A CP-ABE Access Control Scheme Based on Proxy Re-encryption in Cloud Storage

Abstract

With the popular application of cloud storage and the diversification of terminal devices, especially the widespread popularization of smart terminals. Users have more and more requirements for how to access information in the cloud safely and efficiently. Ciphertext policy attribute-based encryption (CP-ABE) is an effective method to achieve fine-grained access control of cloud data. However, the large decryption overhead is a potential problem of attribute-based encryption. In this paper, a CP-ABE access control scheme based on proxy re-encryption is proposed, it helps markedly reduce the user’s decryption overhead. Meanwhile, attribute revocation is provided for key update while ensuring fine-grained access control, and an improved decryption key generation method is proposed, which solves the data leakage problem caused by illegal stealing private key in the traditional CP-ABE scheme. A comparison with other CP-ABE schemes shows that our scheme has better decryption performance for mobile devices accessing cloud data.

1 Introduction

With the rapid development of information technology and the explosive growth of user data, it is becoming more and more convenient to share cloud data over the Internet [1]. Cloud computing is one of the most important technologies for cloud data sharing [2], it is a new computing paradigm that provides users with on-demand deployment, dynamic optimization and recovery, on-demand billing, and massive amounts of storage and computing resources available over the Internet at all times and places [3]. Shared data is remote storage, it is a threat to the privacy of the data owner, and the security of the shared data itself [4]. Therefore, enforcing the protection of personal, confidential and sensitive data stored in the cloud is extremely crucial. The simultaneous participation of a large number of users requires fine-grained access control for data sharing [5]. Attribute-based encryption (ABE) [6] provides a flexible access control scheme, it can implement one-to-many communication mechanism in cloud storage environment, which means that a single key can decrypt different ciphertexts or different keys can decrypt the same ciphertext [7]. ABE is divided into two categories: key policy attribute-based encryption (KP-ABE) and ciphertext policy attribute-based encryption (CP-ABE) [8]. For KP-ABE, the attribute set is associated with the ciphertext, and the access policy is associated with the decryption private key. For CP-ABE, the access policy is embedded into the ciphertext, and the attribute set is embedded into the private key. CP-ABE allows data owner can define their own access policy with an attribute set. Due to this property, CP-ABE is quite suitable for the construction of secure, fine-grained access control for cloud data sharing [1].

In 2005, Sahai and Waters [9] proposed a fuzzy identity-based encryption (FIBE) based on classic identity-based encryption. Since FIBE indicated some many key features of ABE, it laid a theoretical foundation of subsequent research into ABE. In 2006, Goyal et al. proposed a formal definition of ABE. With the rapid popularization of mobile intelligent terminals, a growing number of mobile devices participate in cloud data sharing, such as smartphones, wearable devices. Green et al. [10] indicated that ciphertext size and decryption cost are major drawbacks of practical ABE applications. At the same time, there are more and more illegal attacks on mobile terminals at present, and the user’s private key is also likely to be stolen by illegal users. A mechanism for deferred re-encryption and proxy re-encryption based on HDFS was proposed in [11]. In this scheme, a large number of encryption and decryption computations are performed by the cloud server and reduces the computational overhead of data owner when the right is revoked. An absolute outsourcing decryption scheme for mobile devices was proposed in [12] to achieve the stability of network traffic of mobile devices. In [13], an attribute-based data sharing system is proposed. By introducing secure two-party computation (2PC) between the key generation center and the data storage center, a new solution to the key escrow problem in a single authorization system is provided.

In this paper, a CP-ABE scheme based on proxy re-encryption (CP-CPE-BPRE) is proposed aiming to solve key escrow problem and decrease decryption overhead. In CP-ABE-BPRE, the private key consists of two parts, the proxy server uses one of the keys to decrypt ciphertext to obtain the semi-decrypted message and sends it to terminal devices, and the devices decrypt the semi-decrypted message by the other key. The scheme can effectively reduce the decryption overhead of user, while guaranteeing flexible and fine-grained access control, but also reduces the data leakage problem caused by the private key exposure.

2 Preliminaries

In this section, we first give some basic definition. Then, we provide formal definitions for access structures and relevant background on Linear Secret Sharing Schemes (LSSS), as taken from [14]. Finally, we will briefly review the cryptographic background about the bilinear map and its security assumption.

Definition 1:

The set of users is \( U = \left\{ {u_{1} ,u_{2} , \cdots ,u_{l} } \right\} \), where \( l \) represents the total number of users.

Definition 2:

The set of attributes that have been authorized is \( A = \{ att_{1} ,att_{2} , \ldots \ldots att_{p} \} \), where \( p \) represents the total number of attributes.

Definition 3:

Let \( G_{t} \) denotes users with the same attribute \( att_{t} \), and \( G_{t} \subseteq U \). The collection of attribute group is represented as .

Definition 4:

Let \( K_{t} \) denote the attribute group key associated with \( G_{t} \). The collection of attribute group key is represented as .

Definition 5 (Access Structure):

Let \( P = \left\{ {P_{1} ,P_{2} , \cdots ,P_{n} } \right\} \) be a set of parties. A collection \( {\mathbf{\mathbb{A}}} \subseteq 2^{P} \) is monotone if for arbitrary \( B \) and \( C \) we have that \( B \in {\mathbf{\mathbb{A}}} \) and \( \text{B} \subseteq C \), and \( C \in {\mathbf{\mathbb{A}}} \) holds. An access structure (monotone access structure) is a collection (monotone collection) \( {\mathbf{\mathbb{A}}} \subseteq 2^{P} |\left\{\Phi \right\} \). We call sets in \( {\mathbf{\mathbb{A}}} \) authorized sets, and sets not in \( {\mathbf{\mathbb{A}}} \) unauthorized sets.

Definition 6 (Linear Secret Sharing Schemes, LSSS):

Let \( P \) be a set of participants and \( M \) be a matrix with \( m \) rows and \( d \) columns. The map \( \rho :\left\{ {1,2, \cdots ,m} \right\} \to P \) associates each row with one participant for labeling. A secret sharing scheme \( \Pi \) over \( P \) for access structure \( {\mathbf{\mathbb{A}}} \) is a linear secret sharing scheme in \( Z_{p}^{*} \) represented by \( \left( {M,\rho } \right) \) if it consists of two polynomial-time algorithms:

• Share \( \left( {M,\rho } \right) \): The share algorithm takes \( s \in Z_{p}^{*} \) as an input secret to be shared. Share randomly chooses a group of elements \( r_{1} ,r_{2} , \cdots ,r_{n} \in Z_{p}^{*} \) and generates a column vector \( \vec{v} = \left( {s,r_{1} ,r_{2} , \cdots ,r_{n} } \right)^{T} \). Then, it outputs \( M \cdot \overrightarrow {v} \) as a vector that \( l \) participants share such that they each possess an element. We define \( M_{i} \) as the \( i{\text{th}} \) row in \( M \) so that \( \lambda_{\rho \left( i \right)} = M_{i} \cdot \overrightarrow {v} \) is the element belonging to participant \( \rho \left( i \right) \).

• Recovery \( \left( S \right) \): The recovery algorithm takes a set \( S \) of participants as input. We define a set \( I = \left\{ {i:\rho \left( i \right) \in S} \right\} \subset \left\{ {1,2, \cdots ,m} \right\} \). If \( S \in {\mathbf{\mathbb{A}}} \), there exists a group of constants \( \left\{ {\omega_{i} \in Z_{p}^{*} } \right\}_{i \in I} \), it can recovery the shared secret by \( \sum {\omega_{i} \cdot \rho_{\left( i \right)} = s} \left( {i \in I} \right) \).

Definition 7 (Bilinear pairings):

Let \( {\mathbf{\mathbb{G}}}_{0} \) and \( {\mathbf{\mathbb{G}}}_{T} \) be two multiplicative cyclic groups of prime order \( p \). Let \( g \) be a generator of \( {\mathbf{\mathbb{G}}}_{0} \) and \( e:{\mathbf{\mathbb{G}}}_{0} \times {\mathbf{\mathbb{G}}}_{0} \to {\mathbf{\mathbb{G}}}_{T} \) be a bilinear map with the properties:

• Bilinearity: For all \( u,v \in {\mathbf{\mathbb{G}}}_{0} \) and \( a,b \in Z_{p} \), we have \( e\left( {u^{a} ,v^{b} } \right) = e\left( {u,v} \right)^{ab} \).

• Non-degeneracy: There exists a generator \( g \) of \( {\mathbf{\mathbb{G}}}_{0} \) such that \( e\left( {g,g} \right) \ne 1 \) holds.

• Computability: For all \( u,v \in {\mathbf{\mathbb{G}}}_{0} \), there exists an effective calculation \( e\left( {u,v} \right) \).

Assumption 1 (Discrete Logarithm Assumption):

Given two \( X,Y \in {\mathbf{\mathbb{G}}}_{0} \), no probabilistic polynomial-time algorithm can find an integer \( k \in Z_{p}^{*} \) with a non-negligible advantage for which \( Y = X^{k} \) holds.

Assumption 2 (Decisional Bilinear Diffie-Hellman Assumption):

For an arbitrary group of exponents \( a,b,c \in Z_{p}^{*} \), given a tuple \( \left( {g,g^{a} ,g^{b} ,\text{g}^{c} ,\text{e}\left( {\text{g},\text{g}} \right)^{abc} } \right) \), no probabilistic polynomial-time algorithm can find an integer \( z \in Z_{p}^{*} \) with a non-negligible advantage for which \( e\left( {g,g} \right)^{z} = e\left( {g,g} \right)^{abc} \) holds.

3 CP-ABE Access Control Scheme Based on Proxy Re-encryption

The above introduced the existing scheme deficiencies and the basic concepts. This section details how to improve the scheme and reduce the decryption overhead.

3.1 Model Construction

The scheme proposed in this paper is shown in Fig. 1, which is mainly composed of 5 parts. The 5 components communicate through the Internet.

Fig. 1.

CP-CPE-BPRE scheme model

• Trusted Key Authority (TKA): The TKA is a vital component in the system. The KA is responsible for most computing tasks, including key generation, key update, etc. The TKA is considered credible in our system.

• Data Owner (DO): DO is an authorized user who possesses data to be uploaded. DOs define their own explicit access policies. Only users whose attributes meet the access policy can obtain plaintext.

• Cloud Service Provider (CSP): CSP is responsible for data storage, management and ciphertext re-encryption. We assume that the CSP is semi-trusted in our system, meaning it is curious about the value of plaintext but has no intention of tampering with it.

• Proxy Decryption Server (PDS): PDS undertakes most of the decryption calculations in our model, it is also considered to be semi-trusted.

• Data User (DU): DO is an authorized user who accesses ciphertext. With the rapid development of cloud services, mobile devices have become the main devices for accessing cloud data. Therefore, we think there is a possibility that the private key of the terminal may be stolen.

We assume that all entities involved in data sharing does not collude with each other to access data illegally, otherwise the system model does not make any sense. The attributes submitted by users are authenticated by TKA. The user’s attribute set is a set that uniquely identifies the user. Each authorized attribute is represented by a random number in public parameters (PP). When DO wants to upload data, it encrypts the data with its access policy and public parameters to obtain \( C_{0} \). Then, \( C_{0} \) is uploaded to the cloud server, which is re-encrypted to \( C_{1} \) by the cloud server. When DU submits an attribute to TKA, TKA generates a private key composed of two parts, which are respectively distributed to DU and PDS. After the DU sends a ciphertext request (CR) to the CPS, the CPS sends \( C_{1} \) to PDS. PDS decrypts \( C_{1} \) using the key from TKA to obtain \( C_{2} \), which can be decrypted by DU.

3.2 Scheme Construction

1. 1.

   Setup

\( {\mathbf{\mathbb{G}}}_{1} \) and \( {\mathbf{\mathbb{G}}}_{2} \) are two multiplicative cyclic groups with prime order \( p \). Let \( k \) be a security parameter and \( g \) be a generator of \( {\mathbf{\mathbb{G}}}_{1} \). The hash functions are defined as follows:

$$ H:\left\{ {0,1} \right\}^{*} \to {\mathbb{G}}_{1} $$

$$ H_{1} :{\mathbb{G}}_{2} \to Z_{P}^{*} $$

TKA completes the initialization operation and returns a group of public parameters and master key of system.

1. 2.

   Key Generation

This algorithm is run by the TKA, takes as input \( PP \), \( MK \) and the attribute collection submitted by the DU. The private key is composed of \( DK_{PDS} \) and \( DK_{DU} \), which are respectively saved by the PDS and the DU, the PDS cannot decrypt ciphertext alone.

1. 3.

   Encryption

The encryption algorithm, which is run by DO, takes as input the public parameter \( PP \), an access structure \( {\mathbf{\mathbb{A}}} \) and plaintext and guarantees the confidentiality and integrity of the data.

1. 4.

   Re-encryption

The re-encryption algorithm, which is run by CSP, takes as input the public parameter \( PP \), initial ciphertext \( C_{0} \), and the collection of attribute groups . When CSP receives \( C_{0} \) and , the re-encryption algorithm selects two random numbers \( \mu ,\gamma \in_{R} Z_{p}^{*} \) to construct attribute group key set , and defines a unique identifier \( ID_{k} \in \left\{ {0,1} \right\}^{*} \) for user , which will not change with user attributes. We adopt the attribute group-based algorithm of [13] to re-encrypt the initial ciphertext.

1. 5.

   Decryption

The decryption algorithm takes as input DU’s attribute set \( S \), the ultimate ciphertext \( C_{1} \), and all private key components \( DK_{PDS} \) and \( DK_{DU} \). On receiving a ciphertext request from a DU \( u_{k} \), the CSP and TKA send the ultimate ciphertext \( C_{1} \) and the private key \( DK_{PDS} \) to the PDS immediately. The PDS decrypts \( C_{1} \) outputs the partially decrypted ciphertext \( C_{2} \). The PDS sends \( C_{2} \) to \( u_{k} \), and \( u_{k} \) decrypts it with its own private key \( DK_{DU} \).

4 Comprehensive Analysis

This section mainly analyses the proposed scheme CP-ABE-BPRE in this paper from attribute revocation, security requirements and efficiency. In our analysis, we use notation shown in Table 1.

Table 1. Notations relevant to efficiency comparision.

4.1 Revocation

When a user comes to hold or drop an attribute, the private key should be updated to prevent the user from accessing the previous or subsequent encrypted data for backward or forward secrecy. On receiving a join or leave request for some attribute groups from a user (e.g., a user comes to hold or drop an attribute \( att_{q} \) at some time instance), the proposed CP-ABE-BPRE will execute the revoking operation immediately. At the beginning of revocation, the KA updates the attribute group from to and the attribute group key of \( G_{q} \) and sends the updated membership list of the attribute group to CSP. The CSP runs the re-encryption algorithm upon receiving \( C_{0} \) and . The updated attribute group key set is:

The CSP constructs a new polynomial for \( G_{q} \), where \( v^{{\prime }} \) represents the number of DU in \( G_{q} \):

$$ f_{q} \left( x \right) = \prod\nolimits_{i = 1}^{{v^{{\prime }} }} {\left( {x - x_{i} } \right) = \sum\nolimits_{i = 0}^{{v^{{\prime }} }} {a_{i}^{{\prime }} x^{i} \left( {\bmod \,p} \right)} } $$

Then, the re-encryption algorithm selects a new random number \( R^{{\prime }} \in_{R} Z_{p}^{*} \) to build a new header message as follow:

$$ \left\{ {P_{0} ,P_{1} , \cdots ,P_{{v^{{\prime }} }} } \right\} = \left\{ {g^{{a_{0}^{{\prime }} }} ,g^{{a_{1}^{{\prime }} }} , \cdots ,g^{{a_{v}^{{\prime }} }} } \right\} $$

$$ Head_{q}^{{\prime }} = \left( {K_{q}^{{\prime }} \cdot P_{0}^{{R^{{\prime }} }} ,P_{1}^{{R^{{\prime }} }} , \cdots ,P_{{v^{{\prime }} }}^{{R^{{\prime }} }} } \right) $$

Subsequently, the CSP re-encrypts the ciphertext as:

$$ C_{1}^{''} = \left( {Head^{'} ,C_{0}^{''} } \right) $$

Finally, the key generation algorithm is implemented to update the privacy key:

$$ DK_{DU}^{'} = {{\pi^{'} } \mathord{\left/ {\vphantom {{\pi^{'} } {r^{'} }}} \right. \kern-0pt} {r^{'} }} $$

$$ DK_{CSP}^{{\prime }} = \left\{ {K_{3}^{{\prime }} = g^{{\left( {\alpha + \beta \tau } \right){{r^{{\prime }} } \mathord{\left/ {\vphantom {{r^{{\prime }} } {\pi^{{\prime }} }}} \right. \kern-0pt} {\pi^{{\prime }} }}}} ,D = g^{{{{\tau r^{{\prime }} } \mathord{\left/ {\vphantom {{\tau r^{{\prime }} } {\pi^{{\prime }} }}} \right. \kern-0pt} {\pi^{{\prime }} }}}} ,\forall x \in S:D_{x} = h_{x}^{{{{\tau r^{{\prime }} } \mathord{\left/ {\vphantom {{\tau r^{{\prime }} } {\pi^{{\prime }} }}} \right. \kern-0pt} {\pi^{{\prime }} }}}} } \right\} $$

4.2 Security Requirements

For the CP-ABE-BPRE scheme, we assume that TKA is trusted, the CSP and PDS are honest but curious about plaintext, and parties do not collude to access data illegally. In this scheme, the CSP re-encrypts the initial ciphertext. Like the trusted third party in [8, 10], the TKA generates and distributes the private key by the submitted attributes of user. However, the difference lies in that the private key of the user in the CP-ABE-BPRE scheme is composed of two parts, respectively stored in the PDS and the DU, and the PDS cannot decrypt the ciphertext only by the key kept in itself. In the process of PDS decrypting \( C_{1} \) to \( C_{2} \), since \( C_{2} \) is encrypted by ElGamal algorithm, the PDS cannot obtain the plaintext. \( C_{1}^{'} \) and \( C_{2} \) cannot be accessed for user whose attributes do not satisfy the access policy.

In terms of backward and forward secrecy, we adopt an attribute group mechanism inspired [13] to guarantee backward and forward secrecy. Once a DU lose an attribute, the TKA will update the attribute group list immediately. Then, the CSP updates the set of attribute group keys for re-encrypting ciphertext by rebuilding the head message at once. Later, the TKA distributes updated private key components. For ciphertext accessible only to those who hold this attribute, those who no longer possess this attribute can by no means extract any information from the ciphertext. If a DU obtains a new attribute, the CSP updates the attribute group key. Then, it embeds the newly rebuilt head message into the ciphertext. Finally, all DUs in the new attribute group obtain new private key components. Even if this DU possesses ciphertext encrypted before acquiring this attribute, it cannot be correctly decrypted by this DU. Thus, backward and forward secrecy can be guaranteed.

For key exposure, the private key is directly stored in the mobile terminal [8]. When the private key is obtained by the unauthorized user, the illegal user can directly decrypt the ciphertext. In [10], the proxy decryption server is also introduced to reduce the user’s decryption cost. However, the private key of the proxy decryption server is generated and distributed by the client. Therefore, the risk of private key exposure remains. The problem that the terminal private key may be stolen is solved by introducing secure two-party computation in [13], but there is a problem that the terminal has a larger decryption overhead. Mobile devices, such as smartphones, are far inferior to cloud storage servers in privacy protection, which may lead to the exposure of users’ private keys stored in these devices. In the CP-ABE-BPRE scheme, the private key is composed of two parts, which are respectively stored at the PDS and DU. When the terminal’s key is stolen illegally, unauthorized users can not directly decrypt the ciphertext stored in the PDS, thus effectively preventing the user from disclosing the key exposure problem.

4.3 Efficiency

In terms of efficiency, we assume that the time delay in this scheme is acceptable to the user and compare the CP-ABE-BPRE scheme with the [8, 10, 13]. Each scheme is compared in terms of total decryption overhead and client decryption overhead, the comparison results are presented in Tables 2 and 3. In CP-ABE, the calculation of bilinear pairs takes up most of the computational overhead. The introduction of attribute group encryption mechanism in CP-ABE-BPRE scheme adds an amount of computational overhead. However, most of the decryption computations are performed by PDS through proxy decryption, which obviously reduces user’s decryption overhead. As shown in Table 2, compared with other schemes, the total decryption overhead in the CP-ABE-BPRE does not have obvious advantages. However, when the user decryption overhead is significantly reduced, server-side decryption overhead is appropriately increased, which is acceptable. As can be seen from Table 3, the CP-ABE-BPRE is similar to the scheme in [10], the mobile terminal only needs to perform an exponentiation and division operation to complete the decryption. However, the private key generation and distribution of the proxy decryption server in [10] adds the extra computation overhead of client. In the schemes [8, 13], the user has to bear all the computational decryption overhead in the system, which is not conducive to the safe and efficient access of the mobile terminal to the cloud storage data.

Table 2. Comparison of total decryption overhead

Table 3. Comparison of client decryption overhead

In summary, our scheme has better decryption performance for mobile terminals accessing cloud data compared with the schemes of [8, 10, 13].

5 Conclusion and Future Work

Ciphertext policy attribute-based encryption achieves fine-grained access control in cloud storage. A CP-ABE scheme based on proxy re-encryption is proposed in this paper, which introduces the concept of attribute groups in [13] to implement ciphertext re-encryption. The proposed scheme perfectly optimizes clients’ user experience since only a small amount of responsibility is taken by them for decryption. Meanwhile it addresses a worse problem called key exposure. Thus, the proposed scheme performs better in cloud data sharing system serving massive performance-restrained mobile devices with respect to either security or efficiency.

The user’s encryption overhead and the size of the ciphertext are also the areas of great attention in the attribute encryption technology. We expect to improve the scheme by reducing the encryption overhead, total decryption overhead and ciphertext size of the system in our future work.