For Alice to communicate securely with Bob via public-key encryption, she encrypts a message with Bob’s public key, which Bob decrypts with his private key. Here Alice knows that it is Bob who she would like to communicate with. However, there are situations where a data sender (data owner or DO) would like to share data securely with (multiple) data receivers (data users or DU) whose identities are not known at the time of sharing. Although their identities are not known to the sender ahead of time, the intended receivers or interested users could be characterized by certain attributes. For instance, in the context of medical research, a patient may want to share his/her medical information with receivers who possess attributes such as [“Doctor” or (“Researcher” & “Pathology Department”)]. As the patient may not have the identities of all the eligible data users, the conventional two-party public-key encryption schemes cannot be applied.
In 2005, Sahai and Waters introduced the concept of Attribute-Based Encryption, which allows the mentioned patient to share his/her medical information with all the eligible data users without knowing their explicit identities. There are two kinds of ABE systems: Ciphertext Policy Attribute-based Encryption (CP-ABE) and Key Policy Attribute-based Encryption (KP-ABE). In CP-ABE, each data user receives one secret key for each of his/her attributes from the Authority. The sender encrypts the data with an access policy specifying the desired attributes of the intended receivers. Following the previous example, the patient determines that only data users who are either doctors or pathology researchers could decrypt the ciphertext. In contrast, in KP-ABE, a data user receives one secret key which encodes the predefined access policy to decrypt the ciphertext. As CP-ABE is more practical for real world applications, almost all research efforts work on improving CP-ABE, for instance with a more efficient CP-ABE scheme, privacy preservation for the data users [13, 14, 32], faster decryption, constant-sized ciphertexts [4, 27, 10], revocable data users or attributes [9, 6], and so on.
The earlier CP-ABE systems are centralized as there is only one authority. The authority decides the system parameters, chooses the master key (MK), and issues Secret Keys (SK) associated with attributes to DU. Such a centralized architecture raises several security issues, such as the single point of failure and the key escrow problem where the authority, by using MK, can generate SK for all the attributes for itself to decrypt ciphertexts. To address these defects, many efforts have tried to decentralize earlier CP-ABE schemes by “dividing” MK among different authorities, requesting a threshold out of authorities to cooperate to issue SK, and demanding that none of the authorities can issue SK for itself alone. However, decentralization raises new kinds of collusion attacks.
This paper makes the following contributions. We first review two existing types of collusion attacks on DABE, collusion among authorities and collusion among DUs. We then introduce a new kind of collusion where some authorities collude with DUs, so that the colluding authorities can recover the MKs of the other non-colluding authorities. After that, the colluding authorities can take over the entire DABE system and issue new SKs without needing any cooperation or permission from other non-colluding authorities. Furthermore, we show that six of the previously published DABE systems are vulnerable to this new attack. Finally, we introduce a model to secure one of the defective systems against the newly introduced collusion attack.
The paper proceeds in Section II to review background knowledge. Section III first discusses two existing collusion models on DABE schemes and then introduces a new collusion model among authorities and DUs. In Section IV, we analyze four existing DABE models to show that they are all vulnerable to the newly introduced collusion attack. In Section V, we propose a new model to secure one of the vulnerable models. Section VI concludes the paper with future work.
In this section, we review background knowledge needed for the establishment of ABE and DABE systems and the analyses of their security.
II-A Bilinear Maps
Consider and as two multiplicative cyclic groups. Suppose that the prime order of both groups is and the generator of is . There exists a map : , with an efficient algorithm, which, for all , computes . Map is termed bilinear if it has the following two properties:
1) Bilinearity: For all and , there is equation .
2) Non-degeneracy: .
A CP-ABE scheme consists of the following four algorithms.
Setup: The authority runs the setup algorithm to select the Public Parameters (PP) of the system, choose the Master Key (MK) for itself, and broadcast the Public Key (PK) to the users.
Encryption: A DO specifies an access policy to determine the needed attributes of DUs for decrypting the ciphertext. The DO then uses PK to encrypt messages specifying the access policy as part of the encryption, and broadcasts the ciphertext.
Key Generation: The authority runs the key generation algorithm which uses MK to issue Secret Keys (SK) to DUs based on the list of attributes of each DU.
Decryption: A DU uses its SK and PK to decrypt the ciphertext. If a DU possesses enough attributes which are specified in the access policy, the DU can recover the message. If not, the decryption algorithm outputs an error to the DU.
II-C Decentralized ABE
The original ABE models are administrated by a central authority. Such a centralized architecture raises issues such as key escrow, key exposure, ineligible DUs, privacy of DUs, forging signatures, and scalability. To address these issues, several efforts [17, 15, 18, 19, 12] have been proposed to decentralize ABE so that the responsibilities of a central authority are divided among multiple authorities.
III Collusion Attacks on DABE
Although decentralization addresses several issues related to centralized ABE, it raises new issues. In this section, we review two existing collusion attacks on DABE: collusion among different DUs and collusion among authorities, and introduce a new collusion attack model among both authorities and DUs.
1) Collusion among DUs: This type of collusion happens when some data users with different SKs collude with each other and combine their SKs to decrypt a ciphertext which is not accessible to each of them alone but is accessible with the sum of the SKs. For instance, suppose that has two attributes and has one attribute . Then, a DO encrypts a message and determines the access policy as . Neither of the two DUs has the needed SKs to decrypt the ciphertext individually. Therefore, they might want to collude with each other by sharing their SKs to decrypt the ciphertext with a set of .
Most of the existing ABE and DABE schemes adopt a similar idea to secure systems against collusion among DUs. Authority/authorities should choose different GIDs when running the Key Generation algorithm to issue the SKs. Different SKs with different GIDs cannot be combined to decrypt a ciphertext. To the best of our knowledge, all the existing ABE and DABE schemes are secure against this kind of collusion attack.
2) Collusion among authorities. To address the key escrow problem, several efforts [7, 21, 20, 26] have proposed different DABE architectures, in which none of the authorities is able to issue SKs by itself, as long as authorities do not collude with each other. However, these efforts assumed explicitly that authorities behave honestly, so that they neither collude with each other nor share their MKs with each other. Since there is no easy way to monitor the authorities for collusion, this is not an acceptable assumption. To the best of our knowledge, there is no DABE system which could prevent authorities from colluding. Therefore, the key escrow problem remains an open issue.
3) Collusion among authorities and DUs. In a DABE system, each authority has its own MK and is responsible for protecting it from leaking to other authorities. In addition, there should be no chance for other authorities to circumvent the security of an authority to uncover its MK. However, one potential vulnerability is collusion between other authorities and DUs, through which the colluding authorities might uncover the MKs of non-colluding authorities. This paper analyzes the limitations of some of the existing DABE schemes to show their vulnerability to this kind of collusion attack.
IV Analysis of Vulnerable Schemes
In this section, we analyze four existing DABE models to show that they are vulnerable to the newly introduced collusion attack among authorities and DUs. We show how some of the authorities can collude with one DU to uncover the MK of the other authority. We then describe a solution to secure one of the vulnerable schemes.
Notice that the paper has been using “multiple authorities” to represent DABE generically. However, each specific DABE scheme has its unique way of “decentralizing” ABE so that the multiple “authorities” are not simply replicas, but with different delegated and/or partially replicated functions. In addition, these “authorities” are also named differently in different schemes. The following analysis of this paper adopts the specific terminologies used in each scheme.
IV-A The Hur Model I
Hur et al. investigated the key escrow problem by decentralizing the Bethencourt model.
IV-A1 Review of the Hur model I
Hur et al. developed a DABE model with two authorities: Key Generation Center (KGC) and Attribute Authority (AA). The model works as follows.
Setup: First, a trusted initializer (TI) decides the public parameters: a bilinear group with prime order and generator and a hash function , and broadcasts public key . Then, KGC chooses a random exponent (footnote 1: denotes choosing randomly from a finite set .), saves its master key , and broadcasts its public key . AA selects a random exponent , saves its master key , and broadcasts its public key .
Key Generation: As depicted in Fig. 1, (1) a DU communicates with the AA to request SKs, based on the attributes which it possesses. (2) AA chooses a specific random exponent for the DU which should be unique for each DU to prevent DUs from colluding with each other. Afterward, AA runs a secure two-party computation protocol [8, 5, 1] to cooperate with KGC to issue the personalized component () of the SK without leaking their MKs to each other. The secure two-party computation protocol outputs to KGC. (3) KGC chooses a random exponent and sends to AA. (4) KGC shares the chosen with DU. (5) AA selects random exponent for each (the set of DU’s attributes), and sends , a list of and to DU. Finally, DU calculates so that the computed SK would be the same as the one in the Bethencourt model.
The Hur model I does not change the formulas used in the Setup and Key Generation algorithms. Instead, the Hur model I divides the responsibilities of the single authority in the Bethencourt model between two authorities KGC and AA. As SK, MK and PK are the same as in , the encryption and decryption algorithms remain the same.
IV-A2 Vulnerability Analysis
The Hur model I is secure against collusion among different DUs, because AA considers a unique (as GID) for each DU. However, given that the Hur model I provided no explicit mechanism to prevent collusion between AA and KGC, it is vulnerable to such an attack.
Furthermore, the following analysis demonstrates that the Hur model I is not secure against collusion between DU and AA. Suppose that AA colludes with a DU and receives from the DU, while it has . AA can calculate . In addition, AA has , and hence can find and then . Finally, AA divides by to get . AA cannot find from because solving such a logarithm problem is not easy.
However, AA does not need as is enough to generate the component parts of SK which are generated by KGC. Therefore, AA can generate SKs for itself or for any other new DU without any permission and cooperation with KGC. For instance, suppose AA decides for a new DU or for itself. Then it calculates . It finds which is the part of the secret key for the new DU that is supposed to be generated through a secure two-party computation protocol with the cooperation of both KGC and AA. Therefore, AA generated SK without any permission from KGC.
A similar collusion cannot happen between KGC and a DU. Even if KGC colludes with a DU to receive , and , KGC cannot uncover and from them. Although KGC cannot launch effective collusion with any DU, it should worry about collusion between AA and a DU. As there is no way for KGC to prevent AA from such a collusion, KGC is obligated to trust AA.
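The escrow-recovery algebra behind this analysis, as an added example that is not code from the paper or from the Hur scheme's authors. It assumes the Bethencourt-style personalized component D = g^((alpha + r) / beta), with alpha and r held by AA and beta held by KGC, and it uses a constructed toy prime-order group in place of the pairing group; all function names are hypothetical.

```python
"""Toy model of why one disclosed key component removes KGC's veto."""
import secrets

# Constructed toy group, far too small for real use: Q = 2*P + 1 is a safe
# prime and G = 4 generates the subgroup of prime order P. It stands in for
# the pairing group; the analysis needs no pairing operation.
Q, P, G = 2039, 1019, 4


def rand_exp() -> int:
    """Uniform non-zero exponent modulo the group order P."""
    return secrets.randbelow(P - 1) + 1


def inv(x: int) -> int:
    """Inverse of an exponent modulo the prime group order."""
    return pow(x, -1, P)


def honest_issue(alpha: int, beta: int, r: int) -> int:
    """Result of the honest joint issuance: D = g^((alpha + r) / beta).

    ASSUMPTION: Bethencourt-style component; AA holds alpha and the per-user
    value r, KGC holds beta. Neither party is meant to compute D alone.
    """
    return pow(G, (alpha + r) * inv(beta) % P, Q)


def recover_base(D: int, alpha: int, r: int) -> int:
    """What AA derives from one user's D plus its own alpha and r: g^(1/beta)."""
    s = (alpha + r) % P
    if s == 0:
        # D is the identity element here and carries no information on beta.
        raise ValueError("alpha + r = 0 mod p: nothing can be derived from D")
    return pow(D, inv(s), Q)


def issue_without_kgc(base: int, alpha: int, r_new: int) -> int:
    """Component for a fresh r_new built from g^(1/beta) only, no KGC input."""
    return pow(base, (alpha + r_new) % P, Q)


def demo() -> dict:
    """Run the scenario with random secrets and report the two key facts."""
    alpha, beta, r = rand_exp(), rand_exp(), rand_exp()
    while (alpha + r) % P == 0:          # avoid the degenerate identity case
        r = rand_exp()
    D = honest_issue(alpha, beta, r)     # handed to AA by the colluding DU
    base = recover_base(D, alpha, r)
    r_new = rand_exp()
    solo = issue_without_kgc(base, alpha, r_new)
    return {
        # AA now holds g^(1/beta) although beta itself stays hidden.
        "base_is_g_inv_beta": base == pow(G, inv(beta), Q),
        # The solo-issued component equals what joint issuance would give,
        # so KGC cannot tell it apart from a legitimately issued one.
        "solo_equals_joint": solo == honest_issue(alpha, beta, r_new),
    }


if __name__ == "__main__":
    print(demo())
```

Because the solo-issued component is identical to a jointly issued one, the only effective countermeasure is structural: the issuance protocol must never let a party that knows the full exponent of g also obtain the finished component.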
IV-B The Hur Model II
IV-B1 Review of the Hur model II
This model decentralized the Bethencourt model by using a central authority (CA) and a set of attribute authorities . This model works as follows.
Setup: First, a trusted initializer chooses a bilinear group of prime order and generator . In addition, it selects hash functions . Then it broadcasts the public parameter . Then, CA chooses a random exponent as its MK and publishes its public key . Similarly, each selects a random exponent as its MK and broadcasts its public key .
Key Generation: As depicted in Fig. 2, (1) DU requests SK from CA. (2) CA chooses random exponents for each such that . Then CA runs a secure two-party computation protocol via cooperation with each which outputs to . (3) randomly chooses exponent , computes , and sends it to CA. (4) CA computes and then sends it to . (5) computes and sends it to DU. The protocol depicted in Fig. 2 should be run between CA and each . At the end, DU receives all from all the authorities and computes the part of its SK via . (6) To generate the other parts of SK, CA chooses a random exponent and sends to DU. (7) CA sends to . (8) selects and issues different parts of SK to DU (for each attribute related to the set of attributes of DU which is decided by ) as follows.
DU computes to find its total SK which is the same as the Bethencourt model.
IV-B2 Vulnerability Analysis
Assume that CA colludes with one DU and receives the part of SK from DU. Since CA knows and , it can compute which is enough to issue SK to a new DU without needing to cooperate with any other authorities.
IV-C The Wang Model
IV-C1 Review of the Wang model
Two entities termed Key Authority (KA) and Cloud Service Provider (CSP) cooperatively issue SKs for DUs through a secure two-party key generation protocol. The model works as follows.
Setup: The Wang model denotes as a bilinear group of prime order and generator , and chooses bilinear map . It also chooses hash function and a set of weights for the set of attributes .
Afterwards, KA chooses random exponents , saves its master key and broadcasts its public key . Similarly, CSP chooses , saves its master key and broadcasts its public key .
Key Generation: As depicted in Fig. 3, (1) a DU requests SKs for its attributes. (2) KA chooses a unique . Then KA and CSP cooperatively run a secure two-party computation protocol which outputs to CSP. (3) CSP chooses a random exponent and sends to KA. (4) KA chooses a random exponent and sends and to CSP. (5) CSP chooses a random exponent and sends to KA. (6) KA computes and sends it to CSP. (7) CSP issues the part of SK and sends it to DU. (8) KA issues other parts of SK ( and ) and sends them to DU. The complete SK for the DU is as follows.
Since the Wang model is developed based on the Waters model, the general formulas of the setup and key generation algorithms are similar in both models. This similarity implies similar encryption and decryption algorithms.
IV-C2 Vulnerability Analysis
At the end of the key generation, DU receives from CSP. Now, suppose that KA colludes with one DU and receives from it. Since KA knows and , as its MK, and its chosen , KA computes to uncover .
Although KA cannot recover from due to the hardness of the discrete logarithm problem, it does not need . Suppose that a new DU requests SK from KA. Then KA decides as a GID for the new DU and then issues without any cooperation with CSP through the secure two-party computation protocol. In addition, KA can issue the other components of SK for all the attributes. Although this model is vulnerable to collusion between KA and DU, there is no chance for CSP to collude with a DU and uncover .
IV-D The Lin Model
Lin et al. developed a collaborative key management protocol for cloud data sharing.
IV-D1 Review of the Lin model
Lin et al. developed a DABE model with three authorities: Key Authority (KA), Cloud Server (CS), and Decryption Server (DS). Both KA and CS issue SKs and DS helps DUs to simplify the decryption process. The model works as follows.
Setup: A TI chooses two multiplicative cyclic groups and with prime order and generator of . Then it selects two hash functions and , chooses a group of random elements that are associated with the attributes, and outputs public parameters . KA chooses a random exponent as its master key () and broadcasts its public key . Similarly, CS chooses a random exponent , saves its master key () and broadcasts its public key .
Key Generation: The Key Generation protocol consists of two sub-protocols. In the first sub-protocol, depicted in Fig. 4, (1) A DU requests SK from authorities. (2) KA chooses a unique for DU. Then, CS and KA run a secure two-party computation protocol which outputs to CS. (3) CS selects a random exponent to calculate and send it to KA. (4) KA calculates and sends it to CS. Then CS calculates and saves .
In the second sub-protocol, depicted in Fig. 5, (5) CS and KA choose random exponents and , respectively. Then, they run another secure two-party computation protocol which outputs to DU, and to both CS and KA. (6) CS chooses and calculates and sends it to KA. (7) KA computes and sends it to CS. CS computes and saves its secret key . (8) KA selects random exponent , calculates and sends it to CS. (9) CS calculates and sends to KA. Finally, KA calculates and saves its secret key .
Although the Lin model is developed based on the Waters model, the Lin model changes the formulas of SKs as it divides SKs among DU, KA, and CS. Afterwards, DO generates the ciphertext and uploads it to CS. Then CS re-encrypts the ciphertext to realize effective attribute revocation.
To decrypt the ciphertext, both KA and CS send their SKs () to DS which generates a simpler ciphertext and sends it to DU. DU then uses to decrypt the simpler ciphertext.
IV-D2 Vulnerability Analysis
Suppose that a DU colludes with both KA and DS. Then the DU sends to KA and DS sends , which was received from CS during the decryption round, to KA. Therefore, KA has three secret keys, , and . KA can then calculate . Since KA has and , it can uncover . Although recovering from is not practical for KA, having is enough to generate SK for a new DU. KA can choose random exponent and generate new without needing to cooperate with CS or running the first sub-protocol in Fig. 4. Then KA decides random exponents and issues to the new DU, without needing to cooperate with CS or running the second sub-protocol depicted in Fig. 5. Then, KA issues related and to itself, while CS does not know anything about the newly issued SK.
IV-E Other Models
The Hur model I has been adopted as the base model by [16, 33], for instance. Although a key revocation capability was introduced in , due to the same key generation round used as the Hur model I, it suffers from the newly introduced collusion. Similarly, due to the same key generation round used in  as the Hur model I, it is also vulnerable to the newly introduced collusion.
We suspect that other models developed based on the Hur model I/II, the Wang model, and the Lin model might be vulnerable to the collusion attack among authorities and DUs, which needs further investigation.
V A Secured Model
In this section, we propose a model to secure the Hur model I against the newly introduced collusion attack. The secured model decentralizes ABE with two entities, KGC and AA, which work as follows.
Setup: To start the system, a TI chooses the public parameters: a bilinear group with prime order and generator and a hash function , and then broadcasts its public key . Afterwards, KGC chooses two random exponents , saves its master key , and broadcasts its public key . Similarly, AA selects a random exponent , saves its master key , and broadcasts its public key . Since when , the public key of the system is as follows.
Key Generation: As depicted in Fig. 6, (1) DU requests SK from AA. (2) AA chooses a specific random exponent for the DU. AA then runs a secure two-party computation protocol to cooperate with KGC which outputs to KGC. (3) KGC computes and sends it to DU. (4) AA issues other components of the SK based on DU’s attributes: . Therefore, the final SK for DU is the same as the Bethencourt model.
Analysis: Suppose that a DU colludes with AA and sends to AA. Since AA does not know the two elements of and , it cannot uncover any components of . Therefore, our proposed model is secure against the newly introduced collusion attack.
In this paper, we reviewed two types of existing collusion attacks on DABE schemes, and introduced a new type of collusion attack among authorities and DUs. We then analyzed the vulnerability of four DABE models subject to the newly introduced collusion attack. Based on the analyses, we proposed a new model to secure one of the vulnerable DABE models. Secured solutions to other vulnerable DABE models are left as future work.
[1] (2008) P-signatures and noninteractive anonymous credentials. In Theory of Cryptography, R. Canetti (Ed.), Berlin, Heidelberg, pp. 356–374.
[2] (2007-05) Ciphertext-policy attribute-based encryption. In 2007 IEEE Symposium on Security and Privacy (SP ’07), pp. 321–334.
[3] (2012) Multi-authority attribute-based encryption with honest-but-curious central authority. International Journal of Computer Mathematics 89 (3), pp. 268–283.
[4] (2013) An efficient key-policy attribute-based encryption scheme with constant ciphertext length. Mathematical Problems in Engineering.
[5] (2009) Improving privacy and security in multi-authority attribute-based encryption. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, New York, NY, USA, pp. 121–130.
[6] (2014-06) Efficient decentralized attribute-based access control for cloud storage with user revocation. In 2014 IEEE International Conference on Communications (ICC), pp. 3782–3787.
[7] (2018) Generic construction of outsourced attribute-based encryption without key escrow. IEEE Access 6, pp. 58955–58966.
[8] (2009) Removing escrow from identity-based encryption. In Public Key Cryptography – PKC 2009, S. Jarecki and G. Tsudik (Eds.), Berlin, Heidelberg, pp. 256–276.
[9] (2016-08) Revocable and Decentralized Attribute-Based Encryption. The Computer Journal 59 (8), pp. 1220–1235.
[10] (2014-11) Fully secure ciphertext policy attribute-based encryption with constant length ciphertext and faster decryption. Sec. and Commun. Netw. 7 (11), pp. 1988–2002.
[11] (2006) Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS ’06, New York, NY, USA, pp. 89–98.
[12] (2019) Multi-authority attribute-based access control with smart contract. International Conference on Blockchain Technology.
[13] (2012-11) Privacy-preserving decentralized key-policy attribute-based encryption. IEEE Transactions on Parallel and Distributed Systems 23 (11), pp. 2150–2162.
[14] (2015-03) Improving privacy and security in decentralized ciphertext-policy attribute-based encryption. IEEE Transactions on Information Forensics and Security 10 (3), pp. 665–678.
[15] (2014-02) Secure data retrieval for decentralized disruption-tolerant military networks. IEEE/ACM Transactions on Networking 22 (1), pp. 16–26.
[16] (2013-10) Improving security and efficiency in attribute-based data sharing. IEEE Transactions on Knowledge and Data Engineering 25 (10), pp. 2271–2282.
[17] (2013) Removing escrow from ciphertext policy attribute-based encryption. Computers & Mathematics with Applications 65 (9), pp. 1310–1317. Note: Advanced Information Security.
[18] (2011) Decentralizing attribute-based encryption. In Advances in Cryptology – EUROCRYPT 2011, K. G. Paterson (Ed.), Berlin, Heidelberg, pp. 568–588.
[19] (2016-05) TMACS: a robust and verifiable threshold multi-authority access control system in public cloud storage. IEEE Transactions on Parallel and Distributed Systems 27 (5), pp. 1484–1496.
[20] (2017) A collaborative key management protocol in ciphertext policy attribute-based encryption for cloud data sharing. IEEE Access 5, pp. 9464–9475.
[21] (2018-01) Achieving collaborative cloud data storage by key-escrow-free multi-authority cp-abe scheme with dual-revocation. International Journal of Network Security, pp. 95–109.
[22] (2015-12) Handling key escrow and attribute revocation problems in attribute based data sharing. International Journal of Scientific Engineering and Technology Research 4, pp. 10725–10728.
[23] (2013) Decentralized ciphertext-policy attribute-based encryption scheme with fast decryption. In Communications and Multimedia Security, B. De Decker, J. Dittmann, C. Kraetzer, and C. Vielhauer (Eds.), Berlin, Heidelberg, pp. 66–81.
[24] (2005) Fuzzy identity-based encryption. In Advances in Cryptology – EUROCRYPT 2005, R. Cramer (Ed.), Berlin, Heidelberg, pp. 457–473.
[25] (2019) Efficient attribute-based encryption with privacy-preserving key generation and its application in industrial cloud. In Security and Communication Networks.
[26] (2017) A universal cloud user revocation scheme with key-escrow resistance for ciphertext-policy attribute-based access control. In Proceedings of the 10th International Conference on Security of Information and Networks, SIN ’17, New York, NY, USA, pp. 11–18.
[27] (2012-11) A key-policy attribute-based encryption scheme with constant size ciphertext. In 2012 Eighth International Conference on Computational Intelligence and Security, pp. 447–451.
[28] (2016-08) Attribute-based data sharing scheme revisited in cloud computing. IEEE Transactions on Information Forensics and Security 11 (8), pp. 1661–1673.
[29] (2012-07-01) Accountable authority key policy attribute-based encryption. Science China Information Sciences 55 (7), pp. 1631–1638.
[30] (2011) Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In Public Key Cryptography – PKC 2011, D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi (Eds.), Berlin, Heidelberg, pp. 53–70.
[31] (2016) Accountable ciphertext-policy attribute-based encryption scheme supporting public verifiability and nonrepudiation. In Proceedings of the 10th International Conference on Provable Security - Volume 10005, ProvSec 2016, New York, NY, USA, pp. 3–18.
[32] (2017-05) Efficient privacy-preserving decentralized abe supporting expressive access structures. In 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 547–552.
[33] (2017) Ciphertext-policy attribute based encryption supporting any monotone access structures without escrow. Chinese Journal of Electronics 26 (3), pp. 640–646.