Vous êtes sur la page 1sur 17

3 BK-Ciphertext-Policy Attribute-Based Encryption

3.1 Introduction
In this Chapter, we propose a new CP-ABE scheme, named as BK-CP-
ABE, which allows to encrypt data under an access policy, specied as a logical
combination of attributes. Such ciphertexts can be decrypted by anyone with a set of
attributes that satisfy the access policy. We construct the scheme based on a recent
secret sharing method called Linear Integer Secret Sharing Scheme (LISS). Waters [8]
proposed the rst CP-ABE scheme based on a Linear Secret Sharing Scheme(LSSS).
In 2006, Damgard et al [21] introduced the notion of Linear Integer Secret Sharing
(LISS) scheme. The following are the advantages of LISS over LSSS.
1. The computations in LISS are done directly over the Integer, while LSSS is
done over a nite eld.
2. In LISS, there is no limit for the number of occurrences of a particular variable(attribute)
in the access structure, where as in [8] there is a bound for the occurrence.
3. In LISS, the secret reconstruction method is very simple.
4. In LISS, a simple standard procedure is available to convert the access structure
into an access matrix.
5. In LISS, a surjective function is used to allocate the rows of the access matrix
to the corresponding attributes.
The above advantages motivate us to construct a CP-ABE based on LISS and because
of that any access policy can be expressed very eectively using the Boolean operators
such as AND, OR, of(threshold).
3.1.1 Main Idea

In BK-CP-ABE construction, the rst step is to convert the access policy

into a distribution matrix M, by using the three rules in the LISS method. The
secret s can be selected from the interval −2 , 2 , then we choose the distribution
` `

vector ρ and the secret can be split by M · ρ. Secret shares can be distributed by the
surjective function to the corresponding attributes present in the access policy. Next,
we encrypt the message then we use the shares to encrypt the attributes present in
the access policy. If any one satisfy the access policy then he is able to decrypt the
ciphertext. We prove BK-CP-ABE scheme in the selective secure model under the
Decisional Bilinear Die-Hellman assumption.
3.1.2 Related Work

Attribute Based Encryption (ABE) was introduced by Sahai and Waters [59].
The rst CP-ABE was proposed by Bethencourt et al [5] uses threshold secret sharing
to enforce the policy in the encryption phase. T be a tree representing an access
structure. Each non-leaf node of the tree represents a threshold gate, described by
its children and a threshold value. If num is the number of children of a node x and

k is its threshold value, then 0 ≤ k ≤ num . When k = 1, the threshold gate

x x x x

is an OR gate and when k = num , it is an AND gate. Each leaf node x of the
x x

tree is described by an attribute and a threshold valuek = 1. Secret reconstruction


is based on polynomial interpolation technique, thus many expensive pairing and

exponentiation operations are required in the decryption phase. The scheme is secure
in the generic group model.
The CP-ABE proposed by Cheung and Newport [17], in which decryption
policies are restricted to a single AND gate, attributes are allowed to be either positive
or negative. Security proof was in CPA secure under the DBDH assumption. Canetti
et al.[16] technique has been adopted to obtain Chosen Ciphertext Attack(CCA)
secure extension using one-time signatures. In this method the size of the ciphertext
and secret key increases linearly with the total number of attributes in the system.
Water's [8] presented three CP-ABE schemes which are based on Linear Secret
Sharing Scheme (LSSS) and secure under BDH, Bilinear Die-Hellman Exponent
and a new assumption called parallel Bilinear Die-Hellman assumptions. These
dierent constructions provide tradeos of the eciency of the system versus the
strength of the assumption used. One drawback of this technique is that it can only
work if an attribute appears atmost once in a ciphertext.
Goyal et al.[27] gave a "bounded" CP-ABE construction based on number
theoretic assumption and support advanced access structures. Access structure can
be represented by a bounded size access tree with threshold gates as its nodes. The

bound on the size of the access tree is chosen at the time of the system setup and is
represented by a tuple(d,num) where d represents the maximum depth of the access
tree and num represents the maximum number of children each non-leaf node of the
tree might have. Any access tree satisfying these upper bounds on the size can be
dynamically chosen by the encryptor and provide the security proof based on the
standard DBDH assumption.
Ibraimi [38] proposed a CP-ABE scheme in which the secret s can be split
by Shamir's Secret Sharing scheme or by Unanimous consent control by modular
addition scheme. The access tree is an n-ary tree represented by ∧, ∨ and of nodes.
Lewko et al.[39] proposed the rst full secure CP-ABE scheme by adapting the dual
system encryption techniques of [9] to the ABE case.
In a dual encryption system, keys and ciphertexts can take on one of two
forms: normal and semi-functional. A normal key can decrypt both normal and
semi-functional ciphertexts, while a semi-functional key can only decrypt normal
ciphertexts. The semi-functional keys and the ciphertexts are not used in the real
system, only in the proof of security. The proof employs a hybrid argument over a
sequence of security games. The rst is the real security game, with normal keys
and ciphertext. In the second game , the ciphertext is semi-functional and the keys
remain normal. In the subsequent games, the keys requested by the attacker are
changed to semi-functional one by one. By the nal game, none of the keys given out

are actually useful for decrypting a semi-functional ciphertext, and proves security
becomes relatively easy.
3.2 Denition and Security Model
Denition 8 Access structure Let {1, 2, ...n} be a set of parties. A collection Γ ⊆
2{1,2,...,n} is monotone if ∀B, C : if B ∈ Γ and B ⊆ C then C ∈ Γ. An access

structure(respectively, monotone access structure) is a collection (respectively, monotone

collection) A of non-empty subsets of {1, 2..., n}
i.e Γ ⊆ 2{1,2,..,n} \ φ. The sets in Γ are called the authorized sets, and the sets not

in Γ are called the unauthorized sets.

BK-CP-ABE scheme consists of four fundamental algorithms: Setup, Key Generation,

Encryption and Decryption. Let U be the set of attributes.
Setup: The setup algorithm takes no input other than the implicit security parameter.
It outputs the public parameters PK and a master key MK.
KeyGen (MK, S): The key generation algorithm takes as input the master key
MK and a set of attributes S that describes the key. It outputs a private key SK.
Encrypt (PK, P , m): The encryption algorithm takes as input the public parameters
PK, the message m, and an access structure P over the universe of attributes. The
algorithm will encrypt m and produce a ciphertext CT such that only a user that
possesses a set of attributes that satisfy the access structure will be able to decrypt
the message. Assume that the ciphertext implicitly contains P .

The decryption algorithm takes as input the ciphertext CT, which contains
an access structure P , and a private key SK, which is a private key for a set S of
attributes. If the set S of attributes satises the access structure P then the algorithm
will decrypt the ciphertext and return a message m.
3.2.1 Security Model for BK-CP-ABE

The semantic security against chosen-plaintext attack (CPA) is modelled in

the selective attribute model (sAtt), where the adversary must provide the challenge
access tree he wishes to attack before he receives the public parameters from the
challenger. The game is carried out between a challenger and an adversary. Specically,
the game is as follows.

The adversary chooses the challenge access policy τ and gives it to the


The challenger runs the Setup algorithm and gives the public parameters, PK
to the adversary.

The adversary makes a secret key request to the KeyGen oracle for any
attribute set ω = {a /a ∈ U } with the restriction that ω 2 τ . The Challenger
j j

returns KeyGen(ω, M K).


The adversary submits two equal length messages M and M . The Challenger
0 1

ips a random coin d, and encrypts M under τ . The ciphertext CT is given to the
∗ ∗

Phase 2

The adversary can continue querying KeyGen with the same restriction as
during Phase1.

The adversary outputs a guess d of d.


Denition 9 A ciphertext-policy attribute based encryption scheme is said to be

secure against a chosen-plaintext attack(CPA) in the selective attribute model if any
polynomial time adversaries have only a negligible advantage in the IND-sAtt-CPA(Indistinguishable-
selective attribute under chosen-plaintext attack)game, where the advantage is dened
to be  = P r[d0 = d] − 21 .

3.3 Main Construction
In BK-CP-ABE construction, it is required to convert the access policy into
a distribution matrix M. The matrix M can be formulated using the three rules in
LISS method[21]. After constructing the distribution matrix M, the secret s can be
selected from the interval −2 , 2 , then we choose the distribution vector ρ and
` `

the secret can be split by M · ρ. Secret shares can be distributed by the surjective
function to the corresponding attributes present in the access policy. Message m will
be encrypted and then the attributes present in the access policy are encrypted using
the corresponding attribute shares. Any one that satises the access policy is able to
decrypt the ciphertext.

Setup (1k )

The setup algorithm chooses a group G of prime order p and a generator


g. Let U = {a , a , ..., a } be the set of attributes. It chooses random elements

1 2 n

t , t , ..., t , α ∈ Z . Let y = e(g, g) , and T = g (1 ≤ j ≤ n).

1 2 n p

The Public Key is PK = (g, y, T (1 ≤ j ≤ n)) and the Master Secret Key is MK =

(α, t (1 ≤ j ≤ n)).

KeyGen (MK, S)

This algorithm takes as input the master secret key and a set S of attributes
and performs the following:
a) Select random values a, r ∈ Z and compute d
p 0 = g α−ar

b) For each attribute a j ∈S , compute d j = g artj


c) The secret key is SK = (d , ∀a 0 j ∈ S : dj )

Encrypt(PK, P , m)

The encryption algorithm takes as input the public key, a message m ∈ G 1

to encrypt and the access policy P .

Step 1: Select a random element s ∈ −2 , 2  and compute C = g . M is the
` `

distribution matrix constructed by the above method for the access policy P . Choose
ρ = (s, ρ , ..., ρ ) , where ρ s are uniformly random chosen integers in −2
  `0 +k `0 +k
2 e i ,2

Step 2:

a) Compute M · ρ = (s , ..., s )
1 d

b) C = m · y s = m · e(g, g)αs

c) For each attribute in P , compute C ∗

i = Tisi using the corresponding shares of the
attribute a .i

The ciphertext is published as CT = 0

C0 , C , Ci ; i = 1 to d

along with M.


The decryption algorithm takes as input a ciphertext CT along with M and

a private key for a set A ⊆ S. Suppose A satises the access policy P then there
is a vector λ ∈ Z such that M λ = ξ (by def[7]. With this, it is possible to
dA T

reconstruct the secret using P λ s = s.

i i

The decryption algorithm computes


C !
e(Ci ,(di )λi )
e(C0 ,d0 )

 λ !!
s α−ar
Q si art−1
e(g ,g ) e Ti , g i

−1 λi

e(g s ,g α−ar ) e g ti si , g arti

m.e(g,g)αs !
s α−ar
Q arsi λi
e(g ,g ) e(g,g)

m.e(g,g)αs !
e(g s ,g α−ar ) e(g,g)ars

(e(g s ,g α−ar )e(g,g)ars )

3.4 Security Analysis
Theorem 3.1 Suppose the DBDH assumption holds, then no polynomial adversary
can selectively break BK-CP-ABE system.

Proof: Suppose we have an adversary A with non-negligible advantage  in the

selective security game against our construction. We show how to use the adversary

A to build a simulator B that is able to solve the DBDH assumption. The Challenger

gives the simulator B the DBDH challenge : (g, A, B, C, D) = g, g a , gb , gs , D .

Init. The adversary chooses the challenge access policy (M 0 , p∗ ) and gives it to the

Setup The simulator selects at random a0 ∈ Zp and implicitly sets α = ab + a0 by

letting e(g, g)α = e(ga , gb )e(g, g)a . For all aj ∈ U it chooses a random qj ∈ Zp and
set Tj = g (Mj qj ) if aj ∈/ p∗ , otherwise Tj = gqj . The simulator B sends the public
parameters to A.

Phase 1 A makes secret key requests for any set of attributes ω = {aj /aj ∈ U }
with the restriction that aj 2 p∗ . On each request B chooses a random variable v ∈ Zp ,
and nds a vector k = (k1 , k2 , .., ke )T ∈ Z e such that M 0 · k = 0 with k1 = 1. By
the denition of Sweeping vector such a vector must exist. Simulator sets r value as
v + kj b.

Choose kj as k1 to compute, d0 = gα−a(v+k1 b)

= g ab+a −av−ab
= g a A−v

In calculating dj we have the term Mj0 a · kj b get cancelled because of M 0 · k = 0

0 0
dj = g a(v+kj b)qj Mj = AvMj qj

0 0
d0 = g a A−v , dj = AvMj qj , ∀aj ∈ ω are sent to the adversary.

Challenge A submits two messages m0 , m1 ∈ G1 . The simulator ips a fair

binary coin d, and returns the encryption of md . The encryption of md can be done
as follows:
0 0
C0 = g s , C = md De(g s , g a )

The simulator will choose uniformly random integers z2 , ..., zh in −2`0 +k , 2`0 +k and

share the secret susing the vector Φ = (s, z2 , ..., zh ).

Create the distribution matrix M, for the access policy p∗ . Compute M · Φ and use
the shares to encrypt the access policy with corresponding qj for the attributes present
in the access policy p∗ , Cj = Tjsj .

Phase 2 Same as Phase 1.

Guess A outputs a guess d0 of d. The simulator then outputs 0 to the guesses that
D = e(g, g)abs if d = d; otherwise, it outputs 1 to indicate that it believes D is

random group element in G1 .

When D is a tuple the simulator B gives a perfect simulation, so we have that
P r B ρ, D = e(g, g)abs = 0 = 2
+ .

When D is random group element the message md is completely hidden from the
adversary and we have P r [B (ρ, D = R) = 0] = 21 .

3.5 Implementation and Eciency Analysis
Implementation Details

We implement the BK-CP-ABE scheme in Charm[34]; a framework developed

to facilitate the rapid prototyping of cryptographic schemes and protocols. It is based
on the Python language which allows the programmer to write code similar to the
theoretical implementations. However, the routines that implement the dominant
group operations use the PBC library[4]. PBC (Pairing-Based Cryptography) library
is a free C library. The PBC library is designed to be the backbone of implementations
of pairing-based cryptosystems. It provides routines such as elliptic curve generation,
elliptic curve arithmetic and pairing computation. PBC is built on the GMP library
that performs the mathematical operations underlying pairing-based cryptosystems.

GNU Multiple Precision Arithmetic Library (GMP) is a free library for

arbitrary precision arithmetic, operating on signed integers, rational numbers, and
oating point numbers. There is no practical limit to the precision except the ones
implied by the available memory in the machine GMP runs on. GMP has a rich set
of functions, and the functions have a regular interface. The main target applications
for GMP are cryptography applications and research, Internet security applications,
algebra systems, computational algebra research, etc.

All Charm routines use formally asymmetric groups ( although the underlining
groups might be symmetric) and therefore we translated our schemes to the asymmetric
setting. Namely, we have three groups G , G , G and the pairing e is a function from
1 2 T

G × G → G . Our scheme was executed on Intel i3 with 4.0GB RAM running on

1 2 T

Ubuntu 12.04 with Python3.2.3. For BK-CP-ABE, we used a 512-bit supersingular

curve( with embedding degree k=2)from PBC.
National Technical Research Organization(NTRO), New Delhi has sponsored
a project called "` Smart and Secure Environment"'(SSE) in which eight dierent
institutions such as IIT Madras, Anna University Chennai, Pondicherry University,
PSG Technology Coimbatore, TCE Madurai, Madurai Kamarajar University, NIT
Trichy and Alagappa University work together to frame a Smart and Secure Environment.
In this setup Alagappa University's role was to provide the Database Security. A
testbed has been formed to test and verify several protocols, in which we have
implemented the BK-CP-ABE scheme.
Eciency Analysis

In Table 1, we give the comparison with Goyal et al [27], Waters [8] and
BK-CP-ABE method in terms of Ciphertext size (CT), Private Key Size (PKS),
Encryption time(EN), Decryption time (DE) based on DBDH assumption. Let n be
the number of attributes present in the access policy, A be the number of attributes in
user's key, T be the number of nodes satised by a user's attributes, U be the number
Table 1: Comparison of CP-ABE Schemes
Method CT PKS EN DE Complexity
GJPS[27] Θ(U.n 3.42
max ) Θ(A.n3.42
max )
Θ(U.nmax 3.42
) Θ(U.nmax DBDH
Waters[8] Θ(n ) 2
Θ(kmax .A + nmax ) Θ(n2 ) Θ(n.T ) DBDH
BK-CP-ABE Θ(n) Θ(A) Θ(n) Θ(T ) DBDH

of attributes dened in the system, nmax be the bound on the size of the access
formula, kmax be the maximum number of times a single attribute will appear in a
particular formula. BK-CP-ABE method achieves signicantly better performance
than Waters [8], GJPS [27] method.
In Table 2 we show the number of operations in the respective groups for
each algorithm of the schemes as counted by the Charm benchmarking utility. The
group operations refer to the number of arithmetic operations in Z , G , G and G .
p 1 2 T

"`MNT 224"' elliptic curve group have been used to deploy the algorithm. Gop.
denotes the number of group operations and Exp. denotes the exponentiations in
Groups G , G , G . By comparing the BK-CP-ABE scheme with Water[8] method,
1 2 T

the BK-CP-ABE requires less Exponentiation and Group operations.

3.6 Applications
PHR Maintenance

Online personal health record (PHR) enables patients to manage their own
medical records in centralized way, which greatly facilitates the storage, access and
sharing of personal health data. With the emergence of cloud computing, it is
Table 2: Group Operation BenchMarks
BK-CPABE Z G G G Pairings
Gop Exp Gop Exp Gop Exp Gop EXp
p 1 2 T

Setup 0 0 0 0 0 1 0 1 1
KeyGen 1 9 5 8 0 5 0 0 0
Encrypt 12 12 3 2 0 5 1 1 0
Decrypt 3 5 0 0 0 0 5 2 5
Waters[8] Z G G G Pairings
Gop Exp Gop Exp Gop Exp Gop EXp
p 1 2 T

Setup 0 0 0 1 0 0 0 1 1
KeyGen 0 0 9 10 0 5 0 0 0
Encrypt 12 12 8 16 0 5 1 1 0
Decrypt 4 10 0 0 0 0 8 2 7
attractive for the PHR service providers to shift their PHR applications and storage
into the cloud, in order to enjoy the elastic resources and reduce the operational cost.
However, by storing PHRs in the cloud, the patients lose physical control to their
personal health data, which makes it necessary for each patient to encrypt their PHR
data before uploading to the cloud servers. BK-CP-ABE scheme is suitable to achieve
ne-grained access control to PHR data in scalable and ecient way.
Online Social Networks

Online Social Networks(OSNs) such as Facebook, Myspace and Orkut enable

users to nd other users with similar interests. To use these applications, users must
reveal personal information such as name, age, address, personal interests, sexuality
etc into the public domain. Groups of people sharing similar attributes and friends
are then automatically linked to each other. Currently, such systems provide only
weak privacy guarantees. It may lead to user's data to be readily mined and abused
by undesirable parties. BK- CP-ABE scheme is well suited to provide user controlled-
privacy, as users in these communities are already characterized by their attributes.
Broadcast Encryption

Securing a Broadcast channel has always been an interesting and challenging

task for cryptographers. In Pay-TV systems, the receivers can frequently be arranged
according to some natural characteristics, or attributes. The Broadcaster might not
be interested in (or does not know) all the receivers which are able to access the
content, but merely wants to describe the authorized set of receivers in terms of some
descriptive attributes using a Boolean access policy and to eciently broadcast the
allowed receivers a session key encrypting the multimedia content. This situation is
eectively handled by BK-CP-ABE scheme.
3.7 Summary
We propose a new type of Ciphertext-Policy Attribute-Based Encryption
based on linear integer secret sharing scheme. This scheme is very expressive and
provably secure under the Decisional Bilinear Die-Hellman assumption.