A Proxy-Based and Collusion Resistant Multi-Authority Revocable CPABE Framework with Efficient User and Attribute-Level Revocation (PCMR-CPABE)

Since cloud computing has become the “buzzword” in the information technology industry, researchers are looking into and identifying a number of solutions to the security challenges encountered by cloud users. The key security concerns of cloud users included enforcement of data confidentiality and fine-grained access control. Goyal et al. [1] have introduced attribute-based encryption (ABE) scheme to address and restrict unauthorized access to the cloud resident sensitive data and realized one-to-many encryption in the scheme. Ciphertext policy attribute based encryption (CPABE) is a class of ABE and has been introduced by Brethencourt et al. [2]. CPABE allowed one-to-many encryptions along with the enforcement of fine-grained access control. CPABE recommended that a data owner shall formulate an access policy and embed it with the encrypted sensitive files before outsourcing to the cloud. Additionally, the scheme states that any data user who wants to access the encrypted file should hold certain attributes such as name, pan card number, driving license, etc. These possessed attributes are used by a data user to obtain a secret key from the attribute authority. The attribute authority is the entity that manages attributes and distributes secret keys to the users. The obtained secret key is used by the data user to decrypt the ciphertext. Furthermore, the secret key of the data user should satisfy the defined access policy to successfully decrypt the ciphertext. For example, (Branch=CS AND (Profile=Faculty OR (Profile=Student AND Batch=2023))) is an access policy defined by the data owner of encrypted file. The access policy says a data user who is faculty of CS Branch or a student studying in CS Branch in 2023 can only satisfy the access policy. Only the data users whose secret key possess sufficient attributes could successfully decrypt the ciphertext. Existing studies have implemented CPABE either using single-authority or multi-authority systems.

In the single-authority CPABE scheme, the responsibility of generating and distributing the secret key to data users has been delegated to a single authority. Such an approach turns into an impractical approach if the attributes possessed by a data user are issued by distinct authorities. In the real world, attributes included in the access policy are issued by several authorities. For example, the income tax authority issues pan card, driving licences are issued by transport authorities, and so on. In such cases, the attributes possessed by a data user can be verified only by the issuing authorities. The multi-authority CPABE concept was therefore designed to satisfy the aforementioned need. Additionally, the threat of data loss escalates with the single authority. It is because the entire system could get affected if it were compromised by any attacker. The presence of multiple attribute authorities in the multi-authority CPABE scheme makes it challenging for the attackers to breach security.

The existing studies have proposed majorly two implementations in the different versions of the multi-authority CPABE scheme viz: centralized multi-authority CPABE scheme and decentralized multi-authority CPABE scheme [3, 4]. The former says that the central authority controls the distribution of the secret key of the user apart from handling users’ and attributes authorities’ registration. Whilst the latter implementation provides distributed control and the attribute authorities independently manage the attributes held by the data user as depicted in Figure 1.

1.png

Figure 1. Decentralized approach

Figure 1 exhibits the communication and data flow between various entities involved in the multi-authority CPABE scheme employing distributed control. The encrypted file uploaded by a data owner has a defined access policy. A user whose secret key satisfies the access policy can only decrypt the file successfully. For example, the access policy in Figure 1 states that the encrypted file shall be accessible to the user only if the data user possesses an aadhar card and pan card along with a driving licence or if he only possesses a driving licence and passport. It is demonstrated in Figure 1 that all the attributes are issued by distinct authorities and are independently controlled.

The researchers found numerous challenges with the base CPABE approach, including policing hiding, traceability, single-authority, revocability, etc. In this paper, the revocability challenge within the multi-authority CPABE scheme has been studied. Data users of the system in an organization leave or are denied access if traced as malicious users. It has remained a major challenge for researchers to provide an effective method for dynamically revoking such users with an effective computing capability. Apart from system-level revocation of a user, an efficient solution to attribute-level revocation has also remained a challenge amongst researchers. This paper contributes the solution to the revocation issue in multi-authority CPABE framework. The proposed framework of revocable decentralized multi-authority CPABE framework based on bilinear pairing cryptography contributes the following properties:

1. User and Attribute-level Revocation – the proposed PCMR-CPABE framework provide solutions to the user as well as attribute-level revocation. The proposed framework has employed a trusted proxy server to enforce fine-grained access control. The secret decryption key of a data user has two parts: secret key and proxy key. The secret keys are issued by the associated attribute authority to the data user and the proxy key is issued by the proxy server. The proxy key is time bound and is invalidated by the proxy server whenever the access privileges of the data user changes. The design of the framework allows dynamic revocation of access rights of a user if found malicious or if he exits the system. Many a time, users lose certain attributes however, are still a member of the system. Thus, the design of the framework dynamically allows the revocation of lost attributes and the data user shall be allowed to access only those files which are accessible with the remaining attributes.

2. Collusion Resistant – The proposed PCMR-CPABE framework's design makes it harder for the revoked users to collude in an attack as well as for the cloud service provider to collude with the revoked users. The research that currently exists paid little attention to collusion attacks carried on by dishonest cloud service providers. The proposed PCMR-CPABE framework gave minimal privileges to cloud service provider. The cloud service provider has been delegated no role in key distribution and decryption unlike existing schemes. Thus, the provider has no means to access or store the secret key or proxy key of data user. The proposed framework contributes an efficient collusion-resistant design of a multi-authority CPABE scheme.

3. Computationally Efficient – the proposed PCMR-CPABE framework is computationally efficient as it does not require an update of non-revoked users’ secret keys or ciphertext updates to enforce revocation. The design of the proposed framework employed a proxy server to control unauthorized access. Therefore, it has improved computational efficiency in comparison to the existing literature.

4. Dynamic and Scalable – as users in an organization leave and join frequently, thus their access privileges should be immediately updated to avoid unauthorized access. Similarly, the job roles of users keep changing in an organization and so as their access privileges. Additionally, these changes ought to be made immediately to prevent unauthorized access. The design of the proposed PCMR-CPABE framework ensures instant and scalable revocation as it only requires updating of the proxy key of revoked user to deny access.

The rest of the paper is organized as follows: the second section critically reviews the methodology adopted by the existing revocable multi-authority CPABE schemes, the third section discusses the mathematical background required for the proposed implementation, the fourth section proposes an efficient framework of revocable multi-authority CPABE scheme based on bilinear pairing cryptography, the fifth section assesses the strength of proposed framework against security attacks, the sixth section discusses and compares the performance of proposed framework with the existing schemes, the seventh section presents the implementation results. The ninth section serves as the conclusion of the study.

2.png

Figure 2. PCMR-CPABE framework

Security analysis aims to overview and assess the security threats against the proposed framework. In this section, security against data confidentiality and collusion attack has been proven. In addition, the realization of forward and backward secrecy in the framework has been assessed in the following propositions:

5.1 Proposition 1

If the decisional q-parallel BDHE assumption is true, then the adversaries’ algorithms that run in polynomial time and have LSSS share matrix of $m^* \times n^*$ where $m^*, n^* \leq q$ as achallenge, will have a negligible advantage when trying to selectively compromise the security of the proposed framework.

Provability:

Init: The challenger $C$ accepts q-parallel BDHE challenge $\vec{y}, T$ and receives the challenge access matrix $\left(M^*, \rho^*\right)$ by adversary $A$, where $M^*$ is a matrix of $m$ rows and $n$ cols with $m^*, n^* \leq q$ and $\rho^*$ functions as mapping function. Here, $\vec{y}=$ $\left(g, g^s, g^a, \ldots \ldots, g^{\left(a^q\right)}, g^{a^{q+1}}, \ldots \ldots \ldots \ldots g^{a^{2 q}}\right)$ and if the message stays secret from the adversary then a random element will be generated through group $G_T$ and assigned to $T$, otherwise $T=e(g, g)^{a^{q+1} v}$.

Setup: The challenger in the first place chooses a random parameter $v \in Z_p$ and sets $s=v a^{q+1}$ and then runs two modules Global_Setup() and AAReg() and shares $g$ with the adversary. The adversary then chooses a set of compromised authorities $S_A^{\prime}$ and shares with the challenger. The challenger then chooses three random parameters $\left(\delta_{\mathrm{k}}, \beta_{\mathrm{k}}, \gamma_{\mathrm{k}}\right) \in Z_p$ for each uncompromised authorities $A A_k$, where $k \in S_A-S_A^{\prime}$.

Furthermore, the challenger computes a random oracle $y_{x_k}$ and chooses random parameter $z_{x_k} \in Z_p$ for each attribute $x$ in the system of $k$ attribute authority and $I$ represents the set of indices such that

$y_{x_k}=g^{x_k} \prod_{i \in I} g^{a . \mathcal{M}_{i, 1} / b_i} \cdot g^{a^2 \mathcal{M}_{i, 2} / b_i} \ldots \ldots \ldots \ldots g^{a^n \mathcal{M}_{i, n} / b_i}$

If $I=0$, such that there does not exist any $i$ for $\rho^*(i)=x$, then $y_{x_k}=g^{z_x}$.

Thereafter, the challenger computes the public key $P K_k$ using the above mentioned $S K_k=\left(\delta_{\mathrm{k}}, \beta_{\mathrm{k}}, \gamma_{\mathrm{k}}\right) \in Z_p$ for all uncorrupted authorities such that

$P K_k=\left(A A 1_k=Z^{\delta_{\mathrm{k}} \cdot \beta_{\mathrm{k}}}, A A 2_k=g^{\delta_{\mathrm{k}} \cdot \beta_{\mathrm{k}}}, \quad Y_i=g^{t_i}\right.$ where $\left.i \epsilon S_{A_k}\right)$    

Moreover, adversary is distributed a unique user ID $P K_u$ by the challenger such that,

$P K_u=\left(\left(g_u, a_u, b_u\right) \epsilon Z_p, U 0=g_u\left(a_u+b_u\right), U 1=g_u \cdot a_u \cdot b_u, U 2=g_u \cdot a_u\right)$

where, $\left(g_u, a_u, b_u\right) \in Z_p$ are randomly chosen parameters.

Phase 1: In the phase 1, the challenger responds to multiple queries issued by the adversary on secret key and the proxy key where each query has two inputs $I D_u$ and $S_k$, user id and set of attributes respectively. It is assumed that $S_k$ belongs to uncorrupted authorities. Subsequently, the revocation list $R_1^*=\left\{u_0^*, u_1^*, \ldots \ldots . u_k^*\right\}$ is shared to challenger and the challenger updates its list $R^*$. The challenger returns null value on the condition that the $S_k$ shared by the adversary satisfies the access matrix $\left(M^*, \rho^*\right)$ however, $\left\{u_j^*\right\} \notin R^*$. Otherwise, following conditions holds true:

• If $S_k$ of adversary $A$ does not satisfies $\left(M^*, \rho^*\right)$ and the user $\left\{u_j^*\right\} \notin R^*$, then a vector $\vec{r}=\left(r_1, r_2, \ldots . . r_{n^*}\right) \in Z_p$ is generated where $w_1=-1$ and $\forall i, \rho^*(i) \in S_k^{\prime}$ and $M^* \cdot \vec{r}=0$. Furthermore, the challenger randomly computes $x, y, z \in Z_p$ and defines $q_u, a_u, b_u$ as follows:

$q_u=t 1_u=x^{\prime}+w_1 \cdot a^q+w_2 \cdot a^{q-1} \ldots \ldots+w_n \cdot a^{q-n^*+1}$     (10)

$a_u=t 2_u=y^{\prime}+w_1 \cdot a^q+w_2 \cdot a^{q-1} \ldots \ldots .+w_n \cdot a^{q-n^*+1}$      (11)

$b_u=t 3_u=z^{\prime}+w_1 \cdot a^q+w_2 \cdot a^{q-1} \ldots \ldots .+w_n \cdot a^{q-n^*+1}$      (12)

and further computes

13.png

$K 1_k=g^{g_u}=g^{t 1_u}=g^{x^{\prime} \cdot \prod_{i=1, n^*}\left(g^{a^{q-i+1}}\right)\quad^{w_i}}$          (14)

15.png

16.png

For each $x_k$ in the access structure, $K 2_{x_k}$ computation turns harder as the term $g^{a^{q+1 / b_i}}$ is hard to compute.

• If the user $\left\{u_j^*\right\} \in R^*$, then as explained above all the secret decryption key components are computed. Subsequently, proxy key PXK is generated by the challenger on the request of adversary. If the $\left\{u_j^*\right\} \in R^*$, the $b$ component of PXK is invalidated in the game to cause failure of the decryption process. In the same way, if $\left\{u_j^*\right\}$ loses $x^*$ attributes that is $S_j^{\prime}=S_j-x^*$, and the attacker computes valid secret decryption key then also, if $S_j^{\prime}$ is insufficient to satisfy the challenge access matrix then also PXK fails the decryption process.

Challenge: In the challenge phase, the adversary shares two equal-length messages $M_0, M_1 \in G_T$ along with the access policy $\left(M^*, \rho^*\right)$ to the challenger, such that either $u_i^* \in R^*$ or $S_k$ do not satisfy access matrix. At this phase, challenger has to flip a coin $c$ to select one of the acquired messages $M_c$ (where $\left.c \in 0,1\right) . M_c$ is used to generate the ciphertext.

The challenger computes the ciphertext as follows:

$C=\mathcal{M} \cdot e(g, g)^s=C=\mathcal{M} \cdot e(g, g)^{v a^{q+1}}, C 0=g^{v a^{q+1} s}$      (17)

In addition, a vector $\quad \vec{v}=\left(s, s a+\overline{y_2}, s a^2+\right.$ $\left.\overline{y_3}, \ldots \ldots . s a^{n-1}+\overline{y_n}\right) \in Z_p^{n^*}$ is computed, where $\mathrm{s}$ is secret that has to be shared and $\overline{y_2}, \ldots \ldots \ldots \overline{y_n}$ are randomly chosen. Furthermore, the challenger randomly chooses $r_1^{\prime}, r_2^{\prime}, \ldots \ldots . r_l^{\prime}$. Subsequently, it generates $R_i$ for $1, \ldots, n^*$. $R_i$ includes all $k \neq i$, where $\rho^*(k)=\rho^*(i)$. Thus, the ciphertext components are computed as follows:

$C 1_{i_k}=g^{\lambda_{i_k}}=\prod_{j=2, \ldots, n^*} g^{M_{i, j}^* \cdot y_j^{\prime}}$     (18)

$C 2_{i_k}=g^{r_{i_k}}=g^{r_{i_k}^{\prime}} \cdot g^{s b_{i_k}}$     (19)

$\begin{gathered}C 3_{i_k}=g^{\lambda_{i_k}} \cdot y_{i_k}^{-r_{i_k}}=y_{i_k}^{r_i^{\prime}}\left(\prod_{j=2, \ldots, n^*} g^{M_{i, j}^* \cdot y_j^{\prime}}\right) \cdot\left(g^{s b_i}\right)^{-z_{i_k}} \cdot\left(\prod_{k \in R_i} \prod_{j=1, \ldots n^*}\left(g^{s \cdot\left(b_i / b_k\right)}\right)^{M_{k, j}^*}\right) \\ C 4_{i_k}=g^{-u \cdot r_{i_k}}=g^{r_{i_k}^{\prime}} \cdot g^{s b_{i_k}}-u\end{gathered}$      (20)

Phase 2: Same as phase 1

Guess: In phase 2, the adversary has to guess $c^{\prime}$. If $c^{\prime}=c$, and the challenger returns 0 which means $T=e(g, g)^{a^{q+1} s}$ and, 1 indicates $T$ is some random element in $G_T$ and message secrecy is maintained. If $T=e(g, g)^{a^{q+1} s}$, then we get $\operatorname{Pr}\left[B\left(\vec{y}, T=e(g, g)^{a^{q+1} s}\right)=0\right]=\frac{1}{2}+A d v_A$, and if $\mathrm{T}$ is random element, we have $\operatorname{Pr}[B(\vec{y}, T=R)=0]=$ $\frac{1}{2}$. Consecutively, it can be stated that the adversary has nontrivial advantage in q-parallel BDHE security game and the proposed framework has been proven secure.

5.2 Proposition 2

The proposed framework is secured against unauthorized access and ensures traceability and data confidentiality.

Provability: In the proposed framework each user is assigned a unique identity component $P K_u=(U 0, U 1, U 2)$. Additionally, the identity component is incorporated in the secret key and the proxy key of the user. Thus, no two users who possess similar attributes can have identical keys. Consequently, the framework allows quick traceability of the malicious user. Moreover, the secret decryption key decrypts the ciphertext only if the key satisfies the access policy. The access policy in the proposed framework has been defined using a linear secret sharing scheme (LSSS) and every LSSS scheme holds linear reconstruction property [25]. The share matrix $W$ of the secret sharing scheme $\Pi$ has $m$ rows and $n$ cols. Each row of $W$ is mapped to the associated attribute through a mapping function $\rho$. Thus, $\forall i=$ $1, \ldots \ldots, m, \rho(i)$ is the attribute that labels row $i$. For generating secret shares a vector $\vec{v}=\left(s, r_2, r_3, \ldots \ldots \ldots, r_n\right)$ is defined, where $s \in Z_p$ represents shared secret and $r_2, r_3, \ldots \ldots \ldots, r_n \in Z_p$ are randomly chosen numbers, then according to $\Pi, W . \vec{v}$ is a vector of $l$ shares of secret. Each share $W \cdot \overrightarrow{v_l}$ belongs to attribute $\rho(i)$. 

For the access structure $\mathbb{A}$, let $S \in \mathbb{A}$ be any authorized set, and for the access matrix $M$ with $m$ rows and $n$ cols, let $I \subset$ $\{1,2, \ldots \ldots \ldots . . m\}$ where, $I=\{i: \rho(i) \in S\}$, there exists constants $w_i \in Z_p$ where $i \in m$. Thus, for valid shares $\lambda_i$, $\sum_{i \in I} w_i \lambda_i=s$. Additionally, it is also proved in [25] that the constants $w_i \in Z_p$, where $i \in I$, can be found in polynomial time and for any unauthorized sets, no such $w$ exists.

Thus, the LSSS employability for access structure in the proposed framework ensures data confidentiality and avoids unauthorized access.

5.3 Proposition 3

The proposed framework is resilience to collusion attacks.

Provability: The proposed framework has addressed the possibility of revoked users colluding with each other as well as the capability of the cloud service provider to collude with the revoked users. As in the proposed framework, each user has been assigned a unique identity component $P K_u$, thus no two users with insufficient attributes can collude. As the users’ ID has been embedded in the secret key of the user, thus users cannot combine their attributes in decryption. Furthermore, in the encryption algorithm, the message $\mathcal{M}$ has been blinded while generating ciphertext component $C=\mathcal{M} \cdot e(g, g)^s$. As explained in proposition 2, for the valid value of s, $\sum_{i \in I} w_i \lambda_i=s$. Thus, any user who wants to access the encrypted file and recover $\mathcal{M}$ must recover the component $B=e(g, g)^{U 1 . s}$  in decrypt module by pairing secret key, proxy key and ciphertext components. If the users possess matching keys, this term will cancel out and message $\mathcal{M}$ is retrieved else the term cannot be canceled. Thus, if two revoked users attempt to conspire and collude together, while using different IDs, this term do not get cancelled. Consequently, the decryption process fails.

Furthermore, the secret keys and the proxy key are directly distributed to the data user by the authorities. Since the cloud do not participate in any module and do not have any information of the secret key, they cannot collude with the revoked users. Even if they attempt to collude, the time bound proxy key fails the collusion. The proxy key has an associated expiry time with it and thus, the older version of the proxy key is not useful for the revoked user to decrypt the ciphertext. Consequently, the cloud service provider has no means to aid in unauthorized access by colluding with the revoked user. Therefore, our proposed framework achieves full collusion resistance

5.4 Proposition 4

The proposed framework ensures forward and backward secrecy.

Provability: The proxy server ensures forward and backward secrecy in the proposed framework. Backward secrecy implies that the revoked user cannot decrypt files that were earlier accessible. In the proposed framework, to successfully execute the decryption process, the data user is required to acquire proxy key PXK from the proxy server. The generated proxy key is associated to ciphertext as it calculates $C \_1_i=C 1_i{ }^{\left(b_u\right)}$ where C1 is the component of requested ciphertext and b is the component of private key of user. When the user’s access privileges are revoked, the proxy key generated by the proxy server invalidates the component b while calculating the $C \_1_i$ term. The generated proxy key causes the failure of decryption process and thus, denies revoked user’s access to the files which were earlier accessible. Moreover, the proxy key is time bound. Once it is expired, it cannot be reused. The user has to again request for the new proxy key to access encrypted file. Consequently, the proxy key helps to enforce fine-grained access control.

Similarly, the forward secrecy implies denial of access of newly uploaded files to revoked user. Here also the requested proxy key imposes fine-grained access control by causing the failure of decryption process and thus, refraining the revoked users. Consequently, the proposed framework makes it harder for the revoked user to breach security.

The Stanford Pairing-based Crypto Library from the Charm-Crypto framework has been employed to construct the proposed framework [27]. Charm-Crypto framework is a python based framework that provides libraries to support implementation of pairing based cryptography. The proposed framework has employed Toolbox modules from the Charm-Crypto architecture. The Charm-Crypto architecture is based on OpenSSL, GMP and PBC libraries to efficiently construct attribute based encryption schemes. The Toolbox module is a library of various python or C based sub-modules such as pairinggroup, integergroup, Hash, secretutil, msp, etc. These modules help in pairing parameters generation, parsing access policy and implementing attribute based encryption schemes.

The proposed implementation is based on a singular symmetric elliptic curve group (“SS512”) of 160-bit order. All the experimental trials have been conducted using Python 3.7.13 over the Oracle Virtual Box 6.1. The virtual platform operates on a Windows 11 machine with an Intel Core i3 processor running at 1.20 GHz and 8 GB of RAM to run Ubuntu 22.04.

The experimental results delineate the computing time required by all the algorithms of the proposed framework on various criteria. Stable experimental results have been obtained by an average of 15 experimental trials. The algorithms of the proposed framework are mainly based on pairing, multiplication and exponentiation operation. The framework has employed randomly selected attribute sets of equal size for keygen module and a text file of 12 kb size for encryption and decryption module to perform experiments. Figure 3 exhibits the computing time consumed by the KeyGen, Encrypt, Decrypt, and ProxKeyGen algorithm when the number of attribute authorities is varied from 2 to 20 against the number of attributes owned by the attribute authorities is fixed to 5. It has been observed that the increase in the number of attribute authorities linearly increases the execution time of algorithms. However, increase in the number of attribute authorities has little impact on the ProxKeyGen algorithm, whilst the encryption and decryption algorithm’s computing time grows linearly with the increasing number of attribute authorities. Thus, the observations exhibit the computational efficiency of the proposed framework and conclude that the framework stays computationally efficient even when the load increases in the form of increasing number of attribute authorities.

In addition, Figure 4 expresses the computing time consumed by the Keygen algorithm when attribute authorities are fixed to 5 and user attributes are varied from 5 to 20. The execution time of the KeyGen algorithm grows linearly with the increasing number of user attributes. After comparing Figures 3 and 4, it has been observed that changing the number of attribute authorities has a significant impact on the keygen algorithm's execution time. Figures 5 and 6 depict the execution time of the Encryption and Decryption algorithm. Both the algorithms are dependent on the number of policy attributes. A linear relationship exists between the number of policy attributes and algorithmic computation time. To calculate the experimental findings, policy attributes, in this case were varied from 5 to 20. Since the decryption algorithm varies with the matched user attributes, thus the decryption algorithm consumes less computing time than the encryption algorithm. Furthermore, the Proxkeygen algorithm computing time result has been considered in all the cases viz: no revocation, user revocation, and attribute-level revocation. Figure 7 demonstrates the impact of policy attributes on the computing time of the Proxkeygen algorithm in case of no revocation and user revocation. Both algorithms consume an equivalent amount of computing time. In the same way, Figure 8 depicts the execution time consumed during the attribute-level revocation. In this experiment it has been demonstrated that the execution time of the proxkeygen algorithm increases linearly with the increasing number of revoked attributes. Consequently, it can be stated that the proposed framework avoids heavy computation costs and is efficiently implementable.

Every experimental operation depicts that the increase in the load in terms of number of attributes, number of policy attributes or number of attribute authorities in the algorithm add minimal increase in computational cost due to the presence of proxy server. The incorporation of proxy server eliminated the need of ciphertext re-encryption or key update of non-revoked users with every change in access privileges. The proposed framework also eliminated the need to outsource partial decryption to cloud service provider.

3.png

Figure 3. Execution time

4.png

Figure 4. Key generation algorithm

5.png

Figure 5. Encryption algorithm

6.png

Figure 6. Decryption algorithm

7.png

Figure 7. Proxy key generation algorithm (1)

8.png

Figure 8. Proxy key generation algorithm (2)