Attribute-based encryption (ABE) 1 is a one-to-many cryptographic primitive that simultaneously provides confidentiality and fine-grained access control over outsourced encrypted data. It enforces access control on the shared data by specifying an access structure over either the ciphertexts or the data users’ secret-keys. According to the position of the access structure, the primitive is divided into two categories: key-policy ABE (KP-ABE) 2 and ciphertext-policy ABE (CP-ABE) 3 . In a KP-ABE, the access structure is embedded in the data users’ secret-keys by the key-generator authority and each ciphertext is labeled with a set of descriptive attributes; a data user can decrypt a ciphertext if and only if his/her access structure is satisfied by the ciphertext’s attributes. In a CP-ABE, by contrast, the access structure is embedded in the ciphertext by the data owner, and each data user’s secret-keys are issued by the key-generator authority according to the user’s attributes; a data user can recover the encrypted data if and only if his/her attributes satisfy the access structure of the ciphertext.
In an ABE scheme, data users have to query the key-generator authority for their secret-keys. This causes scalability and flexibility problems when a large number of data users request their secret-keys simultaneously.
To address the scalability problem, Wang et al. proposed a ciphertext-policy hierarchical ABE (CP-HABE) scheme 5 by combining a hierarchical identity-based encryption (HIBE) scheme 4 with a CP-ABE scheme 3 . They partition the universal attribute set into disjoint subsets and consider several key generators, each administering one of the subsets. In this scheme, a data user can obtain the secret-key for an attribute only from the key generator that manages the subset containing that attribute.
Since then, this idea has been used in several ABE schemes. Wan et al. proposed hierarchical attribute-set-based encryption (HASBE) 22 by combining the notion of HABE with the CP-ASBE scheme proposed by Bobba et al. 55 . Li et al. 7 proposed a multi-authority access control system with efficient key delegation and user revocation mechanisms; using an outsourcing technique, they significantly decrease the computational cost on the user side. Liu et al. 6 proposed a time-based proxy re-encryption scheme, combining an HABE scheme with a proxy re-encryption scheme 66 , 666 , with a highly flexible user revocation mechanism; in this scheme, the data owner can be offline during the user revocation phase. Huang et al. 8 proposed a data collaboration scheme that uses the HABE model in its key delegation mechanism. As in 7 , data outsourcing is used to reduce the data user’s computational cost.
Although the CP-HABE scheme proposed by Wang et al. 5 has been proved semantically secure in the random oracle model, we show that this scheme is fully insecure according to the security definition given in 5 . The scheme has obvious drawbacks in its key delegation mechanism which enable a malicious user to decrypt all the shared encrypted data in the cloud with just one attribute.
The rest of this letter is organized as follows. Some necessary basic concepts are reviewed in Section 2. We introduce the CP-HABE scheme proposed by Wang et al. 5 and its security definition in Section 3. In Section 4 we give two attacks on the scheme, both of which break the security of the scheme with probability . The conclusion of the paper is presented in Section 5.
In this section, we introduce some required definitions and hardness assumptions.
2.1 Bilinear map
Consider two cyclic groups and of a prime order . Suppose that is a generator of . A function is a bilinear map if it has the following properties:
Bilinearity: , for any and .
Computability: there is a polynomial time algorithm which computes , for any .
Consider two cyclic groups , of prime order , a bilinear map , and a random generator . The Bilinear Diffie–Hellman (BDH) problem is to compute for three given elements , where , and are three uniform elements of .
2.2 Access structure
Consider a universal attribute set . Each nonempty subset of is called an access structure on . For an access structure , any set in is called an authorized set of attributes, and all other sets are called unauthorized sets.
Any access structure can be specified by a logical proposition , where each , , is a conjunction clause over some attributes. For example, the access structure corresponds to the logical proposition . For simplicity, is used to denote an access structure. This type of representation is called disjunctive normal form (DNF).
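As an added illustration (not from the paper), the following Python evaluates a DNF access structure as the scheme uses it: which conjunction clause a user's attribute set satisfies, and the Phase 1 admissibility constraint of the security game in Section 3.2 (a single-attribute query against a two-attribute conjunction is admissible, which is the setting of Attack 1). The policy string syntax and the attribute names are constructed assumptions.

```python
import re


def parse_dnf(policy):
    """Parse a DNF policy string such as "(a1 AND a2) OR (a3 AND a4)" into a
    list of conjunction clauses; each clause is the frozenset of attributes
    it requires. Keyword syntax and attribute names are constructed here."""
    clauses = []
    for raw in re.split(r"\s+OR\s+", policy.strip()):
        clause = raw.strip()
        if clause.startswith("(") and clause.endswith(")"):
            clause = clause[1:-1]
        attrs = frozenset(a.strip() for a in re.split(r"\s+AND\s+", clause))
        if not attrs or "" in attrs:
            raise ValueError("malformed clause: %r" % raw)
        clauses.append(attrs)
    return clauses


def satisfied_clause(user_attrs, clauses):
    """Return the index of the first clause fully covered by the user's
    attributes (the clause Decrypt works with), or None if the set is
    unauthorized for this access structure."""
    for i, clause in enumerate(clauses):
        if clause <= set(user_attrs):
            return i
    return None


def satisfies(user_attrs, clauses):
    return satisfied_clause(user_attrs, clauses) is not None


def challenge_admissible(phase1_queries, clauses):
    """Game constraint of Section 3.2: the challenge access structure must not
    be satisfied by the attributes any single user collected in Phase 1.
    phase1_queries maps a user id to the attributes queried for that user."""
    return not any(satisfies(attrs, clauses) for attrs in phase1_queries.values())


# Constructed sample data: a policy over five sample attributes and the
# attribute sets two sample users obtained in Phase 1.
POLICY = parse_dnf("(a1 AND a2) OR (a3 AND a4 AND a5)")
PHASE1 = {"u1": {"a1", "a5"}, "u2": {"a3", "a4"}}

if __name__ == "__main__":
    print(satisfied_clause({"a1", "a3", "a4", "a5"}, POLICY))  # 1
    print(challenge_admissible(PHASE1, POLICY))                # True
    # Attack 1 setting: one queried attribute, conjunction challenge policy.
    print(challenge_admissible({"u": {"a1"}}, parse_dnf("a1 AND a2")))  # True
```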
3 CP-HABE proposed by Wang et al. 5
In this section, we first introduce the system model of Wang’s scheme and then describe the algorithms of the system in detail. After that, we present the semantic security definition for a CP-HABE scheme proposed by Wang et al. 5 .
3.1 Model definition and constructions
In the CP-HABE scheme proposed by Wang et al. 4 , the disjunctive normal form (DNF) is used to express the access control policy, and a hierarchical key generation and user revocation model provides scalable and flexible mechanisms. Moreover, in this scheme each domain authority manages its own disjoint subset of attributes.
This system consists of five entities: the root master (RM), the cloud service provider (CSP), data owners, the domain authorities, and data users. The RM is responsible for generating the global public parameters and the master keys of the first-level domain authorities. The cloud service provider lets a data owner store its data and share it with some data users. The data owner determines an access structure for his/her own data, encrypts the data under it, and outsources the encrypted data to the cloud. The domain authorities generate attribute secret-keys for some of the entities (data users or domain authorities) at the next level. Data users decrypt the outsourced encrypted data using their attribute secret-keys.
In this scheme, the key generation algorithms, named CreateDM and CreateUser, adopt a hierarchical approach. First, the RM generates the global public parameters of the system with the Setup algorithm and then generates the master secret-key of the first-level domain authority with the CreateDM algorithm. After that, domain authorities run the CreateDM algorithm to generate the master secret-keys of their child domain authorities, and the domain authorities at the last level generate the identity secret-keys and attribute secret-keys of the authorized data users with the CreateUser algorithm. When a data owner wants to outsource some data to the cloud, he/she defines an access structure and encrypts the data under it with the Encrypt algorithm. A data user can access an outsourced encrypted data item by running the Decrypt algorithm if and only if his/her attributes satisfy the access structure of the encrypted data.
In this scheme, it is assumed that each domain authority , data user , and attribute in the universal attribute set has a unique public-key , and , respectively. The scheme can be described by the following five algorithms:
Setup: This algorithm is run by the RM. It takes the security parameter as input and picks a large prime number , two cyclic groups and of order , a bilinear map , a uniform element , three random oracles , and , and a random generator . The algorithm outputs the master secret-key and the system public parameters , where .
CreateDM: This algorithm is run by the root master or a domain authority as the parent. The inputs of the algorithm are the system public parameters , master secret-key of the parent and the public-key of the domain authority , . The output of the algorithm is the ’s master secret-key , where is the index of the random oracle , , , , and , for .
CreateUser: When a data user makes a query to the domain authority for a secret-key corresponding to an attribute , checks whether the user is authorized for or not. If so, it runs this algorithm to generate the identity secret-key and attribute secret-key , where and .
Encrypt: This algorithm is run by a data owner. It takes the public parameters , a message , an access structure , and the set of public-keys of the corresponding attributes, . Suppose that all of the attributes in are covered by a specified domain authority . For each , consider the unique path from to the domain . The algorithm outputs a ciphertext , where and is the least common multiple (LCM) of , is a uniform element, , , and , for and .
Decrypt: A data user whose attributes satisfy the access structure of a ciphertext , can run this algorithm and recover the corresponding message. Suppose that for an , a data user has all the determined attributes in , then the corresponding message can be obtained as follows:
We refer the reader to 5 for more detail about this scheme.
3.2 Security definition
Consider the following game:
Setup: The challenger runs Setup algorithm and gives the system public parameters to the adversary.
Phase 1: First, the challenger runs the CreateDM algorithm; then the adversary makes an arbitrary number of queries for users’ attribute secret-keys. For each data user , once the adversary makes a query for the user’s secret-key corresponding to an attribute , the challenger runs the CreateUser algorithm and gives the requested secret-key to the adversary .
Challenge: When the adversary decides to terminate Phase 1, he/she gives two equal-length messages , and an access structure to the challenger, where the set of attributes specified for any data user in Phase 1 does not satisfy the access structure . Then, the challenger randomly chooses , encrypts under the access structure, and returns the encrypted message to the adversary .
Phase 2: The adversary is allowed to make further attribute secret-key queries, under the same constraints as in the previous phases.
Guess: The adversary outputs a bit . It wins this game if .
Let denote the event that the adversary succeeds in the above game. A CP-HABE scheme is semantically secure if is a negligible function of the security parameter for every polynomial time adversary .
In Appendix A of 5 , the semantic security of the CP-HABE scheme is proved under the hardness assumption of the BDH problem in the random oracle model. In the next section we show that this scheme is vulnerable to our two attacks.
4 Security analysis of the CP-HABE scheme proposed by Wang et al.
We show that there are two drawbacks in the key delegation mechanism of the CP-HABE proposed by Wang et al. 44 , 5 . Considering these drawbacks, a malicious data user with just one or two attributes can decrypt any outsourced encrypted data in the cloud.
In the following, we propose two non-adaptive attacks on the CP-HABE scheme. Each of them breaks the semantic security of the scheme with probability .
For an arbitrary domain , let be the unique path from to . Then, we have:
For an arbitrary domain with , any user who has received his/her identity secret-key and obtained the secret-key of , , can recover any encrypted data outsourced to the cloud.
Since the user has received and can obtain , he/she can compute by multiplying by the last component of , . So the user knows for each . Let be an arbitrary outsourced encrypted data item. Then, since we have:
4.1 Attack 1
This attack shows that any user who has just one attribute administered by a domain can obtain . Therefore, by Theorem 1, the user can recover any encrypted data outsourced to the cloud.
Following the security definition presented in the previous section, let a challenger have run the Setup and CreateDM algorithms, and let be a polynomial time adversary that has received the system public parameters generated by the Setup algorithm.
Then picks just one arbitrary attribute and a data user authorized for that attribute, and makes a query for the corresponding secret-key. The challenger runs the CreateUser algorithm and gives the requested secret-keys, and , to the adversary .
In the Challenge step, gives two random equal-length plaintexts and , and a DNF access structure , to the challenger, where includes and also ; therefore does not satisfy . The challenger chooses a uniform bit and encrypts under the access structure . The generated ciphertext is given to .
Without running Phase 2, in the Guess step first calculates ; then, using the last component of , , it calculates . Therefore can obtain .
Now, by Theorem 1, since the adversary has and , he/she can decrypt and get . So the adversary wins the game with probability .
Using the techniques described in Attack 1, a non-adaptive polynomial time adversary can break the semantic security of the CP-HABE scheme proposed by Wang et al. 5 with probability .
Note that using Attack 1, an adversary with just one attribute secret-key, can decrypt any given ciphertext.
4.2 Attack 2
This attack shows that any user who has two attributes administered by the same domain can obtain the master secret-key of the domain and therefore, by Theorem 1, can decrypt any ciphertext outsourced to the cloud.
As before, following the security definition presented in Section 3, let the Setup and CreateDM algorithms have been run by a challenger and the system public parameters be given to the adversary .
The adversary picks two attributes and , and a data user , and makes two queries for the corresponding secret-keys. The challenger runs the CreateUser algorithm and gives the secret-keys , and to the adversary.
In the Challenge step, the adversary gives two equal-length messages and , and an access structure , to the challenger, where . The challenger uniformly chooses and sends the ciphertext generated for and to the adversary.
Without running Phase 2, in the Guess step the adversary sets:
So can be obtained by the adversary. Now, if sets , then by Lemma 1 it can decrypt any outsourced ciphertext. Therefore the adversary wins the game with probability .
Attack 2 enables a non-adaptive adversary to break the semantic security of the CP-HABE proposed by Wang et al. with probability .
In this manuscript, we showed that the CP-HABE scheme proposed by Wang et al. 5 is fully insecure. We provided two attacks that break the scheme’s security with probability , contrary to the authors’ claim. Moreover, we showed that any malicious user who has just one attribute can recover any outsourced encrypted data in the cloud.
-  Sahai, A. and Waters, B., 2005. Fuzzy identity-based encryption. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT) (pp. 457-473). Springer, Berlin, Heidelberg.
-  Goyal, V., Pandey, O., Sahai, A. and Waters, B., 2006. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security (pp. 89-98). ACM.
-  Bethencourt, J., Sahai, A. and Waters, B., 2007. Ciphertext-policy attribute-based encryption. In 2007 IEEE Symposium on Security and Privacy (SP’07) (pp. 321-334). IEEE.
-  Wang, G., Liu, Q. and Wu, J., 2010. Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. In Proceedings of the 17th ACM Conference on Computer and Communications Security (pp. 735-737). ACM.
-  Wang, G., Liu, Q., Wu, J. and Guo, M., 2011. Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers. Computers & Security, 30(5), pp.320-331.
-  Gentry, C. and Silverberg, A., 2002. Hierarchical ID-based cryptography. In Proceedings of ASIACRYPT 2002 (pp. 548-566).
-  Wan, Z., Liu, J.E. and Deng, R.H., 2012. HASBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Transactions on Information Forensics and Security, 7(2), pp.743-754.
-  Bobba, R., Khurana, H. and Prabhakaran, M., 2009. Attribute-sets: A practically motivated enhancement to attribute-based encryption. In European Symposium on Research in Computer Security (ESORICS) (pp. 587-604). Springer, Berlin, Heidelberg.
-  Li, Q., Ma, J., Li, R., Liu, X., Xiong, J. and Chen, D., 2016. Secure, efficient and revocable multi-authority access control system in cloud storage. Computers & Security, 59, pp.45-59.
-  Liu, Q., Wang, G. and Wu, J., 2014. Time-based proxy re-encryption scheme for secure data sharing in a cloud environment. Information Sciences, 258, pp.355-370.
-  Blaze, M., Bleumer, G. and Strauss, M., 1998. Divertible protocols and atomic proxy cryptography. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT) (pp. 127-144).
-  Green, M. and Ateniese, G., 2007. Identity-based proxy re-encryption. In Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS) (pp. 288-306).
-  Huang, Q., Yang, Y. and Shen, M., 2017. Secure and efficient data collaboration with hierarchical attribute-based encryption in cloud computing. Future Generation Computer Systems, 72, pp.239-249.