3.1 Introduction
In this chapter, we propose a new CP-ABE scheme, named BK-CP-ABE, which allows
data to be encrypted under an access policy, specified as a logical
combination of attributes. Such ciphertexts can be decrypted by anyone with a set of
attributes that satisfy the access policy. We construct the scheme based on a recent
secret sharing method called Linear Integer Secret Sharing Scheme (LISS). Waters [8]
proposed the first CP-ABE scheme based on a Linear Secret Sharing Scheme (LSSS).
In 2006, Damgård et al. [21] introduced the notion of Linear Integer Secret Sharing
(LISS) scheme. The following are the advantages of LISS over LSSS.
1. The computations in LISS are done directly over the integers, while LSSS is
done over a finite field.
2. In LISS, there is no limit on the number of occurrences of a particular variable (attribute)
in the access structure, whereas in [8] there is a bound on the occurrences.
3. In LISS, the secret reconstruction method is very simple.
4. In LISS, a simple standard procedure is available to convert the access structure
into an access matrix.
5. In LISS, a surjective function is used to allocate the rows of the access matrix
to the corresponding attributes.
The above advantages motivate us to construct a CP-ABE scheme based on LISS; because
of that, any access policy can be expressed very effectively using Boolean operators
such as AND, OR and of (threshold).
3.1.1 Main Idea
vector ρ and the secret can be split by M · ρ. Secret shares can be distributed by the
surjective function to the corresponding attributes present in the access policy. Next,
we encrypt the message, then we use the shares to encrypt the attributes present in
the access policy. Anyone who satisfies the access policy is able to decrypt the
ciphertext. We prove the BK-CP-ABE scheme secure in the selective security model under the
Decisional Bilinear Diffie-Hellman assumption.
3.1.2 Related Work
Attribute Based Encryption (ABE) was introduced by Sahai and Waters [59].
The first CP-ABE scheme, proposed by Bethencourt et al. [5], uses threshold secret sharing
to enforce the policy in the encryption phase. Let T be a tree representing an access
structure. Each non-leaf node of the tree represents a threshold gate, described by
its children and a threshold value. If $num_x$ is the number of children of a node x and
is an OR gate and when $k_x = num_x$, it is an AND gate. Each leaf node x of the
bound on the size of the access tree is chosen at the time of the system setup and is
represented by a tuple (d, num) where d represents the maximum depth of the access
tree and num represents the maximum number of children each non-leaf node of the
tree might have. Any access tree satisfying these upper bounds on the size can be
dynamically chosen by the encryptor and provide the security proof based on the
standard DBDH assumption.
Ibraimi [38] proposed a CP-ABE scheme in which the secret s can be split
by Shamir's Secret Sharing scheme or by Unanimous consent control by modular
addition scheme. The access tree is an n-ary tree represented by ∧, ∨ and of nodes.
Lewko et al. [39] proposed the first fully secure CP-ABE scheme by adapting the dual
system encryption techniques of [9] to the ABE case.
In a dual encryption system, keys and ciphertexts can take on one of two
forms: normal and semi-functional. A normal key can decrypt both normal and
semi-functional ciphertexts, while a semi-functional key can only decrypt normal
ciphertexts. The semi-functional keys and ciphertexts are not used in the real
system, only in the proof of security. The proof employs a hybrid argument over a
sequence of security games. The first is the real security game, with normal keys
and ciphertext. In the second game, the ciphertext is semi-functional and the keys
remain normal. In the subsequent games, the keys requested by the attacker are
changed to semi-functional one by one. By the final game, none of the keys given out
are actually useful for decrypting a semi-functional ciphertext, and proving security
becomes relatively easy.
3.2 Definition and Security Model
Definition 8 (Access structure) Let $\{1, 2, \ldots, n\}$ be a set of parties. A collection
$\Gamma \subseteq 2^{\{1,2,\ldots,n\}}$ is monotone if $\forall B, C$: if $B \in \Gamma$ and $B \subseteq C$ then $C \in \Gamma$. An access
The decryption algorithm takes as input the ciphertext CT, which contains
an access structure P , and a private key SK, which is a private key for a set S of
attributes. If the set S of attributes satisfies the access structure P then the algorithm
will decrypt the ciphertext and return a message m.
3.2.1 Security Model for BK-CP-ABE
The adversary chooses the challenge access policy $\tau^*$ and gives it to the
challenger.
Setup
The challenger runs the Setup algorithm and gives the public parameters, PK
to the adversary.
Phase 1
The adversary makes a secret key request to the KeyGen oracle for any
attribute set $\omega = \{a_j / a_j \in U\}$ with the restriction that $\omega \nvDash \tau^*$. The Challenger
The adversary submits two equal length messages $M_0$ and $M_1$. The Challenger
flips a random coin d, and encrypts $M_d$ under $\tau^*$. The ciphertext $CT^*$ is given to the
adversary.
Phase 2
The adversary can continue querying KeyGen with the same restriction as
during Phase 1.
Guess
3.3 Main Construction
In the BK-CP-ABE construction, it is required to convert the access policy into
a distribution matrix M. The matrix M can be formulated using the three rules of the
LISS method [21]. After constructing the distribution matrix M, the secret s can be
selected from the interval $[-2^{\ell}, 2^{\ell}]$, then we choose the distribution vector ρ and
the secret can be split by M · ρ. Secret shares can be distributed by the surjective
function to the corresponding attributes present in the access policy. Message m will
be encrypted and then the attributes present in the access policy are encrypted using
the corresponding attribute shares. Anyone who satisfies the access policy is able to
decrypt the ciphertext.
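An added example (not from the thesis): the page cites the three LISS rules of [21] without listing them, so this sketch uses the Damgård-Thorbek rules as commonly stated (a variable is the matrix [1]; OR and AND combine the first column c and the remaining columns C of the two child matrices) to build M, split s as M · ρ, and recombine it for a satisfying attribute set. The policy, the parameter values l0 = 32 and k = 40, and all function names are assumptions for illustration; the of (threshold) gate and the pairing-based encryption are left out.

```python
import secrets

# Policy: attribute name (leaf) or ("and"|"or", left, right). Names are illustrative.
def build(policy):
    """Return (M, labels): distribution matrix and the attribute owning each row."""
    if isinstance(policy, str):                 # rule 1: a variable is [1]
        return [[1]], [policy]
    op, left, right = policy
    (Ma, la), (Mb, lb) = build(left), build(right)
    wa, wb = len(Ma[0]) - 1, len(Mb[0]) - 1     # widths of C_a and C_b
    if op == "or":                              # rule 2: [c_a C_a 0 ; c_b 0 C_b]
        rows = [[r[0]] + r[1:] + [0] * wb for r in Ma]
        rows += [[r[0]] + [0] * wa + r[1:] for r in Mb]
    else:                                       # rule 3: [c_a c_a C_a 0 ; 0 c_b 0 C_b]
        rows = [[r[0], r[0]] + r[1:] + [0] * wb for r in Ma]
        rows += [[0, r[0]] + [0] * wa + r[1:] for r in Mb]
    return rows, la + lb

def share(M, s, l0=32, k=40):
    """Shares M.rho, rho = (s, rho_2..rho_e), rho_i uniform in [-2^(l0+k), 2^(l0+k)]."""
    bound = 2 ** (l0 + k)                       # l0, k: assumed parameter values
    rho = [s] + [secrets.randbelow(2 * bound + 1) - bound for _ in M[0][1:]]
    return [sum(m * r for m, r in zip(row, rho)) for row in M]

def coeffs(policy, attrs):
    """Reconstruction vector lambda over the rows, or None if attrs do not satisfy."""
    if isinstance(policy, str):
        return [1] if policy in attrs else None
    op, left, right = policy
    a, b = coeffs(left, attrs), coeffs(right, attrs)
    na, nb = len(build(left)[1]), len(build(right)[1])
    if op == "or":                              # use one satisfied branch, zero the other
        if a is not None:
            return a + [0] * nb
        return None if b is None else [0] * na + b
    if a is None or b is None:                  # AND needs both branches
        return None
    return a + [-x for x in b]                  # AND: (lambda_a, -lambda_b)

def reconstruct(policy, attrs, shares):
    """Integer combination sum(lambda_i * s_i); None for an unauthorized set."""
    lam = coeffs(policy, attrs)
    return None if lam is None else sum(l * s for l, s in zip(lam, shares))

if __name__ == "__main__":
    P = ("and", "doctor", ("or", "cardiology", "admin"))  # constructed policy
    M, labels = build(P)
    sh = share(M, 2024)
    print(M, reconstruct(P, {"doctor", "admin"}, sh), reconstruct(P, {"admin"}, sh))
```

The reconstruction coefficients stay in {-1, 0, 1}, so the secret is recovered with integer additions and subtractions only, with no field inversion.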
Setup ($1^k$)
The Public Key is $PK = (g, y, T_j\ (1 \le j \le n))$ and the Master Secret Key is $MK = (\alpha, t_j\ (1 \le j \le n))$.
KeyGen (MK, S)
This algorithm takes as input the master secret key and a set S of attributes
and performs the following:
a) Select random values $a, r \in Z_p$ and compute $d_0 = g^{\alpha - ar}$
Encrypt(PK, P , m)
distribution matrix constructed by the above method for the access policy P . Choose
$\rho = (s, \rho_2, \ldots, \rho_e)^T$, where the $\rho_i$s are uniformly random chosen integers in $[-2^{\ell_0+k}, 2^{\ell_0+k}]$.
Step 2:
a) Compute $M \cdot \rho = (s_1, \ldots, s_d)^T$
b) $C' = m \cdot y^s = m \cdot e(g, g)^{\alpha s}$
Decrypt(CT,SK)
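$$
\begin{aligned}
\frac{C'}{e(C_0, d_0)\prod_{i \in A} e\left(C_i, (d_i)^{\lambda_i}\right)}
&= \frac{m \cdot e(g,g)^{\alpha s}}{e(g^s, g^{\alpha - ar})\prod_{i \in A} e\left(T_i^{s_i}, g^{a r t_i^{-1}}\right)^{\lambda_i}} \\
&= \frac{m \cdot e(g,g)^{\alpha s}}{e(g^s, g^{\alpha - ar})\prod_{i \in A} e\left(g^{t_i s_i}, g^{a r t_i^{-1}}\right)^{\lambda_i}} \\
&= \frac{m \cdot e(g,g)^{\alpha s}}{e(g^s, g^{\alpha - ar})\prod_{i \in A} e(g,g)^{a r s_i \lambda_i}} \\
&= \frac{m \cdot e(g,g)^{\alpha s}}{e(g^s, g^{\alpha - ar})\, e(g,g)^{ars}} \\
&= m
\end{aligned}
$$

The step that removes the product uses $\sum_{i \in A} \lambda_i s_i = s$.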
3.4 Security Analysis
Theorem 3.1 Suppose the DBDH assumption holds, then no polynomial adversary
can selectively break BK-CP-ABE system.
A to build a simulator B that is able to solve the DBDH assumption. The Challenger
Init. The adversary chooses the challenge access policy $(M', p^*)$ and gives it to the
simulator.
Phase 1. A makes secret key requests for any set of attributes $\omega = \{a_j / a_j \in U\}$
with the restriction that $a_j \nvDash p^*$. On each request B chooses a random variable $v \in Z_p$,
and finds a vector $k = (k_1, k_2, \ldots, k_e)^T \in Z^e$ such that $M' \cdot k = 0$ with $k_1 = 1$. By
the definition of Sweeping vector such a vector must exist. The simulator sets the r value as
$v + k_j b$.
0 0
d0 = g a A−v , dj = AvMj qj , ∀aj ∈ ω are sent to the adversary.
The simulator will choose uniformly random integers $z_2, \ldots, z_h$ in $[-2^{\ell_0+k}, 2^{\ell_0+k}]$ and
Guess. A outputs a guess $d'$ of d. The simulator then outputs 0 to guess that
$D = e(g, g)^{abs}$ if $d' = d$; otherwise, it outputs 1 to indicate that it believes D is
When D is a random group element, the message $m_d$ is completely hidden from the
adversary and we have $\Pr[B(\rho, D = R) = 0] = \frac{1}{2}$.
3.5 Implementation and Efficiency Analysis
Implementation Details
All Charm routines use formally asymmetric groups (although the underlying
groups might be symmetric) and therefore we translated our schemes to the asymmetric
setting. Namely, we have three groups $G_1$, $G_2$, $G_T$ and the pairing e is a function from
In Table 1, we compare Goyal et al. [27], Waters [8] and the
BK-CP-ABE method in terms of ciphertext size (CT), private key size (PKS),
encryption time (EN) and decryption time (DE), based on the DBDH assumption. Let n be
the number of attributes present in the access policy, A be the number of attributes in
the user's key, T be the number of nodes satisfied by a user's attributes, U be the number
of attributes defined in the system, $n_{max}$ be the bound on the size of the access
formula, and $k_{max}$ be the maximum number of times a single attribute will appear in a
particular formula. The BK-CP-ABE method achieves significantly better performance
than the Waters [8] and GJPS [27] methods.

Table 1: Comparison of CP-ABE Schemes

| Method | CT | PKS | EN | DE | Complexity |
|---|---|---|---|---|---|
| GJPS [27] | $\Theta(U \cdot n_{max}^{3.42})$ | $\Theta(A \cdot n_{max}^{3.42})$ | $\Theta(U \cdot n_{max}^{3.42})$ | $\Theta(U \cdot n_{max}^{3.42})$ | DBDH |
| Waters [8] | $\Theta(n^2)$ | $\Theta(k_{max} \cdot A + n_{max})$ | $\Theta(n^2)$ | $\Theta(n \cdot T)$ | DBDH |
| BK-CP-ABE | $\Theta(n)$ | $\Theta(A)$ | $\Theta(n)$ | $\Theta(T)$ | DBDH |
In Table 2 we show the number of operations in the respective groups for
each algorithm of the schemes as counted by the Charm benchmarking utility. The
group operations refer to the number of arithmetic operations in $Z_p$, $G_1$, $G_2$ and $G_T$.
The "MNT 224" elliptic curve group has been used to deploy the algorithm. Gop.
denotes the number of group operations and Exp. denotes the exponentiations in
groups $G_1$, $G_2$, $G_T$. By comparing the BK-CP-ABE scheme with Waters [8] method,
Table 2: Group Operation Benchmarks

| BK-CP-ABE | $Z_p$ Gop | $Z_p$ Exp | $G_1$ Gop | $G_1$ Exp | $G_2$ Gop | $G_2$ Exp | $G_T$ Gop | $G_T$ Exp | Pairings |
|---|---|---|---|---|---|---|---|---|---|
| Setup | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 1 |
| KeyGen | 1 | 9 | 5 | 8 | 0 | 5 | 0 | 0 | 0 |
| Encrypt | 12 | 12 | 3 | 2 | 0 | 5 | 1 | 1 | 0 |
| Decrypt | 3 | 5 | 0 | 0 | 0 | 0 | 5 | 2 | 5 |

| Waters [8] | $Z_p$ Gop | $Z_p$ Exp | $G_1$ Gop | $G_1$ Exp | $G_2$ Gop | $G_2$ Exp | $G_T$ Gop | $G_T$ Exp | Pairings |
|---|---|---|---|---|---|---|---|---|---|
| Setup | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 | 1 |
| KeyGen | 0 | 0 | 9 | 10 | 0 | 5 | 0 | 0 | 0 |
| Encrypt | 12 | 12 | 8 | 16 | 0 | 5 | 1 | 1 | 0 |
| Decrypt | 4 | 10 | 0 | 0 | 0 | 0 | 8 | 2 | 7 |

Online personal health record (PHR) enables patients to manage their own
medical records in a centralized way, which greatly facilitates the storage, access and
sharing of personal health data. With the emergence of cloud computing, it is
attractive for the PHR service providers to shift their PHR applications and storage
into the cloud, in order to enjoy the elastic resources and reduce the operational cost.
However, by storing PHRs in the cloud, the patients lose physical control of their
personal health data, which makes it necessary for each patient to encrypt their PHR
data before uploading to the cloud servers. The BK-CP-ABE scheme is suitable to achieve
fine-grained access control to PHR data in a scalable and efficient way.
Online Social Networks