Batch Attribute-Based Encryption for Secure Clouds

: Cloud storage is widely used by organizations due to its advantage of allowing universal access with low cost. Attribute-based encryption (ABE) is a kind of public key encryption suitable for cloud storage. The secret key of each user and the ciphertext are associated with an access policy and an attribute set, respectively; in addition to holding a secret key, one can decrypt a ciphertext only if the associated attributes match the predetermined access policy, which allows one to enforce ﬁne-grained access control on outsourced ﬁles. One issue in existing ABE schemes is that they are designed for the users of a single organization. When one wants to share the data with the users of different organizations, the owner needs to encrypt the messages to the receivers of one organization and then repeats this process for another organization. This situation is deteriorated with more and more mobile devices using cloud services, as the ABE encryption process is time consuming and may exhaust the power supplies of the mobile devices quickly. In this paper, we propose a batch attribute-based encryption (BABE) approach to address this problem in a provably-secure way. With our approach, the data owner can outsource data in batches to the users of different organizations simultaneously. The data owner is allowed to decide the receiving organizations and the attributes required for decryption. Theoretical and experimental analyses show that our approach is more efﬁcient than traditional encryption implementations in computation and communication.


Introduction
In cloud computing, if a file owner would like to share his file with others, he just stores his data on a cloud server, then his friends/colleagues, including himself, can access the data by visiting the server from any place where there is an Internet connection.In this way, cloud storage makes it possible for people to exploit almost unlimited computation, storage space and information services anytime and anywhere without suffering from complicated local maintenance and management.Due to these advantages, cloud computing is becoming an indispensable part of organizations and individuals.
The security concern of the data owner is believed to be the main obstacle for wide adoption of cloud storage.Especially, the user who do not have access right may collude with the server for illegal access.Encryption is a standard way to protect data security.Public encryption is preferable in organization-oriented applications.In this scenario, one organization can have a cloud account associated with a public key, and anyone can securely upload files to this account by encrypting the files under the public key.Only the one who owes the corresponding secret key of the public key can decrypt the encrypted file, which prevents illegal access from the cloud server or other non-authorized ones.However, the traditional public key cryptosystems suffer from complicated key management in this scenario, since it is unknown who will be allowed to access a specific encrypted file when the system is set up or the file is encrypted.Attribute-based encryption (ABE) [1] is the up-to-date cryptographic concept to address this problem.In this case, the encryptor can specify the attributes required for decryption, and the access policy can be made for the secret key of each requestor.A requestor can decrypt a ciphertext only if the labeled attributes meet the access policy associated with the secret key of the requestor.
An issue in deploying ABE is that all known ABE encryption/decryption operations are time and resource consuming.Furthermore, the existing ABE schemes only allow encryption for the receivers of a single organization.Consider a scenario where the scientists from different universities jointly work on a project.In this case, if a scientist wants to share his or her research progress with the scientists of other universities, then he or she needs to encrypt the files to these organizations repetitively.In [2], an approach is proposed to speed up the decryption with the help of a semi-honest third party.However, to the best of our knowledge, no known work in the public literature has been done to speed up the ABE encryption in our motivating scenario.This situation inspires our work in this paper.

Our Contribution
In this paper, we investigate the acceleration of ABE encryption where one encrypts for the requestors of different organizations.Our contributions are summarized as follows.
We propose a batch attribute-based encryption (BABE) framework.In this framework, when the different ABE systems are set up, the users of different systems get their keys from the authority of the corresponding system, and these keys are associated with the access policies of the corresponding organizations.One data owner can simultaneously encrypt his or her data for the receivers from different systems in a batch way.The data owner can freely choose the receiving organizations and define separate attributes for the receivers of different organizations.One can decrypt only if his/her organization has been chosen and his/her attributes meet the access policy for his organization.
Following the BABE framework, we propose a concrete BABE scheme.The security of the scheme is formally proven under a well-established computational assumption.Even if an adversary colludes with the cloud server and all non-authorized users, he or she cannot get any useful information of the encrypted message.We conduct experiments in typical system parameters.The experimental results show that our BABE scheme is more efficient than existing ABE implementations.These features render our BABE an efficient solution to securing one-to-many organization-oriented sensitive data sharing in clouds.

Related Work
Due to its versatility, ABE has attracted extensive research [1, [3][4][5].The ABE concept was introduced by Sahai and Waters [1].There are two types of ABE systems, i.e., ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE).In CP-ABE, the secret key of each user is associated with his/her attributes.When one encrypts for the users of the system, he or she specifies an access policy, which is a collection of attribute sets.Only the user whose attributes match the policy can decrypt.Similarly, in KP-ABE, the secret key of a user is associated with an access policy, and each ciphertext is labeled with a set of attributes.One can decrypt a ciphertext only if the labeled attributes meet the policy associated with the user's secret key.Yu et al. [6] proposed a KP-ABE scheme to achieve flexible access control over outsourced data.
In a regular ABE system, a single authority generates the secrets of all of the users in the system.This incurs the so-called single-point problem, that is all of the parties have to fully trust the single authority, who can read all of the messages encrypted for any users.Furthermore, no new user can join the system if the authority is occasionally unavailable.To mitigate this drawback, the notion of multi-authority ABE (MA-ABE) has been proposed.In this notion, multiple authorities jointly generate the secret keys for the users in the system.No single authority can read the messages encrypted for the users.New users can still be enrolled if some of the authorities are available.An encryptor can choose, for each authority, a number d k and a set of attributes; he or she can then encrypt a message, such that a user can decrypt only if he or she has at least d k of the given attributes from each authority k [7].Chase and Chow improved the MA-ABE in [8] by exchanging a shared secret among the authorities during the system setup process.Their scheme is time consuming and needs heavy communication and computation.Yang et al. [9] designed an access control framework for multi-authority systems and proposed a secure multi-authority access control scheme for cloud storage.Li et al. [10] proposed an MA-ABE scheme for mobile cloud computing by introducing a cloud-based semi-trusted-authority between the mobile user and the attribute authorities.
ABE schemes require time-consuming computations in encryption and decryption, which prevent them from being widely deployed in cloud computing applications for enforcing fine-grained access control.Several works have been proposed to speed up ABE.Attrapadung et al. proposed ABE schemes [11,12] that only need a constant number of bilinear maps in decryption, albeit with the constraint of a bound on the maximum number of attributes.Hohenberger and Waters [2] introduced a method that needs a constant number of bilinear maps in decryption without the bound constraint on the attribute number.In contrast, no public work has been reported to accelerate the encryption process in ABE.
Fiat proposed the first batch signature scheme [13].Since then, a large body of references has focused on the batch verification of signatures [14][15][16][17].It is unclear whether these technologies can be employed to accelerate ABE encryption in our motivating scenario.Still in a single system-oriented setting, multi-receiver encryption and signcryption [18] have been proposed to reduce the encryption complexity.Baek, Safavi-Naini and Susilo proposed an efficient multi-receiver identity-based encryption scheme [19] in multi-cast encryption applications.All of these schemes are considered in a single organization-oriented scenario.A trivial application of these schemes to multiple organizations needs to repeat the basic encryption operation for each organization, which implies growing overheads linear with the number of organizations.In this paper, we propose to encrypt for the different organizations in a batch way and to provide a more efficient solution to the motivating applications.

Paper Organization
The rest of this paper is organized as follows.Section 2 presents a BABE framework and the adversary model.We propose a concrete BABE scheme in Section 3, together with detailed security and efficiency analyses.Section 4 concludes the paper.

The System Framework
We propose a BABE framework for cloud storage, as illustrated in Figure 1.The framework consists of four types of parties: the data owner, the cloud server, the data requestor/consumer and the authority.
The data owner would like to share his or her data with the data requestors managed by different authorities.Each authority generates a secret key for the data requestor in its management domain according to the consumer's attributes (or the corresponding access policies).The data owner encrypts his or her file for the data requestors of different organizations, i.e., the users managed by different authorities, by specifying the intended authorities and the attributes that the data requestors should have in the according authorities' management domains.
Then, the data owner uploads the encrypted data to the cloud storage server.When a data requestor requests for the cloud server, the server responds with the corresponding ciphertext.The requestor can decrypt if the attributes labeled with the ciphertext meet the access policy associated with the secret key of the requestor; else, the requestor should get no useful information of the original data.

Defining BABE
A BABE scheme consists of four polynomial-time algorithms: Setup, Encrypt, KeyGeneration and Decrypt.Let I represent the collection of underlying ABE subsystems indexed from one to |I|.Denote that the i-th underlying ABE subsystem has master public key P K i and master secret key M K i for i ∈ I.The algorithms work as follows.
. This is a randomized algorithm run by an authority AA i .It takes as inputs the security parameter λ and an attribute universe U i , which defines the set of allowed attributes in different underlying ABE subsystems.The authority AA i outputs the public parameters P K i and the mater keys M K i .
Encrypt( P K, M , S)−→ CT .Assume that the data owner wants to share data M i with the data requestors of the systems i ∈ ψ ⊆ I.This is a randomized algorithm that takes as inputs the public parameters vector P K, a message vector M , which contain different messages M i , and a series of attribute sets S, which contains attribute sets S i , i ∈ ψ.It outputs |ψ| ciphertext CT i , i ∈ ψ associated with the attribute sets S i , i ∈ ψ.
Assume that a data requestor belongs to the i-th subsystem.Then, M K i is used to generate the secret key SK.This is a randomized algorithm that takes as inputs the master secret key M K i and an access structure A i and outputs a secret key SK.
The decryption algorithm takes as inputs a secret key SK associated with the access structure A i and a ciphertext CT i associated with attribute set S i .It outputs the message M i if S i satisfies A i or the error message ⊥ otherwise.

The Adversary Model
For sensitive files stored on the cloud, we mainly consider the secrecy of the files.In this scenario, both the cloud server and users may be potential attackers.Specifically, the cloud server (or the staff who manages the cloud server) may be curious and access the private files of the users without being known by the users.Furthermore, some unauthorized users may collude, even with the cloud server, to illegally access the files.However, we have to make a minimum trust assumption that the cloud server will honestly follow the scheme to execute the procedures and return the service to the users.Else, the scheme will not work and makes no sense in practice.We require that the attacker in such a situation cannot get any useful information of the outsourced data.Now we formally define the security model of a BABE scheme.Let U i be the attribute universe of the i-th underlying ABE scheme.All of the underlying ABE schemes share the security parameter λ.Each underlying ABE scheme is managed by an authority AA i .I is the index set of the underlying ABE schemes.Formally, we define the security model for BABE via a game between a challenger and an adversary.
Initialize.The adversary declares the different underlying ABE schemes upon which he or she wants to be challenged, indexed by ψ ⊆ I.The adversary also declares the attribute set S * i , i ∈ ψ of different ABE schemes upon which he or she wished to be challenged upon.
Setup.The challenger runs the Setup algorithm to set up the BABE system and sends the public parameters, P K i , i ∈ I, to the adversary.
Phase 1.For the i-th underlying ABE subsystem, the challenger initializes for i ∈ I an empty table T i , an empty set D i and an integer counter j i = 0.The adversary can repeatedly make the following queries: The challenger sets j i = j i + 1.It runs the key generation algorithm on A i to obtain the secret key SK and stores it in table T i , forming the entry (j i , A i , SK).

Corrupt(κ, i):
The adversary queries for the secret key corresponding to the κ-th entry in Table i.If there exists such an entry in table T i , the challenger obtains the entry (κ, A i , SK), sets D i = D i {A i } and returns the secret key SK to the adversary.Else, it returns ⊥.
Challenge.The adversary submits two equal-length messages, vector M 0 and M 1 , with each vector having |ψ| message M 0,i , i ∈ ψ and M 1,i , i ∈ ψ.In addition, the adversary gives a set of attributes S * i , i ∈ ψ, such that for all A i ∈ D i , i ∈ ψ, the set S * i , i ∈ ψ does not satisfy the access structure A i , i ∈ ψ.The challenger chooses b ∈ {0, 1} randomly and encrypts M b under S * i , i ∈ ψ.The resulting ciphertext CT * i , i ∈ ψ is given to the adversary.
Phase 2. Phase 1 is repeated with the restriction that the adversary cannot obtain any secret key that can be used to decrypt the challenge ciphertext.This means that it cannot issue a Corrupt query that would result in an access structure A i that S * i satisfies being added to D i ∈ ψ.Of course, the adversary cannot issue a decryption query on the challenge ciphertext CT * i , i ∈ ψ.Definition 1.A BABE scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.
3. The Proposed BABE Scheme

Mathematical Background
We briefly review the basic mathematical concepts used in our schemes.
Definition 2. (Access structure [20]).Consider a set of parties  Definition 3. (Linear secret sharing scheme [20]).Let P be a set of parties.Let W be an l × m matrix.Let f be a function that maps a row to a party.A secret sharing scheme Π for access structure A over a set of parties P is a linear secret-sharing scheme (LSSS) in Z p and is represented by (W, f ) if it consists of two efficient algorithms: Share(W, f ): This takes as input s ∈ Z p , which is to be shared.It chooses r 2 , r 3 , • • • , r n , and let v = (s, r 2 , • • • , r n ).It outputs W v as the vector of the shares.The share ω i = W i v belongs to party f (i), where W i is the i-th row of W .
Recon(W, f ): This takes as input an access set S ∈ A.
In a KP-ABE scheme, a ciphertext is associated with a set of attributes S, and each secret key corresponds to an access structure A. One can decrypt if the attribute set S is authorized in the access structure A (i.e., S ∈ A).
Our scheme is built on bilinear groups briefly defined as follows.
Definition 4. (Bilinear group).Let G and G T be two multiplicative cyclic groups of prime order p.
Let g be a generator of G and e be a bilinear map, e : G × G −→ G T .The bilinear map e has the following properties: (1) Bilinearity: for all g, h ∈ G and a, b ∈ Z p , we have e(g a , h b ) = e(g, h) ab .
We say that G is a bilinear group if the group operation in G and the bilinear map e : G×G −→ G T are both efficiently computable.Notice that the map e is symmetric since e(g a , h b ) = e(g, h) ab = e(g b , h a ).

The Proposal
We first give an outline of our BABE scheme.The scheme is proposed to accelerate the encryption process when one needs to encrypt for the users from different organizations in a cloud storage setting where ABE is used to enforce fine-grained access control.
The data owner chooses the data he or she wants to share with the data requestors of the different systems.
Then, he or she encrypts the data and sends the encrypted data to the cloud server.Authorized data requestors will be able to decrypt the encrypted data by using the secret key given by the corresponding authority.Using the traditional approach, the owner needs to encrypt each data item for the receivers of the different organizations repetitively, which is inefficient in practice.We suggest to encrypt in a batch way and propose a BABE scheme managing to solve this problem.
For i ∈ I, we describe different subsystems with different universes U i of different attributes.The attributes are indexed by integers 1, • • • , |U i |.We use |U i | to represent the number of the attribute universe U i .The number of the attributes may be different in distinct subsystems.
Setup.This algorithm, run by the authority AA i , takes as inputs a system parameter λ and an attribute universe U i .It generates a bilinear group G of prime order p, with generator g ∈ G.
It further chooses a distinct α i ∈ Z p for each i.Finally, for each i, it outputs the public key and master secret key as: Encrypt.The data owner chooses the organizations that he or she wants to communicate with, denoted by ψ ⊆ I.
Then, he or she asks the authority AA i ,i ∈ ψ for the public key P K i and chooses a series of attributes S, where S i , i ∈ ψ, a series of messages M ∈ G T .
The data owner chooses a random s ∈ Z p .The ciphertext component used by i-th subsystem is CT i = (S i , C i , C , C i,x ) where: After the encryption, the data owner sends the encrypted data to the cloud server.
KeyGen.For each i, the authority AA i takes as inputs the master secret key M K i and an LSSS access structure A i represented by (W, f ).Let W be an l × m matrix.The function f is associated with the rows of W .Let β denote the set of distinct attributes appearing in the access structure matrix W , i.e., β = {d : ∃τ ∈ [1, l], f (τ ) = d}.This algorithm chooses a random vector Here, these values will be used to share the master secret α i , and y 2 , • • • , y m are random numbers.For τ = 1 to l, it calculates λ τ = v • W τ , where W τ is the vector corresponding to the τ -th row of W .The algorithm chooses random integers r 1 , It outputs the secret key SK as: Decrypt.The data requestor requests the encrypted data from the cloud server.The requestor runs the decryption algorithm with his/her secret key for access structure (W, f ) and the ciphertext CT i = (S i , C i , C , {C x } x∈S i ) for set S i .Let W be an l × m matrix.The function f is associated with some rows of W .If S i does not satisfy the access structure, the decryption algorithm outputs ⊥.
If S i satisfies the access structure, we let I ⊆ {1, 2, • • • l} be a set of indices and {ω τ } τ ∈I ∈ Z p be a set of constants, such that f (τ ) ∈ S i and Note that ω τ can be found in polynomial time.
We represent the attributes satisfying the access structure as γ = {x : ∃τ ∈ I, f (τ ) = x}.I is the set of indices corresponding to the rows used to decrypt the ciphertext, and γ is the set of distinct attributes associated with these rows.In fact, there are multiple I's that satisfy the constraints above.Typically, the smaller the size of I, the better.Observe that γ ⊆ S i , where S i is the attribute set used to encrypt the ciphertext M i and γ ⊆ β, the set of attributes used to create the secret key.
To recover the value e(g, g) α i s , we define a function v, which transforms a set of attributes into an element of G in the way v(γ) = x∈γ h i,x .For each τ ∈ I, the data requestor computes the value For the ciphertext, the data requestor computes the value Finally, the data requestor recovers the value e(g, g) α i s by computing: Hence, the data requestor can obtain M i from C i .From the computation process, it can be seen that the decryption algorithm requires only two pairing operations.

Security Analysis
The security of the proposal is based on the hardness of the q-decision bilinear Diffie-Hellman exponent (q-DBDHE) problem defined below.Definition 5. (q-Decision bilinear Diffie-Hellman exponent [21]).In (G, G T ), the q-DBDHE problem states that, given: where x ∈ Z p , g, h ∈ G and T ∈ G T , decide whether T = e(g, h) x (q+1 ) or T is a random element of G T .
The q-DBDHE assumption states that any probabilistic polynomial time (PPT) algorithm has only negligible advantage in solving the above q-DBDHE problem, where the advantage is defined as |P r[T = e(g, h) The security of the proposed BABE scheme is guaranteed by the following claim.
Theorem 1. (Security).The BABE scheme is selectively secure against chosen plaintext attacks under the |U | − DBDHE assumption in G.
Proof.Let |U | be the maximum of all of the |U i |'s for security parameter λ.Assume that each attribute is indexed by a unique integer between one and |U i |.Suppose there exists a PPT adversary A who can distinguish the encrypted message vectors with non-negligible probability under the selective security experiment [22].Then, we show that there exists a PPT adversary B that can break the |U | − DBDHE assumption in G, which contradicts the hardness of the |U | − DBDHE problem.
Init: A chooses the underlying ABE schemes on which he or she wants to be challenged.For each sub-system, A outputs the attribute set S * i , i ∈ [1, n] for the challenge ciphertext.Setup: The challenger B is given the tuple: for security parameter λ.The challenger is required to solve the |U | − DBDHE challenge, i.e., to answer whether T = e(g, g) a |U |+1 s or a random element in G T .The challenger randomly chooses and sets e(g, g) α i = e(g, g) α i • e(g a , g a |U | ), which means that The public parameter P K i for the i-th subsystem is (G, p, g, e(g, g) and is sent to the adversary A.
Phase 1: For system i, the challenger B initializes an empty table T i , an empty set D i and a counter j i = 0.The adversary A can query the challenger B, and the challenger B responds as follows: (1).Create(A i ): The challenger B sets j i = j i + 1.The access structure A i is represented by (W, f ), where W is an l × m matrix.Let K i be the set of the rows in which the attributes are in S * i and K i be the rows in which the attributes are not in S * i (i.e., K i = [1, l]/K i ).Define an m-element vector v over Z p with the first element of v being one, for all τ ∈ K i , vW τ = 0. W τ is the vector row τ of the matrix W .Note that when S i does not satisfy W , it must be the case that (1, 0, • • • , 0) is not in the span of rows W τ for τ ∈ K i .With the property of LSSS, the vector v can be found in polynomial time.In addition, in order to share the secret α i , B generates a secret key with the vector α i v by noting v 1 = 1.B computes The challenger B randomly chooses r 1 ,,• • • ,r l ∈ Z q and y 2 , and compute: is computed as follows: After the process above, the keys are valid with access policy (W, f ).From the view of A, their distribution is identical to that of the keys generated by the KeyGen algorithm.Hence, the secret keys requested by the adversary is perfectly simulated.
(2).Corrupt(κ, i): The challenger B obtains the entry (κ; A i ; SK) if the κ-th entry appears in table Phase 2: B responds to A's queries in the same manner as in Phase 1, except that it refuses to answer any Corrupt query that would result in an access structure A i , which S i satisfies.
Guess: Finally, A outputs a bit b .If b = b , then B outputs that T = e(g, g) a |U |+1 s , else it outputs that T is a random element.

Efficiency Analysis
In this section, we analyze the performance of our BABE scheme.It can be seen that our approach is more efficient than encrypting data for different organizations one by one using the underlying Hohenberger-Waters ABE (HW-ABE) [2] scheme.In the encryption process, the number of exponentiations grows with the number of attributes.Comparing to the plain implementation of the HW-ABE scheme, our approach is more efficient because C is the same for all of the ciphertexts.Hence, it can be calculated once and then be reused.Assume that the data owner wants to share data with the users of n organizations simultaneously, and the average number of the attributes used in encryption is m.Our scheme needs (m + 1)n + 1 exponentiations, while the HW-ABE scheme needs (m + 2)n exponentiations.From the comparison, the improved efficiency is dominated by the average number of the attributes used by the data owner.We can save n − 1 exponentiations in the encryption process.The computation overhead for the data requestors is also very small.They need only two pairings and a number of multiplications.This is the same as the HW-ABE scheme [2].
We encoded our BABE and performed experiments on a PC with a 2.80 GHz CPU and 3 GB RAM, using the C programming language in the GMP (https://gmplib.org/)and PBC (https://crypto.stanford.edu/pbc/)library.For the encryption algorithms: (1) we generated n different 1024 bit-long random numbers as exponents; (2) we implemented the batch algorithm and normal algorithm, respectively.We executed Steps 1 and 2 100 times to eliminate experimental noise.We set the values of n ranging from 10 to 100 to see the performance improvement due to the batch algorithms.
Figure 2 show the time to compute n ciphertext in the HW-ABE and BABE with the average attribute number m = 4 or m = 8.It can be seen that the time consumed in both BABE and HW-ABE grows linearly with the number of messages to be encrypted.However, the batch encryption takes about 15% less time for m = 4 or 10% less time for m = 8 than the normal encryption, which confirms the theoretical analysis.

Conclusions
In this paper, we proposed BABE to accelerate the ABE encryption for the users of multiple organizations.Our approach makes the data owner able to share his or her data with the data requestors of different systems simultaneously.We formally proved the security of our scheme and compared it to previous work.The analyses and comparisons show that our scheme has desirable high performance.It is efficient to secure data to be outsourced to clouds.

Guess.
The adversary outputs a guess bit b of b.The output of the experiment is one if and only if b = b .The advantage of the adversary A in this game is defined as P r[b = b] − 1 2 .
It then sends SK to adversary A. If no such entry exists, then return ⊥.Challenge: A outputs two equal-length message vectors M 0 , M 1 , each of which contains n messages in the message space of the corresponding subsystem.The challenger B chooses a random bit b.It constructs and sends to A the challenge ciphertext: