A Ciphertext-Policy Attribute-Based Encryption Based on Multi-valued Decision Diagram



Introduction
With the development of Internet and cloud computing technology, data in distributed and open computing environments is shared and processed more and more frequently. As a result, data in the cloud faces unprecedented security problems: without an efficient security mechanism, it is completely exposed to malicious parties. At the same time, the deployment of large-scale distributed applications requires resource owners to adopt a security scheme that supports one-to-many sharing. A practical method is to provide a flexible and reliable access control policy for resource owners and users, one that not only applies to complicated network environments and real-world scenarios but also guarantees data security during communication.
The traditional public key encryption mechanism is based on public key infrastructure. Although it enhances the security of data, many defects still exist. For example, encryption cannot be performed if the user cannot obtain the real public key certificate, and the resource owner incurs a high computation overhead because it needs to accept every user's message and send the ciphertext to the corresponding user.
To address these defects, Sahai and Waters [1] proposed the concept of attribute-based encryption (ABE) for the first time at the 2005 annual European cryptography conference. ABE is derived from the identity-based encryption (IBE) mechanism, which is based on bilinear pairings, and it has many advantages. First, ABE provides a one-to-many encryption mechanism: messages only need to be encrypted according to a set of attributes, which reduces the computing cost of data confidentiality. Second, ABE supports changing access structures based on the attribute set, which makes the scheme more realistic. Finally, the ciphertext can be decrypted successfully only if the attribute set conforms to the access structure. Overall, the flexibility, practicability and efficiency of the encryption strategy and the fine-grained access policy give ABE wide application prospects in distributed file management, third-party data management, group key management, privacy protection and other fields [2].
Although ABE has solved many flaws of traditional encryption mechanisms, several aspects can still be improved, especially the access structure. This paper puts forward a high-efficiency CP-ABE scheme that improves the access structure by adopting a multi-valued decision diagram (MDD).
An MDD can represent not only Boolean functions but also multi-valued attributes. Compared with AND-gate structures, threshold structures, OBDD and similar structures, MDD can improve the efficiency of encryption and decryption in CP-ABE. Based on MDD, this paper proposes an efficient and flexible access structure that supports not only positive and negative attributes but also attributes with multiple values directly. In addition, the CP-ABE scheme proposed in this paper is more efficient in several stages, such as the encryption stage, the key generation stage and the decryption stage.

Related Work
The initial access structure in ABE was implemented as an access control tree, which can express linear access structures such as AND gates, OR gates and threshold structures. Later, in [3], Rafail Ostrovsky proposed an ABE scheme supporting access structures with nonlinear properties by using a linear secret sharing scheme, which further improved the efficiency. Liu X [4] designed a hierarchical access control structure by using a threshold secret sharing mechanism. Balu A [5] put forward an ABE scheme that uses an integer linear secret sharing system instead of a linear secret sharing scheme over a finite field, which made the scheme more efficient.
Literature [6] proposed an ABE scheme that, unlike previous work, supported multi-valued attributes. In the scheme, each attribute corresponded to two types of status value (0, 1), which made the access structure more flexible. Literature [7] fused multiple access structures into one large access control tree, which reduced ciphertext storage and encryption costs. Literature [8] proposed a fine-grained ciphertext access control scheme supporting a user attribute revocation mechanism.
Literature [9] proposed a new access structure based on OBDD. It reduced the number of nodes of the access control tree compared with the threshold structure. Moreover, both the time complexity and the size of the generated ciphertext performed well. Literature [10] provided a privacy-preserving multi-keyword text search scheme with similarity-based ranking, and it alleviated the problem of over-encrypted data. In literature [11], the authors designed a scheme in which the access structures were AND gates on positive and negative attributes. It noticeably reduced the ciphertext size and the encryption/decryption time.
Background Knowledge

Bilinear Map and Bilinear Group
Theorem 1. Bilinear Map: Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, where $g$ is a generator of $G$ and $1_T$ is the unit element of $G_T$. If the map $e : G \times G \to G_T$ satisfies the following conditions, $e$ is called a bilinear map: (1) Bilinearity: $\forall v, w \in G$ and $\forall m, n \in Z_p$, $e(v^m, w^n) = e(v, w)^{mn}$; (2) Non-degeneracy: $e(g, g) \neq 1_T$.
Theorem 2. Bilinear Group: We say that (G, G) are a bilinear group if the group operation in $G$ and the bilinear map $e : G \times G \to G_T$ can both be computed efficiently.

CP-ABE
Setup: The attribute authority executes the Setup algorithm, taking the security parameters as input. It returns the system public key PK and the master key MK, which are distributed to the data owner and data user at later stages.
Encrypt: The encryption algorithm is executed by the data owner in order to encrypt plaintext M. It takes as input the system public key PK and an access policy T provided by the data owner. It generates and outputs a ciphertext CT.
KeyGen: The KeyGen algorithm is executed by the data authority, taking as input the system public key PK, the master key MK and an attribute set L. It generates a secret key SK corresponding to the attribute set L.
Decrypt: At this stage, the data user inputs the public key PK, the ciphertext CT and a secret key SK. The algorithm outputs the message M if the user's attribute set satisfies the access structure.

Access Structure
An access structure is an access control policy for accessing ciphertext, and in CP-ABE it is mainly formed from the attribute set. Given an attribute set L and an access structure F, L F represents L satisfies F, and L F means L does not match F. If L F, it can decrypt successfully; otherwise, the decryption fails.

MDD
An MDD is a directed acyclic graph in which each node has k children, where k is the number of values of the node. Usually, an MDD consists of terminal nodes (leaf nodes), non-terminal nodes and edges, and the terminal nodes normally represent the results of the MDD.
In general, an MDD is drawn as a graph consisting of circles, boxes and one-way arrows. Each circle is a non-terminal node, which can be a variable of a function or a component of a system. The boxes are the terminal nodes, corresponding to the results of the system. The number of possible states of the system corresponds to the number of terminal nodes, and usually the system status is marked as either normal or error. The outgoing branches of non-terminal nodes are represented by one-way arrows, and the number of states or values corresponds to the number of outgoing branches. Therefore, an MDD generally contains a number of non-terminal nodes and two terminal nodes.

Access Structure Based on MDD
The access structure based on MDD matches real-world scenarios better than existing access structures such as [8] and [9], because it can represent attributes with multiple values directly.
Different variable orderings can generate different MDDs even though the multi-valued function is the same. Therefore, it is necessary to fix the variable ordering before constructing the MDD in order to obtain a unique access structure.
Assume that $n$ is the number of attributes in the system. The attributes can be represented as a set $V = \{v_1, v_2, \ldots, v_n\}$. Each attribute contains multiple values. The values of each attribute can be described as a set $v_i = \{v_{i,0}, v_{i,1}, \ldots, v_{i,n_i}\}$, $1 \le i \le n$, where $n_i$ is the number of values of attribute $v_i$. In addition, $v_{i,0}$ is specified as "Non", which means the attribute set does not have this attribute. The MDD is expressed as ID represents the set of the node serial numbers and $I$ is the set of the attribute variable serial numbers. $id$ is the serial number of the current node, and $i$ is the serial number of the attribute of the current node. The attribute value of the current node is represented as $v_{i,k_i}$, and $next_{i,k_i}$ is the serial number of the next child node when the value of the current node is $v_{i,k_i}$. The parameters $v_{i,k_i}$ and $next_{i,k_i}$ are used to maintain the relationship between parent nodes and child nodes. In addition, let $W_i$ represent the concrete value of the attribute $W_i$, $N = \{1, 2, \ldots, n\}$. It should be pointed out that the leaf nodes, whose node serial numbers are 0 and 1 respectively, only indicate the failure or success of the decryption, so the fields $i$, $v_{i,k_i}$ and $n_{i,k_i}$ are deleted for them.
Suppose that the encryption attribute set is $W = \{W_1, W_2, \ldots, W_n\}$, and L n }, and $L_i = \{L_{i,0}, L_{i,1}, \ldots, L_{i,n_i}\}$. We use the encryption attribute set $W$ to build an access structure $F$. If $W \subseteq L$ and $W_i \subseteq L_i$, we say the set $L$ satisfies the set $W$, or equivalently that the set $L$ satisfies the access structure $F$. If $L$ satisfies $F$, the ciphertext can be decrypted by the user successfully; otherwise, the decryption fails.
For example, in order to access the file, the attributes of data visitors need to satisfy one of the following three conditions. Category 1: graduate students (Gra) of computer school (CS); Category 2: graduate students of law school (LS); Category 3: undergraduates (Und) of business school (BS). According to the above description, the following access structure based on MDD can be constructed.
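The three-category policy above, encoded as an MDD and evaluated against user attribute sets. This is an added example, not the paper's figure or code: the node serial numbers (2, 3, 4), the attribute names `degree` and `school`, and the variable ordering (degree before school) are assumptions. It covers only the access-structure check, not the pairing-based encryption.

```python
# Added illustration: node ids, attribute names and ordering are assumptions.
FAIL, OK = 0, 1          # terminal nodes 0 and 1: decryption fails / succeeds
NON = "Non"              # v_{i,0}: the attribute set lacks this attribute

# id -> (attribute i, {value v_{i,k_i}: next_{i,k_i}}), ordering: degree, school
MDD = {
    2: ("degree", {NON: FAIL, "Gra": 3, "Und": 4}),
    3: ("school", {NON: FAIL, "CS": OK, "LS": OK, "BS": FAIL}),
    4: ("school", {NON: FAIL, "CS": FAIL, "LS": FAIL, "BS": OK}),
}
ROOT = 2


def satisfies(mdd, root, user):
    """True if the values the user holds lead from the root to terminal 1.

    `user` maps attribute -> set of held values; a missing attribute is "Non".
    """
    stack = [root]
    while stack:
        node = stack.pop()
        if node == OK:
            return True
        if node == FAIL:
            continue
        attr, edges = mdd[node]
        for value in user.get(attr, {NON}):
            # Values outside the attribute's domain go to the fail terminal.
            stack.append(edges.get(value, FAIL))
    return False


def valid_paths(mdd, node, prefix=()):
    """List every root-to-terminal-1 path as ((attribute, value), ...)."""
    if node == OK:
        return [prefix]
    if node == FAIL:
        return []
    attr, edges = mdd[node]
    paths = []
    for value, nxt in edges.items():
        paths += valid_paths(mdd, nxt, prefix + ((attr, value),))
    return paths


if __name__ == "__main__":
    print(satisfies(MDD, ROOT, {"degree": {"Gra"}, "school": {"LS"}}))
    print(satisfies(MDD, ROOT, {"degree": {"Und"}, "school": {"CS"}}))
    for path in valid_paths(MDD, ROOT):
        print(path)
```

The policy yields exactly three valid paths, one per category; swapping the variable ordering gives a different diagram for the same policy.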

Main Process of the CP-ABE Based on MDD
Setup: Let $G$ and $G_T$ be two bilinear groups of prime order $p$, where $g$ is a generator of $G$ and $e : G \times G \to G_T$ is a bilinear map. Choose several random exponents $y, t_{i,k_i} \in Z_p$ ($i \in I$). Define $Y = e(g, g)^y$, $T_{i,k_i} = g^{t_{i,k_i}}$, $T_{i,k_i} \in \{T_{i,k_i} \mid i \in I\}$, the plaintext $M \in G$, and then generate the public key P K =<

Analysis of Capacities and Efficiency
Our scheme supports multi-valued systems directly because its access structure is based on MDD, which performs well in supporting multiple values. It also has advantages in several other respects. In the Encrypt algorithm, the computation complexity and the size of the ciphertext depend only on the valid paths rather than on the attributes of the system, so it performs better than several other CP-ABE schemes such as [10] and [11]. In the KeyGen algorithm, the computation complexity is O(1), because it only needs two exponential operations in G. The Decrypt algorithm supports fast decryption, because it only needs two exponentiations in G and two bilinear pairing computations, and the size of the secret key is constant. Furthermore, the CP-ABE scheme based on MDD in this paper can effectively resist collusion attacks in which attackers have multiple private keys.

Conclusion and Further Work
In this paper, we provide a new CP-ABE scheme based on MDD, which improves the efficiency and capability in many stages. Our scheme supports multi-valued attributes directly because of the access structure based on MDD. At the same time, the scheme allows for the collusion attacks in which the attacker has multiple private keys. Finally, compared with several other CP-ABE schemes, our scheme performs better in terms of the main computation of the KeyGen algorithm, the Decrypt algorithm and the size of the secret key.
In the future, it will be exciting work to explore approaches for improving the efficiency and capability of CP-ABE schemes, especially through improvements to the access structure. We can explore whether access structures based on Zero-Suppressed Binary Decision Diagrams and Algebraic Decision Diagrams can help to enhance the effectiveness of CP-ABE schemes.