Paper 2016/457
Dynamic Policy Update for Ciphertext-Policy Attribute-Based Encryption
Wei Yuan
Abstract
Ciphertext-policy attribute-based encryption (CP-ABE) is a promising access control technique for cloud storage. However, because it lacks an update function, CP-ABE has not been widely accepted as a complete access control tool. In this paper, we add an update function to CP-ABE so that the data access policy can be dynamically updated after the ciphertext is generated. First, we present a new linear secret sharing (LSS) matrix update algorithm based on an existing LSS matrix generation algorithm. Then we summarize the common structure of some typical CP-ABE schemes and abstract a basic CP-ABE scheme from them. Next, based on the matrix update algorithm, we implement the policy update algorithm with the encryption algorithm of the basic CP-ABE scheme. In our scheme, the data access policy can be changed directly without a key update. If a user whose attributes satisfy the old data access policy does not decrypt the old ciphertext before the policy update, he cannot obtain the data after the ciphertext is updated. As a result, the long-standing problem that "a user can refuse the update of his secret key if the policy update reduces his privilege", which hinders CP-ABE from being a practical network access control tool, is overcome. Meanwhile, private channels to transmit update keys to non-revoked users are eliminated. The communication, computation, and storage costs of an update no longer depend on the number of users, but on the number of attributes in the access policy.
Note: minor changes for introductions
Metadata
- Publication info: Preprint. MINOR revision.
- Keywords: Access control, attribute based encryption, policy update
- Contact author(s): yuanwei @ iie ac cn
- History:
  - 2021-06-22: last of 7 revisions
  - 2016-05-13: received
- Short URL: https://ia.cr/2016/457
- License: CC BY