# Improving Security in Ciphertext-Policy Attribute-Based Encryption with Hidden Access Policy and Testing.

1. IntroductionAs one of the research hotspots of public key encryption, attribute-based encryption (ABE) [1] is considered an effective way to achieve fine-grained access control of encrypted data in Cloud storage. In ABE schemes, access policies are represented by attribute sets, and it can be specified by data owners to allow those users whose attribute set satisfies the specified policy to access the encrypted data.

Generally speaking, the ABE schemes can be divided into two types: key-policy attribute-based encryption and ciphertext-policy attribute-based encryption, abbreviated as CP-ABE and KP-ABE respectively. In the KP-ABE schemes [2-4], ciphertexts are associated with attributes set, and users' secret keys are related to access structures. Conversely, in the CP-ABE schemes [5-7], attributes are associated with secret keys and access structures are related to the ciphertexts. In particular, this paper only focus on CP-ABE.

In traditional CP-ABE schemes [5-7], access policies are sent to users as a part of the ciphertext. It means that any user, whether he/she is legal or not, can know the access policy as long as he/she gets the ciphertexts. In some cases, however, the access policy itself is the sensitive information. For instance, Alice shares her encrypted data and sets the access policy so that the mental health counselor will be able to decrypt her health records. So, the attributes "mental health" and "counselor" included in the access policy. And anyone, although he or she cannot decrypt the ciphertext, may guess that Alice is suffering some mental health problems.

In order to further prevent users from revealing their privacy, the concept of ABE with partially hidden policy was introduced by Nishide et al. in [10]. They presented two schemes to hide the policy of CP-ABE. In these schemes, a decryptor neither decrypt the data nor guess the access policy information, if the decryptor's attributes set do not satisfy the ciphertext policy. In addition, their schemes have proved to be selective security. Since then, some other CP-ABE schemes with policy hidden have been proposed one after another. In [11], under composite order group, the authors constructed a ciphertext-policy hiding CP-ABE scheme. This scheme is fully security and supports AND-gate access policy. In order to enhance the flexibility of access policy, Wang and He [12] proposed a hidden policy scheme with LSSS matrix access structure. Recent works in this area focused on constructing more efficient ciphertext-policy hidden CP-ABE with short ciphertext size [13-14], developing schemes with additional applications such as keyword search [15-16].

However, in the ciphertext-policy hiding CP-ABE proposals, users need to do excessive calculation for decryption no matter their attribute sets match the ciphertext-policy or not, which makes the users do too many useless computations when their attribute sets do not match the hidden policy. To enhance the efficiency of previous schemes, a novel access policy hidden CP-ABE scheme was introduced in [17]. In their scheme, users can test whether their attributes match the ciphertext-policy or not before performing the decryption operation. Furthermore, the consumption of test operation is much less than that of decryption calculation. Unfortunately, we found that their scheme cannot hide the access policy. In particular, any adversary can use public parameters, such as public keys and ciphertexts, to get attribute information about access policy, easily.

1.1 Our Contributions

In this paper, there are two main contributes. Firstly, a detailed security analysis of the literature [17] is given to illustrate that access policy hidden cannot be realized in this scheme. Secondly, an improved access policy hidden scheme is constructed to solve the shortcomings of literature [17]. In our scheme, the problem of user privacy leakage can be avoided by hiding the access policy. In addition, the security of the proposed scheme is reduced to DBDH assumption under the standard model. Security analyses and performance comparison show that our scheme not only realizes users' privacy protection, but also has higher efficiency than the original one.

1.2 Organization

Some preliminaries are given in section 2. The security analysis of the scheme in [17] is given in section3. Section 4 proposes the improved CP-ABE with policy hidden. Security proof and some comparisons between our scheme and previous works are introduced in section 5 and 6, respectively. The conclusions are given in section 7 finally.

2. Preliminaries

2.1 Bilinear Mapping

Let G and [G.sub.T] be cyclic groups of prime order p. g is the random generator of the group G. e: G x G [right arrow] [G.sub.T] is called a bilinear mapping if the following properties are satisfied:

(i) Bilinearity: for all g, h [member of] G and a, b[member of] [Z.sub.N], e([g.sup.a], [h.sup.b]) = e[(g, h).sup.ab];

(ii) Non-degeneracy: e(g, g) [not equal to] 1;

(iii) Computability: [for all]g,h[member of] G, there are efficient algorithms to compute e(g,h).

2.2 Hardness Assumption

Let a, b, c, z[[member of].sub.R][Z.sub.p], and g [[member of].sub.R] G be a generator. The decisional bilinear Diffie-Hellman (DBDH) assumption holds in group G: if no probabilistic polynomial-time algorithm can distinguish the tuple [g, [g.sup.a], [g.sup.b], [g.sup.c], e[(g, g).sup.abc] ] from [g, [g.sup.a], [g.sup.b], [g.sup.c], e[(g, g).sup.z]] with non-negligible advantage.

2.3 Access Policy

Following [11], the access structure type of our construction is AND-gate with multi-valued attributes. This access policy is described as follows.

Let [??] = {[att.sub.1],[att.sub.2], ...,[att.sub.n]} be an attributes set. [mathematical expression not reproducible] are all possible values of attribute [att.sub.i] [member of] [??]. Let L = [[L.sub.1],[L.sub.2], ...,[L.sub.n]] be user's attribute list where [L.sub.i] [member of] [S.sub.i]. The access policy W = [[W.sub.1], [W.sub.2], ..., [W.sub.n]], where [W.sub.i] [member of] [S.sub.i]. In this paper, we use L |= W to represent that L satisfies W, and |[not equal to] indicates unsatisfactory symbol.

2.4 Definition of CP-ABE with Hidden Access Policy and Testing

The formal definition of CP-ABE with hidden access policy and testing scheme is given as follows. There are four algorithms in this scheme.

-Setup([1.sup.[lambda]]): Taking security parameter [1.sup.[lambda]] as inputs, then this algorithm generates public key PK and master secret key MSK.

-KeyGen(PK, MSK, L): The KeyGen takes as inputs PK, MSK as well as user attribute set L, and generates the attribute list L's auxiliary information and some other secret keys.

-Encrypt(PK, M, W): It inputs the message M, public parameter PK and policy W and outputs the corresponding ciphertexts [CT.sub.W]. Here the access policy W's auxiliary information is a part of the ciphertext [CT.sub.W].

-Decrypt(PK, [CT.sub.W], [SK.sub.L]): This algorithm consists of two phases: access policy testing and decryption phase. This algorithm takes as inputs the public parameter PK, ciphertexts [CT.sub.W] as well as the secret key [SK.sub.L]. It first runs the Testing phase to check whether user attributes set satisfies the ciphertext- policy about [CT.sub.W] or not. If the testing matches well, this algorithm runs the Decryption phase and outputs M.

2.5 Security Model

Similar to literature [21], the following is the definition of the indistinguishability against selective ciphertext-policy and chosen-plaintext attacks (IND-sCP-CPA) model. This model is simulated between adversary A and a challenger B.

Initial: A chooses challenge policies [W.sub.0]* and [W.sub.1]* and submits them to B.

Setup: The challenger picks a security parameter [1.sup.[lambda]], and runs Setup algorithm to get a master secret key MSK and public parameter PK. The challenger reserves MSK and sends PK to the adversary.

Phase 1: A submits an attribute list L for the KeyGen query. B returns [SK.sub.L] to A only if L|[not equal to] [W.sub.0]* [and]L|[not equal to] [W.sub.1]*. Otherwise, it outputs [??].

Challenge: A submits two equal length messages [M.sub.0]* and [M.sub.1]* to the challenger on which it wishes to challenge with respect to [W.sub.0]* and [W.sub.1]*. B picks a random bit p [member of] {1,0} and sends CT = Encrypt(PK, [M.sub.[rho]]*, [W.sub.[rho]]*) to A.

Phase 2: It is similar to Phase 1.

Guess. Finally, the adversary outputs its guess [rho]' [member of] {1,0}, and wins the game if [rho]' = [rho].

The advantage of adversary in this game can be defined |pr[[rho]' = [rho]]-1/2|.

Definition 1. A hidden access policy CP-ABE scheme is secure against selectively chosen plaintext attack if all polynomial time adversaries have a negligible advantage in the above game.

3. Review and Security Analysis of Li et al.'s Scheme

3.1 Review of Li et al.'s Scheme

The following is a brief review of the scheme in [17], and it contains four algorithms as follows.

-Setup([1.sup.[lambda]]): It takes as inputs the security parameter [1.sup.[lambda]] and outputs a bilinear mapping e and two cyclic groups G and [G.sub.T]. The trusted authority (TA) picks [alpha], [beta] [[member of].sub.R] [Z.sub.p] and [a.sub.i,j] [[member of].sub.R] [Z.sub.p] where i [member of] [1, n], j [member of] [1, [n.sub.i]]. TA computes Y = e[(g, g).sup.[alpha]], X = [g.sup.[beta]] and [mathematical expression not reproducible], where i [member of] [1, n], j [member of] [1, [n.sub.i]]. The public parameters PK and the master secret key MSK are are published as follows:

PK = < e, G, [G.sub.T], g, Y, X, {[T.sub.i,j]} i[member of][1,n],j[member of][1,[n.sub.i]] >,

MSK = < [alpha], [beta], {[a.sub.i,j]} i[member of][1,n],j[member of][1,[n.sub.i]]>.

-KeyGen(PK, MSK, L): Taking the master secret key MSK, public key PK, and a set of attributes L = [[L.sub.1], [L.sub.2], ..., [L.sub.n]] as inptus, this algorithm performs the following computing: The trusted authority chooses u, r* [[member of].sub.R] [Z.sub.p], and [[lambda].sub.i] [[member of].sub.R] [Z.sub.p] for the user, where 1 [less than or equal to] i [less than or equal to] n. then trusted authority computes [D.sub.0] = [g.sup.[alpha]+[beta]u], [mathematical expression not reproducible], [mathematical expression not reproducible] for decryption. Furthermore, the trusted authority computes [D.sub.i]* = [T.sub.i,j.sup.r]*, i [member of] [1, n], [D.sub.0]* = [g.sup.r]*, which are used to test whether users' attribute set L satisfies the policy W or not. Finally, this algorithm delives the secret key [SK.sub.L] to user.

[SK.sub.L] = <[D.sub.0],{[D.sub.i,1] [D.sub.i,2], [D.sub.i]*}1 [less than or equal to] i [less than or equal to] n, [D.sub.0]*>.

-Encrypt(PK, M, W): This algorithm takes as inputs the public key PK, a message M [member of] [G.sub.T] and access policy W = [[W.sub.1], [W.sub.2], ... [W.sub.n]]. The encryptor randomly chooses s, s* [member of] [Z.sub.p], then it computes [??] = [MY.sup.S], [C.sub.0] = [g.sup.s], [C.sub.0]* = [g.sup.s]*. The encryptor picks up random values [S.sub.i] [member of] [Z.sub.p] such that s = [[summation].sup.n.sub.1] [S.sub.i] and computes [mathematical expression not reproducible] where i [member of] [1, n]. If [v.sub.i,j] [member of] [W.sub.i], the encryptor computes [mathematical expression not reproducible] and [C.sub.i,j] = [T.sup.s.sub.i,j]; else [v.sub.i,j] [??] [W.sub.i], [C.sub.i,j,2] and [C.sub.i,j]* are randomly chosen elements in group G. Finally, this algorithm outputs the corresponding ciphertext [CT.sub.W],

[CT.sub.W]= <[??], [C.sub.0], [C.sub.0]*, {{[C.sub.i,1]}, {[C.sub.i,j,2], [C.sub.i,j]*} j[member of][1,[n.sub.i]]}i[member of][1,n]>.

-Decrypt(PK, [CT.sub.W], [SK.sub.L]): Taking PK, [CT.sub.W], and [SK.sub.L] as inputs, the decryptor runs the following operations:

(i) Testing phase: The user checks whether attribute list L satisfies policy W or not. L |= W if and only if e([C.sub.0]*, [[PI].sup.n.sub.i=1] [D.sub.i]*) = e([D.sub.0]*, [C.sub.i,j]*) holds. If L|[not equal to]W, it returns [??] and terminates. If L|= W, it enters into the decryption operation.

(ii) Decryption phase: Users decrypt the ciphertext to get the massage M by the following eqution.

M=[??] [[PI].sup.n.sub.i=1] e([C.sub.i,1], [D.sub.i,1])/e([C.sub.0], [D.sub.0]) [[PI].sup.n.sub.i=1] e([C.sub.i,j,2], [D.sub.i,2])

3.2 Security Analysis of Li et al.'s Scheme

In literature [17], authors have introduced a CP-ABE scheme, in which the policy is hidden. In order to enhance the decryption efficiency, their scheme adds the testing phase before the decryption procedure. However, we found that the ciphertext components used for testing phase disclose the underlying ciphertext access policy, in other words, their scheme will leak ciphertext receivers' identity privacy. Next, we explain why the above scheme cannot realize access policy hidden.

Suppose there is an adversary who has knowledge of universe of attributes. The adversary can employ some parts of public parameters and ciphertexts to check if a guess access policy is encrypted in ciphertext, successfully. More concretely, let [T.sub.i,j], X, [C.sub.i,1] and [C.sub.i,j]* be a decisional Diffie-Hellman (DDH) tuple, the adversary runs the following DDH test attack to determine whether the guess policy W* is same as the access policy W used in ciphertext or not.

e{[C.sub.i,1], [[PI].sub.w]* [T.sub.i,j]) [??] e(X, [[PI].sub.w] [C.sub.i,j]*)

If the above equation holds, the adversary can conclude that W (*) = W. That is to say, the DDH test attack works successfully due to ciphertext components [C.sub.i,1] and [C.sub.i,j]*.

4. The Proposed Scheme

This section will present a novel ciphertext-policy hidden CP-ABE scheme.

4.1 Construction

-Setup([1.sup.[lambda]]): To generate the system parameters, the setup algorithm takes the security parameters [1.sup.[lambda]] as inputs and outputs a bilinear mapping as well as two cyclic groups of prime order p, G and [G.sub.T]. This algorithm randomly chooses a generator g in group G, and elements [alpha], [tau] [[member of].sub.R] [Z.sub.p] and [[member of].sub.R] [Z.sub.p] where i [member of] [1,n], j [member of] [1,[n.sub.i]]. Finally, it computes [g.sub.1] = [g.sup.[tau]], Y = e[(g,g).sup.[alpha]] and [mathematical expression not reproducible], where i [member of] [1,n], j [member of] [1, [n.sub.i]].

PK = < e, G, [G.sub.T], g, [g.sub.1], Y, {[T.sub.i,j]} i[member of][1,n],j[member of][1,[n.sub.i]] >,

MSK = < [alpha], [tau],{[a.sub.i,j]}i[member of][1,n], j[member of][1,[n.sub.i]] >.

-KeyGen(PK, MSK, L): To get the secret keys, user U submits his/her attribute list L = [[L.sub.1], [L.sub.2], ..., [L.sub.n]]. This algorithm inputs PK, MSK as well as the user attributes set L. Then it outputs secret keys fou U as follows.

Firstly, the KeyGen algorithm randomly picks [beta] [member of] [Z.sub.p] and [[alpha].sub.k], [[beta].sub.k] [[member of].sub.R] [Z.sub.p] (k [member of] [1, t]). This algorithm computes [D.sub.0] = [g.sub.[alpha]-[beta]] and [mathematical expression not reproducible]. Furthermore, for all [L.sub.i] [member of] L, we assume that [L.sub.i] = [L.sub.i,1][L.sub.i,2] ... [L.sub.i,l] where each [L.sub.i,m] [member of] {0,1} (m [member of] [1,l]). Therefore, the user attributes list L = [[L.sub.1], [L.sub.2], ..., [L.sub.n]] can be described by a binary array L = [[L.sub.1,1] ... [L.sub.1,l] ... [L.sub.n,1] ... [L.sub.n,l]]. For convenience, we set L = [[l.sub.1][l.sub.2] ... [l.sub.t]] ([l.sub.k] [member of] {0,1}). Let [h.sub.0] = g, for i = 1 to t, and the KeyGen algorithm computes [mathematical expression not reproducible] and sets the attribute list L's auxiliary information [h.sub.L] = [h.sub.t]. Finally, this algorithm computes D* = [h.sup.[tau].sub.L] and outputs user U's secret keys [SK.sub.L],

[mathematical expression not reproducible]

-Encrypt(PK, M, W): Firstly, the data owner randomly selects r [member of] [Z.sub.p], [S.sub.i] [member of] [Z.sub.p] and sets s = [[summation].sup.n.sub.1][S.sub.i]. Then he/she runs the encrypt algorithm and encrypts the message M [member of] [G.sub.T] with aeecss policy W = [[W.sub.1], [W.sub.2], ... [W.sub.n]] as follows:

[??] = [MY.sup.S], [C.sub.0] = [g.sup.s], [C.sub.0]* = [g.sup.r] and [C.sub.1]* = e[([g.sub.1], [h.sub.w]).sup.r].

And for [v.sub.i,j] [member of] W, the encryptor computes [mathematical expression not reproducible]. Finally he outputs the ciphertexts as

[mathematical expression not reproducible]

-Decrypt(PK, [CT.sub.W], [SK.sub.L]): To decrypt the ciphertext, decryptor inputs its secret key [SK.sub.L] and some other public parameters and runs the following operations.

(i) Testing phase: The decryptor computes the following equation to check whether its attirbutes satisfy the ciphertext policy.

e([C.sub.0]*, D*) = [C.sub.1]* (1)

If the above equation does not hold, then the decryption calculations terminate. Otherwise, the decryptor continues the next phase.

(ii) Decryption phase: The decryptor recovers the message M as follows.

[mathematical expression not reproducible]

4.2 Correctness of the Proposed Construction

If attribute list L satisfies the ciphertext-policy, it means that [L.sub.i] = [W.sub.i] and [h.sub.L] = [h.sub.W] hold. We first show that the Eq.(1) holds as follows.

e([C.sub.0]*, D*)

= e([g.sup.r], [h.sup.[tau].sub.L])

= e[([g.sub.1], [h.sub.L]).sup.r]

= e[([g.sub.1], [h.sub.w]).sup.r] = [C.sub.1]*

Then the message M can be computed by the following equation.

[mathematical expression not reproducible]

[mathematical expression not reproducible]

[mathematical expression not reproducible]

= M/e[(g,g).sup.[beta]s] * e[(g,g).sup.[beta]] [[summation].sup.n.sub.i=1] [s.sub.i] = M

4.3 Access Policy Hiding

Next, we will expound that the proposed scheme achieves access policy hiding. Suppose there is an adversary who has knowledge of universe of attributes. The adversary wants to employ public parameters and ciphertexts to check whether a guess access policy is encrypted in ciphertexts or not.

Suppose the adversary is given ciphertexts [mathematical expression not reproducible], which is the outputs of the encryption algorithm under an access policy W. Then it makes a guess W* of W. The DDH-like test is e([C.sub.0]*, [h.sub.W]*) [??] [C.sub.1]*, it can also be represented as e([C.sub.0]*, [h.sub.W]*)/[C.sub.1]* [??] 1. Because [e([C*.sub.0],[h.sub.W*])/[C*.sub.1]] = [e([g.sup.r],[h.sub.W*])/e[([g.sup.[tau]],[h.sub.W]).sup.r]] = [e[(g,[h.sub.W*]).sup.r]/e[(g,[h.sub.W]).sup.[tau]*r]] and [tau] is one of the master secret key in the scheme. In this case, no matter whether W* = W or not, e([C*.sub.0],[h.sub.W*])/[C*.sub.1] [not equal to] 1. Thus, the adversary can not determine which access policy is used in the ciphertexts and our proposed construction preserves access policy hiding.

5. Security Analysis

This section will prove that the proposed scheme is selective security under the DBDH assumption.

[Game.sub.0] is the original game. [Game.sub.1] is like [Game.sub.0] expect the challenge ciphertexts. In this game, [??] is selected randomly from [G.sub.T] when the attribute list L |[not equal to] [W*.sub.0] [and] L| [not equal to] [W*.sub.1], and the other ciphertexts are created normally. When L |= [W*.sub.0] [and] L|= [W*.sub.1], the challenge ciphertexts are generated correctly. That is, [Game.sub.0] = [Game.sub.1] in this case.

Theorem 1. If there is an adversary that is able to distinguish [Game.sub.0] and [Game.sub.1] with the advantage [epsilon], then we can simulate an algorithm that can solve the DBDH assumption with the advantage [epsilon].

Proof:

Init: A submits two challenge policies [W*.sub.0] and [W*.sub.1], and the challenger B chooses a random bit [rho] [member of] {1,0}.

Setup: To generate PK, the challenger picks x* [[member of].sub.R] [Z.sub.p] at random sets [alpha] = ab + x*, then Y = e[(g, g).sup.ab]. The challenger B picks [tau] [[member of].sub.R] [Z.sub.p] at random and computes [g.sub.1] = [g.sup.[tau]]. For any attributr [v.sub.i,j], B picks random elements [k.sub.i,j] [[member of].sub.R] [Z.sub.p] where i [member of] [1, n], j [member of] [1, [n.sub.i]]. If [v.sub.i,j] [member of] [W*.sub.[rho],i], then [mathematical expression not reproducible]; if [v.sub.i,j] [??] [W*.sub.[rho],i], then [mathematical expression not reproducible]. Finaly, the challenger sends the [mathematical expression not reproducible] to A.

Phase 1: Firstly, the adversary A with an attribute set L = [[L.sub.1], [L.sub.2],***,[L.sub.n]] makes the secret key query. In this Here, the case L |[not equal to] [W*.sub.0] [and] L |[not equal to] [W*.sub.1] is only consided. Because, by our definition, if L |= [W*.sub.0] [and] L|= [W*.sub.1], then [Game.sub.0] = [Game.sub.1]. Therefore, in this case, B terminates the game and takes a random guess. When L |[not equal to] [W*.sub.0] [and] L|[not equal to] [W*.sub.1], there must be i* [member of] {1, ***,n} such that [mathematical expression not reproducible]. The challenger random selects [beta], [[alpha].sub.k], [[beta].sub.k] [[member of].sub.R] [Z.sub.p] (k [member of] [1, t]).

The component [D.sub.0] and D* are computed as [D.sub.0] = [g.sup.[alpha]-[beta]] and D* = [h.sup.[tau].sub.L]. For i = i*, the challenger random picks [beta]* [[member of].sub.R] [Z.sub.p] and sets [beta] = ab + [beta]*b, then it computes [D.sub.0] = [g.sup.x* - [beta]*b] = [g.sup.[alpha]-ab-[beta]*b] and [mathematical expression not reproducible]; for i [not equal to] i*, B computes [D.sub.0] = [g.sup.[alpha]-[beta]] and [mathematical expression not reproducible].

Challenge: After receiving two equal length messages [M*.sub.0] and [M*.sub.1] from A, the challenger sets [C.sub.0] = [g.sup.c] and [??] = [M*.sub.[rho]] * e[(g, g).sup.[alpha]c] which implies s = c. In addition, the challenger picks randomly r [[member of].sub.R] [Z.sub.p] and computes [C*.sub.0] = [g.sup.r] and [mathematical expression not reproducible]. For [for all]i [member of] [1, n], i [not equal to] i*, the challenger selects randomly [S.sub.i] [[member of].sub.R] [Z.sub.p]; for i = i*, the challenger computes [S.sub.i*] = c - [[SIGMA].sup.n.sub.i=1,i[not equal to]i*] [S.sub.i]. The rest of ciphertexts is generated as follows.

* For i = i*, the challenger computes [mathematical expression not reproducible].

* For i [not equal to] i*, the challenger computes [mathematical expression not reproducible].

Finally the challenger sends the challenge ciphertext [mathematical expression not reproducible] to the adversary A.

Phase 2: It is similar to Phase 1.

Guess: A outputs a guess [rho]' of [rho]. Then the challenger B outputs 1 if [rho]' = [rho] and 0 otherwise.

When Z = e[(g, g).sup.abc], A is in [Game.sub.0]; when Z is random, A is in [Game.sub.1]. Therefore, challenger has advantage [epsilon] in the DBDH game.

6. Performance Comparison

Some comparisons between our scheme and some previous schemes will be given in this section, all of them are ciphertext-policy hiding CP-ABE schemes.

Some previous policy hiding CP-ABE schemes are compared with ours in storage cost, computational cost and security properties in Table 1, 2 and 3, respectively. For convenience, let [??] = {[att.sub.1], [att.sub.2], ***, [att.sub.n]} be a attributes set, and n is the number of attributes in universe. [n.sub.i] is the number of [att.sub.i]. Set N = [[product].sup.n.sub.i=1][n.sub.i] and let it expresse the total number of possible values of all attributes. |PK|, |SK| and |CT| are used to denote the length of publick parameter, secret key and ciphertext. Let the notation [kTE.sub.G] and [kTE.sub.GT] be k-times calculations over the group G and group [G.sub.T]. TP means the time for one pairing.

From Table 1, 2 and 3, it is easy to see that the proposed scheme is efficient in the size of public parameters, secret keys and ciphertexts. Although the efficiency of scheme in [11] looks just as good as ours, there is no testing phase in their scheme and it is constructed in groups of composite order.

In particular, the computation cost of our testing phase is just [TP+TE.sub.GT], which means that the user only needs to perform one pairing computation if his/her attribute list does not satisfy the ciphertext-policy. It is an efficient way to avoid excessive computations before decryption and improve the efficiency for the decryptor.

7. Conclusion

This paper, firstly expounds that Li's scheme has disadvantages under the DDH-test attack, and their scheme cannot realize access policy hidden. Subsequently, a novel and improved scheme is proposed to resist the DDH-test attack. In this novel scheme, a testing phase is added before decryption. The cost of its testing phase is only one pairing. In addition, our scheme can be reduced to the standard assumptions.

References

[1] A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Proc. of 24th annual international conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT'05), pp. 457-473, May 22-26, 2005. Article (CrossRef Link)

[2] V. Goyal, O. Pandey, A. Sahai and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of 13th ACM conference on Computer and Communications Security (CCS'06), pp. 89-98, October 30 - November 03, 2006. Article (CrossRef Link)

[3] N. Attrapadung, B. Libert and E.D. Panafieu, "Expressive key-policy attribute-based encryption with constant-size ciphertexts," in Proc. of 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography (PKC'11), pp. 90-108, March 06-09, 2011. Article (CrossRef Link)

[4] C. Ge, W. Susilo, J. Wang, Z. Huang, L. Fang and Y. Ren, "A key-policy attribute-based proxy re-encryption without random oracles," Computer Journal, vol. 59, no. 7, pp. 970-982, July, 2016. Article (CrossRef Link)

[5] J. Bethencourt, A. Sahai and B. Waters, "Ciphertext-policy attribute-based encryption," in Proc. of 2007 IEEE Symposium on Security and Privacy (SP'07), pp. 321-334, May 20-23, 2007. Article (CrossRef Link)

[6] B. Waters, "Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization," in Proc. of 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography (PKC'11), pp. 53-70, March 06-09, 2011. Article (CrossRef Link)

[7] L. Zhang and Y. Hu, "New constructions of hierarchical attribute-based encryption for fine-grained access control in cloud computing," Ksii Transactions on Internet and Information Systems, vol. 7, no. 5, pp. 1343-1356, May, 2013. Article (CrossRef Link)

[8] X. Boyen and B. Waters, "Anonymous hierarchical identity-based encryption (without random oracles)," in Proc. of 26th Annual International Cryptology Conference (CRYPTO'06), pp. 290-307, August 20-24, 2006. Article (CrossRef Link)

[9] L. Zhang, Y. Mu and Q. Wu, "Compact anonymous hierarchical identity-based encryption with constant size private keys," Computer Journal, vol. 59, no. 4, pp. 452^461, April, 2016. Article (CrossRef Link)

[10] T. Nishide, K. Yoneyama and K. Ohta, "Attribute-based encryption with partially hidden encryptor-specified access structures," in Proc. of 6th international conference on Applied cryptography and network security (ACNS'08), pp. 111-129, June 03-06, 2008. Article (CrossRef Link)

[11] J. Lai, R.H. Deng and Y. Li, "Fully secure cipertext-policy hiding CP-ABE," in Proc. of 7th international conference on Information security practice and experience (ISPEC11), pp. 24-39, May 30 - June 01, 2011. Article (CrossRef Link)

[12] Z. Wang and M. He, "CP-ABE with hidden policy from Waters efficient construction," International Journal of Distributed Sensor Networks, vol. 12, no. 1, pp. 1-8, January, 2016. Article (CrossRef Link)

[13] N. Doshi and D. Jinwala, "Hidden access structure ciphertext policy attribute based encryption with constant length ciphertext," in Proc. of 2011 international conference on Advanced Computing, Networking and Security (ADCONS'11), pp. 515-523, December 16-18, 2011. Article (CrossRef Link)

[14] C. Jin, X. Feng and Q. Shen, "Fully secure hidden ciphertext policy attribute-based encryption with short ciphertext size," in Proc. of 6th International Conference on Communication and Network Security (ICCNS '16), pp. 91-98, November 26-29, 2016. Article (CrossRef Link)

[15] P. Xu, Q. Wu, W. Wang, W. Susilo, J. Domingo-Ferrer and H. Jin, "Generating searchable public-key ciphertexts with hidden structures for fast keyword search," IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1993-2006, September, 2015. Article (CrossRef Link)

[16] S. Qiu, J. Liu, Y. Shi and R. Zhang, "Hidden policy ciphertext-policy attribute-based encryption with keyword search against keyword guessing attack," Science China Information Sciences, vol. 60, no. 5: 052105, May, 2017. Article (CrossRef Link)

[17] J. Li, H. Wang, Y. Zhang and J. Shen, "Ciphertext-policy attribute-based encryption with hidden access policy and testing," Ksii Transactions on Internet and Information Systems, vol. 10, no. 7, pp. 3339-3352, July, 2016. Article (CrossRef Link)

[18] J. Lai, R.H. Deng and Y. Li, "Expressive CP-ABE with partially hidden access structures," in Proc. of 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS '12), pp. 18-19, May 02-04, 2012. Article (CrossRef Link)

[19] X. Li, D. Gu, Y. Ren, N. Ding and K. Yuan, "Efficient ciphertext-policy attribute based encryption with hidden policy," in Proc. of 5th international conference on Internet and Distributed Computing Systems (IDCS'12), pp. 146-159, November 21-23, 2012. Article (CrossRef Link)

[20] T.V.X. Phuong, G. Yang and W. Susilo, "Hidden ciphertext policy attribute-based encryption under standard assumptions," IEEE Transactions on Information Forensics and Security, vol. 11, no. 1, pp. 35-45, January, 2016. Article (CrossRef Link)

[21] M. Padhya and D. Jinwala, "A novel approach for searchable CP-ABE with hidden ciphertext-policy," in Proc. of 10th International Conference on Information Systems Security (ICISS'14), pp. 167-184, December 16-20, 2014. Article (CrossRef Link)

[22] K. Emura, A. Miyaji, A. Nomura, K. Omote and M. Soshi, "A ciphertext-policy attribute-based encryption scheme with constant ciphertext length," International Journal of Applied Cryptography, vol. 2, no. 1, pp. 46-59, July 2010. Article (CrossRef Link)

[23] S. Liu, W. Fu, L. He, J, Zhou and M. Ma, "Distribution of primary additional errors in fractal encoding method," Multimedia Tools & Applications, vol. 76, no. 4, pp. 5787-5802, February, 2017. Article (CrossRef Link)

[24] M. Abdalla, D. Catalano and D. Fiore, "Verifiable random functions from identity-based key encapsulation," in Proc. of 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques (EUROCRYPT '09), pp. 554-571, April 26-30, 2009. Article (CrossRef Link)

[25] L. Zhang, Q. Wu, Y. Mu and J. Zhang, "Privacy-preserving and secure sharing of PHR in the cloud," Journal of Medical Systems, vol. 40, no. 12, pp. 1-13, December, 2016. Article (CrossRef Link)

[26] S. Liu, Z. Pan and X. Cheng, "A novel fast fractal image compression method based on distance clustering in high dimensional sphere surface," Fractals-Complex Geometry Patterns and Scaling in Nature and Society, vol. 25, no. 4, pp. 1740004, June, 2017. Article (CrossRef Link)

[27] K. Yang, Q. Han, H. Li, K. Zheng, Z. Su and X. Shen, "An efficient and fine-grained big data access control scheme with privacy-preserving policy," IEEE Internet of Things Journal, vol. 4, no. 2, pp. 563-571, April, 2017. Article (CrossRef Link)

[28] H. Yin and L. Zhang, "Security analysis and improvement of an anonymous attribute-based proxy re-encryption," in Proc. of 10th International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage (SpaCCS'17), pp. 344-352, December 12-15, 2017. Article (CrossRef Link)

[29] M. Hattori, T. Hirano, T. Ito, N. Matsuda, T. Mori, Y. Sakai and K. Ohta, "Ciphertext-policy delegatable hidden vector encryption and its application to searchable encryption in multi-user setting," in Proc. of 13th IMA international conference on Cryptography and Coding (IMACC'11), pp. 190-209, December 12-15, 2011. Article (CrossRef Link)

[30] J. Li, W. Yao, Y. Zhang, H Qian and J. Han, "Flexible and fine-grained attribute-based data storage in cloud computing," IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785-796, September-October, 2017. Article (CrossRef Link) [31] S. Liu, Z. Pan and H Song, "Digital image watermarking method based on DCT and fractal encoding," Iet Image Processing, vol. 11, no. 10, pp. 815-821, October, 2017. Article (CrossRef Link)

Hongjian Yin received the master degree in applied mathematics from Xidian University, China, in 2018. He is currently working toward the Ph.D. degree in University of Science and Technology Beijing, China. His current research interests include information security and cryptography.

Leyou Zhang is a professor in the school of mathematics and statistics at Xidian University, Xi'an China. He received his Ph.D. from Xidian University in 2009. From Dec. 2013 to Dec. 2014, he is a research fellow in the school of computer science and software engineering at the University of Wollongong. His current research interests include network security, computer security, and cryptography.

Yilei Cui received the BS degree in mathematics in 2016 from the Henan Normal University, China. Currently, he is working toward the Ph.D. degree in Applied Mathematics in Xidian University, China. His current interests include applied cryptography and cloud security.

Hongjian Yin, Leyou Zhang (*), Yilei Cui

School of Mathematics and Statistics, Xidian University Xi'an, Shaanxi 710171 - China

[e-mail: honjanyin@163.com, lyzhang@mail.xidian.edu.cn, CYL_Study@163.com]

(*) Corresponding author: Leyou Zhang

Received February 28, 2018; revised September 20, 2018; accepted November 3, 2018; published May 31, 2019

http://doi.org/10.3837/tiis.2019.05.029

Table 1. Storage Cost of Different Schemes Scheme |PK| |SK| |CT| Pairing Testing Decryption Phase Phase Nishide O(2N) O(3n) O(2n) -- O(3n) et al. [10] Lai et al. [11] O(N) O(n) O(n) -- O(n) Phuong O(8n) O(4n) O(4n) -- O(n) et al. [20] Ours O(N) O(n) O(n) O(1) O(n) Table 2. Computational Cost of Different Schemes Scheme Setup KeyGen Encryption Nishide et al. (2N)[TE.sub.G] (5n+1)[TE.sub.G] (2n+1)[TE.sub.G] [10] +TP+[TE.sub.GT] +2[TE.sub.GT] Lai et al. [11] (2N+1)[TE.sub.G] (n+1)[TE.sub.G] (2n+2)[TE.sub.G] +TP+[TE.sub.GT] +2[TE.sub.GT] Phuong (8n+4)[TE.sub.G] (21n+1)[TE.sub.G] (20n+2)[TE.sub.G] et al. [20] +TP +2[TE.sub.GT] Ours (2N+1)[TE.sub.G] (2n+2)[TE.sub.G] TP+3[TE.sub.GT] +TP+ [TE.sub.GT] +(n+2)[TE.sub.G] Scheme Decryption Decryption Testing Phase Phase Nishide et al. -- (3n+1)TP [10] +(3n+3)[TE.sub.GT] Lai et al. [11] -- (n+1)TP +(n+2)[TE.sub.GT] Phuong -- nTP et al. [20] +(n+3)[TE.sub.GT] Ours TP+[TE.sub.GT] (n+1)TP +(n+2)[TE.sub.GT] Table 3. Security Comparison among Different Schemes Scheme Order of Security Model Hardness With Testing Bilinear Groups Nishide p Selective DBDH No et al. [10] D-Linear Lai et al. [11] pqr Full Subgroup No Assumption Phuong p Selective DBDH No et al. [20] D-Linear Ours p Selective DBDH Yes

Printer friendly Cite/link Email Feedback | |

Author: | Yin, Hongjian; Zhang, Leyou; Cui, Yilei |
---|---|

Publication: | KSII Transactions on Internet and Information Systems |

Geographic Code: | 9CHIN |

Date: | May 1, 2019 |

Words: | 6109 |

Previous Article: | PreBAC: a novel Access Control scheme based Proxy Re-Encryption for cloud computing. |

Topics: |