Black Box Traceable Ciphertext Policy Attribute-based Encryption Scheme

In existing attribute-based encryption (ABE) schemes, the authority (i.e., the private key generator (PKG)) is able to compute and issue any user's private key, so it must be completely trusted, which severely limits the applications of ABE. To mitigate this problem, we propose a black box traceable ciphertext policy attribute-based encryption (T-CP-ABE) scheme in which a PKG that redistributes users' private keys for malicious purposes can be caught and sued. We provide a construction realizing the T-CP-ABE scheme in the black box model. Our scheme is based on the decisional bilinear Diffie-Hellman (DBDH) assumption in the standard model. In our scheme, a user is identified by a pair (ID, S), where ID denotes the user's identity and S denotes the attribute set associated with her.


Introduction
With the advent of cloud computing, more and more data and computation are migrated to the cloud. Storing data in the cloud has the following advantages: individuals can store their data reliably and access it easily and conveniently, and organizations can save costs. However, when data are stored remotely, acute security and privacy concerns arise: sensitive data, such as financial and medical records, are out of the owners' control and may be accessed by untrusted parties. A traditional public key cryptosystem cannot protect such data well, because of the following drawbacks: (1) it only provides coarse-grained access to encrypted data, which can be decrypted only by a single secret key; (2) access to the encrypted data is all or nothing: one either decrypts the whole ciphertext or learns nothing about the plaintext except its length. In a cloud computing system, the data owner may want to share data with groups of data consumers based on their attributes or credentials, so that only the consumers whose attributes satisfy the access policy can decrypt. Traditional public key cryptosystems cannot address these requirements [1,2].
To address these problems, Sahai et al. [3] first presented the attribute-based encryption (ABE) scheme, which enforces fine-grained access control over ciphertexts. In their scheme, a ciphertext and a private key are each associated with a descriptive attribute set, and decryption succeeds if and only if the two sets overlap in at least d attributes. Their scheme is suitable for error-tolerant encryption. One drawback, however, is that this construction only handles formulae comprising a single threshold gate. To enhance expressiveness, Goyal et al. [4] presented the key policy attribute-based encryption (KP-ABE) scheme, in which ciphertexts are associated with attribute sets and private keys are associated with access structures. While they also proposed the CP-ABE notion, they did not implement it. Bethencourt et al. [5] first implemented a CP-ABE scheme, in which private keys are identified by attribute sets and ciphertexts are associated with access structures; a ciphertext is decrypted by a private key iff the access structure is satisfied by the attribute set. However, their security proof is in the generic group model. Towards CP-ABE schemes in the standard model, Cheung et al. [6] presented a CP-ABE scheme under policies consisting of a single AND gate. Their scheme requires the number of system attributes to be fixed at setup, and its access structures only support an AND gate; these two drawbacks make it less expressive. To enhance expressiveness, Goyal et al. [7] proposed the bounded CP-ABE scheme, but its encryption and decryption costs blow up greatly, which limits its practical application. Lewko et al. [8] presented a CP-ABE scheme that is expressive and adaptively secure; however, it is built over a composite order bilinear group, which incurs an efficiency loss, and it relies on a non-standard strong assumption. Waters [9] proposed an expressive, efficient and provably secure CP-ABE scheme in the standard model that achieves the same performance and functionality as the scheme of [5]. Researchers have since applied CP-ABE schemes to cloud storage systems, social networks, etc.
In a CP-ABE scheme, a user cannot generate the private key for her attributes herself. Hence, there is a trusted party, the authority, i.e., the private key generator (PKG), which sets up the system. To obtain a private key, a user with some attributes approaches the PKG, proves to it that she is entitled to these attributes, and receives from it the private key associated with them. Since the authority holds the master secret of the scheme, it can compute the private key for any attribute set of any user and can therefore decrypt any ciphertext encrypted to any user; it must be absolutely trusted. If the authority engages in malicious activities, it cannot be caught and sued. Thus, the trust placed in the authority of a CP-ABE scheme should be reduced.
That is to say, the key escrow problem still exists in CP-ABE schemes. Because of this inherent key escrow problem, CP-ABE is restricted to small, closed groups in which a central trusted authority exists. If the problem is not solved well, it will hinder the adoption of CP-ABE.
Our contributions: We formalize the notion of a black box traceable ciphertext policy attribute-based encryption scheme and propose a construction. The construction builds on the CP-ABE scheme of [9], to which we add a secure private key generation protocol. A new security proof shows that this scheme is a traceable CP-ABE (T-CP-ABE) scheme that handles black box decoders. In this T-CP-ABE scheme, the authority may query decryption oracles, and a judge decides whether the decoder box was created by a malicious authority or by malicious users.
Organization: The remainder of our paper is organized as follows. Preliminaries are presented in Section 2. The scheme definition and the definition of the security games are presented in Section 3. The scheme construction is presented in Section 4. Security is proven in Section 5. Related work is discussed in Section 6. We conclude and specify future work in Section 7.

Bilinear Map
Let G and G_T be two cyclic groups of prime order p, and let g, u be generators of G. A bilinear map e : G × G → G_T has the following properties. Bilinearity: for any a, b ∈ Z_p, $e(g^a, u^b) = e(g, u)^{ab}$. Non-degeneracy: $e(g, g) \neq 1_{G_T}$, i.e., e(g, g) is a generator of G_T. If the group operations in G and the bilinear map e are efficiently computable, then G is a bilinear group. Our scheme employs a symmetric bilinear map, so that $e(g^a, u^b) = e(g, u)^{ab} = e(g^b, u^a)$.

Access Structure
Let S be the universe of attributes. An access structure [10] on S is a collection A of non-empty subsets of attributes, i.e., A ⊆ 2^S \ {∅}. The sets in A are called authorized attribute sets and the sets not in A unauthorized attribute sets. An access structure is monotone if for all B, C: if B ∈ A and B ⊆ C, then C ∈ A. In this scheme, only monotone access structures are handled.

Linear Secret Sharing Scheme
A secret sharing scheme Π over the attribute set [10] is called linear over Z_p if: 1. The shares of a secret for each attribute form a vector over Z_p. 2. There is a share-generating matrix M with h rows and c columns for Π. For i = 1, ..., h, the function ϕ maps the i-th row of M to the attribute ϕ(i) that labels it. Given the column vector $\vec{v} = (s, x_2, \dots, x_c)^T$, where s ∈ Z_p is the secret to be shared and x_2, ..., x_c ∈ Z_p are picked uniformly at random, $M\vec{v}$ is the vector of h shares of s according to Π, and the share $(M\vec{v})_i$ belongs to the attribute ϕ(i).
Linear reconstruction: let S ∈ A be any authorized attribute set, and let I = {i ∈ {1, ..., h} : ϕ(i) ∈ S}. Then there exist constants {η_i ∈ Z_p}_{i∈I} such that, if {s_i}_{i∈I} are valid shares of a secret s according to Π, then $\sum_{i \in I} \eta_i s_i = s$.

Fully Simulatable k-out-of-N Oblivious Transfer
A k-out-of-N oblivious transfer protocol lets a receiver pick and obtain exactly k of the N messages held by the sender, such that the remaining N − k messages stay hidden from the receiver and the receiver's choices stay hidden from the sender. We employ the fully-simulatable oblivious transfer of [11], whose security is defined in the real/ideal world model.

Ciphertext Policy Attribute-Based Encryption
Waters [9] proposed a ciphertext policy attribute-based encryption (CP-ABE) scheme that is expressive, efficient and provably secure. In this scheme, ciphertexts are associated with access structures and private keys are associated with attribute sets, and security is proven under the DBDH assumption in the standard model. Our scheme partly builds on this scheme.

Our Scheme Definition

Definition 1. A traceable ciphertext policy attribute-based encryption (T-CP-ABE) scheme comprises five components.
Setup(1^κ) → (MSK, PP): The Setup algorithm takes in a security parameter κ and returns a master secret key MSK and public parameters PP.
PriKeyGen(PP, MSK, ID, S) (→) K_{ID,S}: This is an interactive private key generation protocol between the Authority and a user U. It takes in PP, MSK, the identity ID, which is used to trace a key back to its owner, and an attribute set S belonging to U; during the protocol the Authority engages in an oblivious transfer with U. At the end, U receives a private key K_{ID,S} for her ID and her attribute set S. The notation (→) denotes that the Authority may not know exactly which key the user has received.
Encrypt(PP, ID, A, m) → CT_{ID,A}: The Encrypt algorithm takes in the public parameters PP, an identity ID, an access structure A and a message m, and returns a ciphertext CT_{ID,A}.
Decrypt(PP, CT_{ID,A}, K_{ID,S}) → m: The Decrypt algorithm takes in the public parameters PP, a ciphertext CT_{ID,A} and a private key K_{ID,S}. It returns the plaintext m if the identity of the private key matches that of the ciphertext and the attribute set S satisfies the access structure A; otherwise it returns the error symbol ⊥.
Trace^D(PP, ID, K_{ID,S}, ε) → {User, Authority}: The Trace algorithm takes in the public parameters PP, an identity ID, a well-formed private key K_{ID,S} and a parameter ε, has black box access to an ε-useful decoder box D, and outputs User or Authority.
The tracing algorithm allows an honest user to present her private key and a captured decoder box to a judge in order to incriminate a misbehaving Authority; at the same time, it prevents a dishonest user from falsely claiming that the Authority created the decoder box.
Query Phase 1: The attacker A runs the interactive PriKeyGen protocol with the challenger for adaptively-picked identities ID_i and attribute sets S_i, i ∈ {1, ..., q}, and receives the corresponding private keys K_{ID_i,S_i}. Challenge: A submits two plaintext messages m_0 and m_1 of equal length, a challenge identity ID* and a challenge access structure A*, subject to the restriction that ID* equals none of the identities queried in Query Phase 1 and A* is satisfied by none of the attribute sets S_i, i ∈ {1, ..., q}. The challenger flips a fair binary coin β ∈ {0, 1} and encrypts m_β under ID* and A*; the resulting ciphertext CT* = Encrypt(PP, ID*, A*, m_β) is passed to A. Query Phase 2: Phase 1 is repeated under the same restriction: ID* equals none of the queried identities ID_i, and A* is satisfied by none of the attribute sets S_i, i ∈ {q + 1, ..., Q}, where Q is the total number of queries made by the attacker. Guess: A outputs a guess β' ∈ {0, 1} of β and wins if β' = β. Definition 4. The proposed scheme is secure against chosen plaintext attacks (CPA) if no probabilistic polynomial-time adversary has a non-negligible advantage in the above game, where the advantage is defined as Adv_A = |Pr[β' = β] − 1/2|.

Definition of Security
The above game can be extended to security against chosen ciphertext attacks by allowing decryption oracle queries in Phase 1 and Phase 2 (with the usual restriction that the challenge ciphertext itself is not queried). Such a game is called the IND-ID-CCA security game. Definition 5. (Dishonest User Security Game) In this game, dishonest users ID_i, i ∈ {1, ..., Q}, collude to create a decoder box that frames the Authority. The challenger and the attacker have the following common inputs: the security parameter κ and a parameter ε = 1/poly(κ). A T-CP-ABE scheme is Dishonest User secure if no PPT attacker A has a non-negligible advantage in the following game: Init: The attacker A commits to a challenge identity ID* to the challenger. Setup: The challenger runs the Setup algorithm, which generates MSK and PP, and gives PP to the attacker A.
Private Key Generation Queries: The attacker A runs the interactive PriKeyGen protocol with the challenger for adaptively-picked identities ID_i and attribute sets S_i, i ∈ {1, ..., Q}, and receives the corresponding private keys K_{ID_i,S_i}. Create Decoder Box: The attacker A submits a private key K_{ID*,S} and a decoder box D for the challenge identity ID* declared in the Init phase.
Tracing Failure: The tracing algorithm falsely incriminates the Authority, i.e., Trace^D(PP, ID*, K_{ID*,S}, ε) = Authority, and the decoder box D is ε-useful for ID*, i.e., Pr[D(Encrypt(PP, ID*, A, m)) = m] > ε. If both conditions hold, the attacker A wins this game. Definition 6. (Dishonest Authority Security Game) In this game, a malicious Authority tries to create a decoder box that frames the user. The challenger and the attacker (the Authority) have the following common inputs: the security parameter κ and a parameter ε = 1/poly(κ). A traceable CP-ABE scheme is Dishonest Authority secure if no PPT attacker A has a non-negligible advantage in the following game: Setup: The challenger is given an identity ID and public parameters PP generated by the attacker A (acting as a malicious Authority), checks whether ID and PP are well formed, and aborts if these checks fail. PriKeyGen: The attacker A and the challenger run the private key generation protocol for the identity ID and the attribute set S. If no party aborts, the challenger obtains the private key K_{ID,S} as output. Decryption Queries: The attacker A adaptively submits ciphertexts CT_1, ..., CT_Q to the challenger, which responds with their decryptions under K_{ID,S}. Create Decoder Box: The attacker A outputs a decoder box D. Tracing Failure: The tracing algorithm falsely incriminates the User, i.e., Trace^D(PP, ID, K_{ID,S}, ε) = User, and the decoder box D is ε-useful for ID, i.e., Pr[D(Encrypt(PP, ID, A, m)) = m] > ε. If both conditions hold, the attacker A wins this game.

Scheme Construction
A ciphertext has the structure (ID, A_1, ..., A_Z), where ID is the identity of the intended user and the A_z (1 ≤ z ≤ Z) are monotone access structures, one per parallel repetition; Z is a positive integer. A private key has the structure (ID, S_1, ..., S_Z), where each S_z (1 ≤ z ≤ Z) comprises k out of N attributes. A ciphertext can be decrypted by a user U iff (the ID of the private key matches that of the ciphertext) AND (S_1 satisfies the monotone access structure A_1) AND ... AND (S_Z satisfies the monotone access structure A_Z). Let L be the bit length of the identity string ID ∈ Z_p, N the global security parameter, Z super-logarithmic in N, C_max the maximum number of columns of the matrix M, and ID_j the j-th bit of the identity.
Setup: For each j ∈ [L], pick two random elements ω_{j,0} and ω_{j,1} from Z_p such that these 2L values are all distinct. For each c ∈ [C_max], j ∈ [N] and z ∈ [Z], pick t_{c,j,z} uniformly at random from Z_p. Pick µ, θ ∈ Z_p uniformly at random. The public parameters are: The master secret key is MSK = ({ω_{j,z} : j
PriKeyGen: This protocol lets a user U obliviously pick the attributes she needs, running a k-out-of-N oblivious transfer in each repetition. The same index in different repetitions corresponds to distinct attributes, and distinct attributes correspond to distinct elements of Z_p. The repetitions are conducted in parallel and are treated as individual components of the private key.
The private key generation protocol between the Authority and a user U proceeds as follows: Step 1. The user aborts if the W_{j,z} and T_{c,j,z} are not all distinct.
Step 3. The Authority picks L elements ν_1, ..., ν_L ∈ Z_p uniformly at random with the restriction that Step 4. The Authority picks r_{c,z}, µ_z ∈ Z_p, c ∈ [C_max], z ∈ [Z], uniformly at random with the restriction that Step 5. The Authority computes the private key components $K_j = g^{\nu_j / \omega_{j,ID_j}}$ for each j ∈ [L] and sends them to the user U.
Step 6. The Authority picks permutations P = (P_1, ..., P_Z) ∈ (S_N)^Z at random. Step 7. The Authority and the user U run Z executions of a k-out-of-N oblivious transfer protocol, with the Authority as sender and U as receiver. In the z-th execution, the private input of the Authority is the private key components {K_{P_z(j),z}}_{j=1}^{N}, and the private input of U is a set S_z of k attributes picked at random. The private output of U is the private key components {(P_z(j), K_{P_z(j),z})}_{j∈S_z}. Step 8. The Authority sends the permutation list P to U. U checks that the private key components she obtained are the ones indicated by P; if not, she aborts.
Step 9. The user U assembles the private key K_{ID,S} from the received components and runs the Key Validity Check on it. If the check fails, U aborts.

Key Validity Check: For a given private key K_{ID,S} for the identity ID and attribute set S, a deterministic algorithm Key Validity Check decides whether the key is well formed, as follows: Step 1.
Encrypt: The encryption algorithm takes in PP, a message m ∈ G_T and LSSS access structures (M_z, ϕ_z), z ∈ [Z], where ϕ_z is an injective function associating the rows of M_z with attributes.
Let M_z be an h × C_max matrix. The algorithm picks, for each z, a random vector $\vec{v}_z = (v_{1,z}, \dots, v_{C_{max},z})$ with $v_{1,z} = s$, used to share the encryption exponent s ∈ Z_p. The ciphertext CT_{ID,A} is constructed as follows:
Ciphertext Validity Check: To check whether a ciphertext CT_{ID,A} is well formed, a deterministic Ciphertext Validity Check algorithm is defined as follows. If the attribute sets S_z of the private key satisfy the access structures A_z of the ciphertext, then there exist coefficients {η_{i,z}} such that $\sum_{\phi(i) \in S_z} \eta_{i,z} M_{i,z} = (1, 0, \dots, 0)$, where M_{i,z} is the i-th row vector of the access matrix M_z. Check whether $e(E_j, W_{1,ID_1}) = e(W_{j,ID_j}, E_1)$ holds for all j ∈ [L], and whether $\prod_{\phi(i) \in S_z} e(E_{i,c,z}, g)^{\eta_{i,z}} = e(g^{\theta}, E_{b,z}) \cdot \prod_{\phi(i) \in S_z} e(T^{-1}_{c,j,z}, E_{b,z})^{\eta_{i,z}}$ holds for j ∈ S_z, z ∈ [Z]. If any check fails, the algorithm fails and returns ⊥. Otherwise the ciphertext validity check passes, and the user U sets CT'_{ID,A} = CT_{ID,A}.
Decrypt: The Decrypt algorithm takes in the public parameters PP, the well-formed ciphertext CT_{ID,A} and the private key K_{ID,S}. If the identity of the private key matches that of the ciphertext and the attribute sets S_z of the private key satisfy the access structures A_z of the ciphertext, then there exist coefficients {η_{i,z}} as above, and the ciphertext is decrypted to recover the message m as follows (the leading terms of the first expression are missing from the source):
$$
\begin{aligned}
&\cdots e\Big(g^{r_{c,z}}, \prod_{\phi(i) \in S_z} g^{\theta M_{i,c,z} v_{c,z}}\Big)^{\eta_{i,z}} \Big\} \\
&= m \cdot e(g,g)^{\mu s} \Big/ \Big( e(g,g)^{\mu_0 s} \prod_{z \in [Z]} \Big\{ e(E_{b,z}, K_{b,z}) \Big/ e\Big(g^{r_{1,z}}, \prod_{\phi(i) \in S_z} g^{\theta M_{i,1,z} v_{1,z}}\Big)^{\eta_{i,z}} \Big\} \Big) \\
&= m \cdot e(g,g)^{\mu s} \Big/ \Big( e(g,g)^{\mu_0 s} \prod_{z \in [Z]} \Big\{ e(g^{s}, g^{\mu_z} g^{\theta r_{1,z}}) \Big/ e(g^{r_{1,z}}, g^{\theta s}) \Big\} \Big) \\
&= m \cdot e(g,g)^{\mu s} \Big/ \Big( e(g,g)^{\mu_0 s} \, e(g,g)^{(\mu_1 + \cdots + \mu_Z) s} \Big) \\
&= m \cdot e(g,g)^{\mu s} / e(g,g)^{\mu s} = m .
\end{aligned}
$$
Trace: The tracing algorithm first runs the Key Validity Check to confirm that the submitted private key is well formed. It then repeats the following experiment poly(κ) times: pick access structures A_z such that the attribute sets S_z of the submitted key do not satisfy them; pick a message m at random and encrypt it under ID and these access structures; the decoder box returns some message m' = D(CT_{ID,A}). If m' = m in any iteration, incriminate the Authority; otherwise incriminate the user U.
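As an added example (not code from the paper, whose scheme is built on pairings), the following Python models only the LSSS layer of Section 2 and the Trace experiment of this section over Z_p. The access matrix M and labelling ϕ are built from an AND/OR formula with the Lewko-Waters conversion (an assumed construction; the paper takes M as given), the reconstruction constants η_i are found by solving Σ η_i M_i = (1, 0, ..., 0) mod p, and a "ciphertext" is just the shares of the masking exponent s next to m + s. The prime p, the attribute names and the policies are constructed sample inputs. This is not a secure encryption scheme; it shows why a decoder box that recovers m from ciphertexts whose access structures the user's own attribute set S cannot satisfy must contain key material beyond hers, which is exactly the Trace decision rule.

```python
"""Toy model of the LSSS layer (Section 2) and the Trace experiment (Section 4).
Added example, not code from the paper.  No bilinear map: a "ciphertext" carries
the LSSS shares of the masking exponent s in the clear and a "key" is just the
attribute set, so this is NOT a secure scheme; it only shows how M, phi and the
eta_i work and why a box that decrypts what the user's key cannot must hold
key material she was never issued."""
import secrets

P = 2**127 - 1  # prime order of Z_p (assumption: the paper leaves p abstract)

def lsss_from_formula(formula):
    """Rows (phi(i), M_i) from an AND/OR formula, Lewko-Waters conversion (our
    choice; the paper takes M and phi as given).  formula: attribute string or
    ("AND"|"OR", left, right); an attribute used once keeps phi injective."""
    rows, counter = [], [1]
    def walk(node, vec):
        if isinstance(node, str):            # leaf: one row labelled phi(i) = node
            rows.append((node, list(vec)))
        elif node[0] == "OR":                # both children inherit the label
            walk(node[1], vec)
            walk(node[2], vec)
        else:                                # AND: split into (v|1) and (0..0|-1)
            c, counter[0] = counter[0], counter[0] + 1
            walk(node[1], list(vec) + [0] * (c - len(vec)) + [1])
            walk(node[2], [0] * c + [P - 1])
    walk(formula, [1])
    n = counter[0]                           # number of columns of M
    return [(attr, vec + [0] * (n - len(vec))) for attr, vec in rows]

def solve_mod_p(A, b):
    """Gaussian elimination over Z_p for A x = b; None if inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[x % P for x in row] + [bi % P] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [(x * inv) % P for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][n] for i in range(r, m)):
        return None                          # e.g. (1,0,..,0) not in the row span
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x

def reconstruction_coeffs(M, attrs):
    """{eta_i} with sum_i eta_i*M_i = (1,0,...,0) over rows with phi(i) in attrs,
    or None when attrs is not an authorised set."""
    I = [i for i, (a, _) in enumerate(M) if a in attrs]
    if not I:
        return None
    n = len(M[0][1])
    A = [[M[i][1][c] for i in I] for c in range(n)]   # n x |I|, columns are M_i
    sol = solve_mod_p(A, [1] + [0] * (n - 1))
    return None if sol is None else dict(zip(I, sol))

def share(M, s):
    """Shares M*v for v = (s, x_2, ..., x_n)^T with x_j random; keyed by row i."""
    n = len(M[0][1])
    v = [s % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return {i: sum(Mi[c] * v[c] for c in range(n)) % P for i, (_, Mi) in enumerate(M)}

def reconstruct(M, shares, attrs):
    coeffs = reconstruction_coeffs(M, attrs)
    return None if coeffs is None else sum(eta * shares[i] for i, eta in coeffs.items()) % P

def encrypt(policy, m):
    """Toy: mask m with a fresh s and attach the LSSS shares of s."""
    M, s = lsss_from_formula(policy), secrets.randbelow(P)
    return {"M": M, "shares": share(M, s), "c": (m + s) % P}

def make_decoder(attrs):
    """A decoder box built from a key for attribute set attrs."""
    def decode(ct):
        s = reconstruct(ct["M"], ct["shares"], attrs)
        return None if s is None else (ct["c"] - s) % P
    return decode

def trace(decoder, user_attrs, universe, trials=32):
    """Trace: encrypt random messages under policies the user's own key cannot
    satisfy; a box that still decrypts one holds key material she was never
    issued -> "Authority", otherwise her key alone explains the box -> "User"."""
    outside = [a for a in universe if a not in user_attrs]
    for _ in range(trials):
        # the policy demands an attribute the user lacks, so S does not satisfy A
        policy = ("AND", secrets.choice(outside), secrets.choice(universe))
        assert reconstruction_coeffs(lsss_from_formula(policy), user_attrs) is None
        m = secrets.randbelow(P)
        if decoder(encrypt(policy, m)) == m:
            return "Authority"
    return "User"

if __name__ == "__main__":
    universe = ["doctor", "nurse", "oncology", "admin"]   # constructed sample
    print(trace(make_decoder({"doctor", "oncology"}), {"doctor", "oncology"}, universe))  # User
    print(trace(make_decoder(set(universe)), {"doctor", "oncology"}, universe))           # Authority
```

The honest box is built from the user's own key, so every trial policy is unsatisfiable for it and Trace returns User; the Authority's box holds keys for the whole universe, decrypts the first trial and is incriminated. In the real scheme the same rule applies to ciphertexts that pass the Ciphertext Validity Check, with the pairing layer replacing the cleartext shares.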

Security Proofs
The security of the scheme is proven as follows. Proof of Theorem 1. The theorem reduces trivially to the IND-ID-CCA security of [9] and [12]: an attacker breaking the IND-ID-CCA security of our scheme yields an attacker breaking the IND-ID-CCA security of Naccache's scheme [12] or of Waters's scheme [9]. A message m is secret-shared as m = m_1 ⊕ m_2, where m_1 is picked uniformly at random and encrypted with the CP-ABE scheme [9] and m_2 is encrypted with Naccache's IBE scheme [12]; this yields the T-CP-ABE scheme under the DBDH assumption.
Theorem 2. Provided that the k-out-of-N oblivious transfer is secure under the real/ideal world security definition, the advantage of any attacker in the Dishonest Authority Security Game against the T-CP-ABE scheme is negligible.
Proof. The scheme comprises Z attribute sets in parallel and employs fully-simulatable oblivious transfer in the private key generation phase, so the Authority does not learn which key components the user received. Because every key passes the Key Validity Check and every ciphertext passes the Ciphertext Validity Check, a well-formed ciphertext decrypts to the same value under every private key whose attributes satisfy its access structures, and the Authority, which has black box access to the decoder box D, can decrypt to that same value; hence the scheme can incriminate the Authority.
Let D be an ε-useful decoder box, where ε is non-negligible. Perform the following experiment: pick access structures A_z such that the attribute sets S_z do not satisfy them; pick a message m at random and encrypt it under these access structures, obtaining the ciphertext CT_{ID,A}.
The decoder box returns m' = D(CT_{ID,A}).
Output Authority if m' = m.
Theorem 3. The advantage of any attacker in the Dishonest User Security Game against the T-CP-ABE scheme is negligible under the DBDH assumption.
Proof. Adapting the security proof of [9], the selective-ID Dishonest User Security Game reduces to the decisional bilinear Diffie-Hellman (DBDH) assumption.

Related Work
To reduce the trust placed in the PKG, Boneh et al. [13] proposed distributing the PKG among multiple parties using threshold cryptography; however, this requires extra infrastructure and communication. Without employing multiple PKGs, the known mitigations are as follows. Goyal [14] presented a traceable identity based encryption (IBE) scheme. Towards black box security, Libert et al. [15] presented an IBE scheme that is weakly black box traceable with short ciphertexts and private keys, and Goyal et al. [16] proposed a black box traceable IBE scheme; both schemes are selectively secure. To strengthen security, Libert et al. [15] proposed a fully-secure traceable IBE scheme. Since ABE schemes generalize IBE schemes, they inherit the key escrow problem from IBE. Some traceable CP-ABE schemes [17] have been proposed to handle this problem, but their access structures only support an AND gate, which makes them less expressive. To enhance expressiveness, Liu et al. [18] presented a T-CP-ABE scheme supporting monotone access structures, achieving traceability and high expressiveness at the same time; however, it only achieves white box traceability. Furthermore, since it builds on the scheme of Lewko et al. [8], which uses composite order groups (incurring an efficiency loss) and relies on a non-standard assumption, the scheme of Liu et al. [18] inherits the same drawbacks.

Conclusions and Future Work
We presented a traceable ciphertext policy attribute-based encryption scheme that handles black box decoders. Security is proven in the IND-ID-CCA security game, the Dishonest User Security Game and the Dishonest Authority Security Game. Here we only investigate accountability for an attribute-based encryption scheme that is payload hiding but not attribute hiding. In future work, we will design a traceable predicate encryption scheme that catches a malicious authority. Furthermore, the key escrow problem also exists in lattice-based attribute-based encryption schemes, which resist quantum cryptanalysis; to the best of our knowledge it remains open there, and we will address it in future work.

Definition 2. (ε-Useful Decoder Box) A PPT algorithm D is an ε-useful decoder box for the identity ID, where ε is non-negligible, if Pr[D(Encrypt(PP, ID, A, m)) = m] > ε.

A secure black box traceable ciphertext policy attribute-based encryption (T-CP-ABE) scheme must meet three requirements: (1) it satisfies IND-ID-CCA security; (2) if the Authority created a decoder box D, the tracing algorithm incriminates the Authority; (3) if colluding users created the decoder box D, it incriminates those users. We capture these security conditions in the following three games. Definition 3. (IND-ID-Chosen Plaintext Attacks (CPA) Security Game) A T-CP-ABE scheme is IND-ID-CPA secure if no PPT attacker A has a non-negligible advantage in this game: Setup: The challenger runs the Setup algorithm, which generates MSK and PP, and gives PP to the attacker A.

Definition 7. A black box T-CP-ABE scheme is secure if no PPT attacker A has a non-negligible advantage in κ in the IND-ID-CCA security game, the Dishonest User Security Game and the Dishonest Authority Security Game.

Theorem 1. The advantage of any attacker in the IND-ID-CCA security game against the T-CP-ABE scheme is negligible under the DBDH assumption.
Proof of Theorem 3 (reduction). Init: The attacker A declares a challenge identity ID*. The ideal functionality F of the ideal world in the simulation-based model of oblivious transfer picks the W_{j,z} and the challenge access structures {A_z}_{z∈[Z]}, which are used to obtain the challenge ciphertexts that F sends to the challenger C. Setup: The challenger C sends the public parameters PP to F, which forwards PP to A. Private Key Generation Query: If A requests a private key for an identity ID ≠ ID*, it sends the corresponding user attributes to F, which passes them to C; C outputs a well-formed private key that F returns to A. If ID = ID*, then, since F obtains the private keys, it can pick permutations P_1, ..., P_Z such that the private key received by A cannot decrypt a ciphertext under the previously picked access structures; F queries C for this private key and returns it to A. Create Decoder Box: A submits a private key K_{ID*,S} and a decoder box D. If A wins the Dishonest User Security Game, the decoder box incriminates the Authority. F picks two messages m_0, m_1 at random and sends them to C, which returns a challenge ciphertext CT_{ID*,A} under the previously picked access structures. If K_{ID*,S} could decrypt this ciphertext, so could F, and F would send the right guess to C; otherwise CT_{ID*,A} is a ciphertext that ID* cannot decrypt, and hence, if A wins the Dishonest User Security Game, D decrypts it with non-negligible advantage. Therefore F has a non-negligible advantage in the attribute-based selective-set game against C, contradicting the security of the CP-ABE scheme under the DBDH assumption.