Sage Journals: Discover world-class research

Abstract

Ciphertext-policy attribute-based encryption is a promising mechanism with fine-grained access control for cloud storage system. However, there is a long-lasting problem of key abuse that a user may share its decryption key and a semi-honest authority may illegally issue decryption keys for unauthorized users for profits. To address this problem, we propose an accountable ciphertext-policy attribute-based encryption scheme. In our construction, there are two authorities to issue keys for users, but they cannot decrypt any ciphertexts without collusion. A shared key can be effectively traced, and if the traced identity claims that it is innocent, an auditor can publicly audit who will be responsible for the shared key. Compared with existing accountable ciphertext-policy attribute-based encryption schemes, the proposed scheme is more practical from the two aspects: (1) a user can normally request for a decryption key along with a short signature, and no additional interaction between users and authorities is needed; and (2) the complexity of tracing a masked secret key is reduced to $| U |$ exponent computation, where $| U |$ denotes the number of users in the system. At last, we give the security and experimental analysis.

Keywords

Ciphertext-policy attribute-based encryption key escrow traceability accountability cloud computing

Introduction

Cloud storage is one of the most important services of cloud computing. More and more individuals (enterprises) are moving their private data to the cloud either for ease of sharing or for cost saving. While people enjoy the convenience of this new information technology (IT) architecture, their concerns about data security and privacy also arise.

Naturally, people want their sensitive data only accessible to authorized users. However, the cloud is semi-trusted, it cannot provide a fully trusted data access control service. To achieve access control on untrusted cloud servers, the data owner usually needs to encrypt the data before outsourcing, and only users holding decryption keys can recover the data. Traditional encryption schemes are no longer applicable to cloud systems, because there will be multiple encrypted copies of the same data for users with different keys and this will incur high computation overhead for the data owner and high storage overhead for the cloud.

Attribute-based Encryption (ABE), introduced by Sahai and Waters,¹ is a suitable solution for fine-grained access control in cloud storage systems. Generally, ABE can be classified into two main types:² (1) key-policy attribute-based encryption (KP-ABE): a user’s secret key is related to an access policy, while a ciphertext is labeled by a set of attributes; (2) ciphertext-policy attribute-based encryption (CP-ABE): a ciphertext is associated with an access policy, while the user’s decryption key is identified with a set of descriptive attributes.

In CP-ABE scheme, an authority manages the attribute universe and is responsible for issuing secret key for users according to attributes. The data owner defines an access policy and encrypts data under the access policy. A user can decrypt the ciphertexts if and only if the attributes related to its secret key satisfy the access policies in ciphertexts.

A motivating story

A data owner employs a cloud storage system and outsources its data after encrypting the data under access policy $A \lor {B \land C}$ . Each user in the system is assigned with some attributes, such as Alice is assigned with attributes $A$ , $B$ and $C$ ; Bob with $C$ ; and Ross with $B$ and $C$ . An authority (AA) will issue keys for each user according their attributes. Because ${A, B, C}$ and ${B, C}$ satisfy the access policy over the outsourced data, and Alice and Ross can decrypt these ciphertexts and get access to the sensitive data stored in the cloud. Thus, CP-ABE is quite suitable for cloud storage scenario.

However, in the CP-ABE system the secret key is related to attributes instead of identity, that is, users may have the same decryption privilege. In the above example, Alice and Ross have the same decryption privilege according to {B, C}. Then, a malicious user (e.g. Ross) is willing to share its secret key for profits without worrying about exposure because Alice has the same key. Thus, there should be a method to trace the owner of a shared secret key, that is, the CP-ABE system should support the property of traceability.

Furthermore, if the malicious user (e.g. Alice) is traced as the traitor (who shares her decryption key) but claims to be framed by the authority in the system, this case is possible in single authority CP-ABE system. There is only one authority that issues secret keys for all users, the authority can illegally generate arbitrary secret keys, and distribute it to an illegal user while this secret key may be associated with an honest user. For example, the authority generates a decryption key associated with Alice, and shares this key to Evil who is unauthorized. Then how to judge whether Alice is framed or not? If a user is traced to be malicious the CP-ABE system should provide accountability, that is, it is necessary to provide a method that enables an auditor to judge whether a traced user is innocent or not.

Related works

Cloud computing, such as computation model^3,4 and application of blockchain⁵ to cloud computing, is still an interesting and attractive research field. As to secure cloud storage, many ABE schemes^6–15 aiming at better efficiency, security and expressiveness have been proposed.

As to ABE with white-box traceability which takes a well-formed decryption key as input, Li et al.¹⁶ gave an accountable ABE supporting AND gate with wildcards access policy. However, it cannot achieve traceability as mentioned in Yu et al.¹⁷ Liu et al.¹⁸ proposed a traceable CP-ABE supporting any monotone access structures, Ning et al.¹⁹ proposed a traceable CP-ABE scheme supporting large universe, a fully secure traceable CP-ABE scheme.²⁰

As to ABE with accountability, Ning et al.²¹ proposed an accountable ABE supporting traceability and public auditing. The public auditing in scheme given by Ning et al.²¹ is based on zero-knowledge proofs of knowledge (ZK-POK) of a random. However, if there is only one authority and there is not a public verifiable binding between the random and user’s identity, the authority still can generate an illegal secret key related to another random for an unauthorized user.

Yu et al.¹⁷ proposed an traceable ABE supporting public verifiability which fails to support accountability owing to the fact that there is only one authority who knows secret keys of all users. Then, Yu et al.²² proposed an accountable ABE based on two authorities, neither of whom can generate a valid secret key. However, in the scheme given by Yu et al.,²² the user needs two steps of interaction with the two authorities during the key generation phase. This is more complicated than traditional ABE schemes from the view of users. Furthermore, the malicious user can change the number of elements in secret keys before sharing them which will make the identity of the secret key more complicated to trace.

The concrete comparison of features with related works^16–22 is shown in Table 1. According to Table 1, both the proposed traceable and undeniable ciphertext-policy attribute-based encryption (tuCP-ABE) scheme and the scheme by Yu et al.²² can achieve accountability. However, the scheme by Yu et al.²² needs an additional interaction with the two authorities during the key generation phase, and Table 2 shows that it needs to compute additional $2 | U |$ bilinear maps to trace a masked key where $| U |$ denotes the number of users in the system. It is a heavy workload to trace a masked key when there are many users in the system.

Table 1.

Comparison of properties.

Scheme	Traceability	Key escrow	Accountability
Li et al.¹⁶	✗	✗	✗
Yu et al.¹⁷	✓	✗	✗
Liu et al.¹⁸	✓	✗	✗
Ning et al.¹⁹	✓	✗	✗
Ning et al.²⁰	✓	✗	✗
Ning et al.²¹	✓	✓	✗
Yu et al.²²	✓	✓	✓
tuCP-ABE	✓	✓	✓

tuCP-ABE: traceable and undeniable ciphertext-policy attribute-based encryption.

Table 2.

Comparison of cost.

Scheme	Additional interactionduring decryptionkey generation	Additional computationfor tracing masked key
Yu et al.²²	1	$2 \| U \|$ bilinear maps
tuCP-ABE	0	$\| U \|$ exponent

tuCP-ABE: traceable and undeniable ciphertext-policy attribute-based encryption.

Besides white-box traceability, there is another practical property called black-box traceability which takes a decryption device as input. The black-box device will hide the decryption key and the black-box trace algorithm should find the identity of decryption key that has been used in constructing the decryption device. Li et al.¹⁰ proposed a black-box traceable ABE supporting AND gate with wildcards access policy. Liu et al.²³ proposed a black-box traceable CP-ABE system which supports any monotone access structures, and Liu et al.²⁴ gave a full secure black-box traceable CP-ABE system based on prime order groups, Ning et al.²⁵ proposed a black-box traceable CP-ABE scheme with shorter ciphertexts, and there are some researches on traceable CP-ABE in fog computing,^26,27 and auditable $σ$ -time outsourced CP-ABE²⁸ which limits that users can enjoy access privilege at most $σ$ times.

Our results

In this article, we investigate the key abuse problem and further propose a tuCP-ABE. To achieve traceability, the identity information of key owner is signed by the authority and inserted into the user’s secret key as a necessary part for successful decryption. To achieve accountability, two authorities are applied to avoid key escrow that neither of the two authorities knows the user’s secret key and a short signature of the user is used to achieve nonrepudiation. The main features of tuCP-ABE are as follows.

Practical key generation: In the decryption key generation algorithm of the scheme given by Yu et al.,²² the authorities, central authority (CA) and outsourcing authority (OA) need to generate a one-time $K$ and send to user, and then the user signs a signature of $K$ and sends to CA which will introduce an additional interaction. To improve efficiency, the user (instead of authorities) will select a one-time random $r_{U}$ and sign a signature of $r_{U}$ , and no additional interactions between a user and authorities is needed. This is more practical than that in scheme given by Yu et al.,²² where the user will sign a short signature for a received element by interacting with authorities.

Efficient traceability: If the user shares its secret key without a mask, the identity of a shared secret key in our tuCP-ABE can be easily traced with public verifiability because the identity is a part of shared key. Else, if the user shares a masked secret key, the CA will do $| U |$ times exponent computations to trace the identity information related to a shared key, where $| U |$ denotes the number of users in system. This is more efficient than that in scheme given by Yu et al.²² which needs $2 | U |$ computations of bilinear maps.

Accountability: The auditing in scheme given by Ning et al.²¹ is based on $t_{id} = (c / t)$ , where $c$ is a random chosen by the authority and $t$ is a random chosen by the user. The authority still can illegally generate a decryption key that is related to an identity who never requests a secret key and can decrypt arbitrary ciphertexts. The essence of these shortcomings is that there is not a public verifiable binding between the random and the user’s identity. Thus, we introduce a short signature scheme, and the user will sign a signature for the one-time random $r_{U}$ . Based on one-time random $r_{U}$ and unforgeability of the signature, both CA and OA cannot generate a secret key separately, and cannot decrypt any ciphertexts without collusion, that is, the scheme is without key escrow. Besides traceability, an auditor can public audit whether a user is malicious or innocent, that is, the proposed tuCP-ABE scheme can support accountability.

Public auditing: Note that the schemein Ning et al.²¹ is privately auditable, only a fully trusted auditor can run the audit procedure because the auditor needs know the whole secret key of user. In the proposed tuCP-ABE, the user only needs to submit a part of the decryption key to the auditor. The auditor can publicly verify the validness of the submitted key, and the auditor cannot decrypt any ciphertexts using the received key.

Organization

Section “Background” introduces some preliminaries, including the bilinear map and related assumptions. Section “Accountable CP-ABE” gives the formal definition of the tuCP-ABE and its security model. The main construction of tuCP-ABE is given in section “The concrete tuCP-ABE scheme.” Section “Security and performance analysis” presents the security proof and the performance analysis. Finally, section “Conclusion” presents a brief conclusion and foresees our future work.

Background

Definition 1

Bilinear maps

$G$ is a prime-order bilinear groups generator which takes a security parameter $λ$ as input and outputs prime-order bilinear groups $(G, G_{T}, e, p)$ , where $p$ is a prime, $G, G_{T}$ are two cyclic groups of order $p$ and $e : G \times G \to G_{T}$ is a bilinear maps such that (1) bilinearity: $\forall g, h \in G$ and $a, b \in Z_{p}$ , we have $e (g^{a}, h^{b}) = e (g, h)^{ab}$ ; (2) mon-degeneracy: $\exists g \in G$ such that $e (g, g)$ has order $p$ in $G_{T}$ ; and (3) computability: $e$ can be efficiently computed.

Definition 2

Discrete logarithm problem

Inputting $g^{a}$ , where $g \in G, a \in_{R} Z_{p}^{*}$ , the discrete logarithm (DL) problem is to compute $a$ .

Assumption 1

DL assumption

The advantage of an algorithm $A$ in solving the DL problem is defined to be $Ad v_{DL} (A) = \Pr [A (g, g^{a}) = a : g, g^{a} \leftarrow_{R} G]$ . We say that $G$ satisfies the DL assumption if $Ad v_{DL} (A)$ is a negligible function of security parameter $λ$ for any polynomial algorithm $A$ .

Definition 3

Decisional q parallel-BDHE problem

Inputting $\overset{⇀}{s} = g, g^{s}, g^{a}, \dots, g^{a^{q}}, g^{a^{q + 2}}, \dots, g^{a^{2 q}}, g^{s b_{j}}, g^{(a / b_{j})}, \dots, g^{(a^{q} / b_{j})}, g^{a^{(q + 2 / b_{j})}}, \dots, g^{a^{(2 q / b_{j})}} \forall 1 \leq j \leq q g^{(a s b_{k} / b_{j})}, \dots, g^{(a^{q} s b_{k} / b_{j})}, \forall 1 \leq j, k \leq q, k \neq j$ , the decisional $q$ parallel-BDHE problem is to distinguish $e (g, g)^{s a^{q + 1}}$ from a random element in $G_{T}$ , where $g \in G, a, s, b_{1}, . . ., b_{q} \in Z_{p}$ .

Assumption 2

Decisional $q$ parallel-BDHE assumption

The advantage of an algorithm $A$ in solving the decisional $q$ parallel-BDHE problem is defined to be $A d v_{D B D H} (A) = | \Pr [A (\overset{⇀}{s}, e {(g, g)}^{s a^{q + 1}}) = 1 - \Pr [A (g, \overset{⇀}{s}, R) = 1 |$ . We say that $G$ satisfies the decisional $q$ parallel-BDHE assumption if $Ad v_{DBDH} (A)$ is a negligible function of security parameter $λ$ for any polynomial algorithm $A$ .

Accountable CP-ABE

Definition

The traceable and undeniable CP-ABE, denoted by tuCP-ABE in brief, consists of 10 polynomial-time algorithms.

$GlobalSetup (λ) \to (GPP)$ : The global setup algorithm, takes in the security parameter $λ$ , and outputs the global public parameters $GPP$ .

$CASetup (λ) \to (P_{CA}, MS K_{CA})$ : The CA setup algorithm, takes in global public parameters $GPP$ , outputs the public key $P_{CA}$ of CA, CA’ secret key $MS K_{CA}$ .

$OASetup (GPP, P_{CA}) \to (P_{OA}, MS K_{OA})$ : The OA setup algorithm, takes in global public parameters $GPP$ , public key $P_{CA}$ of CA, and outputs the public key $P_{OA}$ of OA and OA’ secret key $MS K_{OA}$ .

$USignKeyGen (GPP) \to (x_{U}, P_{U})$ : The user sign-verify key generation algorithm, takes in $GPP$ , and outputs secret sign-key $x_{U}$ and public verify-key $P_{U}$ .

$UDecryptKeyGen (GPP, MS K_{CA}, MS K_{OA}, S, x_{U}, P_{U}, P_{CA}) \to S K_{U, S}$ : The user decryption key generation algorithm is accomplished by user, CA and OA in sequence. A user generates a signature $L$ for a random using sign-key $x_{U}$ , and submits an identity $U$ and attributes $S$ along with signature $L$ to CA. CA verifies the signature $L$ and generates an intermediate decryption key $S K_{U, S}'$ with $MS K_{CA}$ . A part of $S K_{U, S}'$ is secretly sent to $U$ and the other part of $S K_{U, S}'$ is secretly sent to OA. Then, OA generates the decryption key $S K_{U, S}$ with its secret key $MS K_{OA}$ .

$Encrypt (P_{CA}, P_{OA}, W, M) \to C T_{W}$ : The encryption algorithm, takes in $P_{CA} and P_{OA}$ , a plaintext $M$ , and an access structure $W$ over $U$ and outputs a ciphertext $C T_{W}$ .

$Decrypt (P_{CA}, P_{OA}, S K_{U, S}, W, C T_{W}) \to M$ : The decryption algorithm, takes in $P_{CA} and P_{OA}$ , decryption key $S K_{U, S}$ , a ciphertext $C T_{W}$ , and the access structure $W$ , outputs plaintext $M$ , or a failure symbol ⊥.

$KeySanityCheck (P_{CA}, P_{OA}, S K_{U, S}) \to 1 or 0$ : The key sanity check algorithm, takes in $P_{CA}, P_{OA}, and S K_{U, S}$ and outputs a valid symbol $1$ or a invalid symbol $0$ .

$Trace (P_{CA}, P_{OA}, S K_{U, S}) \to IDinfo$ : The trace algorithm, takes in $P_{CA},$ $P_{OA}, and S K_{U, S}$ and outputs identity information $IDinfo$ .

$PublicAudit (P_{CA}, P_{OA}, S K_{U, S}, S {\bar{K}}_{U, S}, S) \to U or CA$ : The public audition algorithm, takes in $P_{CA} and P_{OA}$ , decryption key $S K_{U, S}$ and $S {\bar{K}}_{U, S}$ over attribute set $S$ , outputs $U$ or $CA$ .

IND-s-CPA security

There are two authorities CA and OA. We assume that CA and OA are curious-but-honest, and CA is not allowed to collude with OA. The ciphertext indistinguishability under adaptive chosen plaintext attack in the selective model (IND-s-CPA) of accountable CP-ABE is described by following security game between a challenger $C$ and an adversary $A$ .

Init: $A$ submits a target access structure $W^{*}, ρ$ where $W^{*}$ is an $l^{*} \times k^{*}$ matrix.

Setup: $C$ runs the $GlobalSetup$ , $CASetup$ , and $OASetup$ algorithms and sends public parameters to $A$ . If the adversary $A$ is CA (OA), $C$ runs the $GlobalSetup$ , and $CASetup$ $(OASetup)$ algorithms, the public key of CA (OA) is given by $A$ , that is, the CA and OA are curious-but-honest.

Phase 1: $A$ queries the challenger $C$ for secret sign-key corresponding to a series of honest identities $U$ . If identity $U$ is colluded, $A$ directly submits the public verify-key to $C$ . And $A$ queries the challenger $C$ for decryption secret key corresponding to sets of identities $U$ and attributes $S$ .

Challenge: $A$ declares two messages $M_{0} and M_{1}$ of equal length and target access structure $(W^{*}, ρ)$ . $C$ flips a random coin $b \in {0, 1}$ and generates the challenge ciphertext $C T_{W^{*}}$ of $m_{b}$ . $C$ sends the challenge ciphertext $C T_{W^{*}}$ to $A$ .

Phase 2: $A$ continues to make queries adaptively as in Phase 1 except that it is not allowed to query decryption secret key for any $S$ satisfying $W^{*}$ .

Guess: At last, $A$ outputs a guess bit $b'$ . $A$ wins the game if $b' = b$ , and the advantage of $A$ is defined as $Adv (A) = \Pr [b' = b] - (1 / 2)$ .

Accountability

The accountability in tuCP-ABE scheme is based on two properties: the white-box traceability and the non-repudiation of user’s signature.

White-box traceability

The identity information is related to a decryption key by the signature of CA and OA. Thus, the white-box traceability game is similar to the unforgeability of signature. It can be described by following game between a challenger $C$ and an adversary $A$ .

Setup: $C$ runs the $GlobalSetup$ , $CASetup$ , and $OASetup$ algorithms and sends public parameters to $A$ . If the adversary $A$ is CA (OA), $C$ runs the $GlobalSetup$ , $CASetup$ $(OASetup)$ algorithms, and the public key of CA (OA) is given by $A$ .

Query phase: $A$ queries the challenger $C$ for secret sign-key corresponding to a series of honest identities $U$ . If identity $U$ is colluded, $A$ directly submits the public verify-key to $C$ , and $A$ queries the challenger $C$ for decryption secret key corresponding to sets of identities $U$ and attributes $S$ .

Forge: At last, $A$ outputs a decryption key $S K_{U^{*}, S^{*}}$ for $(U^{*}, S^{*})$ . The adversary $A$ wins the game if $S K_{U^{*}, S^{*}}$ is valid and $S K_{U^{*}, S^{*}}$ is not from a decryption key query on $(U^{*}, S^{*})$ . The advantage of $A$ is defined as $Adv (A) = \Pr [A wins]$ .

Non-repudiation of user

The non-repudiation of user is based on the unforgeability of the user’s signature, and we assume that at one period, a user has a unique random that relates to decryption key. The non-repudiation of user is defined by the following game between an adversary $A$ and a challenger $C$ .

Setup: $C$ runs the $GlobalSetup$ algorithms and sends public parameters to $A$ . The adversary $A$ sends the public keys of CA and OA to $C$ .

Query phase: $A$ queries the challenger $C$ for secret sign-key corresponding to a series of honest identities $U$ . If identity $U$ is colluded, $A$ directly submits the public verify-key to $C$ .

Forge: At last, $A$ outputs a decryption key $S K_{U^{*}, S^{*}}$ for $(U^{*}, S^{*})$ . The adversary $A$ wins the game if $S K_{U^{*}, S^{*}}$ is valid, and the one-time random of $S K_{U^{*}, S^{*}}$ is the same with a real $S K'_{U^{*}, S^{*}}$ for $(U^{*}, S^{*})$ . The advantage of $A$ is defined as $Adv (A) = \Pr [A wins]$ .

The concrete tuCP-ABE scheme

$GlobalSetup (λ) \to (GPP)$ : Given a security parameter $λ$ , it generates two cyclic groups $G, G_{T}$ of prime-order $p$ , two random generators $g, g_{1}$ of $G$ , a bilinear map $e : G \times G \to G_{T}$ . For each attribute $at t_{i} \in U$ , it randomly chooses $t_{i} \in_{R} Z_{p}$ , sets $T_{i} = g^{t_{i}}$ , generates two secure Hash functions $H_{1} : Z_{p} \times G \times {0, 1}^{d} \to G$ , $H_{2} : Z_{p} \times G \times G \times {0, 1}^{d} \times G \to Z_{p}$ , where $d$ denotes the bit length of identity information $IDinfo$ . The global public parameters $GPP = (p, G, G_{T}, e, g, g_{1}, {T_{i}}_{at t_{i} \in U}, H_{1}, H_{2})$ .

$CASetup (GPP) \to (P_{CA}, MS K_{CA})$ : CA randomly chooses $α_{1}, α_{2}, α_{3} \in_{R} Z_{p}$ , keeps $α_{1}, α_{2}, α_{3} \in_{R} Z_{p}$ as CA’ master secret key $MS K_{CA}$ and publishes $(e (g, g)^{α_{1}}, e (g, g)^{α_{2}}, e (g, g)^{α_{3}})$ as CA’s public key $P_{CA}$ .

$OASetup (GPP, P_{CA}) \to (P_{OA}, MS K_{OA})$ : OA randomly chooses $β, b \in_{R} Z_{p}$ , keeps $(β, b)$ as OA’ secret key $MS K_{OA}$ , publishes $e (g, g)^{α_{1} β}, e (g, g)^{α_{2} β},$ $e (g, g)^{α_{3} β}, g^{b}, g_{1}^{b}$ as OA’s public key $P_{OA}$ .

$USignKeyGen (GPP, U) \to (x_{U}, P_{U})$ : Each user needs to generate a pair of keys to sign a signature. User $U$ selects a random element $x_{U} \in Z_{p}$ as signature secret key, publishes $P_{U} = g^{x_{U}}$ as public key.

$UDecryptKeyGen (P_{CA}, P_{OA}, MS K_{CA}, MS K_{OA}, U, S, x_{U}, P_{U}) \to S K_{U, S}$ : The secret key $S K_{U, S} = (r_{U}, h_{2}, θ, K, D, K', K ″, K ″', {K_{i}}_{at t_{i} \in S})$ of user $U$ with attribute set $S$ can be generated as follows:

- $U$ selects a one-time random $r_{U} \in_{R} Z_{p}$ , computes $L = h_{1}^{x_{U}}$ , where $h_{1} = H_{1} (r_{U}, P_{U}, IDinfo)$ , and sends $(r_{U}, L, P_{U}, IDinfo, S)$ to CA.

- CA verifies the correctness of $L$ by $e (L, g) = e (h_{1}, P_{U})$ , where $h_{1} = H_{1} (r_{U}, P_{U}, IDinfo)$ . If it holds, CA searches $(r_{U}, *, *, IDinfo, *, *)$ in list $L_{CA}$ , if an item is found, CA requests another random $r_{U}$ . Else, it stores $(r_{U}, L, P_{U}, IDinfo, S, h_{2})$ , where $h_{2} = H_{2} (r_{U}, P_{U}, P_{CA}, IDinfo, L)$ , in list $L_{CA}$ , chooses $θ, s_{1} \in_{R} Z_{p}$ , computes

\hat{K} = g^{s_{1}}, \hat{K}' = g^{\frac{α_{1}}{b + r_{u}}} g_{1}^{s_{1}}, \hat{K} ″ = g^{\frac{α_{2}}{θ}} g_{1}^{s_{1}}

\hat{K} ″' = g^{\frac{α_{3}}{b + h_{2}}} g_{1}^{s_{1}}, {{\hat{K}}_{i} = T_{i}^{s_{1}}}_{at t_{i} \in S}

Then, CA sends $(r_{U}, L, P_{U}, IDinfo, S, \hat{K}, \hat{K}', \hat{K} ″, \hat{K} ″', {{\hat{K}}_{i}}_{at t_{i} \in S})$ to OA and $θ$ to $U$ secretly.

- OA randomly chooses $s_{2} \in_{R} Z_{p}$ , computes

\begin{matrix} K = {\hat{K}}^{β} g^{s_{2}}, D = (K)^{b}, K' = (\hat{K}')^{β} g_{1}^{s_{2}} \\ K ″ = (\hat{K} ″)^{β} g_{1}^{s_{2}}, K ″' = (\hat{K} ″')^{β} g_{1}^{s_{2}} \\ {K_{i}^{1} = {\hat{K}}_{i}^{β} T_{i}^{s_{2}}, K_{i}^{2} = ({\hat{K}}_{i})^{r_{u} β} T_{i}^{r_{u} s_{2}} {\hat{K}}_{i}^{h_{2} β} \\ T_{i}^{h_{2} s_{2}} ({\hat{K}}_{i}^{b β} T_{i}^{b s_{2}})^{2}}_{at t_{i} \in S} \end{matrix}

OA stores $(r_{U}, L, P_{U}, IDinfo, S, h_{2})$ in list $L_{OA}$ and sends $(K, D, K', K ″, K ″', {K_{i}^{1}, K_{i}^{2}}_{at t_{i} \in S})$ to $U$ secretly.

Let $s = s_{1} β + s_{2}$ , then $S K_{U, S} = (r_{U}, h_{2}, θ, K = g^{s}, D = g^{bs}, K' = g^{α_{1} β / (b + r_{u})} g_{1}^{s}, K ″ = g^{α_{2} β / θ} g_{1}^{s}, K ″' = g^{α_{3} β / (b + h_{2})} g_{1}^{s}, {K_{i} = T_{i}^{2 bs + (r_{u} + θ + h_{2}) s}}_{at t_{i} \in S})$ .

$Encrypt (GPP, P_{CA}, P_{OA}, W, M) \to C T_{W}$ : Given a plaintext $M$ and an access structure $(W, ρ)$ , where $W$ is a $l \times k$ matrix. Ciphertext $C T_{(W, ρ)} = (C, C', C ″, {C_{i}, D_{i}}_{i \in [l]})$ can be generated as follows:

- Chooses a random vector $\vec{v} = (r, y_{2}, \dots, y_{k}) \in_{R} (Z_{p})^{k}$ and random elements $r_{1}, \dots, r_{l} \in_{R} Z_{p}$ ;

- Computes $C' = g^{r}$ , $C ″ = g^{br}, C = M (e (g, g)^{α_{1} β} e (g, g)^{α_{2} β} e (g, g)^{α_{3} β})^{r}$ ;

- For $i = 1$ to $l$ , computes $λ_{i} = W_{i} \vec{v}$ , $C_{i} = g_{1}^{λ_{i}} T_{ρ (i)}^{- r_{i}}$ , and $D_{i} = g^{r_{i}}$ .

$Decrypt (GPP, P_{CA}, P_{OA}, S K_{U, S}, C T_{W}) \to M$ : Given $C T_{W}$ , user $U$ first get ${w_{i} : i \in I}$ such that $\sum_{i \in I} w_{i} W_{i} = (1, 0, \dots, 0)$ , where index set $I = {i : at t_{ρ (i)} \in S'}$ . If attributes set $S'$ satisfies the access structure $(W, ρ)$ the user $U$ retrieves the message as follows

M = C \frac{\underset{i \in I}{Π} {(e (C_{i}, D^{2} K^{r_{u} + θ + h_{2}}) e (D_{i}, K_{ρ_{(i)}}))}^{w_{i}}}{e (K', C ″ {C'}^{r_{U}}) e (K ″, {C'}^{θ}) e (K ″', C ″ {C'}^{h_{2}})}

$KeySanityCheck (GPP, P_{CA}, P_{OA}, S K_{U, S}) \to 1 or 0$ : Secret key $S K_{U, S} = (r_{U}, h_{2}, θ, K, D, K', K ″, K ″', {K_{i}}_{at t_{i} \in S})$ passes the key sanity check if

\begin{matrix} r_{U}, h_{2}, θ \in Z_{p} \\ K, D, K', K ″, K ″', {K_{i}}_{at t_{i} \in S} \in G \\ e (K, g^{b}) = e (D, g) \\ e (K', g^{b} g^{r_{U}}) = e (g, g)^{α_{1} β} e (g_{1}^{b}, K) e (g_{1}^{r_{U}}, K) \\ e (K ″, g^{θ}) = e (g, g)^{α_{2} β} e (g_{1}^{θ}, K) \\ e (K ″', g^{b} g^{h_{2}}) = e (g, g)^{α_{3} β} e (g_{1}^{b}, K) e (g_{1}^{h_{2}}, K) \\ e (K_{i}, g) = e (D, T_{i}^{2}) e (K, g)^{r_{U} + θ + h_{2}}, \exists at t_{i} \in S \end{matrix}

If $S K_{U, S}$ passes the key sanity check, it outputs 1; else outputs 0.

$Trace (GPP, P_{CA}, P_{OA}, S K_{U, S}) \to IDinfo$ .

If $S K_{U, S}$ passes the key sanity check, CA (OA) finds $(r_{U}, L, P_{U}, IDinfo, S)$ in list $L_{CA} (L_{OA})$ , and verifies $h_{2} = H_{2} (r_{U}, P_{U}, P_{CA}, IDinfo, L)$ , $e (L, g) = e (h_{1}, P_{U})$ , where $h_{1} = H_{1} (r_{U}, P_{U}, IDinfo)$ . If they hold, it outputs the identity information $IDinfo$ of $S K_{U, S}$ .

Note that a malicious user may mask the secret key as $(K^{r_{u} + θ + h_{2}}, K', (K')^{r_{u}}, K ″, (K ″)^{θ}, K ″', (K ″')^{h_{2}}, {K_{i}}_{at t_{i} \in S})$ to mask its identity. The CA (OA) can trace the identity of a shared key by checking $K'^{{r'}_{u}} = (K')^{r_{u}}$ for all $r'_{u}$ in the system, where only $| U |$ exponent computation is needed. In scheme by Yu et al.,²² a malicious user may share $(K^{θ / h}, (K')^{θ / h}, {(K_{i})^{θ / h} : \forall at t_{i} \in S})$ to mask its identity. The CA (OA) who records the $U, σ, and θ$ can trace the identity by checking $e (g, K^{θ / h}) = e (g, K)^{θ / h}$ for all $U, σ, and θ$ in the system, which is higher overhead to compute $2 | U |$ bilinear maps for all users $U \in U$ .

$PublicAudit (GPP, P_{CA}, P_{OA}, S K_{U, S}, S {\bar{K}}_{U, S}, S) \to U or CA$ .

Suppose a shared key $S K_{U, S}$ is related to user $U$ (with identity $IDinfo$ ) by the trace algorithm, but user $U$ claims to be innocent and framed by the system. To prove its innocence, $U$ submits $(r_{U}, h_{2}, K, K')$ to the auditor while $r_{U}, h_{2}$ is the same with that of $S K_{U, S}$ and $K, K'$ is different from $S K_{U, S}$ . Then the auditor checks whether $e (K', g^{b} g^{r_{U}}) = e (g, g)^{α_{1} β} e (g_{1}^{b}, K) e (g_{1}^{r_{U}}, K)$ holds or not. If it does, the auditor will rule that the user is innocent because of the one-time random $r_{U}$ ; else, outputs $IDinfo$ .

Security and performance analysis

IND-CPA security

The confidentiality (IND-CPA security) of the proposed scheme can be presented directly based on the (decision) $q$ parallel-BDHE assumption. We denote the CP-ABE scheme by Waters⁸ as WCP-ABE. For simplicity, we will reduce the security of the proposed scheme to that of WCP-ABE scheme.

Lemma 1

If the (decision) $q$ parallel-BDHE assumption holds, then the WCP-ABE scheme is IND-CPA secure.

Proof

The details of proof are referred to Waters.⁸

Lemma 2

If CA and OA are regarded as one authority, then the confidentiality of the proposed tuCP-ABE scheme can be reduced to that of WCP-ABE scheme.

Proof

If CA and OA are regarded as one authority, then CA (for example) runs the OASetup algorithm and gets the secret key of OA. And the UDecryptKeyGen algorithm is as follows:

$U$ selects a one-time random $r_{U} \in_{R} Z_{p}$ , computes $L = h_{1}^{x_{U}}$ , where $h_{1} = H_{1} (r_{U}, P_{U}, IDinfo)$ and sends $(r_{U}, L, P_{U}, IDinfo, S)$ to CA.

CA verifies the correctness of $L$ by $e (L, g) = e (h_{1}, P_{U})$ , where $h_{1} = H_{1} (r_{U}, P_{U}, IDinfo)$ . If it holds, CA searches $(r_{U}, *, *, IDinfo, *, *)$ in list $L_{CA}$ , if such an item is found, CA requests another random $r_{U}$ . Else, it stores $(r_{U}, L, P_{U}, IDinfo, S, h_{2})$ in $L_{CA}$ , chooses $θ, s \in_{R} Z_{p}$ randomly, and computes $S K_{U, S} = (r_{U}, h_{2}, θ, K = g^{s}, D = g^{bs}, K' = g^{α_{1} β / (b + r_{u})} g_{1}^{s}, K ″ = g^{α_{2} β / θ} g_{1}^{s}, K ″' = g^{α_{3} β / (b + h_{2})} g_{1}^{s}, {K_{i} = T_{i}^{2 bs + (r_{u} + θ + h_{2}) s}}_{at t_{i} \in S})$ .

If there is an adversary $A$ that can break the tuCP-ABE scheme with advantage $Ad v_{A}$ , we can construct an adversary $B$ against WCP-ABE⁸ with advantage ${A d v}_{ℬ}$ such that ${A d v}_{ℬ} = {A d v}_{A}$ . The construction is as follows, where $C$ simulates the queries both from $A$ and $B$ .

Setup: $C$ gives $B$ the WCP-ABE public parameters $p, G, G_{T}, e, g, e (g, g)^{α}, g_{1} = g^{a}, {T_{i}}_{at t_{i} \in U}$ . $C$ randomly selects $b, α_{2}, α_{3}, β \in_{R} Z_{p}$ and gives $(p, G, G_{T}, e, g, e (g, g)^{α}, g_{1} = g^{a}, {T_{i}}_{at t_{i} \in U}, g^{b}, g_{1}^{b}, e (g, g)^{α β})$ to $A$ as the tuCP-ABE public parameters, which implicitly sets $α_{1} = α_{2} = α_{3} = α$ .

Phase 1: $A$ submits a set of attributes set $S \subset U$ with identity $U$ for UdecryptGen oracle. $C$ generates $\hat{K} = g^{s}, \hat{K}' = g^{α} g_{1}^{s}, {{\hat{K}}_{i} = T_{i}^{s}}_{at t_{i} \in S}$ by running the KeyGen algorithm (or a KeyGen oracle queried by $B$ ) of WCP-ABE. Then, $C$ computes $K = (\hat{K})^{β / (b + r_{u})} = g^{s β / (b + r_{u})}, D = K^{b}, K' = K ″ = K ″' = (\hat{K}')^{β / (b + r_{u})} = g^{α β / (b + r_{u})} g_{1}^{s β / (b + r_{u})}, {K_{i} = ({\hat{K}}_{i})^{(β / (b + r_{u})) (2 b + r_{u} + θ + h_{2})} = T_{i}^{(s β / (b + r_{u})) (2 b + r_{u} + θ + h_{2})}}_{at t_{i} \in S}$ , and returns $S K_{U, S} = (r_{U}, h_{2}, θ, K, D, K', K ″, K ″', {K_{i}}_{at t_{i} \in S})$ to $A$ , where implicitly sets $h_{2} = r_{u} = θ - b$ .

Challenge: $A$ submits two messages $M_{0}, M_{1}$ of equal length along with target access structure $W^{*}$ , $C$ flips a random coin $b \in {0, 1}$ and generates the tuCP-ABE challenge ciphertext $C T_{W^{*}} = (C, C', C ″, {C_{i}, D_{i}}_{i \in [l]})$ of $M_{b}$ . $C$ returns $C T_{W^{*}}$ to $A$ and sends $((C / (e (g, g)^{α β r} e (g, g)^{α β r})), C', {C_{i}, D_{i}}_{i \in [l]})$ to $B$ .

Phase 2: Same with Phase 1.

Guess: $A$ outputs a guess bit $b'$ , then $B$ outputs the same $b'$ for WCP-ABE.

From the above simulation, the distributions of the public parameter, decryption keys and challenge ciphertext are indistinguishable from the real scheme (assuming CA and OA are regarded as one authority), we have $Ad v_{B} = Ad v_{A}$ .

Lemma 3

A curious-but-honest CA (without collusion with OA and a valid key from user) cannot decrypt any ciphertext.

Proof

Here we give a heuristic analysis. A curious-but-honest CA needs to get $β$ (1) or $r$ (2) to decrypt cophertext $M (e (g, g)^{α_{1} β} e (g, g)^{α_{2} β} e (g, g)^{α_{3} β})^{r}$ .

$(e (g, g^{r})^{α_{1}} e (g, g^{r})^{α_{2}} e (g, g^{r})^{α_{3}})^{β}$

$\to e (g, g)^{α_{1} β r} e (g, g)^{α_{2} β r} e (g, g)^{α_{3} β r}$

$\to M$

$(e (g, g)^{α_{1} β} e (g, g)^{α_{2} β} e (g, g)^{α_{3} β})^{r}$

$\to e (g, g)^{α_{1} β r} e (g, g)^{α_{2} β r} e (g, g)^{α_{3} β r}$

$\to M$

However, it is related to DL to compute $β$ or $r$ . Under the DL assumption, the OA cannot decrypt any ciphertext.

Lemma 4

A curious-but-honest OA (without collusion with CA and a valid key from user) cannot decrypt any ciphertext.

Proof

If OA is curious-but-honest, CA needs to recover $θ$ to recover cophertext. However, it is also related to DL to compute $θ$ . Under the DL assumption, the CA cannot decrypt any ciphertext.

Theorem 1

If the (decision) q parallel-BDHE assumption holds, then the proposed tuCP-ABE scheme is IND-CPA secure.

Proof

It follows from Lemma 1, Lemma 2, Lemma 3, and Lemma 4.

Lemma 5

If the $l - SDH$ assumption holds, the tuCP-ABE is white-box traceability, that is, a user cannot generate a forge secret key.

Proof

Actually, the $K' = g^{α_{1} β / (b + r_{u})} g_{1}^{s} and K ″' = g^{α_{3} β / (b + h_{2})} g_{1}^{s}$ can be seen as signature signed by CA and OA in sequence. Concretely, CA signs a short signature²⁹ $g^{α_{1} / (b + r_{u})} and g^{α_{3} / (b + h_{2})}$ of $r_{u}, h_{2}$ with sign-secret key $(α_{1}, b)$ , $(α_{3}, b)$ correspondingly, then OA signs a short signature³⁰ $(g^{α_{1} / (b + r_{u})})^{β}, and (g^{α_{3} / (b + h_{2})})^{β}$ with secret key $β$ . If the $l - SDH$ assumption and DL assumption hold, the short signature schemes by Boneh and colleagues^29,30 are secure against existential forgery under chosen message attack.^29,30 Thus, the tuCP-ABE is full white-box traceability, that is, a valid secret key is really related to $r_{u}, h_{2}$ , because a user cannot generate a forge secret key.

Theorem 2

If the $l - SDH$ and CDH assumption hold, the tuCP-ABE is accountability.

Proof

On one hand, from Lemma 5, the tuCP-ABE scheme is white-box traceability. On the other hand, the one-time random $r_{u}$ is signed by user using a short signature schemein Boneh et al.³⁰ The CA and OA cannot generate a secret key for a random $r'_{u}$ without the user’s signature. Thus, at some period, the secret key including $r_{u}$ is the only one valid secret key. Thus the tuCP-ABE is accountability.

Experimental results

Obviously, to achieve traceability and accountability the user secret key generation algorithm of the proposed tuCP-ABE scheme is more complicated than the pure CP-ABE scheme proposed by Waters.⁸ However, it is more practical than the key generation algorithm of scheme by Yu et al.²² Similar to scheme by Waters,⁸ the time cost of encrypt algorithm is linear to the number of attributes evolved in an access structure, and the time cost of decrypt algorithm is linear to the number of attributes related to decryption key.

To evaluate the performance of the proposed tuCP-ABE scheme, we implement the tuCP-ABE scheme in java with the JPBC library and run the experiments on a Win 10 system equipped with a dual-core Intel CPU and 8 GB RAM. In an ABE system, the computational cost depends on the complexity of access policy. To illustrate this, we simulate the worst case that the access policy in the form of ( $A_{1}$ and $A_{2}$ … and $A_{n}$ ), where $A_{i}$ denotes an attribute.

Figure 1(a) and (b) illustrate the time cost for encrypt, decrypt phases of our tuCP-ABE and the CP-ABE proposed by Waters.⁸ As shown in Figure 1, the time consumption for encrypt and decrypt of the proposed tuCP-ABE scheme is comparable to the practical CP-ABE scheme proposed by Waters.⁸

Figure 1.

Time consumption for (a) encrypt and (b) decrypt.

Conclusion

In this article, we propose a CP-ABE scheme, called tuCP-ABE, which supports traceability and accountability. In the tuCP-ABE system, the identity related to a shared secret key can be traced, furthermore an auditor can publicly judge whether the traced identity is innocent or not. We also prove that the tuCP-ABE scheme is selectively secure in the standard model and give some experimental results.

Note that a user is willing to mask the decryption key before sharing. Although the complexity of tracing a masked secret key in our tuCP-ABE is reduced from $2 | U |$ bilinear maps of scheme in Yu et al.²² to $| U |$ exponent computation, it is still a troublesome work when there are many users in the system. Furthermore, there exists a stronger way of masking the key; a malicious user may share a decryption device while the decryption key and the decryption algorithm can be hidden. In this case, the proposed tuCP-ABE scheme which only can support white-box traceability will fail. However, black-box traceable CP-ABE usually has lower encryption and decryption efficiency. Thus, constructing white-box traceable CP-ABE scheme that supports efficient traceability of a masked decryption key, and constructing efficient CP-ABE support black-box traceability and public auditing are two interesting open problems.

Footnotes

Handling Editor: Qingchen Zhang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported in part by the National Natural Science Foundation of China (grant nos.: 61602512, 61632012, 61373154, 61371083, and 61672239), the Key Science and Technology Research Projects of Henan province (grant no.: 182102210575), the National Key Research and Development Program (grant nos.: 2016YFB0800101 and 2016YFB0800100), and the Innovative Research Groups of the National Natural Science Foundation of China (grant no.: 61521003).

ORCID iD

Gang Yu

References

Sahai

Waters

. Fuzzy identity-based encryption. In: 24th annual international conference on the theory and applications of cryptographic techniques, Aarhus, 22–26 May 2005, vol 3494, pp.457–473. Berlin: Springer.

Goyal

Pandey

Sahai

et al . Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on computer and communications security, Alexandria, VA, 30 October–3 November 2006, pp.89–98. New York: ACM.

Zhang

Lin

Yang

et al . A double deep Q-learning model for energy-efficient edge scheduling. IEEE T Serv Comput. Epub ahead of print 28 August 2018. DOI: 10.1109/TSC.2018.2867482.

Zhang

Yang

Chen

et al . An adaptive dropout deep computation model for industrial IoT big data learning with crowdsourcing to cloud computing. IEEE T Ind Inform. Epub ahead of print 9 January 2018. DOI: 10.1109/TII.2018.2791424.

Zhang

Deng

Liu

et al . Outsourcing service fair payment based on blockchain and its applications in cloud computing. IEEE T Serv Comput. Epub ahead of print 7 August 2018. DOI: 10.1109/TSC.2018.2864191.

Ostrovsky

Sahai

Waters

. Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM conference on computer and communications security, Alexandria, VA, 29 October–2 November 2007, pp.195–203. New York: IEEE.

Lewko

Okamoto

Sahai

et al . Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Proceedings of the 29th annual international conference on theory and applications of cryptographic techniques, French Riviera, 30 May–3 June 2010, Vol. 6110, pp.62–91. Berlin: Springer.

Waters

. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: International conference on practice and theory in public key cryptography, Taormina, 6–9 March 2011, Vol. 6571, pp.53–70. Berlin: Springer.

Lewko

Waters

. New proof methods for attribute-based encryption: achieving full security through selective techniques. In: 32nd international cryptology conference (CRYPTO), Santa Barbara, CA, 19–23 August 2012, Vol. 7417, pp.180–198. Berlin: Springer.

10.

Huang

Chen

et al . Multi-authority ciphertext-policy attribute-based encryption with accountability. In: Proceedings of the 6th ACM symposium on information, computer and communications security, Chicago, IL, 22–24 March 2011, pp.386–390. New York: ACM.

11.

Rouselakis

Waters

. Practical constructions and new proof methods for large universe attribute-based encryption. In: Proceedings of the ACM SIGSAC conference on computer & communications security, Berlin, 4–8 November 2013, pp.463–474. New York: ACM.

12.

Horvth

. Attribute-based encryption optimized for cloud computing. In: Italiano

Margaria-Steffen

Pokorný

et al . (eds) 41st international conference on current trends in theory and practice of computer science, Pec pod Sněžkou, 24–29 January 2015, Vol. 8939, pp.566–577. Berlin: Springer.

13.

Zhang

. Key-policy attribute-based encryption against continual auxiliary input leakage. Inform Sciences 2019; 470: 175–188.

14.

Zhang

Zheng

Deng

. Security and privacy in smart health: efficient policy-hiding attribute-based access control. IEEE Internet Things 2018; 5(3): 2130–2145.

15.

Yao

Han

et al . User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage. IEEE Syst J 2018; 12(2): 1767–1777.

16.

Ren

Kim

. A2BE: accountable attribute-based encryption for abuse free access control. IACR cryptology ePrint archive: report 2009/118, https://eprint.iacr.org/2009/118

17.

Cao

Zeng

et al . Accountable ciphertext-policy attribute-based encryption scheme supporting public verifiability and nonrepudiation. In: Proceedings of the 10th international conference on provable security (ProvSec), Nanjing, China, 10–11 November 2016, Vol. 10005, pp.3–18. New York: Springer.

18.

Liu

Cao

Wong

. White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures. IEEE T Inf Foren Sec 2013; 8(1): 76–88.

19.

Ning

Dong

Cao

et al . White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes. IEEE T Inf Foren Sec 2015; 10(6): 1274–1288.

20.

Ning

Cao

Dong

et al . White-box traceable CP-ABE for cloud storage service: how to catch people leaking their access credentials effectively. IEEE T Depend Secure 2018; 15(5): 883–897.

21.

Ning

Dong

Cao

et al . Accountable authority ciphertext-policy attribute-based encryption with white-box traceability and public auditing in the cloud. In: 20th European symposium on research in computer security, Vienna, 21–25 September 2015, Vol. 9327, pp.270–289. Cham: Springer.

22.

Cao

et al . Accountable CP-ABE with public verifiability: how to effectively protect the outsourced data in cloud. Int J Found Comput S 2017; 28(6): 705–723.

23.

Liu

Cao

Wong

. Black-box traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on ebay. In: Proceedings of the ACM SIGSAC conference on computer & communications security, Berlin, 4–8 November 2013, pp.475–486. New York: ACM.

24.

Liu

Wong

. Traceable CP-ABE on prime order groups: fully secure and fully collusion-resistant blackbox traceable. In: 6th IEEE international conference on Information and communications security, Amman, 7–9 April 2015, Vol. 9543, pp.109–124. Cham: Springer.

25.

Ning

Cao

Dong

et al . Traceable and revocable CP-ABE with shorter ciphertexts. Sci China Inf Sci 2016; 59(11): 119102-1–119102-3.

26.

Jiang

Susilo

et al . Ciphertext-policy attribute-based encryption against key-delegation abuse in fog computing. Future Gener Comp Sy 2018; 78(2): 720–729.

27.

Qiao

Ren

Wang

et al . Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing. Future Gener Comp Sy 2018; 88: 107–116.

28.

Ning

Cao

Dong

et al . Auditable-times outsourced attribute-based encryption for access control in cloud computing. IEEE T Inf Foren Sec 2018; 13(1): 94–105.

29.

Boneh

Boyen

. Short signatures without random oracles. In: International conference on the theory and applications of cryptographic techniques, Interlaken, 2–6 May 2004, Vol. 3027, pp.56–73. Berlin: Springer.

30.

Boneh

Lynn

Shacham

. Short signatures from the Weil pairing. In: 7th international conference on the theory and application of cryptology and information security, Gold Coast, Australia, 9–13 December 2001, Vol. 2248, pp.514–532. Berlin: Springer.

Traceable and undeniable ciphertext-policy attribute-based encryption for cloud storage service

Abstract

Keywords

Introduction

A motivating story

Related works

Our results

Organization

Background

Definition 1

Bilinear maps

Definition 2

Discrete logarithm problem

Assumption 1

DL assumption

Definition 3

Decisional q parallel-BDHE problem

Assumption 2

Decisional q parallel-BDHE assumption

Accountable CP-ABE

Definition

IND-s-CPA security

Accountability

White-box traceability

Non-repudiation of user

The concrete tuCP-ABE scheme

Security and performance analysis

IND-CPA security

Lemma 1

Proof

Lemma 2

Proof

Lemma 3

Proof

Lemma 4

Proof

Theorem 1

Proof

Lemma 5

Proof

Theorem 2

Proof

Experimental results

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References

Decisional $q$ parallel-BDHE assumption