DOI: 10.1145/3450614.3464469
Invited talk

Preserving Privacy of Data with Efficient Attribute-based Encryption Schemes 

Published: 22 June 2021 Publication History

Abstract

Attribute-based encryption (ABE) schemes and their variations are often applied to preserve the privacy of data. In particular, ABE proposals are resilient to multiple attacks, including attacks involving interception, interruption, modification, fabrication, unauthorized authentication, and access of data. Existing proposals have several limitations: for example, the generation, verification, and distribution of digital certificates incur extra computation and communication overhead, which is not suitable for resource-constrained computing. Furthermore, in most ABE schemes, a certification authority (CA) generates the public/secret keys according to a set of attributes. However, a compromise of the CA can endanger the secret keys and, therefore, the secrecy of encrypted messages. Some of the existing ABE schemes are based on bilinear pairings that require large security parameters, which makes them unsuitable for resource-constrained computing devices.
The current ABE proposals [1, 2, 3, 4] are complex because they require large security parameters (i.e., 2048 or 4096 bits) to achieve 2^128 security. Besides that, those ABE schemes assume a CA with an active role in the application process: the CA generates and distributes secret keys to devices or users. Nonetheless, sharing private attributes with the CA can put data and user privacy at risk, since the CA can also decrypt messages, depending on the application scenario, and retrieve the data. Moreover, a compromise of the CA poses a risk to the secrecy of communication between the sender and the receiver. In addition, some studies propose symmetric-key schemes for resource-constrained devices. However, in large-scale networked systems, symmetric key management becomes very complex and inefficient. Symmetric-key deployment often requires a separate protocol for session key agreement and generation. In IoT networks, where mostly short-sized data is exchanged, symmetric-key encryption schemes are often subject to ciphertext-only attacks.
In this paper, we will discuss how we can generate efficient ABE schemes based on elliptic curve cryptographic (ECC) techniques without the use of a CA. ECC-based ABE schemes require smaller security parameters (i.e., 256 or 512 bits) to achieve at least 2^128 computational security, which makes them efficient on resource-constrained computing devices. In particular, efficient ABE schemes, such as [5], are based on the computational Diffie-Hellman assumptions and their derivatives. Under such an assumption, we can perform the elliptic curve operations, addition and multiplication, in a group without compromising the security of the ABE scheme. In other words, an adversary or oracle cannot efficiently “guess” or “find” the secret asymmetric key.
ABE schemes usually come with assumptions that are necessary for the deployed systems. In addition, ABE schemes consist of key pair generation, encryption, and decryption algorithms, although only a few ABE proposals additionally include key pair update and key pair revocation algorithms [5]. The key pair generation algorithm considers the secret attributes of a device or user. It takes as input a security parameter λ and a set of secret attributes AS. λ consists of a long string of 1s in a chosen finite field that defines the access structure and the length of the secret keys and messages. The algorithm outputs the public/secret key pair (PK, SK), which is either offline or online and is distributed to the involved entities, i.e., devices or users.
The encryption algorithm takes as input the public key of a device PK, the access policy P, and a message M. It outputs a ciphertext CT that is exchanged in a hostile environment. Conversely, the decryption algorithm takes as input the secret key SK and the ciphertext CT and outputs the plaintext message M. The key pair generation algorithm sets the mathematical foundations that connect the key pair, whereas the encryption and decryption algorithms conceal and reveal the actual data during online transmission and exposure.
If the secret or shared attributes of an entity change, for any reason, then all the keys should be updated. The key pair update algorithm regenerates the public/secret (PK/SK) key pair: it takes the updated secret attributes AS as input and generates a new key pair (PK′/SK′). In the key pair revocation algorithm, the keys are revoked by an entity or due to the malicious behaviour of some users/devices. Three cases for key revocation have been identified:
(1) Legitimate revoke: the key pair can be revoked due to a system update, an expiration date, or scheduled maintenance of the networked system.
(2) Malicious activity: the key revocation may take place due to malicious behaviour that is observed and/or reported by an entity of the networked system.
(3) Attribute update: a change in the attribute set can trigger a new key revocation procedure.
In the literature, ABE algorithms are assessed theoretically by proving that the mathematical foundations hold in a malicious environment. Likewise, ABE algorithms are assessed by their computational and memory complexity, as well as by their practical implementation on real devices or in a simulated network. In principle, the security of ABE schemes is carefully analysed to ensure security against popular attacks: (i) computing the secret key SK from the public key PK; (ii) computing the secret key SK from multiple ciphertexts (i.e., chosen ciphertext attack); (iii) it can be shown by a reduction that the computational problem in an ABE scheme is at least as hard as the discrete logarithm problem (DLP); and (iv) the ABE scheme is secure against an adversary A who knows the shared attribute set AK and tries to derive the secret key SK by a collision attack.
The security and privacy challenges posed by resource-constrained systems affect the heterogeneous nature of devices with varying degrees of computation and storage capacity. It is therefore essential to find lightweight solutions that eliminate the need to apply different security schemes per system. The existing public-key encryption and attribute-based encryption schemes are often computationally expensive and, therefore, not suitable for resource-constrained devices. Moreover, sharing attributes with a certification authority risks the privacy of devices if the CA has been compromised. New ABE schemes should not endanger the secrecy of messages among devices if the CA is compromised.
It is also essential for researchers to propose schemes based on mathematical constructions that are proven to be secure and light, such as elliptic curve cryptography which supports smaller key sizes and is highly suitable for resource-constrained devices. 

References

[1] C. Hu, H. Li, Y. Huo, T. Xiang, and X. Liao, “Secure and efficient data communication protocol for wireless body area networks,” IEEE Transactions on Multi-Scale Computing Systems, vol. 2, no. 2, pp. 94–107, 2016.
[2] C. Chen, J. Chen, H. W. Lim, “Fully secure attribute-based systems with short ciphertexts/signatures and threshold access structures,” in Proceedings of the 13th International Conference on Topics in Cryptology, pp. 50–67, San Francisco, CA, USA, 2013, Springer-Verlag.
[3] Z. Zhou, D. Huang, and Z. Wang, “Efficient privacy-preserving ciphertext-policy attribute based-encryption and broadcast encryption,” IEEE Transactions on Computers, vol. 64, no. 1, 2015.
[4] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM conference on Computer and communications security - CCS '06, pp. 89–98, 2006.
[5] A. K. Junejo and N. Komninos, “A Lightweight Attribute-based Security Scheme for Fog-Enabled Cyber Physical Systems,” Wireless Communications and Mobile Computing journal, 2020, 2145829.

Cited By

  • (2022) Privacy Preserving Data Sharing in Cloud Using EAE Technique. 2021 4th International Conference on Recent Trends in Computer Science and Technology (ICRTCST), pp. 384-388. DOI: 10.1109/ICRTCST54752.2022.9781993. Online publication date: 11-Feb-2022


Published In

UMAP '21: Adjunct Proceedings of the 29th ACM Conference on User Modeling, Adaptation and Personalization
June 2021
431 pages
ISBN:9781450383677
DOI:10.1145/3450614
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Attribute based encryption
  2. key revocation
  3. key update
  4. privacy preservation

Qualifiers

  • Invited-talk
  • Research
  • Refereed limited

Conference

UMAP '21
Acceptance Rates

Overall Acceptance Rate 162 of 633 submissions, 26%
