Privacy-Preserving Decentralized Key-Policy Attribute-Based Encryption

Privacy-Preserving Decentralized Key-PolicyAttribute-Based Encryption

Jinguang Han, Student Member, IEEE, Willy Susilo, Senior Member, IEEE,

Yi Mu, Senior Member, IEEE, and Jun Yan

Abstract—Decentralized attribute-based encryption (ABE) is a variant of a multiauthority ABE scheme where each authority can issue

secret keys to the user independently without any cooperation and a central authority. This is in contrast to the previous constructions,

where multiple authorities must be online and setup the system interactively, which is impractical. Hence, it is clear that a decentralized

ABE scheme eliminates the heavy communication cost and the need for collaborative computation in the setup stage. Furthermore,

every authority can join or leave the system freely without the necessity of reinitializing the system. In contemporary multiauthority ABE

schemes, a user’s secret keys from different authorities must be tied to his global identifier (GID) to resist the collusion attack.

However, this will compromise the user’s privacy. Multiple authorities can collaborate to trace the user by his GID, collect his attributes,

then impersonate him. Therefore, constructing a decentralized ABE scheme with privacy-preserving remains a challenging research

problem. In this paper, we propose a privacy-preserving decentralized key-policy ABE scheme where each authority can issue secret

keys to a user independently without knowing anything about his GID. Therefore, even if multiple authorities are corrupted, they cannot

collect the user’s attributes by tracing his GID. Notably, our scheme only requires standard complexity assumptions (e.g., decisional

bilinear Diffie-Hellman) and does not require any cooperation between the multiple authorities, in contrast to the previous comparable

scheme that requires nonstandard complexity assumptions (e.g., q-decisional Diffie-Hellman inversion) and interactions among

multiple authorities. To the best of our knowledge, it is the first decentralized ABE scheme with privacy-preserving based on standard

complexity assumptions.

Index Terms—Attribute-based encryption, multiauthority, privacy-preserving extract protocol, access control, privacy

Ç

1 INTRODUCTION

IN traditional access control schemes [1], [2], a centralauthority (CA) can control a user’s access to sensitive data.

We observed the following drawbacks in these schemes,especially in distributed systems. First, since a user’sidentity needs to be validated by the authority, in a largedistributed system, it is a difficult task to manage numeroususers identities. Second, all users must trust the centralauthority. If the authority is malicious, he can impersonateany user without being detected. Being different from thetraditional access control schemes, attribute-based accesscontrol [3], [4] are the schemes that allow users to bevalidated by the descriptive attributes instead of theirunique identities. Furthermore, a user can share his databy specifying an access structure so that all the users whoseattributes satisfy it can access the data without knowing

their identities. Therefore, attribute-based access controlschemes are efficient primitives to share data with multipleusers without knowing their identities. In order to reducethe trust on the central authority, some decentralized anddistributed access control schemes are proposed [5], [6], [7],[8], [9]. Although, decentralized attribute-based accesscontrol schemes demonstrated lots of metrics, they seldomconsider the user’s privacy. Therefore, a user’s attributescould be exposed to the malicious authorities. Thereafter, toprovide a sound solution for sharing sensitive data withmultiple users in distributed systems, a decentralizedattribute-based access control with privacy-preservingscheme should be addressed.

In an open communication environment, such as theInternet, sensitive data must be encrypted prior to beingtransmitted. To achieve this, encryption schemes can beemployed to protect the confidentiality of the sensitive data.Nevertheless, traditional encryption schemes cannot expressa complex access policy, and additionally, the sender mustknow all the public keys of the receivers. Attribute-basedencryption (ABE) introduced by Sahai and Waters [4] is amore efficient encryption scheme and it can express acomplex access structure. In an ABE scheme, both the user’ssecret keys and the ciphertext are labeled with sets ofattributes. The encrypter can encrypt a message under a setof attributes. Prior to decrypting the ciphertext, the receivermust obtain the secret (attribute) keys from the centralauthority. The receiver can decrypt the ciphertext and obtainthe data if and only if there is a match between his secret keysand the attributes listed in the ciphertext. The original idea ofABE is to construct a fuzzy (error-tolerant) identity-basedencryption (IBE) scheme [10], [11], [12], [13], [14].

2150 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 23, NO. 11, NOVEMBER 2012

. J. Han is with the Centre for Computer and Information Security Research,School of Computer Science and Software Engineering, University ofWollongong, Northfields Avenue, Wollongong NSW2522, Australia andCollege of Science, Hohai University, Nanjing 210098, China.E-mail: [email protected].

. W. Susilo and Y. Mu are with the Centre for Computer and InformationSecurity Research, School of Computer Science and Software Engineering,University of Wollongong, Northfields Avenue, Wollongong NSW2522,Australia. E-mail: {wsusilo, ymu}@uow.edu.au.

. J. Yan is with the School of Information Systems and Technology, Universityof Wollongong, Northfields Avenue, Wollongong NSW2522, Australia.E-mail: [email protected].

Manuscript received 17 Oct. 2011; revised 5 Jan. 2012; accepted 17 Jan. 2012;published online 27 Jan. 2012.Recommended for acceptance by A. Nayak.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TPDS-2011-10-0779.Digital Object Identifier no. 10.1109/TPDS.2012.50.

1045-9219/12/$31.00 � 2012 IEEE Published by the IEEE Computer Society

Since its seminal introduction, ABE as a special primitivehas attracted a lot of attention in the research community.Essentially, there are two kinds of ABE schemes:

Key-Policy ABE (KP-ABE). In these schemes, the secretkeys are associated with an access structure, while theciphertext is labeled with a set of attributes [4], [5], [15],[16], [17].

Ciphertext-Policy ABE (CP-ABE). In these schemes, theciphertext is associated with an access structure, while thesecret keys are labeled with a set of attributes [3], [18], [19],[20], [21].

An access structure is employed to control users fromaccessing the protected resource in systems where usersneed to cooperate with multiple parties. A monotonic accessstructure is an access structure where, given a universal setIP, if a subset S0 of IP satisfies the access structure, all subsetsS of IP which contain S0 satisfy the access structure. A ðk; nÞ-threshold access structure is an access structure where, givena universal set IP with jIPj ¼ n, a subset S of IP satisfies theaccess structure if and only if it contains at least k elements inIP. In an ABE scheme, an access structure is selected by theauthority (in KP-ABE) or the encrypter (in CP-ABE) tocontrol who can decrypt the ciphertext. For example, in KP-ABE, the authority specifies a ðk; nÞ-threshold accessstructure and issues secret keys to users according to thisaccess structure. An encrypter can encrypt a message underk-out-of-n attributes and lists them in the ciphertext. If a userholds a set of attributes which contains those listed in theciphertext, he can use his secret keys to decrypt the ciphertextand obtain the message. However, if a user does not hold therequired attributes specified in the ciphertext, he cannotdecrypt the ciphertext.

The limitation of the original ABE scheme is that it canonly express a threshold access structure. Goyal et al.proposed an ABE scheme [16] for fine-grained access policywhere any monotonic access structure can be expressed byan access tree. In an access tree, there is a tree accessstructure where interior nodes consist of AND and ORgates and the leaves consist of the attributes. Each interiornode x of the tree specifies a threshold gate ðkx; nxÞ, wherenx is the number of the children of x and kx � nx.Thereafter, when kx ¼ nx, the gate is an AND gate. Whenkx ¼ 1, the gate is an OR gate. If a set of attributes satisfiesthe tree access structure, the corresponding secret keys canbe used to reconstruct the secret embedded in the vertex ofthe tree. Subsequently, Ostrovsky et al. proposed an ABEscheme [17] with a nonmonotonic access structure wherethe secret keys are labeled with a set of attributes includingnot only the positive but also the negative attributes.Comparatively, ABE scheme with nonmonotonic accessstructure can express a more complicated access policy.

The first CP-ABE scheme was proposed by Bethencourtet al. [3], and it was proven to be secure in the genericgroup model. In contrast with KP-ABE, the access structurein CP-ABE is determined by the encrypter, instead of theCA. Therefore, the encrypter can decide who will decryptthe ciphertext; while, this is decided by the CA in the KP-ABE schemes. Cheung and Newport proposed another CP-ABE scheme [18] and reduced the difficulty of breakingtheir scheme to the decisional bilinear Diffie-hellman(DBDH) assumption. Both these CP-ABE schemes can only

express a threshold access structure. Waters proposed amore generic CP-ABE scheme [21] where any accessstructure can be expressed by using the linear secretsharing scheme (LSSS) [22].

Attrapadung and Imai proposed a dual-policy ABEscheme [23] which combines a KP-ABE scheme with CP-ABE scheme. In this scheme, two access structures arecreated. One is for the objective attributes labeled with theciphertext, and the other is for the subjective attributes heldby the users. Furthermore, there is only one access structurein both KP-ABE and CP-ABE schemes.

Rial and Bart Preneel [24] proposed a blind key extractprotocol for the centralized ABE scheme [3]. Hence, thisscheme constitutes a blind centralized ABE scheme.

An ABE scheme should be secure against the collusionattacks [4], namely no group of users can combine their secretkeys to decrypt the ciphertext which none of them candecrypt by himself. The most common technique to preventcollusion attacks is randomization. The central authorityrandomizes the user’s secret keys by selecting randomnumbers [17], [18] or random polynomials [4], [5], [15].

ABE has been used as a building block to express flexibleaccess structures in practical systems, such as distributedsystems [25], data outsourcing systems [26], and cloudcomputing [27].

1.1 Multiple-Authority Attribute-Based Encryption

In their seminal work, Sahai and Waters left an openquestion that whether it is possible to construct an ABEscheme where the secret keys can come from multipleauthorities [4]. Chase answered this question affirmativelyby proposing a multiauthority KP-ABE scheme [5]. In thisscheme, there are multiple authorities, one of which iscalled central authority. The central authority knows thesecret keys of the other authorities. The user needs to obtainsecret keys from all these authorities. Being different fromone authority ABE, it is hard to resist collusion attacks inmultiauthority ABE schemes. If the multiple authorities canwork independently, the scheme is subject to this attack.Chase [5] overcame this problem by introducing the globalidentifier (GID) to the multiauthority ABE scheme. All theuser’s secret keys from different authorities must be tied tohis GID. In order to let the ciphertext be independent of theuser’s GID, the central authority must compute a specialsecret key for the user using his secret key and the otherauthorities’ secret keys. Although this scheme is not adecentralized ABE scheme, Chase made an important stepfrom one authority ABE to multiauthority ABE.

Lin et al. proposed a multiauthority ABE scheme withouta central authority [7] based on the distributed keygeneration (DKG) protocol [28] and the joint zero secretsharing (JZSS) protocol [29]. To initialize the system, themultiple authorities must cooperatively execute the DKGprotocol and the JZSS protocol twice and k times, respec-tively, where k is the degree of the polynomial selected byeach authority. Each authority must maintain kþ 2 secretkeys. This scheme is k-resilient, namely the scheme is secureif and only if the number of the colluding users is no morethan k, and k must be fixed in the setup stage.

Chase and Chow proposed another multiauthority KP-ABE scheme [15] which improved the previous scheme [5]and removed the need of a central authority. Notably, they

HAN ET AL.: PRIVACY-PRESERVING DECENTRALIZED KEY-POLICY ATTRIBUTE-BASED ENCRYPTION 2151

also addressed the privacy of the user. In previous multi-authority ABE schemes [5], [7], the user must submit his GIDto each authority to obtain the corresponding secret keys. Thiswill risk the user being traced by a group of corruptedauthorities. Chase and Chow provided an anonymous keyissuing protocol for the GID where a 2-party secure computa-tion technique is employed. As a result, a group of authoritiescannot cooperate to pool the user’s attributes by tracing hisGID. However, the multiple authorities must collaborate tosetup the system. Each pair of authorities must execute a 2-party key exchange protocol to share the seeds of the selectedpseudorandom functions (PRF) [30]. This scheme is ðN � 2Þ-tolerant, namely the scheme is secure if and only if the numberof the corrupted authorities is no more thanN � 2, whereN isthe numberof theauthorities in the system.Thesecurityof thisscheme can be reduced to DBDH assumption and no-standard complexity assumption (q-decisional Diffie-Hell-man inverse (q-DDHI)). Chase and Chow also left an openchallenging research problem on how to construct a privacy-preserving multiauthority ABE scheme without the need ofcooperations among the authorities.

Lekwo and Waters proposed a new multiauthority ABEscheme named decentralizing CP-ABE scheme [8]. Thisscheme improved the previous multiauthority ABEschemes that require collaborations among multiple autho-rities to conduct the system setup. In this scheme, nocooperation between the multiple authorities is required inthe setup stage and the key generation stage, and there is nocentral authority. Note that the authority in this scheme canjoin or leave the system freely without reinitializing thesystem. The scheme was constructed in the composite orderðN ¼ p1p2p3Þ bilinear group, and achieves full (adaptive)security in the random oracle model. They also pointed outtwo methods to create a prime order group variant of theirscheme. As mentioned in [21], unfortunately this scheme isinefficient. Furthermore, the attributes of the user can becollected by tracing his GID.

Muller et al. proposed a distributed CP-ABE scheme [6],[31], where the pairing operations executed in the decryp-tion stage are constant. This scheme was proven to besecure in the generic group [3], instead of reducing to acomplexity assumption. Furthermore, there must be acentral authority who generates the global key and issuessecret keys to the user.

Liu et al. proposed a fully secure multiauthority CP-ABEscheme [32] in the standard model. Their scheme is based onthe CP-ABE scheme [20]. In their scheme, there are multiplecentral authorities and attribute authorities. The centralauthorities issue identity-related keys to users and theattribute authorities issue attribute-related keys to users.Prior to obtaining attribute keys from the attribute autho-rities, the user must obtain secret keys from multiple centralauthorities. This multiauthority ABE scheme was alsodesigned in the composite order ðN ¼ p1p2p3Þ bilinear group.

Li et al. [9] proposed a multiauthority cipher-policy ABEscheme with accountability, where the anonymous keyissuing protocol [15] was employed. In this scheme, the usercan only obtain secret keys anonymously from N � 1authorities; while he can be traced when he shared hissecret keys with others. Unfortunately, the multiple autho-rities must initialize the system interactively. Their schemerelied on DBDH assumption, decisional linear (DLIN)assumption and q-DDHI assumption.

1.2 Our Contribution

In this paper, we answered the question left by Chase andChow [15] affirmatively by proposing a decentralized KP-ABE scheme with the privacy-preserving key extractionprotocol. In our scheme, multiple authorities can workindependently without any cooperation and a centralauthority. The GID is used to tie all the user’s secret keystogether, while the corrupted authorities cannot pool theuser’s attributes by tracing it. Our scheme is any numberresilient for the users and ðN � 1Þ-tolerant for the autho-rities, whereN is the number of the authorities in the system.Our privacy-preserving decentralized ABE scheme is basedon standard complexity assumption (DBDH), instead of anynonstandard complexity assumptions (e.g., q-decisionalDiffie-Hellman inversion). To the best of our knowledge, itis the first decentralized ABE scheme with privacy-preser-ving that is based on merely a standard assumption.

1.3 Paper Organization

In Section 2, we review the preliminaries used throughoutthis paper. Subsequently, a privacy-preserving decentra-lized ABE scheme is proposed and proven in Section 3.Finally, Section 4 concludes the paper.

2 PRELIMINARIES

In the rest of this paper, by x R X, we denote that x israndomly selected from X. Especially, by x R X, we denotethat x is selected from X identically if X is a finite set. Wesay that a function � : ZZ! IR is negligible, if for all z 2 ZZthere exists a value � 2 ZZ such that �ðxÞ < 1

xz for all x > �.By R s S and R!r S, we denote that party S sends s toparty R and party R sends r to party S, respectively. Wedenote KGð1‘Þ as the secret-public key generation algorithmwhere ‘ is the security parameter. If X is a finite set, by jXj,we denote the cardinality of X. By AðxÞ ! y, we denote thaty is computed by running algorithm A on input x. Supposethat ZZp is a finite field with prime order p, by ZZp½x�, wedenote the polynomial ring on ZZp, which consists of allpolynomials with coefficients from ZZp.

2.1 Building Blocks

In this paper, the following building blocks are used.Lagrange Interpolation. Suppose that pðxÞ 2 ZZp½x� is a

ðk� 1Þ-degree polynomial. Given k different polynomialvalues pðx1Þ; pðx2Þ; . . . ; pðxkÞ, the polynomial pðxÞ can bereconstructed as follows:

pðxÞ ¼Xxi2S

pðxiÞY

xj2S;xj 6¼xi

x� xjxi � xj

¼Xxi2S

pðxiÞ�xi;SðxÞ;

where S ¼ fxi; x2; . . . ; xkg. The Lagrange coefficient for xi inS is

�xi;SðxÞ ¼Y

xj2S;xj 6¼xi

x� xjxi � xj

:

Therefore, given any k different values pðx1Þ, pðx2Þ; . . . ,pðxkÞ, we can compute pðxÞ for 8x 2 ZZp. However, whenonly k� 1 different polynomial values are provided, theother polynomial values are unconditionally hidden.

Commitment. A commitment scheme consists of treealgorithms: C ¼ ðSetup;Commit;DecommitÞ.


. Setupð1‘Þ ! params. This algorithm takes as input asecurity parameters ‘ and outputs the systemparameters params.

. Commitðparams;MÞ ! ðcom; decomÞ. This algorithmtakes as input the parameters params and a messageM and outputs a commitment com and a decom-mitment decom. decom can be used to decommite thecommitment com.

. Decommitðparams;M; com; decomÞ ! f0; 1g. This al-gorithm takes as input the parameter params, themessage M, the commitment com and the decom-mitment decom and outputs 1 if decom can decom-mite com to M; Otherwise, this algorithm outputs 0.

A commitment scheme should satisfy two properties: hiding

and binding. The hiding property requires that the message

M keeps undisclosed until the user reveals it. The binding

property requires that only one value decom can be used to

decommit the commitment.We use the Pedersen commitment scheme [33] which is a

perfectly hiding commitment scheme and is based on the

discrete logarithm assumption. Let G be a prime order

group with generators g0; g1; g2; . . . ; gl. In order to commit

messages ðm1;m2; . . . ;mlÞ, the user selects r R ZZp, and

computes the commitment T ¼ gr0Ql

j¼1 gmj

j . The user can

use r to decommit the commitment later.Proof of Knowledge. We use the notation introduced by

Camenisch and Stadler [34] to prove statements about

discrete logarithm. By

PoKfð�; �; �Þ : y ¼ g�h� ^ ~y ¼ ~g� ~h�g;

we denote a zero knowledge proof of knowledge of integers

�; �, and � such that y ¼ g�h� and ~y ¼ ~g� ~h� hold simulta-

neously in groups G ¼ hgi ¼ hhi and ~G ¼ h~gi ¼ h ~hi. Con-

ventionally, the values in the parenthesis denote the

knowledge that is being proven, while the rest of the other

values are known to the verifier. There exists a knowledge

extractor which can be used to rewind these quantities from

a successful prover.

2.2 Decentralized Key-Policy Attribute-BasedEncryption

The formal definition of access structure is as follows:

Definition 1 (Access Control) [22]. Let IP ¼ fP1; P2; . . . , PNgbe a set of parties. A collection AA � 2fP1;P2;...;PNg is monotonic,

if S1 2 AA and S1 � S2 implies S2 2 AA. An access structure

(resp., monotonic access structure) is a collection (resp.,

monotonic collection) AA of nonempty subsets of

fP1; P2; . . . ; PNg, namely AA � 2fP1;P2;...;PNg n f�g. The sets

in AA are called the authorized sets, and the sets outside of AA

are called the unauthorized sets.

A decentralized KP-ABE scheme consists of the follow-

ing five algorithms:

. Global Setup(1‘Þ ! params. This algorithm takes asinput a security parameter ‘ and outputs the systemparameters params.

. Authority Setupð1‘Þ ! ðSKi; PKi;AAiÞ. Each author-ity Ai generates his secret-public key pair KGð1Þ‘ !

ðSKi; PKiÞ and an access structure AAi, for i ¼ 1;2; . . . ; N .

. KeyGenðSKi;GID;AiGIDÞ ! SKi

U . Each authority Ai

takes as input his secret key SKi, a global identifierGID and a set of attributes Ai

GID, and outputs thesecret keys SKi

U , where AiGID ¼ AGID

T ~Ai, AGID and~Ai denote the attributes corresponding to the GIDand monitored by Ai, respectively.

. Encryptionðparams;M;ACÞ ! CT . This algorithmtakes as input the system parameters params, amessage M and a set of attributes AC , and outputsthe ciphertext CT , where AC ¼ fA1

C;A2C; . . . ; AN

C gand Ai

C ¼ AC

T ~Ai.. DecryptionðGID; fSKi

Ugi2IC ; CT Þ. This algorithmtakes as input the global identifier GID, the secretkeys fSKi

Ugi2IC and the ciphertext CT , and outputsthe message M, where IC is the index set of theauthorities Ai such that Ai

C 6¼ f�g.

Definition 2. We say that a decentralized key-policy attribute-

based encryption scheme is correct if

where the probability is taken over the random coins of all the

algorithms in the protocol.

Security ModelOur security model on the decentralized ABE is similar

to the model proposed in [5], [15], which is known as the

selective-set model. This model is described as follows:Initialization. The adversary A submits a set of attributes

AC which he wants to be challenged and a list of corrupted

authorities CA, where jCAj < N . There should exist at leastone authority Aj such that AC

T ~Aj 62 AAj.Global Setup. The challenger runs the Global Setup

algorithm to generate the system parameters params, and

sends them to A.Authority setup.

1. For Ai 2 CA, the challenger sends the secret-publickey pair ðSKi; PKiÞ to A.

2. For Ai 62 CA, the challenger sends the public key PKi

to A.

Phase 1. The adversary A can query secret keys for sets

of attributes A�GID1; A�GID2

; . . . ; A�GIDq1, the only constraint is

AC 6� A�GIDifor i ¼ 1; 2; . . . ; q1.

Challenge. A submits two messages M0 and M1 withequal length. The challenger flips an unbiased coin withf0; 1g, and obtain b 2 f0; 1g. The challenger computesCT � ¼ Encryptionðparams;Mb;ACÞ and sends CT � to A.

Phase 2. The adversaryA can query secret keys for sets of

attributes A�GIDq1þ1; A�GIDq1þ2

; . . . ; A�GIDq. Phase 1 is repeated.


Guess. The adversary A outputs his guess b0 on b.

Definition 3. A decentralized key-policy attribute-based encryp-tion (DKP-ABE) scheme is ðT; q; �Þ secure in the selective-setmodel if no probabilistic polynomial-time adversary A makingq secret key queries has advantage at least

AdvDKP�ABEA ¼ Pr½b0 ¼ b� � 1

2

�� > �ð‘Þ;

in the selective-set model.

2.3 Privacy-Preserving Decentralized Key-PolicyAttribute-Based Encryption

We have described the decentralized KP-ABE scheme andits security model. The privacy-preserving decentralizedKP-ABE scheme has the same algorithms Global Setup,Authority Setup, Encryption, and Decryption with thedecentralized KP-ABE scheme. We only replace the algo-rithm KeyGen in the decentralized KP-ABE scheme withalgorithm BlindKeyGen. In a privacy-preserving decentra-lized KP-ABE scheme, the authorities do not know theuser’s GID nor can cause failures using the information ofthe GID. This concept is from blind IBE schemes [35], [36].We define this algorithm as follows:

BlindKeyGen

ðUðparams; PKi; GID; decomÞ$ Aiðparams; SKi; PKi;AAi; comÞÞ !

�SKi

U; empty�:

In this algorithm, the user U runs the commitment algorithmCommitðparams;GIDÞ ! ðcom; decomÞ and sends com tothe authorityAi. Then, the userU and the authorityAi take asinput ðparams; PKi, GID; decomÞ and

ðparams; SKi; PKi;AAi; comÞ;

respectively. If Decommitðparams;GID; com; decomÞ ! 1,this algorithm outputs a secret key SKi

U for U and emptyfor Ai. Otherwise it outputs error messages ð?;?Þ for bothU and Ai.

The algorithm BlindKeyGen should satisfy the followingtwo properties: leak-freeness and selective-failure blindness[35], [36]. Leak-freeness requires that, by executing algo-rithm BlindKeyGen with the honest authorities, the mal-icious user cannot know anything which he cannot learn byexecuting algorithm KeyGen with the honest authorities.Selective-failure blindness requires that the maliciousauthorities cannot know anything about the user’s GIDand cannot cause the algorithm BlindKeyGen to selectivelyfail depending on the user’s choice of GID. We use thefollowing two games to define these two properties.

Leak-freeness. This game is defined by the real experi-ment and the ideal experiment:

Real Experiment. Runs Setupð1‘Þ ! params and AuthoritySetupð1‘Þ ! ðSKi; PKi;AAiÞ. As many times as the distin-guisher D wants, the adversary U chooses a GID andexecutes the algorithm BlindKeyGen with the authority

Ai : BlindKeyGenðUðparams; PKi;GID; decomÞ$ Aiðparams; SKi; PKi;AAi; comÞÞ:

Ideal Experiment. Runs Setupð1‘Þ ! params and Author-ity Setupð1‘Þ ! ðSKi; PKi;AAiÞ. As many times as thedistinguisher D wants, the simulator U chooses a GID and

queries a trusted party to obtain the output of the algorithmKeyGenðSKi;GID;A

iGIDÞ if Decommitðparams;GID; com;

decomÞ ! 1, and ? otherwise.

Definition 4. An algorithm BlindKeyGenðU $ AiÞ associated

with a decentralized KP-ABE schemeQ¼ (Global Setup,

Authority Setup, KeyGen, Encryption, Decryption) is leak-

free if for all efficient adversaries U, there exists an efficient

simulator U such that for the security parameter ‘, no

efficient distinguisher D can distinguish whether U is

executing Real Experiment or Ideal Experiment with

nonnegligible advantage.

Selective-failure Blindness. This game is defined as follows:

1. The adversary authority Ai outputs his public keyPKi and a pair of global identifiers ðGID0; GID1Þ.

2. A random bit b 2 f0; 1g is selected randomly.3. Ai is given two commitments

comb ¼ Commitðparams;GIDbÞ

and com1�b ¼ Commitðparams;GID1�bÞ, and black-box access the two oracles Uðparams; PKi;GIDb;combÞ and Uðparams; PKi;GID1�b; com1�bÞ.

4. The algorithm U outputs SKiU;b and SKi

U;1�b,respectively.

5. If SKiU;b 6¼? and SKi

U;1�b 6¼? , Ai is given

ðSKiU;b; SK

iU;1�bÞ:

If SKiU;b 6¼? and SKi

U;1�b ¼? , Ai is given ð�;?Þ. IfSKi

U;b ¼? and SKiU;1�b 6¼? , Ai is given ð?; �Þ. If

SKiU;b ¼? and SKi

U;1�b ¼? , Ai is given ð?;?Þ.6. Finally, Ai outputs his guess b0 on b.

Definition 5. An algorithm BlindKeyGenðU $ AiÞ associatedwith a decentralized KP-ABE scheme

Q¼ (Global Setup,

Authority Setup, KeyGen, Encryption, Decryption) isselective-failure blind if no probabilistic polynomial-timeadversary has advantage AvdSFBAi ¼ jPr½b

0 ¼ b� � 12 j > �ð‘Þ

in the above game.

Definition 6 (Privacy-Preserving Decentralized KP-ABE).A privacy-preserving decentralized KP-ABE scheme ~Q ¼(Global Setup, Authority Setup, BlindKeyGen, Encryption,Decryption) is secure in the selective-set model if and only if: 1)

Y¼ ðGlobal Setup;Authority Setup;KeyGen;

Encryption;DecryptionÞ

is a secure decentralized KP-ABE scheme in the selective-setmodel; and 2) algorithm BlindKeyGen is leak-free andselective-failure blind.

2.4 Complexity Assumption

Let GG and GG� be two multiplicative cyclic groups withprime order p, and g be a generator of GG. A bilinear mape : GG�GG! GG� is a map with following properties:

1. Bilinearity. for all x; y 2 GG and u; v 2 ZZp, eðxu; yvÞ ¼eðx; yÞuv.

2. Nondegeneracy. eðg; gÞ 6¼ 1, where 1 is the identityof GG� .


3. Computability. There exists an efficient algorithm tocompute eðx; yÞ for all x; y 2 GG.

Let GGð1‘Þ be a bilinear group generator which takes asinput a security parameter ‘ and outputs the bilinear groupðe; p;GG;GG� Þ with prime order p and a bilinear mape : GG�GG! GG� .

Definition 7 (Decisional Bilinear Diffie-Hellman As-

sumption) [10]. Let a; b; c; z R ZZp, GGð1‘Þ ! ðe; p;GG;GG�Þ, and g be a generator of GG. The DBDH assumption holds

in ðe; p;GG;GG�Þ, if no probabilistic polynomial-time adversary

A can distinguish ðA;B;C; ZÞ ¼ ðga; gb; gc; eðg; gÞabcÞ from

ðA, B;C;ZÞ ¼ ðga; gb; gc; eðg; gÞzÞ with advantage

AdvDBDHA ¼�� Pr½AðA;B;C; eðg; gÞ

abcÞ ¼ 1��Pr½AðA;B;C; eðg; gÞzÞ ¼ 1�

�� > �ð‘Þ;

where the probability is taken over the random choice of

a; b; c; z R ZZp, and the bits consumed by A.

3 PRIVACY-PRESERVING DECENTRALIZED

KEY-POLICY ATTRIBUTE-BASED ENCRYPTION

In this section, we propose a decentralized KP-ABE schemebased on the DBDH assumption. Then, we describe aprivacy-preserving extract protocol for the secret keys.

In our privacy-preserving decentralized KP-ABE scheme,a user executes a 2-party secure computation protocol with anauthority to obtain his secret keys. As a result, the user canobtain his secret keys anonymously without releasing any-thing about his identifier to the multiple authorities. Aspointed in [15], an anonymous credential system [37], [38] can

be used by the user to convince the authorities that he holdsthe corresponding attributes without revealing his identifier.In an anonymous credential system, a user can obtain acredential and prove the possession anonymously. The usercan interact with different partners with different pseudo-nyms [39] such that no partner can link the pseudonyms tothe same user. Furthermore, the user can prove that he hasobtained multiple credentials which correspond to the sameidentifier without revealing it. Hence, this technique can beemployed in our system to allow the user to obtain thecorresponding secret keys without revealing his identifier tothe authorities.

3.1 Decentralized Key-Policy Attribute-BasedEncryption

Our decentralized KP-ABE scheme is described in Fig. 1.This idea is inspired by the IBE schemes [13], [14] and themultiauthority ABE schemes [5], [8], [15].

Overview. In our scheme, suppose that there are Nauthorities A1; A2; . . . ; AN . Authority Ai manages a set ofattributes ~Ai ¼ fai;1; ai;2; . . . ; ai;nig and specifies an ðki; niÞ-threshold access structure AAi, for i ¼ 1; 2; . . . ; N . Ai gen-erates a secret-public key pair ðð�i; �iÞ; ðYi; ZiÞÞ and pub-lishes ðYi; ZiÞ. For each attribute aij 2 ~Ai, Ai creates a secret-public key pair ðti;j; Ti;jÞ and publishes Ti;j. The secret keysand public keys of Ai are ð�i; �i; fti;jgai;j2 ~Ai

Þ and ðYi; Zi;fTi;jgai;j2 ~Ai

Þ, respectively. To issue secret keys to a user Uwith a set of attributes AU , the authority Ai selects a randomnumber ri

RZZp and computes Di using ri, his secret key

ð�i; �iÞ and the user’s identifier u. Hence, the user’sidentifer u is tied to his secret keys. We use Di to protectagainst the collusion attacks. Otherwise, two users with


Fig. 1. Decentralized key-policy attribute-based encryption.

identifier u1 and u2 can combine their secret keys from Ai

and Aj together. The authority Ai selects a ðki � 1Þ-degree

polynomial piðxÞ with pið0Þ ¼ ri. For each attribute

ai;j 2 AU

T ~Ai, Ai computes the secret key Di;j using the

value piðai;jÞ and ti;j. To encrypt a message M 2 GG� under a

set of attributes AC ¼ fA1C;A

2C; . . . ; AN

C g where AiC ¼

AC

T ~Ai for i ¼ 1; 2; . . . ; N , a random number s R ZZp is

selected to hide M in C1 ¼M �Q

i2IC eðg; gÞs�i . The cipher-

text is C ¼ ðC1; C2; C3; fCi;jgai;j2ACÞ, where fCi;jgai;j2AC

are

computed by using s and the public keys fTi;jgai;j2AC. If a

user whose attributes contain those listed in the ciphertext,

he can use his secret keys Di and C2 to compute

E ¼Yi2IC

eðDi; C2Þ ¼Yi2IC

eðg; gÞs�iYi2IC

eðg; hÞsriYi2IC

eðg; h1Þus�i

and use fDi;jgai;j2ACand fCi;jgai;j2AC

to reconstruct the

exponential ri and compute Fi ¼Q

i2IC eðg; hÞsri . Using C3

and his identifier u, the user can compute

V ¼Yi2IC

eðg; h1Þus�i :

So, the user can obtainQ

i2IC eðg; gÞs�i by removing

Qi2IC Fi

and V from E. At the end, he can obtain M by removingQi2IC eðg; gÞ

s�i from C1.Correctness. We have

E ¼Yi2IC

eðDi; C2Þ

¼Yi2IC

eðg�ihrihu�i1 ; gsÞ

¼Yi2IC

eðg; gÞs�iYi2IC

eðg; hÞsriYi2IC

eðg; h1Þus�i ;

V ¼ eðC3; hu1Þ ¼

Yi2IC

eðg; h1Þus�i ;

and

Fi ¼Y

ai;j2AiC

eðCi;j; Di;jÞ�ai;j ;A

iCð0Þ

¼Y

ai;j2AiC

eðgsti;j ; hpiðai;jÞti;j Þ

�ai;j ;A

iCð0Þ

¼Y

ai;j2AiC

eðg; hÞspiðai;jÞ�ai;j ;A

iCð0Þ

¼ eðg; hÞsP

ai;j2AiCpiðai;jÞ�ai;j ;A

iCð0Þ

¼ eðg; hÞsri :

Therefore,

C1 �V �Q

i2IC Fi

E

¼M �Q

i2IC eðg; gÞs�ieðg; h1Þus�ieðg; hÞsriQ

i2IC eðg; gÞs�ieðg; hÞsrieðg; h1Þus�i

¼M:

Theorem 1. Our decentralized key-policy attribute-based en-

cryption scheme is ð�; q; �ð‘ÞÞ semantically secure (CPA) in

the selective-set model, if the ð�0; �0ð‘ÞÞ decisional bilinearDiffie-Hellman assumption holds in ðe; p;GG, GG� Þ, where

�0 ¼ �þOð�Þ and �0ð‘Þ ¼ 1

2�ð‘Þ:

Proof. Suppose that there exists an adversary A who canð�; q; �ð‘ÞÞ break our decentralized KP-ABE scheme, therewill exist an algorithm B that can use A to break thedecisional bilinear Diffie-Hellman assumption as follows:

The challenger generates the bilinear group ðe; p;GG;GG� Þ, and chooses a random generator g 2 GG. He flipsan unbiased coin with f0; 1g. If ¼ 0, he sendsðA;B;C; ZÞ ¼ ðga; gb; gc; eðg; gÞabcÞ to B. Otherwise, hesends ðA;B;C; ZÞ ¼ ðga; gb; gc; eðg; gÞzÞ to B, wherez R ZZp. B will output his guess 0 on .

Initialization. The adversaryA submits a set of attributes

AC ¼ fA1C;A

2C; . . . , AN

C g which he wants to be challenged

and a list of corrupted authorities CA. Suppose that AC is

mapped to the user with global identifier u�. B chooses

�; � R ZZp, and sets h ¼ Ag� and h1 ¼ g�.Authorities Setup. There should be at least one

authority A 62 CA where the adversary can only getsecret keys less than the specified threshold value.Suppose that A specifies the threshold ðk; nÞ andjAC

T ~Aj ¼ k� 1.

1. For Ak 2 CA, it chooses vk; �k; wk;j R

ZZp, and sets:

Yk ¼ eðg; gÞvk ; Zk ¼ g�k ; and fTk;j ¼ gwk;jgak;j2 ~Ak:

This implies that the secret key for Ak 2 CA isðvk; �k; wk;jÞ. B sends ðvk; �k; wk;jÞ and ðYk; Zk, Tk;jÞto A.

2. For Ak 62 CA and Ak 6¼ A, it chooses

vk; �k; wk;j R

ZZp;

and sets

Yk ¼ eðg; gÞbvk ; Zk ¼ g�k ;fTk;j ¼ hwk;j ¼ gðaþ�Þwk;jgak;j2 ~Ai�AC

;

and

fTk;j ¼ gwk;jgak;j2AC

T~Ai:

This implies that the secret key for Ak 62 CA isðbvk; �k; wk;jÞ. B sends ðYk; Zk, Tk;jÞ to A.

3. For A, it chooses wj; � R

ZZp, and sets

Y ¼ eðg; gÞabY

Ak 62CAeðg; gÞ�vkb

YAk2CA

eðg; gÞ�vk ;

Z ¼ g�; fTj ¼ gwjgaj2AC

T~A;

and

fTj ¼ hwj ¼ gðaþ�Þwjgaj2 ~A�AC:

This implies that the secret key for A is ðv; �; !jÞ,where v ¼ ab�

PAk 62CA vkb�

PAk2CA vk. B sends

ðY ; Z, TjÞ to A.


Phase 1. The adversary queries secret keys for global

identifiers u0 with a set of attributes A0U , where AC 6� A0U .

1. For Ak 2 CA, it can use ðvk; �k; wk;jÞ to computesecret keys for ak;j 2 ~Ak

TA0U .

2. For Ak 62 CA and Ak 6¼ A, it chooses rk R

ZZp and

a random ðkk � 1Þ-degree polynomial pkðxÞ R

ZZp½x� with pkð0Þ ¼ rk. It computes

Dk ¼ Bvkhrkhu0�k

1 :

1. If ak;j 2 AC

T ~Ak, it computes

Dk;j ¼ hpkðak;jÞwk;j :

2. If ak;j 2 ~Ak �AC , it computes

Dk;j ¼ hpkðak;jÞðaþ�Þwk;j ¼ g

pkðak;jÞwk;j :

3. For authority A, it chooses r; e1; e2; . . . ; ek�1 R

ZZp,and computes

D ¼ B��hrY

Ak 62CAB�vk

YAk2CA

g�vkhu0�

1 :

a. If aj 2 AC

T ~A, it computes

Dj ¼ hejwj :

b. If aj 2 ~A�AC , it computes

Dj ¼ ðgrB�1Þ�0;S ðajÞ

wj

Yk�1

i¼1

gei�i;S ðajÞ

wj :

We claim that D and Dj are correctly distributed.

D ¼ B��hrY

Ak 62CAB�vk

YAk2CA

g�vkhu0�

1

¼ g�b�ðgag�Þrg��P

Ak 62CAbvkþP

Ak2CAvk

�hu0�

1

¼ ðgag�Þ�bgabðgag�Þrg��P

Ak 62CAbvkþP

Ak2CAvk

�hu0�

1

¼ gabðgag�Þr�bg��P

Ak 62CAbvkþP

Ak2CAvk

�hu0�

1

¼ gab��P

Ak 62CAbvkþP

Ak2CAvk

�hr�bhu

0�1 :

Let r0 ¼ r� b, we have

D ¼ gab��P

Ak 62CAbvkþP

Ak2CAvk

�hr0hu0�

1 :

By selecting e1; e2; . . . ; ek�1, we implicitly define aðk� 1Þ-degree polynomial pðxÞ 2 ZZp½x�, such that pð0Þ ¼r0 and pðiÞ ¼ ei. So, we can compute any value of pðxÞ byinterpolation as follows:

pðxÞ ¼ r0�0;SðxÞ þXk�1

i¼1

ei�i;SðxÞ;

where S ¼ ðAC

T ~AÞSf0g.

Hence, for aj 2 ~A�AC ,

Dj ¼ hpðajÞð�þ�Þwj ¼ g

pðajÞwj ¼ g

r0�0;S ðajÞwj

Yk�1

i¼1

gei�i;S ðajÞ

wj

¼ ðgrB�1Þ�0;S ðajÞ

wj

Yk�1

i¼1

gei�i;S ðajÞ

wj :

Challenge. A sends B two messages M0 and M1 withequal length. B flips an unbiased coin with f0; 1g, andobtains 2 f0; 1g. B computes

C1 ¼ Z �M;C2 ¼ C;Ci;j ¼ fCwi;jgai;j2AC:

B responds with the challenged ciphertext ðC1; C2,fCi;jgai;j2AC

Þ. So ðC1; C2, fCi;jgai;j2ACÞ is a valid encryption

of M with correct distribution whenever Z ¼ eðg; gÞabc.Phase 2. Phase 1 is repeated.Guess. A outputs his guess ~ on . If ~ ¼ , B outputs

his guess 0 ¼ 0. Otherwise, B outputs his guess 0 ¼ 1.As shown above, the public parameters and the secret

keys generated in the simulation paradigm are identical tothose of the real protocol. Now, we compute theprobability with whichB can break the BDDH assumption.

If ¼ 0, ðC1; C2; fCi;jgai;j2ACÞ is the correct ciphertext of

M. Thereafter,A can output ~ ¼ with advantage at least�ð‘Þ, namely Pr½~ ¼ j ¼ 0� 1

2þ �ð‘Þ. Since B outputs0 ¼ 0 when ~ ¼ , we have Pr½0 ¼ j ¼ 0� 1

2þ �ð‘ÞIf ¼ 1, A cannot get any information about .

Therefore, A can output ~ 6¼ with no advantage,namely Pr½~ 6¼ j ¼ 1� ¼ 1

2 . Since B outputs 0 ¼ 1when ~ 6¼ , we have Pr½0 ¼ j ¼ 1� ¼ 1

2 .Therefore, the advantage with which B can break the

BDDH assumption is j 12Pr½0 ¼ j ¼ 0� þ 12Pr½0 ¼

j ¼ 1� � 12 j 1

2� 12þ 1

2� �ð‘Þ þ 12� 1

2� 12 1

2 �ð‘Þ. tu

We compare our scheme with other multiauthority

schemes in Tables 1 and 2. By jUj, jAU j, and jAC j, we denote

the number of the universal attributes, the attributes held by

user U , and the attributes required by the ciphertext,


TABLE 1The Comparison of Computing Cost

respectively. IU and IC denote the index set of the authoritiessuch that Ai

U 6¼ f�g and AiC 6¼ f�g, respectively. By E and P ,

we denote one exponential and one paring operation,respectively. By EGG and EGG�

, we denote one element ingroup GG and one element in group GG� , respectively. Ndenotes the number of the authorities in the systems. By d, wedenote the number of the central authorities in [32].

Collusion Resistance. To be secure against the collusionattacks, the user’s identifier u is embedded in his secret keysand bound with the second secret keys of the authorities sothat these keys can be tied together. When encrypting amessage, all the second public keys of the authoritiesAi withi 2 IC are aggregated and randomized by the value s.Therefore, only the secret keys from the same identifier canbe used to decrypt the ciphertext. The secret keys fromdifferent identifiers cannot be combined asC3 cannot be splitby the malicious users. Suppose that IC ¼ IC0

SIC00 and two

users U1 and U2 obtain secret keys for the attributes whichsatisfy the access structures specified by the authorities withthe indexes in IC0 and IC00 , respectively. If they cooperate todecrypt the ciphertext, they must compute C03 ¼

Qi2IC0 g

�is

and C003 ¼Q

i2Ic00 g�is. However, both C03 and C003 cannot be

obtained from C3 as the exponent s is unknown.Fine-grained access control. We can only express a

threshold access structure in the proposed decentralizedKP-ABE scheme above. In order to express any accessstructure, we employ the access tree technique introduced by

Goyal et al. [16]. Let T be a tree which specifies an access

structure, and defines an ordering between the children of

every node x from 1 to nx, where nx denotes the number of

the children of the node x. Each nonleaf node of Trepresents a threshold gate which consist of the number

of its children and a threshold value. Let kx be the threshold

value in the node x, where 0 < kx � nx. When kx ¼ 1, the

threshold gate is an OR gate. If kx ¼ nx, the gate is an AND

gate. Each leaf node in T is labeled with an attribute and a

threshold value kx ¼ 1. Given an access structure, a

polynomial px is selected for each node in T following the

way in a top-down manner. Starting from the root node r,

set the degree dx of the polynomial to be kx � 1. In our case,

we can set prð0Þ ¼ ri for the authority Ai. For other nodes in

T , we can set qxð0Þ ¼ qparentðxÞðindexðxÞÞ, where parentðxÞdenotes the parent node of x, and indexðxÞ denotes the

number associated with the node x.

3.2 Privacy-Preserving Key Extract Protocol

We propose a privacy-preserving key extract protocol for

the proposed decentralized KP-ABE in Fig. 2.Overview. In Fig. 1, the secret keys for the user with

identifier u are Di ¼ g�ihrihu�i1 and

�Di;j ¼ h

piðai;jÞti;j�ai;j2Ai

U

:


TABLE 2The Comparison of Type, Central Authority, Security Model and the Length of Ciphertext

Fig. 2. A privacy-preserving key extract protocol BlindKeyGen for the DKP-ABE scheme described in Fig. 1.

To obtain secret keys from the authority Ai blindly, the userneeds to prove that he holds the identifier u in zero-knowledge. Notably, if the random number ri is chosen byAi, he can detect the user by computing hu1 ¼ ð Di

g�ihri Þ�

�1i , where

the identifer u is public. Hence, the random number used togenerate secret keys for the user should be computed byexecuting a 2-party secure computing between the user andAi. As a result, the authority generates secret keys for theuser’s attributes without knowing his identifier.

The user U chooses z; 1 R

ZZp and computes T ¼ gzhu1and P1 ¼ h1 . Indeed, T is the commitment of the identifieru and can be used to prove that u has been included in it inzero-knowledge. P1 will be used to execute 2-party securecomputing with Ai. The user proves that he knows z; u; 1 toAi in zero-knowledge.

If the proof is correct, Ai selects ri; 2 R

ZZp and aðki � 1Þ-degree polynomial piðxÞ

RZZp½x� with pið0Þ ¼ ri. Ai

computes

P2 ¼ h2 ; ~Di ¼ g�iðP1P2ÞriT �i

¼ g�ihrið1þ2Þhu�i1 gz�i ; D1i;j ¼ ðP2Þ

piðai;jÞti;j ;

and D2i;j ¼ h

piðai;jÞti;j . Indeed, P1 and P2 are used to compute the

exponential rið1 þ 2Þ by executing a 2-party securecomputing. In this case, the secret key for attribute ai;j 2~Ai should be

Di;j ¼ hð1þ2Þpiðai;jÞ

ti;j :

Unfortunately, Ai does not know 1. Therefore, hecomputes

D1i;j ¼ ðP2Þ

piðai;jÞti;j ¼ h

2piðai;jÞti;j

and D2i;j ¼ h

piðai;jÞti;j so that the user can compute Di;j from

D1i;j, D

2i;j, and 1. Ai sends ðP2; ~Di; fD1

i;j; D2i;jgai;j2Ai

UÞ to the

user and proves that he knows ðri; 2; �i; piðxÞ; fti;jgai;j2AiUÞ

in zero-knowledge.If the proof is correct, the user can compute his secret

keys as Di ¼~Di

Zzi¼ g�ihrið1þ2Þhu�i1 and

Di;j ¼ D1i;jðD2

i;jÞ1 ¼ h

ð1þ2Þpiðai;jÞti;j :

In the BlindKeyGen protocol, the user obtains his secretkey SKi

U ¼ ðDi;Di;jÞ from the authority Ai, where Di ¼g�ihrið1þ2Þhu�i1 and

Di;j ¼ hpiðai;jÞð1þ2Þ

ti;j :

The value rið1 þ 2Þ is computed by U and Ai executing 2-party secure computing, where �i; �i; ri, and 2 are from Ai

and 1 is from U . Hence, from the view of Ai, ðDi;Di;jÞ isidentically distributed in the group GG.

The protocol in Fig. 2 works as follows:

1. The user U chooses 1; z; z1; z2; z3 R

ZZp, and com-putes T ¼ gzhu1 , P1 ¼ h1 , T 0 ¼ gz1hz2

1 and P 01 ¼ hz3 . Usends ðT; P1; T

0; P 01Þ to the authority Ai.2. Ai chooses c R ZZp, and sends c to U .3. U computes s1 ¼ z1 � cz, s2 ¼ z2 � cu, and s3 ¼

z3 � c1, and sends ðs1; s2; s3Þ to Ai.

4. Ai checks T 0 ¼? gs1hs2

1 Tc and P 01 ¼

?hs3Pc

1 . If so, Ai

chooses ri; 2; w; b1; b2; b3; dj R

ZZp and a randomðki � 1Þ-degree polynomial piðxÞ with pið0Þ ¼ ri,and computes

P2 ¼ h2 ; P 02 ¼ hw; ~Di ¼ g�iðP1P2ÞriT �i ; D1i;j

¼ Ppiðai;jÞti;j

2 ; D2i;j ¼ h

piðai;jÞti;j ; ~D0i ¼ gb1ðP1P2Þb2Tb3 ; Z0i

¼ gb3 ; Z0 ¼ eðg; hÞb2 ; V 1j ¼ P

dj2 ;

and V 2j ¼ hdj . Ai sends ðD1

i;j; D2i;j, P2; P

02; Z

0i; Z

0;~Di; ~D0i; V

1j ; V

2j Þ to U . Otherwise, aborts.

5. U chooses c0 R ZZp, and sends c0 to Ai.6. Ai computes �1 ¼ b1 � c0�i, �2 ¼ b2 � c0ri, �3 ¼ b3 �

c0�i, �4 ¼ w� c02, and �j ¼ tj � c0 piðai;jÞti;j. Ai sends

ð�1; �2; �3; �4; �jÞ to U .7. U computes Z ¼

Qai;j2Ai

UeðTi;j; D2

i;jÞ�ai;j ;A

iUð0Þ

, andchecks

P 02 ¼?h�4Pc0

2 ; Z0 ¼? eðg; hÞ�2Zc0 ; V 1

j ¼?P�j2 ðD1

i;jÞc0 ; V 2

j

¼? h�jðD2i;jÞ

c0

and ~D0i ¼?g�1ðP1P2Þ�2T�3 ~Dc0

i . If so, U computes Di ¼~Di

Zziand Di;j ¼ D1

i;jðD2i;jÞ

1 . Otherwise, aborts.

Theorem 2. The proposed privacy-preserving key extract protocolBlindKeyGen in Fig. 2 is both leak-free and selective-failureblind.

Proof. Leak freeness. Suppose that there exists anadversary U in the real experiment (where U isinteracting with an honest authority Ai running theBlindKeyGen protocol), there will exist a simulator U inthe ideal experiment (where U can access the trustedparty running the ideal KeyGen protocol) such that noefficient distinguisher D can distinguish the real experi-ment from the ideal experiment. The simulator Usimulates the communication between the distinguisherD and the adversary U by passing the input of D to U andthe output of U to D. U works as follows:

1. U sends the adversary U the public key PKi of Ai.2. U must submit two values T and P1, and prove

PoKfðz, u; 1Þ : T ¼ gzhu1 ^ P1 ¼ h1g. If the prooffails, U aborts the simulation. Otherwise, by usingthe rewind technique, U can obtain ðz; u; 1Þ.

3. U sends u to the trusted party. The trusted partyruns KeyGen to generates ðDi;Di;jÞ, and respondsit to U.

4. U chooses � R ZZp, and computes 2 ¼ �� 1,P2 ¼ h2 , ~Di ¼ DiZ

zi , D

1i;j ¼ ðDi;jÞ

2� and D2

i;j ¼ D1�

i;j.U returns ðP2; ~Di;D

1i;j; D

2i;jÞ to U.

If ðDi;Di;jÞ are correct keys from the trusted party inthe ideal experiment, ðP2; ~Di;D

1i;j; D

2i;jÞ are the correct

keys from Ai in the real experiment. So, ðDi;Di;jÞ andðP2; ~Di, D

1i;j; D

2i;jÞ are distributed identically. Therefore,

no efficient distinguisher D can distinguish the real gamefrom the ideal game.

Selective-failure blindness. The adversary Ai submits

the public key PKi, and two global identifiers u0 and u1.

Then, a bit b 2 f0; 1g is randomly selected. Ai can have a


black-box access to Uðparams; PKi; ubÞ and Uðparams;PKi; u1�bÞ. Then, U executes BlindKeyGen protocol with

Ai, where Ai plays the role of authority Ai. U outputs

secret keys SKbU and SK1�b

U for global identifiers ub andu1�b, respectively. If SKb

U 6¼? and SK1�bU 6¼? , Ai is

given ðSKbU; SK

1�bU Þ. If SKb

U 6¼? and SK1�bU ¼? , Ai is

given ð�;?Þ. If SKbU ¼? and SK1�b

U 6¼?;Ai is given

ð?; �Þ. If SKbU ¼? and SK1�b

U ¼?;Ai is given ð?;?Þ. At

the end, Ai outputs his prediction b0 on b.In the BlindKeyGen protocol, U sends Ai two random

values T; P1 2 GG, and proves PoKfðz; ub; 1Þ : T ¼gzhub1 ^ P1 ¼ h1g. Supposed that Ai runs one or both ofthe oracles up to this point. Now, it is Ai’s turn torespond. So far, Ai’s view on the two oracles iscomputationally undistinguishable. Otherwise, the hid-ing property of the commitment scheme and the witnessundistinguishable property of the zero-knowledge proofwill be broken. Suppose that Ai uses any computingstrategy to output secret keys f ~Di;Di;jg for the firstoracle. In the following, we will show that Ai can predictSKb

U of U without interaction with the two oracles:

1. Ai checks

PoK

�ð�i; �i; ri; 2Þ : ~Di ¼ g�iðP1P2ÞriT �i ^ P2

¼ h2 ^D1i;j ¼ ðP2Þ

piðai;jÞti;j ^D2

i;j ¼ hpiðai;jÞti;j

^Y

ai;j2AiU

eðTi;j; D2i;jÞ

�ai;j;A

iUð0Þ ¼ eðg; hÞri

�:

If the proof fails, A sets SK0U ¼? .

2. Ai generates different ð ~Di;Di;jÞ for the secondoracle and a proof of knowledge:

PoK

�ð�i; �i; ri; 2Þ : ~Di ¼ g�iðP1P2ÞriT �i ^ P2

¼ h2 ^D1i;j ¼ ðP2Þ

piðai;jÞti;j ^D2

i;j

¼ hpiðai;jÞti;j ^

Yai;j2Ai

U

eðTi;j; D2i;jÞ

�ai;j ;A

iUð0Þ ¼ eðg; hÞri

�:

Ai checks the proof, if it fails, it sets SK1U ¼? .

3. Finally, Ai outputs his predication on ðu0; u1Þwith ðSK0

U ; SK1UÞ, if SK0

U 6¼? and SK1U 6¼? ;

ð�;?Þ, if SK0U 6¼? and SK1

U ¼? ; ð?; �Þ, if SK0U ¼

? and SK1U 6¼? ; ð?;?Þ, i f SK0

U ¼? and

SK1U ¼? .

The predication on ðu0; u1Þ is correct, and has theidentical distribution with the oracle. Because Ai per-forms the same check as the honest U , it outputs thevalid keys as U obtains from BlindKeyGenðAiðpara ms;PKi; SKiÞ $ Uðparams; PKi; uÞÞ when both checks are

valid. Hence, if Ai can predict the final outputs of thetwo oracles, the advantage of Ai in distinguishingUðparams; PKi; ubÞ from Uðparams; PKi; u1�bÞ is thesame without the final outputs. Therefore, the advantageof Ai should come from the received T , P1, and the proofP

1 : PoKfðz; ub; 1Þ : T ¼ gzhub1 ^ P1 ¼ h1g. From thehiding property of the commitment scheme and witnessundistinguishable property of the zero-knowledge proof,Ai cannot distinguish one from the other with non-negligible advantage. tu

Therefore, from Theorem 1 and Theorem 2, we have thefollowing theorem:

Theorem 3. Our privacy-preserving decentralized attribute-based encryption scheme ~Q ¼ (Global Setup, AuthoritySetup, BlindKeyGen, Encryption, Decryption) is secure inthe selective-set model under the DBDH assumption.

Protecting privacy is an important issue in distributedsystems. Therefore, our privacy-preserving decentralizedKP-ABE scheme can be used as a sound solution toconstruct privacy-preserving data transfer and accesscontrol schemes in distributed systems, where the dataowner can encrypted his data under a set of attributes sothat only the users whose attributes satisfy the specifiedaccess structure can access the data. Users can obtain secretkeys from multiple parties without being traced andexposing their identities to the authorities. As a result,our scheme can capture the following important proper-ties: 1) Fine-grained access control. Our scheme canimplement any access structure using the access treetechnique; 2) Improving privacy and security. Users cannotbe impersonated as they can obtain secret keys frommultiple parties without exposing their identities to them;3) Efficiency. Multiple authorities can work independentlywithout any cooperation.

We list the computing cost and communication cost ofthe privacy-preserving key extract protocol in Table 3.

4 CONCLUSION

The decentralized ABE scheme has attracted a lot ofattention, because it can reduce the trust on merely a singlecentralized authority. In order to resist the collusion attacksin the decentralized ABE schemes, the global identifier GIDis used to tie all the user’s secret keys from multipleauthorities together. However, this will risk the user beingtraced and impersonated by the corrupted authorities. Inthis paper, we proposed a privacy-preserving decentralizedABE scheme to protect the user’s privacy. In our scheme, allthe user’s secret keys are tied to his identifier to resist thecollusion attacks while the multiple authorities cannot knowanything about the user’s identifier. Notably, each authority


TABLE 3The Computing Cost and Communication Cost of the Privacy-Preserving Key Extract Protocol

can join or leave the system freely without the need of

reinitializing the system and there is no central authority.

Furthermore, any access structure can be expressed in our

scheme using the access tree technique. Finally, our scheme

relies on the standard complexity assumption (e.g., DBDH),

rather than the nonstandard complexity assumptions (e.g.,

DDHI).

ACKNOWLEDGMENTS

Jinguang Han was supported by PhD scholarships of Smart

Services Cooperative Research Centre (CRC) and University

of Wollongong.

REFERENCES

[1] B.C. Neuman and T. Ts’o, “Kerberos: An Authentication Sewicefor Computer Networks,” IEEE Comm. Magazine, vol. 32, no. 9,pp. 33-38, Sept. 1994.

[2] N.P. Smart, “Access Control Using Pairing Based Cryptography,”CT-RSA ’03: Proc. RSA Conf. The Cryptographers’ Track, pp. 111-121,2003.

[3] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-PolicyAttribute-Based Encryption,” Proc. IEEE Symp. Security and Privacy(S&P ’07), pp. 321-34, May 2007.

[4] A. Sahai and B. Waters, “Fuzzy Identity-Based Encryption,”EUROCRYPT ’05: Proc. Advances in Cryptology, R. Cramer, ed.,pp. 457-473, May 2005.

[5] M. Chase, “Multi-Authority Attribute Based Encryption,” Proc.Theory of Cryptography Conf. (TCC ’07), S.P. Vadhan, ed., pp. 515-534, Feb. 2007.

[6] S. Muller, S. Katzenbeisser, and C. Eckert, “Distributed Attribute-Based Encryption,” Proc. 11th Int’l Conf. Information Security andCryptology (ICISC ’08), P.J. Lee and J.H. Cheon, eds., pp. 20-36,Dec. 2008.

[7] H. Lin, Z. Cao, X. Liang, and J. Shao, “Secure Threshold Multi-Authority Attribute Based Encryption without a Central Author-ity,” INDOCRYPT ’08: Proc. Int’l Conf. Cryptology in India,D.R. Chowdhury, V. Rijmen, and A. Das, eds., pp. 426-436, Dec.2008.

[8] A. Lewko and B. Waters, “Decentralizing Attribute - BasedEncryption,” EUROCRYPT ’11: Proc. 30th Ann. Int’l Conf. Theoryand Applications of Cryptographic Techniques: Advances in Cryptology,K.G. Paterson, ed., pp. 568-588, May 2011.

[9] J. Li, Q. Huang, X. Chen, S.S.M. Chow, D.S. Wong, and D. Xie,“Multi-Authority Ciphertext-Policy Attribute-Based Encryptionwith Accountability,” Proc. ACM Symp. Information, Computer andComm. Security (ASIACCS ’11), pp. 386-390, 2011.

[10] D. Boneh and M.K. Franklin, “Identity-Based Encryption from theWeil Pairing,” CRYPTO ’01: Proc. Advances in Cryptology, J. Kilian,ed., pp. 213-229, Aug. 2001.

[11] A. Shamir, “Identity-Based Cryptosystems and SignatureSchemes,” CRYPTO ’84: Proc. Advances in Cryptology, G.R. Blakleyand D. Chaum, eds., pp. 47-53, Aug. 1985.

[12] C. Gentry, “Practical Identity-Based Encryption without RandomOracles,” EUROCRYPT ’06: Proc. Advances in Cryptology,S. Vaudenay, ed., pp. 445-464, May/June 2006.

[13] B. Waters, “Efficient Identity-Based Encryption without RandomOracles,” EUROCRYPT ’05: Proc. Advances in Cryptology,R. Cramer, ed., pp. 114-127, May 2005.

[14] D. Boneh and X. Boyen, “Efficient Selective-Id Secure Identity-Based Encryption without Random Oracles,” EUROCRYP ’04:Proc. Advances in Cryptology, C. Cachin and J. Camenisch, eds.,pp. 223-238, May 2004.

[15] M. Chase and S.S. Chow, “Improving Privacy and Security inMulti-Authority Attribute-Based Encryption,” Proc. ACM Conf.Computer and Comm. Security (CCS ’09), E. Al-Shaer, S. Jha, andA.D. Keromytis, eds., pp. 121-130, Nov. 2009.

[16] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-BasedEncryption for Fine-Grained Access Control of Encrypted Data,”Proc. ACM Conf. Computer and Comm. Security (CCS ’06), A. Juels,R.N. Wright, and S.D.C. di Vimercati, eds., pp. 89-98, Oct./Nov.2006.

[17] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute- BasedEncryption with Non-Monotonic Access Structures,” Proc.ACM Conf. Computer and Comm. Security (CCS ’07), P. Ning,S.D.C. di Vimercati, and P.F. Syverson, eds., pp. 195-203, Oct.2007.

[18] L. Cheung and C. Newport, “Provably Secure Ciphertext PolicyAbe,” Proc. ACM Conf. Computer and Comm. Security (CCS ’07),P. Ning, S.D.C. di Vimercati, and P.F. Syverson, eds., pp. 456-465,Oct. 2007.

[19] J. Herranz, F. Laguillaumie, and C. Rafols, “Constant SizeCiphertexts in Threshold Attribute-Based Encryption,” Proc.Public Key Cryptography (PKC ’10), P.Q. Nguyen and D. Pointch-eval, eds., pp. 19-34, May 2010.

[20] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters,“Fully Secure Functional Encryption: Attribute- Based Encryptionand (Hierarchical) Inner Product Encryption,” EUROCRYPT ’10:Proc. Advances in Cryptology, H. Gilbert, ed., pp. 62-91, May/June2010.

[21] B. Waters, “Ciphertext-Policy Attribute-Based Encryption: AnExpressive, Efficient, and Provably Secure Realization,” Proc. 14thInt’l Conf. Practice and Theory in Public Key Cryptography Conf.Public Key Cryptography (PKC ’11), D. Catalano, N. Fazio,R. Gennaro, and A. Nicolosi, eds., pp. 53-70, Mar. 6-9 2011.

[22] A. Beimel, “Secure Schemes for Secret Sharing and Key Distribu-tion,” Phd thesis, Israel Inst. of Technology, Technion, Haifa,Israel, June 1996.

[23] N. Attrapadung and H. Imai, “Dual-Policy Attribute BasedEncryption,” Proc. Seventh Int’l Conf. Applied Cryptographyand Network Security (ACNS ’09), M. Abdalla, D. Pointcheval,P.-A. Fouque, and D. Vergnaud, eds., pp. 168-185, June 2009.

[24] A. Rial and B. Preneel, “Blind Attribute-Based Encryption andOblivious Transfer with Fine-Grained Access Control,” Proc.2010th Benelux Workshop Information and System Security (WISSec’10), pp. 1-20, 2010.

[25] S. Yu, K. Ren, and W. Lou, “FDAC: Toward Fine-Grained DataAccess Control in Wireless Sensor Networks,” IEEE Trans.Parallel and Distributed Systems, vol. 22, no. 4, pp. 673-686, Apr.2011.

[26] J. Hur and D.K. Noh, “Attribute-Based Access Control withEfficient Revocation in Data Outsourcing Systems,” IEEE Trans.Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214-1221, July2011.

[27] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving Secure, Scalable,and Fine-Grained Data Access Control in Cloud Computing,”Proc. IEEE INFOCOM ’10, pp. 534-542, Mar. 2010.

[28] R. Gennaro, S.law Jarecki, H. Krawczyk, and T. Rabin, “SecureDistributed Key Generation for Discrete-Log Based Cryptosys-tems,” EUROCRYPT ’99: Proc. 17th Int’l Conf. Theory andApplication of Cryptographic Techniques, J. Stern, ed., pp. 295-310,May 1999.

[29] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “RobustThreshold DSS Signatures,” Information and Computation, vol. 164,no. 1, pp. 54-84, 2001.

[30] M. Naor, B. Pinkas, and O. Reingold, “Distributed Pseudo -Random Functions and KDCs,” EUROCRYPT ’99: Proc. Advancesin Cryptology, J. Stern, ed., pp. 327-346, May 1999.

[31] S. Muller, S. Katzenbeisser, and C. Eckert, “On Multi-AuthorityCiphertext-Policy Attribute-Based Encryption,” Bull. of the KoreanMath. Soc., vol. 46, no. 4, pp. 803-819, 2009.

[32] Z. Liu, Z. Cao, Q. Huang, D.S. Wong, and T.H. Yuen, “FullySecure Multi-Authority Ciphertext-Policy Attribute-Based En-cryption without Random Oracles,” Proc. 16th European Symp.Research in Computer Security (ESORICS ’11), V. Atluri and C. Diaz,eds., pp. 278-297, Sept. 2011.

[33] T.P. Pedersen, “Non-Interactive and Information- TheoreticSecure Verifiable Secret Sharing,” CRYPTO ’91: Proc. 11th Ann.Int’l Cryptology Conf. Advances in Cryptology, J. Feigenbaum, ed.,pp. 129-140, Aug. 1991.

[34] J. Camenisch and M. Stadler, “Efficient Group SignatureSchemes for Large Groups,” CRYPTO ’97: Proc. 17th Ann. Int’lCryptology Conf. Advances in Cryptology, B.S. Kaliski, Jr., ed.,pp. 410-424, Aug. 1997.

[35] J. Camenisch, M. Kohlweiss, A. Rial, and C. Sheedy, “Blind andAnonymous Identity-Based Encryption and Authorised PrivateSearches on Public Key Encrypted Data,” Proc. 12th Int’l Conf.Practice nad Theory in Public Key Cryptography (PKC ’09), S. Jareckiand G. Tsudik, eds., pp. 196-214, Mar. 2009.


[36] M. Green and S. Hohenberger, “Blind Identity-Based Encryptionand Simulatable Oblivious Transfer,” ASIACRYPT ’07: Proc. 13thInt’l Conf. Theory and Application of Cryptology and InformationSecurity: Advances in Cryptology, K. Kurosawa, ed., pp. 265-282,Dec. 2007.

[37] D. Chaum, “Security without Identification: Transaction Systemsto Make Big Brother Obsolete,” Comm. ACM, vol. 28, no. 10,pp. 1030-1044, 1985.

[38] J. Camenisch and A. Lysyanskaya, “An Efficient System for Non-Transferable Anonymous Credentials with Optional AnonymityRevocation,” EUROCRYPT ’01: Proc. Int’l Conf. the Theory andApplication of Cryptographic Techniques: Advances in Cryptology,B. Pfitzmann, ed., pp. 93-118, May 2001.

[39] A. Lysyanskaya, R.L. Rivest, A. Sahai, and S. Wolf, “PseudonymSystems,” Proc. Sixth Ann. Int’l Workshop Selected Areas inCryptography (SAC ’99), H.M. Heys and C. M. Adams, eds.,pp. 184-199, Aug. 1999.

Jinguang Han is currently working toward thePhD degree in School of Computer Science andSoftware Engineering, University of Wollongong,Australia. He is also a lecturer in College ofSciences, Hohai University, China. His researchinterests include applied cryptography, identitymanagement, access control and data outsour-cing. He is a student member of the IEEE.

Willy Susilo received the PhD degree incomputer science from the University of Wollon-gong, Australia. He is a professor at the Schoolof Computer Science and Software Engineeringand the codirector of Centre for Computer andInformation Security Research (CCISR) at theUniversity of Wollongong. He is currently holdingthe prestigious ARC Future Fellow awarded bythe Australian Research Council (ARC). Hismain research interests include cryptography

and information security. His main contribution is in the area of digitalsignature schemes. He has served as a program committee member indozens of international conferences. He has published numerouspublications in the area of digital signature schemes and encryptionschemes. He is a senior member of the IEEE.

Yi Mu received the PhD degree from theAustralian National University in 1994. Hecurrently is an associate professor, head ofSchool of Computer Science and SoftwareEngineering and the codirector of Centre forComputer and Information Security Research atUniversity of Wollongong, Australia. His currentresearch interests include network security,computer security, and cryptography. He is theeditor-in-chief of International Journal of Applied

Cryptography and serves as an associate editor for nine otherinternational journals. He is a senior member of the IEEE and amember of the IACR.

Jun Yan received the BEng and MEng degreesin computer application Technologies fromSoutheast University, Nanjing, China, in 1998and 2001, respectively, and the PhD degree ininformation technology from Swinburne Univer-sity of Technology, Melbourne, Australia, in2004. He is currently a senior lecturer in theSchool of Information Systems and Technology,University of Wollongong, Wollongong, Australia.His research interests include software technol-

ogies, workflow management, service-oriented computing, and agenttechnologies.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

Privacy-Preserving Decentralized Key-Policy Attribute-Based Encryption