COMMENTS
VOL. 24,
NO. 11,
INTRODUCTION
Manuscript received 28 July 2012; revised 2 Nov. 2012; accepted 6 Nov. 2012;
published online 28 Nov. 2012.
Recommended for acceptance by W. Lou.
For information on obtaining reprints of this article, please send e-mail to:
tpds@computer.org, and reference IEEECS Log Number TPDS-2012-07-0681.
Digital Object Identifier no. 10.1109/TPDS.2012.328.
Published by the IEEE Computer Society
pi ai;j
ti;j
ei .
with
AU \ A
for ai;j 2
Encryption. Taking as inputs a message M 2 G
GT , the
system parameters params and a set of attributes
AC fA1C ; A2C ; . . . ; AN
C g, the encrypter randomly chooses
s2Z
Z
,
and
outputs
the ciphertext as follows: C1
p
Q
M
eg; gi s ; C2 gs ; C3
C
Q i2I
i s
s
i
e
i2IC g ,fCi;j Ti;j gai;j 2AC , where AC AC \ Ai , and IC is
the index set of the authority Ai such that AiC 6 f;g, for
i 1; . . . ; N.
Decryption. To decrypt the ciphertext C C1 ; C2 ;
C3 ; fCi;j gai;j 2AC , the user computes
AiU
2319
_____________________________________________________________________________________________________
NOVEMBER 2013
AiU
i2IC
Fi
eDi;j ; Ci;j
4a
i 0
i;j ;AC
ai;j 2AiC
Q
f o r e a c h i 2 IC , a n d M C1 V E 1 i2IC Fi . H e r e ,
the Lagrange coefficient for i in S is i;S x
Q
j2S;j6i x j = i j.
2320
p0 ai;j
i
ti;j
We first compute
D00i
D00i;j
Di
D0i
u
Di;j
D0i;j
1
1 u2
!u
1
1 u2
h1 i
p00 ai;j
i
ti;j
REFERENCES
[3]
;
[4]
ri r0i
pi xp0i x
where r00i u1 u2 and p00i x u1 u2 . Note that p00i 0 r00i , and
fp00i ai;j gai;j 2Ai Ai also consist of valid interpolation points of
U1
U2
p00i 0 according to Observation 3. Now, we use D00i and D00i;j to
generate secret keys associated with attribute sets AiU~ AiU1 AiU2
in respect to the authority Ai for any unauthorized user U~ with the
identifier u~. Concretely,
~ i Di D00 u~u1 gi hri hu1 i h~uu1 r00i h~uu1 i
D
i
1
1
00
pi ai;j
ti;j
h
~
uu1 p00 ai;j
i
ti;j
where r~i ri ~
u u1 r00i and p~i x pi x ~
u u1 p00i x. It is
00
~
~
easy to check that Di ; fDi;j gai;j 2Ai are valid secret keys for the
U~
CONCLUSION
ACKNOWLEDGMENTS
00
hri h1 i ;
NOVEMBER 2013
[2]
ri r0
i
u1 u2
NO. 11,
user U~ (the identifier u~) with random r~i and polynomial p~i x for
the attribute set AiU~ .
Thus, by using this new key, two authorized users U1 ; U2 at Ai
with ki ; ni -threshold access ability (but not authorized by Aj ),
and a user U3 who is authorized to have kj ; nj -threshold access
ability at Aj (but not authorized by Ai ) can collude to decrypt a
ciphertext intended for users who simultaneously have ki ; ni threshold access ability at Ai and kj ; nj -threshold access ability at
Aj . This is very dangerous, because none of the users U1 ; U2 ; U3
satisfies the requirements alone, which also shows our collusion
attack can be launched successfully.
Moreover, at most 2N users are needed, among which there are
at least two different users have all the attributes at each authority
Ai (thus, we can transfer their access ability to any other
~ to create a super user U~ such that it
unauthorized user, e.g., U),
can decrypt all the ciphertexts in the system.
[1]
VOL. 24,
[5]
VOL. 24,
NO. 11,
NOVEMBER 2013
2321
. For more information on this or any other computing topic, please visit our
Digital Library at www.computer.org/publications/dlib.