Flexible Attribute-Based Encryption Applicable to Secure E-Healthcare Records
Bo Qin, Hua Deng, Qianhong Wu, Josep Domingo-Ferrer, David Naccache, Yunya Zhou
Abstract
In e-healthcare record systems (EHRS), attribute-based encryption (ABE) appears as a natural way to achieve fine-grained access control on health records. Some proposals exploit key-policy ABE (KP-ABE) to protect privacy in such a way that all users are associated with specific access policies and only the ciphertexts matching the users' access policies can be decrypted. An issue with KP-ABE is that it requires an a priori formulation of access policies during key generation, which is not always practicable in EHRS because the policies to access health records are sometimes determined after key generation. In this paper, we revisit KP-ABE and propose a dynamic ABE paradigm, referred to as access policy redefinable ABE (APR-ABE). To address the above issue, APR-ABE allows users to redefine their access policies and delegate keys for the redefined ones; hence a priori precise policies are no longer mandatory. We construct an APR-ABE scheme with short ciphertexts and prove its full security in the standard model under several static assumptions.

Bo Qin, Renmin University of China, No. 59, Zhongguancun Street, Haidian District, Beijing, China
Hua Deng, School of Computer, Wuhan University, Wuhan, China
Qianhong Wu (corresponding author), School of Electronic and Information Engineering, Beihang University, XueYuan Road No. 37, Haidian District, Beijing, China. Tel.: 0086 10 8233 9469. E-mail: [email protected]
Josep Domingo-Ferrer, Universitat Rovira i Virgili, Department of Computer Engineering and Mathematics, UNESCO Chair in Data Privacy, E-43007 Tarragona, Catalonia
David Naccache, École normale supérieure, Département d'informatique, 45 rue d'Ulm, F-75230 Paris Cedex 05, France
Yunya Zhou, School of Electronic and Information Engineering, Beihang University, XueYuan Road No. 37, Haidian District, Beijing, China
Keywords
E-Healthcare records · Privacy · Access control · Attribute-based encryption
arXiv [cs.CR]

1 Introduction

Attribute-based encryption (ABE) provides fine-grained access control over encrypted data by using access policies and attributes embedded in secret keys and ciphertexts. ABE cryptosystems [19] fall into two categories: key-policy ABE (KP-ABE) [8] systems and ciphertext-policy ABE (CP-ABE) [3] systems. In a CP-ABE system, the users' secret keys are associated with sets of attributes, and a sender generates a ciphertext with an access policy specifying the attributes that the decryptors must have. Alternatively, in a KP-ABE system, the users' secret keys are labeled with access policies and the sender specifies a set of attributes; only the users whose access policies match the attribute set can decrypt.

ABE requires a priori access policies, which are not always available. This may limit its applications in practice. The following scenario illustrates our point.

In an e-healthcare record system (EHRS), Alice's health records are encrypted by the doctors whom she consulted before. When Alice authorizes some doctors to access her encrypted medical records, she may not have sufficient expertise to precisely determine which doctors should access the records. Instead, according to her experience and common sense, she may specify a policy saying that the doctor ought to be a medicine professor with five years of working experience from the hospitals she knows. After a matching doctor Bob sees Alice's medical materials, Bob finds that Alice has something wrong with her heart. Hence, a cardiologist's advice must be sought; thus, a cardiologist (who can be a professor or not) must be allowed to see Alice's documents.
In this application, the main obstacle to applying ABE is that Alice, serving as the key generation authority, cannot generate secret keys for access policies that are a priori "carved in stone", because she does not clearly know which experts are necessary for her diagnosis.

In fact, the access policy must be dynamically modified. That is, authorized users must be able to redefine their access policies and then delegate secret keys for the redefined access policies to other users. For instance, in the above motivating scenario, Alice first authorizes doctors with some general attributes to access her encrypted medical records. After the matching doctor makes a preliminary diagnosis and finds something wrong with Alice's heart, the doctor redefines his access policy to involve some special attributes (e.g. specialty: cardiologist) and delegates a key for the redefined access policy to the specialist. In this way, a priori precise access policies are not mandatory during key generation because they can be later redefined in delegation.

There are already some ABE schemes supporting delegation. The CP-ABE schemes in [3,7,21] allow users to delegate more restricted secret keys, that is, keys for attribute sets that are subsets of the original ones. In KP-ABE, the schemes proposed in [8,13,6,18] provide a delegation mechanism, but all of them require that the access policy to be delegated be more restrictive. This limited delegation functionality is often insufficient: for example, in the motivating application above Bob should be able to delegate to a cardiologist even if Bob is not a cardiologist himself. Limiting the user to delegating keys for other users associated with more restrictive access policies is too rigid.

The challenge of providing appropriate delegation for the applications above has to do with the underlying secret sharing scheme. In most KP-ABE schemes ([8,13,18]), secret sharing schemes are employed to share a secret in key generation and reconstruct the secret during decryption. In the key generation, each attribute involved in the access policy needs to be associated with a secret share. If there are new attributes in the target access policy to be delegated to, users cannot delegate a secret key for the access policy since they are unable to generate shares for the new attributes without knowing the secret. This is why the above-mentioned KP-ABE schemes require the delegated access policy to be more restrictive than the original one. This hinders applying them to the motivating application, where the doctor with general attributes would like to delegate his access rights to a doctor associated with new special attributes.

1.1 Our Work

We propose a dynamic primitive referred to as access policy redefinable ABE (APR-ABE). The functional goal of APR-ABE is to provide a more dynamic delegation mechanism. In an APR-ABE system, users can play the role of the key generation authority by delegating secret keys to their subordinates. The delegation does not require the redefined access policy to be more restrictive than the one of the delegating key.

Noting that attributes are very often hierarchically related in the real world, we arrange the attribute universe of APR-ABE in a matrix. For example, we can place the attribute "Internal medicine" at a higher level of the matrix than the attribute "Cardiologist". Due to this arrangement, the notion of attribute vector naturally comes up: an attribute vector can be generated by picking single attributes from upper levels to lower levels. By using attribute vectors, we can realize a delegation that allows new attributes to be added into the original access policy and a secret key to be delegated for the resulting policy. This delegation is similar to the one of hierarchical identity-based encryption (HIBE, [4]), but with the difference that only delegation to the attributes consistent with the attribute matrix is allowed.

We present an APR-ABE framework based on KP-ABE and define its full security. In APR-ABE, the users' secret keys are associated with an access structure formalized by attribute vectors. Users at higher levels can redefine their access structures and then delegate secret keys to others in lower levels without the constraint that the redefined access structures of the delegated keys be more restrictive. Ciphertexts are generated with sets of attribute vectors, and decryption succeeds if and only if the attribute set of a ciphertext satisfies the access structure associated with a secret key, just as in ordinary KP-ABE. In full security, a strong security notion in ABE systems, an adversary is allowed to access public keys, create attribute vectors and query secret keys for specified access structures. Full security states that not even such an adversary can get any useful information about the plaintext encrypted in a ciphertext, provided that he does not have the correct decryption key.

We construct an APR-ABE scheme by employing a linear secret sharing scheme (LSSS). An LSSS satisfies linearity, that is, new shares generated by multiplying existing shares by random factors can still reconstruct the secret (once the corresponding rows of the share-generating matrix are scaled by the same factors). Hence, when delegating to new attributes, we create new attribute vectors by combining new attributes with existing attribute vectors and we generate shares for the new attribute vectors by randomizing the shares of the existing vectors. In this way, all attribute vectors in the redefined access structure obtain functional shares and the access structure need not be more restrictive than the one of the delegating key.

One may attempt to trivially construct APR-ABE from HIBE by directly setting each attribute vector as the identity vector in HIBE. However, this trivial construction would suffer from collusion attacks because a coalition of users may collude to decrypt ciphertexts sent to none of them, even though the access structure of none of the colluders matches the attribute sets of the concerned ciphertexts. The proposed APR-ABE scheme withstands this kind of collusion attack by associating random values to the secret keys of users. The proposed APR-ABE scheme has short ciphertexts and is proven to be fully secure in the standard model under several static assumptions.

APR-ABE can provide an efficient solution to the motivating application. General attributes can be placed in the first level and more specific, professional attributes in the next level. Alice authorizes doctors to access her medical records by specifying access policies in terms of general attributes. These authorized doctors can redefine their access policies in terms of professional attributes and they can delegate keys to other doctors.
The matching doctors then can read Alice's records if their general and specific professional attributes match those specified by the doctors who encrypted Alice's health records.

1.2 Applying APR-ABE to EHR Systems

Our APR-ABE can be applied to EHR systems to circumvent the issue of a priori formulation of access policies. The APR-ABE solution relies on cleverly designed attribute hierarchies. We can arrange the attribute universe in a matrix such that general attributes like hospital name (for example "Hospital A", "Hospital B"), title (for example "Professor") or working years are placed in the first level, while specific professional attributes of doctors (typically their medical specialty, with values like "Cardiologist", "Gastroenterologist", etc.) are placed in the next level. When delegating, doctors matching general attributes can redefine their access policies in terms of professional attributes. We now describe how APR-ABE works in such a setting in an EHR system.

As depicted in Fig. 1, an EHR system employs a health record repository to store patients' health records. To protect privacy, all health records are encrypted by the doctors who make diagnoses. Suppose that Alice's health records are encrypted with an attribute set S = {Hospital A, Cardiologist, Professor, Working years ≥ }. When Alice feels sick, she wants to authorize some doctors to read her health records. However, she may not know what exact experts are necessary for her diagnosis. Instead of generating secret keys for all doctors of Hospital A, Alice specifies an access policy A = {Hospital A AND Professor AND Working years ≥ } and generates a secret key SK_A for a doctor matching this access policy. The matching doctor then makes a preliminary diagnosis on Alice's health records. Upon finding that Alice has a heart condition, the doctor redefines the access policy A to seek greater specialization, A' = {{Hospital A, Cardiologist} AND Professor AND Working years ≥ }, and delegates a secret key for A'. Since the set S associated with Alice's health records satisfies access structure A', the doctor with A' can decrypt and read Alice's health records.

Fig. 1 Application to EHR systems

We note that the pair of attributes {Hospital A, Cardiologist} that appears in A' is treated as an attribute vector in our APR-ABE. Thus in the redefinition of A as A', the new attribute "Cardiologist" can be added, that is, the delegation is not more restrictive.

1.3 Paper Organization

The rest of this paper is organized as follows. We recall the related work in Section 2. Section 3 reviews the necessary background for our APR-ABE construction. We formalize APR-ABE and define its security in Section 4. Section 5 proposes an APR-ABE scheme and proves its security in the standard model. Finally, we conclude the paper in Section 6.

2 Related Work

ABE is a versatile cryptographic primitive allowing fine-grained access control over encrypted files. ABE was introduced by Sahai and Waters [19]. Goyal et al. [8] formulated two complementary forms of ABE, i.e., Key-Policy ABE and Ciphertext-Policy ABE, and presented the first KP-ABE scheme. The first CP-ABE scheme was proposed by Bethencourt et al. in [3], although its security proof relies on the generic bilinear group model. Ostrovsky et al. [17] developed a KP-ABE scheme to handle any non-monotone structure; hence, negated clauses can be included in the policies. Waters [21] presented a CP-ABE construction that allows any attribute access structure to be expressed by a Linear Secret Sharing Scheme (LSSS). Attrapadung et al. [1] gave a KP-ABE scheme permitting non-monotone access structures and constant-size ciphertexts. To reduce decryption time, Hohenberger and Waters [9] presented a KP-ABE with fast decryption.
The flexible encryption property of ABE made it widely adopted in e-healthcare record systems. Li et al. [15] leveraged ABE to encrypt personal health records in cloud computing and exploited multi-authority ABE to achieve a high degree of privacy of records. Yu et al. [24] adopted and tailored ABE for wireless sensors of e-healthcare systems. Liang et al. [16] also applied ABE to secure private health records in health social networks. In their solution, users can verify each other's identifiers without seeing sensitive attributes, which yields a high level of privacy. Noting that the application of KP-ABE to distributed sensors in e-healthcare systems introduces several challenges regarding attribute and user revocation, Hur [10] proposed an access control scheme using KP-ABE that has efficient attribute and user revocation capabilities.

In order to allow delegation of access rights to encrypted data, some ABE schemes support certain key delegation. The CP-ABE schemes [3,7,21] allow users to delegate to attribute sets that are subsets of the original ones. Since a secret sharing scheme is used in key generation, delegation in KP-ABE is more complicated. Goyal et al. [8] adopted Lagrange interpolation to realize secret sharing and achieved a KP-ABE with selective security. This scheme supports key delegation while requiring the tree structures of delegated keys to be more restrictive than the one of the delegating key when new attributes are introduced. Lewko and Waters [13] presented a fully secure KP-ABE which employs a more general LSSS matrix to realize secret sharing. This KP-ABE allows key delegation while requiring the redefined access policy to be either equivalent to the original access policy or more restrictive when new attributes need to be added. The KP-ABE in [18] is an improvement of Lewko and Waters' KP-ABE and inherits its delegation, which is hence limited as well. Recently, Boneh et al. [6] proposed an ABE where access policies are expressed as polynomial-size arithmetic circuits. Their system supports key delegation but the size of the secret keys increases quadratically with the number of delegations.

There are some works resolving delegation in different applications. To achieve both fine-grained access control and high performance for enterprise users, Wang et al. [23] proposed a solution that combines hierarchical identity-based encryption with CP-ABE to allow a performance-expressivity tradeoff. In that scheme, various authorities rather than attributes are hierarchically organized in order to generate keys for users in their domains. Wan et al. [22] extended ciphertext-policy attribute-set-based encryption with a hierarchical structure of users to achieve scalability and flexibility for access control in cloud computing systems. Li et al. [14] enhanced ABE by organizing attributes in a tree-like structure to achieve delegation, which is similar to our arrangement of attributes; however, their delegation is still limited to increasingly restrictive access policies. Besides, the security of the scheme in [14] is only selective. Indeed, all these schemes are proposed to adapt ABE for specific applications, while our APR-ABE aims at permitting users to redefine their access policies and delegate secret keys in a way that does not need to be increasingly restrictive.
3 Preliminaries

In this section, we overview access structures, linear secret sharing schemes (LSSS), composite-order bilinear groups equipped with a bilinear map, and several complexity assumptions.

3.1 Access Structures [2]

Definition 1 Let $\{P_1, P_2, \dots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, P_2, \dots, P_n\}}$ is monotone if for all $B, C$ we have that $C \in \mathbb{A}$ holds if $B \in \mathbb{A}$ and $B \subseteq C$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\{P_1, P_2, \dots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, P_2, \dots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

In traditional KP-ABE, the role of the parties is played by the attributes. In our APR-ABE, the role of the parties is taken by attribute vectors. Then an access structure is a collection of sets of attribute vectors. We restrict our attention to monotone access structures in our APR-ABE. However, we can realize general access structures by having the negation of an attribute as a separate attribute, at the cost of doubling the number of attributes in the system.

3.2 Linear Secret Sharing Schemes [2]

Definition 2 A secret-sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is called linear (over $\mathbb{Z}_p$) if
1. The shares for each party form a vector over $\mathbb{Z}_p$.
2. There exists a matrix $A$ called the share-generating matrix for $\Pi$, where $A$ has $l$ rows and $n$ columns. For all $i = 1, \dots, l$, the $i$-th row of $A$ is labeled by a party $\rho(i)$, where $\rho$ is a function from $\{1, \dots, l\}$ to $\mathcal{P}$. When we consider the column vector $\vec{s} = (s, s_2, \dots, s_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $s_2, \dots, s_n \in \mathbb{Z}_p$ are randomly chosen, then $A\vec{s}$ is the vector of $l$ shares of the secret $s$ according to $\Pi$. Let $A_i$ denote the $i$-th row of $A$; then $\lambda_i = A_i \cdot \vec{s}$ is the share belonging to party $\rho(i)$.

Linear Reconstruction. [2] shows that every LSSS $\Pi$ enjoys the linear reconstruction property. Suppose $\Pi$ is the LSSS for access structure $\mathbb{A}$ and $S$ is an authorized set in $\mathbb{A}$, i.e., $\mathbb{A}$ contains $S$. There exist constants $\{\omega_i \in \mathbb{Z}_p\}$, which can be found in time polynomial in the size of the share-generating matrix $A$, such that if $\{\lambda_i\}$ are valid shares of $s$, then $\sum_{i \in I} \omega_i \lambda_i = s$, where $I = \{i : \rho(i) \in S\} \subseteq \{1, \dots, l\}$.

3.3 Composite-order Bilinear Groups

Suppose that $\mathcal{G}$ is a group generator and $\ell$ is a security parameter. Composite-order bilinear groups [5] can be defined as $(N = p_1 p_2 p_3, G, G_T, e) \leftarrow \mathcal{G}(1^\ell)$, where $p_1$, $p_2$ and $p_3$ are three distinct primes, both $G$ and $G_T$ are cyclic groups of order $N$, and the group operations in both $G$ and $G_T$ are computable in time polynomial in $\ell$. A map $e : G \times G \to G_T$ is an efficiently computable map with the following properties.
1. Bilinearity: for all $a, b \in \mathbb{Z}_N$ and $g, h \in G$, $e(g^a, h^b) = e(g, h)^{ab}$.
2. Non-degeneracy: there exists $g \in G$ such that $e(g, g)$ has order $N$ in $G_T$.
Let $G_{ij}$ denote the subgroup of order $p_i p_j$ for $i \neq j$, and $G_1$, $G_2$, $G_3$ the subgroups of order $p_1$, $p_2$, $p_3$ in $G$, respectively.
The orthogonality property of $G_1$, $G_2$, $G_3$ is defined as:

Definition 3 For all $u \in G_i$, $v \in G_j$, it holds that $e(u, v) = 1$, where $i \neq j \in \{1, 2, 3\}$.

The orthogonality property is essential in our constructions and security proofs.

3.4 Complexity Assumptions

We now list the complexity assumptions which will be used to prove the security of our scheme. These assumptions were introduced by [12] to prove fully secure HIBE and they were also employed by some ABE schemes (e.g., [11,13]) to attain full security.

Assumption 1 Let $(N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G}(1^\ell)$. Define a distribution
$g \xleftarrow{R} G_1;\quad X_3 \xleftarrow{R} G_3;\quad D = (G, g, X_3);\quad T_1 \xleftarrow{R} G_{12};\quad T_2 \xleftarrow{R} G_1.$
The advantage of an algorithm $\mathcal{A}$ in breaking Assumption 1 is defined as
$\mathrm{Adv1}_{\mathcal{A}}(\ell) = \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right|.$
Assumption 1 holds if $\mathrm{Adv1}_{\mathcal{A}}(\ell)$ is negligible in $\ell$ for any polynomial-time algorithm $\mathcal{A}$.

Assumption 2 Let $(N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G}(1^\ell)$. Define a distribution
$g, X_1 \xleftarrow{R} G_1;\quad X_2, Y_2 \xleftarrow{R} G_2;\quad X_3, Y_3 \xleftarrow{R} G_3;\quad D = (G, g, X_1 X_2, X_3, Y_2 Y_3);\quad T_1 \xleftarrow{R} G;\quad T_2 \xleftarrow{R} G_{13}.$
The advantage of an algorithm $\mathc{A}$ in breaking Assumption 2 is defined as
$\mathrm{Adv2}_{\mathcal{A}}(\ell) = \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right|.$
Assumption 2 holds if any polynomial-time algorithm $\mathcal{A}$ has $\mathrm{Adv2}_{\mathcal{A}}(\ell)$ negligible in $\ell$.

Assumption 3 Let $(N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G}(1^\ell)$. Define a distribution
$\alpha, s \xleftarrow{R} \mathbb{Z}_N;\quad g \xleftarrow{R} G_1;\quad X_2, Y_2, Z_2 \xleftarrow{R} G_2;\quad X_3 \xleftarrow{R} G_3;\quad D = (G, g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2);\quad T_1 = e(g, g)^{\alpha s};\quad T_2 \xleftarrow{R} G_T.$
The advantage of an algorithm $\mathcal{A}$ in breaking Assumption 3 is defined as
$\mathrm{Adv3}_{\mathcal{A}}(\ell) = \left|\Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]\right|.$
Assumption 3 holds if any polynomial-time algorithm $\mathcal{A}$ has $\mathrm{Adv3}_{\mathcal{A}}(\ell)$ negligible in $\ell$.

4 Formalization of APR-ABE

4.1 Attribute Matrix and Attribute Vectors

We arrange the attribute universe $U$ in a matrix with $L$ rows and $D$ columns, that is,
$U = (u_{i,j})_{L \times D} = (U_1, \dots, U_i, \dots, U_L)^T,$
where $U_i$ is the $i$-th row of $U$ and contains $D$ attributes, and $M^T$ denotes the transposition of a matrix $M$. We note that there may be some empty attributes in the matrix. In that case, we use a special character "$\emptyset$" to denote the empty attributes.

The attribute matrix naturally leads to the notion of attribute vector. We define an attribute vector of depth $k$ ($1 \le k \le L$) as $\vec{u} = (u_1, u_2, \dots, u_k)$, where $u_i \in U_i$ for each $i$ from 1 to $k$. This means that an attribute vector of depth $k$ is formed by sampling single attributes from the first level to the $k$-th level. We note that each attribute $u_i$ actually corresponds to two subscripts $(i, j)$ denoting its position in the attribute matrix, but we drop the second subscript $j$ here to simplify notation.

We next define a set of attribute vectors. Let $S = \{\vec{u}\}$ denote a set of attribute vectors of depth $k$ and $|S|$ denote the set's cardinality.

For an attribute vector $\vec{u}'$ of depth $i$ and another attribute vector $\vec{u}$ of depth $k$, we say that $\vec{u}'$ is a prefix of $\vec{u}$ if $\vec{u} = (\vec{u}', u_{i+1}, u_{i+2}, \dots, u_k)$, where $1 \le i < k \le L$.

As in Definition 1, we can define $\mathbb{A}$ as an access structure over attribute vectors of depth $k$ such that $\mathbb{A}$ is a collection of non-empty subsets of the set of all attribute vectors of depth $k$.
If for a set $S$ the condition $S \in \mathbb{A}$ holds, then we say that $S$ is an authorized set in $\mathbb{A}$ and $S$ satisfies $\mathbb{A}$.

In an APR-ABE system, a secret key associated with an access structure $\mathbb{A}$ can decrypt a ciphertext generated with a set $S$ of attribute vectors if and only if $S \in \mathbb{A}$. A secret key associated with an access structure $\mathbb{A}'$ is allowed to delegate a secret key for an access structure $\mathbb{A}$ if these two access structures satisfy a natural condition. That is, each attribute vector of a set $S' \in \mathbb{A}'$ must be a prefix of an attribute vector in some set $S \in \mathbb{A}$, and all attribute vectors involved in $\mathbb{A}$ must have prefixes in $\mathbb{A}'$. This guarantees that the user with access structure $\mathbb{A}'$ can use his existing shares to generate shares for the attribute vectors of authorized sets in $\mathbb{A}$. We note that in the delegation there is no requirement that the redefined access structure $\mathbb{A}$ be more restrictive than the original access structure $\mathbb{A}'$ when new attributes are added. This is because those new attributes can be concatenated to the end of existing attribute vectors of $\mathbb{A}'$ instead of being treated as new separate attributes that would need to be assigned new secret shares.

4.2 System Model

An APR-ABE system for message space $\mathcal{M}$ and access structure space $\Gamma$ consists of the following five polynomial-time algorithms:
– $(PK, MSK) \leftarrow \mathrm{Setup}(1^\ell)$: The setup algorithm takes no input other than the security parameter $\ell$ and outputs the public key $PK$ and a master secret key $MSK$.
– $CT \leftarrow \mathrm{Encrypt}(M, PK, S)$: The encryption algorithm takes as inputs a message $M$, the public key $PK$ and a set $S$ of attribute vectors. It outputs a ciphertext $CT$.
– $SK \leftarrow \mathrm{KeyGen}(PK, MSK, \mathbb{A})$: The key generation algorithm takes as inputs an access structure $\mathbb{A}$, the master secret key $MSK$ and the public key $PK$. It outputs a secret key $SK$ for the access structure $\mathbb{A}$.
– $SK \leftarrow \mathrm{Delegate}(PK, SK', \mathbb{A})$: The delegation algorithm takes as inputs the public key $PK$, a secret key $SK'$ for an access structure $\mathbb{A}'$ and another access structure $\mathbb{A}$. It outputs a secret key $SK$ for $\mathbb{A}$ if and only if $\mathbb{A}$ and $\mathbb{A}'$ satisfy the delegation condition.
– $M/\bot \leftarrow \mathrm{Decrypt}(CT, SK, PK)$: The decryption algorithm takes as inputs a ciphertext $CT$ associated with a set $S$ of attribute vectors, a secret key $SK$ for an access structure $\mathbb{A}$, and the public key $PK$. If $S \in \mathbb{A}$, it outputs $M$; otherwise, it outputs the failure symbol $\bot$.

The correctness property requires that for all sufficiently large $\ell \in \mathbb{N}$, all universe descriptions $U$, all $(PK, MSK) \leftarrow \mathrm{Setup}(1^\ell)$, all $\mathbb{A} \in \Gamma$, all $SK \leftarrow \mathrm{KeyGen}(PK, MSK, \mathbb{A})$ or $SK \leftarrow \mathrm{Delegate}(PK, SK', \mathbb{A})$, all $M \in \mathcal{M}$, and all $CT \leftarrow \mathrm{Encrypt}(M, PK, S)$, if $S$ satisfies $\mathbb{A}$, then $\mathrm{Decrypt}(CT, SK, PK)$ outputs $M$.

4.3 Security

We now define full security against chosen access structure and chosen-plaintext attacks in APR-ABE. In practice, malicious users are able to obtain the system public key and, additionally, they may collude with other users by querying their secret keys. To capture these realistic attacks, we define an adversary allowed to access the system public key, create attribute vectors and query secret keys for access structures he specifies. The adversary outputs two equal-length messages and a set of attribute vectors to be challenged. Then full security states that not even such an adversary can distinguish with non-negligible advantage the ciphertexts of the two messages under the challenge set of attribute vectors, provided that he has not queried the secret keys that can be used to decrypt the challenge ciphertext. Formally, the full security of APR-ABE is defined by a game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ as follows.
– Setup: The challenger $\mathcal{C}$ runs the setup algorithm and gives the public key $PK$ to $\mathcal{A}$.
– Phase 1: $\mathcal{A}$ sequentially makes queries $Q_1, \dots, Q_{q_1}$ to $\mathcal{C}$, where $Q_i$ for $1 \le i \le q_1$ is one of the following three types:
  – Create($\mathbb{A}$). $\mathcal{A}$ specifies an access structure $\mathbb{A}$. In response, $\mathcal{C}$ creates a key for this access structure by calling the key generation algorithm, and places this key in the set $\mathcal{K}$, which is initialized to empty. He only gives $\mathcal{A}$ a reference to this key, not the key itself.
  – Delegate($\mathbb{A}$, $\mathbb{A}'$). $\mathcal{A}$ specifies a key $SK'$ associated with $\mathbb{A}'$ in the set $\mathcal{K}$ and an access structure $\mathbb{A}$. If allowed by the delegation algorithm, $\mathcal{C}$ produces a key $SK$ for $\mathbb{A}$. He adds $SK$ to the set $\mathcal{K}$ and again gives $\mathcal{A}$ only a reference to it, not the actual key.
  – Reveal($\mathbb{A}$). $\mathcal{A}$ specifies a key in the set $\mathcal{K}$. $\mathcal{C}$ gives this key to the attacker and removes it from the set $\mathcal{K}$.
– Challenge: $\mathcal{A}$ declares two equal-length messages $M_0$ and $M_1$ and a set $S^*$ of attribute vectors, with the added restriction that for any revealed key $SK$ for access structure $\mathbb{A}$, $S^* \notin \mathbb{A}$, and for any new key $SK'$ for access structure $\mathbb{A}'$ that can be delegated from a revealed one, $S^* \notin \mathbb{A}'$. $\mathcal{C}$ then flips a random coin $b \in \{0, 1\}$ and encrypts $M_b$ under $S^*$, producing $CT^*$. He gives $CT^*$ to $\mathcal{A}$.
– Phase 2: $\mathcal{A}$ sequentially makes queries $Q_{q_1 + 1}, \dots, Q_q$ to $\mathcal{C}$ just as in Phase 1, with the restriction that neither the access structure of any revealed key nor the access structure of any key that can be delegated from a revealed one contains $S^*$.
– Guess: $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$.

The advantage of $\mathcal{A}$ in this game is defined as
$\mathrm{Adv}^{\text{APR-ABE}}_{\mathcal{A}} = \left|\Pr[b = b'] - 1/2\right|.$

We note that the model above is for chosen-plaintext attacks; one can easily extend this model to handle chosen-ciphertext attacks by allowing decryption queries in Phase 1 and Phase 2.
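The following is an added worked example, not code from the paper. It makes concrete the objects of Sections 3.2, 4.1 and 4.2: attribute vectors and the prefix relation, the delegation condition between two access structures, an LSSS share-generating matrix built from a monotone AND/OR formula (by the Lewko-Waters conversion), the reconstruction constants $\omega_i$ of the Linear Reconstruction property, and the rescaling of shares that delegation relies on (Section 5.1). The attribute names, the EHR policies, the prime $P$ and all function names are constructed for the illustration; arithmetic is over $\mathbb{Z}_P$ with $P$ a stand-in for the paper's $p$.

```python
# Added example (not from the paper): attribute vectors over an attribute matrix,
# the delegation condition of Section 4.1, and LSSS sharing and reconstruction
# (Section 3.2) including the rescaled shares that delegation relies on (Section 5.1).
# All names, policies and sample data here are constructed for the illustration.
import random

P = 2**127 - 1  # prime standing in for the paper's p (constructed choice)


def is_prefix(u_prime, u):
    """u' is a prefix of u if u = (u', u_{i+1}, ..., u_k) with depth(u') < depth(u)."""
    return len(u_prime) < len(u) and tuple(u[:len(u_prime)]) == tuple(u_prime)


def satisfies(S, minimal_sets):
    """Monotone access structure given by its minimal authorized sets (Definition 1):
    S satisfies it iff S contains one of them."""
    return any(B <= set(S) for B in minimal_sets)


def delegation_allowed(A_prime, A):
    """Delegation condition of Section 4.1: every vector of A' is a prefix of some
    vector of A, and every vector of A has a prefix in A'."""
    vecs_prime = {u for B in A_prime for u in B}
    vecs = {u for B in A for u in B}
    return (all(any(is_prefix(up, u) for u in vecs) for up in vecs_prime)
            and all(any(is_prefix(up, u) for up in vecs_prime) for u in vecs))


def lsss_matrix(formula):
    """Lewko-Waters conversion of a monotone formula into the share-generating matrix A
    (list of rows) and rho (row index -> attribute vector).
    Nodes: ('AND', a, b), ('OR', a, b), ('LEAF', attribute_vector)."""
    rows, rho, counter = [], [], [1]

    def walk(node, vec):
        if node[0] == 'AND':
            c = counter[0]
            counter[0] += 1
            walk(node[1], vec + [0] * (c - len(vec)) + [1])   # left child: (v | 1)
            walk(node[2], [0] * c + [-1])                      # right child: (0..0 | -1)
        elif node[0] == 'OR':
            walk(node[1], vec)
            walk(node[2], vec)
        else:
            rows.append(vec)
            rho.append(node[1])

    walk(formula, [1])
    n = counter[0]
    return [r + [0] * (n - len(r)) for r in rows], rho


def share(rows, secret, p=P):
    """Shares lambda_i = A_i . (secret, s_2, ..., s_n) with fresh random s_2, ..., s_n."""
    v = [secret] + [random.randrange(p) for _ in range(len(rows[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in rows]


def solve_mod_p(aug, p=P):
    """One solution x of M x = b over Z_p from the augmented rows [M | b]
    (Gauss-Jordan, free variables set to 0); None if inconsistent."""
    M = [[x % p for x in row] for row in aug]
    ncols, pivots, r = len(M[0]) - 1, [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [x * inv % p for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    if any(not any(row[:-1]) and row[-1] for row in M):
        return None
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = M[i][-1]
    return x


def reconstruction_coeffs(rows, rho, S, p=P):
    """Constants omega_i with sum_{i in I} omega_i A_i = (1, 0, ..., 0), I = rows whose
    vector lies in S (Linear Reconstruction). Returns {i: omega_i}, or None if S is unauthorized."""
    I = [i for i, u in enumerate(rho) if u in S]
    if not I:
        return None
    aug = [[rows[i][c] for i in I] + [1 if c == 0 else 0] for c in range(len(rows[0]))]
    sol = solve_mod_p(aug, p)
    return None if sol is None else dict(zip(I, sol))


def reconstruct(shares, omega, p=P):
    return sum(w * shares[i] for i, w in omega.items()) % p


def ehr_delegation_demo(p=P):
    """Constructed Section 1.2 scenario: the depth-1 policy Hospital A AND Professor AND
    Working years is delegated to a depth-2 policy refining Hospital A to
    (Hospital A, Cardiologist); '∅' is the empty attribute of the matrix."""
    leaf = lambda u: ('LEAF', u)
    hosp, prof, yrs = ('Hospital A',), ('Professor',), ('Working years',)
    card, prof2, yrs2 = ('Hospital A', 'Cardiologist'), ('Professor', '∅'), ('Working years', '∅')
    A_prime, A = [{hosp, prof, yrs}], [{card, prof2, yrs2}]   # minimal authorized sets
    rows1, rho1 = lsss_matrix(('AND', ('AND', leaf(hosp), leaf(prof)), leaf(yrs)))
    alpha = random.randrange(1, p)
    lam1 = share(rows1, alpha, p)                             # KeyGen-style sharing for A'
    # Delegation: each depth-2 vector inherits the share of its prefix scaled by a random
    # gamma_i; the matrix row is scaled by the same gamma_i so (A, rho) remains an LSSS.
    rows2, rho2, lam2 = [], [], []
    for u in sorted(A[0]):
        i = next(i for i, up in enumerate(rho1) if is_prefix(up, u))
        g = random.randrange(1, p)
        rows2.append([g * a % p for a in rows1[i]])
        rho2.append(u)
        lam2.append(g * lam1[i] % p)
    S = {card, prof2, yrs2}                                   # attribute vectors of Alice's record
    S_other = {('Hospital A', 'Gastroenterologist'), prof2, yrs2}
    omega = reconstruction_coeffs(rows2, rho2, S, p)
    return {'delegation_allowed': delegation_allowed(A_prime, A),
            'S_satisfies_A': satisfies(S, A),
            'secret_recovered': reconstruct(lam2, omega, p) == alpha,
            'other_specialty_blocked': reconstruction_coeffs(rows2, rho2, S_other, p) is None}
```

The point of the last function is the one the paper's linearity argument leans on: the scaled shares $\gamma_i \lambda'_{i'}$ reconstruct $\alpha$ only because the delegated key also carries the scaled rows $\gamma_i A'_{i'}$, from which a decryptor recomputes $\omega_i$ (here $1/\gamma_i$); the constants of the original matrix would not work. Replacing `S_other` shows that a set with the wrong specialty vector makes the linear system inconsistent, i.e. unauthorized.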
Definition 4 We say that an APR-ABE system is fully secure if all Probabilistic Polynomial-Time (PPT) attackers $\mathcal{A}$ have at most a negligible advantage in the above game.

5 An APR-ABE Scheme with Short Ciphertexts

In this section, we construct an APR-ABE with short ciphertexts. The proposed scheme is proven to be fully secure in the standard model.

5.1 Basic Idea

We first introduce the basic idea driving the construction of the APR-ABE scheme. We base the scheme on the KP-ABE scheme in [11] and we exploit the delegation mechanism used in several HIBE schemes (e.g., [4,12]). The key point of this delegation mechanism is to hash an identity vector to a group element, which internally associates the identity vector with a ciphertext or a secret key. When introducing this mechanism into our APR-ABE, which involves multiple attribute vectors in a ciphertext or a secret key, we assign a key component to each attribute vector and randomize every key component to resist collusion attacks.

On the other hand, LSSS have been widely used in many ABE schemes [1,11,13,21]. In our APR-ABE scheme, an LSSS is used to generate a share for each attribute vector of the authorized sets in an access structure. The linear reconstruction property of LSSS guarantees that the shares of all attribute vectors in an authorized set can recover the secret. To realize a delegation not limited to more restrictive access policies, we must additionally manage to generate shares for new incoming attributes. However, without knowing the secret, delegators cannot directly generate new shares. To overcome this problem, we concatenate the new incoming attributes to the end of existing attribute vectors to form new attribute vectors and use the existing shares to generate shares for the new attribute vectors. Specifically, to achieve the access structure control, each share of an attribute vector is blinded in the exponent of a key component.
Then, to generate new shares, we raise a key component of an existing attribute vector to a random exponent and define the resulting exponent as the new blinded share for the new attribute vector. Since LSSS satisfies linearity, the randomized shares can still reconstruct the secret.

To realize the above idea, we slightly extend LSSS to handle attribute vectors. For an access structure $\mathbb{A}$, we generate an $l \times n$ share-generating matrix $A$ ($l$ is the number of attribute vectors involved in $\mathbb{A}$). The inner product of the $i$-th row vector of $A$ and a vector taking the secret as the first coordinate is the share for the $i$-th row. We define an injective function $\rho$ which maps the $i$-th row of the matrix $A$ to an attribute vector. Then $(A, \rho)$ is the LSSS for $\mathbb{A}$. Injectivity means that an attribute vector is associated with at most one row of $A$.

5.2 The Proposal

We are now ready to describe our APR-ABE scheme, which is built from bilinear groups of composite order $N = p_1 p_2 p_3$, as defined in Section 3.3. The ciphertexts are generated in the subgroup $G_1$. The keys are first generated in $G_1$ and then randomized in $G_3$. The subgroup $G_2$ is only used to implement semi-functionality in the security proofs.

– $(PK, MSK) \leftarrow \mathrm{Setup}(1^\ell)$: Run $(N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{R} \mathcal{G}(1^\ell)$. Let $G_i$ denote the subgroup of order $p_i$ for $i = 1, 2, 3$. Choose random generators $g \in G_1$, $X_3 \in G_3$. Choose random elements $\alpha \in \mathbb{Z}_N$ and $v_i, h_j \in G_1$ for all $i = 1, \dots, D$ and $j = 1, \dots, L$. The public key and the master secret key are
$PK = (U, N, g, X_3, v_1, \dots, v_D, h_1, \dots, h_L, e(g, g)^{\alpha}),\quad MSK = \alpha.$

– $CT \leftarrow \mathrm{Encrypt}(M, PK, S)$: Encrypt a message $M$ under a set $S$ of attribute vectors of depth $k$. Choose a random $s \in \mathbb{Z}_N$ and compute
$C = M \cdot e(g, g)^{\alpha s},\quad E = g^{s}.$
For each $j$ from 1 to $|S|$, choose a random element $t_j \in \mathbb{Z}_N$. Recall that for each attribute vector $\vec{u} = (u_1, u_2, \dots, u_k)$ of $S$, the first coordinate $u_1$ actually has two subscripts, denoted by $(1, x)$, representing that $u_1$ is the $x$-th entry of the first row in the attribute matrix. Then choose $v_x$ corresponding to $x$ from the public key and compute
$C_{j,1} = v_x^{s} \left(h_1^{u_1} \cdots h_k^{u_k}\right)^{s t_j},\quad C_{j,2} = g^{s t_j}.$
Define the ciphertext (including $S$) as
$CT = \left(C, E, \langle C_{j,1}, C_{j,2} \rangle_{j = 1, \dots, |S|}\right).$

– $SK \leftarrow \mathrm{KeyGen}(PK, MSK, \mathbb{A})$: The algorithm generates an LSSS $(A, \rho)$ for $\mathbb{A}$, where $A$ is the share-generating matrix with $l$ rows and $n$ columns, and $\rho$ maps each row of $A$ to an attribute vector of depth $k$. Choose $n - 1$ random elements $s_2, \dots, s_n \in \mathbb{Z}_N$ to form a vector $\vec{\alpha} = (\alpha, s_2, \dots, s_n)$. For each $i$ from 1 to $l$, compute $\lambda_i = A_i \cdot \vec{\alpha}$, where $A_i$ is the $i$-th row vector of $A$. Let $\vec{u} = (u_1, \dots, u_k)$ be the attribute vector mapped by $\rho$ from the $i$-th row. Assume that the first coordinate $u_1$ of $\vec{u}$ is the $x$-th entry of the first row in the attribute matrix and choose $v_x$ correspondingly. Then select random elements $r_i \in \mathbb{Z}_N$ and $R_{i,1}, R_{i,2}, R_{i,3}, R_{i,k+1}, \dots, R_{i,L} \in G_3$ to compute
$K_{i,1} = g^{\lambda_i} v_x^{r_i} R_{i,1},\quad K_{i,2} = g^{r_i} R_{i,2},\quad K_{i,3} = \left(h_1^{u_1} \cdots h_k^{u_k}\right)^{r_i} R_{i,3},$
$K_{i,k+1} = h_{k+1}^{r_i} R_{i,k+1},\ \dots,\ K_{i,L} = h_L^{r_i} R_{i,L}.$
Set the secret key (including $(A, \rho)$) to be
$SK = \langle K_{i,1}, K_{i,2}, K_{i,3}, K_{i,k+1}, \dots, K_{i,L} \rangle_{i = 1, \dots, l}.$

– $SK \leftarrow \mathrm{Delegate}(PK, SK', \mathbb{A})$: The algorithm generates a secret key $SK$ for $\mathbb{A}$ by using the secret key
$SK' = \langle K'_{i',1}, K'_{i',2}, K'_{i',3}, K'_{i',k+1}, \dots, K'_{i',L} \rangle_{i' = 1, \dots, l'}$
for $\mathbb{A}'$, where $\mathbb{A}'$ is an access structure over $l'$ attribute vectors of depth $k$ and $\mathbb{A}$ is an access structure over $l$ attribute vectors of depth $k + 1$. If $\mathbb{A}$ and $\mathbb{A}'$ satisfy the delegation condition, the algorithm works as follows. For each $\vec{u}$ involved in $\mathbb{A}$, find its prefix $\vec{u}'$ in $\mathbb{A}'$ such that $\vec{u} = (\vec{u}', u_{k+1})$. Suppose that $\vec{u}'$ is associated with the $i'$-th row of the share-generating matrix of $\mathbb{A}'$. Choose random elements $\gamma_i, \delta_i \in \mathbb{Z}_N$ and random group elements $R_{i,1}, R_{i,2}, R_{i,3}, R_{i,k+2}, \dots, R_{i,L} \in G_3$ for each $i$ from 1 to $l$. Then pick the key component $(K'_{i',1}, K'_{i',2}, K'_{i',3}, K'_{i',k+1}, \dots, K'_{i',L})$ of $\vec{u}'$ from $SK'$ to compute the key component for $\vec{u}$:
$K_{i,1} = \left(K'_{i',1}\right)^{\gamma_i} v_x^{\delta_i} R_{i,1},\quad K_{i,2} = \left(K'_{i',2}\right)^{\gamma_i} g^{\delta_i} R_{i,2},$
$K_{i,3} = \left(K'_{i',3}\right)^{\gamma_i} \left(K'_{i',k+1}\right)^{\gamma_i u_{k+1}} \left(h_1^{u_1} \cdots h_{k+1}^{u_{k+1}}\right)^{\delta_i} R_{i,3},$
$K_{i,k+2} = \left(K'_{i',k+2}\right)^{\gamma_i} h_{k+2}^{\delta_i} R_{i,k+2},\ \dots,\ K_{i,L} = \left(K'_{i',L}\right)^{\gamma_i} h_L^{\delta_i} R_{i,L}.$
This implicitly sets $r_i = \gamma_i r'_{i'} + \delta_i$, where $r'_{i'}$ is the random exponent used in creating the key component for $\vec{u}'$, and the share of $\vec{u}$ becomes $\lambda_i = \gamma_i \lambda'_{i'}$, so the $i$-th row of the share-generating matrix included in $SK$ is $\gamma_i$ times the $i'$-th row of the one in $SK'$. The value $r_i$ is random since $\delta_i$ is picked randomly. Finally, output
$SK = \langle K_{i,1}, K_{i,2}, K_{i,3}, K_{i,k+2}, \dots, K_{i,L} \rangle_{i = 1, \dots, l}.$
Note that this key is identically distributed as the one directly generated by
KeyGen . – M ← Decrypt ( CT, SK, P K ) : Given a ciphertext CT = (cid:0) C, E, (cid:104) C j, , C j, (cid:105) j =1 ,..., | S | (cid:1) for S of attribute vectorsof depth k and a secret key SK = (cid:104) K i, , K i, , K i, , K i,k +1 , · · · , K i,L (cid:105) i =1 ,...,l for access structure A over attribute vectors of depth k ,if S ∈ A , compute the constants { ω i ∈ Z N } ρ ( i ) ∈ S suchthat (cid:88) ρ ( i ) ∈ S ω i A i = (1 , , · · · , . Let ρ ( i ) be the j -th attribute vector in S . Compute: M (cid:48) = (cid:89) ρ ( i ) ∈ S (cid:18) e ( E, K i, ) · e ( C j, , K i, ) e ( C j, , K i, ) (cid:19) ω i . Output M = C/M (cid:48) . Remark 1
In the key delegation, when delegating a secretkey for A from a secret key for A (cid:48) , an LSSS ( A , ρ ) for A is simultaneously generated: the share-generating matrix A is formed by setting the i -th row as A i = A (cid:48) i (cid:48) γ i , where A (cid:48) i (cid:48) is the i (cid:48) -th row of the share-generating matrix of A (cid:48) ; thefunction ρ maps the i -th row to the attribute vector u . Thevalue λ i = γ i λ (cid:48) i (cid:48) = γ i A (cid:48) i (cid:48) α = A i α is the share for u , where λ (cid:48) i (cid:48) is the share for u (cid:48) . Correctness.
Observe that
$$M' = \prod_{\rho(i) \in S} \left( \frac{e(g^s, g^{\lambda_i}) \cdot e(g^s, v_x^{r_i}) \cdot e(g^{s t_j}, (h_1^{u_1} \cdots h_k^{u_k})^{r_i})}{e(v_x^s, g^{r_i}) \cdot e((h_1^{u_1} \cdots h_k^{u_k})^{s t_j}, g^{r_i})} \right)^{\omega_i} = e(g,g)^{s \sum_{\rho(i) \in S} \omega_i A_i \cdot \vec{\alpha}} = e(g,g)^{s \alpha}.$$
It follows that $M = C / M'$. The $G_3$ parts cancel out because of the orthogonality property.

Table 1 Computational cost of the main algorithms

Algorithm        Computational complexity
Key Generation   $(L + 3) \cdot l \cdot t_e$
Key Delegation   $(2L - k + 5) \cdot l' \cdot t_e$
Encryption       $((k + 2)|S| + 2) \cdot t_e$
Decryption       $l^* \cdot t_p$

We analyze the computational complexity of the main algorithms of the APR-ABE scheme, i.e., key generation, key delegation, encryption and decryption. The proposed scheme is built in the bilinear groups $G$ and $G_T$, and most computations take place in the subgroup $G_1$. Therefore we evaluate the times $t_p$ and $t_e$ consumed by the basic group operations, the bilinear map and an exponentiation in $G$, respectively. We do not take the multiplication operation into account since it consumes negligible time compared to $t_p$ and $t_e$.

Table 1 summarizes the time consumed by the main algorithms of the APR-ABE scheme. In this table, $L$ denotes the maximum depth of the system, $l$ the number of attribute vectors associated with a secret key, $l'$ the number of attribute vectors associated with a delegated key, $k$ the depth of the user delegating a key or of the attribute vectors associated with a ciphertext, and $l^*$ the number of attribute vectors of a set satisfying the access policy in decryption. The time cost of the key generation algorithm grows linearly with the product of $L$ and $l$, but is independent of the user's depth. The time consumed by delegation depends on the depth of the delegator and decreases as the depth grows. Encryption takes time linear in the product of the cardinality of the set $S$ and the depth of the attribute vectors in $S$. The ciphertexts of APR-ABE are short in that they are only linear in the cardinality of $S$. This makes the time consumed by decryption linear in the number of matching attribute vectors and independent of the depth. This feature is comparable to the up-to-date KP-ABEs [8,11,9], which nonetheless do not allow the flexible key delegation achieved in our scheme.
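The share handling of Section 5.1, Remark 1 and Decrypt, as an added example that is not part of the paper: it works directly on the exponents (the shares $\lambda_i$, the delegated shares $\gamma_i \lambda'_{i'}$ and the reconstruction constants $\omega_i$) modulo a prime $P$ that stands in for $p_1$, leaving out the group elements, since raising $K'_{i',1}$ to $\gamma_i$ is exactly multiplying the blinded share by $\gamma_i$. The policy $(u_1 \wedge u_2) \vee u_3$, its matrix, the redefined depth-2 policy, the $\gamma_i$ values and all secrets are constructed inputs and the function names are ours. The redefined policy deliberately derives two new vectors from the same prefix $u_1$, which is the case a delegation "not limited to more restrictive policies" has to handle.

```python
# Added example (not from the paper): LSSS share generation, reconstruction and
# the share delegation of Remark 1, computed directly on exponents modulo a prime.
# P stands in for p_1, the order of G_1; the policy, gammas and secrets are constructed.
P = 2**61 - 1


def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % P


def lsss_shares(A, alpha, s_rest):
    """KeyGen: lambda_i = A_i . alpha_vec with alpha_vec = (alpha, s_2, ..., s_n)."""
    alpha_vec = [alpha] + list(s_rest)
    return [dot(row, alpha_vec) for row in A]


def is_reconstruction(A, omega):
    """Linear reconstruction property: sum_i omega_i * A_i == (1, 0, ..., 0) over Z_P."""
    n = len(A[0])
    combo = [sum(omega[i] * A[i][j] for i in range(len(A))) % P for j in range(n)]
    return combo == [1] + [0] * (n - 1)


def reconstruct(shares, omega):
    """The exponent Decrypt assembles: sum_i omega_i * lambda_i (= alpha when the
    reconstruction property holds)."""
    return dot(shares, omega)


def delegate(A_prev, shares_prev, prefix_row, gammas):
    """Delegate without knowing alpha: new row i is gamma_i * A'_{i'} and its share is
    gamma_i * lambda'_{i'} (the scheme raises K'_{i',1} to gamma_i), where
    i' = prefix_row[i] is the row of the prefix u' of the new vector u = (u', u_{k+1})."""
    A = [[g * a % P for a in A_prev[ip]] for ip, g in zip(prefix_row, gammas)]
    shares = [g * shares_prev[ip] % P for ip, g in zip(prefix_row, gammas)]
    return A, shares


def delegated_omega(omega_prev, prefix_row, gammas, rows_used):
    """Reconstruction constants for a delegated key: omega_i = omega'_{i'} / gamma_i
    on the rows in use, 0 elsewhere."""
    return [omega_prev[ip] * pow(g, -1, P) % P if i in rows_used else 0
            for i, (ip, g) in enumerate(zip(prefix_row, gammas))]


def run_example():
    alpha = 1234567
    # Depth-1 policy (u1 AND u2) OR u3; rows map injectively to u1, u2, u3 (n = 2).
    A1 = [[1, 1], [0, 1], [1, 0]]
    lam1 = lsss_shares(A1, alpha, [424242])
    omega_u1u2 = [1, P - 1, 0]        # {u1, u2}: lambda_1 - lambda_2 = alpha
    # Redefined depth-2 policy over (u1,a), (u1,b), (u2,c), (u3,d): two new vectors
    # share the prefix u1, so row 0 of A1 is reused twice with different gammas.
    prefix_row = [0, 0, 1, 2]
    gammas = [3, 5, 7, 11]            # the delegator's random gamma_i (constructed)
    A2, lam2 = delegate(A1, lam1, prefix_row, gammas)
    # Authorized set {(u1,b), (u2,c)} = rows 1 and 2 of the delegated matrix.
    omega2 = delegated_omega(omega_u1u2, prefix_row, gammas, rows_used={1, 2})
    return {
        "direct": reconstruct(lam1, omega_u1u2),
        "delegated": reconstruct(lam2, omega2),
        "delegated_matrix_ok": is_reconstruction(A2, omega2),
        "u1_alone_ok": is_reconstruction(A1, [1, 0, 0]),   # unauthorized set
    }


if __name__ == "__main__":
    print(run_example())
```

Running it shows the delegated key reconstructing the same $\alpha$ as the freshly generated one, and that $\sum \omega_i A_i$ still equals $(1, 0)$ after every row has been scaled by its own $\gamma_i$; the last entry shows that a single attribute vector outside an authorized set gives no reconstruction vector, which is the property the security proof relies on.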
The new APR-ABE scheme has full security, which means that a polynomial-time attacker who does not hold a correct secret key cannot obtain useful information about the messages encrypted in ciphertexts. Formally, full security is guaranteed by Theorem 1.

Theorem 1
The Access Policy Redefinable Attribute-based Encryption scheme is fully secure in the standard model if Assumptions 1, 2 and 3 hold.

Our proof exploits the dual system encryption methodology [20]. This approach has been shown to be a powerful tool for proving the full security of properly designed HIBE and ABE schemes (e.g., [12,13,11,20]). Following this proof framework, we construct semi-functional keys and ciphertexts for APR-ABE. A semi-functional APR-ABE key (semi-functional key for short) can be used to decrypt normal ciphertexts, and a semi-functional APR-ABE ciphertext (semi-functional ciphertext for short) can be decrypted using normal keys. However, a semi-functional key cannot be used to decrypt a semi-functional ciphertext. As in most proofs adopting dual system encryption, there is a subtlety: the simulator could test the nature of the key it is asked to produce by using it to try to decrypt the challenge ciphertext. To avoid this paradox, we make sure that decryption with that key always succeeds, by setting the random values involved in the key and in the challenge ciphertext appropriately. We also need to prove that these values are uniformly distributed in the view of the adversary, who is not allowed to query a key able to decrypt the challenge ciphertext.

In the following proof, we define a sequence of games and argue that an attacker cannot distinguish one game from the next. The first game is $\mathrm{Game}_{real}$, which denotes the real security game as defined in Definition 4. The second game is $\mathrm{Game}_{real'}$, which is the same as $\mathrm{Game}_{real}$ except that the attacker $\mathcal{A}$ does not ask the challenger $\mathcal{C}$ to delegate keys. The third game is $\mathrm{Game}_0$, in which all keys are normal but the challenge ciphertext is semi-functional. Let $q$ denote the number of key queries made by $\mathcal{A}$. For all $\nu = 1, \dots, q$, we define $\mathrm{Game}_\nu$, in which the first $\nu$ keys are semi-functional and the remaining keys are normal, while the challenge ciphertext is semi-functional. Note that in $\mathrm{Game}_q$ all keys are semi-functional. The last game is $\mathrm{Game}_{final}$, where all keys are semi-functional and the ciphertext is a semi-functional encryption of a random message. We will prove that these games are indistinguishable under Assumptions 1, 2 and 3.

The semi-functional ciphertexts and keys are constructed as follows.
Semi-functional ciphertext.
Let $g_2$ denote a generator of $G_2$. We first invoke Encrypt to form a normal ciphertext $(\bar{C}, \bar{E}, \langle \bar{C}_{i^*,1}, \bar{C}_{i^*,2} \rangle_{i^* = 1, \dots, |S^*|})$. We choose a random element $c \in \mathbb{Z}_N$ and, for all $i^* = 1, \dots, |S^*|$, random exponents $\phi_{i^*}, \upsilon_{i^*} \in \mathbb{Z}_N$. The semi-functional ciphertext is
$C = \bar{C}$, $E = \bar{E} g_2^{c}$, $C_{i^*,1} = \bar{C}_{i^*,1} g_2^{\phi_{i^*}}$, $C_{i^*,2} = \bar{C}_{i^*,2} g_2^{\upsilon_{i^*}}$.

Semi-functional key.
We first call KeyGen to form a normal key $\langle \bar{K}_{i,1}, \bar{K}_{i,2}, \bar{K}_{i,3}, \bar{K}_{i,k+1}, \dots, \bar{K}_{i,L} \rangle_{i = 1, \dots, l}$. Then we choose a random element $f_i \in \mathbb{Z}_N$ for the $i$-th row of the share-generating matrix $A$, random elements $\zeta_1, \dots, \zeta_D, \eta_1, \dots, \eta_L \in \mathbb{Z}_N$ and a random vector $\vartheta \in \mathbb{Z}_N^n$. The semi-functional key is
$K_{i,1} = \bar{K}_{i,1} g_2^{A_i \cdot \vartheta + f_i \zeta_x}$, $K_{i,2} = \bar{K}_{i,2} g_2^{f_i}$, $K_{i,3} = \bar{K}_{i,3} g_2^{f_i \sum_{j=1}^{k} u_j \eta_j}$, $K_{i,k+1} = \bar{K}_{i,k+1} g_2^{f_i \eta_{k+1}}, \dots, K_{i,L} = \bar{K}_{i,L} g_2^{f_i \eta_L}$.

Remark 2
When we use a semi-functional key to decrypt a semi-functional ciphertext, the $G_2$ components no longer cancel and decryption yields the extra term
$$\prod_{\rho(i) \in S} \left( e(g_2, g_2)^{c A_i \cdot \vartheta}\; e(g_2, g_2)^{f_i (c \zeta_x + \upsilon_{i^*} \sum_{j=1}^{k} u_j \eta_j - \phi_{i^*})} \right)^{\omega_i}.$$
If $\vartheta \cdot (1, 0, \dots, 0) = 0 \bmod p_2$ and $c \zeta_x + \upsilon_{i^*} \sum_{j=1}^{k} u_j \eta_j - \phi_{i^*} = 0 \bmod p_2$, then the extra term happens to be one (the first condition suffices for the $\vartheta$ part since $\sum_{\rho(i) \in S} \omega_i A_i \cdot \vartheta = (1, 0, \dots, 0) \cdot \vartheta$), which means that decryption still works. We say that keys satisfying this condition are nominally semi-functional keys. We will show that a nominally semi-functional key is identically distributed to a regular semi-functional key in the attacker's view.

Lemma 1
For any attacker $\mathcal{A}$, $\mathrm{Game}_{real}\mathrm{Adv}_{\mathcal{A}} = \mathrm{Game}_{real'}\mathrm{Adv}_{\mathcal{A}}$.

Proof From the construction of our APR-ABE, the keys output by the key generation algorithm are identically distributed to the keys output by the delegation algorithm. Therefore, in $\mathcal{A}$'s view, there is no difference between these two games. ⊔⊓

Lemma 2 If $\mathcal{A}$ can distinguish $\mathrm{Game}_{real'}$ from $\mathrm{Game}_0$ with advantage $\epsilon$, then we can construct an algorithm $\mathcal{B}$ that breaks Assumption 1 with advantage $\epsilon$.

Proof We construct an algorithm $\mathcal{B}$ that simulates $\mathrm{Game}_{real'}$ or $\mathrm{Game}_0$ while interacting with $\mathcal{A}$, using the tuple $(g, X_3, T)$ of Assumption 1.

Setup: Algorithm $\mathcal{B}$ selects a random $\alpha \in \mathbb{Z}_N$. For all $i = 1, \dots, D$ and $j = 1, \dots, L$, it chooses random elements $\bar{\zeta}_i, \bar{\eta}_j \in \mathbb{Z}_N$ and computes $v_i = g^{\bar{\zeta}_i}$, $h_j = g^{\bar{\eta}_j}$. It provides $\mathcal{A}$ with the public key $PK = (U, N, g, X_3, v_1, \dots, v_D, h_1, \dots, h_L, e(g,g)^{\alpha})$.

Key generation Phase 1, Phase 2: Note that $\mathcal{B}$ knows the master key $MSK = \alpha$. Therefore, $\mathcal{B}$ can run KeyGen to generate normal keys in Phase 1 and Phase 2.

Challenge: $\mathcal{A}$ gives two equal-length messages $M_0, M_1$ and a set $S^*$ of attribute vectors to $\mathcal{B}$. $\mathcal{B}$ then uses the $T$ in the given tuple to form a semi-functional or normal ciphertext as follows. $\mathcal{B}$ flips a random coin $b \in \{0, 1\}$. For all $i^* = 1, \dots, |S^*|$, it chooses random elements $t_{i^*} \in \mathbb{Z}_N$. Finally, it sets the ciphertext $CT$ to be
$C = M_b\, e(g, T)^{\alpha}$, $E = T$, $C_{i^*,1} = T^{\bar{\zeta}_x} T^{(\bar{\eta}_1 u_1 + \cdots + \bar{\eta}_k u_k) t_{i^*}}$, $C_{i^*,2} = T^{t_{i^*}}$.
If $T = g^{s} g_2^{c}$, this implicitly sets
$\phi_{i^*} = c \left( \bar{\zeta}_x + t_{i^*} \sum_{j=1}^{k} u_j \bar{\eta}_j \right)$, $\upsilon_{i^*} = c\, t_{i^*}$,
but there is neither an unwanted correlation between the values $(\phi_{i^*} \bmod p_2)$ and $(\bar{\zeta}_x, \bar{\eta}_j \bmod p_1)$, nor a correlation between $(t_{i^*} \bmod p_1)$ and $(\upsilon_{i^*} \bmod p_2)$, by the Chinese Remainder Theorem. Thus, the $G_2$ part of the ciphertext is unrelated to its $G_1$ part.

Guess: If $T \in G_{12}$ (the subgroup of order $p_1 p_2$), $CT$ is a properly distributed semi-functional ciphertext, hence we are in $\mathrm{Game}_0$. If $T \in G_1$, by implicitly setting $T = g^{s}$, $CT$ is a properly distributed normal ciphertext, hence we are in $\mathrm{Game}_{real'}$. If $\mathcal{A}$ outputs $b'$ such that $b' = b$, then $\mathcal{B}$ outputs 0. Therefore, with the tuple $(g, X_3, T)$, the advantage of $\mathcal{B}$ in breaking Assumption 1 is
$$\left| \Pr[\mathcal{B}(g, X_3, T \in G_{12}) = 0] - \Pr[\mathcal{B}(g, X_3, T \in G_1) = 0] \right| = \left| \mathrm{Game}_0\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_{real'}\mathrm{Adv}_{\mathcal{A}} \right| = \epsilon,$$
where $\mathrm{Game}_0\mathrm{Adv}_{\mathcal{A}}$ is the advantage of $\mathcal{A}$ in $\mathrm{Game}_0$ and $\mathrm{Game}_{real'}\mathrm{Adv}_{\mathcal{A}}$ is the advantage of $\mathcal{A}$ in $\mathrm{Game}_{real'}$. ⊔⊓

Lemma 3 If $\mathcal{A}$ can distinguish $\mathrm{Game}_{\nu-1}$ from $\mathrm{Game}_\nu$ with advantage $\epsilon$, then we can construct an algorithm $\mathcal{B}$ that breaks Assumption 2 with advantage $\epsilon$.

Proof We construct an algorithm $\mathcal{B}$ that simulates $\mathrm{Game}_{\nu-1}$ or $\mathrm{Game}_\nu$ while interacting with $\mathcal{A}$, using the tuple $(g, X_1 X_2, X_3, Y_2 Y_3, T)$ of Assumption 2.

Setup: The public key
$PK$ generated by $\mathcal{B}$ is the same as that in Lemma 2. Algorithm $\mathcal{B}$ gives $PK$ to $\mathcal{A}$.

Challenge: For convenience, we bring the Challenge phase before Phase 1; this does not affect the security proof. When $\mathcal{A}$ queries the challenge ciphertext with two equal-size messages $M_0, M_1$ and a set $S^*$ of attribute vectors, $\mathcal{B}$ flips a random coin $b \in \{0, 1\}$ and randomly chooses $t_{i^*} \in \mathbb{Z}_N$ for all $i^* = 1, \dots, |S^*|$. It sets the ciphertext to be
$C = M_b\, e(g, X_1 X_2)^{\alpha}$, $E = X_1 X_2$, $C_{i^*,1} = (X_1 X_2)^{\bar{\zeta}_x} (X_1 X_2)^{(\bar{\eta}_1 u_1 + \cdots + \bar{\eta}_k u_k) t_{i^*}}$, $C_{i^*,2} = (X_1 X_2)^{t_{i^*}}$.
Writing $X_1 X_2 = g^{s} g_2^{c}$, this implicitly sets
$\phi_{i^*} = c \left( \bar{\zeta}_x + t_{i^*} \sum_{j=1}^{k} u_j \bar{\eta}_j \right)$, $\upsilon_{i^*} = c\, t_{i^*}$.
Again there is no correlation between the values $(\phi_{i^*} \bmod p_2)$ and $(\bar{\zeta}_x, \bar{\eta}_j \bmod p_1)$, nor between $(t_{i^*} \bmod p_1)$ and $(\upsilon_{i^*} \bmod p_2)$, by the Chinese Remainder Theorem. Thus the $G_2$ part of this ciphertext is unrelated to its $G_1$ part, and the ciphertext is a well-distributed semi-functional ciphertext.

Key generation Phase 1, Phase 2: For the first $\nu - 1$ key queries, $\mathcal{B}$ simulates semi-functional keys. For a queried $\mathbb{A}$, it first calls the key generation algorithm to generate an LSSS $(A, \rho)$ and a normal key $\langle \bar{K}_{i,1}, \bar{K}_{i,2}, \bar{K}_{i,3}, \bar{K}_{i,k+1}, \dots, \bar{K}_{i,L} \rangle_{i \in [l]}$ for this LSSS. Then, for each $i$ from 1 to $l$, $\mathcal{B}$ picks a random element $\bar{f}_i \in \mathbb{Z}_N$. $\mathcal{B}$ also chooses random elements $\zeta_1, \dots, \zeta_D, \eta_1, \dots, \eta_L \in \mathbb{Z}_N$. Finally $\mathcal{B}$ chooses a random vector $\bar{\vartheta} \in \mathbb{Z}_N^n$ and computes the secret key:
$K_{i,1} = \bar{K}_{i,1} (Y_2 Y_3)^{A_i \cdot \bar{\vartheta} + \bar{f}_i \zeta_x}$, $K_{i,2} = \bar{K}_{i,2} (Y_2 Y_3)^{\bar{f}_i}$, $K_{i,3} = \bar{K}_{i,3} (Y_2 Y_3)^{\bar{f}_i \sum_{j=1}^{k} u_j \eta_j}$, $K_{i,k+1} = \bar{K}_{i,k+1} (Y_2 Y_3)^{\bar{f}_i \eta_{k+1}}, \dots, K_{i,L} = \bar{K}_{i,L} (Y_2 Y_3)^{\bar{f}_i \eta_L}$.
If we write $Y_2 = g_2^{a}$ for some $a$, this implicitly sets $\vartheta = a \bar{\vartheta}$ and $f_i = a \bar{f}_i$. Thus this key is identically distributed to a semi-functional key.

For the remaining key queries except the $\nu$-th one, $\mathcal{B}$ simulates normal keys. Because $\mathcal{B}$ knows the master key $MSK = \alpha$, it can create them by running the key generation algorithm.

To respond to the $\nu$-th key query on an access structure $\mathbb{A}$, algorithm $\mathcal{B}$ simulates either a normal key or a semi-functional key, depending on $T$. Algorithm $\mathcal{B}$ generates an LSSS for $\mathbb{A}$ to prepare for key generation. It creates a vector $\bar{\vec{\alpha}}$ with first coordinate $\alpha$ and the remaining $n-1$ coordinates picked at random in $\mathbb{Z}_N$. $\mathcal{B}$ also creates a vector $\bar{\vartheta}$ with first coordinate 0 and the remaining $n-1$ coordinates picked at random in $\mathbb{Z}_N$. For each row $A_i$ of $A$, $\mathcal{B}$ chooses random elements $\bar{r}_i \in \mathbb{Z}_N$ and $R_{i,1}, R_{i,2}, R_{i,3}, R_{i,k+1}, \dots, R_{i,L} \in G_3$. Then $\mathcal{B}$ computes:
$K_{i,1} = g^{A_i \cdot \bar{\vec{\alpha}}}\, T^{A_i \cdot \bar{\vartheta}}\, T^{\bar{r}_i \bar{\zeta}_x} R_{i,1}$, $K_{i,2} = T^{\bar{r}_i} R_{i,2}$, $K_{i,3} = T^{(\bar{\eta}_1 u_1 + \cdots + \bar{\eta}_k u_k) \bar{r}_i} R_{i,3}$, $K_{i,k+1} = T^{\bar{r}_i \bar{\eta}_{k+1}} R_{i,k+1}, \dots, K_{i,L} = T^{\bar{r}_i \bar{\eta}_L} R_{i,L}$.
If $T \in G_{13}$ (the subgroup of order $p_1 p_3$), writing $T = g^{c_1} g_3^{c_3}$, this implicitly sets $r_i = c_1 \bar{r}_i$ and $\vec{\alpha} = \bar{\vec{\alpha}} + c_1 \bar{\vartheta}$; thus this key is identically distributed to a normal key. If $T \in G$, writing $T = g^{c_1} g_2^{c_2} g_3^{c_3}$, this implicitly sets $r_i = c_1 \bar{r}_i$, $f_i = c_2 \bar{r}_i$, $\vartheta = c_2 \bar{\vartheta}$, $\vec{\alpha} = \bar{\vec{\alpha}} + c_1 \bar{\vartheta}$, and $\zeta_1 = \bar{\zeta}_1, \dots, \zeta_D = \bar{\zeta}_D$, $\eta_1 = \bar{\eta}_1, \dots, \eta_L = \bar{\eta}_L$. Since the $r_i$ are derived from $\bar{r}_i$ in $G_1$ and the $f_i$ from $\bar{r}_i$ in $G_2$, there is no unwanted correlation between the $G_1$ part and the $G_2$ part by the Chinese Remainder Theorem. Similarly, the fact that $\zeta_1 = \bar{\zeta}_1, \dots, \zeta_D = \bar{\zeta}_D$, $\eta_1 = \bar{\eta}_1, \dots, \eta_L = \bar{\eta}_L$ does not result in an unwanted correlation between the $G_1$ and $G_2$ parts of this key.

When the simulator $\mathcal{B}$ uses the $\nu$-th key to decrypt the semi-functional ciphertext in order to test whether the key is normal or semi-functional, it obtains
$$\prod_{\rho(i) \in S^*} \left( e(g_2, g_2)^{c A_i \cdot \vartheta}\; e(g_2, g_2)^{f_i (c \zeta_x + \upsilon_{i^*} \sum_{j=1}^{k} u_j \eta_j - \phi_{i^*})} \right)^{\omega_i} = 1.$$
This is because from the simulation of the semi-functional ciphertext we have $\phi_{i^*} = c(\bar{\zeta}_x + t_{i^*} \sum_{j=1}^{k} u_j \bar{\eta}_j)$ and $\upsilon_{i^*} = c\, t_{i^*}$, and from the simulation of the $\nu$-th key we have $\zeta_1 = \bar{\zeta}_1, \dots, \zeta_D = \bar{\zeta}_D$, $\eta_1 = \bar{\eta}_1, \dots, \eta_L = \bar{\eta}_L$, so the second exponent vanishes. Moreover, since $\vartheta \cdot (1, 0, \dots, 0) = c_2 \bar{\vartheta} \cdot (1, 0, \dots, 0) = 0$, we have $\sum_{\rho(i) \in S^*} \omega_i A_i \cdot \vartheta = 0$. Thus, when $\mathcal{B}$ uses the $\nu$-th key to decrypt the semi-functional ciphertext, decryption still works and the $\nu$-th key is nominally semi-functional. We now argue that the nominally semi-functional key is identically distributed to a semi-functional key in $\mathcal{A}$'s view. That is, if $\mathcal{A}$ is prevented from asking for a $\nu$-th key that can decrypt the challenge ciphertext, the fact that $\vartheta_1 = 0$ ($\vartheta_1$ is the first coordinate of $\vartheta$) is information-theoretically hidden in $\mathcal{A}$'s view.

Because the $\nu$-th key cannot decrypt the challenge ciphertext, the vector $(1, 0, \dots, 0)$ is linearly independent of $R_{S^*}$, the submatrix of $A$ that contains only the rows with $\rho(i) \in S^*$. From basic linear algebra, and similarly to Proposition 11 in [11], we have the following proposition.

Proposition 1
A vector $v$ is linearly independent of the rows of a matrix $M$ if and only if there exists a vector $w$ such that $M w = 0$ while $v \cdot w = 1$.

Since $(1, 0, \dots, 0)$ is linearly independent of $R_{S^*}$, a vector $w$ must exist such that $A_i \cdot w = 0$ for each row $A_i \in R_{S^*}$ and $w \cdot (1, 0, \dots, 0) = 1$. For this fixed vector $w$ we can write $A_i \cdot \vartheta = A_i \cdot (z w + r)$, where $r$ is uniformly distributed and reveals no information about $z$. Note that $\vartheta \cdot (1, 0, \dots, 0) = z + r_1$ cannot be determined from $r$ alone; some information about $z$ is also needed. If $\rho(i) \in S^*$, then $A_i \cdot \vartheta = A_i \cdot r$, so no information about $z$ is revealed and $A_i \cdot \vartheta$ is hidden. If $\rho(i) \notin S^*$, then $A_i \cdot \vartheta + f_i \zeta_x = A_i \cdot (z w + r) + f_i \zeta_x$. This equation introduces a random element $f_i \zeta_x$, where $f_i$ is random and appears only once because $\rho$ is injective. Hence, if not all of the $f_i$ values are congruent to 0 modulo $p_2$, no information about $z$ is revealed. The probability that all $f_i$'s are 0 modulo $p_2$ is negligible. Therefore, the value being shared in $G_2$ is information-theoretically hidden in $\mathcal{A}$'s view with probability close to 1. Hence, $\mathcal{B}$ simulates the semi-functional keys with probability close to 1.

Guess: If $T \in G_{13}$, we are in $\mathrm{Game}_{\nu-1}$. If $T \in G$, we are in $\mathrm{Game}_\nu$. If $\mathcal{A}$ outputs $b' = b$, $\mathcal{B}$ outputs 0. Then, with the input tuple $(g, X_1 X_2, X_3, Y_2 Y_3, T)$, the advantage of $\mathcal{B}$ in breaking Assumption 2 is
$$\left| \Pr[\mathcal{B}(g, X_1 X_2, X_3, Y_2 Y_3, T \in G_{13}) = 0] - \Pr[\mathcal{B}(g, X_1 X_2, X_3, Y_2 Y_3, T \in G) = 0] \right| = \left| \mathrm{Game}_{\nu-1}\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_\nu\mathrm{Adv}_{\mathcal{A}} \right| = \epsilon,$$
where $\mathrm{Game}_{\nu-1}\mathrm{Adv}_{\mathcal{A}}$ is the advantage of $\mathcal{A}$ in $\mathrm{Game}_{\nu-1}$ and $\mathrm{Game}_\nu\mathrm{Adv}_{\mathcal{A}}$ is the advantage of $\mathcal{A}$ in $\mathrm{Game}_\nu$. ⊔⊓

Lemma 4 If $\mathcal{A}$ can distinguish $\mathrm{Game}_q$ from $\mathrm{Game}_{final}$ with advantage $\epsilon$, then we can construct an algorithm $\mathcal{B}$ that contradicts Assumption 3 with advantage $\epsilon$.

Proof We construct $\mathcal{B}$ to simulate $\mathrm{Game}_q$ or $\mathrm{Game}_{final}$ while interacting with $\mathcal{A}$, using the tuple $(g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, T)$ of Assumption 3.

Setup: For all $i = 1, \dots, D$ and all $j = 1, \dots, L$, $\mathcal{B}$ chooses random exponents $\bar{\zeta}_i, \bar{\eta}_j \in \mathbb{Z}_N$ and computes $v_i = g^{\bar{\zeta}_i}$, $h_j = g^{\bar{\eta}_j}$. Then it sets
$PK = (U, N, g, X_3, v_1, \dots, v_D, h_1, \dots, h_L, e(g, g^{\alpha} X_2))$ and gives $PK$ to $\mathcal{A}$. Note that $e(g, g^{\alpha} X_2) = e(g,g)^{\alpha}$ by orthogonality, and that $\mathcal{B}$ does not know the secret $\alpha$.

Key generation Phase 1, Phase 2: To simulate the semi-functional keys for $\mathbb{A}$, $\mathcal{B}$ first generates an LSSS $(A, \rho)$ for $\mathbb{A}$. It then selects two vectors: $\phi$, whose first coordinate is 1 and whose remaining $n-1$ coordinates are chosen at random in $\mathbb{Z}_N$, and $\psi$, whose first coordinate is 0 and whose remaining $n-1$ coordinates are chosen at random in $\mathbb{Z}_N$. Note that this implicitly sets $\vec{\alpha} = \alpha \phi + \psi$. For the $i$-th row $A_i$ of $A$, algorithm $\mathcal{B}$ chooses random elements $r_i, \bar{f}_i \in \mathbb{Z}_N$ and $R_{i,1}, R_{i,2}, R_{i,3}, R_{i,k+1}, \dots, R_{i,L} \in G_3$. $\mathcal{B}$ randomly chooses $\zeta_1, \dots, \zeta_D, \eta_1, \dots, \eta_L \in \mathbb{Z}_N$ and computes the key as follows:
$K_{i,1} = g^{A_i \cdot \psi} (g^{\alpha} X_2)^{A_i \cdot \phi} v_x^{r_i} Z_2^{\bar{f}_i \zeta_x} R_{i,1}$, $K_{i,2} = g^{r_i} Z_2^{\bar{f}_i} R_{i,2}$, $K_{i,3} = (h_1^{u_1} \cdots h_k^{u_k})^{r_i} Z_2^{\bar{f}_i \sum_{j=1}^{k} u_j \eta_j} R_{i,3}$, $K_{i,k+1} = h_{k+1}^{r_i} Z_2^{\bar{f}_i \eta_{k+1}} R_{i,k+1}, \dots, K_{i,L} = h_L^{r_i} Z_2^{\bar{f}_i \eta_L} R_{i,L}$.
Writing $X_2 = g_2^{a}$ and $Z_2 = g_2^{d}$, this implicitly sets $\vartheta = a \phi$ and $f_i = d \bar{f}_i$. We also note that the values being shared in $G_2$ are properly randomized by the $f_i$. Therefore, this key is identically distributed to a semi-functional key in $\mathcal{A}$'s view.

Challenge: When $\mathcal{B}$ is given two equal-length messages $M_0, M_1$ and a set $S^*$ of attribute vectors, $\mathcal{B}$ flips a random coin $b \in \{0, 1\}$ and chooses $t_{i^*} \in \mathbb{Z}_N$ for all $i^* = 1, \dots, |S^*|$. Then it sets the ciphertext to be:
$C = M_b\, T$, $E = g^{s} Y_2$, $C_{i^*,1} = (g^{s} Y_2)^{\bar{\z eta}_x} (g^{s} Y_2)^{t_{i^*} (\bar{\eta}_1 u_1 + \cdots + \bar{\eta}_k u_k)}$, $C_{i^*,2} = (g^{s} Y_2)^{t_{i^*}}$.
Writing $Y_2 = g_2^{c}$, this implicitly sets
$\phi_{i^*} = c \left( \bar{\zeta}_x + t_{i^*} \sum_{j=1}^{k} u_j \bar{\eta}_j \right)$, $\upsilon_{i^*} = c\, t_{i^*}$,
but again there is neither a correlation between $(\phi_{i^*} \bmod p_2)$ and $(\bar{\zeta}_x, \bar{\eta}_j \bmod p_1)$, nor a correlation between $(t_{i^*} \bmod p_1)$ and $(\upsilon_{i^*} \bmod p_2)$, by the Chinese Remainder Theorem. If $T = e(g,g)^{\alpha s}$, then this ciphertext is a semi-functional ciphertext of the message $M_b$. If $T$ is a random element of $G_T$, this ciphertext is a semi-functional encryption of a random message.

Guess: If $T = e(g,g)^{\alpha s}$, we are in $\mathrm{Game}_q$. If $T$ is a random element of $G_T$, we are in $\mathrm{Game}_{final}$. $\mathcal{B}$ outputs 0 when $\mathcal{A}$ outputs $b' = b$. Given the tuple $(g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, T)$, the advantage of $\mathcal{B}$ in breaking Assumption 3 is
$$\left| \Pr[\mathcal{B}(g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, T = e(g,g)^{\alpha s}) = 0] - \Pr[\mathcal{B}(g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, T \xleftarrow{R} G_T) = 0] \right| = \left| \mathrm{Game}_q\mathrm{Adv}_{\mathcal{A}} - \mathrm{Game}_{final}\mathrm{Adv}_{\mathcal{A}} \right| = \epsilon,$$
where $\mathrm{Game}_q\mathrm{Adv}_{\mathcal{A}}$ is the advantage of $\mathcal{A}$ in $\mathrm{Game}_q$ and $\mathrm{Game}_{final}\mathrm{Adv}_{\mathcal{A}}$ is the advantage of $\mathcal{A}$ in $\mathrm{Game}_{final}$. ⊔⊓

From all the lemmas proven above, the proof of Theorem 1 follows:
Proof In $\mathrm{Game}_{final}$, the ciphertext completely hides the bit $b$, so the advantage of $\mathcal{A}$ in this game is negligible. Through Lemmas 1, 2, 3 and 4, we have shown that the real security game $\mathrm{Game}_{real}$ is indistinguishable from $\mathrm{Game}_{final}$. Therefore, the advantage of $\mathcal{A}$ in $\mathrm{Game}_{real}$ is negligible. Concretely, summing over the $q + 2$ game transitions (Lemma 3 is applied once per key query), the advantage of $\mathcal{A}$ in $\mathrm{Game}_{real}$ is at most $\mathrm{Adv}_1 + q \cdot \mathrm{Adv}_2 + \mathrm{Adv}_3$, where $\mathrm{Adv}_i$ denotes the maximum advantage of a PPT algorithm against Assumption $i$. Hence, there is no polynomial-time adversary with a non-negligible advantage in breaking our APR-ABE system. This completes the proof of Theorem 1. ⊔⊓
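Proposition 1 and the hiding argument at the end of the proof of Lemma 3, as an added example that is not part of the paper: a Gauss-Jordan solver over $\mathbb{Z}_p$ finds the witness $w$ with $R_{S^*} w = 0$ and $(1, 0, \dots, 0) \cdot w = 1$ (or reports that none exists when $S^*$ is authorized), and then computes the $G_2$ exponents of the $\nu$-th key's $K_{i,1}$ components for $\vartheta = z w + r$, so that one can see the rows with $\rho(i) \in S^*$ stay the same for different $z$ while the other rows are masked by $f_i \zeta_x$. The small prime $p = 101$ stands in for $p_2$ (the paper's argument is modulo $p_2$), the policy matrix is the same $(u_1 \wedge u_2) \vee u_3$ example, and $S^*$, $z$, $r$, $f_i$ and $\zeta_x$ are constructed values; the function names are ours.

```python
# Added example (not from the paper): Proposition 1 and the hiding argument of
# Lemma 3, computed over Z_p for a small prime p standing in for p_2, the order of G_2.
# The prime, the policy matrix, S* and every "random" value are constructed inputs.
P = 101


def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % P


def solve_mod_p(rows, rhs):
    """Gauss-Jordan over Z_P: one solution w of rows.w = rhs, or None if inconsistent."""
    m, n = len(rows), len(rows[0])
    aug = [[x % P for x in r] + [b % P] for r, b in zip(rows, rhs)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((i for i in range(row, m) if aug[i][col]), None)
        if piv is None:
            continue                          # no pivot: free variable
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, P)
        aug[row] = [x * inv % P for x in aug[row]]
        for i in range(m):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % P for a, b in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
        if row == m:
            break
    if any(aug[i][n] for i in range(row, m)):
        return None                           # a row reads 0 = nonzero
    w = [0] * n                               # free variables set to 0
    for i, col in enumerate(pivots):
        w[col] = aug[i][n]
    return w


def prop1_witness(R):
    """Proposition 1: w with R.w = 0 and (1,0,...,0).w = 1, or None when (1,0,...,0)
    lies in the row span of R, i.e. when the rows of R could reconstruct the secret."""
    n = len(R[0])
    e1 = [1] + [0] * (n - 1)
    return solve_mod_p(R + [e1], [0] * len(R) + [1])


def g2_exponents(A, in_S, w, z, r, f, zeta):
    """G_2 exponents of K_{i,1} in the nu-th key with theta = z*w + r:
    A_i.theta for rows with rho(i) in S*, A_i.theta + f_i*zeta_x for the other rows."""
    theta = [(z * wj + rj) % P for wj, rj in zip(w, r)]
    exps = [dot(row, theta) if in_S[i] else (dot(row, theta) + f[i] * zeta) % P
            for i, row in enumerate(A)]
    return exps, theta


def demo():
    A = [[1, 1], [0, 1], [1, 0]]          # (u1 AND u2) OR u3, one row per vector
    in_S = [True, False, False]           # S* = {u1}: the nu-th key must not decrypt
    w = prop1_witness([A[0]])             # witness for the single row of R_{S*}
    r, f, zeta = [13, 57], [0, 29, 61], 17   # constructed randomness (f[0] is unused)
    view_a, _ = g2_exponents(A, in_S, w, 5, r, f, zeta)
    view_b, _ = g2_exponents(A, in_S, w, 77, r, f, zeta)
    return w, view_a, view_b


if __name__ == "__main__":
    print(demo())
```

For the constructed inputs the witness is $w = (1, -1)$; the exponent of the row in $S^*$ is identical for $z = 5$ and $z = 77$, while the two rows outside $S^*$ change with $z$ but each carries its own $f_i \zeta_x$ term that the adversary sees nowhere else, which is the step in the proof that keeps $\vartheta_1 = z + r_1$ hidden. Passing the authorized rows $\{u_1, u_2\}$ to prop1_witness returns None, matching the direction of Proposition 1 in which no such $w$ exists.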
We revisited KP-ABE and proposed a dynamic ABE re-ferred to as APR-ABE. APR-ABE distinguishes itself fromother KP-ABE schemes by providing a delegation mecha-nism that allows a user to redefine the access policy and del-egate a secret key without making the redefined access pol-icy more restrictive. This feature renders APR-ABE espe-cially suitable to e-healthcare record systems where a priori specification of access policies for secret keys is too rigid orsimply not practical. We constructed an APR-ABE schemewith short ciphertexts and proved its full security in the stan-dard model under several non-interactive assumptions.
Acknowledgements and disclaimer
We thank the anonymous reviewers for their valuable suggestions. The following funding sources are gratefully acknowledged: Natural Science Foundation of China (projects 61370190, 61173154, 61272501, 61402029, 61202465 and 61472429), China National Key Basic Research Program (973 program, project 2012CB315905), Beijing Natural Science Foundation (project 4132056), Fundamental Research Funds for the Central Universities of China, Research Funds of Renmin University (No. 14XNLF02), European Commission (projects FP7 "DwB", FP7 "Inter-Trust" and H2020 "CLARUS"), Spanish Govt. (project TIN2011-27076-C03-01), Govt. of Catalonia (ICREA Acadèmia Prize to the fourth author). The fourth author leads the UNESCO Chair in Data Privacy, but the views in this paper do not commit UNESCO.