SABE: A Selective Attribute-based Encryption for an Efficient Threshold
Multi-level Access Control
Nesrine Kaaniche and Maryline Laurent
SAMOVAR, CNRS, Telecom SudParis, University Paris-Saclay,
Member of the Chair Values and Policies of Personal Information, Paris, France
Keywords:
Multi-level Access Control, Ciphertext-policy Attribute-based Encryption, Flexible Access Policies, Data
Secrecy.
Abstract:
With the emergence of decentralized systems and distributed infrastructures, access control to outsourced data
becomes more complex, as it should be flexible and distinguishable among users with different access rights.
In this paper, we present SABE, a Selective Attribute-based Encryption scheme, as a new threshold multi-
level access control mechanism based on an original use of attribute based encryption schemes. Our proposal
is multi-fold. First, it ensures fine-grained access control, supporting multi-security levels with respect to
different granted access privileges for each outsourced data file. Second, SABE is proven secure against
selective non-adaptive chosen ciphertext attacks in the generic group model. Third, our construction is proven
to provide efficient processing and communication complexities, compared to most closely related schemes.
1 INTRODUCTION
The emergence of decentralized systems and distri-
buted infrastructures has increased the complexity of
access control to outsourced data and has given rise to
encrypted access schemes. These mechanisms, refer-
red to as Attribute based Encryption (ABE) mecha-
nisms, are used to encrypt data files with respect to an
access policy computed on a set of attributes.
Let us take a simple example for illustrating the
need for a multi level access tree for ABE. During the
reviewing process of scientific papers submitted to a
conference, access to the papers can be provided to
general chairs, program committee, publicity chairs
or to the registration manager for the validation of re-
gistered papers. This can be formalized by an access
policy based on users’ attributes, which assigns dif-
ferent access rights to each part of the scientific pa-
per to the actors. For instance, reviewers should not
have access to identifying information of the authors
(e.g; name, affiliation, ···), registration staff should
not have access to the paper contents, while general
chairs have access to the whole research paper’s con-
tent. Thus, to enable access to encrypted data, the
encryptor is assumed to create an access structure for
each part of the scientific paper which is then encryp-
ted, w.r.t. each group of authorized entities. Depen-
ding on the attributes comprising each access struc-
ture, there might be a strong overlapping of attribu-
tes between access structures, thus leading to duplica-
ted efforts when encrypting and decrypting each part
of the data content. In addition, the management of
access control policies becomes more complex and
the burden of enciphering keys’ management rises
mainly with the dynamicity of users groups.
In this paper, we present SABE, Selective
Attribute based Encryption, a novel and efficient
threshold encryption scheme relying on attribute
based mechanisms, and provided with the following
features:
(1) SABE ensures a selective access to data based on
users’ granted privileges. A party willing to encrypt
a data file only specifies one single access structure
and certain security levels assigned to different data
blocks of the enciphered file. Thus, a user is next
able to decipher a sub-set of data blocks associated to
a security level k if the secret keys of that user satisfy
the related k
l
sub-sets of attributes.
(2) SABE is a threshold access-control scheme
associated to multi-security levels, i.e. each security
level defines the threshold number k
l
of related
sub-sets of attributes that need to be satisfied.
(3) Relying on an attribute based encryption mecha-
nism, users sharing the same access privileges are not
required to collaborate to extract the secret encrypting
key. Thus, the complexity of key management is
Kaaniche, N. and Laurent, M.
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control.
DOI: 10.5220/0006855501550167
In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 155-167
ISBN: 978-989-758-319-3
Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
155
minimized, providing an efficient processing and
communication overhead, and the definition of access
control policies is flexible and distinguishable among
users with different privileges to access data.
(4) SABE is proven secure against non-adaptive
chosen ciphertext attacks.
Paper Organization – Section 2 discusses related
works, presents the problem statement and highlights
security and functional requirements. Section 3 intro-
duces our definitions and gives background on access
structures and Lagrange Interpolation. Section 4 de-
tails our system and threat models and section 5 pre-
sents the concrete construction.The security of our
scheme is discussed in section 6. Finally, The scheme
performances are evaluated in section 7 The potential
of SABE technique to support security and privacy
in concrete networking and computing applications in
section 8 before concluding in section 9.
2 RELATED WORKS AND
SECURITY REQUIREMENTS
ANALYSIS
Sharing data contents between different involved ac-
tors is often an issue, due to the complexity of access
control policies’ management. This issue becomes
more complex when involved actors do not share the
same access privileges to each part of the data file.
In the following, we first detail related works in sub-
section 2.1. Then, we present the problem statement
based on a real-world use case, in subsection 2.2. Af-
terwards, we introduce the security and functional re-
quirements for the design of the SABE mechanism in
subsection 2.3.
2.1 Related Work
Fine-grained access control based on selective en-
cryption is a novel approach that enables selective
access to encrypted data while supporting a compel-
ling key management process. Indeed, different de-
ciphering keys can be distributed to different users
that are allowed to access the corresponding data con-
tent, with respect to their granted privileges. Howe-
ver, the translation of an access control list into an
equivalent multi-level policy remains the main issue
of these schemes. To ban access to some parts of the
data, some processes propose to cover out or remove
these chunks. These mechanisms are known by re-
daction tools. They generally rely on malleable cryp-
tographic primitives (e.g; chameleon hash functions
instead of the conventional hash functions) to ena-
ble redactors, based on their own respective private
keys to modify some portions of the originally en-
crypted file. Although these mechanisms allow se-
lective access to some parts of the originally encryp-
ted file, they are also still inefficient with multi-level
access privileges.
In 2010, Di Vimercati et al. (Di Vimercati et al.,
2010) introduce a selective authorization policy mo-
del based on graph theory in order to ensure read pri-
vilege. The authors consider a dynamic group of users
sharing data stored in remote cloud servers and as-
sume that each data content may only be accessed by
a subset of users. That is, (Di Vimercati et al., 2010)
proposal is based on the use of both a key agreement
algorithm and a key derivation function that enable a
key to be derived from another key and a public to-
ken. The combination of these two algorithms per-
mits to correctly convert access policies defined by
data owners into encryption policies. Later, in 2013,
Di Vimercati et al. (di Vimercati et al., 2013) propose
another approach to support modification of outsour-
ced data files. The main idea of (di Vimercati et al.,
2013) proposal relies on the association of each con-
tent with a write tag. The remote server permits a user
to perform the write operation on a data file if he cor-
rectly shows the corresponding write tag. A crucial
concern of the (di Vimercati et al., 2013) scheme is
that the keys used to encrypt the write tags have to be
shared between authorized users and the server. Alt-
hough the attractive advantages of the proposed solu-
tions (Di Vimercati et al., 2010), (di Vimercati et al.,
2013) to support selective access control, they do not
support multi-level access structure on the same data
content.
Along with the different emerging techniques sup-
porting selective access control to encrypted data, At-
tribute based Encryption (ABE) has been often pre-
sented as a solution to provide flexible data sharing
(Sahai and Waters, 2005) (Bethencourt et al., 2007).
In order to ensure fine grained access control to
outsourced data, several constructions relying on
ABE have been proposed (Kaaniche and Laurent,
2017b), (Hur and Noh, 2011),(Yu et al., 2010),(Jahid
et al., 2011), (Horv
´
ath, 2015), (Huang et al., 2016),
(Belguith et al., 2016). Indeed, Hur et al. proposed an
access control scheme based on CP-ABE in data out-
sourcing systems such as cloud computing (Hur and
Noh, 2011). Horvath proposed a fine-grained access
control scheme for securely sharing data in cloud en-
vironments (Horv
´
ath, 2015). To guarantee an effi-
cient revocation scheme, this construction relies on an
identity based user revocation mechanism to manage
access rights . The proposed extension is based on
SECRYPT 2018 - International Conference on Security and Cryptography
156
multiple independent attribute authorities which ma-
kes the revocation of specific users (e.g. based on
users’ identities) from the system is possible without
updates of public and private keys. However, these
schemes only focus on data sharing, at one single se-
curity level and cannot support selective access privi-
leges to outsourced data.
In (Huang et al., 2016), Huang et al. propose a
data collaboration scheme, such that authorized users
can share data in a collaborative manner. In fact, the
data owner encrypts data with respect to a selected
access policy based on CP-ABE, while the coope-
rative user re-encrypts the modified data and signs
a collaboration request with his attributes. As such,
only the users whose attributes satisfy the access po-
licy can modify outsourced data. (Huang et al., 2016)
employs a delegation mechanism based hierarchical
ABE, which contains a central authority and a number
of independent domains. Each domain holds a dom-
ain authority that requests a secret parameter from the
higher level authority and generates attribute secret
keys for its domain users. The (Huang et al., 2016)
proposal introduces a partial decryption and signing
construction, where users are able to outsource most
of the decryption and signing computation overhead
to the service provider.
Afterwards, Khan et al. presented a multi-level
access control scheme, proving a single ciphertext
over a global access policy (Khan et al., 2016). The
data owner can define limited users’ privileges to dif-
ferent chunks of the whole data D. However, the
enciphering symmetric key sk is defined as a vector
of different sub-keys sk = [s
i
]
i∈[1,n+1]
, where each s
i
is the related encrypting key of m
i
, such that D =
{m
1
,m
2
,··· ,m
n
} and s
n+1
is the enciphering key of
the whole data D. Thus, the (Khan et al., 2016) con-
struction requires heavy computation and communi-
cation costs. Recently, in 2017, Kaaniche and Lau-
rent proposed a multi-level access control scheme ba-
sed on attribute based mechanisms for e-health appli-
cations (Kaaniche and Laurent, 2017a). Their con-
struction permits the enciphering party to encrypt a
data file, while specifying an access structure and a
certain number of security levels. Thus, a user can
decrypt a sub-set of data chunks associated to a secu-
rity level k if that user’s private keys satisfy the sub-set
of attributes related to the k-security level. Nonethe-
less, the (Kaaniche and Laurent, 2017a) proposal does
not offer a threshold multi-level access, such that the
deciphering entity has to satisfy a precise set of at-
tributes to be able to decrypt a given sub-sets of data
blocks w.r.t. a given security level. In addition, the
encrypting entity has to encipher each sub-set of data
blocks associated with a given security level, using on
a different secret.
Although these schemes proposed efficient soluti-
ons to protect data contents from unauthorized access,
they are still inefficient with multi-level access poli-
cies, where users must share the same data content
with different access rights to distinct data chunks.
In addition, these schemes mainly provide interes-
ting computation and communication costs at the re-
ceiving entity side, w.r.t to the decryption procedure,
while it is important to focus on the processing over-
head at the data owner side, responsible for defining
different access policies to different parts of outsour-
ced data files.
2.2 Problem Statement
In real-world data sharing scenarios, different orga-
nisations and actors can be involved. The shared data
must be protected from unauthorized access while en-
suring fine grained access control for different aut-
horized actors. For preserving data confidentiality
against malicious users, encryption should be applied
while supporting flexible sharing of encrypted data
among dynamic groups of users, with fine-grained
access control policies.
Let us consider the case of the reviewing process
of scientific papers: the website administrator mana-
ges access to the encrypted versions of submitted pa-
pers with respect to three different groups of users:
reviewers, sub-reviewers and PC chair. Indeed, ac-
cording to their related credentials, some entities can
have access to the paper content as well as the name
of authors and their personal information, while ot-
hers may have access to only anonymized versions of
the submitted papers, referred to as blinded papers.
Thus, the aforementioned group of users define se-
veral access control policies as follows:
• access to the blinded paper – [((reviewer or sub-
reviewer) and research track) and (computer sys-
tems or network security)] or [(computer systems
or network security) and PC chair] or [((revie-
wer or sub-reviewer) and research track) and PC
chair] ;
• access to the paper and identifying information –
((reviewer or sub-reviewer) and research track)
and (computer systems or network security) and
(PC chair);
To enable access to encrypted data, the available
option related to the use of ABE mechanisms is ba-
sed on the naive computing approach referred to as
NC in the following. In NC, the data owner, i.e; the
website administrator, is assumed to create an access
structure for each part of the scientific paper which is
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control
157
then encrypted, with respect to every group of autho-
rized users. Concretely, the blinded version of the pa-
per and the whole paper content including identifying
information have to be enciphered with respect to dif-
ferent access structures. However, it is worthy notice-
able that (i) these access structures share several leaf
nodes, corresponding to redundant required attributes
and (ii) each data content is encrypted several times
under different access policies. In fact, this use-case
points out that there might be overlapping between
access structures for the same data share, thus leading
to complex access structures. In addition, the mana-
gement of access policies becomes more complex and
the burden of enciphering keys’ derivation for every
data chunk rises mainly with groups of users having
different access privileges. That is why we propose
a multi-level access control mechanism for the same
data content, based on an ABE aggregate access tree.
2.3 Security and Functional
Requirements
The proposed SABE scheme has to fulfill the follo-
wing security properties and functional features:
• data confidentiality – even in case of collusions,
SABE has to ensure the secrecy of encrypted data
contents against malicious entities, namely unaut-
horized and revoked users.
• multi-level fine grained access control – SABE
should support flexible multi-level security poli-
cies among groups of users with different granted
privileges.
• threshold support – SABE should ensure the
threshold feature, such that each defined security
level may encompass several sub-trees.
• low processing and communication costs –
SABE encrypted data file should be short-sized
as the transmission overhead is essential in the
emerging infrastructure context. In addition, the
encryption and decryption processes should have
a low computation cost in order to reduce the im-
pact of heavy cryptographic mechanisms on the
efficiency of the intended algorithms.
3 PRELIMINARIES
3.1 Mathematical Background
In this section, we introduce our prerequisites, namely
multi-leveled pairing functions, access structures and
Lagrange interpolation, defined as follows:
Definition 1. (Leveled Multilinear Maps (Hohenber-
ger et al., 2013) (Garg et al., 2013))
Let G be a group generator G(1
κ
,k), where κ is a
security parameter and k is the number of allowed
pairing operations. G(1
κ
,k) outputs a sequence of
groups such that
~
G = [G
1
,· ·· ,G
k
], each of prime or-
der p > 2
κ
. Let g
i
be a canonical generator of G
i
.
We assume the existence of a set of bilinear maps
{e
i, j
: G
i
× G
j
−→ G
i+ j
|i, j ≥ 1, i + j ≤ k}. The map
e
i, j
satisfies the following relation:
e
i, j
(g
i
a
,g
j
b
) = g
i+ j
ab
, ∀a,b ∈ Z
p
Definition 2. (Access Structure (Beimel, 2011))
Let P = {P
1
,P
2
,· ·· ,P
n
} be a set of parties, and a col-
lection A ⊆ 2
{P
1
,P
2
,···,P
n
}
is called monotone if ∀B,C ⊆
2
{P
1
,P
2
,···,P
n
}
: if B ∈ A and B ⊆ C then C ∈ A. An
access structure is a collection A of non-empty sub-
sets of {P
1
,P
2
,· ·· ,P
n
} ; i.e. A ⊆ 2
{P
1
,P
2
,···,P
n
}
\ {
/
0}.
The sets in A are called authorized sets, and the sets
not in A are called unauthorized sets.
Definition 3. (Lagrange Interpolation)
Given a set of (k + 1) distinct points
{(x
0
,y
0
),· ·· ,(x
k
,y
k
)}, the Lagrange polynomial
is a linear combination L(x) =
∑
k
j=0
y
j
δ
j
(x) of
Lagrange coefficients δ
j
(x) =
∏
0≤i6= j≤k
x−x
i
x
j
−x
i
.
3.2 Cryptographic Assumptions
For our construction, we consider the following com-
plexity assumptions:
• Discrete Logarithm Problem (DLP) – Let G be a
multiplicative cyclic group of a prime order p, and
g is a generator of G. The DLP problem is, given
the public element y = g
x
∈ G, there is no efficient
probabilistic algorithm A
DLP
that can compute the
integer x.
• Computational Diffie Hellman Assumption
(CDH) – Let G be a group of a prime order p,
and g is a generator of G. The CDH problem
is, given the tuple of elements (g,g
a
,g
b
), where
{a,b}
R
←− Z
p
, there is no efficient probabilistic
algorithm A
CDH
that computes g
ab
.
4 OVERVIEW
Our Selective Attribute based Encryption (SABE)
enables a group of users to access different parts of an
encrypted data file in a threshold manner with respect
to their different granted privileges. The main idea
behind SABE relies on ABE such that users’ keys
SECRYPT 2018 - International Conference on Security and Cryptography
158
and decryption capabilities are related to the attribu-
tes they possess. Indeed, the SABE scheme considers
that the plaintext is composed of a set of messages and
users’ credentials (i.e; certified attributes) settle which
subset of data blocks may be deciphered. It provides
the ability to strike a balance between security and
processing demands.
Accurately, the encrypting entity defines an access
structure with respect to n attributes, while specifying
multi-threshold levels {k
l
}
l∈[1,c]
, where k
l
is the k
l
-
security level and c is the number of defined security
levels. Note that each security level k
l
corresponds to
n
l
sub-trees that permit to reconstruct a secret key v
l
required to decipher the subset of data blocks associ-
ated to the security level k
l
.
4.1 System Model
A selective attribute-based encryption scheme
(SABE) for a message space M and an access struc-
ture space G relies on four randomized algorithms,
defined as follows:
• setup – it is executed the master entity (i.e; attri-
bute authority) to set up the system. The setup
algorithm takes as input the security parameter κ
and outputs the public parameters pp and the mas-
ter key mk.
• encrypt – it is performed by the encryptor. The
encrypt algorithm takes as input the public pa-
rameters pp, an access structure Γ over the uni-
verse of attributes S and the set of security levels
{k
l
}
l∈[1,c]
, where c is the number of security le-
vels and a message M = {m
l
}
l∈[1,c]
. It encrypts
the message M w.r.t. c security levels and out-
puts a ciphertext CT = {Γ, ∀k
l
: CT
l
}, such that
l ∈ [1,c] and each security level has to be satis-
fied by at least n
l
root subtrees. This algorithm is
performed such that only a user that holds a set
of certified attributes w.r.t. a security level k
l
that
satisfies the access structure Γ can decipher the
encrypted message CT
l
.
• keygen – it is run by the attribute authority. This
algorithm takes as input the public parameters pp,
the master key mk and a set of attributes S and
outputs the related secret key sk.
• decrypt – it is performed by the deciphering en-
tity. The decrypt algorithm takes as input the pu-
blic parameters pp, the ciphertext CT , which con-
tains an access policy Γ, the security level k
l
and
the secret key sk associated to the set of attributes
S. Recall that S has to satisfy Γ, w.r.t. a security
level k
l
, to be able to decrypt the corresponding
ciphertext CT
l
and retrieve the message m
l
.
The correctness property requires that for all
security parameter κ, all universe descriptions S,
all (pp,mk) ∈ setup(κ), all S ⊆ S, all M ∈ M ,
all Γ ∈ G, all sk ∈ keygen(pp,mk,S ), all k
l
∈
K (K is the security level space) and all CT ∈
encrypt(pp,Γ, M,{k
l
}
l∈[1,c]
), if S satisfies Γ w.r.t. a
security level k
l
, then decrypt (pp,CT,k
l
,sk) algo-
rithm outputs m
l
.
4.2 Selective CCA-1 Security Model
Let Π = (setup, encrypt,keygen,decrypt) be a SABE
scheme for a message space M and an access struc-
ture space G. To prove the resistance of SABE against
selective chosen ciphertexts attacks, we consider a se-
curity game, referred to as G
S−CCA
(1
κ
), between a
challenger C and an adversary A. That is, A defines
a challenge access structure Γ
∗
, such that he can ask
for any private keys generation of a set of attributes
S as well as decryption queries of ciphertexts CT that
do not satisfy Γ
∗
. G
S−CCA
(1
κ
) is formally defined as
follows:
INIT — C executes the setup algorithm, gives the
public parameters pp to A and keeps secret mk.
QUERIES — A can repeatedly make any of the
following queries for each session j:
• obtain : A queries for the secret jets {sk
j
}
j∈[1,t]
w.r.t. a set of attributes {S
j
}
j∈[1,t]
related to the
security level {k
l, j
}.
• cordec : A sends the pair (CT
j
,S
j
) and asks for
the decryption of a selected ciphertext CT
j
, based
on the private key associated to the set of attributes
S
j
. Note that if C has not previously extracted sk
j
related to S
j
, then C does the extraction based on
the obtain algorithm and outputs the result of the
decryption of CT
j
w.r.t. {k
l, j
} selected security
levels.
CHALLENGE — A submits two equal length mes-
sages M
0
and M
1
, gives the access policy Γ
∗
and the
set of security levels {k
l
}
∗
, such that none of the pre-
vious quiered sets {S
j
}
j∈[1,t]
satisfies Γ
∗
for {k
l
}
∗
.
Consequently, C flips a coin b and encrypts M
b
un-
der Γ
∗
, w.r.t. {k
l
}
∗
. The resulting ciphertext CT
∗
is
then submitted to A.
GUESS — A outputs a guess b
0
of b. The output
of G
S−CCA
(1
κ
) is 1 if and only if b = b
0
.
Definition 4. SABE security w.r.t. G
S−CCA
(1
κ
)
A SABE scheme Π is selectively CCA secure (i.e;
selectively secure against chosen-ciphertext attacks)
for attribute universe S if for all probabilistic
polynomial-time adversaries A, there exists a negligi-
ble function ε, such that Pr[G
S−CCA
(1
κ
) = 1] =
1
2
±ε.
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control
159
5 SABE CONSTRUCTION
In this section, we first introduce the access tree mo-
del (subsection 5.1) before detailing our SABE con-
crete construction (subsection 5.2).
5.1 Access Tree Model
In SABE, we consider that each access structure, re-
ferred to as Γ is defined with respect to two levels:
• Level 1 – the first level encompasses the root node
and its direct children. The root node is defined as
k
l
-out-of-c security levels. Each security level k
l
requires at least p
l
subsets of attributes and n
l
sub-
trees of the root node for the reconstruction of the
corresponding secret key v
l
.
• Level 2 – it corresponds to interior nodes as well
as leaf nodes. Each interior node of the tree is a
threshold gate and the leaves are associated with
attributes, as detailed in Bethencourt et al. con-
struction (Bethencourt et al., 2007).
Note that the same notation as (Bethencourt et al.,
2007), is used to describe the access tree. Each
non-leaf node of Γ is expressed w.r.t. the number
of its children num
x
and a threshold value t
x
, where
1 ≤ t
x
≤ num
x
. As introduced in (Bethencourt et al.,
2007), three additional functions are defined namely
parent(x), att(x) and index(x). The parent(x)
function denotes the parent of the node x, the att(x)
denotes the attributes associated with the leaf node x
and the index(x) denotes a number associated with
the node. We denote by Γ
x
the subtree of Γ rooted at
the node x. If a set of attributes S = {a
i
}
i∈[1,l]
, where
l is the number of attributes and l ≥ t
x
, satisfies the
access tree Γ
x
, it is referred to as Γ
x
(S) = 1.
Hence, Γ is rooted by the root node r. For in-
stance, depending on the number of the attributes l
and the number of subtrees n
l
rooted by the root node,
the user may decrypt CT
l
, w.r.t. k
l
, such that:
if ∃x
i
i∈[1,n
l
]
such that Γ
x
i
(S) = 1, then Γ
k
l
(S) = 1
where Γ
k
l
is the access tree for the security level k
l
.
5.2 Concrete Construction
SABE construction is based on the following algo-
rithms:
setup(κ) – this algorithm first selects leveled 4-
linear maps. In fact, it defines two symmetric pairing
functions ˆe
1
and ˆe
2
, such that ˆe
1
: G
1
× G
1
→ G
2
and
ˆe
2
: G
2
× G
2
→ G
3
, where G
1
, G
2
and G
3
are three
multiplicative groups of prime order p. It also selects
three random generators g, h and f of G
1
, G
2
and G
3
,
respectively, such as ˆe
1
(g,g) = h and ˆe
2
(h,h) = f .
The setup algorithm defines for each security level
k
i
∈ K (i.e; K is the security level universe), an ele-
ment X
k
i
such as ∀k
i
,X
k
i
= ˆe
2
(h,h)
α
i
, where i ∈ [1,n]
α
i
∈ Z
p
and n is the maximum number of security le-
vels. The public parameters pp are defined as follows:
pp = {G
1
,G
2
,G
3
, ˆe
1
, ˆe
2
,g,h, f , p, n,{X
i
}
i∈[1,n]
}
The master key mk is the set of generators {h
α
i
}
i∈[1,n]
.
encrypt(pp,Γ, M,{k
l
}
l∈[1,c]
) – it first selects a po-
lynomial q
x
for each node x and sets the degree d
x
of
each polynomial, to be less than the threshold value
such that d
x
= t
x
− 1 (i.e; t
x
is the threshold value of
the node x).
Let q
r
be the polynomial associated to the root
node and defined as q
r
(x) = s + a
1
x + · · · + a
d
r
x
d
r
,
where d
r
= t
r
− 1. In the following, we denote by
a
0
the secret s.
Subsequently, for each security level k
l
, the
encrypt algorithm calculates t
r
− n
l
auxiliary con-
stants such as:
Σ
k
l
= {X
k
l
−a
1
,· ·· ,X
k
l
−a
t
r
−n
l
}
The ciphertext is presented as follows:
CT = {Γ, ∀k
l
:
˜
C
k
l
= m
l
· X
s
k
l
,Σ
k
l
,
∀y : C
y
= g
q
y
(0)
,C
0
y
= H (att(y))
q
y
(0)
}
where Y is the set of leaf nodes and H is a hash
function, such that H : {0,1}
∗
→ G
1
.
keygen(pp,mk,S ) – it chooses a random r ∈ Z
p
and a set of random values {r
j
} ( i.e; j is the number
of attributes of S). The private key sk associated to S
is defined as:
sk = { ∀k
i
∈ K : D
k
i
= h
r
−1
α
i
,
∀a
j
∈ S : D
j
= g
r
· H ( j)
r
j
,D
0
j
= g
r
j
}
decrypt(pp,CT, k
l
,sk) – for the decryption algo-
rithm, we assume that the decryptor satisfies the k
l
-
security level with n
l
sub-trees of Γ being satisfied.
This latter proceeds as follows:
• Level 2 – it works in a recursive manner, re-
lying on the DecryptNode function as presented
in (Bethencourt et al., 2007), resulting in F
x
=
ˆe
1
(g,g)
rq
x
(0)
, for each node x that belongs to Level
2 of Γ.
• Level 1 – Let S
r
be the set of a n
l
-sized set of child
nodes x of the root node. Referring to the gene-
ralization of Shamir’s threshold scheme (Shamir,
SECRYPT 2018 - International Conference on Security and Cryptography
160
) (Hassler et al., 1993), the decryption algorithm
computes two vectors~y and ~a, such as
~y = {y
i
}
i∈[1,n
l
]
= {q
r
(index(x
i
))}
i∈[1,n
l
]
= {q
i
(0)}
i∈[1,n
l
]
and ~a = {a
j
}
i∈[0,d
r
]
, where a
j
are the coefficients
of the root polynomial of degree d
r
.
Then, the decrypting entity defines a matrix U =
{U
i j
} = {u
i
j
}, such as u
i
= index(x
i
) and ~y =
U ·~a.
Afterwards, the algorithm takes the first and the
last n
l
− 1 columns of U and creates a sub-matrix
U
s
such that U
s
= {u
i
j
}, where i = 1, ··· , n
l
and
j = 0,t
r
− n
l
+ 1,t
r
− n
l
+ 2, ··· ,d
r
. Afterwards,
the decrypt algorithm computes the inverse ma-
trix of U
s
, referred to as U
s
−1
= {v
i j
}. The inverse
matrix is then used to form the following modi-
fied system of equations: U
s
−1
·~y = U
s
−1
·U ·~a.
The first equation of this system is of the form
s
k
l
= a
0
+ a
1
λ
1
+ ·· · + a
t
r
−n
l
λ
t
r
−n
l
, where s
k
l
=
∑
n
l
j=1
y
j
v
1 j
.
To extract the deciphering key, the decrypt algo-
rithm computes F
R
k
l
such as:
F
R
k
l
=
∏
y
k
∈S
r
[ ˆe
1
(g,g)
rq
k
(0)
]
v
1k
(1)
= ˆe
1
(g,g)
∑
y
k
∈S
r
rq
k
(0)v
1k
(2)
= ˆe
1
(g,g)
rs
k
l
(3)
The decrypt algorithm can now decrypt the cip-
hertext with respect to the k
l
-security level, such as:
˜
C
k
l
ˆe
2
(D
k
l
,F
R
k
l
)
∏
k∈[1,t
r
−n
l
],z
k
∈Σ
k
l
z
k
λ
k
=
m
l
· X
s
k
l
X
k
l
s
= m
l
(4)
6 SECURITY ANALYSIS
In this section, we first prove the correctness of our
SABE scheme, in section 6.1. Then, we discuss the
security of our proposed scheme with respect to the
security model detailed in section 4.2.
6.1 SABE Correctness
The correctness of our proposition relies on the cor-
rectness of Equation 5:
˜
C
k
l
ˆe
2
(D
k
l
,F
R
k
l
)
∏
k∈[1,t
r
−n
l
],z
k
∈Σ
k
l
z
k
λ
k
?
= m
k
, (5)
where F
R
k
l
=
∏
y
k
∈S
r
[ ˆe
1
(g,g)
rq
k
(0)
]
v
1k
.
Upon receiving the ciphertext CT , the decrypting
entity proceeds as follows based on two levels:
• Level 2 – the decrypt algorithm works in a re-
cursive manner, relying on the algorithm Decrypt-
Node as presented in (Bethencourt et al., 2007).
For each non-leaf node x, having z child nodes,
the DecryptNode algorithm outputs F
x
such as :
F
x
=
∏
z∈S
x
F
z
δ
i,S
0
x
(0)
= ˆe
1
(g,g)
rq
x
(0)
where: S
x
is an arbitrary k
x
sized set of child no-
des z such that F
z
6= ⊥, i = index(z) and S
0
x
=
{index(z) : z ∈ S
x
}. We note that if no such S
x
ex-
ists then the node is not satisfied and the function
returns ⊥.
• Level 1 – after executing the DecryptNode algo-
rithm for all child-nodes of the root node, the
decrypt algorithm proceeds as follows: for the
first level, we suppose that the deciphering entity
satisfies the k
l
-security level. Recall that for each
security level k
l
, S
r
is the n
l
-sized set of child
nodes x of the root node r. To extract the de-
ciphering key, the decrypting entity first defines
the vectors ~a and ~y and the matrices U , U
s
and
U
s
−1
, with respect to k
l
as explained in section 5.
Then, it defines the equation s
k
l
= a
0
+ a
1
λ
1
+
·· ·+a
t
r
−n
l
λ
t
r
−n
l
, where s
k
l
=
∑
n
l
j=1
y
j
v
1 j
and com-
putes F
R
k
l
as detailed in Equation 1.
For ease of presentation, we denote by r the quan-
tity
˜
C
k
l
ˆe
2
(D
k
l
,F
R
k
l
)
∏
k∈[1,t
r
−n
l
],z
k
∈Σ
k
l
z
k
λ
k
. Finally, the decrypt
algorithm deciphers the ciphertext with respect to the
k
l
-security level as follows:
r =
˜
C
k
l
ˆe
2
(h
r
−1
α
l
, ˆe
1
(g,g)
rs
k
l
)
∏
k∈[1,t
r
−n
l
],z
k
∈Σ
k
l
z
k
λ
k
=
˜
C
k
l
ˆe
2
(h,h)
α
l
s
k
l
ˆe
2
(h,h)
−α
l
∑
k∈[1,t
r
−n
l
]
a
k
λ
k
=
˜
C
k
l
ˆe
2
(h,h)
α
l
(s
k
l
−
∑
k∈[1,t
r
−n
l
]
a
k
λ
k
)
=
m
l
· X
a
0
k
l
X
k
l
a
0
, (a
0
= s)
= m
l
6.2 Selective CCA-1 Security
The resistance of the SABE scheme against is se-
lective chosen ciphertexts attacks relies on Theorem
6.1.
Theorem 6.1. Our SABE scheme is secure against se-
lective non-adaptive chosen ciphertext attacks in the
Generic Group Model (GGM), under the DLP and the
CDH assumptions, with respect to the G
S−CCA
(1
κ
) se-
curity game.
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control
161
Proof. One of the main challenges to design our
SABE scheme was to prevent collusion attacks among
users. Hence, as our scheme is based on the CP-ABE
construction of Bethencourt et al. (Bethencourt et al.,
2007), it randomizes, in the same way, users’ private
keys such that they cannot be combined. In fact, each
secret element D
j
, related to an attribute j, encom-
passes a random value r associated to the user, and
r
j
related to the attribute j, which prevents colluding
users to override their rights. Subsequently, SABE is
resistant to collusion attacks. In addition, to decrypt
a ciphertext w.r.t. a security level k
l
, A must recover
X
k
l
s
= ˆe
2
(h,h)
α
l
·s
, where the secret sharing key s is
embedded in the ciphertext. For this purpose, A has
to retrieve the corresponding
˜
C
k
l
and the related pri-
vate key element D
k
l
from the user’s private key.
To prove that our scheme is secure against
selective non-adaptive chosen ciphertext attacks, we
first consider that A is running the G
S−CCA
expe-
riment with an entity B. This latter is running the
Exp
B
Bethencourt et al. security game (Bethencourt
et al., 2007), with C . The objective of this proof is to
show that the advantage of A to win the G
S−CCA
(1
κ
)
security game is equivalent to the advantage of B to
win the Bethencourt et al. security game (Bethen-
court et al., 2007). Hereafter, A and B proceed as
follows:
INIT — C executes setup, gives pp to B and keeps
secret mk. Consequently, B sends pp to A.
QUERIES — B sets an empty table T and repea-
tedly make the following queries, such that for each
session j:
• obtain : A queries {sk
j
}
j∈[1,t]
w.r.t. a set of
attribute {S
j
}
j∈[1,t]
associated to {k
l, j
} security
levels. That is, B uses C to derive and send
the queried secret keys to A. The private keys
{sk
j
,S
j
}
j∈[1,t]
are returned to B. Subsequently, B
sets a new entry with the pair {sk
j
,S
j
}
j∈[1,t]
and
returns {sk
j,GID
}
j∈N
to A.
• cordec : A sends (CT
j
,S
j
) and queries for the
decryption result of the ciphertext CT
j
, w.r.t. S
j
.
Indeed, B checks if an entry sk
j
for S
j
does exist
in T w.r.t. {Γ
∗
,k
l, j
} and retrieves sk
j
. Then, B
deciphers CT
j
and sends the result to A.
CHALLENGE — A submits two equal length messa-
ges M
0
and M
1
and gives the access policy Γ
∗
and
the set of security levels {k
l
}
∗
, such that none of
the previous sets {S
j
}
j∈[1,t]
satisfies Γ
∗
w.r.t. {k
l
}
∗
.
Consequently, B selects Γ
B
such that Γ
B
⊆ Γ
∗
. We
have to emphasize that all pre-identified subtrees ST
i
required to satisfy the security level {k
l
}
∗
have to be
included in the selected access structure Γ
B
.
Afterwards, B sends the access structure Γ
B
and the
two equal length messages M
0
and M
1
, defined by A.
C flips a coin b, encrypts M
b
under Γ
B
and sends the
resulting ciphertext {CT
b
}
∗
to A.
We distinguish two different cases for the
G
S−CCA
(1
κ
) game, as follows:
Case 0: we set only one security level k
l
∗
, during the
INIT phase such as the public parameter n defined
by C is equal to 1. That is, all queried secret keys
are associated to the set of attributes S
i
that decrypt
ciphertexts, encrypted w.r.t. k
l
∗
, for each session i.
As such, we notice that the two first steps INIT and
QUERIES of the G
S−CCA
(1
κ
) are similar to the (Be-
thencourt et al., 2007) experiment. Additionally, the
challenge access structure selected by A is equivalent
to the access policy defined by B (i.e; Γ
B
= Γ
∗
,
where all sub-trees of Γ
∗
have to be included in Γ
B
).
Case 1: during the INIT phase, C defines several se-
curity levels, where n 6= 1. Thus, we point out two
sub-cases as follows:
• Case 1-a : during QUERIES, a single security le-
vel is selected, such that all queried cordec have
to return response w.r.t. the pre-fixed k
l
∗
, whereas
queried private keys are encoded under different
security levels, for each session i. That is, B has
to select Γ
B
where subtrees ST
i
required to satisfy
each selected security level {k
l
}
∗
of Γ
∗
have to be
included in Γ
B
.
• Case 1-b: during QUERIES, the attacker A sends
cordec queries to the challenger C with respect
to different security levels {k
l,i
} for each different
session i and a ciphertext CT
i
. We note that CT
i
may be encoded under different security levels.
During the challenge phase, A sends two diffe-
rent messages M
0
and M
1
and asks C to encipher
the selected message under a security level k
l
∗
that
has never been queried during QUERIES. Hence,
B chooses Γ
B
such that identified subtrees ST
i
re-
quired to satisfy the security level {k
l
}
∗
of Γ
∗
have
to be included in Γ
B
.
In the G
S−CCA
(1
κ
) security game, including Case 0
and Case 1, the challenge ciphertext has a component
˜
C
k
l
which is either M
0
· X
k
l
s
or M
1
· X
k
l
s
(i.e; s is
the enciphering secret key). Hence, we consider
a modified game, defined in (Bethencourt et al.,
2007), in which
˜
C
k
l
is either ˆe
2
(h,h)
α
l
·s
or ˆe
2
(h,h)
θ
,
where θ is selected uniformly at random. A has to
guess which is the case. The adversary’s advantage
is obviously equal to ε in the original security game.
In fact, no efficient adversary A can output b
0
= b,
SECRYPT 2018 - International Conference on Security and Cryptography
162
in the security experiment Exp
A
(1
κ
), better than a
random guess. Recall that a random guess b
0
by A is
equal to b, with a probability 1/2. Thus, we call ε the
advantage of A if b
0
= b with the probability 1/2 ± ε.
As such, in the modified game, the adversary
advantage is at least ε/2, while considering two
equivalent sub-cases: when A has to distinguish
between M
0
· X
k
l
s
and ˆe
2
(h,h)
θ
and when A has to
distinguish between M
1
·X
k
l
s
and ˆe
2
(h,h)
θ
. Hereafter,
we consider A’s advantage in the modified game.
G
S−CCA
(1
κ
) Game Analysis – As introduced in
(Bethencourt et al., 2007) (Boneh et al., 2005), each
element of G
1
, G
2
and G
3
is encoded as a uni-
que random. The encoding properties of elements in
G
i
is presented by ξ
0,i
: Z
p
→ {0,1}
∗
that maps all
a ∈ Z
p
to the representation ξ
0,i
(a) of g
a
∈ G
i
and
ξ
T,i
: Z
p
→ {0, 1}
∗
that maps all a ∈ Z
p
to the repre-
sentation ξ
T,i, j
(a) of ˆe
j
(g,g)
a
∈ G
i
(i ∈ {1,2,3} and
j ∈ {1,2}). The adversary communicates with the
oracles to perform actions in G
1
, G
2
, G
3
, ˆe
1
and ˆe
2
based on ξ
0,i
and ξ
T,i, j
representations.
For Case 0, during the INIT phase, C sets n = 1, choo-
ses α ∈ Z
p
and sends the public parameters ξ
0,1
(1) =
g,ξ
0,2
(1) = h and ξ
T,3,2
(α) to the adversary. Subse-
quently, B initializes an empty table T . Then, du-
ring QUERIES, A queries several times obtain and
cordec algorithms. For each obtain query, C si-
mulates the H oracle function for each string i ∈ S
j
,
queried in session j. The H oracle outputs g
t
i
for
each different queried i. In the sequel, for a session j,
obtain selects a random r
( j)
, computes D
k
= h
α/r
( j)
.
Then, for each i ∈ S
j
, it provides D
i
= g
r
( j)
+t
i
r
i
( j)
and
D
0
i
= g
r
i
( j)
. Then, B sets these computed values as
new entries in T, and sends them to A.
Then, for the cordec oracle, A submits (S
j
,CT
j
)
and asks for the decryption of CT
j
, w.r.t. the pre-
defined security level k
l
∗
. Hence, B performs the
decryption of CT
( j)
for each session j and provides
a message M
j
or an error message if the set of at-
tributes does not satisfy the access policy w.r.t. the
pre-defined security level. Clearly, the SABE con-
struction is close to the CP-ABE construction propo-
sed by Bethencourt et al. (Bethencourt et al., 2007).
The main difference consists in the derivation of the
embedded shared secret, obfuscated in the exponent
of the related pairing function. Indeed, in addition to
Lagrange interpolation proposed by the (Bethencourt
et al., 2007) scheme, in our proposal, the processing
of Level 1 of an access structure Γ, with respect to
k
l
∗
requires pointing out the correct public element
X
k
l
∗
=
ˆ
E
2
(h,h)
α
k
, which is different for each level.
As such, to prove that Case 0 is close to the
(Bethencourt et al., 2007) construction, we consider
an absurdum reasoning, where A can win Exp
A
with non-negligible probability. To do so, we con-
sider that the root polynomial in Exp
B
is equal to
q
r,Exp
B
(x) =
∑
p
i=0
a
i
x
i
, where a
0
= s. In the sequel, we
easily verify that there exists one polynomial q
r,Exp
A
,
such that q
r,Exp
A
=
∑
p
i=0
a
0
i
x
i
and
∑
p
j=1
∑
p
i=0
a
0
i
x
j
i
= s.
To do, we consider p − 1 random values a
0
i
, where
i ∈ [1, p−1]. As such, we have the following equality:
p
∑
j=1
p
∑
i=0
a
0
i
x
j
i
= s =
p
∑
j=1
p−1
∑
i=0
a
0
i
x
j
i
+
p
∑
j=1
a
0
p
x
j
p
(6)
Following Equation 6, we notice that:
a
0
p
=
s −
∑
p
j=1
∑
p−1
i=0
a
0
i
x
j
i
∑
p
j=1
a
0
p
x
j
p
(7)
From Equation 6 and Equation 7, it is worth noti-
cing that the polynomial q
r,Exp
A
exists. Consequently,
A receives the challenge ciphertext CT
b
. If the ad-
versary A can win the Exp
A
experiment with a non-
negligible probability, then A can guess b
0
which is
therefore sent to B. As such, B can win the secu-
rity game Exp
B
, introduced in (Bethencourt et al.,
2007) with a non-negligible probability. This contra-
dicts our assumption that (Bethencourt et al., 2007)
is proved secure in GGM. Additionally, for Case 0
of G
S−CCA
(1
κ
), the INIT, QUERIES and CHALLENGE
phases relies on one single security level, such that M
b
contains one single data block w.r.t. the k
l
security le-
vel, this first case follows the selective CCA-security
of the Bethencourt et al.’s CP-ABE scheme (Bethen-
court et al., 2007). In the sequel, the advantage of A is
at most equal to O(
q
2
p
), where p is the order of an ad-
ditive group F
p
and q is a bound on the total number
of group elements received by any adversary A from
its interaction with the G
S−CCA
(1
κ
) game.
For Case 1, during the INIT phase, C defines n and
sends the public parameters ξ
0,1
(1) = g,ξ
0,2
(1) = h
and ∀ j ∈ [1, n],ξ
T,3,2
(α
j
) to B. Let us notice that
Case 1 can be modeled in multi-user setting, such
that there are multiple public keys and multiple chal-
lenge ciphertexts that can be dependent. In our case,
the public keys correspond to the security levels’ pu-
blic parameters X
k
i
and challenge ciphertexts consist
of the different chuncks of the challenge message
M
∗
= {m
l
∗
}
l∈[1,c
∗
]
. Hence, Case 1 is a generaliza-
tion of selective CCA security in the multi-user set-
ting and the adversary A, having access to n different
public keys, can perform multiple Left-or-Right que-
ries. These challenge ciphertexts must be created with
the same selector b; i.e; all ciphertexts are encryption
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control
163
of the left input, or all ciphertexts are encryption of
the right input.
During the CHALLENGE phase, we distinguish
Case 1-a, where A sends two messages M
0
and M
1
,
the access structure Γ
∗
and a security level k
l
∗
; and
Case 1-b where A sends two messages M
0
and M
1
and the access structure Γ
∗
, which has to be encryp-
ted with respect to a set of security levels {k
l
∗
}.
First, for Case 1-a, as the encryption is performed
w.r.t. a single security level k
l
∗
, then the challenge
message has to be composed of one single data block
and the cardinal of the set of auxiliary constants is
equal to 0 (i.e; |Σ
k
l
| = 0 ). As the sequel, the progress
of the CHALLENGE phase of Case 1-a is similar to
Case 0, leading us to an adversary advantage equal at
most to O(
q
2
p
).
Second, for Case 1-b, when A asks for the encryp-
tion of the challenge message, C does the following.
C first chooses a random s ∈ F
p
and uses the linear se-
cret sharing scheme associated with the access struc-
ture Γ
∗
to construct the shares σ
k
and λ
i
of s for all
relevant sub-trees k and attributes i, respectively. As
detailed in (Bethencourt et al., 2007), both λ
i
and σ
k
shares have to be chosen uniformly and independently
at random values from F
p
. Subsequently, the simu-
lation chooses µ randoms θ
l
∈ F
p
, where l ∈ [1, µ]
and µ is the cardinal of the set of security levels
{k
l
∗
}
l∈[1,µ]
. Finally, C outputs the encryption of the
challenge message such that: for each security level
k
l
, we have
˜
C
k
l
= ˆe
2
(h,h)
θ
l
and Σ
k
l
= {ξ
T,3,2
(α
l
)
−σ
t
},
where t ∈ [1,t
r
− n
l
] and l ∈ [1, µ] (cf; section 5.2).
For each relevant attribute i, we have C
i
= g
λ
i
and
C
0
i
= g
t
i
λ
i
. These values are then sent to the advers-
ary. We state that if A asks for a decryption key for a
set of attributes that satisfy Γ
∗
w.r.t. any security le-
vel, then C does not issue the key. Similarly, if A asks
for Γ
∗
, w.r.t. any security level, such that one of the
keys is already issued then the simulation aborts. In
the sequel, the advantage of the adversary is at most
equal to O(µ
q
2
p
), due to the randomness of the choice
of variable values in the simulation.
In fact, knowing that this randomization is requi-
red for generating the ciphertext, A is led to break the
CDH assumption. The G
S−CCA
(1
κ
) security is then
considered with respect to the CDH-assumption. In-
tuitively, here, B relies on the capabilities of A to
forge a ciphertext C
i
obtained from interactions with
C in Exp
A
. Since A and B algorithms are based on
coin tosses, the first condition for B to succeed is that
it does not abort the game before A. In (Ahn et al.,
2012), this probability has been shown to be
1
e
if the
probability for the coin flipping to be 0 is
1
ξ
c
+1
, where
ξ
c
is the number of ciphertexts’ queries. The other
condition of the attacker is to be able to identify the
value of λ
i
for each C
i
or to guess the value θ
l
related
to a security level k
l
. After a time t
0
, this probability
is equal to
1
ξ
c
+1
. This shows that B can violate the
CDH-assumption with a probability equal to
ε
e(ξ
c
+1)
which conflicts the fact that G
1
is a (t,ε)-CDH group.
Indeed, the adversary’ view in this simulation is iden-
tically distributed for all security levels. In fact,
despite the multi-user setting environment, the en-
cryptions of data blocks of the challenge message M
b
are completely independent, thanks to the use of the
encoding function ξ
T,3,2
. As such, Case 1-b can be
considered as µ random repetitions of Case 0 simula-
tion, with respect to µ security levels.
As such, we prove that our SABE construction is
secure against selective non-adaptive chosen cipher-
texts attacks in the Generic Group Model (GGM), un-
der the DLP and the CDH assumptions, with respect
to Exp
A
(1
κ
) experiment.
7 SABE PERFORMANCES
DISCUSSION
In this section, we discuss the functional properties
as well as the processing, communication and storage
cost of our SABE construction compared to the naive
computing approach NC introduced in section 2.2 and
two of the most closely related schemes (Kaaniche
and Laurent, 2017a), (Khan et al., 2016). That is, we
first present a theoretical performance analysis, ba-
sed on mathematical operations’ complexities, in sub-
section 7.1. Then, we discuss measurement results of
different mathematical operations’ computation and
present an estimation of the different SABE algo-
rithms calculation times, relying on the cpabe toolkit
1
. Finally, we discuss the support of the threshold fe-
ature when designing multi-level access control sche-
mes in subsection 7.3.
7.1 Theoretical Performance Analysis
For our theoretical performance analysis, we assess
the theoretical complexity where the encrypting en-
tity has to create k different access control policies,
associated to k different security levels, for the naive
approach. To this purpose, we define, in Table 1 the
following costs:
Table 2 presents detailed computation, communi-
cation and storage overhead comparison, based on the
processing cost of the encryption and decryption al-
gorithms and the size of the ciphertext. Note that the
1
http://acsc.cs.utexas.edu/cpabe/index.html
SECRYPT 2018 - International Conference on Security and Cryptography
164
Table 1: Notations.
Notations Description
γ
M
cost of two group elements’ multiplication in a multiplicative group
γ
E
cost of an exponentiation in a multiplicative group
γ
ε
cost of a symmetric pairing function computation
γ
ε
cost of a leveled multi-linear map computation
|MT | size of an aggregate access tree, referred to as master tree
|AT| size of an access tree for an access policy k
η
k
number of auxiliary elements associated to a security level k
Y
MT
number of leaves of the master access tree
η
x
MT
number of interior nodes of the master access tree
Y
AT
number of leaves of an access tree, with respect to an access policy k
η
x
AT
number of interior nodes of an access policy associated to a security level k
|E| size of a multiplicative group element
communication and storage overhead are both refer-
ring to the size of the ciphertext.
It is worth noticing that the size of the master access
tree, proposed in our SABE construction, is lower
than the size of the set of access trees related to k
access policies introduced by the naive approach NC.
This is mainly due to the involved number of attri-
butes (access tree leaves), that should be duplicated
for different access trees in NC. Obviously, the num-
ber of leaves of the master tree Y
MT
is lower than the
sum of leaves of access trees related to k access struc-
tures of NC, such that Y
MT
≤
∑
k
Y
AT
k
. As such, our
SABE approach presents competitive communication
and storage costs, compared to the NC approach. No-
tice that the ciphertext size of our SABE scheme
is comparable to the (Khan et al., 2016) proposal.
Otherwise, our SABE construction presents larger
ciphertext-sizes compared to (Kaaniche and Laurent,
2017a), due to additional auxiliary elements associa-
ted with security levels. Indeed, these group elements
permit our SABE scheme to provide the threshold fe-
ature, which is not supported by either (Kaaniche and
Laurent, 2017a) nor (Khan et al., 2016) schemes.
In addition, based on the NC approach, the encip-
hering entity has to create an access tree AT to each
different security level. Thus, he has to assign dif-
ferent polynomials to each node of each access tree,
during the encryption phase. Consequently, the pro-
cessing and communication costs introduced by the
SABE approach are considerably optimized, where
the number of polynomials, that have to be assigned
to each node of an access tree, is reduced compa-
red to NC, thanks to the use of an aggregate access
structure. For the decrypt algorithm, SABE introdu-
ces merely the same computation cost generated by
the decryption procedure of (Kaaniche and Laurent,
2017a) and (Khan et al., 2016), except with only one
extra multi-linear map calculation. This processing
overhead remains interesting and attractive thanks to
the support of threshold feature offering more flexi-
bility for access policies’ definition, as discussed in
subsection 7.3.
7.2 Numerical Performance Analysis
Referring to the cpabe toolkit
2
proposed in (Be-
thencourt et al., 2007), the computation costs of the
key generation, encryption and decryption algorithms
are mainly depending on the number of attributes.
The cpabe toolkit provides a set of programs imple-
menting CP-ABE schemes (Bethencourt et al., 2007),
using the PBC library
3
for the algebraic operati-
ons. The code is split into two packages, libbswabe
(i.e; a library implementing the core cryptographic
operations) and cpabe (i.e; higher level functions
and user interface), proving four main algorithms,
namely cpabe − setup, cpabe − keygen, cpabe − enc
and cpabe − dec. To give some information on the
performance achieved by our scheme, some experi-
ments are conducted, for several mathematical opera-
tions (i.e; exponentiation, multiplication and pairing
functions) on an Intel E5-1650-v3 6 cores, where each
core relies on 1200 MHz. We set the security para-
meter to λ = 112, based on the super-singular curve
y
2
= x
3
+x over a finite field and we run 1000 samples
for getting an average duration.
Our measurements show that the computation of
a symmetric pairing function requires approximately
6 ms, exponentiations and multiplications take about
1.2 ms and 0.5 ms, respectively. In addition, as stated
above, based on the cpabe toolkit, the calculation of
the cpabe − keygen algorithm, similar to the keygen
algorithm of our proposed algorithm, is perfectly li-
near to the number of attributes. It takes about 1
second for generating a private key containing around
30 attributes (Bethencourt et al., 2007). Moreover,
it is worth noticing that our encrypt algorithm fol-
lows the (Bethencourt et al., 2007) construction, ex-
cept for the generation of auxiliary elements, depen-
ding on the execution of exponentiations and multi-
plications in a multiplicative group. In the sequel,
the running time of the decrypt algorithm is also al-
most perfectly linear to the number of attributes invol-
ved in the access policy, where the execution time of
cpabe − enc algorithm takes 1.5 seconds for 60 gates
(i.e; leaf nodes).
7.3 Threshold Support
Unlike (Kaaniche and Laurent, 2017a), (Khan et al.,
2016) schemes and the NC approach, our SABE con-
struction provides the threshold feature, as shown in
Table 2. This property aims at offering more flexibi-
lity while defining multiple access policies.
2
http://acsc.cs.utexas.edu/cpabe/index.html
3
https://crypto.stanford.edu/pbc/
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control
165
Table 2: Theoretical Performance Comparisons.
Scheme Processing cost Ciphertext size Threshold
encrypt decrypt support
(Kaaniche and Laurent, 2017a) kγ
M
+ 2k(1 +Y
MT
)γ
E
(η
x
MT
+Y
AT
)[2γ
ε
+ γ
E
+ γ
M
] + (zη
x
MT
+ 2)γ
M
+ γ
ε
{|MT|,2(k +Y
MT
)|E|} 7
(Khan et al., 2016) 2(k + 1)γ
M
+ 2(k + 1)(1 +Y
MT
)γ
E
(η
x
MT
+Y
AT
)[2γ
ε
+ γ
E
+ γ
M
] + (zη
x
MT
+ 2)γ
M
+ γ
ε
{|MT|,2(k + 1)|E| + 2Y
MT
|E|} 7
NC kγ
M
+ 2k(1 +Y
AT
)γ
E
(η
x
AT
+Y
AT
)[2γ
ε
+ γ
E
+ γ
M
] + (zη
x
AT
+ 2)γ
M
+ γ
ε
{k|AT|,2k(1 +Y
AT
)|E|} 7
SABE kγ
M
+ 2[k(2 + η
k
) + Y
MT
]γ
E
(η
x
MT
+Y
AT
)[2γ
ε
+ γ
E
+ γ
M
] + (zη
x
MT
+ 2)γ
M
+ γ
ε
{|MT|,[k(2 + η
k
) + 2Y
MT
]|E|} X
Nonetheless, our approach is not convenient when
defining different independent access policies under
the same master access tree (i.e; there is no duplicated
attributes for each defined security level k). Hence, in
such use-cases, the NC approach is much more appro-
priate in terms of processing (i.e; encryption process)
and communication costs, mainly due to {η
k
}
c
, the
set of auxiliary elements that has to be associated to
each message m
k
enciphered with respect to a security
level k, where k ∈ [1,c].
Furthermore, it is still inappropriate for hierarchi-
cal scenarios that require restrictive privileges, such
as for military services. That is, these use cases of-
ten rely on encapsulated access structures, defined by
hierarchical levels of security, such that each higher
level of security k +1 introduces additional attributes,
compared to the security level k, that have to be satis-
fied with respect to the related access policy AT
k+1
.
Finally, thanks to the use of a threshold approach
for access policies’ definition, SABE presents interes-
ting computation, communication and storage over-
head in collaborative use cases, where each security
level requires the definition of several combinations
of sub-access policies.
8 POSSIBLE APPLICATIONS
Our SABE scheme comes as an alternative that aims
at providing sufficient security with an important gain
in processing and communication overhead. In the
following, we discuss a set of potential applications
for selective attribute based encryption mechanisms,
namely monitoring encrypted content, database
search as well as mobile communications.
Monitoring Encrypted Content – this case highlig-
hts situations when encrypted contents are usable for
monitoring. For example, several applications such as
military images, media audience or video surveillance
where some faces have to be scrambled, require iden-
tifying partially encrypted data files with no need to
decrypt the whole contents. Indeed, our SABE me-
chanism permits to decrypt parts of the enciphered
contents with respect to assigned credentials under
different security levels.
Database Search – nowadays, databases hold a
critical concentration of sensitive information and
their volume is increasing very quickly. In such
cases, database outsourcing is becoming increasingly
popular. Clients’ databases are stored at an external
service provider that should provide mechanisms
for securing access to these contents, mainly by
encrypting the outsourced data. However, the
problem consists in ensuring a selective retrieval
over encrypted data. Several existing access control
mechanisms, designed for distributed applications,
operate on client-server architectures with respect
to the basic assumption that the remote server is
in charge of defining and enforcing access control
policies. As such, our SABE scheme addresses the
problem of enforcing access control by following
up data encryption. The idea is concretely to use
different encryption keys for different security levels
as proposed, for example, for XML documents. To
access such encrypted data, users have to decrypt
them by using the appropriate deciphering key. If dif-
ferent users know different keys, with respect to their
assigned credentials, they have different access rights.
Mobile Communication – mobile phones, PDAs
and various mobile terminals are more and more often
used for multimedia communication that require effi-
cient access control mechanisms. Resource consump-
tion is the main limiting factor for the development
and deployment of such security mechanisms. This is
mainly due to the nature of the smart things, which are
resource-impoverished nodes where the implementa-
tion of heavy cryptographic primitives is unfeasible.
The resource consumption in mobile communications
is tied up to the amount of data being processed, sto-
red, and transmitted. As such, reducing the amount
of processed and transmitted data can effectively save
energy. Our SABE mechanism can be considered as
a promoting solution that permits to save computing
and storage capabilities of mobile terminals by remo-
ving redundant processed information within the net-
work flow. For example, our selective attribute based
encryption technique should be a candidate for pro-
tecting content in a home multimedia network where
some of the receiving devices are expected to be mo-
bile (i.e., resource-constrained) or meant to be very
inexpensive. So that, saving computational complex-
ity is very important.
SECRYPT 2018 - International Conference on Security and Cryptography
166
9 CONCLUSION
In this paper, we propose a novel cryptographic me-
chanism to ensure multi-level access control, based
on the use of an attribute based encryption scheme.
Our selective attribute based encryption mechanism
SABE, enables the enciphering user to encrypt the
same data content, based on an ABE aggregate access
tree, and the deciphering entity to decrypt the sub-
sets of data blocks with respect to a security level k
l
.
Indeed, SABE supports a fine grained access control
mechanism with low processing costs, which is di-
rectly inherited from the expressiveness of ciphertext-
policy attribute based encryption for defining access
policies. Additionally, our proposal is proven secure
against selective, non-adaptive chosen ciphertext at-
tacks in the generic group model. Besides, a quan-
titative comparison of SABE with the naive com-
puting approach shows the gain of our construction
with respect to the processing and communication
costs, especially due to the use of an aggregate access
structure. Finally, we present the potential of SABE
technique to support security and privacy in concrete
networking and computing applications.
REFERENCES
Ahn, J. H., Boneh, D., Camenisch, J., Hohenberger, S., She-
lat, A., and Waters, B. (2012). Computing on authen-
ticated data. In Proc. of TCC, LNCS.
Beimel, A. (2011). Secret-sharing schemes: A survey.
IWCC’11.
Belguith, S., Kaaniche, N., Jemai, A., Laurent, M., and At-
tia, R. (2016). Pabac: a privacy preserving attribute
based framework for fine grained access control in
clouds. In SECRYPT 2016: 13th International Confe-
rence on Security and Cryptography, volume 4, pages
133–146. Scitepress.
Bethencourt, J., Sahai, A., and Waters, B. (2007).
Ciphertext-policy attribute-based encryption. In Pro-
ceedings of the 2007 IEEE Symposium on Security
and Privacy, SP ’07, Washington, DC, USA. IEEE
Computer Society.
Boneh, D., Boyen, X., and Goh, E.-J. (2005). Hierarchical
Identity Based Encryption with Constant Size Cipher-
text. Springer Berlin Heidelberg.
Di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi,
S., Pelosi, G., and Samarati, P. (2010). Encryption-
based policy enforcement for cloud storage. In Dis-
tributed Computing Systems Workshops (ICDCSW),
2010 IEEE 30th International Conference on, pages
42–51. IEEE.
di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi,
S., and Samarati, P. (2013). On information leakage
by indexes over data fragments. In Data Engineering
Workshops (ICDEW), 2013 IEEE 29th International
Conference on, pages 94–98. IEEE.
Garg, S., Gentry, C., Halevi, S., Sahai, A., and Waters,
B. (2013). Attribute-based encryption for circuits
from multilinear maps. In Advances in Cryptology–
CRYPTO 2013, pages 479–499. Springer.
Hassler, H., Posch, R., and Risti
´
c, V. (1993). Unique Keys
Enabling Multithreshold Schemes. IIG-report-series /
Institutes for Information Processing Graz / Institute
fur Informationsverarbeitung Graz: IIG-report-series.
Institutes for Information Processing Graz.
Hohenberger, S., Sahai, A., and Waters, B. (2013). Full
domain hash from (leveled) multilinear maps and
identity-based aggregate signatures. In Advances in
Cryptology–CRYPTO 2013, pages 494–512. Springer.
Horv
´
ath, M. (2015). Attribute-based encryption optimized
for cloud computing. In SOFSEM 2015: Theory and
Practice of Computer Science, pages 566–577. Sprin-
ger.
Huang, Q., Yang, Y., and Shen, M. (2016). Secure and ef-
ficient data collaboration with hierarchical attribute-
based encryption in cloud computing. Future Genera-
tion Computer Systems.
Hur, J. and Noh, D. K. (2011). Attribute-based access con-
trol with efficient revocation in data outsourcing sys-
tems. IEEE Transactions on Parallel and Distributed
Systems, 22(7):1214–1221.
Jahid, S., Mittal, P., and Borisov, N. (2011). Easier:
Encryption-based access control in social networks
with efficient revocation. In The 6th ACM Symposium
on Information, Computer and Communications Se-
curity, pages 411–415. ACM.
Kaaniche, N. and Laurent, M. (2017a). Attribute based en-
cryption for multi-level access control policies. In SE-
CRYPT 2017: 14th International Conference on Secu-
rity and Cryptography, volume 6, pages 67–78. Scite-
press.
Kaaniche, N. and Laurent, M. (2017b). Data security and
privacy preservation in cloud storage environments
based on cryptographic mechanisms. Computer Com-
munications, 111:120–141.
Khan, F., Li, H., and Zhang, L. (2016). Owner specified ex-
cessive access control for attribute based encryption.
IEEE Access, 4:8967–8976.
Sahai, A. and Waters, B. (2005). Fuzzy identity-based
encryption. In EUROCRYPT 2005, pages 457–473.
Springer.
Shamir, A. How to share a secret. Commun. ACM, 22(11).
Yu, S., Wang, C., Ren, K., and Lou, W. (2010). Attribute
based data sharing with attribute revocation. In The
5th ACM Symposium on Information, Computer and
Communications Security, pages 261–270.
SABE: A Selective Attribute-based Encryption for an Efficient Threshold Multi-level Access Control
167
