The foundation of ABE-type algorithms is pairing computation. In this appendix, we adopt the design from [297] in terms of algebraic structure. Suppose we have two groups: an additive group and a multiplicative group with the same order , where and are two large prime numbers. We define a bilinear map . This map has three properties:
• Bilinearity. , for any and ;
• Nondegeneracy. , where g and h are generators of ;
• Efficiency. Computing the pairing can be efficiently achieved.
As mentioned in Section 7.2.1, the proposed solution includes an upper-level ontology-based attribute management scheme and a lower-level ABE-based naming scheme. The upper-level is only focused on the relationship between attributes, which has little to do with security. In this section, we only focus on the naming scheme, which can be modeled in the form of a game between a challenger and an adversary. The challenger simulates the operations of the TTP and the attribute authorities, while the adversary tries to impersonate as a number of normal network nodes. The game consists of the following five steps:
• Setup. The challenger runs the GlobalSetup algorithm and returns to the adversary the parameters.
• Phase 1. The adversary can ask for an arbitrary number of user keys from the challenger. The challenger runs the NodeJoin algorithm for each user involved in the requests and returns the corresponding secret information. The adversary then plays the roles of these users to request for attributes from the challenger. The challenger runs the AuthoritySetup algorithm to create parameters for authorities and runs the KeyGen algorithm to generate keys on behalf of the authorities and the TTP.
• Challenge. The adversary provides two messages and to the challenger, together with an access policy A such that none of the users created by the challenger has attributes satisfying A. The challenger flips a coin b and encrypts using A. It sends the ciphertext back to the adversary.
• Phase 2. The adversary can ask for more attributes and users from the challenger. But if any single user can gain satisfactory attribute combinations for A, the challenger aborts the game.
• Guess. The adversary makes a guess for the real value of b.
The adversary's advantage in this game can be defined as . The proposed scheme is secure if for all the polynomial time adversaries, the advantage is at most negligible in the game.
In this section, we use a composite order group with an order , where p and q are two large prime numbers. In other words, we fix the composite value s in Section C.1.1 as equal to pq. We also choose two subgroups and of such that , , and is orthogonal to . We deliberately choose such composite-order group configuration mainly because the proposed scheme is designed to support attribute rankings in . It follows RSA conditions to enforce one-direction deduction between attribute values. This is why the values of s and t are set to be products of two large prime numbers. Details of such process will be illustrated in Section C.1.4.
Attributes of an entity can be any value in strings. In our scheme, each attribute string corresponds to a triplet , where . and are assigned by the TTP. The mapping from a string to such a triplet is determined by the authority of attribute . An access policy can be expressed in Disjunctive Normal Form (DNF) of attributes. In each conjunctive clause of the DNF, the sequence of attributes is determined by the encrypter. The sequence encrypting a conjunctive clause (encryption sequence) is opposite to the decryption sequence. We define a public attribute in the scheme. Unlike other attributes, is associated with a triplet . For each conjunctive clause, the encrypter adds at the end of the encryption sequence. In other words, the special attribute is always the last attribute in encryption and the first attribute in decryption.
In the proposed scheme, GlobalSetup algorithm is run by the TTP to generate global parameters for the system. For each node joining in the network, the TTP runs NodeJoin algorithm once to generate a unique secret for the node. For each attribute, the authority in charge runs AuthoritySetup algorithm to generate secrets associated with that attribute. Besides, this naming scheme includes the other three basic algorithms: KeyGen, Encrypt, and Decrypt. Once set up, the authority of an attribute runs KeyGen for each node carrying this attribute to allocate the inherent attribute secrets. Encrypt and Decrypt are respectively used by encrypters and decrypters for message passing.
The GlobalSetup algorithm generates global parameters {, , φ, ψ, , , , , , }, and global secrets {β, }, where α and β are random values and , are a pair of symmetric encryption algorithms.
The NodeJoin algorithm is given in Algorithm C.2.
Each individual authority that manages an attribute will have to run AuthoritySetup to set up attribute secrets.
The KeyGen algorithm generates the private keys corresponding to each attribute for each node holding this attribute. It is defined in Algorithm C.4. When the node receives the keys from the authority, it checks if is true. If it's true, it updates with and accepts the keys. This update is intended to prevent from replay attack on . Otherwise, it will discard the keys.
The Encrypt algorithm works following the encryption sequence of each clause, by denoting each attribute from to , where m is the number of attributes in the clause. In the example of Fig. 7.6, , , , , . Choose a random value , set , and follow Algorithm C.5.
The Decrypt algorithm works in the decryption sequence. Note that the first attribute in a decryption sequence is always . The decrypter follows Algorithm C.6.
When Decrypt algorithm succeeds, is the random data encrypting key embedded in C.
The proposed ABE scheme extends the capabilities of traditional ABE schemes and is able to support a comparison between the values of the same attribute. In a real world scenario, this means, for instance, that two values, and , of attribute Occupation can be compared and have the relationship , meaning that the attribute subsumes all the privileges that the has, but the does not have any of the additional privileges the has. Such capability is applicable when capabilities of the lower-ranking role () is a subset of that of the higher-ranking role (). In traditional ABE solutions, each attribute value ( and in the above example) corresponds to a set of cryptographic components that are designated for that specific attribute (Occupation in the example) of a specific user. Components for different values of the same attribute are not related. In other words, the key components of are independent of those of . To establish ranking relations between attribute values, certain connections need to be created between the corresponding key components. Specifically, a one-direction relation between values of the same attribute is supported in the proposed scheme. It allows a higher-ranking user () to be able to legally derive the corresponding lower-ranking role () key components for himself. However, the lower-ranking role cannot derive anything regarding the higher-ranking role.
Such capability can be achieved by deliberately assigning appropriate values in KeyGen algorithm. We assign for and for such that , , , and . Thus, we have and . This is different from traditional ABE scheme, where both and are randomly chosen. This is the connection we establish between comparable values ( and ) of the same attribute (Occupation). Recall that when we defined the order of , it was written as , where p and q are two large prime numbers. In other words, is a composite number satisfying RSA algorithm requirements. If a user is assigned , i.e., the key for , it is able to calculate the corresponding key for as long as . This can be done as
This means that when we assign attributes to , we can choose to assign the value to the user together with . Thus, when the user needs to decode some message dedicated for , he can easily calculate following equation (C.1). However, if another user has the attribute , he cannot deduce following the same equation in a similar way. This is because in this case, . Under RSA assumption, cannot be efficiently computed due to the secrecy of . A benefit of such extension to our original scheme is that it allows the ranking relations among attributes without incurring too much workload on the TTP side. Only eligible users, owners in this example, can use such capability, and the value is only useful to eligible users.
With such a knowledge, the TTP can assign two more values, Δh and Δr, to user in KeyGen algorithms. When needed, the user can derive his key values corresponding to attribute afterwards. The modified step 3 of KeyGen is as follows:
Thus, the for 's attribute is changed to . Correspondingly, we have:
Here, we need to point out that to make sure that the values of h for two comparable attributes are the same, comparable attributes need to be managed by the same authority. This means that one single authority defines the relative order between these attributes. This requirement makes sense in a real-world scenario since in most cases a single authority (the hospital in this example) defines values of the same attribute (job position).
In this section, we provide a sketch of security proof following the structure in [63]. Before going into details of the proof, we firstly modify the security game described in Section C.1.2. This modification follows the same idea as in [63] and it is intended to change from differentiating two random messages to differentiating so that the generated intermediate results can be represented using the four mappings introduced in Section C.1.5.2. The goal of such modification is essentially to facilitate the following security proof. To differentiate these two games, we call the one in Section C.1.2 as Game1 and the modified game as Game2.
Game2 consists of five steps similar to Game1. The steps Setup, Phase1, and Phase 2 are the same as in Game1. The Challenge step is different in that the challenger does not choose one message to construct the ciphertext C. Instead, it outputs as
Here, all the are randomly chosen from following independent uniform distribution.
Suppose an adversary adv1 in Game1 has the advantage of ϵ, the corresponding adversary adv2 in Game2 can be constructed according to the following strategy:
• Forward all the messages between adv1 and the challenger during Setup, Phase1, and Phase 2;
• In the Challenge step, adv2 gets two messages and from adv1 and the challenge C from the challenger. adv2 flips a coin δ and sends to adv1 as the challenge for adv1 in Game1. adv2 generates its guess based on the output from adv1. If , then the guess is 1; otherwise, it is 0.
The advantage that adv2 has in this game can be calculated as .
In the following, we will show that no polynomial adversary can distinguish between and . Therefore, no adversary can have nonnegligible advantage in the security model.
In this section, we follow the generic group model introduced in [247] and use a simulator to model the modified security game between the challenger and the adversary. The simulator chooses random generators and . It then encodes any member in and to a random string following two mappings: . It also encodes any member in to a random string in a similar way: . One additional mapping is used to convert elements in to string representations: . The four mappings should be invertible so that the simulator and the adversary can map between the strings and the elements of corresponding algebraic structures in both directions. Four oracles are provided to the adversary by the simulator to simulate the group operations in , , , and the pairing. Only the string representations can be applied to the oracles. The results are returned from the simulator in the string representations as well. The oracles will strictly accept inputs from the same group. The simulator plays the role as the challenger in the modified game.
• Setup. The simulator chooses , , , e, φ, ψ, and random values α, β. It also defines the mappings , , and the four oracles mentioned above. The simulator chooses the public attribute parameters , , , and , where λ and μ are random strings. The public parameters are , , , , , , , and .
• Phase 1. When the adversary runs NodeJoin for a new user with UID, the simulator generates a random number . It returns to the adversary with , , , and , here is a random number chosen by the simulator. When the adversary requests a new attribute that has not been used before, the simulator randomly chooses and , to simulate the process for setting up an attribute authority. For each attribute key request made from the adversary, the simulator computes , , and , where is a random number chosen from . The simulator passes all these values to the adversary as the attribute keys associated with .
• Challenge. When the adversary asks for a challenge, the simulator flips a coin b and chooses a random value . If , the simulator calculates ; if , it picks a random value and calculates . In addition, it calculates and . It also computes other components of the ciphertext following Encrypt: , , and , where is a random number chosen by the simulator.
• Phase 2. The simulator interacts with the adversary similar as in Phase 1 with the exception that the adversary cannot acquire attribute keys enabling a single user to satisfy the access policy . The output of this step is similar to that of Phase 1 except that the simulator acquires more user IDs and attributes in this step.
From the above game, we can see that the adversary only acquires the string representation of random values in , and combinations of the values. We can model all the queries as rational functions and further assume that different terms always result in different string representations [63]. As shown in [63], the probability that two terms share the same string representation is , where q is the number of queries made by the adversary. We assume in the rest of the proof that no such collision happens.
Now we argue that the adversary's views are identically distributed between the two cases when and when . As a matter of fact, what the adversary can view from the modified game with the simulator are independent elements that are uniformly chosen and the only operation that the adversary can do on these elements is to test if two of them are equal or not. Thus, the situation that the views of the adversary differ can only happen when there are two different terms and that are equal when . Since αs and only occur in group , the results from cannot be paired. Queries by the adversary can only be in the form of additive terms. Then we have , where γ is a constant. By transformation, we have . This implies that by deliberately constructing a query , the adversary may be able to get the value of . Now we prove that such a query cannot be constructed by the adversary based on the information it gets from the game.
In fact, the information that an adversary can acquire from this game can be listed as in Table C.1. This table excludes values related to as it has nothing related to αs. To construct the desired value, the adversary can map two elements from and into one element in . He can also use elements in to change the exponentials. From this table, we can easily see that to obtain a value containing αs, the adversary can pair βs and to get in . In fact, this is the only way to get a term containing αs. But it is not feasible in that both βs and belong to while the pairing requires one element from and each.
Table C.1
Query information accessible to the adversary
μ | β | |
r Pub | h i | rUID + hiri |
r i | (In−1 − In)hn | tn(In−1 − In)hn |
λ | (α + rUID)/β | βs |
h i | ||
α | r UID I Pub | r UID I i |
I Pub | I i | k i |
h i |
Therefore, based on the information an adversary can get from the proposed scheme, the attacker cannot differentiate a random ciphertext from an authentic one. The security of the proposed scheme is proved. □
Essentially, the basic idea of P-CP-ABE to outsource intensive but noncritical part of the encryption and decryption algorithm to the service providers while retaining critical secrets. As we can prove later in this section, the outsourcing of computation does not reduce the security level compared with original CP-ABE schemes, where all computations are performed locally.
The encryption complexity of CP-ABE grows linearly in the size of access policy. During the encryption, a master secret is embedded into ciphertext according to the access policy tree in a recursive procedure, where, at each level of the access policy, the secret is split to all the subtrees of the current root. However, the security level is independent on the access policy tree. In other words, even if the ESP possesses secrets of most but not all parts of the access policy tree, the master secret is still information theoretically secure given there is at least one secret that is unknown to ESP. Thus, we can safely outsource most of encryption complexity to ESP by just retaining a small amount of secret information, which is processed locally.
As for the decryption, the CP-ABE decryption algorithm is computationally expensive since bilinear pairing operations over ciphertext and private key is a computational intensive operation. P-CP-ABE addresses this computation issue by securely blinding the private key and outsourcing the expensive Pairing operations to the DSP. Again, the outsourcing will not expose the data content of the ciphertext to the DSP. This is because the final step of decryption is performed by the decrypters.
The TA first runs Setup to initiate the P-CP-ABE system by choosing a bilinear map: of prime order p with the generator g. Then, TA chooses two random α, β . The public parameters are published as
The master key is , which is only known by the TA.
Each user needs to register with the TA, who authenticates the user's attributes and generates proper private keys for the user. An attribute can be any descriptive string that defines, classifies, or annotates the user to which it is assigned. The key generation algorithm takes as input a set of attributes S assigned to the user, and outputs a set of private key components corresponds to each of attributes in S. The GenKey algorithm performs the following operations:
1. Chooses a random ;
2. Chooses a random for each attribute ;
3. Computes the private key as:
4. Sends SK to the DO through a secure channel.
To outsource the computation of Encryption and preserve the data privacy, a DO needs to specify a policy tree , where ⋀ is an AND logic operator connecting two subtrees and . is the data access policy that will be performed by the ESP and is a DO controlled data access policy. usually has a small number of attributes to reduce the computation overhead at the DO, in which it can be a subtree with just one attribute (see the example shown in Fig. C.1).
In practice, if has one attribute, DO can randomly specify a 1-degree polynomial and sets , , and . Then DO sends to ESP, which is denoted as
Here, we must note that sending and will not expose any secret of our solution.
ESP then runs the algorithm, which is described below:
1. , randomly choose a polynomial with degree , where is the secret sharing threshold value:
(a) For the root node of , i.e., , choose a -degree polynomial with .
(b) set -degree polynomial with .
2. Generate a temporal ciphertext:
where is the set of leaf nodes in .
At the meantime, the DO performs the following operations:
1. Perform and derive:
2. Compute and , where M is the message.
3. Send to the ESP:
On receiving the message from the DO, ESP generates the following ciphertext:
Finally, the ESP sends CT to the SSP.
CP-ABE decryption algorithm is computationally expensive since bilinear pairing is an expensive operation. P-CP-ABE addresses this computation issue by outsourcing the expensive Pairing operations to the DSP. Again, the outsourcing will not expose the data content of the ciphertext to the DSP.
To protect the data content, the DO first blinds its private key by choosing a random and then calculates . We denote the blinded private key as :
Before invoking the DSP, the DO first checks whether its owned attributes satisfy the access policy . If so, the DO sends to the DSP, and requests the SSP to send the ciphertext to the DSP. On receiving the request, the SSP sends and to the DSP:
Once the DSP receives both and , it then runs the algorithm as follows:
1. , the DSP runs a recursive function , where R is the root of . The recursion function is the same as defined in [63] and is proceeded as follows:
The recursion is processed as follows: ∀y which is a child of x, it calls and stores the output as . Let be an arbitrary -sized set of children nodes y, the DSP computes:
where and , is the Lagrange coefficient. Finally, the recursive algorithm returns .
2. Then, one computes
3. And sends to the DO:
On receiving , DO calculates and then it recovers the message: