Heidelberg, Berlin (2008)

  12. Emura, K., Miyaji, A., Nomura, A., Omote, K., Soshi, M.: A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. In: Bao, F., Li, H., Wang, G. (eds.) Information Security Practice and Experience, pp. 13–23. Heidelberg, Berlin (2009)

  13. Ge, A., Zhang, R., Chen, C., Ma, C., Zhang, Z.: Threshold ciphertext policy attribute-based encryption with constant size ciphertexts. In: Susilo, W., Mu, Y., Seberry, J. (eds.) Information Security and Privacy, pp. 336–349. Heidelberg, Berlin (2012)

  14. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006)

  15. Herranz, J., Laguillaumie, F., Ràfols, C.: Constant size ciphertexts in threshold attribute-based encryption. In: Nguyen, P.Q., Pointcheval, D. (eds.) Public Key Cryptography–PKC 2010, pp. 19–34. Heidelberg, Berlin (2010)

  16. Hohenberger, S., Waters, B.: Online/offline attribute-based encryption. In: Krawczyk, H. (ed.) Public-Key Cryptography–PKC 2014, pp. 293–310. Heidelberg, Berlin (2014)

  17. Hur, J., Noh, D.K.: Attribute-based access control with efficient revocation in data outsourcing systems. IEEE Trans. Parallel Distrib. Syst. 22(7), 1214–1221 (2011)


  18. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) Advances in Cryptology–EUROCRYPT 2008, pp. 146–162. Heidelberg, Berlin (2008)

  19. Lai, J., Deng, R.H., Li, Y.: Expressive CP-ABE with partially hidden access structures. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 18–19. ACM (2012)

  20. Li, J., Huang, Q., Chen, X., Chow, S.S., Wong, D.S., Xie, D.: Multi-authority ciphertext-policy attribute-based encryption with accountability. In: Cheung, B., Hui, L.C.K., Sandhu, R., Wong, D.S. (eds.) Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 386–390. ACM, New York, USA (2011)

  21. Li, J., Ren, K., Kim, K.: A2BE: accountable attribute-based encryption for abuse free access control. IACR Cryptol. ePrint Arch. 2009, 118 (2009)

  22. Li, J., Ren, K., Zhu, B., Wan, Z.: Privacy-aware attribute-based encryption with user accountability. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) Information Security, pp. 347–362. Heidelberg, Berlin (2009)

  23. Li, Q., Xiong, H., Zhang, F., Zeng, S.: An expressive decentralizing KP-ABE scheme with constant-size ciphertext. IJ Netw. Sec. 15(3), 161–170 (2013)

  24. Liang, X., Lu, R., Lin, X., Shen, X.S.: Ciphertext policy attribute based encryption with efficient revocation. Technical Report, University of Waterloo (2010)

  25. Liu, Z., Cao, Z., Wong, D.: White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures. IEEE Trans. Inf. Forensics Sec. 8(1), 76–88 (2013)


  26. Liu, Z., Cao, Z., Wong, D.S.: Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on eBay. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 475–486. ACM (2013)

  27. Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) Advances in Cryptology-CRYPTO 2003, pp. 96–109. Heidelberg, Berlin (2003)

  28. Nishide, T., Yoneyama, K., Ohta, K.: Attribute-based encryption with partially hidden encryptor-specified access structures. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) Applied Cryptography and Network Security, pp. 111–129. Heidelberg, Berlin (2008)

  29. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 195–203. ACM (2007)

  30. Rao, Y.S., Dutta, R.: Computationally efficient dual-policy attribute based encryption with short ciphertext. In: Susilo, W., Reyhanitabar, R. (eds.) Provable Security, pp. 288–308. Heidelberg, Berlin (2013)

  31. Rao, Y.S., Dutta, R.: Recipient anonymous ciphertext-policy attribute based encryption. In: Bagchi, A., Ray, I. (eds.) Information Systems Security, pp. 329–344. Heidelberg, Berlin (2013)

  32. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) Advances in Cryptology–EUROCRYPT 2005, pp. 457–473. Heidelberg, Berlin (2005)

  33. Tran, P.V.X., Dinh, T.N., Miyaji, A.: Efficient ciphertext-policy ABE with constant ciphertext length. In: 2012 7th International Conference on Computing and Convergence Technology (ICCCT), pp. 543–549. IEEE (2012)

  34. Yu, S., Wang, C., Ren, K., Lou, W.: Attribute based data sharing with attribute revocation. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 261–270. ACM (2010)

  35. Zhang, Y., Chen, X., Li, J., Wong, D.S., Li, H.: Anonymous attribute-based encryption supporting efficient decryption test. In: Proceedings of the 8th ACM SIGSAC symposium on Information, Computer and Communications Security, pp. 511–516. ACM (2013)


Acknowledgements

This work is partially supported by ARC Project (DP130101383).

Corresponding author

Correspondence to Yinhao Jiang.

Appendix: Proof of Theorem 1

Proof

We now give the details of the simulation. From now on, we will denote by \(W_S\) the subset \(W\cap S\).

Init \(\mathcal {B}\) defines an attribute universe \(\mathcal {U}=\{A_{1},\dots , A_{n}\}\) of cardinality n. \(\mathcal {A}\) gives \(\mathcal {B}\) the challenge access structure \(\mathbb {A}^*\), defined by an AND-gate and a threshold policy \((S_1,t_1)\wedge (S_2)\), where \(S_1, S_2\subset \mathcal {U}\) have respective cardinalities \(s_1\), \(s_2\) and the threshold value satisfies \(1\le t_1\le s_1\). Here we assume \(S_1=\{A_{n-s_1-s_2+1},\dots , A_{n-s_2}\}\) and \(S_2=\{A_{n-s_2+1}, \dots , A_{n}\}\).

Setup The algorithm \(\mathcal {B}\) defines \(g\,{:=}\,g_0^{f(\gamma )\cdot g_2(\gamma )}\), \(h\,{:=}\,h_0^{g_1(\gamma )}\), \(\eta \,{:=}\,\zeta \cdot \frac{g_2(\gamma )}{g_1(\gamma )}\); thus, \(g'=g^\frac{1}{\eta }=g_0^\frac{f(\gamma )g_1(\gamma )}{\zeta }\), \(h'=h^\eta =h_0^{\zeta \cdot g_2(\gamma )}\). \(\mathcal {B}\) then can compute

  • The value \(u=g^{\alpha \gamma }=g_0^{\alpha \gamma \cdot f(\gamma )g_2(\gamma )}\) with line (1.2) of its input values, since the exponent \(\alpha \cdot \gamma \cdot f(\gamma ) g_2(\gamma )\) is a linear combination of \(\{g_2(\gamma )\cdot \alpha , \dots , g_2(\gamma )\cdot \alpha \cdot \gamma ^{n-s_1-s_2+1}\}\) and \(\mathcal {B}\) knows the coefficients of the exponent polynomial.

  • The value \(u'={g'}^{\alpha \gamma }=g_0^\frac{\alpha \gamma \cdot f(\gamma )g_1(\gamma )}{\zeta }\) with line (1.5), in the same way as computing u.

  • The value

    $$\begin{aligned} v&=e(g,h)^\alpha =e\left( g_0^{f(\gamma )g_2(\gamma )},h_0^{g_1(\gamma )}\right) ^\alpha \\&=e(g_0^{\alpha \cdot f(\gamma )g_2(\gamma )}, h_0^{g_1(\gamma )}) \end{aligned}$$

    with line (1.2) for \(g_0^{\alpha \cdot f(\gamma )g_2(\gamma )}\) and line (1.7) for \(h_0^{g_1(\gamma )}\).

  • Elements in \(\{h^{\alpha \gamma ^i}=h_0^{\alpha \cdot g_1(\gamma )\cdot \gamma ^i}\}_{i=0,\dots ,2n-1}\) with line (1.8).

  • Elements in \(\{{h'}^{\alpha \gamma ^i}=h_0^{\zeta \alpha \cdot g_2(\gamma )\cdot \gamma ^i}\}_{i=0,\dots ,2n-1}\) with line (1.11).

    To complete the setup phase, \(\mathcal {B}\) needs to define the encoding of attributes \(\tau (A_i)\) and the values of set \(\mathcal {D}\).

  • The encoding \(\tau \) is defined as \(\tau (A_i)=x_i\) for \(i=1,\dots , n\). It can be seen that the encodings of the first \(n-s_1-s_2\) elements are the opposite of the roots of f(X), the encodings of the attributes in \(S_1\) are the opposite of roots of \(g_1(X)\), and the encodings of the attributes in \(S_2\) are the opposite of roots of \(g_2(X)\).

  • The set \(\mathcal {D}=\{d_1, \dots , d_{n-1}\}\) is defined as \(d_i=x_{n+i}\) for \(i=1, \dots , n-1-s_1+t_1\), while each \(d_j\) for \(j=n-s_1+t_1, \dots , n-1\) is picked uniformly at random in \(\mathbb {Z}_p\), repeatedly until it is distinct from \(\{x_1, \dots , x_{2n-1-s_1+t_1}, d_{n-s_1+t_1}, \dots , d_{j-1}\}\).

(We note the values of \(d_1, \dots , d_{n-1-s_1+t_1}\) are the opposite of roots of \(h_1(X)\).)

Finally, \(\mathcal {B}\) sends to \(\mathcal {A}\) the simulated public parameters:

$$\begin{aligned} \left( u,u',v,\{h^{\alpha \gamma ^i},{h'}^{\alpha \gamma ^i}\}_{i=0,\dots ,2n-1}, \mathcal {D},\tau \right) . \end{aligned}$$

Phase 1 The adversary \(\mathcal {A}\) makes private key queries. To respond to a query on attribute set \(W\subset \mathcal {U}\), where \(W\not \models \mathbb {A}^*\), the algorithm \(\mathcal {B}\) must produce a tuple of the form

$$\begin{aligned} \left( \{g^\frac{r_1}{\gamma +\tau (A_i)}, {g'}^\frac{r_3}{\gamma +\tau (A_i)}\}_{A_i\in W},\{h^{r_1\gamma ^i}\}_{i=0,\dots ,n-2}, h^\frac{r_1-r_2}{\gamma } \right) . \end{aligned}$$

Observe that since \(W\not \models \mathbb {A}^*\) all allowed queries must satisfy \(|W_{S_1}|<t_1\) or \(|W_{S_2}|< s_2\). \(\mathcal {B}\) defines the polynomials for \(i=1,2\),

$$\begin{aligned} Q_{W_{S_i}}(X)={\left\{ \begin{array}{ll}1&{}\quad |W_{S_i}|=0\\ \lambda _i\cdot \prod _{A\in W_{S_i}}(X+\tau (A))&{}\quad |W_{S_i}|>0\end{array}\right. }, \end{aligned}$$

where \(\lambda _i=\left( \prod _{A\in W_{S_i}}\tau (A)\right) ^{-1}\) (so that \(Q_{W_{S_i}}\) has constant term 1), and simulates a private key for W according to the following cases:
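The following Python is an added illustration, not code from the paper: it works through the simulator's bookkeeping over a small constructed \(\mathbb {Z}_p\), checking whether a queried attribute set W satisfies the policy \((S_1,t_1)\wedge (S_2)\) from the abstract, building \(Q_{W_{S_i}}\) with constant term 1, and verifying the divisibility \((\gamma +\tau (A))\mid f(\gamma )g_1(\gamma )Q_{W_{S_2}}(\gamma )\) and \((\gamma +\tau (A))\mid f(\gamma )g_2(\gamma )Q_{W_{S_1}}(\gamma )\) that the key-query cases rely on. The prime, universe, policy and encodings \(\tau \) are all constructed toy values.

```python
# Added example, not code from the paper: the polynomial bookkeeping behind the
# simulator's Phase 1 key queries, over Z_p with a small constructed prime.
# Polynomials are coefficient lists, lowest degree first; all values constructed.
P = 1_000_003  # toy prime for illustration only, not a secure group order


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_from_roots(vals):
    """prod_(r in vals) (X + r): the encodings are the *negated* roots."""
    acc = [1]
    for r in vals:
        acc = poly_mul(acc, [r % P, 1])
    return acc


def poly_rem(num, den):
    """Remainder of num divided by den over Z_p (den is monic here)."""
    num = num[:]
    for i in range(len(num) - len(den), -1, -1):
        c = num[i + len(den) - 1]
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - c * d) % P
    return num[:len(den) - 1]


def satisfies(W, S1, t1, S2):
    """W |= (S1, t1) AND S2: at least t1 attributes of S1 and all of S2."""
    return len(W & S1) >= t1 and S2 <= W


def Q_poly(W_S, tau):
    """Q_{W_S}(X) = lambda * prod_(A in W_S) (X + tau(A)), scaled so Q(0) = 1."""
    if not W_S:
        return [1]
    q = poly_from_roots([tau[A] for A in W_S])
    lam = pow(q[0], P - 2, P)  # lambda = (prod tau(A))^{-1}
    return [c * lam % P for c in q]


def key_query_check(W, S1, t1, S2, universe, tau):
    """For a disallowed query W, report the simulation case and whether
    (X + tau(A)) divides the exponent polynomials for every A in W."""
    if satisfies(W, S1, t1, S2):
        return None  # W |= A*: not a legal key query
    f = poly_from_roots([tau[A] for A in universe - S1 - S2])
    g1 = poly_from_roots([tau[A] for A in S1])
    g2 = poly_from_roots([tau[A] for A in S2])
    Q1, Q2 = Q_poly(W & S1, tau), Q_poly(W & S2, tau)
    case = 1 if len(W & S1) < t1 else 2  # otherwise |W_{S2}| < s2
    exp_r3 = poly_mul(poly_mul(f, g1), Q2)  # numerator in g'^{r3/(gamma+tau(A))}
    exp_r1 = poly_mul(poly_mul(f, g2), Q1)  # numerator in g^{r1/(gamma+tau(A))}
    divisible = all(poly_rem(e, [tau[A], 1]) == [0]
                    for A in W for e in (exp_r3, exp_r1))
    return {"case": case, "Q1_const": Q1[0], "Q2_const": Q2[0],
            "divisible": divisible}


# Constructed instance: n = 6, S1 = {A2, A3, A4} (s1 = 3), S2 = {A5, A6}, t1 = 2.
UNIVERSE = {f"A{i}" for i in range(1, 7)}
S1, S2, T1 = {"A2", "A3", "A4"}, {"A5", "A6"}, 2
TAU = {f"A{i}": 10 * i + 7 for i in range(1, 7)}  # constructed distinct encodings

if __name__ == "__main__":
    for W in ({"A1", "A2", "A5", "A6"}, {"A2", "A3", "A5"}, {"A2", "A3", "A5", "A6"}):
        print(sorted(W), key_query_check(W, S1, T1, S2, UNIVERSE, TAU))
```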

If \(|W_{S_1}|<t_1\): \(\mathcal {B}\) picks at random \(y_{1c}, y_{3c}\) in \(\mathbb {Z}_p\) and defines

$$\begin{aligned}&r_1\,{:=}\,(1+\omega y_{1c}\gamma ) Q_{W_{S_1}}(\gamma ),\\&r_2\,{:=}\,1-\omega y_{3c}\gamma Q_{W_{S_2}}(\gamma ),\\&r_3\,{:=}\,\omega y_{3c}\gamma Q_{W_{S_2}}(\gamma ). \end{aligned}$$

\(\mathcal {B}\) then computes the elements for \(sk_W\):

  • For any attribute \(A\in W\),

    $$\begin{aligned} {g'}^\frac{r_3}{\gamma +\tau (A)}={g_0^{\frac{\omega \gamma y_{3c}}{\zeta }\cdot \frac{f(\gamma )g_1(\gamma )Q_{W_{S_2}}(\gamma )}{\gamma +\tau (A)}}}. \end{aligned}$$

    Since an attribute \(A\in W\) must be in \(W_{S_2}\), \(S_1\) or \(\mathcal {U}\setminus (S_1\cup S_2)\), \((\gamma +\tau (A))|f(\gamma )g_1(\gamma )Q_{W_{S_2}}(\gamma )\). The element can be computed with line (1.6) as its exponent polynomial is then a linear combination of \(\{\frac{\omega }{\zeta }, \dots , \frac{\omega \gamma ^{n}}{\zeta }\}\) of degree at most n in \(\gamma \).

  • For any attribute \(A\in W\),

    $$\begin{aligned} {g}^\frac{r_1}{\gamma +\tau (A)}={g_0^{{\omega \gamma y_{1c}}\cdot \frac{f(\gamma )g_2(\gamma )Q_{W_{S_1}}(\gamma )}{\gamma +\tau (A)}}}\cdot {g_0^{\frac{f(\gamma )g_2(\gamma )Q_{W_{S_1}} (\gamma )}{\gamma +\tau (A)}}}. \end{aligned}$$

    Since an attribute \(A\in W\) can be in \(W_{S_1}\), \(S_2\) or \(\mathcal {U}\setminus (S_1\cup S_2)\), \((\gamma +\tau (A))|f(\gamma )g_2(\gamma )Q_{W_{S_1}}(\gamma )\). The first factor can be computed with line (1.3) as its exponent is a polynomial in \(\gamma \) of degree at most \(n-1\), and the second factor can be computed with line (1.1) as its exponent is a polynomial in \(\gamma \) of degree at most \(n-2\).

  • The value

    $$\begin{aligned} h^\frac{r_1-r_2}{\gamma }=h_0^{\omega g_1(\gamma )\cdot (y_{1c}Q_{W_{S_1}}(\gamma ) +y_{3c}Q_{W_{S_2}}(\gamma ))}\cdot {h_0^{g_1(\gamma )\frac{Q_{W_{S_1}} (\gamma )-1}{\gamma }}}, \end{aligned}$$

    where the first factor can be computed from line (1.9) and the second factor can be computed from line (1.7), since \(Q_{W_{S_1}}(\gamma )\) is a polynomial with constant term 1 by its definition; thus, \(g_1(\gamma )\frac{Q_{W_{S_1}}(\gamma )-1}{\gamma }\) is a linear combination of \(\{g_1(\gamma ), g_1(\gamma )\cdot \gamma , \dots , g_1(\gamma )\cdot \gamma ^{t_1-1}\}\).

  • Elements in \(\{{h}^{r_1{\gamma ^i}}\}_{i=0,\dots ,n-2}\) can be computed as

    $$\begin{aligned} {h}^{r_1{\gamma ^i}}=h_0^{g_1(\gamma )\omega y_{1c}Q_{W_{S_1}}(\gamma )\cdot {\gamma ^{i+1}}}\cdot h_0^{g_1(\gamma )Q_{W_{S_1}}(\gamma )\cdot {\gamma ^{i}}} \end{aligned}$$

    where the first factor can be computed from line (1.9) and the second factor can be computed from line (1.7).

If \(|W_{S_2}|< s_2\): \(\mathcal {B}\) picks at random \(y_{1c}, y_{3c}\) in \(\mathbb {Z}_p\) and defines

$$\begin{aligned}&r_1{:}=\omega y_{1c}\gamma Q_{W_{S_1}}(\gamma ),\\&r_2{:}=1-\omega y_{3c}\gamma Q_{W_{S_2}}(\gamma )-\zeta \cdot h_1(\gamma )\cdot {Q_{W_{S_2}}(\gamma )},\\&r_3{:}=\omega y_{3c}\gamma Q_{W_{S_2}}(\gamma )+\zeta \cdot h_1(\gamma )\cdot {Q_{W_{S_2}}(\gamma )}. \end{aligned}$$

\(\mathcal {B}\) then computes the elements for \(sk_W\):

  • For any attribute \(A\in W\),

    $$\begin{aligned} {g'}^\frac{r_3}{\gamma +\tau (A)}={g_0^{\frac{\omega \gamma y_{3c}}{\zeta }\cdot \frac{f(\gamma )g_1(\gamma )Q_{W_{S_2}}(\gamma )}{\gamma +\tau (A)}}}\cdot {g_0^{\frac{f(\gamma )Q_{W_{S_2}}(\gamma )g_1(\gamma )\cdot h_1(\gamma )}{\gamma +\tau (A)}}}. \end{aligned}$$

    Since an attribute \(A\in W\) must be in \(W_{S_2}\), \(S_1\) or \(\mathcal {U}{\setminus }(S_1\cup S_2)\), \((\gamma +\tau (A))|f(\gamma )g_1(\gamma )Q_{W_{S_2}}(\gamma )\). The first factor can be computed from line (1.6) as its exponent is a polynomial in \(\gamma \) of degree at most \(n-1\), and the second factor can be computed from line (1.1) as its exponent is a polynomial in \(\gamma \) of degree at most \(2n-s_1+t_1-3\).

  • For attribute \(A\in W\),

    $$\begin{aligned} {g}^\frac{r_1}{\gamma +\tau (A)}={g_0^{{\omega \gamma y_{1c}}\cdot \frac{f(\gamma )g_2(\gamma )Q_{W_{S_1}}(\gamma )}{\gamma +\tau (A)}}}. \end{aligned}$$

    Since an attribute \(A\in W\) must be in \(W_{S_1}\), \(S_2\) or \(\mathcal {U}\setminus (S_1\cup S_2)\), \((\gamma +\tau (A))|f(\gamma )g_2(\gamma )Q_{W_{S_1}}(\gamma )\). It can be computed from line (1.3).

  • Elements in \(\{{h}^{r_1{\gamma ^i}}\}_{i=0,\dots ,n-2}\) can be computed as

    $$\begin{aligned} {h}^{r_1{\gamma ^i}}=h_0^{g_1(\gamma )\omega y_{1c}Q_{W_{S_1}}(\gamma )\cdot {\gamma ^{i+1}}}, \end{aligned}$$

    which can be computed from line (1.9).

  • Finally, \(\mathcal {B}\) needs to compute the value of \(h^\frac{r_1-r_2}{\gamma }\) from

    $$\begin{aligned} \left\{ \begin{array}{ll} J_1=h_0^{\omega g_1(\gamma )(y_{1c}Q_{W_{S_1}}(\gamma )+y_{3c}Q_{W_{S_2}}(\gamma ))}\\ J_2={h_0^{\zeta g_1(\gamma )h_1(\gamma )\frac{Q_{W_{S_2}}(\gamma )-1}{\gamma }}}\\ J_3={h_0^{g_1(\gamma )\frac{\zeta h_1(\gamma )-1}{\gamma }}}\\ h^\frac{r_1-r_2}{\gamma }=J_1\cdot J_2\cdot J_3 \end{array} \right. \end{aligned}$$

    where \(J_1\) can be computed from line (1.9); \(J_2\) can be computed from line (1.10) since \(\gamma |Q_{W_{S_2}}(\gamma )-1\) by the definition of \(Q_{W_{S_2}}(\gamma )\); and \(J_3\) is given from line (1.12).

Challenge Once \(\mathcal {A}\) sends to \(\mathcal {B}\) the two messages \(M_0\) and \(M_1\), \(\mathcal {B}\) flips a coin \(\beta \in \{0, 1\}\), and sets

$$\begin{aligned} C^*_4 = T_0 \cdot M_\beta . \end{aligned}$$

To simulate the rest of the challenge ciphertext, \(\mathcal {B}\) implicitly defines the randomness for the encryption as \(\kappa ^* = \kappa /\alpha \), and sets

$$\begin{aligned} C^*_2 = h^{\kappa \cdot g_1(\gamma )h_1(\gamma )}= h_0^{\kappa \cdot g^2_1(\gamma )h_1(\gamma )} \end{aligned}$$

which is given in line (1.7), and

$$\begin{aligned} C^*_3 = {h'}^{\kappa \cdot g_2(\gamma )}={h_0}^{\zeta \cdot \kappa \cdot g^2_2(\gamma )} \end{aligned}$$

which is given in line (1.12). To complete the ciphertext, \(\mathcal {B}\) computes

$$\begin{aligned} C^*_1 =u^{-\kappa ^*}=g_0^{-\kappa \gamma f(\gamma )g_2(\gamma )} \end{aligned}$$

from line (1.1), and

$$\begin{aligned} {C_1'}^*={u'}^{-\kappa ^*}=g_0^\frac{-\kappa \gamma f(\gamma )g_1(\gamma )}{\zeta } \end{aligned}$$

from line (1.4). \(\mathcal {B}\) gives \(\mathcal {A}\) the challenge ciphertext \(CT^*=(C_1^*, {C_1'}^*, C_2^*, C_3^*, C_4^*)\).

Phase 2 After the challenge step, \(\mathcal {A}\) may make other key extraction queries, which are answered as before.

Guess \(\mathcal {A}\) outputs a \(\beta '\). If \(\beta '=\beta \), \(\mathcal {B}\) outputs 0; otherwise \(\mathcal {B}\) outputs 1.

Perfect Simulation: When \(b=0\),

$$\begin{aligned} T_0=e(g_0, h_0)^{\kappa \cdot f(\gamma )g_1(\gamma )g_2(\gamma )}\in \mathbb {G}_T, \end{aligned}$$

observe the challenge ciphertext

$$\begin{aligned} C^*_4&=M_\beta \cdot e(g_0, h_0)^{\kappa \cdot f(\gamma )g_1(\gamma )g_2(\gamma )}\\&=M_\beta \cdot e\left( g_0^{\alpha \cdot f(\gamma )g_2(\gamma )}, h_0^{ g_1(\gamma )}\right) ^{\kappa /\alpha }\\&=M_\beta \cdot v^{\kappa ^*}. \end{aligned}$$

Thus, \(CT^*\) is a valid ciphertext for \(\mathbb {A}^*\), and the challenge ciphertext issued by \(\mathcal {B}\) comes from a distribution identical to that in the actual construction; however, we must still show that the public parameters and private keys issued by \(\mathcal {B}\) are appropriately distributed. This follows from the fact that the unknown random numbers \(\gamma , \kappa , \omega , \zeta , \alpha \) are chosen uniformly at random in \(\mathbb {Z}_p\), as are the other group elements from the input.

Probability Analysis:

Let \(\mathcal {I}=(\overrightarrow{x}_{2n-1-s_1+t_1}, \gamma , \kappa , \omega , \alpha , T_b, T_{1-b})\) be the input of the algorithm \(\mathcal {B}\), and let the adversary \(\mathcal {A}\) break our CP-ABE scheme with advantage \(\mathsf {Adv}^{\mathsf {IND}\text{- }\mathsf {sCPA}}_{\mathcal {A}}(\lambda )\). If \(b=0\), then the simulation is perfect, \(\mathcal {A}\) guesses the bit \(\beta \) correctly with its advantage, and

$$\begin{aligned} \left| \mathrm {Pr}[\mathcal {B}(\mathcal {I})=0|b=0]-\frac{1}{2}\right| =\mathsf {Adv}^{\mathsf {IND}\text{- }\mathsf {sCPA}}_{\mathcal {A}}(\lambda ). \end{aligned}$$

Else, \(b=1\) and \(T_0\) is uniformly random in \(\mathbb {G}_T\); thus \(C^*_4\) is uniformly random and independent in \(\mathbb {G}_T\) as well. In this case, the value of \(\beta \) is independent of \(\mathcal {A}\)'s view, so

$$\begin{aligned} \mathrm {Pr}[\mathcal {B}(\mathcal {I})=0|b=1]=\frac{1}{2}. \end{aligned}$$

Thus, we have that

$$\begin{aligned}&\mathsf {Adv}^{\mathsf {aMSE}\text{- }\mathsf {DDH}}_{\mathcal {B}}(\lambda )\\&\quad =\left| \mathrm {Pr}[\mathcal {B}(\mathcal {I})=0|b=0]-\mathrm {Pr}[\mathcal {B}(\mathcal {I})=0|b=1]\right| \\&\quad \ge \mathsf {Adv}^{\mathsf {IND}\text{- }\mathsf {sCPA}}_{\mathcal {A}}(\lambda ). \end{aligned}$$

This concludes the proof of Theorem 1. \(\square \)


Cite this article

Jiang, Y., Susilo, W., Mu, Y. et al. Flexible ciphertext-policy attribute-based encryption supporting AND-gate and threshold with short ciphertexts. Int. J. Inf. Secur. 17, 463–475 (2018). https://doi.org/10.1007/s10207-017-0376-y
