AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING

Luan Ibraimi

Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands

Muhammad Asim

Philips Research Eindhoven, Eindhoven, The Netherlands

Milan Petkovi´c

Philips Research Eindhoven and Faculty of Mathematics and Computer Science

Eindhoven University of Technology, Eindhoven, The Netherlands

Keywords:

Proxy re-encryption, Attribute-based encryption, Access policy, Attribute-based proxy re-encryption.

Abstract:

Ciphertext policy attribute based encryption is an encryption technique where the data is encrypted according

to an access policy over attributes. Users who have a secret key associated with a set of attributes which satisfy

the access policy can decrypt the encrypted data.

However, one of the drawbacks of the CP-ABE is that it does not support updating access control policies

without decrypting the encrypted data.We present a new variant of the CP-ABE scheme called ciphertext

policy attribute based proxy re-encryption (CP-ABPRE). The proposed scheme allows to update the access

control policy of the encrypted data without decrypting the ciphertext. The scheme uses a semitrusted entity

called proxy to re-encrypt the encrypted data according to a new access control policy such that only users

who satisfy the new policy can decrypt the data. The construction of our scheme is based on prime order

bilinear groups. We give a formal deﬁnition for semantic security and provide a security proof in the generic

group model.

1 INTRODUCTION

Recent studies explore the use of cryptographic tech-

niques to enforce access control policies. Ciphertext

policy attribute based encryption (CP-ABE) schemes

allow the data to be encrypted according to an access

control policy over a set of descriptive attributes (e.g.

doctor and nurse). Once the data is encrypted, it can

be safely stored in an un-trusted server such that ev-

eryone can download the encrypted data (even a ma-

licious user), but only users who have the right se-

cret key associated with a set of attributes which sat-

isfy the access policy can decrypt. Therefore, when

the data is encrypted using a CP-ABE, access policy

moves with the data and there is no need for the use

of other entities, such as access-control managers, to

enforce access control policy. For instance, Bob can

encrypt his health data according to the access policy

p

1

= [Bob OR (GP AND Hospital 1)], and upload en-

crypted data to an un-trusted Personal Health Record

(PHR) server. Only users who have attributes Bob or

GP and Hospital 1 can decrypt the ciphertext, so nei-

ther the server itself nor an unauthorized person can

decrypt the ciphertext.

Despite numerous advantageous features of the

CP-ABE schemes compared to the traditional ac-

cess control technologies, CP-ABE schemes does

not support updating access control policies. The

only way is to decrypt the data and then re-

encrypt it according to a new access control pol-

icy. Following the above example, if Bob wants to

change the access control policy from p

1

to p

2

=

[Bob OR (GP AND (Hospital 1 OR Hospital 2))]

(in order to hear a second opinion from a GP from

Hospital 2), Bob has to re-encrypt his data accord-

ing to p

2

. A naive solution for Bob to re-encrypt

his data would be to send to the PHR server his se-

cret key. Once the PHR server receives the secret

399

Ibraimi L., Asim M. and Petkovi

´

c M. (2010).

AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING.

In Proceedings of the International Conference on Security and Cryptography, pages 399-408

DOI: 10.5220/0002994703990408

Copyright

c

SciTePress

key, it decrypts the data and then use the CP-ABE

scheme to re-encrypt the data according to the new

policy p

2

. However , the drawback of this approach is

that the server accesses sensitive plain data. To avoid

this drawback Bob might perform by himself the re-

encryption process. Therefore, Bob has to download

the encrypted data from the PHR server, decrypt the

data locally using his secret key, and then re-encrypt

the data using the CP-ABE scheme. The drawback

of this approach is that Bob has to be online during

each re-encryption process which is not very efﬁcient

both from the communication and processing point of

view.

Our Contribution. To overcome the aforemen-

tioned drawbacks of the CP-ABE schemes, we

propose a ciphertext policy attribute based proxy

re-encryption (CP-ABPRE) scheme. In the pro-

posed scheme Bob has to compute only once the

re-encryption key rk

p

1

→p

2

which is used by a

semitrusted entity called proxy (i.e. PHR server) to

update all ciphertexts encrypted according to policy

p

1

into ciphertexts encrypted according to policy p

2

.

The proxy is a semitrusted entity in the sense that

it does not have access to the plain data. However

it needs to perform re-encryption computations, and

also has to stop performing these computations when

Bob (the delegator) who generated the re-encryption

key rk

p

1

→p

2

does not want to re-encryptfuture cipher-

texts associated with the access policy p

1

. One of the

distinctive features of the proposed scheme is that it

is collision resistance, the feature which is lacking in

almost all the proxy re-encryptionschemes in the con-

ventional public key cryptography. The collision re-

sistance feature implies that even if the proxy and del-

egate collude they cannot generate a new secret key.

In general, the scheme is useful for dynamic environ-

ments where the access policy which controls access

to the data changes frequently (e.g. personal health

record systems).

The construction of our scheme is based on prime

order bilinear groups. The size of the ciphertext de-

pends on the size of the access policy and the size

of the user secret key depends on the number of at-

tributes that the user possesses. We give a formal def-

inition for semantic security and provide a security

proof in the generic group model.

1.1 Related Work

Proxy Re-encryption. In a proxy re-encryption

scheme, introduced by Mambo and Okamoto

(Mambo and Okamoto, 1997), a proxy is a

semitrusted entity which can transform an encryption

computed under Bobs’ (delegator) public key to an

encryption computed under Alices’(delegatee) pub-

lic key. The proxy is a semitrusted entity i.e. it is

trusted to perform only the ciphertext re-encryption,

without knowing the secret keys of Bob and Alice,

and without having access to the plain data. Blaze,

Bleumer and Strauss (Blaze, Bleumer and Strauss,

1998) introduced the notion of ”atomic proxy func-

tions” - functions that transform ciphertext corre-

sponding to one key into ciphertext corresponding to

another key without revealing any information about

the secret decryption keys or plain data. However

the scheme presented in (Blaze, Bleumer and Strauss,

1998) is bidirectional where one re-encryption key

can be used to transform ciphertext from the dele-

gator to the delegatee and vice versa, and is use-

ful only for the scenarios where the trust relation-

ship between involved parties is mutual. To overcome

this situation Jakobsson (Jakobsson,1999) and Zhou

et al. (Zhou, Marsh, Schneider, and Redz, 2005) pro-

posed a quorum-controlled protocol where a proxy

is divided into many components. Dodis and Ivan

(Ivan and Dodis, 2003) propose a number of unidi-

rectional proxy re-encryption for El-Gamal, RSA and

IBE scheme, where the delegator’s secret key is di-

vided into two shares: one share for the proxy and one

share for the delegatee. The drawback of the proposed

schemes is that they are collusion-unsafe, i.e. if the

proxy and the delegatee collude then they can recover

the delegator’s secret key. Matsuo (Matsuo, 2007)

and Green and Atteniese (Green and Ateniese, 2007)

propose identity-based proxy re-encryption scheme,

where the encrypted data under the public key gener-

ated by delegators’ identity is re-encrypted to an en-

crypted data under the public key generated by dele-

gatees’ identity.

Attribute-based Encryption. Sahai and Waters

(Sahai and Waters, 2005) introduce the concept of

Attribute-Based Encryption (ABE) where a cipher-

text and user secret key are associated with a set of

attributes. ABE relies on the presence of a trusted

authority (TA) who is in possession of a master key

which is used to generate secret keys of users. A user

can decrypt the ciphertext if the user secret key has

the list of attributes speciﬁed in the ciphertext. In CP-

ABE (Bethencourt, Sahai, and Waters, 2007; Cheung

and Newport, 2007; Ibraimi, Tang, Hartel, and Jonker,

2009) the user secret key is associated with a set of at-

tributes and a ciphertext is associated with an access

control policy over a list of attributes. The decryptor

can decrypt the ciphertext if the list of attributes asso-

ciated with the secret key satisﬁes the access policy.

In Key-Policy Attribute-Based Encryption (KP-ABE)

SECRYPT 2010 - International Conference on Security and Cryptography

400

(Goyal, Pandey, Sahai, and Waters, 2006) the idea

is reversed and the secret key is associated with an

access control policy over a list of attributes and the

ciphertext is associated with a list of attributes. The

decryptor can decrypt the ciphertext if the list of at-

tributes associated with the ciphertext satisfy the ac-

cess policy associated with the secret key.

Attribute-based Encryption and Proxy Re-

encryption. Guo et al. (Guo, Zeng, Wei, and

Xu, 2008) propose a proxy re-encryption scheme

based on the Goyal et al. (Goyal, Pandey, Sahai,

and Waters, 2006) KP-ABE scheme. The proposed

scheme can transform a ciphertext associated with

a set of attributes into a new ciphertext associated

with another set of attributes. Generally, adapting

CP-ABE to proxy re-encryption is more suitable

than adapting KP-ABE to proxy re-encryption since

CP-ABE allows the encryptor to express her policies

in the encryption phase, while in KP-ABE the access

policy is associated with the secret key and is deﬁned

in the key generation phase.

Lliang et al.(Liang, Cao, Lin, and Shao, 2009)

proposed an attribute-based proxy re-encryption

scheme. The Lliang et al. scheme is based on the

Cheung and Newport CP-ABE scheme (Cheung and

Newport, 2007) and it inherits the same limitations

that (Cheung and Newport, 2007) has: it supports

only access policies with AND boolean operator, and

the size of the ciphertext increases linearly with the

number of attributes in the system.

1.2 Organization

The remainder of this paper is organized as follows.

Section 2 provides background information. In Sec-

tion 3 we give a formal deﬁnition of the Ciphertext-

Policy Attribute-Based Proxy Re-Encryption scheme

(CP-ABPRE) and its security model. Section 4 de-

scribes the construction of the CP-ABPRE scheme.

The last section concludes the paper.

2 BACKGROUND - BILINEAR

GROUPS

The scheme presented in section 4 is based on

pairings over groups of prime order. Let G

0

and G

T

be two multiplicative groups of prime order p, and let

g be a generator of G

0

. A pairing (or bilinear map)

ˆe : G

0

× G

0

→ G

T

satisﬁes the following properties

(Boneh and Franklin, 2001):

1. Bilinear: for all u,v ∈ G

0

and a,b ∈ Z

∗

p

, we have

ˆe(u

a

,v

b

) = ˆe(u,v)

ab

.

2. Non-degenerate: ˆe(g,g) 6= 1.

G

0

is said to be a bilinear group if the group operation

in G

0

and the bilinear map ˆe : G

0

× G

0

→ G

T

can be

computed efﬁciently. Note that the map is symmetric

since ˆe(g

a

,g

b

) = ˆe(g,g)

ab

= ˆe(g

b

,g

a

).

3 CIPHERTEXT-POLICY

ATTRIBUTE-BASED PROXY

RE-ENCRYPTION (CP-ABPRE)

A CP-ABPRE scheme extends CP-ABE scheme by

adding a proxy component to the existing compo-

nents: the trusted authority (TA) and users. Another

extension has been made to the number of algorithms.

CP-ABPRE uses the RKGen algorithm to generate a

re-encryption key and Re − Encrypt algorithm to re-

encrypt the ciphertext, in addition to the four algo-

rithms of CP-ABE scheme: Setup, KeyGen, Encrypt,

Decrypt.

Deﬁnition 1. A CP-ABPRE scheme is a tuple of

six algorithms (Setup, KeyGen, Encrypt, Decrypt,

RKGen, Re − Encrypt):

• Setup(λ) run by the trusted authority (TA), the al-

gorithm on input of the security parameter λ out-

puts the master secret key MK which is kept pri-

vate, and the master public key PK which is dis-

tributed to users.

• KeyGen(MK,ω) run by the trusted authority (TA),

the algorithm takes as input a set of attributes ω

identifying the user, and the master secret key

MK, and it outputs a user secret key SK

ω

asso-

ciated with the set of attributes ω.

• Encrypt(m, p

1

,PK) run by the encryptor, the al-

gorithm takes as input a message to be encrypted

m, an access policy p

1

over a list of attribute

which speciﬁes which combinationof attribute the

decryptor needs to posses in order to obtain m,

and the master public key PK. The algorithm out-

puts the ciphertext CT

p

1

associated with the ac-

cess policy p

1

.

• RKGen(SK

ω

, p

1

, p

2

,PK) run by the delegator,

this algorithm takes as input the secret key SK

ω

,

the access policies p

1

and p

2

, and the master pub-

lic key PK. The algorithm outputs a unidirectional

re-encryption key rk

p

1

→p

2

if SK

ω

satisﬁes p

1

, or

an error symbol ⊥ if ω does not satisfy p

1

.

• Re − Encrypt(CT

p

1

,rk

p

1

→p

2

) run by the proxy,

this algorithm takes as input the ciphertext CT

p

1

AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING

401

and the re-encryption key rk

p

1

→p

2

, and outputs

the ciphertext CT

p

2

associated with the access

policy p

2

.

• Decrypt(CT

p

i

,SK

ω

) run by the decryptor, the al-

gorithm takes as input the ciphertext C

p

i

and the

secret key SK

ω

, and output a message m if ω satis-

ﬁes p

i

, or an error symbol ⊥ if ω does not satisfy

p

i

.

Security Model. In the following we present the

game-based security deﬁnition (security model) of the

CP-ABPRE scheme. Informally, the security model

guarantees that: a) an user (adversary) who does not

have enough attributes to satisfy the access policy p

∗

of the ciphertext cannot learn any information about

the plaintext being encrypted, b) two users cannot

combine their attributes to extend their decryption

power, for instance two users cannot combine their se-

cret keys and decrypt a ciphertext associated with p

∗

if none of users secret keys satisfy p

∗

, and c) the proxy

and an user cannot combine the re-encryption key and

the secret key in order to compute a new secret key.

Therefore in the security game, played between the

adversary A and the challenger (the challenger simu-

lates the game and answers A ’s queries) we allow A

to compromise users secret key except the secret keys

which satisfy the challenge access policy p

∗

. In addi-

tion, A is allowed also to compromise proxy keys or

re-encryption keys with the following restriction:

• A is not allowed to ask secret key queries for the

attribute set ω which satisﬁes p

2

if A has a re-

encryption key rk

p

∗

→p

2

. The reason for this re-

striction is that A can use the re-encryption key

to re-encrypt the challenge ciphertext associated

with p

∗

to a ciphertext associated with p

2

and de-

crypt the re-encrypted ciphertext using his secret

key which satisﬁes p

2

. In the sequel we will refer

to p

2

as a challenge derivative access policy if A

has the re-encryption key rk

p

∗

→p

2

.

At one point of the security game A gives to the chal-

lenger two messages and the challenge access policy

p

∗

, and the challenger return to A a ciphertext of one

of the two messages encrypted under p

∗

. A has to

guess which of the messages was encrypted. If the

guess is correct, then A wins the game. Formally the

security game is deﬁned as follows:

1. Setup. The challenger run Setup(λ) to generate

(PK,MK), and gives PK to A .

2. Phase1. A performs a polynomially bounded

number of queries:

• Keygen(ω

j

). A asks for a user secret key for

any attribute set ω

j

. The challenger returns

SK

ω

j

to A .

• RKGen(p

1

, p

2

). A asks for a re-encryption key

for rk

p

1

→p

2

, where p

1

6= p

2

. The challenger

runs SK

ω

= Keygen(ω

j

) such that SK

ω

satis-

ﬁes p

1

, and returns rk

p

1

→p

2

to A .

3. Challenge. A sends to the challenger two mes-

sages m

0

,m

1

and the challenge access policy p

∗

. A is not allowed to chose a challenge access

structure p

∗

if it has made the following queries

in Phase1:

• Keygen(ω

j

) queries such that SK

ω

j

satisﬁes a

challenge access structure p

∗

.

• Keygen(ω

j

) queries such that SK

ω

j

satisﬁes

any challenge derivative access policies.

• RKGen(p

1

, p

2

) queries if A previously has is-

sued Keygen(ω

j

) such that SK

ω

j

satisﬁes p

2

and p

1

is a challenge derivative access policy.

The challenger selects b ∈

R

(0,1) and returns

CT

p

∗

= Encrypt(m

b

, p

∗

,PK).

4. Phase2. A can continue querying Keygen and

RKGen. A is not allowed to make queries spec-

iﬁed in the Challenge phase.

5. Guess. A outputs a guess b

′

, where b

′

∈ (0,1).

Deﬁnition 2. A CP-ABPRE scheme is said to be se-

cure against adaptive chosen plaintext attack (IND-

CPA) if any polynomial-time adversary A has only a

negligible advantage in the CP-ABPRE game, where

the advantage is deﬁned to be |Pr[b

′

= b] −

1

2

|.

4 CONSTRUCTION OF

CP-ABPRE SCHEME

Before introducing the scheme, we brieﬂy explain the

structure of the access policy associated with the ci-

phertext. In our scheme an access control policy is

a monotonic boolean formula of conjunction and dis-

junctions of attributes. The TA in the Setup phase de-

ﬁnes the universe of all attributes Ω. An example of

the universeof all attribute can be Ω = {A, B,C,D,F},

and an example of an access policy can be p

1

=(A ∧

B) ∨ (C ∧ D) where {A,B,C, D} ∈ Ω.

Assigning Values to Attributes in the Access Pol-

icy. To enforce the access policy in such a way that

only users who satisfy the access policy can decrypt

the ciphertext, in the encryption phase, the encryp-

tor encrypts the data according to the access policy.

Therefore, the encryptor in the encryption phase picks

a secret value s and shares it according to the access

policy under which the data is encrypted. We use Be-

naloh and Leichter (Benaloh and Leichter, 1995) se-

SECRYPT 2010 - International Conference on Security and Cryptography

402

cret sharing scheme to share s. The scheme (Benaloh

and Leichter, 1995) works as follows:

• Transforms an access policy p

1

into an access tree

τ and set the value of the root node of τ to be s.

Then, recursively for each non-leaf node do the

following:

– If the symbol is ∨, set the values of each child

node to be s.

– If the symbol is ∧, for each child node, except

the last one, assign a random value s

i

where 1 ≤

s

i

≤ p − 1, and to the last child node assigns

s

t

= s−

∑

t−1

i=1

s

i

mod p.

For example, to share s according to the access policy

p

1

=(A ∧ B) ∨ (C ∧ D), the Benaloh and Leichter

(Benaloh and Leichter, 1995) secret sharing scheme

works as follows: a) assign s to OR (∨) operator,

b) assign s to two AND (∧) operators and c) assign

shares s

A

to A, s

B

to B, s

C

to C and s

D

to D, such that

s = s

A

+ s

B

and s = s

C

+ s

D

.

Policy Evaluation. To decrypt a ciphertext, a user

secret key SK

ω

associated with a set of attributes ω

has to satisfy the policy p

1

=(A ∧ B) ∨ (C ∧ D) as-

sociated with the ciphertext. In the example, if ω =

{A,B} then the policy is satisﬁed since s = s

A

+ s

B

.

This can be veriﬁed by substituting the attributes in

ω∩ p

1

= {A,B} (attributes which appear in ω and p

1

)

by true, and attributes in p

1

\ ω = {C,D} (attributes

which appear in p

1

but not appear in ω) by false. We

say that the user satisﬁes the policy if p

1

=(true ∧

true) ∨ (false ∧ false) evaluates to true.

4.1 The Scheme

In this section we describe the construction of the pro-

posed CP-ABPRE scheme. The scheme consists of

the following algorithms:

1. Setup(λ). The setup algorithm selects a bilinear

group G

0

of prime order p and generator g, and

the bilinear map ˆe : G

0

× G

0

→ G

T

. Next to

this, the algorithm generates the list of attributes

in the system Ω = {a

1

,a

2

,..., a

k

}, picks randomly

α,β, f, x

1

,x

2

,· ·· ,x

k

∈ Z

∗

p

, and sets T

j

= g

x

j

(1 ≤

j ≤ k). Note that for each a

j

∈ Ω (1 ≤ j ≤ k) there

is an x

j

∈ Z

∗

p

(1 ≤ j ≤ k). The algorithm also de-

ﬁnes the function H

1

: G

T

→ G

0

. The public key

is published as:

PK = (g, ˆe(g,g)

(α+β)

,g

f

,{T

j

}

k

j=1

,H

1

).

The master secret key consists of the following

components:

MK = (α,β, f,{x

j

}

k

j=1

).

2. KeyGeneration(MK,ω). The key generation al-

gorithm takes as input the attribute set ω which

characterize the user. For each user the algorithm

picks at random r ∈ Z

∗

p

and computes the secret

key SK

ω

which consists of the following compo-

nents:

SK

ω

= (D

(1)

= g

α−r

,

{D

(2)

j

= g

r+β

x

j

}

a

j

∈ω

).

3. Encryption(m, p

1

,PK). To encrypt a message m ∈

G

T

, under the access policy p

1

over the set of at-

tributes from Ω, the encryption algorithm picks at

random s ∈ Z

∗

p

and assigns s

i

values to attributes

in p

1

( s

i

values are shares of s and are generated

using the Benaloh and Leichter (Benaloh and Le-

ichter, 1995) secret sharing scheme). The resulted

ciphertext consists of the following components:

CT

p

1

= (C

(1)

= g

s

C

(2)

= m· ˆe(g,g)

(α+β)s

,C

(3)

= g

fs

,

{C

(4)

j,i

= g

x

j

s

i

}

a

j

∈p

1

).

4. RKGen(SK

ω

, p

1

, p

2

,PK): The algorithm outputs

a re-encryption key which is used by the proxy

to update the ciphertext associated with p

1

to

a ciphertext associated with p

2

. Let ω

′

⊆ ω

be the smallest set which satisﬁes the access

policy p

1

. The algorithm ﬁrst parses SK

ω

as

(D

(1)

,{D

(2)

j

}

a

j

∈ω

), picks at random l,x

′

∈ Z

∗

p

, it

sets (g

f

)

x

′

= g

x

and computes the re-ecnryption

key rk

p

1

→p

2

which consists of the following com-

ponents:

rk

p

1

→p

2

= (

ˆ

D

(1)

= D

(1)

· g

l

,

ˆ

D

(2)

= Encryption(g

x−l

, p

2

,PK),

ˆ

D

(3)

= g

x

′

= g

x

f

,

ˆ

D

(4)

j

= {D

(2)

j

}

a

j

∈ω

′

.

Note. Note that the message g

x−l

encrypted in this

phase belongs to the group G

0

, while the message

m encrypted in the Encryption phase belongs to

the group G

T

. The encryption of g

x−l

is done in

the same way as the encryption of m with a small

change on the computation of C

(2)

. The only pur-

pose for this change is to keep g

x−l

in group G

0

. So, in encrypting m in the Encryption phase the

C

(2)

had the form:

C

(2)

= m· ˆe(g,g)

(α+β)s

AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING

403

for a random s ∈ Z

∗

p

. In encrypting g

x−l

in the

RKGen phase the C

(2)

has the form:

C

(2)

= g

x−l

· H

1

( ˆe(g,g)

(α+β)z

)

where z is a random element in Z

∗

p

. All the other

components are computed in the same way as in

the Encryption phase.

5. Re − Encrypt(CT

p

1

,RK

p

1

→p

2

). The algorithm

parses CT

p

1

as (C

(1)

,C

(2)

,C

(3)

,{C

(4)

j,i

}

a

j,i

∈p

1

), and

RK

p

1

→p

2

as (

ˆ

D

(1)

,

ˆ

D

(2)

,

ˆ

D

(3)

,{

ˆ

D

(4)

j

}

a

j

∈ω

′

)

, and

computes the following:

(a) In the ﬁrst step, for every attribute a

j

∈ ω

′

, it

computes the following:

I

(1)

=

∏

a

j

∈ω

′

ˆe(

ˆ

D

(4)

j

,C

(4)

j,i

) =

∏

a

j

∈ω

′

ˆe(g

r+β

x

j

,g

x

j

s

i

)

= ˆe(g

r+β

,g

s

)

(b) In the second step it computes the following:

I

(2)

= ˆe(C

(1)

,

ˆ

D

(1)

) · I

(1)

= ˆe(g

s

,g

α−r

· g

l

) · ˆe(g,g)

(r+β)s

= ˆe(g

s

,g

α+β

· g

l

)

(c) In the third step it computes the following:

I

(3)

=

C

(2)

I

(2)

=

m· ˆe(g

s

,g

α+β

)

ˆe(g

s

,g

α+β

· g

l

)

=

m

ˆe(g

s

,g

l

)

ˆ

C

(2)

= ˆe(C

(3)

,

ˆ

D

(3)

) · I

(3)

= ˆe(g

sf

,g

x

f

) ·

m

ˆe(g

s

,g

l

)

= m· ˆe(g

s

,g

x−l

)

(d) In the fourth step it sets:

ˆ

C

(1)

= C

(1)

.

ˆ

C

(3)

=

ˆ

D

(2)

.

The algorithm outputs the re-encrypted cipher-

text, which consists of the following components:

CT

p

2

= (

ˆ

C

(1)

,

ˆ

C

(2)

,

ˆ

C

(3)

).

6. Decrypt(CT

p

i

,SK

ω

): The decryption algorithm

takes as input the ciphertext C

p

i

and secret key

SK

ω

. It checks if the secret key SK

ω

related to

the attribute set ω satisﬁes the access policy p

i

. If

not, then it outputs ⊥.

(a) If ω satisﬁes the access policy p

i

and C

p

i

is

a regular ciphertext, then the decryption algo-

rithm performs the following:

i. In the ﬁrst step, the algorithm chooses

the smallest set ω

′

⊆ ω which satis-

ﬁes the access policy p

i

and parses C

p

i

as (C

(1)

,C

(2)

,{C

(4)

j,i

}

a

j

∈p

i

), and SK

ω

as

(D

(1)

,{D

(2)

j

}

a

j

∈ω

).

ii. In the second step, for every attribute a

j

∈ ω

′

,

it computes

Z

(1)

=

∏

a

j

∈ω

′

ˆe(D

(2)

j

,C

(4)

j,i

)

=

∏

a

j

∈ω

′

ˆe(g

r+β

x

j

,g

x

j

s

i

)

= ˆe(g

r+β

,g

s

)

iii. In the third step, it computes

Z

(2)

= ˆe(D

(1)

,C

(1)

) · Z

(1)

= ˆe(g

α−r

,g

s

) · ˆe(g

r+β

,g

s

)

= ˆe(g,g)

(α+β)s

iv. In the ﬁnal step, the message is obtained by

computing

m =

C

(2)

Z

(2)

(b) If ω satisﬁes the access policy p

i

and C

p

i

is a

re-encrypted ciphertext, then the decryption al-

gorithm performs the following:

i. In the ﬁrst step it parses C

p

i

as

(

ˆ

C

(1)

,

ˆ

C

(2)

,

ˆ

C

(3)

)

ii. In the second step it recovers the message in

the following way:

m =

ˆ

C

(2)

ˆe(

ˆ

C

(1)

,Decrypt(

ˆ

C

(3)

,SK

ω

))

Note. The operation Decrypt(

ˆ

C

(3)

,SK

ω

) =

g

x−l

(where g

x−l

is part of the group G

0

) is

done in similar way as Decrypt(C

p

i

,SK

ω

) = m

(where m is part of the group G

T

) explained

under (a). The only change is under (iv) where

g

x−l

is computed as:

g

x−l

=

C

(2)

H

1

(Z

(2)

)

while m was computed as:

m =

C

(2)

Z

(2)

SECRYPT 2010 - International Conference on Security and Cryptography

404

In the following, we presents the properties of our

proposed scheme:

• Uni-directional. The re-encryption key rk

p

1

→p

2

only allows the proxy to re-encrypt ciphertexts

encrypted under the policy p

1

into ciphertexts

encrypted under policy p

2

, and not the other

way around. For instance, the re-encryption key

rk

p

1

→p

2

can be used to re-encrypt ciphertexts as-

sociated with a policy p

1

= [Patient AND Bob]

into ciphertext associated with a policy p

2

=

[General Practitioner (GP)]. The idea is that a

GP should access his patients’ health data, how-

ever individual patients should not be able to ac-

cess GPs’ data since GP possess data from differ-

ent patients.

• Non-interactive. The re-encryption key rk

p

1

→p

2

is computed by the delegator without any inter-

action with the delegatee, the TA authority or the

proxy. To compute rk

p

1

→p

2

, the delegator uses

his secret key and the master public key. There-

fore the delegator remains off-line while comput-

ing the re-encryption key and the proxy perform

re-encryption process to update ( or re-encrypt)

ciphertext without any interaction with the dele-

gator.

• Key Optimal. The delegator and the delegatee

don’t need to store extra secrets in addition to

their original secret keys associated with a set

of attributes, regardless of how many delegations

he/she gives (or accepts).

• Non-transitivity. The proxy cannot re-delegate

the decryption rights. Alternatively it can be said

that the proxy cannot combine re-encryption keys

to create new delegations. For example, proxy

cannot construct a re-encryptionkeyrk

p

1

→p

3

from

other two re-encryption keys rk

p

1

→p

2

and rk

p

2

→p

3

under it possession.

• Collusion Safe. The proxy and a cannot com-

bine their secrets in order to derive a new se-

cret key. For example, the proxy should not be

able to combine the re-encryption key rk

p

1

→p

2

where p

1

= [GP AND Hospital 1] and p

2

=

[GP AND (Hospital 1 OR Hospital 2)] with del-

egatee’s who has a secret key associated with at-

tributes {GP,Hospital 2} in order to compute a

delegator’s secret key which is associated with the

attributes {GP, Hospital 1}. Collusion safeness

also implies that two users cannot combine their

secret keys in order to extend their decryption

power. For instance, a user, Alice who has a secret

key associated with attributes {Nurse,Hospital 1}

should not be able to combine her secret key with

a user, Charlie who has a secret key associated

with the attributes {GP,Hospital 2} and be able

to decrypt a ciphertext encrypted under the pol-

icy p = [Nurse AND Hospital 2] which cannot be

satisﬁed neither by Alice nor by Charlie.

• Multi-user Decryption. In existing proxy re-

encryption, once the proxy performs the re-

encryption, the delegator losses the decryption

power, thus the delegator cannot use his secret

key to decrypt the re-encrypted data. The reason

is that the mapping ciphertext-public key is one-

to-one, which implies that one ciphertext can be

decrypted only by one secret key, thus after the

re-encryption is performed only the delegatee has

a power to decrypt the ciphertext. One can ar-

gue that the proxy can keep a copy of the origi-

nal ciphertext and enable the delegator to decrypt

the original ciphertext. However, this solution re-

quires for the proxy to keep the original ciphertext

for each re-encrypted data.

CP-ABPRE scheme has a property which allows

the delegator to generate a re-encryption key in

such a way that that the delegator does not loose

his decryption power after the proxy performs the

re-encryption, and the re-encrypted ciphertext can

be decrypted by many users whose secret key sat-

isﬁes the access policy. As an example, suppose

there is an encrypted data according to the pol-

icy p

1

= [(A AND B) OR (C AND D)]. Bob has

a secret key SK

ω

Bob

associated with a set of at-

tributes ω

Bob

= {A,B,F}. Since Bob satisfy the

access policy p

1

, Bob is capable to compute a re-

encryption key that can update the access policy

p

1

into another policy p

2

. If Bob updates the ac-

cess policy p

1

into p

2

, where p

2

= [C AND F]

then Bob looses his decryption power because

Bob does not satisfy the access policy p

2

. How-

ever, Bob can retain his decryption power by cre-

ating a policy ep = p

1

OR p

2

.

• Multi-user & Single-user Delegation. In CP-

ABE schemes many users may have a secret key

with an attribute sets that may satisfy access pol-

icy associated with ciphertext. Hence many users

can compute the re-encryption key as they atisfy

the access policy. However, this property may not

always be of potential interest and might become

a security threat in some scenarios. In practice

this threat can be overcomed by deﬁning attributes

that are unique to an individual, in addition to

the attributes that may be possessed by multiple

users. For example, consider Alice who has a se-

cret key SK

Alice

ω

associated with a set of attributes

ω = {Alice,Patient} (Alice is an individual at-

tribute which can be possessed solely by Alice and

Patient is an attribute which can be possessed by

AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING

405

many users), and a ciphertext encrypted under an

access policy p

1

= [Alice AND Patient]. It is ob-

vious that only Alice satisﬁes the access policy p

1

and only Alice can compute the re-encryption key

rk

p

1

→p

2

, for any p

2

.

4.2 Efﬁciency

The size of the secret key SK

ω

depends on the number

of attributes the user possess and consists of |ω| + 1

group elements in G

0

, where |ω| is the cardinality of

ω. The size of the ciphertext C

p

depends on the size

of the access policy p

1

and has |p| +1 group elements

in G

0

, and 1 group element in G

T

. The size of the re-

encryption key rk

p

1

→p

2

depends on ω

′

which is the

smallest set which satisﬁes p

1

and has |ω

′

| + 1 group

elements in G

0

.

5 CONCLUSIONS AND FUTURE

WORK

In this work we present a new proxy re-encryption

scheme in the CP-ABE setting. The scheme is unidi-

rectional and allows a user (the delegator) to change

dynamically the access policy associated with the ci-

phertext, without necessarily decrypting the cipher-

text. To reduce computations performed at the del-

egators’ side and to avoid the need for the delegator

to be online all the time, the delegator computes a re-

encryption key and delegates the power to the proxy

to update the access control policy associated with ci-

phertext.

There are two interesting open problems. First, it

would be interesting to hide the access control policy

from the semi-trusted proxy and from the user who

decrypts the data since in our scheme the access pol-

icy has to be in clear in order for the user who decrypts

the data to apply the right attributes to satisfy the ac-

cess policy associated with the ciphertext. Second, we

leave as an open problem to provide a security proof

in the standard model where the problem of breaking

the scheme is reduced to a well-studied complexity-

theoretic problem.

REFERENCES

Benaloh, J. and Leichter, J. (1995). Generalized secret shar-

ing and monotone functions. In S.Goldwasser , editor,

Proceedings of Eurocrypt 1998, volume 403 of LNCS,

pages 27–35. Springer-Verlag, 1995.

Bethencourt, J. and Sahai, A. and Waters, B. Ciphertext-

policy attribute-based encryption. In D. Shands, edi-

tor, Proceedings of the 2007 IEEE Symposium on Se-

curity and Privacy, pages 321–334. IEEE Computer

Society Washington, DC, USA, 2007.

Blaze, M. and Bleumer, G., and Strauss, M. Divertible Pro-

tocols and Atomic Proxy Cryptography. In K Nyberg,

editor, Proceedings of Eurocrypt 1998, volume 1403

of LNCS, pages 127–144. Springer-Verlag, 1998.

Boneh, D. and Franklin, M. Identity-based encryption from

the weil pairing. In J. Kilian, editor, Proceedings of

Crypto 2001, volume 2139 of LNCS, pages 213–229.

Springer-Heidelberg, 2001.

Cheung, L. and Newport, C. Provably secure ciphertext

policy ABE. In Proceedings of the 14th ACM Con-

ference on Computer and Communications Security,

pages 456–465. ACM, 2007.

ElGamal, T. A public key cryptosystem and a signature

scheme based on discrete logarithms. IEEE transac-

tions on information theory, 31(4):469–472, 1985.

Goyal, V. and Pandey, O. and Sahai, A. and Waters,

B. Attribute-based encryption for ﬁne-grained access

control of encrypted data. In Proceedings of the 13th

ACM Conference on Computer and Communications

Security, pages 89–98. ACM, 2006.

Green, M. and Ateniese, G. Identity-based proxy re-

encryption. In J. Katz and M. Yung, editors, Pro-

ceedings of Applied Cryptography and Network Secu-

rity, volume 4521 of LNCS, pages 288–306. Springer-

Heidelberg, 2007.

Guo, S. and Zeng, Y. and Wei, J. and Xu,

Q. Attribute-based re-encryption scheme in the stan-

dard model. Wuhan University Journal of Natural Sci-

ences, 13(5):621–625, 2008.

Ibraimi, L. and Tang, Q. and Hartel, P. and Jonker, W. Ef-

ﬁcient and provable secure ciphertext-policy attribute-

based encryption schemes. In F. Bao, H. Li, and

G. Wang, editors, Proceedings of Information Secu-

rity Practice and Experience, volume 5451 of LNCS,

pages 1–12. Springer-Heidelberg, 2009.

Ivan, A. and Dodis, Y. Proxy Cryptography Revisited. In

Proceedings of the Network and Distributed System

Security Symposium. The Internet Society, 2003.

Jakobsson, M. On quorum controlled asymmetric proxy

re-encryption. In H. Imai and Y. Zheng, editors, Pro-

ceedings of Public Key Cryptography, volume 1560 of

LNCS, pages 112–121. Springer-Heidelberg, 1999.

Liang, X. and Cao, Z. and Lin, H. and Shao, J. Attribute

based proxy re-encryption with delegating capabili-

ties. In Proceedings of the 4th International Sympo-

sium on Information, Computer, and Communications

Security, pages 276–286. ACM, 2009.

Mambo, M. and Okamoto, E. Proxy cryptosystems:

delegation of the power to decrypt ciphertexts. IE-

ICE Transactions on Fundamentals of Electronics,

Communications and Computer Sciences, 80(1):54–

63, 1997.

Matsuo, T. Proxy Re-encryption Systems for Identity-

Based Encryption. In T. Takagi, T. Okamoto,

E. Okamoto, and T. Okamoto, editors, Proceedings of

SECRYPT 2010 - International Conference on Security and Cryptography

406

Pairing 2007, volume 4575 of LNCS, pages 247–267.

Springer-Heidelberg, 2007.

Rivest, R. L. and Shamir, A. and Adleman, L. A method

for obtaining digital signatures and public-key cryp-

tosystems. Communications of the ACM, 21(2):126,

1978.

Sahai, A. and Waters, B. Fuzzy identity-based encryp-

tion. In R. Cramer, editor, Proceedings of Euro-

crypt 2005, volume 3494 of LNCS, pages 457–473.

Springer-Heidelberg, 2005.

Shoup, V. Lower Bounds for Discrete Logarithms and Re-

lated Problems. In F. Walter, editor, Proceedings of

Eurocrypt 1997.

Zhou, L. and Marsh, M. A. and Schneider, F. B. and Redz,

A. Distributed blinding for ElGamal re-encryption. In

Proceedings of 25th IEEE International Conference

on Distributed Computing Systems, pages 815–824.

IEEE Computer Society, 2005.

APPENDIX

Security Proof in Generic Group Model. We pro-

vide a security proof in the generic group model, in-

troduced by Shoup (Shoup, 1997). The model relies

on the fact that it is hard to ﬁnd the discrete logarithm

in a group (including a group with bilinear pairing)

when the order of the group is a large prime number.

In this model group elements are encoded as unique

random strings, in such a way that the adversary A

can manipulate group elements using canonical group

operations in G

0

and G

T

and cannot test any prop-

erty other than equality. Thus a cryptographically se-

cure group provides no mathematical properties of its

group other than its group structure.

Theorem 1. The advantage of any adversary A in

the security game receiving at most q group elements

from queries it makes to the oracles for computing

group operation in G

0

and G

T

, pairing operation ˆe

and from the interaction with the CP-ABPRE security

game is bounded by O(

q

2

p

).

Proof. Following the arguments from the proof in

(Bethencourt, Sahai, and Waters, 2007), we bound

the advantage of A in a modiﬁed game in which

the challenge ciphertext is either C

(1)

= ˆe(g,g)

(α+β)s

or C

(1)

= ˆe(g,g)

θ

, instead of giving a challenge ci-

phertext as deﬁned in the security game of Section

3 as C

(1)

= m

b

· ˆe(g,g)

(α+β)s

where b ∈ (0,1). We

show that A cannot distinguish which game is play-

ing. Then we show that there is no A which has a non-

negligible advantage in a modiﬁed game, so there is

no A with has a non-negligible advantage in the secu-

rity game of Section 3, either. Note that if there is an

A that has advantage ε in the security game of Sec-

tion 3 then there can be another adversary which has

advantage

ε

2

in the modiﬁed security game.

We will write γ

0

(x) : Z

∗

p

→ {0,1}

⌈log p⌉

as a ran-

dom encoding for the group element g

x

∈ G

0

, and

γ

1

(x) : Z

∗

p

→ {0,1}

⌈log p⌉

as a random encoding for

group element ˆe(g,g)

x

∈ G

T

. Each random encod-

ing is associated with a rational function (a func-

tion written as a division of two polynomial func-

tions). Let f be a rational function over the variables

{α,β,θ,s,s

ˆ

i

,{x

j

}(1 ≤ j ≤ k),r, f,l}, where each vari-

able is an element picked at random in the scheme. A

receives the following encodings from the interaction

with the simulator in the security game:

• Components generated by the Setup algorithm:

1. γ

0

(1) representing the group generator g.

2. γ

0

( f) representing the group element g

f

.

3. {γ

0

(x

j

)}(1 ≤ j ≤ k) representing {T

j

=

g

x

j

}

k

j=1

.

4. γ

1

(α+ β) representing ˆe(g,g)

α+β

.

• Components generated by the KeyGen oracle in

Phase1 and Phase2 of the security game. Let ω

be the attribute set for which A asks for e secret

key.

1. γ

0

(α− r) representing D

(1)

= g

α−r

.

2. {γ

0

(

r+β

x

j

)}

a

j

∈ω

representing {D

(2)

j

=

g

r+β

x

j

}

a

j

∈ω

.

• Components generated by the RKGen oracle in

Phase1 and Phase2 of the security game. Let

RKGen(p

1

, p

2

) be the re-encryption query used to

re-encrypt messages encrypted under the access

policy p

1

into messages encrypted under the ac-

cess policy p

2

. Let ω

′

be the set of attributes that

satisfy the access policy p

1

.

1. γ

0

(α− r+ l) representing

ˆ

D

(1)

= g

α−r+l

.

2. γ

0

(z), γ

0

(R), γ

0

( fz) and {γ

0

(x

j

z

ˆ

i

)}

a

j,

ˆ

i

∈p

2

repre-

senting

ˆ

D

(2)

j

= Encryption(g

x−l

, p

2

,PK).

3. γ

0

(x

′

) representing

ˆ

D

(3)

= g

x

′

= g

x

f

.

4. {γ

0

(

r+β

x

j

)}

a

j

∈ω

representing {

ˆ

D

(4)

j

=

g

r+β

x

j

}

a

j

∈ω

′

.

• Components generated by the Encryption oracle

in the Challenge phase of the security game. Let

A asks for a challenge for messages m

0

,m

1

∈ G

T

and the access policy p

∗

.

1. γ

0

(s) representing C

(1)

= g

s

.

2. γ

1

(θ) representing C

(2)

= ˆe(g,g)

θ

.

AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING

407

3. γ

0

( fs) representing C

(3)

= g

fs

.

4. {γ

0

(x

j

s

ˆ

i

)}

a

j,

ˆ

i

∈p

∗

representing {C

(4)

j,

ˆ

i

=

g

x

j

s

ˆ

i

}

a

j,

ˆ

i

∈p

∗

.

A uses the group elements received from the interac-

tion with the simulator to perform generic group op-

erations and equality tests.

• Queries to the oracles for group operation in G

0

and G

T

. A asks for multiplying or dividing group

elements represented with their random encod-

ings, and associated with a rational function. The

oracle returns f + f

′

when A asks for multiplying

f and f

′

, or f − f

′

when A asks for dividing f

and f

′

(Note that A knows only the encodings of

f and f

′

).

• Queries to the oracle for computing pairing op-

eration ˆe. A asks for pairing of group elements

represented with their random encoding and asso-

ciated with a rational function. The oracle returns

f f

′

when A asks for pairing f and f

′

.

We show that A cannot distinguish with non-

negligible advantage the simulation of the modiﬁed

game where the challenge ciphertext is set C

(2)

=

ˆe(g,g)

θ

, with the simulation of the real game where

the challenge ciphertext would have been set C

(2)

=

ˆe(g,g)

(α+β)s

.

First, we show the A ’s view when the chal-

lenge ciphertext is γ

1

(θ). Following the stan-

dard approach for security in generic group model,

A ’s view can change when an unexpected colli-

sion happen due to the random choice of the for-

mal variables {α,β,θ,s,s

ˆ

i

,{x

j

}

1≤ j≤k

,r, f,l} chosen

uniformly from Z

∗

p

. A collusion happen when two

queries evaluate to the same value. For any two dis-

tinct queries the probability of such collusion happen

is at most O(q

2

/p). Since for large p the probability

of such collusion is negligible we ignore this case.

Second, we show what the adversaries view would

have been if the challenge ciphertext had been set

γ

1

((α+ β)s). Again, A view can change when a col-

lusion happen, such that the values of two different

rational functions coincide. We show that A cannot

make a polynomial query which would be equal to

(α+ β)s, and therefore a collusion cannot happen. In

table 1 we list possible queries that A can make into

G

T

using the group elements received from interac-

tion with the simulator in the security game.

As is shown in table 1 (the highlighted cell), A

can pair s with α− r, and

r+β

x

j

with s

i

x

j

, and then sum

the results to get s(α − r) +

∑

a

i

∈ω

rs

i

+

∑

a

i

∈ω

βs

i

. In

order to get only (α+ β)s, A has to create polynomial

requests to cancel sr and to compute βs. We observe

that A to obtain βs and sr has to pair

r+β

x

j

with s

ˆ

i

x

j

.

Table 1: Possible queries into G

T

.

1 α+ β t

j

(α− r)s (r+ β)s

i

r+β

x

j

s

fz xs x

s(α− r) + (r+ β)s

i

r+ β (r+ β)s

i

x

j

s

i

(α− r)(x

j

s

i

) z

α− r± (r+ β)s

i

s(α− r+ l) R

(α+ β) ± s (α− r+ l)

From the table 1 we can see that A can construct a

query polynomial of the form:

sα

|{z}

A

− sr

|{z}

B

+

∑

a

i

∈ω

rs

i

|{z}

C

+

∑

a

i

∈ω

βs

i

|{z}

D

However A cannot construct a query polynomial

of the form (α + β)s = αs + βs if A does not have

a secret key which satisﬁes the access policy. First,

there must be at least one rs

i

missing (there must be

one ciphertext component g

x

j

s

i

for which A does not

have a secret key component g

β+r

x

j

to pair, therefore

A cannot cancel x

j

), therefore A cannot reconstruct

rs under the term C, and as a sequence cannot can-

cel term B and C. Second, there must be at least one

βs

i

missing, hence A cannot reconstruct βs under the

term D. As a result of the above analysis, we con-

clude that A cannot make a polynomial query which

has the form (α+ β)s.

SECRYPT 2010 - International Conference on Security and Cryptography

408