1.1 Our contribution

Scheme [25] only considered trace malicious users, and scheme [29] can support attribute-level user revocation. Inspired by [25] and [29], we provide a traceable ciphertext-policy attribute-based encryption scheme with attribute-level user revocation for cloud storage (TUR-CPABE). Our main contributions are as follows.

1. In this paper, we formally propose the definition of a traceable ciphertext-policy attribute-based encryption scheme with attribute-level user revocation for cloud storage. In our scheme, we adopt linear secret sharing schemes (LSSS) as an access structure. This provides attribute-level user revocation for malicious user and fine-grained access control for ABE. In our scheme, the trust authority can trace defectors and send the identity of a defector to the attribute manager. The attribute manager is responsible for revoking the defector’s attributes and updating the related decryption key and ciphertext. A user in the system could decrypt ciphertext successfully if and only if his/her identity was absent from the revocation list and his/her attributes can satisfy the access policy.
2. In the scheme, we distribute the identity of each user on a leaf node in the KEK tree. We can revoke a user by revoking his/her attributes. When the attribute manager revokes a malicious user’s attribute i, it will update i’s users group G_i and the corresponding group key GSK, re-encrypted ciphertext CT′ and the header of the message Hdr. Thus, our scheme can resist collusion attacks between users.
3. In the proposed scheme, outsourcing encryption, decryption and attribute revocation are used to reduce the computational burden of data owners, users and trust authority, respectively. Moreover, the experimental results show that the time spent in the decryption phase is constant.
4. The scheme is proven to be secure against a chosen plaintext attack under decisional q – BDHE assumption in the standard model.

1.2 Related work

Sahai and Waters first presented the concept of ABE [1], and then, the ideas of KP-ABE and CP-ABE were formally proposed by Goyal et al.in [3]. After that, many cryptography researchers focused on KP-ABE and CP-ABE schemes [30–34].

In 2007, Abdalla et al. [35] proposed a traitor trace identity-based encryption scheme, and that was the original work on traitor tracing. In 2011, Wang et al. [36] presented another traitor tracing ABE scheme that can recognize a user’s identity. This scheme could employ the technique of betrayer tracing and combine with a security coding technique to ensure the identity of the key abuser. Subsequently, Ning [37] proposed a traceable CP-ABE scheme; this scheme can catch malicious users effectively. A commitment scheme is used to trace defectors, but the method does not support the malicious user revocation.

To expand the commercial applications of ABE systems and combine them with user revocation mechanisms, Liu [38] presented a white-box traceable dynamic ABE scheme. The scheme can support user revocation and outsourcing decryption. However, it can neither resist collusion attacks between users nor support key and ciphertext updates. Jiang [39] proposed a traceable CP-ABE scheme that can resist key abuse. A betrayer who wants to leak a decryption key must abandon the whole key and give an exclusive dummy attribute set. Yang [40] presented a traceable scheme supporting search encryption and user revocation; it can perform efficient keyword search and provides fine-grained access control for encrypted data. At the same time, a large proportion of cryptographic computing is being outsourced to the cloud server, and this alleviates the computational burden on end-user devices. Zhang et al. [41] used a composite order bilinear group to construct an effective white-box traceable CP-ABE scheme with a large universe and multiple authorities. Although this scheme can be used to trace malicious users and resist collusion attacks between users, it cannot support malicious user revocation.

1.3 Organization

The remainder of our paper is summarized as follows. We provide some necessary background knowledge that will be applied to our scheme in Section 2. We describe the system model and security model of our scheme in Section 3. We present a TUR-CPABE scheme and the proof of its security based on security games in Section 4 and 5, respectively. In Section 6, we provide a theoretical performance analysis of our scheme. Finally, we conclude the paper in Section 7.

2.1 Bilinear maps

Let and be two multiplication cyclic groups of prime order p, and g be a generator of . A map is a bilinear map [42] with the following properties:

1. Bilinearity: and , we have e(u^a,v^b) = e(u,v)^ab;
2. Nondegeneracy: e(g,g) ≠ 1;
3. Computability: There is an efficient polynomial time algorithm to compute the value of e(u,v) for all .

2.2 Access structure

Definition 1 (Access structure [43]). Let P = {P₁,P₂,⋯,P_n} be a set of parties. A collection is called monotone for ∀B,C: if and B ⊆ C then . An (monotone) access structure is a (monotone) collection of non-empty subsets of P, i.e.,. The sets in are called the authorized sets, or else the sets are called the unauthorized sets. In this paper, we only consider the monotone access structure.

2.3 Linear secret sharing scheme

Definition 2 (linear secret sharing scheme (LSSS) [43]). A LSSS over a group of parties P can be defined as follows:

1. The shares for each party from a vector over .
2. For a LSSS, there is a matrix M with l rows and n columns referred to as the share generating matrix. For i ∈ [1,l], we define a function ρ that labels the i-th row of matrix M as attribute ρ(i). We consider a column vector v = (s,v₂,v₃,…,v_n), where is a secret value to be shared and we choose random . Then Mv is the vector of l shares of the secret s, and the share (Mv)_i belongs to attribute ρ(i).

Each LSSS in the above definition also enjoys the linear reconstruction property, defined as follows: Let be an access structure for the LSSS and be any authorized sets, and let I ⊆ {1,2,…,l} be defined as I = {i: ρ(i) ∈ S}. There exists a set of constants {ω_i|i ∈ I} such that ∑_i∈Iω_iM_i = (1,0,…,0). Thus ∑_i∈Iω_iλ_i = s if λ_i = M_i ⋅ v is a valid share of any secret s.

2.4 Binary tree

Definition 3 (Binary tree [44]). We denote be a group of users in the system, a user and be users group for attribute x. We describe the binary tree below:

1. We assign a user u_k for every leaf node and allocate a unique value v_j for every node in the tree.
2. We define path(i) as a Dijkstra from the root node to the node i.
3. The minimal covering set node(G_x) is the minimal set of nodes, and it is able to cover all of the leaf nodes that have users connected in G_x.
4. To consider the intersection of path(u_k) and node(G_x), we have β_x = node(G_x) ∩ path(u_k). As shown in Fig 1, we give an example: suppose that the users group for attribute x is G_x = {u₁,u₃,u₄,u₅,u₆,u₈} and u₈ is a user connected with leaf node 14, then compute node(G_x) = {v₇,v₄,v₅,v₁₄}, path(u₈) ={v₀,v₂,v₆,v₁₄}, we have β_x = {v₁₄}.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. Binary tree.

https://doi.org/10.1371/journal.pone.0203225.g001

2.5 Complexity assumptions

Now we briefly introduce the l-Strong Diffie-Hellman (l − SDH) assumption and the q- Bilinear Diffie-Hellman exponent (q − BDHE) assumption.

Assumption 1 (l − SDH assumption [24]). Let be a bilinear group of prime order p and let g be a generator of . A l − SDH problem can be described as follows: Randomly choose exponent and given a l + 1-tuple , output a pair . Algorithm can solve the l − SDH problem with the advantage ε if

Definition 4. We say that the l − SDH assumption holds if no polynomial time algorithm can solve the l − SDH problem with a non-negligible advantage.

Assumption 2 (q − BDHE assumption [4]). Let be a bilinear group of prime order p and g be a generator of . A decisional q − BDHE problem can be described as follows: Randomly choose exponent , given

It is difficult for the algorithm to distinguish from the random element . Algorithm can solve the q − BDHE problem with the advantage ε if

Definition 5. We say that the q − BDHE assumption holds if no polynomial time algorithm has a non-negligible advantage in solving the q − BDHE problem.

3.1 System architecture

As shown in Fig 2, the system architecture of the TUR-CPABE scheme has the following six entities.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. System architecture of TUR-CPABE.

https://doi.org/10.1371/journal.pone.0203225.g002

Trust authority (TA): TA can produce the public parameters and the master key, and it is in charge of distributing private keys to users in the system. In our scheme, the TA is fully trusted.

Attribute manager (AM): The AM has users groups for every attribute, and it generates the manager public key, the manager master key and the group key for the users in each group. In addition, AM is responsible for re-encrypting local ciphertext, updating the key, updating the ciphertext and obtaining an attribute revocation list.

Data owner (DO): The DO takes charge of defining the access policy, encrypting data under the access policy and uploading the local ciphertext to the attribute manager.

Data user (DU): This is an entity who wants to access outsourced data. A user in the system can decrypt the ciphertexts successfully if and only if his/her identity is absent from the revocation list and his/her attributes can satisfy the access policy.

Cloud server provider (CSP): We suppose that a CSP is honest but curious. In other words, it can execute every authorization request honestly but it obtains as much information as possible in the process and from the result.

Outsourcing decryption server provider (ODSP): The server can provide outsourcing decryption service for the user to generate a partially decrypted ciphertext.

3.2 Formal definition

A TUR-CPABE involves eight algorithms: system setup, manager setup, key generation, encryption, decryption, key sanity check, trace and update.

System setup (λ,U)→(PP,MSK): TA runs this algorithm. The algorithm inputs the security parameter λ as well as the attributes universe U in the system, and it outputs the public parameters PP and the master key MSK.

Manager setup (PP)→(MPK,MMK): AM runs this algorithm. The algorithm inputs the public parameters PP, and it outputs the manager public key MPK and the manager master key MMK.

Key generation (PP,MSK,MPK,MMK,S,id)→SK: In this algorithm, a decryption key SK consists of the user private key USK produced by the TA and the group key GSK generated by the AM. The algorithm inputs the public parameters PP, the master key MSK, the manager public key MPK, the manager master key MMK, a user’s identity id as well as an attributes set S, then it outputs the user private key USK and the group key GSK.

Encryption (PP,MPK,m(M,ρ))→(Hdr,CT′): The algorithm inputs the public parameters PP, the manager public key MPK, a message m and an access policy (M,ρ), then it outputs the re-encrypted ciphertext CT′ and the header of message Hdr. This algorithm is performed by the AM and the DO.

Decryption (PP,CT′,Hdr,SK)→m: This algorithm is carried out by the DU and the ODSP. The algorithm inputs the public parameters PP, the re-encrypted ciphertext CT′, the header of the message Hdr and the decryption key SK. The algorithm outputs plaintext m if and only if the user’s identity is absent from the revocation list and his/her attributes can satisfy the access policy.

Key sanity check (PP,SK)→1 or 0: TA performs this algorithm. If a user’s decryption key SK is suspected, then it must be determined whether it is a well-formed decryption key by means of the key sanity check. If SK cannot pass the key sanity check, it outputs 0. Otherwise, it outputs 1.

Trace (PP,SK)→ id or ⊥: TA runs this algorithm. If a user’s decryption key SK is a well-formed decryption key, then TA sends his/her identity id to the AM. Finally, the AM revokes the attribute for the malicious user.

Update : AM can perform attribute revocation for the malicious user, add the malicious user’s id and revoke the attribute into the revocation list to get a new revocation list RL′. Finally, the AM inputs the group key GSK, the re-encrypted ciphertext CT′ and the header of message Hdr to obtain the updated , and .

3.3 Security model

In this section, we propose the security model for our TUR-CPABE system.

5.1 Traceability

Theorem 1. Suppose that q < l, our TUR-CPABE system is traceable if l − SDH assumption holds. Where q is the number of key queries that the attacker makes.

Proof: Suppose there is a probabilistic polynomial time (PPT) adversary capable of winning this traceability game with advantage ε, w.l.o.g., suppose l = q + 1, we can establish a PPT algorithm to break the l − SDH hardness problem with a non-negligible advantage.

Let and be two multiplication cyclic groups of prime order p, let g be a generator of and let function be a bilinear map. The algorithm receives a l − SDH challenge problem , where , and the goal of is to output a tuple . Let . To solve the l − SDH problem, algorithm can imitate a challenger’s role for adversary . The specific processes are stated below:

Setup: Algorithm selects q different values randomly. Let , where are the coefficient of polynomial f(y). Then performs the following algorithm:

1. Let and .
2. randomly picks . For each attribute x ∈ U, chooses a random number and establishes . Finally, publishes the public parameters as .
3. For each x ∈ U, randomly chooses and computes , then publishes the manager public key as MPK = {W_x|1≤x≤|U|}.
4. Set up a binary KEK tree and assign a user u for every leaf node, and the user’s identity is id. Every node possesses an exclusive value v_j as well as an exclusive sequence number sequence(v_j) in the binary KEK tree.

Key query: Adversary submits a set of attributes (id_i,S_i) to and requests the corresponding decryption keys. When it goes on the i-th query, we suppose i ≤ q, let polynomial , we can write f_i(y) as . computes and randomly selects , computes DSK_i related to (id_i,S_i) as follows: First, computes

Then sets the transformation key TK_i as and builds the user private key as USK_i = (K₁ =z,TK_i). Finally, computes .

To define a function node(G_x) for attribute x’s users group G_x, where x ∈ S_i. For every user , defines a function path(u_i) and performs an intersection operation β_x = node(G_x) ∩ path(u_i). If β_x = ϕ, sets GSK_i = {x,kek_x}. Otherwise, computes , where v_j ∈ β_x. Then, sets the group key as GSK_i = {x,sequence(v_j),kek_x,KEK_x}.

Finally, returns the decryption key SK_i = {DSK_i,GSK_i} to .

Key forgery: Adversary submits a forged decryption key SK* to . Here the distribution of the decryption key SK and the public parameters PP in the above game are the same as in the real system.

Let denote the event that wins the game, i.e., SK* can pass the key sanity check and K₁′ ∉ {c₁,c₂,…,c_q}. If the event does not happen, chooses a random tuple as a solution to the l − SDH hardness problem. If event takes place, writes the polynomial f as f(y) = γ(y)(y + K₁′) + γ − 1, where , . Note that γ − 1 ≠ 0, since , and K₁′ ∉ {c₁,c₂,…,c_q}, f(y) cannot be divisible by y + K₁′. computes the tuple as follows:

Suppose L₁ = g^r, where is unknown, and let K₁ =z, where . According to the equality e(L₂,g) = e(L₁,g^a) from the key sanity check, we have L₂ = g^ar. On the basis of the equality , we have . Then continues performing the following algorithm.

As , the tuple (c_r,ω_r) is a solution to l − SDH hardness problem.

At present, we assess the superiority of to break the l − SDH hardness problem.

Suppose ζ denotes the event that (c_r,ω_r) is the solution to the l − SDH hardness problem and this solution can be checked by verifying whether the equality holds. When randomly selects (c_r,ω_r), ζ can happen with a negligible advantage. We denote this as 0 for simplicity. When the event occurs, outputs a tuple (c_r,ω_r) and the probability of tuple (c_r,ω_r) satisfies the equality is 1. Hence, the possibility of solves l − SDH challenge problem is as follows:

5.2 IND − CPA security of the TUR-CPABE

Theorem 2. If the decisional q − BDHE assumption holds, then there are no PPT adversaries that have non-negligible advantages in breaking our TUR-CPABE scheme under selective access policy and chosen plaintext attacks, where and is the number of users in the system.

Proof: Suppose there is a PPT adversary able to break our TUR-CPABE scheme with an advantage ε. In this case, we could set up a simulator who has an advantage ε/2 to break the decisional q − BDHE hardness problem. The simulation processes are described as follows:

Let and be two multiplication cyclic groups of prime order p, g be a generator of and function be a bilinear map. Given then simulator casts a fair coin μ. If μ = 0, sets . Otherwise, sets T = Z, where Z is a random element in .

Initialization: Adversary chooses a challenge access policy (M*,ρ*) as well as a revocation list RL*, where M* is a l* × n* matrix and n* ≤ q.

Setup: To simulate public parameters as well as manager public key, simulator needs to execute the following algorithms.

1. chooses a random such that , where implicit sets α = α′ + d^q+1.
2. Randomly select a value for every attribute x ∈ U(1 ≤ x ≤ |U|), then every group element is generated as follows. If there exists i ∈ {1,2,…,l*} such that ρ*(i) = x, set . Otherwise, let .
3. randomly chooses , then computes g^a and sets h = g^d.
4. Given a revocation list RL*. If (u,x) ∈ RL*, randomly chooses and sets , where implicit sets w_x = dθ_x. Otherwise, builds , where w_x = θ_x.
5. Set up a binary KEK tree and assign a user u for every leaf node, and the user’s identity is id. Every node has an exclusive value v_j as well as an exclusive sequence number sequence(v_j) in the binary KEK tree.

Hence, the simulator publishes the public parameters as and the manager public key as MPK = {W_x|1 ≤ x ≤ |U|}.

Phase 1: Adversary commits a sequence of tuples (u₁,S₁),…,(u_q,S_q) to ask for the corresponding decryption keys, where (u,x) denotes revoke the user u’s attribute x. does the following in response:

Case 1. If S ∈ (M*,ρ*) and (u,x) ∉ RL*, the algorithm aborts.

Case 2. If S ∈ (M*,ρ*) and (u,x*) ∈ RL*, chooses a random and implicit sets . Then, the simulator performs the following algorithm to setting decryption key.

1. computes USK′ as follows:
2. Choose a random exponent , then let K₁ = z and set TK as
   Finally, obtain USK = (z,TK).
3. For have been revoked attribute x*, selects the value v* ∈ path(u), then computes and . Otherwise, computes , then computes a minimal covering set node(G_x) for the attribute x’s users group G_x and defines a Dijkstra path(u) for the user u, finally performs an intersection operation β_x = node(G_x) ∩ path(u). If β_x = ϕ, does not compute KEK_x for u. Otherwise, computes , where v_j ∈ β_x.

Case3. If S ∉ (M*,ρ*) and (u,x*) ∈ RL*, responds in the following.

1. Find a vector such that ω₁ = −1 and , where ρ*(i) ∈ S. As S ∉ (M*,ρ*), such a vector must exist.
2. selects a random number , builds K₁′ = c.
3. chooses a random number , implicit defines
4. computes K₂′,L₁′,L₂′,K_x,1′ are as follows:
   For ∀x ∈ S, computes K_x,2′. If there no exists i such that ρ*(i) = x, computes . Otherwise, sets .
5. chooses a random exponent , then builds K₁ = z. Compute the transformation key as and set USK = (K₁ = z,TK).Then, computes and as in case 2.

Case4. If S ∉ (M*,ρ*) and (u,x) ∉ RL*, the simulator computes USK as in case 3. First, computes . Then, computes a minimal covering set node(G_x) for the attribute x’s users group G_x and defines a Dijkstra path(u) for the user u. Finally, performs an intersection operation β_x = node(G_x) ∩ path(u). If β_x = ϕ, doesn’t compute KEK_x for u. Otherwise, computes , where v_j ∈ β_x.

Challenge: Finally, we set the challenge ciphertext. Adversary submits two equal length messages m₀,m₁ to . Then, casts a fair coin υ ∈ {0,1} and performs the following algorithms.

Local encryption: First, sets , C₀ = g^s, C₁ =(g^s)^a. Then, randomly chooses and builds

Third, computes

Finally, sets the local ciphertext as .

Re-encryption: For each non-revoked attribute ρ*(i)(1≤i≤l*), randomly chooses . Otherwise, sets k_i* = d ⋅ k_i. Then, re-encrypts the local ciphertext to obtain

In addition, for every ρ*(i)(1≤i≤l*) corresponding to the attribute x, computes a minimal covering set node(G_x) for x’s users group G_x. Then, sets the header of message as

Finally, sends the challenge ciphertext <Hdr_υ*,CT_υ*> to .

Phase 2: Same as Phase 1.

Guess: Finally, outputs a guess υ′of υ. If υ′ = υ, the simulator outputs μ′ = 0 to show that T is a valid q − BDHE tuple. Otherwise, outputs μ′ = 1 to indicate that T is a random group element from .

The decryption key and public parameters generated by simulations in the above game are the same as those in the real system.

When μ = 1, the adversary cannot acquire any information about υ. Therefore, we have . guesses μ′ = 1 as υ′ ≠ υ, we have .

When μ = 0, receives m_υ’s ciphertext. If the advantage of is ε, we have . guesses μ′ = 0 as υ′ = υ, and we have .

The advantage of simulator in the decisional q − BDHE game is defined as: