## Cryptology ePrint Archive: Report 2014/616

Practical Attribute Based Encryption: Traitor Tracing, Revocation, and Large Universe

Zhen Liu and Duncan S. Wong

Abstract: In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user's decryption key is associated with attributes which in general are not related to the user's identity, and the same set of attributes could be shared between multiple users. From the decryption key, if the user created a decryption blackbox for sale, this malicious user could be difficult to identify from the blackbox. Hence in practice, a useful CP-ABE scheme should have some tracing mechanism to identify this `traitor' from the blackbox. In addition, being able to revoke compromised keys is also an important step towards practicality, and for scalability, the scheme should support an exponentially large number of attributes. However, none of the existing traceable CP-ABE schemes supports revocation or large attribute universe. In this paper, we construct the first practical CP-ABE which possesses these three important properties: (1) blackbox traceability, (2) revocation, and (3) supporting large universe. When compared with the latest traceable CP-ABE schemes, this new scheme achieves the same efficiency level, enjoying the sub-linear overhead of $O(\sqrt{N})$, where $N$ is the number of users in the system, and attains the same security level, namely, the fully collusion-resistant traceability against policy-specific decryption blackbox, which is proven against selective adversaries in the standard model. The scheme also supports large attribute universe, and attributes do not need to be pre-specified during the system setup. It is highly expressive and can take any monotonic access structures as ciphertext policies.

We also present the analogous results in the Key-Policy Attribute-Based Encryption (KP-ABE) setting, where users' description keys are described by access policies and ciphertexts are associated with attributes. We construct the first practical KP-ABE which possesses the three important properties: (1) blackbox traceability, (2) revocation, and (3) supporting large universe. The scheme is highly expressive and can take any monotonic access structures as key policies, and is efficient, namely, enjoys the sub-linear overhead of $O(\sqrt{N})$ while supporting fully collusion-resistant blackbox traceability and revocation, and does not need to pre-specify the attributes during the system setup. The scheme is proven selectively secure in the standard model.

Category / Keywords: public-key cryptography / Attribute-Based Encryption, Traitor Tracing, Revocation, Large Attribute Universe

Date: received 12 Aug 2014, last revised 15 Aug 2014

Contact author: liuzhen sjtu at gmail com, duncan@cityu edu hk

Available format(s): PDF | BibTeX Citation

[ Cryptology ePrint archive ]