4.2 Algorithm description of ESAD scheme
The workflow of the ESAD scheme is shown in Fig.
2. The main algorithms are described as follows:
Let
GF(
p) be a finite field of order
p,
E be an elliptic curve defined in the finite field
GF(
p),
r be the order of the subgroup in the elliptic curve
E, and
G be a base point in the subgroup.
G generates a cyclic subgroup of elliptic curves
E;
Zr is an integer domain of order
r; and the one-way function
H:
\( {\left\{0,1\right\}}^{\ast}\to {\mathrm{Z}}_r^{\ast } \) is randomly selected: the user
ID is mapped to the integer domain
Zr.
$$ Setup\left(n,S,{k}_i\right)\to \left( MSK, PK\right) $$
For each attribute i in the system attribute set S, the data owner randomly selects the parameters k1, k2, ⋯, kS ∈ Zr to upload to the attribute key management system.
The key generator randomly selects
n (
n ∈
Zr) to generate the system master key.
$$ MSK=\left({k}_1,{k}_2,...,{k}_S,n,G\right), $$
Generate the system public key parameters.
$$ PK=\left({k}_1G,{k}_2G,\cdots, {k}_SG\right). $$
The attribute authorizer maintains a list of attributes that correspond to its
ID for each user in the system, as shown in Table
1.
Table 1
User attribute list
\( {k}_{At{t}_{11}} \) | \( {k}_{At{t}_{21}} \) | … | \( {k}_{At{t}_{n1}} \) |
\( {k}_{At{t}_{12}} \) | \( {k}_{At{t}_{22}} \) | … | \( {k}_{At{t}_{n2}} \) |
\( {k}_{At{t}_{13}} \) | \( {k}_{At{t}_{23}} \) | … | \( {k}_{At{t}_{n3}} \) |
… | … | … | … |
AKMSKeyGen(ki, ID, n) → {SKi, ID}
For each attribute
i in the user
ID attribute set
SID, the attribute authorizer calculates the user private key
$$ S{K}_{i, ID}={k}_i+H(ID)n. $$
The data owner encrypts the original data
M to generate the encrypted data
CT, and the encryption algorithm proceeds as follows:
$$ Encrypt\left(M,s,P{K}_i,\mathbf{A},\mathbf{v},\mathbf{u}\right)\to CT $$
The data owner randomly selects
s ∈
Zr as the encryption key; it calculates
The key s is split using the LSSS as follows:
Define the access control strategy (
A,
ρ), where
A is a linear secret sharing matrix,
ρ is the mapping function of the matrix row vector and the attribute, and
ρ maps each row
Ax of the matrix
A to the attribute
ρ(
x). As in [
22],
ρ does not map two different rows to the same attribute. Randomly select the parameters
v2,
v3, ⋯,
vl ∈
Zp, define the vector
\( \tilde{v}={\left(\tilde{s},{\tilde{v}}_2,{\tilde{v}}_3,...{\tilde{v}}_l\right)}^{\mathrm{T}} \), and calculate the inner product
λx =
Ax ⋅
v for each row
Ax of the matrix
A. Randomly select the parameters
u2,
u3, ⋯,
ul ∈
Zp, define the vector
u = (0,
u2,
u3, ⋯,
ul)
T, and calculate the inner product
ωx =
Ax ⋅
u for each row
Ax of the matrix
A.
The data owner outputs the ciphertext
$$ CT=\left(\left(\mathbf{A},\rho \right),C,{\left\{{C}_{1,x}={\lambda}_xG+{\omega}_xP{K}_{\rho (x)},{C}_{2,x}={\omega}_xG\right\}}_{x=1}^m\right). $$
$$ Decrypt\left(C,S{K}_{\rho (y), ID}\right)\to M $$
To decrypt the cloud data, the authorized user sends a ciphertext request to the cloud. After obtaining the ciphertext, the authorized user sends the
ID and the (
C2, y,
ρ(
y)) associated with each attribute
y ∈
SID to the attribute authorizer. The attribute authorizer verifies the sender identity and the attribute set based on the maintained attribute list. If the request is valid, the attribute authorizer calculates each of the requests (
C2, y,
ρ(
y))
$$ {\displaystyle \begin{array}{c}{C}_{2,y}S{K}_{\rho (y), ID}={\omega}_yG\left({k}_{\rho (y)}+H(ID)n\right)\\ {}={\omega}_y{k}_{\rho (y)}G+{\omega}_yH(ID) nG\end{array}}. $$
The attribute authorizer sends the calculated result to the authorized user, and the authorized user receives the returned result and then calculates
$$ {\displaystyle \begin{array}{l}{C}_{1,y}-{C}_{2,y}S{K}_{\rho (y), ID}\\ {}=\left({\lambda}_yG+{\omega}_yP{K}_{\rho (y)}\right)-\left({\omega}_y{k}_{\rho (y)}G+{\omega}_yH(ID) nG\right)\\ {}={\lambda}_yG-{\omega}_yH(ID) nG\end{array}}. $$
The authorized user selects the vector
c ∈
Zr, lets
c ⋅
Ay = (1, 0, ⋯, 0), and calculates
$$ \sum \limits_{y\in {S}_{ID}}c\left({\lambda}_yG-{\omega}_yH(ID) nG\right)= sG. $$
The authorized user calculates
The original data
M are obtained.
$$ Update\left(I{D}_{R{L}_x},{h}_x,{k}_x,n\right)\to \Big(P{K}_x,\left\{S{K}_{x,I{D}_{R{L}_x}}\right\},C{T}^{\hbox{'}} $$
For attribute
x, the data owner randomly selects
hx ∈
Zr and
hx ≠
kx, and sends
kx and
hx to the key generator and attribute authorizer in the attribute key management system. The key generator updates the public key:
The attribute authorizer searches for the user set
RLx that has the attribute
x according to
kx and updates the corresponding attribute value to
hx. The new user private key of the attribute
x is
$$ S{K}_{x,I{D}_{R{L}_x}}={h}_x+H\left(I{D}_{R{L}_x}\right)n. $$
The data owner randomly selects
\( \tilde{s}\in {Z}_p \), uses the same access control strategy (
A,
ρ) as previously defined, randomly selects the parameters
\( {\tilde{v}}_2,{\tilde{v}}_3,\cdots, {\tilde{v}}_l\in {Z}_p \), defines the vector
\( \tilde{v}={\left(\tilde{\mathrm{s}},{\tilde{v}}_2,{\tilde{v}}_3,...,{\tilde{v}}_l\right)}^T \), and computes the inner product
\( {\tilde{\lambda}}_x={\mathbf{A}}_x\cdot \tilde{v} \) for each row
Ax of matrix
A. The data owner then randomly selects the parameters
\( {\tilde{u}}_2,{\tilde{u}}_3,\cdots, {\tilde{u}}_l\in {Z}_p \), defines the vector
\( \tilde{\mathbf{u}}={\left(0,{\tilde{u}}_2,{\tilde{u}}_3,\cdots, {\tilde{u}}_l\right)}^{\mathrm{T}} \), and calculates the inner product
\( {\tilde{\omega}}_x={\mathbf{A}}_x\cdot \tilde{\mathbf{u}} \) for each row
Ax of the matrix
A. The data owner outputs the updated ciphertext
$$ C{T}^{\hbox{'}}=\left(\left(A,\rho \right),\tilde{C}=M+\tilde{s}G,{\left\{{\tilde{C}}_{1,x}={\tilde{\lambda}}_xG+{\tilde{\omega}}_xP{K}_{\rho (x)},{\tilde{C}}_{2,x}={\tilde{\omega}}_xG\right\}}_{x=1}^m\right) $$
$$ DeleteDate\left(I{D}_{R{L}_x},{k}_x,{h}_x,n\right)\to \left\{S{K}_{x,I{D}_{R{L}_x}}\right\} $$
The data owner sends a key update request to the attribute authorizer. First, randomly select
hx ∈
Zr and
hx ≠
kx, and then send the original attribute value
kx of the attribute
x and the updated attribute value
hx to the attribute authorizer. The attribute authorizer finds the user set
RLx, owns the attribute according to
kx, and then replaces
kx with
hx. The user private key after the attribute value is replaced is
$$ S{K}_{x,I{D}_{R{L}_x}}={h}_x+H\left(I{D}_{R{L}_x}\right)n. $$
When the authorized user in the user set
RLx decrypts the ciphertext, the attribute authorizer calculates (
C2, x,
ρ(
x)) for each attribute
\( x\in {S}_{I{D}_{R{L}_x}} \).
$$ {\displaystyle \begin{array}{c}{C}_{2,x}S{K}_{\rho (x),I{D}_{R{L}_x}}={\omega}_xG\left({h}_{\rho (x)}+H\left(I{D}_{R{L}_x}\right)n\right)\\ {}={\omega}_x{h}_{\rho (x)}G+{\omega}_xH(ID) nG\end{array}}. $$
Return the result to the authorized user. After the authorized user receives the result, it calculates
$$ {\displaystyle \begin{array}{l}{C}_{1,x}-{C}_{2,x}S{K}_{\rho (x),I{D}_{R{L}_x}}\\ {}=\left({\lambda}_xG+{\omega}_xP{K}_{\rho (x)}\right)-\left({\omega}_x{h}_{\rho (x)}G+{\omega}_xH\left(I{D}_{R{L}_x}\right) nG\right)\\ {}=\left({\lambda}_xG+{\omega}_x{k}_{\rho (x)}G\right)-\left({\omega}_x{h}_{\rho (x)}G+{\omega}_xH\left(I{D}_{R{L}_x}\right) nG\right)\\ {}\ne {\lambda}_xG-{\omega}_xH\left(I{D}_{R{L}_x}\right) nG\end{array}}. $$
Therefore, the ciphertext cannot be decrypted, and the deletion operation of the encrypted data is realized.
$$ Verify\left(R,{X}_{R{L}_x},{\varOmega}_{R{L}_x}\right)\to result $$
The attribute authorizer hashes the attribute list of each user in units of users, and then uses the hash value XID of each column of the attribute list as the leaf node of the hash tree to establish a hash tree and obtain the hash tree root value R. The data owner also maintains a list of attributes of an authorized user, uses the same hash function as the attribute authorizer to calculate the hash values \( {\tilde{X}}_{ID} \) of each attribute list of the user, and generates a hash tree. When the data owner verifies whether the attribute authorizer performs an update or delete operation, the root value R of the updated attribute list hash tree is sent to the data owner by requesting the attribute authorizer, and the data owner updates the hash value \( {\tilde{X}}_{R{L}_x} \) of the user set RLx. Calculate the local hash tree root value \( \tilde{R} \) using the hash value \( {\tilde{X}}_{R{L}_x} \) and the auxiliary authentication information \( {\varOmega}_{R{L}_x} \). If \( \tilde{R}=R \), the attribute update operation requested by the data owner is successful; otherwise, the request execution fails.