AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING
Luan Ibraimi
Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands
Muhammad Asim
Philips Research Eindhoven, Eindhoven, The Netherlands
Milan Petkovi´c
Philips Research Eindhoven and Faculty of Mathematics and Computer Science
Eindhoven University of Technology, Eindhoven, The Netherlands
Keywords:
Proxy re-encryption, Attribute-based encryption, Access policy, Attribute-based proxy re-encryption.
Abstract:
Ciphertext policy attribute based encryption is an encryption technique where the data is encrypted according
to an access policy over attributes. Users who have a secret key associated with a set of attributes which satisfy
the access policy can decrypt the encrypted data.
However, one of the drawbacks of the CP-ABE is that it does not support updating access control policies
without decrypting the encrypted data.We present a new variant of the CP-ABE scheme called ciphertext
policy attribute based proxy re-encryption (CP-ABPRE). The proposed scheme allows to update the access
control policy of the encrypted data without decrypting the ciphertext. The scheme uses a semitrusted entity
called proxy to re-encrypt the encrypted data according to a new access control policy such that only users
who satisfy the new policy can decrypt the data. The construction of our scheme is based on prime order
bilinear groups. We give a formal definition for semantic security and provide a security proof in the generic
group model.
1 INTRODUCTION
Recent studies explore the use of cryptographic tech-
niques to enforce access control policies. Ciphertext
policy attribute based encryption (CP-ABE) schemes
allow the data to be encrypted according to an access
control policy over a set of descriptive attributes (e.g.
doctor and nurse). Once the data is encrypted, it can
be safely stored in an un-trusted server such that ev-
eryone can download the encrypted data (even a ma-
licious user), but only users who have the right se-
cret key associated with a set of attributes which sat-
isfy the access policy can decrypt. Therefore, when
the data is encrypted using a CP-ABE, access policy
moves with the data and there is no need for the use
of other entities, such as access-control managers, to
enforce access control policy. For instance, Bob can
encrypt his health data according to the access policy
p
1
= [Bob OR (GP AND Hospital 1)], and upload en-
crypted data to an un-trusted Personal Health Record
(PHR) server. Only users who have attributes Bob or
GP and Hospital 1 can decrypt the ciphertext, so nei-
ther the server itself nor an unauthorized person can
decrypt the ciphertext.
Despite numerous advantageous features of the
CP-ABE schemes compared to the traditional ac-
cess control technologies, CP-ABE schemes does
not support updating access control policies. The
only way is to decrypt the data and then re-
encrypt it according to a new access control pol-
icy. Following the above example, if Bob wants to
change the access control policy from p
1
to p
2
=
[Bob OR (GP AND (Hospital 1 OR Hospital 2))]
(in order to hear a second opinion from a GP from
Hospital 2), Bob has to re-encrypt his data accord-
ing to p
2
. A naive solution for Bob to re-encrypt
his data would be to send to the PHR server his se-
cret key. Once the PHR server receives the secret
399
Ibraimi L., Asim M. and Petkovi
´
c M. (2010).
AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING.
In Proceedings of the International Conference on Security and Cryptography, pages 399-408
DOI: 10.5220/0002994703990408
Copyright
c
SciTePress
key, it decrypts the data and then use the CP-ABE
scheme to re-encrypt the data according to the new
policy p
2
. However , the drawback of this approach is
that the server accesses sensitive plain data. To avoid
this drawback Bob might perform by himself the re-
encryption process. Therefore, Bob has to download
the encrypted data from the PHR server, decrypt the
data locally using his secret key, and then re-encrypt
the data using the CP-ABE scheme. The drawback
of this approach is that Bob has to be online during
each re-encryption process which is not very efficient
both from the communication and processing point of
view.
Our Contribution. To overcome the aforemen-
tioned drawbacks of the CP-ABE schemes, we
propose a ciphertext policy attribute based proxy
re-encryption (CP-ABPRE) scheme. In the pro-
posed scheme Bob has to compute only once the
re-encryption key rk
p
1
p
2
which is used by a
semitrusted entity called proxy (i.e. PHR server) to
update all ciphertexts encrypted according to policy
p
1
into ciphertexts encrypted according to policy p
2
.
The proxy is a semitrusted entity in the sense that
it does not have access to the plain data. However
it needs to perform re-encryption computations, and
also has to stop performing these computations when
Bob (the delegator) who generated the re-encryption
key rk
p
1
p
2
does not want to re-encryptfuture cipher-
texts associated with the access policy p
1
. One of the
distinctive features of the proposed scheme is that it
is collision resistance, the feature which is lacking in
almost all the proxy re-encryptionschemes in the con-
ventional public key cryptography. The collision re-
sistance feature implies that even if the proxy and del-
egate collude they cannot generate a new secret key.
In general, the scheme is useful for dynamic environ-
ments where the access policy which controls access
to the data changes frequently (e.g. personal health
record systems).
The construction of our scheme is based on prime
order bilinear groups. The size of the ciphertext de-
pends on the size of the access policy and the size
of the user secret key depends on the number of at-
tributes that the user possesses. We give a formal def-
inition for semantic security and provide a security
proof in the generic group model.
1.1 Related Work
Proxy Re-encryption. In a proxy re-encryption
scheme, introduced by Mambo and Okamoto
(Mambo and Okamoto, 1997), a proxy is a
semitrusted entity which can transform an encryption
computed under Bobs’ (delegator) public key to an
encryption computed under Alices’(delegatee) pub-
lic key. The proxy is a semitrusted entity i.e. it is
trusted to perform only the ciphertext re-encryption,
without knowing the secret keys of Bob and Alice,
and without having access to the plain data. Blaze,
Bleumer and Strauss (Blaze, Bleumer and Strauss,
1998) introduced the notion of ”atomic proxy func-
tions” - functions that transform ciphertext corre-
sponding to one key into ciphertext corresponding to
another key without revealing any information about
the secret decryption keys or plain data. However
the scheme presented in (Blaze, Bleumer and Strauss,
1998) is bidirectional where one re-encryption key
can be used to transform ciphertext from the dele-
gator to the delegatee and vice versa, and is use-
ful only for the scenarios where the trust relation-
ship between involved parties is mutual. To overcome
this situation Jakobsson (Jakobsson,1999) and Zhou
et al. (Zhou, Marsh, Schneider, and Redz, 2005) pro-
posed a quorum-controlled protocol where a proxy
is divided into many components. Dodis and Ivan
(Ivan and Dodis, 2003) propose a number of unidi-
rectional proxy re-encryption for El-Gamal, RSA and
IBE scheme, where the delegator’s secret key is di-
vided into two shares: one share for the proxy and one
share for the delegatee. The drawback of the proposed
schemes is that they are collusion-unsafe, i.e. if the
proxy and the delegatee collude then they can recover
the delegator’s secret key. Matsuo (Matsuo, 2007)
and Green and Atteniese (Green and Ateniese, 2007)
propose identity-based proxy re-encryption scheme,
where the encrypted data under the public key gener-
ated by delegators’ identity is re-encrypted to an en-
crypted data under the public key generated by dele-
gatees’ identity.
Attribute-based Encryption. Sahai and Waters
(Sahai and Waters, 2005) introduce the concept of
Attribute-Based Encryption (ABE) where a cipher-
text and user secret key are associated with a set of
attributes. ABE relies on the presence of a trusted
authority (TA) who is in possession of a master key
which is used to generate secret keys of users. A user
can decrypt the ciphertext if the user secret key has
the list of attributes specified in the ciphertext. In CP-
ABE (Bethencourt, Sahai, and Waters, 2007; Cheung
and Newport, 2007; Ibraimi, Tang, Hartel, and Jonker,
2009) the user secret key is associated with a set of at-
tributes and a ciphertext is associated with an access
control policy over a list of attributes. The decryptor
can decrypt the ciphertext if the list of attributes asso-
ciated with the secret key satisfies the access policy.
In Key-Policy Attribute-Based Encryption (KP-ABE)
SECRYPT 2010 - International Conference on Security and Cryptography
400
(Goyal, Pandey, Sahai, and Waters, 2006) the idea
is reversed and the secret key is associated with an
access control policy over a list of attributes and the
ciphertext is associated with a list of attributes. The
decryptor can decrypt the ciphertext if the list of at-
tributes associated with the ciphertext satisfy the ac-
cess policy associated with the secret key.
Attribute-based Encryption and Proxy Re-
encryption. Guo et al. (Guo, Zeng, Wei, and
Xu, 2008) propose a proxy re-encryption scheme
based on the Goyal et al. (Goyal, Pandey, Sahai,
and Waters, 2006) KP-ABE scheme. The proposed
scheme can transform a ciphertext associated with
a set of attributes into a new ciphertext associated
with another set of attributes. Generally, adapting
CP-ABE to proxy re-encryption is more suitable
than adapting KP-ABE to proxy re-encryption since
CP-ABE allows the encryptor to express her policies
in the encryption phase, while in KP-ABE the access
policy is associated with the secret key and is defined
in the key generation phase.
Lliang et al.(Liang, Cao, Lin, and Shao, 2009)
proposed an attribute-based proxy re-encryption
scheme. The Lliang et al. scheme is based on the
Cheung and Newport CP-ABE scheme (Cheung and
Newport, 2007) and it inherits the same limitations
that (Cheung and Newport, 2007) has: it supports
only access policies with AND boolean operator, and
the size of the ciphertext increases linearly with the
number of attributes in the system.
1.2 Organization
The remainder of this paper is organized as follows.
Section 2 provides background information. In Sec-
tion 3 we give a formal definition of the Ciphertext-
Policy Attribute-Based Proxy Re-Encryption scheme
(CP-ABPRE) and its security model. Section 4 de-
scribes the construction of the CP-ABPRE scheme.
The last section concludes the paper.
2 BACKGROUND - BILINEAR
GROUPS
The scheme presented in section 4 is based on
pairings over groups of prime order. Let G
0
and G
T
be two multiplicative groups of prime order p, and let
g be a generator of G
0
. A pairing (or bilinear map)
ˆe : G
0
× G
0
G
T
satisfies the following properties
(Boneh and Franklin, 2001):
1. Bilinear: for all u,v G
0
and a,b Z
p
, we have
ˆe(u
a
,v
b
) = ˆe(u,v)
ab
.
2. Non-degenerate: ˆe(g,g) 6= 1.
G
0
is said to be a bilinear group if the group operation
in G
0
and the bilinear map ˆe : G
0
× G
0
G
T
can be
computed efficiently. Note that the map is symmetric
since ˆe(g
a
,g
b
) = ˆe(g,g)
ab
= ˆe(g
b
,g
a
).
3 CIPHERTEXT-POLICY
ATTRIBUTE-BASED PROXY
RE-ENCRYPTION (CP-ABPRE)
A CP-ABPRE scheme extends CP-ABE scheme by
adding a proxy component to the existing compo-
nents: the trusted authority (TA) and users. Another
extension has been made to the number of algorithms.
CP-ABPRE uses the RKGen algorithm to generate a
re-encryption key and Re Encrypt algorithm to re-
encrypt the ciphertext, in addition to the four algo-
rithms of CP-ABE scheme: Setup, KeyGen, Encrypt,
Decrypt.
Definition 1. A CP-ABPRE scheme is a tuple of
six algorithms (Setup, KeyGen, Encrypt, Decrypt,
RKGen, Re Encrypt):
Setup(λ) run by the trusted authority (TA), the al-
gorithm on input of the security parameter λ out-
puts the master secret key MK which is kept pri-
vate, and the master public key PK which is dis-
tributed to users.
KeyGen(MK,ω) run by the trusted authority (TA),
the algorithm takes as input a set of attributes ω
identifying the user, and the master secret key
MK, and it outputs a user secret key SK
ω
asso-
ciated with the set of attributes ω.
Encrypt(m, p
1
,PK) run by the encryptor, the al-
gorithm takes as input a message to be encrypted
m, an access policy p
1
over a list of attribute
which specifies which combinationof attribute the
decryptor needs to posses in order to obtain m,
and the master public key PK. The algorithm out-
puts the ciphertext CT
p
1
associated with the ac-
cess policy p
1
.
RKGen(SK
ω
, p
1
, p
2
,PK) run by the delegator,
this algorithm takes as input the secret key SK
ω
,
the access policies p
1
and p
2
, and the master pub-
lic key PK. The algorithm outputs a unidirectional
re-encryption key rk
p
1
p
2
if SK
ω
satisfies p
1
, or
an error symbol if ω does not satisfy p
1
.
Re Encrypt(CT
p
1
,rk
p
1
p
2
) run by the proxy,
this algorithm takes as input the ciphertext CT
p
1
AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING
401
and the re-encryption key rk
p
1
p
2
, and outputs
the ciphertext CT
p
2
associated with the access
policy p
2
.
Decrypt(CT
p
i
,SK
ω
) run by the decryptor, the al-
gorithm takes as input the ciphertext C
p
i
and the
secret key SK
ω
, and output a message m if ω satis-
fies p
i
, or an error symbol if ω does not satisfy
p
i
.
Security Model. In the following we present the
game-based security definition (security model) of the
CP-ABPRE scheme. Informally, the security model
guarantees that: a) an user (adversary) who does not
have enough attributes to satisfy the access policy p
of the ciphertext cannot learn any information about
the plaintext being encrypted, b) two users cannot
combine their attributes to extend their decryption
power, for instance two users cannot combine their se-
cret keys and decrypt a ciphertext associated with p
if none of users secret keys satisfy p
, and c) the proxy
and an user cannot combine the re-encryption key and
the secret key in order to compute a new secret key.
Therefore in the security game, played between the
adversary A and the challenger (the challenger simu-
lates the game and answers A s queries) we allow A
to compromise users secret key except the secret keys
which satisfy the challenge access policy p
. In addi-
tion, A is allowed also to compromise proxy keys or
re-encryption keys with the following restriction:
A is not allowed to ask secret key queries for the
attribute set ω which satisfies p
2
if A has a re-
encryption key rk
p
p
2
. The reason for this re-
striction is that A can use the re-encryption key
to re-encrypt the challenge ciphertext associated
with p
to a ciphertext associated with p
2
and de-
crypt the re-encrypted ciphertext using his secret
key which satisfies p
2
. In the sequel we will refer
to p
2
as a challenge derivative access policy if A
has the re-encryption key rk
p
p
2
.
At one point of the security game A gives to the chal-
lenger two messages and the challenge access policy
p
, and the challenger return to A a ciphertext of one
of the two messages encrypted under p
. A has to
guess which of the messages was encrypted. If the
guess is correct, then A wins the game. Formally the
security game is defined as follows:
1. Setup. The challenger run Setup(λ) to generate
(PK,MK), and gives PK to A .
2. Phase1. A performs a polynomially bounded
number of queries:
Keygen(ω
j
). A asks for a user secret key for
any attribute set ω
j
. The challenger returns
SK
ω
j
to A .
RKGen(p
1
, p
2
). A asks for a re-encryption key
for rk
p
1
p
2
, where p
1
6= p
2
. The challenger
runs SK
ω
= Keygen(ω
j
) such that SK
ω
satis-
fies p
1
, and returns rk
p
1
p
2
to A .
3. Challenge. A sends to the challenger two mes-
sages m
0
,m
1
and the challenge access policy p
. A is not allowed to chose a challenge access
structure p
if it has made the following queries
in Phase1:
Keygen(ω
j
) queries such that SK
ω
j
satisfies a
challenge access structure p
.
Keygen(ω
j
) queries such that SK
ω
j
satisfies
any challenge derivative access policies.
RKGen(p
1
, p
2
) queries if A previously has is-
sued Keygen(ω
j
) such that SK
ω
j
satisfies p
2
and p
1
is a challenge derivative access policy.
The challenger selects b
R
(0,1) and returns
CT
p
= Encrypt(m
b
, p
,PK).
4. Phase2. A can continue querying Keygen and
RKGen. A is not allowed to make queries spec-
ified in the Challenge phase.
5. Guess. A outputs a guess b
, where b
(0,1).
Definition 2. A CP-ABPRE scheme is said to be se-
cure against adaptive chosen plaintext attack (IND-
CPA) if any polynomial-time adversary A has only a
negligible advantage in the CP-ABPRE game, where
the advantage is defined to be |Pr[b
= b]
1
2
|.
4 CONSTRUCTION OF
CP-ABPRE SCHEME
Before introducing the scheme, we briefly explain the
structure of the access policy associated with the ci-
phertext. In our scheme an access control policy is
a monotonic boolean formula of conjunction and dis-
junctions of attributes. The TA in the Setup phase de-
fines the universe of all attributes . An example of
the universeof all attribute can be = {A, B,C,D,F},
and an example of an access policy can be p
1
=(A
B) (C D) where {A,B,C, D} .
Assigning Values to Attributes in the Access Pol-
icy. To enforce the access policy in such a way that
only users who satisfy the access policy can decrypt
the ciphertext, in the encryption phase, the encryp-
tor encrypts the data according to the access policy.
Therefore, the encryptor in the encryption phase picks
a secret value s and shares it according to the access
policy under which the data is encrypted. We use Be-
naloh and Leichter (Benaloh and Leichter, 1995) se-
SECRYPT 2010 - International Conference on Security and Cryptography
402
cret sharing scheme to share s. The scheme (Benaloh
and Leichter, 1995) works as follows:
Transforms an access policy p
1
into an access tree
τ and set the value of the root node of τ to be s.
Then, recursively for each non-leaf node do the
following:
If the symbol is , set the values of each child
node to be s.
If the symbol is , for each child node, except
the last one, assign a random value s
i
where 1
s
i
p 1, and to the last child node assigns
s
t
= s
t1
i=1
s
i
mod p.
For example, to share s according to the access policy
p
1
=(A B) (C D), the Benaloh and Leichter
(Benaloh and Leichter, 1995) secret sharing scheme
works as follows: a) assign s to OR () operator,
b) assign s to two AND () operators and c) assign
shares s
A
to A, s
B
to B, s
C
to C and s
D
to D, such that
s = s
A
+ s
B
and s = s
C
+ s
D
.
Policy Evaluation. To decrypt a ciphertext, a user
secret key SK
ω
associated with a set of attributes ω
has to satisfy the policy p
1
=(A B) (C D) as-
sociated with the ciphertext. In the example, if ω =
{A,B} then the policy is satisfied since s = s
A
+ s
B
.
This can be verified by substituting the attributes in
ω p
1
= {A,B} (attributes which appear in ω and p
1
)
by true, and attributes in p
1
\ ω = {C,D} (attributes
which appear in p
1
but not appear in ω) by false. We
say that the user satisfies the policy if p
1
=(true
true) (false false) evaluates to true.
4.1 The Scheme
In this section we describe the construction of the pro-
posed CP-ABPRE scheme. The scheme consists of
the following algorithms:
1. Setup(λ). The setup algorithm selects a bilinear
group G
0
of prime order p and generator g, and
the bilinear map ˆe : G
0
× G
0
G
T
. Next to
this, the algorithm generates the list of attributes
in the system = {a
1
,a
2
,..., a
k
}, picks randomly
α,β, f, x
1
,x
2
,· ·· ,x
k
Z
p
, and sets T
j
= g
x
j
(1
j k). Note that for each a
j
(1 j k) there
is an x
j
Z
p
(1 j k). The algorithm also de-
fines the function H
1
: G
T
G
0
. The public key
is published as:
PK = (g, ˆe(g,g)
(α+β)
,g
f
,{T
j
}
k
j=1
,H
1
).
The master secret key consists of the following
components:
MK = (α,β, f,{x
j
}
k
j=1
).
2. KeyGeneration(MK,ω). The key generation al-
gorithm takes as input the attribute set ω which
characterize the user. For each user the algorithm
picks at random r Z
p
and computes the secret
key SK
ω
which consists of the following compo-
nents:
SK
ω
= (D
(1)
= g
αr
,
{D
(2)
j
= g
r+β
x
j
}
a
j
ω
).
3. Encryption(m, p
1
,PK). To encrypt a message m
G
T
, under the access policy p
1
over the set of at-
tributes from , the encryption algorithm picks at
random s Z
p
and assigns s
i
values to attributes
in p
1
( s
i
values are shares of s and are generated
using the Benaloh and Leichter (Benaloh and Le-
ichter, 1995) secret sharing scheme). The resulted
ciphertext consists of the following components:
CT
p
1
= (C
(1)
= g
s
C
(2)
= m· ˆe(g,g)
(α+β)s
,C
(3)
= g
fs
,
{C
(4)
j,i
= g
x
j
s
i
}
a
j
p
1
).
4. RKGen(SK
ω
, p
1
, p
2
,PK): The algorithm outputs
a re-encryption key which is used by the proxy
to update the ciphertext associated with p
1
to
a ciphertext associated with p
2
. Let ω
ω
be the smallest set which satisfies the access
policy p
1
. The algorithm first parses SK
ω
as
(D
(1)
,{D
(2)
j
}
a
j
ω
), picks at random l,x
Z
p
, it
sets (g
f
)
x
= g
x
and computes the re-ecnryption
key rk
p
1
p
2
which consists of the following com-
ponents:
rk
p
1
p
2
= (
ˆ
D
(1)
= D
(1)
· g
l
,
ˆ
D
(2)
= Encryption(g
xl
, p
2
,PK),
ˆ
D
(3)
= g
x
= g
x
f
,
ˆ
D
(4)
j
= {D
(2)
j
}
a
j
ω
.
Note. Note that the message g
xl
encrypted in this
phase belongs to the group G
0
, while the message
m encrypted in the Encryption phase belongs to
the group G
T
. The encryption of g
xl
is done in
the same way as the encryption of m with a small
change on the computation of C
(2)
. The only pur-
pose for this change is to keep g
xl
in group G
0
. So, in encrypting m in the Encryption phase the
C
(2)
had the form:
C
(2)
= m· ˆe(g,g)
(α+β)s
AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING
403
for a random s Z
p
. In encrypting g
xl
in the
RKGen phase the C
(2)
has the form:
C
(2)
= g
xl
· H
1
( ˆe(g,g)
(α+β)z
)
where z is a random element in Z
p
. All the other
components are computed in the same way as in
the Encryption phase.
5. Re Encrypt(CT
p
1
,RK
p
1
p
2
). The algorithm
parses CT
p
1
as (C
(1)
,C
(2)
,C
(3)
,{C
(4)
j,i
}
a
j,i
p
1
), and
RK
p
1
p
2
as (
ˆ
D
(1)
,
ˆ
D
(2)
,
ˆ
D
(3)
,{
ˆ
D
(4)
j
}
a
j
ω
)
, and
computes the following:
(a) In the first step, for every attribute a
j
ω
, it
computes the following:
I
(1)
=
a
j
ω
ˆe(
ˆ
D
(4)
j
,C
(4)
j,i
) =
a
j
ω
ˆe(g
r+β
x
j
,g
x
j
s
i
)
= ˆe(g
r+β
,g
s
)
(b) In the second step it computes the following:
I
(2)
= ˆe(C
(1)
,
ˆ
D
(1)
) · I
(1)
= ˆe(g
s
,g
αr
· g
l
) · ˆe(g,g)
(r+β)s
= ˆe(g
s
,g
α+β
· g
l
)
(c) In the third step it computes the following:
I
(3)
=
C
(2)
I
(2)
=
m· ˆe(g
s
,g
α+β
)
ˆe(g
s
,g
α+β
· g
l
)
=
m
ˆe(g
s
,g
l
)
ˆ
C
(2)
= ˆe(C
(3)
,
ˆ
D
(3)
) · I
(3)
= ˆe(g
sf
,g
x
f
) ·
m
ˆe(g
s
,g
l
)
= m· ˆe(g
s
,g
xl
)
(d) In the fourth step it sets:
ˆ
C
(1)
= C
(1)
.
ˆ
C
(3)
=
ˆ
D
(2)
.
The algorithm outputs the re-encrypted cipher-
text, which consists of the following components:
CT
p
2
= (
ˆ
C
(1)
,
ˆ
C
(2)
,
ˆ
C
(3)
).
6. Decrypt(CT
p
i
,SK
ω
): The decryption algorithm
takes as input the ciphertext C
p
i
and secret key
SK
ω
. It checks if the secret key SK
ω
related to
the attribute set ω satisfies the access policy p
i
. If
not, then it outputs .
(a) If ω satisfies the access policy p
i
and C
p
i
is
a regular ciphertext, then the decryption algo-
rithm performs the following:
i. In the first step, the algorithm chooses
the smallest set ω
ω which satis-
fies the access policy p
i
and parses C
p
i
as (C
(1)
,C
(2)
,{C
(4)
j,i
}
a
j
p
i
), and SK
ω
as
(D
(1)
,{D
(2)
j
}
a
j
ω
).
ii. In the second step, for every attribute a
j
ω
,
it computes
Z
(1)
=
a
j
ω
ˆe(D
(2)
j
,C
(4)
j,i
)
=
a
j
ω
ˆe(g
r+β
x
j
,g
x
j
s
i
)
= ˆe(g
r+β
,g
s
)
iii. In the third step, it computes
Z
(2)
= ˆe(D
(1)
,C
(1)
) · Z
(1)
= ˆe(g
αr
,g
s
) · ˆe(g
r+β
,g
s
)
= ˆe(g,g)
(α+β)s
iv. In the final step, the message is obtained by
computing
m =
C
(2)
Z
(2)
(b) If ω satisfies the access policy p
i
and C
p
i
is a
re-encrypted ciphertext, then the decryption al-
gorithm performs the following:
i. In the first step it parses C
p
i
as
(
ˆ
C
(1)
,
ˆ
C
(2)
,
ˆ
C
(3)
)
ii. In the second step it recovers the message in
the following way:
m =
ˆ
C
(2)
ˆe(
ˆ
C
(1)
,Decrypt(
ˆ
C
(3)
,SK
ω
))
Note. The operation Decrypt(
ˆ
C
(3)
,SK
ω
) =
g
xl
(where g
xl
is part of the group G
0
) is
done in similar way as Decrypt(C
p
i
,SK
ω
) = m
(where m is part of the group G
T
) explained
under (a). The only change is under (iv) where
g
xl
is computed as:
g
xl
=
C
(2)
H
1
(Z
(2)
)
while m was computed as:
m =
C
(2)
Z
(2)
SECRYPT 2010 - International Conference on Security and Cryptography
404
In the following, we presents the properties of our
proposed scheme:
Uni-directional. The re-encryption key rk
p
1
p
2
only allows the proxy to re-encrypt ciphertexts
encrypted under the policy p
1
into ciphertexts
encrypted under policy p
2
, and not the other
way around. For instance, the re-encryption key
rk
p
1
p
2
can be used to re-encrypt ciphertexts as-
sociated with a policy p
1
= [Patient AND Bob]
into ciphertext associated with a policy p
2
=
[General Practitioner (GP)]. The idea is that a
GP should access his patients’ health data, how-
ever individual patients should not be able to ac-
cess GPs’ data since GP possess data from differ-
ent patients.
Non-interactive. The re-encryption key rk
p
1
p
2
is computed by the delegator without any inter-
action with the delegatee, the TA authority or the
proxy. To compute rk
p
1
p
2
, the delegator uses
his secret key and the master public key. There-
fore the delegator remains off-line while comput-
ing the re-encryption key and the proxy perform
re-encryption process to update ( or re-encrypt)
ciphertext without any interaction with the dele-
gator.
Key Optimal. The delegator and the delegatee
don’t need to store extra secrets in addition to
their original secret keys associated with a set
of attributes, regardless of how many delegations
he/she gives (or accepts).
Non-transitivity. The proxy cannot re-delegate
the decryption rights. Alternatively it can be said
that the proxy cannot combine re-encryption keys
to create new delegations. For example, proxy
cannot construct a re-encryptionkeyrk
p
1
p
3
from
other two re-encryption keys rk
p
1
p
2
and rk
p
2
p
3
under it possession.
Collusion Safe. The proxy and a cannot com-
bine their secrets in order to derive a new se-
cret key. For example, the proxy should not be
able to combine the re-encryption key rk
p
1
p
2
where p
1
= [GP AND Hospital 1] and p
2
=
[GP AND (Hospital 1 OR Hospital 2)] with del-
egatee’s who has a secret key associated with at-
tributes {GP,Hospital 2} in order to compute a
delegator’s secret key which is associated with the
attributes {GP, Hospital 1}. Collusion safeness
also implies that two users cannot combine their
secret keys in order to extend their decryption
power. For instance, a user, Alice who has a secret
key associated with attributes {Nurse,Hospital 1}
should not be able to combine her secret key with
a user, Charlie who has a secret key associated
with the attributes {GP,Hospital 2} and be able
to decrypt a ciphertext encrypted under the pol-
icy p = [Nurse AND Hospital 2] which cannot be
satisfied neither by Alice nor by Charlie.
Multi-user Decryption. In existing proxy re-
encryption, once the proxy performs the re-
encryption, the delegator losses the decryption
power, thus the delegator cannot use his secret
key to decrypt the re-encrypted data. The reason
is that the mapping ciphertext-public key is one-
to-one, which implies that one ciphertext can be
decrypted only by one secret key, thus after the
re-encryption is performed only the delegatee has
a power to decrypt the ciphertext. One can ar-
gue that the proxy can keep a copy of the origi-
nal ciphertext and enable the delegator to decrypt
the original ciphertext. However, this solution re-
quires for the proxy to keep the original ciphertext
for each re-encrypted data.
CP-ABPRE scheme has a property which allows
the delegator to generate a re-encryption key in
such a way that that the delegator does not loose
his decryption power after the proxy performs the
re-encryption, and the re-encrypted ciphertext can
be decrypted by many users whose secret key sat-
isfies the access policy. As an example, suppose
there is an encrypted data according to the pol-
icy p
1
= [(A AND B) OR (C AND D)]. Bob has
a secret key SK
ω
Bob
associated with a set of at-
tributes ω
Bob
= {A,B,F}. Since Bob satisfy the
access policy p
1
, Bob is capable to compute a re-
encryption key that can update the access policy
p
1
into another policy p
2
. If Bob updates the ac-
cess policy p
1
into p
2
, where p
2
= [C AND F]
then Bob looses his decryption power because
Bob does not satisfy the access policy p
2
. How-
ever, Bob can retain his decryption power by cre-
ating a policy ep = p
1
OR p
2
.
Multi-user & Single-user Delegation. In CP-
ABE schemes many users may have a secret key
with an attribute sets that may satisfy access pol-
icy associated with ciphertext. Hence many users
can compute the re-encryption key as they atisfy
the access policy. However, this property may not
always be of potential interest and might become
a security threat in some scenarios. In practice
this threat can be overcomed by defining attributes
that are unique to an individual, in addition to
the attributes that may be possessed by multiple
users. For example, consider Alice who has a se-
cret key SK
Alice
ω
associated with a set of attributes
ω = {Alice,Patient} (Alice is an individual at-
tribute which can be possessed solely by Alice and
Patient is an attribute which can be possessed by
AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING
405
many users), and a ciphertext encrypted under an
access policy p
1
= [Alice AND Patient]. It is ob-
vious that only Alice satisfies the access policy p
1
and only Alice can compute the re-encryption key
rk
p
1
p
2
, for any p
2
.
4.2 Efficiency
The size of the secret key SK
ω
depends on the number
of attributes the user possess and consists of |ω| + 1
group elements in G
0
, where |ω| is the cardinality of
ω. The size of the ciphertext C
p
depends on the size
of the access policy p
1
and has |p| +1 group elements
in G
0
, and 1 group element in G
T
. The size of the re-
encryption key rk
p
1
p
2
depends on ω
which is the
smallest set which satisfies p
1
and has |ω
| + 1 group
elements in G
0
.
5 CONCLUSIONS AND FUTURE
WORK
In this work we present a new proxy re-encryption
scheme in the CP-ABE setting. The scheme is unidi-
rectional and allows a user (the delegator) to change
dynamically the access policy associated with the ci-
phertext, without necessarily decrypting the cipher-
text. To reduce computations performed at the del-
egators’ side and to avoid the need for the delegator
to be online all the time, the delegator computes a re-
encryption key and delegates the power to the proxy
to update the access control policy associated with ci-
phertext.
There are two interesting open problems. First, it
would be interesting to hide the access control policy
from the semi-trusted proxy and from the user who
decrypts the data since in our scheme the access pol-
icy has to be in clear in order for the user who decrypts
the data to apply the right attributes to satisfy the ac-
cess policy associated with the ciphertext. Second, we
leave as an open problem to provide a security proof
in the standard model where the problem of breaking
the scheme is reduced to a well-studied complexity-
theoretic problem.
REFERENCES
Benaloh, J. and Leichter, J. (1995). Generalized secret shar-
ing and monotone functions. In S.Goldwasser , editor,
Proceedings of Eurocrypt 1998, volume 403 of LNCS,
pages 27–35. Springer-Verlag, 1995.
Bethencourt, J. and Sahai, A. and Waters, B. Ciphertext-
policy attribute-based encryption. In D. Shands, edi-
tor, Proceedings of the 2007 IEEE Symposium on Se-
curity and Privacy, pages 321–334. IEEE Computer
Society Washington, DC, USA, 2007.
Blaze, M. and Bleumer, G., and Strauss, M. Divertible Pro-
tocols and Atomic Proxy Cryptography. In K Nyberg,
editor, Proceedings of Eurocrypt 1998, volume 1403
of LNCS, pages 127–144. Springer-Verlag, 1998.
Boneh, D. and Franklin, M. Identity-based encryption from
the weil pairing. In J. Kilian, editor, Proceedings of
Crypto 2001, volume 2139 of LNCS, pages 213–229.
Springer-Heidelberg, 2001.
Cheung, L. and Newport, C. Provably secure ciphertext
policy ABE. In Proceedings of the 14th ACM Con-
ference on Computer and Communications Security,
pages 456–465. ACM, 2007.
ElGamal, T. A public key cryptosystem and a signature
scheme based on discrete logarithms. IEEE transac-
tions on information theory, 31(4):469–472, 1985.
Goyal, V. and Pandey, O. and Sahai, A. and Waters,
B. Attribute-based encryption for fine-grained access
control of encrypted data. In Proceedings of the 13th
ACM Conference on Computer and Communications
Security, pages 89–98. ACM, 2006.
Green, M. and Ateniese, G. Identity-based proxy re-
encryption. In J. Katz and M. Yung, editors, Pro-
ceedings of Applied Cryptography and Network Secu-
rity, volume 4521 of LNCS, pages 288–306. Springer-
Heidelberg, 2007.
Guo, S. and Zeng, Y. and Wei, J. and Xu,
Q. Attribute-based re-encryption scheme in the stan-
dard model. Wuhan University Journal of Natural Sci-
ences, 13(5):621–625, 2008.
Ibraimi, L. and Tang, Q. and Hartel, P. and Jonker, W. Ef-
ficient and provable secure ciphertext-policy attribute-
based encryption schemes. In F. Bao, H. Li, and
G. Wang, editors, Proceedings of Information Secu-
rity Practice and Experience, volume 5451 of LNCS,
pages 1–12. Springer-Heidelberg, 2009.
Ivan, A. and Dodis, Y. Proxy Cryptography Revisited. In
Proceedings of the Network and Distributed System
Security Symposium. The Internet Society, 2003.
Jakobsson, M. On quorum controlled asymmetric proxy
re-encryption. In H. Imai and Y. Zheng, editors, Pro-
ceedings of Public Key Cryptography, volume 1560 of
LNCS, pages 112–121. Springer-Heidelberg, 1999.
Liang, X. and Cao, Z. and Lin, H. and Shao, J. Attribute
based proxy re-encryption with delegating capabili-
ties. In Proceedings of the 4th International Sympo-
sium on Information, Computer, and Communications
Security, pages 276–286. ACM, 2009.
Mambo, M. and Okamoto, E. Proxy cryptosystems:
delegation of the power to decrypt ciphertexts. IE-
ICE Transactions on Fundamentals of Electronics,
Communications and Computer Sciences, 80(1):54–
63, 1997.
Matsuo, T. Proxy Re-encryption Systems for Identity-
Based Encryption. In T. Takagi, T. Okamoto,
E. Okamoto, and T. Okamoto, editors, Proceedings of
SECRYPT 2010 - International Conference on Security and Cryptography
406
Pairing 2007, volume 4575 of LNCS, pages 247–267.
Springer-Heidelberg, 2007.
Rivest, R. L. and Shamir, A. and Adleman, L. A method
for obtaining digital signatures and public-key cryp-
tosystems. Communications of the ACM, 21(2):126,
1978.
Sahai, A. and Waters, B. Fuzzy identity-based encryp-
tion. In R. Cramer, editor, Proceedings of Euro-
crypt 2005, volume 3494 of LNCS, pages 457–473.
Springer-Heidelberg, 2005.
Shoup, V. Lower Bounds for Discrete Logarithms and Re-
lated Problems. In F. Walter, editor, Proceedings of
Eurocrypt 1997.
Zhou, L. and Marsh, M. A. and Schneider, F. B. and Redz,
A. Distributed blinding for ElGamal re-encryption. In
Proceedings of 25th IEEE International Conference
on Distributed Computing Systems, pages 815–824.
IEEE Computer Society, 2005.
APPENDIX
Security Proof in Generic Group Model. We pro-
vide a security proof in the generic group model, in-
troduced by Shoup (Shoup, 1997). The model relies
on the fact that it is hard to find the discrete logarithm
in a group (including a group with bilinear pairing)
when the order of the group is a large prime number.
In this model group elements are encoded as unique
random strings, in such a way that the adversary A
can manipulate group elements using canonical group
operations in G
0
and G
T
and cannot test any prop-
erty other than equality. Thus a cryptographically se-
cure group provides no mathematical properties of its
group other than its group structure.
Theorem 1. The advantage of any adversary A in
the security game receiving at most q group elements
from queries it makes to the oracles for computing
group operation in G
0
and G
T
, pairing operation ˆe
and from the interaction with the CP-ABPRE security
game is bounded by O(
q
2
p
).
Proof. Following the arguments from the proof in
(Bethencourt, Sahai, and Waters, 2007), we bound
the advantage of A in a modified game in which
the challenge ciphertext is either C
(1)
= ˆe(g,g)
(α+β)s
or C
(1)
= ˆe(g,g)
θ
, instead of giving a challenge ci-
phertext as defined in the security game of Section
3 as C
(1)
= m
b
· ˆe(g,g)
(α+β)s
where b (0,1). We
show that A cannot distinguish which game is play-
ing. Then we show that there is no A which has a non-
negligible advantage in a modified game, so there is
no A with has a non-negligible advantage in the secu-
rity game of Section 3, either. Note that if there is an
A that has advantage ε in the security game of Sec-
tion 3 then there can be another adversary which has
advantage
ε
2
in the modified security game.
We will write γ
0
(x) : Z
p
{0,1}
log p
as a ran-
dom encoding for the group element g
x
G
0
, and
γ
1
(x) : Z
p
{0,1}
log p
as a random encoding for
group element ˆe(g,g)
x
G
T
. Each random encod-
ing is associated with a rational function (a func-
tion written as a division of two polynomial func-
tions). Let f be a rational function over the variables
{α,β,θ,s,s
ˆ
i
,{x
j
}(1 j k),r, f,l}, where each vari-
able is an element picked at random in the scheme. A
receives the following encodings from the interaction
with the simulator in the security game:
Components generated by the Setup algorithm:
1. γ
0
(1) representing the group generator g.
2. γ
0
( f) representing the group element g
f
.
3. {γ
0
(x
j
)}(1 j k) representing {T
j
=
g
x
j
}
k
j=1
.
4. γ
1
(α+ β) representing ˆe(g,g)
α+β
.
Components generated by the KeyGen oracle in
Phase1 and Phase2 of the security game. Let ω
be the attribute set for which A asks for e secret
key.
1. γ
0
(α r) representing D
(1)
= g
αr
.
2. {γ
0
(
r+β
x
j
)}
a
j
ω
representing {D
(2)
j
=
g
r+β
x
j
}
a
j
ω
.
Components generated by the RKGen oracle in
Phase1 and Phase2 of the security game. Let
RKGen(p
1
, p
2
) be the re-encryption query used to
re-encrypt messages encrypted under the access
policy p
1
into messages encrypted under the ac-
cess policy p
2
. Let ω
be the set of attributes that
satisfy the access policy p
1
.
1. γ
0
(α r+ l) representing
ˆ
D
(1)
= g
αr+l
.
2. γ
0
(z), γ
0
(R), γ
0
( fz) and {γ
0
(x
j
z
ˆ
i
)}
a
j,
ˆ
i
p
2
repre-
senting
ˆ
D
(2)
j
= Encryption(g
xl
, p
2
,PK).
3. γ
0
(x
) representing
ˆ
D
(3)
= g
x
= g
x
f
.
4. {γ
0
(
r+β
x
j
)}
a
j
ω
representing {
ˆ
D
(4)
j
=
g
r+β
x
j
}
a
j
ω
.
Components generated by the Encryption oracle
in the Challenge phase of the security game. Let
A asks for a challenge for messages m
0
,m
1
G
T
and the access policy p
.
1. γ
0
(s) representing C
(1)
= g
s
.
2. γ
1
(θ) representing C
(2)
= ˆe(g,g)
θ
.
AN ENCRYPTION SCHEME FOR A SECURE POLICY UPDATING
407
3. γ
0
( fs) representing C
(3)
= g
fs
.
4. {γ
0
(x
j
s
ˆ
i
)}
a
j,
ˆ
i
p
representing {C
(4)
j,
ˆ
i
=
g
x
j
s
ˆ
i
}
a
j,
ˆ
i
p
.
A uses the group elements received from the interac-
tion with the simulator to perform generic group op-
erations and equality tests.
Queries to the oracles for group operation in G
0
and G
T
. A asks for multiplying or dividing group
elements represented with their random encod-
ings, and associated with a rational function. The
oracle returns f + f
when A asks for multiplying
f and f
, or f f
when A asks for dividing f
and f
(Note that A knows only the encodings of
f and f
).
Queries to the oracle for computing pairing op-
eration ˆe. A asks for pairing of group elements
represented with their random encoding and asso-
ciated with a rational function. The oracle returns
f f
when A asks for pairing f and f
.
We show that A cannot distinguish with non-
negligible advantage the simulation of the modified
game where the challenge ciphertext is set C
(2)
=
ˆe(g,g)
θ
, with the simulation of the real game where
the challenge ciphertext would have been set C
(2)
=
ˆe(g,g)
(α+β)s
.
First, we show the A s view when the chal-
lenge ciphertext is γ
1
(θ). Following the stan-
dard approach for security in generic group model,
A s view can change when an unexpected colli-
sion happen due to the random choice of the for-
mal variables {α,β,θ,s,s
ˆ
i
,{x
j
}
1 jk
,r, f,l} chosen
uniformly from Z
p
. A collusion happen when two
queries evaluate to the same value. For any two dis-
tinct queries the probability of such collusion happen
is at most O(q
2
/p). Since for large p the probability
of such collusion is negligible we ignore this case.
Second, we show what the adversaries view would
have been if the challenge ciphertext had been set
γ
1
((α+ β)s). Again, A view can change when a col-
lusion happen, such that the values of two different
rational functions coincide. We show that A cannot
make a polynomial query which would be equal to
(α+ β)s, and therefore a collusion cannot happen. In
table 1 we list possible queries that A can make into
G
T
using the group elements received from interac-
tion with the simulator in the security game.
As is shown in table 1 (the highlighted cell), A
can pair s with α r, and
r+β
x
j
with s
i
x
j
, and then sum
the results to get s(α r) +
a
i
ω
rs
i
+
a
i
ω
βs
i
. In
order to get only (α+ β)s, A has to create polynomial
requests to cancel sr and to compute βs. We observe
that A to obtain βs and sr has to pair
r+β
x
j
with s
ˆ
i
x
j
.
Table 1: Possible queries into G
T
.
1 α+ β t
j
(α r)s (r+ β)s
i
r+β
x
j
s
fz xs x
s(α r) + (r+ β)s
i
r+ β (r+ β)s
i
x
j
s
i
(α r)(x
j
s
i
) z
α r± (r+ β)s
i
s(α r+ l) R
(α+ β) ± s (α r+ l)
From the table 1 we can see that A can construct a
query polynomial of the form:
sα
|{z}
A
sr
|{z}
B
+
a
i
ω
rs
i
|{z}
C
+
a
i
ω
βs
i
|{z}
D
However A cannot construct a query polynomial
of the form (α + β)s = αs + βs if A does not have
a secret key which satisfies the access policy. First,
there must be at least one rs
i
missing (there must be
one ciphertext component g
x
j
s
i
for which A does not
have a secret key component g
β+r
x
j
to pair, therefore
A cannot cancel x
j
), therefore A cannot reconstruct
rs under the term C, and as a sequence cannot can-
cel term B and C. Second, there must be at least one
βs
i
missing, hence A cannot reconstruct βs under the
term D. As a result of the above analysis, we con-
clude that A cannot make a polynomial query which
has the form (α+ β)s.
SECRYPT 2010 - International Conference on Security and Cryptography
408