
Received February 9, 2018, accepted March 18, 2018, date of publication March 28, 2018, date of current version April 23, 2018.


Digital Object Identifier 10.1109/ACCESS.2018.2820182

Improving Privacy and Security in Decentralizing Multi-Authority Attribute-Based Encryption in Cloud Computing
YAN YANG1,2 , XINGYUAN CHEN 1,2,3 , HAO CHEN4 , AND XUEHUI DU2
1 School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
2 Zhengzhou Information Science and Technology Institute, Zhengzhou 450001, China
3 State Key Laboratory of Cryptology, Beijing 100878, China
4 State Key Laboratory of Space-Ground Integrated Information Technology, China Academy of Space Technology, Beijing 100029, China

Corresponding author: Xingyuan Chen (chxy302@vip.sina.com)


This work was supported in part by the National High Technology Research and Development Program of China under Grant
2015AA016006 and in part by the National Key Research and Development Plan of China under Grant 2016YFB0501900.

ABSTRACT Decentralizing multi-authority attribute-based encryption (ABE) has been adopted to solve the problems that arise when confidential corporate data are shared in cloud computing. In decentralizing multi-authority ABE systems that do not rely on a central authority, collusion resistance is achieved with a global identifier, so user identity must be managed globally, which raises serious privacy and security problems. This paper develops a scheme that needs no central authority to manage users and keys; the only trust relation required is formed by exchanging public keys between attribute authorities (AAs). User identities are made globally unique by combining a user's identity with the identity of the AA where the user is located. When a key request must be made to an authority outside the domain, the authority of the user's own domain performs the request rather than the user, so user identities remain private from AAs outside the domain, which improves both privacy and security. The key issuing protocol between AAs is simple as a result of the trust relationship between AAs, and the scheme also supports adding authorities. The scheme is based on composite order bilinear groups, and a proof of security is given using the dual system encryption methodology.

INDEX TERMS Attribute-based encryption, decentralizing multi-authority attribute-based encryption, dual system encryption.

I. INTRODUCTION
Cloud computing lets users store sensitive data with untrusted remote cloud service providers to obtain scalable, on-demand services. The main security requirements that follow from this form of data storage and management are data confidentiality and privacy, which call for strong encryption with fine-grained access control. Attribute-based encryption (ABE) is an efficient encryption system with fine-grained access control for encrypting outsourced data in the cloud. When confidential corporate data are shared on cloud servers, the data are generated by several organizations and the access policies are defined by several authorities. Single-authority ABE cannot meet this demand for decentralized distribution, and decentralizing multi-authority ABE has been proposed to solve it.
In basic identity-based encryption (IBE) and ABE, all private keys are managed by one authorized centre. In practice this centre becomes a performance bottleneck under a large number of key requests, and it also concentrates attacks on a single target. Hierarchical IBE (HIBE) [1]–[7] and hierarchical ABE (HABE) [8]–[11], also called levelled multi-authority IBE and ABE, address this. Their main idea is to manage the authorized centre at several levels: domains or users at a higher level use their private keys to generate private keys for the domains or users at the level below. Applied over several levels, HIBE and HABE solve the key distribution

2169-3536 2018 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 6, 2018 Personal use is also permitted, but republication/redistribution requires IEEE permission. 18009
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Y. Yang et al.: Improving Privacy and Security in Decentralizing Multi-Authority ABE in Cloud Computing

load problem. Because roots are the ultimately trusted sources, the authorized centres at each level rest on a single trusted root. System efficiency also improves, because identity authentication and key transmission can be performed locally.
In basic ABE systems, the information shared always belongs to one domain or organization. In reality, however, information such as drivers' licences and university registration records is managed by different government departments. Attribute management and key distribution cannot be undertaken by one attribute authority, and access policies may be defined over attributes of different authorities. Levelled multi-authority ABE therefore cannot meet this distribution demand. Decentralizing multi-authority ABE solves the access problem in which a user's attributes belong to different authorities. Unlike the authorities of levelled multi-authority ABE, which share one trust root, these authorities have no trust between organizations, and attribute management and key distribution are always performed separately. For specific work reasons, such as sharing confidential corporate data on cloud servers, trust relationships can nevertheless be formed between organizations.
Single-authority ABE randomizes private keys: the secret value is split over the parts of the user's private key (one part per attribute), and decryption reconstructs the secret value. Each user's key is generated with different random and secretly shared values, so keys generated for different users cannot be combined, which prevents collusion attacks.
In decentralizing multi-authority ABE, a user's private keys can be generated by different authorities that do not communicate. The crucial technical challenge is therefore to construct a shared secret that resists collusion attacks. The global identifier (GID) and the central authority were introduced to resist collusion: all early schemes used a central authority to deliver the secret splitting, ensuring collusion resistance even when the authorities do not trust one another. A central authority, however, must be globally trustworthy. To avoid the security weaknesses that follow from a central authority, schemes without one have been published. These do not rely on a single trust centre, and although each authority distributes its own attributes and keys, they still need common supporting parameters distributed by related organizations, or complicated trust relationships must be formed between the authorities. In the early schemes the user's GID is published globally, which breaches user privacy. Some schemes use an anonymous key issuing protocol to enhance user privacy, but these protocols are usually complex.
OUR CONTRIBUTION: Our scheme is a decentralized multi-authority ABE that dynamically enhances privacy and security. No central authority is relied on to manage users and keys. Our scheme combines a user's identity with the identity of the attribute authority (AA) where the user is located. This yields globally unique user identifiers and thus solves the collusion resistance problem, and user identity management does not require a new management organization. In our scheme, when a user requests an attribute secret key for an attribute located outside the domain, the request to the target AA is made by the source AA of the user's domain rather than by the user, so user identities remain private from AAs outside the domain, avoiding privacy disclosure. The key issuing protocol between AAs is simple as a result of the trust relationship between AAs, and using the AA instead of the user to initiate attribute requests greatly improves efficiency and security. Only a few simple parameter exchanges occur, at the very early stage of constructing each attribute authority, and the trust relationship is formed only by sharing the public key between AAs. User management and key distribution are conducted by the AA within the domain, so the dynamic joining of an AA is supported. Dual system encryption is used to prove the security of our scheme.

II. LITERATURE REVIEW
A. LINEAR SECRET-SHARING SCHEMES
Definition 1 [12]: Let $P = \{P_1, P_2, \ldots, P_n\}$ be a set of parties. A secret sharing scheme $\Pi$ over $P$ is called a linear secret-sharing scheme (LSSS) over $\mathbb{Z}_p$ if the following requirements are met.
(1) The shares for each party form a vector over $\mathbb{Z}_p$.
(2) There exists a share-generating matrix $A$ for $\Pi$ with $l$ rows and $n$ columns, and $(A, \rho)$ represents an access structure $\mathbb{A}$. For $i = 1, \ldots, l$, the function $\rho$ maps row $i$ of $A$ to one participant $\rho(i) \in P$. Let $s$ be the secret and let $v_2, v_3, \ldots, v_n$ be $n-1$ values picked at random from $\mathbb{Z}_p$, forming the $n$-dimensional vector $v = (s, v_2, v_3, \ldots, v_n)$; then $A \cdot v = (c_1, c_2, \ldots, c_l)$ is the vector of $l$ shares of the secret $s$. Writing $A_i$ for the $i$th row of $A$, $c_i = A_i \cdot v$ is the share belonging to participant $\rho(i)$.
Linear reconstruction: let $\Pi$ be an LSSS for the access structure $\mathbb{A}$ and let $S \in \mathbb{A}$ be an authorized set. Define $I = \{i \mid \rho(i) \in S\}$. The vector $(1, 0, \ldots, 0)$ lies in the span of the rows of $A$ indexed by $I$, so there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ with $\sum_{i \in I} \omega_i A_i = (1, 0, \ldots, 0)$, and hence $\sum_{i \in I} \omega_i c_i = s$. For an unauthorized set no such constants exist.

B. COMPOSITE ORDER BILINEAR GROUPS
Definition 2 [13]: Let $N = p_1 p_2 p_3$ ($p_1$, $p_2$, $p_3$ distinct primes), let $G$ and $G_T$ be cyclic groups of order $N$, and let $g$ denote a generator of




$G$. Then $e : G \times G \to G_T$ is a composite order bilinear map with the following properties:
(1) Bilinear: $\forall a, b \in \mathbb{Z}_N$, $e(g^a, g^b) = e(g, g)^{ab}$.
(2) Non-degenerate: $\exists g \in G$ such that $e(g, g)$ has order $N$ in $G_T$.
(3) Computable: $\forall X, Y \in G$, the bilinear map $e(X, Y)$ is computable in polynomial time.
Let $G_{p_i}$ denote the subgroup of order $p_i$ in $G$. For all $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$ with $i \neq j$, $e(h_i, h_j) = 1$.

III. RELATED WORK
Research on decentralizing multi-authority ABE falls into two groups, central-authority and non-central-authority schemes. The most popular central-authority schemes are Chase07 and Müller-Katzenbeisser; Lewko-Waters, Chase09 and Lin-Cao are representative non-central-authority schemes.

A. CHASE07 SCHEME
In the Chase07 scheme [14], Chase presented a method that allows multiple independent attribute authorities to manage attributes and distribute keys. A message is encrypted such that a user can decrypt it only if he holds at least $d_k$ of the given attributes from each authority $k$, where the attributes belong to different authorities. The global identifier (GID) and the central authority originated in the Chase07 scheme to solve the collusion resistance problem of decentralizing multi-authority ABE. A trusted central authority ensures correct secret splitting among the different authorities, which yields collusion resistance, and no trust relationships need to be formed between the authorities. A user who holds the required attributes from all authorities can reconstruct the entire secret value and decrypt the ciphertext. This was the first use of a GID to bind a user's private keys together, making the user unique globally. The disadvantages of the Chase07 scheme can be summarized as follows. First, the central authority must be trusted under all circumstances. Second, the access policy is fixed: each user must be given a constant number of the attributes authorized by each authority. Third, extensibility is weak; once an authority is added, the keys must be replaced throughout the entire network. Lastly, users must submit their own GID to each authority, which causes privacy disclosure.

B. MÜLLER-KATZENBEISSER SCHEME
Müller et al. [15] offered a different system with a centralized authority that realizes any LSSS access structure. Unlike in Chase07, the central authority here is mainly used to generate the public and private keys of each user and to bind those keys to the users' identities. Decryption needs both the private key and the secret attribute keys. A user's private key is generated by a central authority that is unique within the network, which ensures that the attributes are related to the same user, so the full decryption process can be performed. Collusion resistance follows because each user obtains from the authority a different secret attribute key relative to his own private key. Bilinear pairings are used to realize access policies in disjunctive normal form (DNF), such as $(a_1 \wedge a_2) \vee a_3$, and complex access policies that cannot be handled by ciphertext-policy ABE (CP-ABE) are handled easily. In the Müller-Katzenbeisser scheme, the attribute authorities do not need to build trust relationships, and extensibility, meaning the flexibility to add new users or attribute authorities at any time, is good. Two disadvantages can be summarized. First, access policies must be presented in DNF. Second, complex access policies cannot be fully supported.

C. LEWKO-WATERS SCHEME
Lewko and Waters [16] presented a decentralizing multi-authority ABE that does not rely on a central authority. The secret value is split over the attributes required by the access policy, using monotone Boolean formulas and monotone span programs to construct linear secret-sharing schemes. For decryption, the required attributes must belong to the same user: the system uses the GID to bind the different attributes of a user together, so separate users cannot collude using their own attributes. The Lewko-Waters scheme removes the central authority, avoiding the performance bottleneck and trust problems that a central authority brings, which are crucial improvements in efficiency and security. Each authority works completely independently, so failure or disruption of some authorities does not affect the others, which makes the system much more robust. Apart from the initial set of public parameters built by all authorities, the authorities need not build trust relationships with each other in advance. In addition, policies described by access trees allow more complex access policies to be supported. Although the Lewko-Waters scheme needs no central authority, it depends on the uniqueness of the user through the GID; to maintain the validity of the GID, each authority must be supported by a GID organization that manages users' identities, and the globally published GID breaches user privacy.

D. OTHER SCHEMES
Lin08 is a threshold-based scheme with non-central authorities presented by Lin et al. [17]. Its weakness is that the set of authorities is fixed beforehand and they must interact through complex protocols during system setup. Collusion resistance requires that the number of users not exceed a system parameter chosen at setup, and operational cost and key storage scale with that parameter. In addition, the user's GID is again published globally.
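The following Python example is added here to make Definition 1 of Section II.A concrete; it is not code from the paper. It builds the share-generating matrix $(A, \rho)$ for the access policy of Section IV.A with the monotone-formula-to-LSSS method of Lewko and Waters referred to in Section III.C, shares a secret $s$ as $c_i = A_i \cdot v$ with $v = (s, v_2, \ldots, v_n)$, and recovers $s$ for an authorized set by solving for the constants $\omega_i$; for an unauthorized set the solve has no solution. Assumptions that are mine: the prime P standing in for the order of the share space, the attribute names, and the encoding of the policy as nested tuples. The last function also shares a vector whose first entry is 0, as Encrypt in Section V.B does with $\omega$, and shows that the same $\omega_i$ reduce those shares to 0.

```python
"""LSSS share generation and reconstruction over Z_p (Definition 1).

Added example, not the paper's code.  The policy of Section IV.A is turned
into a share-generating matrix (A, rho), a secret s is shared row by row as
c_i = A_i . v with v = (s, v_2, ..., v_n), and an authorized set recovers s
through constants omega_i found by solving a linear system.
"""
import random

P = (1 << 127) - 1   # assumption: a prime standing in for the order of the share space


def policy_to_lsss(policy):
    """Monotone formula -> (rows, rho) by the Lewko-Waters method: the root gets
    vector (1); an OR gate copies the parent vector to both children; an AND gate
    gives its children (v | 1) and (0 ... 0 | -1), growing the width by one.
    policy is an attribute string or a tuple ('and', x, y) / ('or', x, y)."""
    rows, rho = [], []
    width = [1]                       # current vector length (number of columns)

    def walk(node, vec):
        if isinstance(node, str):
            rows.append(vec)
            rho.append(node)
        elif node[0] == 'or':
            walk(node[1], vec)
            walk(node[2], vec)
        elif node[0] == 'and':
            width[0] += 1
            c = width[0]
            walk(node[1], vec + [0] * (c - 1 - len(vec)) + [1])
            walk(node[2], [0] * (c - 1) + [P - 1])       # -1 mod P
        else:
            raise ValueError(f'bad policy node {node!r}')

    walk(policy, [1])
    n = width[0]
    return [r + [0] * (n - len(r)) for r in rows], rho


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def share(rows, secret, rng=random):
    """c_i = A_i . v with v = (secret, v_2, ..., v_n) and v_j random in Z_p."""
    v = [secret % P] + [rng.randrange(P) for _ in range(len(rows[0]) - 1)]
    return [dot(r, v) for r in rows]


def solve_mod_p(mat, rhs):
    """Gauss-Jordan over Z_p: x with mat . x = rhs, or None if inconsistent."""
    m, k = len(mat), len(mat[0])
    aug = [list(r) + [b] for r, b in zip(mat, rhs)]
    pivots, row = [], 0
    for col in range(k):
        piv = next((i for i in range(row, m) if aug[i][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, P)
        aug[row] = [x * inv % P for x in aug[row]]
        for i in range(m):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[i][k] for i in range(row, m)):   # a row 0 = nonzero: no solution
        return None
    x = [0] * k
    for i, col in enumerate(pivots):
        x[col] = aug[i][k]
    return x


def reconstruction_constants(rows, rho, attrs):
    """{i: omega_i} with sum_i omega_i * A_i = (1, 0, ..., 0) over the rows
    labelled by attrs, or None when attrs is not an authorized set."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    n = len(rows[0])
    transposed = [[rows[i][col] for i in idx] for col in range(n)]   # n x |idx|
    sol = solve_mod_p(transposed, [1] + [0] * (n - 1))
    return None if sol is None else dict(zip(idx, sol))


def reconstruct(shares, rows, rho, attrs):
    """sum_{i in I} omega_i * c_i, which equals the secret for an authorized set."""
    omega = reconstruction_constants(rows, rho, attrs)
    return None if omega is None else sum(w * shares[i] for i, w in omega.items()) % P


def shares_of_zero_cancel(rows, rho, attrs, rng=random):
    """Encrypt in Section V.B also computes w_x = A_x . w for a random w whose
    first entry is 0; the omega_i that recover s turn those w_x into 0."""
    w = [0] + [rng.randrange(P) for _ in range(len(rows[0]) - 1)]
    return reconstruct([dot(r, w) for r in rows], rows, rho, attrs)


# constructed policy: ((developer at A) OR (lecturer at B)) AND (member of C)
POLICY = ('and', ('or', 'corpA:developer', 'univB:lecturer'), 'assocC:member')


def demo(secret=123456789):
    rows, rho = policy_to_lsss(POLICY)
    shares = share(rows, secret)
    ok = reconstruct(shares, rows, rho, {'corpA:developer', 'assocC:member'})
    bad = reconstruct(shares, rows, rho, {'corpA:developer', 'univB:lecturer'})
    return ok, bad                    # (123456789, None)


if __name__ == '__main__':
    print(demo())
```

For the constructed policy the matrix comes out as rows (1, 1), (1, 1), (0, -1), so a developer at A together with a member of C reconstructs with $\omega = (1, 1)$, while the two OR branches alone only span (1, 1) and cannot reach $(1, 0)$. The same solver is what a decryptor runs over the rows of the ciphertext's access matrix that its keys cover.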




Chase et al. [18] presented the Chase09 scheme, which does not use a central authority. Chase09 follows Chase07 for secret splitting but reconstructs the secret values without a central authority; negotiating the key parameters and building trust relationships between authorities is, however, complicated. Chase09 also designs an anonymous key issuing protocol that reveals no information about the GID to the authority, but that protocol is also complex.
Rahulamathavan et al. [19] presented a decentralized multi-authority ABE without a central authority, the Rahulamathavan-Veluru scheme. It exploits the anonymous key issuing protocol of Chase09 to strengthen the binding between decryption keys and the GID and to preserve user privacy. Its disadvantage is that the protocol still requires many rounds of interaction and multiple key parameters must be set up.

IV. MODEL DEFINITION
A. SCHEME MODEL
In cloud computing, a system may be developed jointly by an information security corporation, a university and a security association, and the data generated are encrypted and then stored with cloud services. The data are generated by several authorities, and a data access policy can be defined such as
(((developer at corporation A) OR (lecturer at university B)) AND (member of security association C)).
As the system develops, the access policy may change constantly with the data, requiring attributes from one authority or from several. Assume the corporation, the university and the association are separate administrative domains, and that because of their collaborative work a trust domain is constructed by those parties. In this article, an administrative domain is defined as a single authority. A trust domain is formed by multiple administrative domains; because information is exchanged securely between the domains, cooperative work and resource sharing can be achieved. The scheme model is shown in Figure 1. The core of the model is the administrative domain, and each administrative domain contains one or more attribute authorities.
Attribute Authority (AA): Each domain's AA administers its own users and attributes, generates the attribute public keys, and distributes user attribute secret keys to users. Each AA has its own public and secret keys; the public keys serve as the authentication between different AAs, and the secret keys are used to generate the attribute public keys and the user attribute secret keys.
Users: The users of each domain are served by their own authority, and the GID of a user is the combination of the AA identity and the user identity inside the domain ($ID_{AA} \,\|\, ID_u$). A user's GID is therefore unique throughout the entire trust domain. This identifier properly solves the collusion resistance problem, and user identity management need not be offered by a specific organization.
FIGURE 1. Scheme Model.
Attribute: An attribute identifier consists of an AA identity and an attribute identity inside the domain ($ID_{AA} \,\|\, ID_A$), so each attribute identifier is unique throughout the entire trust domain. Each attribute has a public key, distributed by its AA and used to encrypt messages.
UserAttributeKey: User attribute secret keys bind a user's attributes and identity together; they are used for decryption and to verify the attributes distributed to the user. For collusion resistance, each user requires a different user attribute secret key.

B. FLOW OF ATTRIBUTE AUTHORIZATION
The attributes distributed to a user may belong to different AAs, but those AAs belong to the same trust domain. The AA of each administrative domain can distribute user attribute secret keys to users inside and outside its domain. Because the AA of an administrative domain knows the privileges of its own users, user privileges in the administrative domain are managed by the AA within that domain; keys distributed to users outside the domain are handled by the domain-to-domain AA protocol.
The detailed process is as follows.
(1) When a user requests an attribute outside the domain, the request is first made to the AA within the user's own domain.
(2) Whether a request is sent to the target domain depends on the legality of the application, which is checked within the user's own domain.
(3) When the AA of the target domain receives a request, it decides whether the requesting AA belongs to the same trust domain. If so, the legality of the user's attribute request is checked and the user attribute secret keys are generated; otherwise the request is declined.
(4) When the requesting AA receives the user attribute secret key from the target AA, the key is forwarded to the user, who can then perform the corresponding access.
The attribute public keys are distributed by the AA within the domain. The key distribution and the above process are illustrated in Figure 2. The detailed domain-to-domain key distribution process is given in the key issuing protocol of Section V.C.




FIGURE 2. Key distribution scheme and process.

C. SCHEME DEFINITION
The scheme presented in this paper is implemented by the following six algorithms.
(1) Global Setup: The Global Setup algorithm produces the global parameters (GP) shared between the AAs.
(2) Authority Setup: Each AA runs the Authority Setup algorithm with GP and the AA identity as inputs to generate its own public and secret key pair. When trust relationships are to be formed between AAs, the AAs exchange their public keys.
(3) RequestAttributePK: For each attribute of the domain, the AA executes the RequestAttributePK algorithm to generate the attribute public key used for message encryption.
(4) KeyGenUserAttribute: The KeyGenUserAttribute algorithm produces a user attribute secret key at an AA. It is divided into two key request algorithms, in-domain and outside-domain. When the user applies for an attribute in the domain, the AA of that domain generates the user attribute secret key according to the user's GID. When the user applies for an attribute outside the domain, the AA of the current domain initiates the request to the target domain on the user's behalf, and the target uses the value $H_2(GID)$ to generate the user attribute secret key. In both cases the user attribute secret key is bound to the user's GID.
(5) Encrypt: The encryption algorithm takes the message $M$, GP, an $n \times l$ access matrix $A$ and the attribute public keys for the access matrix, and outputs the ciphertext (CT).
(6) Decrypt: The decryption algorithm takes CT, GP and the set of user attribute secret keys of one user. If the user's attributes satisfy the access matrix, decryption can be performed.

D. SECURITY DEFINITION
We define a game between a challenger and an attacker for the security of the model in this paper. $S$ denotes the set of authorities, and the attacker is assumed to be able to obtain the public keys of corrupt authorities. The challenger plays the role of the AAs.
(1) Setup: The Global Setup algorithm is run, and the attacker specifies a set $S' \subseteq S$ of corrupt authorities. For the non-corrupt authorities, the challenger runs the RequestAttributePK algorithm and sends the attribute public keys to the attacker.
(2) Key Query Phase 1: The attacker requests user attribute secret keys by submitting pairs $(i, GID)$ to the challenger, where $i$ is an attribute belonging to a good (non-corrupt) authority. The challenger responds with the corresponding key $SK_{i,u}$. The attacker may not request a set of keys that, combined with the keys of the corrupt AAs, could decrypt the challenge ciphertext, and the GID in a request may not belong to a corrupt AA.
(3) Challenge Phase: The attacker specifies two messages, $M_0$ and $M_1$, and an access matrix $(A, \rho)$. The challenger flips a random coin $\beta \in \{0, 1\}$ and sends an encryption of $M_\beta$ under the access matrix $(A, \rho)$ to the attacker.
(4) Key Query Phase 2: Identical to Key Query Phase 1; the attacker may continue to submit key queries subject to the same restriction.
(5) Guess: The attacker submits a guess $\beta'$ for $\beta$. The attacker's advantage in this game is defined as $\left|\Pr[\beta' = \beta] - \tfrac{1}{2}\right|$.
Definition 3 (Security Definition): A decentralized multi-authority ABE system is secure if every polynomial-time attacker has at most a negligible advantage in the game above.

V. SCHEME CONSTRUCTION
A. BASIC CONCEPT
The core of decentralizing multi-authority ABE is collusion resistance: users' keys must be separated across multiple authorities. In the Chase07 scheme, the secret value is sliced into the private keys given to the user, and decryption reconstructs the secret values of each domain and then globally. This secret-slicing method suits simple access policies where the attribute authorities are relatively stable. In the Lewko-Waters scheme, the secret value is sliced over the attributes of the access policy; the access policy need not be considered during key distribution, and the secret shares are located in the access policy of the ciphertext, so the scheme is flexible and can change with the demands of the data.
Our scheme uses the secret-slicing method of the Lewko-Waters scheme as a reference to build a flexible access policy. Although the Lewko-Waters scheme uses no central authority, it still relies on user identity management offered by a relevant management centre to ensure that users' identities are globally unique. Once a user's identity is published globally, privacy and security issues appear: a user outside the domain requests a key from the AA directly, which creates security and reliability issues for the user and increases the AA's workload. Users must also submit their own GID to each authority, so the authorities can collect complete information on users through their GIDs, which harms privacy once the GIDs are used to recover user information.




In our scheme, user identities are globally unique, and user identity management need not be offered by related organizations. For privacy and security, identity management and use occur entirely inside the domains, and user identities are not published globally. Requests for keys outside a domain are made by an attribute authority rather than by users, so the number of key applications from outside a domain drops sharply, and so does the chance of cheating users. Attribute public keys do not require a pair of random numbers per attribute; only the public and secret keys of the AA are needed, which makes the algorithm simpler and reduces the operating complexity of the system. Only a few simple parameter exchanges occur, at the very early stage of constructing each attribute authority.

B. CONSTRUCTION
Let $N = p_1 p_2 p_3$ ($p_1$, $p_2$ and $p_3$ distinct primes), let $G$ and $G_T$ be bilinear groups of order $N$, and let $e : G \times G \to G_T$ be a bilinear map. $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ denote the subgroups of $G$ of order $p_1$, $p_2$ and $p_3$, respectively. Two hash functions $H_1$ and $H_2$ are modelled as random oracles: $H_1 : \{0,1\}^* \to \mathbb{Z}_N$ maps an AA identifier or attribute identifier to a random exponent, and $H_2 : \{0,1\}^* \to G_{p_1}$ maps an AA identifier or user identifier to a random element of $G_{p_1}$. In addition, a finite family of hash functions $H_{x_a} : \{0,1\}^* \to \mathbb{Z}_N$ is defined, from which each AA picks one member uniformly at random; the index $x_a$ of the chosen function is part of the AA's secret key. Like other ABE schemes built on composite-order bilinear groups, the operational scheme works entirely within the subgroup $G_{p_1}$ of $G$; the subgroups $G_{p_2}$ and $G_{p_3}$ are used only in the security proof, to construct semi-functional keys and semi-functional ciphertexts, and play no role in practice.
(1) GlobalSetup$(\lambda) \to GP$: Given the security parameter $\lambda$, choose a bilinear group $G$ of order $N$. GP consists of $N$, a generator $g_1$ of $G_{p_1}$, and the random oracles $H_1$ and $H_2$.
(2) AuthoritySetup$(GP, a) \to (PK_a, SK_a)$: Given GP and the AA identity $ID_{AA}$, the AA chooses a random exponent $s_a \in \mathbb{Z}_N$ and a hash function $H_{x_a} : \{0,1\}^* \to \mathbb{Z}_N$ uniformly at random from the finite family; the index $x_a$ of the chosen function is kept secret. The secret key of AA $a$ is $SK_a = \{s_a, x_a\}$ and its public key is $PK_a = g_1^{s_a H_1(ID_{AA})}$.
(3) RequestAttributePK$(GP, ID_i, SK_a) \to PK_i$: The attribute public key is generated by the AA from GP, the attribute identifier and the AA secret key as
$PK_i = \{PK'_i = e(g_1, g_1)^{s_a H_{x_a}(ID_i)},\; PK''_i = g_1^{H_{x_a}(ID_i)}\}$, with $ID_i = ID_{AA} \,\|\, ID_A$.
The attribute identifier $ID_i$ consists of the identity $ID_{AA}$ of the AA that manages the attribute and the attribute identity $ID_A$ inside that domain. The attribute identifier is unique within the entire trust domain, so the public key of each attribute is also unique within the trust domain. Because the attribute public key is derived from the AA's secret key, its authenticity is also ensured.
(4) KeyGenUserAttribute1$(GID, ID_i, ID_{AA}, SK_a, GP) \to SK_{i,u}$: The AA generates the user attribute secret key for a user inside the domain from the user's GID, the attribute identifier, the AA identity, GP and the AA's secret key:
$SK_{i,u} = g_1^{s_a H_{x_a}(ID_i)} \cdot H_2(GID)^{H_{x_a}(ID_i)} \cdot H_2(ID_{AA})$, with $GID = ID_{AA} \,\|\, ID_u$.
The GID is the user's global identifier and consists of the AA identity and the user identity $ID_u$ inside the domain. The GID is unique throughout the entire trust domain, which also ensures that each user receives a different user attribute secret key. $ID_i$ is the identifier of the attribute the user applies for. For an attribute inside the domain, the AA first checks that the attribute belongs to it, then checks the user's identity, and then generates $SK_{i,u}$.
(5) KeyGenUserAttribute2$(H_2(GID), ID_i, ID_{AA}, SK_a, GP) \to SK_{i,u}$: This algorithm generates the user attribute secret key at an AA outside the user's domain. When the attribute requested by the user belongs to another domain, the AA of the user's domain initiates the request to the target AA; the request carries $H_2(GID)$ instead of the GID, for privacy. The target AA checks the identity of the requesting AA and, once it is shown to be trusted, generates the user attribute secret key. When the requesting AA obtains the key, it checks its validity using the public key of the requested attribute. The detailed process is described in the key issuing protocol of Section V.C.
(6) Encrypt$(M, (A, \rho), GP, \{PK\}) \to CT$: The encryption algorithm takes the message $M$, GP, and an $n \times l$ access matrix $A$; $\rho$ maps each row of $A$ to an attribute, and the public keys of those attributes are fetched. A random $s \in \mathbb{Z}_N$ is picked, together with a random vector $v \in \mathbb{Z}_N^l$ whose first entry is $s$. Let $\lambda_x = A_x \cdot v$, where $A_x$ is row $x$ of $A$. Another random vector $\omega \in \mathbb{Z}_N^l$ whose first entry is $0$ is picked; let $\omega_x = A_x \cdot \omega$. A random

18014 VOLUME 6, 2018


r_x ∈ Z_N is picked for each row A_x of the access matrix A. The cipher-text is then computed as

C_0 = M e(g_1, g_1)^s,
C_{1,x} = e(g_1, g_1)^{λ_x} (PK'_i)^{r_x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{s_{a_{ρ(x)}} H_{x_{a_{ρ(x)}}}(ID_{ρ(x)})})^{r_x},
C_{2,x} = g_1^{r_x},
C_{3,x} = g_1^{r_x} g_1^{ω_x},
C_{4,x} = (PK''_i)^{r_x} g_1^{ω_x} = (g_1^{H_{x_{a_{ρ(x)}}}(ID_{ρ(x)})})^{r_x} g_1^{ω_x}, ∀x.

(7) Decrypt(CT, GP, {SK_{i,u}}) → M: The decryption algorithm inputs the cipher-text CT, GP, and the user attribute secret key set of one user. Decryption succeeds once the user holds user attribute secret keys that satisfy the access matrix used during encryption.

Assume the cipher-text is encrypted under the access matrix (A, ρ). To decrypt the message, H_2(GID) and H_2(ID_AA) can be computed from the random oracle, where ID_AA is the identity of the AA at the user's location. If the user has the user attribute secret keys SK_{ρ(x),u} for a subset of rows A_x of A such that (1, 0, ..., 0) is in the span of those rows, then for each such x the following is computed:

C_{1,x} · e(H_2(GID), C_{4,x}) · e(H_2(ID_AA), C_{3,x}) / e(SK_{ρ(x),u}, C_{2,x}) = e(g_1, g_1)^{λ_x} e(H_2(GID), g_1^{ω_x}) e(H_2(ID_AA), g_1^{ω_x}).

Having chosen constants c_x ∈ Z_N such that Σ_x c_x A_x = (1, 0, ..., 0), this yields

∏_x (e(g_1, g_1)^{λ_x} e(H_2(GID), g_1)^{ω_x} e(H_2(ID_AA), g_1)^{ω_x})^{c_x} = e(g_1, g_1)^s

(since λ_x = A_x · v and ω_x = A_x · ω, where v · (1, 0, ..., 0) = s and ω · (1, 0, ..., 0) = 0). The message can therefore be obtained as M = C_0 / e(g_1, g_1)^s.

If the user with the same GID and ID_AA satisfies the access tree, the factors e(H_2(GID), g_1) and e(H_2(ID_AA), g_1) cancel. In addition, as a matter of security, ID_AA is verified to ensure that the target AA that distributed the key to a user outside its domain only ever receives the value H_2(GID). This also prevents collusion when the attributes belong to different AAs.

FIGURE 3. Key issuing protocol outside domain.

C. KEY ISSUING PROTOCOL
Our scheme divides the generation of the user attribute secret key into two categories, to solve the privacy problem that arises when a user's GID is published globally. If the user is applying for an attribute inside the domain, the AA in that domain generates the user attribute secret key according to the GID of the user. If the attribute that the user requests is outside the domain, the request is made by the source AA in the user's domain to the target AA rather than by the user. Thus, user identities remain private to the AAs outside the domain, avoiding privacy disclosure. As shown in Figure 3, the detailed process is as follows.

(1) If the current AA_1 requests the user attribute secret key from the target AA_2, the submitted information includes H_2(GID), ID_i and ID_{AA_1}. H_2(GID) replaces GID for privacy, so that neither the user identity nor its construction within the domain is published.

(2) Moreover, a verification value C_u = g_1^{s_{a_1} H_1(ID_i)} H_2(GID), which is encrypted under the secret key of AA_1, is passed to AA_2. s_{a_1} is the secret key of AA_1.

(3) Once AA_2 has received the request, it verifies whether

e(g_1, C_u)^{H_1(ID_{AA_1})} = e(g_1, PK_{AA_1})^{H_1(ID_i)} e(g_1, H_2(ID_u))^{H_1(ID_{AA_1})}

to judge whether the request comes from AA_1, which is trusted.

(4) The user attribute secret key is generated upon verification:

SK_{i,u} = g_1^{s_a H_{x_a}(ID_i)} H_2(GID)^{H_{x_a}(ID_i)} H_2(ID_{AA_1}),

where s_a and x_a are the secret keys of AA_2.

(5) Once AA_1 receives the user attribute secret keys, the correctness of the keys can be verified by

e(g_1, SK_{i,u}) = PK'_i · e(PK''_i, H_2(ID_u)) · e(g_1, H_2(ID_{AA_1})).
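The key issuing protocol above and the Encrypt/Decrypt algorithms of Part B, worked through in an added example that is not part of the paper: a toy Python model in which every group element is represented by its exponent modulo a constructed prime N, so the pairing becomes multiplication of exponents and the scheme's verification and decryption equations can be checked directly. The hash-family size, the identifiers (AA1, AA2, alice, bob, attr_a, attr_b), the two-row AND access matrix and the evaluation of the step 3 check on H_2(GID), the value the request carries, are assumptions of this example.

```python
# Added example (not the paper's code): toy algebraic model of the key issuing
# protocol (Section V.C) and of Encrypt/Decrypt (Section V.B). Elements of G and
# G_T are represented by their exponents modulo N, so e(g1^a, g1^b) = e(g1,g1)^(ab)
# becomes a*b mod N and a product of elements becomes a sum of exponents. The
# equations are reproduced exactly, but discrete logs are known by construction.
import hashlib
import secrets

N = 2**127 - 1  # constructed prime standing in for the group order N

def _h(tag: bytes, s: str) -> int:
    return int.from_bytes(hashlib.sha256(tag + s.encode()).digest(), "big") % N

def H1(s: str) -> int: return _h(b"H1|", s)                 # H1 : {0,1}* -> Z_N
def H2(s: str) -> int: return _h(b"H2|", s)                 # H2 : {0,1}* -> G_p1 (exponent of g1)
def Hx(x: int, s: str) -> int: return _h(b"Hx|%d|" % x, s)  # member x of the family H_{x_a}
def e(u: int, v: int) -> int: return (u * v) % N            # pairing in the exponent model

class AA:
    """Attribute authority with SK_a = (s_a, x_a) and PK_a = g1^{s_a H1(ID_AA)}."""

    def __init__(self, id_aa: str, family_size: int = 1024):
        self.id, self.s = id_aa, secrets.randbelow(N)           # s_a
        self.x = secrets.randbelow(family_size)                 # x_a, index into the hash family
        self.pk = (self.s * H1(id_aa)) % N                      # PK_a
        self.trusted = {}                                       # ID_AA -> PK_AA of trusted peers

    def attr_pk(self, id_i: str):
        """PK'_i = e(g1,g1)^{s_a H_xa(ID_i)}, PK''_i = g1^{H_xa(ID_i)} (as used by Encrypt)."""
        h = Hx(self.x, id_i)
        return (self.s * h) % N, h

    def keygen(self, h2_gid: int, id_i: str, id_aa_user: str) -> int:
        """SK_{i,u} = g1^{s_a H_xa(ID_i)} H2(GID)^{H_xa(ID_i)} H2(ID_AA) (step 4)."""
        h = Hx(self.x, id_i)
        return (self.s * h + h2_gid * h + H2(id_aa_user)) % N

    def request_outside(self, id_u: str, id_i: str, target: "AA") -> int:
        """AA1 side of Figure 3: steps 1 and 2, then the key check of step 5."""
        h2_gid = H2(self.id + "||" + id_u)          # GID = ID_AA || ID_u; only H2(GID) leaves the domain
        cu = (self.s * H1(id_i) + h2_gid) % N       # C_u = g1^{s_a1 H1(ID_i)} H2(GID)
        sk = target.serve_request(h2_gid, id_i, self.id, cu)
        pk1, pk2 = target.attr_pk(id_i)             # e(g1,SK) = PK'_i e(PK''_i,H2(GID)) e(g1,H2(ID_AA1))
        if e(1, sk) != (pk1 + e(pk2, h2_gid) + e(1, H2(self.id))) % N:
            raise ValueError("key returned by %s failed verification" % target.id)
        return sk

    def serve_request(self, h2_gid: int, id_i: str, id_aa1: str, cu: int) -> int:
        """AA2 side of Figure 3: the step 3 check, then step 4 key generation."""
        pk_aa1 = self.trusted.get(id_aa1)
        if pk_aa1 is None:
            raise PermissionError("untrusted authority " + id_aa1)
        # e(g1,C_u)^{H1(ID_AA1)} == e(g1,PK_AA1)^{H1(ID_i)} e(g1,H2(GID))^{H1(ID_AA1)},
        # evaluated on the H2(GID) the request carries: AA2 never learns ID_u.
        lhs = (e(1, cu) * H1(id_aa1)) % N
        rhs = (e(1, pk_aa1) * H1(id_i) + e(1, h2_gid) * H1(id_aa1)) % N
        if lhs != rhs:
            raise PermissionError("request is not bound to the secret key of " + id_aa1)
        return self.keygen(h2_gid, id_i, id_aa1)

def encrypt(m: int, rows) -> list:
    """Encrypt(M, (A, rho), GP, {PK}) with rows = [(A_x, (PK'_i, PK''_i))]; returns exponents."""
    l = len(rows[0][0])
    s = secrets.randbelow(N)
    v = [s] + [secrets.randbelow(N) for _ in range(l - 1)]  # first entry s
    w = [0] + [secrets.randbelow(N) for _ in range(l - 1)]  # first entry 0
    ct = [(m + s) % N]                                      # C_0 = M e(g1,g1)^s
    for ax, (pk1, pk2) in rows:
        lam = sum(a * b for a, b in zip(ax, v)) % N         # lambda_x = A_x . v
        wx = sum(a * b for a, b in zip(ax, w)) % N          # omega_x = A_x . omega
        r = secrets.randbelow(N)                            # r_x
        ct.append(((lam + pk1 * r) % N, r, (r + wx) % N, (pk2 * r + wx) % N))  # C_1..C_4
    return ct

def decrypt(ct, gid: str, id_aa: str, sks, coeffs) -> int:
    """Decrypt(CT, GP, {SK}) with constants c_x such that sum_x c_x A_x = (1,0,...,0)."""
    h2g, h2a = H2(gid), H2(id_aa)
    acc = 0
    for (c1, c2, c3, c4), sk, cx in zip(ct[1:], sks, coeffs):
        term = (c1 + e(h2g, c4) + e(h2a, c3) - e(sk, c2)) % N   # lambda_x + omega_x (h_GID + h_AA)
        acc = (acc + cx * term) % N                             # equals s once the shares combine
    return (ct[0] - acc) % N                                    # M = C_0 / e(g1,g1)^s

def demo(m: int = 4242):
    """Alice (domain AA1) decrypts 'attr_a AND attr_b'; Bob's attr_b key does not help her."""
    aa1, aa2 = AA("AA1"), AA("AA2")
    aa2.trusted[aa1.id] = aa1.pk                         # the trust relation: AA2 holds PK_AA1
    gid = aa1.id + "||alice"
    sk_a = aa1.keygen(H2(gid), "attr_a", aa1.id)         # attribute inside the domain
    sk_b = aa1.request_outside("alice", "attr_b", aa2)   # attribute outside the domain
    # LSSS for "attr_a AND attr_b": A = [[1, 1], [0, -1]], reconstruction constants (1, 1)
    rows = [([1, 1], aa1.attr_pk("attr_a")), ([0, N - 1], aa2.attr_pk("attr_b"))]
    ct = encrypt(m, rows)
    ok = decrypt(ct, gid, aa1.id, [sk_a, sk_b], [1, 1]) == m
    bob_b = aa1.request_outside("bob", "attr_b", aa2)    # a different GID
    collusion = decrypt(ct, gid, aa1.id, [sk_a, bob_b], [1, 1]) == m
    return ok, collusion                                 # (True, False)
```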


D. SECURITY

1) BASIC CONCEPT
The proof of the security of our scheme is based on the dual system encryption of Waters [6]. In a dual system, keys and cipher-texts come in two forms: normal and semi-functional. A normal key can decrypt both a normal cipher-text and a semi-functional cipher-text. A semi-functional key, however, can only decrypt a normal cipher-text and cannot decrypt a semi-functional cipher-text.

A crucial problem for dual system encryption is to ensure that game k and game k − 1 are hard to distinguish. The simulator could test whether a key is semi-functional by using it to decrypt a semi-functional cipher-text for the same identity. Therefore, dual system encryption requires that neither the simulator nor the attacker can judge whether a key is semi-functional by such a test. Lewko and Waters [7] presented a method to solve this problem using nominally semi-functional keys or cipher-texts. In the attack game, although the simulator can convert the k-th key to a semi-functional key, only one nominally semi-functional key can be constructed, and that key can decrypt the semi-functional cipher-text. Therefore, that key cannot be distinguished from a normal key.

Following the theory of Lewko and Waters [7], Lewko et al. [20] used the orthogonality of composite-order bilinear groups to develop further types of n
ominally semi-functional cipher-texts and semi-functional keys. For Type 1 semi-functional cipher-texts and semi-functional keys, a random value z_i is defined per attribute. An attacker cannot use a Type 1 semi-functional key to decrypt the challenge cipher-text, and the only information that he can obtain in theory is information related to the value z_i, which is still quite limited. However, if the attribute has been used many times, most of the z_i value can also be obtained by the attacker. Therefore, no more than one semi-functional key of Type 1 is used in the security game, and the remaining semi-functional keys are all of Type 2, which avoids the potential hazard of revealing the value of z_i. This is also reflected in the definition of the security game.

The Lewko-Waters scheme [14] also uses the method of nominally semi-functional cipher-texts and semi-functional keys. However, two semi-functional subgroups have been introduced to support multiple authorities, and these subgroups differ from the semi-functional subgroups in the Lewko scheme [20]. A problem remains in the Lewko-Waters scheme, whereby a large number of random values are revealed once the attacker frequently uses Type 2 semi-functional keys, because the random value in each subgroup is the core parameter of each user attribute secret key. Therefore, in our scheme, Type 2 semi-functional keys are redesigned, not only to retain their functionality but also so that the core parameters of the user attribute secret key are no longer contained in a Type 2 semi-functional key.

2) COMPLEXITY ASSUMPTIONS
Four complexity assumptions are used in the proof of the security of our scheme. G and G_T are bilinear groups of order N = p_1 p_2 p_3, and e represents a bilinear map e : G × G → G_T. Assumptions 1-3 are assumptions 1-3 of the Lewko-Waters scheme. Assumption 4 is based on assumption 3 of the Lewko scheme [20], which simplifies the proof of Lemma 4. The derivations of the given assumptions are discussed in the Lewko-Waters [14] and Lewko [20] papers.

Assumption 1: A random generator g_1 is picked from G_{p1}; N, G, G_T, e, and g_1 are given. A random element T_1 is picked from G, and a random element T_2 is picked from G_{p1}. The assumption holds if no polynomial time algorithm can distinguish T_1 ∈ G from T_2 ∈ G_{p1}.

Assumption 2: Random generators g_1 and X_1 are picked from G_{p1}, a random generator X_2 is picked from G_{p2}, and a random generator g_3 is picked from G_{p3}; N, G, G_T, e, g_1, g_3, X_1 and X_2 are given. A random element T_1 is picked from G_{p1}, and a random element T_2 is picked from G_{p1 p2}. The assumption holds if no polynomial time algorithm can distinguish T_1 ∈ G_{p1} from T_2 ∈ G_{p1 p2}.

Assumption 3: Random generators g_1 and X_1 are picked from G_{p1}, a random generator Y_2 is picked from G_{p2}, and random generators X_3 and Y_3 are picked from G_{p3}; N, G, G_T, e, g_1, X_1, X_3, Y_2 and Y_3 are given. A random element T_1 is picked from G_{p1 p2}, and a random element T_2 is picked from G_{p1 p3}. The assumption holds if no polynomial time algorithm can distinguish T_1 ∈ G_{p1 p2} from T_2 ∈ G_{p1 p3}.

Assumption 4: A random generator g_1 is picked from G_{p1}, random generators X_2, Y_2, and Z_2 are picked from G_{p2}, and a random generator X_3 is picked from G_{p3}. Two elements a and b are picked randomly from Z_N; N, G, G_T, e, g_1, g_1^a, X_2, X_3, g_1^b, Y_2, and Z_2 are given. Let T_1 = e(g_1, g_1)^{ab}, and let T_2 be a random element of G_T. The assumption holds if no polynomial time algorithm can distinguish T_1 from T_2.

3) PROOF OF SECURITY
Theorem 1: If Assumptions 1-4 hold, our scheme is secure.

The detailed proof of Theorem 1 is as follows. We need to define two additional structures, a semi-functional cipher-text and a semi-functional key. These are not used in the real system, only in the proof. We prove the security of our scheme from Assumptions 1-4 using a hybrid argument over a sequence of games.

First, every attribute i is assigned its own constant random values z_i, t_i ∈ Z_N. These two random values are common to the semi-functional cipher-texts and keys; they are bound to the attributes and do not change as users change. Our proof of security also relies on the restriction that


each attribute can only be used once in the row labelling of an access matrix.

Semi-functional Cipher-texts: Starting from the normal cipher-text components C_0, C_{1,x}, C_{2,x}, C_{3,x} and C_{4,x}, ∀x, let g_2 and g_3 be generators of G_{p2} and G_{p3}, respectively. Two random vectors u_1, u_2 ∈ Z_N^l are chosen. For each row A_x of the access matrix A, set δ_x = A_x · u_1 and σ_x = A_x · u_2. B denotes the subset of rows of A whose corresponding attributes come from the corrupted AAs, and B̄ denotes the subset of rows of A whose corresponding attributes come from the good AAs. Two random exponents α_x and β_x are picked. The semi-functional cipher-texts are formed as

C'_0 = C_0, C'_{1,x} = C_{1,x},
C'_{2,x} = C_{2,x} g_2^{α_x} g_3^{β_x t_{ρ(x)}},
C'_{3,x} = C_{3,x} g_2^{α_x} g_3^{β_x t_{ρ(x)}},
C'_{4,x} = C_{4,x} g_2^{δ_x + α_x z_{ρ(x)}} g_3^{σ_x + β_x t_{ρ(x)}}, ∀x with A_x ∈ B̄;

C'_0 = C_0, C'_{1,x} = C_{1,x}, C'_{2,x} = C_{2,x}, C'_{3,x} = C_{3,x} and C'_{4,x} = C_{4,x} g_2^{δ_x} g_3^{σ_x}, ∀x with A_x ∈ B.

Semi-functional Keys: Choose random exponents c, d ∈ Z_N.

Semi-functional keys of Type 1:
H'_2(GID) = H_2(GID) g_2^c, H'_2(ID_AA) = H_2(ID_AA) g_2^d,
SK'_{i,u} = SK_{i,u} g_2^{c z_i} g_2^d.

Semi-functional keys of Type 2:
H'_2(GID) = H_2(GID) g_3^c, H'_2(ID_AA) = H_2(ID_AA) g_3^d,
SK'_{i,u} = SK_{i,u} g_3^c g_3^d.

When a semi-functional key of Type 1 is used to decrypt a semi-functional cipher-text, the quantity e(g_2, g_2)^{c δ_x} cannot be cancelled out, so decryption fails. When the secret shared by the δ_x is 0, the cipher-text is said to be nominally semi-functional. When a semi-functional key of Type 2 is used to decrypt a semi-functional cipher-text, the quantity e(g_3, g_3)^{c σ_x} cannot be removed, so decryption fails as well.

The games are defined as follows.

Game_Real: This is the real security game; the cipher-text and all the keys are normal.

Game_0: This is similar to Game_Real, except that the challenge cipher-text is semi-functional.

Game_{j,1}: This is similar to Game_0, except that the first j − 1 received keys are semi-functional keys of Type 2, and the j-th key is a semi-functional key of Type 1. The remaining keys are normal. With q the number of key queries made by the attacker, j ranges from 1 to q.

Game_{j,2}: This is similar to Game_0, except that the first j received keys are semi-functional keys of Type 2. The remaining keys are normal. Therefore, all keys in Game_{q,2} are semi-functional keys of Type 2. In fact, Game_{0,2} is just another way of describing Game_0.

Game_Final: In this game, all the keys are semi-functional keys of Type 2, and the cipher-text is a semi-functional encryption of a random message. The advantage of the attacker in this game is 0.

We will prove that these games are indistinguishable in the following four lemmas, based on the four assumptions above. Game_Real and Game_0 cannot be distinguished, and since Game_0 equals Game_{0,2}, it follows that Game_{j−1,2} and Game_{j,1} cannot be distinguished, Game_{j,1} and Game_{j,2} cannot be distinguished, and Game_{q,2} and Game_Final cannot be distinguished. Finally, the security of the scheme is proven.

Lemma 1: Suppose there exists a polynomial time algorithm A such that Game_Real Adv_A − Game_0 Adv_A = ε. We can then construct a polynomial time algorithm B with advantage ε in breaking Assumption 1.

Proof: Setup: B receives N, g_1, and T from the challenger. Depending on the value of T, B will simulate either Game_Real or Game_0 with A. B outputs g_1 as the generator of G_{p1}, which is the output group, and N as the order of the group. A specifies the set S' ⊆ S, where S is the set of all authorities and S' is the set of corrupted authorities. For each attribute i of the good authorities, B chooses random exponents q_i, y_i ∈ Z_N, and the public parameters PK = {N, g_1, e(g_1, g_1)^{q_i}, g_1^{y_i}} are sent to A.

A queries H_2(GID) for the user identity and H_2(ID_AA) for the identity of the AA where the user is located. B chooses random exponents h_GID, h_AA ∈ Z_N and sets H_2(GID) = g_1^{h_GID} and H_2(ID_AA) = g_1^{h_AA}.

Key query phase 1: When A makes a key query for (i, GID), B generates the key according to the key generation algorithm using the random exponents q_i and y_i.

Challenge Phase: A sends messages M_0 and M_1 and the access matrix (A, ρ) to B. B tosses a random coin β ∈ {0, 1} and sends an encryption of M_β under the access matrix (A, ρ) to A.

B chooses a random number s ∈ Z_N and sets C_0 = M e(g_1, g_1)^s. B chooses two random vectors v = (s, v_2, ..., v_l) and ω = (0, ω_2, ..., ω_l), where v_2, ..., v_l and ω_2, ..., ω_l are picked randomly from Z_N, and sets λ_x = A_x · v and ω_x = A_x · ω.

The public parameters e(g_1, g_1)^{q_i} and g_1^{y_i} of the attributes from corrupted authorities in the access matrix (A, ρ) are supplied by A to B. The subsets B and B̄ are defined as for the semi-functional cipher-texts.

If A_x ∈ B, B chooses a random number r_x ∈ Z_N, and the cipher-text is
C_{1,x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{q_{ρ(x)}})^{r_x}, C_{2,x} = g_1^{r_x}, C_{3,x} = g_1^{r_x} g_1^{ω_x} and C_{4,x} = (g_1^{y_{ρ(x)}})^{r_x} T^{ω_x}.

If A_x ∈ B̄, B chooses a random number r'_x ∈ Z_N, with r_x = r r'_x. The cipher-text is then
C_{1,x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{q_{ρ(x)}})^{r r'_x}, C_{2,x} = T^{r'_x}, C_{3,x} = T^{r'_x} g_1^{ω_x} and C_{4,x} = T^{y_{ρ(x)} r'_x} T^{ω_x}.


The G_{p1}, G_{p2}, and G_{p3} parts of T are g_1^r, g_2^c, and g_3^d, respectively, for random r, c, d ∈ Z_N.

The proof of Lemma 1 proceeds in two aspects. When T ∈ G_{p1}, the cipher-text is normal; when T ∈ G, the cipher-text is semi-functional.

If T ∈ G_{p1}, the G_{p1} part of T is g_1^r, so the cipher-text is normal.

If T ∈ G, the G_{p1}, G_{p2}, and G_{p3} parts of T are g_1^r, g_2^c and g_3^d, respectively. When A_x ∈ B, the exponents δ_x and σ_x of g_2 and g_3 in C_{4,x} are δ_x = A_x · cω mod p_2 and σ_x = A_x · dω mod p_3, respectively, and the cipher-text is therefore semi-functional.

When A_x ∈ B̄, by the Chinese Remainder Theorem, r'_x modulo p_1, r'_x modulo p_2 and r'_x modulo p_3 are uncorrelated, and r r'_x, c r'_x, and d r'_x are all random; thus C_{2,x} and C_{3,x} are semi-functional cipher-text components. The exponents δ_x and σ_x of g_2 and g_3 in C_{4,x} are δ_x = (A_x · cω) mod p_2 and σ_x = (A_x · dω) mod p_3. y_{ρ(x)} modulo p_2 plays the role of z_{ρ(x)} in the semi-functional cipher-text, and y_{ρ(x)} modulo p_3 plays the role of t_{ρ(x)}. r'_x and y_{ρ(x)} are picked randomly, and by the Chinese Remainder Theorem their values modulo p_1, modulo p_2, and modulo p_3 are uncorrelated. Therefore, the cipher-text is semi-functional, because the exponents α_x, β_x, z_{ρ(x)}, and t_{ρ(x)} of g_2 and g_3 are randomly distributed.

For a semi-functional cipher-text, the vectors u_1 and u_2 defining δ_x and σ_x are random vectors. However, in this game, ω_1 in the vector ω is 0. We therefore argue that ω_1 appears random in A's view.

The rows A_x ∈ B belong to an unauthorized set. For the matrix restricted to an unauthorized set, although the shared secret values differ, the shares are the same because of the properties of the monotone span program and the secret sharing [21]. Therefore, for A, we have ω = (0, ω_2, ..., ω_l) and ω' = (k, ω_2, ..., ω_l). Although the shared secret value is 0 or k, the shares are the same, since M_B · ω = M_B · ω'. Thus, from the adversary's perspective, it cannot be discerned whether ω_1 is 0 or k.

For rows A_x ∈ B̄, z_{ρ(x)} in δ_x + α_x z_{ρ(x)} is a random value. As long as α_x mod p_2 is not 0, the value of δ_x in the g_2 component can be explained by the value of z_{ρ(x)}. Therefore, the shared secret is information-theoretically hidden, and the shares δ_x are properly distributed in the attacker's view. The σ_x in the g_3 component are also properly distributed, for the same reason.

Thus, if T ∈ G_{p1}, B has properly simulated Game_Real. If T ∈ G, then B has properly simulated Game_0. B can use A to attain advantage ε in breaking Assumption 1.

Lemma 2: Suppose there exists a polynomial time algorithm A such that Game_{j−1,2} Adv_A − Game_{j,1} Adv_A = ε. We can then construct a polynomial time algorithm B with advantage ε in breaking Assumption 2.

Proof: Setup: The proof for Lemma 2 is similar to the proof for Lemma 1; the difference is that B receives g_1, g_3, X_1, X_2 and T from the challenger.

Key query phase 1: When A queries the key for (i, GID_k), B randomly picks exponents h_{GID_k}, h_{AA_k} ∈ Z_N. The generated key can then be represented as SK_{i,u} = g_1^{q_i} H_2(GID_k)^{y_i} H_2(ID_{AA_k}), where GID_k denotes the k-th identity queried by A.

When k < j, B sets H_2(GID_k) = (g_1 g_3)^{h_{GID_k}} and H_2(ID_{AA_k}) = (g_1 g_3)^{h_{AA_k}}, where h_{GID_k} y_i modulo p_1 and h_{GID_k} y_i modulo p_3 are uncorrelated, and where h_{AA_k} modulo p_1 and h_{AA_k} modulo p_3 are uncorrelated as well. Therefore, the keys distributed by B are semi-functional keys of Type 2.

When k > j, B sets H_2(GID_k) = g_1^{h_{GID_k}} and H_2(ID_{AA_k}) = g_1^{h_{AA_k}}, and B distributes normal keys.

When k = j, B sets H_2(GID_j) = T^{h_{GID_j}} and H_2(ID_{AA_j}) = T^{h_{AA_j}}. If T ∈ G_{p1}, B distributes a normal key, and if T ∈ G_{p1 p2}, B distributes a semi-functional key of Type 1.

Challenge Phase: As in Lemma 1, B chooses the random vectors v and ω. B also chooses a random vector u = (u_1, ..., u_l), where u_1, u_2, ..., u_l are picked randomly from Z_N, and sets λ_x = A_x · v, ω_x = A_x · ω and σ_x = A_x · u.

When A_x ∈ B, B picks a random number r_x ∈ Z_N, and the cipher-text is
C_{1,x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{q_{ρ(x)}})^{r_x}, C_{2,x} = g_1^{r_x}, C_{3,x} = g_1^{r_x} g_1^{ω_x} and C_{4,x} = (g_1^{y_{ρ(x)}})^{r_x} (X_1 X_2)^{ω_x} g_3^{σ_x}.

When A_x ∈ B̄, B chooses random values ϕ_x, r'_x ∈ Z_N, with r_x = r r'_x. The cipher-text is
C_{1,x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{q_{ρ(x)}})^{r_x}, C_{2,x} = (X_1 X_2)^{r'_x} g_3^{ϕ_x}, C_{3,x} = (X_1 X_2)^{r'_x} g_1^{ω_x} g_3^{ϕ_x} and C_{4,x} = ((X_1 X_2)^{y_{ρ(x)}})^{r'_x} (X_1 X_2)^{ω_x} g_3^{y_{ρ(x)} ϕ_x} g_3^{σ_x}.

Here X_1 is g_1^r and X_2 is g_2^c, with c ∈ Z_N random.

The proof of Lemma 2 follows the same two aspects as the proof of Lemma 1. Whether A_x ∈ B or A_x ∈ B̄, the distribution of the cipher-text is semi-functional.

When A_x ∈ B̄, the shared secret δ_x in the exponent of g_2 is hidden from A, but the shared secret still needs to be set to 0. This ensures that the cipher-text generated by the simulator is a nominally semi-functional cipher-text. Thus, if the simulator B tests whether the j-th key is semi-functional or normal by using the key to decrypt the nominally semi-functional cipher-text, the key decrypts the cipher-text. Therefore, that key cannot be distinguished from a normal key.

If T ∈ G_{p1}, then B has properly simulated Game_{j−1,2}. If T ∈ G_{p1 p2}, then B has properly simulated Game_{j,1}. B can use A to attain advantage ε in breaking Assumption 2.

Lemma 3: Suppose there exists a polynomial time algorithm A such that Game_{j,1} Adv_A − Game_{j,2} Adv_A = ε. We can then construct a polynomial time algorithm B with advantage ε in breaking Assumption 3.


Proof: Setup: The proof in this section is similar to the proof of Lemma 2, the only difference being that B receives N, g_1, X_1, X_3, Y_2, Y_3 and T from the challenger.

Key query phase 1: When A makes the (i, GID_k) key query, the key is generated as SK_{i,u} = g_1^{q_i} H_2(GID_k)^{y_i} H_2(ID_{AA_k}).

When k < j, B sets H_2(GID_k) = (X_1 X_3)^{h_{GID_k}} and H_2(ID_{AA_k}) = (X_1 X_3)^{h_{AA_k}}, exactly as in the proof of Lemma 2, and the key distributed by B is a semi-functional key of Type 2.

When k > j, B sets H_2(GID_k) = g_1^{h_{GID_k}} and H_2(ID_{AA_k}) = g_1^{h_{AA_k}}, and the key distributed by B is a normal key.

When k = j, B sets H_2(GID_j) = T^{h_{GID_j}} and H_2(ID_{AA_j}) = T^{h_{AA_j}}. If T ∈ G_{p1 p2}, the key distributed by B is a semi-functional key of Type 1, and if T ∈ G_{p1 p3}, the key distributed by B is a semi-functional key of Type 2.

Challenge Phase: This phase is similar to that of Lemma 2. C_0 and the definitions of the vectors v, ω and u are the same as for Lemma 2, and B sets λ_x = A_x · v, ω_x = A_x · ω and σ_x = A_x · u. For each row A_x, B chooses a random number r_x ∈ Z_N.

When A_x ∈ B, the cipher-text is
C_{1,x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{q_{ρ(x)}})^{r_x}, C_{2,x} = g_1^{r_x}, C_{3,x} = g_1^{r_x} g_1^{ω_x} and C_{4,x} = (g_1^{y_{ρ(x)}})^{r_x} g_1^{ω_x} (Y_2 Y_3)^{σ_x}, ∀x.

When A_x ∈ B̄, the cipher-text is
C_{1,x} = e(g_1, g_1)^{λ_x} (e(g_1, g_1)^{q_{ρ(x)}})^{r_x}, C_{2,x} = g_1^{r_x} (Y_2 Y_3)^{r_x}, C_{3,x} = g_1^{r_x} g_1^{ω_x} (Y_2 Y_3)^{r_x} and C_{4,x} = g_1^{y_{ρ(x)} r_x} g_1^{ω_x} (Y_2 Y_3)^{y_{ρ(x)} r_x} (Y_2 Y_3)^{σ_x}, ∀x.

The argument is similar to that for Lemma 2, and the distributed cipher-text is a semi-functional cipher-text. When k = j, the cipher-text is semi-functional regardless of whether the key is of Type 1 or Type 2, and decryption cannot succeed; therefore, the two cases are indistinguishable as well.

If T ∈ G_{p1 p2}, then B has properly simulated Game_{j,1}. If T ∈ G_{p1 p3}, then B has properly simulated Game_{j,2}. B can use A to attain advantage ε in breaking Assumption 3.

Lemma 4: Suppose there exists a polynomial time algorithm A such that Game_{q,2} Adv_A − Game_Final Adv_A = ε. We can then construct a polynomial time algorithm B with advantage ε in breaking Assumption 4.

Proof: Setup: The proof here is similar to that for Lemma 3; the difference is that B receives N, g_1, g_1^a, X_2, X_3, g_1^b, Y_2, Z_2, and T from the challenger. X_2 is g_2^{c_1}, Y_2 is g_2^{c_2}, Z_2 is g_2^{c_3} and X_3 is g_3^d. For each attribute i from each good authority, B chooses random exponents q'_i, y'_i ∈ Z_N and then sends the public parameters PK = {N, g_1, e(g_1, g_1)^{q_i}, g_1^{y_i}} to A, where

e(g_1, g_1)^{q_i} = e(g_1, g_1^a X_2) e(g_1, g_1)^{q'_i} = e(g_1, g_1)^{a + q'_i} and g_1^{y_i} = g_1^{y'_i}.

That is, we set q_i = a + q'_i and y_i = y'_i.

When A queries H_2(GID) and H_2(ID_AA), B picks random exponents h_GID, h_AA ∈ Z_N and sets H_2(GID) = (g_1 X_3)^{h_GID} and H_2(ID_AA) = (g_1 X_3)^{h_AA}.

Key query phase 1: When A queries the key for (i, GID), the key generated by B can be represented as SK_{i,u} = g_1^{q_i} (g_1 X_3)^{h_GID y_i} (g_1 X_3)^{h_AA}, where d h_GID y_i and d h_AA play the roles of the exponents c and d of g_3 in a semi-functional key. Thus, it is a semi-functional key of Type 2.

Challenge Phase: B sets C_0 = M_β T and s = ab. If T = e(g_1, g_1)^{ab}, this is an encryption of the message M_β. If T is random, it is an encryption of a random message.

For A_x ∈ B̄ the cipher-text is determined as follows. B chooses random vectors v_1 and v_2. The first element of v_1 is 1, the first element of v_2 is 0, and v_1 is orthogonal to all the rows in B (such vectors exist because B is an unauthorized set). The vector v is defined as v = ab v_1 + v_2, so that λ_x = A_x · v = ab A_x · v_1 + A_x · v_2.

Because B cannot form the term e(g_1, g_1)^{ab A_x · v_1}, B chooses a random number r'_x ∈ Z_N and sets r_x = −b A_x · v_1 + r'_x; therefore

λ_x + q_{ρ(x)} r_x = a r'_x − b A_x · v_1 · q'_{ρ(x)} + q'_{ρ(x)} r'_x + A_x · v_2,

and B sets

C_{1,x} = e(g_1, g_1^a X_2)^{r'_x} e(g_1, g_1^b Y_2)^{−A_x · v_1 · q'_{ρ(x)}} e(g_1, g_1)^{q'_{ρ(x)} r'_x + A_x · v_2}.

B chooses two random vectors ω = (0, ω_2, ..., ω_l) and u = (u_1, ..., u_l), where ω_2, ..., ω_l and u_1, u_2, ..., u_l are picked randomly from Z_N, and sets ω_x = A_x · ω and σ_x = A_x · u. B also chooses a random number ϕ_x ∈ Z_N and sets

C_{2,x} = (g_1^b Y_2)^{−A_x · v_1} g_1^{r'_x} (Z_2 X_3)^{ϕ_x} = g_1^{−b A_x · v_1 + r'_x} g_2^{−c_2 A_x · v_1 + c_3 ϕ_x} g_3^{d ϕ_x},

C_{3,x} = (g_1^b Y_2)^{−A_x · v_1} g_1^{r'_x} g_1^{ω_x} (Z_2 X_3)^{ϕ_x} = g_1^{−b A_x · v_1 + r'_x} g_1^{ω_x} g_2^{−c_2 A_x · v_1 + c_3 ϕ_x} g_3^{d ϕ_x}.

The values of ϕ_x modulo p_2 and ϕ_x modulo p_3 are uncorrelated. Therefore, the distributed cipher-text is a properly formed semi-functional cipher-text.

Because y_{ρ(x)} r_x = −b A_x · v_1 · y'_{ρ(x)} + y'_{ρ(x)} r'_x, B sets

C_{4,x} = (g_1^b Y_2)^{−A_x · v_1 · y'_{ρ(x)}} g_1^{y'_{ρ(x)} r'_x} g_1^{ω_x} Z_2^{σ_x} X_3^{σ_x} X_3^{y'_{ρ(x)} ϕ_x}
= g_1^{−b A_x · v_1 · y'_{ρ(x)} + y'_{ρ(x)} r'_x} g_1^{ω_x} g_2^{−c_2 A_x · v_1 · y'_{ρ(x)} + c_3 σ_x} g_3^{d σ_x + d y'_{ρ(x)} ϕ_x}.

y'_{ρ(x)} modulo p_2 and modulo p_3 in C_{4,x} play the roles of z_{ρ(x)} and t_{ρ(x)} in the semi-functional cipher-text, respectively. The values of y'_{ρ(x)} modulo p_1, modulo p_2 and modulo p_3 are uncorrelated. The shares in the subgroups G_{p2} and G_{p3} are c_3 σ_x and d σ_x, respectively, and c_3 σ_x modulo p_2 and d σ_x modulo p_3 are random. Therefore, this is a properly distributed semi-functional cipher-text.

For A_x ∈ B, B picks a random r_x ∈ Z_N. The random vectors v_1, v_2, ω, and u are defined as for A_x ∈ B̄. B sets ω_x = A_x · ω, σ_x = A_x · u, and C_{1,x} = e(g_1, g_1)^{A_x · v_2} e(g_1, g_1)^{q_{ρ(x)} r_x}, where v_1 is orthogonal to all the


rows in B; therefore λ_x is A_x · v_2. C_{2,x} = g_1^{r_x}, C_{3,x} = g_1^{r_x} g_1^{ω_x}, and C_{4,x} = g_1^{y'_{ρ(x)} r_x} g_1^{ω_x} (Z_2 X_3)^{σ_x} = g_1^{y'_{ρ(x)} r_x} g_1^{ω_x} g_2^{c_3 σ_x} g_3^{d σ_x}. The values of σ_x modulo p_2 and modulo p_3 are uncorrelated, σ_x is random as well, and the distributed cipher-text is therefore semi-functional.

If s = ab, then T = e(g_1, g_1)^{ab}; this is a semi-functional encryption of M_β, and B has simulated Game_{q,2}. If T is random, this is a semi-functional encryption of a random message, and B has simulated Game_Final. B can use A to obtain advantage ε in breaking Assumption 4.

In the final attack game of Lemma 4, the challenger encrypts a random message, so the attacker's advantage is negligible. If Assumptions 1, 2, 3, and 4 hold, it has been proven that the real security game and Game_Final cannot be distinguished, and therefore that the attacker's advantage in the real security game is negligible as well. Therefore, the scheme presented in this article can be considered secure, and the proof of Theorem 1 is complete.

E. COMPARISON OF SCHEMES

TABLE 1. Comparison of different schemes.

A detailed comparison among different decentralizing multi-authority ABE schemes without a central authority is given in Table 1. These schemes all use the GID. In decentralizing ABE, the cost of the ciphertext and the key is mainly related to the attributes, so the comparison is mainly made in terms of the attribute sets. A_u, A_c and A_k refer to the attribute set of a user, of a ciphertext and of authority k, respectively. N refers to the number of authorities, m refers to the maximum number of users supported in the Lin-Cao scheme, |∗| refers to the number of elements in a set, and P refers to an invocation of a two-party computation (2PC) protocol. "Ciphertext" refers to the ciphertext overhead. "Tolerance" refers to the maximum number of compromised authorities or users against which a system remains secure. "Key Issuing Protocol for Privacy" refers to the number of times the key protocol is called between the user and the AA. Trust relationships need to be formed between the authorities in these schemes without a central authority. "Trust relationship" refers to the number of invocations of the parameter distribution or key generation protocol required among the AAs in the setup stage.

The Lin-Cao scheme needs to invoke m + 2 key distribution protocols to realize key sharing among the AAs. The Chase09 scheme requires a trust relationship to be established and a seed key to be generated between any two AAs. The Lewko-Waters2011 and Rahulamathavan-Veluru schemes need to distribute the basic parameter information among the AAs in the setup stage. The GID is public globally in the Lin-Cao and Lewko-Waters2011 schemes. The Chase09 and Rahulamathavan-Veluru schemes both use an anonymous key issuing protocol to prevent privacy leaks. The anonymous protocol needs to generate new parameters, run 2PC protocols, generate the information needed by the users and the AA, and then have the parties interact to produce the required key information. In all of the above schemes without a central authority, user identity management needs to be offered by related organizations.

In our scheme, each AA has a public and a secret key, and no private key per attribute is required, which reduces the number of keys. The public key of each AA and the basic parameters are distributed only when the system is set up, which simplifies the process of trust establishment. The key issuing protocol for privacy only needs the public key of the AA to realize trust between AAs; it does not require support from a 2PC protocol, and no new parameters need to be generated. In addition, users use the protocol only when the requested attribute is outside the domain, so our scheme is simpler and more efficient than the Chase09 and Rahulamathavan-Veluru schemes. GID management and use all occur inside domains, so there is no need for additional organizations to provide global management of the GID.

VI. CONCLUSIONS
Decentralizing multi-authority ABE can solve problems arising from the security requirements of sharing confidential corporate data on cloud servers. For decentralized multi-authority ABE schemes without a central authority, collusion resistance can be achieved using the GID. Therefore, the uniqueness of user identities needs to be managed globally, which results in crucial problems of privacy and security. In this paper, a scheme without a central authority to manage keys and

18020 VOLUME 6, 2018


Y. Yang et al.: Improving Privacy and Security in Decentralizing Multi-Authority ABE in Cloud Computing

users has been proposed, and privacy and security have been enhanced in the following respects. (1) User identities are globally unique, which achieves collusion resistance, but they need not be published globally, so privacy is enhanced; moreover, user identity management does not need to be provided by any external organization. (2) When a user requests a user attribute key from an attribute authority outside the domain, the authority of the user's current domain, not the user, performs the request; efficiency is improved and user privacy is protected, and the possibility of users being cheated is also decreased. (3) To build trust relations, only the global parameters and the public key information need to be exchanged between attribute authorities. (4) Each attribute authority manages its own keys and users, so attribute authorities can be added flexibly.

For future work, once the attribute authorities in each domain belong to a hierarchical multi-authority ABE, the focus must be on devising a method that combines the scheme designed in this essay with hierarchical multi-authority ABE.
REFERENCES
[1] J. Horwitz and B. Lynn, "Toward hierarchical identity-based encryption," in Proc. EUROCRYPT, Amsterdam, The Netherlands, Apr. 2002, pp. 466–481.
[2] C. Gentry and A. Silverberg, "Hierarchical ID-based cryptography," in Proc. ASIACRYPT, Singapore, Dec. 2002, pp. 548–566.
[3] D. Boneh and X. Boyen, "Efficient selective-ID secure identity-based encryption without random oracles," in Proc. EUROCRYPT, Interlaken, Switzerland, May 2004, pp. 223–238.
[4] D. Boneh, X. Boyen, and E.-J. Goh, "Hierarchical identity based encryption with constant size ciphertext," in Proc. EUROCRYPT, Aarhus, Denmark, May 2005, pp. 440–456.
[5] X. Boyen and B. Waters, "Anonymous hierarchical identity-based encryption (without random oracles)," in Proc. CRYPTO, Santa Barbara, CA, USA, Aug. 2006, pp. 290–307.
[6] B. Waters, "Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions," in Proc. CRYPTO, Santa Barbara, CA, USA, Aug. 2009, pp. 619–636.
[7] A. Lewko and B. Waters, "New techniques for dual system encryption and fully secure HIBE with short ciphertexts," in Proc. TCC, Zurich, Switzerland, Feb. 2010, pp. 455–579.
[8] G. Wang, Q. Liu, and J. Wu, "Hierarchical attribute-based encryption for fine-grained access control in cloud storage services," in Proc. CCS, Chicago, IL, USA, Oct. 2010, pp. 735–737.
[9] G. Wang, Q. Liu, J. Wu, and M. Guo, "Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers," Comput. Secur., vol. 30, no. 5, pp. 320–331, Jul. 2011.
[10] Z. Wan, J. Liu, and R. H. Deng, "HASBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing," IEEE Trans. Inf. Forensics Security, vol. 7, no. 2, pp. 743–754, Apr. 2012.
[11] Q. Huang, L. Wang, and Y. Yang, "DECENT: Secure and fine-grained data access control with policy updating for constrained IoT devices," World Wide Web, vol. 21, no. 1, pp. 151–167, 2018.
[12] A. Beimel, "Secure schemes for secret sharing and key distribution," Ph.D. dissertation, Israel Inst. Technol., Haifa, Israel, 1996.
[13] D. Boneh, E.-J. Goh, and K. Nissim, "Evaluating 2-DNF formulas on ciphertexts," in Proc. TCC, Cambridge, MA, USA, Feb. 2005, pp. 325–341.
[14] M. Chase, "Multi-authority attribute based encryption," in Proc. TCC, Amsterdam, The Netherlands, Feb. 2007, pp. 515–534.
[15] S. Müller, S. Katzenbeisser, and C. Eckert, "Distributed attribute-based encryption," in Proc. ICISC, Seoul, South Korea, Dec. 2008, pp. 20–36.
[16] A. Lewko and B. Waters, "Decentralizing attribute-based encryption," in Proc. EUROCRYPT, Tallinn, Estonia, May 2011, pp. 568–588.
[17] H. Lin, Z. Cao, X. Liang, and J. Shao, "Secure threshold multi authority attribute based encryption without a central authority," in Proc. INDOCRYPT, Kharagpur, India, Dec. 2008, pp. 426–436.
[18] M. Chase and S. S. M. Chow, "Improving privacy and security in multi-authority attribute-based encryption," in Proc. CCS, Chicago, IL, USA, Nov. 2009, pp. 121–130.
[19] Y. Rahulamathavan, S. Veluru, J. Han, F. Li, M. Rajarajan, and R. Lu, "User collusion avoidance scheme for privacy-preserving decentralized key-policy attribute-based encryption," IEEE Trans. Comput., vol. 65, no. 9, pp. 2939–2946, Sep. 2016.
[20] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, "Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption," in Proc. EUROCRYPT, Monaco and Nice, France, May 2010, pp. 62–91.
[21] A. Beimel, "Secret-sharing schemes: A survey," in Proc. 3rd Int. Workshop Coding Cryptol. (IWCC), Qingdao, China, May 2011, pp. 11–46.

YAN YANG received the M.Sc. degree in computer application from the Zhengzhou Information Science and Technology Institute, Zhengzhou, China. She is currently a Professor with the Zhengzhou Information Science and Technology Institute. Her research interests include cloud computing security, identity authentication and authorization, and access control.

XINGYUAN CHEN received the Ph.D. degree in communication and information system from the Zhengzhou Information Science and Technology Institute, Zhengzhou, China. He is currently the Chair, a Distinguished Professor, and a Doctoral Supervisor with the Zhengzhou Information Science and Technology Institute. He is also a Doctoral Supervisor with the School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China. His research interests include cyberspace security, e-government security and secure exchange, and cloud computing security.

HAO CHEN received the M.Sc. degree in electronic and communication engineering and network from the University of Birmingham, U.K. He is currently with the State Key Laboratory of Space-Ground Integrated Information Technology, China Academy of Space Technology, Beijing, China. His research interests include privacy protection.

XUEHUI DU received the Ph.D. degree in computer application from the Zhengzhou Information Science and Technology Institute, Zhengzhou, China. She is currently the Chair, a Distinguished Professor, and a Doctoral Supervisor with the Zhengzhou Information Science and Technology Institute. Her research interests include e-government security, cyberspace security, and secure exchange.