¹¹institutetext: ¹Russian Quantum Center, Skolkovo, Moscow 143025, Russia
² QApp, Skolkovo, Moscow 143025, Russia
³Bauman Moscow State Technical University, Moscow 105005, Russia
⁴ Moscow Institute of Physics and Technology, Dolgoprudny, Moscow Region 141700, Russia
¹¹email: [email protected]; [email protected]; [email protected]; [email protected]

Advanced attribute-based protocol based on the modified secret sharing scheme

M.A. Kudinov^1,2,3 A.A. Chilikov^3,4 E.O. Kiktenko^1,2 A.K. Fedorov^1,2

Abstract

We construct a new protocol for attribute-based encryption with the use of the modification of the standard secret sharing scheme. In the suggested modification of the secret sharing scheme, only one master key for each user is required that is achieved by linearly enlarging public parameters in the access formula. We then use this scheme for designing an attribute-based encryption protocol related to some access structure in terms of attributes. We demonstrate that the universe of possible attributes does not affect the resulting efficiency of the scheme. The security proofs for both constructions are provided.

Abstract

We construct a new protocol for attribute-based encryption with the use of the modification of the standard secret sharing scheme. In the suggested modification of the secret sharing scheme, only one master key for each user is required that is achieved by linearly enlarging public parameters in access formula. We then use this scheme for designing an attribute-based encryption protocol related to some access structure in terms of attributes. We demonstrate that the universe of possible attributes does not affect the resulting efficiency of the scheme. The security proofs for both constructions are provided.

Keywords:

secret sharing attribute-based encryption monotone access structures

Keywords:

Secret sharing Attribute-based encryption Monotone access structures

1 Introduction

In the view of the significant increase in the amount of digital communications, the problem of efficient protection of data becomes crucial. An important task is to construct a secured protocol for controlled access to data. In standard protocols for solving this problem, which are mostly based on public-key cryptography, a secret key is required for access to whole encrypted data. A straightforward modifications of such protocols for providing partial access to data lead to a significant increase of the complexity since multiple encryptions of the same data are needed.

Attribute-based encryption (ABE) is a relatively new approach for solving the data access control problem [1, 2, 3]. In the ABE schemes, the access to the parts of an encrypted data is determined by a set of attributes, which are inherent to various participants. Thus, if attributes of a participant belonging to a particular subset of possible attributes, then he is able to obtain access to a corresponding particular part of the encrypted data. The ABE conception appears to be very promising in a framework of cloud technologies and distributed ledgers. Over the past decade, a number of modifications and improvements have been presented [1, 4, 5]. However, some of the proposed approaches still suffer from implementation complexity, which increases with the number of attributes.

We note that the concept of ABE has much in common with the secret sharing (SS) problem. However, one of the most common SS schemes [6] has a problem related to a large number of shares per trustee.

In this work, we propose an advanced ABE protocol with a sufficiently low computational complexity. One of the main techniques of our work is a modification of the standard SS scheme, which allows one to use a single key for generating the whole set of required shares. This modification is then used for the construction of the ABE protocol, which is independent to the size of the set of possible attributes.

The paper is organized as follows. In Sec. 2 we provide basic definitions. In Sec. 3 we briefly describe the standard construction of the general SS scheme. In Sec. 4 we present our modification of the SS scheme, which is then used for constructing the ABE protocol in Sec. 5. In Sec. 6 we estimate the required resources for encryption and decryption for the suggested protocol. We summarize our results and conclude in Sec. 7.

2 Preliminaries

Let us introduce basic definitions and notations.

Let $x\leftarrow\mathcal{X}$ , where $x$ is a random value and $\mathcal{X}$ is a probability distribution, denote a sampling of $x$ from the distribution $\mathcal{X}$ . Let $y\leftarrow M(x)$ , where $M$ is an algorithm, denote the output $y$ of $M$ processed on the input $x$ . Let $x\stackrel{{\scriptstyle\$}}{{\leftarrow}}X$ , where $X$ is a set, denote an element $x$ , which is chosen uniformly at random from the set $X$ . Let $\lor(\phi_{1},\ldots,\phi_{n})$ and $\land(\phi_{1},\ldots,\phi_{n})$ stand for $\phi_{1}\lor\ldots\lor\phi_{n}$ and $\phi_{1}\land\ldots\land\phi_{n}$ , correspondingly.

Now we define a pseudorandom function (PRF) family. Given the oracle $f$ , we denote $M(f)$ as the execution of the oracle machine $M$ with an access to $f$ .

Definition 1 (pseudorandom function (PRF) family)

We define $\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}=\{f_{k}:\mathcal{D}\rightarrow\mathcal{E}\}_{k\in\mathcal{K}}$ , where $|\mathcal{K}|=|\mathcal{D}|=|\mathcal{E}|<\infty$ to be a function family. We define the advantage of an adversary $\mathcal{A}$ against PRF as

{\rm Adv_{\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}}^{PRF}(\mathcal{A})}=|\Pr[1\leftarrow\mathcal{A}(f_{k}):k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K}]-\Pr[1\leftarrow\mathcal{A}(h):h\stackrel{{\scriptstyle\$}}{{\leftarrow}}H_{\mathcal{D}\rightarrow\mathcal{E}}]|,

where $H_{\mathcal{D}\rightarrow\mathcal{E}}$ is a family of all functions from $\mathcal{D}\rightarrow\mathcal{E}$ ( $|H_{\mathcal{D}\rightarrow\mathcal{E}}|=|\mathcal{E}|^{|\mathcal{D}|}$ ). We define the PRF insecurity of a function family $\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}$ against time- $\xi$ adversaries as the maximum advantage of any classical adversary that runs in time $\xi$ :

{\rm InSec^{PRF}(\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}},\xi)=\underset{\mathcal{A}}{max}\{Adv_{\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}}^{PRF}(\mathcal{A})\}}

Definition 2 ( $m$ -PRF family game)

We say that an oracle $\omega$ is initialized with a function $f(\cdot)$ if $\omega(x)=f(x)$ , and denote it as $\omega\leftarrow f$ . The following procedure is called $m$ -PRF family game

Init:: Given $\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}=\{f_{k}:\mathcal{D}\rightarrow\mathcal{E}\}_{k\in\mathcal{K}}$ , where $|\mathcal{K}|=|\mathcal{D}|=|\mathcal{E}|$ , flip a fair coin $b$ . If $b=1$ then $\Omega=\{\omega_{i}\leftarrow f_{k}:k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K},\ i\in\{1,\ldots,m\}\}$ . Otherwise $\Omega=\{\omega_{i}\leftarrow h:h\stackrel{{\scriptstyle\$}}{{\leftarrow}}H_{\mathcal{D}\rightarrow\mathcal{E}},\ i\in\{1,\ldots,m\}\}$ , where $H_{\mathcal{D}\rightarrow\mathcal{E}}$ is a family of all functions from $\mathcal{D}\rightarrow\mathcal{E}$ .
Game:: Given a set of oracles $\Omega$ , the challenge is to distinguish whether $\Omega$ is initialized with functions from $F_{\mathcal{D}\rightarrow\mathcal{E}}$ or from $H_{\mathcal{D}\rightarrow\mathcal{E}}$

We define the advantage of an adversary $\mathcal{A}$ against $m$ -PRF as

{\rm Adv}_{\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}}^{m-{\rm PRF}}(\mathcal{A})=|\Pr[1\leftarrow\mathcal{A}(\Omega)|b=1]-\Pr[1\leftarrow\mathcal{A}(\Omega)|b=0]|.

We define the $m$ -PRF insecurity of a function family $\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}$ against time- $\xi$ adversaries as the maximum advantage of any classical adversary that runs in time $\xi$ :

{\rm InSec}^{m-{\rm PRF}}(\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}},\xi)=\underset{\mathcal{A}}{\max}\{{\rm Adv}_{\mathbb{F}_{\mathcal{D}\rightarrow\mathcal{E}}}^{m-{\rm PRF}}(\mathcal{A})\}

Definition 3 (Decisional Diffie–Hellman (DDH) challenge [10, 11])

Consider a (multiplicative) cyclic group $G$ of the order $q$ with the generator $g$ . We define the advantage of an adversary $\mathcal{A}$ against DDH as

{\rm Adv}_{G}^{\rm DDH}(\mathcal{A})=|\Pr(1\leftarrow\mathcal{A}(g^{a},g^{b},g^{ab})-\Pr(1\leftarrow\mathcal{A}(g^{a},g^{b},g^{z}))|

(1)

where $a,b,z$ are chosen randomly and independently from $\mathbb{Z}_{q}$ . We define the DDH insecurity of a group $G$ against time- $\xi$ adversaries as the maximum advantage of any classical adversary that runs in time $\xi$ :

{\rm InSec^{DDH}}(G,\xi)={\rm\underset{\mathcal{A}}{max}}\{{\rm Adv}_{G}^{\rm DDH}(\mathcal{A})\}

Definition 4 ( $m$ -DDH challenge)

Consider a (multiplicative) cyclic group $G$ of the order $q$ with the generator $g$ , and following two distibutions:

•

$\Omega_{ab}=\{(g^{a},g^{b_{1}},g^{a\cdot b_{1}}),(g^{a},g^{b_{2}},g^{a\cdot b_{2}}),\ldots,(g^{a},g^{b_{m}},g^{a\cdot b_{m}})\}$ , where $a$ and $b_{i}$ are chosen randomly and independently from $\mathbb{Z}_{q}$ for $i=1,\ldots,m$ ,
•

$\Omega_{z}=\{(g^{a},g^{b_{1}},g^{z_{1}}),(g^{a},g^{b_{2}},g^{z_{2}}),\ldots,(g^{a},g^{b_{m}},g^{z_{m}})\}$ , where $a,b_{i},z_{i}$ are chosen randomly and independently from $\mathbb{Z}_{q}$ for $i=1,\ldots,m$ ,

We define the advantage of an adversary $\mathcal{A}$ against $m$ -DDH as

{\rm Adv}_{G}^{m-{\rm DDH}}(\mathcal{A})=|\Pr[1\leftarrow\mathcal{A}(\Omega_{ab})]-\Pr[1\leftarrow\mathcal{A}(\Omega_{z})]|

(2)

We define the DDH insecurity of a group $G$ against time- $\xi$ adversaries as the maximum advantage of any classical adversary that runs in time $\xi$ :

{\rm InSec}^{m-{\rm DDH}}(G,\xi)={\rm\underset{\mathcal{A}}{max}}\{{\rm Adv}_{G}^{m-{\rm DDH}}(\mathcal{A})\}

Definition 5

Let $\mathcal{P}=\{P_{1},\ldots P_{n}\}$ be a set. An access structure $\mathcal{B}$ is a collection of non-empty subsets of $\mathcal{P}$ , i.e., $\mathcal{B}\subseteq 2^{\mathcal{P}}$ .

Definition 6

Given a set $\mathcal{P}$ , a monotone access structure on $\mathcal{P}$ is a collection of subsets $\mathcal{B}\subseteq 2^{\mathcal{P}}$ such that

B\in\mathcal{B},B\subseteq B^{\prime}\subseteq\mathcal{P}\Rightarrow B^{\prime}\in\mathcal{B}.

Definition 7

A Boolean function $\Phi:\{0,1\}^{n}\rightarrow\{0,1\}$ is called monotone, if $\Phi(x_{1},\ldots,x_{n})\leq\Phi(x_{1}^{\prime},\ldots,x_{n}^{\prime})$ , whenever for every $i\in\{1,\ldots,n\}$ $x_{i}\leq x_{i}^{\prime}$ .

Definition 8

Given an access structure $\mathcal{B}$ , define a Boolean function $\Phi_{\mathcal{B}}:\{0,1\}^{|P|}\rightarrow\{0,1\}$ on $|\mathcal{P}|$ -bit strings, where each bit is indexed by an element from $\mathcal{P}$ , such that $\Phi(x)=1$ iff $\{p:x_{p}=1\}\in\mathcal{B}$ .

One can look at the Boolean function $\Phi_{\mathcal{B}}$ as an indicator of the set $\mathcal{B}$ . It is easy to check that the defined $\Phi_{\mathcal{B}}$ is a monotone Boolean function for a proper monotone access structure $\mathcal{B}$ .

Definition 9

For a given set $\mathcal{P}$ and a monotone access structure $\mathcal{B}$ on $\mathcal{P}$ , define $\mathcal{F(B)}$ to be the set of all Boolean formulae (expressions consisted of logical operations) on $|P|$ variables, such that for every formula $\phi\in\mathcal{F(B)}$ the output of $\phi$ is true iff the true variables in $\phi$ correspond exactly to a set $B\in\mathcal{B}$ (here we assume that each Boolean variable in the formula is indexed with an element form $\mathcal{P}$ ).

We note that $\phi$ , $\phi^{\prime}\in\mathcal{F(B)}$ implies that $\phi$ and $\phi^{\prime}$ correspond to the same function $\Phi_{\mathcal{B}}$ . They may, however, represent entirely different formula to express this function.

Definition 10 (Random oracle [12])

Random oracle is an oracle (a theoretical black box) that responds to every unique query with a value chosen uniformly at random from its output domain. If a query is repeated, it responds the same way every time that query is submitted. We refer a set of independent Random Oracles, $\{{\rm RO}_{1},\ldots,{\rm RO}_{t}\}$ , as a family of Random Oracles.

3 Standard construction of the general SS scheme

We begin our consideration with a SS scheme, which is proposed by J. Benaloh and J. Leichter [6], that we refer to as a standard SS scheme. For this purpose we first introduce a definition of the secure generalized SS scheme. It is known that for certain access structures every secure generalized SS scheme must be able to assign multiple shares to each trustee (see Theorem 3.2 below). In this case, we use $s_{p,j}$ to denote the $j^{\rm th}$ share given to trustee $p$ .

We define the scheme with the use of the following roles. We call the dealer, a user who shares a secret according to some access structure. The trustees are users among which the secret is shared. A party is a group of trustees. We denote the set of all trustees as $\mathcal{P}$ .

Definition 11 (Secure generalized SS scheme)

Given a monotone access structure $\mathcal{B}$ on a set of trusties $\mathcal{P}$ and a set of possible secrets $\mathcal{S}$ , a secure generalized SS scheme for $\mathcal{B}$ is a method of dividing a secret $s\in\mathcal{S}$ into shares $\{s_{p,j}\}_{p\in\mathcal{P},j\in\mathbb{N}}$ such that

•

for every $B\in\mathcal{B}$ , there is an algorithm for reconstructing the secret $s$ from the subset of shares $\underset{p\in B}{\cup}\underset{j}{\cup}s_{p,j}$ ;
•

for every $B\notin\mathcal{B}$ the subset of shares $\underset{p\in B}{\cup}\underset{j}{\cup}s_{p,j}$ provides no information (in an information theoretic sense) about the value of $s$ .

In what is presented below, we define the secret domain $\mathcal{S}=\mathbb{Z}_{q}$ , for some positive integer $q$ . We then are able to construct the secure generalized SS scheme.

It is known that every monotone function $\Phi$ can represented with a formula $\phi$ consisted only of $\land$ and $\lor$ operations (without NOT operation). It is then sufficient to demonstrate how to divide a secret “across” these two operators. We use $X_{p,j}$ to denote the $j^{\rm th}$ appearance of variable $X_{p}:p\in P$ in a formula $\phi$ . We refer it as $j$ -notation. For example, a formula $(X_{1}\land X_{2})\lor(X_{1}\land X_{3})$ transforms to $(X_{1,1}\land X_{2,1})\lor(X_{1,2}\land X_{3,1})$

Let $\$(s,\phi)$ be a random function, which declares shares for each trustee $p\in P$ for $s\in\mathcal{S}$ and a monotone formula $\phi$ , that is defined as follows (we assume that $\phi$ is represented in $j$ -notation):

•

$\$(s^{\prime},X_{p,j})$ assigns the share $s^{\prime}$ to trustee $p\in P$ , such that $s_{p,j}:=s^{\prime}$ ;
•

$\$(s^{\prime},\lor(\phi_{1},\ldots,\phi_{n}))=\underset{1\leq i\leq n}{\cup}\$(s,\phi_{i})$ ;
•

$\$(s,\land(\phi_{1},\ldots,\phi_{n}))=\underset{1\leq i\leq n}{\cup}\$(s_{i},\phi_{i})$ , where the $s_{i}$ are chosen uniformly from $\mathcal{S}$ , such that $s=(\sum_{i=1}^{n}{s_{i}})({\rm mod}\ q)$ .

It is then possible to show that for every monotone access structure $\mathcal{B}$ , the SS scheme defined by $\$(s,\phi)$ satisfies the definition of a secure generalized SS scheme.

Theorem 3.1

Let $\mathcal{B}$ be a monotone access structure on a set $\mathcal{P}$ , $\phi\in\mathcal{F(B)}$ such that it is represented in $j$ -notaition and contains only operators $\land$ and $\lor$ , and let $s$ be a secret from $\mathbb{Z}_{q}$ . The SS scheme determined by $\$(s,\phi)$ is a secure generalized SS scheme for $\mathcal{B}$ .

Finally, we note that it is shown in [6] that there are access structures, which cannot be realized without giving multiple (or extra large) shares to some trustee.

Theorem 3.2

There exist access structures for which any generalized SS scheme must give some trustee shares which are from a domain larger than that of the secret.

See [6] for the proofs of Theorem 3.1 and Theorem 3.2.

4 Advanced SS scheme

4.1 General idea

As it is noted in [6], that we are unable to realize most monotone access structures with a standard SS scheme. However, one can modify the structures that can be realized efficiently, such that each trustee holds only one secret value, which we refer as a master key. With the use of the master key, a trustee is able to calculate all required shares.

We define the scheme with the use of the roles as defined above.

Let us begin with an illustrative example. Assume that a dealer wants to share a secret $s\in\mathbb{Z}_{q}$ between trustees Alice ( $A$ ), Bob ( $B$ ), Charlie ( $C$ ), and David ( $D$ ) according to the following access formula:

((X_{A,1}\land X_{B,1})\lor(X_{B,2}\land X_{C,1})\lor(X_{C,2}\land X_{D,1})),

(3)

where $X_{p,j}$ is a Boolean variable that represents a trustee $p$ and appeared $j^{\rm th}$ time in the formula. Let us introduce an address for each variable as its position in the formula as follows:

((\stackrel{{\scriptstyle 0}}{{X_{A,1}}}\land\stackrel{{\scriptstyle 1}}{{X_{B,1}}})\lor(\stackrel{{\scriptstyle 2}}{{X_{B,2}}}\land\stackrel{{\scriptstyle 3}}{{X_{C,1}}})\lor(\stackrel{{\scriptstyle 4}}{{X_{C,2}}}\land\stackrel{{\scriptstyle 5}}{{X_{D,1}}}))

(4)

Thus, $X_{A,1}.{\rm address}=0$ , $X_{B,1}.{\rm address}=1$ , $X_{B,2}.{\rm address}=2$ , and so on.

To share a secret, the dealer first gives each trustee $p\in\{A,B,C,D\}$ a value ${\rm mk}_{p}$ , which is chosen uniformly at random from some domain $\mathcal{K}$ . Next we refer to ${\rm mk}_{p}$ as a master key belonging to a trustee $p$ .

Let us then assume that the dealer and trustees have access to independent random oracles family $\{{\rm RO}_{i}:i\in\mathbb{Z}_{q}\}$ with an output domain in $\mathbb{Z}_{q}$ . In order to generate a share that corresponds to a variable $X_{p,j}$ , a trustee $p$ has to query the random oracle ${\rm RO}_{{\rm mk}_{p}}$ with $X_{p,j}.{\rm address}$ . For example, the shares for the defined access formula are computed in this way:

	$\displaystyle s_{A,1}={\rm RO}_{{\rm mk}_{A}}(X_{A,1}.{\rm address})={\rm RO}_{{\rm mk}_{A}}(0),$
	$\displaystyle s_{B,1}={\rm RO}_{{\rm mk}_{B}}(X_{B,1}.{\rm address})={\rm RO}_{{\rm mk}_{B}}(1),$
	$\displaystyle s_{B,2}={\rm RO}_{{\rm mk}_{B}}(X_{B,2}.{\rm address})={\rm RO}_{{\rm mk}_{B}}(2),$
	$\displaystyle s_{C,1}={\rm RO}_{{\rm mk}_{C}}(X_{C,1}.{\rm address})={\rm RO}_{{\rm mk}_{C}}(3),$		(5)
	$\displaystyle s_{C,2}={\rm RO}_{{\rm mk}_{C}}(X_{C,2}.{\rm address})={\rm RO}_{{\rm mk}_{C}}(4),$
	$\displaystyle s_{D,1}={\rm RO}_{{\rm mk}_{D}}(X_{D,1}.{\rm address})={\rm RO}_{{\rm mk}_{D}}(5).$

Since each random oracle is independent, every share is a random value from $\mathbb{Z}_{q}$ . As a result, a sum of shares, e.g. $s^{\prime}:=(s_{A,1}+s_{B,2})({\rm mod}\ q)$ , is also a uniformly random variable from $\mathbb{Z}_{q}$ . To make it possible to reconstruct a secret $s$ by trustees $A$ and $B$ , we add a publicly known value $y_{1}$ to this bracket, such that $(y_{1}+s^{\prime})({\rm mod}\ q)=s$ .

Consequently, we modify our access formula into the following form:

((\stackrel{{\scriptstyle 0}}{{X_{A,1}}}\land\stackrel{{\scriptstyle 1}}{{X_{B,1}}}\land Y_{1})\lor(\stackrel{{\scriptstyle 2}}{{X_{B,2}}}\land\stackrel{{\scriptstyle 3}}{{X_{C,3}}}\land Y_{2})\lor(\stackrel{{\scriptstyle 4}}{{X_{C,2}}}\land\stackrel{{\scriptstyle 5}}{{X_{D,1}}}\land Y_{3})),

(6)

where $Y_{i}$ are Boolean variables that correspond to fictitious trustees, whose shares $y_{i}$ are considered to be publicly known to every actual trustee. The value of $y_{i}$ is computed in such a way that a reconstruction of secret becomes possible. We note that $y_{i}$ is computed by the dealer, since he knows all the master keys.

Below we present our scheme in a more formal and efficient way.

4.2 Formal Construction

Let $n$ be a security parameter, $\mathbb{F}_{q}=\{f_{k}:k\in\mathcal{K}\}$ be a PRF family, where $q\geq 2^{n}$ and $f_{k}:\mathbb{Z}_{q}\rightarrow\mathbb{Z}_{q}$ with $|\mathcal{K}|=q$ . Here we chose $f_{k}:\mathcal{D}\rightarrow\mathcal{E}$ with $\mathcal{D}=\mathbb{Z}_{q}$ , but one can choose another domain. Note that $\mathcal{E}=\mathbb{Z}_{q}$ , so we are able to sum the shares in $\mathbb{Z}_{q}$ . Let $H_{q}$ be a family of all functions $\mathbb{Z}_{q}\rightarrow\mathbb{Z}_{q}$ . Let $l={\rm poly}(n)$ be the maximum size of monotone formula that we can use efficiently and let $l^{\prime}:=l/2$ . Hereby the size of the monotone formula is the number of times that variables occur in the formula.

The roles for the scheme (dealer, trustees, and party) are defined in the previous subsection.

First, we define a modifying function $g_{s}(\phi)$ , where $\phi$ is an access formula, whose size is less than $l^{\prime}+1$ and it is written in $j$ -notation, and $s\in\mathbb{Z}_{q}$ . Let $X_{p,j}$ be a variable, which represents a trustee $p$ and it is appeared $j^{\rm th}$ time in the formula. Let $X_{p,j}.{\rm address}$ represents the position of the variable in $\phi$ . Let ${\rm mk}_{p}\in\mathcal{K}$ be the value of $p$ ’s master key. We denote $Y_{i}$ as a variable that corresponds to a fictitious trustee and $y_{i}$ as the value of his share. We use $\phi_{i}$ as subformula. Since every formula can be written in the following form:

\circ(\phi_{1},\phi_{2},\ldots,\phi_{j},X_{p_{1},k_{1}},X_{p_{2},k_{2}},\ldots X_{p_{t},k_{t}}),

(7)

where $\circ$ stands for either $\land$ or $\lor$ .

Let is introduce a global counter $\alpha$ , which is initialized with $1$ . There are three separate cases to look at:

•

$g_{s}(X_{p_{1},k_{1}}\land\ldots\land X_{p_{t},k_{t}})=(X_{p_{1},k_{1}}\land\ldots\land X_{p_{t},k_{t}}\land Y_{\alpha})$ ,
where $t\geq 1$ and $y_{i}=s-f_{{\rm mk}_{p_{1}}}(X_{p_{1},k_{1}}.{\rm address})-\ldots-f_{{\rm mk}_{p_{t}}}(X_{p_{t},k_{t}}.{\rm address})({\rm mod}\ q)$ , and the counter $\alpha$ is incremented $\alpha:=\alpha+1$ .
•

$g_{s}(X_{p_{1},k_{1}}\land\ldots\land X_{p_{t},k_{t}}\land\phi_{1}\land\ldots\land\phi_{j})=(X_{p_{1},k_{1}}\land\ldots\land X_{p_{t},k_{t}}\land g_{s_{1}}(\phi_{1})\land\ldots\land g_{s_{j}}(\phi_{j}))$ , where $j\geq 1$ , $\phi_{i}=\lor(\cdot)$ with at least one operator, $s_{i}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q}$ for $i\in\{1,\ldots,j-1\}$ and $s_{j}:=s-f_{{\rm mk}_{p_{1}}}(X_{p_{1},k_{1}}.{\rm address})-\ldots-f_{{\rm mk}_{p_{t}}}(X_{p_{t},k_{t}}.{\rm address})-s_{1}-\ldots-s_{j-1}\ ({\rm mod}~{}q)$ .
•

$g_{s}(X_{p_{1},k_{1}}\lor\ldots\lor X_{p_{t},k_{t}}\lor\phi_{1}\lor\ldots\lor\phi_{j})=(g_{s}(X_{p_{1},k_{1}})\lor\ldots\lor g_{s}(X_{p_{t},k_{t}})\lor g_{s}(\phi_{1})\lor g_{s}(\phi_{2})\lor\ldots\lor g_{s}(\phi_{j}))$ .

Let us clarify that the address of a variable is the number of the position of that variable in the formula $\phi$ (conventionally, we count from left to right).

Now we can describe our advanced SS scheme. To share a secret the dealer should follow these steps:

1.

Choose a secret $s\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q}$ .
2.

Choose a master key for each trustee in the union $\mathcal{P}$ uniformly at random from $\mathcal{K}$ (for each $p\in\mathcal{P}:{\rm mk}_{p}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K}$ ).
3.

Choose a monotone formula $\phi$ of size less or equal to $l^{\prime}$ , which represents an access structure.
4.

Evaluate $\phi^{\prime}=g_{s}(\phi)$ .
5.

Publish $\phi^{\prime}$ , so that the values $y_{i}$ are available for everyone.

To reconstruct a secret a party should follow these steps:

1.

Each trustee $p$ in the party has to evaluate their shares:
$s_{p,j}=f_{{\rm mk}_{p}}(X_{p,j}.{\rm address})$ .
2.

Using the corresponding shares and public values $y_{i}$ , a verified party can calculate the secret $s$ according to the way it is shared.

Definition 12

Given a set $\mathcal{P}$ and a monotone access structure $\mathcal{B}$ on $\mathcal{P}$ , an advanced SS scheme for $\mathcal{B}$ is a method of dividing a secret $s$ into shares $s_{p,j}$ such that the following statements hold true:

•

When $B\in\mathcal{B}$ , the secret $s$ can be reconstructed from the shares $\underset{p\in B}{\cup}\underset{j}{\cup}s_{p,j}$ and public values $y_{1},\ldots,y_{t}$ .
•

When $B\notin\mathcal{B}$ , the secret $s$ can be reconstructed only with a negligible probability from the shares $\underset{p\in B}{\cup}\underset{j}{\cup}s_{p,j}$ and public values $y_{1},\ldots,y_{t}$ .

4.3 Security proof

Here we introduce a notion of the security model that is used for our scheme, which is similar to the Selective-Id model [7, 8, 9].

Definition 13 (Selective-Id model for advanced SS scheme)

The following procedure is called Selective-Id model for advanced SS scheme.

Init:: The adversary chooses an access structure $\mathcal{B}$ with a corresponding formula $\phi$ and gives it to the challenger.
Phase 1:: The adversary declares the set of trustees $\gamma$ , which does not satisfy the formula $\phi$ and obtains master keys of trustees from $\gamma$ from the challenger.
Challenge:: The adversary submits two secrets $s_{0}$ and $s_{1}$ . The challenger flips a fair coin $b$ and shares the secret $s_{b}$ .
Phase 2:: The challenger gives to the adversary $\phi^{\prime}=g_{s_{b}}(\phi)$ and corresponding values $y_{1},\ldots,y_{j}$ .
Guess:: The adversary outputs a guess $b^{\prime}$ of $b$ .

The advantage of an adversary in this game is defined as $|\Pr[b^{\prime}=b]-\frac{1}{2}|$ .

Theorem 4.1

Consider the advanced SS scheme for a set of parties $\mathcal{P}$ based on PRF family $\mathbb{F}_{q}=\{f_{k}:\mathbb{Z}_{q}\rightarrow\mathbb{Z}_{q}\}_{k\in\mathcal{K}}$ with $|\mathcal{K}|=q$ . The advantage $\varepsilon^{\prime}$ in the Selective-Id model of any classical adversary $\mathcal{A}$ that runs in time $\xi^{\prime}$ satisfies the inequality $\varepsilon^{\prime}\leq{\rm InSec^{PRF}}(\mathbb{F}_{q},\xi)\cdot|\mathcal{P}|$ , where $\xi^{\prime}\approx\xi$ assuming that time needed for sampling no more than $|\mathcal{P}|+l^{\prime}$ random variables is negligible, where $l^{\prime}$ is the maximum size of the formula which can be efficiently processed by the advanced SS scheme.

Proof

First of all, one can easily notice that the reconstruction of the secret happens the same way as in the standard SS scheme. We also note that if $B\notin\mathcal{B}$ (i.e. $B$ does not satisfy the formula $\phi$ ), then $B\cup(\underset{i}{\cup}Y_{i})$ does not satisfy the access structure defined by $\phi^{\prime}=g_{s}(\phi)$ as $X_{p,j}\land 1=X_{p,j}$ .

Consider, a modification of the advanced SS scheme (modified advanced SS scheme), where PRF family $\mathbb{F}_{q}$ is replaced with a set of random oracles. One can see that this scheme is exactly the standard SS scheme based on formula $\phi^{\prime}=g_{s}(\phi)$ . So there is no chance for an adversary to compute the secret, which possesses the shares from $B\notin\mathcal{B}$ .

Now suppose that there exists a probabilistic polynomial time adversary ${\mathcal{A}}$ , which has an advantage $\varepsilon^{\prime}$ in Selective-Id model for advanced SS scheme. Without loss of generality, we assume that it’s probability of guessing a correct value is $\Pr[b^{\prime}=b]=1/2+\varepsilon^{\prime}$ . Then we show that it is possible to distinguish the PRF family $\mathbb{F}_{q}$ from truly random function family with a probability at least $\varepsilon^{\prime}/|\mathcal{P}|$ . To show this we construct an oracle machine $\mathcal{M}^{{\mathcal{A}}}$ that has an advantage $\varepsilon^{\prime}$ in $|\mathcal{P}|$ -pseudorandom function family game (see Algorithm 1). Let us calculate the probabilities to obtain $v^{\prime}=0$ and $v^{\prime}=1$ ( $v^{\prime}$ is defined in Algorithm 1).

Input : Security parameter

n

, function family

\mathbb{F}_{q}

|\mathcal{P}|

-pseudorandom function family challenge

\Omega=\{\omega_{p_{1}},\ldots,\omega_{p_{N}}\}

, where

\{p_{1},\ldots,p_{N}\}=\mathcal{P}

Output : A guess

v^{\prime}

The adversary

\mathcal{A}

declares an access structure, a corresponding formula

\phi

, and a set of trustees

\gamma

, which does not satisfy the formula

\phi

\mathcal{A}

queries the master keys of trustees from

\gamma

Generate a master key uniformly at random for each trustee in

\gamma

and response to the adversary with those keys.

The adversary submits two secrets

s_{0}

and

s_{1}

Flip a fair coin

b

and share the secret

s_{b}

according to the advanced SS scheme, but instead of generating master keys for trustees in

\mathcal{P}\setminus\gamma

and calculating the shares with

f_{k}\in\mathbb{F}_{q}

, use an oracle

\omega_{p}

from

\Omega

for trustee

p\in\mathcal{P}\setminus\gamma

and calculate the shares as

s_{p.j}=\omega_{p}(X_{p.j}.{\rm address})

. We call this modification

g^{\prime}_{s}(\phi)

Give to the adversary

\phi^{\prime}=g^{\prime}_{s_{b}}(\phi)

and corresponding values

y_{1},\ldots,y_{j}

The adversary outputs a guess

b^{\prime}

b

if $b^{\prime}=b$ then

return

v^{\prime}=1

else

return

v^{\prime}=0

Algorithm 1

\mathcal{M}^{{\mathcal{A}}}

Suppose that the challenge $\Omega$ is initialised with functions from the family $\mathbb{F}_{q}$ . In this case, the situation for the adversary is completely the same as in the case of the (non-modified) advanced SS scheme. Therefore, the adversary correctly guesses the value $b^{\prime}$ with an advantage $\varepsilon^{\prime}$ or what is the same with probability $\frac{1}{2}+\varepsilon^{\prime}$ .

If the challenge $\Omega$ is initialized with functions from the family $H_{q}$ , then the shares of the trustees from $\mathcal{P}\setminus\gamma$ are chosen uniformly at random. And the situation is the same as in the standard SS scheme. Since $\gamma$ does not satisfy the formula, it is required to obtain at least one more share to get the secret, but all the remaining shares are chosen uniformly at random. Therefore, according to the Theorem 3.1 the adversary has no information about the secret in this situation. Thus, in this case the adversary can only randomly guess the value $b$ , so $b^{\prime}$ is correctly guessed with a probability $\frac{1}{2}$ .

Let $v=0$ corresponds to the challenge $\Omega$ initialized with functions from the family $H_{q}$ and $v=1$ to the challenge $\Omega$ initialized with functions from the pseudorandom function family. Then the overall advantage in the $|\mathcal{P}|$ -pseudorandom game is $|\Pr[v^{\prime}=1|v=0]-\Pr[v^{\prime}=1|v=1]|=|\frac{1}{2}-(\frac{1}{2}+\varepsilon^{\prime})|=\varepsilon^{\prime}$ .

By the hybrid argument [13] we can distinguish a pseudorandom function family with probability $\varepsilon^{\prime}/(|\mathcal{P}|)$ . In order to apply the hybrid argument consider two distributions,

D_{1}=\{D_{1.i}=f_{k}:k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K},\ 1\leq i\leq|\mathcal{P}|,f_{k}\in\mathbb{F}_{q}\},

(8)

and

D_{2}=\{D_{2.i}=h\stackrel{{\scriptstyle\$}}{{\leftarrow}}H_{q}:1\leq i\leq|\mathcal{P}|\}.

(9)

Define a sequence of hybrid distributions $D_{1}=T_{0},\ T_{1},\ldots,\ T_{|\mathcal{P}|}=D_{2}$ , where $T_{i}=\{T_{i.j}=h\stackrel{{\scriptstyle\$}}{{\leftarrow}}H_{q}:1\leq j\leq i\}\cup\{T_{i.j}=f_{k}:k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K},\ i<j\leq|\mathcal{P}|,f_{k}\in\mathbb{F}_{q}\}.$ So we have ${\rm Adv}_{D_{1},D_{2}}(\mathcal{M}^{{\mathcal{A}}})=\varepsilon^{\prime}$ . Let us remind that

{\rm Adv}_{T_{i},T_{i+1}}(\mathcal{M}^{{\mathcal{A}}})=|\Pr[x\stackrel{{\scriptstyle\$}}{{\leftarrow}}T_{i}:\mathcal{M}^{{\mathcal{A}}}(x)=1]-\\ -\Pr[x\stackrel{{\scriptstyle\$}}{{\leftarrow}}T_{i+1}:\mathcal{M}^{{\mathcal{A}}}(x)=1]|

(10)

By the triangle inequality, it is clear that

{\rm Adv}_{D_{1},D_{2}}(\mathcal{M}^{{\mathcal{A}}})\leq\sum_{i=0}^{|\mathcal{P}|-1}{\rm Adv}_{T_{i},T_{i+1}}(\mathcal{M}^{{\mathcal{A}}})

Thus, there exists some $\eta$ , such that $0\leq\eta<|\mathcal{P}|$ and

{\rm Adv}_{T_{\eta},T_{\eta+1}}(\mathcal{M}^{{\mathcal{A}}})\geq{\rm Adv}_{D_{1},D_{2}}(\mathcal{M}^{{\mathcal{A}}})/|\mathcal{P}|=\varepsilon^{\prime}/|\mathcal{P}|.

(11)

Suppose that we have a sample $\omega\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{F}_{q}$ or $\omega\stackrel{{\scriptstyle\$}}{{\leftarrow}}H_{q}$ . Let us construct a distribution $T^{\prime}=\{T_{i}\stackrel{{\scriptstyle\$}}{{\leftarrow}}H_{q}:1\leq i\leq\eta\}\cup\{T_{\eta+1}=\omega\}\cup\{T_{i}\leftarrow f_{k}:k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K},\ \eta+1<i\leq|\mathcal{P}|,f_{k}\in\mathbb{F}_{q}\}$ . If $\omega\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{F}_{q}$ then $T^{\prime}$ is distributed the same as $T_{\eta}$ , otherwise it is distributed as $T_{\eta+1}$ . Thus, we can distinguish samples from $\mathbb{F}_{q}$ and $H_{q}$ with probability $\varepsilon^{\prime}/|\mathcal{P}|$ .

Finally, we obtain: $\varepsilon^{\prime}\leq{\rm InSec^{PRF}}(\mathbb{F}_{q},\xi)\cdot|\mathcal{P}|$ , where $\xi$ is a total time of running $\mathcal{M^{A}}$ plus initialization of an appropriate hybrid. Neglegting the time needed for preparing data for $\mathcal{A}$ and the hybrid $T^{\prime}$ we obtain $\xi\approx\xi^{\prime}$ .

5 Advanced ABE Scheme

5.1 Formal Construction

Consider a group of users, where each user posses a list of attributes. Let $\mathcal{P}$ be a set of all existing attributes. Let us call a community a subgroup of users, who possess a particular attribute $p\in\mathcal{P}$ . In what follows, we refer to the community $p$ as a subgroup of users that possess an attribute $p$ . We note that a user can belong to several communities if he has more than one attribute.

Let $n\in\mathbb{N}$ be a security parameter, $G$ be a multiplicative group of a prime order $q$ , where $2^{n}<q<2^{n+1}$ in which DDH assumption is considered to be true, $g$ is a generator of that group, $H_{q}$ is a family of all functions $\mathbb{Z}_{q}\rightarrow\mathbb{Z}_{q}$ , and $\mathbb{F}_{q}=\{f_{k}:\mathbb{Z}_{q}\rightarrow\mathbb{Z}_{q}\}_{k\in G}$ is a PRF family. We construct the advanced ABE scheme based on the advanced SS scheme in the following form.

Setup:: Each community $p$ in the universe $\mathcal{P}$ generates their secret key ${\rm sk}_{p}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q}$ and a correspong public key ${\rm pk}=g^{{\rm sk}_{p}}$ . Then the public key is shared among the whole group of users. So that the set of public keys $PK=\{{\rm pk}_{p}=g^{{\rm sk}_{p}}:p\in\mathcal{P}\}$ is assumed to be known to every user in the group.
Encryption $(M,PK,\phi,\mathbb{F}_{q})$ :: To encrypt a message $M\in\mathbb{Z}_{q}$ under public keys $PK$ and formula $\phi$ , which represents some monotone access structure, one generates $s\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q},e\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q}$ and computes the ciphertext in the following form $E=\{E^{\prime}=M+s({\rm mod}\ q),g^{e},\phi^{\prime}=g_{s}(\phi),y_{1},\ldots,y_{t}\}$ , where $g_{s}(\cdot),y_{1},\ldots,y_{t}$ come from the advanced SS scheme based on PRF family $\mathbb{F}_{q}$ and the corresponding master keys are calculated as ${\rm mk}_{p}=g^{{\rm sk}_{p}\cdot e}$ .
Decryption $(E,SK,Attr,\mathbb{F}_{q})$ :: , where $SK$ is a set of all secret keys known to a concrete user and $Attr$ is a set of attributes he posseses. For each ${\rm sk}_{p}\in SK$ , a user calculates the master key ${\rm mk}_{p}=(g^{e})^{{\rm sk}_{p}}$ . Then if $Attr$ satisfies the access structure, then the secret $s$ can be reconstructed using $MK=\{{\rm mk}_{p}\}$ , $\phi^{\prime}$ and $y_{1},\ldots,y_{t}$ . The message is obtained from $E^{\prime}$ as $M=E^{\prime}-s({\rm mod}\ q)$ .

5.2 Security proof

In order to provide a formal security analysis of the advanced ABE scheme, we introduce the following definition.

Definition 14 (Attribute-based Selective-Set model)

The following
procedure is called attribute-based Selective-Set model:

Init:: The adversary chooses an access structure and a corresponding formula $\phi$ and sends $\phi$ to the challenger.
Phase 1:: The adversary declares the set of communities $\gamma$ , which does not satisfy the formula $\phi$ and obtains secret keys of communities from $\gamma$ from the challenger.
Challenge:: The adversary submits two secrets $s_{0}$ and $s_{1}$ . The challenger flips a fair coin $b$ and encrypts $m\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q}$ : $E^{\prime}=m+s_{b}({\rm mod}\ q)$ .
Phase 2:: The challenger gives to the adversary public keys of all communities and $E$ , which is a ciphertext of $m$ generated according to the advanced ABE scheme.
Guess:: The adversary outputs a guess $b^{\prime}$ of $b$ .

The advantage of an adversary in this game is defined as $|\Pr[b^{\prime}=b]-\frac{1}{2}|$ .

Below we prove that the security of our scheme in the attribute-based Selective-Set model reduces to the hardness of the DDH challenge and pseudorandomness of the function family.

Theorem 5.1

Consider the advanced ABE scheme based on an PRF family $\mathbb{F}_{q}$ and set of communities $\mathcal{P}$ . The advantage $\varepsilon^{\prime}$ in the the Attribute-based Selective-Set model game of any classical adversary $\mathcal{A}$ that runs in time $\xi^{\prime}$ satisfies the following inequality: $\varepsilon^{\prime}\leq{\rm InSec^{DDH}}(G,\xi)\cdot|\mathcal{P}|+\rm{InSec^{PRF}}(\mathbb{F}_{q},\tilde{\xi})\cdot|\mathcal{P}|$ . With $\xi\approx\xi^{\prime}\approx\tilde{\xi}$ assuming that time required for sampling no more than $3|\mathcal{P}|+l^{\prime}$ random variables is negligible, where $l^{\prime}$ is the maximum size of the formula which can be efficiently processed by the advanced ABE scheme.

Proof

First, suppose that the master keys are replaced with uniformly random keys. In this case, let us denote the advantage in breaking the modified advanced ABE protocol in the attribute-based Selective-Set model as $\widetilde{\varepsilon}$ . If $(\varepsilon^{\prime}-\widetilde{\varepsilon})$ is not negligible, then we can construct a machine that breaks $|\mathcal{P}|$ -DDH challenge with an advantage of at least $(\varepsilon^{\prime}-\widetilde{\varepsilon})$ .

We assume that $\widetilde{\varepsilon}<\varepsilon^{\prime}$ , since we limit the value of $\widetilde{\varepsilon}$ by the pseudoradnomnes property and if $\varepsilon^{\prime}$ is less than $\widetilde{\varepsilon}$ then we can limit them both.

Let us denote a $|\mathcal{P}|$ -DDH challenge $\Omega=\{w_{p_{1}},\ldots,w_{p_{N}}\}$ , where $N=|\mathcal{P}|$ , $\{p_{1},\ldots,p_{N}\}=\mathcal{P}$ and $w_{p_{i}}$ is a tuple either $(g^{a},g^{b_{i}},g^{a\cdot b_{i}})$ or $(g^{a},g^{b_{i}},g^{z_{i}})$ . We use $w_{i.j}$ to denote the $j^{\rm th}$ element of the tuple. To prove the theorem, consider the following algorithm.

Input : Security parameter

n

|\mathcal{P}|

-DDH challenge

\Omega

Output : A guess

v^{\prime}

The adversary

\mathcal{A}

chooses an access structure and a corresponding formula

\phi

and sends it to the challenger.

\mathcal{A}

declares the set of communities

\gamma

, which does not satisfy the formula

\phi

, whose secret keys he wishes to get and queries them.

Generate a secret key for each community in

\gamma

and response to the adversary with those keys.

The adversary submits two secrets

s_{0}

and

s_{1}

Flip a fair coin

b

and encrypt a message

m\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathbb{Z}_{q}

according to the advanced ABE scheme with

s=s_{b}

, but instead of secret keys for communities in

\mathcal{P}\setminus\gamma

use sample

\omega_{p}

from

\Omega

for community

p\in\mathcal{P}\setminus\gamma

. Take

\omega_{p.2}

as his public key and

\omega_{p.3}

as his master key. We call this modification

g^{\prime}_{s}(F)

Give to the adversary

E=\{E^{\prime}=m+s({\rm mod}\ q),\omega_{1,1},\phi^{\prime}=g^{\prime}_{s}(\phi),y_{1},\ldots,y_{j}\}

The adversary outputs a guess

b^{\prime}

b

if $b^{\prime}=b$ then

return

v^{\prime}=1

else

return

v^{\prime}=0

Algorithm 2

\mathcal{M}^{{\mathcal{A}}}

If $\omega_{p.3}$ is sampled uniformly at random ( $v=0$ ), then the master keys are chosen uniformly at random. Hence the adversary has no information about the master keys he did not query. Remind that we denote the advantage of the adversary in this situation as $\widetilde{\varepsilon}$ . Otherwise $(v=1)$ the situation is the same as in the original ABE protocol. Thus, we have the overall advantage in the $|\mathcal{P}|$ -DDH game as follows:

{\rm InSec^{|\mathcal{P}|-DDH}}(G,\xi_{\mathcal{P}})\geq|\Pr[v^{\prime}=1|v=0]-\Pr[v^{\prime}=1|v=1]|=\\ =|(\frac{1}{2}+\widetilde{\varepsilon})-(\frac{1}{2}+\varepsilon^{\prime})|=\varepsilon^{\prime}-\widetilde{\varepsilon},

(12)

where $\xi_{\mathcal{P}}$ is a running time of Algorithm 2. Neglegting the time for preparing data for $\mathcal{A}$ we obtain $\xi_{\mathcal{P}}\approx\xi^{\prime}$ .

In analogy to the proof of Theorem 4.1, one can see that due to the hybrid argument

{\rm InSec^{DDH}}(G,\xi)\geq(\varepsilon^{\prime}-\widetilde{\varepsilon})/|\mathcal{P}|,

where $\xi\approx\xi_{\mathcal{P}}$ neglegting the time, needed to prepare an appropriate hybrid.

Finally, we limit the value of $\widetilde{\varepsilon}$ . Due to the fact the master keys are chosen uniformly at random, the security of such a scheme reduces to the security of the advanced SS scheme straightforwardly. Therefore, according to Theorem 4.1: $\widetilde{\varepsilon}\leq\rm{InSec^{PRF}(\mathbb{F}_{q},\tilde{\xi})}\cdot|\mathcal{P}|$ , with $\tilde{\xi}\approx\xi_{\mathcal{P}}$ .

Thus, we arrive to the final result:

\varepsilon^{\prime}\leq{\rm InSec^{DDH}}(G,\xi)\cdot|\mathcal{P}|+\rm{InSec^{PRF}(\mathbb{F}_{q},\tilde{\xi})}\cdot|\mathcal{P}|,

with $\xi^{\prime}\approx\xi\approx\tilde{\xi}$ .

6 Efficiency estimation for advanced ABE scheme

Here we analyze the efficiency of the proposed advanced ABE scheme in terms of sizes of ciphertext, public parameters, and private key, and the computation time for decryption and encryption.

Consider a ciphertext $E=\{E^{\prime}=m+s({\rm mod}\ q),g^{e},\phi^{\prime}=g_{s}(\phi),y_{1},\ldots,y_{j}\}$ and a plaintext $PT=\{m,\phi\}$ . We note that it is required to publish the rules of the access structure, hence we assume that the plaintext is accomplished by the formula $\phi$ . One can see that $\phi^{\prime}$ is no more than twice bigger than $\phi$ . This is due to the fact that the number of additional Boolean variables corresponded to fictitious trustees (communities) can not exceed the number of Boolean variables corresponded to the actual trustees (communities). We then note that $\phi$ and $\phi^{\prime}$ make a major contribution into the size of $PT$ and $E$ . Hence, the overhead of the ciphertext compared to plaintext is of the size linear in the size of the formula $\phi$ .

The public parameters of the system are of size linear in the number of existing attributes. The private key of the community consists of a single value from $\mathbb{Z}_{q}$ .

The encryption procedure generates two random values, performs one addition in $\mathbb{Z}_{q}$ and one exponentiation in the group $G$ , $l$ calls to functions from $\mathbb{F}_{q}$ , where $l$ denotes the size of the formula $\phi$ . The modification of the formula $\phi$ into $\phi^{\prime}$ is performed in the linear time with the usage of syntax tree.

Thus, the amount of the communities in the scheme is $|\mathcal{P}|$ . The decryption procedure needs to perform at most $|\mathcal{P}|$ exponentiations, $l^{\prime}$ sums and pseudorandom function calls, where $l^{\prime}$ is the size of formula $\phi^{\prime}$ . Finally, one subtraction is required.

7 Conclusion

Here we summarize the main results of our work. First, we have presented the modification of the SS scheme, which allows a user to store only one value to calculate the corresponding shares. Based on this modification, we have proposed the advanced ABE protocol. We have provided the security and efficiency analysis of the proposed scheme.

One of the most significant impacts of this paper is rejection of bilinear mappings, which evidently increases the efficiency of the proposed scheme and allows to dinamicaly add new attributes.

One can see that the proposed ABE scheme is not collusion resistant as well as some other ABE schemes (e.g. see [14]). We note, that all known collusion resistant schemes are based on using of trusted centers which are absent in our scheme.

There are several ways to improve the proposed scheme. The first one is based on adding new logical elements, e.g. threshold, so that the formula $\phi$ can be constructed more efficiently. The second question is related to modification of this protocol with respect to the use of other key exchange schemes.

Acknowledgments

This work is supported by Russian Foundation for Basic Research (18-37-20033). A.A.C. is supported by Russian Science Foundation (17-11-01377).

References

[1] Goyal, V., Pandey, O., Sahai, A., Waters B.R.: Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 89-98 (2006)
[2] Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pp. 213–229 (2001)
[3] Boneh, D., Gentry, C., Waters, B.: Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In: Advances in Cryptology - CRYPTO, Lecture Notes in Computer Science 3621, pp. 258-275 (2005)
[4] Sahai, A., Waters, B.: Fuzzy Identity-Based Encryption. In: Advances in Cryptology – EUROCRYPT 2005, pp. 457-473 (2005)
[5] Abdalla, M., Catalano, D., Dent, A.W., Malone-Lee, J., Neven, G., Smart, N.P.: Identity-based encryption gone wild. In: Bugliesi M., Preneel B., Sassone V., Wegener I, (eds) ICALP (2), Lecture Notes in Computer Science 4052, pp. 300-311 (2006)
[6] Benaloh, J., Leichter J.: Generalized secret sharing and monotone functions. In: Goldwasser S. (ed.) Advances in Cryptology – CRYPTO ’88, Lecture Notes in Computer Science 403, pp. 27–35 (1990)
[7] Canetti, R., Halevi, S., Katz, J.: A Forward-Secure Public-Key Encryption Scheme. In: Advances in Cryptology – Eurocrypt, Lecture Notes in Computer Science 2656, pp. 255-271 (2003)
[8] Canetti, R., Halevi, S., Katz J.: Chosen Ciphertext Security from Identity Based Encryption. In: Advances in Cryptology – Eurocrypt, Lecture Notes in Computer Science 3027, pp. 207–222 (2004).
[9] Boneh, D., Boyen X.: Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In: Cachin C., Camenisch J.L. (eds) Advances in Cryptology - EUROCRYPT 2004. EUROCRYPT 2004. Lecture Notes in Computer Science, 3027. Springer, Berlin, Heidelberg, pp. 223-238 (2004)
[10] Boneh, D.: The decision Diffie–Hellman problem. In: Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science 1423, ed. J.P. Buhler. Springer-Verlag, Berlin, pp. 48–63 (1998)
[11] Cramer, R., Damgård, I., Kiltz, E., Zakarias, S., Zottarel, A.: DDH-like Assumptions Based on Extension Rings. In: Public Key Cryptography – PKC 2012, Lecture Notes in Computer Science 7293, pp. 644-661 (2012)
[12] Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM conference on Computer and Communications Security (ACM CCS), pp. 62-73 (1993)
[13] Goldreich, O. Foundations of Cryptography: Cambridge University Press, Cambridge (2001).
[14] Kapadia, Apu and Tsang, Patrick and Smith, Sean: Attribute-Based Publishing with Hidden Credentials and Hidden Policies. (2007)

Advanced attribute-based protocol based on the modified secret sharing scheme

Abstract

Abstract

Keywords:

Keywords:

1 Introduction

2 Preliminaries

Definition 1 (pseudorandom function (PRF) family)

Definition 2 (mm-PRF family game)

Definition 3 (Decisional Diffie–Hellman (DDH) challenge [10, 11])

Definition 4 (mm-DDH challenge)

Definition 5

Definition 6

Definition 7

Definition 8

Definition 9

Definition 10 (Random oracle [12])

3 Standard construction of the general SS scheme

Definition 11 (Secure generalized SS scheme)

Theorem 3.1

Theorem 3.2

4 Advanced SS scheme

4.1 General idea

4.2 Formal Construction

Definition 12

4.3 Security proof

Definition 13 (Selective-Id model for advanced SS scheme)

Theorem 4.1

Proof

5 Advanced ABE Scheme

5.1 Formal Construction

5.2 Security proof

Definition 14 (Attribute-based Selective-Set model)

Theorem 5.1

Proof

6 Efficiency estimation for advanced ABE scheme

7 Conclusion

Acknowledgments

References

Definition 2 ( $m$ -PRF family game)

Definition 4 ( $m$ -DDH challenge)