tmacs: a robust and veriﬁable threshold multi-authority ... a robust and verifiabl… · tmacs: a...

1045-9219 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TPDS.2015.2448095, IEEE Transactions on Parallel and Distributed Systems

1

TMACS: A Robust and Verifiable Threshold Multi-AuthorityAccess Control System in Public Cloud Storage

Wei Li, Kaiping Xue*, Yingjie Xue, and Jianan Hong

Abstract—Attribute-based Encryption (ABE) is regarded as a promising cryptographic conducting tool to guarantee data owners’direct control over their data in public cloud storage. The earlier ABE schemes involve only one authority to maintain the whole attributeset, which can bring a single-point bottleneck on both security and performance. Subsequently, some multi-authority schemes areproposed, in which multiple authorities separately maintain disjoint attribute subsets. However, the single-point bottleneck problemremains unsolved. In this paper, from another perspective, we conduct a threshold multi-authority CP-ABE access control scheme forpublic cloud storage, named TMACS, in which multiple authorities jointly manage a uniform attribute set. In TMACS, taking advantageof (t, n) threshold secret sharing, the master key can be shared among multiple authorities, and a legal user can generate his/hersecret key by interacting with any t authorities. Security and performance analysis results show that TMACS is not only verifiablesecure when less than t authorities are compromised, but also robust when no less than t authorities are alive in the system.Furthermore, by efficiently combining the traditional multi-authority scheme with TMACS, we construct a hybrid one, which satisfies thescenario of attributes coming from different authorities as well as achieving security and system-level robustness.

Index Terms—CP-ABE, (t, n) threshold secret sharing, multi-authority, public cloud storage, access control

F

1 INTRODUCTION

TO satisfy requirements of data storage and high perfor-mance computation, cloud computing has drawn ex-

tensive attentions from both academic and industry. Cloudstorage is an important service of cloud computing [1],which provides services for data owners to outsource datato store in cloud via Internet.

Despite many advantages of cloud storage, there stillremain various challenging obstacles, among which, priva-cy and security of users’ data have become major issues,especially in public cloud storage [2], [3]. Traditionally, adata owner stores his/her data in trusted servers, whichare generally controlled by a fully trusted administrator.However, in public cloud storage systems, the cloud isusually maintained and managed by a semi-trusted thirdparty (the cloud provider). Data is no longer in data own-er’s trusted domains and the data owner cannot trust onthe cloud server to conduct secure data access control.Therefore, the secure access control problem has become acritical challenging issue in public cloud storage, in whichtraditional security technologies cannot be directly applied.

Attribute-based Encryption (ABE) [4], [5], [6] is regardedas one of the most suitable schemes to conduct data accesscontrol in public clouds for it can guarantee data owners’direct control over their data and provide a fine-grainedaccess control service. Till now, there are many ABE schemesproposed, which can be divided into two categories: Key-Policy Attribute-based Encryption (KP-ABE), such as [7],[8], and Ciphertext-Policy Attribute-based Encryption (CP-ABE), such as [9], [10], [11], [12]. In KP-ABE schemes,

• W. Li, K. Xue(Corresponding author, E-mail: [email protected]), Y.Xue and J. Hong are with the Department of Electrical Engineering andComputer Science, University of Science and Technology of China, Hefei,China, 230027.

decrypt keys are associated with access structures whileciphertexts are only labeled with special attribute sets. Onthe contrary, in CP-ABE schemes, data owners can define anaccess policy for each file based on users’ attributes, whichcan guarantee owners’ more direct control over their data.Therefore, compared with KP-ABE, CP-ABE is a preferredchoice for designing access control for public cloud storage.

In most existing CP-ABE schemes [9], [10], [11], [12],there is only one authority responsible for attribute manage-ment and key distribution. This only-one-authority scenariocan bring a single-point bottleneck on both security and per-formance. Once the authority is compromised, an adversarycan easily obtain the only-one-authority’s master key, thenhe/she can generate private keys of any attribute subsetto decrypt the specific encrypted data. Moreover, once theonly-one-authority is crashed, the system completely cannotwork well. Therefore, these CP-ABE schemes are still farfrom being widely used for access control in public cloudstorage. Although some multi-authority CP-ABE schemes[13], [14], [15] have been proposed, they still cannot dealwith the problem of single-point bottleneck on both securityand performance mentioned above. In these multi-authorityCP-ABE schemes, the whole attribute set is divided intomultiple disjoint subsets and each attribute subset is stillmaintained by only one authority. Although the adversarycannot gain private keys of all attributes if he/she hasn’tcompromised all authorities, compromising one or moreauthorities would make the adversary have more privilegesthan he/she should have. Moreover, the adversary canobtain private keys of specific attributes by compromisingspecific one or more authorities. In addition, the single-pointbottleneck on performance is not yet solved in these multi-authority CP-ABE schemes. Crash or offline of a specificauthority will make that private keys of all attributes inattribute subset maintained by this authority cannot begenerated and distributed, which will still influence the



2

whole system’s effective operation.In this paper, we propose a robust and verifiable thresh-

old multi-authority CP-ABE access control scheme, namedTMACS, to deal with the single-point bottleneck on both se-curity and performance in most existing schemes. In TMAC-S, multiple authorities jointly manage the whole attributeset but no one has full control of any specific attribute. Sincein CP-ABE schemes, there is always a secret key used togenerate attribute private keys, we introduce (t, n) thresholdsecret sharing [16] into our scheme to share the secretkey among authorities. In TMACS, we redefine the secretkey in the traditional CP-ABE schemes as master key. Theintroduction of (t, n) threshold secret sharing guaranteesthat the master key cannot be obtained by any authorityalone. TMACS is not only verifiable secure when less than tauthorities are compromised, but also robust when no lessthan t authorities are alive in the system. To the best of ourknowledge, this paper is the first try to address the single-point bottleneck on both security and performance in CP-ABE access control schemes in public cloud storage.

Main contributions of this work can be summarized asfollows:

• In existing access control systems for public cloudstorage, there brings a single-point bottleneck onboth security and performance against the singleauthority for any specific attribute. To the best ofour knowledge, we are the first to design a multi-authority access control architecture to deal with theproblem.

• By introducing the combining of (t, n) threshold se-cret sharing and multi-authority CP-ABE scheme, wepropose and realize a robust and verifiable multi-authority access control system in public cloud stor-age, in which multiple authorities jointly manage auniform attribute set.

• Furthermore, by efficiently combining the traditionalmulti-authority scheme with ours, we construct ahybrid one, which can satisfy the scenario of at-tributes coming from different authorities as well asachieving security and system-level robustness.

The rest of this paper is organized as follows. In Section2, technical preliminaries are presented. Following the def-initions of system model and security model in Section 3,we give our proposed multi-authority CP-ABE and relativeaccess control scheme for public cloud storage in detail inSection 4. In Section 5, we analyze our proposed scheme interms of security and performance. In Section 6, we brieflyintroduce the construction of a hybrid multi-authority sys-tem. We give some related work about ABE and someexisting multi-authority extension schemes in cloud storagein Section 7. Finally, the conclusion is given in Section 8.

2 PRELIMINARY

In this section, we first give a brief review of backgroundinformation on bilinear maps and the security assumptiondefined on it, then we briefly describe (t, n) threshold secretsharing introduced in TMACS.

2.1 Bilinear MapsLet G, GT be two multiplicative cyclic groups with the sameprime order p and g be a generator of G. A bilinear mape : G × G → GT defined on G has the following threeproperties:◦ Bilinearity: ∀a, b ∈ Zp and g1, g2 ∈ G, we have e(ga1 , g

b2) =

e(g1, g2)ab.

◦ Non-degeneracy: There exists g1, g2 ∈ G such thate(g1, g2) ̸= 1, which means the map does not send allpairs in G×G to the identity in GT.

◦ Computability: There is an efficient algorithm to computee(g1, g2) for all g1, g2 ∈ G.

Definition 1. Decisional q-parallel Bilinear Diffie-HellmanExponent Assumption(decisional q-BDHE): The decisionalq-BDHE problem is that, in a group G of prime order p,give a, s, b1, b2, . . . , bq ∈ Zp, if an adversary is given:

y⃗ = (g, gs, ga, . . . , g(aq), g(a

q+2), . . . , g(a2q)

∀1≤j≤q,gs·bj , ga/bj , . . . , g(a

q/bj), g(aq+2/bj), . . . , g(a

2q/bj)

∀1≤j,l≤q,l ̸=j , ga·s·bl/bj , . . . , ga

q·s·bl/bj ),

it must remain hard to distinguish e(g, g)aq+1s ∈ GT from a

random element R in GT .

An algorithm B that outputs z ∈ {0, 1} has advantage ξin solving decisional q-BDHE in G if

|Pr[B(y⃗, T = e(g, g)aq+1s) = 0]− Pr[B(y⃗, T = R) = 0]| ≥ ξ.

We say that the decisional q-BDHE assumption holdsin G if no polynomial-time algorithm has a non-negligibleadvantage in solving the decisional q-BDHE problem.

2.2 (t, n) Threshold Secret SharingSecret sharing is a technique used to share a secret amonga group of participants, each of whom is allocated partialinformation about the secret, which is named a share of thesecret. The secret can be reconstructed only when a sufficientnumber of partial shares are combined together. Individualshares are of no use on their own. There are several types ofsecret sharing schemes, among which, the most basic typesare the so-called (t, n) threshold schemes. After Shamir hasproposed the first (t, n) threshold secret sharing [17], manymore practical schemes [16], [18], [19] have been proposed.In TMACS, to avoid any entity being the security bottleneck,we adopt the scheme proposed by Pedersen [16], in whichthere is not any trusted third party.

Here, we give a simple description of (t, n) thresholdsecret sharing. Assume that there are n participants in thesystem, denoted as P = {P1, P2, . . . , Pn}. And we sett (t ≤ n) as the threshold value. Define a finite fieldK = GF (q). Each participant’s identification in public canbe denoted as x1, x2, . . . , xn ∈ GF (q), (xi ̸= xj , wheni ̸= j). Firstly, each participant Pi selects a random ele-ment Si ∈ GF (q) as his/her sub-secret, then the mastersecret can be set as S=

∑ni=1 Si, which cannot be known

by any participant. Each participant Pi separately generatesa random polynomial fi(x) of degree t − 1 that satisfiesthe formula fi(0) = Si. Subsequently, for each of the othern − 1 participants Pj (j = 1, 2, . . . , i − 1, i + 1, . . . , n), the



3

participant Pi separately calculates sub-shares: sij = fi(xj),and sends the sub-share sij to Pj securely. Meanwhile, Pi

generates sii = fi(xi) for himself/herself. After receivingmessages from all of the other n − 1 participants, eachparticipant Pi obtains n sub-shares sji, (j = 1, 2, . . . , n).Thus, Pi can calculate his/her own master share as si =∑n

j=1 sji =∑n

j=1 fj(xi). After that the sharing mastersecret S can be reconstructed by any t of the n partici-pants. Assume that there is a function F (x) =

∑nj=1 fj(x).

For each participant’s master share si, i = 1, 2, . . . , n, wecan know that si =

∑nj=1 sji =

∑nj=1 fj(xi) = F (xi).

Therefore, F (x) can be reconstructed using the Lagrangeinterpolating formula by any t participants’ master shares,and the sharing master secret S = F (0) can be calculated.

3 SYSTEM MODEL AND SECURITY MODEL

In this section, we give the definitions of the system modeland the security model in robust multi-authority publiccloud storage systems.

3.1 System Model

In robust multi-authority public cloud storage systems,there exist five entities: a global certificate authority (CA),multiple attribute authorities (AAs), data owners (Owners),data consumers (Users), and the cloud server.◦ The certificate authority (CA) is a global trusted entity

in the system that is responsible for the construction ofthe system by setting up system parameters and attributepublic key of each attribute in the whole attribute set. CAaccepts users and AAs’ registration requests by assigninga unique uid for each legal user and a unique aid foreach AA. CA also decides the parameter t about thethreshold of AAs that are involved in users’ secret keygeneration for each time. However, CA is not involved inAAs’ master key sharing and users’ secret key generation.Therefore, for example, CA can be government organiza-tions or enterprise departments which are responsible forthe registration [20] [21] [22] [23] [24] [25].

◦ The attribute authorities (AAs) focus on the task ofattribute management and key generation. Besides, AAstake part of the responsibility to construct the system, andthey can be the administrators or the managers of theapplication system. Different from other existing multi-authority CP-ABE systems, all AAs jointly manage thewhole attribute set, however, any one of AAs cannotassign users’ secret keys alone for the master key isshared by all AAs. All AAs cooperate with each otherto share the master key. By this means, each AA cangain a piece of master key share as its private key, theneach AA sends its corresponding public key to CA togenerate one of the system public keys. When it comes togenerate users’ secret key, each AA only should generateits corresponding secret key independently. That is to say,no communication among AAs is needed in the phase ofusers’ secret key generation.

◦ The data owner (Owner) encrypts his/her file and definesaccess policy about who can get access to his/her data.First of all, each owner encrypts his/her data with asymmetric encryption algorithm like AES and DES. Then

the owner formulates access policy over an attribute setand encrypts the symmetric key under the policy accord-ing to attribute public keys gained from CA. Here, thesymmetric key is the key used in the former process ofsymmetric encryption. After that, the owner sends thewhole encrypted data and the encrypted symmetric keyto store in the cloud server. However, the owner doesn’trely on the cloud server to conduct data access control.Data stored in the cloud server can be gained by any dataconsumer. Despite all this, no data consumer can gain theplaintext without the attribute set satisfying the accesspolicy.

◦ The data consumer (User) is assigned with a global useridentity uid from CA, and applies for his/her secret keysfrom AAs with his/her identification. The user can freelyget the ciphertexts that he/she is interested in from thecloud server. He/She can decrypt the encrypted data ifand only if his/her attribute set satisfies the access policyhidden inside the encrypted data.

◦ The cloud server does nothing but provide a platformfor owners storing and sharing their encrypted data.The cloud server doesn’t conduct data access control forowners. The encrypted data stored in the cloud server canbe downloaded freely by any data consumer.

3.2 Security Assumption and Security ModelIn this section, we first give the security assumption of eachentity in the robust multi-authority public cloud storagesystems, then we define the corresponding security model.

3.2.1 Security AssumptionIn multi-authority public cloud storage systems, the securityassumption of the five roles is assumed as follows. Thecloud server is always online and managed by the cloudprovider. Usually, the cloud server and its provider is as-sumed “honest-but-curious”. In actually using this model,there exist different assumptions about whether the cloudserver can collude with the malicious users. Thus in orderto eliminate the ambiguous, in this paper, we assume thatthe cloud server can still collude with some malicious usersto gain the content of encrypted data when it is highly ben-eficial. Moreover, if treating this as a relative strong securityassumption, the scheme meeting the security requirementscan also apply to the scenario with a relative weak securityassumption that the cloud server will never collude withmalicious users. CA is assumed to be trusted, but it can alsobe compromised by an adversary, so as to AAs. Although auser can freely get ciphertexts from the cloud server, he/shecan’t decrypt the encrypted data only unless the user’s at-tributes satisfy the access policy hidden inside the encrypteddata. Therefore, some malicious users are assumed to bedishonest and curious, who may collude with other entitiesexcept data owners(even compromising AAs) to obtain theaccess permission beyond their privileges. As a comparison,owners can be fully trusted.

3.2.2 Security ModelHere, we introduce the universal security model in multi-authority public cloud storage systems, which can be divid-ed into two phases. In the first phase, the malicious user



4

(denoted as an adversary in the following) compromisesAAs to gain AAs’ master key. In the second phase, theadversary attempts to decrypt a ciphertext with the secretkeys that can’t satisfy the access policy inside the ciphertext.In this sub-process, the security model is defined similarto Waters’s scheme [10]. In this security model, there isan adversary and a challenger. The adversary can queryfor any attributes keys as long as they can not be applieddirectly to decrypt the ciphertext. The ciphertext is providedby the challenger and encrypted under an access structurewith attribute public keys. The challenger is responsiblefor the secret key generation and hides its details from theadversary. Now the security game is described as follows:the adversary is challenged by the ciphertext encryptedunder the access structure M∗. He/She can query privatekeys of any attribute set S that can’t satisfy M∗. The formalsecurity game is described as follows:◦ Setup. The challenger runs the System Initialization op-

eration in our system to generate system parameters.◦ Secret Key Query Phase I. The adversary makes private

key queries for attribute set S not satisfying the accessstructure M∗ to the challenger.

◦ Challenge. The adversary submits two messages withequal length, M0 and M1, to the challenger. In addition,the challenger gains the access structure M∗ from theadversary. The access structure M∗ cannot be satisfiedby the attribute set S in phase I. The challenger randomlychooses one message marked as Mβ from the two mes-sages submitted by the adversary, then he/she encryptsthe message Mβ under the access structure M∗. Theciphertext is given to the adversary.

◦ Secret Key Query Phase II. The adversary can repeatphase I to ask more private keys of the attribute set Sas long as S doesn’t satisfy the access structure M∗.

◦ Guess. The adversary outputs a guess β′ of β.The advantage of an adversary A in this game is defined

as Pr[β′ = β]− 12 .

Definition 2. Our multi-authority CP-ABE scheme is secureif all polynomial time adversaries have at most a negligibleadvantage in the above game.

4 OUR PROPOSED THRESHOLD MULTI-AUTHORITY CP-ABE DATA ACCESS CONTROLSYSTEM

In this section, we first give an overview of TMACS, in-cluding the scheme structure and the challenging issuesin the design of TMACS. In the following, we detaileddescribe TMACS, which mainly consists of four phases:System Initialization, Secret Key Generation, Encryption,and Decryption.

4.1 Overview of Our Scheme

To address the problem of single-point bottleneck, we in-troduce (t, n) threshold secret sharing, based on redundantmultiple AAs, then propose a threshold multi-authority CP-ABE and the relevant access control scheme TMACS inpublic cloud storage.

In TMACS, the overall framework of the system, de-scribed in Figure 1, is similar to DAC-MACS [20] proposedby Yang et al. The main difference is: In DAC-MACS, thewhole attribute set is divided into multiple disjoint subsetsand each one of the multiple authorities maintains oneattribute subset. By contrast, in TMACS, multiple authoritiesjointly manage the whole attribute set but no one has fullcontrol of any specific attribute. In TMACS, a global certifi-cate authority (CA) is responsible for the construction of thesystem, which avoids the extra overhead caused by AAs’negotiation of system parameters. CA is also responsible forthe registration of users, which avoids AAs synchronizedmaintaining a list of users. However, CA is not involved inAAs’ master key sharing and users’ secret key generation,which avoids CA becoming the security vulnerability andperformance bottleneck.

(1) AA registers to CA to gain (aid, aid.cert);(2) User registers to CA to gain (uid, uid.cert);(3) User gains his/her SK from any t out of n AAs;(4) Owners gain PK from CA;(5) Owners upload (CT) to the cloud server;(6) Users download (CT) from the cloud server.

Fig. 1: Framework and Basic Protocol Flow

The scheme structure of TMACS can also be summarisedin Figure 1. In TMACS, AAs must firstly register to CAto gain the corresponding identity and certificate (aid,aid.cert). Then AAs will be involved in the constructionof the system, assisting CA to finish the establishment ofsystem parameters. CA accepts users’ registration and issuesthe certificate (uid, uid.cert) to each legal user. With thecertificate, the user can contract with any t AAs one byone to gain his/her secret key (SK). Owners who wantshare their data in the cloud can gain the public key (PK)from CA. Then the owner can encrypt his/her data underpredefined access policy and upload the ciphertext (CT) tothe cloud server. User can freely download the ciphertexts(CT) that he/she is interested in from the cloud server.However, he/she can’t decrypt the ciphertext (CT) unlesshis/her attributes satisfy the access policy hidden inside theciphertexts (CT).

One challenging issue in design of TMACS is reusing ofthe master key shared among multiple attribute authorities(AAs). In traditional (t, n) threshold secret sharing, oncethe secret is reconstructed among multiple participants,someone can actually gain its value. Similarly, in CP-ABEschemes, the only-one-authority knows the master key anduses it to generate each user’s secret key according to a



5

specific attribute set. In this case, if the AA is compromisedby an adversary, it will become the security vulnerability. Toavoid this, by means of (t, n) threshold secret sharing, themaster key cannot be individually reconstructed and gainedby any entity in TMACS. In TMACS, the master key α isimplicitly reconstructed by reconstructing gα and e(g, g)α.It is a discrete logarithm problem to calculate the master keyα from gα or e(g, g)α, which means that the master key αis actually secure. By this means, we solve the problem ofreusing of the master key.

How to guarantee the flexibility of the system in user-s’ secret key generation is another challenging issue. Intraditional (t, n) threshold secret sharing, the secret canbe reconstructed unless there are at least t participantscooperating with each other. This means that, if just simplyintroducing traditional (t, n) threshold secret sharing intoour multi-authority CP-ABE design, the user should contactwith t AAs during the secret key generation for each time,and the chosen t AAs also have to contact with each otherto implicitly reconstruct the master key. This will bring toomuch communication overhead, which is not flexible forsystem performing.

To reduce the trivial communication overhead, in T-MACS, rather than the master key, the entire secret key isreconstructed by collecting t secret key shares generated byAAs. Furthermore, the reconstructed process can be doneby the user rather than the specific t AAs. By this means,the user can contact with the t AAs one by one, which issuit for real application scenarios, enhances the flexibility ofthe system, avoids the extra communication overhead andsynchronization issues among AAs.

4.2 Details of Our Data Access Control Scheme4.2.1 System InitializationThe operation of System Initialization is divided into threesub-processes: CASetup1, AASetup, and CASetup2. The oper-ation of CASetup1 is mainly responsible for establishment ofsystem parameters and accepting registration of users andAAs. AAs cooperate with each other to share the master keyin AASetup, while the corresponding public key is generatedby CA in CASetup2.◦ CASetup1: The operation of CASetup1 is run by CA. Firstly,

CA chooses two multiplicative cyclic groups G and GT

with the same prime order p, then defines a binary mape : G × G → GT on G. CA chooses a random a ∈ Zp

as the master key, and then calculates the relevant publickey part ga. Here, the parameter g is a generator of G. CAgenerates a pair of keys (skCA, vkCA) to sign and verify,in which, vkCA is publicly known by each entity in thesystem. CA also generates public keys for each attributeAtti, (i = 1, 2, . . . , U): h1, h2, . . . , hU ∈ G. To distinguisheach user and AA, the following two processes are de-scribed separately:

• User Registration: Each user sends a registrationrequest to CA during the phase of System Initial-ization. CA authenticates the user, then assigns anidentification uid to him/her. The identification uidis a random element in Zp. CA signs a certificateuid.Cert with skCA for the user to verify his/heridentity.

• AA Registration: Each AA also sends a registrationrequest to CA during the System Initialization. Foreach legal authority, CA assigns a unique identityaid ∈ Zp and generates a certificate aid.Cert.

According to the total number (marked as n) of AAsinvolved in the system, CA decides the threshold number(marked as t) of AAs that participate in user’s secret keygeneration for each time.

◦ AASetup: The operation of AASetup is run by each one ofall n AAs. These n AAs cooperate with each other to call(t, n) threshold secret sharing as follows:

• Each AA (AAi, i = 1, 2, . . . , n) selects a randomnumber αi ∈ Zp as its sub-secret, in this way, themaster key α is implicitly decided: α =

∑ni=1 αi.

The value of α shouldn’t be gained by any entityalone. Then each AA (AAi, i = 1, 2, . . . , n) separate-ly generates a random polynomial fi(x) of degreet − 1 that satisfies the formula αi = fi(0). AAi cal-culates the sub-share sij = fi(aidj) for each of theother AA (AAj , j = 1, 2, . . . , i− 1, i+1, . . . , n), andsends the sub-share sij to AAj securely. Meanwhile,AAi calculates sii = fi(aidi) for itself.

• After receiving n−1 sub-shares sji (j = 1, 2, . . . , i−1, i + 1, . . . , n) from all of the other n − 1 AAs(AAj , j = 1, 2, . . . , i − 1, i + 1, . . . , n), AAi calcu-lates its master key share: ski =

∑nj=1 sji, then

AAi futher calculates its relevant public key share:pki = e(g, g)ski .

After finishing the operation of AASetup, each AA (AAi,i = 1,2,. . . ,n) gains a pair of keys (ski, pki). Here, thepublic key share pki can be shared with any other entities,including CA.

◦ CASetup2: The operation of CASetup2 is run by CA. Tocalculate the global public key, CA randomly chooses t outof n AAs’ public key shares, denoted as pki, i = 1,2,. . . ,t.Then CA calculates the global public key as follows:

e(g, g)α = e (g, g)

t∑i=1

(ski

t∏j=1,j ̸=i

aidjaidj−aidi

)

=t∏

i=1

e (g, g)ski

t∏j=1,j ̸=i

aidjaidj−aidi

=t∏

i=1

pki

t∏j=1,j ̸=i

aidjaidj−aidi

.

Now, the operation of System Initialization is finished,and it returns the public key PK :

PK =(g, ga, e(g, g)α, n, t, h1, . . . , hU ).

Meanwhile, MK = (a, α) implicitly exists in the system,which doesn’t need to be obtained by any entity.

4.2.2 EncryptionThe operation of Encryption is implemented by a specificdata owner independently. To improve the system’s perfor-mance, the owner first chooses a random number κ ∈ Zp

as the symmetric key and encrypts the plaintext message Musing κ with the symmetric encryption algorithm, such asAES. The encrypted data can be denoted as Eκ(M), then theowner encrypts the symmetric key κ using CP-ABE underan access policy defined by himself/herself. The owner firstdefines an easy expressed monotone boolean formula. By



6

following the method defined in [26], he/she can turn it toa LSSS access structure, which can be denoted as (M, ρ). Mis a l×k matrix, where l is the scale of a specific attribute setand k is variable that is depend on the monotone booleanformula definition and the LSSS turning method. The func-tion ρ maps each row of M to a specific attribute, marked asρ(i)(∈ {Att1, Att2, . . . , AttU}). A random secret parameters is chosen to encrypt the symmetric key κ. To hide theparameter s, a random vector v⃗ = (s, y2, y3, . . . , yk) ∈ Zn

p isselected, where y2, y3, . . . , yk are randomly chosen and usedto share the perameter s. Each λi = Miv⃗

⊤ is calculated fori = 1, 2, . . . , l, where Mi denotes the ith row of the matrixM. The owner randomly selects r1, r2, . . . , rl ∈ Zp andcalculates the ciphertext CT using the public keys gainedfrom CA:

CT = (C = κe (g, g)αs, C ′ = gs,

∀i = 1 to l, Ci = (ga)λi · hρ(i)

−ri , Di = gri).

Finally, the owner sends the encrypted data Eκ(M)encrypted by the symmetric key κ together with CT to thecloud server as the format in Figure 2.

� �E MN ^ `'

1, , ,i i i to l

C C C D

Description

Fig. 2: Ciphertext Format

4.2.3 Secret Key GenerationThe Secret Key Generation operation is run by one userand any t out of n AAs. Less than t AAs, user’s secret keycannot be generated. In this operation, there is no interactionbetween any two of t AAs, so the user can select t AAsaccording to his/her own preference, and then separatelycontact with each of these t AAs to get the secret key share.After getting t secret key shares separately from t AAs, theuser can generate his/her secret key.

To gain the secret key share from AAi, the user uidj firstsends his/her signed request including his/her identity andhis/her certificate to AAi. After receiving the request, AAi

verifies uidj ’s certificate by using CA’s public verificationkey vkCA, then authenticates the user by verifying his/hersignature over the request. If the user is an illegal one, theoperation aborts. Otherwise, AAi assigns an attribute set Sto the user according to the role he/she plays in the domain1

and generates the secret key share for him/her. AAi firstchooses a random number bi ∈ Zp and then generates thesecret key share as follows:

Ki = gski · ga·bi , Li = gbi , ∀Atti ∈ S : KAtti = hAttibi .

After collecting t secret key shares generated by t differ-ent AAs, the user can generate his/her secret key as follows:

K =t∏

i=1

Ki

t∏j=1,j ̸=i

aidjaidj−aidi

, L =t∏

i=1

Li

t∏j=1,j ̸=i

aidjaidj−aidi

,

∀Att ∈ S : KAtt =t∏

i=1

KAtti

t∏j=1,j ̸=i

aidjaidj−aidi

.

1. The assignment operation should accord the same standard by allAAs , so the assignment result from different AAs are consistent.

Furthermore, the formulas of the user’s secret key can beexpressed as follows:

K =t∏

i=1

(gski · ga·bi

) t∏j=1,j ̸=i

aidjaidj−aidi

=t∏

i=1

(gski

) t∏j=1,j ̸=i

aidjaidj−aidi ·

(ga·bi

) t∏j=1,j ̸=i

aidjaidj−aidi

= g

t∑i=1

(ski·

t∏j=1,j ̸=i

aidjaidj−aidi

)· g

t∑i=1

(a·bi·

t∏j=1,j ̸=i

aidjaidj−aidi

)

= gα · ga·

t∑i=1

(bi·

t∏j=1,j ̸=i

aidjaidj−aidi

),

L = g

t∑i=1

(bi·

t∏j=1,j ̸=i

aidjaidj−aidi

),

∀Att ∈ S : KAtt = hAtt

t∑i=1

(bi·

t∏j=1,j ̸=i

aidjaidj−aidi

).

To simplify the formulas, a parameter d is introduced:

d =t∑

i=1

bi ·t∏

j=1,j ̸=i

aidjaidj − aidi

.

Therefore, the formulas of user’s secret key can be sim-ply denoted as:

K = gα · ga·d, L = gd, ∀Att ∈ S : KAtt = hAttd.

4.2.4 DecryptionThe Decryption operation is run by each user. The user canfreely query and download any encrypted data that he/sheis interested in from the cloud server. However, he/she can’tdecrypted the data unless his/her attribute set satisfies theaccess structure hidden inside the ciphertext. For the userU , let MU be a sub-matrix of M, where each row of MU

corresponds to a specific attribute in U ’s attribute set SU .Let I ⊂ {1, 2, . . . , l} denote {i : ρ(i) ∈ SU}, and Mi denotethe ith row of M.

If the user U ’s attribute set SU satisfies the access struc-ture (M, ρ), the vector e⃗ = (1, 0, . . . , 0) is in the span ofmatrix MU , which means an appropriate parameter {ωi ∈Zp}i∈I can be found to satisfy e⃗ = (ω1, ω2, . . . , ω|I|)MU .

The parameter {ωi}i∈I can further help the user to findthe hidden secret parameter s:

s = (1, 0, . . . , 0) · (s, y2, . . . , yn)⊤

= e⃗ · v⃗⊤ =(ω1, ω2, . . . , ω|I|

)MU · v⃗⊤

=(ω1, ω2, . . . , ω|I|

)· λ⃗I

⊤=∑i∈I

ωi · λi.

Here, λ⃗I denotes the sub-vector of (λ1, λ2, . . . , λl), thenwith the help of parameter {ωi}i∈I , the user computes:

CU =e (C ′,K)∏

i∈I

(e (Ci, L) · e

(Di,Kρ(i)

))ωi

=e(gs, gα · ga·d

)∏i∈I

(e((ga)

λi · hρ(i)−ri , gd

)· e(gri , hρ(i)

d))ωi

=e (g, g)

α·s · e (g, g)a·s·d∏i∈I

e (g, g)d·a·λi·ωi

= e (g, g)αs

.



7

The user can further get the symmetric key κ by dividingout the above value CU from C:

κ = C/CU = C/e (g, g)αs

.

With the computed symmetric key κ, the user can de-crypt the ciphertext to get the final plaintext data M .

5 SECURITY AND PERFORMANCE ANALYSIS OFTMACS5.1 Security Analysis

We analyze the security properties of TMACS according tothe security model defined in Section 3.

5.1.1 Security of Access Policy

To prove the security of access policy in TMACS, we use thefollowing theorem:

Theorem 1. When the decisional q-BDHE assumption holds, noadversary can use a polynomial-time algorithm to selectively breakTMACS with a challenge matrix of size l∗×n∗, where l∗, n∗ ≤ q.

Proof. Suppose we have an adversary A with non-negligibleadvantage ϵ = AdvA in the selective security game definedin Section 3 against our construction. Moreover, supposehe/she chooses a challenge matrix M∗ where each of bothdimensions is at most q. In the security game, the adver-sary A can query any secret keys that can’t be directlyused for decrypting the ciphertext from the challenger. Thechallenger hides details of AAs generating secret key sharesand generates the integral secret key for the adversary A.In this way, the security game can be treated as same as thesingle authority one. We can also build a simulator B, whichplays the decisional q-BDHE problem. The detailed proof isdescribed as follows:

◦ Setup. The simulator B chooses a random number α′ ∈ Zp

and implicitly sets α = α′ + aq+1 by letting e(g, g)α =e(ga, ga

q

)e(g, g)α′. Here, we describe how the simulator

“programs” the group elements h1, . . . , hU . For each x ∈[1, U ], choose a random value zx. Let I∗ denote the set

{i : ∀x ∈ [1, U ], ρ∗(i) = x}.

The simulator programs hx as:

hx = gzx ·∏i∈I∗

ga·M∗i,1/bi · ga

2·M∗i,2/bi . . . ga

n∗·M∗

i,n∗/bi .

Note that if I∗ = ϕ we have hx = gzx .◦ Secret Key Query Phase I. In this phase the simulatorB answers private key queries. Suppose the simulatorB is given a private key query for a attribute set Swhere S does not satisfy M∗. The simulator B firstchooses a random r ∈ Zp, and then finds a vectorω⃗∗ = (ω∗

1 , ω∗2 , . . . , ω

∗n∗) ∈ Zn∗

p , such that ω∗1 = −1 and

for all i ∈ I∗, we have ω⃗∗ · M∗i = 0. By the definition of

a LSSS such a vector ω⃗∗ must exist. Note that if such avector does not exist, the vector (1, 0, 0, . . . , 0) will be inthe span of S. The simulator B implicitly defines d as

d = r + ω∗1 · aq + ω∗

2 · aq−1 + · · ·+ ω∗n∗ · aq−n∗+1.

It performs this by setting

L = gr ·n∗∏i=1

(gaq+1−i

)ω∗i = gd.

We observe that by the definition of d, ga·d contains a termof g−aq+1

, which will cancel out with the unknown termin gα when creating K. The simulator B can compute Kas:

K = gα′· gar ·

n∗∏i=2

(gaq+2−i

)ω∗i .

Now we further calculate Kx, ∀x ∈ S. First, we considerx ∈ S for which there is no i such that ρ∗(i) = x. We cansimply set Kx = Lzx .The more difficult task is to create key components Kx forattributes x ∈ S, where x is used in the access structure.For these keys we must make sure that we can simulate allterms of the form ga

q+1/bi or cancel out them. Fortunately,we have that M∗

i · ω⃗∗ = 0; therefore, all of these termscancel.Furthermore, let I∗ be the set of all i: {i : ρ∗(i) = x,∀x ∈S}. The simulator B creates Kx as follows:

Kx = Lzx ·∏i∈I∗

n∗∏j=1

g(aj/bi)·r ·

n∗∏k=1,k ̸=j

(gaq+1+j−k/bi)ω

∗k

M∗i,j

◦ Challenge. In this phase, we build the challenge cipher-text. The adversary A gives two messages M0,M1 to thesimulator B. The simulator B flips a coin β. It createsC = MβTe(g

s, gα′) and C ′ = gs. The tricky part here

is to simulate the value of Ci (i = 1, 2, . . . , n∗) since itcontains terms that we must cancel out. However, thesimulator B can choose the secret share, such that thesecan be canceled out. Intuitively, the simulator B willchoose random y′2, . . . , y

′n∗ and share the secret using the

vector

v⃗∗ = (s, sa+ y′2, sa2 + y′3, . . . , sa

n−1 + y′n∗) ∈ Zn∗

p .

In addition, it chooses random values r′1, . . . , r′l.

For all i ∈ [1, n∗], we define Ri as the set of all k ̸= i suchthat ρ∗(i) = ρ∗(k). In other words, the set of all otherrow indices that have the same attribute as row i. Thechallenge ciphertext components are then generated as:

Di =g−r′ig−sbi

Ci =hr′iρ∗(i)

n∗∏j=2

(ga)M∗i,j ·y

′j

· (gbi·s)−zρ∗(i)

·

∏k∈Ri

n∗∏j=1

(ga

j ·s·(bi/bk))M∗

k,j

◦ Secret Key Query Phase II. This phase is the same as

Secret Key Query Phase I.◦ Guess. In this phase, the adversary A outputs a guess β′

of β. If β′ = β, the simulator B outputs “0” to guess thatT = e(g, g)a

q+1s; otherwise, it outputs “1” to indicate thatit believes T is a random number in GT . When T is a



8

tuple the simulator B gives a perfect simulation so thatwe have

Pr[B(y⃗, T = e(g, g)a

q+1s)= 0

]=

1

2+AdvA.

When T is a random number in GT , the message Mβ iscompletely hidden from the adversary A and we have

Pr [B(y⃗, T = R) = 0] =1

2.

Therefore, the simulator B can play the decisional q-BDHE game with non-negligible advantage:

Pr[B(y⃗, T = e(g, g)aq+1s) = 0]− Pr[B(y⃗, T = R) = 0] = AdvA.

This is against the definition 1, thus we can say thatthere is not an adversary that can have an non-negligibleadvantage in the selective security game defined in Sec-tion 3. According to the definition 2, we can conclude thatour multi-authority CP-ABE scheme is secure.

5.1.2 Security Against Collusion AttackWhen some malicious users collude with each other, theymay share their secret keys to gain more privilege. However,they will be disappointed for the existence of the random

element d =t∑

i=1

(bi

t∏j=1,j ̸=i

aidj

aidj−aidi

)in the secret key. Due

to the existence of the random element, each componentassociated with the same attribute in different users’ secretkeys is distinguishable. So that they can’t gain more privi-lege by combining their secret keys.

5.1.3 Confidentiality GuaranteeThe cloud server can be seen as an adversary for it is “honestand curious”, but it doesn’t have any advantages comparedwith malicious users. The cloud server doesn’t participate inAAs’ master key sharing or any users’ secret key generation.All it does is only storing the ciphertext which makes nodifference for it to gain the plaintext, even if it colludes withthe malicious users.

5.1.4 Soundness and CompletenessAs defined in Section 3.2, the malicious users (adversary)can compromise AAs to gain more privilege. On one hand,the adversary can compromise AAs to gain the master keyto generate secret key for himself/herself; on the otherhand, he/she can deceive AAs to generate his/her secretkey shares so that he/she can reconstruct his/her secret key.

with regard to the former possible threaten, we introducethe concept of soundness and completeness. In our scheme,the soundness means that the adversary can’t gain any ben-efit if there is only less than t AAs comprised by him/her;the completeness means that as long as there are more thant AAs operation normally, the system can work properly.The soundness and completeness can be guaranteed by (t,n)threshold secret sharing.

In our scheme, we introduce (t, n) threshold secret shar-ing in [16] to share the master key among multiple AAs,which uses Shamir’s (t, n) threshold secret sharing [17] as abuilding block. Shamir’s (t, n) threshold secret sharing holds

the following properties in information-theoretically securedegree: (1) knowledge of any t or more secret pieces makesthe secret easily computable; (2) knowledge of any t − 1or fewer secret pieces leaves the secret completely under-mined (in the sense that all its possible values are equallylikely). Thus, based on the two properties, our scheme canguarantee that (1) any t or more AAs master key shares caneasily reconstruct AAs master key; (2) less than t AAs masterkey shares can’t learn anything about the master key. Inour scheme, users’ secret key can’t be generated unless themaster key can be reconstructed. Thus, our scheme actuallyhave achieved soundness and completeness.

The soundness guarantees that the adversary has tocompromise no less than t AAs to obtain illegal benefits.The ability of our scheme against this attack will be detaileddiscussed in the following subsection. The completenessguarantees that our scheme can be robust against AAs’crash or offline. The detailed analysis will be discussed inSection 5.2.4.

5.1.5 Security Against Compromising AAsHere, we give the security analysis against the attack thatthe adversary compromises AAs. The soundness guaranteesthat the adversary has to compromise more than t AAs toassign secret key shares for him/her. Now let the parameterε denote the probability that an illegal user gains one piecesecret key share from one AA. Then the probability ofTMACS security is:

t−1∑i=0

(i

n

)εi(1− ε)

n−i.

0.00 0.02 0.04 0.06 0.08 0.10 0.12 0.14 0.16 0.18 0.200.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

abili

ty o

f Se

curi

ty

H

t=2 t=3 t=4 t=5

n = 5

0.00 0.02 0.04 0.06 0.08 0.10 0.12 0.14 0.16 0.18 0.200.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

abili

ty o

f Se

curi

ty

H

t=2 t=3 t=4 t=5 t=6

n = 10

0.00 0.02 0.04 0.06 0.08 0.10 0.12 0.14 0.16 0.18 0.200.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

abili

ty o

f Se

curi

ty

H

t=2 t=3 t=4 t=5 t=6 t=7 t=8

n = 15

0.00 0.02 0.04 0.06 0.08 0.10 0.12 0.14 0.16 0.18 0.200.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

t=2 t=3 t=4 t=5 t=6 t=7 t=8 t=9Pr

obab

ility

of

Secu

rity

H

n = 20

Fig. 3: Probability of Security Against AA Compromise

To have an intuitive understanding for the security ofTMACS against this attack, we draw the probability mapin Figure 3, which shows the probability of system securityversus the number of AAs n and the probability ε. From thefigure, we can see that for any number of authorities, we canincrease the value of t to make TMACS secure against theabove attack as a high probability. But we can also noticethat the overlarge value of t will only bring extra overhead



9

rather than increase the security effectively. For example, thesystem can be secure with probability close to 1, when weset the value of t only equal to 5 rather than a larger value ina system with 10 authorities, even the adversary can devicethe authority as a high probability 0.2. We can say, TMACScan be secure against the above attack with an appropriatethreshold value t.

5.2 Performance AnalysisThis section numerically evaluates the performance of T-MACS in terms of storage, communication, and computa-tion overhead. At the same time, we give a detailed analysisabout how we can achieve system robustness to deal withauthority crash or offline.

For a better understanding, we conduct performanceanalysis between TMACS and Waters’s scheme [10]. Bothschemes are based on the same security assumption deci-sional q-BDHE assumption and support the same LSSS ac-cess structure. Besides, TMACS and existing multi-authorityCP-ABE schemes are based on different system models, sothat there is no comparable between them. Thus we chooseWaters’s scheme to conduct the performance analysis.

To conduct performance analysis, we have the followingdefinitions: Let |p| be the size of element in the groups withprime order p. Let n be the number of AAs and t be thethreshold value. Let U be the total number of attributes. LetNu be the number of users in the system and No be thenumber of owners. Let Nuid denote the average number ofattributes owned by user uid.

5.2.1 Storage OverheadStorage overhead on CA, each AA, user, and owner ofWaters’s scheme and TMACS is shown in TABLE 1.

TABLE 1: Storage Overhead

Entity TMACS Waters’s SchemeCA (2U + 2Nu + n+ 10)|p| 0AA (6 + 2U)|p| (each AA) (2U + 2Nu + 9)|p|

Owner (2U + 4)|p| (2U + 4)|p|User (5 + 2Nuid)|p| (4 + 2Nuid)|p|

In Waters’s scheme, there is not CA. But the authority(AA) in their scheme bears the same responsibility as CA inTMACS. Comparing the storage overhead on CA in TMACSwith that on AA in Waters’s scheme, there is no muchdifference except n AAs’ aid stored on CA in TMACS. Torelieve communication pressure on CA, the public keys arebacked up in AAs and owners. The main storage overheadon each AA in TMACS is the backup of the public keys. Onowners and users, there is no much difference about stor-age overhead between TMACS and Waters’s scheme. Theanalysis above shows that no additional storage overhead isintroduced in TMACS but the backup of attributes on AAsand the n aid on CA.

5.2.2 Communication OverheadTABLE 2 shows comparison result about communicationoverhead on CA, each AA, owner, and user of TMACS andWaters’s scheme. It’s clear that the communication overheadof TMACS is larger than Waters’s scheme, which can be

anticipated for the introduction of AAs. However, mostcommunication overhead is only needed in the process ofconstruction of the system. After the system is constructed,the main communication overhead is only users’ secretkey generation. We can see that, compared with Waters’sscheme, there is no much communication overhead additionon each entity except user in TMACS. But the additioncommunication overhead on user cannot be avoid for theintroduction of the multiple authorities, which is no differ-ent between TMACS and existing multi-authority schemes.

5.2.3 Computation Overhead

Here, we give a simple analysis about the additional compu-tation overhead introduced by the n AAs. The introductionof the n AAs mainly increases users’ computation overheadduring the process of users’ secret key generation, whilethere is no difference about the computation overhead onencryption and decryption compared with Waters’s scheme.Users must calculate the integral secret key from the t secretkey shares generated by AAs, which makes it inevitable forthe increase of the computation overhead.

5.2.4 Robustness

As we have defined in Section 5.1.4, the completeness guar-antee that our scheme can work properly with no less thant AAs. That means, the crash or offline of no more than n− tAAs doesn’t do harm to the normal operation of the system.In the following, we analyze the robustness of TMACS fromthe point of probability.

Let η denote the probability of a single AA crash oroffline. The probability of system normal operation is 1-η in the single authority scheme. In TMACS, the systemcan operate normally as long as there are t AAs in goodcondition. So the probability of system normal operation inTMACS is:

1−t−1∑i=0

(i

n

)(1− η)iηn−i.

3 4 5 6 7 8 9 10 11 12 13 14 150.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

abili

ty o

f R

obus

tnes

s

n

K=0.1 K=0.2 K=0.3 K=0.4 K=0.5

t = 3

5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 200.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

abili

ty o

f R

obus

tnes

s

n

K=0.1 K=0.2 K=0.3 K=0.4 K=0.5

t = 5

10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 400.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

alili

ty o

f R

obus

tnes

s

n

K=0.1 K=0.2 K=0.3 K=0.4 K=0.5

t = 10

16 18 20 22 24 26 28 30 32 34 36 38 40 420.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

Prob

abili

ty o

f R

obus

tnes

s

n

K=0.1 K=0.2 K=0.3 K=0.4 K=0.5

t = 15

Fig. 4: Probability of Robustness Against AA Crash or Of-fline



10

TABLE 2: Communication Overhead

Process Setup Key GenerationEntity CA AA Owner User AA User

TMACS (10n+ 4Nu + 2UNo + 4No + 2nU)|p| (2n+ 2U + 8)|p| (each AA) (2U + 4)|p| 4|p| (4 + 2Nuid)|p| (each AA) (2Nuid + 4)t|p|Waters’s scheme 0 (2Nu + 2UNo + 4No)|p| (2U + 4)|p| 2|p| (4 + 2Nuid)|p| (2Nuid + 4)|p|

In Figure 4, we draw the probability map versus thenumber of AAs n and the threshold value t. From the figure,we can see that TMACS can be robust against authoritiescrashing or offline because of existence of redundant au-thorities. For example, even if the authority is crashed oroffline as a probability of 50%, we can still set an appropriateproportion, like t = 10, n = 30, to make TMACS workproperly. By the way, a lager n, like 40, has no use for systemrobustness, but only increases system overhead.

Combing the security analysis against compromisingAAs with the performance analysis, we can find that thechoice of t is a trade-off between security and robustness.But from the analysis, we can be sure that the appropriatevalue of (t, n) can still be found easily. For example, we canset the whole number of authorities as 15 and the valueof t as 5. In this way, even the adversary can compromiseauthorities as a probability of 0.2, and the authorities may becrashed or offline as a high probability of 50%, the systemcan still achieve both security and robustness as a highprobability.

Restriction. From the performance analysis, while en-hancing robustness and security, the introduced redundancyamong AAs will increase the overhead of computing, com-munication and storage. Thus, the efficiency seems as themain restriction of our scheme. However, compared withthe benefit gained from the aspect of secrecy and robustness,the extra overhead is not very high, which is worthy and canbe ignored.

6 THE ENHANCED SCHEME

Usually two different multi-authority scenarios both existin the real complex environment, where attributes comefrom different authority-sets and multiple authorities in anauthority-set jointly maintain a subset of the whole attributeset. To satisfy this hybrid scenario, we conduct a hybridmulti-authority access control scheme, by combining thetraditional multi-authority scheme [14] with our proposedTMACS. In the enhanced scheme, the whole attribute set isdivided into disjoint subsets to be maintained by differentauthority-sets. Each attribute subset is managed by n AAsin the same authority-set jointly. The attribute managementmodel is shown in Figure 5. This model has both advan-tages: On one hand, it satisfies the scenario of attributes fromdifferent AAs; on the other hand, it can achieve security andsystem-level robustness.

We first assume the threshold and the total numberof AAs are equal in different authority-sets, which is notnecessary just because of easy description. Now, we givea brief introduction of our enhanced scheme to meet thismodel.◦ Global Setup: The global public parameters are published

publicly, which include a bilinear group G of prime orderp, a generator g of G, and a function H mapping user’sglobal identity uid to one element of G.

6

6� 6� 6P�� 6P��

$�� $�� $�Q $P� ��$P� $PQ��

Fig. 5: Attribute Management Model

◦ Authority Setup: For each attribute i maintained by theauthority-set AAj , the authorities in the authority-set AAj

cooperate with each other to call (t, n) threshold secretsharing to generate the attribute private key (αi, yi).After that, each AA (AAjk) keeps a private key share(skαi,jk, skyi,jk) as its secret key. Then these AAs cooper-ate with each other to calculate the public key of attributei: (e(g, g)αi , gyi).

◦ KeyGen: To create a key to the user with uid for attribute imaintained by the authority-set AAj , the authority AAjk

computes:

Ki,uid,jk = gskαi,jkH (uid)skyi,jk .

The user uid gains t secret key shares for attribute i fromany t authorities in authority-set AAj , then he/she cangenerate the secret key through Lagrange interpolatingformula:

Ki,uid = gαiH (uid)yi .

◦ Encrypt: The access structure is similar to the descriptionin Section 4. Besides, we choose a random vector c⃗ ∈ Zl

p

with 0 as its first entry. Let cx denote Mx·c⃗. The ciphertextis computed as:

C0 = M · e (g, g)s , C1,x = e (g, g)λx · e (g, g)αρ(x)rx ,

C2,x = grx , C3,x = gyρ(x)rxgcx ∀x.

◦ Decrypt: For each row of MU defined in Section 4, denot-ed as x, the user computes:

C1,x · e (H(uid), C3,x)/e(Kρ(x),uid, C2,x

)=

e(g, g)λx · e(H(uid), g)cx .

The user then chooses constants ωx ∈ Zp such that∑xωx · Mx = (1, 0, . . . , 0) and computes:

∏x

(e(g, g)λxe (H(uid), g)

cx)ωx

= e(g, g)s.

The message can be obtained as: M = C0/e(g, g)s.

7 RELATED WORK

How to provide a fine-grained access control is a critial chal-lenging issue in public cloud storage system [2], [3], whilethe access control can be easily and efficiently achieved



11

in private cloud [2], [27]. For ABE is one of the mostsuitable schemes, Yu et al. [28] have introduced KP-ABE[7] into public cloud storage to conduct fine-grained dataaccess control. After that, more data access control schemesbased on single-authority ABE, such as [24], [29], [30],have been proposed. However, in real complex scenario, itseems impossible to find only-one-authority to manage allattributes, a user usually holds attributes issued by multipleauthorities. How to make ABE satisfy the scenario whereattributes come from multiple authorities has been proposedas an open problem by Sahai and Waters in [4]. Based on thebasic ABE [4] scheme, Chase has proposed the first multi-authority ABE scheme [13], in which a global certificationauthority (CA) is introduced. However, in this scheme, CAmay become security vulnerability and performance bottle-neck of the system. Besides, the access structure is not flexi-ble enough to satisfy complex environments. Subsequently,much effort has been made to deal with the disadvantagesin the early schemes. Among them, some multi-authorityABE schemes without CA have been proposed, such as [14],[15], [31]. In [32], Li et al. have conducted a multi-authorityKP-ABE data access control scheme for securing personalhealth records in public cloud storage.

Since the first construction of CP-ABE [9], many works[33], [34], [35], [36], have been proposed for more expressive,flexible and practical versions of this technique. Based onCP-ABE, Lewko and Waters [14] have proposed a none-CAmulti-authority scheme, in which there is no global coordi-nation other than the creation of an initial set of commonreference parameters. Subsequently, some more practicalmulti-authority CP-ABE schemes for data access control inpublic cloud storage have been successively proposed, suchas [20], [21], [22], [23], [25]. In Yang et al.’s scheme [20],[22], [23], there is still a global CA, which is only responsiblefor the construction initialization of the system rather thangenerating users’ secret keys, so it can avoid CA becominga security vulnerability of the system. To get rid of CA, Rujat al. [21] have introduced Lewko and Waters’s scheme [14]to conduct a distributed access control in public clouds.

In these multi-authority access control schemes, the w-hole attribute set is divided into multiple disjoint subsetsand maintained by multiple authorities, but each attributesubset is still maintained by only one authority, whichmakes the problem of single-point bottleneck on both secu-rity and performance still exist in the system. As far as weknow, in existing single-authority and multi-authority ABEschemes, no one has paid special attention to this problem.Although Jung et al. [25] have noted that the compromisedauthorities may harm the security of the system, since theyare able to issue valid attribute keys for which they are incharge of, they have not proposed an appropriate solution.Instead, they rely on the assumption that the probability ofcompromising an authority is very low.

8 CONCLUSION

In this paper, we propose a new threshold multi-authorityCP-ABE access control scheme, named TMACS, in publiccloud storage, in which all AAs jointly manage the wholeattribute set and share the master key α. Taking advantageof (t, n) threshold secret sharing, by interacting with any

t AAs, a legal user can generate his/her secret key. Thus,TMACS avoids any one AA being a single-point bottleneckon both security and performance. The analysis results showthat our access control scheme is robust and secure. We caneasily find appropriate values of (t, n) to make TMACS notonly secure when less than t authorities are compromised,but also robust when no less than t authorities are alive inthe system. Furthermore, based on efficiently combining thetraditional multi-authority scheme with TMACS, we alsoconstruct a hybrid scheme that is more suitable for the realscenario, in which attributes come from different authority-sets and multiple authorities in an authority-set jointlymaintain a subset of the whole attribute set. This enhancedscheme addresses not only attributes coming from differentauthorities but also security and system-level robustness.How to reasonably select the values of (t, n) in theory anddesign optimized interaction protocols will be addressed inour future work.

ACKNOWLEDGMENT

The authors sincerely thank the anonymous referees fortheir invaluable suggestions that have led to the presentimproved version of the original manuscript. This work issupported by the National Natural Science Foundation ofChina under Grant No. 61379129 and No. 61170231.

REFERENCES

[1] P. Mell and T. Grance, “The NIST definition of cloud computing,”National Institute of Standards and Technology, vol. 53, no. 6, p. 50,2009.

[2] S. Kamara and K. Lauter, “Cryptographic cloud storage,” inProceedings of the 14th Financial Cryptography and Data Security.Springer, 2010, pp. 136–149.

[3] K. Ren, C. Wang, and Q. Wang, “Security challenges for the publiccloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, 2012.

[4] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” inProceedings of the 24th Annual International Conference on the Theoryand Applications of Cryptographic Techniques. Springer, 2005, pp.457–473.

[5] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryptionwith non-monotonic access structures,” in Proceedings of the 14thACM conference on Computer and communications security. ACM,2014, pp. 195–203.

[6] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters,“Fully secure functional encryption: Attribute-based encryptionand (hierarchical) inner product encryption,” in Proceedings of the29th Annual International Conference on the Theory and Applicationsof Cryptographic Techniques. Springer, 2010, pp. 62–91.

[7] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-basedencryption for fine-grained access control of encrypted data,” inProceedings of the 13th ACM conference on Computer and communica-tions security. ACM, 2006, pp. 89–98.

[8] N. Attrapadung, B. Libert, and E. Panafieu, “Expressive key-policy attribute-based encryption with constant-size ciphertexts,”in Proceedings of the 14th International Conference on Practice andTheory in Public Key Cryptography. Springer, 2011, pp. 90–108.

[9] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policyattribute-based encryption,” in Proceedings of IEEE Symposium onSecurity and Privacy. IEEE, 2007, pp. 321–334.

[10] B. Waters, “Ciphertext-policy attribute-based encryption: An ex-pressive, efficient, and provably secure realization,” in Proceedingsof the 14th International Conference on Practice and Theory in PublicKey Cryptography. Springer, 2011, pp. 53–70.

[11] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded cipher-text policy attribute based encryption,” in Proceedings of the 35thInternational Colloquium on Automata, Languages and Programming.Springer, 2008, pp. 579–591.



12

[12] R. Bobba, H. Khurana, and M. Prabhakaran, “Attribute-sets:A practically motivated enhancement to attribute-based encryp-tion,” in Proceedings of the 14th European Symposium on Research inComputer Security. Springer, 2009, pp. 587–604.

[13] M. Chase, “Multi-authority attribute based encryption,” in Pro-ceedings of the 4th Theory of Cryptography Conference. Springer,2007, pp. 515–534.

[14] A. Lewko and B. Waters, “Decentralizing attribute-based encryp-tion,” in Proceedings of 30th Annual International Conference on theTheory and Applications of Cryptographic Techniques. Springer, 2011,pp. 568–588.

[15] H. Lin, Z. Cao, X. Liang, and J. Shao, “Secure threshold multi-authority attribute based encryption without a central authority,”Information Sciences, vol. 180, no. 13, pp. 2618–2632, 2010.

[16] T. Pedersen, “A threshold cryptosystem without a trusted party,”in Proceedings of the 10th Annual International Conference on theTheory and Applications of Cryptographic Techniques. Springer, 1991,pp. 522–526.

[17] A. Shamir, “How to share a secret,” Communications of the ACM,vol. 22, no. 11, pp. 612–613, 1979.

[18] M. Ito, A. Saito, and T. Nishizeki, “Secret sharing scheme realizinggeneral access structure,” Electronics and Communications in Japan(Part III: Fundamental Electronic Science), vol. 72, no. 9, pp. 56–64,1989.

[19] P. Feldman, “A practical scheme for non-interactive verifiablesecret sharing,” in Proceedings of the 28th Annual Symposium onFoundations of Computer Science. IEEE, 1987, pp. 427–438.

[20] K. Yang, X. Jia, and K. Ren, “DAC-MACS: Effective data accesscontrol for multi-authority cloud storage systems,” in Proceedingsof the 32nd IEEE International Conference on Computer Communica-tions. IEEE, 2013, pp. 2895–2903.

[21] S. Ruj, A. Nayak, and I. Stojmenovic, “Dacc: Distributed accesscontrol in clouds,” in Proceedings of the 10th IEEE InternationalConference on Trust, Security and Privacy in Computing and Com-munications. IEEE, 2011, pp. 91–98.

[22] K. Yang and X. Jia, “Expressive, efficient and revocable data accesscontrol for multi-authority cloud storage,” IEEE Transactions onParallel and Distributed Systems, vol. 25, no. 7, pp. 1735–1744, 2013.

[23] ——, “Attributed-based access control for multi-authority systemsin cloud storage,” in Proceedings of IEEE 32nd International Confer-ence on Distributed Computing Systems. IEEE, 2012, pp. 536–545.

[24] M. Barua, X. Liang, R. Lu, and X. Shen, “Espac: Enabling securityand patient-centric access control for ehealth in cloud computing,”International Journal of Security and Networks, vol. 6, no. 2, pp. 67–76,2011.

[25] T. Jung, X. Li, Z. Wan, and M. Wan, “Privacy preserving clouddata access with multi-authorities,” in Proceedings of The 32nd IEEEInternational Conference on Computer Communications. IEEE, 2013,pp. 2625–2633.

[26] Z. Liu and Z. Cao, “On efficiently transferring the linear secret-sharing scheme matrix in ciphertext-policy attribute-based en-cryption,” IACR Cryptology ePrint Archive, vol. 2010, p. 374, 2010.

[27] S. Patil, P. Vhatkar, and J. Gajwani, “Towards secure and depend-able storage services in cloud computing,” International Journal ofInnovative Research in Advanced Engineering, vol. 1, no. 9, pp. 57–64,2014.

[28] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable,and fine-grained data access control in cloud computing,” inProceedings of the 29th IEEE International Conference on ComputerCommunications. IEEE, 2010, pp. 1–9.

[29] S. Zarandioon, D. Yao, and V. Ganapathy, “K2c: Cryptographiccloud storage with lazy revocation and anonymous access,” inProceedings of the 8th International ICST Conference on Security andPrivacy in Communication Networks. Springer, 2012, pp. 59–76.

[30] J. Li, X. Huang, J. Li, X. Chen, and Y. Xiang, “Securely outsourcingattribute-based encryption with checkability,” IEEE Transactions onParallel and Distributed Systems, vol. 25, no. 8, pp. 2201–2210, 2014.

[31] M. Chase and S. Chow, “Improving privacy and security in multi-authority attribute-based encryption,” in Proceedings of the 16thACM conference on Computer and communications security. ACM,2009, pp. 121–130.

[32] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable andsecure sharing of personal health records in cloud computingusing attribute-based encryption,” IEEE Transactions on Parallel andDistributed Systems, vol. 24, no. 1, pp. 131–143, 2013.

[33] L. Cheung and C. Newport, “Provably secure ciphertext policyabe,” in Proceedings of the 14th ACM conference on Computer andcommunications security. ACM, 2007, pp. 456–465.

[34] Y. Wu, Z. Wei, and H. Deng, “Attribute-based access to scalablemedia in cloud-assisted content sharing,” IEEE Transactions onMultimedia, vol. 15, no. 4, pp. 778–788, 2013.

[35] J. Hur, “Improving security and efficiency in attribute-based datasharing,” IEEE Transactions on Knowledge and Data Engineering,vol. 25, no. 10, pp. 2271–2282, 2013.

[36] Z. Wan, J. Liu, and R. Deng, “Hasbe: a hierarchical attribute-based solution for flexible and scalable access control in cloudcomputing,” IEEE Transactions on Information Forensics and Security,vol. 7, no. 2, pp. 743–754, 2012.

Wei Li received the B.S. degree from the Depart-ment of Information Security, University of Sci-ence and Technology of China(USTC), in 2014.He is currently a graduated student in Communi-cation and Information System from the Depart-ment of Electronic Engineering and InformationScience(EEIS), USTC. His research interests in-clude network security protocol design and anal-ysis.

Kaiping Xue received the B.S. degree from theDepartment of Information Security, in 2003 andreceived a Ph.D. degree from the Department ofElectronic Engineering and Information Science(EEIS), University of Science and Technology ofChina(USTC), in 2007. Currently, he is an Asso-ciate Professor in the Department of InformationSecurity and Department of EEIS, USTC. Hisresearch interests include next-generation Inter-net, distributed networks and network security.

Yingjie Xue will receive her B. S. degree fromthe department of Information Security, Univer-sity of Science and Technology of China (USTC)in July, 2015. She will be a graduated studentin Communication and Information System fromthe Department of Electronic Engineering andInformation Science(EEIS), USTC. Her researchinterests include Network security and Cryptog-raphy.

Jianan Hong received the B.S. degree from thedepartment of Information Security, University ofScience and Technology of China (USTC), in2012. He is currently working toward the Ph.D.degree in Information Security from the Depart-ment of Electronic Engineering and InformationScience(EEIS), USTC. His research interests in-clude secure cloud computing and mobile net-work security.

tmacs: a robust and veriﬁable threshold multi-authority ... a robust and verifiabl… · tmacs: a...

Documents