Yongtao Wang,Kefei Chen,Yu Long

DOI: https://doi.org/10.3772/j.issn.1006-6748.2013.01.015

2013-01-01

Abstract:An accountable authority attribute-based encryption (A-ABE) scheme is presented in this paper. The notion of accountable authority identity-based encryption (A-IBE) was first introduced by Goyal at Crypto'07. It is a novel approach to mitigate the (inherent) key escrow problem in identity-based cryptosystems. In this work, the concept of accountable authority to attribute-based encryption (ABE) setting is generalized for the first time, and then a construction is given. The scheme non-trivially integrates an A-IBE scheme proposed by Libert et al. with an ABE scheme. In our construction, a user will be identified by a pair (id, ω), where id denotes the user's identity and ω denotes the set of attributes associated to the user. In addition, our construction is shown to be secure under some reasonable assumptions. © by HIGH TECHNOLOGY LETTERS PRESS.

Benoît Libert,Damien Vergnaud

DOI: https://doi.org/10.48550/arXiv.0807.1775

2009-09-09

Abstract:At Crypto'07, Goyal introduced the concept of Accountable Authority Identity-Based Encryption as a convenient tool to reduce the amount of trust in authorities in Identity-Based Encryption. In this model, if the Private Key Generator (PKG) maliciously re-distributes users' decryption keys, it runs the risk of being caught and prosecuted. Goyal proposed two constructions: the first one is efficient but can only trace well-formed decryption keys to their source; the second one allows tracing obfuscated decryption boxes in a model (called weak black-box model) where cheating authorities have no decryption oracle. The latter scheme is unfortunately far less efficient in terms of decryption cost and ciphertext size. In this work, we propose a new construction that combines the efficiency of Goyal's first proposal with a very simple weak black-box tracing mechanism. Our scheme is described in the selective-ID model but readily extends to meet all security properties in the adaptive-ID sense, which is not known to be true for prior black-box schemes.

Cryptography and Security

Zhen Liu,Qiong Huang,Duncan S. Wong

DOI: https://doi.org/10.1093/comjnl/bxaa082

2020-01-01

The Computer Journal

Abstract:Attribute-based encryption (ABE) is a versatile one-to-many encryption primitive, which enables fine-grained access control over encrypted data. Due to its promising applications in practice, ABE schemes with high efficiency, security and expressivity have been continuously emerging. On the other hand, due to the nature of ABE, a malicious user may abuse its decryption privilege. Therefore, being able to identify such a malicious user is crucial towards the practicality of ABE. Although some specific ABE schemes in the literature enjoys the tracing function, they are only proceeded case by case. Most of the ABE schemes do not support traceability. It is thus meaningful and important to have a generic way of equipping any ABE scheme with traceability. In this work, we partially solve the aforementioned problem. Namely, we propose a way of transforming (non-traceable) ABE schemes satisfying certain requirements to fully collusion-resistant black-box traceable ABE schemes, which adds only $O(\sqrt{\mathcal{K}})$ elements to the ciphertext where ${\mathcal{K}}$ is the number of users in the system. And to demonstrate the practicability of our transformation, we show how to convert a couple of existing non-traceable ABE schemes to support traceability.

Jin Li,Kui Ren,Bo Zhu,Zhiguo Wan

DOI: https://doi.org/10.1007/978-3-642-04474-8_28

2009-01-01

Abstract:As a new public key primitive, attribute-based encryption (ABE) is envisioned to be a promising tool for implementing fine-grained access control. To further address the concern of user access privacy, privacy-aware ABE schemes are being developed to achieve hidden access policy recently. For the purpose of secure access control, there is, how- ever, still one critical functionality missing in the existing ABE schemes, which is user accountability. Currently, no ABE scheme can completely prevent the problem of illegal key sharing among users. In this paper, we tackle this problem by firstly proposing the notion of accountable, anony- mous, and ciphertext-policy ABE (CP-A 3 BE, in short) and then giving out a concrete construction. We start by improving the state-of-the-art of anonymous CP-ABE to obtain shorter public parameters and ciphertext length. In the proposed CP-A 3 BE construction, user accountability can be achieved in black-box model by embedding additional user-specific information into the attribute private key issued to that user, while still maintaining hidden access policy. The proposed constructions are prov- ably secure.

Xing Zhang,Cancan Jin,Cong Li,Zilong Wen,Qingni Shen,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1007/978-3-319-28865-9_27

2015-01-01

Abstract:To ensure the security of sensitive data, people need to encrypt them before uploading them to the public storage. Attribute-based encryption (ABE) is a promising cryptographic primitive for fine-grained sharing of encrypted data. However, ABE lacks user and authority accountability. The user can share his/her secret key without being identified, while key generation center (KGC) can generate any user’s secret key. In this paper, we propose a practical large universe ciphertext-policy ABE (CP-ABE) with user and authority accountability in the white-box model. As embedding the user’s identity information into this user’s secret key directly, the trace stage has only O(1) time overhead. The property of accountability is proved against the dishonest user and KGC in the standard model. We implement our scheme in Charm. Experiments show that CP-ABE of Rouselakis and Waters in CCS 2013 is enhanced in user and authority accountability by our method with small computational cost.

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Junqing Gong,Jie Chen

DOI: https://doi.org/10.1007/978-3-319-45741-3_28

2016-01-01

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) is a highly promising solution for cloud computing, which has been widely applied to provide fine-grained access control in cloud storage services recently. However, for CP-ABE based cloud storage systems, if a decryption device appears on eBay described and advertised to be able to decrypt any ciphertexts with policies satisfied by an attribute set or even with a specific access policy only, no one can trace the malicious user(s) who built such a decryption device using their private key(s). This has been known as a major obstacle to deploying CP-ABE systems in real-world commercial applications. Due to the one-to-many encryption mechanism of CP-ABE, the same decryption privilege is shared by multiple users who have the same attributes. It is difficult to identity the malicious user(s) who built such a decryption device. To track people selling decryption devices on eBay efficiently, in this paper, we develop a new methodology for constructing traitor tracing functionality, and present the first black-box traceable CP-ABE (BT-CP-ABE) with short ciphertexts which are independent of the number of users N. The black-box traceability is public, fully collusion-resistant, and adaptively traceable against both key-like decryption black-box and policy-specific decryption black-box.Our construction combines the conventional CP-ABE with Anonymous Hierarchical Identity-Based Encryption(A-HIBE) in a novel way, which is the first to construct the (underlying) traitor tracing system from A-HIBE. The resulting ciphertexts are independent of N while the private keys are linear in N, which partially answers an open problem posed by Boneh and Waters [CCS 2006]. We believe this work is a constructive step towards efficient traitor tracing system with short ciphertexts and private keys. In particular, we believe that following the route of this work, any progress in A-HIBE (i.e., with shorter ciphertexts and private keys) may result in some progress in BT-CP-ABE and finally give a satisfactory solution to this open problem.

Zhen Liu,Duncan S. Wong

DOI: https://doi.org/10.1093/comjnl/bxv101

2015-01-01

Abstract:A blackbox traceable Attribute-Based Encryption (ABE) can identify a malicious user called traitor, which created a decryption box with respect to an attribute set (respectively, access policy), out of all the users who share the same attribute set (respectively, access policy). However, none of the existing traceable ABE schemes can also support revocation and large attribute universe, that is, being able to revoke compromised keys, and can take an exponentially large number of attributes. In this paper, we formalize the definitions and security models, and propose constructions of both Ciphertext-Policy ABE and Key-Policy ABE that support (i) public and fully collusion-resistant blackbox traceability, (ii) revocation, (iii) large universe and (iv) any monotonic access structures as policies (i.e. high expressivity). We also show that the schemes are secure and blackbox traceable in the standard model against selective adversaries.

Zhen Liu,Zhenfu Cao,Duncan S. Wong

DOI: https://doi.org/10.1109/tifs.2014.2363562

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In Ciphertext-policy attribute-based encryption (CP-ABE), ciphertexts are associated with access policies, which do not have to contain the identities of eligible receivers, and attributes are shared by multiple users. CP-ABE is useful for providing fine-grained access control on encrypted data. However, it also has a practicality concern that a malicious user, with his attributes shared with other users, might leak his decryption privilege as a decryption blackbox, for some financial gain or other incentives, as there is little risk of getting caught. There are two types of decryption blackboxes that reflect different practical scenarios. A key-like decryption blackbox is associated with an attribute set S-D and can decrypt ciphertexts with access policies satisfied by S-D. A policy-specific decryption blackbox is associated with an access policy A(D) and can decrypt ciphertexts with A(D). Policy-specific decryption blackbox has weaker decryption capacity than key-like decryption blackbox, but tracing it is deemed to be more difficult. In the preliminary version (in CCS 2013) of this paper, we proposed a new CP-ABE scheme which is adaptively traceable against key-like decryption blackbox. The scheme has sublinear overhead, which is the most efficient one to date supporting fully collusion-resistant blackbox traceability. The scheme is fully secure in the standard model, and supports any monotonic access structures. In this paper, we further show that the scheme is also selectively traceable against policy-specific decryption blackbox. Furthermore, and more importantly, we prove a general statement that if a CP-ABE scheme is (selectively) traceable against policy-specific decryption blackbox, it is also (selectively) traceable against key-like decryption blackbox, which implies that we now only need to focus on building CP-ABE schemes which are traceable against policy-specific decryption blackbox.

Zhen Liu,Zhenfu Cao,Duncan S. Wong

DOI: https://doi.org/10.1007/978-3-319-16745-9_22

2015-01-01

Abstract:Recently a series of expressive, secure and efficient Attribute-Based Encryption (ABE) schemes, both inkey-policy flavor and ciphertext-policy flavor, have been proposed. However, before being applied into practice, these systems have to attain traceability of malicious users. As the decryption privilege of a decryption key in Key-Policy ABE (resp. Ciphertext-Policy ABE) may be shared by multiple users who own the same access policy (resp. attribute set), malicious users might tempt to leak their decryption privileges to third parties, for financial gain as an example, if there is no tracing mechanism for tracking them down. In this work we study the traceability notion in the setting of Key-Policy ABE, and formalize Key-Policy ABE supporting fully collusion-resistant blackbox traceability. An adversary is allowed to access an arbitrary number of keys of its own choice when building a decryption-device, and given such a decryption-device while the underlying decryption algorithm or key may not be given, a blackbox tracing algorithm can find out at least one of the malicious users whose keys have been used for building the decryption-device. We propose a construction, which supports both fully collusion-resistant blackbox traceability and high expressivity (i.e. supporting any monotonic access structures). The construction is fully secure in the standard model (i.e. it achieves the best security level that the conventional non-traceable ABE systems do to date), and is efficient that the fully collusion-resistant blackbox traceability is attained at the price of making ciphertexts grow only sub-linearly in the number of users in the system, which is the most efficient level to date.

Xingbing Fu,Xuyun Nie,Fagen Li

DOI: https://doi.org/10.3390/info6030481

2015-01-01

Information

Abstract:In the existing attribute-based encryption (ABE) scheme, the authority (i. e., private key generator (PKG)) is able to calculate and issue any user's private key, which makes it completely trusted, which severely influences the applications of the ABE scheme. To mitigate this problem, we propose the black box traceable ciphertext policy attribute-based encryption (T-CP-ABE) scheme in which if the PKG re-distributes the users' private keys for malicious uses, it might be caught and sued. We provide a construction to realize the T-CP-ABE scheme in a black box model. Our scheme is based on the decisional bilinear Diffie-Hellman (DBDH) assumption in the standard model. In our scheme, we employ a pair (ID, S) to identify a user, where ID denotes the identity of a user and S denotes the attribute set associated with her.

Xuecheng Ma,Xin Wang,Dongdai Lin

DOI: https://doi.org/10.48550/arXiv.1806.05943

2018-06-15

Abstract:Anonymous Identity-Based Encryption can protect privacy of the receiver. However, there are some situations that we need to recover the identity of the receiver, for example a dispute occurs or the privacy mechanism is abused. In this paper, we propose a new concept, referred to as Anonymous Identity-Based Encryption with Identity Recovery(AIBEIR), which is an anonymous IBE with identity recovery property. There is a party called the Identity Recovery Manager(IRM) who has a secret key to recover the identity from the ciphertext in our scheme. We construct it with an anonymous IBE and a special IBE which we call it testable IBE. In order to ensure the semantic security in the case where the identity recovery manager is an adversary, we define a stronger semantic security model in which the adversary is given the secret key of the identity recovery manager. To our knowledge, we propose the first AIBEIR scheme and prove the security in our defined model.

Cryptography and Security

Zhen Liu,Zhenfu Cao,Duncan S. Wong

DOI: https://doi.org/10.1145/2508859.2516683

2013-01-01

Abstract:In the context of Ciphertext-Policy Attribute-Based Encryption (CP-ABE), if a decryption device associated with an attribute set S_D appears on eBay, and is alleged to be able to decrypt any ciphertexts with policies satisfied by S_D, no one including the CP-ABE authorities can identify the malicious user(s) who build such a decryption device using their key(s). This has been known as a major practicality concern in CP-ABE applications, for example, providing fine-grained access control on encrypted data. Due to the nature of CP-ABE, users get decryption keys from authorities associated with attribute sets. If there exists two or more users with attribute sets being the supersets of S_D, existing CP-ABE schemes cannot distinguish which user is the malicious one who builds and sells such a decryption device. In this paper, we extend the notion of CP-ABE to support Blackbox Traceability and propose a concrete scheme which is able to identify a user whose key has been used in building a decryption device from multiple users whose keys associated with the attribute sets which are all the supersets of S_D. The scheme is efficient with sub-linear overhead and when compared with the very recent (non-traceable) CP-ABE scheme due to Lewko and Waters in Crypto 2012, we can consider this new scheme as an extension with the property of fully collusion-resistant blackbox traceability added, i.e. an adversary can access an arbitrary number of keys when building a decryption device while the new tracing algorithm can still identify at least one particular key which must have been used for building the underlying decryption device. We show that this new scheme is secure against adaptive adversaries in the standard model, and is highly expressive by supporting any monotonic access structures. Its additional traceability property is also proven against adaptive adversaries in the standard model. As of independent interest, in this paper, we also consider another scenario which we call it "found-in-the-wild". In this scenario, a decryption device is found, for example, from a black market, and reported to an authority (e.g. a law enforcement agency). The decryption device is found to be able to decrypt ciphertexts with certain policy, say A, while the associated attribute set S_D is missing. In this found-in-the-wild scenario, we show that the Blackbox Traceable CP-ABE scheme proposed in this paper can still be able to find the malicious users whose keys have been used for building the decryption device, and our scheme can achieve selective traceability in the standard model under this scenario.

J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Jie Chen,Hoon Wei Lim,San Ling,Le Su,Huaxiong Wang

DOI: https://doi.org/10.48550/arXiv.1210.6441

2012-10-24

Abstract:In Identity-Based Encryption (IBE) systems, key revocation is non-trivial. This is because a user's identity is itself a public key. Moreover, the private key corresponding to the identity needs to be obtained from a trusted key authority through an authenticated and secrecy protected channel. So far, there exist only a very small number of revocable IBE (RIBE) schemes that support non-interactive key revocation, in the sense that the user is not required to interact with the key authority or some kind of trusted hardware to renew her private key without changing her public key (or identity). These schemes are either proven to be only selectively secure or have public parameters which grow linearly in a given security parameter. In this paper, we present two constructions of non-interactive RIBE that satisfy all the following three attractive properties: (i) proven to be adaptively secure under the Symmetric External Diffie-Hellman (SXDH) and the Decisional Linear (DLIN) assumptions; (ii) have constant-size public parameters; and (iii) preserve the anonymity of ciphertexts---a property that has not yet been achieved in all the current schemes.

Cryptography and Security

Xiaoyi Li,Kaitai Liang,Zhen Liu,Duncan Wong

DOI: https://doi.org/10.5220/0006220203090320

2016-01-01

Abstract:A Ciphertext-Policy Attribute-Based Encryption (CP-ABE) allows users to specify the access policies without having to know the identities of users. In this paper, we contribute by proposing an ABE scheme which enables revoking corrupted users. Given a key-like blackbox, our system can identify at least one of the users whose key must have been used to construct the blackbox and can revoke the key from the system. This paper extends the work of Liu and Wong to achieve traitor revocability. We construct an Augmented Revocable CP-ABE (AugR-CP-ABE) scheme, and describe its security by message-hiding and index-hiding games. Then we prove that an AugR-CP-ABE scheme with message-hiding and index-hiding properties can be transferred to a secure Revocable CP-ABE with fully collusion-resistant blackbox traceability. In the proof for index-hiding, we divide the adversary's behaviors in two ways and build direct reductions that use adversary to solve the D3DH problem. Our scheme achieves the sub-linear overhead of O(root N), where N is the number of users in the system. This scheme is highly expressive and can take any monotonic access structures as ciphertext policies.

YongTao Wang,KeFei Chen,Yu Long,ZhaoHui Liu

DOI: https://doi.org/10.1007/s11432-012-4594-7

2012-01-01

Science China Information Sciences

Abstract:We present an accountable authority key policy attribute-based encryption (A-KPABE) scheme. In this paper, we extend Goyal’s work to key policy attribute-based encryption setting. We first generalize the notion of accountable authority in key policy attribute-based encryption scenario, and then give a construction. In addition, our scheme is shown to be secure in the standard model under the modified Bilinear Decisional Diffie-Hellman (mBDDH) assumption.

Siyue Dong,Zhen Zhao,Baocang Wang,Wen Gao,Shanshan Zhang

DOI: https://doi.org/10.3390/electronics13071256

IF: 2.9

2024-03-29

Electronics

Abstract:Public key encryption with equality test (PKEET) is a cryptographic primitive that enables a tester to determine whether two ciphertexts encrypted with same or different public keys have been generated from the same message without decryption. Previous studies extended PKEET to public key encryption with designated-position fuzzy equality test (PKE-DFET), enabling testers to verify whether plaintexts corresponding to two ciphertexts are equal while ignoring specific bits at designated positions. In this work, we have filled the research gap in the identity-based encryption (IBE) cryptosystems for this primitive. Furthermore, although our authorization method is the all-or-nothing (AoN) type, it overcomes the shortcomings present in the majority of AoN-type authorization schemes. In our scheme, equality tests can only be performed between a ciphertext and a given plaintext. Specifically, even if a tester acquires multiple AoN-type authorizations, it cannot conduct unpermitted equality tests between users. This significantly reduces the risk of user privacy leaks when handling sensitive information in certain scenarios, while still retaining the flexible and simple characteristics of AoN-type authorizations. We use the Chinese national cryptography standard SM9-IBE algorithm to provide the concrete construction of our scheme, enhancing the usability and security of our scheme, while making deployment more convenient. Finally, we prove that our scheme achieves F-OW-ID-CCA security when the adversary has the trapdoor of the challenge ciphertext, and achieves IND-ID-CCA security when the adversary does not have the trapdoor of the challenge ciphertext.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zechao Liu,Xuan Wang,Lei Cui,Zoe L. Jiang,Chunkai Zhang

DOI: https://doi.org/10.1109/spac.2017.8304334

2017-01-01

Abstract:Ciphertext policy attribute-based encryption (CP-ABE) is a promising technology that offers fine-grained access control over encrypted data. In a CP-ABE scheme, any user can decrypt the ciphertext using his secret key if his attributes satisfy the access policy embedded in the ciphertext. Since the same ciphertext can be decrypted by multiple users with their own keys, the malicious users may intentionally leak their decryption keys for financial profits. So how to trace the malicious users becomes an important issue in a CP-ABE scheme. In addition, from the practical point of view, users may leave the system due to resignation or dismissal. So user revocation is another hot issue that should be solved. In this paper, we propose a practical CP-ABE scheme. On the one hand, our scheme has the properties of traceability and large universe. On the other hand, our scheme can solve the dynamic issue of user revocation. The proposed scheme is proved selectively secure in the standard model.

Yi Wang,Rongmao Chen,Xinyi Huang,Jianting Ning,Baosheng Wang,Moti Yung

DOI: https://doi.org/10.1007/978-3-030-92075-3_15

2021-01-01

Abstract:Our context is anonymous encryption schemes hiding their receiver, but in a setting which allows authorities to reveal the receiver when needed. While anonymous Identity-Based Encryption (IBE) is a natural candidate for such fair anonymity (it gives trusted authority access by design), the de facto security standard (a.k.a. IND-ID-CCA) is incompatible with the ciphertext rerandomizability which is crucial to anonymous communication. Thus, we seek to extend IND-ID-CCA security for IBE to a notion that can be meaningfully relaxed for rerandomizability while it still protects against active adversaries. To the end, inspired by the notion of replayable adaptive chosen-ciphertext attack (RCCA) security (Canetti et al., Crypto'03), we formalize a new security notion called Anonymous Identity-Based RCCA (ANON-ID-RCCA) security for rerandomizable IBE and propose the first construction with rigorous security analysis. The core of our scheme is a novel extension of the double-strand paradigm, which was originally proposed by Golle et al. (CT-RSA'04) and later extended by Prabhakaran and Rosulek (Crypto'07), to the well-known Gentry-IBE (Eurocrypt'06). Notably, our scheme is the first IBE that simultaneously satisfies adaptive security, rerandomizability, and recipient-anonymity to date. As the application of our new notion, we design a new universal mixnet in the identitybased setting that does not require public key distribution (with fair anonymity). More generally, our new notion is also applicable to most existing rerandomizable RCCA-secure applications to eliminate the need for public key distribution infrastructure while allowing fairness.

Ang Gao,Zengzhi Li

DOI: https://doi.org/10.1002/sec.683

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:ABSTRACT In order to resolve the problem that collusion attack on attribute‐based encryption (ABE) with multi‐authority, we firstly formulize user action of making request for key into legality and collusion by the relationship between user's attributes and decryption threshold. Furthermore, we propose an ABE scheme without presenting user's global ID (GID). In our first system, a trusted central authority assists each attribute authority (AA) to independently run a security check for users' requests, such that only legal users have power to decrypt a message. In order to prevent a malicious user from passing security check by submitting duplication request to AA, we improve the first system by our second system, where the same requests of different users are transformed into different ones associated with the subset of attributes indexes. Finally, in order to adapt this transformation to ABE, discrete Fourier transform and inverse discrete Fourier transform are used to share and recover secret key, respectively. As shown in the results of security and performance evaluation, our scheme not only improves user's privacy but also is more efficient than existing ABE schemes. Copyright © 2013 John Wiley & Sons, Ltd.