HAL Id: hal-01788815
https://hal.archives-ouvertes.fr/hal-01788815
Submitted on 9 May 2018
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entic research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diusion de documents
scientiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Ciphertext-Policy Attribute-Based Encryption
John Bethencourt, Amit Sahai, Brent Waters
To cite this version:
John Bethencourt, Amit Sahai, Brent Waters. Ciphertext-Policy Attribute-Based Encryption. 2007
IEEE Symposium on Security and Privacy (SP ’07), May 2007, Berkeley, France. �10.1109/SP.2007.11�.
�hal-01788815�
Ciphertext-Policy Attribute-Based Encryption
John Bethencourt
Carnegie Mellon University
bethenco@cs.cmu.edu
Amit Sahai
∗
UCLA
sahai@cs.ucla.edu
Brent Waters
†
SRI International
bwaters@csl.sri.com
Abstract
In several distributed systems a user should only be
able to access data if a user posses a certain set of cre-
dentials or attributes. Currently, the only method for
enforcing such policies is to employ a trusted server to
store the data and mediate access control. However, if
any server storing the data is compromised, then the
confidentiality of the data will be compromised. In this
paper we present a system for realizing complex access
control on encrypted data that w e call Ciphertext-Policy
Attribute-Based Encryption. By using our techniques
encrypted data can be kept confidential even if the stor-
age server is untrusted; moreover, our methods are
secure against collusion attacks. Previous Attribute-
Based Encryption systems used attributes to describe
the encrypted data and built policies into user’s keys;
while in our system attributes are used to describe a
user’s credentials, and a party encrypting data deter-
mines a policy for who can decrypt. Thus, our meth-
ods are conceptually closer to traditional access control
methods such as Role-Based Access Control (RBAC).
In addition, we provide an implementation of our sys-
tem and give performance measurements.
1 Introduction
In many situations, when a user encrypts sensitive
data, it is imperative that she establish a specific ac-
cess control policy on who can decrypt this data. For
example, suppose that the FBI public corruption of-
fices in Knoxville and San Francisco are investigating
an allegation of bribery involving a San Francisco lob-
byist and a Tennessee congressman. The head FBI
agent may want to encrypt a sensitive memo so that
only personnel that have certain credentials or at-
∗
Supported the US Army Research Office under the CyberTA
Grant No. W911NF-06-1-0316.
†
Supported by NSF CNS-0524252 and the US Army Research
Office under the CyberTA Grant No. W911NF-06-1-0316.
tributes can access it. For instance, the head agent
may specify the following access structure for accessing
this information: ((“Public Corruption Office”
AND (“Knoxville” OR “San Francisco”)) OR
(management-level > 5) OR “Name: Charlie
Eppes”).
By this, the head agent could mean that the memo
should only be seen by agents who work at the public
corruption offices at Knoxville or San Francisco, FBI
officials very high up in the management chain, and a
consultant named Charlie Eppes.
As illustrated by this example, it can be crucial that
the person in possession of the secret data be able to
choose an access policy based on specific knowledge of
the under lying data. Furthermore, this person may
not know the exact identities of all other people who
should be able to access the data, but rather she may
only have a way to describe them in terms of descriptive
attributes or credentials.
Traditionally, this type of expressive access control
is enforced by employing a trusted server to store data
locally. The server is entrusted as a reference monitor
that checks that a user presents proper certification be-
fore allowing him to access records or files. However,
services are increasingly storing data in a distributed
fashion across many servers. Replicating data across
several locations has advantages in both performance
and reliability. The drawback of this trend is that it is
increasingly difficult to guarantee the security of data
using traditional methods; when data is stored at sev-
eral locations, the chances that one of them has been
compromised increases dramatically. For these reasons
we would like to require that sensitive data is stored in
an encrypted form so that it will remain private even
if a server is compromised.
Most existing public key encryption methods allow
a party to encrypt data to a particular user, but are
unable to efficiently handle more expressive types of en-
crypted access control such as the example illustrated
above.
Our contribution. In this work, we provide the first
construction of a ciphertext-policy attribute-based en-
cryption (CP-ABE) to address this problem, and give
the first construction of such a scheme. In our system,
a user’s private key will be associated with an arbi-
trary number of attributes expressed as strings. On
the other hand, when a party encrypts a message in our
system, they specify an associated access structure over
attributes. A user will only be able to decrypt a cipher-
text if that user’s attributes pass through the cipher-
text’s access structure. At a mathematical level, ac-
cess structures in our system are described by a mono-
tonic “access tree”, where nodes of the access struc-
ture are composed of threshold gates and the leaves
describe attributes. We note that AND gates can be
constructed as n-of-n threshold gates and OR gates
as 1-of-n threshold gates. Furthermore, we can handle
more complex access controls such as numeric ranges
by converting them to small access trees (see discussion
in the implementation section for more details).
Our techniques. At a high level, our work is sim-
ilar to the recent work of Sahai and Waters [24] and
Goyal et al. [15] on key-policy attribute based encryp-
tion (KP-ABE), however we require substantially new
techniques. I n key-policy attribute based encryption,
ciphertexts are associated with sets of descriptive at-
tributes, and users’ keys are associated with policies
(the reverse of our situation). We stress that in key-
policy ABE, the encryptor exerts no control over who
has access to the data she encrypts, except by her choice
of descriptive attributes for the data. Rather, she must
trust that the key-issuer issues the appropriate keys
to grant or deny access to the appropriate users. In
other words, in [24, 15], the “intelligence” is assumed
to be with the key issuer, and not the encryptor. In our
setting, the encryptor must be able to intelligently de-
cide who should or should not have access to the data
that she encrypts. As such, the techniques of [24, 15]
do not apply to our setting, and we must develop new
techniques.
At a technical level, the main objective that we must
attain is collusion-resistance: If multiple users collude,
they should only be able to decrypt a ciphertext if at
least one of the users could decrypt it on their own. In
particular, referring back to the example from the be-
ginning of this Introduction, suppose that an FBI agent
that works in the terrorism office in San Francisco col-
ludes with a friend who works in the public corruption
office in New York. We do not want these colluders to
be able to decrypt the secret memo by combining their
attributes. This type of security is the sine qua non of
access control in our setting.
In the work of [24, 15], collusion resistance is in-
sured by using a secret-sharing scheme and embedding
independently chosen secret shares into each private
key. Because of the independence of the randomness
used in each invo cation of the secret sharing scheme,
collusion-resistance follows. In our scenario, users’ pri-
vate keys are associated with sets of attributes instead
of access structures over them, and so secret sharing
schemes do not apply.
Instead, we devise a novel private key randomization
technique that uses a new two-level random masking
methodology. This methodology makes use of groups
with efficiently computable bilinear maps, and it is the
key to our security proof, which we give in the generic
bilinear group model [6, 28].
Finally, we provide an implementation of our system
to show that our system performs well in practice. We
provide a description of both our API and the structure
of our implementation. In addition, we provide several
techniques for optimizing decryption performance and
measure our performance features experimentally.
Organization. The remainder of our paper is struc-
tured as follows. In Section 2 we discuss related work.
In Section 3 we our definitions and give background
on groups with efficiently computable bilinear maps.
We then give our construction in Section 4. We then
present our implementation and performance measure-
ments in Section 5. Finally, we conclude in Section 6.
2 Related Work
Sahai and Waters [24] introduced attribute-based
encryption (ABE) as a new means for encrypted ac-
cess control. In an attribute-based encryption system
ciphertexts are not necessarily encrypted to one par-
ticular user as in traditional public key cryptography.
Instead both users’ private keys and ciphertexts will be
associated with a set of attributes or a policy over at-
tributes. A user is able to decrypt a ciphertext if there
is a “match” between his private key and the cipher-
text. In their original system Sahai and Waters pre-
sented a Threshold ABE system in which ciphertexts
were labeled with a set of attributes S and a user’s pri-
vate key was associated with both a threshold param-
eter k and another set of attributes S
′
. In order for a
user to decrypt a ciphertext at least k attributes must
overlap between the ciphertext and his private keys.
One of the primary original motivations for this was
to design an error-tolerant (or Fuzzy) identity-based
encryption [27, 7, 12] scheme that could use biometric
identities.
The primary drawback of the Sahai-Waters [24]
threshold ABE system is that the threshold semantics
are not very expressive and therefore are limiting for
designing more general systems. Goyal et al. intro-
duced the idea of a more general key-policy attribute-
based encryption system. In their construction a ci-
phertext is associated with a set of attributes and a
user’s key can be associated with any monotonic tree-
access structure.
1
The construction of Goyal et al.
can be viewed as an extension of the Sahai-Waters tech-
niques where instead of embedding a Shamir [26] secret
sharing scheme in the private key, the authority embeds
a more general secret sharing scheme for monotonic ac-
cess trees. Goyal et. al. also suggested the possibility
of a ciphertext-policy ABE scheme, but did not offer
any constructions.
Pirretti et al. [23] gave an implementation of
the threshold ABE encryption system, demonstrated
different applications of attribute-based encryption
schemes and addressed several practical notions such as
key-revocation. In recent work, Chase [11] gave a con-
struction for a multi-authority attribute-based encryp-
tion system, where each authority would administer a
different domain of attributes. The primary challenge
in creating multi-authority ABE is to prevent collusion
attacks between users that obtain key components from
different authorities. While the Chase system used the
threshold ABE system as its underlying ABE system at
each authority, the problem of multi-authority ABE is
in general orthogonal to finding more expressive ABE
systems.
In addition, there is a long history of access control
for data that is mediated by a server. See for exam-
ple, [18, 14, 30, 20, 16, 22] and the references therein.
We focus on encrypted access control, where data is
protected even if the server storing the data is compro-
mised.
Collusion Resistance and Attribute-Based En-
cryption The defining property of Attribute-Based
Encryption systems are their resistance to collusion
attacks. This property is critical for building cryp-
tographic access control systems; otherwise, it is im-
possible to guarantee that a system will exhibit the
desired security properties as there will exist devastat-
ing attacks from an attacker that manages to get a hold
of a few private keys. While we might consider ABE
systems with different flavors of expressibility, prior
work [24, 15] made it clear that collusion resistance
is a required property of any ABE system.
Before attribute-based encryption was introduced
1
Goyal et al. show in addition how to construct a key-policy
ABE scheme for any linear secret sharing scheme.
there were other systems that attempted to address
access control of encrypted data [29, 8] by using se-
cret sharing schemes [17, 9, 26, 5, 3] combined with
identity-based encryption; however, these schemes did
not address resistance to collusion attacks. Recently,
Kapadia, Tsang, and Smith [19] gave a cryptographic
access control scheme that employed proxy servers.
Their work explored new methods for employing proxy
servers to hide policies and use non-monontonic access
control for small universes of attributes. We note that
although they called this scheme a form of CP-ABE,
the scheme does not have the property of collusion re-
sistance. As such, we believe that their work should not
be considered in the class of attribute-based encryption
systems due to its lack of security against collusion at-
tacks.
3 Background
We first give formal definitions for the security
of ciphertext policy attribute based encryption (CP-
ABE). Next, we give background information on bilin-
ear maps. Like the work of Goyal et al. [15] we define
an access structure and use it in our security defini-
tions. However, in these definitions the attributes will
describe the users and the access structures will be used
to label different sets of encrypted data.
3.1 Definitions
Definition 1 (Access Structure [1]) Let
{P
1
, P
2
, . . . , P
n
} be a set of parties. A collection
A ⊆ 2
{P
1
,P
2
,...,P
n
}
is monotone if ∀B, C : if B ∈ A and
B ⊆ C then C ∈ A. An access structure (respectively,
monotone access structure) is a collection (respec-
tively, monotone collection) A of non-empty subsets
of {P
1
, P
2
, . . . , P
n
}, i.e., A ⊆ 2
{P
1
,P
2
,...,P
n
}
\{∅}. The
sets in A are called the authorized sets, and the sets
not in A are called the unauthorized sets.
In our context, the role of the parties is taken by
the attributes. Thus, the access structure A will con-
tain the authorized sets of attributes. We r estrict our
attention to monotone access structures. However, it
is also possible to (inefficiently) realize general access
structures using our techniques by having the not of an
attribute as a separate attribute altogether. Thus, the
number of attributes in the system will be doubled.
From now on, unless stated otherwise, by an access
structure we mean a monotone access structure.
An ciphertext-policy attribute based encryption
scheme consists of four fundamental algorithms: Setup,
Encrypt, KeyGen, and Decrypt. In addition, we allow
for the option of a fifth algorithm Delegate.
Setup. The setup algorithm takes no input other
than the implicit security parameter. It outputs the
public parameters PK and a master key MK.
Encrypt(PK, M, A). The encryption algorithm
takes as input the public parameters PK, a message
M, and an access structure A over the universe of
attributes. The algorithm will encrypt M and produce
a ciphertext CT such that only a user that possesses a
set of attributes that satisfies the access structure will
be able to decrypt the message. We will assume that
the ciphertext implicitly contains A.
Key Generation(MK, S). The key generation al-
gorithm takes as input the master key MK and a set of
attributes S that describe the key. It outputs a private
key SK.
Decrypt(PK, CT, SK). The decryption algorithm
takes as input the public parameters PK, a ciphertext
CT, which contains an access policy A, and a private
key SK, which is a private key for a set S of attributes.
If the set S of attributes satisfies the access structure
A then the algorithm will decrypt the ciphertext and
return a message M .
Delegate(SK,
˜
S). The delegate algorithm takes as
input a secret key SK for some set of attributes S and
a set
˜
S ⊆ S. It output a secret key
˜
SK for the s et of
attributes
˜
S.
We now describe a security model for ciphertext-
policy ABE schemes. Like identity-based encryption
schemes [27, 7, 12] the security model allows the ad-
versary to query for any private keys that cannot be
used to decrypt the challenge ciphertext. In CP-ABE
the ciphertexts are identified with access structures and
the private keys with attributes. It follows that in our
security definition the adversary will choose to be chal-
lenged on an encryption to an access structure A
∗
and
can ask for any private key S such that S does not
satisfy S
∗
. We now give the formal security game.
Security Model for CP-ABE
Setup. The challenger runs the Setup algorithm and
gives the public parameters, PK to the adversary.
Phase 1. The adversary makes repeated private keys
corresponding to sets of attributes S
1
, . . . , S
q
1
.
Challenge. The adversary submits two equal length
messages M
0
and M
1
. In addition the adversary
gives a challenge access structure A
∗
such that
none of the sets S
1
, . . . , S
q
1
from Phase 1 satisfy
the access structure. The challenger flips a random
coin b, and encrypts M
b
under A
∗
. The ciphertext
CT
∗
is given to the adversary.
Phase 2. Phase 1 is repeated with the restriction that
none of sets of attributes S
q
1
+1
, . . . , S
q
satisfy the
access structure corresponding to the challenge.
Guess. The adversary outputs a guess b
′
of b.
The advantage of an adversary A in this game is
defined as Pr[b
′
= b] −
1
2
. We note that the model
can easily be extended to handle chosen-ciphertext at-
tacks by allowing for decr yption queries in Phase 1 and
Phase 2.
Definition 2 An ciphertext-policy attribute-bas ed en-
cryption scheme is secure if all polynomial time adver-
saries have at most a negligible advantage in the above
game.
3.2 Bilinear Maps
We present a few facts related to groups with effi-
ciently computable bilinear maps.
Let G
0
and G
1
be two multiplicative cyclic groups
of prime order p. Let g be a generator of G
0
and e be
a bilinear map, e : G
0
× G
0
→ G
1
. The bilinear map e
has the following properties:
1. Bilinearity: for all u, v ∈ G
0
and a, b ∈ Z
p
, we
have e(u
a
, v
b
) = e(u, v)
ab
.
2. Non-degeneracy: e(g, g) 6= 1.
We say that G
0
is a bilinear group if the group op-
eration in G
0
and the bilinear map e : G
0
× G
0
→ G
1
are both efficiently computable. Notice that the map
e is symmetric since e(g
a
, g
b
) = e(g, g)
ab
= e(g
b
, g
a
).
4 Our Construction
In this section we provide the construction of our
system. We begin by descr ibing the model of access
trees and attributes for respectively describing cipher-
texts and private keys. Next, we give the description
of our scheme. Finally, we follow with a discussion of
security, efficiency, and key revocation. We provide our
proof of security in Appendix A.
4.1 Our Model
In our construction private keys will be identified
with a set S of descriptive attributes. A party that