Server-Aided Revocable Attribute-Based Encryption Revised: Multi-User Setting and Fully Secure

Abstract

Attribute-based encryption (ABE) is a promising cryptographic primitive achieving fine-grained access control on encrypted data. However, efficient user revocation is always essential to keep the system dynamic and protect data privacy. Cui et al. (ESORICS 2016) proposed the first server-aided revocable attribute-based encryption (SR-ABE) scheme, in which an untrusted server manages all the long-term transform keys and update keys generated by key generation center (KGC) in order to achieve efficient user revocation. So, there’s no need for any user to communicate with KGC to update his/her decryption key regularly. In addition, the most part of computational overhead of decryption is outsourced to the server and user keeps a small size of private key to decrypt the final ciphertext. Then, Qin et al.’s (CANS 2017) extended Cui et al.s’ work to be decryption key exposure resistant (DKER).

Unfortunately, current SR-ABE schemes could only be provably secure in one-user setting, which means there’s only one “target user” \(id^*\) with an attribute set \(S_{id^*}\) satisfying the access structure \((\mathbb {M}^*, \rho )\) in the challenge ciphertext, i.e., \(S_{id^*}\vDash (\mathbb {M}^*, \rho )\). However, a more reasonable security model, i.e., multi-user setting, requires that any user id in the system can be with an attribute set \(S_{id}\vDash (\mathbb {M}^*, \rho )\), and the adversary is allowed to query on any user’s private key \(SK_{id}\) and his/her long-term transform key \(PK_{id,S_{id}}\) as long as his/her identity id is revoked at or before the challenge time \(t^*\). How to construct a SR-ABE secure in multi-user setting is still an open problem.

In this paper, we propose the first SR-ABE scheme provably secure in multi-user setting. In addition, our SR-ABE is fully secure and decryption key exposure resistant. Our scheme is constructed based on dual system encryption methodology and novelly combines a variant of Lewko et al.’s work in EUROCRYPT 2010 and Lewko et al.’s work in TCC 2010. As a result, we solve the remaining open problem.

Appendices

A Proof of Lemma 2

Proof

\(\mathcal {B}\) is given \((g, X_3, T)\) and simulates \(\mathbf {Game}_{Restricted}\) or \(\mathbf {Game}_{0}\) with \(\mathcal {A}\). It sets the public parameters as follows. It randomly picks \(a, \alpha ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\), returns the public parameters to \(\mathcal {A}\) as:

$$\begin{aligned} PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} , \end{aligned}$$

(27)

and keeps \(MSK=\{\alpha , X_3\}\) as secret. In this case, \(\mathcal {B}\) can answer any normal key query (including Create(id,S), Corrupt(id), TKeyUp(t), DecKG(id,t)) from \(\mathcal {A}\) by running the corresponding key generation algorithm with MSK.

\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \((M_0, M_1)\), a challenge access matrix \((\mathbb {M}^*, \rho )\) and a challenge time \(t^*\). To generate the challenge ciphertext \(CT^*\), \(\mathcal {B}\) will implicitly set \(g^s\) to be the \(G_{p_1}\) part of T (T is the product of \(g^s\) and possible an element of \(G_{p_2}\)). It randomly chooses \(v_2', \ldots , v_n' \in \mathbb {Z}_N\), \(r_i'\in \mathbb {Z}_N\) for \(i\in [1,l]\), \(\beta \in \{0, 1\}\) and sets \(\vec {v}'=(1,v_2', \ldots , v_n')^{\perp }\). Finally, \(\mathcal {B}\) generates the challenge ciphertext \(CT^*\) as:

$$\begin{aligned} CT^*=\left\{ \begin{aligned}&C=M_{\beta }\cdot e(g^{\alpha },T), \quad C_0=T,\quad C_t=T^{a_0t^*+b_0}\\&C_{i}=T^{a\mathbb {M}_{i}^* \vec {v}'}T^{-r_i's_{\rho (i)}},\quad D_i=g^{r_i'} \quad \forall i \end{aligned} \right\} . \end{aligned}$$

(28)

We note that this implicitly sets \(\vec {v} = (s, sv_2',\ldots , sv_n')\) and \(r_i=sr_i'\). Modulo \(p_1\), v is a random vector with first coordinate s and \(r_i\) is a random value. Thus, if \(T \in G_{p_1}\), \(CT^*\) is a properly distributed normal ciphertext. Otherwise, \(T \in G_{p_1p_2}\), we let \(g_{2}^c\) as the \(G_{p_2}\) part of T (i.e. \(T=g^sg_{2}^c\)). We then have a semi-functional ciphertext with \(z_{t^*}=a_0t^*+b_0\), \(u=ca\vec {v}'\), \(\gamma _{i}=-cr_i'\), and \(z_{\rho (i)}=s_{\rho (i)}\). By the Chinese Remainder Theorem, \(a_0,b_0,a, v_2', \ldots , v_n', r_i', s_{\rho (i)}\) modulo \(p_2\) are uncorrelated from these values modulo \(p_1\), so \(CT^*\) is a properly distributed semi-functional ciphertext. Therefore, \(\mathcal {B}\) can break Assumption 1 with advantage \(\epsilon \) by the output of \(\mathcal {A}\).    \(\square \)

B Proof of Lemma 4

Proof

\(\mathcal {B}\) is given \(( g, X_1X_2, X_3, Y_2Y_3, T)\) and simulates \(\mathbf {Game}_{k,1}\) or \(\mathbf {Game}_{k,2}\) with \(\mathcal {A}\). It randomly picks \(a, \alpha ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns the public parameters \(PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} \) to \(\mathcal {A}\).

The first \(k-1\) semi-functional keys of type 2, the normal keys \(> k\), and the challenge ciphertext are all constructed the same as the above lemma. Hence, the ciphertext is sharing the value ac in the \(G_{p_2}\) subgroup. However, this will not be correlated with the \(k^{th}\) key any way, so the value is random modulo \(p_2\). To answer the \(k^{th}\) key request, \(\mathcal {B}\) choose a random element \(R_3'\in G_{p_3}\) and set

• \(SK_{id}=g^{\alpha }T^{a_1id+b_1} \cdot R_3'\);

• For each \( x \in \mathsf {Path}(\mathsf {BT},\theta )\), fetch \(g_x\) from the node x, choose random elements \(t_x\in \mathbb {Z}_N\), \(R_{x,0}',\bar{R}_{x,0}', \{R_{x,i}'\}_{i\in S} \in G_{p_3}\), and an additional \(h_x \in \mathbb {Z}_N\), set

  $$\begin{aligned} \begin{aligned}&K_{x}=g^{\alpha }T^{a t_x}(T^{a_1id+b_1}/g_x)\cdot R_{x,0}' \cdot (Y_2Y_3)^{h_x},\qquad L_x=T^{t_x}\cdot \bar{R}_{x,0}',\\&K_{x,i}=T^{s_i t_x}R_{x,i}' \quad \forall i\in S; \end{aligned} \end{aligned}$$

  (29)

• For each \( x \in \mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\), fetch \(g_x\) from the node x, choose random elements \(\hat{R}_{x,3},\bar{R}_{x,3} \in G_{p_3}\) and \(s_x' \in \mathbb {Z}_N\), set

  $$\begin{aligned} \begin{aligned}&Q_{x,0,t}=g^{\alpha }g_x\cdot (T^{a_0t+b_0})^{s_x'}\hat{R}_{x,3}, \quad Q_{x,1,t}=T^{s_x'}\bar{R}_{x,3}. \end{aligned} \end{aligned}$$

  (30)

Note that we add the \((Y_2Y_3)^{h_x}\) term. This randomizes the \(G_{p_2}\) part of \(K_x\), so the key is no longer nominally semi-functional. If we use the \(k^{th}\) key to decrypt the semi-functional ciphertext, the decryption would fail.

Thus, if \(T \in G_{p_1p_3}\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{k,2}\). Otherwise, \(T \in G\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{k,1}\). Therefore, \(\mathcal {B}\) can use the output of \(\mathcal {A}\) to gain advantage to \(\epsilon \) in breaking Assumption 2.    \(\square \)

C Proof of Lemma 5

Proof

\(\mathcal {B}\) is given \(( g, g^{\alpha }X_2, X_3, g^sY_2,Z_2, T)\) and simulates \(\mathbf {Game}_{q,2}\) or \(\mathbf {Game}_{Final}\) with \(\mathcal {A}\). It randomly picks \(a, ,a_0,a_1,b_0,b_1 \in \mathbb {Z}_N\) and \(s_i \in \mathbb {Z}_N\) for each attribute i in the system, then sets \(u=g^{a_1},h=g^{b_1},u_0=g^{a_0},h_0=g^{b_0}\) and returns \(PK=\left\{ N, g, g^a,u,h,u_0,h_0, e(g, g^{\alpha }X_2)=e(g,g)^{\alpha }, \{T_i = g^{s_i}, \forall i \}\right\} \) to \(\mathcal {A}\).

To make semi-functional keys of type 2, randomly choose \(f, r, z_{id},d', z_{t} \in \mathbb {Z}_N\), \(R_3'\in G_{p_3}\) and set

• \(SK_{id}=g^{\alpha }(u^{id}h)^r \cdot R_3' \cdot Z_2^{fz_{id}}\);

• For each \(x \in \mathsf {Path}(\mathsf {BT},\theta )\), fetch \( g_x\) from the node x, randomly choose \(t_x\in \mathbb {Z}_N\), \(R_{x,0}',\bar{R}_{x,0}, \{R_{x,i}\}_{i\in S} \in G_{p_3}\), set

  $$\begin{aligned} \begin{aligned}&K_{x}=g^{\alpha +at_xr }((u^{id}h)^r/g_x)\cdot R_{x,0}'\cdot Z_2^{d't_x+fz_{id}},\quad L_x=g^{t_xr}\cdot \bar{R}_{x,0}',\\&K_{x,i}=T_i^{t_x r}R_{x,i}' \quad \forall i\in S; \end{aligned} \end{aligned}$$

  (31)

• For each \( x \in \mathsf {KUNodes}(\mathsf {BT},\mathsf {RL},t)\), fetch \(g_x\) from the node x, randomly choose \(\ s_x,\gamma _x' \in \mathbb {Z}_N\) and \(\hat{R}_{x,3}',\bar{R}_{x,3}' \in G_{p_3}\), set

  $$\begin{aligned} \begin{aligned}&Q_{x,0,t}=g^{\alpha }g_x\cdot (u_0^th_0)^{s_x}\hat{R}_{x,3}' \cdot Z_2^{\gamma _x' z_{t}}, \quad Q_{x,1,t}=g^{s_x}\bar{R}_{x,3}'\cdot Z_2^{\gamma _x' }. \end{aligned} \end{aligned}$$

  (32)

\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \((M_0, M_1)\), a challenge access matrix \((\mathbb {M}^*, \rho )\) and a challenge time \(t^*\). \(\mathcal {B}\) chooses \(u_2, \ldots , u_n, r_i' \in \mathbb {Z}_N\), a random bit \(\beta \in \{0, 1\}\) and sets \(\vec {u}'=(a,u_2, \ldots , u_n)\). Finally, \(\mathcal {B}\) generates the challenge ciphertext \(CT^*\) as:

$$\begin{aligned} CT^*=\left\{ \begin{aligned}&C=M_{\beta }\cdot T, C_0=g^sY_2, C_t=(g^sY_2)^{a_0t^*+b_0}\\&C_{i}=(g^sY_2)^{\mathbb {M}_{i}^* \vec {u}'}(g^sY_2)^{-r_i's_{\rho (i)}}, D_i=(g^sY_2)^{r_i'} \quad \forall i \end{aligned} \right\} . \end{aligned}$$

(33)

We set \(Y_2=g_2^c\), \(\vec {v} = sa^{-1}\vec {u}'\) and \(\vec {u}=c\vec {u}'\) (i.e., \(u_1=ac\)), so s is shared in the \(G_{p_1}\) and ca is shared in the \(G_{p_2}\). This implicitly sets \(u_1=ca\), \(r_i=sr_i'\) and \(\gamma _i=-cr_i'\).

Thus, if \(T =e(g,g)^{\alpha s}\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{q,2}\) and \(CT^*\) is a semi-functional ciphertext with encryption of \(M_{\beta }\). Otherwise, \(T \in G_T\), then \(\mathcal {B}\) has properly simulated \(\mathbf {Game}_{Final}\) and \(CT^*\) is a semi-functional ciphertext with encryption of a random message in \(G_T\). Therefore, \(\mathcal {B}\) can use the output of \(\mathcal {A}\) to gain advantage to \(\epsilon \) in breaking Assumption 3.    \(\square \)