Keywords

1 Introduction

Public-key encryption is the fundamental primitive of public-key cryptography, which removes the key-agreement process in traditional symmetric-key encryption to facilitate data sharing via the certificate list. However, conventional public-key infrastructure is vulnerable to certificate management. To address this issue, identity-based encryption (IBE) [10] was proposed to provide a new paradigm by utilizing the user identity rather than searching the certificate of the receiver. Unfortunately, IBE only provides coarse-level data sharing. To overcome this drawback, attribute-based encryption (ABE) [26] was introduced. There are mainly two types of standard ABE systems: key-policy ABE (KP-ABE) and ciphertext-based ABE (CP-ABE) and they are useful in different applications. KP-ABE provides the content-based access control by specifying the receiver’s policy over ciphertext’s attributes for managing the accessing of sensitive information. CP-ABE offers the role-based access control by specifying the ciphertext’s policy over the receiver’s policy for controlling the data receiver.

IBE. Boneh and Franklin [10] proposed the first practical IBE by transforming ElGamal encryption [12] in finite fields to bilinear groups. To improve the performance, Boneh and Boyen [8, 9] proposed the selectively secure IBE without random oracles and Waters [28] introduced an adaptively secure IBE in the standard model. Gentry [13] proposed an adaptive security IBE with the constant-size parameter based on the interactive assumption. Abdalla et al. [1] then proposed IBE with wildcard operation. Lewko and Waters [18] design the first adaptive security IBE with the standard assumption by applying dual system encryption [29], which also used to design the adaptive security ABE [17].

KP-ABE. In KP-ABE, the key generation center (KGC) generates the users’ secret keys based on corresponding access trees, and ciphertexts are encrypted over a set of attributes. The encryptor has no control over who has access to the data except by choosing descriptive attributes for the data. The initial work was introduced by Sahai and Waters [26]. To enrich the expression, Goyal et al. [14] provided KP-ABE with monotonic span programs and Ostrovsky et al. [22] proposed KP-ABE supporting non-monotonic access structures. Attrapadung et al. [3] then proposed KP-ABE with constant-size ciphertexts.

CP-ABE. In CP-ABE, access trees are used to encrypt data and users’ secret keys associate a set of attributes. The encryptor has to manage the access tree to specify the users’ access right. The seminal work was introduced by Bethencourt et al. [6] with two-level random masking methodology. Waters [30] introduced the first selectively secure CP-ABE under the non-standard assumption, and Rouselakis and Waters [24] provided CP-ABE with the large universe.

Generic ABE Constructions. Generic constructions of ABE have been well studied before. Sahai et al. [25] proposed the generic ABE with piecewise key generation to derive RABE. Chow [11] provided generic ABE with the properties of key partition and ciphertext partition to build RABE with the multi-authority setting. Not surprisingly, self-updatable ABE [16] also applied a similar strategy. The core technique of them are based on the secret-splitting trick, and we also apply this concept to build generic schemes.

Many cloud-based data sharing applications are built based on IBE and ABE since they facilitate data sharing securely. However, consider usability and functionality, directly applying these scheme in cloud-based applications is insufficient. To address this problem, many cryptosystems with practical properties have been proposed, such as public-key cryptosystems with revocation (e.g., revocable IBE and ABE, RIBE/RABE for short) and dual-policy ABE (DP-ABE) with content-based and role-based access control simultaneously.

RIBE/RABE. RIBE/RABE (as shown in Fig. 1) is an extension of IBE/ABE by providing an efficient revocation mechanism. The issues of revocation have been pointed out in the corresponding seminal works [10, 23] and they suggested extending each attribute with an expiration date, e.g., private keys periodically update by representing an attribute as \(att\Vert t\), where att is the real attribute and t is the current date. However, such an approach incurs the heavy workload and unscalable because a secure channel between KGC and each user needs to be established each time. Boldyreva et al. [7] solved this issue by introducing indirect revocation, which divides the (short-term) decryption key into the long-term secret key and the public key-updating material. With this method, KGC only publishes public key-updating material in each revocation epoch. By applying tree-based structure [21], the size of the key-updating material is logarithmic in the number of system users. However, this work suffers decryption key exposure attacks. The frequently used decryption key could be compromised due to a variety of reasons, such as side-channel and key-leakage attacks. The long-term secret key will be compromised if the short-term decryption key is leaked. Seo and Emura [27] provided a strong model with perfect forward secrecy in the identity-based setting and proposed a secure RIBE under this model.

DP-ABE. To make the most advantages of both KP-ABE and CP-ABE, DP-ABE (as shown in Fig. 2) [2, 4] was introduced. It is a conjunctively combined between two types of ABE. Ciphertexts are specified access trees and a set of attributes simultaneously, and the secret keys are also required to specified a set of attributes and access trees. We further category DP-ABE into two types: sequential DP-ABE and parallel DP-ABE. In sequential DP-ABE, receivers will be able to decrypt if who pass both restrictions. Interestingly, the sequential DP-ABE is similar to RABE with indirect revocation. In RABE, two restrictions are long-term secret key and public key-updating material, where long-term secret keys are related to the key-policy or the ciphertext-policy depending on the access policy of RABE, and the public key-updating as the restriction based on the revocation mechanism. In parallel DP-ABE (sometimes called one-policy DP-ABE), receivers only need to satisfy one of two limitations to review messages. It is worth to notice that Attrapadung and Yamada [4] provided the generic construction based on ABE and pairing encodings, our generic constructions are based on the different building block ElGamal type cryptosystem, which also can be used to build RABE schemes.

Fig. 1.
figure 1

System model of RABE/RIBE

Full size image
Fig. 2.
figure 2

System model of DP-ABE

Full size image

1.1 Contribution

In this paper, we revisit ElGamal-like schemes [12] in both identity-based [1, 5, 8,9,10, 18, 28] and attribute-based [3, 6, 14, 17, 20, 22, 24, 26, 30] settings and introduce a new primitive called ElGamal type cryptosystem with formal definition and security model by summarizing their common properties. By applying this primitive, we can easily derive a variety of cryptosystems. To illustrate the feasibility of our proposed ElGamal type cryptosystem, we present the generic constructions of RABE with decryption exposure resistance and DP-ABE with parallel and sequential settings.

We first investigate RIBE/RABE and present the generic construction of RABE with decryption key exposure resistance. We should note that our ElGamal type cryptosystem allows the key re-randomization without the master secret key. This re-randomizable property is to remove the relationships among the long-term secret key, the public key-updating material, and the short-term decryption key. Hence, the long-term secret key is secure even both the key-updating material and the decryption key are compromised.

We then investigate DP-ABE schemes and present the concrete schemes of DP-ABE with parallel and sequential settings in the prime-order group. These schemes are the provable security under the proposed models. We then give detailed comparisons and experiment results to demonstrate the usability and high performance of our proposed schemes.

1.2 Outline

In Sect. 2, we introduce some preliminaries including the proposed ElGamal type cryptosystem and its semi-generic construction. In Sect. 3, we present definitions of DP-ABE and RABE. In Sect. 4, we give generic constructions of RABE and DP-ABE and the corresponding formal proofs. The instantiations of these schemes are presented in Sect. 5. In Sect. 6, we provide the analysis of functionality and efficiency. We summarize this paper in Sect. 6.

2 Preliminaries

2.1 Notations

Let \(\mathbb {N}\) denote the set of all natural numbers, and for \(n\in \mathbb {N}\), we define \([n]:={1,...,n}\). Let \(\vec {u}:=(u_1,u_2,...,u_\ell )\) denote a vector of dimension \(\ell \) in \(\mathbb {Z}_p\). To simplicity, \(X\in \mathcal {X}\) denotes the attributes of key and \(Y\in \mathcal {Y}\) represents the attributes of ciphertexts. Depending on the policy in the underlying ABE scheme, X and Y denote either an attribute set \(\mathcal {S}\) or an access policy \(\mathbb {A}\), and \(\mathcal {X}\) and \(\mathcal {Y}\) represent either the attribute universe \(\varOmega \) or the policies \(\mathcal {P}\). Let \(R:(\mathbb {X},\mathbb {Y})\rightarrow \{0,1\}\) denote the result of sufficient condition by inputting key attributes \(X\in \mathbb {X}\) and ciphertext attributes \(Y\in \mathbb {Y}\), and outputting a bit 0 or 1.

2.2 Bilinear Map

Let \(\mathbb {G}\) and \(\mathbb {G}_T\) be two cyclic multiplicative groups of prime order p and g be a generator of \(\mathbb {G}\). The map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) is said to be an admissible bilinear pairing if the following properties hold true.

  • Bilinearity: for all \(u,v\in \mathbb {G}\) and \(a,b\in \mathbb {Z}_p\), \(e(u^a,v^b)=e(u,v)^{ab}\).

  • Non-degeneration: \(e(g,g)\ne 1\).

  • Computability: it is efficient to compute e(uv) for any \(u,v\in \mathbb {G}\).

2.3 Access Structure and Monotone Span Program

Definition 1

(Access Structure [14]). Let \(\{P_1,...,P_n\}\) be a set of parties. A collection \(\mathbb {A}\subseteq 2^{\{P_1,...,P_n\}}\) is monotone if \(\forall B,C:\) if \(B\in \mathbb {A}\) and \(B\subseteq C\), then \(C\subseteq \mathbb {A}\). A monotone access structure is a monotone collection \(\mathbb {A}\) of non-empty subsets of \(\{P_1,...,P_n\}\), i.e., \(\mathbb {A}\subseteq 2^{\{P_1,...,P_n\}}\setminus \{\emptyset \}\). The sets in \(\mathbb {A}\) are called authorized sets, and the sets not in \(\mathbb {A}\) are called unauthorized sets.

Definition 2

(Monotone Span Program (MSP) [14]). Let \(\mathcal {K}\) be a field and \(\{x_1,...,x_n\}\) be a set of variables. A MSP over \(\mathcal {K}\) is labeled matrix \(\tilde{M}(\mathbb {M},\rho )\) where \(\mathbb {M}\) is a matrix over \(\mathcal {K}\), and \(\rho \) is a labeling of the rows of \(\mathbb {M}\) by literals from \(\{x_1,...,x_n\}\) (every row is labeled by one literal). A MSP accepts or rejects an input by the following criterion. For every input set \(\mathcal {S}\) if literals, define the submatrix \(\mathbb {M}_{\mathcal {S}}\) of \(\mathbb {M}\) consisting of those rows whose labels are in S, i.e., rows labeled by some i such that \(i\in \mathcal {S}\). The MSP \(\tilde{M}\) accepts \(\mathcal {S}\) if and only if \(\vec {1}\in \mathsf{span}(\mathbb {M}_{S})\), i.e., some linear combination of the rows of \(\mathbb {M}_{\mathcal {S}}\) given the all-one vector \(\vec {1}\). The MSP \(\tilde{M}\) computes a boolean function \(f_{M}\) if it accepts exactly those input \(\mathcal {S}\) where \(f_{\mathbb {M}}(\mathcal {S})=1\). The size of \(\tilde{M}\) is the number of rows in \(\mathbb {M}\).

2.4 Definition of ElGamal Type Cryptosystem

Definition 3

(ElGamal Type Cryptosystem). ElGamal type cryptosystem \(\mathcal {ETC}\) with the key attribute universe \(\mathcal {X}\) that supports the ciphertext attribute universe \(\mathcal {Y}\) and the message space \(\mathcal {M}\) consists of the following five algorithms:

  • \(\mathcal {ETC}{.}\mathsf{Init}(\lambda )\rightarrow pp\): The probabilistic initialization algorithm takes the security parameter \(\lambda \in \mathbb {N}\) as input, and outputs the public parameter pp, such as the description of the bilinear group from the bilinear group generator \((g,p,\mathbb {G},\mathbb {G}_T)\leftarrow \mathcal {G}(\lambda )\).

  • \(\mathcal {ETC}{.}\mathsf{Setup}(pp)\rightarrow (pk,msk)\): The probabilistic setup algorithm takes the parameter pp as input, and outputs the public key pk and the master secret key msk. It is required that the master secret key and the public key are in the form of

    $$\begin{aligned} msk=(\alpha ,...),\quad pk=(e(g,g)^\alpha ,...), \end{aligned}$$

    where \(\alpha \in \mathbb {Z}_p\).

  • \(\mathcal {ETC}{.}\mathsf{KeyGen}(msk,X)\rightarrow sk_X\): The probabilistic key generation algorithm takes the master secret key msk and the attributes of the secret key \(X\in \mathcal {X}\) as input, and outputs the secret key \(sk_X\). It is required that the secret key is in the form of \(sk_X=(sk_1,sk_2,sk_3)\) as:

    $$\begin{aligned} sk_1=g^{h(\alpha )}\cdot f(pk,X)^r,\quad sk_2=g^r, \end{aligned}$$

    where \(r\in \mathbb {Z}_p\), \(h(x)\in \mathbb {Z}_p\) and \(f(x,y)\in \mathbb {G}\). Note that \(sk_3\) is for recording some extra information related attributes of the secret key.

  • \(\mathcal {ETC}{.}\mathsf{Enc}(pk,Y,m)\rightarrow c_Y\): The probabilistic encryption algorithm takes the public key pk, the attributes of the ciphertext \(Y\in \mathcal {Y}\) and the message \(m\in \mathcal {M}\) as input, and outputs the ciphertext \(c_Y\). It is required that the ciphertext is in the form of \(c_Y=(c_0,c_1,c_2)\) as:

    $$\begin{aligned} c_0=m\cdot e(g,g)^{\alpha s},\quad c_1=g^s, \end{aligned}$$

    where \(s\in \mathbb {Z}_p\) and \(c_2\) is some extra information related to attributes of the ciphertext.

  • \(\mathcal {ETC}{.}\mathsf{Dec}(pk,sk_X,c_Y)\rightarrow m\): The deterministic decryption algorithm takes the public key pk, the secret key \(sk_X\) and the ciphertext \(c_Y\) as input, and outputs the message \(m\in \mathcal {M}\). The decryption process is required to be two steps. The first step is to run the sub-decryption algorithm \(\mathcal {D}\) to get the message hiding component \(e(g,g)^{\alpha s}\leftarrow \mathcal {D}(sk_X,c_1,c_2)\). The second step is to extract the plaintext by eliminating the message hiding component as \(m=c_0/e(g,g)^{\alpha s}\).

The consistency condition requires for all \(\lambda \in \mathbb {N}\), all pp output by the initialization algorithm, pk and msk output by setup algorithm, \(m\in \mathcal {M}\) and \(R(X,Y)=1\), we then have

$$\begin{aligned} \mathcal {ETC}{.}\mathsf{Dec}(pk,sk_X,\mathcal {ETC}{.}\mathsf{Enc}(pk,Y,m))=m. \end{aligned}$$

Next, we describe the security model called selectively indistinguishable against chosen plaintext attack (sIND-CPA) for ElGamal type cryptosystem.

Definition 4

(sIND-CPA in ElGamal type cryptosystem). An ElGamal type cryptosystem consists of five algorithms above. For an adversary \(\mathcal {A}\), we define the following experiment:

$$\begin{aligned}&\mathbf {Exp}_\mathcal {A,ETC}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )\\&\quad Y^*\leftarrow \mathcal {A}(\lambda );\\&\quad pp\leftarrow \mathcal {ETC}{.}\mathsf{Init}(\lambda );\\&\quad (pk,msk)\leftarrow \mathcal {ETC}{.}\mathsf{Setup}(pp);\\&\quad (m_0,m_1)\leftarrow \mathcal {A}^{\mathcal {O}_\mathsf{KeyGen}}(pp,pk);\\&\quad b\leftarrow \{0,1\};\\&\quad c^*\leftarrow \mathsf{Enc}(pk,Y^*,m_b);\\&\quad b'\leftarrow \mathcal {A}^{\mathcal {O}_\mathsf{KeyGen}(\cdot )}(c^*);\\&\quad \text{ If } b=b'\text { return }1\text { else return }0. \end{aligned}$$

\(\mathcal {O}_\mathsf{KeyGen}(\cdot )\) represents the key generation oracle which allows \(\mathcal {A}\) to query on attributes of keys \(X\in \mathcal {X}\) except \(R(X,Y^*)=1\) to return the secret key \(sk_X\) by running \(\mathcal {ETC}{.}\mathsf{KeyGen}(msk,X)\).

An ElGamal type cryptosystem is said to be sIND-CPA secure if for any probabilistic polynomial time adversary \(\mathcal {A}\), the following advantage is negligible:

$$\begin{aligned} \mathbf {Adv}_\mathcal {A,ETC}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=\big |\Pr [\mathbf {Exp}_\mathcal {A,ETC }^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=1]-1/2 \big | \end{aligned}$$

2.5 Candidates of ElGamal Type Cryptosystem

The IBE [1, 5, 8,9,10, 18, 28] and ABE [3, 6, 14, 20, 22, 24, 26, 30] schemes are the instantiations of ElGamal type cryptosystems. We demonstrate three candidates of them to illustrate the feasibility of our proposed ElGamal type cryptosystem.

IBE. Let rs denote random numbers over \(\mathbb {Z}_p\), \(\mathcal {I}\) be the identity space and \(\ell =\log _2\mathcal {I}\) be the length of message space. Waters’ IBE [28] is given below.

$$\begin{aligned}&pk = \left( \underline{e(g,g)^\alpha },u_0,u_1,...,u_\ell \right) ,\quad msk:=\left( \underline{\alpha }\right) ,\\&\textstyle sk_{id} =\left( \underline{g^\alpha \left( u_0\prod _{i\in \mathcal {V}}u_i\right) ^r}, \underline{g^r}\right) ,\\&\textstyle c_{id} =\left( \underline{m\cdot e(g,g)^{\alpha s}},\underline{g^s},\left( u_0\prod _{i\in \mathcal {V}}u_i\right) ^s\right) , \end{aligned}$$

where \(\mathcal {V}\in [\ell ]\) be the set of all i for which \(id[i]=1\).

KP-ABE. Let \(\varDelta _{i,\mathsf{J}}=\prod _{j\in \mathsf{J},j\ne i}\left( \frac{x-j}{i-j}\right) \) denote the Lagrange coefficient for \(x,i\in \mathbb {Z}_p\) and \(\mathsf{J}\subset \mathbb {Z}\), n denote the maximum size of attributes used in encryption, \(\mathbb {M}\) is a matrix over \(\mathbb {Z}_p\) with d rows and l columns, \(\rho \) is a mapping function that maps any number in the domain [d] to the attribute universe \(\varOmega \), \(\mathcal {S}=(A_1,A_2,...,A_k)\) is the attribute set and \(\left( \{r_i\}_{i\in [d]},s\right) \) represent random numbers in \(\mathbb {Z}_p\). Goyal et al’s KP-ABE [14] is described as follows.

$$\begin{aligned}&pk=\left( \underline{e(g,g)^\alpha },\{t_i\}_{i\in [n+1]}\right) ,\quad msk=(\underline{\alpha }),\\&sk_\mathbb {A}=\left( \{\underline{g^{\mathbb {M}_i\vec {u}_i}T(i)^{r_i}},\underline{g^{r_i}}\}_{i\in [d]}\right) ,\\&c_\mathcal {S}=\left( \underline{m\cdot e(g,g)^{\alpha s}},\underline{g^s},\{T(i)^s\}_{\rho (i)\in \mathcal {S}}\right) , \end{aligned}$$

where the vector \(\vec {u}\) is a random l dimensional vector over \(\mathbb {Z}_p\) s.t. \(\vec {1}\cdot \vec {u}=\alpha \) and \(T(x)=g^{x^n}\prod _{i=1}^{n+1}t_i^{\varDelta _{i,[n+1]}(x)}\) be a function to map any index \(x\in \mathbb {Z}_p\) to the element in \(\mathbb {G}\).

CP-ABE. Let \(\{\phi _i\}_{i\in [n]}\in \mathbb {Z}_p\) denote a set of random numbers, Rouselakis and Waters’ CP-ABE [24] is given below.

$$\begin{aligned}&pk=\left( \underline{e(g,g)^\alpha },u,h,w,v\right) ,\quad msk=(\underline{\alpha }),\\&sk_\mathcal {S}=\left( \underline{g^\alpha w^r},\underline{g^r},\{g^{r_i},(u^{A_i}h)^{r_i}v^{-r}\}_{\rho (i)\in \mathcal {S}}\right) ,\\&c_\mathbb {A}=\left( \underline{m\cdot e(g,g)^{\alpha s}},\underline{g^s},\{w^{\mathbb {M}_i\vec {u}_i}v^{\phi _i},(u^{\rho (i)}h)^{\phi _i},g^{\phi _i}\}_{i\in [d]}\right) , \end{aligned}$$

where \(\vec {u}\) is a l dimensional vector in the domain \(\mathbb {Z}_p\) s.t. \(\vec {u}=(s,u_2,...,u_l)\in \mathbb {Z}_p^{l}\) and \( r,\{r_i\}_{\rho (i)\in \mathcal {S}},\{\phi _i\}_{i\in [d]}\) are random numbers over \(\mathbb {Z}_p\). Note that referring to Definition 3, we set \(h(\alpha )=\alpha \) and \(f(pk,X)^r=w^r\) for above CP-ABE setting.

2.6 Tree-Based Revocation Mechanism

Naor et al. [21] introduced a tree-based revocation architecture to reduce the cost of generating and transmitting key updates from linear to logarithmic. Let st be the state representing the tree-based data structure, rl denote the revocation list recording identities of revoked users and the timestamp of revocation and t be the timestamp representing the current revocation epoch. By running subset-cover algorithm \(\mathsf{KUNode}(st,rl,t)\), the KGC can derive get the key updates for all non-revoked users with the logarithmic size. When a user wants to join the system, who will be assigned a random identifier \(id\in \mathcal {I}\) and an undefined leaf node in st will be labeled this identifier id. The revocation method only requires the user id to store the keys in \(\mathsf{Path}(id)\), where \(\mathsf{Path}(id)\) denotes nodes from the root to the leaf node id. The details of algorithm \(\mathsf{KUNode}(st,rl,t)\) are given in Algorithm 1.

figure a

3 Definition of Revocable ABE and Dual-Policy ABE

In this section, we introduce definitions of RABE and DP-ABE. Specifically, we first introduce the syntax and security model of RABE. Next, we introduce syntaxes of DP-ABE for both parallel and sequential settings and their corresponding security models. We should note that ElGamal type cryptosystem supports IBE which could be used to manage the timestamp in RABE to efficient revocation rather than ABE to manage the timestamp [25] causing high computation and communication costs. Note that our proposed scheme is easy to apply outsourced ABE [15] since the elegant construction of ElGamal-like encryption to reduce the cost of ciphertext decryption.

3.1 Revocable ABE

Definition 5

(RABE). An RABE \(\mathcal {RABE}\) with key attributes \(X,\bar{X}_t\in \mathcal {X}\times \bar{\mathcal {X}}_t\) that support ciphertext \(Y,\bar{Y}_t\in \mathcal {Y}\times \bar{\mathcal {Y}}_t\)Footnote 1, the bounded system lifetime \(\mathcal {T}\), an identifier space \(\mathcal {I}\), the number of system users \(\mathcal {N}\) and the message space \(\mathcal {M}\) consists of nine algorithms given below.

  • \(\mathcal {RABE}{.}\mathsf{Setup}(\lambda )\rightarrow (pk,msk,rl,st)\): The probabilistic setup algorithm takes parameter \(\lambda \in \mathbb {N}\) as input, and outputs a public key pk, a master secret key msk, a revocation list rl and a state st.

  • \(\mathcal {RABE}{.}\mathsf{KeyGen}(msk,st,X,id)\rightarrow (sk_{id},st)\): The probabilistic key generation algorithm takes the master secret key msk, the state st, the key attributes \(X\in \mathcal {X}\) and an identifier \(id\in \mathcal {I}\) as input, and outputs the secret key \(sk_{id}\) and the state st.

  • \(\mathcal {RABE}{.}\mathsf{KeyUpdate}(msk,st,\bar{X}_t,rl)\rightarrow ku_t\): The probabilistic key update algorithm takes the master secret key msk, the state st, the key attributes \(\bar{X}_t\in \bar{\mathcal {X}}\) associated the timestamp t, the time t and the revocation list rl as input, and outputs the key-updating material \(ku_t\).

  • \(\mathcal {RABE}{.}\mathsf{DKGen}(pk,sk_{id},ku_t)\rightarrow dk_{id,t}\): The probabilistic decryption key generation algorithm takes the public key pk, the secret key \(sk_{id}\) and key-updating material \(ku_t\) as input, and outputs the decryption key \(dk_{id,t}\).

  • \(\mathcal {RABE}{.}\mathsf{Enc}(pk,Y,\bar{Y}_t,m)\rightarrow c_{Y,\bar{Y}_t}\): The probabilistic encryption algorithm takes the public key pk, the ciphertext attribute \(Y\in \mathcal {Y}\), the ciphertext attribute \(\bar{Y}_t\in \bar{\mathcal {Y}}\) associated with the timestamp \(t\in \mathcal {T}\) and a message \(m\in \mathcal {M}\) as input, and outputs a ciphertext c.

  • \(\mathcal {RABE}{.}\mathsf{Dec}(pk,dk_{id,t},c_{Y,\bar{Y}})\rightarrow m\): The deterministic decryption algorithm takes the public key pk, the decryption key \(dk_{id,t}\) and a ciphertext \(c_{Y,\bar{Y}}\) as input, and outputs a message \(m\in \mathcal {M}\).

  • \(\mathcal {RABE}{.}\mathsf{Rev}(rl,id,t)\rightarrow rl\): The deterministic revocation algorithm takes the revocation list rl, an identifier \(id\in \mathcal {I}\) and the timestamp \(t\in \mathcal {T}\) as input, and outputs the revocation list rl.

3.2 Security Model of RABE

Definition 6

(sIND-CPA in RABE). An RABE consist of seven algorithms in above. For an adversary \(\mathcal {A}\), we define the following experiment:

$$\begin{aligned}&\mathbf {Exp}_{\mathcal {A,RABE}}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )\\&\quad (Y^*,\bar{Y}_{t^*})\leftarrow \mathcal {A}(\lambda );\\&\quad (pk,msk,rl,st)\leftarrow \mathcal {RABE}{.}\mathsf{Setup}(pp);\\&\quad (m_0,m_1)\leftarrow \mathcal {A}^\mathcal {O}(pp,pk);\\&\quad b\leftarrow \{0,1\};\\&\quad c^*\leftarrow \mathsf{Enc}(pk,Y^*,\bar{Y}_{t^*},m_b);\\&\quad b'\leftarrow \mathcal {A}^\mathcal {O}(c^*);\\&\quad \text{ If } b=b'\text { return }1\text { else return }0. \end{aligned}$$

\(\mathcal {O}\) is a set of oracles, \(\{ \mathcal {O}_{\mathsf{KeyGen}}(\cdot ,\cdot ), \mathcal {O}_{\mathsf{KeyUpdate}}(\cdot ,\cdot ), \mathcal {O}_{\mathsf{Rev}}(\cdot ,\cdot ),\) \( \mathcal {O}_{\mathsf{DKGen}}(\cdot ,\cdot ) \}\) and the details are given below:

  • \(\mathcal {O}_{\mathsf{KeyGen}}(\cdot ,\cdot )\) is the key generation oracle that allows \(\mathcal {A}\) to query key attribute \(X\in \mathcal {X}\) and an identifier \(id\in \mathcal {I}\), and it runs \(\mathcal {RABE}{.}\mathsf{KeyGen}(msk,st,X,id)\) to return the secret key \(sk_{id}\).

  • \(\mathcal {O}_{\mathsf{KeyUpdate}}(\cdot ,\cdot )\) is the key update oracle that allows \(\mathcal {A}\) to query key attributes \(\bar{X}_t\) associated with the time \(t\in \mathcal {T}\), and it runs \(\mathcal {RABE}{.}\mathsf{KeyUpdate}(msk,st,\bar{X}_t,\) rl) to return the key update \(ku_t\).

  • \(\mathcal {O}_\mathsf{Rev}(\cdot ,\cdot )\) is the revocation oracle that allows \(\mathcal {A}\) to query an identifier \(id\in \mathcal {I}\) and the time \(t\in \mathcal {T}\), and it runs \(\mathcal {RABE}{.}\mathsf{Rev}(rl,id,t)\) to update the revocation list rl.

  • \(\mathcal {O}_{\mathsf{DKGen}}(\cdot ,\cdot ,\cdot )\) is the decryption key generation oracle that allows \(\mathcal {A}\) to query key attributes \((X,\bar{X})\in \mathcal {X}\times \bar{\mathcal {X}}\), the timestamp \(t\in \mathcal {T}\) and an identifier \(id\in \mathcal {I}\), and it runs \(\mathcal {RABE}{.}\mathsf{DKGen}(pk,sk_{id},ku_t)\) to return the decryption key \(dk_{id,t}\) if the secret key \(sk_{id}\) and the key update \(ku_t\) are available. Otherwise, it first runs the key generation oracle and key update oracle to obtain the secret key \(sk_{id}\) and the key update \(ku_t\).

\(\mathcal {A}\) is allowed to issue above oracles with the following restrictions:

  1. 1.

    \(\mathcal {O}_{\mathsf{KeyUpdate}}(\cdot ,\cdot )\) and \(\mathcal {O}_{\mathsf{Rev}}(\cdot ,\cdot )\) can be queried at the time t which is greater than or equal to that of all previous queries.

  2. 2.

    \(\mathcal {O}_{\mathsf{Rev}}(\cdot ,\cdot )\) cannot be queried at the time t if \(\mathcal {O}_{\mathsf{KeyUpdate}}(\cdot )\) was queried at the time t.

  3. 3.

    If \(\mathcal {O}_{\mathsf{KeyGen}}(\cdot ,\cdot )\) was queried on an identifier \(id\in \mathcal {I}\) with key attributes \(X\in \mathcal {X}\) s.t. \(R(X,Y^*)=1\), then \(\mathcal {O}_\mathsf{Rev}(\cdot ,\cdot )\) must be queried on this identifier id at the time \(t\le t^*\).

  4. 4.

    \(\mathcal {O}_{\mathsf{DKGen}}(\cdot ,\cdot )\) cannot be queried on any identifier \(id\in \mathcal {I}\) with the key attributes \(X\in \mathcal {X}\) s.t. \(R(X,Y^*)=1\) at the challenge time \(t^*\) or any identifier \(id\in \mathcal {I}\) has been revoked.

An RABE scheme is said to be sIND-CPA secure if for any probabilistic polynomial time adversary \(\mathcal {A}\), the following advantage is negligible:

$$\begin{aligned} \mathbf {Adv}_{\mathcal {A,RABE}}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=\big |\Pr [\mathbf {Exp}_{\mathcal {A,RABE}}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=1]-1/2\big |. \end{aligned}$$

3.3 Definition of DP-ABE

Definition 7

(DP-ABE). Dual-Policy Attribute-Based Encryption \(\mathcal {DP}\) with key attributes \((X,\bar{X})\in \mathcal {X}\times \bar{\mathcal {X}}\) that support ciphertext attributes \((Y,\bar{Y})\in \mathcal {Y}\times \bar{\mathcal {Y}}\) and the message space \(\mathcal {M}\) consists of following four algorithms:

  • \(\mathcal {DP}{.}\mathsf{Setup}(\lambda )\rightarrow (pk,msk)\): The probabilistic setup algorithm takes as input the security parameter \(\lambda \in \mathbb {N}\), and outputs the public key pk and the master secret key msk.

  • \(\mathcal {DP}{.}\mathsf{KeyGen}(msk,X,\bar{X})\rightarrow sk_{X,\bar{X}}\): The key generation algorithm takes as input the master secret key msk, the key attributes \((X,\bar{X})\in \mathcal {X}\times \bar{\mathcal {X}}\), and outputs the secret key \(sk_{X,\bar{X}}\).

  • \(\mathcal {DP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\rightarrow c_{Y,\bar{Y}}\): The encryption algorithm takes as input the public key pk, the ciphertext attributes \((Y,\bar{Y})\in \mathcal {Y}\times \bar{\mathcal {Y}}\) and the message \(m\in \mathcal {M}\), and outputs the ciphertext \(c_{Y,\bar{Y}}\).

  • \(\mathcal {DP}{.}\mathsf{Dec}(sk_{X,\bar{X}},c_{Y,\bar{Y}})\rightarrow m\): The decryption algorithm takes as input the secret key \(sk_{X,\bar{X}}\) and the ciphertext \(c_{Y,\bar{Y}}\), and outputs the message \(m\in \mathcal {M}\).

Definition 8

(Correctness of Parallel DP-ABE). Let \(\mathcal {PDP}\) denote a parallel DP-ABE scheme. The consistency condition requires for all \(\lambda \in \mathbb {N}\), the public key pk and the master secret key msk output by setup algorithm, \(m\in \mathcal {M}\) and \(\left( R(X,Y)\vee \bar{R}(\bar{X},\bar{Y})\right) =1\), we then have

$$\begin{aligned} \mathcal {PDP}{.}\mathsf{Dec}\left( sk_{X,\bar{X}},\mathcal {PDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\right) =m. \end{aligned}$$

Definition 9

(Correctness of Sequential DP-ABE). Let \(\mathcal {SDP}\) denote a sequential DP-ABE scheme. The consistency condition requires for all \(\lambda \in \mathbb {N}\), the public key pk and the master secret key msk output by setup algorithm, \(m\in \mathcal {M}\), and \(R(X,Y)=\bar{R}(\bar{X},\bar{Y})=1\), we then have

$$\begin{aligned} \mathcal {SDP}{.}\mathsf{Dec}\left( sk_{X,\bar{X}},\mathcal {SDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\right) =m. \end{aligned}$$

3.4 Security Model of DP-ABE

Definition 10

(sIND-CPA in Parallel DP-ABE). A parallel DP-ABE \(\mathcal {PDP}\) consists of four algorithms in above. For an adversary \(\mathcal {A}\), we define the following experiment:

$$\begin{aligned}&\mathbf {Exp}_{\mathcal {A,PDP}}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )\\&\quad (Y^*,\bar{Y}^*)\leftarrow \mathcal {A}(\lambda );\\&\quad (pk,msk)\leftarrow \mathcal {PDP}{.}\mathsf{Setup}(\lambda );\\&\quad (m_0,m_1)\leftarrow \mathcal {A}^{\mathcal {O}_\mathsf{KeyGen}}(pk);\\&\quad b\leftarrow \{0,1\};\\&\quad c^*\leftarrow \mathcal {PDP}{.}\mathsf{Enc}(pk,Y^*,\bar{Y}^*,m_b);\\&\quad b'\leftarrow \mathcal {A}^{\mathcal {O}_\mathsf{KeyGen}}(c^*);\\&\quad \text{ If } b=b' \text{ return } 1 \text{ else } \text{ return } 0. \end{aligned}$$

\(\mathcal {O}_\mathsf{KeyGen}(\cdot ,\cdot )\) is the key generation oracle that allows \(\mathcal {A}\) to query on any key attributes \(X,\bar{X}\in \mathcal {X}\times \bar{\mathcal {X}}\) s.t. \(R(X,Y^*)=\bar{R}(\bar{X},\bar{Y}^*)=0\), and returns the secret key \(sk_{X,\bar{X}}\) by running \(\mathcal {PDP}.\) KeyGen\((msk,X,\bar{X})\).

A parallel DP-ABE is said to be sIND-CPA secure if for any probabilistic polynomial time adversary \(\mathcal {A}\), the following advantage is negligible:

$$\begin{aligned} \mathbf {Adv}_\mathcal {A,PDP}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=\big |\Pr [\mathbf {Exp}_\mathcal {A,PDP}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=1]-1/2 \big |. \end{aligned}$$

Definition 11

(sIND-CPA in Sequential DP-ABE). A sequential DP-ABE \(\mathcal {SDP}\) consists of four algorithms in above. For an adversary \(\mathcal {A}\), we define the following experiment:

$$\begin{aligned}&\mathbf {Exp}_{\mathcal {A,SDP}}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )\\&\quad (Y^*,\bar{Y}^*)\leftarrow \mathcal {A}(\lambda );\\&\quad (pk,msk)\leftarrow \mathcal {SDP}{.}\mathsf{Setup}(\lambda );\\&\quad (m_0,m_1)\leftarrow \mathcal {A}^{\mathcal {O}_\mathsf{KeyGen}}(pk);\\&\quad b\leftarrow \{0,1\};\\&\quad c^*\leftarrow \mathcal {SDP}{.}\mathsf{Enc}(pk,Y^*,\bar{Y}^*,m_b);\\&\quad b'\leftarrow \mathcal {A}^{\mathcal {O}_\mathsf{KeyGen}}(c^*);\\&\quad \text{ If } b=b' \text{ return } 1 \text{ else } \text{ return } 0. \end{aligned}$$

\(\mathcal {O}_\mathsf{KeyGen}(\cdot ,\cdot )\) is the key generation oracle that allows \(\mathcal {A}\) to query on any key attributes \(X,\bar{X}\in \mathcal {X}\times \bar{\mathcal {X}}\) except \(R(X,Y^*)=\bar{R}(\bar{X},\bar{Y}^*)=1\), and returns the secret key \(sk_{X,\bar{X}}\) by running \(\mathcal {SDP}{.}\) KeyGen\((msk,X,\bar{X})\).

A sequential DP-ABE is said to be sIND-CPA secure if for any probabilistic polynomial time adversary \(\mathcal {A}\), the following advantage is negligible:

$$\begin{aligned} \mathbf {Adv}_\mathcal {A,SDP}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=\big |\Pr [\mathbf {Exp}_\mathcal {A,SDP}^{\mathsf{sIND}\text{- }\mathsf{CPA}}(\lambda )=1]-1/2 \big |. \end{aligned}$$

4 Proposed Schemes

4.1 Generic Construction of Revocable ABE

Let \(\mathcal {ETC}\) and \(\mathcal {ETC}_{t}\) are ElGamal type cryptosystems. The generic construction of RABE \(\mathcal {RABE}\) are described as follows.

  • \(\mathcal {RABE}{.}\mathsf{Setup}(\lambda )\): The setup algorithm initializes an empty revocation list \(rl\leftarrow \emptyset \) and a state based on the binary tree BT with \(\mathcal {N}\) leaf nodes, where \(\mathcal {N}\) is the number of system users. The algorithm follows \(\mathcal {SDP}{.}\mathsf{Setup}(\lambda )\) to generate the public key pk and the master secret key msk.

  • \(\mathcal {RABE}{.}\mathsf{KeyGen}(msk,st,X,id)\): The key generation algorithm chooses an unassigned leaf node from the binary tree \(\mathsf{BT}\) and stores id in this node. For each node \(\theta \in \mathsf{Path}(id)\):

    • Fetch \(\alpha _\theta \) from the node \(\theta \). If \(\alpha _\theta \) is not available, it randomly chooses \(\alpha _\theta \in \mathbb {Z}_p\), and updates the state \(st\leftarrow st\cup (\theta ,\alpha _\theta )\).

    • Run \(\mathcal {ETC}{.}\mathsf{KeyGen}(\alpha _\theta ,X)\rightarrow sk_{\theta }\).

    The key generation algorithm returns the secret key \(sk_{id}=\{sk_{\theta }\}_{\theta \in \mathsf{Path}(id)}\) and the updated state st.

  • \(\mathcal {RABE}{.}\mathsf{KeyUpdate}(msk,st,\bar{X}_t,rl)\rightarrow ku_t\): Pases \(\bar{X}_t\) is the key attributes based on the timestamp \(t\in \mathcal {T}\). For each node \(\theta \in \mathsf{KUNodes}(st,rl,t)\):

    • Fetch \(\alpha _\theta \) (\(\alpha _\theta \) always predefined in the key generation algorithm).

    • Run \(\mathcal {ETC}_t{.}\mathsf{KeyGen}(\alpha -\alpha _\theta ,\bar{X}_t)\rightarrow sk_{t,\theta }\), where \(\alpha \) is the master secret key.

    The key update algorithm returns \(ku_t=\{sk_{t,\theta }\}_{\theta \in \mathsf{KUNodes}(st,rl,t)}\).

  • \(\mathcal {RABE}{.}\mathsf{DKGen}(pk,sk_{id},ku_t)\rightarrow dk_{id,t}\): Let \(\mathsf{I}\) and \(\mathsf{J}\) denote sets \(\mathsf{Path}(id)\) and \(\mathsf{KUNodes}(st,rl,t)\), respectively. For \(\theta \in \mathsf{I}\cap \mathsf{J}\), the algorithm chooses a serial of random values to re-randomize the keys \((sk_\theta ,sk_{t,\theta })\) and returns the decryption key \(dk_{id}=(sk_\theta ,sk_{t,\theta })\).

  • \(\mathcal {RABE}{.}\mathsf{Enc}(pk,Y,\bar{Y}_t,m)\rightarrow c_{Y,\bar{Y}_t}\): Same as \(\mathcal {SDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\).

  • \(\mathcal {RABE}{.}\mathsf{Dec}(pk,dk_{id,t},c_{Y,\bar{Y}_t})\rightarrow m\): Same as \(\mathcal {SDP}{.}\mathsf{Dec}(dk_{id,t},c_{Y,\bar{Y}_t})\).

  • \(\mathcal {RABE}{.}\mathsf{Rev}(rl,id,t)\rightarrow rl\): The revocation algorithm returns the revocation list rl as \(rl\leftarrow rl\cup (id,t)\).

Theorem 1

If the underlying ElGamal type cryptosystems \(\mathcal {ETS}_1\) and \(\mathcal {ETS}_2\) are secure, the proposed generic construction is secureFootnote 2.

4.2 Generic Construction of Parallel DP-ABE

Let \(\mathcal {ETC}_\mathsf{kp}\) and \(\mathcal {ETC}_\mathsf{cp}\) are ElGamal type cryptosystems based on KP-ABE and CP-ABE, respectively. The generic construction of parallel DP-ABE \(\mathcal {PDP}\) are described as follows.

  • \(\mathcal {PDP}{.}\mathsf{Setup}(\lambda )\): The setup algorithm runs

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {ETC}_\mathsf{kp}{.}\mathsf{Init}(\lambda )\rightarrow pp_\mathsf{kp}, or\\ \mathcal {ETC}_\mathsf{cp}{.}\mathsf{Init}(\lambda )\rightarrow pp_\mathsf{cp}. \end{array}\right. } \end{aligned}$$

    to obtain the description of bilinear group as the public parameter pp, where \(pp_\mathsf{kp}=pp_\mathsf{cp}=\mathcal {G}(\lambda )\) by the definition of ElGamal type cryptosystem. The algorithm also runs

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {ETC}_\mathsf{kp}{.}\mathsf{Setup}(pp)\rightarrow (pk_\mathsf{kp}, msk_\mathsf{kp}), and\\ \mathcal {ETC}_\mathsf{cp}{.}\mathsf{Setup}(pp)\rightarrow (pk_\mathsf{cp}, msk_\mathsf{cp}). \end{array}\right. } \end{aligned}$$

    to obtain the master secret key \(\alpha \), where \(msk_\mathsf{kp}=msk_\mathsf{cp}=\alpha \) by the definition of ElGamal type cryptosystem. The setup algorithm outputs

    $$\begin{aligned} pk=(pp,pk_\mathsf{kp},pk_\mathsf{cp}),\quad msk=(\alpha ). \end{aligned}$$

  • \(\mathcal {PDP}{.}\mathsf{KeyGen}(msk,X,\bar{X})\): Parse X is the access structure in KP-ABE and \(\bar{X}\) is attribute set in CP-ABE. The key generation algorithm runs

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {ETC}_\mathsf{kp}{.}\mathsf{KeyGen}(\alpha ,X)\rightarrow sk_{X}, and\\ \mathcal {ETC}_\mathsf{cp}{.}\mathsf{KeyGen}(\alpha ,\bar{X})\rightarrow sk_{\bar{X}}. \end{array}\right. } \end{aligned}$$

    The key generation algorithm outputs the secret key \(sk_{X,\bar{X}}=(sk_X,sk_{\bar{X}})\).

  • \(\mathcal {PDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\): Parse Y is the attribute set in KP-ABE and \(\bar{Y}\) is the access structure in CP-ABE. The encryption algorithm runs

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {ETC}_\mathsf{kp}{.}\mathsf{Enc}(pk_\mathsf{kp},Y,m)\rightarrow c_{Y}, and\\ \mathcal {ETC}_\mathsf{cp}{.}\mathsf{Enc}(pk_\mathsf{cp},\bar{Y},m)\rightarrow c_{\bar{Y}}. \end{array}\right. } \end{aligned}$$

    By the definition of ElGamal type cryptosystem, we have

    $$\begin{aligned} c_Y=(c_Y^{(0)},c_Y^{(1)},c_Y^{(2)})\ and\ c_{\bar{Y}}=(c_{\bar{Y}}^{(0)},c_{\bar{Y}}^{(1)},c_{\bar{Y}}^{(2)}), \end{aligned}$$

    where \(c_{Y}^{(0)} = c_{\bar{Y}}^{(0)}=m\cdot e(g,g)^{\alpha s}\) and \(c_{Y}^{(1)} = c_{\bar{Y}}^{(1)}=g^s\). The encryption algorithm outputs the ciphertext \(c_{Y,\bar{Y}}=(m\cdot e(g,g)^{\alpha s},g^s,c_{Y}^{(2)},c_{\bar{Y}}^{(2)})\).

  • \(\mathcal {PDP}{.}\mathsf{Dec}(sk_{X,\bar{X}},c_{Y,\bar{Y}})\): The decryption algorithm runs

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {ETC}_\mathsf{kp}{.}\mathsf{Dec}(pk_\mathsf{kp},sk_{X},c_{Y})\rightarrow m \text{ if } R(X,Y)=1,\\ \mathcal {ETC}_\mathsf{cp}{.}\mathsf{Dec}(pk_\mathsf{cp},sk_{\bar{X}},c_{\bar{Y}})\rightarrow m \text{ if } \bar{R}(\bar{X},\bar{Y})=1. \end{array}\right. } \end{aligned}$$

    The decryption algorithm returns the message m.

Theorem 2

If the underlying ElGamal type cryptosystems \(\mathcal {ETC}_\mathsf{kp}\) and \(\mathcal {ETC}_\mathsf{cp}\) are secure, the proposed generic construction of parallel DP-ABE is secure.

4.3 Generic Construction of Sequential DP-ABE

Let \(\mathcal {ETC}_\mathsf{kp}\) and \(\mathcal {ETC}_\mathsf{cp}\) are ElGamal type cryptosystems based on KP-ABE and CP-ABE, respectively. The generic construction of parallel DP-ABE \(\mathcal {SDP}\) are described as follows.

  • \(\mathcal {SDP}{.}\mathsf{Setup}(\lambda )\): Same as \(\mathcal {PDP}{.}\mathsf{Setup}(\lambda )\).

  • \(\mathcal {SDP}{.}\mathsf{KeyGen}(msk,X,\bar{X})\): Parse X is the access structure in KP-ABE and \(\bar{X}\) is attribute set in CP-ABE. The key generation algorithm randomly picks \(\alpha '\in \mathbb {Z}_p\) and runs

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {ETC}_\mathsf{kp}{.}\mathsf{KeyGen}(\alpha ',X)\rightarrow sk_{X}, and\\ \mathcal {ETC}_\mathsf{cp}{.}\mathsf{KeyGen}(\alpha -\alpha ',\bar{X})\rightarrow sk_{\bar{X}}. \end{array}\right. } \end{aligned}$$

    The key generation algorithm outputs the secret key \(sk_{X,\bar{X}}=(sk_X,sk_{\bar{X}})\).

  • \(\mathcal {SDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\): Same as \(\mathcal {PDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\).

  • \(\mathcal {SDP}{.}\mathsf{Dec}(sk_{X,\bar{X}},c_{Y,\bar{Y}})\): The decryption algorithm runs the sub-decryption algorithms

    $$\begin{aligned} {\left\{ \begin{array}{ll} \mathcal {D}_\mathsf{kp}(sk_{X},g^s,c_{Y}^{(2)})\rightarrow e(g,g)^{\alpha 's},\\ \mathcal {D}_\mathsf{cp}(sk_{\bar{X}},g^s,c_{\bar{Y}}^{(2)})\rightarrow e(g,g)^{(\alpha -\alpha ')s}. \end{array}\right. } \end{aligned}$$

    The decryption algorithm outputs the message \(m=m\cdot e(g,g)^{\alpha s}/e(g,g)^{\alpha s}\).

Theorem 3

If the underlying ElGamal type cryptosystems \(\mathcal {ETC}_\mathsf{kp}\) and \(\mathcal {ETC}_\mathsf{cp}\) are secure, the proposed generic construction of parallel DP-ABE is secure.

5 Instantiations Based on ElGamal Type Cryptosystem

5.1 Instantiations of RABE

By applying the generic construction in Sect. 4.1, we can build the concrete instantiation of key-policy RABE and ciphertext RABE, and even revocable DP-ABE by dividing the master secret key into three pieces for \((X,\bar{X},t)\), where \((X,\bar{X})\) are key attributes in DP-ABE and t is for managing user revocation. There are many concrete RABE schemes based on ElGamal type schemes. For example, the RABE with decryption key exposure resistance [31] are based on [14], and [24], the KP-ABE with efficient revocation mechanism and decryption key exposure resistance [32] are based on [14] and [28], and the CP-ABE with efficient revocation mechanism and decryption key exposure resistance [33] are based on [24] and [28]. We omit the detailed construction here since our paper focus on argue that any ElGamal type scheme as in Definition 3 can be used to build secure RABE schemes and dual-policy ABE, respectively.

5.2 An Instantiation of Parallel DP-ABE

By applying the generic construction in Sect. 4.2, we give an instantiation of parallel DP-ABE based on [14] and [24] as follows.

  • \(\mathcal {PDP}{.}\mathsf{Setup}(\lambda )\): Run \(\mathcal {G}(\lambda )\) to obtain \((p,g,\mathbb {G},\mathbb {G}_T)\). Pick \(u,h,w,v,\{t_i\}_{i\in [n+1]}\in \mathbb {G}\) and \(\alpha \in \mathbb {Z}_p\). Output

    $$\begin{aligned} pk=(p,g,\mathbb {G},\mathbb {G}_T,e(g,g)^\alpha ,u,h,w,v,\{t_i\}_{i\in [n+1]}),\quad msk=(\alpha ). \end{aligned}$$

  • \(\mathcal {PDP}{.}\mathsf{KeyGen}(msk,X,\bar{X})\): Parse \(X=(\mathbb {M}_\mathsf{kp},\rho _\mathsf{kp})\) and \(\bar{X}=(A_\mathsf{cp}^{(1)},...,A_\mathsf{cp}^{(k_\mathsf{cp})})\). Compute \(sk_X=(\{g^{\mathbb {M}_{\mathsf{kp},i}\vec {u}_i}T(i)^{r_i},g^{r_i}\}_{i\in [d_\mathsf{kp}]})\), where \(\mathbb {M}_\mathsf{kp}\) has \(d_\mathsf{kp}\) rows and \(l_\mathsf{kp}\) columns, and \(\vec {1}\cdot \vec {u}=\alpha \). Compute \(sk_{\bar{X}}=(g^{\alpha } w^r,g^r,\{g^{r_j},(u^{A_\mathsf{cp}^{(j)}}h)^{r_j}v^{-r}\}_{j\in [k_\mathsf{cp}]})\), where \(r,\{r_j\}_{j\in [k_\mathsf{cp}]}\in \mathbb {Z}_p\). Output \(sk_{X,\bar{X}}=(sk_X,sk_{\bar{X}})\).

  • \(\mathcal {PDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\): Parse \(Y=(A_\mathsf{kp}^{(1)},A_\mathsf{kp}^{(2)},...,A_\mathsf{kp}^{(k_\mathsf{kp})})\) and \(\bar{Y}=(\mathbb {M}_\mathsf{cp},\rho _\mathsf{cp})\). Pick \(\vec {u}=(s,\vec {u}_2,...,\vec {u}_l)\in \mathbb {Z}_p^l\) and compute

    $$\begin{aligned} c_{Y}^{(3)}=(\{T(i)^s\}_{i\in [k_\mathsf{kp}]}),\quad c_{\bar{Y}}^{(3)}=(\{w^{\mathbb {M}_{\mathsf{cp},j}\vec {u}_j}v^{\phi _j},(u^{\rho (i)}h)^{\phi _i},g^{\phi _j}\}_{j\in [d_\mathsf{cp}]}), \end{aligned}$$

    where \(\mathbb {M}_\mathsf{cp}\) has \(d_\mathsf{cp}\) rows and \(l_\mathsf{cp}\) columns, \(\{\phi _j\}_{j\in [d_\mathsf{cp}]}\in \mathbb {Z}_p\). Output

    $$\begin{aligned} c_{Y,\bar{Y}}=(m\cdot e(g,g)^{\alpha s},g^s,c_{Y}^{(3)},c_{\bar{Y}}^{(3)}). \end{aligned}$$

  • \(\mathcal {PDP}{.}\mathsf{Dec}(sk_{X,\bar{X}},c_{Y,\bar{Y}})\): If \(R(X,Y)=1\), there exist \(I:\{i:\rho _\mathsf{kp}(i)\in \mathcal {S}_\mathsf{kp}\}\) and take \(\vec {u}\) s.t. \(\sum _{i\in I}\mathbb {M}_{\mathsf{kp},i}\vec {u}_i=\vec {1}\). Compute

    $$\begin{aligned} \prod _{i\in I}\left( \frac{e(g^{\mathbb {M}_{\mathsf{kp},i}\vec {u}_i}T(i)^{r_i},g^s)}{e(T(i)^s,g^{r_i})}^{\vec {u}_i} \right) =e(g,g)^{\alpha s}. \end{aligned}$$

    If \(\bar{R}(\bar{X},\bar{Y})=1\), there exist \(J=\{j:\rho _\mathsf{cp}(j)\in \mathcal {S}_\mathsf{cp} \}\) and take \(\vec {u}\) s.t. \(\sum _{j\in J}\mathbb {M}_{\mathsf{cp},j}\vec {u}_j=\vec {1}\). Also, compute

    $$\begin{aligned} \prod _{j\in J}\frac{e(g^s,g^{\alpha }w^r)}{ \left( e(w^{\mathbb {M}_{\mathsf{cp},j}\vec {u}_j}v^{\phi _j},g^r) e((u^{\rho (i)}h)^{\phi _i},g^{r_j}) e(g^{\phi _j},(u^{A_\mathsf{cp}^{(j)}}h)^{r_j}v^{-r})\right) ^{\vec {u}_j} }=e(g,g)^{\alpha s}. \end{aligned}$$

    Output \(m={m\cdot e(g,g)^{\alpha s}}/{e(g,g)^{\alpha s}}\).

5.3 An Instantiation of Sequential DP-ABE

By applying the generic construction in Sect. 4.3, we give an instantiation of sequential DP-ABE based on [14] and [24] as follows.

  • \(\mathcal {SDP}{.}\mathsf{Setup}(\lambda )\): Same as \(\mathcal {PDP}{.}\mathsf{Setup}(\lambda )\).

  • \(\mathcal {SDP}{.}{\mathsf{KeyGen}(msk,X,\bar{X})}\): Parse \(X=(\mathbb {M}_\mathsf{kp},\rho _\mathsf{kp})\) and \(\bar{X}=(A_\mathsf{cp}^{(1)},...,A_\mathsf{cp}^{(k_\mathsf{cp})})\). Compute \(sk_{X}=(\{g^{\mathbb {M}_{\mathsf{kp},i}\vec {u}_i}T(i)^{r_i},g^{r_i}\}_{i\in [d_\mathsf{kp}]})\), where \(\mathbb {M}_\mathsf{kp}\) has \(d_\mathsf{kp}\) rows and \(l_\mathsf{kp}\) columns, \(\alpha ',\{r_{i}\}_{i\in [d_\mathsf{kp}]}\in \mathbb {Z}_p\) and \(\vec {1}\cdot \vec {u}=\alpha '\). Also, compute \(sk_{\bar{X}}=(g^{\alpha -\alpha '} w^r,g^r,\{g^{r_j},(u^{A_\mathsf{cp}^{(j)}}h)^{r_j}v^{-r}\}_{j\in [k_\mathsf{cp}]})\), where \(r,\{r_j\}_{j\in [k_\mathsf{cp}]}\in \mathbb {Z}_p\). Output \(sk_{X,\bar{X}}=(sk_X,sk_{\bar{X}})\).

  • \(\mathcal {SDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\): Same as \(\mathcal {PDP}{.}\mathsf{Enc}(pk,Y,\bar{Y},m)\).

  • \(\mathcal {SDP}{.}\mathsf{Dec}(sk_{X,\bar{X}},c_{Y,\bar{Y}})\): If \(R(X,Y)=1\), there exist \(I:\{i:\rho _\mathsf{kp}(i)\in \mathcal {S}_\mathsf{kp}\}\) and take \(\vec {u}\) s.t. \(\sum _{i\in I}\mathbb {M}_{\mathsf{kp},i}\vec {u}_i=\vec {1}\). Compute

    $$\begin{aligned} \prod _{i\in I}\left( \frac{e(g^{\mathbb {M}_{\mathsf{kp},i}\vec {u}_i}T(i)^{r_i},g^s)}{e(T(i)^s,g^{r_i})}^{\vec {u}_i} \right) =e(g,g)^{\alpha 's}. \end{aligned}$$

    If \(R(\bar{X},\bar{Y})=1\), there exist \(J=\{j:\rho _\mathsf{cp}(j)\in \mathcal {S}_\mathsf{cp} \}\) and take \(\vec {u}\) s.t. \(\sum _{j\in J}\mathbb {M}_{\mathsf{cp},j}\vec {u}_j=\vec {1}\). Also, compute

    $$\begin{aligned} \prod _{j\in J}\frac{e(g^s,g^{\alpha -\alpha '}w^r)}{ \left( e(w^{\mathbb {M}_{\mathsf{cp},j}\vec {u}_j}v^{\phi _j},g^r) e((u^{\rho (i)}h)^{\phi _i},g^{r_j}) e(g^{\phi _j},(u^{A_\mathsf{cp}^{(j)}}h)^{r_j}v^{-r})\right) ^{\vec {u}_j} }=e(g,g)^{(\alpha -\alpha ')s}. \end{aligned}$$

    Output \(m = {m\cdot e(g,g)^{\alpha s}}/({e(g,g)^{\alpha 's}\cdot e(g,g)^{(\alpha -\alpha ')s}})\).

6 Efficiency Analysis

To our knowledge, only few literature investigate DP-ABE [2, 4]. Compared with our proposed scheme, as shown in Table 1, our schemes have better performances than AI09 [2] and less efficient then AY15 [4]. However, to achieve adaptive security, AY15 is in the composite-order group which is less efficientFootnote 3 since it will incur heavy workload to process data, even transmission bandwidth. Our proposed scheme applies prime-order group and has the same complexity to the existing DP-ABE schemes except for the space complexity of system parameter. In our scheme, the component of KP-ABE is based on [14] and the part of CP-ABE is based [24], where [14] has the linear space complexity on the public parameter and [24] has the constant-size public parameter. Hence, our scheme only has better space complexity on the system parameter than AI09. Although AY15 has the constant-size public parameter, the composite-order group will lead to a heavy workload.

Table 1. Theoretical analysis of DP-ABE scheme
Full size table

For experimental analysis, we focus on evaluating AI09 and our schemes since the AY15 based on the inefficient composite-order group. Our experimental simulation was performed on a PC running 64-bit Windows 10 with 3.60 GHz Intel(R) Core(TM) i7-4790 CPU and 24 GB memory. We have implemented AI09 and our schemes in Java using JPBE library [19] with Type A elliptic curve and symmetric pairing setting from “a properties” provided by JPBE library. Hence, our scheme, p is a 160-bit prime number, and elements in \(\mathbb {G}\) and \(\mathbb {G}_T\) have 512-bit and 1024-bit, respectively. The experimental results are presented in Fig. 3.

Fig. 3.
figure 3

Experimental performance

Full size image

Figure 3a presents the experimental performances of the system initialization by increasing the maximum number of attribute set allowed to be assigned to a key and a ciphertext. Our proposed schemes are much more efficient than AI09, which only take half of the computational time in AI09. Figure 3b performs the ms key generation, the tendency is continually increasing based on the improvement of the maximum number of attribute set and policies allowed to be assigned to keys, and our proposed schemes have the lower growth rate. Figure 3c demonstrates the performances of encryption, the tendency of encryption is similar to the experimental result in the key generation. Figure 3d presents the results of decryption. Our PDP-ABE has a better performance than others since it only requires one of key-policy and ciphertext-policy to process the decryption algorithm, which takes half of the computational cost in SDP-ABE.

Overall, the results are similar to what we expected performances in Table 1. Therefore, our scheme has better performance than the existing DP-ABE based on the prime-order group.

7 Conclusion

We resisted IBE and ABE schemes and presented a new cryptographic primitive called ElGamal type cryptosystem. ElGamal type cryptosystem is a useful primitive for designing a variety of ABE schemes. In this paper, we present generic constructions of RABE with decryption key exposure resistance and DP-ABE with parallel and sequential settings and the corresponding security proofs. We also provide instantiations of these schemes and the experimental data of DP-ABE to demonstrate high performances of our proposed schemes.