 Research
 Open Access
 Published:
High efficient keyinsulated attribute based encryption scheme without bilinear pairing operations
SpringerPlus volume 5, Article number: 131 (2016)
Abstract
Attribute based encryption (ABE) has been widely applied for secure data protection in various data sharing systems. However, the efficiency of existing ABE schemes is not high enough since running encrypt and decrypt algorithms need frequent bilinear pairing operations, which may occupy too much computing resources on terminal devices. What’s more, since different users may share the same attributes in the system, a single user’s private key exposure will threaten the security and confidentiality of the whole system. Therefore, to further decrease the computation cost in attribute based cryptosystem as well as provide secure protection when key exposure happens, in this paper, we firstly propose a high efficient keyinsulated ABE algorithm without pairings. The keyinsulated mechanism guarantees both forward security and backward security when key exposure or user revocation happens. Besides, during the running of algorithms in our scheme, users and attribute authority needn’t run any bilinear pairing operations, which will increase the efficiency to a large extent. The high efficiency and security analysis indicate that our scheme is more appropriate for secure protection in data sharing systems.
Background
With the continuing increase of network information resources, users are confronted with urgent challenges such as how to make secure data sharing with others efficiently. To help users achieve secure and flexible data access control, Sahai and Waters (2005) proposed a new notion called attribute based encryption (ABE). In this cryptosystem, data receiver’s access privileges are described by a certain number of attributes. A data receiver can get access to the ciphertext only if the attributes he owns match with the access control policy set by the data owner. Equipped with the advantages of providing secure data protection as well as flexible access control, ABE (Goyal et al. 2006; Lewko et al. 2010; Waters 2011) has become an effective tool for secure data sharing between users.
However, the efficiency of current ABE schemes is still not high enough compared to traditional public key cryptosystem. One important factor is that encryption and decryption in ABE need frequent bilinear pairing calculations. Researchers have proved that the computational complexity of bilinear pairing is much larger than that of other operations (exponential operation, multiplication, addition) in discrete group (Chen et al. 2007; Bertoni et al. 2005). In some special network systems such as wireless sensor networks (Yu et al. 2011) or body area networks (Hu and Zhang 2013; Tan et al. 2011), the computation capacity and energy resources of terminal devices are limited, frequent bilinear pairing operations may consume too much computing resources and lead to bottleneck or node failure during the process of data sharing. Consequently, to further enrich the application scenarios of ABE, it is essential to improve the efficiency by reducing the number of pairing operations. To the best of our knowledge, the elimination of pairing operation in attribute based cryptosystem is quite new in the research literature, which has not been solved yet.
Key exposure protection is another issue remains to be tackled in attribute based cryptosystem. Although many schemes have achieved forward and backward security in terms of attribute revocation (Hur 2013; Yu et al. 2010), however, the system is still at risk when key exposure happens. If the private key owned by a nonrevoked user leaks, any user can use the private key to decrypt the corresponding ciphertext since the leaked private key is still a valid one. Consequently, all the potential threat calls for frequent key refreshing in attribute based cryptosystem. When key exposure happens, effective and efficient key updating mechanism should be implemented to keep the system from potential threat.
To better guarantee the security during the process of data sharing as well as minimize the total computation cost, in the paper, we do the following research:
We propose a high efficient keyinsulated ABE scheme without pairings (KIABEWP). In our scheme, each user’s private key corresponds to an access structure. A user can decrypt the ciphertext only if the attributes used for encryption match with the access structure he owns. Besides, we divide the system lifetime into discrete time periods. When time period evolves, only part of the private key has to be updated and the system public parameters remain unchanged. This saves a lot of computation and transmission load when attribute revocation or key exposure happens. What’s more, during the running of algorithms in our scheme, users and attribute authority (AA) needn’t do any bilinear pairing operations, which will increase the total efficiency to a large extent compared to current ABE schemes. At last, our scheme is proved to be secure under CDH hardness assumption. The high efficiency due to the elimination of bilinear pairings makes our scheme more appropriate for secure data sharing in various network systems, especially those with limited computing capacity such as wireless sensor networks, mobile communication, etc.
The rest sections are arranged as follows:
In “Related works and preliminaries” section, we introduce the related works and essential mathematical preliminaries used to construct our scheme. The security model and concrete constructions of our scheme are proposed in “Models and assumptions” and “Constructions to our KIABEWP” sections respectively. The security and performance analysis are given in “Security proof and performance analysis” section. At last, we conclude our paper and make prospects on future directions in “Conclusion” section.
Related works and preliminaries
Related works
Existing literatures have achieved much progress in ABE with respect to finegrained access control (Goyal et al. 2006; Waters 2011; Bethencourt et al. 2007; Goyal et al. 2008), user flexible revocation (Hur and Noh 2011; Yu et al. 2011) and attribute based signcryption (Wang and Huang 2011), etc. Meanwhile, ABE has been widely designed for providing data protection in various network systems such as personal health record system (Li and Yu 2013), body area networks (Hu and Zhang 2013; Tan et al. 2011), wireless sensor networks (Yu et al. 2011), cloud computing (Yang et al. 2012). However, these schemes may not be entirely realistic to be applied to some application scenarios thanks to the heavy computation cost from bilinear pairing operations. Take the proposed scheme in Xhafa et al. (2015) for instance, if the number of attributes involved in encryption is n, then the decryption will take 4n times of pairing operations, which will bring a heavy computation burden on terminal devices. Consequently, to further improve the efficiency and performance of ABE, the number of pairing operations should be reduced, even totally eliminated.
Besides efficiency, key exposure protection is another issue urgently to be solved in ABE. Many existing schemes have guaranteed forward and backward security when attribute revocation happens by introducing a proxy reencryption server (Hur and Noh 2011; Yu et al. 2010). However, these schemes only focus on the key regeneration of the revoked users, but neglect the key updating for nonrevoked users. If a nonrevoked user’s private key leaks, the confidentiality of the system will be threatened since the leaked private key is still a valid one. In fact, in attribute based cryptosystem, key refreshing is more important since either attribute revocation or private key exposure protection calls for frequent keyupdating. Xu and Martin (2012) proposed an ABE scheme with secure key refreshing in, but their scheme has to regenerate the master key and public parameters in the system, this will bring about much more computation overheads when key updating happens. Keyinsulation (Dodis et al. 2002) is a promising tool to guarantee forward and backward security as well as achieving high efficiency of key updating. In this mechanism, the lifetime of the system is divided into discrete periods. The public key remains unchanged throughout the lifetime, while temporary secret keys are updated periodically. Keyinsulation mechanism can provide full security when user’s private key exposure happens and it has been designed for effective key exposure protection in identity based cryptosystem (Zhu et al. 2014), certificateless cryptosystem (Chen et al. 2015), etc. The advantage of keyinsulation mechanism can also be combined into attribute based cryptosystem and propose a keyinsulated ABE scheme with efficient and secure key updating.
Hardness assumptions

(a)
Discrete logarithm assumption (DL):
Given \(X,P \in G,\) it is computational infeasible to calculate the value of a \((a \in Z_{q}^{*} )\) such that X = aP with a nonnegligible probability within probabilistic polynomialtime.

(b)
Computational Diffie–Hellman assumption (CDH):
For \(a,b \in Z_{q}^{*} ,\) given (p, ap, bp), it is computational infeasible to calculate the value of abp with a nonnegligible probability within probabilistic polynomialtime.
Models and assumptions
A real world example of KIABEWP
One typical application of our KIABEWP is the mobile communication system, which can be illustrated in Fig. 1. It consists of six entitles: AA, key helper, base station, data centre, data sender and receiver. Base station and data centre are hardware architectures which are responsible for mobile communications and file storage. AA generates initial attribute private keys for each user in the system and the private key corresponds with an access structure. Data sender and receiver are the two sides of communication, data sender encrypts the file with a set of attributes, while a receiver can decrypt the ciphertext if the attributes used for encryption match with the access structure he owns. When system evolves into a new time period, users in the system update their private keys to the latest version with the assistance of key helper. Due to the elimination of bilinear pairing operations, the proposed KIABEWP will relieve the terminal devices from heavy computation burden, thus improving the efficiency and performance of the whole system.
Formalized definition of the algorithms in KIABEWP
Our KIABEWP consist of five algorithms:

Setup(1^{λ}){PK, MK} This algorithm takes a security parameter λ as input and outputs the public parameter PK and master key MK. PK is shared by users while MK is kept private by AA.

\(Initial\,private\,key\,generation{:}\,\{ PK,MK,\gamma ,TP_{0} \} \to \{ TD_{{\gamma ,TP_{0} }} \}\) This algorithm is operated by AA. It takes PK, MK, initial time period TP _{0} and the user’s access structure γ as input. The output of this algorithm is user’s initial private key \(TD_{{\gamma ,TP_{0} }} .\)

\(Key updating{:}\,\{ PK,MK,\gamma ,TP_{n} \} \to \{ TD_{{\gamma ,TP_{n} }} \}\) This algorithm is an interaction between AA and user. On input PK, MK, γ and the current time period TP _{ n }, AA outputs the keyupdating component \(U_{{\gamma ,TP_{n} }}\) and transfers it to users. User updates his temporal private key to the latest version using \(U_{{\gamma ,TP_{n} }} .\)

Encrypt \(\{ PK,M,\{ A_{i} \} \} \to \{ CT\}\) This algorithm is operated by the data sender. It takes PK, a plaintext M and an attribute set {A _{ i }} as input and outputs the corresponding ciphertext CT.

\(Decrypt{:}\,\{ D_{i,\gamma } ,CT\} \to \{ M\}\) This algorithm is run by the data receiver. The algorithm takes as input the ciphertext CT and the receiver’s temporal private key \(TD_{{\gamma ,TP_{n} }} ,\) it outputs the plaintext M.
Security model of KIABEWP
Definition
Our KIABEWP scheme is secure under chosen ciphertext attacks if there exists an Adversary has nonnegligible advantage in the following game played by a Challenger and an Adversary.
Phase 1 Setup
Challenger runs Setup procedure to obtain the system parameters PK and master keys MK. It sends PK to Adversary.
Phase 2 Queries
Adversary can make the following queries to Challenger.
Initial private key generation query
Challenger can obtain user’s initial private key \(D_{{\gamma ,TP_{0} }}\) by running Initial private key generation algorithm and returns the result back to Adversary.
Temporal private key generation query
Challenger can obtain user’s temporal private key at the current time period and returns the result \(D_{{\gamma ,TP_{n} }}\) back to Adversary.
Decrypt query
Adversary can ask Decrypt query for ciphertext CT. Challenger runs Decrypt algorithm and returns the results to Adversary.
Phase 3 Challenge
Adversary chooses two plaintexts M _{0} and M _{1} and a challenging access structure \(\gamma^{*}\) at current time period.
Challenger chooses \(\sigma \in \{ 0,1\}\) randomly and calculates CT _{ σ } = Encrypt(PK, M _{ σ }, {A _{ i }}) and returns the result to Adversary.
Adversary outputs a value \(\sigma^{*}\) as a conjecture of σ.
During the whole process of the challenge game:
Adversary cannot ask Challenger for Decrypt query of M _{0} and M _{1}.
Adversary cannot ask Challenger for Temporal private key generation query for the challenging structure \(\gamma^{*} .\)
If \(\sigma^{*} = \sigma\) then Adversary wins the game.
We denote \(Adv(A) = \left {Pr[\sigma^{*} = \sigma ]  \frac{1}{2}} \right\) to be the Adversary’s advantage in the above challenge game.
Constructions to our KIABEWP
Concrete algorithms of KIABEWP
Setup
Let G to be a cyclic addition group. Denote q and p to be the prime order and generator of G respectively. AA defines a global attribute set \(\{ A_{i} \}\) and picks \(t_{i} \in Z_{q}^{*}\) for each attribute in \(\{ A_{i} \}\). Let T _{ i } = t _{ i } p to be the public key of A _{ i }. Picks \(k_{n} \in Z_{q}^{*}\) for each time period TP _{ n } in the system lifetime. Let K _{ n } = k _{ n } p. Chooses a secret number \(y \in Z_{q}^{*}\) and calculates Y = yp. Define two hash functions \(H_{1} {:}\{ 0, 1\}^{*} \to Z_{q}^{*} ,\) \(H_{2} {:}\{ 0, 1\}^{*} \to \{ 0,1\}^{m} ,\) m is the size of plaintext. Define a Lagrange interpolation function \(\Delta _{i,S(x)} = \prod\nolimits_{j \in S,j \ne i} {\frac{x  j}{i  j}} .\)
The system public parameters are \(\{ G,q,p,A_{i} ,T_{i} ,K_{n} , Y,H_{1} ,H_{2} \}\) and the system master keys are {t _{ i }, y, k _{ n }}.
Initial private key generation
AA randomly chooses a polynomial q _{ x } for each node x in the user’s access tree γ. Denote d _{ x } to be the degree of q _{ x } and thr _{ x } to be the threshold value node. Let \(d_{x} = thr_{x}  1.\) For the root node AA sets \(q_{root} (0) = y.\) For any other node (except for root node) in the access tree, let \(q_{x} (0) = q_{parent(x)}^{index(x)} .\) The initial attribute private key at time period TP _{0} for access structure γ can be denoted by \(TD_{{\gamma ,TP_{0} }} = \{ q_{x} (0) + t_{i} + k_{0} \cdot H_{1} (T_{i} ,TP_{0} ),\,i \in \gamma \} .\)
Key updating
When time period evolves from TP _{ n } to TP _{ n+1}, AA calculates the updated key component \(U_{{\gamma ,TP_{n + 1} }} = (k_{n + 1} \cdot H_{1} (T_{i} ,TP_{n + 1} )  k_{n} \cdot H_{1} (T_{i} ,TP_{n} ),\,i \in \gamma )\) and transfers it to user. User calculates \(TD_{{\gamma ,TP_{n + 1} }} = TD_{{\gamma ,TP_{n} }} + U_{{\gamma ,TP_{n + 1} }}\) as the temporal private key at time period TP _{ n+1}.
Encrypt
At time period TP _{ n }, for a plaintext M,data sender picks a random number \(s \in Z_{q}^{*}\) and calculates:
Then data sender sends \(CT = \{ C_{1} ,C_{2} ,C_{3} ,C_{4} \}\) to data receiver.
Decrypt
Upon receiving CT, receiver calculates:
Correctness proof
If x is a leaf node, the calculation process is as follows:
All the value calculated from \(DecryptNode(x,TD_{{\gamma ,TP_{n} }} ,C_{1} ,C_{2} ,C_{3} )\) will be stored as F _{ z }. For any F _{ z } ≠ 0,the algorithm calculates F _{ root } (the value of root node) using Lagrange interpolation method.
If x is a nonleaf node, z is the child node of x, then the algorithm calculates the value of \(DecryptNode(x,TD_{{\gamma ,TP_{n} }} , C_{1} ,C_{2} ,C_{3} )\) as follows:
Let i = index(z), \(S_{{x^{\prime } }} = \{ index(z){:}z \in S_{x} \}\)
Since the value of \(DecryptNode(x,TD_{{i,TP_{n} }} , C_{1} ,C_{2} ,C_{3} ) = q_{x} (0) \cdot sp,\) whether x is a leaf node or nonleaf node, consequently, the value of root node F _{ root } and the plaintext M can be calculated by:
Security proof and performance analysis
Security proof
Theorem
If the proposed KIABEWP can be broken by an Adversary in the random oracle model, then a Simulator can be constructed to break the CDH hardness assumption in group G successfully with a nonnegligible advantage.
Proof
In the challenge game, if there exists an Adversary can break our KIABEWP with an advantage (t, ɛ) in the random oracle model, then there exists a Simulator which can break the CDH assumption with an advantage of \(\varepsilon^{\prime }\) which satisfies:
In the lemma (6), \(q_{p} ,q_{{H_{1} }} ,q_{i} ,q_{t} , q_{d}\) are the maximum numbers of Public key generation query, H _{1} query, Initial private key generation query, Temporal private key generation query and Decrypt query respectively. Denote t _{ sm } and t _{ a } to be the time consumption for running a scalar multiplication operation and an addition operation respectively.
The process of the challenge game is as follows:
Phase 1 Setup:
Challenger sets the parameters as follows:
Defines a global attribute set {A _{ i }}. Let G be a cyclic addition group with prime order q. The generator of group G is denoted by p. Defines two hash functions: \(H_{1} {:}\{ 0,1\}^{*} \to Z_{q}^{*} ,\) \(H_{2} {:}\{ 0,1\}^{ *} \to \{ 0,1\}^{m} ,\) m is the size of plaintext. Randomly picks \(a,b \in Z_{q}^{*} ,\) sets X = bp, Y = ap.
The aim of Simulator is to calculate the value of abp according to the process of the challenge game. Simulator plays the role of Challenger and runs Adversary as a subprogram.
Phase 2 Queries:
The proof skills used in our scheme resembles the method which has been proposed in Coron (2000). Without loss of generality, supposing that Adversary will make Public key generation query for an attribute A _{ i } before making Initial private key generation query, Temporal private key generation query and Decrypt query to Simulator.
Then Adversary makes the following queries to Simulator:
Public key generation query: Simulator maintains a list L _{ p }{A _{ i }, γ, c, t _{ i }, T _{ i }}. When Adversary asks a Public key generation query for A _{ i } in the γ. Simulator responds as follows:
Checks if A _{ i } has already existed in the list L _{ p }. If so, Simulator returns the result of T _{ i } to Adversary. If not, Simulator picks a biased coin \(c \in \{ 0,1\}^{l}\) at random and sets \(Pr[c = 0] = \theta\) while \(Pr[c = 1] = 1  \theta\). When c = 0, Simulator chooses \(t_{i} \in Z_{q}^{*}\) and sets T _{ i } = t _{ i } p. Otherwise let T _{ i } = t _{ i } X. Simulator adds the tuple {A _{ i }, γ, c, t _{ i } , T _{ i }} into L _{ p } and sends T _{ i } to Adversary.
H _{1} query: Simulator maintains a list \(L_{{H_{1} }} \{ A_{i} ,\gamma ,T_{i} ,TP_{n} ,H_{1} (T_{i} ,TP_{n} )\}\). When Adversary asks a H _{1} query for A _{ i }, Simulator responds as follows:
Checks if A _{ i } has already existed in \(L_{{H_{1} }}\). If so, Simulator sends the result back to Adversary. If not, Simulator calculates the value of H _{1}(T _{ i }, TP _{ n }) and adds it into the \(L_{{H_{1} }} .\)
Initial private key generation query: Simulator maintains a list \(L_{i} \{ A_{i} ,\gamma ,TD_{{\gamma ,TP_{0} }} \} .\) When Adversary asks a Initial private key generation query for γ, Simulator responds as follows:
Checks if \(\gamma\) exists in the list L _{ p }{A _{ i }, γ, c, t _{ i }, T _{ i }}. If not, Simulator aborts the challenge game and outputs failure. We denote this incident by E _{1}.
Otherwise, Simulator randomly chooses a polynomial q _{ x } for each node x in the user’s access tree γ. Denote d _{ x } to be the degree of q _{ x } and thr _{ x } to be the threshold value node. Let \(d_{x} = thr_{x}  1.\) For any other node (except for root node) in the access tree, let \(q_{x} (0) = q_{parent(x)}^{index(x)} .\) Simulator chooses \(k_{0} \in Z_{q}^{*}\) and sets initial private key \(TD_{{\gamma ,TP_{0} }} = \{ q_{x} (0) + t_{i} + k_{0} \cdot H_{1} (T_{i} ,TP_{0} ),\,i \in \gamma \}\). Then simulator adds the tuple into L _{ i } and sends \(TD_{{\gamma ,TP_{0} }}\) to Adversary.
\(Temporal private key generation query{:} Simulator\) maintains a list \(L_{t} \left\{ {A_{i} ,\gamma ,TP_{n} ,TD_{{\gamma ,TP_{n} }} } \right\}\). When Adversary asks a Temporal private key generation query for γ, Simulator responds as follows:
Checks γ in the list \(L_{i} \{ A_{i} ,\gamma ,TD_{{\gamma ,TP_{0} }} \} .\) If γ does not exist in L _{ i }, Simulator aborts the challenge game and outputs failure. We denote this incident by E _{2}.
Checks \(L_{{H_{1} }} \{ A_{i} ,\gamma ,T_{i} ,TP_{n} ,H_{1} (T_{i} ,TP_{n} )\} .\). If the tuple {γ, A _{ i }} does not exist in \(L_{{H_{1} }}\), Simulator aborts the challenge game and outputs failure. We denote this incident by E _{3}.
Otherwise, Simulator randomly chooses \(k_{n} \in Z_{q}^{*}\) and calculates \(TD_{{\gamma ,TP_{n} }} = TD_{{\gamma ,TP_{0} }} + (k_{n} H_{1} (T_{i} ,TP_{n} )  k_{0} \cdot H_{1} (T_{i} ,TP_{0} ))\). Simulator sends \(TD_{{\gamma ,TP_{n} }}\) to Adversary and adds the tuple into \(L_{t} \{ A_{i} ,\gamma ,TP_{n} ,TD_{{\gamma ,TP_{n} }} \} .\)
Decrypt query: Simulator maintains a list L _{ D }{A _{ i }, γ, CT = {C _{1}, C _{2}, C _{3}, C _{4}}, M}. When Adversary asks a Decrypt query for {A _{ i }, γ, CT = {C _{1}, C _{2}, C _{3}, C _{4}}}, Simulator responds as follows:
Checks {A _{ i }, γ} in the list L _{ p }{A _{ i }, γ, c, t _{ i }, T _{ i }}. If c = 1, Simulator aborts the game and outputs failure. We denote this incident by E _{4}.
Otherwise, Simulator recovers \(TD_{{\gamma ,TP_{n} }}\) from \(L_{t} \{ A_{i} ,\gamma ,TP_{n} ,TD_{{\gamma ,TP_{n} }} \}\) and calculates \(M = C_{4} \oplus H_{2} \left( {\sum\nolimits_{i \in \gamma } {TD_{{\gamma ,TP_{n} }} \cdot C_{1}  C_{2}  C_{3} \cdot H_{1} (T_{i} ,TP_{n} )} } \right)\). Simulator sends the result to Adversary and adds the tuple into L _{ D }{A _{ i }, γ, CT = {C _{1}, C _{2}, C _{3}, C _{4}}, M}.
Phase 3 Challenge:
Adversary outputs two plaintext M _{0} and M _{1} with a challenging access structure γ* at the current time period TP _{ n }.
Simulator checks if γ* exists in the list L _{ p }{A _{ i }, γ, c, t _{ i }, T _{ i }}. If not, Simulator aborts the challenge game and outputs failure. We denote this incident by E _{5}. If γ* exists in the list L _{ p }{A _{ i }, γ, c, t _{ i }, T _{ i }} and c = 0, Simulator aborts the challenge game and outputs failure. We denote this incident by E _{6}.
Simulator runs Temporal private key generation query for γ* and calculates \(TD_{{\gamma^{*} ,TP_{n} }} = (q_{x} (0) + t_{i} + k_{n} \cdot H_{1} (T_{i} ,TP_{n} ))^{*}\). Then, Simulator picks \(\sigma \in \{ 0, 1\}\), \(s \in Z_{q}^{*}\) and calculates:
Simulator sends CT _{ σ } = {C _{1,σ }, C _{2,σ }, C _{3,σ }, C _{4,σ }} to Adversary.
Adversary outputs \(M_{\sigma }^{ *}\) as a guess of \(M_{\sigma } .\) If \(M_{\sigma }^{*} = M_{\sigma }\) and Adversary wins the game, Simulator outputs \(abp = s^{  1} \cdot \sum\nolimits_{i \in \gamma } {\left( {TD_{{\gamma^{*} ,TP_{n} }} \cdot C_{1,\sigma }  C_{2,\sigma }  C_{3,\sigma } \cdot H_{1} (T_{i} ,TP_{n} )} \right)}\) as the solution to CDH assumption in group G.
Then we will analyse the time complexity of Simulator in breaking CDH assumption in group G.
From the description, assuming the average number of attributes involved is “n”, for each request of Public key generation query, Initial Private key generation query, Temporal private key generation query and Decrypt query, Simulator has to run n times of multiplication operation, n times of multiplication operation and 2n times of addition operation, n times of multiplication operation and 2n times of addition operation, 2n times of multiplication operation and 2n times of addition operation respectively.
During the Challenge phase, Simulator has to run (3n + 4) times of multiplication operation and 2n times of addition operation.
Denote t _{ sm }, t _{ a } to be the time consumption of scalar multiplication operation and addition operation in group G respectively. From what has been discussed above, the total time complexity of Simulator t′ satisfies:
Next we will discuss the advantage of Simulator in breaking the CDH assumption.
During the process of the challenge game, the responses of Initial Private key generation query, Temporal private key generation query and Decrypt query return to Adversary are valid and indistinguishable if E1, E2, E3, E4 do not happen. Furthermore, if Adversary succeeds in distinguishing \(M_{\sigma }\) and E5, E6 do not happen, then Simulator is capable of breaking the CDH assumption.
Next we will calculate the probability of the incidents discussed above.
According to the process of queries phase, the probability of E4 and E6 not occurring can be denoted by lemma (9):
The value of \(Pr\left {\overline{E4} \cap \overline{E6} } \right\) is maximized in lemma (10) when \(\theta = \frac{{q_{d} }}{{1 + q_{d} }}.\)
Since the responses of Public key generation query act as random oracle model, consequently, the probability of E1 and E5 not occurring can be denoted by lemma (11):
Likewisely, the probability of E2 and E3 not occurring can be denoted by lemma (12):
Taking all the probabilities of the above incidents into account, it can be figured out that if Adversary successfully attacks our scheme with an advantage ɛ, then a Simulator can break the CDH assumption in group G with an advantage of ɛ′ which satisfies:
Secure and efficient key updating
Our scheme achieves both secure and efficient key updating. According to the Keyupdating algorithm, the updated key component for attribute A _{ i } at time period TP _{ n+1} is calculated as \(U_{{\gamma ,TP_{n + 1} }} = (k_{n + 1} \cdot H_{1} (T_{i} ,TP_{n + 1} )  k_{n} \cdot H_{1} (T_{i} ,TP_{n} ),\,i \in \gamma ).\) Since a user cannot obtain the value of k _{ n+1}, k _{ n }, it is computational infeasible for him to calculate the value of \(U_{{\gamma ,TP_{n + 1} }}\) and update his private keys. Without loss of generality, when a user’s private key \(TD_{{\gamma ,TP_{n} }}\) was leaked during the time period TP _{ n }, the system still maintains safe after TP _{ n } since all the private keys have been securely updated.
With respect to the computation cost, key updating for a single attribute at a discrete period only needs one multiplication operation, one addition operation and 1 H _{1} operation. Besides, the system parameters remain unchanged throughout different time periods and this will reduce more the communication overheads.
Performance analysis
In this paper, assuming that the number of attributes involved in encryption is n, according to the algorithms discussed above, the Encrypt algorithm will take (n + 3) times of multiplication operations, one addition operation and one H _{2} operation, while the Decrypt algorithm will take 2n times of multiplication operations, 2n times of addition operations and 1 H _{2} operation. Detailed computation costs of each algorithm is listed in Table 1.
From Table 1, it can be seen that the total computation efficiency is much higher in our scheme compared to current ABE schemes since bilinear pairing operations have been totally eliminated.
Conclusion
In this paper, we combine the advantage of keyinsulation mechanism with ABE and propose a high efficient keyinsulated ABE algorithm without pairings (KIABEWP). During the running of algorithms in our scheme, users and AA needn’t run any bilinear pairing operations. The high efficiency and proved security make our scheme more appropriate for data sharing in network systems, especially those with limited computing capacity such as wireless sensor networks, mobile communication system, etc.
Our future research should focus on the ABS (attribute based signature) without pairing operations, which provides secure data authentication with higher efficiency than current ABS schemes.
References
Bertoni G, Chen L, Fragneto P, Harrison K, Pelosi G (2005) Computing tate pairing on smartcards. In: Proceedings of the workshop on cryptographic hardware and embedded systems (CHES ‘05)
Bethencourt J, Sahai A, Waters B (2007) Ciphertextpolicy attribute based encryption. In: Proceedings of the IEEE symposium on security and privacy, Washington, DC, pp 321–334
Chen L, Cheng Z, Smart NP (2007) Identitybased key agreement protocols from pairings. Int J Inf Secur 6(4):213–241
Chen Y, Xu W, Xiong H (2015) Strongly secure certificateless keyinsulated signature secure in the standard model. Ann Telecommun 70(9):395–405
Coron JS (2000) On the exact security of full domain hash. In: Advances in cryptology (CRYPTO ‘2000). LNCS no. 1880. Springer, Berlin, pp 229–235
Dodis Y, Katz J, Xu S, Yung M (2002) Keyinsulated publickey cryptosystems. In: Knudsen LR (ed) Proceedings of the Eurocrypt 2002. LNCS no. 2332. Springer, Berlin, pp 65–82
Goyal V, Pandey O, Sahai A, Waters B (2006) Attribute based encryption for finegrained access control of encrypted data. In: ACM conference on computer and communications security, pp 89–98
Goyal V, Jain A, Pandey O, Sahai A (2008) Bounded ciphertext policy attribute based encryption. In: Proceedings of the 35th international colloquium, Reykjavik, Iceland, pp 579–591
Hu C, Zhang N (2013) Body area network security: a fuzzy attributebased signcryption scheme. IEEE J Sel Areas Commun 31(9):37–46
Hur J (2013) Improving security and efficiency in attributebased data sharing. IEEE Trans Knowl Data Eng 25(10):2271–2282
Hur J, Noh DK (2011) Attributebased access control with efficient revocation in data outsourcing systems. IEEE Trans Parallel Distrib Syst 22(7):1214–1221
Lewko A, Okamoto T, Sahai A, Takashima K, Waters B (2010) Fully secure functional encryption: attributebased encryption and (hierarchical) inner product encryption. In: Advances in cryptology—EUROCRYPT 2010. Springer, Berlin, pp 62–91
Li M, Yu S (2013) Scalable and secure sharing of personal health records in cloud computing using attributebased encryption. IEEE Trans Parallel Distrib Syst 24(1):131–143
Sahai A, Waters B (2005) Fuzzy identitybased encryption. In: Proceedings of the international conference in EUROCRYPT 2005, Aarhus, Denmark, pp 457–473
Tan YL, Goi BM, Komiya R (2011) A study of attributebased encryption for body sensor networks. Inform Eng Inf Sci 251:238–247
Wang C, Huang J (2011) Attribute based signcryption with ciphertext policy and claim predicate mechanism. In: Seventh international conference in CIS, pp 905–909
Waters B (2011) Ciphertext policy attribute based encryption: an expressive, efficient, and provably secure realization. In: Proceedings of the international conference in PKC 2011, Taormina, Italy, pp 53–70
Xhafa F, Feng J, Zhang Y (2015) Privacyaware attributebased PHR sharing with user accountability in cloud computing. J Supercomput 71(5):1607–1619
Xu Z, Martin KM (2012) Dynamic user revocation and key refreshing for attributebased encryption in cloud storage. In: IEEE 11th international conference on trust, security and privacy in computing and communications
Yang K, Jia X, Kui R (2012) DACMACS: effective data access control for multiauthority cloud storage systems. IEEE Trans Inf Forensics Secur 7(2):743–754
Yu S, Wang C, Ren K (2010) Attribute based data sharing with attribute revocation. In: Proceedings of the 5th symposium on information, computer and communications security (ACM), pp 261–270
Yu S, Ren K, Lou W (2011) FDAC: toward finegrained distributed data access control in wireless sensor networks. IEEE Trans Parallel Distrib Syst 22(4):673–686
Zhu G, Xiong H, Wang R (2014) An improvement of an identitybased keyinsulated signcryption. In: Proceedings of the international conference on computer science and information technology, vol 255 of the series advances in intelligent systems and computing, pp 97–104
Authors’ contributions
Dr. Hanshu Hong: Carried out the KIABEWP studies, participated in the design of scheme and drafted the manuscript. Dr. Zhixin Sun: Participated in the performance analysis of the scheme. Both authors read and approved the final manuscript.
Authors’ information
Dr. Zhixin Sun is the dean of Internet of Things institute, Nanjing University of Posts and Telecommunications. He has published more than 50 literatures on journals worldwide. His research area includes information security, computer networks, computer science, etc. Dr. Hanshu Hong is a Ph.D. candidate in Nanjing University of Posts and Telecommunications. His research area includes information security, cryptology.
Acknowledgements
This research is supported by the National Natural Science Foundation of China (61373135). The authors thank the sponsors for their support and the reviewers for helpful comments.
Competing interests
Both authors declare that they have no competing financial interests.
Author information
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Received
Accepted
Published
DOI
Keywords
 ABE
 Keyinsulated
 Without pairings
 High efficiency