Abstract
Attribute-based encryption is one of the most suitable access control mechanisms for modern data sharing models. To provide better performance, many attribute-based encryption schemes are constructed without pairings. However, these schemes either have no security proofs or are broken. In this manuscript, we give the cryptanalysis of two key-policy attribute-based encryption schemes for weighted threshold gates. We propose two attack methods: the first is able to generate valid private keys without the master secret key, and the second is able to recover the master secret key when an attacker gathers a sufficient number of private keys. Moreover, an improved scheme is given in this manuscript. We also present a security analysis to show that our improved scheme fixes the security flaws with only one pairing added.
1 Introduction
In the era of cloud computing, multi-user scenarios have become increasingly common, and traditional one-to-one encryption mechanisms, such as RSA [13] and ElGamal encryption [3], are no longer suitable for applications nowadays. As a result, many cryptographers are turning to attribute-based encryption (ABE) [4, 20] as a solution.
ABE is a type of encryption that enables access control based on attributes, rather than specific identities. This makes it ideal for multi-user scenarios where different users may have varying access rights based on their attributes. For example, in a financial setting, employees with different roles may require different levels of access to sensitive data.
While ABE has many advantages over traditional encryption methods, one of the main challenges is reducing the computational complexity involved in the encryption and decryption process. In response to this challenge, many pairing-free ABE schemes [1, 2, 8, 9, 11, 12, 14, 15, 16, 19, 21], i.e. schemes built over elliptic curves, have been proposed to simplify the process. Unfortunately, these schemes have all been shown to be insecure. In 2017, Herranz [6] broke the schemes of [11, 12]. In 2020, Tseng and Huang demonstrated a collusion attack on [2, 19], and Herranz [7] further gave a cryptanalysis of [2, 8, 9, 15, 16, 21]. Later in 2021, Tseng [17] gave an attack method against [15] so that in [15] a ciphertext can be decrypted by an unauthorized user.
In this manuscript, we further present the cryptanalysis of two pairing-free ABE schemes, [5, 10]. Both schemes are in the key-policy setting, i.e., an access structure is associated with the private key, and an attribute set is related to the ciphertext. The access structures supported by both schemes are weighted threshold gates \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\), which can be satisfied by a set of weighted attributes if the summation of the weights is greater than a pre-defined threshold value k. Unfortunately, we found that both [5, 10] are insecure. In this manuscript, we propose two attack methods, which can be applied to both ABE schemes due to the structural similarity between [5, 10]. Our first attack allows a malicious user with a private key for \((\mathbb {A}^{\textsf{WT}}_{1, n}, \textsf{S}_K)\) to compute a private key for \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\) without knowledge of the master secret key. Furthermore, our second attack method allows an attacker colluding with several users to recover the master secret key. Moreover, an improved scheme to fix the security flaws is also given in this manuscript.
1.1 Organization
The rest of the manuscript is organized as follows. In Sect. 2, we introduce the preliminaries for our work, including notations, complexity assumptions, the definition of ABE, etc. In Sect. 3, we briefly review the scheme of [5] and present our two proposed attacks on [5]. An improved scheme is demonstrated in Sect. 4. For [10], we only give a high-level description of the scheme and the cryptanalysis, in order to avoid unnecessary duplication. Finally, we conclude our work in Sect. 6.
2 Preliminaries
In this section, we give the notation used in this manuscript, and the definition of key-policy attribute-based encryption for weighted threshold gate (KP-ABE-WT).
2.1 Notations
The notations used in this manuscript are listed as follows.
- For a set S, by “\(x\xleftarrow {\$} S\)” we mean uniformly randomly choose an element x from S.
- For an algorithm A, we denote by “\(y\leftarrow A\)” that y is the output obtained by running A.
- By PPT we mean “probabilistic polynomial-time”.
- By [n, m] for some integers \(n \le m\), we mean \(\{n, n+1, \dots , m\}\).
- A function \(f: \mathbb {N} \rightarrow \mathbb {R}\) is said to be negligible in n, if for every \(k \in \mathbb {N}\), there is \(n_0 \in \mathbb {N}\) such that for every \(n \ge n_0, |f(n)|< \frac{1}{n^k}\).
2.2 Bilinear Maps and Complexity Assumption
Let \(\mathbb {G}\) and \(\mathbb {G}_T\) be multiplicative groups with prime order p. Let g be a generator of \(\mathbb {G}\). A bilinear map e, aka pairing, is defined as \(e: \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_T\), where the following properties are satisfied.
1. For all \(a, b \in \mathbb {Z}_p, e(g^a, g^b) = e(g,g)^{ab}\).
2. There is an efficient algorithm to compute e(u, v) for all \(u, v \in \mathbb {G}\).
3. e(g, g) is not the identity of \(\mathbb {G}_T\).
We also give the complexity assumptions on which the security of our improved scheme is based.
Definition 1 (Discrete-Log Assumption)
The discrete-log assumption says that no PPT algorithm is able to compute \(\log _{g}h\) from a given \(h \in \mathbb {G}\).
Definition 2
(M-DDH\(_{\mathbb {G}_T}\) Assumption [18]). Let \(a, b \xleftarrow {\$} \mathbb {Z}_p\). Let \(e(g,g) = \mathfrak {g}\). The M-DDH\(_{\mathbb {G}_T}\) assumption states that there is no PPT algorithm that, given \((g, \mathfrak {g}, g^a, \mathfrak {g}^a, \mathfrak {g}^b)\), tells the difference between \(\mathfrak {g}^{ab}\) and an element \(Z\xleftarrow {\$} \mathbb {G}_T\).
2.3 Access Structure
In both [5, 10], the authors propose a KP-ABE scheme for weighted threshold gates, which is defined as follows. Let \(\textsf{S}\) be a set of attributes. A weighted threshold gate is defined by
where
- \(w_x \ge 1\) is the weight of the attribute x;
- n is the total weight of the attributes in an attribute set \(\textsf{S}\);
- \(k\in [1,n]\) is the threshold.
A threshold gate is a special case of weighted threshold gate when \(w_x = 1\) for all \(x\in \textsf{S}\). For a set \(\textsf{S}' \subseteq \textsf{S}\), we say that \(\textsf{S}'\) satisfies \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S})\) if
2.4 Lagrange Polynomial Interpolation
Lagrange polynomial interpolation is an algorithm to compute a polynomial f of \(k-1\) degree given k points. More precisely, given k points \((x_1, y_1), \dots , (x_k, y_k)\), the polynomial f passing the k points can be computed by
where \(\varDelta _i(x) = \prod _{j \in [1,k]\setminus \{i\}} \frac{x-x_j}{x_i - x_j}\).
2.5 Key-Policy Attribute-Based Encryption for Weighted Threshold Gates
A KP-ABE scheme for weighted threshold gates consists of the following four algorithms \(\textsf{Setup}, \textsf{Encrypt}, \textsf{KeyGen}, \textsf{Decrypt}\).
\(\textsf{Setup}(1^\lambda )\). Taking as input the security parameter, the algorithm outputs the system parameter \(\textsf{params}\) and the master secret key \(\textsf{msk}\). Note that \(\textsf{params}\) will be an implicit input for the following algorithms.
\(\textsf{Encrypt}(\textsf{S}, \textsf{M})\). Taking as inputs an attribute set \(\textsf{S}\) and a message \(\textsf{M}\), the algorithm outputs a ciphertext \(\textsf{CT}\).
\(\textsf{KeyGen}(\textsf{msk}, (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}))\). Taking as inputs the master secret key \(\textsf{msk}\) and an access structure \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S})\) described in Sect. 2.3, the algorithm outputs a private key \(\textsf{D}\).
\(\textsf{Decrypt}(\textsf{CT}, \textsf{D})\). Taking as inputs a ciphertext \(\textsf{CT}\) and a private key \(\textsf{D}\), the algorithm outputs a message.
Correctness. For \(\textsf{CT}\leftarrow \textsf{Encrypt}(\textsf{S}_C, \textsf{M}), \textsf{D}\leftarrow \textsf{KeyGen}(\textsf{msk}, (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K))\), we have \(\textsf{M}\leftarrow \textsf{Decrypt}(\textsf{CT}, \textsf{D})\) if \(\textsf{S}_C\) satisfies \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\), denoted by \(\textsf{S}_C \models (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\).
3 Review and Cryptanalysis on Gu and Lin’s KP-ABE-WT Scheme
In this section, we briefly review the KP-ABE-WT scheme (named \(\textsf{GL22}\)) proposed by Gu and Lin [5] in 2022, and give the attacks that break their scheme.
3.1 Review on \(\textsf{GL22}\)
\(\textsf{GL22}\) supports small universe, i.e., the set of all attributes in the system is polynomially large. Let \(\mathcal {U}\) be the universe in \(\textsf{GL22}\). We omit the description of \(\textsf{Decrypt}\) algorithm since our attack method does not depend on it.
\(\textsf{Setup}(1^\lambda )\). Taking as input the security parameter, the algorithm performs as follows.
1. Choose a group \(\mathbb {G}\) over an elliptic curve. Let g be a generator of \(\mathbb {G}\) and p be the prime order of \(\mathbb {G}\).
2. Choose \(t \xleftarrow {\$} \mathbb {Z}_p\) and choose \(t_x \xleftarrow {\$} \mathbb {Z}_p\) for each attribute \(x \in \mathcal {U}\).
3. Compute \(T = g^t\) and \(T_x = g^{t_x}\) for each attribute \(x \in \mathcal {U}\).
4. Choose a cryptographic hash function \(H: \mathbb {G} \rightarrow \mathbb {Z}_p\).
5. Output \(\textsf{params} = (p, g, T, \{T_x\}_{x \in \mathcal {U}}, H)\) and \(\textsf{msk} = (t, \{t_x\}_{x \in \mathcal {U}})\).
\(\textsf{Encrypt}(\textsf{S}, \textsf{M})\). Taking as inputs an attribute set \(\textsf{S}_C\) and a message \(\textsf{M}\in \mathbb {Z}_p\), the algorithm performs as follows.
1. Choose \(s \xleftarrow {\$} \mathbb {Z}_p\).
2. Compute \(C = \textsf{M}\cdot H(T^s), C' = g^s\).
3. Compute \(C_x = T_x^{s}\) for each \(x \in \textsf{S}_C\).
4. Output \(\textsf{CT}= (C, C', \{C_x\}_{x \in \textsf{S}_C})\).
\(\textsf{KeyGen}(\textsf{msk}, (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K))\). Taking as inputs the master secret key \(\textsf{msk}\) and an access structure \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K) = \{(k, n), \{w_x~|~x \in \textsf{S}_K\}\}\), the algorithm performs as follows.
1. For each attribute \(x \in \textsf{S}_K\) and \(y \in [1, w_x]\), choose \(r_{x,y} \xleftarrow {\$} \mathbb {Z}_p\). Let \(R = \{r_{x,y}~|~x \in \textsf{S}_K, y \in [1, w_x]\}\).
2. For each \(r_{x,y} \in R\), compute the corresponding Lagrange basis polynomial
$$ \varDelta _{r_{x, y}}(z) = \prod _{r \in R\setminus \{r_{x,y}\}} \frac{z - r}{r_{x,y} - r}. $$
3. Choose a \((k-1)\)-degree polynomial q such that \(q(0) = t\).
4. For each \(r_{x,y} \in R\), compute \(q_{x, y} = q(r_{x,y}), D_{x,y} = q_{x,y} + t_x\).
5. Output \(\textsf{D}= ((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K), \{D_{x, y}, \varDelta _{r_{x, y}}(0)\})\).
3.2 Cryptanalysis on \(\textsf{GL22}\)
Our attack algorithms focus on collusion attacks, that is, recovering the master secret \(\textsf{msk}\) or generating another private key without knowing \(\textsf{msk}\), given a sufficient number of private keys \(\textsf{D}\). For simplicity, we consider access structures for threshold gates, i.e., \(w_x = 1\) for all \(x \in \textsf{S}_K\), when describing the intuition of our attack algorithms.
Attack 1. Suppose a user queries a private key for the access structure \((\mathbb {A}^{\textsf{WT}}_{1, 2}, \textsf{S}_K) = \{(1, 2), \{w_x = 1~|~x \in \textsf{S}_K\}\}\) and \(\textsf{S}_K = \{A, B\}\) for some attributes \(A, B \in \mathcal {U}\). Observe that when \(k = 1\), the polynomial chosen in Step 2 of \(\textsf{KeyGen}\) algorithm is actually a constant polynomial \(q(z) = t\), and hence (see Note 1)
Then the user is able to generate a private key for \((\mathbb {A}^{\textsf{WT}}_{2, 2}, \textsf{S}_K) = \{(2, 2), \{w_x = 1~|~x \in \textsf{S}_K\}\}\) and \(\textsf{S}_K = \{A, B\}\), given the private key \(\textsf{D}' = ((\mathbb {A}^{\textsf{WT}}_{1, 2}, \textsf{S}_K), \{D_{A}, \varDelta _{r_{A}}(0), D_{B}, \varDelta _{r_{B}}(0)\})\). The details are shown as follows.
1. Choose \(r_A, r_B \xleftarrow {\$} \mathbb {Z}_p\).
2. Compute \(\varDelta _{r_A}(z) = \frac{z - r_B}{r_A - r_B}, \varDelta _{r_B}(z) = \frac{z - r_A}{r_B - r_A}\).
3. Choose \(a \xleftarrow {\$} \mathbb {Z}_p\) and compute \(D_A = ar_A + (t + t_A), D_B = ar_B + (t + t_B)\).
4. Output the private key for \((\mathbb {A}^{\textsf{WT}}_{2, 2}, \textsf{S}_K) = \{(2, 2), \{w_x = 1~|~x \in \textsf{S}_K\}\}\).
In Step 3, our attack algorithm implicitly sets the polynomial \(q(z) = az + t\), and no master secret is needed since \((t+t_A, t+t_B)\) has been given to the user in the private key \(\textsf{D}'\). Besides, our attack algorithm can be extended to any general weighted threshold gate \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\), given a private key \(\textsf{D}_{\mathcal {U}}\) for \((\mathbb {A}^{\textsf{WT}}_{1, |\mathcal {U}|}, \mathcal {U}) = \{(1, |\mathcal {U}|), \{w_x = 1~|~x \in \textsf{S}_K\}\}\), since
- the computation of \(\varDelta _{r_x}(0)\) for \(x \in \textsf{S}_K\) depends only on the choice of randomness in Step 1, which is fully controlled by the attack algorithm;
- the computation of \(D_x = q(r_x) + t_x = a_{k-1}(r_x)^{k-1} + \dots + a_1r_x + (t + t_x)\) can be done given \(\textsf{D}_{\mathcal {U}}\).
Attack 2. Consider a private key (see Note 2) \(\textsf{D}= ((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K), \{D_{x}, \varDelta _{r_{x}}(0)\})\) for an access structure \(\{(k, n), \{w_x = 1~|~x \in \textsf{S}_K\}\}\) and \(\textsf{S}_K \subseteq \mathcal {U}\), where \(D_x = q(r_x) + t_x\) for \(x \in \textsf{S}_K\). By the correctness of Lagrange polynomial interpolation, we have that, for any subset \(U \subset \textsf{S}_K\) with \(|U| = k\),
Therefore, by Eq. (1), we have
As \(D_x, \varDelta _{r_{x}}(0)\) for \(x \in U\) are given in \(\textsf{D}\), there are only \(|U|+1 = k+1\) unknown variables in Eq. (2), i.e. \(t, \{t_x\}_{x \in U}\). Therefore, given private keys \(\textsf{D}^{(1)}, \dots , \textsf{D}^{(k+1)}\) for \(\{(k, n), \{w_x = 1~|~x \in \textsf{S}_K^{(1)}\}\}, \dots , \{(k, n), \{w_x = 1~|~x \in \textsf{S}_K^{(k+1)}\}\}\), respectively, such that \(U \subseteq \textsf{S}_K^{(1)} \cap \dots \cap \textsf{S}_K^{(k+1)}\), anyone is able to recover \(t, \{t_x\}_{x \in U}\) by solving a linear equation system.
We give the following simple example to illustrate Attack 2. Let
be the private keys for
In this example, \(U = \{A,B\} \subseteq \textsf{S}_K^{(1)} \cap \textsf{S}_K^{(2)} \cap \textsf{S}_K^{(3)}\). By Eq. (2) we have
Thus \((t, t_A, t_B)\) can be easily recovered by solving the linear equation systems shown above.
4 An Improved Scheme
The main cause of the security flaws shown in Sect. 3.2 is that information about the master secret key is directly exposed in a private key. Equation (2) shows the linear relation between \(\textsf{D}\) and \(\textsf{msk}\). A straightforward way to fix the problem is to place \(\textsf{D}\) in the exponent of g. However, this method would make the number of pairings in the \(\textsf{Decrypt}\) algorithm \(\mathcal {O}(\textsf{S}_K)\).
To reduce the number of pairings as much as possible, we move most of the computations of \(\textsf{GL22}\) to the group \(\mathbb {G}_T\), and randomize the components \(D_{x, y}\) in \(\textsf{D}\) with a new randomness \(\beta \). We give our improved version below. Let \(\mathfrak {g} = e(g, g)\).
\(\textsf{Setup}\) is the same as \(\textsf{GL22}\), except that \(T = \mathfrak {g}^t\) and \(T_x = \mathfrak {g}^{t_x}\) for \(x \in \mathcal {U}\).
\(\textsf{Encrypt}\) is the same as \(\textsf{GL22}\), except that \(C' = \mathfrak {g}^s\) and an additional component \(C'' = g^s\) is added.
\(\textsf{KeyGen}\) is the same as \(\textsf{GL22}\), except that
1. a random number \(\beta \) is chosen from \(\mathbb {Z}_p\);
2. \(D_{x,y}\) is computed as \(q_{x,y}+t_x+\beta \);
3. an additional component \(E = g^\beta \) is added.
\(\textsf{Decrypt}(\textsf{CT}, \textsf{D})\). Taking as inputs a ciphertext \(\textsf{CT}= (C, C', C'', \{C_x\}_{x \in \textsf{S}_C})\) and a private key \(\textsf{D}= ((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K^{(1)}), \{D_{x, y}, \varDelta _{r_{x, y}}(0)\}, E)\), the algorithm performs as follows.
1. Compute \(F = e(C'', E) = e(g^s, g^\beta ) = \mathfrak {g}^{s\beta }\).
2. For \(x \in \textsf{S}_K\) and \(y \in [1, w_x]\), compute
$$ F_{x,y} = \frac{(C')^{D_{x,y}}}{C_x\cdot F} = \frac{\mathfrak {g}^{s(q_{x,y}+t_x+\beta )}}{\mathfrak {g}^{st_x}\cdot \mathfrak {g}^{s\beta }} = \mathfrak {g}^{sq_{x,y}}. $$
3. Compute
$$ T^s = \mathfrak {g}^{st} = \prod _{x\in \textsf{S}_K} F_{x,y}^{ \varDelta _{r_{x, y}}(0) }. $$
4. Recover \(\textsf{M}= C/H(T^s)\).
Correctness. The correctness nearly follows that of \(\textsf{GL22}\), except for the difference due to the newly-added randomness \(\beta \). Thus, we cancel the term \(\mathfrak {g}^{s\beta }\) in Step 2 of the \(\textsf{Decrypt}\) algorithm, at the cost of only 1 pairing.
Security Analysis. To see why the attacks shown in Sect. 3.2 do not work in our improved scheme, note that a new randomness \(\beta \) is added in the \(\textsf{KeyGen}\) algorithm. \(\beta \) is sampled each time the \(\textsf{KeyGen}\) algorithm is performed. Besides, the information of \(\beta \) is hidden in E, from which it cannot be retrieved due to the discrete-log assumption. Therefore, Eq. (2) shown in Sect. 3.2 will become
Thanks to the existence of \(\beta \), the number of unknown variables now increases with the number of private keys obtained by the attacker, which makes it impossible for the attacker to recover \(\textsf{msk}\) by solving a linear equation system. Furthermore, according to the M-DDH\(_{\mathbb {G}_T}\) assumption, even with the knowledge of \((g, \mathfrak {g}, C'' = g^s, C' = \mathfrak {g}^s, T = \mathfrak {g}^t)\), no PPT algorithm distinguishes \(T^s =\mathfrak {g}^{st}\) from a uniformly random element in \(\mathbb {G}_T\). This fact implies that the information of \(\textsf{M}\) is hidden from the attacker’s view, and thus guarantees the security of our improved scheme.
5 Cryptanalysis on Lin et al.’s KP-ABE-WT Scheme
In this section, we show the insecurity of the KP-ABE-WT scheme (named \(\textsf{LHXS17}\)) proposed by Lin et al. [10] in 2017. Due to the conceptual similarity of \(\textsf{GL22}\) and \(\textsf{LHXS17}\), we only give a high-level description of \(\textsf{LHXS17}\) to avoid unnecessary duplication, and show the intuition for the corresponding cryptanalysis.
\(\textsf{LHXS17}\) is almost identical to \(\textsf{GL22}\), except that in \(\textsf{GL22}\) the Lagrange coefficients \(\varDelta _{r_x, y}(0)\) are included as a part of the private key \(\textsf{D}\), while in \(\textsf{LHXS17}\) \(\varDelta _{r_x, y}(0)\) is computed in the \(\textsf{Decrypt}\) algorithm. By this operation, \(\textsf{GL22}\) has a lower computation cost in the \(\textsf{Decrypt}\) algorithm than \(\textsf{LHXS17}\), at the cost of doubling the private key size. Besides, since \(\varDelta _{r_x, y}(0)\) needs to be computed by the user, in \(\textsf{LHXS17}\) the randomness \(r_x\) used in the \(\textsf{KeyGen}\) algorithm is set to be some public indices instead of fresh random numbers, which allows anyone to compute \(\varDelta _{r_x, y}(0)\) for any user. Therefore, our attack methods shown in Sect. 3.2 work well for \(\textsf{LHXS17}\).
6 Conclusion
With the rise of cloud computing, ABE has become one of the most suitable cryptographic primitives for multi-user scenarios. In order to reduce the computation cost, many ABE schemes are designed without using pairings. However, all of these schemes are either flawed or lacking security proofs. In this manuscript, we identify the security issues of [5, 10] by giving two attack methods. Our attack methods generate private keys without \(\textsf{msk}\), and even recover \(\textsf{msk}\). Moreover, an improved scheme has been given to fix the security problem of [5, 10]. Our improved scheme requires only one pairing, which may be an optimal result when constructing ABE in pairing groups. In the future, we will prove the security of the improved scheme, and attempt to further improve the efficiency and the expressiveness of the proposed scheme.
Notes
1. We omit the subscript y here since all the weights are 1 and \(y \in [1,1]\).
2. We again omit the subscript y here since all the weights are 1 and \(y \in [1,1]\).
References
1. Cheng, R., Wu, K., Su, Y., Li, W., Cui, W., Tong, J.: An efficient ECC-based CP-ABE scheme for power IoT. Processes 9(7) (2021). https://doi.org/10.3390/pr9071176. https://www.mdpi.com/2227-9717/9/7/1176
2. Ding, S., Li, C., Li, H.: A novel efficient pairing-free CP-ABE based on elliptic curve cryptography for IoT. IEEE Access 6, 27336–27345 (2018). https://doi.org/10.1109/ACCESS.2018.2836350
3. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) Advances in Cryptology, pp. 10–18. Springer, Berlin Heidelberg, Berlin, Heidelberg (1985)
4. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 89–98 (2006). https://doi.org/10.1145/1180405.1180418
5. Gu, Z., Lin, G.: A pairing-free key policy weighted attributed-based encryption. Available at SSRN 4173677 (2022)
6. Herranz, J.: Attribute-based encryption implies identity-based encryption. IET Inf. Secur. 11(6), 332–337 (2017)
7. Herranz, J.: Attacking pairing-free attribute-based encryption schemes. IEEE Access 8, 222,226–222,232 (2020). https://doi.org/10.1109/ACCESS.2020.3044143
8. Karati, A., Amin, R., Biswas, G.P.: Provably secure threshold-based ABE scheme without bilinear map. Arab. J. Sci. Eng. 41, 3201–3213 (2016)
9. Khandla, D., Shahy, H., Bz, M.K., Pais, A.R., Raj, N.: Expressive CP-ABE scheme satisfying constant-size keys and ciphertexts. Cryptology ePrint Archive, Report 2019/1257 (2019). https://ia.cr/2019/1257
10. Lin, G., Hong, H., Xia, Y., Sun, Z.: An expressive, lightweight and secure construction of key policy attribute-based cloud data sharing access control. J. Phys.: Conf. Series 910(1), 012,010 (2017)
11. Odelu, V., Das, A.K.: Design of a new cp-abe with constant-size secret keys for lightweight devices using elliptic curve cryptography. Security Commun. Netw. 9(17), 4048–4059 (2016). https://doi.org/10.1002/sec.1587, https://onlinelibrary.wiley.com/doi/abs/10.1002/sec.1587
12. Odelu, V., Das, A.K., Khurram Khan, M., Choo, K.R., Jo, M.: Expressive CP-ABE scheme for mobile devices in IoT satisfying constant-size keys and ciphertexts. IEEE Access 5, 3273–3283 (2017)
13. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
14. Sowjanya, K., Dasgupta, M., Ray, S.: A lightweight key management scheme for key-escrow-free ecc-based CP-ABE for IoT healthcare systems. J. Syst. Architect. 117, 102,108 (2021). https://doi.org/10.1016/j.sysarc.2021.102108, https://www.sciencedirect.com/science/article/pii/S1383762121000849
15. Sowjanya, K., Dasgupta, M., Ray, S., Obaidat, M.S.: An efficient elliptic curve cryptography-based without pairing KPABE for internet of things. IEEE Syst. J. 14(2), 2154–2163 (2020). https://doi.org/10.1109/JSYST.2019.2944240
16. Tan, S.Y., Yeow, K.W., Hwang, S.O.: Enhancement of a lightweight attribute-based encryption scheme for the internet of things. IEEE Internet Things J. 6(4), 6384–6395 (2019). https://doi.org/10.1109/JIOT.2019.2900631
17. Tseng, Y.-F.: Cryptanaylsis to Sowjanya et al.’s ABEs from ECC. In: Tsihrintzis, G.A., Wang, S.-J., Lin, I.-C. (eds.) 2021 International Conference on Security and Information Technologies with AI, Internet Computing and Big-data Applications, pp. 287–294. Springer International Publishing, Cham (2023). https://doi.org/10.1007/978-3-031-05491-4_29
18. Tseng, Y.F., Liu, Z.Y., Tso, R.: Practical inner product encryption with constant private key. Appl. Sci. 10(23) (2020)
19. Wang, Y., Chen, B., Li, L., Ma, Q., Li, H., He, D.: Efficient and secure ciphertext-policy attribute-based encryption without pairing for cloud-assisted smart grid. IEEE Access 8, 40704–40713 (2020). https://doi.org/10.1109/ACCESS.2020.2976746
20. Waters, B.: Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) Public Key Cryptography - PKC 2011, pp. 53–70. Springer, Berlin Heidelberg, Berlin, Heidelberg (2011)
21. Yao, X., Chen, Z., Tian, Y.: A lightweight attribute-based encryption scheme for the internet of things. Future Gen. Comput. Syst. 49, 104–112 (2015). https://doi.org/10.1016/j.future.2014.10.010, https://www.sciencedirect.com/science/article/pii/S0167739X14002039
Acknowledgment
This work was partially supported by the National Science and Technology Council of Taiwan, under grants 111-2221-E-004-005-, 111-2218-E-004-001-MBK.
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Tseng, YF., Chen, PH. (2024). Cryptanalysis and Improvement to Two Key-Policy Attribute-Based Encryption Schemes for Weighted Threshold Gates. In: Hung, J.C., Yen, N., Chang, JW. (eds) Frontier Computing on Industrial Applications Volume 4. FC 2023. Lecture Notes in Electrical Engineering, vol 1134. Springer, Singapore. https://doi.org/10.1007/978-981-99-9342-0_15
DOI: https://doi.org/10.1007/978-981-99-9342-0_15
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-9341-3
Online ISBN: 978-981-99-9342-0
eBook Packages: Engineering, Engineering (R0)