
Security-Strengthened Constructions Of Attribute-Based Encryption And Signcryption

Posted on: 2014-01-10; Degree: Doctor; Type: Dissertation
Country: China; Candidate: Y H Zhang; Full Text: PDF
GTID: 1228330398998899; Subject: Cryptography
Abstract/Summary:
Cloud computing emerges as a new computing paradigm which aims to provide a reliable, customized and dynamic computing environment for massive amounts of end-users. Although the advantages of cloud computing are exciting, data security and privacy issues have seriously hindered cloud computing's large-scale deployment and usage in practice. Attribute-based encryption (ABE) is a promising cryptographic primitive for implementing fine-grained access control of shared data in cloud computing. In particular, attribute-based signcryption (ABSC) further takes authentication into consideration. As for ABSC, however, there seem to be no available schemes supporting key evolution. Key-evolving cryptography is intended to mitigate the damage in case of a secret key compromise, one of the severest security threats to actual cryptographic systems. In the traditional public key setting, the essential idea of key evolution lies in updating the private key with time, while maintaining the same public key. From a more practical standpoint, one would like to use the primitive signcryption in the key-evolving hierarchical identity-based setting, which takes only two attributes, time and identity, into account and hence is a special case of the attribute-based setting. As for ABE, anonymous ABE further hides information on access policies in ciphertexts because many attributes are sensitive and related to the identity of eligible users. However, in existing anonymous ABE work, a user knows whether the attributes and the access policy match or not only after repeating decryption attempts. Moreover, the computation overhead of each decryption is high, as the computational cost grows linearly with the complexity of the access formula, which usually requires many pairings in most of the existing ABE schemes. As a result, this direct decryption method in anonymous ABE will suffer a severe efficiency drawback. On the other hand, the challenging issue of attribute and user revocation has to be addressed. In particular, the revocation issue is essential and difficult in ABE systems, since users may change their attributes frequently in practice and each attribute is conceivably shared by multiple users. To our knowledge, none of the existing ABE schemes is able to support flexible and direct revocation, due to the burdensome update of attribute secret keys and all ciphertexts.

In order to address these challenging issues, this dissertation studies and strengthens ABE and ABSC. The first part of this dissertation studies a special case of ABSC, that is, key-evolving hierarchical identity-based signcryption (ke-HIBSC), where two important attributes, time and identity, are considered and the attribute hierarchy is supported. The second part of this dissertation focuses on security-strengthened constructions of ABE. The authors' main contributions are summarized as follows.

(1) As for ABSC, we formalize the notion and security model of ke-HIBSC, and give a concrete construction. As the first ke-HIBSC construction, the proposed scheme is scalable and joining-time-oblivious and allows secret keys to be updated autonomously. The security proofs of our construction depend on the BDH assumption and the CDH assumption in the random oracle model. To be specific, the proposed ke-HIBSC scheme not only achieves the fundamental goals of confidentiality and authenticity, but also enjoys the desirable properties of non-repudiation, ciphertext anonymity and strong forward security. Compared with the conventional sign-then-encrypt approach, our construction provides better efficiency in terms of computation cost and communication overhead.

(2) Towards a practical anonymous ABE, we propose a novel technique called match-then-decrypt, in which a matching phase is additionally introduced before the decryption phase. This technique works by computing special components in ciphertexts, which are used to test, without decryption, whether the attribute private key matches the hidden attribute policy in the ciphertext. In our proposed constructions, the computation cost of such a test is much less than that of one decryption operation. Our basic construction and its extension are proven to be secure under the DBDH assumption and the D-Linear assumption. In addition, the results of simulation experiments indicate that the proposed solutions are efficient and practical, and greatly improve the efficiency of decryption in anonymous ABE.

(3) As for the revocation issue, we formalize the notion of CP-ABE with flexible and direct revocation (FDR-CP-ABE), and give a concrete construction. The proposed scheme supports direct attribute and user revocation and is applicable to the data sharing architecture. Direct revocation has the desirable property that revocation can be done without affecting any non-involved users, that is, it does not require users to update attribute secret keys periodically. We achieve this by introducing an auxiliary function to determine the ciphertexts involved in revocation events, and then using the technique of broadcast encryption (BE) to update only the involved ciphertexts. The proposed FDR-CP-ABE scheme outperforms the previous revocation-related methods in that it has constant-size ciphertexts and only part of the ciphertexts need to be updated whenever revocation events occur. Furthermore, FDR-CP-ABE is proven to be secure in the standard model. In particular, it is shown that our technique is also applicable to the key-policy attribute-based encryption counterpart.
Keywords/Search Tags: cloud computing, attribute-based cryptography, key evolution, anonymity, revocation