High efficient key-insulated attribute based encryption scheme without bilinear pairing operations

Attribute based encryption (ABE) has been widely applied for secure data protection in various data sharing systems. However, the efficiency of existing ABE schemes is not high enough since running encrypt and decrypt algorithms need frequent bilinear pairing operations, which may occupy too much computing resources on terminal devices. What’s more, since different users may share the same attributes in the system, a single user’s private key exposure will threaten the security and confidentiality of the whole system. Therefore, to further decrease the computation cost in attribute based cryptosystem as well as provide secure protection when key exposure happens, in this paper, we firstly propose a high efficient key-insulated ABE algorithm without pairings. The key-insulated mechanism guarantees both forward security and backward security when key exposure or user revocation happens. Besides, during the running of algorithms in our scheme, users and attribute authority needn’t run any bilinear pairing operations, which will increase the efficiency to a large extent. The high efficiency and security analysis indicate that our scheme is more appropriate for secure protection in data sharing systems.


Related works
Existing literatures have achieved much progress in ABE with respect to fine-grained access control (Goyal et al. 2006;Waters 2011;Bethencourt et al. 2007;Goyal et al. 2008), user flexible revocation (Hur and Noh 2011;Yu et al. 2011) and attribute based signcryption (Wang and Huang 2011), etc. Meanwhile, ABE has been widely designed for providing data protection in various network systems such as personal health record system (Li and Yu 2013), body area networks (Hu and Zhang 2013;Tan et al. 2011), wireless sensor networks (Yu et al. 2011), cloud computing (Yang et al. 2012). However, these schemes may not be entirely realistic to be applied to some application scenarios thanks to the heavy computation cost from bilinear pairing operations. Take the proposed scheme in Xhafa et al. (2015) for instance, if the number of attributes involved in encryption is n, then the decryption will take 4n times of pairing operations, which will bring a heavy computation burden on terminal devices. Consequently, to further improve the efficiency and performance of ABE, the number of pairing operations should be reduced, even totally eliminated.
Besides efficiency, key exposure protection is another issue urgently to be solved in ABE. Many existing schemes have guaranteed forward and backward security when attribute revocation happens by introducing a proxy re-encryption server (Hur and Noh 2011;Yu et al. 2010). However, these schemes only focus on the key regeneration of the revoked users, but neglect the key updating for non-revoked users. If a nonrevoked user's private key leaks, the confidentiality of the system will be threatened since the leaked private key is still a valid one. In fact, in attribute based cryptosystem, key refreshing is more important since either attribute revocation or private key exposure protection calls for frequent key-updating. Xu and Martin (2012) proposed an ABE scheme with secure key refreshing in, but their scheme has to regenerate the master key and public parameters in the system, this will bring about much more computation overheads when key updating happens. Key-insulation (Dodis et al. 2002) is a promising tool to guarantee forward and backward security as well as achieving high efficiency of key updating. In this mechanism, the lifetime of the system is divided into discrete periods. The public key remains unchanged throughout the lifetime, while temporary secret keys are updated periodically. Key-insulation mechanism can provide full security when user's private key exposure happens and it has been designed for effective key exposure protection in identity based cryptosystem (Zhu et al. 2014), certificateless cryptosystem (Chen et al. 2015), etc. The advantage of key-insulation mechanism can also be combined into attribute based cryptosystem and propose a key-insulated ABE scheme with efficient and secure key updating.

Hardness assumptions
(a) Discrete logarithm assumption (DL): Given X, P ∈ G, it is computational infeasible to calculate the value of a (a ∈ Z * q ) such that X = aP with a non-negligible probability within probabilistic polynomial-time.

(b) Computational Diffie-Hellman assumption (CDH):
For a, b ∈ Z * q , given (p, ap, bp), it is computational infeasible to calculate the value of abp with a non-negligible probability within probabilistic polynomial-time.

A real world example of KI-ABE-WP
One typical application of our KI-ABE-WP is the mobile communication system, which can be illustrated in Fig. 1. It consists of six entitles: AA, key helper, base station, data centre, data sender and receiver. Base station and data centre are hardware architectures which are responsible for mobile communications and file storage. AA generates initial attribute private keys for each user in the system and the private key corresponds with an access structure. Data sender and receiver are the two sides of communication, data sender encrypts the file with a set of attributes, while a receiver can decrypt the ciphertext if the attributes used for encryption match with the access structure he owns. When system evolves into a new time period, users in the system update their private keys to the latest version with the assistance of key helper. Due to the elimination of bilinear pairing operations, the proposed KI-ABE-WP will relieve the terminal devices from heavy computation burden, thus improving the efficiency and performance of the whole system.

Formalized definition of the algorithms in KI-ABE-WP
Our KI-ABE-WP consist of five algorithms: Setup(1 λ ){PK, MK} This algorithm takes a security parameter λ as input and outputs the public parameter PK and master key MK. PK is shared by users while MK is kept private by AA.

Security model of KI-ABE-WP
Definition Our KI-ABE-WP scheme is secure under chosen ciphertext attacks if there exists an Adversary has non-negligible advantage in the following game played by a Challenger and an Adversary.
Phase 1 Setup Challenger runs Setup procedure to obtain the system parameters PK and master keys MK. It sends PK to Adversary.
Phase 2 Queries Adversary can make the following queries to Challenger.
Initial private key generation query Challenger can obtain user's initial private key D γ ,TP 0 by running Initial private key generation algorithm and returns the result back to Adversary.
Temporal private key generation query Challenger can obtain user's temporal private key at the current time period and returns the result D γ ,TP n back to Adversary.
Decrypt query Adversary can ask Decrypt query for ciphertext CT. Challenger runs Decrypt algorithm and returns the results to Adversary.
Phase 3 Challenge Adversary chooses two plaintexts M 0 and M 1 and a challenging access structure γ * at current time period.
During the whole process of the challenge game: Adversary cannot ask Challenger for Decrypt query of M 0 and M 1 . Adversary cannot ask Challenger for Temporal private key generation query for the challenging structure γ * .
If σ * = σ then Adversary wins the game.

Setup
Let G to be a cyclic addition group. Denote q and p to be the prime order and generator of G respectively. AA defines a global attribute set {A i } and picks t i ∈ Z * q for each attribute in {A i }. Let T i = t i p to be the public key of A i . Picks k n ∈ Z * q for each time period TP n in the system lifetime. Let K n = k n p. Chooses a secret number y ∈ Z * q and calculates Y = yp. Define two hash functions The system public parameters are {G, q, p, A i , T i , K n , Y , H 1 , H 2 } and the system master keys are {t i , y, k n }.

Initial private key generation
AA randomly chooses a polynomial q x for each node x in the user's access tree γ. Denote d x to be the degree of q x and thr x to be the threshold value node. Let d x = thr x − 1. For the root node AA sets q root (0) = y. For any other node (except for root node) in the access tree, let q parent(x) . The initial attribute private key at time period TP 0 for access structure γ can be denoted by TD γ ,

Key updating
When time period evolves from TP n to TP n+1 , AA calculates the updated key component U γ ,TP n+1 = (k n+1 · H 1 (T i , TP n+1 ) − k n · H 1 (T i , TP n ), i ∈ γ ) and transfers it to user. User calculates TD γ ,TP n+1 = TD γ ,TP n + U γ ,TP n+1 as the temporal private key at time period TP n+1 .

Encrypt
At time period TP n , for a plaintext M,data sender picks a random number s ∈ Z * q and calculates: Then data sender sends CT = {C 1 , C 2 , C 3 , C 4 } to data receiver.

Correctness proof
If x is a leaf node, the calculation process is as follows: All the value calculated from DecryptNode(x, TD γ ,TP n , C 1 , C 2 , C 3 ) will be stored as F z . For any F z ≠ 0,the algorithm calculates F root (the value of root node) using Lagrange interpolation method.
If x is a non-leaf node, z is the child node of x, then the algorithm calculates the value of DecryptNode(x, TD γ ,TP n , C 1 , C 2 , C 3 ) as follows: Since the value of DecryptNode(x, TD i,TP n , C 1 , C 2 , C 3 ) = q x (0) · sp, whether x is a leaf node or non-leaf node, consequently, the value of root node F root and the plaintext M can be calculated by:

Security proof
Theorem If the proposed KI-ABE-WP can be broken by an Adversary in the random oracle model, then a Simulator can be constructed to break the CDH hardness assumption in group G successfully with a non-negligible advantage.
Proof In the challenge game, if there exists an Adversary can break our KI-ABE-WP with an advantage (t, ɛ) in the random oracle model, then there exists a Simulator which can break the CDH assumption with an advantage of ε ′ which satisfies: t ′ ≤ t + n q p + q i + q t + 2q d + 3 + 4 · t sm + n(2q i + 2q t + 2q d + 2) · t a ε ′ ≥ ε e(q d + 1) · q i · q H 1 2 l q t · q p 2 l 1+q i In the lemma (6), q p , q H 1 , q i , q t , q d are the maximum numbers of Public key generation query, H 1 query, Initial private key generation query, Temporal private key generation query and Decrypt query respectively. Denote t sm and t a to be the time consumption for running a scalar multiplication operation and an addition operation respectively. The process of the challenge game is as follows: Phase 1 Setup: Challenger sets the parameters as follows: Defines a global attribute set {A i }. Let G be a cyclic addition group with prime order q. The generator of group G is denoted by p. Defines two hash functions: The aim of Simulator is to calculate the value of abp according to the process of the challenge game. Simulator plays the role of Challenger and runs Adversary as a sub-program.
Phase 2 Queries: The proof skills used in our scheme resembles the method which has been proposed in Coron (2000). Without loss of generality, supposing that Adversary will make Public key generation query for an attribute A i before making Initial private key generation query, Temporal private key generation query and Decrypt query to Simulator.
Then Adversary makes the following queries to Simulator: Public key generation query: Simulator maintains a list L p {A i , γ, c, t i , T i }. When Adversary asks a Public key generation query for A i in the γ. Simulator responds as follows: Checks if A i has already existed in the list L p . If so, Simulator returns the result of T i to Adversary. If not, Simulator picks a biased coin c ∈ {0, 1} l at random and sets Pr[c = 0] = θ while Pr[c = 1] = 1 − θ. When c = 0, Simulator chooses t i ∈ Z * q and sets T i = t i p. Otherwise let T i = t i X. Simulator adds the tuple {A i , γ, c, t i , T i } into L p and sends T i to Adversary.
H 1 query: Simulator maintains a list L H 1 {A i , γ , T i , TP n , H 1 (T i , TP n )}. When Adversary asks a H 1 query for A i , Simulator responds as follows: Checks if A i has already existed in L H 1 . If so, Simulator sends the result back to Adversary. If not, Simulator calculates the value of H 1 (T i , TP n ) and adds it into the L H 1 .
Initial private key generation query: Simulator maintains a list L i {A i , γ , TD γ ,TP 0 }. When Adversary asks a Initial private key generation query for γ, Simulator responds as follows: Checks if γ exists in the list L p {A i , γ, c, t i , T i }. If not, Simulator aborts the challenge game and outputs failure. We denote this incident by E 1 .
Otherwise, Simulator randomly chooses a polynomial q x for each node x in the user's access tree γ. Denote d x to be the degree of q x and thr x to be the threshold value node. Let d x = thr x − 1. For any other node (except for root node) in the access tree, let q x (0) = q index(x) parent(x) . Simulator chooses k 0 ∈ Z * q and sets initial private key TD γ ,TP 0 = {q x (0) + t i + k 0 · H 1 (T i , TP 0 ), i ∈ γ }. Then simulator adds the tuple into L i and sends TD γ ,TP 0 to Adversary.
Temporalprivatekeygenerationquery:Simulator maintains a list L t A i , γ , TP n , TD γ ,TP n . When Adversary asks a Temporal private key generation query for γ, Simulator responds as follows: Checks γ in the list L i {A i , γ , TD γ ,TP 0 }. If γ does not exist in L i , Simulator aborts the challenge game and outputs failure. We denote this incident by E 2 .
Checks L H 1 {A i , γ , T i , TP n , H 1 (T i , TP n )}.. If the tuple {γ, A i } does not exist in L H 1 , Simulator aborts the challenge game and outputs failure. We denote this incident by E 3 .
Decrypt query: Simulator maintains a list L D {A i , γ, CT = {C 1 , C 2 , C 3 , C 4 }, M}. When Adversary asks a Decrypt query for {A i , γ, CT = {C 1 , C 2 , C 3 , C 4 }}, Simulator responds as follows: Checks Simulator aborts the game and outputs failure. We denote this incident by E 4 .
Otherwise, Simulator recovers TD γ ,TP n from L t {A i , γ , TP n , TD γ ,TP n } and calculates Simulator sends the result to Adversary and adds the tuple into L D {A i , γ, CT = {C 1 , C 2 , C 3 , C 4 }, M}.
Phase 3 Challenge: Adversary outputs two plaintext M 0 and M 1 with a challenging access structure γ* at the current time period TP n .
Simulator checks if γ* exists in the list L p {A i , γ, c, t i , T i }. If not, Simulator aborts the challenge game and outputs failure. We denote this incident by E 5 . If γ* exists in the list L p {A i , γ, c, t i , T i } and c = 0, Simulator aborts the challenge game and outputs failure. We denote this incident by E 6 .
Then we will analyse the time complexity of Simulator in breaking CDH assumption in group G.
From the description, assuming the average number of attributes involved is "n", for each request of Public key generation query, Initial Private key generation query, Temporal private key generation query and Decrypt query, Simulator has to run n times of multiplication operation, n times of multiplication operation and 2n times of addition operation, n times of multiplication operation and 2n times of addition operation, 2n times of multiplication operation and 2n times of addition operation respectively.
During the Challenge phase, Simulator has to run (3n + 4) times of multiplication operation and 2n times of addition operation. (7) Denote t sm , t a to be the time consumption of scalar multiplication operation and addition operation in group G respectively. From what has been discussed above, the total time complexity of Simulator t′ satisfies: Next we will discuss the advantage of Simulator in breaking the CDH assumption. During the process of the challenge game, the responses of Initial Private key generation query, Temporal private key generation query and Decrypt query return to Adversary are valid and indistinguishable if E1, E2, E3, E4 do not happen. Furthermore, if Adversary succeeds in distinguishing M σ and E5, E6 do not happen, then Simulator is capable of breaking the CDH assumption.
Next we will calculate the probability of the incidents discussed above.
According to the process of queries phase, the probability of E4 and E6 not occurring can be denoted by lemma (9): The value of Pr E4 ∩ E6 is maximized in lemma (10) Since the responses of Public key generation query act as random oracle model, consequently, the probability of E1 and E5 not occurring can be denoted by lemma (11): Likewisely, the probability of E2 and E3 not occurring can be denoted by lemma (12): Taking all the probabilities of the above incidents into account, it can be figured out that if Adversary successfully attacks our scheme with an advantage ɛ, then a Simulator can break the CDH assumption in group G with an advantage of ɛ′ which satisfies:

Secure and efficient key updating
Our scheme achieves both secure and efficient key updating. According to the Keyupdating algorithm, the updated key component for attribute A i at time period TP n+1 is calculated as U γ ,TP n+1 = (k n+1 · H 1 (T i , TP n+1 ) − k n · H 1 (T i , TP n ), i ∈ γ ). Since a user cannot obtain the value of k n+1 , k n , it is computational infeasible for him to calculate the value of U γ ,TP n+1 and update his private keys. Without loss of generality, when a user's private key TD γ ,TP n was leaked during the time period TP n , the system still maintains safe after TP n since all the private keys have been securely updated.
With respect to the computation cost, key updating for a single attribute at a discrete period only needs one multiplication operation, one addition operation and 1 H 1 operation. Besides, the system parameters remain unchanged throughout different time periods and this will reduce more the communication overheads.

Performance analysis
In this paper, assuming that the number of attributes involved in encryption is n, according to the algorithms discussed above, the Encrypt algorithm will take (n + 3) times of multiplication operations, one addition operation and one H 2 operation, while the Decrypt algorithm will take 2n times of multiplication operations, 2n times of addition operations and 1 H 2 operation. Detailed computation costs of each algorithm is listed in Table 1. From Table 1, it can be seen that the total computation efficiency is much higher in our scheme compared to current ABE schemes since bilinear pairing operations have been totally eliminated.

Conclusion
In this paper, we combine the advantage of key-insulation mechanism with ABE and propose a high efficient key-insulated ABE algorithm without pairings (KI-ABE-WP). During the running of algorithms in our scheme, users and AA needn't run any bilinear pairing operations. The high efficiency and proved security make our scheme more appropriate for data sharing in network systems, especially those with limited computing capacity such as wireless sensor networks, mobile communication system, etc.
Our future research should focus on the ABS (attribute based signature) without pairing operations, which provides secure data authentication with higher efficiency than current ABS schemes.