Dynamic Policy Update for Ciphertext-Policy Attribute-Based Encryption

Wei Yuan

Abstract: Ciphertext-policy attribute-based encryption (CP-ABE) is a promising access control technique for cloud storage. However, because it lacks an update function, CP-ABE has not been widely accepted as a complete access control tool. In this paper, we add an update function to CP-ABE so that the data access policy can be changed dynamically after the ciphertext has been generated. First, we present a new linear secret sharing (LSS) matrix update algorithm built on an existing LSS matrix generation algorithm. Then we summarize the common structure of several typical CP-ABE schemes and abstract a basic CP-ABE scheme from them. Next, using the matrix update algorithm, we implement the policy update algorithm on top of the encryption algorithm of the basic CP-ABE scheme. In our scheme, the data access policy can be changed directly, without any key update. If a user whose attributes satisfy the old access policy does not decrypt the old ciphertext before the policy is updated, he cannot obtain the data after the ciphertext has been updated. As a result, the long-standing problem "a user can refuse the update of his secret key if the policy update reduces his privilege", which has hindered CP-ABE from becoming a practical network access control tool, is overcome. At the same time, the private channels needed to transmit update keys to non-revoked users are eliminated. The communication, computation, and storage costs of an update no longer depend on the number of users, but only on the number of attributes in the access policy.
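The abstract expresses access policies as linear secret sharing (LSS) matrices and builds its update on an existing matrix generation algorithm. As an added example that is not the paper's code and does not implement the paper's matrix update algorithm (the abstract gives no details of it), the block below shows the underlying machinery: the well-known Lewko-Waters conversion of an AND/OR policy into an LSSS matrix, sharing a secret over a prime field according to that matrix, and checking which attribute sets can reconstruct it. The field prime, the policies, the function names and the "naive re-share" used to model a policy change are all constructed for this illustration.

```python
# Added example (not code from the paper): Lewko-Waters LSSS matrix
# construction for a monotone AND/OR policy, secret sharing over F_p, and
# reconstruction for authorized attribute sets. The prime, the policies and
# all function names are constructed for this demo.
import secrets

P = 2**61 - 1  # constructed: Mersenne prime used as the share field


def policy_to_lsss(tree):
    """Lewko-Waters conversion: AND/OR formula tree -> list of (attr, row).
    A leaf is an attribute string; a gate is ('and', l, r) or ('or', l, r).
    The rows M_i satisfy: a set S is authorized iff (1,0,...,0) lies in
    the span of {M_i : attr_i in S}. Assumes each attribute appears once."""
    rows, counter = [], [1]      # counter[0] = current label length c

    def walk(node, vec):
        if isinstance(node, str):
            rows.append((node, vec))
            return
        gate, left, right = node
        if gate == 'or':         # OR: both children inherit the label
            walk(left, vec)
            walk(right, vec)
        elif gate == 'and':      # AND: labels v|1 and (0..0)|-1, then c += 1
            c = counter[0]
            padded = vec + [0] * (c - len(vec))
            counter[0] = c + 1
            walk(left, padded + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(f'unknown gate {gate!r}')

    walk(tree, [1])
    n = counter[0]
    return [(a, v + [0] * (n - len(v))) for a, v in rows]


def share_secret(lsss, s):
    """lambda_i = M_i . (s, r_2, ..., r_n) mod P for every row of the matrix."""
    n = len(lsss[0][1])
    v = [s % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return {a: sum(m * x for m, x in zip(row, v)) % P for a, row in lsss}


def recover_coefficients(rows):
    """Solve sum_i w_i * rows[i] == (1,0,...,0) mod P by Gaussian elimination.
    Returns w, or None when the rows do not span e_1 (unauthorized set)."""
    k, n = len(rows), len(rows[0])
    # augmented matrix of the transposed system: n equations in k unknowns
    aug = [[rows[i][j] % P for i in range(k)] + [1 if j == 0 else 0]
           for j in range(n)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % P for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
        if r == n:
            break
    if any(aug[i][k] for i in range(r, n)):   # a row "0 = nonzero": no solution
        return None
    w = [0] * k
    for i, col in enumerate(pivots):
        w[col] = aug[i][k]
    return w


def reconstruct(lsss, shares, attrs):
    """Recover s from the shares held by attrs, or None if attrs is unauthorized."""
    held = [(a, row) for a, row in lsss if a in attrs]
    if not held:
        return None
    w = recover_coefficients([row for _, row in held])
    if w is None:
        return None
    return sum(wi * shares[a] for wi, (a, _) in zip(w, held)) % P


OLD_POLICY = ('and', 'A', ('or', 'B', 'C'))   # constructed: A AND (B OR C)
NEW_POLICY = ('and', 'A', 'C')                # constructed: A AND C


def demo():
    """Share one secret under the old policy, then re-share it under the new
    one (a naive re-share, NOT the paper's update algorithm) and show which
    attribute sets can still reconstruct it."""
    s = secrets.randbelow(P)
    old, new = policy_to_lsss(OLD_POLICY), policy_to_lsss(NEW_POLICY)
    old_shares, new_shares = share_secret(old, s), share_secret(new, s)
    return {
        'old_AB': reconstruct(old, old_shares, {'A', 'B'}) == s,   # True
        'old_BC': reconstruct(old, old_shares, {'B', 'C'}),        # None
        'new_AB': reconstruct(new, new_shares, {'A', 'B'}),        # None
        'new_AC': reconstruct(new, new_shares, {'A', 'C'}) == s,   # True
    }


if __name__ == '__main__':
    print(demo())
```

The point of the last step is the one the abstract makes at the secret-sharing layer: once the secret is shared under the new matrix, a holder of {A, B} who satisfied the old policy has no linear combination of new shares that yields the secret, whatever shares he held before. The paper's contribution is to reach the same effect by updating the existing ciphertext rather than re-sharing from scratch; this example only shows why a fresh matrix closes the old access path.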

Category / Keywords: Access control, attribute based encryption, policy update

Date: received 10 May 2016, last revised 21 Feb 2017

Contact author: yuanwei at iie ac cn

Note: minor changes to the introduction

