A Key-Policy Attribute-Based Broadcast Encryption

444

The International Arab Journal of Information Technology, Vol. 10, No. 5, September 2013

A Key-Policy Attribute-Based Broadcast Encryption
Jin Sun (1,2), Yupu Hu (1), and Leyou Zhang (1)
(1) Key Lab of Computer Network and Information Security, Xidian University, China
(2) Department of Application Mathematics, Xi'an University of Technology, China

Abstract: Broadcast encryption has wide applications in the real world, yet earlier schemes did not address security and efficiency in the standard model simultaneously. An "unbounded" Key-Policy Attribute-Based Broadcast Encryption scheme (KP-ABBE) is proposed by combining Waters' dual system encryption, attribute-based encryption and broadcast encryption. In the standard model, the scheme achieves constant-size public parameters, and the public parameters impose no additional limitations on the functionality of the system (it is unbounded): neither a small attribute universe nor a bound on the size of attribute sets has to be fixed at setup. The scheme is proved secure using the dual system encryption argument and four static assumptions which do not depend on the number of queries the attacker makes. The analysis shows that the scheme is selectively secure. Keywords: Attribute-based encryption, broadcast encryption, dual system, KP-ABBE, provably secure. Received March 21, 2011; accepted June 13, 2013; published online August 5, 2012

1. Introduction
The concept of broadcast encryption was first introduced by Fiat and Naor [8]: a sender who wants to send a message to a dynamically chosen subset S of users constructs a ciphertext so that only users in S can decrypt it, and can then safely transmit this ciphertext over a broadcast channel to all users. It promptly became a new hot spot of cryptology, and many special-purpose broadcast encryption schemes [1, 2, 6, 7, 10, 11, 22] were proposed in succession. However, these schemes have obvious deficiencies: their security rests on strong or non-standard cryptographic assumptions; they guarantee only chosen-plaintext security or selective-ID security; or they are designed in the random oracle model. Recently, a new public-key primitive called Attribute-Based Encryption (ABE), also called fuzzy identity-based encryption [4, 9, 14], has received much attention. It has significant advantages over traditional PKC primitives and is therefore envisioned as an important tool for secure, fine-grained data sharing and access control. In an ABE scheme, sets of descriptive attributes defined for the system's users (characteristics of an identity, for example "Faculty", "CS Dept.", "Tenured", etc.) label the keys and/or ciphertexts, and a particular user's private key can decrypt a particular ciphertext only if the two match. Key-Policy Attribute-Based Encryption (KP-ABE) [9] is one of the ABE systems: users' secret keys are associated with access policies over a universe (a set with some added features) of attributes, and ciphertexts are associated with sets of attributes. In the ABE setting, the particular access policies and attribute sets may change over time; however, in the standard model, once the public parameters (public key) have been set, current constructions do not allow complete versatility in the choice of attributes and policies.

1.1. Our Contribution
In this work, we make the following contributions: 1. We present the definition of a KP-ABBE scheme and its security model. 2. By combining Waters' dual system encryption, KP-ABE and broadcast encryption, we propose an "unbounded" key-policy attribute-based broadcast encryption scheme. In the standard model, the scheme achieves constant-size public parameters, imposes no bound on the size of attribute sets used for encryption, and has a large attribute universe. It supports LSSS matrices [17] as access structures and additionally provides delegation capabilities to users. To overcome the limitations of previous constructions, we employ a secret-sharing technique and introduce fresh "local" randomness for the keys and ciphertexts, creating many samples each with new randomness and thereby avoiding the insecurity of the previous approach described above. 3. We prove the selective security of our KP-ABBE scheme from the same static, generically secure assumptions in composite order bilinear groups.


1.2. Related Work
There are two kinds of broadcast encryption settings in the literature: the private key setting and the public key setting. Public Key Broadcast Encryption (PKBE) overcomes a shortcoming of private key broadcast encryption, namely that the center may be a single point of failure. By the work of Dodis and Fazio [7], some private key broadcast encryption schemes could be transformed into public key broadcast encryption schemes using a Hierarchical Identity-Based Encryption (HIBE) scheme. Boneh et al. [1] improved their method by applying the HIBE scheme, which results in PKBE schemes with O(r) ciphertexts and O(log2 n) private keys. Recently, Boneh et al. [2] proposed an efficient PKBE scheme for a large number n of users. More recently, Delerablee et al. [6] suggested a new PKBE scheme that features O(r) ciphertexts and O(1) private keys at the expense of decryption cost and public key size. ABE was first proposed by Sahai and Waters [20]. To reduce the trust placed in the attribute authority, Chase [5] proposed a multi-authority attribute-based encryption scheme in which each authority controls some of the attributes. There are two methods for access control based on ABE: Key-Policy ABE (KP-ABE), where each attribute private key is associated with an access structure and each ciphertext is labeled with a set of attributes, and Ciphertext-Policy ABE (CP-ABE), where ciphertexts are associated with access policies and keys are associated with sets of attributes. Both notions were proposed by Goyal et al. in [9]; the first KP-ABE construction [9] realizes monotonic access structures for key policies. To enable more flexible access policies, Ostrovsky et al. [18] presented the first KP-ABE system that supports non-monotone formulas in key policies. Recently, fully secure constructions were provided by Lewko et al. [14], and Okamoto and Takashima [19] proposed a predicate encryption scheme based on the primitive called hidden vector encryption, further studied in [12, 13]. The methodology of dual system encryption was introduced by Waters [21] and later used in [15, 16] to obtain adaptive security for IBE, HIBE, and ABE systems. Except that we do not consider leakage resilience and provide only selective security in the ABE case, the abstractions we provide for dual system encryption in the HIBE and ABE settings are similar to those provided in [15].


2. Preliminaries

2.1. Linear Secret-Sharing Schemes
Our construction will employ Linear Secret-Sharing Schemes (LSSS) [17], defined as follows:
• LSSS: A secret sharing scheme $L$ over a set of parties $S$ is called linear (over $\mathbb{Z}_p$) if: 1. The shares for each party form a vector over $\mathbb{Z}_p$. 2. There exists an $m \times n$ matrix $A$, called the share-generating matrix for $L$. For all $i = 1,\dots,m$, the $i$-th row of $A$ is labeled by a party $f(i)$, where $f$ is a function from $\{1,\dots,m\}$ to $S$. For the column vector $v = (s, r_2, \dots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \dots, r_n \in \mathbb{Z}_p$ are chosen at random, $Av$ is the vector of $m$ shares of $s$ according to $L$, and the share $(Av)_i$ belongs to party $f(i)$. We note the linear reconstruction property: let $L$ denote an LSSS for access structure $\mathbb{A}$, let $S$ denote an authorized set, and define $U \subset \{1,\dots,m\}$ as $U = \{i \mid f(i) \in S\}$. Then there exist constants $\{\lambda_i \in \mathbb{Z}_p\}_{i \in U}$ such that $\sum_{i \in U} \lambda_i \tau_i = s$ for any valid shares $\{\tau_i\}$ of a secret $s$ according to $L$. These constants $\{\lambda_i\}$ can be found in time polynomial in the size of the share-generating matrix $A$.

2.2. Composite Order Bilinear Groups
Composite order bilinear groups were used in cryptographic constructions in [3]. We use groups whose order is the product of three primes and a generator $\mathcal{G}$ which takes as input the security parameter $\lambda$ and outputs a description $(N = p_1 p_2 p_3, G, G_T, e)$, where $p_1, p_2, p_3$ are distinct primes, $G$ and $G_T$ are cyclic groups of order $N$, and $e: G \times G \to G_T$ is a map with the following properties: 1. Bilinearity: $\forall g, h \in G$, $a, b \in \mathbb{Z}_N$, $e(g^a, h^b) = e(g,h)^{ab}$. 2. Non-degeneracy: $\exists g \in G$ such that $e(g,g)$ has order $N$ in $G_T$. Furthermore, for $a, b \in \{1, p_1, p_2, p_3\}$ we denote by $G_{ab}$ the subgroup of order $ab$. From the fact that the group is cyclic, it is simple to verify that if $h_1$ and $h_2$ are group elements of different order (and thus belonging to different subgroups), then $e(h_1, h_2) = 1$. To see this, suppose $h_1 \in G_{p_1}$ and $h_2 \in G_{p_2}$. We let $g$ denote a generator of $G$. Then $g^{p_1 p_2}$ generates $G_{p_3}$, $g^{p_1 p_3}$ generates $G_{p_2}$, and $g^{p_2 p_3}$ generates $G_{p_1}$. Hence, for some $\alpha_1, \alpha_2$, $h_1 = (g^{p_2 p_3})^{\alpha_1}$ and $h_2 = (g^{p_1 p_3})^{\alpha_2}$, and we note:
$$e(h_1, h_2) = e(g^{p_2 p_3 \alpha_1}, g^{p_1 p_3 \alpha_2}) = e(g^{\alpha_1}, g^{p_3 \alpha_2})^{p_1 p_2 p_3} = 1.$$
This is called the orthogonality property and is a crucial tool in our constructions.

2.3. Complexity Assumptions
We use the notation $x \leftarrow G$ to express that $x$ is chosen uniformly at random from the finite set $G$.
• Assumption 1: For a generator $\mathcal{G}$ returning bilinear settings whose order is the product of three primes, we define the following distribution. First pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g \leftarrow G_{p_1}$, $T_1 \leftarrow G_{p_1 p_2}$, $T_2 \leftarrow G_{p_1}$, and set $D = (\Gamma, g)$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 1 to be:
$$\mathrm{Adv}^{1}_{\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right| \quad (1)$$
• Definition 1: We say that Assumption 1 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{1}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
• Assumption 2: For a generator $\mathcal{G}$ returning bilinear settings whose order is the product of three primes, we define the following distribution. First pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g \leftarrow G_{p_1}$, $g_2, X_2, Y_2 \leftarrow G_{p_2}$, $g_3 \leftarrow G_{p_3}$, $\alpha, s \leftarrow \mathbb{Z}_N$, and set $D = (\Gamma, g, g_2, g_3, g^\alpha X_2, g^s Y_2)$, $T_1 = e(g,g)^{\alpha s}$, $T_2 \leftarrow G_T$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 2 to be:
$$\mathrm{Adv}^{2}_{\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right| \quad (2)$$
• Definition 2: We say that Assumption 2 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{2}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
• Assumption 3: For a generator $\mathcal{G}$ returning bilinear settings whose order $N$ is the product of three primes, we define the following distribution. First we pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g, X_1 \leftarrow G_{p_1}$, $g_2 \leftarrow G_{p_2}$, $g_3 \leftarrow G_{p_3}$, and set $D = (\Gamma, g, g_2, X_1 X_3)$, $T_1 \leftarrow G_{p_1}$, $T_2 \leftarrow G_{p_1 p_3}$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 3 to be:
$$\mathrm{Adv}^{3}_{\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right| \quad (3)$$
• Definition 3: We say that Assumption 3 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{3}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
• Assumption 4: For a generator $\mathcal{G}$ returning bilinear settings whose order $N$ is the product of three primes, we define the following distribution. First we pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g, X_1 \leftarrow G_{p_1}$, $X_2, Y_2 \leftarrow G_{p_2}$, $g_3, Y_3 \leftarrow G_{p_3}$, and set $D = (\Gamma, g, g_3, X_1 X_2 X_3, Y_2 Y_3)$, $T_1 \leftarrow G_{p_1 p_3}$, $T_2 \leftarrow G$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 4 to be:
$$\mathrm{Adv}^{4}_{\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right| \quad (4)$$
• Definition 4: We say that Assumption 4 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{4}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.

2.4. The Definition of Dual System Encryption KP-ABBE
A dual system encryption KP-ABBE scheme consists of the following algorithms. Because the algorithms EncryptF and KeyGenF are not used in the normal operation of the system and are needed only for the security proof, they need not run in polynomial time.
• Setup($1^\lambda$, U): The setup algorithm takes in the security parameter $1^\lambda$ and the attribute universe description U. It outputs the public parameters Pk and a master secret key Mk.
• KeyGen(Mk, $\mathbb{A}$): The key generation algorithm takes in the master secret key Mk, an access structure $\mathbb{A}$, and the public parameters. It outputs a secret key Sk.
• KeyGenF(Mk, $\mathbb{A}$): The semi-functional key generation algorithm takes in the master secret key Mk, the public parameters, an access structure $\mathbb{A}$, and an attribute vector $\vec{x} \in \{0,1\}^n$. It outputs a semi-functional secret key $\tilde{S}k$.
• Encrypt(Pk, $\{\vec{x}\}$, M): Takes as input the public parameters Pk, an attribute set $\{\vec{x} \mid \vec{x} \in \{0,1\}^n\}$ and a message M from the associated message space, and returns a ciphertext C.
• EncryptF(Pk, $\{\vec{x}\}$, M): The semi-functional encryption algorithm takes in a set of attributes $\{\vec{x} \mid \vec{x} \in \{0,1\}^n\}$, the public parameters Pk, and a message M. It outputs a semi-functional ciphertext $\tilde{C}$.
• Decrypt(Pk, C, Sk): The algorithm takes in a ciphertext encrypted under a set of attributes $\{\vec{x} \mid \vec{x} \in \{0,1\}^n\}$ and a secret key for an access structure $\mathbb{A}$. It outputs the message M if the key and ciphertext are not both semi-functional and $\{\vec{x} \mid \vec{x} \in \{0,1\}^n\}$ satisfies $\mathbb{A}$.

2.5. Selective Security Definition for KP-ABBE
We let U denote the attribute universe. Later, we will refer to this game as $Game_{KP\text{-}ABBE}$ with delegation. We assume that the universe of attributes is known by the attacker in the initialization phase.
• Initialization: The attacker chooses a set $S' \subseteq U$ of attributes which it will attack, and gives this to the challenger.
• Setup: The challenger obtains the public parameters Pk by running the Setup algorithm and gives them to the attacker. It also initializes a set $\Phi = \emptyset$.
• Phase 1: The attacker can make many queries, such as create queries, delegate queries and reveal queries [17].
• Challenge: The attacker declares two equal-length messages $M_0$ and $M_1$. The challenger flips a random coin $b \in \{0,1\}$, encrypts $M_b$ under $S'$ to produce a ciphertext C, and gives C to the attacker.
• Phase 2: The attacker again makes create, delegate, and reveal queries, subject to the same constraints as in Phase 1.
• Guess: Finally, the attacker outputs a guess $b'$ for $b$ and wins the game if $b = b'$. The advantage of an attacker $\mathcal{A}$ in this game is defined as:
$$\mathrm{Adv}^{KP\text{-}ABBE}_{\mathcal{A}}(\lambda) = \left|\Pr[b = b'] - \tfrac{1}{2}\right| \quad (5)$$
Next, we define three security properties for a dual system encryption KP-ABBE scheme. We first define $Game_C$ to be the same as $Game_{KP\text{-}ABBE}$, except that in the challenge phase the challenger creates a semi-functional ciphertext by calling EncryptF instead of Encrypt. We also define $Game_F$ to be the same as $Game_{KP\text{-}ABBE}$, except that the challenger takes as input the set $\{\vec{x} \mid \vec{x} \in \{0,1\}^n\}^*$ initially provided by the attacker and responds to all key requests by calling KeyGenF.
• Semi-functional Ciphertext Invariance: For a dual system encryption KP-ABBE scheme $\Omega = ($Setup, KeyGen, KeyGenF, Encrypt, EncryptF, Decrypt$)$ and any PPT attacker $\Im$, if the advantage of $\Im$ in $Game_C$ is negligibly close to the advantage of $\Im$ in $Game_{KP\text{-}ABBE}$, we say it has semi-functional ciphertext invariance. We denote this by:
$$\left|\mathrm{Adv}^{KP\text{-}ABBE}_{\Im}(\lambda) - \mathrm{Adv}^{C}_{\Im}(\lambda)\right| = \mathrm{negl}(\lambda) \quad (6)$$
• Semi-Functional Key Invariance: For any PPT attacker $\Im$ and a dual system encryption KP-ABBE scheme $\Omega = ($Setup, KeyGen, KeyGenF, Encrypt, EncryptF, Decrypt$)$, if the advantage of $\Im$ in $Game_F$ is negligibly close to the advantage of $\Im$ in $Game_C$, we say it has semi-functional key invariance. We denote this by:
$$\left|\mathrm{Adv}^{C}_{\Im}(\lambda) - \mathrm{Adv}^{F}_{\Im}(\lambda)\right| = \mathrm{negl}(\lambda) \quad (7)$$
• One Semi-Functional Key Invariance: For a dual system encryption KP-ABBE scheme $\Omega = ($Setup, KeyGen, KeyGenF, Encrypt, EncryptF, Decrypt$)$ and any PPT attacker $\Im$, if the advantage of $\Im$ in $Game_0$ is negligibly close to the advantage of $\Im$ in $Game_1$, we say it has one semi-functional key invariance. We denote this by:
$$\left|\mathrm{Adv}^{0}_{\Im}(\lambda) - \mathrm{Adv}^{1}_{\Im}(\lambda)\right| = \mathrm{negl}(\lambda) \quad (8)$$
• Definition 5: For a key-policy attribute-based broadcast encryption system with delegation, if all polynomial-time attackers have at most a negligible advantage in the above security game and the system has the three security properties, we say it is selectively secure.

3. Constructing Key-Policy Attribute-Based Broadcast Encryption

3.1. Our Scheme
In this section we describe our construction for a key-policy attribute-based broadcast encryption scheme. In our system, the public parameters consist of a constant number of elements from a bilinear group of composite order $N$, and the attribute universe is $\mathbb{Z}_N$. Secret keys are associated with LSSS access matrices, while ciphertexts are associated with sets of attributes. Without loss of generality, to share a value $a$, one employs a vector $\vec{a}$ with first coordinate equal to $a$, and the shares are obtained by multiplying the rows of the LSSS matrix with $\vec{a}$. A subset of rows is capable of reconstructing the shared secret if and only if their span includes the vector $(1, 0, \dots, 0)$. We let $g_i$ denote a generator of the subgroup $G_{p_i}$ for $i = 1, 2, 3$.
• Setup($1^\lambda$): The setup algorithm chooses a description of a bilinear group $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running a generator algorithm $\mathcal{G}$ on input $1^\lambda$. The setup algorithm chooses uniformly random $g, h, u, v, w \in G_{p_1}$ and $a \in \mathbb{Z}_N$; then the public parameters are $pk = \{\Gamma, g, h, u, v, w, e(g,g)^a\}$ and the master secret key is $mk = a$.
• KeyGen($mk$, $(A, f)$): Let $(A, f)$ be an LSSS matrix, where $A$ is an $m \times n$ matrix over $\mathbb{Z}_N$ and $f$ maps each row of $A$ to an attribute in $\mathbb{Z}_N$. The key generation algorithm chooses a random $\vec{a} = (a, *, \dots, *) \in \mathbb{Z}_N^n$ and random values $\alpha_1, \dots, \alpha_m, \beta_1, \dots, \beta_m \in \mathbb{Z}_N$. For $i \in \{1, \dots, m\}$, the algorithm uses $A_i$ to denote the $i$-th row of $A$ and $f(i)$ to denote the attribute associated with this row by the mapping $f$. We let $\tau_i = A_i \cdot \vec{a}$ denote the share associated with the row $A_i$ of $A$. The secret key is formed as:
$$d_{i1} = g^{\tau_i} w^{\beta_i},\quad d_{i2} = g^{\beta_i},\quad d_{i3} = v^{\beta_i}(u^{f(i)} h)^{\alpha_i},\quad d_{i4} = g^{\alpha_i}.$$
• KeyGenF($mk$, $(A, f)$, $Z'_N$): When the semi-functional key generation algorithm is called for the first time, it chooses two random values $\gamma, \theta \in \mathbb{Z}_N$ which it stores and uses on all subsequent calls. Each time it is called, the semi-functional key generation algorithm first calls the normal key generation algorithm KeyGen to obtain a normal secret key $d'_i = \{d'_{i1}, d'_{i2}, d'_{i3}, d'_{i4}\}$ for all $i \in \{1, \dots, m\}$. It forms the semi-functional key as follows, for all $i \in \{1, \dots, m\}$:
• If $f(i) \in Z'_N$, then $d_{i1} = d'_{i1}$, $d_{i2} = d'_{i2}$, $d_{i3} = d'_{i3}$, $d_{i4} = d'_{i4}$.
• If $f(i) \notin Z'_N$, the algorithm chooses a random value $\tilde{\beta}_i \in \mathbb{Z}_N$ and sets
$$d_{i1} = d'_{i1} \cdot (g_2 g_3)^{\gamma \tilde{\beta}_i},\quad d_{i2} = d'_{i2} \cdot (g_2 g_3)^{\tilde{\beta}_i},\quad d_{i3} = d'_{i3} \cdot (g_2 g_3)^{\theta \tilde{\beta}_i},\quad d_{i4} = d'_{i4}.$$
• Encrypt($pk$, $\{k\}$, $M$): In order to send a message $M \in G_T$ to the receiver collection $\{k \mid k \in \tilde{Z}_N, k = 1, \dots, l\}$ ($l \leq m$), the encryption algorithm takes in the message $M$, a set of attributes $\tilde{Z}_N$, and the public parameters. We let $l$ denote the size of the set $\tilde{Z}_N$ and $z_1, \dots, z_l \in \tilde{Z}_N$ denote its elements. The encryption algorithm chooses random $s, r_1, \dots, r_l \in \mathbb{Z}_N$ and creates the ciphertext as:
$$C = (C_0, C_1, C_2, C_3, C_4) = \left( M\, e(g,g)^{as},\ g^s,\ w^s v^{\sum_{k=1}^{l} r_k},\ g^{\sum_{k=1}^{l} r_k},\ \prod_{k=1}^{l} (u^{z_k} h)^{r_k} \right) \quad (9)$$
• EncryptF($M$, $\{k \mid k \in \tilde{Z}_N\}$): In order to send a message $M \in G_T$ to the receiver collection $\{k \mid k \in \tilde{Z}_N, k = 1, \dots, l\}$ ($l \leq m$), the semi-functional encryption algorithm first calls the normal encryption algorithm Encrypt to obtain a normal ciphertext $C' = (C'_0, C'_1, C'_2, C'_3, C'_4)$ for $\{k \mid k \in \tilde{Z}_N\}$. Then it chooses two random values $\eta, \sigma \in \mathbb{Z}_N$ and forms the semi-functional ciphertext as follows:
$$C_0 = C'_0,\quad C_1 = C'_1 g_2^{\eta},\quad C_2 = C'_2 g_2^{\sigma},\quad C_3 = C'_3,\quad C_4 = C'_4.$$
• Decrypt: Upon receiving a ciphertext $C = (C_0, C_1, C_2, C_3, C_4)$, a legitimate user with attribute $k$ checks whether the attributes of the ciphertext satisfy the policy of the secret key. If not, it refuses to decrypt; otherwise it computes constants $\lambda_k$ such that $\sum_{f(k) \in \tilde{Z}_N} \lambda_k A_k = (1, 0, \dots, 0)$. It then computes:
$$e(g,g)^{as} = \prod_{f(k) \in \tilde{Z}_N} \left( \frac{e(C_1, d_{k1})\, e(C_3, d_{k3})}{e(C_2, d_{k2})\, e(C_4, d_{k4})} \right)^{\lambda_k} \quad (10)$$
and then obtains the message $M = C_0 / e(g,g)^{as}$.

3.2. Correctness
Let $C = (C_0, C_1, C_2, C_3, C_4)$ be a legitimate ciphertext; then correctness can be verified by the following equalities:
$$\prod_{f(k) \in \tilde{Z}_N} \left( \frac{e(C_1, d_{k1})\, e(C_3, d_{k3})}{e(C_2, d_{k2})\, e(C_4, d_{k4})} \right)^{\lambda_k}
= \prod_{f(k) \in \tilde{Z}_N} \left( \frac{e(g^s, g^{\tau_k} w^{\beta_k})\; e\!\left(g^{\sum_{k=1}^{l} r_k}, v^{\beta_k}(u^{f(k)} h)^{\alpha_k}\right)}{e\!\left(w^s v^{\sum_{k=1}^{l} r_k}, g^{\beta_k}\right)\; e\!\left(\prod_{k=1}^{l} (u^{z_k} h)^{r_k}, g^{\alpha_k}\right)} \right)^{\lambda_k}$$
$$= \prod_{f(k) \in \tilde{Z}_N} \left( e(g,g)^{s \tau_k} \right)^{\lambda_k}
= \left( e(g,g)^{s} \right)^{\sum_{f(k) \in \tilde{Z}_N} \lambda_k \tau_k}
= e(g,g)^{as}$$
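The last step of the argument above, $\sum_k \lambda_k \tau_k = a$, is exactly the linear reconstruction property of Section 2.1 applied to the shares $\tau_i = A_i \cdot \vec{a}$ that KeyGen computes, and the constants $\lambda_k$ are the ones Decrypt (Section 3.1) must find. The following Python program is an added example, not code from the paper: it implements LSSS sharing and the reconstruction test "the rows labelled by the attribute set span $(1, 0, \dots, 0)$" by solving $A_U^{\mathsf{T}} \lambda = e_1$ with Gauss-Jordan elimination modulo a prime. The prime $P$, the policy matrix, the attribute names and all function names are constructed for this example; the composite-order group and the pairing are not modelled, only the exponent-level share arithmetic.

```python
"""Added example (not the paper's code): LSSS sharing and reconstruction
over Z_p, as in Section 2.1, with the reconstruction constants lambda_k
that Decrypt (Section 3.1) and the correctness argument need.
The pairing and the composite-order group are not modelled; only the
share arithmetic tau_i = A_i . v and sum lambda_k tau_k = s is shown.
The prime, the policy matrix and the attribute names are constructed."""
import secrets

P = 2**127 - 1  # constructed prime standing in for the sharing modulus


def _solve_mod(rows, rhs, p):
    """Solve M x = rhs over Z_p by Gauss-Jordan elimination.
    rows: the rows of M; returns one solution or None if inconsistent."""
    m = [[x % p for x in r] + [b % p] for r, b in zip(rows, rhs)]
    nrows, ncols = len(m), len(rows[0])
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, nrows) if m[i][c]), None)
        if piv is None:
            continue                      # no pivot: free variable
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(nrows):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
        if r == nrows:
            break
    if any(m[i][-1] for i in range(r, nrows)):
        return None                       # row reads 0 = nonzero: no solution
    x = [0] * ncols                       # free variables set to 0
    for i, c in enumerate(pivots):
        x[c] = m[i][-1]
    return x


def share(A, s, p):
    """Shares tau = A v for v = (s, r_2, ..., r_n) with random r_j (Sec. 2.1).
    Row i's share tau_i belongs to the party/attribute f(i)."""
    n = len(A[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def reconstruction_constants(A, f, S, p):
    """Constants {lambda_i}_{i in U}, U = {i : f(i) in S}, with
    sum_i lambda_i A_i = (1, 0, ..., 0): the span test of Section 3.1.
    Solving A_U^T lambda = e_1 fails exactly when S is unauthorized."""
    U = [i for i in range(len(A)) if f[i] in S]
    if not U:
        return None
    n = len(A[0])
    M = [[A[i][c] for i in U] for c in range(n)]   # A_U transposed
    e1 = [1] + [0] * (n - 1)
    lam = _solve_mod(M, e1, p)
    return None if lam is None else dict(zip(U, lam))


def reconstruct(A, f, S, shares, p):
    """sum_{i in U} lambda_i tau_i, which equals s iff S satisfies the policy."""
    lam = reconstruction_constants(A, f, S, p)
    if lam is None:
        return None
    return sum(lam[i] * shares[i] for i in lam) % p


if __name__ == "__main__":
    # Constructed policy "(Faculty AND CS) OR Tenured" as an LSSS matrix:
    # rows (1,1) and (0,-1) sum to (1,0); row (1,0) alone is (1,0).
    A = [[1, 1], [0, -1], [1, 0]]
    f = ["Faculty", "CS", "Tenured"]
    shares = share(A, 424242, P)
    for S in ({"Faculty", "CS"}, {"Tenured"}, {"Faculty"}, {"CS"}):
        print(sorted(S), "->", reconstruct(A, f, S, shares, P))
```

The solver is general: it also handles threshold matrices such as the Shamir-style rows $(1, i, i^2, \dots)$, where the reconstruction constants are the usual Lagrange coefficients, and it returns `None` (rather than a wrong value) for every unauthorized set, which is the check Decrypt performs before pairing anything.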

3.3. Efficiency
The key-policy attribute-based broadcast encryption scheme combines Waters' dual system encryption, attribute-based encryption and broadcast encryption. In the standard model, the scheme achieves constant-size public parameters, imposes no bound on the size of attribute sets used for encryption, and has a large attribute universe. It supports LSSS matrices as access structures and additionally provides delegation capabilities to users. The Encrypt algorithm requires no bilinear pairing computation, since $e(g,g)$ can be pre-computed, and the Decrypt algorithm needs four bilinear pairing computations and $l$ multiplications in the group $G$. The selective security of our scheme is proved using static, generically secure assumptions in composite order bilinear groups, which do not depend on the number of queries the attacker makes. In the course of the proof, by introducing a nested dual system encryption approach, the scheme overcomes the main obstacle, namely the low amount of entropy provided by the short public parameters. Furthermore, the analysis indicates that it has lower implementation complexity without an increase in computing effort.

4. Security Analysis
• Theorem: If a dual system KP-ABBE scheme $\Omega = ($Setup, KeyGen, KeyGenF, Encrypt, EncryptF, Decrypt$)$ has semi-functional ciphertext invariance, semi-functional key invariance, and semi-functional security, then $\Omega = ($Setup, KeyGen, Encrypt, Decrypt$)$ is a selectively secure KP-ABBE scheme.

4.1. Semi-Functional Ciphertext Invariance
• Lemma 1: Our KP-ABBE scheme with dual system has semi-functional ciphertext invariance under Assumption 1.
• Proof: Assume there exists a PPT attacker $\Im$ that achieves a non-negligible difference in advantage between $Game_C$ and $Game_{KP\text{-}ABBE}$. Then we create a PPT algorithm $\Re$ with non-negligible advantage in breaking Assumption 1. $\Re$ is given $g \in G_{p_1}$ and $T$, receives the set $Z'_N$ from $\Im$, and then chooses $x, y, z, t, a \in \mathbb{Z}_N$ at random. It gives the public parameters $pk = \{\Gamma, g, h = g^x, u = g^y, v = g^z, w = g^t, e(g,g)^a\}$ to $\Im$. Since $\Re$ knows the master secret key $a$, it can respond to $\Im$'s key requests by calling the key generation algorithm. At some point, $\Im$ provides two messages $M_0, M_1$ and requests the challenge ciphertext for $Z'_N$. We use $l$ to denote the size of $Z'_N$, and we let $z_1, \dots, z_l \in Z'_N$ denote the elements of $Z'_N$. $\Re$ forms the ciphertext as follows: it chooses $r_1, \dots, r_l \in \mathbb{Z}_N$ and $b \in \{0,1\}$ at random and sets:
$$C_0 = M_b\, e(g, T)^a,\quad C_1 = T,\quad C_2 = T^t v^{\sum_{k=1}^{l} r_k},\quad C_3 = g^{\sum_{k=1}^{l} r_k},\quad C_4 = \prod_{k=1}^{l} (u^{z_k} h)^{r_k},\quad \forall k \in \{1, \dots, l\} \quad (11)$$
This implicitly sets $g^s$ equal to the $G_{p_1}$ part of $T$. If $T \in G_{p_1}$, then this is a well-distributed normal ciphertext, and $\Re$ has properly simulated $Game_{KP\text{-}ABBE}$; if $T \in G_{p_1 p_2}$, then this is a well-distributed semi-functional ciphertext, and $\Re$ has properly simulated $Game_C$. Thus, the simulator $\Re$ can use the output of $\Im$ to achieve a non-negligible advantage against Assumption 1.

4.2. Semi-Functional Security
• Lemma 2: Our KP-ABBE scheme with dual system has semi-functional security under Assumption 2.
• Proof: Suppose there exists a PPT attacker $\Im$ who achieves a non-negligible advantage in $Game_F$; then we create a PPT algorithm $\Re$ which has a non-negligible advantage against Assumption 2. The simulator $\Re$ receives $g, g_2, g_3, g^a X_2, g^s Y_2, T$, and receives $Z'_N$ from $\Im$. It chooses $x, y, z, t \in \mathbb{Z}_N$ at random and gives the public parameters $pk = \{\Gamma, g, h = g^x, u = g^y, v = g^z, w = g^t, e(g, g^a X_2)\}$ to $\Im$. (Note that $\Re$ does not know the master secret key $a$.) In response to a KeyGen query for an $m \times n$ LSSS matrix $(A, f)$, $\Re$ creates a semi-functional key as follows. It chooses a random vector $\vec{u} \in \mathbb{Z}_N^n$ subject to the constraint that its first coordinate is zero, random values $\alpha_1, \dots, \alpha_m, \beta'_1, \dots, \beta'_m \in \mathbb{Z}_N$, and a uniformly chosen vector $\vec{v} \in \mathbb{Z}_N^n$ which is orthogonal to all rows $A_i$ of $A$ with $f(i) \in Z'_N$ and has first entry equal to 1. $\Re$ implicitly sets $\vec{a} = a\vec{v} + \vec{u}$, which is distributed as a uniformly random vector with first entry equal to $a$. It also chooses random values $f_i \in \mathbb{Z}_N$ for each $i$ such that $f(i) \notin Z'_N$. Then the semi-functional key is formed as follows, for all $i \in \{1, \dots, m\}$:
• If $f(i) \in Z'_N$, then
$$d_{i1} = g^{A_i \cdot \vec{u}} w^{\beta'_i},\quad d_{i2} = g^{\beta'_i},\quad d_{i3} = v^{\beta'_i}(u^{f(i)} h)^{\alpha_i},\quad d_{i4} = g^{\alpha_i}.$$
• If $f(i) \notin Z'_N$, the algorithm sets
$$d_{i1} = g^{A_i \cdot \vec{u}} \cdot (g^a X_2)^{(t+1) A_i \cdot \vec{v}} \cdot w^{\beta'_i} \cdot (g_2 g_3)^{(t+1) f_i},\quad d_{i2} = g^{\beta'_i} (g^a X_2)^{A_i \cdot \vec{v}} \cdot (g_2 g_3)^{f_i},$$
$$d_{i3} = v^{\beta'_i} (g^a X_2)^{z A_i \cdot \vec{v}} \cdot (g_2 g_3)^{z f_i} (u^{f(i)} h)^{\alpha_i},\quad d_{i4} = g^{\alpha_i}.$$
This is a properly distributed semi-functional key with $\gamma = t + 1 \bmod p_2, p_3$, $\theta = z \bmod p_2, p_3$, $\beta_i = \beta'_i \bmod p_1$ for all $i$ such that $f(i) \in Z'_N$, and $\beta_i = a A_i \cdot \vec{v} + \beta'_i \bmod p_1$ for all $i$ such that $f(i) \notin Z'_N$. At some point, $\Im$ provides $\Re$ with two messages $M_0, M_1$. We use $l$ to denote the size of $Z'_N$, and we let $z_1, \dots, z_l \in Z'_N$ denote the elements of $Z'_N$. $\Re$ forms the challenge ciphertext as follows. It chooses $r_1, \dots, r_l, \sigma' \in \mathbb{Z}_N$ and $b \in \{0,1\}$ at random and sets:
$$C_0 = M_b T,\quad C_1 = g^s Y_2,\quad C_2 = (g^s Y_2)^t v^{\sum_{k=1}^{l} r_k} \cdot g_2^{\sigma'},\quad C_3 = g^{\sum_{k=1}^{l} r_k},\quad C_4 = \prod_{k=1}^{l} (u^{z_k} h)^{r_k},\quad \forall k \in \{1, \dots, l\} \quad (12)$$
If $T = e(g,g)^{as}$, this is a well-distributed semi-functional encryption of $M_b$ with $\eta$ equal to $\log_{g_2} Y_2$ and $\sigma$ equal to $t$ times this discrete log plus $\sigma'$, where $\sigma'$ randomizes this so that there is no correlation with $t \bmod p_2$. Hence it is uncorrelated with the exponents modulo $p_2$ of the semi-functional keys. In this case, $\Re$ has properly simulated $Game_F$. If $T \in G_T$ is a random element, then this is a semi-functional encryption of a random message, so the ciphertext contains no information about $b$, and hence the advantage of $\Im$ must be zero. Because the advantage of $\Im$ is non-negligible in $Game_F$, $\Re$ can use the output of $\Im$ to obtain a non-negligible advantage against Assumption 2.

4.3. Semi-Functional Key Invariance
Using a hybrid argument over the following sequence of games, we prove one semi-functional key invariance of our dual system ABBE scheme instead of semi-functional key invariance [22]. We begin with $Game_0$ and end with $Game_1$. To get from $Game_0$ to $Game_1$, we define the following intermediary games; among these games the distributions of the requested normal and semi-functional keys are the same as in $Game_0$ and $Game_1$, but the distributions of the challenge key and ciphertext vary.
• $Game'_0$: This game is exactly like $Game_0$, except with the added restriction that, for the challenge key, the attacker cannot produce an access matrix $(A, f)$ such that $f(i) \notin Z'_N$ for some $i$ but, when both are reduced modulo $p_3$, $f(i)$ is equal to some element of $Z'_N$.
• $Game_{k_i}$: In this game, we retain the added modular restriction from the previous game, except that the ciphertext is semi-functional and the challenge key is now ephemeral semi-functional with index $i$.
• $Game_{C_i}$: In this game, we retain the added modular restriction, except that the ciphertext is ephemeral semi-functional and the challenge key is ephemeral semi-functional with index $i$.
• $Game_{F_i}$: In this game, we retain the added modular restriction, except that the ciphertext is semi-functional and the challenge key is semi-functional with index $i$.
• $Game'_1$: This game is exactly like $Game_1$, except with the added modular restriction.


In these games, we will transit their order as follows: We begin with Game0 and move to Game'0 . We then move to Gamek1 , then GameC1 , then GameF1 , then Gamek2 , GameC2 , GameF2 , and so on, until we

exist a value of i∈{1,…,l} such that ℑ achieves a non- negligible advantage between one of the following pairs of games: GameFi −1 and Gameki , Gameki and GameCi , or GameCi and GameFi .

parameters pk={Г, g, h, u, v, w, e(g,g)a} to ℑ. Since ℜ knows a, he can responds by using the usual key generation algorithm when ℑ requests a normal key. When ℑ requests a semi-functional key for some access matrix (A,f), ℜ creates one as follows. It chooses random values α1 , … , α m , β '1 , … , β 'm ∈ Z N and a  random vector a ∈ Z Nn with first entry equal to a, we  let τ i = Ai ⋅ a for each row Ai of A. ℜ forms the key as: ∀i∈{1,…,m}: • If

' N

f (i ) ∈ Z , β i'

d i 3 = v (u

f (i )

βi'

d i1 = g w ,

then

h) , d i 4 = g αi

τi

αi

α

'

'

' τ β • If f (i)∉ZN ∧i ≠ ij , algorithm set di1 = g i ⋅ (wβ (g2g3)βγ ) i ,

βi'

di 2 = g ,

'

'

di3 = (v β ( g2 g3 ) βθi ) βi (u f (i) h)αi

d i 2 = ( gg 2 g 3 ) ββ i ,

,

αi

di 4 = g . If



has

properly

GameFi −1 ,then

simulated

(T1,T2,T3,T4) will be distributed as (wβ ' , g β ' ,vβ ' (u j h)α , gα ) for α , β '∈ Z N randomly chosen, and so this will be a properly distributed normal key. If ℜ has properly simulated Gameki or GameCi ,then (T1,T2,T3,T4) will be distributed as ( w β ' , g β ' , v β ' (u j h)α X 2 X 3 , g α Y2Y3 ) , where α , β '∈ Z N , X 2 , Y2 ∈ G p2 , and X 3 , Y3 ∈ G p3 are chosen randomly, and so this will be a properly distributed ephemeral semi-functional key. If ℜ has properly simulated GameFi ,then (T1,T2,T3,T4) will be distributed

arrive at $\text{Game}_{F_l}$, which is the same as $\text{Game}'_1$. Finally, we transit to $\text{Game}_1$.

• Lemma 3: Our KP-ABBE scheme with dual system has one semi-functional key invariance under Assumptions 3 and 4.

• Proof: By the above transitions, we will assume that $\Im$ achieves a non-negligible difference in advantage between $\text{Game}'_0$ and $\text{Game}'_1$. Since there are at most a polynomial number of steps in our hybrid sequence of games between $\text{Game}_{F_0}$ and $\text{Game}_{F_1}$, there must

We assume that $\Re$ initially obtains the group elements $g, h, u, v, w, g^s g_2^{\eta}, w^{\beta}(g_2 g_3)^{\beta\gamma}, (g g_2 g_3)^{\beta}, v^{\beta}(g_2 g_3)^{\beta\theta}$ from its oracle. It chooses random $a \in \mathbb{Z}_N$, and gives the public

When $\Im$ requests the challenge key for some access matrix $(A, f)$, $\Re$ makes a challenge key-type query to the oracle with input value $f(i_j) \in \mathbb{Z}_N$, where $i_j \in \{1,\dots,n\}$ is the index of the $j$th row $A_i$ in $A$ such that $f(i_j) \notin \mathbb{Z}'_N$. $\Re$ receives from its oracle four group elements in response, which we will denote by $(T_1, T_2, T_3, T_4)$. $\Re$ chooses random values $\alpha_j, \beta'_j \in \mathbb{Z}_N$ for all $j \in \{1,\dots,n\}$ such that $j \neq i_j$. It also chooses a random vector $\vec{a} \in \mathbb{Z}_N^{\,n}$ with first entry equal to $a$, and we set $\tau_i = A_i \cdot \vec{a}$. $\Re$ forms the challenge key as: $\forall i \in \{1,\dots,m\}$:

• If $f(i) \in \mathbb{Z}'_N$, then

$$d_{i1} = g^{\tau_i} w^{\beta'_i}, \quad d_{i2} = g^{\beta'_i}, \quad d_{i3} = v^{\beta'_i}(u^{f(i)} h)^{\alpha_i}, \quad d_{i4} = g^{\alpha_i}.$$

• If $f(i) \notin \mathbb{Z}'_N$, the algorithm sets

$$d_{i1} = g^{\tau_i} \cdot \left(w^{\beta}(g_2 g_3)^{\beta\gamma}\right)^{\beta'_i}, \quad d_{i2} = (g g_2 g_3)^{\beta\beta'_i}, \quad d_{i3} = \left(v^{\beta}(g_2 g_3)^{\beta\theta}\right)^{\beta'_i}(u^{f(i)} h)^{\alpha_i}, \quad d_{i4} = g^{\alpha_i}.$$

Here the oracle response is of the form $\left(w^{\beta'}(g_2 g_3)^{\beta'\gamma},\ (g g_2 g_3)^{\beta'},\ v^{\beta'}(g_2 g_3)^{\beta'\theta}(u^{f(i_j)} h)^{\alpha},\ g^{\alpha}\right)$, where $\alpha, \beta' \in \mathbb{Z}_N$ are randomly chosen, and so this will be a properly distributed semi-functional key.

When $\Im$ requests the challenge ciphertext for messages $M_0, M_1$ and $\mathbb{Z}'_N = \{z_1, \dots, z_l\}$, $\Re$ makes a ciphertext-type query to the oracle for each $z_j$ (we recall that the value $f(i_j)$ from the challenge key cannot be equal to any of these values $z_j$ modulo $p_3$). In response to each query for $z_j$, $\Re$ receives three group elements, which we denote by $(T_{1j}, T_{2j}, T_{3j})$. $\Re$ chooses $b \in \{0, 1\}$ randomly and forms the ciphertext as:

$$C_0 = M_b\, e(g^s g_2^{\eta}, g)^a, \quad C_1 = g^s g_2^{\eta}, \quad C_2 = \prod_{j=1}^{l} T_{1j}, \quad C_3 = \prod_{j=1}^{l} T_{2j}, \quad C_4 = \prod_{j=1}^{l} T_{3j}, \quad \forall j \in \{1, \dots, l\}. \tag{13}$$

If $\Re$ has properly simulated $\text{Game}_{F_{i-1}}$, $\text{Game}_{K_i}$ or $\text{Game}_{F_i}$, then $(T_{1j}, T_{2j}, T_{3j})$ will be distributed as

$$\left(w^s g_2^{\sigma} v^{r_j},\ g^{r_j},\ (u^{z_j} h)^{r_j}\right),$$

where $r_j \in \mathbb{Z}_N$ is randomly chosen, so this will be a properly distributed semi-functional ciphertext. If $\Re$ has properly simulated $\text{Game}_{C_i}$, then $(T_{1j}, T_{2j}, T_{3j})$ will be distributed as

$$\left(w^s g_2^{\sigma} v^{r_j} g_2^{\theta r_j},\ g^{r_j} g_2^{r_j},\ (u^{z_j} h)^{r_j} g_2^{\,r_j (y' z_j + x')}\right),$$

where $r_j \in \mathbb{Z}_N$ and $x', y' \in \mathbb{Z}_N$ are randomly chosen, and $x', y'$ do not vary with $j$. In this case, $\Re$ has produced a properly distributed ephemeral semi-functional ciphertext. Thus, since $\Im$ must achieve a non-negligible difference of advantage between at least one of these pairs of games, $\Re$ will be able to distinguish the corresponding pair of oracles with non-negligible advantage. So, our dual system encryption KP-ABBE scheme has one semi-functional key invariance under Assumptions 3 and 4.
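As an added worked check that is not part of the paper, the ciphertext components of equation (13) can be expanded under the two oracle distributions given in the proof. It assumes the standard composite-order setting in which $g \in G_{p_1}$ and $g_2 \in G_{p_2}$, so that $e(g, g_2) = 1$, and abbreviates $r = \sum_{j=1}^{l} r_j$.

```latex
% Semi-functional case (Game_{F_{i-1}}, Game_{K_i}, Game_{F_i}):
%   T_{1j} = w^s g_2^{\sigma} v^{r_j},  T_{2j} = g^{r_j},  T_{3j} = (u^{z_j} h)^{r_j}
\begin{aligned}
C_0 &= M_b\, e(g^s g_2^{\eta}, g)^a
     = M_b\, e(g, g)^{as}\, e(g_2, g)^{\eta a}
     = M_b\, e(g, g)^{as}, \\
C_2 &= \prod_{j=1}^{l} w^s g_2^{\sigma} v^{r_j} = w^{ls}\, g_2^{l\sigma}\, v^{r}, \qquad
C_3 = \prod_{j=1}^{l} g^{r_j} = g^{r}, \qquad
C_4 = \prod_{j=1}^{l} (u^{z_j} h)^{r_j} = u^{\sum_j r_j z_j}\, h^{r}.
\end{aligned}
% Ephemeral semi-functional case (Game_{C_i}): each T_{kj} carries one extra
% G_{p_2} factor, and the three products pick up, respectively,
\begin{aligned}
\prod_{j=1}^{l} g_2^{\theta r_j} = g_2^{\theta r}, \qquad
\prod_{j=1}^{l} g_2^{r_j} = g_2^{r}, \qquad
\prod_{j=1}^{l} g_2^{\,r_j (y' z_j + x')} = g_2^{\,x' r + y' \sum_j r_j z_j}.
\end{aligned}
```

In the ephemeral case the same pair $(x', y')$ enters every one of the $l$ factors of $C_4$, consistent with the proof's requirement that $x', y'$ do not vary with $j$.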


5. Conclusions

Although ABE has been applied extensively to the area of access control, existing constructions for ABE in the standard model had to fix either a small universe size or a bound on the size of attribute sets at setup. Taking into consideration at the same time the broadcast encryption scheme, which has wide applications in the real world, a key-policy attribute-based broadcast encryption was proposed by combining Waters' dual system encryption, attribute-based encryption and broadcast encryption. Based on the standard model, the scheme achieves constant-size public parameters, imposes no bound on the size of attribute sets used for encryption and has a large attribute universe. It supports LSSS matrices as access structures, and additionally provides delegation capabilities to users. The selective security of our scheme is proved using static, generically secure assumptions in composite order bilinear groups which do not depend on the number of queries the attacker makes. The analysis results indicated that it has less implementation complexity without increasing the computing effort.


Acknowledgements

This research was financed by the National Natural Science Foundation of China under Grants 61173192 and 60873268, and the Scientific Research Foundation of the Education Department of Shaanxi Provincial Government of China (Grant No. 2013JK1116).


Jin Sun received her BA and MA degrees in mathematics from Shaanxi Normal University, Xi'an, China, in 2000 and from Xi'an University of Technology, Xi'an, China, in 2005 respectively. Since 2008, she has been a PhD candidate in cryptography at Xidian University, Xi'an, China. Her current research interests include the design of PKE schemes and broadcast encryption schemes.

Yupu Hu is a professor and PhD supervisor in the Key Laboratory of Computer Networks and Information Security of the Ministry of Education, Xidian University, China. He received his PhD degree in cryptography from Xidian University in 1999. He is a member of the China Institute of Communications. His current research interests include information security, stream ciphers, block ciphers, digital signatures and network security.

Leyou Zhang received his PhD from Xidian University in 2009. Currently, he is an associate professor in the Department of Mathematical Sciences of Xidian University. His current research interests include network security, computer security, and cryptography.
