An efficient and traceable KPABS scheme with untrusted attribute authority in cloud computing
 Hanshu Hong^{1} and
 Zhixin Sun^{1}Email author
DOI: 10.1186/s1367701600521
© Hong and Sun. 2016
Received: 17 November 2015
Accepted: 6 March 2016
Published: 12 March 2016
Abstract
ABE has been widely applied for secure data protection in cloud computing. In ABE, user’s private keys are generated by attribute authority, thus, attribute authority has the ultimate privileges in the system and can impersonate any users to forge valid signatures. Once the attribute authority become dishonest or be invaded in cloud systems, the system’s security will be at risk. To better solve the problem mentioned above, in this paper, we propose a keypolicy attribute based signature scheme with untrusted authority and traceability (KPABSUT). In our scheme, the signer’s private key is composed by two components: one part is distributed by attribute authority and the other part is chosen privately by the signer’s self. Thus attribute authority cannot forge any signatures which should be signed by legal users. Besides, our scheme introduces an entity “tracer”, which can trace the identity of signer when necessary. By security analysis and efficiency comparison, we prove our KPABSUT scheme meets the requirements of unforgeability as well as lower computation cost.
Keywords
Access structure Untrusted authority TraceabilityIntroduction
After the proposal of ABE, ABS (attribute based signature) has been developed as a primitive to solve the data authentication problem in attribute based cryptosystem. ABS was originally proposed by Maji et al. in [5]. In ABS mechanism [6–9], a user is capable of signing a message using the private key component of the attribute set he owns. A receiver validates the signature by utilizing system public parameters. The signature can be verified to an attribute set or access structure which the signer possesses. Since the advent of the notion, many ABS schemes have been proposed. However, most of the existing ABS schemes have one thing in common, that is the attribute authority has the ultimate privileges in the whole system. In order to keep the whole system running safely, attribute authority must be honest and highly protected. In the open network systems, attribute authority are vulnerable to external as well as internal threat. Once being invaded, it can impersonate any users to forge legal signatures, which will threaten the whole security of the system. What’s more, anonymity is an important feature of common attribute based signature mechanism. However, some malicious users may take advantage of this feature to release illegal information without taking responsibility.
To better solve the problems discussed above, in this paper, we construct a KPABSUT (keypolicy attribute based signature with untrusted authority and traceability) scheme, which has the following merits: (1) the signature is unforgeable, even attribute authority cannot impersonate any users to forge legal signatures; (2) the overall computation cost of the whole process of signing and verifying is reduced sharply; (3) the signer’s identity can be traced by the system administer if necessary.
The rest sections are arranged as follows:
In section 2, we give the literature review and fundamental mathematical preliminaries and notions. The security model and detailed algorithms of our KPABSUT scheme are constructed in section 3 and section 4. Section 5 gives the security proof and performance comparison of our scheme. At last, the conclusion of this paper and prospects on future directions are made in section 6.
Related works and preliminaries
Related works
The notion of ABS was first proposed by Maji in [5]. Since then, many ABS schemes have been proposed by researchers worldwide. Existing literatures of ABS can be classified to three types in terms of the data access structure :(1)ABS using threshold structure [10–12]; (2) ABS using LSSS access structure [13–15];(3) ABS using access tree [16], which has been illustrated in Fig. 1. Besides access structure, different ABS schemes have different advantages and performances. A. Escala et al. in [13] proposed a userrevocable attribute based signature. If a user drops some of the attributes, his signing privilege can be exactly withdrawn. Their scheme also achieves adaptively security in the standard model. S. Shahandashti et al. in [10] construct a threshold ABS and applied it to credential systems. Their scheme enables a signature holder to prove possession of signatures by revealing only the relevant attributes of the signer, hence providing signer attribute privacy for the signature holder. S. Kumar et.al in [11] proposed an ABS which is equipped with multiple threshold access structure. Their scheme is efficient as well as stretchable. Tatsuaki et al. in [16] proposed a decentralized multiauthority ABS. In their scheme, due to the introducing of multiple authorities, thus no central CA is needed. However, this also brings about other problems such as parameter synchronization, time synchronization, etc. Besides, the efficiency of their scheme can be further improved. S.L Ding et al. proposed a traceable ABS in [14], which allows PKG and the issuing authority join together to trace the identity of a malicious signer. However, since the trace algorithm needs frequent participation of PKG, it may be exposed to more internal and external security risks. Li et al. in [15] proposed a novel ABS with hidden attribute property. In their scheme, anonymous user revocation is achieved. Liu et al. in [17] proposed an attribute based multisignature scheme, which allows a number of users to participate to authenticate a message with only one signature. Their scheme is shown to be secure and is more appropriate to be applied for wireless communications. Chen et al. in [9] proposed a new paradigm named “Outsourced ABS”. The computation load in their scheme is reduced sharply by delegating most of the computation work to a semitrusted server, thus this will relieve the terminal devices from heavy computation burden. The high efficiency and security level makes their scheme an excellent method for providing data authentication in cloud computing. Xu et al. in [18] propose an ABS scheme with dynamic user revocation. Their scheme has superior performance with regard to scalability, which is able to be applied to massive data storage environments.
The above schemes have laid solid foundations for filling the gap between theoretical proposal and practical application of ABS. However, in the above schemes, the attribute authority has the ultimate privilege in the system. Even worse, it can forge as any legal users and generates a valid signature. Once the attribute authority become dishonest, the system will be exposed to potential risks. Although ABS with multiple attribute authorities has been proposed in [16], if these attribute authorities collude with each other to obtain a user’s private key, a legal signature can still be successfully forged. Thus, it is of significance to cut down the privilege of the attribute authority in ABS systems.
Bilinear pairings

Bilinearity: For a, b ∈ Z _{ q }, ê(g ^{ a }, g ^{ b }) = ê(g, g)^{ ab }.

Nondegeneracy: There exists P, Q ∈ G _{1} which satisfy ê(g, g) ≠ 1.

Computability: The value of ê(u, v) can be calculated for any u, v ∈ G _{1}.
Hardness assumption
Decision Bilinear DiffieHellman problem:
Picks random numbers \( a,b,c,z\in {Z}_q^{*} \) , assuming that the value of (g, g ^{ a }, g ^{ b }, g ^{ c }, z) are given, no probabilistic polynomialtime algorithm can distinguish the tuples (A = g ^{ a }, B = g ^{ b }, C = g ^{ c }, ê(g, g)^{ abc }) and (A = g ^{ a }, B = g ^{ b }, C = g ^{ c }, ê(g, g)^{ z }) with a nonnegligible probability.
Lagrange Interpolation function
For a polynomial p(x) in Z _{ q } of order d − 1 and a set S in Z _{ q } with the size S = d is computed by \( p(x) = {\displaystyle {\sum}_{i\in S}p(i){\prod}_{j\in S,j\ne i}\frac{xj}{ij}} \).
Our model and assumptions
Formal model of our scheme
Notations and their corresponding meanings
Notations  Meanings 

G _{1}, G _{2}  Groups 
ê  Bilinear paring operation 
H _{1}  Hash function 
PK  System public parameters 
MK  System master key 
AA  Attribute authority 
U  Global attribute set 
A _{ i }  Attribute i 
D _{ i }  Private key of attribute i 
M  Plaintext 
T _{ i }  Access structure 
x  Node in the access tree 
Δ _{ i,S(x)}  Lagrange interpolation function 
q _{ x }  Polynomial defined by AA 
p _{ x }  Polynomial defined by signer 
v  Signature to be verified 
id _{ l }  Identity of user l 

Setup{1^{ λ }} → {PK, MK}:This algorithm is operated by AA. Take in a security parameter, it generates PK and MK. PK is shared by users while MK is kept private by AA.

\( Private\ key\ generation\left\{PK,MK,{T}_k,s\right\}\mathit{\to}\left\{{D}_{i,{T}_k,i{d}_l}\right\} \): The private key generation algorithm is an interaction between AA and a user with an access structure T _{ k }. On input PK, MK, T _{ k }, AA firstly returns \( {D}_{i,{T}_k} \) to be the initial attribute private key for T _{ k }. Then each signer embeds a secret component into \( {D}_{i,{T}_k} \) to regenerate his own private key \( {D}_{i,{T}_k,i{d}_l} \).Signer sends certain information referring to the secret component to tracer. Tracer assigns a unique identity number to the signer and stores the relationship of each signer with his identity.

\( Sign\left\{{D}_{i,{T}_k,i{d}_l},PK,M,{\sigma}_{i{d}_l}\right\}\mathit{\to}\left\{v\right\} \): This algorithm is run by a signer which the systems public parameter PK, a plaintext M, signer’s private key \( {D}_{i,{T}_k,i{d}_l} \) and a mathematical constant \( {\sigma}_{i{d}_l} \) which can reveal signer’s identity as input. Then the algorithm outputs a signature v for the plaintext M.

Verify{PK, v, M} → {θ}: This algorithm is run by the receiver. On input PK and the plaintext M with the signature, it outputs a value θ. If θ = 1 then the signature is a valid one, if θ = 0 then the signature is invalid.

Trace{MK, v} → {id _{ l }}: This algorithm is run by the tracer. On input the signature v,the tracer can pinpoint the exact identity of a signer.
The essential unforgeability of our KPABSUT
Definition 1
Our KPABSUT has the existential unforgeability if no Adversary has nonnegligible advantage in the following game played by a Challenger and an Adversary.
Setup : Challenger runs Setup procedure to obtain the system parameters and sends PK to Adversary.
Sign queries : Adversary chooses an access control structure T _{ i },a plaintext M. Challenger calculates the attribute private key \( {D}_{i,{T}_k,i{d}_l} \) and runs the Sign procedure to calculate the signature \( v= Sign\left(PK,M,{D}_{i,{T}_k,i{d}_l}\right) \).After then, Challenger sends the signature v to Adversary.
Challenge : Adversary chooses a plaintext M*,a challenging access structure T _{ c } , and calculates the signature v*.
Challenger verifies the signature by running the procedure Verify(PK, v*) and outputs a value θ.
Adversary wins if the output of Verify algorithm is valid.
Denote Adv(A) = Pr[θ = 1] to be advantage of Adversary.
Our construction to KPABSUT scheme
Concrete algorithms:
Setup: Let G _{1} and G _{2} be two cyclic groups of prime order p, while g is the generator of G _{1}. Let ê : G _{1} × G _{1} → G _{2} be a bilinear paring. Define H _{1} : {0, 1}* → Z _{ p }.AA picks \( {t}_i\in {Z}_p^{*} \) for each A _{ i } in the system. Besides, AA picks another secret number \( y\in {Z}_p^{*} \) and calculates ê(g, g)^{ y }.Set MK to be {t _{ i }, y} while PK to be \( \left\{{G}_1,{G}_2, p,g,{H}_1,\widehat{e}{\left(g,g\right)}^y,{g}^{t_i}\right\} \).
Private key generation: AA randomly chooses a polynomial q _{ x } for each node x in the access tree and sets the degree d _{ x } of q _{ x } to be one less than the threshold value k _{ x } of that node (d _{ x } = k _{ x } − 1). For any other node (except root node) in the access tree, let q _{ x }(0) = q _{ parent(x)} ^{ index(x)}. For the root node AA sets q _{ root }(0) = y. To avoid the signature forgery which can be made by AA, the signer also chooses a polynomial p _{ x } likewise and picks a secret number s. For the root node AA sets q _{ root }(0) = y while the signer sets p _{ root }(0) = s. Once the polynomials have been decided, the private key is of each leaf node x in the access tree can be denoted by \( {D}_{i,{T}_k,i{d}_l}=\left\{{g}^{\frac{q_x(0).{p}_x(0)}{t_i}},i\in {T}_k\right\} \). Signer sends the value of g ^{ s } to tracer. For each signer, tracer chooses a global unique identifier \( i{d}_l\in {Z}_p^{*} \) to describe his identity (Without loss of generality, the signer’s identity is denoted by id _{ l }). Tracer calculates \( {\sigma}_{i{d}_l}={\left({g}^s\right)}^{i{d}_l} \) and sends \( {\sigma}_{i{d}_l} \) back to the signer. Meanwhile, it stores a list recording the relationship between singer’s unique identifier and \( {\sigma}_{i{d}_l} \).
The signature can be denoted by \( v=\left\{{C}_1,{C}_2,{C}_3,M,{\sigma}_{i{d}_l},{g}^s,{H}_1{\left(M\left\right{\sigma}_{i{d}_l}\right)}^s\right\} \). The signer sends v to the receiver.
Verify: After receiving the signature v = {C _{1}, C _{2}, C _{3}, M, σ _{ id }, g ^{ s }, H _{1}(Mσ _{ id })^{ s }} from the signer, receiver firstly calculates: ê(H _{1}(Mσ _{ id })^{ s }, g) = ê(H _{1}(Mσ _{ id }), g ^{ s }).
If the equation is set up, then calculates \( VerityNode\left(x,PK,v\right)=\widehat{e}\left({g}^{t_i},{C}_2\right) \).
All the value calculated from VerityNode(x, PK, v) will be stored as F _{ z }. For any F _{ z } ≠ 0, the algorithm calculates F _{ root } (the value of root node) using Lagrange interpolation method.
If x is a nonleaf node, z is the child node of x,then the value of VerityNode(x, PK, v) is calculated as follows:
Then, the algorithm calculates F _{ root } (the value of root node) by recursive function.
If the equation is set up, then the signature is a legal one and the signer’s attributes satisfies the claimed structure.
Trace: The tracer searches the list recording the relationship between \( i{d}_l{\sigma}_{i{d}_l} \), then the identity of the signer can be pinpointed.
Security proof and performance evaluation
Correctness proof
To calculate the value of F _{ root }, it is essential to obtain the value of leaf nodes which satisfy the access structure.
Unforgeability
Theorem 1
If our scheme can be broken by an Adversary then it can be constructed that a simulator with a non negligible advantage solves the DBDH problem successfully.
Proof
In the challenge game, if an Adversary can break our scheme with advantage ε, then a simulator be constructed to solve the DBDH problem with an advantage of \( \frac{\varepsilon }{2} \).
The construction process of the simulator is as follows:
Phase 1 Setup:
Challenger sets the parameters as follows:
Defines a global attribute set U = {1, 2, … n}.
Denotes id _{ l } to be the unique identifier of Adversary.
Defines G _{1} and G _{2} be two cyclic groups of prime order p. The generator of G _{1} is denoted by g.
Defines a bilinear paring ê : G _{1} × G _{1} → G _{2}.
The aim of simulator is to output a value μ* as a guess of μ.
The simulator runs Adversary as subprogram and plays the role of Challenger.
Adversary defines attribute set γ.
Simulator randomly chooses r _{ i }, β _{ i } ∈ Z _{ p } and sets PK to be \( Y=\widehat{e}\left({g}^a,{g}^b\right)=\widehat{e}{\left(g,g\right)}^{ab},{T}_i=\left\{\begin{array}{c}\hfill {g}^{r_i},\kern0.75em if\ i\in \gamma \hfill \\ {}\hfill {g}^{b{\beta}_i}, if\ i\notin \gamma \hfill \end{array}\right. \)
Phase 2 Queries :
Private key generation queries:When Adversary asks a Private key generation query for access structure T _{ k }, simulator responds as follows:
Sign queries: When Adversary asks a Sign query for access structure T _{ k } and a plaintext M, simulator responds as follows:
Firstly, simulator calculates the private key \( {D}_{i,{T}_k,{\sigma}_{i{d}_l}} \).
Obtaining the private key of access structure T _{ k } by running
Then signer outputs \( v=\left\{{C}_1,{C}_2,{C}_3,M,{\sigma}_{\sigma_{i{d}_l}},{g}^s,{H}_1{\left(M\left\right{\sigma}_{\sigma_{i{d}_l}}\right)}^s\right\} \) and sends it to Adversary.
It can be seen that the simulator is consistent with our scheme.
Phase 3:Challenge:
Adversary outputs a new signature v _{ l } with a challenging access structure T _{ l } and plaintext M.
Adversary cannot make Sign queries about T _{ l } and v _{ l } is not gained by a previous Sign query.
Adversary forges the signature as the following process:
Chooses a polynomial p _{ lx }.Sets p _{ lroot }(0) = s _{ l }. Picks r _{ l } ∈ Z _{ p }, returns \( {g}^{s_l} \) to simulator.
Simulator chooses sends \( {\sigma}_{\sigma_{i{d}_l}}={\left({g}^{s_l}\right)}^{id} \) back to Adversary.
Then we will discuss the advantage of simulator in breaking the DBDH assumption.
Unforgeability with untrusted authorities and traceability
In attribute based signature mechanism, users’ attribute private keys are generated and distributed by AA. Under this circumstance, AA is capable of forging any signatures without being detected. To keep the whole system running safely, AA must be honest and highly protected from being invaded. However, in the complex network systems, there are variety risks which may result in the fault of AA. Consequently, for the sake of safety, AA’s rights in the system should be reduced to some extent. In our KPABSUT, the private key used for signature is generated by joint efforts of both AA and user, so it is computational infeasible for AA to forge any signatures which should be signed by legal users. Besides, since different users randomly choose different secret numbers to embed into their initial private keys distributed from AA, it is computational infeasible for a user to personate any other users to forge a legal signature in the system.
Anonymity is another important feature of common attribute based signature mechanism. However, some malicious users may take advantage of this feature to send out illegal information without taking responsibility. To prevent such incidents happening, in our KPABSUT scheme, the signer’s identity can be revealed with the introducing of “tracer”. When data receivers receive illegal information from a malicious signer, they can send the signature v to tracer. Since tracer has stored \( {\sigma}_{i{d}_l}={\left({g}^s\right)}^{i{d}_l} \) with user’s identity, the signer’s identity can be located by searching the \( i{d}_l{\sigma}_{i{d}_l} \) list. Then tracer calculates \( {\sigma_{i{d}_l}}^{i{d}_l}={\left({\left({g}^s\right)}^{i{d}_l}\right)}^{i{d}_l}={g}^s \). Since s is the secret number used in the Sign algorithm and g ^{ s } has been sent to tracer, a signer cannot deny the message he signed before.
Efficiency and comparison analysis
From the result we can see that the computation cost is lower in our KPABSUT since the number of bilinear paring operation is reduced. Thus our plan has a higher efficiency. Besides, our KPABSUT uses access tree as control structure, each signer’s private key corresponds a certain structure. It is computational infeasible for different users to collude their private keys with each other to forge a legal signature. With the introducing of user’s secret key component and the entity “tracer”, the signature cannot be forged by AA and can be traced to identity if a malicious user releases information illegally. The overall comparison shows our KPABSUT is of better performance and is more appropriate for secure data verification in open network systems such as cloud computing, etc.
Conclusion
In this paper, we propose a KPABS with untrusted authorities and traceability, which is also of high efficiency. In our scheme, the signer’s private key is composed by two components: one part is distributed by attribute authority and the other part is chosen privately by the signer’s self. The signature cannot be forged by any other users including attribute authority. What’s more, the identity of signer can be traced. Our scheme is proved to be secure and of better performance with respect to efficiency.
Our future work should focus on the attribute revocation and key refreshing in our KPABS scheme. Once key exposure happens, although the system can trace the traitor, however, user’s private keys still need to be refreshed for the safe of privacy. Consequently, research on the attribute based refreshing mechanisms should be taken into our future research direction. Besides, outsourcing ABS [9] with untrusted attribute authorities also merits attention.
Declarations
Acknowledgement
This research is supported by the National Natural Science Foundation of China (60973140, 61170276, 61373135).
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Authors’ Affiliations
References
 Sahai, A, Waters, “Fuzzy identitybased encryption”. Proc. Int. Conf.EUROCRYPT 2005, pp. 457473, Aarhus, Denmark: Springer; 2005. http://link.springer.com/chapter/10.1007%2F11426639_27
 V. Goyal, O. Pandey, A. Sahai and B. Waters, “Attribute Based Encryption for FineGrained Access Control of Encrypted Data”, In ACM conference on Computer and Communications Security, pp. 8998. 2006.
 Attrapadung N, Libert B, De Panafieu E. Expressive keypolicy attributebased encryption with constantsize ciphertexts, Public Key Cryptography—PKC 2011, vol. 6571 of LNCS. Taormina, Italy: Springer, pp. 90108, 2011.
 Bethencourt J, Sahai A, Waters B (2007) CiphertextPolicy Attribute Based Encryption. Proceedings of the 2007 IEEE Symposium on Security and Privacy, Washington DC, pp 321–334Google Scholar
 H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attributebased signatures: Achieving attributeprivacy and collusionresistance,” IACR Cryptology ePrint Archive, pp. 328 – 351, 2008.
 B. Z. J. S. Dan Cao, Xiaofeng Wang and Q. Hu, “Mediated attribute based signature scheme supporting key revocation,” in Proceedings of the 8th International Conference on Information Science and Digital Content Technology. Jeju Island, Korea: IEEE; 2012; 277–282.
 S.Q. Guo and Y.P. Zeng, “Attributebased signature scheme”, In International Conference on Information Security and Assurance, pp.509511, 2008.
 H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attributebased signatures”, in CTRSA, 2011, pp. 376–392, 2011.
 Chen X, Li J, Huang X (2014) Secure Outsourced AttributeBased Signatures”. IEEE Transactions on Parallel and Distributed Systems 25(12):3285–3294View ArticleGoogle Scholar
 S. Shahandashti and R. SafaviNaini, “Threshold attributebased signatures and their application to anonymous credential systems,” Progress in Cryptology–AFRICACRYPT 2009, pp. 198–216, 2009.
 Kumar S, Agrawal S, Balaraman S, Rangan C (2011) Attribute Based Signatures for Bounded Multilevel Threshold Circuits. Public Key Infrastructures, Services and Applications (EuroPKI 2010), Berlin Heidelberg, pp 141–154Google Scholar
 J. Herranz, F. Laguillaumie, B. Libert, “Short attribute based signatures for threshold predicates”, Topics in Cryptology–CTRSA 2012, pp. 51–67, 2012.
 A. Escala, J. Herranz, and P. Morillo, “Revocable attributebased signatures with adaptive security in the standard model,” in AFRICACRYPT, pp. 224–241, 2011.
 S.L Ding, Y. Zhao, “Efficient Traceable AttributeBased Signature”, in IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, pp 582589, 2014.
 Li J, Kim K (2010) Hidden attributebased signatures without anonymity revocation. Inform Sci 180(9):1681–1689MathSciNetView ArticleMATHGoogle Scholar
 Okamoto, T., Takashima, K, “Decentralized attributebased signatures”, Public Key CryptographyPKC. Nara, Japan: 2013; 125–142.
 X. Liu, J. Ma, Q. Li, J. Xiong, and F. Huang, “Attribute based multisignature scheme in the standard model,” in Proceedings of the 9th International Conference on Computational Intelligence and Security (CIS’13). Sichuan Province, China: IEEE; 2013; 738–742.
 Zhiqian Xu, Keith M. Martin, “Anonymous User Revocation for Using AttributeBased Signature in Cloud Computing”. 6th International Conference on Cloud Computing Technology and Science. Singapore: IEEE; 2014; 358365.
 Boneh D, Franklin M (2001) IdentityBased encryption from the weil pairing. In: Advances in CryptologyCRYPTO 2001. SpringerVerlag, LNCS 2139, Berlin, Heidelberg, pp 213–229View ArticleGoogle Scholar