A Multi-Authority Attribute-Based Encryption System Against Malicious KGC

An attribute-based encryption scheme is a scheme in which each user is identified by a set of attributes, and some function of those attributes is used to determine decryption ability for each ciphertext. Like identity-based encryption schemes, attribute-based schemes are confronted with the key escrow problem. Furthermore, the attributes belonging to a user are usually monitored by different authorities. This paper resolves the two problems by using a general attribute-based encryption scheme and K-Sibling intractable function families. In our construction, the different attribute sets of a user are still certified by different authorities, but the partial private keys corresponding to the attributes are generated by a central authority. Simultaneously, the different authorities jointly generate the users’ secret value, which cannot be obtained by the central authority. Compared with a general multi-authority attribute-based encryption scheme, our approach is more efficient.


Introduction
With the development of the internet, expressive access control is increasingly becoming a key technology, where access decisions depend upon attributes of the protected data and access policies assigned to users. A natural solution for expressive access control is attribute-based encryption (ABE), introduced by Sahai and Waters [1]. Two variants of ABE were subsequently proposed: the key-policy variant (KP-ABE) of Goyal, Pandey, Sahai and Waters (GPSW) [2] and the ciphertext-policy variant (CP-ABE) of Bethencourt, Sahai and Waters (BSW) [3]. In order to make the access structure more expressive, many schemes have been presented [2,3,4,5,6,7,8]. Simultaneously, schemes [6,9,10,11] were devoted to achieving constant-size ciphertexts.
With the increasing amount of international cooperation among different organizations and departments, the attributes belonging to a user are usually monitored by different authorities. Furthermore, similar to identity-based encryption schemes, attribute-based schemes encounter the key escrow problem. One approach to mitigating the above two problems is to employ a multi-authority attribute-based encryption scheme, which is an attractive solution and successfully avoids placing trust in a single entity by making the system distributed. However, this solution comes at the cost of introducing extra infrastructure and communication.

Related Work
Building on the ideas from [12], Chase proposed a solution for multi-authority attribute-based encryption, provided that a trusted central authority is available [13], but a global identifier is a "linchpin" for tying users' keys together. Müller, Katzenbeisser, and Eckert [14,15] give a system with a centralized authority that realizes any LSSS access structure. Their proof is limited to non-adaptive queries. The system achieves roughly the same functionality as the engineering approach above, except one can still acquire attributes from additional authorities without revisiting the central authority. The scheme [16] removed the central authority using a distributed PRF; however, the same limitations of an AND policy of a determined set of authorities remained. Lin et al. [17] give a threshold-based scheme that is also somewhat decentralized. The set of authorities is fixed ahead of time, and they must interact during the system setup. Scheme [18] proposes a new multi-authority attribute-based encryption system.
and the sample space of all finite strings of coin flips that F could have tossed.

A General Construction for Multi-Authority Attribute-Based Encryption Scheme
We assume that there are $n$ attribute authorities, and every attribute authority $k$ monitors $d_k$ attributes, and there are $r$ users. Let : Σ → Σ . Let (Setup; PartialPrivateKeyExtract; SetSecretValue; SetPrivateKey; SetPublicKey; Encrypt; Decrypt) be the attribute-based certificateless encryption scheme from the above attribute-based encryption scheme, $k$-sibling intractable function families and one-way trapdoor function, and the construction is as follows:
-SetUp: Central authority runs Setup' of attribute-based encryption scheme to get the master secret key $msk$ and master public key $mpk$. The master public key $mpk$ includes a description of the ciphertext space $C$. The master key is: Every attribute authority $k$ generates his own signature secret key $s_k$ and verifying secret key $v_k$.
-SetPublicKey: Given master public key $mpk$ and the entity $A_i$'s temporary secret key $x$, one-way trapdoor function $f$ with $x$ as its trapdoor is returned.
-Encrypt: In order to encrypt message $m \in G_T$ with attributes set $\omega'$, pick $s \in Z_p$ and compute the ciphertext as follows:
-Decryption: Suppose that a ciphertext $C$ is encrypted with a key for attributes set $\omega'$ and we have the partial private key
Correctness: (13)
We can randomly define the secret key for $\Gamma_1$ as follows: Where $s_i$ is chosen randomly. B can define the other secret key $D_i$: ∏ ∏ . The ciphertext is output as:
Phase 2: B acts exactly as it did in phase 1.
Guess: If A correctly guesses the bit $b$, B will decide that the tuple $(A, B, C, Z)$ is the Modified Bilinear Diffie-Hellman tuple; otherwise it is not. From the above analysis, we find that the advantage of B is equal to the advantage of A.
Theorem 2. If $f$ is a one-way trapdoor function and $h$ is a $k$-sibling intractable function, then our attribute-based encryption scheme is secure against a malicious central authority.

Conclusion
In order to mitigate the key escrow problem, this paper gives a new approach in which the attribute authorities add a new secret value to the user, and the central authority does not know the secret value. Compared with the general multi-authority attribute-based encryption scheme, our approach is simple, and the length of the ciphertext and the public key published to the sender is not increased.
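
An added illustration of the escrow argument summarized above; it is not the paper's construction. Plain ElGamal over a toy group stands in for the pairing-based attribute-based encryption scheme, and a sum of per-authority shares stands in for the secret value derived through the k-sibling intractable function family. All names and parameters are assumptions.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2*Q + 1, G has prime order Q.
P, Q, G = 1019, 509, 4

def rand_exp():
    """Uniform nonzero exponent modulo Q."""
    return 1 + secrets.randbelow(Q - 1)

def central_partial_key():
    """Central authority: partial private key d and its public part g^d."""
    d = rand_exp()
    return d, pow(G, d, P)

def joint_secret_value(n_authorities):
    """Each authority k contributes a share x_k; only g^(x_k) is published."""
    while True:
        shares = [rand_exp() for _ in range(n_authorities)]
        x = sum(shares) % Q
        if x:  # resample in the unlikely case that the shares cancel out
            break
    public = 1
    for share in shares:
        public = public * pow(G, share, P) % P
    return x, public

def encrypt(m, pub_partial, pub_secret):
    """ElGamal under the combined public key g^(d + x)."""
    r = rand_exp()
    mask = pow(pub_partial * pub_secret % P, r, P)
    return pow(G, r, P), m * mask % P

def decrypt(ct, exponent):
    """Remove the mask c1^exponent from c2 (c1 has order Q, so c1^(Q-e) = c1^(-e))."""
    c1, c2 = ct
    return c2 * pow(c1, Q - exponent % Q, P) % P

def demo(n_authorities=3):
    d, pub_d = central_partial_key()
    x, pub_x = joint_secret_value(n_authorities)
    m = pow(G, 123, P)                # message encoded as a group element
    ct = encrypt(m, pub_d, pub_x)
    user_view = decrypt(ct, d + x)    # the user holds both key halves
    escrow_view = decrypt(ct, d)      # the central authority holds only d
    return m, user_view, escrow_view
```

`demo()` returns the plaintext, the user's decryption (equal to the plaintext) and the central authority's attempt with the partial key alone, which is off by the factor g^(x·r) and therefore never equals the plaintext.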

Information Technology for Manufacturing Systems III