Owner Specified Excessive Access Control for Attribute Based Encryption

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
Owner Specified Excessive Access Control for

Attribute Based Encryption
Fawad Khan, Hui Li, Member, IEEE, and Liangxuan Zhang
AbstractAttribute Based Encryption (ABE) has emerged as entitled to view all data while students have limited access
a promising solution for access control to diverse set of users in to data) using policy named Simple defined as: University
cloud computing systems. Policy can just specify whether (or (Professor OR Student), for users with attributes University
not) any specific user should be given access to data, but it
lacks to provide data owner the privilege to specify (how much) and Professor , University and Student to retrieve the data.
fraction, or (which) specific chunk from that data to be accessed We tag this policy as Simple, because in rest of paper we will
or decrypted. In this paper, we address this issue, and propose a refer to this specific policy using its tag. Policy can just define
scheme that will give data owner excessive access control, so that here that any user with attributes can access the data, but it
he can specify specific chunk out of total data to be accessed by fails to define that out of those user attributes, which attributes
user depending on his attributes. In our scheme, a data owner
can encrypt data over attributes specified in a policy, but even if allows access to which fraction (chunk) of data. We further
users attributes satisfy the policy; he can decrypt data (partially elaborate it by the scenario; lets consider a video provider is
or fully) fractionally based on his attributes specified by owner. encrypting a video for attributes F reeU ser , and P aidU ser .
Owner can also prioritize users access based on his designation, If the policy is defined to be: (F reeU ser OR P aidU ser ),
or hierarchal role in a specific organization. We also address to then individual users having attributes either F reeU ser , or
resolve the issue of attributes repetition, due to which the cost
of computations in encryption by owner and ciphertext size is P aidU ser can decrypt the video. Although, user with any
reduced. Furthermore, we achieve it with a single ciphertext over (one) of these attributes will have access to data, but now
policy for entire data, and proof our scheme to be secure in the the owner wants to restrict the user with F reeU ser attribute
generic group and random oracle model. Theoretical comparisons to decrypt and view just starting five minutes of video, and
of computations with existing constructions, and performance of user with P aidU ser attribute to decrypt and view the whole
the scheme evaluated in Charm simulator is reasonable enough
to be adopted in practice. video. Although, both attributes satisfy the policy and have
access to data, but now they differ in the data being accessed
Index TermsAttribute, Partial, Full, Encryption, Decryption,
using them. In other words, video provider in this case has
Symmetric key, Chunk, Excessive Access, Repetition, Fractional.
restricted the access of F reeU ser to a fraction of video instead
of whole video.
I. I NTRODUCTION
This is an important issue, which should be addressed to
TTRIBUTE Based Encryption (ABE) has evolved as an
A access control mechanism for large target community.
Cloud storage is a service of cloud computing [30], utilized
give the data owner more privileges, so that he can specify
how much (fraction) of data can be accessed by users using
their attributes. To differentiate, there are two things; one is
by data owners to outsource their data to the servers. ABE is users attributes that qualify it for data access, if they satisfy
considered as a promising solution for data access in cloud the policy specified by owner, while the other thing is how
computing. much fraction of data can be accessed by using those attributes.
As cloud servers are not trust worthy, so owner undertakes For Simple policy, as Student and Professor have access to
the responsibility to encrypt its data before outsourcing it to the dissimilar variant of data; hence, we list them under different
server. Owner defines an access policy for specific attributes attribute set Wi in policy, where Wi is a set of attributes in
that it wishes to be mandatory for data access, and then sends policy providing access to different variants of data. Another
it along with ciphertext to the server. If attributes of user key issue, to be addressed is the repeated attribute (University in
satisfy the policy specified in ciphertext; user then can decrypt Simple policy) appearing in multiple attribute sets Wi leading
ciphertext correctly to get data. In ABE, for example, the to more computation cost in encryption operation at data
University can share an examination notice, or provide access owner.
to particular data placed on its server (where professors are
This work was supported by the National Natural Science Foundation of Although, for both the scenarios (Simple and Video
China under Grant U1401251 and Grant 61272457. Provider policy); which we explained above can be dealt with
F. Khan is with the State Key Laboratory of Integrated Service Net- by defining two separate policies over ciphertexts (based on
works, School of Cyber Engineering and with the School of International
Education, Xidian University, Xian, Shaanxi 710071, P.R. China (e-mail: attribute-sets Wi ), with different symmetric decryption keys
fawad.khan.xdu@gmail.com). for fractional data access; we argue that it should be done with
H. Li and L. Zhang are with the State Key Laboratory of Inte- a single ciphertext over one policy with no attributes repetition.
grated Service Networks, School of Cyber Engineering , Xidian Univer-
sity, Xian, Shaanxi 710071, P.R. China (e-mail: lihui@mail.xidian.edu.cn, Throughout the paper, we will use words fractional, variant,
lxzhaang@foxmail.com ). and partial interchangeably for referring to a chunk of data.
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2632132, IEEE Access
A. This Work then proposed the first decentralized multi-authority ABE in

In this paper, we address the issue of providing more access which all the authorities were independent from each other and
control to data owner, and also propose a technique to resolve hence required no coordination. Several other works [13], [14],
an issue of attributes repetition in Linear Secret Sharing [15], [16], [17], [35] were proposed to cater different issues
Scheme (LSSS) access matrix, which arise due to provision regarding ABE but still the issue of giving more privileges
of excessive access. Removal of repeated attributes from to data owner, so that it can restrict user to (full or partial)
access matrix leads to reduced computations in encryption fractional access of data based on its attributes is un addressed.
operation and ciphertext size. Our proposed scheme, will allow To give different access rights to users; the data cannot
owner to encrypt data under one policy and single ciphertext be encrypted with a single symmetric encryption key, but
over attributes, and can specify (how much) fraction of data rather with different chunk keys. The idea of chunk based
can be accessed by user using his individual attributes or encryption [18], [27], [20], [26] is not new. In chunk based
combination of his attributes. User on retrieving the ciphertext encryption, data is divided into several chunks and each one
will check that if his attributes satisfy the policy specified is encrypted using a different symmetric key. In [18], it is
in ciphertext, then he can get access to either fraction-of or utilized for providing confidentiality and integrity to data in a
full data depending on his attributes as specified by owner in cloud computing system while the authors in [20], utilized it
ciphertext. Moreover, owner can prioritize users data access for revocable data access control.
based on his hierarchal role in an organization. In this work, Access hierarchies [22], [19], [25] play an important role in
the conformation of users attributes to satisfy ciphertext policy granting access to users based on their roles. In this approach,
does not lead to entire data access, but a part of it; unless several chunk keys are derived from the parent node key with
specified by owner. the condition that chunk keys are derived only in the top-
down manner, i.e., from the parent nodes to its descendant
child nodes. To grant hierarchal access to users; keys are given
B. Paper Organization
to users in hierarchal order, i.e., the user having parent node
The rest of this paper is organized as follows. Related work key will have access to all data; in contrast the user having
is detailed in Section II, followed by Section III containing key with no descendant node has the access to only a part of
a brief overview of access structures, linear secret sharing data. A good construction of this is proposed by Atallahs et
scheme and multi-authority ABE. Section IV details our pro- al. [22], which has been proven secure against collusion. In
posed scheme, while section V gives the performance analysis [19], the authors proposed multi key encryption approach to
and security proof of our scheme. Section VI concludes the give different access rights to users by adopting the scheme
paper. proposed in [22]. Several works in which the concept is
utilized are: enforcing access for users on published XML
II. R ELATED W ORK documents [21], various variants of video quality provision
In this section, we will review attribute based encryption, [23], encrypted database access control [24], and cloud storage
access hierarchies, and chunk based encryption. framework [29].
Attribute based encryption [11], [2], [12], [4], [3], [32], [36],
[37] has emerged as a valuable tool for access control in cloud III. P RELIMINARY BACKGROUND
computing systems. ABE find applications in places, where
In the section, we will briefly discuss about access struc-
there are multiple sets of users in need to access different
tures, Linear Secret Sharing Scheme (LSSS) and multi author-
pieces of data. In order to comply with it, owner encrypts
ity CP-ABE.
data over a ciphertext embedded with a policy of attributes;
defining which individual attributes or their combination can
help decrypt data from ciphertext. There are two types of ABE. A. Access Structures
The first one named as Key-Policy ABE (KP-ABE). The first Definition 3.1: Access Structure [7]. We let P1 , ..., Pn
construction of KP-ABE was made by Goyal et al. [11]. In represent a set of parties. A collection X 2{P1 ,...,Pn } is
KP-ABE, the ciphertext is associated to attributes while the monotone if Y, Z : if Y X and Y Z, then Z X.
user decryption key is linked to access policy. To correctly Access structure specifically monotone will be a collection
decrypt, the policy in user key must conform to the attributes of non-empty subsets of P1 , ..., Pn . The sets in X are called
in ciphertext. The second type of ABE is Ciphertext-Policy authorized sets.
ABE (CP-ABE). In CP-ABE [2], ciphertext is related to policy In our work, we let attributes similar to parties and we consider
while attributes correspond to user decryption key. User can only monotone access structures.
decrypt properly to get data if attributes in user key satisfy the
policy in ciphertext. In single authority ABE schemes, a single
certification authority is responsible for managing attributes, B. Linear Secret Sharing Scheme
key generation and key distribution to users. This poses issues Our construction utilizes linear secret sharing scheme. We
like Quality of Service (QoS) and scalability. To cater these adapt the definition from [7]. Q
problems, the foremost multi-authority ABE was proposed by Definition 3.2: Secret sharing scheme over a set of
Chase [8], but the scheme required a central authority for parties P is linear if:
coordination between all authorities. Lekwo and Waters [4] 1. Combination of shares from all parties forms a vector over
Zp . Q same model has been used by Chase and Chow [9], and
2. A share generating matrix A exists for . Matrix A Chase [8] respectively. In our model, we give more powers to
has m rows and n columns. For x = 1 to m each xth attacker, that he can choose public keys of corrupt authorities
row of A corresponds to a party P (x). We let a column by himself; instead given to him by challenger at the start of
vector v = {s, v2 , ..., vn } be a sharing vector; where game.
s is the secret to be shared is selected from Zp , and We let S denote the set of all the authorities in system and
v2 , ..., vn Zp . Then A.v is the vector of m shares of s U denote the attributes universe. Each attribute belongs to
Q
according to . The share i = (A v )i belongs to party p(i). one authority.
Setup: The global setup algorithm is run. The attacker
We let S denote the set of attributes. Define L {1, ..., m} specifies a set of corrupt (S0 S) authorities to the
as L = {x|p(x) S}. There exists a vector (1,0,...,0) in the challenger. Challenger then obtains the public and private
span of Ax indexed by L, where Ax represent rows of A. keys of uncorrupt (S S0 ) authorities by running the
For linear reconstruction, we have constants of the form { authority setup algorithm. Finally, challenger reveals the
wx Zp }xL acquired public keys to the attacker.
Q such that, if x are valid shares ofP secret s
according to , then s can be reconstructed by xL wx Phase 1: The attacker queries challenger for key pairs
x = s. (i, GID) corresponding to attribute i of good authority and
user identity GID. The challenger replies to the queries by
sending out the key pairs of the form Ki,GID to the attacker.
C. Multi-authority EAC CP-ABE
For attributes in corrupt authority, the attacker can generate
We briefly describe the algorithms that are part of the multi decryption keys by himself.
authority Excessive Access Control (EAC) CP-ABE scheme. Challenge Phase: Attacker then specifies two equal length
Global Setup() GP : The algorithm takes as input the messages under the access structure (A, ). Moreover,
security parameter and outputs the global parameters GP specifies for each attribute in that it belongs to which
for the system. attribute set Wi . Let V denote the subset of rows of access
Authority Setup(GP ) SK, P K: In this algorithm, matrix A controlled by corrupt authorities. We denote VGID
the input is global parameters of the system and output as the subset of rows of A for which the attacker can acquire
corresponds to secret SK / public P K keys of the the keys (i, GID) corresponding to attribute i and identity
authorities. GID for uncorrupt authorities. The constraint on access
Encrypt(S, (A, ), GP, P K) CT : Encrypt algorithm takes matrix is that the subspace spanned by V U VGID should
as input the message S (symmetric keys for data chunks), not include (1,0,...,0) in its span for any of attribute set Wi .
access matrix (A, ) , global parameters and the public keys In other words, the attacker cannot ask for those specific
of authorities to output the ciphertext CT. keys which he can combine with keys of corrupt authorities
KeyGen (GID, GP, i, SK) Ki,GID : KeyGen algorithm to allow successful decryption for specific attribute and
takes as input the user identity GID, specific attribute i, identity GID. Also the attacker gives public keys of corrupt
GP and secret key of corresponding authority to generate a authorities attributes to challenger which appears in the image
decryption key Ki,GID for user. . Challenger flips a random coin = {0, 1} and encrypts a
Decrypt (CT, GP, Ki,GID ) S: To decrypt the ciphertext, message M according to access policy.
this algorithm takes as input CT, GP and the set of user Phase 2: Attacker makes further key queries (i, GID) but
attribute keys. For successful decryption the user attribute keys under the constraint that queries dont violate the challenge
should correctly satisfy the access matrix in the ciphertext. matrix (A, ) .
Guess: Attacker submits a guess 0 for . Attacker wins the
Definition 3.3: A multi authority EAC CP-ABE scheme is game if 0 = . The advantage of attacker in the security
correct if the GP is obtained from global setup algorithm, CT game is Pr[ 0 = ] 1/2.
from encrypt algorithm, keys Ki,GID corresponding to specific
attributes of user GID are generated using keygen algorithm Definition 4.1: A multi authority ciphertext policy attribute
and message (S) is obtained from CT using decrypt algorithm, based encryption scheme with excessive access control is
if the set of attributes in key satisfy the access matrix in CT. secure (against static corruption of authorities) if all polyno-
mial time adversaries have at most a negligible advantage in
IV. O UR C ONSTRUCTION security game.
In this section, we will provide a detailed construction of
our scheme. B. System Model
We let a multi-authority cloud storage system as shown
A. Security Model in Fig.1. It consists of owners, users, server, and attribute
We define the security game for EAC CP-ABE system authorities (AA).
between challenger and attacker in the following way. We Owner An entity who wants to publish data on the server
assume that the adversary can corrupt authorities statically to be retrieved later by other users based on their attributes.
but can make queries adaptively till the end of game. This For publishing data it will first split the data into chunks and
encrypt each chunk with a new symmetric key followed by

defining a decryption policy based on attributes.
Server It is an entity used for outsourcing owners data and
Fig. 3. Fractional Data Access of Attributes Sets
their attributes. We define an excessive access control policy

named Complex as: {(University Student) OR (Hospital
Patient)} OR {(University Professor) OR (Hospital
Nurse)} OR {Company (HR OR Marketing OR Finance)}
OR {(Hospital Doctor) OR (Company Boss)}. The first
glance of this Complex policy shows that any individual with
specific set of attributes will have provision to same and all
data, but here owner wants to give different access rights to
Fig. 1. System Model users.
We use this {} notation to indicate that attributes enclosed
providing data access to users. in these refer to an attribute set Wi . Each Wi contains a
User It can request ciphertext from server, but can decrypt diverse set of users havingPaccess to same data chunk. With
only when his decryption keys satisfy the access policy in in an attribute set Wi , if cx x = qi ; then user can have
ciphertext. access to data. For Complex policy we have four attribute
Attribute Authority Each Attribute Authority (AA) generates sets as: (1). W1 = {(University Student) OR (Hospital
a public, private key pair for itself. Moreover, it undertakes the Patient)}, (2). W2 = {(University Professor) OR (Hospital
responsibility for managing attributes and generating keys for Nurse)}, (3). W3 = {Company (HR OR Marketing OR
users based on their attributes handled by AA. Authorities Finance)}, and (4). W4 = {(Hospital Doctor) OR (Company
work in a decentralized fashion; hence no coordination is Boss)}; where Wi is an attribute set. Fig.3 shows the data
required between them. access for each attribute set Wi . The point worth noting here
is that attributes University, Hospital, and Company appear
C. Idea of our Construction in more than one attribute sets because users besides their
In many situations, owner does not want to give access of attributes need these to access data. Like in this policy, Stu-
entire data, but a part or fraction of it. To provide owner dent belonging to W1 and Professor from W2 both needs
more privileges, so that he can specify how much fraction University attribute to access their data variant. Excessive
of data can be accessed by user based on his attributes; data control can be enforced in this case, via partitioning the data
needs to be divided into chunks, and encrypted using different into three parts and encrypting chunks with three different
symmetric keys as shown in Fig.2, where m1 is data chunk symmetric keys. Next, for enforcing excessive data access, we
1 encrypted with symmetric key K1 , m2 is data chunk 2 compare and contrast the two approaches mentioned below.
encrypted with symmetric key K2 and so on for other data Basic Scheme In, Traditional-ABE (T-ABE) schemes, all
chunks. users have access to one and only single data encrypted using a
symmetric key enclosed in M . Moreover, this M is encrypted
using a secret s raised to a pairing in the form of M e(g, g)s .
The secret s is shared among users attributes in ciphertext
Fig. 2. Data Chunks Encryption using LSSS matrix shares x . Using T-ABE schemes, in-order
for owner to give different data access to users for Complex
To enforce, fractional or partial access of data, one chal- policy; it will have to break the policy into 4 individual
lenge is that owner must encrypt data using only one policy attribute sets Wi policies and then compute the ciphertext for
and ciphertext for all individual data chunks encrypted with each of the policy. This is due to the fact that for T-ABE
different symmetric keys. schemes we cannot have more than one secret s in a ciphertext
for policy. As mentioned earlier, three attributes University,
We define a scenario to illustrate our idea. Lets consider Hospital and Company repeats in attribute sets Wi , or in
a research being carried out by university for designing other words these are shared by other attributes to access data.
disease measuring equipment for a hospital in collaboration For Complex policy, there are overall 12 distinct attributes,
with some company. People from three different domains but due to repetition the overall number is 16. This repetition
hospital, university, and company are involved in work and increases the computational effort while computing ciphertexts
they have access to different fractions of data based on in encryption operation by owner and moreover, elongates its
size. Authority Setup(GP ) SK, P K: Each authority selects

Our Scheme We propose our method, in which the owner can for itself a random value t Zp . For each attribute i that
enjoy the privilege of excessive access control by defining a belongs to authority, it chooses a random value i Zp . It
single policy over one ciphertext with no attributes repetition. keeps values {t, i i} as secret key, SK and publishes {g t ,
Moreover, users having access to various different chunks of e(g, g)i i} as public key, PK.
data will all have to satisfy that just one policy. To do so, the Encrypt(S, (A, ), GP, P K) CT : The owner first
excessive access Complex policy should be rewritten with takes data M = [m1 , m2 , ..., mk ] encrypted with S =
no-attributes repetition for our scheme in its compact form [S1 , S2 , ..., Sk ], where Si corresponds to the chunk mi and
as: (University (Professor OR Student)) OR (Hospital S corresponds to M . After that, he defines an excessive
(Patient OR Doctor OR Nurse)) OR (Company (HR OR access policy W = [W1 OR W2 OR...OR Wk OR Wk+1 ],
Marketing OR Finance OR Boss)). The LSSS matrix for the where Wi corresponds to symmetric chunk key Si , and Wk+1
compact complex policy is also constructed. In our approach, corresponds to symmetric key S. Then, he rewrites the policy
instead of defining separate policies like in traditional ABE without attributes repetition and forms an LSSS matrix A
schemes; we define different secrets qi to be shared for at- of size m x n. The algorithm takes as input; a message S
tribute sets Wi . The sharing vectors for secrets qi are evaluated (symmetric keys for data chunks), global parameters, an access
by the formed LSSS matrix with distinct attributes, but due matrix A of size m x n with containing a map of its rows
to repetition of attributes between multiple Wi ; shares x for to attributes, and PKs from relevant authorities. To proceed, it
repeated attributes are also multiple. For Complex policy, we will first choose random values qi , vi,2 , ..., vi,n Zp to form
have 16 evaluated x shares for attributes belonging to four 4 a sharing vector vi = {qi , vi,2 , ..., vi,n }; where qi is secret to
attribute sets. We remove the repeated attributes x shares, be shared for each attribute set Wi . Further, it computes x =
so that they correspond exactly to 12 distinct attributes, Ax vi for Ax Wi where Ax is xth row of A. Moreover,
and also conform to secrets qi by employing our proposed it will choose a random vector w Zp of length n with 0 as
methodology mentioned in section IV - D of this paper. its first entry. Compute wx = Ax w. Then it will use the
algorithm in section D to remove the repeated values of shares
D. Eliminating Repeated Attributes x , so that attributes are not repeated, and finally it computes
the ciphertext as:
Based on the fact that summation Pof attributes shares x CT = {Ci = Si e(g, g)qi , C1,x = e(g, g)x e(g, g)(x) wx ,
leads to secret reconstruction, i.e., cx x = qi in Wi if the
C2,x = g twx for (x) Wi |i = 1, 2, ..., k + 1 }.
attributes Wi form a span of (1,0,...0). We exploit this secret
The owner then sends CT, (A, ) for compact policy along
re-construction property to eliminate the repeated attributes
with excessive access policy W = [W1 OR, ..., OR Wk+1 ]
shares appearing across multiple Wi . We have two types of
to the server. Ciphertext Ci values correspond to attribute sets
attributes namely: Oattr and Rattr .
Wi in access policy.
Oattr , represents other attribute appearing with repeated one
KeyGen (GID, GP, i, SK) Ki,GID : To create a key
in policy, cO denotes coefficient of other attribute share, Rattr
for user GID corresponding to an attribute i of authority, it
for repeated attribute appearing multiple times, and cR is the
computes Ki,GID = g i /t H(GID)1/t .
coefficient of repeated attribute share. cO , and cR correspond
P Decrypt (CT, GP, {Ki,GID }) S: For decryption, the
to values cx for which cx x = qi (secret reconstruction).
primary assumption is that the ciphertext is encrypted un-
For Simple policy, Rattr corresponds to University while
der access matrix (A, ) . The user will determine his
Oattr represents Student and Professor. For eliminating the
attributes belonging to particular attribute set using excessive
repeated attributes we utilize the following equation:
access policy W , the span (1, 0, ..., 0) and exact ciphtertext
(Oattr ) = (1/cO ){(qi ) (cR )(Rattr )} corresponding to his keys using (A, ). If the decryption
user keys {K(x),GID } can form a span (1, 0, ..., 0) over
Where qi denotes secret to be shared for an attribute set
the subset of access matrix rows Ax P Wi , then user
Wi . Elimination is done by putting all values in equation, and
will choose constants ux Zp , so that x ux Ax =
by fixing the value of repeated attribute Rattr share; there by
(1, 0, ..., 0) where A x W i , and then will decrypt as follows:
obtaining the values for other attributes Oattr shares. We refer Q ux qi
x (C 1,x /e(C 2,x , K(x),GID )) = e(g, g) .
reader to Appendix A, for an example of using this method
After correctly finding e(g, g)qi user will divide this by value
for eliminating the repeated attributes.
of Ci (corresponding to his attribute set Wi ) to obtain Si which
is symmetric chunk key for mi .
E. Proposed Scheme
In our construction, policy is defined over the ciphertext
only once for all data chunks with no attribute repetition by F. Correctness
employing the methodology as stated above. The proposed excessive access control scheme is correct.
Global Setup() GP : In global setup, a bilinear group G To decrypt, the user will first choose constants ux Zp , so
of prime order p is chosen. Global parameters are set to p, g, P
that x ux Ax = (1, 0, ..., 0); then will decrypt as follows:
e(g, g) and H; where g is a generator of group G and H is a
hash function that maps global identities GID to elements in Y
(C1,x /e(C2,x , K(x),GID ))ux
G. We will model H as random oracle for security proof.
x
TABLE I TABLE II
C OMPARISON WITH EXISTING WATER S CONSTRUCTIONS . C OMPARISON OF COMPUTATIONS FOR SIMPLE AND COMPLEX POLICY.
Sch SM KeyGen Encrypt Decrypt P olicy Scheme KeyGen Encrypt Decrypt

[2] FS (2m + 2)E (2n + 2)E (2z + 1)P + 2zE [2] 12E 12E 10P + 8E
[3] SS (m + 2)E (3n + 2)E (2z + 1)P + zE [3] 8E 16E 10P + 4E
[4] FS (2m)E (5n + 1)E (2z)P + zE Simple [4] 8E 22E 8P + 4E
[5] SS (3m + 4)E (5n + 2)E (3z + 1)P + zE [5] 20E 24E 14P + 4E
[6] FS (l + 2m)E (6n + 1)E + P (3z)P + zE [6] 12E 26E + 2P 12P + 4E
Ours FS (2l + m)E (3n + W )E zP + zE Ours 12E 11E 4P + 4E
[2] 40E 40E 45P + 36E
[3] 24E 56E 45P + 18E
Y Complex [4] 32E 84E 36P + 18E
= (e(g, g)x e(g, g)(x) wx /e(g twx , g (x) /t H(GID)1/t ))ux [5] 64E 88E 63P + 18E
x [6] 40E 100E + 4P 54P + 18E
Y Ours 32E 40E 18P + 18E
= (e(g, g)x e(g, g)(x) wx /e(g, g)(x) wx e(g, H(GID))wx )ux
x TABLE III
Y AVERAGE RUNNING TIME IN MILLISECONDS (ms) OF OUR SCHEME FOR
= (e(g, g)x /e(g, H(GID))wx )ux (S), (C) P OLICY WITH PARAMETERS .
x
P GS AS KG Enc Dec Attr U V
= e(g, g)qi S 10.12 12.19 31.78 20.97 9.84 3 2 2
C 10.85 52.87 146.64 69.20 74.9 12 9 4
V. A NALYSIS OF THE S CHEME

In this section, we will analyze the performance of our We have implemented our scheme in Charm [31], [34],
scheme, and give a security proof for our construction. which is a cryptographic tool for defining and evaluating pair-
ing based constructions. It is based on a high level language
python and utilizing [28], pairing based cryptography libraries.
A. Performance Evaluation All charm routines work on underlying asymmetric groups,
We will first compare the theoretical computations and secu- even if the basic constructions are in symmetric groups. So, we
rity model of our scheme with existing Waters constructions need to convert our scheme to its asymmetric version although
BSW07 [2], W09 [3], LBW11 [4], RW13 [5], and RW15 [6], it reduces efficiency; now we have three multiplicative cyclic
and then we will demonstrate with the help of two policies the groups G1 , G2 and GT of prime order p, and the bilinear map
effect of attributes repetition on the performance of schemes. e : G1 x G2 GT is between them. All our simulations are
Finally, we will present our scheme running time performance. executed on a (3 GB allocated Ram) Hyper-V Virtual Machine
In TABLE I, the notations used for various entities are: SM , running (Ubuntu 14.04, Python3.4.3 and Charm-Crypto-0.43)
SS, F S for security model, selective and full security, l for on dell inspiron laptop Intel(R) Core(TM) i5-3337U CPU@
the number of authorities, m for number of user attributes, n 1.80GHz with 8 GB Ram.
for number of attributes in access structure, W for attribute In TABLE III, we give the running time (ms) of global
sets in access structure, and z for number of users attributes setup: GS, authority setup: AS, key generation: KG, en-
utilized for satisfying the policy. Moreover, we represent E for cryption: Enc, decryption: Dec algorithms for our scheme
exponential and P for pairing operation. TABLE I contains evaluated in Charm for Simple and Complex policies. The
the operations carried out by various constructions in key notations Attr, U and V represent number of attributes, users
generation, encryption and decryption operations. As seen and data variants for policy P in TABLE III. In prior one,
from the table our scheme has comparable computations in there are two (2) users having access to different variants
terms of key generation and encryption but it surpasses all of data, while in Complex policy there are nine (9) users
other schemes in decryption by utilizing just one pairing and having access to four (4) variants of data. Decryption time
exponential operation per attribute. evaluated for Simple policy includes time of both Student
Now, we will demonstrate the effect of attributes repetition and Professor to get their share of symmetric key. Similarly it
on the performance of schemes. For traditional ABE schemes, applies for Complex policy containing nine users from four
in-order to provide excessive access; the owner needs to different attribute sets.
divide the policy based on the attributes sets Wi , and then
encrypt separate ciphertexts for those policies due to which B. Security Proof
attributes shared with in multiple Wi are repeated. In our We proof our scheme to be secure using generic bilinear
scheme, attributes are not repeated; hence the ciphertext size group model previously employed in [1], [2], [10], and [4].
is short, and fewer computations have to be performed in We will model H (hash function) as a random oracle. Security
encryption operation by owner. Moreover, we achieve it with a model assures that adversary cannot succeed to break our
single ciphertext over one policy. TABLE II lists computations scheme given only black box access to group operations and
performed by the all schemes for Simple and Complex H.
policy. Our scheme has less computational operations for both We describe the generic bilinear group model as described
the policies in encryption and decryption algorithms. in [1]. We let 0 and 1 are two random encodings of additive
group Zp . Each of 0 and 1 is an injective map from Zp to hence, he cannot gain non negligible advantage in real security
{0, 1}m for m > 3log(p). Formally, we represent the groups game.
as: G0 = {0 (x) : x Zp } and G1 = {1 (x) : x Zp }. We condition on attackers queries to input values, as the
Assume that we have access to oracles for evaluating the group values given to attacker during simulation, or the values which
operations in G0 and G1 . Moreover, we have the oracle to he received in response of previous queries which he made to
compute the non-degenerate bilinear map e : G0 G0 G1 . oracles. The event occurs with greater probability. As 0 and
In the security game, the attacker has to distinguish between 1 are random injective maps from Zp into a set with greater
Ci = M0 e(g, g)qi and Ci = M1 e(g, g)qi . We now consider than p3 elements; to guess an element appearing in image of
a modification in the game [2], where the attacker must 0 , 1 occurs with negligible probability which has not been
distinguish between Ci = M0 e(g, g)qi and Ci = M0 e(g, g)ai , attained before.
where ai Zp is selected for each attribute set Wi . We Under aforementioned condition, attacker can query as a
simplify the notations that we use as: g denote 0 (1), g x multi variate polynomial in variables ai , j ,t,x ,wx ,hGID ,
denote 0 (x), e(g, g) denote 1 (1) and e(g, g)y denote 1 (y). where j stands for uncorrupted authorities, x ranges over
We now simulate the modified security game in generic rows of challenge access matrix and GID ranges over
bilinear group model, where Ci is set to e(g, g)ai . Moreover, allowed identities. We take x as the linear combination
S represents the set of authorities and U represents the of variables (qi , vi,2 , ..., vi,n ) for attribute sets Wi and wx
set of attributes universe. Simulator runs the global setup = (0, w2 , ..., wn ). Further, we state that for each different
algorithm and gives g to the attacker. Attacker then specifies pair of queries responding to unlike polynomials, attacker
a set S 0 S of corrupt authorities, and discloses it to the receives different answers. Difference is non-zero for random
simulator. Simulator randomly chooses t Zp for uncorrupted assignment of values to variables for two query polynomials.
authorities, and i Zp where i U corresponds to attributes This event occurs with greater probability which we can
that are controlled by uncorrupted authorities; queries group realize using union bound and Schwartz-Zippel lemma as the
oracles for evaluating g t , e(g, g)i and gives these values to polynomials have at most degree 4.
attacker. We see that ai only appears as e(g, g)ai , so the queries
Attacker then requests H(GID) for the first time. Simulator attacker can make about ai will be of the form cai + other
chooses a random value hGID Zp , queries group oracles terms, where c is constant. Attackers view can change only
for g hGID and sends it to attacker. Also, the simulator keeps when it makes two different polynomial queries, f and f 0
a copy of the sent value, so that the requested GID value in into G1 but if it replace ai = qi ; the result will be same (one)
future will be dealt with the same evaluated value. Attacker polynomial. This implies that, f f 0 = cai cqi for some
then requests a key Ki,GID for an attribute i belonging to a constant c. We conclude that attacker can query cqi .
particular authority and identity GID. In response, simulator Now we will show that a query cqi cannot be made by
computes g i /t H(GID)1/t by querying the group oracles, attacker, and hence we arrive at a contradiction. We can see
and send it back to the attacker. After some time, attacker will the possible queries attacker can make in TABLE IV. By
specify an access matrix (A, ) for challenge ciphertext with inspecting we came at a conclusion that attacker can only
attributes specified for attributes sets Wi . Moreover, values make queries of the form which are linear combinations of
of corrupt authority attributes that appear in (corresponding 1, ai and other terms appearing in TABLE IV.
to rows of A) of access matrix will be sent by attacker to We remind that attacker knows the values of i , t for
simulator. Simulator confirms the validity of these attributes corrupted authorities; thats why the linear combinations of
by querying group oracles. these values can appear in TABLE IV .
Simulator will now produce the challenge ciphertext. To Recall that qi can be constructed by x = Ax vi where
follow up, it will first choose random values qi , vi,2 , ..., vi,n vi = (qi , vi,2 , ..., vi,n ) for attribute set Wi . Hence the only
Zp to form a sharing vector vi = {qi , vi,2 , ..., vi,n }; where appearance of qi in TABLE IV can be constructed using the
qi is secret to be shared for each attribute set Wi . Further, linear combination of x . To order query of the P form cqi ;
it computes x = Ax vi for Ax Wi where Ax is xth attacker needs to choose constants x such that x x = cqi
row of LSSS matrix A with no repeated attributes. Moreover, by asking for query (x +(x) wx ) to form x (x +(x) wx ).
selects a vector w = {0, w2 , ..., wn } where each w2 , ..., wn For corrupt authorities attributes, attacker can construct poly-
is selected randomly from Zp and evaluates wx = Ax w . nomials of the form x (x) wx to cancel out this term for
Simulator will give x shares values to elimination algorithm the above polynomial. For uncorrupted authorities attributes,
for removal of repeated attributes. Finally it will select random attacker needs to query ((x) wx + hGID wx ) this; in-order
values ai Zp for Wi . With the help of group oracles the to cancel out x (x) wx , which leaves an extra term of
simulator now computes the ciphertext as: x hGID wx . We note that attacker can access this term
{C0 = e(g, g)ai , C1,x = e(g, g)x e(g, g)(x) wx , C2,x = ((x) wx + hGID wx ) if it requests for a key corresponding to
g twx x }. a particular attribute (x) and identity GID.
The challenge ciphertext is given to the attacker. We argue The gathering of these terms for each identity GID will
that by all, but with negligible probability, an attacker view cancel this term only if the span (1,0,...,0) of length n vector
regarding if Ci is set to e(g, g)ai in place of e(g, g)qi is is in the rows Ax Wi of A belonging to corrupt authorities,
identical in simulation. This illustrates that attacker cannot or uncorrupted ones for which he acquired the keys for
attain non negligible advantage in modified security game; ((x), GID). Under this condition, the attacker has broken
TABLE IV c3 = 1. Combination of either Professor or Student share with

P OSSIBLE Q UERY T ERMS University share will lead to re-construction of secret in Fig.4
i t (a).
hGID i /t + hGID /t For excessive access control, we need to share 2 secrets
x + (x) wx twx q1 , q2 accordingly for W1 , W2 . Hence, we encounter a problem
i wx + hGID wx hGID /t
that attribute University appears in each of the LSSS matrix
hGID i /t + hGID hGID 0/t i /tj + hGID /ti tj
hGID hGID 0 (twx )(t0wx 0) as seen in Fig.4 (b), (c) for W1 and W2 . To solve this problem,
(i /ti + hGID /ti )(j /tj + hGID 0/tj ) ti tj we use our proposed approach mentioned in section IV - D of
paper. The equations for determining the shares of Professor
and Student are:
the rules of security game and requested for a set of keys
for an identity GID with which he is capable to decrypt the P rof essor, 2 = (1/c2 ){(q1 ) (c1 )(1 )}
challenge ciphertext.
Therefore, we have presented that attacker cannot construct Student, 3 = (1/c3 ){(q2 ) (c1 )(1 )}
a query of the form cqi for some constant c. Hence, under these
conditions that hold with all but with negligible probability,
we state that the attackers view when ai is random is identical
to when ai = qi . This proves that the attacker cannot attain a
non-negligible advantage in the security game.
VI. C ONCLUSION
In this paper, we have proposed an excessive access control
scheme for data owner using a single ciphertext over policy
without attributes repetition. The owner can enjoy limiting the
users access to just specified chunks of data, instead of whole
data. Moreover, owner can also grant privileged data access to
users based on their hierarchal role in a specific organization.
Comparison, in contrast to traditional approaches depicts its
effectiveness in terms of providing variant data access in a
single policy over ciphertext, and by less computations in
encryption and decryption operation. Our proposed scheme Fig. 4. LSSS Matrix (a) Shares of secret s for all attributes, (b). Shares of
is proven secure in generic group and random oracle model. secret q1 for attribute set W1 , (c). Shares of secret q2 for attribute set W2 ,
(d). Shares of q1 &q2 for all attributes with no repetition.
Performance evaluation of scheme in Charm simulator is good
to adopt it in practice. We will try to further enhance its
Take any random value of 1 Zp (here its taken as
performance in future, and extend it to other types of access
10), putting values of q1 , q2 , c1 , c2 and c3 , we get values of
structures besides LSSS.
2 , 3 as seen in Fig.4 (d). We note here, that the users
having attributes (either Professor, OR Student) if combine
A PPENDIX A their shares 2 , 3 with 1 corresponding to University; this
R EMOVING R EPEATED ATTRIBUTES FROM LSSS MATRIX will lead to one of the secret recovery either q1 or q2 . Different
Here, we demonstrate how to remove the repeated attributes secret reconstruction will lead to a variant data decryption key.
from LSSS matrix. Suppose the data owner wants to share The attribute shares in Fig.4 (d) will be used for evaluating the
fractional access of data using the Simple policy University ciphertext by owner. Finally, comparing Fig.4 (a), (d) we see
(Professor OR Student). For this policy, the attribute sets that in-contrast to a single secret being shared in prior one,
are W1 = (University Professor) and W2 = (University we can share multiple secrets over same set of attributes and
Student). Using T-ABE schemes, this policy is broken down policy with no repetition.
based on the attribute sets Wi , and a separate ciphertext will
be evaluated for both Wi . Attribute University appears in both R EFERENCES
Wi ; hence, it will be evaluated for both the ciphertexts.
For Our proposed scheme, the data owner will write this [1] Boneh, Dan, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based
encryption with constant size ciphertext. Advances in CryptologyEURO-
policy in its compact form with no attributes repetition as: CRYPT 2005. Springer Berlin Heidelberg, 2005. 440-456.
University (Professor OR Student). For this compact policy [2] Bethencourt, John, Amit Sahai, and Brent Waters. Ciphertext-policy
the LSSS matrix M based on AND-OR gates [4], [33] is attribute-based encryption. Security and Privacy, 2007. SP07. IEEE
Symposium on. IEEE, 2007.
shown in Fig.4 (a). For demonstration purpose (to have an idea [3] Waters, Brent. Ciphertext-policy attribute-based encryption: An expres-
regarding secret sharing and its re-construction), the shares of sive, efficient, and provably secure realization. Public Key Cryptogra-
secret s are calculated as 1 , 2 and 3 . For re-construction phyPKC 2011. Springer Berlin Heidelberg, 2011. 53-70.
[4] Lewko, Allison, and Brent Waters. Decentralizing attribute-based en-
the users based Pon their attributes will find the coefficients ci cryption. Advances in CryptologyEUROCRYPT 2011. Springer Berlin
by the relation ci Mi = (1,0,...,0). In this case c1 = c2 = Heidelberg, 2011. 568-588.
[5] Rouselakis, Yannis, and Brent Waters. Practical constructions and new [29] Huang, RuWei, et al. Research on privacy-preserving cloud storage
proof methods for large universe attribute-based encryption. Proceedings framework supporting ciphertext retrieval. Network Computing and
of the 2013 ACM SIGSAC conference on Computer & communications Information Security (NCIS), 2011 International Conference on. Vol. 1.
security. ACM, 2013. IEEE, 2011.
[6] Rouselakis, Yannis, and Brent Waters. Efficient statically-secure large- [30] Mell, Peter, and Tim Grance. The NIST definition of cloud computing.
universe multi-authority attribute-based encryption. International Con- (2011): 20-23.
ference on Financial Cryptography and Data Security. Springer Berlin [31] http://www.charm-crypto.com/
Heidelberg, 2015. [32] Lewko, Allison, et al. Fully secure functional encryption: Attribute-
[7] Beimel, Amos. Secure schemes for secret sharing and key distribution. based encryption and (hierarchical) inner product encryption. Advances
Technion-Israel Institute of technology, Faculty of computer science, in CryptologyEUROCRYPT 2010. Springer Berlin Heidelberg, 2010. 62-
1996. 91.
[8] Chase, Melissa. Multi-authority attribute based encryption. Theory of [33] Liu, Zhen, Zhenfu Cao, and Duncan S. Wong. Efficient Generation of
cryptography. Springer Berlin Heidelberg, 2007. 515-534. Linear Secret Sharing Scheme Matrices from Threshold Access Trees.
[9] Chase, Melissa, and Sherman SM Chow. Improving privacy and security [34] Akinyele, Joseph A., et al. Charm: a framework for rapidly prototyping
in multi-authority attribute-based encryption. Proceedings of the 16th cryptosystems. Journal of Cryptographic Engineering 3.2 (2013): 111-
ACM conference on Computer and communications security. ACM, 2009. 128.
[10] Shoup, Victor. Lower bounds for discrete logarithms and related [35] Odelu, Vanga, et al. Pairing-based CP-ABE with constant-size cipher-
problems.Advances in CryptologyEUROCRYPT97. Springer Berlin Hei- texts and secret keys for cloud environment. Computer Standards &
delberg, 1997. Interfaces(2016).
[11] Goyal, Vipul, et al. Attribute-based encryption for fine-grained access [36] Odelu, Vanga, and Ashok Kumar Das. Design of a new CPABE
control of encrypted data. Proceedings of the 13th ACM conference on with constantsize secret keys for lightweight devices using elliptic curve
Computer and communications security. Acm, 2006. cryptography. Security and Communication Networks (2016).
[12] Lewko, Allison, et al. Fully secure functional encryption: Attribute- [37] Chatterjee, Santanu, and Ashok Kumar Das. An effective ECCbased
based encryption and (hierarchical) inner product encryption. Advances user access control scheme with attributebased encryption for wireless
in CryptologyEUROCRYPT 2010. Springer Berlin Heidelberg, 2010. 62- sensor networks. Security and Communication Networks 8.9 (2015):
91. 1752-1771.
[13] Li, Jin, et al. Privacy-aware attribute-based encryption with user ac-
countability. Information Security. Springer Berlin Heidelberg, 2009.
347-362.
[14] Lai, Junzuo, Robert H. Deng, and Yingjiu Li. Fully secure cipertext-
policy hiding CP-ABE. Information Security Practice and Experience.
Springer Berlin Heidelberg, 2011. 24-39.
[15] Doshi, Nishant, and Devesh Jinwala. Hidden access structure ciphertext Fawad Khan received his B.S. (2010) and M.S.
policy attribute based encryption with constant length ciphertext. Ad- (2014) in Electrical Engineering from UET Pe-
vanced Computing, Networking and Security. Springer Berlin Heidelberg, shawar, and CECOS University, respectively. He has
2011. 515-523. served in NUCES-FAST as Lab Engineer from 2011
[16] Li, Xiaohui, et al. Efficient ciphertext-policy attribute based encryp- to 2015. Currently he is pursuing his PhD in School
tion with hidden policy. Internet and Distributed Computing Systems. of Cyber Engineering at Xidian University. His
Springer Berlin Heidelberg, 2012. 146-159. research interests include content centric networks,
[17] Zhang, Yinghui, et al. Anonymous attribute-based encryption support- information security and machine learning.
ing efficient decryption test. Proceedings of the 8th ACM SIGSAC sym-
posium on Information, computer and communications security. ACM,
2013.
[18] Virvilis, Nikos, Stelios Dritsas, and Dimitris Gritzalis. A cloud
provider-agnostic secure storage protocol. Critical Information Infras-
tructures Security. Springer Berlin Heidelberg, 2010. 104-115.
[19] Di Vimercati, Sabrina De Capitani, et al. A data outsourcing archi-
tecture combining cryptography and access control. Proceedings of the
2007 ACM workshop on Computer security architecture. ACM, 2007. Hui Li received his B.S. (1990) from Fudan Uni-
[20] Yang, Kan, and Xiaohua Jia. Expressive, efficient, and revocable data versity, and M.S. (1993) and Ph.D (1998) from
access control for multi-authority cloud storage. Parallel and Distributed Xidian University, respectively. Currently, he is a
Systems, IEEE Transactions on 25.7 (2014): 1735-1744. professor at the School of Cyber Engineering, Xidian
[21] Miklau, Gerome, and Dan Suciu. Controlling access to published data University. In 2009, he was with Department of
using cryptography. Proceedings of the 29th international conference on Electrical and Computer Engineering (ECE), Univer-
Very large data bases-Volume 29. VLDB Endowment, 2003. sity of Waterloo, as a visiting scholar. His research
[22] Atallah, Mikhail J., et al. Dynamic and efficient key management interests include the areas of cryptography, security
for access hierarchies. ACM Transactions on Information and System of cloud computing, wireless network security, and
Security (TISSEC) 12.3 (2009): 18. information theory. He served as TPC co-chair of
[23] Ma, Tien-Yan, Ting-Wei Hou, and Shau-Yin Tseng. Hierarchical key ISPEC 2009 and IAS 2009, general cochair of E-
management of scalable video coding. Intelligent Information Hiding and Forensic 2010, ProvSec 2011 and ISC 2011. He is a member of the IEEE.
Multimedia Signal Processing, 2007. IIHMSP 2007. Third International
Conference on. Vol. 1. IEEE, 2007.
[24] Damiani, Ernesto, et al. Key management for multi-user encrypted
databases. Proceedings of the 2005 ACM workshop on Storage security
and survivability. ACM, 2005.
[25] Di Vimercati, Sabrina De Capitani, et al. Over-encryption: management Liangxuan Zhang received his B.S. (2014) in Math-
of access control evolution on outsourced data. Proceedings of the 33rd ematics from Xiangtan University. Since 2014 he
international conference on Very large data bases. VLDB endowment, is currently working towards his master degree in
2007. School of Cyber Engineering at Xidian University.
[26] Wang, Weichao, et al. Secure and efficient access to outsourced His current research interests include security and
data.Proceedings of the 2009 ACM workshop on Cloud computing privacy issues in cloud computing and applied cryp-
security. ACM, 2009. tography.
[27] Yun, Aaram, Chunhui Shi, and Yongdae Kim. On protecting in-
tegrity and confidentiality of cryptographic file system for outsourced
storage.Proceedings of the 2009 ACM workshop on Cloud computing
security. ACM, 2009.
[28] https://crypto.stanford.edu/pbc/

Owner Specified Excessive Access Control for Attribute Based Encryption

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Owner Specified Excessive Access Control for Attribute Based Encryption

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

Owner Specified Excessive Access Control for

A. This Work then proposed the first decentralized multi-authority ABE in

encrypt each chunk with a new symmetric key followed by

Fig. 3. Fractional Data Access of Attributes Sets

their attributes. We define an excessive access control policy

size. Authority Setup(GP ) SK, P K: Each authority selects

Sch SM KeyGen Encrypt Decrypt P olicy Scheme KeyGen Encrypt Decrypt

V. A NALYSIS OF THE S CHEME

TABLE IV c3 = 1. Combination of either Professor or Student share with

You might also like