5.1.3 Security Analysis

We analyze the security of our scheme in terms of its correctness and the fulfillment of our security goals. Correctness of our design can be shown by the following theorems:

Lemma 5.1.2 A user can correctly decrypt $M$ if and only if she holds all the intended attributes in the data access structure.

Proof: To decrypt $M$, the blind factor $e(g,g)^{\alpha s_0}$ should be removed from $\tilde{C}$ as illustrated by Eq. (6). The only way to construct $e(g,g)^{\alpha s_0}$ is through the bilinear mapping between $g^{\beta s_0}$ and $g^{(\alpha+r)/\beta}$, i.e., $e(g^{\beta s_0}, g^{(\alpha+r)/\beta})$, which introduces another blind factor $e(g,g)^{r s_0}$. As shown in Eq. (6), cancelling this blind factor requires that $x = x_0$ holds. By Theorem 5.1.1, $x = x_0$ holds if and only if the user holds all the intended attributes in the data access structure.

Lemma 5.1.3 Except for the authority, it is hard for any other party to generate a valid secret key component $D_i$ for attribute $Att_{i,X_i}$, even if they already know the secret key components of other attributes.

Proof: As defined in Section 5.1.2, $h_{i,\bar{X}_i} = g^{a_i}$ or $g^{b_i}$, where $a_i, b_i \in \mathbb{Z}_p$ are two independent random numbers. Without loss of generality, we assume $h_{i,\bar{X}_i} = g^{a_i}$. Therefore, the secret key component for attribute $Att_{i,X_i}$ is $D_i = h_{i,\bar{X}_i}^{r} = g^{r a_i}$, where $r$ and $a_i$ are not known to any user. Any user not assigned the attribute $Att_{i,X_i}$ only knows $g^{r}$, $g^{\beta r}$, and $g^{r b_i}$. Without knowing $a_i$ and $b_i$, it is hard to generate $g^{r a_i}$ given $g^{r}$, $g^{\beta r}$ and $g^{r b_i}$, since $a_i$ and $b_i$ are independent. Therefore, this lemma holds.

From the above lemmas, we can conclude that: (1) only the users with the intended attributes can decrypt $M$; (2) no user can generate valid credentials for attributes that are not assigned to him. Therefore, our design is correct.

Our proposed scheme meets the following security goals:

Data Confidentiality As is shown above, only intended users are able to decrypt the message $M$. Moreover, it can be shown that collusion does not help unintended users decrypt the message, since each user's SK is blinded by a blind factor $r$ which is unique to each user.

Confidentiality of Access Structure First, we show that eavesdroppers are not able to derive the access structure information from the ciphertext, as follows. In the ciphertext, the intended attributes are secretly marked with a random number $t_j \in \mathbb{Z}_p$, $j \in \mathbb{Z}_n$. Assume $C_{i,0}$ and $C_{i,1}$ of attribute $i$ have the following form: $C_{i,0} = g^{k_0} h_{i,0}^{s_i + t_i}$ and $C_{i,1} = g^{k_1} h_{i,1}^{s_i}$. Since $h_{i,0}$ and $h_{i,1}$ are not publicly known, $C_{i,0}$ and $C_{i,1}$ appear in the form $C_{i,0} = g^{k_0} g^{a_i (s_i + t_i)}$ and $C_{i,1} = g^{k_1} g^{b_i s_i}$ from the eavesdroppers' viewpoint. As $a_i$ and $b_i$ are randomly and independently chosen for every attribute $i$, $C_{i,0}$ and $C_{i,1}$ appear independent and random to the eavesdroppers. Therefore, they are not able to tell which one is marked or how many attributes are actually used in the access structure.

Next, we show that the intended recipients are not able to derive the access structure information either. This can be shown by observing the steps of the Decryption algorithm. As shown in those steps, the user does not know whether she is an intended receiver until she has aggregated the secret key components of all her attributes and decrypted the ciphertext in Step 4. Since her attributes take effect only when they are aggregated, the user cannot tell which attributes grant or deny her access to the message $M$, nor how many attributes contribute to the grant or denial. Therefore, no user, authorized or unauthorized, can tell, even partially, which or how many attributes are actually used in the access structure. Collusion does not help reveal this information because of the unique blind factor $r$ in each user's SK. In addition, no user is able to derive the number of associated attributes from the ciphertext size, because the ciphertext size is constant in our proposed scheme.

Backward Secrecy For backward secrecy, a new user cannot decrypt the messages sent before she joined the group. To achieve this goal, we can update the master key (MK) $\alpha$ before any new user joins. Similar to the process of delivering the message $M$, we can deliver $g^{\alpha'}$ to all users. Upon receiving $g^{\alpha'}$, each user updates $\alpha$ as follows: $g^{(\alpha + r)/\beta} \cdot g^{\alpha'} = g^{(\alpha + \alpha' + r)/\beta}$. In this way, $\alpha$ is securely updated to $(\alpha + \alpha')$. Member revocation can be realized in the same way except that we now update MK