1 Introduction
An attribute-based encryption (ABE) scheme 1 is a one-to-many cryptographic primitive that simultaneously provides confidentiality and fine-grained access control over outsourced encrypted data. It provides access control on the shared data by specifying an access structure over the ciphertexts or over the data users' secret keys. According to the position of the access structure, this primitive is divided into two categories: key-policy ABE (KP-ABE) 2 and ciphertext-policy ABE (CP-ABE) 3. In a KP-ABE scheme the access structure is embedded in the data users' secret keys by the key generator authority, and each ciphertext is labeled with a set of descriptive attributes. A data user can decrypt a ciphertext if and only if the user's access structure is satisfied by the ciphertext's attributes. In a CP-ABE scheme, on the other hand, the access structure is embedded in the ciphertext by the data owner, and each data user's secret keys are issued by the key generator authority according to his/her attributes. A data user can recover encrypted data if and only if his/her attributes satisfy the access structure of the ciphertext.
In an ABE scheme, data users have to query the key generator authority for their secret keys. This can cause scalability and flexibility problems when a large number of data users request their secret keys simultaneously.
To address the scalability problem, Wang et al. proposed a CP-hierarchical ABE (CP-HABE) scheme 5 by combining a hierarchical identity-based encryption (HIBE) scheme 4 with a CP-ABE scheme 3. They partition the universal attribute set into disjoint subsets and consider several key generators, each of which administers one of the subsets. In this scheme, a data user can obtain the secret key for an attribute only from the key generator that manages the subset containing that attribute.
This idea has since been used in several ABE schemes. Wan et al. proposed hierarchical attribute-set-based encryption (HASBE) 22 by combining the notion of HABE with the CP-ASBE scheme proposed by Bobba et al. 55 . Li et al. 7 proposed a multi-authority access control system with efficient key delegation and user revocation mechanisms; using an outsourcing technique, they significantly decrease the computational cost on the user side. Liu et al. 6 proposed a time-based proxy re-encryption scheme by combining an HABE scheme with a proxy re-encryption scheme 66 , 666 , which offers wide flexibility in the user revocation mechanism; in this scheme the data owner can be offline during the user revocation phase. Huang et al. 8 proposed a data collaboration scheme that uses the HABE model in its key delegation mechanism. As in 7 , data outsourcing is used to reduce the data user's computational cost.
Although the CP-HABE scheme proposed by Wang et al. 5 has been proved semantically secure in the random oracle model, we show that this scheme is fully insecure according to the security definition given in 5 . The scheme has obvious drawbacks in its key delegation mechanism which enable a malicious user holding just one attribute to decrypt all the shared encrypted data in the cloud.
The rest of this letter is organized as follows. Some necessary basic concepts are reviewed in Section 2. We introduce the CP-HABE scheme proposed by Wang et al. 5 and its security definition in Section 3. In Section 4 we give two attacks on the scheme, both of which break the security of the scheme with probability . The conclusion of the paper is presented in Section 5.
2 Preliminaries
In this section, we introduce some required definitions and hardness assumptions.
2.1 Bilinear map
Consider two cyclic groups and of prime order . Suppose that is a generator of . A function is a bilinear map if it has the following properties:

Non-degeneracy: .

Bilinearity: , for any and .

Computability: there is a polynomial-time algorithm which computes , for any .
Consider two cyclic groups , of prime order , a bilinear map , and a random generator . The Bilinear Diffie–Hellman (BDH) problem is to compute for three given elements , where , and are three uniform elements of .
2.2 Access structure
Consider a universal attribute set . Each non-empty subset of is called an access structure on . For an access structure , any set in is called an authorized set of attributes, and the others are called unauthorized sets.
Any access structure can be specified by a logical proposition , where each , , is a conjunction clause of some attributes. For example, the access structure corresponds to the logical proposition . For simplicity, is used to denote an access structure. This representation is called disjunctive normal form (DNF).
3 CP-HABE proposed by Wang et al. 5
In this section, we first introduce the system model of Wang et al.'s scheme and then describe the algorithms of this system in detail. After that, the semantic security definition for a CP-HABE scheme proposed by Wang et al. 5 is presented.
3.1 Model definition and constructions
In the CP-HABE scheme proposed by Wang et al. 4 , the disjunctive normal form (DNF) is used to express the access control policy, and a hierarchical key generation and user revocation model is applied to provide scalable and flexible mechanisms. Moreover, in this scheme each domain authority manages its own disjoint subset of the attributes.
This system consists of five entities: the root master (RM), the cloud service provider (CSP), data owners, domain authorities, and data users. The RM is responsible for generating the global public parameters and the master keys of the domain authorities at the first level. The cloud service provider lets a data owner store its data and share them with data users. The data owner determines an access structure for his/her own data, encrypts the data under it, and outsources the encrypted data to the cloud. The domain authorities generate attribute secret keys for entities (data users or domain authorities) at the next level. Data users can decrypt the outsourced encrypted data using their attribute secret keys.
In this scheme, the key generation algorithms, named CreateDM and CreateUser, adopt a hierarchical approach. First, the RM generates the global public parameters of the system with the Setup algorithm and then generates the master secret keys of the domain authorities at the first level with the CreateDM algorithm. After that, domain authorities run the CreateDM algorithm to generate the master secret keys of their child domain authorities. The domain authorities at the last level generate the identity secret keys and attribute secret keys of authorized data users with the CreateUser algorithm. When a data owner wants to outsource data to the cloud, he/she defines an access structure and encrypts the data under it with the Encrypt algorithm. A data user can access an outsourced encrypted data item by running the Decrypt algorithm if and only if his/her attributes satisfy the access structure of that data item.
In this scheme, it is assumed that each domain authority , data user , and attribute in the universal attribute set has a unique public key , , and , respectively. The scheme consists of the following five algorithms:

Setup: This algorithm is run by the RM. It takes the security parameter as input and picks a large prime number , two cyclic groups and of order , a bilinear map , a uniform element , three random oracles , and , and a random generator . The algorithm outputs the master secret key and the system public parameters , where .

CreateDM: This algorithm is run by the root master or by a domain authority acting as the parent. The inputs of the algorithm are the system public parameters , the master secret key of the parent, and the public key of the domain authority , . The output of the algorithm is 's master secret key , where is the index of the random oracle , , , , and , for .

CreateUser: When a data user queries the domain authority for a secret key corresponding to an attribute , checks whether the user is authorized for or not. If so, it runs this algorithm to generate the identity secret key and the attribute secret key , where and .

Encrypt: This algorithm is run by a data owner. It takes the public parameters , a message , an access structure , and the set of public keys of the corresponding attributes, . Suppose that all of the attributes in are covered by a specified domain authority . For each , consider the unique path from to the domain . The algorithm outputs a ciphertext , where and is the lowest common multiple (LCM) of , is a uniform element, , , and , for and .

Decrypt: A data user whose attributes satisfy the access structure of a ciphertext can run this algorithm and recover the corresponding message. Suppose that for some , a data user has all the attributes specified in ; then the corresponding message can be obtained as follows:
We refer the reader to 5 for more detail about this scheme.
3.2 Security definition
Consider the following game:

Setup: The challenger runs the Setup algorithm and gives the system public parameters to the adversary.

Phase 1: First, the challenger runs the CreateDM algorithm; then the adversary makes an arbitrary number of queries for users' attribute secret keys. For each data user , once the adversary queries the user's secret key corresponding to an attribute , the challenger runs the CreateUser algorithm and gives the requested secret key to the adversary .

Challenge: When the adversary decides to terminate Phase 1, he/she gives two equal-length messages , and an access structure to the challenger, where the set of attributes specified for any data user in Phase 1 does not satisfy the access structure . Then the challenger randomly chooses , encrypts under the access structure, and returns the encrypted message to the adversary .

Phase 2: The adversary is allowed to make more attribute secret key queries, under the same constraints as in the previous phases.

Guess: The adversary outputs a bit . It wins this game if .
Let denote the event that the adversary succeeds in the above game. A CP-HABE scheme is semantically secure if is a negligible function in terms of the security parameter, for every polynomial-time adversary .
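As an added illustration that is not part of the original letter, the following Python code implements the DNF access structures of Section 2.2 (a set of attributes is authorized iff it covers at least one conjunction clause) and the admissibility constraint on the challenge access structure in the game above (no attribute set issued in Phase 1 may satisfy it). The policy syntax, attribute names and sample users are constructed for this example.

```python
# Added example: DNF access structures (Section 2.2) and the challenge
# constraint of the security game (Section 3.2). The "A AND B OR C"
# policy syntax and all attribute names below are constructed.
from itertools import chain, combinations
from typing import Dict, FrozenSet, Iterable, List, Set

Clause = FrozenSet[str]   # one conjunction clause: every attribute is required
DNF = List[Clause]        # the access structure: a disjunction of clauses


def parse_dnf(policy: str) -> DNF:
    """Parse a policy such as "A AND B OR C" into a list of conjunction clauses."""
    clauses: DNF = []
    for clause in policy.split(" OR "):
        attrs = frozenset(a.strip() for a in clause.split(" AND ") if a.strip())
        if not attrs:
            raise ValueError("empty clause in policy")
        clauses.append(attrs)
    return clauses


def satisfies(attrs: Iterable[str], policy: DNF) -> bool:
    """An attribute set is authorized iff it contains all attributes of some clause."""
    owned = set(attrs)
    return any(clause <= owned for clause in policy)


def authorized_sets(universe: Iterable[str], policy: DNF) -> Set[FrozenSet[str]]:
    """Enumerate the authorized subsets of a (small) attribute universe, i.e. the
    monotone access structure that the DNF policy describes."""
    u = sorted(set(universe))
    subsets = chain.from_iterable(combinations(u, k) for k in range(len(u) + 1))
    return {frozenset(s) for s in subsets if satisfies(s, policy)}


def challenge_is_admissible(queried: Dict[str, Set[str]], policy: DNF) -> bool:
    """Game constraint: the challenge access structure must not be satisfied by
    the attribute set of any user queried in Phase 1.
    `queried` maps a user identifier to the attributes issued to that user."""
    return not any(satisfies(attrs, policy) for attrs in queried.values())


if __name__ == "__main__":
    pol = parse_dnf("doctor AND cardiology OR admin")
    print(satisfies({"doctor", "cardiology"}, pol))           # True
    print(satisfies({"doctor"}, pol))                         # False
    print(challenge_is_admissible({"u1": {"doctor"}}, pol))   # True
```

A user holding only `doctor` is unauthorized under this policy, which is exactly the kind of user the attacks in Section 4 show can nevertheless decrypt in the flawed scheme.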
In Appendix A of 5 , the semantic security of the CP-HABE scheme is proved under the hardness assumption of the BDH problem in the random oracle model. In the next section we show that this scheme is vulnerable to our two proposed attacks.
4 Security analysis of the CP-HABE scheme proposed by Wang et al.
We show that there are two drawbacks in the key delegation mechanism of the CP-HABE scheme proposed by Wang et al. 44 , 5 . Because of these drawbacks, a malicious data user with just one or two attributes can decrypt any encrypted data outsourced to the cloud.
In the following, we propose two non-adaptive attacks on the CP-HABE scheme. Each of them breaks the semantic security of the scheme with probability .
Remark.
For an arbitrary domain , let be the unique path from to . Then, we have:
(1) 
Theorem 1.
For an arbitrary domain with , any user who has received his/her identity secret key and obtained the secret key of , , can recover any encrypted data outsourced to the cloud.
Proof.
Since the user has received and can obtain , he/she can calculate by multiplying by the last component of , . So, the user knows for each . Let be an arbitrary outsourced encrypted data item. Then, since , we have:
(2) 
4.1 Attack 1
This attack shows that any user who has just one attribute administered by a domain can obtain . Therefore, by Theorem 1, the user can recover any encrypted data outsourced to the cloud.
Following the security definition presented in the previous section, let a challenger have run the Setup and CreateDM algorithms, and let be a polynomial-time adversary that has been given the system public parameters generated by the Setup algorithm.

Then picks an arbitrary attribute and a data user authorized for that attribute, and queries the corresponding secret key. The challenger runs the CreateUser algorithm and gives the requested secret keys, and , to the adversary .

In the Challenge step, gives two random equal-length plaintexts and , and a DNF access structure to the challenger, where includes and also ; therefore does not satisfy . The challenger chooses a uniform bit and encrypts under the access structure . The generated ciphertext is given to .

Without running Phase 2, in the Guess step, first calculates , then, using the last component of , , it calculates . Therefore, can obtain .
Now, by Theorem 1, since the adversary has and , he/she can decrypt and get . So the adversary can win the game with probability
Theorem 2.
By using the techniques described in Attack 1, a polynomial-time adversary can, in a non-adaptive manner, break the semantic security of the CP-HABE scheme proposed by Wang et al. 5 with probability .
Note that using Attack 1, an adversary with just one attribute secret key can decrypt any given ciphertext.
4.2 Attack 2
This attack shows that any user who has two attributes administered by the same domain can obtain the master secret key of that domain and therefore, by Theorem 1, can decrypt any ciphertext outsourced to the cloud.
As before, following the security definition presented in Section 3, let the Setup and CreateDM algorithms have been run by a challenger and the system public parameters be given to the adversary .

The adversary picks two attributes and , and a data user . Then it makes two queries for the corresponding secret keys. The challenger runs the CreateUser algorithm and gives the secret keys , and to the adversary.

In the Challenge step, the adversary gives two equal-length messages and , and an access structure to the challenger, where . The challenger uniformly chooses and sends the ciphertext generated for and to the adversary.

Without running Phase 2, in the Guess step, the adversary sets:
So, can be obtained by the adversary. Now, if sets , then by Lemma 1 it can decrypt any outsourced ciphertext. Therefore the adversary can win the game with probability .
Theorem 3.
Attack 2 enables a non-adaptive adversary to break the semantic security of the CP-HABE scheme proposed by Wang et al. with probability .
5 Conclusion
In this manuscript, we showed that the CP-HABE scheme proposed by Wang et al. 5 is fully insecure. We provided two attacks which break the scheme's security with probability , contrary to the authors' claim. Moreover, we showed that any malicious user who has just one attribute can recover any encrypted data outsourced to the cloud.
References
 [1] Sahai, A. and Waters, B., 2005, May. Fuzzy identity-based encryption. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 457–473). Springer, Berlin, Heidelberg.
 [2] Goyal, V., Pandey, O., Sahai, A. and Waters, B., 2006, October. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security (pp. 89–98). ACM.
 [3] Bethencourt, J., Sahai, A. and Waters, B., 2007, May. Ciphertext-policy attribute-based encryption. In Security and Privacy, 2007. SP '07. IEEE Symposium on (pp. 321–334). IEEE.
 [4] Wang, G., Liu, Q. and Wu, J., 2010, October. Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. In Proceedings of the 17th ACM Conference on Computer and Communications Security (pp. 735–737). ACM.
 [5] Wang, G., Liu, Q., Wu, J. and Guo, M., 2011. Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers. Computers & Security, 30(5), pp. 320–331.
 [6] Gentry, C. and Silverberg, A., 2002. Hierarchical ID-based cryptography. In Proceedings of ASIACRYPT 2002 (pp. 548–566).
 [7] Wan, Z., Liu, J.E. and Deng, R.H., 2012. HASBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Transactions on Information Forensics and Security, 7(2), pp. 743–754.
 [8] Bobba, R., Khurana, H. and Prabhakaran, M., 2009, September. Attribute-sets: A practically motivated enhancement to attribute-based encryption. In European Symposium on Research in Computer Security (pp. 587–604). Springer, Berlin, Heidelberg.
 [9] Li, Q., Ma, J., Li, R., Liu, X., Xiong, J. and Chen, D., 2016. Secure, efficient and revocable multi-authority access control system in cloud storage. Computers & Security, 59, pp. 45–59.
 [10] Liu, Q., Wang, G. and Wu, J., 2014. Time-based proxy re-encryption scheme for secure data sharing in a cloud environment. Information Sciences, 258, pp. 355–370.
 [11] Blaze, M., Bleumer, G. and Strauss, M., 1998. Divertible protocols and atomic proxy cryptography. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT) (pp. 127–144).
 [12] Green, M. and Ateniese, G., 2007. Identity-based proxy re-encryption. In Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS) (pp. 288–306).
 [13] Huang, Q., Yang, Y. and Shen, M., 2017. Secure and efficient data collaboration with hierarchical attribute-based encryption in cloud computing. Future Generation Computer Systems, 72, pp. 239–249.