Abstract

As a promising service paradigm, cloud computing has attracted many enterprises and individuals to outsource big data to the public cloud. To facilitate secure data use and sharing, dual-policy attribute-based encryption (DP-ABE) is a suitable solution. It enforces two access control mechanisms over encrypted data at the same time: one with access policies over subjective attributes ascribed to user credentials, and the other with policies over objective attributes ascribed to data. In this work, we explore methods to make DP-ABE more flexible, more efficient, and more secure for deployment in cloud scenarios. Our proposal simultaneously achieves the following: (1) beyond the access control mechanisms of DP-ABE, it supports two flexible features called encryption and key generation in single-policy modes; (2) most of the key generation, encryption, and decryption work is securely outsourced to cloud servers, leaving very low overheads for the PKG, data owners, and users; and (3) it realizes the strongest standard security notion for public-key encryption, namely CCA security. We formalize the security definition and prove security in the random oracle model. Moreover, we implement the proposed schemes using the Charm framework. The experimental results demonstrate that our schemes are efficient and practical.

1. Introduction

As a promising service paradigm, cloud computing has attracted great interest from industry thanks to its powerful computation and storage capabilities. To avoid maintaining specialized data centers, a growing number of enterprises and individuals outsource huge amounts of data to the public cloud, where they can store, manage, and share it conveniently. Since cloud storage services (such as Amazon S3) are operated by third parties and are not fully trusted, data should be outsourced in encrypted form. In 2005, Sahai and Waters [1] introduced attribute-based encryption (ABE), which was later formalized by Goyal et al. [2]. ABE is a suitable solution for secure data sharing in the cloud, since it realizes fine-grained access control over encrypted data through access policies and attribute sets attached to secret keys and ciphertexts. ABE comes in two flavors, Ciphertext-Policy ABE (CP-ABE) and Key-Policy ABE (KP-ABE).

In CP-ABE [3, 4], every participant is assigned a secret key that contains a set of attributes reflecting his or her role. A data owner encrypts data under an access policy before uploading it to the cloud, and a data user can decrypt only if the attribute set of the secret key satisfies the access policy of the ciphertext. Take an electronic medical record (EMR) system as an example. If a nurse encrypts a record under (“Cardiology” and (“Chief Physician” or “Associate Chief Physician”)), a doctor holding the secret key for {“Cardiology”, “Chief Physician”} can decrypt the ciphertext. In summary, attributes in CP-ABE annotate the data users’ credentials; they are called subjective attributes since the users are the subjects who decrypt.

In KP-ABE [2, 5], by contrast, secret keys are associated with access policies and ciphertexts with attribute sets. Attributes annotate the data, and are called objective attributes since the data are the objects being encrypted. For example, a secret key for ((“Male” or “Female”) and “Blood Pressure”) can decrypt a record encrypted under {“Male”, “Blood Pressure”}.

As pointed out by Attrapadung and Imai [6], a drawback of both flavors of ABE is that one must decide at setup whether attributes describe subjects or objects, and then stick with that choice throughout the entire application. This is inconvenient: with KP-ABE, an encrypted record can only be labelled with objective attributes, so the nurse station, as the encryptor, cannot directly specify a subjective policy over doctors, i.e., who can and cannot decrypt. CP-ABE suffers the complementary inconvenience.

To solve this, Attrapadung and Imai proposed Dual-Policy ABE (DP-ABE) [6]. Basically, DP-ABE is a conjunctive combination of CP-ABE and KP-ABE, in which the CP-ABE (resp. KP-ABE) component handles the subjective (resp. objective) attribute universe. Decryption succeeds if and only if the subjective attribute set satisfies the subjective access policy and, at the same time, the objective attribute set satisfies the objective access policy. Thanks to these flexible access control abilities, DP-ABE is useful in general-purpose applications.

In this paper, we advance the state of the art on secure data sharing by providing more flexible, more efficient, and more secure dual-policy attribute-based encryption schemes. To the best of our knowledge, our proposal is the first DP-ABE scheme that simultaneously achieves flexibility-enhanced access control mechanisms, fully outsourced computation, and security against chosen ciphertext attacks (CCA). Our techniques may also help in developing other practical encryption schemes for secure data sharing in cloud scenarios.

1.1. Related Work
1.1.1. Dual-Policy ABE

The first DP-ABE scheme was proposed by Attrapadung and Imai [6] in 2009. Since it was built on the KP-ABE of [2] and the CP-ABE of [7], it supports monotone LSSS access structures and achieves selective security. To shorten the ciphertexts of Ref. [6], Miyaji and Tran [8] proposed a DP-ABE scheme with short ciphertexts in which access structures are restricted to AND gates. However, Rao and Dutta [9] pointed out a mistake in the decryption algorithm of Ref. [8] and proposed a new DP-ABE scheme whose ciphertext size depends only on the subjective attributes.

Okamoto and Takashima [10] proposed a fully secure dual-policy functional encryption for general relations using the concept of dual pairing vector spaces [11]. By extending the pair encodings primitive [12], Attrapadung and Yamada [13] provided a generic conversion that turns an ABE scheme into its dual-policy variant, and obtained the first realizations of fully secure DP-ABE for formulae, unbounded DP-ABE for formulae, and DP-ABE for regular languages. Attrapadung [14] proposed a prime-order version of Ref. [12] and constructed an efficient large-universe DP-ABE in prime-order groups. Recently, Xu et al. [15] presented a generic construction of DP-ABE from ElGamal-type cryptosystems, together with an instantiation based on the CP-ABE of [16] and the KP-ABE of [2]. Han et al. [17] applied DP-ABE in blockchain scenarios.

1.1.2. ABE with Outsourced Computation

In most ABE schemes, the ciphertext size and the decryption cost grow linearly with the number of attributes in the access policy. In 2011, Green et al. [18] introduced outsourced decryption for attribute-based encryption: a proxy uses a transformation key to convert any ABE ciphertext into a short ciphertext, yet learns nothing about the plaintext in the process. To recover the plaintext, the data user then needs only a single exponentiation.

Hohenberger and Waters [19] developed “connect and correct” techniques for ABE that split key generation and encryption into two phases: a preparation phase that does the vast majority of the work, and a second phase that rapidly assembles the ABE secret key or ciphertext once the specifics (attributes or policy) become known. Building on this concept, Ma et al. proposed online/offline ABE with cryptographic reverse firewalls [20], a ciphertext-policy attribute-based proxy re-encryption (CP-AB-PRE) scheme [21], and efficient CP-ABE schemes with outsourced computation [22, 23] for various applications.

1.1.3. CCA Secure ABE

Security against chosen ciphertext attacks (CCA) is the strongest standard notion for public-key encryption, whereas security against chosen plaintext attacks (CPA) provides only basic data confidentiality. Goyal et al. [2] gave a generic conversion that makes a CPA-secure KP-ABE scheme CCA-secure, and Yamada et al. [24] presented CCA conversions for both KP-ABE and CP-ABE.

The attribute-based encryption with outsourced decryption (OD-ABE) scheme of [18] achieves replayable CCA security [25]. Zuo et al. [26] and Wang et al. [27] proposed selectively and fully CCA-secure OD-ABE constructions, respectively. Liang et al. [28] proposed a CCA-secure CP-AB-PRE scheme for cloud data sharing. To the best of our knowledge, Ref. [10] is the only scheme in the dual-policy setting that achieves CCA security.

1.2. Our Contribution

In this work, we explore methods to make DP-ABE more flexible, more efficient, and more secure for data sharing in the cloud. Specifically, our contribution is fourfold:
(1) Flexibility-Enhanced Access Control Mechanisms. First, we propose a large-universe DP-ABE scheme for monotone LSSS access structures over prime-order asymmetric pairing groups. To support more flexible access control in real-world deployments, we further design two practical features for the scheme, called encryption and key generation in single-policy modes. The scheme is proven selectively CPA-secure under two modified -type assumptions.
(2) Low Computation Cost. Second, using the outsourced computation technique of [23], we construct a more computationally efficient scheme, called fully outsourced dual-policy attribute-based encryption (FO-DP-ABE). It securely outsources almost all expensive computation in key generation, encryption, and decryption to cloud servers, leaving very low overheads for the PKG, data owners, and users.
(3) High-Level Security. Third, to reach the strongest standard security notion for public-key encryption, we make FO-DP-ABE CCA-secure by applying the Canetti-Halevi-Katz [31] and Fujisaki-Okamoto [32] transformations without compromising efficiency. We formalize the security definition and prove security in the random oracle model.
(4) Thorough Performance Evaluations. Finally, we give detailed theoretical comparisons with several practical DP-ABE schemes, implement our DP-ABE and FO-DP-ABE schemes using the rapid prototyping framework Charm [33], and conduct extensive experiments. The results show that our schemes are efficient enough for resource-limited devices.

Table 1 compares the features of our proposed schemes with those of related work. Our schemes are preferable from both the practicality and the security perspectives.

1.3. Paper Organization

The rest of this paper is organized as follows. Section 2 introduces the necessary background. Section 3 gives the formal definition and security model of DP-ABE and presents a basic CPA-secure construction. Section 4 describes the single-policy modes of our DP-ABE. Section 5 proposes our FO-DP-ABE scheme and proves its security in the proposed security model. Section 6 gives detailed performance evaluations, and Section 7 concludes.

2. Preliminary

In this section, we review some notations and definitions.

2.1. Notations

denotes that is obtained by running an algorithm on inputs . For , . We denote the size of a set , and the operation of choosing an element uniformly at random from . denotes the th row of a matrix , and denotes the th element of . denotes a negligible function, i.e., , , s.t., , .

The acronyms used in this paper are given in Table 2.

2.2. Definitions

Definition 1 (Bilinear Maps). Let GroupGen be a probabilistic polynomial-time (PPT) algorithm that takes as input a security parameter and outputs a tuple , where , , and are cyclic groups of the same prime order , are generators of , respectively, and is a bilinear map satisfying:
(1) Bilinearity: , and , we have .
(2) Nondegeneracy: , whenever are not the identities of , respectively.
(3) Computability: , there is an efficient algorithm to compute .
Following standard terminology, we refer to as a pairing. Pairings fall into three basic types:
(i) Type-I: ;
(ii) Type-II: but there is an efficiently computable isomorphism ;
(iii) Type-III: and there is no efficiently computable isomorphism between and .
As summarized in Ref. [34], Type-I pairings are called “symmetric”; they were long popular because the constructions are simpler and the complexity assumptions can be weaker, but Type-I groups have serious security issues [35]. Type-II and Type-III pairings are “asymmetric,” and Type-III is typically the most efficient choice for implementation [36]. We use only Type-III pairings throughout the paper.

Definition 2 (Access Structure [37]). Let be a set of parties. A collection is monotone for and , if and , then . An access structure is a collection of nonempty subsets of , i.e., . The sets in are called the authorized sets, and the sets not in are called unauthorized sets.

Definition 3 (Linear Secret Sharing Schemes (LSSS) [37]). Let be a prime. A secret sharing scheme with domain of secrets realizing access structures on the attribute universe is linear over if:
(1) The shares of the parties form a vector over ;
(2) For each access structure on , there exists a matrix , called the share-generating matrix, and a function that labels the rows of with attributes from . To generate the shares, consider the column vector , where . Then the vector of shares of the secret according to is . The share belongs to attribute .
Lewko and Waters [38] gave a method to transform any monotone Boolean formula into such an LSSS matrix . In particular, each entry of is 0, 1 or , and the reconstruction coefficients for the resulting can be chosen to be 0 or 1.

2.3. Assumptions

The KP-ABE and CP-ABE schemes of [16] are secure under two -type assumptions on prime-order asymmetric pairing groups. To construct our DP-ABE with single-policy modes, we use the following modified -type assumptions.

Definition 4 (Modified -1 Assumption). An asymmetric pairing group generator GroupGen satisfies the modified -1 assumption if for all adversaries , there exists negl such that:where , , , , , and contains the following terms:

Definition 5 (Modified -2 Assumption). An asymmetric pairing group generator GroupGen satisfies the modified -2 assumption if for all adversaries , there exists negl such that:where , , , , , and contains the following terms:Compared with the original assumption [16], the modified -1 assumption is slightly stronger, since adversaries obtain two additional elements . Nevertheless, it remains secure in the generic group model [39]: since is chosen uniformly at random from , an adversary gains no additional advantage from in distinguishing from . The modified -2 assumption is secure by the same argument.

3. Dual-Policy Attribute-Based Encryption

In this section, we propose our dual-policy attribute-based encryption (DP-ABE) scheme.

3.1. Syntax

Define the function if the attribute set satisfies the access structure . A dual-policy attribute-based encryption (DP-ABE) for access structure space contains the following algorithms:
(i) Setup. The setup algorithm takes a security parameter and a universe description as input, and outputs the public parameters and the master secret key .
(ii) KeyGen. The key generation algorithm takes the public parameters , the master secret key , an objective access structure , and a subjective attribute set as input, and outputs a secret key corresponding to .
(iii) Encrypt. The encryption algorithm takes the public parameters , a message from the message space , an objective attribute set , and a subjective access structure as input, and outputs a ciphertext encrypted under .
(iv) Decrypt. The decryption algorithm takes the public parameters , a secret key corresponding to , and a ciphertext encrypted under as input, and outputs the decryption result if the objective attribute set satisfies the objective access structure , i.e., , and the subjective attribute set satisfies the subjective access structure , i.e., . Otherwise, it outputs .

Correctness. It requires that for all , all , all , all , all , all , all , and all :

3.2. Security Model

We use the security model in Ref. [6]. Let be a DP-ABE scheme for access structure space , and consider the following experiment for an adversary .

The DP-ABE experiment :

Init. declares the challenge objective attribute set and the challenge subjective access structure .

Setup. The challenger runs to obtain and sends to .

Phase 1. can adaptively ask for secret keys for pairs of objective access structure and subjective attribute set such that or . sends to .

Challenge. submits two equal-length messages and as the challenge. picks and sends to .

Phase 2. Phase 1 is repeated.

Guess. outputs a guess of . The output of the experiment is 1 if .

Definition 6. A DP-ABE is selectively IND-CPA secure if for all adversaries , there exists such that:

3.3. Construction

(i) Setup. Call to obtain . The attribute universe is . Choose and . Output and .
(ii) KeyGen. Let be an LSSS access structure with and . Choose where . The vector of the shares of is . For choose and compute

Set .

Let be an attribute set. Choose and compute , . For choose and compute

Set .

Output .
(iii) Encrypt. Choose and compute .

Let be an attribute set. For choose and compute

Set .

Let be an LSSS access structure with and . Choose where . The vector of the shares of is . For choose and compute

Set .

Output .
(iv) Decrypt. Parse the key and ciphertext:

If , calculate and the constants such that . Let denote the index of the attribute in . Compute

Parse the key and ciphertext:

If , calculate and the constants such that . Let denote the index of the attribute in . Compute

Output .

Correctness: If and , we have that , . Therefore:

3.4. Security Analysis

Theorem 1. Suppose that the KP-ABE and CP-ABE schemes [16] are selectively IND-CPA secure, then the proposed DP-ABE scheme is selectively IND-CPA secure.

Proof. Our DP-ABE scheme follows the generic ElGamal-type construction of [15]. Suppose there is an adversary that attacks the proposed DP-ABE scheme with non-negligible advantage. We construct an algorithm that uses to break the KP-ABE and CP-ABE schemes [16].
Init. runs , who chooses the challenge pair where is of size and is of size . passes to the challenger of the KP-ABE scheme and to the challenger of the CP-ABE scheme.
Setup. receives from and from . By the definition of ElGamal-type schemes, we have
returns to .
Phase 1. queries the secret key corresponding to the pair where is of size and is of size . acts as follows:
(i) If , then we must have . Let . Choose where . The vector of the shares of is . For choose and compute
Set .
Let . Call the key generation oracle of on to obtain
Set .
Return .
(ii) Else, . Call the key generation oracle of on to obtain
Let . Choose where . The vector of the shares of is .
Set .
Let . Choose and compute , . For choose and compute
Set .
Return .
Challenge. submits two messages from the message space . passes to to obtain and to to obtain .
By the definition of ElGamal-type schemes, we have
returns to .
Phase 2. Phase 1 is repeated.
Guess. outputs a bit . outputs as its guess.
From the view of , the simulation is indistinguishable from the real experiment, so 's advantage carries over to . This proves the theorem.

4. Single-Policy Modes of DP-ABE

In this section, we describe two features of our DP-ABE called encryption in single-policy modes and key generation in single-policy modes.

Suppose that a DP-ABE scheme has already been set up, i.e., the public parameters PK have been chosen and published. The single-policy encryption modes allow a data owner to encrypt messages on the fly as if the scheme were a plain KP-ABE or CP-ABE, and the single-policy key generation modes allow the PKG to generate secret keys on the fly as if the scheme were a plain KP-ABE or CP-ABE.

To describe single-policy modes, we define two special symbols and , where for , and for .

4.1. Encryption in Single-Policy Modes

When a message is encrypted in KP-ABE mode (we refer to both the ciphertext and the encryption mode as KP-CT) with the objective attribute set and the subjective access policy , any data user holding a secret key for can decrypt it if . Analogously, when a message is encrypted in CP-ABE mode (denoted CP-CT) with the subjective access policy and the objective attribute set , any data user holding a secret key for can decrypt it if .

Generic Construction. Attrapadung and Imai [6] proposed a simple generic conversion from any DP-ABE scheme to a DP-ABE scheme that admits single-policy encryption modes. The idea is to use dummy attributes: one objective and one subjective dummy attribute.

Specifically, is the same as except that it additionally chooses a special objective attribute and a special subjective attribute and adds them to the public parameters PK. Neither is used as an ordinary attribute in . Next we define

Direct Construction. Applying the above generic conversion to our DP-ABE forces every secret key to carry the dummy attributes. We therefore give a direct construction instead.

To encrypt a message in KP-ABE mode, we remove all elements involving attributes in the ciphertext , such that any secret key can decrypt it. Set , and remain exactly the same as in the DP-ABE.

Similarly, to encrypt a message in CP-ABE mode, we remove all elements involving attributes in the ciphertext , such that any secret key can decrypt it. Set , and remain exactly the same as in the DP-ABE.

4.2. Key Generation in Single-Policy Modes

When a secret key is generated in KP-ABE mode (denoted KP-SK) with the objective access policy and the subjective attribute set , its holder can decrypt any ciphertext encrypted under if . Analogously, when a secret key is generated in CP-ABE mode (denoted CP-SK) with the subjective attribute set and the objective access policy , its holder can decrypt any ciphertext encrypted under if .

Generic Construction. The dummy-attribute idea also converts any DP-ABE scheme into a DP-ABE scheme that admits single-policy key generation modes.

Specifically, is the same as except that it additionally chooses a special objective attribute and a special subjective attribute and adds them to the public parameters PK. Neither is used as an ordinary attribute in . Next we define

Direct Construction. Applying the above generic conversion to our DP-ABE forces every ciphertext to carry the dummy attributes. We therefore give a direct construction instead.

To generate a secret key in KP-ABE mode, we set and directly use the master secret key to generate . Specifically, choose where . The vector of the shares of is . For choose and compute

Set .

To generate a secret key in CP-ABE mode, we set and directly use the master secret key to generate . Specifically, choose and compute , . For choose and compute

Set .

4.3. Decryption Cases and Security Analysis

Encryption and key generation in single-policy modes are functionally orthogonal, so they can be used simultaneously in one system, which yields three kinds of ciphertexts and three kinds of secret keys (KP-, CP-, and DP-ABE modes, respectively).

For the generic constructions, the dummy attributes are added to the attribute set and the access policy without changing the structure of ciphertexts or secret keys, so decryption proceeds exactly as in the dual-policy setting. For the direct constructions, however, the decryption algorithms differ; Table 3 discusses the nine resulting decryption cases.

Theorem 2. Suppose that the modified (resp. ) assumption holds, then the proposed DP-ABE scheme with encryption in CP-ABE (resp. KP-ABE) mode is selectively IND-CPA secure against all adversaries with a challenge access policy of size , where (resp. attribute set of size , where ).

Proof. We prove the security of CP-CT; the proof for KP-CT is similar.
Suppose there is an adversary that attacks the DP-ABE scheme with encryption in CP-ABE mode. We construct an algorithm that attacks the modified assumption.
Init. runs , who chooses the challenge pair where , and is of size , where .
Setup. Following the strategy in the proof of the CP-ABE scheme [16], uses the modified assumption instance to generate and implicitly sets . Then it chooses and returns to .
Phase 1. queries the secret key corresponding to the pair where is of size and is of size . Since , we have . acts as follows:
Let . Choose where . The vector of the shares of is . For choose and compute
Set .
Let . Following the strategy in the proof of the CP-ABE scheme [16], use the modified assumption instance to generate
Set .
Return .
Challenge. submits two messages from the message space . Following the strategy in the proof of the CP-ABE scheme [16], uses the modified assumption instance to generate and , and returns to .
Phase 2. Phase 1 is repeated.
Guess. outputs a bit . outputs as its guess.
From the view of , the simulation is indistinguishable from the real experiment. Note also that in a secret key , can be used to recover from , and the distribution of is the same as that of a secret key generated with in the CP-ABE scheme [16]. Therefore, the challenge ciphertext is actually , exactly as in the CP-ABE scheme [16]. This proves the theorem.

Theorem 3. Suppose that the KP-ABE and CP-ABE schemes [16] are selectively IND-CPA secure, then the proposed DP-ABE scheme with key generation in CP-ABE (or KP-ABE) mode is selectively IND-CPA secure.

Proof. We sketch the security of key generation in CP-ABE mode; the KP-ABE mode is similar.
We follow the strategy of the proof of Theorem 1. The only difference is that is also allowed to ask for secret keys corresponding to with and . For such a query, directly calls the key generation oracle of on to obtain , sets , and returns to .

5. Fully Outsourced DP-ABE

In this section, we propose our fully outsourced dual-policy attribute-based encryption (FO-DP-ABE) scheme.

5.1. System Model

As illustrated in Figure 1, five entities are involved in the system: the private key generator (PKG), data owner (DO), data user (DU), cloud server 1 (CS1), and cloud server 2 (CS2). A data owner can also be a data user, and vice versa. Specifically:
(i) The Private Key Generator is responsible for setting up the system parameters and distributing all cryptographic keys to the other entities.
(ii) The Data Owner encrypts data and uploads the ciphertext to the cloud.
(iii) The Data User downloads ciphertext from the cloud and decrypts it to recover the data.
(iv) Cloud Server 1 provides outsourced computation (key generation, encryption, and decryption) and data storage.
(v) Cloud Server 2 provides outsourced computation (key generation and encryption).

As shown in Figure 2, the system process is as follows:
(1) System Initialization. The PKG generates the public parameters PK and the master secret key MSK, broadcasts PK to all entities, and keeps MSK locally.
(2) User Registration. The PKG continuously requests intermediate keys IKs from the two cloud servers. For each data user, the PKG assigns an objective access structure and a subjective attribute set , and uses IK1 and IK2 to generate a transformation key TK and a retrieval key RK. TK is sent to cloud server 1 and RK is sent to the user.
(3) Data Encryption. The data owner continuously requests intermediate ciphertexts ITs from the two cloud servers. To encrypt a message msg, the owner uses IT1 and IT2 to generate a ciphertext CT under an objective attribute set and a subjective access structure . CT is uploaded to cloud server 1.
(4) Data Decryption. Cloud server 1 runs outsourced decryption on CT with TK to produce a transformed ciphertext TCT. The user downloads TCT and decrypts it with RK to recover msg.

The channels carrying TK, RK, IKs, and ITs must be secure (confidential and authenticated): secret keys are always distributed privately, and the intermediate computation results must not be accessible to outsiders.
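As an added example that is not the paper's construction, the following Python shows the key-blinding idea behind outsourced decryption (Section 1.1.2) and the TK/RK flow of the system model above on a toy ElGamal key encapsulation in a prime-order subgroup of the integers mod P: the PKG splits the decryption capability into a transformation key TK = α·z⁻¹ mod Q for cloud server 1 and a retrieval key RK = z for the user; the server turns the ciphertext header into TCT = g^{αs/z}, and the user recovers the session key with a single exponentiation. All names, the toy parameters P, Q, G (a 12-bit prime, chosen for readability and not secure) and the SHA-256 KDF are assumptions of this example; the CHK one-time signature and the FO check of the actual FO-DP-ABE are not modelled.

```python
"""Added example: outsourced decryption via key blinding on a toy ElGamal KEM.
Not the paper's DP-ABE; group parameters are toy values chosen for this example."""
import hashlib
import secrets
from typing import Tuple

# Toy group (assumed): P is a safe prime, Q = (P - 1) / 2 is prime, and G = 4 is a
# quadratic residue, so it generates the subgroup of prime order Q.
P = 4079
Q = 2039
G = 4


def keygen() -> Tuple[int, int]:
    """PKG: master secret alpha (role of MSK) and public h = g^alpha (role of PK)."""
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha, pow(G, alpha, P)


def encapsulate(h: int) -> Tuple[int, int]:
    """Data owner: header C0 = g^s and session key K = h^s = g^(alpha*s)."""
    s = secrets.randbelow(Q - 1) + 1
    return pow(G, s, P), pow(h, s, P)


def make_transformation_key(alpha: int) -> Tuple[int, int]:
    """PKG: blind the decryption exponent with a fresh z in [2, Q-1].
    TK = alpha / z mod Q goes to cloud server 1; RK = z goes to the data user."""
    z = secrets.randbelow(Q - 2) + 2
    tk = alpha * pow(z, -1, Q) % Q
    return tk, z


def transform(tk: int, c0: int) -> int:
    """Cloud server 1: TCT = C0^TK = g^(alpha*s/z) = K^(1/z). Without z the server
    holds only a blinded value; K itself stays hidden (the Green et al. argument)."""
    return pow(c0, tk, P)


def retrieve(rk: int, tct: int) -> int:
    """Data user: one exponentiation, K = TCT^RK = g^(alpha*s)."""
    return pow(tct, rk, P)


def kdf(k: int, n: int) -> bytes:
    """Derive n <= 32 bytes of keystream from the group element K (assumed KDF)."""
    return hashlib.sha256(b"toy-kem-kdf" + k.to_bytes(2, "big")).digest()[:n]


def encrypt(h: int, msg: bytes) -> Tuple[int, bytes]:
    """Hybrid encryption of a short message: (C0, msg XOR KDF(K))."""
    if len(msg) > 32:
        raise ValueError("toy KDF yields at most 32 bytes of keystream")
    c0, k = encapsulate(h)
    return c0, bytes(a ^ b for a, b in zip(msg, kdf(k, len(msg))))


def decrypt_outsourced(tk: int, rk: int, c0: int, body: bytes) -> bytes:
    """The two-step decryption of the system model: cloud transform, then user retrieve."""
    tct = transform(tk, c0)   # performed by cloud server 1 on the stored ciphertext
    k = retrieve(rk, tct)     # performed by the data user with the retrieval key
    return bytes(a ^ b for a, b in zip(body, kdf(k, len(body))))


if __name__ == "__main__":
    alpha, h = keygen()
    tk, rk = make_transformation_key(alpha)
    c0, body = encrypt(h, b"EMR: BP 120/80")   # constructed sample record
    assert decrypt_outsourced(tk, rk, c0, body) == b"EMR: BP 120/80"
    print("outsourced decryption round trip ok")
```

In the ABE setting of the paper the same split applies to the pairing-based key: the heavy policy-dependent computation moves to the server holding TK, while RK is a single exponent the user applies once, which is why the user-side cost in Section 6 does not grow with the number of attributes.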

5.2. Syntax

An FO-DP-ABE for access structure space contains the following algorithms:
(i) Setup. The setup algorithm takes a security parameter and a universe description as input, and outputs the public parameters and the master secret key .
(ii) KeyGen.out. The outsourced key generation algorithm takes the public parameters as input, and outputs an intermediate key .
(iii) KeyGen.pkg. The local key generation algorithm takes the public parameters , the master secret key , an objective access structure , a subjective attribute set , and two intermediate keys as input, and outputs a transformation key and a retrieval key corresponding to .
(iv) Encrypt.out. The outsourced encryption algorithm takes the public parameters as input, and outputs an intermediate ciphertext .
(v) Encrypt.owner. The local encryption algorithm takes the public parameters , a message from the message space , an objective attribute set , a subjective access structure , and two intermediate ciphertexts as input, and outputs a ciphertext encrypted under .
(vi) Decrypt.out. The outsourced decryption algorithm takes the public parameters , a transformation key corresponding to , and a ciphertext encrypted under as input, and outputs a transformed ciphertext if the objective attribute set satisfies the objective access structure , i.e., , and the subjective attribute set satisfies the subjective access structure , i.e., . Otherwise, it outputs .
(vii) Decrypt.user. The local decryption algorithm takes the public parameters , a retrieval key , and a transformed ciphertext as input, and outputs the decryption result .

Correctness. It requires that for all , all , all , all , all , all , all , all , all , and all :

5.3. Security Model

Let be an FO-DP-ABE scheme for access structure space , and consider the following experiments for an adversary .

The FO-DP-ABE experiment against the Type-1 adversary :

Init. declares the challenge objective attribute set and the challenge subjective access structure .

Setup. The challenger runs to obtain and sends to .

Phase 1. initializes an empty table and an integer . Proceeding adaptively, can repeatedly make any of the following queries:
(i) : sets . It runs twice to obtain , runs to obtain , and stores the entry in table .
(ii) : retrieves the th entry in table and returns to .
(iii) : retrieves the th entry in table and returns to . Note that the th entry does not satisfy and simultaneously.
(iv) : runs to obtain and returns to .
(v) : runs to obtain and returns to .
(vi) : retrieves the th entry in table and returns the output of to .
(vii) : retrieves the th entry in table and returns the output of to . Note that it simply returns if is not generated from .

Challenge. submits two equal-length messages and as the challenge. picks , runs twice to obtain , runs to obtain , and returns to .

Phase 2. Phase 1 is repeated with the restriction that the adversary cannot query:
(i) such that the th entry in table satisfies and simultaneously;
(ii) such that the th entry in table satisfies and simultaneously;
(iii) such that the th entry in table satisfies and simultaneously, and , where is of the th entry in table .

Guess. outputs a guess of . The output of the experiment is 1 iff .

The FO-DP-ABE experiment against the Type-2 adversary :

Same as the above experiment, except that cannot query . Besides, the query is replaced by , and the query is replaced by .

Definition 7. An FO-DP-ABE is selectively IND-CCA secure if for all adversaries , there exists such that:

Remark. The security model covers the situations of encryption and key generation in single-policy modes. If the challenge objective attribute set is , or the challenge subjective access structure is , the adversary cannot make queries which may trivially break the security of .

5.4. Construction

First, we present some intuitions behind the construction. We apply the outsourced computation technique [23] to the proposed DP-ABE and transform it to be secure against chosen-ciphertext attacks. (1) Key generation and encryption are split into two phases: an outsourced computation phase, in which two cloud servers create intermediate keys or ciphertexts offline, and a second phase, in which the PKG or the data owner rapidly computes the “correction factors” and assembles a key or ciphertext online. (2) To make the scheme CCA-secure, the Canetti-Halevi-Katz transformation [31] is applied to make CT non-malleable. The data owner generates a one-time signature on the ciphertext, which allows the cloud server to publicly verify it before the outsourced decryption. Then, the data user can verify TCT according to the Fujisaki-Okamoto transformation [32].

The constructions of single-policy modes of FO-DP-ABE are omitted, which can be achieved in a manner similar to that given in Section 4.

The Setup algorithm is similar to that of our DP-ABE scheme, except that the public parameters include a key derivation function and three hash functions , , . The other algorithms are as follows:

(i) KeyGen.out. Choose and compute

Set .

Choose and compute

Choose and compute

Set , .

Output .

(ii) KeyGen.pkg . Choose . Let be an LSSS access structure with and . Select and assemble

For compute

Choose where . The vector of the shares of is . For compute

Set .

Let be an attribute set. Select and assemble

Compute (we explicitly compute the randomness , which is used to demonstrate that and are well-formed. In a real system, the PKG does not need to correct locally. Thus, the attribute key module would not contain . We consider this in the performance evaluations (Section 6)).

For compute

Set .

Output , .

(iii) Encrypt.out . Choose and compute

Set .

Choose and compute .

Choose and compute

Set , .

Choose and compute

Set .

Output .

(iv) Encrypt.owner . Select and assemble

Choose and compute

Set .

Let be an attribute set. Select and assemble

Compute

For compute

Set .

Let be an LSSS access structure with and . Select and assemble

For compute

Choose where . The vector of the shares of is . For compute

Set .

Compute

Output .

(v) Decrypt.out (we give the details about how to verify the correctness of CT and how to outsource its decryption with TK. Actually, cloud server 1 can execute the verification and precalculation on just after receiving it. Thus, the complexity of Decrypt.out is the same as that of Decrypt in our DP-ABE. We consider this in the performance evaluations (Section 6)). Compute .

Parse . Output if

Parse .

Parse the key and ciphertext:

If , output . Otherwise, calculate and the constants such that . Let denote the index of the attribute in . Output if that

Otherwise, compute

Parse the key and ciphertext:

If , output . Otherwise, calculate and the constants such that . Let denote the index of the attribute in . Output if

or that

Otherwise, compute

Compute , . Output .

(vi) Decrypt.user . Parse and . Compute

If , and , output . Otherwise, .

Correctness. The correctness of the scheme can be easily verified.
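As an added example (not the paper's code), the LSSS step that Decrypt.out relies on: a boolean formula over attributes is converted into an LSSS matrix with the Lewko-Waters algorithm (the conversion Section 6 cites as Ref. [38]), a secret is shared along the rows, and the decryptor looks for constants ω_i with Σ ω_i M_i = (1, 0, …, 0) over the rows its attributes cover, returning None in place of the paper's ⊥ when the attribute set does not satisfy the policy. The toy prime P, the nested-tuple policy syntax and the sample policies are assumptions of this example.

```python
# Added example (not the paper's code); P is a toy prime standing in for the group order.
import secrets
P = 2**31 - 1

def lsss_matrix(policy):
    """Lewko-Waters: formula like ("AND", "A", ("OR", "B", "C")) -> (rows, attrs)."""
    rows, attrs, counter = [], [], [1]
    def walk(node, vec):
        if isinstance(node, str):               # leaf: one matrix row, labelled by the attribute
            rows.append(vec); attrs.append(node); return
        op, left, right = node
        if op == "OR":                          # OR: both children inherit the label
            walk(left, vec); walk(right, vec)
        else:                                   # AND: left gets v|1, right gets (0..0)|-1
            c = counter[0]; counter[0] += 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
    walk(policy, [1])
    return [[x % P for x in r] + [0] * (counter[0] - len(r)) for r in rows], attrs

def share(secret, rows):
    """Shares lambda_i = M_i . (s, r_2, ..., r_n) with fresh random r_j (mod P)."""
    vec = [secret] + [secrets.randbelow(P) for _ in range(len(rows[0]) - 1)]
    return [sum(m * v for m, v in zip(row, vec)) % P for row in rows]

def reconstruct_coeffs(sub_rows):
    """Constants w_i with sum_i w_i*M_i = e_1 mod P (Gaussian elimination), or None if unauthorized."""
    n, width = len(sub_rows), len(sub_rows[0])
    aug = [[sub_rows[i][j] for i in range(n)] + [int(j == 0)] for j in range(width)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, width) if aug[i][col]), None)
        if piv is None: continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        aug = [row if i == r or not row[col] else
               [(a - row[col] * b) % P for a, b in zip(row, aug[r])] for i, row in enumerate(aug)]
        pivots.append(col); r += 1
    if any(not any(row[:n]) and row[n] for row in aug[r:]):
        return None                             # e_1 not in the row span: unauthorized set
    return [aug[pivots.index(c)][n] if c in pivots else 0 for c in range(n)]

def recover(policy, shares, user_attrs):
    """Decrypt.out step: the secret if the key's attributes satisfy the policy, else None (bottom)."""
    rows, attrs = lsss_matrix(policy)
    idx = [i for i, a in enumerate(attrs) if a in user_attrs]
    w = reconstruct_coeffs([rows[i] for i in idx]) if idx else None
    return None if w is None else sum(wi * shares[i] for wi, i in zip(w, idx)) % P
```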

5.5. Security Analysis

Theorem 4. If the proposed DP-ABE is selectively IND-CPA secure, then the proposed FO-DP-ABE scheme is selectively IND-CCA secure in the random oracle model.

Proof. In the security model, the Type-1 adversary gets more information (i.e., all transformation keys) than the Type-2 adversary, so we only prove the security against the former.
Suppose there is an adversary that can attack the proposed FO-DP-ABE in the selective CCA security model. We can construct an algorithm to break the proposed DP-ABE in the selective CPA security model.
Init. runs , who chooses the challenge pair where is of size and is of size . passes them on to the challenger of the DP-ABE scheme.
Setup. receives the public parameters from , and returns them to .
Phase 1. initializes an empty table , an integer , and three empty lists . It answers the queries from as follows:
(i) Random Oracle : If there is an entry in , return . Otherwise, choose , record in , and return .
(ii) Random Oracle : If there is an entry in , return . Otherwise, choose , record in , and return .
(iii) Random Oracle : If there is an entry in , return . Otherwise, choose , record in , and return .
(iv) : Suppose is of size , and is of size . Set and act as follows:
(1) If and , then choose , run twice to obtain , and run to obtain . Set , . Otherwise, or . Call the key generation oracle of on to obtain , where
Choose .
For choose and compute
Set .
Choose and compute
For choose and compute
Set .
Set .
(2) Store in .
(v) : Retrieve the th entry in and return .
(vi) : Retrieve the th entry in and return .
(vii) : Parse and act as follows:
(1) Retrieve the th entry in .
(2) Parse . Output if
Parse the key and ciphertext:
If , output . Otherwise, calculate and the constants such that . Let denote the index of the attribute in . Output if that
Parse the key and ciphertext:
If , output . Otherwise, calculate and the constants such that . Let denote the index of the attribute in . Output if
or that
(3) Search the pairs in , in and in . These pairs should satisfy
(4) If no match is found, return . If more than one match is found, abort the simulation. Otherwise, return .
(viii) : Parse and act as follows:
(1) Retrieve the th entry in .
(2) Search the pairs in , in and in . If and , then . These pairs should satisfy
Otherwise, or , then . These pairs should satisfy
(3) If no match is found, return . If more than one match is found, abort the simulation. Otherwise, return .

Challenge. submits two messages from the message space . acts as follows:
(1) Choose random “messages” and pass them on to to obtain , where
(2) Choose and . Compute
Set .
Choose . For choose and compute
Set .
For choose and compute
Set .
Compute
(3) Return .

Phase 2. Almost the same as Phase 1, but with the specified restrictions.
Guess. Eventually, must either output a bit or abort; either way, ignores it. Next, searches through the lists , , and to see whether the values or appear as the first element of any entry, i.e., whether issued a query of the form , , or . If neither or both of the values appear, outputs a random bit as its guess. If only value appears, outputs as its guess.
It is clear that from the view of , the simulation is indistinguishable from the real experiment. According to the analysis in Ref. [32], the simulation will abort with a negligible probability. The above is the security proof of FO-DP-ABE in dual-policy mode. In single-policy modes, the proof can be conducted similarly. The algorithm obtains secret keys and ciphertexts from the challenger (running in single-policy modes), and re-randomizes them with correction factors. Therefore, we obtain the theorem.

6. Performance Evaluations

In this section, we analyze the performance of our DP-ABE and FO-DP-ABE. In FO-DP-ABE, the costs of one cloud server are evaluated, because the two cloud servers run in parallel.

6.1. Theoretical Analysis

We compare the computation and communication costs in our DP-ABE, FO-DP-ABE and those in related work [6, 15].

Comparison of Computation Cost. Tables 4 and 5 compare the number of modular exponentiations and pairing operations in each algorithm. In Refs. [6, 15] and our DP-ABE, the computation cost of each algorithm grows linearly with the complexity of attribute set and/or access policy. Our FO-DP-ABE outsources almost all expensive computation to cloud servers, leaving constant operations for the PKG, data owners, and users. In particular, the data owner executes one modular exponentiation in to generate a one-time signature; the data user executes one modular exponentiation in to decrypt TCT, and one modular exponentiation in and two modular exponentiations in to verify TCT. The signature generation and ciphertext verification are necessary to realize CCA security.

Comparison of Communication Cost. Tables 6 and 7 show the communication cost of each algorithm. In Refs. [6, 15] and our DP-ABE, the communication cost of each algorithm grows linearly with the complexity of the attribute set and/or access policy. In our FO-DP-ABE, by contrast, the online communication costs of KeyGen.pkg and Encrypt.owner are almost the same as those of our DP-ABE in dual-policy mode, except that in the former several elements are transmitted for the correction of secret keys and ciphertexts. The online communication cost of Decrypt.user is reduced to a constant, i.e., only one element in and three elements in .

6.2. Experimental Analysis

We choose the BN254 elliptic curve in the Charm framework [33] to evaluate the performance of DP-ABE and FO-DP-ABE. We use a MacBook Pro laptop with an Intel i5 CPU @2.3 GHz and 8 GB RAM running Python 3.7.4.

Experiment Setting. (1) In DP-ABE in single-policy modes, the overheads are linear in only one value (i.e., the number of attributes in the objective/subjective access policy or the objective/subjective attribute set). We use access policies of type and attribute sets of type , with increasing from 5 to 100. (2) In DP-ABE in dual-policy mode and in FO-DP-ABE, the overheads depend on two values. We use the above access policies and attribute sets for subjective (resp. objective) attributes, with the sizes of the access policies and attribute sets for objective (resp. subjective) attributes fixed to 5 or 100, to simulate the minimum or maximum overhead. (3) The test data to be encrypted is an element in . Access policies are converted into LSSS using the method of Ref. [38]. Instances are independent of each other, and each is repeated 20 times for accuracy.

Execution Time. Figures 3(a)–3(j) show the execution time of each algorithm. (1) In Figures 3(a)–3(c), the time of KeyGen in single-policy modes is about 43–925 ms, about half of that in the dual-policy mode. Since the cloud servers take on the vast majority of key generation, the time of KeyGen.out in FO-DP-ABE is almost the same as the time of KeyGen in DP-ABE in dual-policy mode, about 84–1731 ms. The computation of the PKG is reduced to a constant; KeyGen.pkg always takes less than 50 ms. (2) Similarly, in Figures 3(d)–3(f), the time of Encrypt in single-policy modes is about 59–947 ms, about half of that in the dual-policy mode. Since the cloud servers take on the vast majority of encryption, the time of Encrypt.out in FO-DP-ABE is almost the same as the time of Encrypt in DP-ABE in dual-policy mode, about 101–1730 ms. The computation of the data owner is reduced to a constant; Encrypt.owner always takes less than 75 ms. (3) In Figures 3(g) and 3(h), the time of Decrypt in single-policy modes is constant in two cases (KP-CT with CP-SK, CP-CT with KP-SK), about 144 ms. In the other cases, the time is 795–14456 ms. (4) In Figures 3(i) and 3(j), since cloud server 1 takes on the vast majority of decryption, the time of Decrypt.out in FO-DP-ABE is almost the same as the time of Decrypt in DP-ABE in dual-policy mode, about 795–28894 ms. The computation of the data user is reduced to a constant; Decrypt.user always takes less than 80 ms.

Transfer Size. Figures 3(k)–3(t) illustrate the transfer size of each algorithm. (1) In Figures 3(k)–3(m), the sizes of SK in single-policy modes are 372–8300 bytes, about half of those in the dual-policy mode. The sizes of IK and SK in FO-DP-ABE are larger than the sizes of SK in DP-ABE in dual-policy mode, since the former contain correction factors. (2) Similarly, in Figures 3(n)–3(p), the sizes of CT in single-policy modes are 612–8602 bytes, about half of those in the dual-policy mode. The sizes of IT and CT in FO-DP-ABE are larger than the sizes of CT in DP-ABE in the dual-policy mode, since the former contain correction factors. (3) In Figures 3(q) and 3(r), in single-policy modes during decryption, the sizes of CT are always 302 bytes in two cases (KP-CT with CP-SK, CP-CT with KP-SK). In the other cases the sizes are 591–8602 bytes. (4) In Figures 3(s) and 3(t), in DP-ABE in the dual-policy mode, the sizes of CT during decryption are exactly the same as those during encryption. In FO-DP-ABE, the sizes of TCT are always 761 bytes.

denote a modular exponentiation in and a pairing computation, respectively. indicate the number of attributes in , respectively. In decryption, and indicate the number of objective and subjective attributes, respectively.

denote the size of an element in , respectively. Also, refer to the acronyms of Table 4. We omit the communication overheads of access structures.

7. Conclusion

In this work, we revisited dual-policy attribute-based encryption (DP-ABE) for secure data sharing in the cloud. In particular, we proposed two monotone LSSS-realizable large-universe DP-ABE schemes based on prime-order asymmetric pairing groups. The first one is a basic CPA-secure scheme, based on which we demonstrated two flexibility-enhancing access control features, namely, encryption and key generation in single-policy modes. The second one realizes fully outsourced computation and CCA security, which makes it more efficient and more secure for practical deployments. The experimental results show the efficiency of our schemes.

Data Availability

All data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The authors thank the “16th International Conference on Information Security and Cryptology (Inscrypt 2020).” This work was supported in part by National Natural Science Foundation of China (Nos. U1936209 and 62002353), China Postdoctoral Science Foundation (No. 2021M701726), and Yunnan Provincial Major Science and Technology Special Plan Projects (No. 202103AA080015).