Unbounded Revocable Decentralized Multi-Authority Attribute-Based Encryption Supporting Non-monotone Access Structures

Innovative Security Solutions for Information Technology and Communications (SecITC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13809)

Abstract

Ciphertext-policy attribute-based encryption (CP-ABE) is a cryptographic technology that enforces an access control mechanism over encrypted data by specifying an access policy with encrypted data and introducing an attribute authority (AA) that manages users’ attributes. A CP-ABE with multiple attribute authorities and no central authority, a decentralized multi-authority CP-ABE (DMA-CP-ABE), can achieve more realistic attribute management than CP-ABE with a single authority.

However, DMA-CP-ABE has an attribute revocation problem. Separately, the size of the public parameters of each AA is proportional to the size of the attribute universe managed by that AA. Moreover, since most existing DMA-CP-ABE schemes support only monotonic access structures, the size of the access policy specified in the ciphertext becomes large when an encryptor specifies a non-monotonic access policy in the ciphertext. Therefore, a DMA-CP-ABE scheme that supports attribute revocation, constant-size public and secret parameters (a.k.a. unboundedness), and non-monotonic access structures is required. However, to the best of our knowledge, no such scheme has been proposed yet.

In this paper, we propose a new unbounded revocable DMA-CP-ABE (UR-DMA-CP-ABE) that supports a non-monotone access structure. We prove that our scheme is adaptively payload-hiding against chosen-plaintext attacks under the decisional linear (DLIN) assumption.

The order of authors is alphabetical.


Notes

  1. In \(\textsf{ASetup}\), \(AA_t\) initializes \(R_{t,i^{'}}=\phi \). After running \(\textsf{ASetup}\), \(AA_t\) publishes \(R_{t,i^{'}}\) and adds the revoked user’s identifier to \(R_{t,i^{'}}\) whenever a revocation event happens.

  2. We note that the size of the master secret and public keys of \(AA_t\) does not depend on \(n_{t}\) and \(N_{max,t,i^{'}}\), but the size of the user management information \(\{(\mathcal{B}\mathcal{T}_{t,i^{'}}, R_{t,i^{'}})\}^{c_{t}}_{i^{'}=1}\) depends on them. We emphasize that we are attempting to achieve unboundedness for the parameters of DMA-CP-ABE managed by \(AA_{t}\), i.e., \(\textsf{msk}_{t}\) and \(\textsf{mpk}_{t}\), not for the user management information. The user management information is just like text. Hence, its data size is sufficiently smaller than that of \(\textsf{msk}_{t}\) and \(\textsf{mpk}_{t}\), even if the size of the user management information depends on \(n_{t}\) and \(N_{max,t,i^{'}}\).

    We also note that key revocation with a revocation list and user tree for each attribute category is inefficient in terms of ciphertext and key size. However, attribute-level revocation is efficient in the sense that it reduces the cost of key redistribution for each revocation event.

  3. The depth of a node is the length of the path from the root node to the node.

  4. In our scheme, if a user with an assigned leaf node \(\nu \) is revoked and then unrevoked again, the user cannot reuse the same leaf node \(\nu \); in this case, a new, different leaf node needs to be assigned to the user. We emphasize that the leaf node \(\nu \) cannot be reused for other users.

References

  1. Attrapadung, N.: Unbounded dynamic predicate compositions in attribute-based encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 34–67. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_2

  2. Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_17

  3. Attrapadung, N., Imai, H.: Conjunctive broadcast and attribute-based encryption. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 248–265. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_16

  4. Attrapadung, N., Tomida, J.: Unbounded dynamic predicate compositions in ABE from standard assumptions. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 405–436. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_14

  5. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Computer Society (2007)

  6. Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_28

  7. Chase, M., Chow, S.S.M.: Improving privacy and security in multi-authority attribute-based encryption. In: CCS, pp. 121–130. ACM (2009)

  8. Datta, P., Dutta, R., Mukhopadhyay, S.: Adaptively secure unrestricted attribute-based encryption with subset difference revocation in bilinear groups of prime order. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 325–345. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_17

  9. Datta, P., Komargodski, I., Waters, B.: Decentralized multi-authority ABE for DNFs from LWE. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 177–209. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_7

  10. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_27

  11. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: CCS, pp. 89–98. ACM (2006)

  12. Huang, K.: Secure efficient revocable large universe multi-authority attribute-based encryption for cloud-aided IoT. IEEE Access 9, 53576–53588 (2021)

  13. Lee, K., Choi, S.G., Lee, D.H., Park, J.H., Yung, M.: Self-updatable encryption: time constrained access control with hidden attributes and better efficiency. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 235–254. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_13

  14. Lewko, A.B.: Functional encryption: new proof technique and advancing capabilities. Ph.D. thesis, University of Texas at Austin (2012)

  15. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_31

  16. Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_30

  17. Li, D., Chen, J., Liu, J., Wu, Q., Liu, W.: Efficient CCA2 secure revocable multi-authority large-universe attribute-based encryption. In: Wen, S., Wu, W., Castiglione, A. (eds.) CSS 2017. LNCS, vol. 10581, pp. 103–118. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69471-9_8

  18. Müller, S., Katzenbeisser, S., Eckert, C.: Distributed attribute-based encryption. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 20–36. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00730-9_2

  19. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3

  20. Nomura, K., Mohri, M., Shiraishi, Y., Morii, M.: Attribute revocable multi-authority attribute-based encryption with forward secrecy for cloud storage. IEICE Trans. Inf. Syst. E100.D(10), 2420–2431 (2017)

  21. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_11

  22. Okamoto, T., Takashima, K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_22

  23. Okamoto, T., Takashima, K.: Decentralized attribute-based signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 125–142. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_9

  24. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: CCS, pp. 195–203. ACM (2007)

  25. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: CCS, pp. 463–474. ACM (2013)

  26. Rouselakis, Y., Waters, B.: Efficient statically-secure large-universe multi-authority attribute-based encryption. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 315–332. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_19

  27. Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_13

  28. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27

  29. Tsuchida, H., Nishide, T., Okamoto, E., Kim, K.: Revocable decentralized multi-authority functional encryption. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 248–265. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_14

  30. Venema, M., Alpár, G.: A bunch of broken schemes: a simple yet powerful linear approach to analyzing security of attribute-based encryption. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 100–125. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75539-3_5

  31. Wu, Z., Zhang, Y., Xu, E.: Multi-authority revocable access control method based on CP-ABE in NDN. Future Internet 12(1), 15 (2020)

  32. Yamada, K., Attrapadung, N., Emura, K., Hanaoka, G., Tanaka, K.: Generic constructions for fully secure revocable attribute-based encryption. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 532–551. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66399-9_29


Corresponding author

Correspondence to Hikaru Tsuchida.

Appendix

A Span Programs

Definition 5

(Span Programs [23]). We define \(\{p_{1},\ldots ,p_{m}\}\) as a set of variables. A span program over \(\mathbb {F}_{q}\) is a labeled matrix \(\mathbb {S}:=(M, \rho )\). Note that M is an \(\ell \times r\) matrix over \(\mathbb {F}_{q}\). We also note that \(\rho \) is a labeling of the rows of M by literals from \(\{p_{1},\ldots ,p_{m},\lnot p_{1},\ldots ,\lnot p_{m}\}\). Every row is labeled by one literal, i.e., \(\rho :\{1,\ldots ,\ell \}\rightarrow \{p_{1},\ldots ,p_{m},\lnot p_{1},\ldots ,\lnot p_{m}\}\).

\(\mathbb {S}\) accepts or rejects an input by the following criterion. For every input sequence \(\delta \in {\{0, 1\}}^{m}\), define the submatrix \({M}_{\delta }\) of M consisting of those rows whose labels are set to 1 by the input \(\delta \), i.e., either rows labeled by some \(p_{i}\) such that \(\delta _{i}=1\) or rows labeled by some \(\lnot p_{i}\) such that \(\delta _i=0\). That is, \(\gamma :\{1,\ldots ,\ell \}\rightarrow \{0, 1\}\) is defined by \(\gamma (j)=1\) if \([\rho (j)=p_i]\wedge [\delta _i=1]\) or \([\rho (j)=\lnot p_i]\wedge [\delta _i=0]\), and \(\gamma (j)=0\) otherwise; then \({M}_{\delta }:={({M}_{j})}_{\gamma (j)=1}\), where \({M}_{j}\) is the j-th row of M.

\(\mathbb {S}\) accepts \(\delta \) if and only if \(\vec {1}=(\overbrace{1,\ldots ,1}^{r})\in \textsf{span}\langle {M}_{\delta }\rangle \). That is, some linear combination of the rows of \(M_{\delta }\) (an element of \(\textsf{span}\langle {M}_{\delta }\rangle \)) gives \(\vec {1}\), the row vector that has the value 1 in each coordinate. \(\mathbb {S}\) computes a Boolean function f if it accepts exactly those inputs \(\delta \) where \(f(\delta )=1\).

\(\mathbb {S}\) is called monotone if the labels of the rows are only the positive literals \(\{p_{1},\ldots ,p_{m}\}\). Monotone span programs compute monotone functions. In other words, a span program in general is “non”-monotone.

Assume that no row \(M_{i} (i=1,\ldots ,\ell )\) of the matrix M is \(\vec {0}=(\overbrace{0,\ldots ,0}^{r})\), i.e., the row vector has the value 0 in each coordinate. We introduce a non-monotone access structure with evaluating map \(\gamma \) by using the inner-product of attribute vectors, which is employed in our scheme in the same way as [23].

B Linear Secret Sharing Schemes

Definition 6

(Linear Secret Sharing Schemes [23]). Let M be an \(\ell \times r\) matrix. Let column vector \(\vec {f}^{T}:={({f}_{1},\ldots ,{f}_{r})}^{T}\xleftarrow {\textsf{U}}\mathbb {F}^{r}_{q}\). Then, \({s}_{0}=\vec {1}\cdot \vec {f}^{T}=\sum _{k=1}^{r}{f}_{k}\) is the secret to be shared, and \(\vec {s}^{T}={({s}_{1},\ldots ,{s}_{\ell })}^{T}=M\cdot \vec {f}^{T}\) is the vector of \(\ell \) shares of the secret \(s_0\). Each share \(s_i\) belongs to \(\rho (i)\).

If span program \(\mathbb {S}:=(M,\rho )\) accepts \(\delta \), or access structure \(\mathbb {A}:=(M,\rho )\) accepts \(\varGamma \), i.e., \(\vec {1}\in \textsf{span}\langle {({M}_{i})}_{\gamma (i)=1}\rangle \) with \(\gamma :\{1,\ldots ,\ell \}\rightarrow \{0, 1\}\), then there exist constants \(\{{\alpha }_{i}\in \mathbb {F}_{q} \mid i\in I\}\) such that \(I\subseteq \{i\in \{1,\ldots ,\ell \} \mid \gamma (i)=1\} \) and \(\sum _{i\in I} {\alpha }_{i}{s}_{i} = {s}_{0}\). Note that \(\{\alpha _{i}\}\) can be computed in time polynomial in the size of matrix M.

C Usefulness of Splitting the Attribute Universe When Using the NOT Operator

For example, assume that the t-th AA is a company that manages attributes about employees split into two categories, “department” (= {Human Resources Department, Accounting Department, General Affairs Department, Manufacturing Department}) and “length of service” (= {1,2,3,4,5}). If an encryptor encrypts a message so that only employees with five years of service outside of the Human Resources Department can decrypt it, the encryptor would like to specify an access policy such as (NOT(department = “Human Resources Department”)) AND (length of service = “5”) in the ciphertext. If the t-th AA manages all attributes in one category, the expression of the access policy would be complicated, and the ciphertext size may increase. In the previous example, an encryptor who cannot use the NOT operator needs to specify an access policy such as (“Accounting Department” AND “5”) OR (“General Affairs Department” AND “5”) OR (“Manufacturing Department” AND “5”). If the t-th AA manages all attributes in one category, the access policy (NOT “Human Resources Department”) equals “Accounting Department” OR “General Affairs Department” OR “1” OR “2” OR “3” OR “4” OR “5”.

Hence, the AA in the DMA-CP-ABE system supporting non-monotone access structures (e.g., [23]) is required to manage attributes in multiple categories. However, we emphasize that the size of the public parameters managed by each AA would be proportional to the number of categories. Therefore, the non-monotone ABE scheme supporting unboundedness for the number of attribute categories (that means the size of the public parameter must be independent of the number of attribute categories) is desirable.
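Definitions 5 and 6 applied to the Appendix C policy (NOT(department = “Human Resources Department”)) AND (length of service = “5”), as an added Python example that is not code from the paper: it evaluates \(\gamma \), solves for the constants \(\alpha _i\) by Gaussian elimination over \(\mathbb {F}_{q}\), and reconstructs \(s_0\). The modulus Q, the matrix M, the variable numbering and all function names are assumptions made for illustration; the paper's scheme evaluates \(\gamma \) through inner products of attribute vectors, which this example does not model.

```python
import secrets

# Constructed prime modulus standing in for the field order q (assumption).
Q = 2**61 - 1

# Policy from Appendix C: (NOT p_0) AND p_1, where
#   p_0 = 'department = "Human Resources Department"'
#   p_1 = 'length of service = "5"'
# rho[j] = (i, positive): row j is labeled p_i if positive, else NOT p_i.
M = [[1, 0],
     [0, 1]]
RHO = [(0, False), (1, True)]


def gamma(rho, delta):
    """gamma(j) = 1 iff the literal labeling row j is set to 1 by input delta."""
    return [int(delta[i] == (1 if positive else 0)) for i, positive in rho]


def solve_alpha(M, rows, q=Q):
    """Return {i: alpha_i} with sum_i alpha_i * M_i = (1,...,1) mod q, or None."""
    r, n = len(M[0]), len(rows)
    # Column k of M restricted to `rows` becomes equation k; right-hand side is 1.
    A = [[M[i][k] % q for i in rows] + [1] for k in range(r)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((x for x in range(row, r) if A[x][col]), None)
        if piv is None:
            continue
        A[row], A[piv] = A[piv], A[row]
        inv = pow(A[row][col], -1, q)          # modular inverse (Python 3.8+)
        A[row] = [v * inv % q for v in A[row]]
        for x in range(r):
            if x != row and A[x][col]:
                f = A[x][col]
                A[x] = [(a - f * b) % q for a, b in zip(A[x], A[row])]
        pivots.append(col)
        row += 1
    # A zero row with a nonzero right-hand side means (1,...,1) is not in the span.
    if any(A[x][n] for x in range(row, r)):
        return None
    alpha = {i: 0 for i in rows}               # free variables are set to 0
    for x, col in enumerate(pivots):
        alpha[rows[col]] = A[x][n]
    return alpha


def share(M, q=Q):
    """Definition 6: s_0 = (1,...,1) . f and s = M . f for uniformly random f."""
    f = [secrets.randbelow(q) for _ in M[0]]
    s0 = sum(f) % q
    shares = [sum(m * fk for m, fk in zip(row, f)) % q for row in M]
    return s0, shares


def reconstruct(M, rho, delta, shares, q=Q):
    """Recover s_0 from the shares of rows with gamma(j) = 1, or None if rejected."""
    rows = [j for j, g in enumerate(gamma(rho, delta)) if g]
    alpha = solve_alpha(M, rows, q)
    if alpha is None:
        return None
    return sum(a * shares[i] for i, a in alpha.items()) % q


if __name__ == "__main__":
    s0, shares = share(M)
    # delta = (is in Human Resources, has 5 years of service)
    for delta in ([0, 1], [1, 1], [0, 0]):
        print(delta, reconstruct(M, RHO, delta, shares) == s0)
```

Only the input \(\delta =(0,1)\), an employee outside the Human Resources Department with five years of service, yields both shares and therefore \(s_0\); the two-row matrix replaces the three-clause monotone policy written out above.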

D Full Binary Tree

A full binary tree \(\mathcal{B}\mathcal{T}\) is a tree data structure such that every node except leaf nodes has two child nodes. If we let h be the depth (see Note 3) of \(\mathcal{B}\mathcal{T}\), the number of leaf nodes of \(\mathcal{B}\mathcal{T}\) is denoted as \(N_{max}=2^{h}\). Note that the depth of the root node is 0. The total number of nodes is \(2N_{max}-1(=2^{h+1}-1)\).

For any index \(0 \le i \le 2{N}_{max}-1\), we let \({\nu }_{i}\) be the i-th node in \(\mathcal{B}\mathcal{T}\). Note that we assign the index 0 to the root node and other indices to other nodes using a breadth-first search. That is, for any \(\nu _{i}\), the index of its left child node is \(2i+1\) and the index of its right child node is \(2i+2\), while the index of its parent node is \(\lfloor \frac{i-1}{2} \rfloor \). Siblings are nodes sharing the same parent node.

We define ID as a mapping from the node \({\nu }_{i}\) to its index i. That is, it holds that \(ID(\nu _{i})=i\).

E The Subset-Cover Revocation Framework (SC)

Naor et al. introduced SC as a general methodology for the construction of efficient revocation systems [19]. We let \(\mathcal {N}=\{1,\ldots ,N_{max}\}\) be the set of all users. SC for \(\mathcal {N}\) consists of the following four probabilistic polynomial-time algorithms.

  1. \(\textsf{Setup}(N_{max})\): The setup algorithm takes the maximum number of users \({N}_{max}\) as input and outputs a collection \(\mathcal {S}\mathcal {U}\mathcal {B}\) of subsets \({S}_{1},\ldots ,{S}_{w}\) where \({S}_{i}\subseteq {\mathcal {N}}\).

  2. \(\textsf{Assign}(\mathcal {S}\mathcal {U}\mathcal {B}, u)\): The assigning algorithm takes as input the collection \(\mathcal {S}\mathcal {U}\mathcal {B}\) and a user \(u\in {\mathcal {N}}\). It outputs a private set \({PV}_{u}=\{{S}_{{j}_{1}},\ldots ,{S}_{{j}_{n}}\}\) that is associated with the user u.

  3. \(\textsf{Cover}(\mathcal {S}\mathcal {U}\mathcal {B}, R)\): The covering algorithm takes as input the collection \(\mathcal {S}\mathcal {U}\mathcal {B}\) and a revoked set \(R\subset {\mathcal {N}}\) of users, and it outputs a covering set \({CV}_{R}=\{{S}_{{i}_{1}},\ldots ,{S}_{{i}_{m}}\}\) that is a partition of the unrevoked users \({\mathcal {N}}\setminus R\) into disjoint subsets \({S}_{{i}_{1}},\ldots ,{S}_{{i}_{m}}\), that is, it holds that \({\mathcal {N}}\setminus R=\bigcup _{k=1}^{m}{S}_{{i}_{k}}\).

  4. \(\textsf{Match}({CV}_{R}, {PV}_{u})\): The matching algorithm takes as input a covering set \({CV}_{R}=\{{S}_{{i}_{1}},\ldots ,{S}_{{i}_{m}}\}\) and a private set \({PV}_{u}=\{{S}_{{j}_{1}},\ldots ,{S}_{{j}_{n}}\}\). It outputs \(({S}_{{i}_{k}}, {S}_{{j}_{k'}})\) such that \({S}_{{i}_{k}}\in {CV}_{R}\), \(u\in {S}_{{i}_{k}}\) and \({S}_{{j}_{k'}}\in {PV}_{u}\), or it outputs \(\perp \).

The correctness of SC is defined as follows: For all \(\mathcal {S}\mathcal {U}\mathcal {B}\) generated by \(\textsf{Setup}( N_{max})\), all \({PV}_{u}\) generated by \(\textsf{Assign}(\mathcal {S}\mathcal {U}\mathcal {B}, u)\) for any u, and all \({CV}_{R}\) generated by \(\textsf{Cover}(\mathcal {S}\mathcal {U}\mathcal {B}, R)\) for any R, it is required that:

  • If \(u\notin R\), then \(\textsf{Match}({CV}_{R}, {PV}_{u})\) outputs \(({S}_{{i}_{k}}, {S}_{{j}_{k'}})\) such that \({S}_{{i}_{k}}\in {CV}_{R}\), \(u\in {S}_{{i}_{k}}\) and \({S}_{{j}_{k'}}\in {PV}_{u}\).

  • If \(u\in R\), then \(\textsf{Match}({CV}_{R}, {PV}_{u})\) outputs \(\perp \).

In particular, we use the complete subtree (CS) method in [19]. For \(\mathcal{B}\mathcal{T}\) and a subset R of leaf nodes, we let \(ST(\mathcal{B}\mathcal{T}, R)\) be the Steiner Tree induced by the set R and the root node. That is, \(ST(\mathcal{B}\mathcal{T}, R)\) is the minimal subtree of \(\mathcal{B}\mathcal{T}\) connecting all the leaf nodes in R and the root node. Hereafter, we simply denote \(ST(\mathcal{B}\mathcal{T}, R)\) by ST(R). The CS method consists of the following four probabilistic polynomial-time algorithms.

  1. \(\mathsf {CS.Setup}(N_{max})\): The setup algorithm takes the maximum number of users \({N}_{max}=2^{h}\) as input. It first sets \(\mathcal{B}\mathcal{T}\) of depth h. Each user is assigned a different leaf node in \(\mathcal{B}\mathcal{T}\) (see Note 4). The collection \(\mathcal {S}\mathcal {U}\mathcal {B}\) of CS is \(\{{S}_{i}:{\nu }_{i}\in \mathcal{B}\mathcal{T}\}\). Recall that \({S}_{i}\) is the set of all the leaf nodes in the subtree \(\mathcal {T}_{i}\). Then, it outputs \(\mathcal{B}\mathcal{T}\).

  2. \(\mathsf {CS.Assign}(\mathcal {S}\mathcal {U}\mathcal {B}, u)\): The assign algorithm takes \(\mathcal{B}\mathcal{T}\) and a user \(u\in \mathcal {N}\) as inputs. We let \({\nu }_{u}\) be the leaf node of \(\mathcal{B}\mathcal{T}\) that is assigned to u. Let \(( {\nu }_{{j}_{0}}, {\nu }_{{j}_{1}},\ldots ,{\nu }_{{j}_{h}})\) be the path from the root node \({\nu }_{{j}_{0}}={\nu }_{0}\) to the leaf node \({\nu }_{{j}_{h}}={\nu }_{u}\). It sets \({PV}_{u}=\{{S}_{{j}_{0}},\ldots ,{S}_{{j}_{h}}\}\), and outputs the private set \({PV}_{u}\).

  3. \(\mathsf {CS.Cover}(\mathcal {S}\mathcal {U}\mathcal {B}, R)\): The covering algorithm takes \(\mathcal{B}\mathcal{T}\) and a revoked set R of users as inputs. It first computes ST(R). Let \(\mathcal {T}_{i_1},\ldots ,\mathcal {T}_{i_m}\) be all the subtrees of \(\mathcal{B}\mathcal{T}\) that hang off ST(R), that is, all subtrees whose roots \({\nu }_{{i}_{1}},\ldots ,{\nu }_{{i}_{m}}\) are not in ST(R) but adjacent to nodes of outdegree 1 in ST(R). It outputs a covering set \({CV}_{R}=\{{S}_{{i}_{1}},\ldots ,{S}_{{i}_{m}}\}\).

  4. \(\mathsf {CS.Match}({CV}_{R}, {PV}_{u})\): The matching algorithm takes a covering set \({CV}_{R}=\{{S}_{{i}_{1}},\ldots ,{S}_{{i}_{m}}\}\) and a private set \({PV}_{u}=\{{S}_{{j}_{0}},\ldots ,{S}_{{j}_{h}}\}\) as inputs. It finds a subset \({S}_{k}\) such that \({S}_{k}\in {CV}_{R}\) and \({S}_{k}\in {PV}_{u}\). If there is such a subset, it outputs \(({S}_{k}, {S}_{k})\). Otherwise, it outputs \(\perp \).
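The CS method above with the breadth-first node indices of Appendix D, as an added Python example that is not code from the paper. Assumed here: user u in \(\{1,\ldots ,N_{max}\}\) is placed on the u-th leaf from the left, each subset \(S_i\) is represented by its node index i, and an empty R is covered by \(S_0\); all function names are illustrative.

```python
def leaf_index(h, u):
    """Index of the leaf assigned to user u (assumed: leaves filled left to right)."""
    n_max = 1 << h
    if not 1 <= u <= n_max:
        raise ValueError("user outside {1..N_max}")
    return n_max - 1 + (u - 1)


def cs_assign(h, u):
    """PV_u as the node indices (j_0, ..., j_h) on the path from the root to u's leaf."""
    node = leaf_index(h, u)
    path = [node]
    while node != 0:
        node = (node - 1) // 2          # parent index floor((i-1)/2)
        path.append(node)
    return path[::-1]


def cs_cover(h, revoked):
    """CV_R as the root indices of the subtrees that hang off ST(R)."""
    if not revoked:
        return [0]                      # assumed edge case: S_0 covers every user
    steiner = set()                     # ST(R): union of root-to-leaf paths of R
    for u in revoked:
        steiner.update(cs_assign(h, u))
    first_leaf = (1 << h) - 1
    cover = []
    for v in sorted(steiner):
        if v >= first_leaf:
            continue                    # leaves have no children
        for child in (2 * v + 1, 2 * v + 2):
            if child not in steiner:    # v has outdegree 1 in ST(R)
                cover.append(child)
    return cover


def cs_match(cover, path):
    """Return (S_k, S_k) as an index pair if some S_k is in both sets, else None."""
    in_cover = set(cover)
    for k in path:
        if k in in_cover:
            return (k, k)
    return None


def users_under(h, i):
    """S_i: the users whose leaves lie in the subtree rooted at node i."""
    first_leaf = (1 << h) - 1
    lo = hi = i
    while lo < first_leaf:              # walk to leftmost and rightmost leaves
        lo, hi = 2 * lo + 1, 2 * hi + 2
    return set(range(lo - first_leaf + 1, hi - first_leaf + 2))


if __name__ == "__main__":
    h, revoked = 3, {3, 6}              # constructed input: N_max = 8
    cover = cs_cover(h, revoked)
    print("CV_R:", cover, [sorted(users_under(h, i)) for i in cover])
    for u in range(1, (1 << h) + 1):
        print(u, cs_match(cover, cs_assign(h, u)))
```

A revoked user's path lies entirely inside ST(R), so it shares no node with the cover and the match returns nothing, which is the correctness condition stated for SC.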

F Comparison Between Existing DMA-CP-ABE and Ours

F.1 Structure of Ciphertexts and Secret Keys

We compare our scheme and the existing schemes [23, 29]. These schemes and ours are adaptively payload-hiding against chosen-plaintext attacks under the DLIN assumption.

Okamoto and Takashima gave a DMA-CP-ABE scheme that is adaptively payload-hiding against chosen-plaintext attacks on the DPVS framework [23]. In [23], ciphertext (CT) and secret key (SK) vectors have dimension \(5{n}_{t}+1 = 2{n}_{t}+2{n}_{t}+{n}_{t}+1\), where the first \(2{n}_t\) dimensions are the real-encoding part (real part, for short) for CT and SK vectors, the second \(2{n}_t\) are the hidden part for temporary, pre-semi-functional and semi-functional CT and SK vectors, the third \({n}_{t}\) are the SK randomness part, and the fourth is the CT randomness part. However, DMA-CP-ABE [23] does not support the revocation of the user’s attributes.

To realize the revocation, the authors of [29] introduced two types of CT and SK: CT (and SK) for access control and for revocation, respectively. In addition, they added a double possession resistance part (resist. part, for short), which is \(n_{\textsf{f},t}\)-dimensional, giving the inner structure \(6{n}_{\textsf{f},t}+1 = 2{n}_{\textsf{f},t}+2{n}_{\textsf{f},t}+{n}_{\textsf{f},t}+{n}_{\textsf{f},t}+1\). “Double possession” means having SKs, each of which has a different value (different vector \(\vec {x}_{\textsf{f},t}\)), for the same category t. However, revocable DMA-CP-ABE [29] does not support unboundedness.

To realize the unboundedness, we employ the indexing and consistent randomness amplification [22] in the same way as [8]. Hence, we added the indexing part in CT and SK. We note that the consistent randomness amplification can realize the unboundedness for the number of attribute categories or dimensions of a vector. Therefore, in our scheme, the dimension of the attribute vector in CT and SK is fixed, i.e., 2.

F.2 Performance

Table 2. Comparison of the parameter size of public parameters (PP) and master secret keys (MSK) between existing DMA-ABE and ours (\(|\mathbb {G}|\): the size of \(\mathbb {G}\), \(|\mathbb {G}_{T}|\): the size of \(\mathbb {G}_{T}\), \(|\mathbb {F}_{q}|\): the size of \(\mathbb {F}_{q}\), \(n_{t}\): the dimension of the attribute vector, \({\varphi }_{t}\): the upper bound for the number of subsets in the cover, \({h}_{t}\): the height of the tree of users).
Table 3. Comparison of the parameter size of user’s secret key (SK) and ciphertexts (CT) between existing DMA-ABE and ours (\(|\varGamma |\): the size of the attribute set, \(\textsf{R}_{t}\): the number of revoked users in \(AA_{t}\)).

We compare the parameter size between existing DMA-CP-ABE and ours in Tables 2 and 3. For simplicity, we assume that each AA manages one attribute category.

Table 2 shows the comparison of the parameter size of public parameters and master secret keys (managed by each AA) between existing schemes and ours. It shows that our parameter sizes are independent of the number of attributes and attribute categories.

Table 3 compares the parameter size of the user’s secret keys and ciphertexts between existing schemes and ours. Our parameter sizes are smaller than those of the existing revocable DMA-CP-ABE supporting non-monotone access structures [29] even if \(n_{t}=2\).

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Ishibashi, T., Ohigashi, T., Tsuchida, H. (2023). Unbounded Revocable Decentralized Multi-Authority Attribute-Based Encryption Supporting Non-monotone Access Structures. In: Bella, G., Doinea, M., Janicke, H. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2022. Lecture Notes in Computer Science, vol 13809. Springer, Cham. https://doi.org/10.1007/978-3-031-32636-3_19

  • DOI: https://doi.org/10.1007/978-3-031-32636-3_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-32635-6

  • Online ISBN: 978-3-031-32636-3

  • eBook Packages: Computer Science (R0)
