Secure and efficient revocable key-aggregate cryptosystem for multiple non-predefined non-disjoint aggregate sets

Abstract

Revocation and renewal of access rights of users are desirable requirements of a practical access control solution. Recently, key-aggregate cryptosystems have attracted significant attention of the research community, due to their elegance and efficiency, as a tool for access control enforcement. However, key-aggregate encryption schemes proposed so far in the literature are suitable only for enforcing static predefined access control policies. This paper proposes a novel key-aggregate encryption scheme that efficiently handles dynamic access control policies. The proposed scheme not only has all key-aggregate characteristics, but can also efficiently revoke/add any data class from/to a given aggregate set. Further, unlike conventional key-aggregate cryptosystems, the proposed scheme can introduce a new data class in the cryptosystem without having to initialize it all over again. The proposed scheme requires constant length master-secret to be stored by the data owner and is proved IND-CPA secure under standard model assumption. We define forward security for the proposed key-aggregate cryptosystem and formally prove that the proposed construction is secure under the definition of forward security. Performance analysis in a practical dynamic hierarchical access control scenario further confirms suitability of the proposed scheme for enforcing dynamic access control policies.

Introduction

With recent advances in Cloud Computing and Internet of Things (IoT), the need to store and share large amounts of data on third-party storage has grown immensely. However, security and privacy issues [1], [2] have also arisen as a result of potential threats of privacy abuse and data breach concerning third-party data storage and cloud computing platforms. This has triggered extensive research in the field of secure data sharing on public cloud storage. Users of a storage service may not trust the service provider for preserving privacy of their data. So, users encrypt their data before storing on the third-party storage. Due to flexibility requirements of cloud storage, asymmetric-key cryptosystems are suitable for managing access to shared data in a privacy preserving manner [3]. Since large amount of data is shared, storage and computation efficiency of the cryptosystem used determine the overall effectiveness of the secure data sharing and access control solution for sensitive data.

Consider an example where a user stores his personal photographs on Dropbox.¹ The user may not trust the secure storage offered by Dropbox and encrypt all the photographs before uploading them. Later, the user may not only wish to access the photographs, but may also wish to share all or a subset of the photographs securely with other users of Dropbox. Since there can be thousands of photographs, it is desirable that the cryptosystem used for encryption does not require the user to store as many different secret keys on its private storage as the number of photographs. Further, the user must be able to share a subset of his photographs with other user(s) without risking the privacy of photographs other than those in the subset and by transmitting only a small number of keys securely, e.g. via a secure e-mail.

Recently, key aggregate cryptosystem (KAC) [4], [5] has been proposed as an asymmetric-key cryptography primitive for secure and controlled data sharing on cloud storage. A data owner classifies his data items into multiple classes and delegates decryption rights of one or more classes to a user by securely transmitting a constant size key, called aggregate key. In the Dropbox example discussed above, the photographs can be classified into classes {personal, office, work, picnic}. KAC handles access delegation when the data owner wishes to share different subsets of these classes with different users. Suppose that the data owner wishes to share photographs under {work, office} with his co-worker and the ones under {personal, office, picnic} with his family members. KAC enables the data owner to output a constant-size aggregate key for each of these subsets. These subsets are also referred to as aggregate sets. Given an aggregate key corresponding to the subset {personal, office, picnic}, all photographs under classes personal, office and picnic can be accessed by the family members. However, photographs under the class work cannot be accessed using the same aggregate key.

Using KAC, the data owner defines a set of public identifiers corresponding to all the data classes during the initialization phase. The encryption procedure of KAC encrypts a plaintext data item under two components, namely a data class and the data owner’s public key. For a given aggregate set, the data owner computes an aggregate key, using which data encrypted under data classes belonging to the aggregate set can be decrypted. This aggregate key, which is as compact as a user’s secret key, is transmitted by the data owner to its intended recipient over a secure communication channel. Efficiency of KAC comes from the size of the aggregate key, which is constant with respect to the size of the aggregate set. In this way, decryption rights of a large number of data items can be delegated to any user by securely transmitting only a constant length aggregate key. Also, to enjoy access to a collection of data items, a user is not required to store large number of secrets.

A general access delegation scenario using key aggregate cryptosystem for the Dropbox example discussed above is depicted in Fig. 1. Owner of the photographs encrypts each photograph under a data class from a predefined collection $\{1,2,\dots ,n\}$ of $n$ data classes. Suppose the owner wants to share photographs encrypted under classes $1,2,4$ and $6$ with a given user. Data owner determines an aggregate set $S=\{1,2,4,6\}\subseteq \{1,\dots ,n\}$, computes and securely transmits an aggregate key ${\mathcal{K}}_S$ to the user. The user can download the encryptions under classes $1,2,4$ and $6$ and access the shared photographs through decryption using ${\mathcal{K}}_S$. Note that the KAC is generalized in the sense that it allows a data owner to share any number (between $1$ and $2^n$) of subsets for a collection of $n$ data classes. The size of an aggregate key remains constant and does not depend on the number of classes in the aggregate set.

One of the important applications of KAC is in flexible key-assignment for access hierarchies [4], [5]. Other scenarios where KAC finds application include patient controlled encryption system [6], group data sharing [7], secure and dynamic cloud data sharing [8], cloud authentication service [9] etc. In all these applications, the goal is to securely and efficiently enforce data owner-defined access control policy for a predefined collection of data classes. Whereas in most of the practical applications, it is necessary to address dynamically changing access rights of users while not subjecting the data owner to significant computation and storage overhead [10], [11], [12]. However, we stress that the existing key-aggregate encryption schemes cannot be employed to efficiently address dynamic updates of users’ access rights. For an aggregate key ${\mathcal{K}}_S$, securely removing/revoking a data class $i$ from $S$ so that ${\mathcal{K}}_S$ can decrypt no future encryptions under class $i$, is extremely inefficient. Although scheme by Patranabis et al. [5] claims to address dynamic requirements, our analysis of their scheme in a general setting shows that the cost of revoking a data class from a given aggregate set requires computational effort same as required to compute all the aggregate keys afresh. Gan et al. [13] proposed a ‘revocable’ KAC by employing the technique inspired from [14], originally proposed for attribute-based encryption schemes. However, their scheme is extremely inefficient for in a practical scenario as it employs multilinear maps, for which no known efficient implementations exist. Moreover, their scheme requires non-constant number of ciphertext components which grows with the number of classes in an aggregate set. In the following, we present a simple generalized access control scenario that employs a typical KAC. We identify a significant research gap in the design of conventional KACs as a solution to dynamic access control problem. In this paper, we address this research gap by proposing a novel bilinear pairing-based revocable key-aggregate encryption scheme with constant ciphertext size.

Consider that there are $n$ data classes $\{1,2,\dots ,n\}$ and $N$ users $\{u_1,u_2,\dots ,u_N\}$. For simplicity, consider that each user $u_i$ is authorized for a unique subset $S_i$ of the data classes. Suppose that there are $N$ different aggregate sets $\{S_1,S_2,\dots ,S_N\}$ for $N\le 2^n$ such that each $S_i\subseteq \{1,2,\dots ,n\}$ is defined as: $S_i=\{j:u_i\text{can access data encryptedunder class}j\}$. Obviously, these aggregate sets may be non-disjoint, i.e., $\exists a,b\in \left[1,N\right],\text{where}{S}_a\cap S_b\ne \varphi$. Each ${\mathcal{K}}_{S_k}$ for $k\in \left[1,N\right]$ is securely transmitted to the user authorized for the data classes in $S_k$. Now, suppose that any data class $r$ is removed from an aggregate set $S_k$. This is equivalent to revoking user $u_k$’s access to encrypted data under class $r$. It is an essential requirement that the system state and ${\mathcal{K}}_{S_k}$ be updated in such a way that both new and old values of the aggregate key ${\mathcal{K}}_{S_k}$ can no more successfully decrypt any future encryptions under class $r$. Whereas, the access permissions of other users for data encrypted under class $r$ must remain unchanged. This requirement is referred to as forward secrecy. In general, forward secrecy can be preserved by updating the public key under which a message is encrypted [15], [16]. So in KAC, a straightforward approach to enforce forward secrecy following the revocation of class $r$ is to update either the data owner’s public key or the public identifier corresponding to class $r$. In all existing KACs based on bilinear pairing [4], [5], [9], [17], the data owner’s public key is nothing but the blinded version of the master secret stored privately by the data owner. The same master secret is also used as one of the inputs for computing all the aggregate keys ${\mathcal{K}}_{S_1},{\mathcal{K}}_{S_2},\dots ,{\mathcal{K}}_{S_N}$. Hence for correctness, updating the data owner’s public key also requires updating all $N$ aggregate keys. Further, the existing constructions of KACs do not allow the data owner to update public identifiers corresponding to a data class without executing the system initialization again. So, none of the existing KACs supports efficient revocation of a data class from a given aggregate set.

As another practically motivated requirement, consider that the data owner wishes to introduce a new data class, say $n+1$. Managing access to data items encrypted under class $n+1$ requires updating the existing aggregate set(s) and/or introducing new ones. To address such situations, few KACs have been proposed along with their public key extensions [4], [5], [17]. Public key extension of a KAC that is originally designed to handle $n$ data classes, can realize $n$ additional data classes by introducing one additional master-secret to be stored by the data owner on its private storage. More generally, for a KAC that originally handles $n$ data classes, its public key extension uses the same $n$ public identifiers and combines them with (say) $m$ different master secret keys to obtain a total of $mn$ distinct public class identifiers. However, the data owner has to store $m$ distinct master-secrets on its private storage and publish their blinded versions as a collection of $m$ public keys of the data owner. At first glance, public key extension of a KAC seems to address the scalability requirement with some storage overhead on the data owner. However, its use for non-disjoint aggregate sets is extremely limited. Suppose that each of these $m$ master secrets is denoted by ${\gamma }_i$ and we refer to a data class obtained after combining it with $j\in \{1,2,\dots ,n\}$ as a pair $(i,j)$, as shown in Fig. 2. In the encryption procedure, the data owner’s public key used for encrypting messages under class $(a,i)$ is blinded version of ${\gamma }_a$. Similarly, blinded version of ${\gamma }_b$ is used for encrypting messages under class $(b,i)$. For two different master-secrets ${\gamma }_a,{\gamma }_b$ and for $i,j\in \{1,2,\dots ,n\}$, classes $(a,i)$ and $(b,j)$ cannot be members of the same aggregate set. This is because any given aggregate key is produced using a unique master-secret. Two classes corresponding to two different master secrets cannot be simultaneous members of any given aggregate set. Therefore, an aggregate key that can decrypt data encrypted under both $(a,i)$ and $(b,j)$, cannot be produced. Also, if there is an aggregate key ${\mathcal{K}}_{S_1}$ for an aggregate set defined as $S_1=\{(a,i):a\in [1,m],i\in [1,n]\}$ and ${\mathcal{K}}_{S_2}$ for $S_2=\{(b,j):b\in [1,m],j\in [1,n]\}$, it implies $S_1\cap S_2=\varphi$ must hold. Hence, public key extension of KAC does not support non-disjoint aggregate sets.

In view of the discussion presented above, we stress that no key-aggregate cryptosystem addresses the two fundamental requirements of a dynamic access control model — revoking a data class from an aggregate set and introducing an entire new data class in the cryptosystem with non-predefined and non-disjoint aggregate sets. This paper proposes a novel key-aggregate encryption scheme that addresses both aforementioned requirements without having to set up the whole cryptosystem all over again. The proposed scheme satisfies all other desirable efficiency requirements featured by the existing KACs — constant-size aggregate key, constant private storage requirement for the data owner and overall public storage requirement linear in the number of data classes. Further, we prove security of the proposed scheme under chosen-plaintext attacks. We analyze applicability of the proposed scheme for key assignment in dynamic hierarchies and draw performance comparisons between the proposed and existing well-known KACs. Our performance analysis indicates that the proposed scheme handles dynamic updates in a practical access control model more efficiently than the existing KACs.

Secure access revocation and access renewal are two important requirements of a cryptosystem suitable for dynamic access control enforcement. While key-aggregate cryptosystem is an efficient and secure solution for data sharing between users, scalability and dynamic updates of access rights remain its critical issues. We summarize contributions of this paper as follows:

• In this paper, we formalize the definitions of a revocable key-aggregate cryptosystem that features the following two additional functionalities: (1) “forward-secure” removal (revocation) of a data class from any given aggregate set; and (2) introduction of a new data class in the cryptosystem and adding it to desired aggregate set(s). Our definition suits the range of scenarios where multiple non-predefined and non-disjoint aggregate sets are to be handled.

• We propose a concrete construction of the proposed revocable key-aggregate cryptosystem for multiple non-disjoint aggregate sets. The proposed construction is based on bilinear-pairing and features constant length aggregate key irrespective of the size of the aggregate set and overall public storage requirement is linear with respect to the number of data classes in the cryptosystem. The data owner has to store nothing except a constant length master-secret on its private storage.

• We formally prove chosen plaintext security and forward security of the proposed concrete construction. The chosen plaintext security establishes that no probabilistic polynomial time (PPT) algorithm can distinguish two encrypted plaintext messages under a target data class even if it has access to all aggregate keys except the ones that can “legally” decrypt messages under the target data class. Forward security establishes that no PPT adversary can distinguish two plaintext messages under a revoked data class even if it has access to aggregate key(s) produced by the data owner prior to the revocation.

• We analyze applicability of the proposed key-aggregate encryption scheme for key assignment in dynamic (non-predefined) hierarchies. We discuss security and performance implications of using the proposed scheme in the scenario. Also, we compare performance of the proposed scheme with other existing KACs in a dynamic access control scenario. Our analyses indicate that proposed key-aggregate encryption scheme is a complete solution that satisfies all classical efficiency requirements of key assignment in dynamic access hierarchies. Also, compared with other existing KACs, the proposed scheme leads to better efficiency of dynamic updates in the access hierarchy.

The remainder of the paper is organized as follows. Section 2 summarizes recent works in the field of key-aggregate encryption with special focus on revocability and potential for introducing a new data class. In Section 3, we define procedures involved in the proposed key-aggregate encryption scheme along with security definitions. In Section 4, we present concrete construction of the proposed revocable key-aggregate encryption scheme, prove its correctness and security and compare it with the existing schemes with respect to various performance parameters and desirable features. In Section 5, we study application of the proposed scheme for dynamic hierarchical key assignment and analyze its performance in the scenario. Finally, the paper concludes in Section 6.