Information Sciences 511 (2020) 94–113
Flexible attribute-based proxy re-encryption for efficient data sharing
Hua Deng a,∗, Zheng Qin a, Qianhong Wu b, Zhenyu Guan b,∗, Yunya Zhou c
a College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
b School of Cyber Science and Technology, Beihang University, Beijing 100083, China
c State Grid Hunan Maintenance Company, Changsha 410004, China
Article info
Article history: Received 10 December 2018; Revised 19 September 2019; Accepted 23 September 2019; Available online 24 September 2019
Keywords: Data security; Cryptographic access control; Access policy flexibility; Proxy re-encryption; Attribute-based encryption
Abstract
An increasing number of people are sharing their data through third-party platforms. Attribute-based encryption (ABE) is a promising primitive that allows enforcing fine-grained access control on the data to be shared. An issue in ABE is that a priori access policies should be determined during the system setup or encryption phase, but these policies will become obsolete over time. Another issue is that the decryption of ABE generally requires complicated and expensive computations, which may be unaffordable for resource-limited users (e.g., mobile-device users). To address these issues, we propose a new paradigm called hybrid attribute-based proxy re-encryption (HAPRE). In HAPRE, a semi-trusted proxy can be authorized to convert ciphertexts of an ABE scheme into ciphertexts of an identity-based encryption (IBE) scheme without letting the proxy know the underlying messages. With these features, HAPRE enables resource-limited users to efficiently access the data previously encrypted by ABE. We construct two HAPRE schemes by utilizing a compact IBE scheme and a key re-randomization technique, and then we prove that the schemes are semantically secure and collusion resistant. Theoretical and experimental analyses demonstrate the efficiency of the HAPRE schemes.
© 2019 Elsevier Inc. All rights reserved.
1. Introduction
With the rapid growth in internet and mobile computing technology, an increasing number of people are outsourcing their data to a third-party platform (e.g., a cloud storage server) such that the data can be accessed by clients from any location and at any time. To protect data privacy, attribute-based encryption (ABE, [13,28,42]) has been widely employed to achieve fine-grained access control on the outsourced data in many useful applications, such as big data [50], information-centric networking [21], and cloud computing [12]. A property of ABE is that a priori access policies should be determined for different ciphertexts during the encryption phase (in ciphertext-policy ABE, i.e., CP-ABE) or for different users during the system setup phase (in key-policy ABE, i.e., KP-ABE), but the policies will eventually become obsolete. Another property is that the complexity of ABE decryption increases linearly in the number of attributes, which incurs a large amount of computation that would be unaffordable for resource-limited users, e.g., mobile-device users. These properties may render ABE insufficient for some complicated applications.
∗ Corresponding authors. E-mail addresses: [email protected], [email protected] (H. Deng), [email protected] (Z. Guan).
https://doi.org/10.1016/j.ins.2019.09.052 0020-0255/© 2019 Elsevier Inc. All rights reserved.
H. Deng, Z. Qin and Q. Wu et al. / Information Sciences 511 (2020) 94–113
Fig. 1. An example of sharing ABE-encrypted data with an IBE user.
We consider the following scenario. A company deploys a cloud storage system to manage the data outsourced by its employees. Before outsourcing, employees are required to use ABE to encrypt their data by specifying the attributes that the intended users should possess. For instance, a sensitive project document is encrypted by an access policy “(‘Project Manager’ AND ‘IT Department’) OR (‘Software Engineer’ AND ‘IT Department’)”, which indicates that only the employees with attributes (“Project Manager”, “IT Department”) or (“Software Engineer”, “IT Department”) can access the document. Suppose that Alice is a matching employee and has implemented ABE in her PC to decrypt the encrypted document (see Fig. 1). Bob is an employee from a different department (e.g., marketing department) and works outside his office by using a mobile device, e.g., a smartphone or tablet. Bob is also identified by a unique identifier (ID), such as his phone number or email address. From time to time, Alice would like to consult Bob about some marketing issues related to the project. Hence, Bob needs to access the document from his mobile device. Unfortunately, Bob comes from a different department and does not possess the required attributes. Thus, Bob is unable to decrypt the encrypted document by himself. A trivial solution may be to let Alice decrypt the document and then encrypt it for Bob. This approach, however, would pose great inconveniences and computational costs on Alice. The existing ABE schemes have some problems in the above scenario. In ABE, the sensitive data are encrypted by an access policy, and users with attributes meeting the access policy can recover the data. In the above scenario, however, Bob does not have the required attribute “IT Department” because he is from the marketing department. Therefore, to share the document with Bob, Alice should hand over her secret decryption key to Bob. 
Then, Bob can implement the ABE instance on his mobile device and decrypt the document as Alice does. However, this requires Bob to be fully trusted because he is given Alice’s secret key. If Bob discloses Alice’s secret key to other employees or to someone outside the company, then the company’s confidential business data would be exposed. Moreover, there are a number of expensive computations to be performed in the ABE decryption, which appear to be unaffordable for Bob’s resource-constrained mobile device. ABE with outsourcing decryption [15] is an approach that is able to reduce the computations in ABE decryption for resource-limited users. This technique provides a re-encryption mechanism that transforms the complicated ABE ciphertexts into simple ElGamal-type ciphertexts that have a low cost to decrypt for resource-limited users. A main problem with this approach is that it does not permit a change in the access policy, which means that only the users specified by the access policy of the ABE ciphertext can decrypt the transformed ciphertext. Nevertheless, in the motivating scenario, the employee Bob is not a specified user but still needs to access the document encrypted by ABE. Hence, it is necessary to change the access policy to allow the users who were not previously specified to decrypt the transformed ciphertext. Attribute-based proxy re-encryption (ABPRE) [12,30,32,34] is a cryptographic tool that provides a re-encryption mechanism in ABE settings and that allows changes to the access policy. In ABPRE, a delegator can authorize a proxy to convert a ciphertext generated under an access policy (in CP-ABE) or a set of attributes (in KP-ABE) into a ciphertext under a new access policy or a new set of attributes, while the underlying message will not be altered or revealed. Unfortunately, there are some efficiency problems when applying ABPRE to the motivating scenario. 
First, in most ABPRE schemes (e.g., [12,30,32,34]), the size of the public parameters is linear in the total number of attributes, which will use much of the clients’ storage space. Second, the delegator needs to compute a new key component for each of his attributes in the re-encryption key generation, even if the target delegatee has only one attribute. This requirement may lead to considerable computation for the delegator and thus slow the re-encryption process. The major obstacle for existing solutions in the motivating scenario is that it is difficult to convert ABE ciphertexts into ciphertexts of some efficient encryption system while simultaneously allowing modifications to the access policy. To practically address the above motivating scenario, we need an efficient encryption scheme, i.e., identity-based encryption (IBE), to be deployed on mobile devices to achieve cost-effective encryption and decryption. Moreover, we demand a novel re-encryption paradigm that can transform an ABE ciphertext into an IBE ciphertext such that a mobile user (who is not specified in the ABE access policy) can access the underlying data at a low cost.
1.1. Our work
In this paper, we propose a novel cryptographic primitive named hybrid attribute-based proxy re-encryption (HAPRE). The goal of HAPRE is to provide ciphertext re-encryption from a complicated encryption system, i.e., ABE, to an efficient encryption system, i.e., IBE. In the application of HAPRE to the motivating scenario, Alice can deploy an ABE scheme on her PC to achieve fine-grained access control on outsourced data. Alternatively, Bob working outside his office can implement an IBE scheme on his mobile device to achieve efficient encryption/decryption. Hence, Bob is equipped with an IBE secret key and cannot access the data encrypted by ABE. However, when deciding to share encrypted documents with Bob, Alice (serving as the delegator) can generate a re-encryption key with the identifier (e.g., email address) of Bob and then outsource the key to a proxy server. With such a key, the proxy can convert the document encrypted by ABE into an IBE ciphertext that can be decrypted by Bob, i.e., the delegatee. At a high level, a HAPRE system employs a private key generator (PKG) to generate public keys and secret keys of ABE and IBE. The delegator generates a re-encryption key by using her own secret key and the identity of the delegatee. The proxy then uses the re-encryption key to convert the original ciphertext into an IBE ciphertext for the delegatee, without having knowledge about the message encrypted in the ciphertext. We require that the re-encryption should not require extra work from the PKG or participation of the delegatee. We present the HAPRE model and define two types of security definitions for HAPRE, i.e., semantic security and collusion resistance. The semantic security captures the attacks from unauthorized users, and the collusion resistance captures the attacks from the proxy colluding with the delegatees.
We construct two HAPRE schemes (i.e., ciphertext-policy HAPRE and key-policy HAPRE) in prime-order bilinear groups and prove their semantic security and collusion resistance. Theoretical and experimental analyses are conducted to demonstrate the efficiency of the schemes.

1.2. Related work
IBE is an efficient cryptographic primitive where any recognizable strings can serve as public keys and secret keys are extracted from a trusted key generation party. Boneh and Franklin [5] proposed the first IBE scheme based on bilinear groups. Since its seminal introduction, IBE schemes [4,48] have been discussed extensively, as this new cryptographic notion no longer requires the certificates of traditional public-key systems. Due to its efficient key management and encryption, IBE has been adopted in different data-protection applications, such as IoT [49] and mobile clouds [28]. Blaze et al. [3] first introduced the notion of proxy re-encryption (PRE), where a proxy can transform a ciphertext designated for one user into a ciphertext designated for another without having knowledge about the underlying message. As stated in [1], the PRE scheme [3] is bidirectional in the sense that a re-encryption key can transform a ciphertext from Alice to Bob and vice versa. Hence, this scheme does not protect the security of the delegatee’s data. Ivan and Dodis [18] and Ateniese et al. [1] presented unidirectional PRE schemes that allow re-encryption of a ciphertext only from Alice to Bob. Since then, many useful unidirectional PRE schemes have been proposed [8,17,44,45]. Inspired by IBE, Green and Ateniese [14] proposed the concept of identity-based PRE (IBPRE). Compared with traditional PRE, IBPRE enjoys the advantage of avoiding heavy certificate management problems. Thus, many IBPRE schemes have been proposed. Chu and Tzeng [10] proposed a multiuse IBPRE scheme in which a ciphertext can be re-encrypted multiple times. Wang et al.
[47] proposed a unidirectional, multiuse and chosen-ciphertext-attack (CCA)-secure IBPRE scheme, which closes an open problem presented in [14]. Unfortunately, Shao and Cao [43] noted that these three IBPRE schemes [10,14,47] cannot resist collusion attacks, i.e., the proxy and the delegatee may collude to recover the secret key of the delegator. Han et al. [16] proposed a collusion-resistant identity-based data storage scheme for cloud computing. Recently, Paul et al. [38] also presented a collusion-resistant IBPRE scheme with adaptive CCA security proven in the random oracle model. Although IBE eliminates the need for public-key certificates, it requires the sender to explicitly specify the identity of the receiver for a ciphertext, which is not always feasible in practice. Sahai and Waters [42] proposed a cryptographic primitive called ABE that allows a set of descriptive attributes to identify a user. Goyal et al. [13] classified ABE into two categories: CP-ABE and KP-ABE. In a CP-ABE system, a user can formulate an access policy for a ciphertext, indicating the attributes that an authorized user should possess. Alternatively, users in KP-ABE are associated with access policies and can decrypt the ciphertexts that satisfy their policies. Many efforts have been made to improve ABE in terms of security, efficiency and functionality. Brakerski and Vaikuntanathan [7] leveraged the circuits technique to construct a KP-ABE scheme that supports attributes of unbounded polynomial length and achieves semiadaptive security. Chen et al. [9] then presented an adaptively secure unbounded KP-ABE scheme. To resist various side-channel attacks against the secret information about an ABE system, Li et al. [26,27] proposed KP/CP-ABE schemes with leakage resilience. Given that the decryption of ABE requires a number of complicated cryptographic operations, Green et al.
[15] proposed ABE with outsourcing decryption to offload the decryption computations to a third party (e.g., a cloud server). Li et al. [29] proposed a multiauthority CP-ABE scheme that achieves decryption outsourcing. Li et al. [23] presented an ABE scheme with full verifiability that enables both authorized and unauthorized users to test whether the third party honestly executes the outsourced decryption computations. In ABE, a trusted third party is usually employed to distribute secret keys for users, which would incur efficiency issues when the number of users is large. To address this issue, Wan et al. [46] constructed a hierarchical attribute-set-based encryption, and Deng et al. [11] also proposed a hierarchical ABE. Attribute/user revocation is a security mechanism that revokes some users or attributes from
the system. Qian et al. [39] realized a user/attribute revocation in health record systems to prevent revoked doctors from accessing patients’ health records. Li et al. proposed efficient attribute revocation [24] and user revocation [25] in ABE by managing attributes and users in groups, respectively. To achieve secure keyword search on ABE ciphertexts, Miao et al. [36] presented an attribute-based searchable encryption scheme. Li et al. [22] also proposed an outsourced ABE with keyword search function to achieve both decryption outsourcing and keyword search in ABE systems. By combining the notions of ABE and PRE, Liang et al. [32] proposed the attribute-based PRE (ABPRE) primitive, where a ciphertext generated under an access policy can be converted into a ciphertext of a new access policy. Based on CP-ABE, they constructed a unidirectional and multiuse ciphertext-policy ABPRE (CP-ABPRE) scheme that provides an AND-gate policy on positive and negative attributes. Later, Luo et al. [34] extended the CP-ABPRE scheme [32] to support an AND-gate policy over multivalue and negative attributes. Liang et al. [31] stated the limitation of the AND-gate policy in both schemes [32,34] and proposed an improved CP-ABPRE scheme supporting more expressive access policies. The proposed scheme was proven to be CCA secure in the random oracle model. By utilizing the dual system encryption technology first presented by Waters [48] and then introduced by Lewko and Waters [20] to composite order groups, Liang et al. [30] proposed an adaptive CCA-secure CP-ABPRE scheme in the standard model. Following the same technology, Ge et al. [12] presented the first adaptive CCA-secure KP-ABPRE scheme in the standard model. 
Despite composite order groups facilitating the achievement of adaptive security in the standard model, the basic group operations (e.g., exponentiations, pairings) are several orders of magnitude slower than in prime order groups for the same security level, as noted by Rouselakis and Waters [41]. Since we mainly consider re-encryption for resource-limited users, we concentrate on the more efficient prime order groups. As ABE is more generic than IBE, one may regard IBE as a special case of ABE by taking one attribute as an encryption identity. However, an efficient IBE scheme cannot be trivially obtained from an ABE scheme. The first reason is that an ABE scheme usually requires a longer system public key and longer secret keys in order to support distinct attributes. Even if a secret key contains only one attribute (which can be viewed as an identity in IBE), the size of the key is larger than that of an ordinary IBE secret key. The second reason is that to realize access trees or access structures in ABE, some techniques, such as a linear secret sharing scheme, are required to split a secret random value. This generally results in a longer ciphertext even when encrypting with only one attribute/identity. Therefore, it is still an interesting and important work to devise re-encryption from ABE to IBE. Mizuno and Doi [37] proposed the first ABE-IBE proxy re-encryption based on CP-ABE, where a ciphertext generated in a CP-ABE scheme can be transformed into a ciphertext of an IBE scheme. While this is similar to the idea of HAPRE, Mizuno-Doi’s model has some significant differences from ours. First, in the re-encryption, the delegator needs to know a part of the delegatee’s secret key. This requires the delegator to interact with the delegatee to obtain the necessary information, which would undermine the model’s practicability.
Second, the delegator (in ABE) has to additionally store the public parameters of IBE for re-encryption, which introduces some obstacles for the introduction of re-encryption to the users who have already deployed an ABE scheme. Third, Mizuno-Doi’s scheme only supports an AND-gate policy over attributes, which results in a limitation of expressiveness. To the best of our knowledge, there is currently no noninteractive proxy re-encryption scheme that can transform ABE ciphertexts into IBE ciphertexts and simultaneously support any monotonic access structure. There are also some other proposals achieving the ciphertext transformation mechanism. Matsuo [35] proposed a hybrid PRE scheme that can convert a PKI-based ciphertext into an IBE ciphertext, although this scheme also requires the delegator to interact with the delegatee in each re-encryption. Jiang et al. [19] presented a cross-domain encryption switching mechanism that can transform a PKI-based ciphertext into an IBE one, and vice versa. This mechanism requires a trusted third party to generate a transformation key for each switching request, which would incur an efficiency problem when many switching service requests are simultaneously made. Liu et al. [33] proposed an efficient privacy-preserving outsourced calculation framework with multiple keys (EPOM) to support commonly used integer operations on the data encrypted under different public keys. Although EPOM and our HAPRE both achieve secure calculations on encrypted data, our HAPRE achieves a re-encryption mechanism that allows users in the IBE system to access the data encrypted by a different encryption system (i.e., ABE), which has not been provided in EPOM.

1.3. Paper organization
Section 2 reviews some background knowledge about bilinear maps, the access structures, the linear secret sharing scheme, IBE and ABE.
In Section 3, the HAPRE systems (including ciphertext-policy HAPRE and key-policy HAPRE) are presented, and formal security definitions are given. We introduce the main idea of HAPRE constructions and propose semantically secure and collusion-resistant CP-HAPRE and KP-HAPRE schemes in Section 4. Section 5 analyzes the HAPRE schemes both theoretically and experimentally. Section 6 concludes the paper.

2. Preliminaries

2.1. Bilinear maps
Let $G$ and $G_T$ be two cyclic groups of prime order $p$. Let $g$ be a generator of $G$ and $e : G \times G \to G_T$ be a map with two properties: (i) Bilinearity: for all $u, v \in G$ and all $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u^b, v^a) = e(u, v)^{ab}$; and (ii) Non-degeneracy: $e(g, g) \neq 1$. We say that $G$ is a bilinear group if the group operations in $G$ and the bilinear map $e : G \times G \to G_T$ are both efficiently computable. We assume that there is an efficient algorithm $\mathcal{G}$ for generating bilinear groups. The algorithm $\mathcal{G}$ takes as input a security parameter $\lambda$ and outputs a tuple $(p, g, G, G_T, e)$.

2.2. Access structures [2]
Definition 1. Let $\{P_1, P_2, \ldots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ is monotonic if for all $B, C$ we have that $C \in \mathbb{A}$ holds whenever $B \in \mathbb{A}$ and $B \subseteq C$. An access structure (respectively, monotonic access structure) is a collection (respectively, monotonic collection) $\mathbb{A}$ of nonempty subsets of $\{P_1, P_2, \ldots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called authorized sets, and the sets not in $\mathbb{A}$ are called unauthorized sets.

2.3. Linear secret sharing schemes [2]
Definition 2. A secret-sharing scheme over a set of parties $\mathcal{P}$ is called linear (over $\mathbb{Z}_p$) if
1. The shares for each party form a vector over $\mathbb{Z}_p$.
2. There exists a matrix $A$, called the share-generating matrix for the scheme, where $A$ has $l$ rows and $n$ columns. For all $i = 1, \ldots, l$, the $i$th row of $A$ is labeled by a party $\rho(i)$, where $\rho$ is a function from $\{1, \ldots, l\}$ to $\mathcal{P}$. When we consider the column vector $v = (s, r_2, \ldots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \ldots, r_n \in \mathbb{Z}_p$ are randomly chosen, then $Av$ is the vector of $l$ shares of the secret $s$ according to the scheme. Let $A_i$ denote the $i$th row of $A$; then $\lambda_i = A_i v$ is the share belonging to party $\rho(i)$.
Every LSSS defined above enjoys the linear reconstruction property. Suppose that the scheme is an LSSS for access structure $\mathbb{A}$. Let $S$ be an authorized set in $\mathbb{A}$, i.e., $S \in \mathbb{A}$. Let $I = \{i : \rho(i) \in S\} \subseteq \{1, \ldots, l\}$. The linear reconstruction property states that there must exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that for valid shares $\{\lambda_i\}$ of $s$, $\sum_{i \in I} \omega_i \lambda_i = s$ holds. The time for finding $\{\omega_i\}$ is polynomial in the size of the matrix $A$.
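As an added example (not code from the paper), the following Python makes Definition 2 and the linear reconstruction property concrete: a monotone Boolean formula is turned into a share-generating matrix $A$ with row labelling $\rho$, a secret $s$ is shared as $Av$, and for a given attribute set the reconstruction constants $\{\omega_i\}$ are computed by Gaussian elimination over $\mathbb{Z}_p$, which has no solution exactly when the set is unauthorized. The formula-to-matrix conversion is the standard Lewko-Waters labelling, which this page does not describe; the modulus and the sample policy (taken from the Section 1 scenario) are constructed values.

```python
"""LSSS over Z_p as used in ABE (Section 2.3): share a secret via the
share-generating matrix and reconstruct it from an authorized set.
Added example; not code from the paper."""
import secrets

# Constructed toy modulus standing in for the prime group order p.
P = 2**127 - 1

# Policy trees are ("AND", l, r), ("OR", l, r) or an attribute string.
# Constructed from the paper's motivating scenario (Section 1).
POLICY = ("OR", ("AND", "Project Manager", "IT Department"),
                ("AND", "Software Engineer", "IT Department"))


def policy_to_lsss(tree):
    """Convert a monotone Boolean formula into (A, rho).

    Uses the Lewko-Waters labelling (assumption: this conversion is not
    defined on the page): the root is labelled (1); an OR node passes its
    label to both children; an AND node with label v and counter c gives
    the left child v|1 (v padded to length c) and the right child
    (0,...,0,-1) of length c+1, then increments c.
    """
    rows, counter = [], [1]

    def walk(node, vec):
        if isinstance(node, str):           # leaf: one row labelled by an attribute
            rows.append((vec, node))
            return
        gate, left, right = node
        if gate == "OR":
            walk(left, vec)
            walk(right, vec)
        elif gate == "AND":
            c = counter[0]
            counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(f"unknown gate {gate!r}")

    walk(tree, [1])
    n = counter[0]                          # final counter = number of columns
    A = [[x % P for x in vec] + [0] * (n - len(vec)) for vec, _ in rows]
    rho = [attr for _, attr in rows]
    return A, rho


def share(A, secret):
    """Shares lambda_i = A_i . v with v = (s, r_2, ..., r_n), r_j random in Z_p."""
    n = len(A[0])
    v = [secret % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % P for row in A]


def reconstruction_constants(A, rho, attrs):
    """Find {omega_i : i in I} with sum_i omega_i * A_i = (1, 0, ..., 0).

    I = {i : rho(i) in attrs}. Solves A_I^T w = e_1 by Gaussian elimination
    mod P; returns None when the system is inconsistent, i.e. attrs is an
    unauthorized set.
    """
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n, m = len(A[0]), len(I)
    # Augmented matrix: row j holds column j of A restricted to I, plus e_1[j].
    M = [[A[i][j] for i in I] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for col in range(m):
        piv = next((k for k in range(r, n) if M[k][col]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for k in range(n):
            if k != r and M[k][col]:
                f = M[k][col]
                M[k] = [(x - f * y) % P for x, y in zip(M[k], M[r])]
        pivots.append(col)
        r += 1
    if any(M[k][m] for k in range(r, n)):    # 0 = nonzero: no solution
        return None
    w = [0] * m                              # free variables set to 0
    for k, col in enumerate(pivots):
        w[col] = M[k][m]
    return {I[k]: w[k] for k in range(m)}


def reconstruct(shares, omega):
    """Linear reconstruction: s = sum_{i in I} omega_i * lambda_i."""
    return sum(omega[i] * shares[i] for i in omega) % P


def recover(secret, attrs, policy=POLICY):
    """Share `secret` under `policy`, then try to recover it with `attrs`."""
    A, rho = policy_to_lsss(policy)
    omega = reconstruction_constants(A, rho, set(attrs))
    return None if omega is None else reconstruct(share(A, secret), omega)


if __name__ == "__main__":
    print(policy_to_lsss(POLICY))
    print(recover(4242, ["Project Manager", "IT Department"]))
    print(recover(4242, ["Marketing Department"]))
```

For the sample policy the conversion yields the four rows $(1,1,0)$, $(0,-1,0)$, $(1,0,1)$, $(0,0,-1)$ labelled Project Manager, IT Department, Software Engineer, IT Department; the rows of an authorized set sum to $(1,0,\ldots,0)$ with constants $\omega_i = 1$, so the secret is the sum of their shares, while a set such as {Project Manager, Software Engineer} or {IT Department} alone leaves the system unsolvable. In a CP-ABE scheme the same constants are what the decryptor uses to cancel the random $r_j$ terms.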
2.4. Identity-based encryption
An IBE allows a sender to use any recognizable string to encrypt messages, and a PKG is responsible for issuing secret keys for the receivers associated with the strings. Typically, an IBE scheme involves the following algorithms.
$(PK_{IBE}, MSK_{IBE}) \leftarrow \mathrm{Setup}_{IBE}(1^\lambda)$: PKG takes as input a security parameter $\lambda$ and outputs the public key $PK_{IBE}$ and the master secret key $MSK_{IBE}$.
$SK_{ID} \leftarrow \mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$: PKG takes as input an identity string $ID$, the public key $PK_{IBE}$ and the master secret key $MSK_{IBE}$. It outputs a secret key $SK_{ID}$ for $ID$.
$CT_{ID} \leftarrow \mathrm{Encrypt}_{IBE}(PK_{IBE}, ID, M)$: A sender takes as input a message $M$, an identity $ID$ and the public key $PK_{IBE}$, and it outputs a ciphertext $CT_{ID}$ for $ID$.
$M/\bot \leftarrow \mathrm{Decrypt}_{IBE}(PK_{IBE}, CT_{ID}, SK_{ID})$: A receiver takes as input the public key $PK_{IBE}$, a ciphertext $CT_{ID}$ and a secret key $SK_{ID}$. It outputs the message $M$ or a failure symbol $\bot$.
The selective security of IBE against a chosen-plaintext attacker states that, for an adversary that declares an identity to be challenged, the ciphertexts generated under the challenge identity are indistinguishable, provided that the adversary does not have the correct decryption key. More details about the IBE security definition can be found in [4].

2.5. Attribute-based encryption
We first review CP-ABE. In CP-ABE, a sender generates a ciphertext $CT_{\mathbb{A}}$ by using an access structure $\mathbb{A}$; a receiver associated with a set $S$ of attributes can decrypt $CT_{\mathbb{A}}$ if and only if $S$ satisfies $\mathbb{A}$. Formally, a CP-ABE is described as follows.
$(PK_{CP}, MSK_{CP}) \leftarrow \mathrm{Setup}_{CP}(1^\lambda)$: PKG takes as input a security parameter $\lambda$ and outputs the public key $PK_{CP}$ and the master secret key $MSK_{CP}$.
$SK_S \leftarrow \mathrm{KeyGen}_{CP}(PK_{CP}, MSK_{CP}, S)$: PKG takes as input a set $S$ of attributes, the public key $PK_{CP}$ and the master secret key $MSK_{CP}$. It outputs a secret key $SK_S$ for $S$.
$CT_{\mathbb{A}} \leftarrow \mathrm{Encrypt}_{CP}(PK_{CP}, \mathbb{A}, M)$: A sender takes as input a message $M$, an access structure $\mathbb{A}$ and the public key $PK_{CP}$. It outputs a ciphertext $CT_{\mathbb{A}}$ for $\mathbb{A}$.
$M/\bot \leftarrow \mathrm{Decrypt}_{CP}(PK_{CP}, CT_{\mathbb{A}}, SK_S)$: A receiver takes as input the public key $PK_{CP}$, a ciphertext $CT_{\mathbb{A}}$, and a secret key $SK_S$. If $S$ satisfies $\mathbb{A}$, it outputs the message $M$; otherwise, it outputs a failure symbol $\bot$.
KP-ABE is defined exactly the same as CP-ABE except that the ciphertext is generated with attribute sets, while secret keys are created by using access structures. Formally, KP-ABE is described as follows.
$(PK_{KP}, MSK_{KP}) \leftarrow \mathrm{Setup}_{KP}(1^\lambda)$: PKG takes as input a security parameter $\lambda$ and outputs the public key $PK_{KP}$ and the master secret key $MSK_{KP}$.
$SK_{\mathbb{A}} \leftarrow \mathrm{KeyGen}_{KP}(PK_{KP}, MSK_{KP}, \mathbb{A})$: PKG takes as input an access structure $\mathbb{A}$, the public key $PK_{KP}$ and the master secret key $MSK_{KP}$. It outputs a secret key $SK_{\mathbb{A}}$ for $\mathbb{A}$.
$CT_S \leftarrow \mathrm{Encrypt}_{KP}(PK_{KP}, S, M)$: A sender takes as input the public key $PK_{KP}$, an attribute set $S$ and a message $M$. It outputs a ciphertext $CT_S$ for $S$.
$M/\bot \leftarrow \mathrm{Decrypt}_{KP}(PK_{KP}, CT_S, SK_{\mathbb{A}})$: A receiver takes as input the public key $PK_{KP}$, a ciphertext $CT_S$, and a secret key $SK_{\mathbb{A}}$. It outputs the message $M$ if $S$ satisfies $\mathbb{A}$ and a failure symbol $\bot$ otherwise.

3. Modeling HAPRE
We now model our HAPRE, which integrates two separate encryption schemes: an ABE scheme and an IBE scheme. In a HAPRE system, a PKG is responsible for generating and publishing the system public keys of ABE and IBE. The users (e.g., desktop users) who have relatively strong computing capability and large storage space can choose ABE to secure data, while an IBE scheme is supposed to be utilized by resource-limited users (e.g., mobile users). Consider the case in which an ABE user has already encrypted his outsourced data via ABE and may not preserve the data locally. When deciding to share some data with a user of IBE, the ABE user (serving as the delegator) generates a re-encryption key by using his secret key and the identity of the IBE user (i.e., the delegatee). Given such a re-encryption key, a proxy server can transform the ABE-encrypted data into IBE ciphertexts that can be decrypted by the delegatee. We require that during the re-encryption, the proxy has no knowledge of the data encrypted in the ABE/IBE ciphertexts or the secret key of the delegator.

3.1. Scheme definition
The HAPRE system involves an ABE scheme, an IBE scheme, and necessary algorithms for re-encryption. We classify HAPRE into two categories, CP-HAPRE and KP-HAPRE, based on CP-ABE and KP-ABE, respectively.
In a CP-HAPRE system, an original ciphertext $CT_{\mathbb{A}}$ is generated with an access structure $\mathbb{A}$, and a delegator generates a re-encryption key $RK_{S \to ID}$, where $S$ is the attribute set associated with the delegator and $ID$ is the identity of the delegatee. The proxy can re-encrypt the ciphertext $CT_{\mathbb{A}}$ to a ciphertext $CT_{ID}$ of $ID$ if and only if $S$ satisfies $\mathbb{A}$. The delegatee can decrypt $CT_{ID}$ using his secret IBE key. Formally, the CP-HAPRE system involves the following algorithms.
$(PK, MSK) \leftarrow \mathrm{Setup}(1^\lambda)$: On input security parameter $\lambda$, PKG runs the setup algorithms of the IBE scheme and the CP-ABE scheme. It outputs the system public key $PK$ and master secret key $MSK$, where $PK$ involves $PK_{IBE}$ and $PK_{CP}$, and $MSK$ involves $MSK_{IBE}$ and $MSK_{CP}$.
$SK_{ID} \leftarrow \mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$: The IBE secret key generation algorithm.
$SK_S \leftarrow \mathrm{KeyGen}_{CP}(PK_{CP}, MSK_{CP}, S)$: The CP-ABE secret key generation algorithm.
$CT_{\mathbb{A}} \leftarrow \mathrm{Encrypt}_{CP}(PK_{CP}, \mathbb{A}, M)$: The CP-ABE encryption algorithm that outputs the original ciphertext $CT_{\mathbb{A}}$.
$RK_{S \to ID} \leftarrow \mathrm{RKGen}(PK, SK_S, ID)$: The delegator takes as input the public key $PK$, the secret key $SK_S$ associated with an attribute set $S$, and the identity $ID$ of the delegatee. It outputs a re-encryption key $RK_{S \to ID}$ (see footnote 1).
$CT_{ID} \leftarrow \mathrm{ReEnc}(PK, RK_{S \to ID}, CT_{\mathbb{A}})$: The proxy takes as input the public key $PK$, the re-encryption key $RK_{S \to ID}$, and a ciphertext $CT_{\mathbb{A}}$. If $S$ satisfies $\mathbb{A}$, the proxy outputs a ciphertext $CT_{ID}$ for $ID$.
$M/\bot \leftarrow \mathrm{Decrypt}(PK, (CT, SK) \in \{(CT_{\mathbb{A}}, SK_S), (CT_{ID}, SK_{ID})\})$: When $(CT, SK) = (CT_{\mathbb{A}}, SK_S)$, the decryption algorithm works the same as in the CP-ABE scheme. When $(CT, SK) = (CT_{ID}, SK_{ID})$, the algorithm outputs $M$.
Correctness. The correctness of CP-HAPRE states that, for all $(PK, MSK) \leftarrow \mathrm{Setup}(1^\lambda)$, all $SK_S \leftarrow \mathrm{KeyGen}_{CP}(PK_{CP}, MSK_{CP}, S)$, all $SK_{ID} \leftarrow \mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$, all $CT_{\mathbb{A}} \leftarrow \mathrm{Encrypt}_{CP}(PK_{CP}, \mathbb{A}, M)$, and all $CT_{ID} \leftarrow \mathrm{ReEnc}(PK, RK_{S \to ID}, CT_{\mathbb{A}})$, where $RK_{S \to ID} \leftarrow \mathrm{RKGen}(PK, SK_S, ID)$, $\mathrm{Decrypt}(PK_{IBE}, CT_{ID}, SK_{ID})$ outputs $M$ and $\mathrm{Decrypt}(PK_{CP}, CT_{\mathbb{A}}, SK_S)$ outputs $M$ if $S \in \mathbb{A}$.
In the KP-HAPRE system, the original ciphertext $CT_S$ is generated with a set $S$ of attributes, and a re-encryption key $RK_{\mathbb{A} \to ID}$ is created using the delegator’s secret key $SK_{\mathbb{A}}$ and the identity $ID$ of the delegatee. The re-encryption key can re-encrypt $CT_S$ if $S$ satisfies $\mathbb{A}$. The KP-HAPRE system is formally defined as follows.
$(PK, MSK) \leftarrow \mathrm{Setup}(1^\lambda)$: On input security parameter $\lambda$, PKG runs the setup algorithms of the IBE scheme and the KP-ABE scheme. It outputs the system public key $PK$ and master secret key $MSK$, where $PK$ involves $PK_{IBE}$ and $PK_{KP}$, and $MSK$ involves $MSK_{IBE}$ and $MSK_{KP}$.
$SK_{ID} \leftarrow \mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$: The IBE key generation algorithm.
$SK_{\mathbb{A}} \leftarrow \mathrm{KeyGen}_{KP}(PK_{KP}, MSK_{KP}, \mathbb{A})$: The KP-ABE key generation algorithm.
$CT_S \leftarrow \mathrm{Encrypt}_{KP}(PK_{KP}, S, M)$: The KP-ABE encryption algorithm that outputs the ciphertext $CT_S$.
$RK_{\mathbb{A} \to ID} \leftarrow \mathrm{RKGen}(PK, SK_{\mathbb{A}}, ID)$: The delegator takes as input the public key $PK$, the secret key $SK_{\mathbb{A}}$, and the identity $ID$ of the delegatee. It outputs a re-encryption key $RK_{\mathbb{A} \to ID}$ (see footnote 2).
Footnote 1: As we consider CP-ABE with a monotonic access structure, the secret key $SK_S$ can create a re-encryption key for any subset $S' \subseteq S$. However, for simplicity, we assume that the re-encryption key is created for the same set $S' = S$.
Footnote 2: A re-encryption key can be created for an access structure $\mathbb{A}'$ that is equivalent to or more restrictive than $\mathbb{A}$, due to the monotonic feature. For simplicity, we assume that $\mathbb{A}' = \mathbb{A}$.
$CT_{ID} \leftarrow \mathrm{ReEnc}(PK, RK_{\mathbb{A} \to ID}, CT_S)$: The proxy takes as input the public key $PK$, the re-encryption key $RK_{\mathbb{A} \to ID}$, and a ciphertext $CT_S$. If $S$ satisfies $\mathbb{A}$, the proxy outputs a ciphertext $CT_{ID}$ for $ID$.
$M/\bot \leftarrow \mathrm{Decrypt}(PK, (CT, SK) \in \{(CT_S, SK_{\mathbb{A}}), (CT_{ID}, SK_{ID})\})$: When $(CT, SK) = (CT_S, SK_{\mathbb{A}})$, the decryption algorithm works the same as in the KP-ABE system. When $(CT, SK) = (CT_{ID}, SK_{ID})$, the algorithm outputs $M$.
Correctness. The correctness of KP-HAPRE states that, for all $(PK, MSK) \leftarrow \mathrm{Setup}(1^\lambda)$, all $SK_{ID} \leftarrow \mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$, all $SK_{\mathbb{A}} \leftarrow \mathrm{KeyGen}_{KP}(PK_{KP}, MSK_{KP}, \mathbb{A})$, all $CT_S \leftarrow \mathrm{Encrypt}_{KP}(PK_{KP}, S, M)$, and all $CT_{ID} \leftarrow \mathrm{ReEnc}(PK, RK_{\mathbb{A} \to ID}, CT_S)$, where $RK_{\mathbb{A} \to ID} \leftarrow \mathrm{RKGen}(PK, SK_{\mathbb{A}}, ID)$, $\mathrm{Decrypt}(PK_{IBE}, CT_{ID}, SK_{ID})$ outputs $M$ and $\mathrm{Decrypt}(PK_{KP}, CT_S, SK_{\mathbb{A}})$ outputs $M$ if $S \in \mathbb{A}$.

3.2. Security definitions
In HAPRE systems, we consider the practical attacks from unauthorized access attempts and the collusion of the proxy and authorized delegatees. We define the semantic security and the collusion resistance to capture these attacks, respectively. The semantic security states that no unauthorized user can recover the message encrypted in any ciphertext. The collusion resistance states that the collusion of the proxy and the delegatee designated by the delegator cannot obtain the delegator’s private key.

3.2.1. Semantic security
We first present the semantic security definition of the CP-HAPRE system. Because it consists of a CP-ABE scheme and an IBE scheme, the security of CP-HAPRE includes the standard security of CP-ABE and IBE. In the selective security definition of CP-HAPRE, we consider realistic attacks launched by unauthorized users (in both ABE and IBE) who may collude with the proxy in an attempt to recover the messages encrypted in ciphertexts. Thus, we model an adversary that gains access to the system public key and secret keys of both ABE and IBE. Moreover, the adversary can query re-encryption keys for attribute sets and identities of its choice.
The semantic security of CP-HAPRE states that two ciphertexts generated under the access structure chosen by the adversary are indistinguishable in the adversary's view, on the premise that the adversary cannot trivially decrypt the challenge ciphertext or the ciphertexts converted from it. Formally, the selective security of the CP-HAPRE system is defined as follows.

Init: The adversary $\mathcal{A}$ outputs an access structure $\mathbb{A}^*$ and an identity $ID^*$.

Setup: The challenger runs the setup algorithm and gives the resulting public key $PK$ to $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ makes the following queries:

$\mathrm{Reveal}_{IBE}(ID)$. $\mathcal{A}$ queries the IBE secret key for an identity $ID \neq ID^*$. The challenger responds by running $\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$ and giving the output secret key $SK_{ID}$ to $\mathcal{A}$.

$\mathrm{Reveal}_{CP}(S)$. $\mathcal{A}$ queries the CP-ABE secret key for an attribute set $S \notin \mathbb{A}^*$. The challenger responds by running $\mathrm{KeyGen}_{CP}(PK_{CP}, MSK_{CP}, S)$ and giving the output secret key $SK_S$ to $\mathcal{A}$.

$\mathrm{RKReveal}(S \to ID)$. $\mathcal{A}$ queries the re-encryption key for an attribute set $S$ and an identity $ID$. The challenger responds by running $\mathrm{RKGen}(PK, SK_S, ID)$ and giving the resulting re-encryption key $RK_{S\to ID}$ to $\mathcal{A}$, where $SK_S \leftarrow \mathrm{KeyGen}_{CP}(PK_{CP}, MSK_{CP}, S)$.

Challenge: Once $\mathcal{A}$ decides that Phase 1 is finished, it outputs two equal-length messages $M_0$ and $M_1$, with the restrictions that (1) $\mathcal{A}$ has never queried $\mathrm{Reveal}_{CP}(S)$ for $S \in \mathbb{A}^*$, and (2) for any $ID$ and any $S \in \mathbb{A}^*$, if $\mathcal{A}$ has already queried $\mathrm{RKReveal}(S \to ID)$, then it has never queried $\mathrm{Reveal}_{IBE}(ID)$, or if $\mathcal{A}$ has already queried $\mathrm{Reveal}_{IBE}(ID)$, then it has never queried $\mathrm{RKReveal}(S \to ID)$. The challenger selects a random bit $\beta \in \{0, 1\}$ and generates the ciphertext $CT_{\mathbb{A}^*}$ of $M_\beta$ under $\mathbb{A}^*$. It sends $CT_{\mathbb{A}^*}$ to $\mathcal{A}$ as the challenge.

Phase 2: The adversary $\mathcal{A}$ continues to make queries as in Phase 1, subject to the restrictions described above.

Guess: Finally, $\mathcal{A}$ outputs a guess $\beta' \in \{0, 1\}$ and wins the game if $\beta' = \beta$.
We define the advantage of $\mathcal{A}$ in this game as $\mathrm{Adv}^{SS}_{\mathcal{A},\mathrm{CP\text{-}HAPRE}} = |\Pr[\beta' = \beta] - 1/2|$.

We note that the declaration of $ID^*$ in the Init phase is required by the selective security of IBE, but the adversary is not additionally challenged with an IBE ciphertext for $ID^*$. The reason is that the adversary can query the re-encryption key from any $S$ to $ID^*$ and then use that key to convert a CP-ABE ciphertext satisfied by $S$ into an IBE ciphertext for $ID^*$.

Definition 3. We say that a CP-HAPRE system is selectively CPA-secure if for all polynomial-time adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{SS}_{\mathcal{A},\mathrm{CP\text{-}HAPRE}}$ in the above game is negligible.

Similarly, the selective security of the KP-HAPRE system is defined as follows.

Init: The adversary $\mathcal{A}$ outputs a set $S^*$ of attributes and an identity $ID^*$.

Setup: The challenger runs the setup algorithm and gives the resulting public key $PK$ to $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ makes the following queries:

$\mathrm{Reveal}_{IBE}(ID)$. $\mathcal{A}$ queries the IBE secret key for an identity $ID \neq ID^*$. The challenger responds by running $\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID)$ and giving the output secret key $SK_{ID}$ to $\mathcal{A}$.

$\mathrm{Reveal}_{KP}(\mathbb{A})$. $\mathcal{A}$ queries the KP-ABE secret key for an access structure $\mathbb{A}$ with $S^* \notin \mathbb{A}$. The challenger responds by running $\mathrm{KeyGen}_{KP}(PK_{KP}, MSK_{KP}, \mathbb{A})$ and giving the output secret key $SK_{\mathbb{A}}$ to $\mathcal{A}$.
$\mathrm{RKReveal}(\mathbb{A} \to ID)$. $\mathcal{A}$ queries the re-encryption key for an access structure $\mathbb{A}$ and an identity $ID$. The challenger responds by running $\mathrm{RKGen}(PK, SK_{\mathbb{A}}, ID)$ and giving the output re-encryption key $RK_{\mathbb{A}\to ID}$ to $\mathcal{A}$, where $SK_{\mathbb{A}} \leftarrow \mathrm{KeyGen}_{KP}(PK_{KP}, MSK_{KP}, \mathbb{A})$.

Challenge: Once $\mathcal{A}$ decides that Phase 1 is finished, it outputs two equal-length messages $M_0$ and $M_1$, with the restrictions that (1) $\mathcal{A}$ has never queried $\mathrm{Reveal}_{KP}(\mathbb{A})$ for any $\mathbb{A}$ with $S^* \in \mathbb{A}$, and (2) for any $ID$ and any $\mathbb{A}$ such that $S^* \in \mathbb{A}$, if $\mathcal{A}$ has already queried $\mathrm{RKReveal}(\mathbb{A} \to ID)$, then it has never queried $\mathrm{Reveal}_{IBE}(ID)$, or if $\mathcal{A}$ has already queried $\mathrm{Reveal}_{IBE}(ID)$, then it has never queried $\mathrm{RKReveal}(\mathbb{A} \to ID)$. The challenger selects a random bit $\beta \in \{0, 1\}$ and generates the ciphertext $CT_{S^*}$ of $M_\beta$ under $S^*$. It sends $CT_{S^*}$ to $\mathcal{A}$ as the challenge.

Phase 2: The adversary $\mathcal{A}$ continues to make queries as in Phase 1, subject to the restrictions described above.

Guess: Finally, $\mathcal{A}$ outputs a guess $\beta' \in \{0, 1\}$ and wins the game if $\beta' = \beta$.

We define the advantage of $\mathcal{A}$ in this game as $\mathrm{Adv}^{SS}_{\mathcal{A},\mathrm{KP\text{-}HAPRE}} = |\Pr[\beta' = \beta] - 1/2|$.

Similarly, since the adversary can query the re-encryption key from any $\mathbb{A}$ to $ID^*$ and then use that key to convert a KP-ABE ciphertext satisfying $\mathbb{A}$ into an IBE ciphertext for $ID^*$, the adversary is not separately challenged with an IBE ciphertext.

Definition 4. We say that a KP-HAPRE system is selectively CPA-secure if for all polynomial-time adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{SS}_{\mathcal{A},\mathrm{KP\text{-}HAPRE}}$ in the above game is negligible.

3.2.2. Collusion resistance

In HAPRE systems, collusion attacks may arise from the proxy and the delegatees. Specifically, the proxy and a delegatee designated by the delegator may collude to obtain useful information about the delegator's secret key by combining the re-encryption key with the delegatee's secret key. The collusion resistance of HAPRE withstands such a collusion attack and guarantees the safety of the delegator's secret key. This collusion resistance is very useful in practice.
Note that HAPRE systems contain both original ABE ciphertexts and re-encrypted ciphertexts, and the original ones can only be decrypted with the delegators' secret keys. The collusion resistance of HAPRE therefore protects the original ABE ciphertexts even if the proxy and the delegatees collude.

We first define the collusion resistance of CP-HAPRE. To capture the collusion between the proxy and delegatees, we define an adversary that is entitled to obtain the public key, secret keys and re-encryption keys. Then, for an adversary that holds the re-encryption key $RK_{S^*\to ID}$ and the secret key $SK_{ID}$, collusion resistance states that the adversary is unable to recover the delegator's secret key $SK_{S^*}$. Formally, the collusion resistance of CP-HAPRE is defined as follows.

Setup: The challenger starts the game by running the setup algorithm and giving the resulting public key $PK$ to $\mathcal{A}$.

Query: $\mathcal{A}$ makes re-encryption key queries for $(S^*, ID_i)$. The challenger responds as follows.

• If $S^*$ has not been queried before, it first creates a secret key $SK_{S^*}$ by calling $\mathrm{KeyGen}_{CP}(PK_{CP}, MSK_{CP}, S^*)$. It then uses $SK_{S^*}$ to create the re-encryption key $RK_{S^*\to ID_i}$ by calling $\mathrm{RKGen}(PK, SK_{S^*}, ID_i)$. In addition, the challenger runs $\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID_i)$ to obtain $SK_{ID_i}$ for $ID_i$. Then, the challenger gives $(RK_{S^*\to ID_i}, SK_{ID_i})$ to $\mathcal{A}$.

Challenge: Once the adversary $\mathcal{A}$ decides that the Query phase is over, it outputs a secret key $SK'$. $\mathcal{A}$ wins the game if $SK' = SK_{S^*}$. We define the advantage of $\mathcal{A}$ in this game as $\mathrm{Adv}^{CR}_{\mathcal{A},\mathrm{CP\text{-}HAPRE}} = \Pr[SK' = SK_{S^*}]$.

Definition 5. We say that a CP-HAPRE system is collusion resistant if for all polynomial-time adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{CR}_{\mathcal{A},\mathrm{CP\text{-}HAPRE}}$ in the above game is negligible.

The collusion resistance of KP-HAPRE is defined as follows.

Setup: The challenger starts the game by running the setup algorithm and giving the resulting public key $PK$ to $\mathcal{A}$.

Query: The adversary $\mathcal{A}$ makes re-encryption key queries for $(\mathbb{A}^*, ID_i)$.
The challenger responds as follows.

• If $\mathbb{A}^*$ has not been queried before, it first creates a secret key $SK_{\mathbb{A}^*}$ by calling $\mathrm{KeyGen}_{KP}(PK_{KP}, MSK_{KP}, \mathbb{A}^*)$. Then, it uses $SK_{\mathbb{A}^*}$ to create the re-encryption key $RK_{\mathbb{A}^*\to ID_i}$ by calling $\mathrm{RKGen}(PK, SK_{\mathbb{A}^*}, ID_i)$. In addition, the challenger runs $\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID_i)$ to obtain $SK_{ID_i}$ for $ID_i$. Then, the challenger gives $(RK_{\mathbb{A}^*\to ID_i}, SK_{ID_i})$ to $\mathcal{A}$.

Challenge: Once the adversary $\mathcal{A}$ decides that the Query phase is over, it outputs a secret key $SK'$. $\mathcal{A}$ wins the game if $SK' = SK_{\mathbb{A}^*}$. We define the advantage of $\mathcal{A}$ in this game as $\mathrm{Adv}^{CR}_{\mathcal{A},\mathrm{KP\text{-}HAPRE}} = \Pr[SK' = SK_{\mathbb{A}^*}]$.

Definition 6. We say that a KP-HAPRE system is collusion resistant if for all polynomial-time adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{CR}_{\mathcal{A},\mathrm{KP\text{-}HAPRE}}$ in the above game is negligible.

4. Our constructions

4.1. Basic ideas

In the constructions of HAPRE, one challenge lies in the different ciphertext formats of ABE and IBE. In particular, the ciphertexts of ABE are created under the ABE system's parameters and cannot be converted into ciphertexts
generated under the different parameters of an IBE system. To overcome this issue, we propose a compact IBE scheme that is derived from the Boneh-Boyen IBE scheme [4] and that has similarities with the practical ABE schemes [40]. The public parameters of our IBE scheme are fewer than those of the Boneh-Boyen IBE scheme, which saves users' local storage space. Moreover, the system parameters of our IBE scheme are all included in the parameters of the ABE schemes [40]. Hence, ABE users are not required to store additional parameters for re-encryption, and, more importantly, it is feasible for them to produce functional re-encryption keys that transform ABE ciphertexts into IBE ones.

Another challenge in the constructions is how to realize collusion resistance. It is very likely that the proxy and the delegatee may collude in an attempt to recover the delegator's secret key in some way. To address this issue, we propose a novel key rerandomization technique to protect the delegator's secret key. Specifically, in the re-encryption key generation, the delegator randomizes his secret key by a blind factor and takes the blind factor as an exponent to perform an exponentiation; then, the delegator encrypts the exponentiation result to the delegatee via IBE. The re-encryption algorithm partially decrypts the original ciphertext and obtains an IBE ciphertext of the underlying message blinded by the factor. The delegatee executes the normal IBE decryption to obtain the exponentiation result and then uses it to finally recover the message. In this way, the delegator's secret key is well protected by the blind factor and is revealed neither to the proxy nor to the delegatee.

4.2. Functional Boneh-Boyen IBE scheme

We now propose a compact IBE scheme derived from Boneh-Boyen IBE [4]. To obtain a compact IBE scheme compatible with the ABE schemes in [40], we drop one random group element from the public parameters of the IBE scheme [4].
We note that the public key of the IBE scheme is completely contained in the public key of the CP(KP)-ABE scheme in [40]. The IBE scheme is described as follows.

$\mathrm{Setup}_{IBE}(1^\lambda)$: On input the security parameter $\lambda$, PKG runs the bilinear group generator $\mathcal{G}$ to obtain a tuple of bilinear groups and a map, i.e., $(p, g, \mathbb{G}, \mathbb{G}_T, e)$. PKG chooses random elements $\alpha \in \mathbb{Z}_p^*$ and $u, h \in \mathbb{G}$. It then sets the public key and master secret key as
$$PK_{IBE} = (g, u, h, e(g,g)^\alpha), \qquad MSK_{IBE} = \alpha.$$

$\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK_{IBE}, ID \in \mathbb{Z}_p)$: PKG chooses a random $r \in \mathbb{Z}_p$ and outputs the secret key for $ID$ as
$$SK_{ID} = \left(g^\alpha (u^{ID} h)^r,\ g^r\right).$$

$\mathrm{Encrypt}_{IBE}(PK_{IBE}, ID, M \in \mathbb{G}_T)$: A sender selects a random element $s \in \mathbb{Z}_p$ and outputs the ciphertext of $M$ as $CT_{ID} = (C_0, C_1, C_2)$, where
$$C_0 = M \cdot e(g,g)^{\alpha s}, \qquad C_1 = (u^{ID} h)^s, \qquad C_2 = g^s.$$

$\mathrm{Decrypt}_{IBE}(PK_{IBE}, CT_{ID}, SK_{ID})$: For a ciphertext $CT_{ID} = (C_0, C_1, C_2)$, a receiver uses the secret key $SK_{ID} = (K_0, K_1)$ to compute
$$C_0 \cdot \frac{e(K_1, C_1)}{e(K_0, C_2)} = M.$$
Note that
$$\frac{e(K_0, C_2)}{e(K_1, C_1)} = \frac{e\left(g^\alpha (u^{ID} h)^r,\ g^s\right)}{e\left(g^r,\ (u^{ID} h)^s\right)} = e(g,g)^{\alpha s}.$$
The following theorem shows the selective security of our IBE scheme; the proof is given in Appendix A.

Theorem 1. The above IBE scheme is selectively secure against chosen-plaintext attacks in the standard model if the DBDH assumption holds.

4.3. The CP-HAPRE construction

We propose a CP-HAPRE scheme based on the CP-ABE scheme in [40] and our IBE scheme.

$\mathrm{Setup}(1^\lambda)$: PKG first obtains a tuple $(p, g, \mathbb{G}, \mathbb{G}_T, e)$ by running the bilinear group generator $\mathcal{G}(1^\lambda)$. It selects random elements $\alpha \in \mathbb{Z}_p$ and $u, h, w, v, f \in \mathbb{G}$. In addition, PKG chooses an encoding function $F: \mathbb{G}_T \to \mathbb{G}$. It then outputs the system public key and master secret key as
$$PK = (g, u, h, w, v, f, e(g,g)^\alpha, F), \qquad MSK = \alpha.$$
The IBE public key is $PK_{IBE} = (g, u, h, e(g,g)^\alpha, F)$. The CP-ABE public key is identical to $PK$. Note that IBE users only need to store $PK_{IBE}$.

$\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK, ID)$: The same as the key generation algorithm of the IBE scheme.
$\mathrm{KeyGen}_{CP}(PK_{CP}, MSK, S = \{att_1, \ldots, att_{|S|}\} \subseteq \mathbb{Z}_p)$: First, PKG chooses a random $r \in \mathbb{Z}_p$ and computes
$$K_0 = g^\alpha w^r, \qquad K_1 = g^r.$$
Then, for the attribute set $S$ with cardinality $|S|$, PKG chooses $|S|$ random elements $\{r_i\}_{i=1}^{|S|} \in \mathbb{Z}_p$ and, for all $i = 1, \ldots, |S|$, computes
$$K_{i,2} = g^{r_i}, \qquad K_{i,3} = (u^{att_i} h)^{r_i} v^{-r}.$$
PKG outputs the secret key for the attribute set $S$ as $SK_S = (K_0, K_1, \{K_{i,2}, K_{i,3}\}_{i=1}^{|S|})$.

$\mathrm{Encrypt}_{CP}(PK_{CP}, \mathbb{A}, M)$: To encrypt $M \in \mathbb{G}_T$ under the access structure $\mathbb{A}$, the algorithm generates an LSSS $(A, \rho)$, where $A$ is an $l \times n$ matrix and $\rho: [l] \to \mathbb{Z}_p$ maps each row of $A$ to an attribute. Then, it selects a random element $s \in \mathbb{Z}_p$ and forms a vector $\vec{v} = (s, y_2, \ldots, y_n)$, where $y_2, \ldots, y_n$ are randomly selected in $\mathbb{Z}_p$. For the $i$th row $A_i$ of $A$, compute its share as $\lambda_i = A_i \cdot \vec{v}$. Then, choose $l$ random elements $t_1, t_2, \ldots, t_l \in \mathbb{Z}_p$ and calculate
$$C = M e(g,g)^{\alpha s}, \quad C_0 = g^s, \quad C_{i,1} = w^{\lambda_i} v^{t_i}, \quad C_{i,2} = (u^{\rho(i)} h)^{-t_i}, \quad C_{i,3} = g^{t_i},$$
where $i = 1, 2, \ldots, l$. Additionally, compute $C_4 = f^s$. Then, output the ciphertext for the access structure $\mathbb{A}$ with LSSS $(A, \rho)$ as
$$CT_{\mathbb{A}} = \left(C, C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=1}^{l}, C_4\right).$$
We stress that without the component $C_4$, the ciphertext $CT_{\mathbb{A}}$ is exactly the CP-ABE ciphertext in [40]. Therefore, CP-HAPRE offers users two choices for encrypting their data: if they only want to share data with authorized users and do not allow re-encryption, they just compute $(C, C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=1}^{l})$ without $C_4$ in the encryption algorithm; otherwise, if they expect that some data may be queried by other users in the future, they encrypt the data by additionally computing $C_4$. This component $C_4$ is unnecessary for ABE decryption but is needed for re-encryption. In CP-HAPRE, we focus on ciphertexts that include $C_4$, since only this type of ciphertext supports re-encryption.

$\mathrm{RKGen}(PK, SK_S, ID)$: Given $SK_S = (K_0, K_1, \{K_{i,2}, K_{i,3}\}_{i=1}^{|S|})$ and the identity $ID$ of the delegatee, the delegator chooses random elements $t', s' \in \mathbb{Z}_p$ and computes
$$d_0 = K_0 \cdot f^{t'}, \qquad d_1 = K_1, \qquad \{d_{i,2} = K_{i,2},\ d_{i,3} = K_{i,3}\}_{i=1}^{|S|},$$
and
$$d_4 = F(e(g,g)^{\alpha s'}) \cdot g^{t'}, \qquad d_5 = (u^{ID} h)^{s'}, \qquad d_6 = g^{s'}.$$
Set $RK_{S\to ID} = (d_0, d_1, \{d_{i,2}, d_{i,3}\}_{i=1}^{|S|}, d_4, d_5, d_6)$ and give it to the proxy.
$\mathrm{ReEnc}(PK, RK_{S\to ID}, CT_{\mathbb{A}})$: Parse $RK_{S\to ID} = (d_0, d_1, \{d_{i,2}, d_{i,3}\}_{i=1}^{|S|}, d_4, d_5, d_6)$ and $CT_{\mathbb{A}} = (C, C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=1}^{l}, C_4)$. Assume that $CT_{\mathbb{A}}$ is associated with an LSSS $(A, \rho)$. If the set $S$ satisfies $\mathbb{A}$, then for $I = \{i : \rho(i) \in S\}$ the proxy can compute constants $\{\omega_i \in \mathbb{Z}_p\}_{i\in I}$ such that $\sum_{i\in I} \omega_i A_i = (1, 0, \ldots, 0)$. Then, the proxy computes
$$B = \frac{e(C_0, d_0)}{\prod_{i\in I}\left(e(C_{i,1}, d_1) \cdot e(C_{i,2}, d_{j,2}) \cdot e(C_{i,3}, d_{j,3})\right)^{\omega_i}},$$
where $j$ is the index of the attribute $\rho(i)$ in $S$. Then, it sets
$$C' = C/B, \qquad C_0' = d_4, \qquad C_1' = d_5, \qquad C_2' = d_6, \qquad C_3' = C_4.$$
The proxy finally outputs the re-encrypted ciphertext $CT'_{ID} = (C', C_0', C_1', C_2', C_3')$.

$\mathrm{Decrypt}(PK, CT, SK)$: The decryption algorithm works in two cases:

(1) If $(CT, SK) = (CT_{\mathbb{A}}, SK_S)$ is a pair of an ABE ciphertext and an ABE secret key, the algorithm proceeds as follows. Parse $CT_{\mathbb{A}} = (C, C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=1}^{l}, C_4)$ and $SK_S = (K_0, K_1, \{K_{j,2}, K_{j,3}\}_{j=1}^{|S|})$. If $S$ satisfies $\mathbb{A}$, then for $I = \{i : \rho(i) \in S\}$ the constants $\{\omega_i \in \mathbb{Z}_p\}_{i\in I}$ can be computed such that $\sum_{i\in I} \omega_i A_i = (1, 0, \ldots, 0)$. The algorithm computes
$$M' = \frac{e(C_0, K_0)}{\prod_{i\in I}\left(e(C_{i,1}, K_1) \cdot e(C_{i,2}, K_{j,2}) \cdot e(C_{i,3}, K_{j,3})\right)^{\omega_i}},$$
where $j$ is the index of the attribute $\rho(i)$ in $S$. Then, output $M = C/M'$.

(2) If $CT$ is a re-encrypted ciphertext, let $CT = CT'_{ID} = (C', C_0', C_1', C_2', C_3')$. The delegatee $ID$ uses the secret key $SK_{ID} = (K_{ID,0}, K_{ID,1}) = (g^\alpha (u^{ID} h)^r, g^r)$ to compute
$$\frac{e(K_{ID,0}, C_2')}{e(K_{ID,1}, C_1')} = e(g,g)^{\alpha s'}$$
and $g^{t'} = C_0'/F(e(g,g)^{\alpha s'})$. Finally, the delegatee recovers $M = C' \cdot e(g^{t'}, C_3')$.
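As an added example (not code from the paper or its authors), the compact IBE scheme of Section 4.2 and the CP-HAPRE algorithms of Section 4.3 are written out below in Python and run end to end. Real pairing groups are replaced by a toy model in which a group element $g^a$ is stored as its exponent $a$, so multiplication in $\mathbb{G}$ and $\mathbb{G}_T$ is addition of exponents and the pairing is ordinary multiplication mod $P$; the model is insecure by construction (every secret is visible in the representation) and serves only to check that the algebra of $\mathrm{KeyGen}$, $\mathrm{Encrypt}$, $\mathrm{RKGen}$, $\mathrm{ReEnc}$ and both $\mathrm{Decrypt}$ cases agrees with the equations above. The group order $P$, the encoding $F(z) = z + 1$, the policy (att10 AND att20) OR att30 with its LSSS rows, the attribute values and the identity 7 are all constructed assumptions; `lsss_coeffs` is a generic Gaussian-elimination solver for the reconstruction constants $\omega_i$, which the paper leaves to the LSSS.

```python
# Added example, not code from the paper: the compact IBE scheme and the
# CP-HAPRE algorithms run end to end in a TOY bilinear group, which is
# insecure by construction: g^a is stored as the exponent a mod P, a product
# in G or G_T is a sum of exponents, x^k is k*a, e(g^a, g^b) is a*b mod P.
import secrets

P = 2**127 - 1                                   # constructed toy group order
def rnd(): return secrets.randbelow(P - 1) + 1  # random element of Z_p^*
def gmul(*xs): return sum(xs) % P               # product of group elements
def gpow(x, k): return (x * k) % P              # x^k, k may be negative
def ginv(x): return (-x) % P                    # x^{-1}
def pair(x, y): return (x * y) % P              # bilinear map e(x, y)
def enc_F(z): return (z + 1) % P                # F: G_T -> G, assumed injective map
def uh(pk, x): return gmul(gpow(pk['u'], x), pk['h'])   # u^x h

def lsss_coeffs(rows):
    """w with sum_i w_i*rows[i] = (1,0,...,0) mod P by Gaussian elimination; None if none exists."""
    m, n = len(rows), len(rows[0])
    aug = [[rows[i][c] % P for i in range(m)] + [int(c == 0)] for c in range(n)]
    piv = []                                     # pivot column of each eliminated row
    for c in range(m):
        r = len(piv); pr = next((k for k in range(r, n) if aug[k][c]), None)
        if pr is None: continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][c]:
                fk = aug[k][c]; aug[k] = [(a - fk * b) % P for a, b in zip(aug[k], aug[r])]
        piv.append(c)
    if any(row[-1] for row in aug[len(piv):]): return None   # target outside the row span
    w = [0] * m
    for k, c in enumerate(piv): w[c] = aug[k][-1]
    return w

def setup():                                     # PK = (g,u,h,w,v,f,e(g,g)^alpha,F), MSK = alpha
    alpha = rnd()
    return dict(g=1, u=rnd(), h=rnd(), w=rnd(), v=rnd(), f=rnd(), egg_a=gpow(pair(1, 1), alpha)), alpha
def keygen_ibe(pk, msk, ident):                  # SK_ID = (g^alpha (u^ID h)^r, g^r)
    r = rnd()
    return gmul(gpow(pk['g'], msk), gpow(uh(pk, ident), r)), gpow(pk['g'], r)
def encrypt_ibe(pk, ident, m):                   # (M e(g,g)^{alpha s}, (u^ID h)^s, g^s)
    s = rnd()
    return gmul(m, gpow(pk['egg_a'], s)), gpow(uh(pk, ident), s), gpow(pk['g'], s)
def decrypt_ibe(ct, sk):                         # C0 * e(K1,C1) / e(K0,C2)
    (c0, c1, c2), (k0, k1) = ct, sk
    return gmul(c0, pair(k1, c1), ginv(pair(k0, c2)))
def keygen_cp(pk, msk, attrs):                   # K0 = g^alpha w^r, K1 = g^r, plus per attribute
    r, rs = rnd(), {att: rnd() for att in attrs}                   # r and the r_i
    comps = {att: (gpow(pk['g'], ri), gmul(gpow(uh(pk, att), ri), gpow(pk['v'], -r)))
             for att, ri in rs.items()}          # (K_{i,2}, K_{i,3}) = (g^{r_i}, (u^att h)^{r_i} v^{-r})
    return gmul(gpow(pk['g'], msk), gpow(pk['w'], r)), gpow(pk['g'], r), comps
def encrypt_cp(pk, policy, m):                   # policy = [(row A_i, attribute rho(i)), ...]
    s, n = rnd(), len(policy[0][0])
    vec = [s] + [rnd() for _ in range(n - 1)]    # v = (s, y_2, ..., y_n)
    ct = dict(policy=policy, C=gmul(m, gpow(pk['egg_a'], s)), C0=gpow(pk['g'], s), rows=[])
    for row, att in policy:
        lam, ti = sum(a * b for a, b in zip(row, vec)) % P, rnd()   # lambda_i = A_i . v
        ct['rows'].append((gmul(gpow(pk['w'], lam), gpow(pk['v'], ti)),   # C_{i,1}
                           gpow(uh(pk, att), -ti), gpow(pk['g'], ti)))    # C_{i,2}, C_{i,3}
    ct['C4'] = gpow(pk['f'], s); return ct       # C4 = f^s, needed only for re-encryption
def pair_product(ct, k0, k1, comps):
    """e(C0,K0) / prod_{i in I} (e(C_i1,K1) e(C_i2,K_j2) e(C_i3,K_j3))^{w_i}; None if S fails A."""
    idx = [i for i, (_, att) in enumerate(ct['policy']) if att in comps]
    w = lsss_coeffs([ct['policy'][i][0] for i in idx])
    if w is None: return None
    denom = 0                                    # identity of G_T
    for wi, i in zip(w, idx):
        (c1, c2, c3), (kj2, kj3) = ct['rows'][i], comps[ct['policy'][i][1]]
        denom = gmul(denom, gpow(gmul(pair(c1, k1), pair(c2, kj2), pair(c3, kj3)), wi))
    return gmul(pair(ct['C0'], k0), ginv(denom))
def decrypt_cp(ct, sk):
    mp = pair_product(ct, *sk)
    return None if mp is None else gmul(ct['C'], ginv(mp))
def rkgen(pk, sk, ident):                        # blind K0 by f^{t'}; IBE-encrypt g^{t'} to ID
    (k0, k1, comps), t2, s2 = sk, rnd(), rnd()   # t', s'
    return dict(d0=gmul(k0, gpow(pk['f'], t2)), d1=k1, comps=comps,
                d4=gmul(enc_F(gpow(pk['egg_a'], s2)), gpow(pk['g'], t2)),
                d5=gpow(uh(pk, ident), s2), d6=gpow(pk['g'], s2))
def reenc(pk, rk, ct):                           # proxy: B = e(g,g)^{alpha s} e(g^s, f^{t'})
    b = pair_product(ct, rk['d0'], rk['d1'], rk['comps'])
    if b is None: return None
    return gmul(ct['C'], ginv(b)), rk['d4'], rk['d5'], rk['d6'], ct['C4']
def decrypt_reenc(ct2, sk_id):                   # delegatee: recover g^{t'}, unblind with C3' = f^s
    (c, c0, c1, c2, c3), (k0, k1) = ct2, sk_id
    gt = gmul(c0, ginv(enc_F(gmul(pair(k0, c2), ginv(pair(k1, c1))))))
    return gmul(c, pair(gt, c3))

def demo():                                      # every value is True when the algebra holds
    pk, msk = setup(); m = rnd()                 # constructed message in G_T
    policy = [([1, 1], 10), ([0, -1], 20), ([1, 0], 30)]   # (att10 AND att20) OR att30
    ct = encrypt_cp(pk, policy, m)
    sk_ab, sk_a = keygen_cp(pk, msk, [10, 20]), keygen_cp(pk, msk, [10])
    sk_bob = keygen_ibe(pk, msk, 7)              # delegatee with ID = 7
    return dict(ibe=decrypt_ibe(encrypt_ibe(pk, 7, m), sk_bob) == m,
                abe=decrypt_cp(ct, sk_ab) == m, unauthorized=decrypt_cp(ct, sk_a) is None,
                reenc=decrypt_reenc(reenc(pk, rkgen(pk, sk_ab, 7), ct), sk_bob) == m,
                reenc_unauthorized=reenc(pk, rkgen(pk, sk_a, 7), ct) is None)
```

`demo()` returns a dictionary of booleans that are all `True` when the scheme behaves as the correctness argument says: the delegatee decrypts the re-encrypted ciphertext with nothing but its IBE key, while a key or re-encryption key whose attribute set does not satisfy the policy yields nothing because no reconstruction constants exist. The proxy itself never sees $M$: it only divides by $B$, which still carries the blinding factor $e(g^s, f^{t'})$.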
Correctness. We first show the correctness of decryption for normal CP-ABE ciphertexts, which has been stated in [40]. For a ciphertext $CT_{\mathbb{A}}$ and a secret key $SK_S$, if $S$ satisfies $\mathbb{A}$, we have $\sum_{i\in I} \omega_i \lambda_i = s$. Therefore,
$$
\begin{aligned}
M' &= \frac{e(g^s, g^\alpha w^r)}{\prod_{i\in I}\left(e(w^{\lambda_i} v^{t_i}, g^r) \cdot e((u^{\rho(i)} h)^{-t_i}, g^{r_j}) \cdot e(g^{t_i}, (u^{\rho(i)} h)^{r_j} v^{-r})\right)^{\omega_i}} \\
&= \frac{e(g^s, g^\alpha) \cdot e(g^s, w^r)}{e(w, g)^{r \sum_{i\in I} \omega_i \lambda_i}} = e(g,g)^{\alpha s}.
\end{aligned}
$$
It follows that $M = C/M' = M e(g,g)^{\alpha s}/M'$.

We next show the correctness of decryption for the re-encrypted ciphertext. If the set $S$ of the re-encryption key $RK_{S\to ID}$ satisfies the access structure $\mathbb{A}$ of the original ABE ciphertext, then the proxy can compute
$$
\begin{aligned}
B &= \frac{e(g^s, g^\alpha w^r f^{t'})}{\prod_{i\in I}\left(e(w^{\lambda_i} v^{t_i}, g^r) \cdot e((u^{\rho(i)} h)^{-t_i}, g^{r_j}) \cdot e(g^{t_i}, (u^{\rho(i)} h)^{r_j} v^{-r})\right)^{\omega_i}} \\
&= \frac{e(g^s, g^\alpha) \cdot e(g^s, w^r) \cdot e(g^s, f^{t'})}{e(w, g)^{r \sum_{i\in I} \omega_i \lambda_i}} = e(g,g)^{\alpha s} \cdot e(g^s, f^{t'}).
\end{aligned}
$$
Then, the proxy can compute
$$C' = C/B = M e(g,g)^{\alpha s} / \left(e(g,g)^{\alpha s} \cdot e(g^s, f^{t'})\right) = M/e(g^s, f^{t'}).$$
In the decryption algorithm, the delegatee can compute
$$\frac{e(K_{ID,0}, C_2')}{e(K_{ID,1}, C_1')} = \frac{e(g^\alpha (u^{ID} h)^r, g^{s'})}{e(g^r, (u^{ID} h)^{s'})} = e(g,g)^{\alpha s'}$$
and
$$C_0'/F(e(g,g)^{\alpha s'}) = F(e(g,g)^{\alpha s'}) \cdot g^{t'} / F(e(g,g)^{\alpha s'}) = g^{t'}.$$
It follows that $M = C' \cdot e(g^{t'}, C_3') = M/e(g^s, f^{t'}) \cdot e(g^{t'}, f^s)$.

Semantic Security. We prove the selective security of the CP-HAPRE scheme by proving the following theorem.

Theorem 2. The CP-HAPRE scheme is selectively secure in the standard model if the CP-ABE scheme [40] and the IBE scheme are both selectively secure.

Proof. Suppose that an adversary $\mathcal{A}$ has a non-negligible advantage in the security game against the CP-HAPRE scheme. We construct an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to break the security of the CP-ABE scheme [40] or of the IBE scheme.

Init: $\mathcal{A}$ outputs an access structure $\mathbb{A}^*$ and an identity $ID^*$. $\mathcal{B}$ initializes two tables $L_{RK} = (S_i, ID_i, RK_{S_i\to ID_i})$ and $L_{SK} = (ID_i, SK_{ID_i})$, which store the re-encryption keys and the IBE secret keys queried by $\mathcal{A}$, respectively.

Setup: First, $\mathcal{B}$ runs the setup algorithm of the CP-ABE scheme [40] to obtain the public key $PK_{CP} = (g, w, v, u, h, e(g,g)^\alpha)$. Then, it selects a random $\delta \in \mathbb{Z}_p$ and computes $f = g^\delta$. Additionally, $\mathcal{B}$ chooses an encoding function $F: \mathbb{G}_T \to \mathbb{G}$. It gives the public key $PK = (g, u, h, w, v, f, e(g,g)^\alpha, F)$ to $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ makes queries as follows.

• $\mathrm{Reveal}_{IBE}(ID_i)$. For $ID_i \neq ID^*$, if $(ID_i, SK_{ID_i})$ already exists in table $L_{SK}$, $\mathcal{B}$ returns $SK_{ID_i}$ to $\mathcal{A}$; otherwise, $\mathcal{B}$ produces a valid IBE secret key as in the proof of the functional IBE scheme. Then, $\mathcal{B}$ records $(ID_i, SK_{ID_i})$ in table $L_{SK}$ and gives $SK_{ID_i}$ to $\mathcal{A}$.

• $\mathrm{Reveal}_{CP}(S_i)$. For $S_i \notin \mathbb{A}^*$, algorithm $\mathcal{B}$ produces a valid CP-ABE secret key by querying the key generation algorithm of the CP-ABE scheme [40].

• $\mathrm{RKReveal}(S_i \to ID_i)$. For a re-encryption key query on $S_i$ and $ID_i$, if $(S_i, ID_i, RK_{S_i\to ID_i})$ already exists in table $L_{RK}$, $\mathcal{B}$ returns $RK_{S_i\to ID_i}$ to $\mathcal{A}$; otherwise, $\mathcal{B}$ responds as follows. First, it generates a CP-ABE secret key $SK_{S_i}$; then, it uses that secret key to generate the re-encryption key $RK_{S_i\to ID_i}$.
However, if $S_i \in \mathbb{A}^*$, the CP-ABE scheme cannot output the secret key, since the security of CP-ABE forbids such a key query. Therefore, we split $\mathcal{B}$'s responses into two cases:

- $S_i \notin \mathbb{A}^*$: $\mathcal{B}$ first obtains a CP-ABE secret key $SK_{S_i} = (K_0, K_1, \{K_{j,2}, K_{j,3}\}_{j=1}^{|S_i|})$. Then, $\mathcal{B}$ selects random $t', s' \in \mathbb{Z}_p^*$ and computes
$$d_0 = K_0 \cdot f^{t'}, \qquad d_1 = K_1, \qquad \{d_{j,2} = K_{j,2},\ d_{j,3} = K_{j,3}\}_{j=1}^{|S_i|},$$
$$d_4 = F(e(g,g)^{\alpha s'}) \cdot g^{t'}, \qquad d_5 = (u^{ID_i} h)^{s'}, \qquad d_6 = g^{s'}.$$
$\mathcal{B}$ gives $RK_{S_i\to ID_i} = (d_0, d_1, \{d_{j,2}, d_{j,3}\}, d_4, d_5, d_6)$ to $\mathcal{A}$ and records $(S_i, ID_i, RK_{S_i\to ID_i})$ in table $L_{RK}$.
- $S_i \in \mathbb{A}^*$: $\mathcal{B}$ generates a random re-encryption key as follows. It chooses random elements $d_0 \in \mathbb{G}$ and $r, r_1, \ldots, r_{|S_i|}, t', s' \in \mathbb{Z}_p^*$ and computes
$$d_1 = g^r, \qquad \{d_{j,2} = g^{r_j},\ d_{j,3} = (u^{att_j} h)^{r_j} v^{-r}\}_{j=1}^{|S_i|},$$
$$d_4 = F(e(g,g)^{\alpha s'}) \cdot g^{t'}, \qquad d_5 = (u^{ID_i} h)^{s'}, \qquad d_6 = g^{s'}.$$
$\mathcal{B}$ gives $RK_{S_i\to ID_i} = (d_0, d_1, \{d_{j,2}, d_{j,3}\}, d_4, d_5, d_6)$ to $\mathcal{A}$ and records $(S_i, ID_i, RK_{S_i\to ID_i})$ in table $L_{RK}$.

Challenge: $\mathcal{A}$ outputs messages $M_0$ and $M_1$. If there are two records $(S_i \in \mathbb{A}^*, ID_i, RK_{S_i\to ID_i})$ in $L_{RK}$ and $(ID_i, SK_{ID_i})$ in $L_{SK}$, $\mathcal{B}$ aborts. Otherwise, it gives the challenge $(\mathbb{A}^*, M_0, M_1)$ to the encryption algorithm of CP-ABE and receives the resulting ciphertext $CT'_{\mathbb{A}^*} = (C, C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=1}^{l})$, where $C_0 = g^s$. $\mathcal{B}$ computes $C_4 = C_0^\delta = f^s$ and returns $CT_{\mathbb{A}^*} = (CT'_{\mathbb{A}^*}, C_4)$ to $\mathcal{A}$.

Phase 2: Phase 1 is repeated, except for the disallowed queries.

Guess: Finally, $\mathcal{A}$ outputs a guess $b \in \{0, 1\}$.

We first discuss the probability of $\mathcal{A}$ distinguishing a random re-encryption key from a well-formed one. In the case $S_i \in \mathbb{A}^*$, $\mathcal{B}$ chooses a random $d_0 \in \mathbb{G}$. For such a $d_0$, there must exist a random $t'' \in \mathbb{Z}_p$ such that $d_0 = g^\alpha w^r f^{t''}$. Then, we can write the random re-encryption key as
$$RK_{S_i\to ID_i} = \left(g^\alpha w^r f^{t''},\ g^r,\ \{g^{r_j}, (u^{att_j} h)^{r_j} v^{-r}\},\ F(e(g,g)^{\alpha s'}) \cdot g^{t'},\ (u^{ID_i} h)^{s'},\ g^{s'}\right).$$
The well-formed re-encryption key for such $(S_i, ID_i)$ would be
$$RK_{S_i\to ID_i} = \left(g^\alpha w^r f^{t''},\ g^r,\ \{g^{r_j}, (u^{att_j} h)^{r_j} v^{-r}\},\ F(e(g,g)^{\alpha s'}) \cdot g^{t''},\ (u^{ID_i} h)^{s'},\ g^{s'}\right).$$
Thus, to distinguish a random re-encryption key from a well-formed one, $\mathcal{A}$ has to distinguish the part $(F(e(g,g)^{\alpha s'}) \cdot g^{t'}, (u^{ID_i} h)^{s'}, g^{s'})$ from the part $(F(e(g,g)^{\alpha s'}) \cdot g^{t''}, (u^{ID_i} h)^{s'}, g^{s'})$. These two parts are IBE encryptions of $g^{t'}$ and $g^{t''}$, respectively. Hence, the advantage of $\mathcal{A}$ in distinguishing random from well-formed keys is identical to the advantage $\mathrm{Adv}_{\mathcal{A},IBE}$. We note that throughout the game, $\mathcal{B}$ successfully simulates the CP-HAPRE system for the adversary $\mathcal{A}$ except with probability at most $q \cdot \mathrm{Adv}_{\mathcal{A},IBE}$, where $q$ is the total number of re-encryption keys queried by $\mathcal{A}$. Thus, if $\mathcal{A}$ breaks the security of CP-HAPRE with advantage $\mathrm{Adv}^{SS}_{\mathcal{A},\mathrm{CP\text{-}HAPRE}}$, then $\mathcal{B}$ breaks the security of the CP-ABE scheme with advantage
$$\mathrm{Adv}_{\mathcal{A},\mathrm{CP\text{-}ABE}} = \mathrm{Adv}^{SS}_{\mathcal{A},\mathrm{CP\text{-}HAPRE}} \cdot (1 - q \cdot \mathrm{Adv}_{\mathcal{A},IBE}).$$
In sum, the CP-HAPRE scheme is secure if the CP-ABE scheme [40] and the IBE scheme are both secure.
Collusion Resistance. We now show the collusion resistance of the CP-HAPRE scheme. The following theorem states that the CP-HAPRE scheme is collusion resistant if the CDH assumption holds.

Theorem 3. The CP-HAPRE scheme is collusion resistant if the computational Diffie–Hellman (CDH) assumption [6] holds.

Proof. For an adversary $\mathcal{A}$ breaking the collusion resistance of the CP-HAPRE scheme, we build an algorithm $\mathcal{B}$ interacting with $\mathcal{A}$ as follows.

Setup: $\mathcal{B}$ selects random $g, u, h, w, v \in \mathbb{G}$ and random elements $a, \alpha \in \mathbb{Z}_p^*$ to compute $f = g^a$ and $e(g,g)^\alpha$. It also chooses an encoding function $F: \mathbb{G}_T \to \mathbb{G}$. $\mathcal{B}$ gives the public key $PK = (g, u, h, w, v, f, e(g,g)^\alpha, F)$ to $\mathcal{A}$.

Query: For a secret key query on $ID_i$, $\mathcal{B}$ can generate $SK_{ID_i}$ since it holds the master secret key $\alpha$. For a re-encryption key query on $(S^*, ID_i)$, if $S^*$ has never been queried before, $\mathcal{B}$ first generates the private key $SK_{S^*} = (K_0, K_1, \{K_{i,2}, K_{i,3}\})$. Then, it chooses random $t', s' \in \mathbb{Z}_p$ and computes the re-encryption key as $RK_{S^*\to ID_i} = (K_0 \cdot f^{t'}, K_1, \{K_{i,2}, K_{i,3}\}, F(e(g,g)^{\alpha s'}) \cdot g^{t'}, (u^{ID_i} h)^{s'}, g^{s'})$.

Challenge: Finally, $\mathcal{A}$ outputs a key $SK'$ and wins the game if $SK' = SK_{S^*}$.

Note that in the re-encryption key, the part $(F(e(g,g)^{\alpha s'}) \cdot g^{t'}, (u^{ID_i} h)^{s'}, g^{s'})$ is actually an IBE encryption of $g^{t'}$ under the identity $ID_i$. Using the secret key of $ID_i$, the adversary $\mathcal{A}$ can recover $g^{t'}$ from this part by performing one IBE decryption. To recover $SK_{S^*}$ from $RK_{S^*\to ID_i}$, $\mathcal{A}$ needs to further compute $f^{t'}$, which blinds $SK_{S^*}$. Given $g^{t'}$ and $f = g^a$, computing $f^{t'} = g^{a t'}$ is identical to solving the CDH problem. Therefore, as long as the CDH assumption holds, the CP-HAPRE system is collusion resistant.

4.4. The KP-HAPRE construction

The KP-HAPRE scheme can be constructed in a similar way to the CP-HAPRE construction. The main difference between the CP-HAPRE and KP-HAPRE constructions lies in how the blind factor that randomizes the delegator's secret key is protected. In KP-ABE, a secret key is associated with an LSSS that is used to share the master secret key, while in CP-ABE the secret key is only related to distinct attributes. Hence, the manner of hiding the blind factor differs between CP-HAPRE and KP-HAPRE. To ensure that the proxy can properly transform the KP-ABE ciphertext, we let the delegator generate shares of the blind factor according to the same LSSS as his secret key and assign each share to the corresponding attribute. In the re-encryption phase, the blind factor is reconstructed and recovered as an exponent along with the
reconstruction of the master secret key. In this way, the blind factor randomizing the delegator's secret key is well protected. The KP-HAPRE scheme is described as follows.

$\mathrm{Setup}(1^\lambda)$: PKG obtains a tuple $(p, g, \mathbb{G}, \mathbb{G}_T, e)$ by running the bilinear group generator $\mathcal{G}(1^\lambda)$. It selects random elements $\alpha \in \mathbb{Z}_p$ and $u, h, w, f \in \mathbb{G}$. In addition, it chooses an encoding function $F: \mathbb{G}_T \to \mathbb{G}$. Output the system public key and master secret key as
$$PK = (g, u, h, w, f, e(g,g)^\alpha, F), \qquad MSK = \alpha.$$
The public key of IBE is $PK_{IBE} = (g, u, h, e(g,g)^\alpha, F)$, and the public key of KP-ABE is $PK_{KP} = PK$.

$\mathrm{KeyGen}_{IBE}(PK_{IBE}, MSK, ID)$: The same as the key generation algorithm of the IBE scheme.

$\mathrm{KeyGen}_{KP}(PK_{KP}, MSK, \mathbb{A})$: For the access structure $\mathbb{A}$, PKG generates an LSSS $(A, \rho)$, where $A$ is an $l \times n$ matrix and $\rho: [l] \to \mathbb{Z}_p$. It chooses a vector $\vec{v} = (\alpha, y_2, \ldots, y_n)$ with randomly chosen $y_2, \ldots, y_n \in \mathbb{Z}_p$. For each $i$ from 1 to $l$, it computes the $i$th share for row $A_i$ of $A$ as $\lambda_i = A_i \cdot \vec{v}$. Then, PKG chooses $l$ random elements $r_1, r_2, \ldots, r_l \in \mathbb{Z}_p$ and, for all $i = 1, \ldots, l$, computes
$$K_{i,0} = g^{\lambda_i} w^{r_i}, \qquad K_{i,1} = (u^{\rho(i)} h)^{-r_i}, \qquad K_{i,2} = g^{r_i}.$$
Output $SK_{\mathbb{A}} = \{K_{i,0}, K_{i,1}, K_{i,2}\}_{i=1}^{l}$.

$\mathrm{Encrypt}_{KP}(PK_{KP}, M, S = \{att_1, \ldots, att_{|S|}\} \subseteq \mathbb{Z}_p)$: For the attribute set $S$, the encryption algorithm chooses $|S| + 1$ random elements $s, t_1, t_2, \ldots, t_{|S|} \in \mathbb{Z}_p$, where $|S|$ is the cardinality of the set $S$. Compute
$$C = M e(g,g)^{\alpha s}, \qquad C_0 = g^s, \qquad C_{i,1} = g^{t_i}, \qquad C_{i,2} = (u^{att_i} h)^{t_i} w^{-s},$$
where $i = 1, 2, \ldots, |S|$. Additionally, it computes $C_3 = f^s$. Output
$$CT_S = \left(C, C_0, \{C_{i,1}, C_{i,2}\}_{i=1}^{|S|}, C_3\right).$$
As in the encryption algorithm of CP-HAPRE, the component $C_3$ is unnecessary for ABE decryption but is needed for re-encryption. Users who do not allow re-encryption are not required to compute $C_3$ in the encryption algorithm. Conversely, users who expect that some of their data may be queried by other users in the future can encrypt the data by additionally computing $C_3$. In KP-HAPRE, we focus on ciphertexts that include $C_3$, since only this type of ciphertext supports re-encryption.

$\mathrm{RKGen}(PK, SK_{\mathbb{A}}, ID)$: Parse $SK_{\mathbb{A}} = \{K_{i,0}, K_{i,1}, K_{i,2}\}_{i=1}^{l}$. Suppose that the LSSS for the secret key is $(A, \rho)$. The delegator chooses random elements $t', s' \in \mathbb{Z}_p$ and forms a vector $\vec{v}' = (t', y_2', \ldots, y_n')$ using randomly chosen $y_2', \ldots, y_n' \in \mathbb{Z}_p$. According to the $l \times n$ matrix $A$, compute $\mu_i = A_i \cdot \vec{v}'$ for all $i = 1, 2, \ldots, l$. Then, the delegator computes
$$d_{i,0} = K_{i,0} \cdot f^{\mu_i}, \qquad d_{i,1} = K_{i,1}, \qquad d_{i,2} = K_{i,2},$$
and
$$d_3 = F(e(g,g)^{\alpha s'}) \cdot g^{t'}, \qquad d_4 = (u^{ID} h)^{s'}, \qquad d_5 = g^{s'}.$$
Output the re-encryption key as $RK_{\mathbb{A}\to ID} = \left(\{d_{i,0}, d_{i,1}, d_{i,2}\}_{i=1}^{l}, d_3, d_4, d_5\right)$.
$\mathrm{ReEnc}(PK, RK_{\mathbb{A}\to ID}, CT_S)$: Parse the re-encryption key $RK_{\mathbb{A}\to ID} = (\{d_{i,0}, d_{i,1}, d_{i,2}\}_{i=1}^{l}, d_3, d_4, d_5)$ and the original ciphertext $CT_S = (C, C_0, \{C_{i,1}, C_{i,2}\}_{i=1}^{|S|}, C_3)$. If $S$ satisfies $\mathbb{A}$, then for the rows $\{A_i\}_{i\in I}$ of the matrix $A$, where $I = \{i : \rho(i) \in S\}$, the proxy computes the constants $\{\omega_i \in \mathbb{Z}_p\}_{i\in I}$ such that $\sum_{i\in I} \omega_i A_i = (1, 0, \ldots, 0)$. Compute
$$B = \prod_{i\in I}\left(e(C_0, d_{i,0}) \cdot e(C_{j,1}, d_{i,1}) \cdot e(C_{j,2}, d_{i,2})\right)^{\omega_i},$$
where $j$ is the index of the attribute $\rho(i)$ in $S$. Then, set
$$C' = C/B, \qquad C_0' = d_3, \qquad C_1' = d_4, \qquad C_2' = d_5, \qquad C_3' = C_3.$$
The proxy finally outputs the re-encrypted ciphertext $CT'_{ID} = (C', C_0', C_1', C_2', C_3')$.

$\mathrm{Decrypt}(PK, CT, SK)$: The decryption algorithm works in two cases:

(1) If $(CT, SK) = (CT_S, SK_{\mathbb{A}})$ is a pair of a KP-ABE ciphertext and a KP-ABE secret key, the algorithm proceeds as follows. Parse $CT_S = (C, C_0, \{C_{i,1}, C_{i,2}\}_{i=1}^{|S|}, C_3)$ and $SK_{\mathbb{A}} = (\{K_{i,0}, K_{i,1}, K_{i,2}\}_{i=1}^{l})$. If $S$ satisfies $\mathbb{A}$, define $I = \{i : \rho(i) \in S\}$; then, for the rows $\{A_i\}_{i\in I}$, compute the constants $\{\omega_i \in \mathbb{Z}_p\}_{i\in I}$ such that $\sum_{i\in I} \omega_i A_i = (1, 0, \ldots, 0)$. Calculate
$$M' = \prod_{i\in I}\left(e(C_0, K_{i,0}) \cdot e(C_{j,1}, K_{i,1}) \cdot e(C_{j,2}, K_{i,2})\right)^{\omega_i},$$
where $j$ is the index of the attribute $\rho(i)$ in $S$. Then, output $M = C/M'$.

(2) For a pair of a secret key $SK_{ID} = (K_{ID,0}, K_{ID,1}) = (g^\alpha (u^{ID} h)^r, g^r)$ and a re-encrypted ciphertext $CT'_{ID} = (C', C_0', C_1', C_2', C_3')$, the delegatee computes
$$\frac{e(K_{ID,0}, C_2')}{e(K_{ID,1}, C_1')} = e(g,g)^{\alpha s'}$$
and $g^{t'} = C_0'/F(e(g,g)^{\alpha s'})$. Finally, the delegatee recovers $M = C' \cdot e(g^{t'}, C_3')$.
Correctness. We first show the correctness of decryption for KP-ABE ciphertexts, which has been stated in [40]. For a ciphertext $CT_S$ and a secret key $SK_{\mathbb{A}}$, if $S$ satisfies $\mathbb{A}$, we have $\sum_{i\in I} \omega_i \lambda_i = \alpha$ and
$$
\begin{aligned}
M' &= \prod_{i\in I}\left(e(g^s, g^{\lambda_i} w^{r_i}) \cdot e(g^{t_j}, (u^{\rho(i)} h)^{-r_i}) \cdot e((u^{\rho(i)} h)^{t_j} w^{-s}, g^{r_i})\right)^{\omega_i} \\
&= e(g,g)^{s \sum_{i\in I} \omega_i \lambda_i} = e(g,g)^{\alpha s}.
\end{aligned}
$$
It follows that $M = C/M' = M e(g,g)^{\alpha s}/M'$.

We next show the correctness of decryption for the re-encrypted ciphertext. For a ciphertext $CT_S$ and a re-encryption key $RK_{\mathbb{A}\to ID}$, if $S$ satisfies $\mathbb{A}$, the proxy computes $\{\omega_i \in \mathbb{Z}_p\}_{i\in I}$ such that $\sum_{i\in I} \omega_i \lambda_i = \alpha$ and $\sum_{i\in I} \omega_i \mu_i = t'$. It then computes
$$
\begin{aligned}
B &= \prod_{i\in I}\left(e(g^s, g^{\lambda_i} w^{r_i} f^{\mu_i}) \cdot e(g^{t_j}, (u^{\rho(i)} h)^{-r_i}) \cdot e((u^{\rho(i)} h)^{t_j} w^{-s}, g^{r_i})\right)^{\omega_i} \\
&= e(g,g)^{s \sum_{i\in I} \omega_i \lambda_i} \cdot e(g,f)^{s \sum_{i\in I} \omega_i \mu_i} = e(g,g)^{\alpha s} \cdot e(g,f)^{t' s}.
\end{aligned}
$$
Then, the proxy has
$$C' = C/B = M e(g,g)^{\alpha s} / \left(e(g,g)^{\alpha s} \cdot e(g^s, f^{t'})\right) = M/e(g^s, f^{t'}).$$
In the decryption algorithm, the delegatee computes
$$\frac{e(K_{ID,0}, C_2')}{e(K_{ID,1}, C_1')} = \frac{e(g^\alpha (u^{ID} h)^r, g^{s'})}{e(g^r, (u^{ID} h)^{s'})} = e(g,g)^{\alpha s'}$$
and
$$C_0'/F(e(g,g)^{\alpha s'}) = F(e(g,g)^{\alpha s'}) \cdot g^{t'} / F(e(g,g)^{\alpha s'}) = g^{t'}.$$
It follows that $M = C' \cdot e(g^{t'}, C_3') = M/e(g^s, f^{t'}) \cdot e(g^{t'}, f^s)$.

Semantic Security. We prove the selective security of the KP-HAPRE scheme by proving the following theorem. The proof is similar to that of Theorem 2, the difference being the simulation of the re-encryption keys. Since a re-encryption key of KP-HAPRE is associated with an access policy rather than a set of attributes, we have to simulate a properly distributed re-encryption key according to the access policy without knowing the master secret key.

Theorem 4. The KP-HAPRE scheme is selectively secure in the standard model if the KP-ABE scheme [40] and the IBE scheme are both selectively secure.

Proof. Since the simulator $\mathcal{B}$ can directly query the key generation and encryption algorithms of the KP-ABE and IBE schemes, the same proof techniques apply here. Suppose that an adversary $\mathcal{A}$ breaks the KP-HAPRE scheme. We build an algorithm $\mathcal{B}$ that breaks the security of the KP-ABE scheme [40] or of the IBE scheme.

Init: $\mathcal{A}$ outputs a set $S^*$ of attributes and an identity $ID^*$. $\mathcal{B}$ initializes two tables $L_{RK} = (\mathbb{A}_i, ID_i, RK_{\mathbb{A}_i\to ID_i})$ and $L_{SK} = (ID_i, SK_{ID_i})$, which store the re-encryption keys and the IBE secret keys, respectively.

Setup: $\mathcal{B}$ calls the setup algorithm of the KP-ABE scheme [40] to obtain $PK_{KP} = (g, u, h, w, e(g,g)^\alpha)$. Next, $\mathcal{B}$ chooses a random $\delta \in \mathbb{Z}_p$ and computes $f = g^\delta$; in addition, $\mathcal{B}$ chooses an encoding function $F: \mathbb{G}_T \to \mathbb{G}$. Then, $\mathcal{B}$ defines the public key $PK = (g, u, h, w, f, e(g,g)^\alpha, F)$ and gives $PK$ to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ makes key queries as follows.

• $\mathrm{Reveal}_{IBE}(ID_i)$. $\mathcal{B}$ responds as in the proof of Theorem 2.

• $\mathrm{Reveal}_{KP}(\mathbb{A}_i)$. For $\mathbb{A}_i$ that does not contain $S^*$, algorithm $\mathcal{B}$ produces a valid secret key by querying the key generation algorithm of KP-ABE [40].

• $\mathrm{RKReveal}(\mathbb{A}_i \to ID_i)$.
For a re-encryption key query on an access structure $A_i$ and an identity $ID_i$, if $(A_i, ID_i, RK_{A_i \to ID_i})$ already exists in table $L_{RK}$, B returns $RK_{A_i \to ID_i}$ to A; otherwise, B responds as follows. First, it generates a KP-ABE secret key $SK_{A_i}$; then it uses $SK_{A_i}$ to generate the re-encryption key $RK_{A_i \to ID_i}$. However, if $S^* \in A_i$, the KP-ABE scheme cannot output the secret key, since its security game forbids such a key query. Therefore, we split B's response into two cases:

- $S^* \notin A_i$: B first obtains a secret key $SK_{A_i} = (\{K_{j,0}, K_{j,1}, K_{j,2}\}_{j=1}^{l})$, where $l$ is the number of attributes in $A_i$. Suppose that $(A, \rho)$ is the LSSS associated with $SK_{A_i}$. Then B selects random $t, s', y_2, \ldots, y_n \in \mathbb{Z}_p^*$ and computes $\mu_j = A_j \cdot v$, where $v = (t, y_2, \ldots, y_n)$ and $A_j$ is the $j$th row (with $n$ entries) of $A$. Finally, B computes

$d_{j,0} = K_{j,0} \cdot f^{\mu_j}, \qquad d_{j,1} = K_{j,1}, \qquad d_{j,2} = K_{j,2},$

$d_3 = F\big(e(g,g)^{\alpha s'}\big) \cdot g^{t}, \qquad d_4 = (u^{ID_i} h)^{s'}, \qquad d_5 = g^{s'}.$

B gives $RK_{A_i \to ID_i} = (\{d_{j,0}, d_{j,1}, d_{j,2}\}, d_3, d_4, d_5)$ to A and records the related information in table $L_{RK}$.

- $S^* \in A_i$: B generates a random re-encryption key as follows. It chooses random elements $R \in G$ and $r_1, \ldots, r_l, t', s' \in \mathbb{Z}_p^*$, where $l$ is the number of attributes in $A_i$. B generates an LSSS $(A, \rho)$ for $A_i$, where $A$ is an $l \times n$ matrix whose $j$th row is $A_j = (a_{j,1}, a_{j,2}, \ldots, a_{j,n})$. It also selects random elements $y_2, \ldots, y_n, y'_2, \ldots, y'_n \in \mathbb{Z}_p$. Then B computes

$d_{j,0} = R^{a_{j,1}} \cdot g^{a_{j,2} y_2 + \cdots + a_{j,n} y_n} \cdot f^{a_{j,2} y'_2 + \cdots + a_{j,n} y'_n} \cdot w^{r_j}, \qquad d_{j,1} = (u^{\rho(j)} h)^{-r_j}, \qquad d_{j,2} = g^{r_j},$

$d_3 = F\big(e(g,g)^{\alpha s'}\big) \cdot g^{t'}, \qquad d_4 = (u^{ID_i} h)^{s'}, \qquad d_5 = g^{s'}.$

B gives $RK_{A_i \to ID_i} = (\{d_{j,0}, d_{j,1}, d_{j,2}\}, d_3, d_4, d_5)$ to A and records the related information in table $L_{RK}$.

Challenge: A outputs messages $M_0$ and $M_1$. If table $L_{RK}$ contains a record $(A_i, ID_i, RK_{A_i \to ID_i})$ with $S^* \in A_i$ and table $L_{SK}$ contains the record $(ID_i, SK_{ID_i})$ for the same $ID_i$, B aborts. Otherwise, B gives $(S^*, M_0, M_1)$ to the encryption algorithm of the KP-ABE scheme, which outputs $CT_{S^*} = (C, C_0, \{C_{i,1}, C_{i,2}\}_{i=1}^{|S^*|})$, where $C_0 = g^{s}$. B computes $C_3 = C_0^{\delta} = f^{s}$ and returns $CT'_{S^*} = (CT_{S^*}, C_3)$ to A.

Phase 2: Phase 1 is repeated, except for the disallowed key queries.

Guess: Finally, A outputs a guess $b' \in \{0, 1\}$.

We first discuss the probability that A distinguishes a random re-encryption key from a well-formed one. In the case $S^* \in A_i$, B chooses a random element $R \in G$. For such an $R$, there must exist a $t \in \mathbb{Z}_p$ such that $R = g^{\alpha} f^{t}$. Then we can write the component $d_{j,0}$ of the random re-encryption key as

$d_{j,0} = (g^{\alpha} f^{t})^{a_{j,1}} \cdot g^{a_{j,2} y_2 + \cdots + a_{j,n} y_n} \cdot f^{a_{j,2} y'_2 + \cdots + a_{j,n} y'_n} \cdot w^{r_j} = g^{A_j \cdot v} \cdot f^{A_j \cdot v'} \cdot w^{r_j} = g^{\lambda_j} w^{r_j} f^{\mu_j},$

where $v = (\alpha, y_2, \ldots, y_n)$ and $v' = (t, y'_2, \ldots, y'_n)$. We note that $\lambda_j$ and $\mu_j$ are the $j$th shares of $\alpha$ and $t$, respectively. Thus, in the random re-encryption key, the part $(\{d_{j,0}, d_{j,1}, d_{j,2}\})$ is a valid ABE secret key blinded by $t$, while the part $(d_3, d_4, d_5)$ is an IBE encryption of $g^{t'}$. In contrast, in a well-formed re-encryption key with the same $(\{d_{j,0}, d_{j,1}, d_{j,2}\})$, the part $(d_3, d_4, d_5)$ would be an IBE encryption of $g^{t}$. Therefore, to tell a random re-encryption key from a well-formed one, the adversary A has to distinguish IBE ciphertexts of $g^{t'}$ and $g^{t}$ under $ID_i$, which is identical to breaking the security of the IBE scheme. Hence B simulates the KP-HAPRE scheme for A correctly except with probability at most $q \cdot \mathrm{Adv}_{A,IBE}$, where $q$ is the total number of re-encryption keys queried by A. Thus, if A distinguishes the message encrypted in the challenge ciphertext with advantage $\mathrm{Adv}^{SS}_{A,KP\text{-}HAPRE}$, then B breaks the security of the KP-ABE scheme with advantage

$\mathrm{Adv}_{A,KP\text{-}ABE} = \mathrm{Adv}^{SS}_{A,KP\text{-}HAPRE} \cdot \big(1 - q \cdot \mathrm{Adv}_{A,IBE}\big).$

In sum, the KP-HAPRE scheme is secure if the KP-ABE scheme [40] and the IBE scheme are both secure.
Collusion Resistance. We now prove the collusion resistance of the KP-HAPRE scheme by proving the following theorem.

Theorem 5. The KP-HAPRE scheme is collusion resistant.

Proof. We apply the same proof technique as in the proof of Theorem 3 and therefore only give a proof sketch. Suppose that an adversary A has access to the system public key, the re-encryption key $RK_{A^* \to ID_i}$ and the secret key $SK_{ID_i}$ of the delegatee $ID_i$. It is easy for A to recover $g^{t}$ from $RK_{A^* \to ID_i}$, since $RK_{A^* \to ID_i}$ contains the IBE encryption of $g^{t}$ under $ID_i$. The re-encryption key $RK_{A^* \to ID_i}$ also contains the blinded secret key of the delegator, $(\{K_{i,0} f^{\mu_i}, K_{i,1}, K_{i,2}\})$. Thus, to obtain the delegator's secret key $SK_{A^*} = (\{K_{i,0}, K_{i,1}, K_{i,2}\})$, A has to compute $f^{\mu_i}$ from $RK_{A^* \to ID_i}$. Write $f^{\mu_i} = f^{A_i \cdot (t, y_2, \ldots, y_n)} = f^{a_{i,1} t} \cdot f^{a_{i,2} y_2} \cdots f^{a_{i,n} y_n}$, where $y_2, \ldots, y_n$ are randomly selected in $\mathbb{Z}_p$ and $A_i = (a_{i,1}, a_{i,2}, \ldots, a_{i,n})$ is the $i$th row of the sharing matrix. Since $A_i$ is known to A, computing $f^{\mu_i}$ reduces to computing all of $f^{t}, f^{y_2}, \ldots, f^{y_n}$. Given $g^{t}$ and $f$, computing $f^{t}$ is identical to solving the CDH problem. Moreover, $f^{y_2}, \ldots, f^{y_n}$ are hard to compute since $y_2, \ldots, y_n$ are information-theoretically hidden from A's view. Therefore, A can recover $SK_{A^*}$ only with negligible advantage, which implies that the KP-HAPRE scheme is collusion resistant.

5. Performance evaluation

5.1. Theoretical analysis

Table 1 shows the computational overhead of each algorithm of the HAPRE schemes. We mainly consider the most expensive group operations, i.e., exponentiation and pairing. The times consumed by these operations are denoted by te and tp, respectively. We do not distinguish between exponentiation operations in G and in GT. We let x denote the number of attributes involved in the respective algorithm.

As shown in Table 1, the computation of ABE decryption is mostly outsourced to the proxy that performs the re-encryption algorithm, and only a constant number of operations (i.e., 3 pairing operations) is left for a user to decrypt a re-encrypted ciphertext (Re-CT). The computational complexity of the encryption algorithm is linear in the number of attributes, which is as efficient as most ABE schemes. In the CP-HAPRE scheme, the delegator takes a constant number of exponentiations to compute a re-encryption key, while in the KP-HAPRE scheme the computational complexity of re-encryption key generation is linear in the number of attributes. This is because the delegator in KP-HAPRE needs to generate shares of the blind factor according to his access policy to protect his secret key from being recovered by the proxy or the delegatee.
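The blind-factor sharing that the proofs above rely on ($\mu_j = A_j \cdot v$ with $v = (t, y_2, \ldots, y_n)$) and that makes KP-HAPRE re-encryption key generation linear in the number of policy rows can be exercised on its own. The following Python example is added here and is not the paper's code or the PBC implementation it describes. It converts a monotone Boolean formula into an LSSS matrix with the standard vector-labelling construction (an assumption of this example; the paper only requires some LSSS for the policy), shares a value t over Z_p as the delegator shares the blind factor, and recovers t from an authorized attribute set, while an unauthorized set admits no reconstruction vector. The prime P, the policies and the function names (policy_to_lsss, share, recon_coeffs, reconstruct, demo) are constructed for this example; in the scheme the shares live in the exponent of f, one exponentiation per row.

```python
"""LSSS sharing of a blind factor t over Z_p, mirroring mu_j = A_j . v in
KP-HAPRE re-encryption keys. Added example, not the paper's implementation."""
import random

P = 1019  # constructed toy prime; the scheme uses the bilinear group order


def policy_to_lsss(policy):
    """Monotone formula -> (A, rho): A is an l x n matrix over Z_p, rho maps
    row j to its attribute. policy is an attribute string or a tuple
    ('AND' | 'OR', left, right). Vector labelling: the root gets (1); an AND
    node labelled v hands v|1 to one child and (0..0)|-1 to the other; an OR
    node passes v to both children."""
    rows, rho, counter = [], [], [1]

    def walk(node, vec):
        if isinstance(node, str):
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == 'OR':
            walk(left, vec)
            walk(right, vec)
        elif op == 'AND':
            c = counter[0]
            counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError('unknown gate %r' % op)

    walk(policy, [1])
    n = counter[0]
    A = [[x % P for x in row + [0] * (n - len(row))] for row in rows]
    return A, rho


def share(A, secret, seed=0):
    """Shares mu_j = A_j . v with v = (secret, y_2, ..., y_n), y_i random.
    One share per row: this is the per-attribute work of KP-HAPRE RK
    generation (each share costs one exponentiation f^mu_j in the scheme)."""
    rng = random.Random(seed)
    n = len(A[0])
    v = [secret % P] + [rng.randrange(P) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % P for row in A]


def recon_coeffs(A, rho, attrs):
    """Return {row j: omega_j} with sum_j omega_j A_j = (1, 0, ..., 0) when the
    rows labelled by attrs span that vector (attrs satisfies the policy);
    return None otherwise. Gauss-Jordan elimination mod P."""
    idx = [j for j, att in enumerate(rho) if att in attrs]
    if not idx:
        return None
    n, k = len(A[0]), len(idx)
    # Augmented system M | e_1 with M[i][c] = A[idx[c]][i]: n equations, k unknowns.
    M = [[A[idx[c]][i] for c in range(k)] + [1 if i == 0 else 0] for i in range(n)]
    pivots, r = [], 0
    for c in range(k):
        if r == n:
            break
        piv = next((i for i in range(r, n) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][k] for i in range(r, n)):
        return None  # inconsistent: e_1 is not in the span of the chosen rows
    omega = {idx[c]: 0 for c in range(k)}  # free variables set to 0
    for i, c in enumerate(pivots):
        omega[idx[c]] = M[i][k]
    return omega


def reconstruct(A, rho, shares, attrs):
    """Recover the secret from the shares of an authorized set, else None."""
    omega = recon_coeffs(A, rho, attrs)
    if omega is None:
        return None
    return sum(w * shares[j] for j, w in omega.items()) % P


def demo(seed=7):
    """Delegator policy A1 AND (A2 OR A3); t plays the blind factor."""
    A, rho = policy_to_lsss(('AND', 'A1', ('OR', 'A2', 'A3')))
    t = random.Random(seed).randrange(1, P)
    shares = share(A, t, seed)
    ok = reconstruct(A, rho, shares, {'A1', 'A3'}) == t
    bad = reconstruct(A, rho, shares, {'A2', 'A3'}) is None
    return ok, bad, len(shares)


if __name__ == '__main__':
    print(demo())  # (True, True, 3)
```

The number of shares equals the number of rows of A, which is why the RK generation cost in Table 1 is (5 + x) te for KP-HAPRE: every row needs its own f^{mu_j}. The unauthorized case returning None is the linear-algebra form of the collusion argument: without a vector omega the shares carry no information about t beyond what the y_i randomness hides.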
Table 1 Computation.

Algorithm               Computational overhead, CP-HAPRE   Computational overhead, KP-HAPRE
Setup                   1tp                                1tp
Key Generation (IBE)    4te                                4te
Key Generation (ABE)    (4 + 3x)te                         5xte
Encryption              (3 + 5x)te                         (4 + 3x)te
Re-Key Generation       6te                                (5 + x)te
Re-Encryption           (1 + 3x)tp + xte                   3xtp + xte
Decryption (ABE CT)     (1 + 3x)tp + xte                   3xtp + xte
Decryption (Re-CT)      3tp                                3tp
Table 2 Comparison: Overheads at Delegator Side.

Scheme        PK storage                  SK storage       CT bandwidth                RK generation computation
LHC10 [34]    O(u^2)|G_p|                 O(u)|G_p|        O(u)|G_p|                   O(u)te
LFW-15 [31]   O(1)|G_p|                   O(a)|G_p|        O(s)|G_p|                   O(a)te + O(s')te
LAL-15 [30]   O(u)|G_p1| + O(1)|G_N|      O(a)|G_p1p3|     O(s)|G_p1| + O(1)|G_N|      O(a)ce + O(s')ce
GSF-18 [12]   O(u)|G_p1| + O(1)|G_N|      O(a)|G_p1p3|     O(s)|G_p1| + O(1)|G_N|      O(a)ce + O(s')ce
MD09 [37]     O(u)|G_p|                   O(u)|G_p|        O(u)|G_p|                   O(u)te
Our HAPRE     O(1)|G_p|                   O(a)|G_p|        O(s)|G_p|                   CP: O(1)te; KP: O(a)te
Table 3 Comparison: Overheads at Delegatee Side.

Scheme        PK storage                  SK storage       CT' bandwidth               CT' decryption computation
LHC10 [34]    O(u^2)|G_p|                 O(u)|G_p|        O(u)|G_p|                   O(u)tp
LFW-15 [31]   O(1)|G_p|                   O(a)|G_p|        O(s')|G_p|                  O(d)te + O(d)tp
LAL-15 [30]   O(u)|G_p1| + O(1)|G_N|      O(a)|G_p1p3|     O(s')|G_p1| + O(1)|G_N|     O(d)ce + O(d)cp
GSF-18 [12]   O(u)|G_p1| + O(1)|G_N|      O(a)|G_p1p3|     O(s')|G_p1| + O(1)|G_N|     O(d)ce + O(d)cp
MD09 [37]     O(1)|G_p|                   O(1)|G_p|        O(1)|G_p|                   O(1)tp
Our HAPRE     O(1)|G_p|                   O(1)|G_p|        O(1)|G_p|                   O(1)tp
Tables 2 and 3 compare our HAPRE schemes with other PRE schemes in attribute-based settings in terms of public key (PK) and secret key (SK) storage costs, ABE ciphertext (CT) and re-encrypted ciphertext (CT') bandwidth overheads, and re-encryption key (RK) generation and CT' decryption overheads at the delegator and delegatee sides, respectively. Let u be the total number of attributes in the system, a the number of attributes associated with a user, s the number of attributes associated with an original ciphertext, s' the number of attributes involved in a re-encrypted ciphertext, and d the number of matching attributes in decryption. Let |G_p| be the size of the bilinear group of prime order p, and |G_N| the size of the bilinear group of composite order N = p1 p2 p3, where p1, p2, p3 are three distinct primes; G_p1 and G_p1p3 denote the subgroups of order p1 and p1 p3, respectively. Let (te, tp) (resp. (ce, cp)) be the time consumed by an exponentiation and by a bilinear pairing in G_p (resp. in G_N).

As shown, only our HAPRE schemes achieve a constant public key storage cost for both the delegator and the delegatee together with constant secret key storage, constant re-encrypted ciphertext bandwidth and constant decryption overhead for the delegatee. Moreover, the number of exponentiation operations in RK generation is constant in the CP-HAPRE scheme. In contrast, in the other schemes the computational cost of RK generation increases linearly with the total number u of attributes or with the sum of the number of attributes associated with the delegator and the number of attributes in the new access policy, which confirms that the existing attribute-based PRE schemes cannot trivially yield an efficient HAPRE scheme. Table 4 compares our HAPRE schemes with others in terms of functionality and security.
Our HAPRE schemes support a large-universe ABE system, which means that any string can be used as an attribute and attributes need not be enumerated at system setup. Moreover, our schemes support any monotonic access policy and provide multi-use re-encryption functionality, which enables the delegatee to further authorize others to decrypt the re-encrypted ciphertext. The noninteraction functionality means that the delegator does not need to interact with the proxy or the delegatee when generating a re-encryption key. The schemes in [12,30,31] achieve CCA security by using a random oracle (RO) or composite-order bilinear groups. As prime-order groups provide more efficient group operations and shorter group elements, we are more interested in constructions in prime-order groups. Thus, we leave a prime-order HAPRE construction with stronger CCA security in the standard model as an interesting open problem.

Table 4 Comparison: Functionality and Security.

Scheme        Access policy    Security / no RO
LHC10 [34]    AND-gate         CPA / ✓
LFW-15 [31]   Any monotonic    CCA / ×
LAL-15 [30]   Any monotonic    CCA / ✓
GSF-18 [12]   Any monotonic    CCA / ✓
MD09 [37]     AND-gate         CPA / ✓
Our HAPRE     Any monotonic    CPA / ✓

Of the Large-universe, Noninteraction and Multiuse columns of Table 4 only the × entries survive in the extracted text (four, one and four of the six schemes, respectively); Our HAPRE provides all three properties, as stated above.

5.2. Experimental analysis

We conducted a series of experiments to evaluate the performance of the HAPRE schemes in practice. The schemes were implemented on a Windows 10 PC platform with a 2.2 GHz Intel Core i5-5200U CPU and 4 GB RAM. The bilinear cryptographic operations were performed using the Stanford PBC library (http://crypto.stanford.edu/pbc/) in the C programming language. The order p of the groups G and GT is a prime of length 160 bits. In the HAPRE schemes, both the ABE ciphertext/secret-key size and the decryption time depend on the complexity of the access policy. Hence, we conducted experiments with an access policy of the form (A1 AND A2 AND ... AND Ai) for the ABE encryption, key generation and decryption algorithms, where i increases from 1 to 30. We also tested the performance of our IBE scheme. Table 5 shows the running time of each algorithm of the IBE scheme.

Table 5 Running time of the IBE scheme.

IBE algorithm    Setup       Key generation   Encryption   Decryption
Running time     116.53 ms   47.64 ms         46.9 ms      43.78 ms

Fig. 2 shows the time consumed by the key generation and encryption algorithms of CP-ABE and KP-ABE. The time consumed by these two algorithms increases linearly with the number of attributes involved in a secret key or a ciphertext. Fig. 2(a) shows that the time consumed by the key generation algorithm of KP-ABE grows faster than that of CP-ABE. This is because the linear secret sharing scheme (LSSS) is involved in key generation, and more exponentiation operations are required to realize an LSSS.

Fig. 2. Execution Time of ABE Key Generation and ABE Encryption in HAPRE Schemes.
Similarly, the LSSS is realized in the encryption algorithm of CP-ABE, where more exponentiation operations are executed. Hence, the time cost of this algorithm is slightly greater than that of KP-ABE, as shown in Fig. 2(b).

Fig. 3 shows the time consumed by the re-encryption key (RK) generation and re-encryption algorithms of both CP-HAPRE and KP-HAPRE. Fig. 3(a) shows an interesting result: the time consumed by the RK generation algorithm of CP-HAPRE is fixed, while in KP-HAPRE it increases linearly with the number of attributes. The reason is that the secret key of the delegator in KP-HAPRE involves multiple attributes, and exponentiations must be run for each attribute. In contrast, the time costs of the re-encryption algorithms of CP-HAPRE and KP-HAPRE are very close to each other (Fig. 3(b)), as both execute a "partial" decryption of the ABE ciphertext during re-encryption. Given these properties, the CP-HAPRE scheme is recommended for those who desire an efficient delegation of access rights, and the KP-HAPRE scheme is suggested for applications (e.g., TV program subscription) where access policies are required to be designated for users.

Fig. 3. Execution Time of RK Generation and Re-Encryption in HAPRE Schemes.

Fig. 4 shows the execution time of decryption for (CP/KP-)ABE ciphertexts and for re-encrypted ciphertexts. As shown, the time consumed by decrypting ABE ciphertexts increases linearly with the number of attributes, since in the decryption of CP-ABE or KP-ABE the number of pairing and exponentiation operations is linear in the number of attributes. The HAPRE schemes greatly reduce the time needed to decrypt ABE ciphertexts by introducing the re-encryption mechanism. Moreover, the time consumed in decrypting a re-encrypted ciphertext is independent of the number of attributes and thus much less than that of decrypting an ABE ciphertext. This means that for users with limited resources (e.g., mobile users), the expensive operations of ABE decryption can be mostly outsourced to a third party (i.e., the proxy), and the users themselves incur very little cost to recover the underlying messages.

Fig. 4. Execution time of decryption for ABE ciphertexts and re-encrypted ciphertexts.

6. Conclusion

We proposed a new primitive referred to as hybrid attribute-based proxy re-encryption (HAPRE), which bridges attribute-based encryption (ABE) and identity-based encryption (IBE). The HAPRE system connects independent ABE and IBE schemes by providing a re-encryption mechanism that can transform ciphertexts of ABE into ciphertexts of IBE. The re-encryption of HAPRE requires neither interaction between delegators and delegatees nor extra work by the PKG. In addition, the re-encryption discloses neither the delegators' secret keys nor the underlying messages. These features make HAPRE well suited to applications where ABE has already been enforced to secure data while a secret key of IBE is subsequently required to recover the data encrypted by ABE.

We presented concrete CP-HAPRE and KP-HAPRE schemes and proved their semantic security and collusion resistance. Theoretical and experimental analyses demonstrate the efficiency of our HAPRE schemes.

Declaration of Competing Interest

We declare that we do not have any commercial or associative interest that represents a conflict of interest in connection with the work submitted.
Acknowledgments

The authors thank the anonymous reviewers for their insightful comments and helpful suggestions. This paper is supported by the National Natural Science Foundation of China under projects 61902123, 61972058, 61872130, 61772191, 61702028, 61772538, 61672083, 61532021, 61300217 and 91646203; by the Science and Technology Key Projects of Hunan Province through projects 2015TP1004, 2016JC2012 and 2018TP1009; by the Science and Technology Key Projects of Changsha City through projects kq1801008 and kq1804008; by the National Key Research and Development Program of China through projects 2017YFB0902900 and 2017YFB0802500; by the National Cryptography Development Fund through project MMJJ20170106; by the Aeronautical Science Foundation of China through project 2017ZC51038; and by the Foundation of Science and Technology on Information Assurance Laboratory through project 61421120305162112006.

Appendix A. Proof of Theorem 1

We now prove the selective security of our IBE scheme. Suppose that an adversary A has an advantage $\mathrm{Adv}_{A,IBE}$ in breaking the IBE scheme. We build an algorithm B that solves the DBDH problem. Given the DBDH tuple $(g, g^{a}, g^{b}, g^{c}, T)$, B decides whether $T = e(g,g)^{abc}$ or $T$ is a random element of $G_T$.

Init: A outputs an identity $ID^*$.

Setup: B selects a random $\gamma \in \mathbb{Z}_p$ and sets $u = g^{a}$, $h = (g^{a})^{-ID^*} g^{\gamma}$ and $e(g,g)^{\alpha} = e(g^{a}, g^{b})$. This implies that $g^{\alpha} = g^{ab}$, which B does not know. B defines the public key $PK_{IBE} = (g, u, h, e(g,g)^{\alpha})$ and sends it to A.

Phase 1: For a query on $ID \neq ID^*$, B selects a random $r \in \mathbb{Z}_p$ and computes

$K_0 = (g^{b})^{\frac{\gamma}{ID^* - ID}} \cdot (u^{ID} h)^{r}, \qquad K_1 = (g^{b})^{\frac{1}{ID^* - ID}} \cdot g^{r}.$

Then algorithm B returns $SK_{ID} = (K_0, K_1)$ to A. Note that, by defining $r' = r + \frac{b}{ID^* - ID}$ and using $u^{ID} h = g^{a(ID - ID^*) + \gamma}$, we have

$K_0 = g^{\frac{b\gamma}{ID^* - ID}} \cdot (u^{ID} h)^{r} = g^{ab} \cdot g^{-ab + \frac{b\gamma}{ID^* - ID}} \cdot (u^{ID} h)^{r} = g^{ab} \cdot (u^{ID} h)^{\frac{b}{ID^* - ID}} \cdot (u^{ID} h)^{r} = g^{\alpha} (u^{ID} h)^{r'},$

$K_1 = g^{\frac{b}{ID^* - ID}} \cdot g^{r} = g^{r'}.$

This means that $SK_{ID}$ is a valid IBE secret key.

Challenge: Given messages $(M_0, M_1)$, B selects a random bit $\beta \in \{0, 1\}$ and sets

$C_0 = M_\beta T, \qquad C_1 = (u^{ID^*} h)^{s} = (g^{\gamma})^{s} = g^{c\gamma}, \qquad C_2 = g^{s} = g^{c}.$
B sends $CT_{ID^*} = (C_0, C_1, C_2)$ to A. If $T = e(g,g)^{abc}$, the ciphertext $CT_{ID^*}$ is properly distributed. If $T$ is a random element of $G_T$, then $M_\beta$ is fully randomized by $T$ and A cannot tell the correct value of $\beta$ with probability higher than 1/2.

Phase 2: A continues to make key queries, except for $ID^*$.

Guess: A outputs a guess $\beta' \in \{0, 1\}$. B outputs 0, guessing $T = e(g,g)^{abc}$, if $\beta' = \beta$; otherwise it outputs 1, guessing that $T$ is a random element of $G_T$. Therefore, the advantage of B in solving the DBDH problem is identical to $\mathrm{Adv}_{A,IBE}$, the advantage of A in the above game.

References

[1] G. Ateniese, K. Fu, M. Green, S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, ACM Trans. Inf. Syst. Secur. (TISSEC) 9 (1) (2006) 1–30.
[2] A. Beimel, Secure Schemes for Secret Sharing and Key Distribution, Technion-Israel Institute of Technology, Faculty of Computer Science, 1996.
[3] M. Blaze, G. Bleumer, M. Strauss, Divertible protocols and atomic proxy cryptography, in: Proceedings of the EUROCRYPT, Springer Berlin Heidelberg, 1998, pp. 127–144.
[4] D. Boneh, X. Boyen, Efficient selective-ID secure identity-based encryption without random oracles, in: Proceedings of the EUROCRYPT, Springer Berlin Heidelberg, 2004, pp. 223–238.
[5] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Proceedings of the CRYPTO, Springer Berlin Heidelberg, 2001, pp. 213–229.
[6] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2001, pp. 514–532.
[7] Z. Brakerski, V. Vaikuntanathan, Circuit-ABE from LWE: unbounded attributes and semi-adaptive security, in: Proceedings of the CRYPTO, Springer, 2016, pp. 363–384.
[8] Z. Cao, H. Wang, Y. Zhao, AP-PRE: autonomous path proxy re-encryption and its application, IEEE Trans. Depend. Secure Comput. 16 (5) (2017) 833–842.
[9] J. Chen, J. Gong, L. Kowalczyk, H. Wee, Unbounded ABE via bilinear entropy expansion, revisited, in: Proceedings of the EUROCRYPT, Springer, 2018, pp. 503–534.
[10] C.K. Chu, W.G. Tzeng, Identity-based proxy re-encryption without random oracles, in: Proceedings of the ISC, Springer Berlin Heidelberg, 2007, pp. 189–202.
[11] H. Deng, Q. Wu, B. Qin, J. Domingo-Ferrer, L. Zhang, J. Liu, W. Shi, Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts, Inf. Sci. 275 (2014) 370–384.
[12] C. Ge, W. Susilo, L. Fang, J. Wang, Y. Shi, A CCA-secure key-policy attribute-based proxy re-encryption in the adaptive corruption model for Dropbox data sharing system, Des. Codes Cryptogr. 86 (11) (2018) 2587–2603.
[13] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, 2006, pp. 89–98.
[14] M. Green, G. Ateniese, Identity-based proxy re-encryption, in: Proceedings of the ACNS, Springer Berlin Heidelberg, 2007, pp. 288–306.
[15] M. Green, S. Hohenberger, B. Waters, Outsourcing the decryption of ABE ciphertexts, in: Proceedings of the USENIX Security Symposium, 2011, 3.
[16] J. Han, W. Susilo, Y. Mu, Identity-based data storage in cloud computing, Future Gener. Comput. Syst. 29 (3) (2013) 673–681.
[17] T. Isshiki, M.H. Nguyen, K. Tanaka, Proxy re-encryption in a stronger security model extended from CT-RSA2012, in: Proceedings of the Cryptographers' Track at the RSA Conference, Springer, 2013, pp. 277–292.
[18] A. Ivan, Y. Dodis, Proxy cryptography revisited, in: Proceedings of the NDSS, 2003.
[19] P. Jiang, J. Ning, K. Liang, C. Dong, J. Chen, Z. Cao, Encryption switching service: securely switch your encrypted data to another format, IEEE Trans. Serv. Comput. (2018).
[20] A. Lewko, B. Waters, New techniques for dual system encryption and fully secure HIBE with short ciphertexts, in: Proceedings of the Theory of Cryptography Conference, Springer, 2010, pp. 455–479.
[21] B. Li, D. Huang, Z. Wang, Y. Zhu, Attribute-based access control for ICN naming scheme, IEEE Trans. Depend. Secure Comput. 15 (2) (2018) 194–206.
[22] J. Li, X. Lin, Y. Zhang, J. Han, KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage, IEEE Trans. Serv. Comput. 10 (5) (2017) 715–725.
[23] J. Li, Y. Wang, Y. Zhang, J. Han, Full verifiability for outsourced decryption in attribute based encryption, IEEE Trans. Serv. Comput. (2017).
[24] J. Li, W. Yao, J. Han, Y. Zhang, J. Shen, User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage, IEEE Syst. J. 12 (2) (2018) 1767–1777.
[25] J. Li, W. Yao, Y. Zhang, H. Qian, J. Han, Flexible and fine-grained attribute-based data storage in cloud computing, IEEE Trans. Serv. Comput. 10 (5) (2017) 785–796.
[26] J. Li, Q. Yu, Y. Zhang, Hierarchical attribute based encryption with continuous leakage-resilience, Inf. Sci. 484 (2019) 113–134.
[27] J. Li, Q. Yu, Y. Zhang, J. Shen, Key-policy attribute-based encryption against continual auxiliary input leakage, Inf. Sci. 470 (2019) 175–188.
[28] J. Li, Y. Zhang, X. Chen, Y. Xiang, Secure attribute-based data sharing for resource-limited users in cloud computing, Comput. Secur. 72 (2018) 1–12.
[29] Q. Li, J. Ma, R. Li, X. Liu, J. Xiong, D. Chen, Secure, efficient and revocable multi-authority access control system in cloud storage, Comput. Secur. 59 (2016) 45–59.
[30] K. Liang, M.H. Au, J.K. Liu, W. Susilo, D.S. Wong, G. Yang, Y. Yu, A. Yang, A secure and efficient ciphertext-policy attribute-based proxy re-encryption for cloud data sharing, Future Gener. Comput. Syst. 52 (2015) 95–108.
[31] K. Liang, L. Fang, D.S. Wong, W. Susilo, A ciphertext-policy attribute-based proxy re-encryption scheme for data sharing in public clouds, Concurr. Comput. Pract. Exper. 27 (8) (2015) 2004–2027.
[32] X. Liang, Z. Cao, H. Lin, J. Shao, Attribute based proxy re-encryption with delegating capabilities, in: Proceedings of the ASIACCS, ACM, 2009, pp. 276–286.
[33] X. Liu, R.H. Deng, K.R. Choo, J. Weng, An efficient privacy-preserving outsourced calculation toolkit with multiple keys, IEEE Trans. Inf. Forens. Secur. 11 (11) (2016) 2401–2414.
[34] S. Luo, J. Hu, Z. Chen, Ciphertext policy attribute-based proxy re-encryption, in: Proceedings of the ICICS, Springer Berlin Heidelberg, 2010, pp. 401–415.
[35] T. Matsuo, Proxy re-encryption systems for identity-based encryption, in: Pairing, Springer Berlin Heidelberg, 2007, pp. 247–267.
[36] Y. Miao, X. Liu, K.R. Choo, R.H. Deng, J. Li, H. Li, J. Ma, Privacy-preserving attribute-based keyword search in shared multi-owner setting, IEEE Trans. Depend. Secure Comput. (2019), doi:10.1109/TDSC.2019.2897675.
[37] T. Mizuno, H. Doi, Hybrid proxy re-encryption scheme for attribute-based encryption, in: Proceedings of the International Conference on Information Security and Cryptology, Springer, 2009, pp. 288–302.
[38] A. Paul, V. Srinivasavaradhan, S.S.D. Selvi, C.P. Rangan, A CCA-secure collusion-resistant identity-based proxy re-encryption scheme, in: Proceedings of the International Conference on Provable Security, Springer, 2018, pp. 111–128.
[39] H. Qian, J. Li, Y. Zhang, J. Han, Privacy preserving personal health record using multi-authority attribute-based encryption with revocation, Int. J. Inf. Secur. 14 (6) (2015) 487–497.
[40] Y. Rouselakis, B. Waters, Practical constructions and new proof methods for large universe attribute-based encryption, in: Proceedings of the ACM SIGSAC Conference on Computer & Communications Security, ACM, 2013, pp. 463–474.
[41] Y. Rouselakis, B. Waters, Efficient statically-secure large-universe multi-authority attribute-based encryption, in: Proceedings of the International Conference on Financial Cryptography and Data Security, Springer, 2015, pp. 315–332.
[42] A. Sahai, B. Waters, Fuzzy identity-based encryption, in: Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2005, pp. 457–473.
[43] J. Shao, Z. Cao, Multi-use unidirectional identity-based proxy re-encryption from hierarchical identity-based encryption, Inf. Sci. 206 (2012) 83–95.
[44] J. Shao, Z. Cao, X. Liang, H. Lin, Proxy re-encryption with keyword search, Inf. Sci. 180 (13) (2010) 2576–2587.
[45] F. Tang, H. Li, J. Chang, Multi-hop unidirectional proxy re-encryption from multilinear maps, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 98 (2) (2015) 762–766.
[46] Z. Wan, J. Liu, R.H. Deng, HASBE: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing, IEEE Trans. Inf. Forens. Secur. 7 (2) (2012) 743–754.
[47] H. Wang, Z. Cao, L. Wang, Multi-use and unidirectional identity-based proxy re-encryption schemes, Inf. Sci. 180 (20) (2010) 4042–4059.
[48] B. Waters, Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions, in: Advances in Cryptology-CRYPTO, Springer, 2009, pp. 619–636.
[49] J. Xiong, J. Ren, L. Chen, Z. Yao, M. Lin, D. Wu, B. Niu, Enhancing privacy and availability for data clustering in intelligent electrical service of IoT, IEEE Internet Things J. 6 (2) (2018) 1530–1540.
[50] K. Yang, X. Jia, K. Ren, Secure and verifiable policy update outsourcing for big data access control in the cloud, IEEE Trans. Parallel Distrib. Syst. 26 (12) (2015) 3461–3470.
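The algebra behind the simulated key in Appendix A, $K_0 = (g^{b})^{\gamma/(ID^* - ID)} (u^{ID} h)^{r}$ with implicit randomness $r' = r + b/(ID^* - ID)$, is easy to get wrong by a sign, so the following Python check, added here and not part of the paper or its PBC implementation, carries it through numerically. Only identities in the source group G are involved, so no pairing is needed: the example replaces the bilinear group by the order-1019 subgroup of squares in Z_q^* for the constructed safe prime q = 2·1019 + 1, draws a, b, c, γ, ID*, ID and r as the game would, and confirms that B's key equals an honestly generated key and that the simulated challenge equals an honest encryption under s = c. The names gexp, real_key, simulated_key, simulated_challenge and check_reduction are this example's own.

```python
"""Numeric check of the key simulation in the proof of Theorem 1 (Appendix A),
in a prime-order subgroup of Z_q^* instead of a pairing group. Added example,
not the paper's implementation."""
import random

#  Constructed toy group: q = 2P + 1 is a safe prime, so the squares mod q form
#  a cyclic group of prime order P; G = 4 generates it.
P = 1019
Q = 2 * P + 1
G = 4


def gexp(base, e):
    """base^e in the order-P group; exponents live in Z_p, so reduce mod P."""
    return pow(base, e % P, Q)


def inv_p(x):
    """Inverse in Z_p, needed for the 1/(ID* - ID) exponents."""
    return pow(x % P, -1, P)


def real_key(alpha, u, h, ID, r):
    """Honest IBE key for ID: K0 = g^alpha (u^ID h)^r, K1 = g^r."""
    return gexp(G, alpha) * gexp(gexp(u, ID) * h % Q, r) % Q, gexp(G, r)


def simulated_key(gb, gamma, id_star, u, h, ID, r):
    """B's key for ID != ID*: uses g^b and gamma only, never a or b."""
    c = inv_p(id_star - ID)
    k0 = gexp(gb, gamma * c) * gexp(gexp(u, ID) * h % Q, r) % Q
    k1 = gexp(gb, c) * gexp(G, r) % Q
    return k0, k1


def simulated_challenge(gc, gamma):
    """Challenge components C1 = (u^{ID*} h)^c = g^{c gamma}, C2 = g^c."""
    return gexp(gc, gamma), gc


def check_reduction(seed=1):
    """Return (key_ok, challenge_ok): the simulated key equals the honest key
    under randomness r' = r + b/(ID* - ID), and the simulated challenge equals
    an honest encryption with s = c."""
    rng = random.Random(seed)
    a, b, c, gamma = (rng.randrange(1, P) for _ in range(4))
    id_star = rng.randrange(1, P)
    ID = rng.randrange(1, P)
    while ID == id_star:          # Phase 1 queries are for ID != ID*
        ID = rng.randrange(1, P)
    ga, gb, gc = gexp(G, a), gexp(G, b), gexp(G, c)
    # Setup as in the proof: u = g^a, h = (g^a)^{-ID*} g^gamma, hence alpha = ab.
    u = ga
    h = gexp(ga, -id_star) * gexp(G, gamma) % Q
    r = rng.randrange(1, P)
    r_prime = (r + b * inv_p(id_star - ID)) % P
    key_ok = simulated_key(gb, gamma, id_star, u, h, ID, r) == real_key(a * b, u, h, ID, r_prime)
    c1, c2 = simulated_challenge(gc, gamma)
    challenge_ok = (c1, c2) == (gexp(gexp(u, id_star) * h % Q, c), gexp(G, c))
    return key_ok, challenge_ok


if __name__ == '__main__':
    print(check_reduction())  # (True, True)
```

The check passes for every seed because $u^{ID} h = g^{a(ID - ID^*) + \gamma}$ makes $(u^{ID} h)^{b/(ID^* - ID)} = g^{-ab + b\gamma/(ID^* - ID)}$, exactly the factor that cancels the unknown $g^{ab}$; a sign error in $r'$ would make key_ok False.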