# Practical, Provably Secure, and Black-Box Traceable CP-ABE for Cryptographic Cloud Storage

## Abstract

## 1. Introduction

**OR** (IT engineer **AND** New York branch)”, then publish the encrypted message to the cloud. All users can download the message, but only a user who possesses the attribute {accountant} or the attributes {IT engineer, New York branch} can recover the message, because only those attribute sets satisfy the access control policy. CP-ABE thus provides role-based, fine-grained, and expressive access control through the encryption method itself; moreover, the management of access control is transferred from the CSP to the data owners. The data stored in a public CCS can be shared securely, even if the CSP may be suspicious. Thus, CP-ABE is regarded as an ideal technique for access control, especially in cryptographic cloud storage and similar scenarios.

**Our contribution.** On the basis of the analysis above, we believe it is necessary to realize black-box traceability in CCS. However, most black-box traceable CP-ABE schemes are impractical due to costly computation, the absence of scalability, or an inefficient tracing method. Although the scheme of [15] was the first to provide a practical black-box traceable CP-ABE scheme, it is not as secure, because its security proof is based on the generic group model instead of the standard model. Motivated by the search for a practical and secure CP-ABE scheme for the efficient implementation of access control in CCS, we design a new black-box traceable scheme. The following features make the scheme truly practical for a CCS system.

- **High practicability**: To solve the problem of unacceptable computation cost, and to make the scheme practical for most CCS systems, our scheme is constructed on prime order bilinear groups instead of composite order bilinear groups. This sharply cuts the computation cost of group operations in the CP-ABE system. Unlike most prior black-box traceable schemes, our scheme is scalable and significantly more efficient. More importantly, in our construction, the cost of the tracing algorithm is $O(N)$ or even $O(1)$. Therefore, the scheme could be very practical in a variety of applications.
- **Provable security**: The scheme is proved secure in the selective standard model while achieving high efficiency similar to that of the scheme of [15].

## 2. Related Work

## 3. Background

#### 3.1. Access Structures

#### 3.2. Linear Secret-Sharing Schemes (LSSS)

#### 3.3. Bilinear Groups and Complexity Assumption

#### 3.3.1. Bilinear Groups

- Computability: For all $u,v\in \mathbb{G}$, $e(u,v)$ is computable.
- Non-degeneracy: $e(g,g)\ne 1$.
- Bilinearity: For any $u,v\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_{p}$, there is $e({u}^{a},{v}^{b})=e{(u,v)}^{ab}$.

#### 3.3.2. Complexity Assumption

#### 3.4. CP-ABE Definition and Security Model

- `Setup`$(U,\lambda )\to (PK,MK)$. The setup algorithm is used to set up the system parameters. It takes as inputs the attribute universe $U$ and the security parameter $\lambda $ and outputs a master secret key $MK$ and the public parameter $PK$.
- `KeyGen`$(S,MK)\to (SK)$. This algorithm generates a private key $SK$ according to the user’s attribute set $S$ by applying the master key $MK$.
- `Encrypt`$(M,\mathbb{A},PK)\to (CT)$. The `Encrypt` algorithm encrypts a message $M$ under an access structure $\mathbb{A}$ by using the public parameter $PK$. It outputs a ciphertext $CT$ that can be decrypted by a user whose attribute set satisfies $\mathbb{A}$.
- `Decrypt`$(CT,PK,SK)\to (M)$. This algorithm decrypts a ciphertext $CT$, which contains the access structure $\mathbb{A}$, with the private key $SK$ and the public parameter $PK$. If the attribute set of $SK$ satisfies $\mathbb{A}$, it correctly decrypts $CT$ and outputs $M$; otherwise it outputs ⊥.

#### 3.4.1. Selective Security Model for CP-ABE

**Init.** $\mathcal{A}$ selects an access structure ${\mathbb{A}}^{\ast}$ and submits it to the challenger.

**Setup.** The `Setup` algorithm is performed by the challenger to produce the public parameter $PK$, which the challenger then gives to $\mathcal{A}$.

**Phase 1.** For each $1\le i\le {q}^{\prime}$, $\mathcal{A}$ queries the challenger for the private key of the attribute set ${S}_{i}$, and the challenger responds with the key $S{K}_{{S}_{i}}$. Note that none of ${S}_{1},\dots ,{S}_{{q}^{\prime}}$ satisfies ${\mathbb{A}}^{\ast}$.

**Challenge.** $\mathcal{A}$ chooses two messages ${M}_{0},{M}_{1}$ of equal length and gives them to the challenger. The challenger flips a random coin $b\in \{0,1\}$, encrypts ${M}_{b}$ under the access structure ${\mathbb{A}}^{\ast}$, and gives the ciphertext to $\mathcal{A}$.

**Phase 2.** For each $({q}^{\prime}+1)\le i\le q$, $\mathcal{A}$ queries the challenger for the private key of the attribute set ${S}_{i}$, and the challenger responds with the key $S{K}_{{S}_{i}}$. Note that none of ${S}_{{q}^{\prime}+1},\dots ,{S}_{q}$ satisfies ${\mathbb{A}}^{\ast}$.

**Guess.** $\mathcal{A}$ finally outputs a guess ${b}^{\prime}\in \{0,1\}$.

**Definition 1.**

#### 3.4.2. Traceability for CP-ABE

`Encrypt`${}_{Trace}(M,\mathbb{A},PK)\to (TCT,trap)$. The algorithm applies the public parameter $PK$ to encrypt the message $M$ under an access structure $\mathbb{A}$. It outputs a tracing ciphertext $TCT$ which can be “decrypted” by a user whose attributes satisfy $\mathbb{A}$. When a decryption result is returned, $trap$ is used to search for the private key. Note that $TCT$ is called the tracing ciphertext in this paper.

#### 3.4.3. Security Model for Compulsory Traceability

**Setup.** The `Setup` algorithm is performed by the challenger to produce the public parameter $PK$, which the challenger then gives to $\mathcal{A}$.

**Phase 1.** For each $1\le i\le {q}^{\prime}$, $\mathcal{A}$ queries the challenger for the private key of the attribute set ${S}_{i}$, and the challenger responds with the key $S{K}_{{S}_{i}}$.

**Challenge.** $\mathcal{A}$ selects an access structure ${\mathbb{A}}^{\ast}$, then submits it to the challenger. The challenger chooses a message $M\in {\mathbb{G}}_{T}$ at random and flips a random coin $b\in \{0,1\}$. When $b=0$, the challenger runs `Encrypt`$(PK,M,{\mathbb{A}}^{\ast})\to (C{T}_{0})$ and outputs $(C{T}_{0})$; otherwise he runs `Encrypt`${}_{Trace}(PK,M,{\mathbb{A}}^{\ast})\to (C{T}_{1},trap)$ and outputs $(C{T}_{1})$. Next he gives $C{T}_{b}$ to $\mathcal{A}$.

**Phase 2.** For each $({q}^{\prime}+1)\le i\le q$, $\mathcal{A}$ queries the challenger for the private key of the attribute set ${S}_{i}$, and the challenger responds with the key $S{K}_{{S}_{i}}$.

**Guess.** $\mathcal{A}$ finally outputs a guess ${b}^{\prime}\in \{0,1\}$.

**Definition 2.**

## 4. Our Construction

#### 4.1. Concrete Construction

- `Setup`$(U,\lambda )\to (PK,MK)$. Taking as inputs the attribute universe $U$ and the security parameter $\lambda $ ($\lambda $ determines the size of $p$), this algorithm chooses a bilinear group generator to produce $(p,g,\mathbb{G},{\mathbb{G}}_{T},e)$. Then, the algorithm randomly chooses exponents $\alpha ,\beta ,a\in {\mathbb{Z}}_{p}$ and the group elements ${\{{h}_{x},{f}_{x}\in \mathbb{G}\}}_{x\in U}$. It publishes the public parameter as:

  $$PK=(\mathbb{G},{\mathbb{G}}_{T},g,{g}^{a},h={g}^{\beta},e{(g,g)}^{\alpha},{\{{h}_{x},{f}_{x}\}}_{x\in U})$$

- `KeyGen`$(MK,S)\to (SK,I{D}_{SK})$. This algorithm generates a private key $SK$ according to the user’s attribute set $S$ by applying the master key $MK$. It selects the exponents $r,{\left\{{r}_{j}\right\}}_{j\in S}\in {\mathbb{Z}}_{p}$ at random. Then, it computes and outputs the key $SK$:

  $$(D={g}^{(\alpha +ar)/\beta},\ \forall j\in S:\ {D}_{j}={g}^{r}\cdot {f}_{j}^{{r}_{j}},\ {D}_{j}^{\prime}={g}^{{r}_{j}},\ {D}_{j}^{\prime \prime}={h}_{j}^{r},\ {D}_{j}^{\prime \prime \prime}={h}_{j}^{{r}_{j}})$$

- `Encrypt`$(PK,M,(A,\rho ))\to (CT)$. The `Encrypt` algorithm encrypts a message $M$ under $(A,\rho )$ by using the public parameter $PK$. $A$ is an $m\times n$ LSSS matrix according to the access policy, and each row ${A}_{i}$ of $A$ can be mapped to an attribute $\rho (i)$. This algorithm chooses the elements of the vector $v=(s,{v}_{2},\dots ,{v}_{n})\in {\mathbb{Z}}_{p}^{n}$ at random. Then, for each row ${A}_{i}$ of $A$, it randomly chooses ${z}_{i},{t}_{i}\in {\mathbb{Z}}_{p}$ and calculates ${u}_{i}={A}_{i}\cdot v$. Finally, it outputs the ciphertext $CT$ as

  $$((A,\rho ),\ C=Me{(g,g)}^{\alpha s},\ \tilde{C}={h}^{s},\ \forall i\in [m]:\ {C}_{i}={g}^{a{u}_{i}}{h}_{\rho (i)}^{{z}_{i}},\ {C}_{i}^{\prime}={f}_{\rho (i)}^{a{u}_{i}}{h}_{\rho (i)}^{{t}_{i}},\ {C}_{i}^{\prime \prime}={g}^{{z}_{i}},\ {C}_{i}^{\prime \prime \prime}={f}_{\rho (i)}^{{z}_{i}},\ {C}_{i}^{\prime \prime \prime \prime}={g}^{{t}_{i}}).$$

- `Decrypt`$(PK,SK,CT)\to (M)$. The algorithm decrypts a ciphertext $CT$, which contains the access structure $(A,\rho )$, with the private key $SK$ and the public parameter $PK$. If the access policy of $(A,\rho )$ can be satisfied by an attribute set $I\subseteq S$ ($S$ is the attribute set associated with $SK$), the algorithm computes the constants ${w}_{i}\in {\mathbb{Z}}_{p}$ such that ${\sum}_{\rho (i)\in I}{w}_{i}{A}_{i}=(1,0,\dots ,0)$, then computes

  $$\frac{e(D,\tilde{C})}{{\prod}_{\rho (i)\in I}{\left(\frac{e({D}_{\rho (i)},{C}_{i})\,e({D}_{\rho (i)}^{\prime \prime \prime},{C}_{i}^{\prime \prime \prime \prime})}{e({D}_{\rho (i)}^{\prime},{C}_{i}^{\prime})\,e({D}_{\rho (i)}^{\prime \prime},{C}_{i}^{\prime \prime})\,e({D}_{\rho (i)}^{\prime \prime \prime},{C}_{i}^{\prime \prime \prime})}\right)}^{{w}_{i}}}=e{(g,g)}^{\alpha s}$$

  The algorithm continues to compute $M=C/e{(g,g)}^{\alpha s}$ to finish the decryption. If the attribute set according to $SK$ cannot satisfy $(A,\rho )$, it outputs ⊥.

#### 4.2. Traceability

`Encrypt`${}_{Trace}$ algorithm, which is used to generate the tracing ciphertext, as follows:

`Encrypt`${}_{Trace}(PK,M,(A,\rho ))\to (TCT,trap)$. The algorithm encrypts a message $M$ under $(A,\rho )$ by using the public parameter $PK$. It takes almost the same steps as the algorithm `Encrypt`$(PK,M,(A,\rho ))\to (CT)$. The only difference is that it chooses two random elements $s$ and ${s}^{\prime}$ in ${\mathbb{Z}}_{p}$, and forms the sharing vector as $v=({s}^{\prime},{v}_{2},\dots ,{v}_{n})$ to calculate ${u}_{i}={A}_{i}\cdot v$. Then, it computes the ciphertext $TCT$ as

$$((A,\rho ),\ C=Me{(g,g)}^{\alpha s},\ \tilde{C}={h}^{s},\ \forall i\in [m]:\ {C}_{i}={g}^{a{u}_{i}}{h}_{\rho (i)}^{{z}_{i}},\ {C}_{i}^{\prime}={f}_{\rho (i)}^{a{u}_{i}}{h}_{\rho (i)}^{{t}_{i}},\ {C}_{i}^{\prime \prime}={g}^{{z}_{i}},\ {C}_{i}^{\prime \prime \prime}={f}_{\rho (i)}^{{z}_{i}},\ {C}_{i}^{\prime \prime \prime \prime}={g}^{{t}_{i}})$$

`Encrypt`${}_{Trace}(PK,M,(A,\rho ))\to (TCT,trap)$, and send $TCT$ to $\mathcal{D}$ while keeping the $trap$. If $\mathcal{D}$ correctly performs the decryption algorithm `Decrypt` as

**Efficient tracing.** We can trace a black-box efficiently by setting the parameter ${s}^{\prime}=s+1$ rather than randomly choosing ${s}^{\prime}$. In this case, $trap$ is always set to 1. Thus, for the search in $LID$, we can directly compare $W$ to $I{D}_{SK}$, which makes the search quite efficient.

#### 4.3. Performance Analysis

#### 4.3.1. Theoretical Analysis of Performance

**Computation efficiency**. In fact, our scheme is much simpler than most prior black-box traceable schemes, especially the schemes of [11,12,13], which are constructed on composite order bilinear groups. In general, the order $n$ of a composite order elliptic curve group must be at least 1024 bits to make sure that $n$ is infeasible to factor. Meanwhile, a prime order elliptic curve group whose size is 160 bits can provide an equivalent level of security [41]. Thus, group operations on composite order bilinear groups, especially pairing and exponentiation computations, are very costly. For example, the cost of a Tate pairing operation on a 1024-bit composite order elliptic curve is about 50 times the cost of the same pairing operation on a prime order curve with comparable security [42]. Hence, we construct our system on prime order bilinear groups. Although the scheme of [14] is also constructed on prime order bilinear groups, it is clear from Table 1 that its computation cost is much higher than that of our scheme.

**Scalability**. In most prior black-box traceable CP-ABE schemes, the public key size, the ciphertext length, or the private key length depends on $N$, so the schemes are not scalable. Therefore, the whole system has to be reset when a new user joins. This makes these schemes impractical in many applications. By contrast, our construction is scalable, because the size of the public key, the ciphertext length, and the private key length are all independent of $N$.

**Tracing efficiency**. As mentioned in Section 2, when there are relatively many users in a system, tracing could be very costly in most black-box traceable CP-ABE systems. To trace a black-box in [11,12,13,14], one needs to perform the tracing step $N+1$ times, and each time one has to run the encryption algorithm $8\lambda {(N/\epsilon )}^{2}$ times, where $\epsilon \le 1$ and $\lambda $ is the security parameter. In our system, one just needs to perform the algorithm `Encrypt`${}_{Trace}$ once to trace a black-box, and `Encrypt`${}_{Trace}$ has the same cost as the normal encryption algorithm `Encrypt`. In addition, in our scheme one has to search the $LID$ to find the malicious user, but this is a light operation and the cost is at most $O(N)$. Actually, with efficient tracing, the searching cost is almost negligible compared with the encryption. In this case, if the cost is measured in terms of heavy operations such as exponentiations and pairing computations, the cost of tracing is $O(1)$.

**Security**. In Table 2, we also provide a brief security comparison with some related works. As Table 2 shows, all the schemes are CPA secure or selectively CPA secure. But unlike [15], our scheme is based on a complexity assumption; thus, its security is comparable to that of the schemes in [11,14,30]. In addition, comparing the performance shows that the scheme of [15] and the scheme of this paper are the only two practical black-box traceable schemes that can be implemented in CCS. However, the scheme of [15] is only proved secure in the generic group model, while this work is proved secure in the standard model under a non-interactive assumption. Thus, this scheme is more suitable for the implementation of access control in CCS.

#### 4.3.2. Performance Measurements

## 5. Security Proof

**Theorem 1.**

**Proof of Theorem 1.**

**Init.** The adversary $\mathcal{A}$ chooses an LSSS access structure $(A,\rho )$ with matrix $A$ of size $m\times n$, where $m,n\le q$, and gives it to the simulator.

**Setup.** The simulator chooses exponents ${\alpha}^{\prime},\beta ,{\{{c}_{x},{d}_{x}\}}_{x\in U}\in {\mathbb{Z}}_{p}$ at random, and sets $e{(g,g)}^{\alpha}=e({g}^{a},{g}^{{a}^{q}})e{(g,g)}^{{\alpha}^{\prime}}$, which means that $\alpha ={\alpha}^{\prime}+{a}^{q+1}$. For each $x\in U$, $X$ denotes the set $X=\{i:\rho (i)=x\}$ ($i$ is the index of the row in $A$), and the simulator computes ${f}_{x}$ and ${h}_{x}$ as:

**Phase 1.** For each private key query, the simulator responds as follows. Suppose the adversary $\mathcal{A}$ gives the simulator a key query for an attribute set $S$ that does not satisfy the access structure $(A,\rho )$, and let the set ${I}_{S}=\{i\mid \rho (i)\in S\}$. Then, the simulator chooses ${r}^{\prime}\in {\mathbb{Z}}_{p}$ at random, and finds a vector $w=({w}_{1},\dots ,{w}_{n})$ such that ${w}_{1}=-1$ and $w\cdot {A}_{i}=0$ for all $i\in {I}_{S}$. This vector must exist, due to the property of LSSS discussed in Section 3. Then the simulator implicitly sets $r={r}^{\prime}+{\sum}_{l=1}^{n}{w}_{l}{a}^{q-(l-1)}$ by letting

**Challenge.** $\mathcal{A}$ gives the simulator two messages ${M}_{0},{M}_{1}$. The simulator flips a random coin $b\in \{0,1\}$, and computes

**Phase 2.** $\mathcal{A}$ queries the simulator for private keys, and the simulator responds in the same way as in Phase 1.

**Guess.** $\mathcal{A}$ outputs a guess ${b}^{\prime}$. When $b={b}^{\prime}$, the simulator outputs 0 to indicate that $E=e{(g,g)}^{{a}^{q+1}s}$; otherwise the output is 1. When $E=e{(g,g)}^{{a}^{q+1}s}$, the simulation is perfect; hence, we have

**The generic bilinear group model** [10]. Suppose that there are two random encodings ${\psi}_{0},{\psi}_{1}$ of the group ${\mathbb{Z}}_{p}$, which are injective maps ${\psi}_{0},{\psi}_{1}:{\mathbb{Z}}_{p}\to {\{0,1\}}^{m}$, where $m>3\log (p)$. Let the group $\mathbb{G}=\{{\psi}_{0}(x):x\in {\mathbb{Z}}_{p}\}$ and ${\mathbb{G}}_{T}=\{{\psi}_{1}(x):x\in {\mathbb{Z}}_{p}\}$. We are given oracles for the computation of the group operation on $\mathbb{G},{\mathbb{G}}_{T}$ and of the bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{T}$. $\mathbb{G}$ is referred to as the generic bilinear group.

**Theorem 2.**

**Proof of Theorem 2.**

## 6. Conclusions

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## Abbreviations

CCS | Cryptographic cloud storage |

CP-ABE | Ciphertext-policy attribute-based encryption |

KP-ABE | Key-policy attribute-based encryption |

DO | Data owner |

CSP | Cloud service provider |

LSSS | Linear Secret-Sharing Schemes |

PPT | probabilistic polynomial-time |

BDHE | Bilinear Diffie-Hellman Exponent |

## References

1. Yun, A.; Shi, C.; Kim, Y. On protecting integrity and confidentiality of cryptographic file system for outsourced storage. In Proceedings of the ACM Conference on Computer and Communications Security, Chicago, IL, USA, 9–13 November 2009; pp. 67–75.
2. Bowers, K.D.; Juels, A.; Oprea, A. HAIL: A high-availability and integrity layer for cloud storage. In Proceedings of the ACM Conference on Computer and Communications Security, Chicago, IL, USA, 9–13 November 2009; pp. 187–198.
3. Wang, L.; Hayashi, T.; Kanamori, S.; Waseda, A.; Nojima, R.; Moriai, S. PRINCESS: A secure cloud file storage system for managing data with hierarchical levels of sensitivity. In Proceedings of the ACM Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 1684–1686.
4. Tang, H.; Wu, J.; Cui, Y.; Weng, J.; Guan, C.; Ren, K. Enabling ciphertext deduplication for secure cloud storage and access control. In Proceedings of the 11th ACM Asia Conference on Computer and Communications Security, Xi’an, China, 30 May–3 June 2016; pp. 59–70.
5. Kamara, S.; Lauter, K. Cryptographic cloud storage. Lect. Notes Comput. Sci. **2010**, 6054, 136–149.
6. Ning, J.; Dong, X.; Cao, Z.; Wei, L. Accountable authority ciphertext-policy attribute-based encryption with white-box traceability and public auditing in the cloud. Lect. Notes Comput. Sci. **2015**, 9327, 270–289.
7. Ba, H.; Zhou, H.; Qiao, H.; Wang, Z.; Ren, J. RIM4J: An Architecture for Language-Supported Runtime Measurement against Malicious Bytecode in Cloud Computing. Symmetry **2018**, 10, 253.
8. Sahai, A.; Waters, B. Fuzzy identity-based encryption. Lect. Notes Comput. Sci. **2005**, 3494, 457–473.
9. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, WV, USA, 30 October–3 November 2006; pp. 89–98.
10. Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 20–23 May 2007; pp. 321–334.
11. Liu, Z.; Cao, Z.; Wong, D.S. Blackbox traceable CP-ABE: How to catch people leaking their keys by selling decryption devices on eBay. In Proceedings of the ACM Conference on Computer and Communications Security, Berlin, Germany, 4–8 November 2013; pp. 475–486.
12. Liu, Z.; Cao, Z.; Wong, D.S. Traceable CP-ABE: How to trace decryption devices found in the wild. IEEE Trans. Inf. Forensics Secur. **2015**, 10, 55–68.
13. Ning, J.; Cao, Z.; Dong, X.; Gong, J.; Chen, J. Traceable CP-ABE with short ciphertexts: How to catch people selling decryption devices on ebay efficiently. Lect. Notes Comput. Sci. **2016**, 9879, 551–569.
14. Liu, Z.; Wong, D.S. Traceable CP-ABE on prime order groups: Fully secure and fully collusion-resistant blackbox traceable. Lect. Notes Comput. Sci. **2016**, 9543, 109–124.
15. Qiao, H.; Ren, J.; Wang, Z.; Ba, H.; Zhou, H. Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing. Future Gener. Comput. Syst. **2018**, 88, 107–116.
16. Shoup, V. Lower bounds for discrete logarithms and related problems. Lect. Notes Comput. Sci. **1997**, 1233, 256–266.
17. Jiang, Y.; Susilo, W.; Mu, Y.; Guo, F. Flexible ciphertext-policy attribute-based encryption supporting AND-gate and threshold with short ciphertexts. Int. J. Inf. Secur. **2018**, 17, 463–475.
18. Cui, H.; Deng, R.H.; Wu, G.; Lai, J. An efficient and expressive ciphertext-policy attribute-based encryption scheme with partially hidden access structures. Lect. Notes Comput. Sci. **2016**, 10005, 19–38.
19. Balu, A.; Kuppusamy, K. An expressive and provably secure Ciphertext-Policy Attribute-Based Encryption. Inf. Sci. **2014**, 276, 354–362.
20. Lai, J.; Deng, R.H.; Li, Y. Fully secure cipertext-policy hiding CP-ABE. Lect. Notes Comput. Sci. **2011**, 6672, 24–39.
21. Wei, J.H.; Liu, W.F.; Hu, X.X. Forward-secure ciphertext-policy attribute-based encryption scheme. J. Commun. **2014**, 35, 38–45.
22. Li, Q.; Ma, J.; Li, R.; Xiong, J.; Liu, X. Provably secure unbounded multi-authority ciphertext-policy attribute-based encryption. Secur. Commun. Netw. **2015**, 8, 4098–4109.
23. Liang, X.; Cao, Z.; Lin, H.; Xing, D. Provably secure and efficient bounded ciphertext policy attribute based encryption. In Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS’09, Sydney, Australia, 10–12 March 2009; pp. 343–352.
24. Ibraimi, L.; Tang, Q.; Hartel, P.; Jonker, W. Efficient and provable secure ciphertext-policy attribute-based encryption schemes. Lect. Notes Comput. Sci. **2009**, 5451, 1–12.
25. Doshi, N.; Jinwala, D.C. Fully secure ciphertext policy attribute-based encryption with constant length ciphertext and faster decryption. Secur. Commun. Netw. **2018**, 7, 1988–2002.
26. Emura, K.; Miyaji, A.; Nomura, A.; Omote, K.; Soshi, M. A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. Lect. Notes Comput. Sci. **2009**, 5451, 13–23.
27. Goyal, V.; Jain, A.; Pandey, O.; Sahai, A. Bounded ciphertext policy attribute based encryption. Lect. Notes Comput. Sci. **2008**, 5126, 579–591.
28. Cheung, L.; Newport, C. Provably secure ciphertext policy ABE. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, WV, USA, 29 October–2 November 2007; pp. 456–465.
29. Lewko, A.; Waters, B. New proof methods for attribute-based encryption: Achieving full security through selective techniques. Lect. Notes Comput. Sci. **2012**, 7417, 180–198.
30. Waters, B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Lect. Notes Comput. Sci. **2011**, 6571, 53–70.
31. Li, J.; Ren, K.; Kim, K. A2BE: Accountable Attribute-Based Encryption for Abuse Free Access Control. Iacr Cryptol. Eprint Arch. **2009**, 2009, 118.
32. Zhou, J.; Cao, Z.; Dong, X.; Lin, X. TR-MABE: White-box traceable and revocable multi-authority attribute-based encryption and its applications to multi-level privacy-preserving e-healthcare cloud computing systems. In Proceedings of the 2015 IEEE Conference on Computer Communications (INFOCOM), Hong Kong, China, 26 April–1 May 2015; Volume 26, pp. 2398–2406.
33. Zhang, K.; Li, H.; Ma, J.; Liu, X. Efficient large-universe multi-authority ciphertext-policy attribute-based encryption with white-box traceability. Sci. China Inf. Sci. **2018**, 61, 32102.
34. Ning, J.; Dong, X.; Cao, Z.; Wei, L.; Lin, X. White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes. IEEE Trans. Inf. Forensics Secur. **2015**, 10, 1274–1288.
35. Ning, J.; Cao, Z.; Dong, X.; Wei, L.; Lin, X. Large universe ciphertext-policy attribute-based encryption with white-box traceability. Lect. Notes Comput. Sci. **2014**, 8713, 55–72.
36. Liu, Z.; Cao, Z.; Wong, D.S. White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures. IEEE Trans. Inf. Forensics Secur. **2013**, 8, 76–88.
37. Boneh, D.; Waters, B. A fully collusion resistant broadcast, trace, and revoke system. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, WV, USA, 30 October–3 November 2006; pp. 211–220.
38. Liu, Z.; Wong, D.S. Practical attribute-based encryption: Traitor tracing, revocation and large universe. Comput. J. **2016**, 59, 983–1004.
39. Lewko, A. Tools for simulating features of composite order bilinear groups in the prime order setting. Lect. Notes Comput. Sci. **2012**, 7237, 318–335.
40. Beimel, A. Secure Schemes for Secret Sharing and Key Distribution. Ph.D. Thesis, Israel Institute of Technology, Haifa, Israel, 1996.
41. Barker, E.B.; Barker, W.C.; Burr, W.E.; Smid, M.E. Recommendation for Key Management—Part 1; Special Publication 800-57; National Institute of Standards & Technology: Gaithersburg, MD, USA, 2007.
42. Freeman, D.M. Converting pairing-based cryptosystems from composite-order groups to prime-order groups. Lect. Notes Comput. Sci. **2010**, 6110, 44–61.
43. De Caro, A.; Iovino, V. jPBC: Java pairing based cryptography. In Proceedings of the 16th IEEE Symposium on Computers and Communications (ISCC 2011), Kerkyra, Greece, 28 June–1 July 2011; pp. 850–855.

Table 1

Scheme | Ciphertext Size | Private Key Size | Enc Cost | Dec Cost | Scalability | Order of Groups |
---|---|---|---|---|---|---|
[11] | $2m+17\sqrt{N}$ | $\lvert S\rvert +4$ | $3m+22\sqrt{N}$ | $2\lvert I\rvert +10$ | × | Composite |
[13] | $2m+5$ | $\lvert S\rvert +6+O(N)$ | $3m+5$ | $2\lvert I\rvert +6$ | × | Composite |
[14] | $6m+46\sqrt{N}+2$ | $6\lvert S\rvert +12$ | $6m+61\sqrt{N}+3$ | $6\lvert I\rvert +30$ | × | Prime |
[15] | $4m+2$ | $4\lvert S\rvert +1$ | $5m+2$ | $4\lvert I\rvert +1$ | √ | Prime |
This work | $5m+2$ | $4\lvert S\rvert +1$ | $7m+2$ | $5\lvert I\rvert +1$ | √ | Prime |

Table 2

Scheme | Assumptions | Type of Security | Traceability |
---|---|---|---|
[30] | Decisional q-parallel BDHE Assumption | selective CPA secure | no |
[11] | Assumption 1 in [29], General Subgroup Decision Assumption, 3-Party Diffie-Hellman Assumption, q-Parallel BDHE Assumption | CPA secure | black-box |
[14] | Decisional Linear Assumption, Decisional 3-Party Diffie-Hellman Assumption, q-Parallel BDHE Assumption | CPA secure | black-box |
[15] | Generic Group | CPA secure | black-box |
This work | Decisional q-parallel BDHE Assumption | selective CPA secure | black-box |

a | $\beta $ | ${c}_{x}$ | ${d}_{x}$ | $(\alpha +a{r}^{(k)})/\beta $ |

${r}^{(k)}+{d}_{j}{r}_{j}^{(k)}$ | ${r}_{j}^{(k)}$ | ${c}_{j}{r}^{(k)}$ | ${c}_{j}{r}_{j}^{(k)}$ | $\beta s$ |

$a{u}_{i}+{c}_{\rho (i)}{z}_{i}$ | $a{u}_{i}{d}_{\rho (i)}+{c}_{\rho (i)}{t}_{i}$ | ${z}_{i}$ | ${d}_{\rho (i)}{z}_{i}$ | ${t}_{i}$ |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Qiao, H.; Ba, H.; Zhou, H.; Wang, Z.; Ren, J.; Hu, Y.
Practical, Provably Secure, and Black-Box Traceable CP-ABE for Cryptographic Cloud Storage. *Symmetry* **2018**, *10*, 482.
https://doi.org/10.3390/sym10100482
