Next Article in Journal / Special Issue
Cable Capacitance Attack against the KLJN Secure Key Exchange
Previous Article in Journal
The Development of Philosophy and Its Fundamental Informational Turn
Previous Article in Special Issue
Analysis of Two-Worm Interaction Model in Heterogeneous M2M Network
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Batch Attribute-Based Encryption for Secure Clouds

1
China Information Security Research Institute, No. 11 ShangDi Xinxi Road, Beijing 100085, China
2
School of Electronics and Information Engineering, Beihang University, XueYuan Road No.37, Haidian District, Beijing 100191, China
*
Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Submission received: 31 July 2015 / Revised: 27 September 2015 / Accepted: 26 October 2015 / Published: 29 October 2015
(This article belongs to the Special Issue Cybersecurity and Cryptography)

Abstract

:
Cloud storage is widely used by organizations due to its advantage of allowing universal access with low cost. Attribute-based encryption (ABE) is a kind of public key encryption suitable for cloud storage. The secret key of each user and the ciphertext are associated with an access policy and an attribute set, respectively; in addition to holding a secret key, one can decrypt a ciphertext only if the associated attributes match the predetermined access policy, which allows one to enforce fine-grained access control on outsourced files. One issue in existing ABE schemes is that they are designed for the users of a single organization. When one wants to share the data with the users of different organizations, the owner needs to encrypt the messages to the receivers of one organization and then repeats this process for another organization. This situation is deteriorated with more and more mobile devices using cloud services, as the ABE encryption process is time consuming and may exhaust the power supplies of the mobile devices quickly. In this paper, we propose a batch attribute-based encryption (BABE) approach to address this problem in a provably-secure way. With our approach, the data owner can outsource data in batches to the users of different organizations simultaneously. The data owner is allowed to decide the receiving organizations and the attributes required for decryption. Theoretical and experimental analyses show that our approach is more efficient than traditional encryption implementations in computation and communication.

1. Introduction

In cloud computing, if a file owner would like to share his file with others, he just stores his data on a cloud server, then his friends/colleagues, including himself, can access the data by visiting the server from any place where there is an Internet connection. In this way, cloud storage makes it possible for people to exploit almost unlimited computation, storage space and information services anytime and anywhere without suffering from complicated local maintenance and management. Due to these advantages, cloud computing is becoming an indispensable part of organizations and individuals.
The security concern of the data owner is believed to be the main obstacle for wide adoption of cloud storage. Especially, the user who do not have access right may collude with the server for illegal access. Encryption is a standard way to protect data security. Public encryption is preferable in organization-oriented applications. In this scenario, one organization can have a cloud account associated with a public key, and anyone can securely upload files to this account by encrypting the files under the public key. Only the one who owes the corresponding secret key of the public key can decrypt the encrypted file, which prevents illegal access from the cloud server or other non-authorized ones. However, the traditional public key cryptosystems suffer from complicated key management in this scenario, since it is unknown who will be allowed to access a specific encrypted file when the system is set up or the file is encrypted. Attribute-based encryption (ABE) [1] is the up-to-date cryptographic concept to address this problem. In this case, the encryptor can specify the attributes required for decryption, and the access policy can be made for the secret key of each requestor. A requestor can decrypt a ciphertext only if the labeled attributes meet the access policy associated with the secret key of the requestor.
An issue in deploying ABE is that all known ABE encryption/decryption operations are time and resource consuming. Furthermore, the existing ABE schemes only allow encryption for the receivers of a single organization. Consider a scenario where the scientists from different universities jointly work on a project. In this case, if a scientist wants to share his or her research progress with the scientists of other universities, then he or she needs to encrypt the files to these organizations repetitively. In [2], an approach is proposed to speed up the decryption with the help of a semi-honest third party. However, to the best of our knowledge, no known work in the public literature has been done to speed up the ABE encryption in our motivating scenario. This situation inspires our work in this paper.

1.1. Our Contribution

In this paper, we investigate the acceleration of ABE encryption where one encrypts for the requestors of different organizations. Our contributions are summarized as follows.
We propose a batch attribute-based encryption (BABE) framework. In this framework, when the different ABE systems are set up, the users of different systems get their keys from the authority of the corresponding system, and these keys are associated with the access policies of the corresponding organizations. One data owner can simultaneously encrypt his or her data for the receivers from different systems in a batch way. The data owner can freely choose the receiving organizations and define separate attributes for the receivers of different organizations. One can decrypt only if his/her organization has been chosen and his/her attributes meet the access policy for his organization.
Following the BABE framework, we propose a concrete BABE scheme. The security of the scheme is formally proven under a well-established computational assumption. Even if an adversary colludes with the cloud server and all non-authorized users, he or she cannot get any useful information of the encrypted message. We conduct experiments in typical system parameters. The experimental results show that our BABE scheme is more efficient than existing ABE implementations. These features render our BABE an efficient solution to securing one-to-many organization-oriented sensitive data sharing in clouds.

1.2. Related Work

Due to its versatility, ABE has attracted extensive research [1,3,4,5]. The ABE concept was introduced by Sahai and Waters [1]. There are two types of ABE systems, i.e., ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, the secret key of each user is associated with his/her attributes. When one encrypts for the users of the system, he or she specifies an access policy, which is a collection of attribute sets. Only the user whose attributes match the policy can decrypt. Similarly, in KP-ABE, the secret key of a user is associated with an access policy, and each ciphertext is labeled with a set of attributes. One can decrypt a ciphertext only if the labeled attributes meet the policy associated with the user’s secret key. Yu et al. [6] proposed a KP-ABE scheme to achieve flexible access control over outsourced data.
In a regular ABE system, a single authority generates the secrets of all of the users in the system. This incurs the so-called single-point problem, that is all of the parties have to fully trust the single authority, who can read all of the messages encrypted for any users. Furthermore, no new user can join the system if the authority is occasionally unavailable. To mitigate this drawback, the notion of multi-authority ABE (MA-ABE) has been proposed. In this notion, multiple authorities jointly generate the secret keys for the users in the system. No single authority can read the messages encrypted for the users. New users can still be enrolled if some of the authorities are available. An encryptor can choose, for each authority, a number d k and a set of attributes; he or she can then encrypt a message, such that a user can decrypt only if he or she has at least d k of the given attributes from each authority k [7]. Chase and Chow improved the MA-ABE in [8] by exchanging a shared secret among the authorities during the system setup process. Their scheme is time consuming and needs heavy communication and computation. Yang et al. [9] designed an access control framework for multi-authority systems and proposed a secure multi-authority access control scheme for cloud storage. Li et al. [10] proposed an MA-ABE scheme for mobile cloud computing by introducing a cloud-based semi-trusted-authority between the mobile user and the attribute authorities.
ABE schemes require time-consuming computations in encryption and decryption, which prevent them from being widely deployed in cloud computing applications for enforcing fine-grained access control. Several works have been proposed to speed up ABE. Attrapadung et al. proposed ABE schemes [11,12] that only need a constant number of bilinear maps in decryption, albeit with the constraint of a bound on the maximum number of attributes. Hohenberger and Waters [2] introduced a method that needs a constant number of bilinear maps in decryption without the bound constraint on the attribute number. In contrast, no public work has been reported to accelerate the encryption process in ABE.
Fiat proposed the first batch signature scheme [13]. Since then, a large body of references has focused on the batch verification of signatures [14,15,16,17]. It is unclear whether these technologies can be employed to accelerate ABE encryption in our motivating scenario. Still in a single system-oriented setting, multi-receiver encryption and signcryption [18] have been proposed to reduce the encryption complexity. Baek, Safavi-Naini and Susilo proposed an efficient multi-receiver identity-based encryption scheme [19] in multi-cast encryption applications. All of these schemes are considered in a single organization-oriented scenario. A trivial application of these schemes to multiple organizations needs to repeat the basic encryption operation for each organization, which implies growing overheads linear with the number of organizations. In this paper, we propose to encrypt for the different organizations in a batch way and to provide a more efficient solution to the motivating applications.

1.3. Paper Organization

The rest of this paper is organized as follows. Section 2 presents a BABE framework and the adversary model. We propose a concrete BABE scheme in Section 3, together with detailed security and efficiency analyses. Section 4 concludes the paper.

2. Modeling BABE

2.1. The System Framework

We propose a BABE framework for cloud storage, as illustrated in Figure 1. The framework consists of four types of parties: the data owner, the cloud server, the data requestor/consumer and the authority. The data owner would like to share his or her data with the data requestors managed by different authorities. Each authority generates a secret key for the data requestor in its management domain according to the consumer’s attributes (or the corresponding access policies). The data owner encrypts his or her file for the data requestors of different organizations, i.e., the users managed by different authorities, by specifying the intended authorities and the attributes that the data requestors should have in the according authorities’ management domains. Then, the data owner uploads the encrypted data to the cloud storage server. When a data requestor requests for the cloud server, the server responds with the corresponding ciphertext. The requestor can decrypt if the attributes labeled with the ciphertext meet the access policy associated with the secret key of the requestor; else, the requestor should get no useful information of the original data.
Figure 1. Batch attribute-based encryption (BABE) framework.
Figure 1. Batch attribute-based encryption (BABE) framework.
Information 06 00704 g001

2.2. Defining BABE

A BABE scheme consists of four polynomial-time algorithms: Setup, Encrypt, KeyGeneration and Decrypt. Let I represent the collection of underlying ABE subsystems indexed from one to | I | . Denote that the i-th underlying ABE subsystem has master public key P K i and master secret key M K i for i I . The algorithms work as follows.
  • Setup( λ , U i )→( P K i , M K i ). This is a randomized algorithm run by an authority A A i . It takes as inputs the security parameter λ and an attribute universe U i , which defines the set of allowed attributes in different underlying ABE subsystems. The authority A A i outputs the public parameters P K i and the mater keys M K i .
  • Encrypt( P K , M , S )→ C T . Assume that the data owner wants to share data M i with the data requestors of the systems i ψ I . This is a randomized algorithm that takes as inputs the public parameters vector P K , a message vector M , which contain different messages M i , and a series of attribute sets S , which contains attribute sets S i , i ψ . It outputs | ψ | ciphertext C T i , i ψ associated with the attribute sets S i , i ψ .
  • KeyGen( M K i , A i )→ SK. Assume that a data requestor belongs to the i-th subsystem. Then, M K i is used to generate the secret key S K . This is a randomized algorithm that takes as inputs the master secret key M K i and an access structure A i and outputs a secret key S K .
  • Decrypt ( S K , C T i ) M i . The decryption algorithm takes as inputs a secret key S K associated with the access structure A i and a ciphertext C T i associated with attribute set S i . It outputs the message M i if S i satisfies A i or the error message ⊥ otherwise.

2.3. The Adversary Model

For sensitive files stored on the cloud, we mainly consider the secrecy of the files. In this scenario, both the cloud server and users may be potential attackers. Specifically, the cloud server (or the staff who manages the cloud server) may be curious and access the private files of the users without being known by the users. Furthermore, some unauthorized users may collude, even with the cloud server, to illegally access the files. However, we have to make a minimum trust assumption that the cloud server will honestly follow the scheme to execute the procedures and return the service to the users. Else, the scheme will not work and makes no sense in practice. We require that the attacker in such a situation cannot get any useful information of the outsourced data.
Now we formally define the security model of a BABE scheme. Let U i be the attribute universe of the i-th underlying ABE scheme. All of the underlying ABE schemes share the security parameter λ. Each underlying ABE scheme is managed by an authority A A i . I is the index set of the underlying ABE schemes. Formally, we define the security model for BABE via a game between a challenger and an adversary.
Initialize
The adversary declares the different underlying ABE schemes upon which he or she wants to be challenged, indexed by ψ I . The adversary also declares the attribute set S i * , i ψ of different ABE schemes upon which he or she wished to be challenged upon.
Setup
The challenger runs the Setup algorithm to set up the BABE system and sends the public parameters, P K i , i I , to the adversary.
Phase 1
For the i-th underlying ABE subsystem, the challenger initializes for i I an empty table T i , an empty set D i and an integer counter j i = 0 . The adversary can repeatedly make the following queries:
Create( A i )
The challenger sets j i = j i + 1 . It runs the key generation algorithm on A i to obtain the secret key S K and stores it in table T i , forming the entry ( j i , A i , S K ) .
Corrupt( κ , i )
The adversary queries for the secret key corresponding to the κ-th entry in Table i. If there exists such an entry in table T i , the challenger obtains the entry ( κ , A i , S K ), sets D i = D i { A i } and returns the secret key S K to the adversary. Else, it returns ⊥.
Challenge
The adversary submits two equal-length messages, vector M 0 and M 1 , with each vector having | ψ | message M 0 , i , i ψ and M 1 , i , i ψ . In addition, the adversary gives a set of attributes S i * , i ψ , such that for all A i D i , i ψ , the set S i * , i ψ does not satisfy the access structure A i , i ψ . The challenger chooses b { 0 , 1 } randomly and encrypts M b under S i * , i ψ . The resulting ciphertext C T i * , i ψ is given to the adversary.
Phase 2
Phase 1 is repeated with the restriction that the adversary cannot obtain any secret key that can be used to decrypt the challenge ciphertext. This means that it cannot issue a Corrupt query that would result in an access structure A i that S i * satisfies being added to D i ψ . Of course, the adversary cannot issue a decryption query on the challenge ciphertext C T i * , i ψ .
Guess
The adversary outputs a guess bit b of b. The output of the experiment is one if and only if b = b .
The advantage of the adversary A in this game is defined as P r [ b = b ] - 1 2 .
Definition 1. A BABE scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.

3. The Proposed BABE Scheme

3.1. Mathematical Background

We briefly review the basic mathematical concepts used in our schemes.
Definition 2. (Access structure [20]). Consider a set of parties P = { P 1 , P 2 , , P n } . A collection A 2 { P 1 , P 2 , , P n } is said to be monotone if for B , C , we have that B A and B C , then C A . An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of { P 1 , P 2 , , P n } , i.e., A 2 P \ . The authorized sets represent the sets in A , and the sets not in A are called the unauthorized sets.
Definition 3. (Linear secret sharing scheme [20]). Let P be a set of parties. Let W be an l × m matrix. Let f be a function that maps a row to a party. A secret sharing scheme Π for access structure A over a set of parties P is a linear secret-sharing scheme (LSSS) in Z p and is represented by ( W , f ) if it consists of two efficient algorithms:
Share ( W , f )
This takes as input s Z p , which is to be shared. It chooses r 2 , r 3 , , r n , and let v = ( s , r 2 , , r n ) . It outputs W v as the vector of the shares. The share ω i = W i v belongs to party f ( i ) , where W i is the i-th row of W.
Recon ( W , f )
This takes as input an access set S A . Let I = { i | f ( i ) S } . It outputs a set of constants ( i , μ i ) i I , such that i I μ i · ω i = s .
In a KP-ABE scheme, a ciphertext is associated with a set of attributes S, and each secret key corresponds to an access structure A . One can decrypt if the attribute set S is authorized in the access structure A ( i . e . , S A ) .
Our scheme is built on bilinear groups briefly defined as follows.
Definition 4. (Bilinear group). Let G and G T be two multiplicative cyclic groups of prime order p. Let g be a generator of G and e be a bilinear map, e : G × G G T . The bilinear map e has the following properties:
(1)
Bilinearity: for all g , h G and a , b Z p , we have e ( g a , h b ) = e ( g , h ) a b .
(2)
Non-degeneracy: e ( g , g ) 1 .
We say that G is a bilinear group if the group operation in G and the bilinear map e : G × G G T are both efficiently computable. Notice that the map e is symmetric since e ( g a , h b ) = e ( g , h ) a b = e ( g b , h a ) .

3.2. The Proposal

We first give an outline of our BABE scheme. The scheme is proposed to accelerate the encryption process when one needs to encrypt for the users from different organizations in a cloud storage setting where ABE is used to enforce fine-grained access control. The data owner chooses the data he or she wants to share with the data requestors of the different systems. Then, he or she encrypts the data and sends the encrypted data to the cloud server. Authorized data requestors will be able to decrypt the encrypted data by using the secret key given by the corresponding authority. Using the traditional approach, the owner needs to encrypt each data item for the receivers of the different organizations repetitively, which is inefficient in practice. We suggest to encrypt in a batch way and propose a BABE scheme managing to solve this problem.
For i I , we describe different subsystems with different universes U i of different attributes. The attributes are indexed by integers 1 , , | U i | . We use | U i | to represent the number of the attribute universe U i . The number of the attributes may be different in distinct subsystems.
Setup
This algorithm, run by the authority A A i , takes as inputs a system parameter λ and an attribute universe U i . It generates a bilinear group G of prime order p, with generator g G . It selects random values h i , 1 , h i , | U i | G . It further chooses a distinct α i Z p for each i. Finally, for each i, it outputs the public key and master secret key as:
P K i = ( G , p , g , e ( g , g ) α i , h i , 1 , , h i , | U | ) , M K i = ( P K i , α i )
Encrypt
The data owner chooses the organizations that he or she wants to communicate with, denoted by ψ I . Then, he or she asks the authority A A i , i ψ for the public key P K i and chooses a series of attributes S , where S i , i ψ , a series of messages M G T . The data owner chooses a random s Z p . The ciphertext component used by i-th subsystem is C T i = ( S i , C i , C , C i , x ) where:
C i = M i · e ( g , g ) α i s , C = g s , { C x = h i , x s } x S i
After the encryption, the data owner sends the encrypted data to the cloud server.
KeyGen
For each i, the authority A A i takes as inputs the master secret key M K i and an LSSS access structure A i represented by ( W , f ) . Let W be an l × m matrix. The function f is associated with the rows of W. Let β denote the set of distinct attributes appearing in the access structure matrix W, i.e., β = { d : τ [ 1 , l ] , f ( τ ) = d } . This algorithm chooses a random vector v = ( α i , y 2 , , y m ) Z n . Here, these values will be used to share the master secret α i , and y 2 , , y m are random numbers. For τ = 1 to l, it calculates λ τ = v · W τ , where W τ is the vector corresponding to the τ-th row of W. The algorithm chooses random integers r 1 , r l Z p .It outputs the secret key S K as:
( D 1 = g λ 1 · h i , f ( 1 ) r 1 , R 1 = g r 1 , d β \ f ( 1 ) , Q 1 , d = h i , d r 1 ) ( D l = g λ l · h i , f ( l ) r l , R l = g r l , d β \ f ( l ) , Q l , d = h i , d r l )
In the above, β \ x means the set β excluding x.
Decrypt
The data requestor requests the encrypted data from the cloud server. The requestor runs the decryption algorithm with his/her secret key ( S K = P K i , ( D 1 , R 1 , Q 1 , d ) , , ( D l , R l , Q l , d ) ) for access structure ( W , f ) and the ciphertext C T i = ( S i , C i , C , { C x } x S i ) for set S i . Let W be an l × m matrix. The function f is associated with some rows of W. If S i does not satisfy the access structure, the decryption algorithm outputs ⊥.
If S i satisfies the access structure, we let I { 1 , 2 , l } be a set of indices and { ω τ } τ I Z p be a set of constants, such that f ( τ ) S i and Σ τ I ω τ · W τ = ( 1 , 0 , 0 0 ) for all τ I . Note that ω τ can be found in polynomial time.
We represent the attributes satisfying the access structure as γ = { x : τ I , f ( τ ) = x } . I is the set of indices corresponding to the rows used to decrypt the ciphertext, and γ is the set of distinct attributes associated with these rows. In fact, there are multiple I’s that satisfy the constraints above. Typically, the smaller the size of I, the better. Observe that γ S i , where S i is the attribute set used to encrypt the ciphertext M i and γ β , the set of attributes used to create the secret key.
To recover the value e ( g , g ) α i s , we define a function v, which transforms a set of attributes into an element of G in the way v ( γ ) = x γ h i , x . For each τ I , the data requestor computes the value D τ = D τ · x γ / f ( τ ) Q τ , x = g λ τ f ( γ ) r τ . For the ciphertext, the data requestor computes the value L = x γ C x = x γ h i , x s = f ( γ ) s .
Finally, the data requestor recovers the value e ( g , g ) α i s by computing:
e ( C , τ I D τ ω τ ) / e ( τ I R τ ω τ , L ) = e ( g s , τ I g λ τ ω τ v ( γ ) r τ ω τ ) / e ( τ I g r τ ω τ , v ( γ ) s ) = e ( g , g ) α i s · e ( g , v ( γ ) ) s τ I r τ ω τ / e ( g , v ( γ ) ) s τ I r τ ω τ = e ( g , g ) α i s
Note that C i = M i · e ( g , g ) α i s . Hence, the data requestor can obtain M i from C i . From the computation process, it can be seen that the decryption algorithm requires only two pairing operations.

3.3. Security Analysis

The security of the proposal is based on the hardness of the q-decision bilinear Diffie–Hellman exponent (q-DBDHE) problem defined below.
Definition 5 (q-Decision bilinear Diffie–Hellman exponent [21]). In ( G , G T ) , the q-DBDHE problem states that, given:
( g , g x , g ( x 2 ) , g ( x q ) , g ( x q + 2 ) , g ( x 2 q ) , h , T )
where x Z p , g , h G and T G T , decide whether T = e ( g , h ) x ( q + 1 ) or T is a random element of G T .
The q-DBDHE assumption states that any probabilistic polynomial time (PPT) algorithm has only negligible advantage in solving the above q-DBDHE problem, where the advantage is defined as | P r [ T = e ( g , h ) x ( q + 1 ) ] - P r [ T = R ] | .
The security of the proposed BABE scheme is guaranteed by the following claim.
Theorem 1. (Security). The BABE scheme is selectively secure against chosen plaintext attacks under the | U | - D B D H E assumption in G.
Proof. Let | U | be the maximum of all of the | U i | ’s for security parameter λ. Assume that each attribute is indexed by a unique integer between one and | U i | . Suppose there exists a PPT adversary A who can distinguish the encrypted message vectors with non-negligible probability under the selective security experiment [22]. Then, we show that there exists a PPT adversary B that can break the | U | - D B D H E assumption in G, which contradicts the hardness of the | U | - D B D H E problem.
Init: A chooses the underlying ABE schemes on which he or she wants to be challenged. For each sub-system, A outputs the attribute set S i * , i [ 1 , n ] for the challenge ciphertext.
Setup: The challenger B is given the tuple:
( G , p , g , g s , g a , g ( a 2 ) , g ( a | U | ) , g ( a | U | + 2 ) , g ( a 2 | U | ) , T )
for security parameter λ. The challenger is required to solve the | U | - D B D H E challenge, i.e., to answer whether T = e ( g , g ) a | U | + 1 s or a random element in G T . The challenger randomly chooses α i , z i , 1 , , z i , | U i | Z p , i [ 1 , n ] and sets e ( g , g ) α i = e ( g , g ) α i · e ( g a , g a | U | ) , which means that α i = α i + a | U | + 1 . For x [ 1 , | U | ] , compute:
h i , x = g z i , x , x S i * h i , x = g z i , x g a x , x S i *
The public parameter P K i for the i-th subsystem is ( G , p , g , e ( g , g ) α i , h i , 1 , , h i , | U i | ) and is sent to the adversary A .
Phase 1: For system i, the challenger B initializes an empty table T i , an empty set D i and a counter j i = 0. The adversary A can query the challenger B , and the challenger B responds as follows:
(1). Create( A i ): The challenger B sets j i = j i + 1 . The access structure A i is represented by ( W , f ), where W is an l × m matrix. Let K i be the set of the rows in which the attributes are in S i * and K i be the rows in which the attributes are not in S i * ( i . e . , K i = [ 1 , l ] / K i ) . Define an m-element vector v over Z p with the first element of v being one, for all τ K i , v W τ = 0 . W τ is the vector row τ of the matrix W. Note that when S i does not satisfy W, it must be the case that ( 1 , 0 , , 0 ) is not in the span of rows W τ for τ K i . With the property of LSSS, the vector v can be found in polynomial time. In addition, in order to share the secret α i , B generates a secret key with the vector α i v by noting v 1 = 1 . B computes ( α i v ) W τ regarding share λ τ for τ [ 1 , l ] .
The challenger B randomly chooses r 1 , ,⋯, r l Z q and y 2 , , y m Z p to construct a new vector v n e w = ( 0 , y 2 , y 3 , , y m ) . Then, it computes λ τ = v n e w W τ for τ [ 1 , l ] .
For τ K i , compute D τ = g λ τ · h i , f ( τ ) r τ , R τ = g r τ , Q τ , x = h i , x r τ , x β \ f ( τ ) .
For τ K i , compute c τ = v W τ . Set that λ τ = c τ · α i = c τ ( α i + a | U | + 1 ) . Set R τ = g - c τ a | U | + 1 - f ( τ ) , which means r τ = - c τ a | U | + 1 - f ( τ ) . Then, set R τ = g - c τ a | U | + 1 - f ( τ ) g r τ , and compute:
D τ = g c τ α i · R τ z i , τ · g λ τ · h i , f ( τ ) r τ = g c τ α i · g - z i , τ c τ a | U | + 1 - f ( τ ) · g λ τ · h i , f ( τ ) r τ = g c τ α i · g - z i , τ c τ a | U | + 1 - f ( τ ) · g λ τ · h i , f ( τ ) r τ · g c τ a | U | + 1 · g - c τ a | U | + 1 = g c τ α i · ( g z τ ) r τ · ( g a f ( τ ) ) · g λ τ · h i , f ( τ ) r τ = g c τ α i · h i , f ( τ ) r τ · g λ τ · h i , f ( τ ) r τ
Next, for all x β \ f ( τ ) , Q τ , x = h i , x r τ + r τ is computed as follows:
h i , x r τ + r τ = g z i , x ( r τ + r τ ) = g - z i , x c τ a ( | U | + 1 ) - f ( τ ) g z i , x r τ , x S i * h i , x r τ + r τ = g z i , x ( r τ + r τ ) ( g a x ) ( r τ + r τ ) = g - z i , x c τ a ( | U | + 1 ) - f ( τ ) g - c τ a ( | U | + 1 ) - f ( τ ) + x · ( g z i , x g a x ) r τ , x S i *
After the process above, the keys are valid with access policy ( W , f ). From the view of A , their distribution is identical to that of the keys generated by the KeyGen algorithm. Hence, the secret keys requested by the adversary is perfectly simulated.
(2). Corrupt( κ , i ): The challenger B obtains the entry ( κ ; A i ; S K ) if the κ-th entry appears in table T i . Set D i = D i { A i } . It then sends S K to adversary A . If no such entry exists, then return ⊥.
Challenge: A outputs two equal-length message vectors M 0 , M 1 , each of which contains n messages in the message space of the corresponding subsystem. The challenger B chooses a random bit b. It constructs and sends to A the challenge ciphertext:
C T i * = ( C i * = M b · T · e ( g α i , g s ) , C = g s , x S * , C i , x * = ( g s ) z i , x )
Phase 2: B responds to A ’s queries in the same manner as in Phase 1, except that it refuses to answer any Corrupt query that would result in an access structure A i , which S i satisfies.
Guess: Finally, A outputs a bit b . If b = b , then B outputs that T = e ( g , g ) a | U | + 1 s , else it outputs that T is a random element.

3.4. Efficiency Analysis

In this section, we analyze the performance of our BABE scheme. It can be seen that our approach is more efficient than encrypting data for different organizations one by one using the underlying Hohenberger-Waters ABE (HW-ABE) [2] scheme. In the encryption process, the number of exponentiations grows with the number of attributes. Comparing to the plain implementation of the HW-ABE scheme, our approach is more efficient because C is the same for all of the ciphertexts. Hence, it can be calculated once and then be reused. Assume that the data owner wants to share data with the users of n organizations simultaneously, and the average number of the attributes used in encryption is m. Our scheme needs ( m + 1 ) n + 1 exponentiations, while the HW-ABE scheme needs ( m + 2 ) n exponentiations. From the comparison, the improved efficiency is dominated by the average number of the attributes used by the data owner. We can save n - 1 exponentiations in the encryption process. The computation overhead for the data requestors is also very small. They need only two pairings and a number of multiplications. This is the same as the HW-ABE scheme [2].
We encoded our BABE and performed experiments on a PC with a 2.80 GHz CPU and 3 GB RAM, using the C programming language in the GMP (https://gmplib.org/) and PBC (https://crypto.stanford.edu/pbc/) library. For the encryption algorithms: (1) we generated n different 1024 bit-long random numbers as exponents; (2) we implemented the batch algorithm and normal algorithm, respectively. We executed Steps 1 and 2 100 times to eliminate experimental noise. We set the values of n ranging from 10 to 100 to see the performance improvement due to the batch algorithms.
Figure 2 show the time to compute n ciphertext in the HW-ABE and BABE with the average attribute number m = 4 or m = 8 . It can be seen that the time consumed in both BABE and HW-ABE grows linearly with the number of messages to be encrypted. However, the batch encryption takes about 15% less time for m = 4 or 10 % less time for m = 8 than the normal encryption, which confirms the theoretical analysis.
Figure 2. The encryption performance comparison for producing multiple ciphertexts with BABE/HW-ABE ( m = 4 , m = 8 ).
Figure 2. The encryption performance comparison for producing multiple ciphertexts with BABE/HW-ABE ( m = 4 , m = 8 ).
Information 06 00704 g002

4. Conclusions

In this paper, we proposed BABE to accelerate the ABE encryption for the users of multiple organizations. Our approach makes the data owner able to share his or her data with the data requestors of different systems simultaneously. We formally proved the security of our scheme and compared it to previous work. The analyses and comparisons show that our scheme has desirable high performance. It is efficient to secure data to be outsourced to clouds.

Acknowledgments

This paper is partially supported by the National Key Basic Research Program (973 Program) under Project 2012CB315905, by the Natural Science Foundation under Projects 61370190, 61272501, 61173154, 61402029 and 61003214, by the Beijing Natural Science Foundation through Projects 4132056 and 4122041, by the Natural Science Foundation of Guangdong Province through Projects 2014A030313517 and S2012020011071, the Fundamental Research Funds for the Central Universities, the Research Funds (No. 14XNLF02) of Renmin University of China, the Open Research Fund of the State Key Laboratory of Information Security (Institute of Information Engineering), the Chinese Academy of Sciences and the Open Research Fund of Beijing Key Laboratory of Trusted Computing.

Author Contributions

Chen Yang mainly designed the research. Yang Sun mainly conducted the research and analyzed the data. Qianong Wu mainly wrote the paper. All authors have read and approved the final manuscript.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Advances in Cryptology—EUROCRYPT 2005, Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Springer: Berlin/Heidelberg, Germany, 2005. Lecture Notes in Computer Science. Volume 3494, pp. 457–473. [Google Scholar]
  2. Hohenberger, S.; Waters, B. Attribute-based encryption with fast decryption. In Public-Key Cryptography–PKC 2013, Proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography, Nara, Japan, 26 February–1 March 2013; Springer: Berlin/Heidelberg, Germany, 2013. Lecture Notes in Computer Science. Volume 7778, pp. 162–179. [Google Scholar]
  3. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandri, VA, USA, 30 October–3 November 2006; pp. 89–98.
  4. Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the SP’07 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 20–23 May 2007; pp. 321–334.
  5. Waters, B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In Public Key Cryptography (PKC) 2011, Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, 6–9 March 2011; Springer: Berlin/Heidelberg, Germany, 2011. Lecture Notes in Computer Science. Volume 6571, pp. 53–70. [Google Scholar]
  6. Yu, S.; Wang, C.; Ren, K.; Lou, W. Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the IEEE INFOCOM, San Diego, CA, USA, 14–19 March 2010; pp. 1–9.
  7. Chase, M. Multi-authority attribute based encryption. In Theory of Cryptography, Proceedings of the 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, 21–24 February 2007; Springer: Berlin/Heidelberg, Germany, 2007. Lecture Notes in Computer Science. Volume 4392, pp. 515–534. [Google Scholar]
  8. Chase, M.; Chow, S.S. Improving privacy and security in multi-authority attribute-based encryption. In Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, 9–13 November 2009; pp. 121–130.
  9. Yang, K.; Jia, X. Attributed-based access control for multi-authority systems in cloud storage. In Proceedings of the 2012 IEEE 32nd International Conference on Distributed Computing Systems (ICDCS), Macau, China, 18–21 June 2012; pp. 536–545.
  10. Li, J.; Huang, Q.; Chen, X.; Chow, S.S.; Wong, D.S.; Xie, D. Multi-authority ciphertext-policy attribute-based encryption with accountability. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, China, 22–24 March 2011; pp. 386–390.
  11. Attrapadung, N.; Libert, B.; de Panafieu, E. Expressive key-policy attribute-based encryption with constant-size ciphertexts. In Public Key Cryptography–PKC 2011, Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, 6–9 March 2011; Springer: Berlin/Heidelberg, Germany, 2011. Lecture Notes in Computer Science. Volume 6571, pp. 90–108. [Google Scholar]
  12. Attrapadung, N.; Herranz, J.; Laguillaumie, F.; Libert, B.; de Panafieu, E.; Ràfols, C. Attribute-based encryption schemes with constant-size ciphertexts. Theor. Comput. Sci. 2012, 422, 15–38. [Google Scholar] [CrossRef]
  13. Fiat, A. Batch rsa. In Advances in Cryptology CRYPTO 89 Proceedings; Springer: Berlin/ Heidelberg, Germany, 1990; Lecture Notes in Computer Science; Volume 435, pp. 175–185. [Google Scholar]
  14. Bellare, M.; Garay, J.A.; Rabin, T. Fast batch verification for modular exponentiation and digital signatures. In Advances in Cryptology EUROCRYPT 98, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques Espoo, Finland, 31 May–4 June 1998; Springer: Berlin/Heidelberg, Germany, 1998. Lecture Notes in Computer Science. Volume 1403, pp. 236–250. [Google Scholar]
  15. Zhang, C.; Lu, R.; Lin, X.; Ho, P.H.; Shen, X. An efficient identity-based batch verification scheme for vehicular sensor networks. In Proceedings of the IEEE INFOCOM 2008, the 27th Conference on Computer Communications, Phoenix, AZ, USA, 13–18 April 2008.
  16. Ferrara, A.L.; Green, M.; Hohenberger, S.; Pedersen, M.Ø. Practical short signature batch verification. In Topics in Cryptology—CT-RSA 2009, Proceedings of the The Cryptographers’ Track at the RSA Conference 2009, San Francisco, CA, USA, 20–24 April 2009; Springer: Berlin/Heidelberg, Germany, 2009. Lecture Notes in Computer Science. Volume 5473, pp. 309–324. [Google Scholar]
  17. Camenisch, J.; Hohenberger, S.; Pedersen, M.Ø. Batch verification of short signatures. In Advances in Cryptology—EUROCRYPT 2007, Proceedings of the 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, 20–24 May 2007; Springer: Berlin/Heidelberg, Germany, 2007. Lecture Notes in Computer Science. Volume 4515, pp. 246–263. [Google Scholar]
  18. Duan, S.; Cao, Z. Efficient and provably secure multi-receiver identity-based signcryption. In Information Security and Privacy, Proceedings of the 11th Australasian Conference, ACISP 2006, Melbourne, Australia, 3–5 July 2006; Springer: Berlin/Heidelberg, Germany, 2006. Lecture Notes in Computer Science. Volume 4058, pp. 195–206. [Google Scholar]
  19. Baek, J.; Safavi-Naini, R.; Susilo, W. Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In Public Key Cryptography-PKC 2005, Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, 23–26 January 2005; Springer: Berlin/Heidelberg, Germany, 2005. Lecture Notes in Computer Science. Volume 3386, pp. 380–397. [Google Scholar]
  20. Beimel, A. Secure Schemes for Secret Sharing and Key Distribution. Ph.D. Thesis, Technion-Israel Institute of Technology, Haifa, Israel, 1996. [Google Scholar]
  21. Boneh, D.; Boyen, X.; Goh, E.J. Hierarchical identity based encryption with constant size ciphertext. In Advances in Cryptology–EUROCRYPT 2005, Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Springer: Berlin/Heidelberg, Germany, 2005. Lecture Notes in Computer Science. Volume 3494, pp. 440–456. [Google Scholar]
  22. Boneh, D.; Gentry, C.; Waters, B. Collusion resistant broadcast encryption with short ciphertexts and private keys. In Advances in Cryptology–CRYPTO 2005, Proceedings of the 25th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2005; Springer: Berlin/Heidelberg, Germany, 2005. Lecture Notes in Computer Science. Volume 3621, pp. 258–275. [Google Scholar]

Share and Cite

MDPI and ACS Style

Yang, C.; Sun, Y.; Wu, Q. Batch Attribute-Based Encryption for Secure Clouds. Information 2015, 6, 704-718. https://0-doi-org.brum.beds.ac.uk/10.3390/info6040704

AMA Style

Yang C, Sun Y, Wu Q. Batch Attribute-Based Encryption for Secure Clouds. Information. 2015; 6(4):704-718. https://0-doi-org.brum.beds.ac.uk/10.3390/info6040704

Chicago/Turabian Style

Yang, Chen, Yang Sun, and Qianhong Wu. 2015. "Batch Attribute-Based Encryption for Secure Clouds" Information 6, no. 4: 704-718. https://0-doi-org.brum.beds.ac.uk/10.3390/info6040704

Article Metrics

Back to TopTop