Weighted Attribute Based Conditional Proxy Re-Encryption in the Cloud

Xixi Yan; Jing Zhang; Pengyu Cheng

doi:10.32604/cmc.2025.059969

icon Open Access

ARTICLE

Weighted Attribute Based Conditional Proxy Re-Encryption in the Cloud

Xixi Yan¹, Jing Zhang^2,*, Pengyu Cheng²

1 Henan Key Laboratory of Network Cryptography Technology, Network Information Security and Cryptography Laboratory, School of Software, Henan Polytechnic University, Jiaozuo, 454003, China
2 School of Computer Science and Technology, Henan Polytechnic University, Jiaozuo, 454000, China

* Corresponding Author: Jing Zhang. Email: email

(This article belongs to the Special Issue: Challenges and Innovations in Multimedia Encryption and Information Security)

Computers, Materials & Continua 2025, 83(1), 1399-1414. https://doi.org/10.32604/cmc.2025.059969

Received 21 October 2024; Accepted 21 January 2025; Issue published 26 March 2025

Abstract

Conditional proxy re-encryption (CPRE) is an effective cryptographic primitive language that enhances the access control mechanism and makes the delegation of decryption permissions more granular, but most of the attribute-based conditional proxy re-encryption (AB-CPRE) schemes proposed so far do not take into account the importance of user attributes. A weighted attribute-based conditional proxy re-encryption (WAB-CPRE) scheme is thus designed to provide more precise decryption rights delegation. By introducing the concept of weight attributes, the quantity of system attributes managed by the server is reduced greatly. At the same time, a weighted tree structure is constructed to simplify the expression of access structure effectively. With conditional proxy re-encryption, large amounts of data and complex computations are outsourced to cloud servers, so the data owner (DO) can revoke the user’s decryption rights directly with minimal costs. The scheme proposed achieves security against chosen plaintext attacks (CPA). Experimental simulation results demonstrated that the decryption time is within 6–9 ms, and it has a significant reduction in communication and computation cost on the user side with better functionality compared to other related schemes, which enables users to access cloud data on devices with limited resources.

Keywords

Cloud service; conditional proxy re-encryption; user revocation; weighted attribute

1 Introduction

Proxy re-encryption (PRE) refers to a cryptographic system with secure ciphertext transformation, where the agent acts as an intermediary for the ciphertext transformation, allowing the user to obtain the intended ciphertext. At the same time, in the process of ciphertext transformation, the agent can neither obtain the plaintext information nor the encryption key of the DO, so the agent can carry out ciphertext transformation in an untrustworthy environment. However, the disadvantage of the traditional PRE is that if the agent has the correct key for the DO, the agent can change all the ciphertexts of the DO to be decrypted by the user directly. The more granular delegation of decryption permissions that are required in a lot of application scenarios is not satisfied by this.

It was not until 2009 that Weng et al. [1] introduced the idea of Conditional proxy re-encryption (CPRE) to address this issue. This approach allows the DO to define a condition during the encryption process, which is then used to construct ciphertext with a transformation condition that can only be satisfied if the agent has a re-encryption key that satisfies that condition. The introduction of CPRE limits the ability of the agent to re-encrypt data, limiting it to transforming the partially satisfied ciphertexts of the DO even when the agent possesses the re-encryption key. Subsequently, various attribute-based conditional proxy re-encryption (AB-CPRE) schemes emerged to restrict the user’s decryption rights further. In the AB-CPRE scheme, the access structure will be used as a condition to restrict the agent from transforming the ciphertext. This optimizes the CPRE scheme in conjunction with the granular access control structure of attribute-based encryption (ABE), which provides a more granular delegation of decryption permissions than before.

The AB-CPRE scheme currently in use assumes that two users with identical attributes have the same access rights. For instance, an access policy should be set so that only physicians over 45 years old can access encrypted files. However, the physician attribute may comprise ‘director physician’, ‘associate director physician’, ‘house physician’, ‘doctor in charge of a case’. If we were to allow the director physician, associate director physician, or house physician over 45 years old to access the file, we would have to add three of the four sub-attributes divided under the physician attribute to the access structure. This access policy is {{“Director Physician” OR “Associate Director Physician” OR “house physician”} AND “Age > 45”}. Considering all possible situations will inevitably lead to a greater number of characteristics in the management system, making the access structure more complicated. The current AB-CPRE adopts the same access structure as its predecessor, treating attribute characteristics at the same level without hierarchical classification based on importance.

According to the needs of the actual situation, each attribute of the user is given a weight according to its own importance so that the user gets a set of weighted attributes. Assign weights of 4, 3, 2, and 1 to ‘director physician’, ‘associate director physician’, ‘house physician’, ‘doctor in charge of a case’, respectively. If a weighted access policy is constructed, it can only satisfy the above three cases. This weighted access policy is {“Physician {2}” AND “Age > 45”}, where “Physician {2}” indicates that the node requirement can only be satisfied if the user’s attribute weight is not less than 2. As shown in Fig. 1, the improved weighted access tree is simpler, and the effect is more pronounced as the user attributes are divided into more levels.

images

Figure 1: Comparison of access policy

By assigning appropriate weights to the attributes, the identity characteristics of each user are further refined, and the agent can more accurately restrict the user’s decryption rights through the weighted access policy. At the same time, setting a weighted access policy can further simplify the access structure. Therefore, in order to granular delegation of decryption permissions for AB-CPRE, it is meaningful to propose a weighted attribute-based conditional proxy re-encryption (WAB-CPRE) scheme at this stage.

1.1 Related Work

Blaze et al. [2] first presented the idea of PRE, who created a scheme that was fundamentally comparable to the ElGamal encryption method [3] by using a public-key cryptography algorithm with straightforward proxies. As PRE is slowly becoming an important cryptographic primitive in secure cloud computing and cloud storage, PRE is required to support a more granular delegation of decryption permissions for practical applications at this stage. Weng et al. [1] presented the idea of CPRE for the first time and proved that the scheme satisfies CCA security. However, early CPRE schemes used simple keywords or “AND” joins of multiple keywords as conditions for re-encryption by the agent, but these CPRE schemes are still somewhat unsatisfactory for the granular delegation of decryption permissions required by practical examples.

An AB-CPRE system was initially presented by Zhao et al. [4] in 2010. It allows attribute-based management of decryption delegation by allowing access structures and attribute sets to be established. The scheme embeds access structure in the re-encryption key, the collection of attributes into the ciphertext, for the first time realizing granular conditions than the keyword. A new AB-CPRE technique was suggested by Yang et al. [5], who also showed how useful the scheme is for cloud deployment. This scheme uses a ciphertext policy to realize AB-CPRE, which is more natural and flexible compared to the literature [4]. An identity-based CPRE will be presented by Yao et al. [6] in 2021. It solves the problem that the traditional PRE scheme focuses on access authorization and ignores key updates and ciphertext evolution. Subsequently, a granular certificateless CPRE scheme without pairings was proposed by Yang et al. [7]. It not only solves the problem of the traditional certificates CPRE scheme that does not support one-to-many transformations but also improves the efficiency of the scheme through the without pairings approach.

In 2023, Tang et al. [8] proposed an attribute-based verifiable CPRE scheme, which is based on homomorphic signatures, and introduced a verification server so that the re-encrypted ciphertext can be verified by a verification server. The scheme can determine whether the original ciphertext has been correctly transformed and thus can effectively detect the agent’s illegal activities. First, in 2024, a single-hop directly revocable AB-CPRE was proposed based on standard LWE assumptions [9], which provides more flexible access control while allowing the delegate to dynamically authorize and revoke a user’s decryption privileges.

However, none of the existing AB-CPRE schemes describe the importance of attributes, but in reality, the access rights of different users with the same attribute may not be the same. Liu et al. [10] generalized the traditional ABE and proposed a weighted ABE scheme by performing weighting operations on attributes according to their importance. Only when the ciphertext contains a set of attributes with different weights that satisfy the access structure can the user decrypt the ciphertext. However, this scheme is only an improvement of the traditional ABE, and there is no function for a semi-trusted agent to securely transfer the decryption right of its ciphertext. Therefore, this scheme, compared to the scheme [10], in addition to supporting the delegation of decryption rights, also has a more fine-grained delegation of decryption rights than the current AB-CPRE. Meanwhile, this program supports the direct revocation of user access rights, which solves the complex revocation work of traditional attribute-based encryption. High user-side efficiency is also a major advantage of this scheme, which enables users to decrypt access to data on cloud services on resource-constrained devices.

1.2 Contribution

A WAB-CPRE scheme will be presented in conjunction with Liu et al. [10] approach to achieve a more flexible and granular delegation of decryption permissions in a cloud computing environment. The following are the principal contributions:

• By introducing the concept of weighted attributes, the user’s identity characteristics are refined, and the decryption delegation of the AB-CPRE scheme is fine-grained. Assigning weights to each user’s attributes according to the degree of importance can relieve the number of system attributes and ease the server management burden. The effect of this simplification is more pronounced when the user hierarchizes more attributes or has more levels at which each attribute is hierarchized.

• In conjunction with CPRE technology, a weighted access tree will be set up to control user access rights. The cloud service provider (CSP) can successfully transform the ciphertext decryption permission to the user as long as the user’s collection of weighted attributes satisfies the weighted access structure set by the DO.

• By assigning the re-encryption procedures to the server, outsourcing techniques help the DO cut down on computational and communication expenses. At the same time, the scheme supports the direct revocation of the user’s decryption right, eliminating the tedious procedure of updating the ciphertext data and distributing re-encryption keys in the original revocation function.

• The security of the CPA is accomplished under decision $l$ $l$ -Expanded Bilinear Diffie-Hellman exponent ( $l$ $l$ -Expanded DBDH) assumptions. To illustrate the greater user-side computing and communication efficiency of the proposed method, simulation experiments are carried out in addition to a comparison and analysis of its functionality and performance.

1.3 Organization

The remainder of the document is arranged as follows: Section 2 focuses on basic preparatory knowledge. Section 3 gives the algorithm definition and security model, and the application scenarios are specifically analyzed at the end of this section. Section 4 details the specific construction and security analysis. Then, in Section 4, the performance analysis is made by comparing the scheme with the existing schemes. Lastly, Section 6 provides the paper’s conclusion.

2 Preliminaries

2.1 Access Structure

Definition 1: If there are $n$ $n$ participants, let ${P_{1}, P_{2}, \dots, P_{n}}$ ${P1,P2,…,Pn}$ be a collection of participants. The set $P⊆2{P1,P2,⋯,Pn}$ is monotone if $∀D,E$ : $D∈P$ , $D⊆E$ then $E∈P$ , where the access structure is a nonempty subset of ${P1,P2,…,Pn}$ , $P⊆2{P1,P2,⋯,Pn}∖(∅)$ . Assume that there is an authorized subset of set $P$ and that there are illegal sets for the other sets that are not in $P$ .

2.2 Weighted Access Tree

In the WAB-CPRE scheme, the DO uses a collection of descriptive weighted attributes $A$ to structure the associated re-encryption key. DO specifies the desired $P$ for the message and creates the ciphertext under $P$ . When a collection of descriptive weighted attributes $A$ satisfies $P$ , the CSP successfully transforms the ciphertext and transmits it to the user. We name $Γ$ , which contains both leaf and non-leaf nodes, as its weighted access tree. The non-leaf node $x$ consists of the number of sub-nodes $numx$ and the threshold $kx$ , where $0≤kx≤numx$ . When $kx=numx$ and $kx=1$ are set to “AND” and “OR” gates, the leaf node represents a weighted attribute, and the $kx$ of its parent node is increased by 1 if the user’s weight for that attribute is satisfied. The function $parent(x)$ can be called on the parent of node $x$ , while the function $att(x)$ can extract the weighted attribute connected to the leaf node. Assign a unique index value to each child node of a non-leaf node in order from 1 to $numx$ , and the function $index(x)$ is used to represent the index value of that child node.

2.3 Satisfying a Weighted Access Tree

$Γn$ is defined as a weighted access tree with root $x$ . Define a collection of attributes $A$ satisfies $Γx$ as $Γx(A)=1$ . We define a recursive algorithm to compute the value of $Γx(A)$ . The $Γx$ of a non-leaf node $x$ returns 1, and a specific number of its leaf nodes must be required to all have a $Γx′$ of 1. If $x$ is a leaf node, the value of $Γx′$ is 1 when the weight of the attribute attribute $λx$ in $A$ is not less than the weight of the attribute of the leaf node, that is, $weight(λx)≥weight(att(x))$ .

2.4 The Decisional $l$ -Expanded BDHE Assumption

We introduce the paper [11] constructing the decision $l∗$ -Expanded Bilinear Diffie-Hellman Exponent problem. The $a,b,c0,⋯,cl+1,d∈ZP$ chosen randomly and $g$ is a generating element of the cyclic group $G$ . Assume that an opponent is provided $X=$

$g,ga,gb,gab/d,gb/d∀i∈[0,2l+1],i≠l+1,j∈[0,l+1]gais,gaibs/cj∀i∈[0,l+1]gaib/ci,gci,gaid,gabci/d,gbci/d∀i∈[0,2l+1],j∈[0,l+1]gaibd/cj∀i∈[0,l+1],i≠jgaibcj/ci$

Define random tuple $(X,R)∈GT$ and tuple $(X,T=e(g,g)al+1bs)∈GT$ , where $R$ is chosen independently from $GT$ . Let Algorithm B have an advantage in solving the decision $l$ -Expanded BDHE in $G$ is $ϵ$ .

$|Pr[B(X,T=e(g,g)al+1bs)=0]−Pr[B(X,T=R)=0]|≥ϵ$

Definition 2: The assumption of decision $l$ -Expanded BDHE is valid if no algorithm is able to obtain a non-negligible advantage in polynomial time when addressing the problem.

3 Definition and Application

3.1 Algorithm Definition

$Setup(1λ,W)→Params$ : After inputting the master entity’s security parameters $1λ$ and attribute universe $W$ , this algorithm produces the scheme’s public parameters, and the public parameters are published by the master entity.

$KenGen(u)→Sku,Pku$ : The algorithm outputs the key pairs $Sku$ , $Pku$ for the user $u$ .

$Enc(PkA,m,Γ)→CA$ : Given an access tree $Γ$ input the message $m$ that you want to encrypt and the DO’s public key $PkA$ . The algorithm generates ciphertext $CA$ .

$ReKenGen(SkA,AB,PkB)→SkA→B$ : After inputting the private key $SkA$ of the DO and a collection of weighted attributes $AB$ and public key $PkB$ of the user $B$ . Subsequently, the algorithm outputs $SkA→B$ associated with the set of weighted attributes.

$ReEnc(SkA→B,CA)→CB$ : The algorithm is performed by the CSP. Enter the ciphertext $CA$ and the user’s re-encryption key $SkA→B$ . If the collection of weighted attributes $AB$ satisfies the weighted access structure $P$ , the algorithm sends the ciphertext $CB$ to the user.

$Dec(SkB,CB)→m$ : The decryption algorithm takes the key $SkB$ and the converted ciphertext $CB$ as input, which produces the plaintext $m$ if $SkB$ is a working decryption key.

3.2 Security Model Definition

Init. The adversary $𝒜$ chooses and declares a weighted access structure $P∗$ .

Setup. Challenger $ℬ$ executes the $Setup$ algorithm and outputs $params$ and then performs the $KenGen$ algorithm to obtain the key pairs $PkQ/SkQ$ . Finally, $𝒜$ sends the output $params$ to $ℬ$ .

Phase 1. Using a different collection of weight attributes $A1,A2,A3,…,Aq1$ , respectively, adversary $𝒜$ asks challenger $ℬ$ for the re-encryption keys. Subsequently, challenger $ℬ$ responds by executing the $KenGen$ algorithm to distribute the key pairs $PkJ/SkJ$ a for adversary $𝒜$ and by using the $ReKenGen(SkQ,Aj,PkQ)→rkQ→J$ algorithm to create a re-encryption key for $𝒜$ . Finally, the key pairs $PkJ/SkJ$ and $rk$ are returned to the adversary.

Challenge. Two challenge messages of identical length, $m1$ and $m2$ , are sent by the adversary. The challenger $ℬ$ tosses a coin $β$ at random and encrypts the message $mβ$ by running an $Enc$ algorithm under a weighted access structure $P∗$ and submits the ciphertext $C∗$ to $𝒜$ .

Phase 2. Using a different collection of weight attributes $Aq1+1,Aq1+2,Aq1+3,…,Aq2$ again, adversary $𝒜$ asks the challenger for the re-encryption keys. As in phase 1, the challenger returns $PkJ$ and $rk$ to the adversary if $Ai$ satisfies $P∗$ ; otherwise, $PkJ/SkJ$ and $rk$ are returned to the adversary.

Guess. A guess about $β$ is output by the adversary.

Definition 3: A WAB-CPRE scheme satisfies CPA security if, for any PPT adversary $𝒜$ , there exists a negligible function $ϵ(K)$ such that $AdvA≤ϵ(K)$ , which defines $𝒜$ ’s advantage in this game to be $AdvA=Pr[β′=β]−12$ .

3.3 Application Scenario

The system model of the WAB-CPRE scheme includes four entities: the data owner (DO), the user, the cloud service provider (CSP), and the key generation center (KGC). Using the hospital employee system as an example, we can better demonstrate the system model by designating the DO Alice and the user Bob as the medical staff and the hospital administration, respectively. Assuming that the collection of weighted attributes of the healthcare worker meets the weighted access structure set by the hospital administrator, Fig. 2a shows the data sharing procedure from the hospital administrator (Alice) to the healthcare worker (Bob), and Fig. 2b illustrates the multiple operations involved between the various entities.

images

Figure 2: System model and workflow

First, Alice sets the access rights for each file according to the roles of the accessors and delivers the encrypted ciphertext to the CSP. Subsequently, Alice assigns re-encryption keys to healthcare workers (which includes Bob) at different position levels in each department and uploads them to the CSP. The CSP stores a large amount of received ciphertext data and keys in two separate tables. Bob notifies the CSP of his requirement for access to the pertinent files by sending a request. The CSP extracts the appropriate ciphertext file and Bob’s re-encryption key from a lookup table and performs the $ReEnc$ algorithm. If Bob’s collection of attributes meets the weighted access structure, the CSP successfully transforms the ciphertext and transmits it to Bob. At last, Bob runs the algorithm to decrypt and extract the plaintext data.

The system takes advantage of cloud services by outsourcing large amounts of data and complex calculations to a CSP, which acts as a semi-trusted platform and will not extract any information from the uploaded data. Having the correct re-encryption key is an important condition for CSP to securely translate decryption permissions. When a healthcare worker leaves the hospital or joins the staff, there is no revocation of the role attribute in the system, but rather the revocation of the old healthcare worker’s access rights and the granting of the new healthcare worker’s access rights. Therefore, when a healthcare worker leaves and joins the staff, the system can remove or add the re-encryption key for that healthcare worker directly from the cloud.

4 Construction and Security Analysis

4.1 The Construction

$Setup(1λ,W)$ : First, the security parameter $1λ$ and the attribute domain $W$ are input for the algorithm. Define a bilinear map $e:G0×G0→GT$ , where $G0$ and $GT$ are cyclic groups of prime order $p$ , and $g$ is chosen as the generators of $G0$ , a hash function $H:{0,1}→G0$ . The scheme assigns a maximum weight of $li$ to each attribute separately. The random number $zi,h(i0),h(i1),…,h(ili)∈G0$ is generated for $∀wi∈W$ and published (Table 1 shows the meaning of each symbol in this scheme):

$Params={e(g,g),g,H(⋅),∀wi∈W{zi,h(i0),…,h(ili)}}$

images

$KenGen(u)$ : The key generation center first selects $xu,αu,βu∈Zp$ for user $u$ randomly and computes $yu=gxu,hu=gβu,fu=e(g,g)αu$ , then outputs user’s key pairs $Pku$ , $Sku$ .

$Sku={xu,αu,βu}$ , $Pku={yu,hu,fu}$ .

$Enc(PkA,m,Γ)$ : The DO inputs the public key $PkA$ , the message $m$ , and the weighted access tree $Γ$ . Let $Y$ be the collection of leaf nodes of a weighted access tree $Γ$ . Each leaf node $λi$ represents an attribute that has a weight value of $ωi$ , where $0<ωi<li$ . For $∀λi∈Y$ , the encryption algorithm randomly generates $s(i0),s(i1),…,s(iωi−1)∈ZP$ . Generates the secret value $s∈ZP$ of the root node $R$ and generates a polynomial $qR$ of order $kR−1$ such that $qR(0)=s$ . Then, a $kx−1$ order polynomial is generated for all child nodes $x$ of the root node $R$ , setting $qx(0)=qparent(x)(index(x))$ finally until all leaf nodes are assigned the unique secret value $s(iωi)$ . The function $att(x)$ , which indicates the attributes connected to that leaf node $x$ , is defined exclusively in cases when $x$ is a leaf node.

First, set $c=m⋅fAs$ and $c′=hAs$ .

Then let $0≤j≤ωi$ , when $j=0$ , for $∀λi∈Y$ set:

$c(i0)=gs(i0),c~(i0)=(h(i0))s(i0)$

when $0<j<ωi$ , for $∀λi∈Y$ set:

$c(ij)=gs(ij),c˜(ij)=(h(ij))s(ij)⋅H(att(λi))s(ij−1)$

when

$j=ωi$ , for

$∀λi∈Y$ set:

$c(ij)=gqλi(0),c~(ij)=(h(ij))qλi(0)⋅H(att(λi))s(ij−1)$

Finally, output ciphertext:

$CA={c,c′,∀λi∈Y{c(ij),c~(ij)}j∈[0,ωi]}$

$ReKenGen(SkA,AB,PkB)$ : The algorithm starts by picking a random number $r∈Zp$ for $∀wi∈AB$ pick $r(ij)∈Zp$ , where $j∈[0,ωi′]$ ( $ωi′$ denotes the magnitude of the weight of the weighted attribute $wi$ ).

Firstly, set $k=(yBαAgr)−βA$

Secondly, for $∀wi∈AB$ , when $j=0$ set:

$k(i0)=gr(h(i0))r(i0),k~(i0)=gr(i0)$

when $j∈(0,ωi′]$ set:

$k(ij)=g−rH(wi)r(ij),k~(ij)=gr(ij),k~~(ij)=gr(h(ij))r(ij)$

Finally, output the re-encryption key:

$SkA→B={k,k(i0),k~(i0),∀wi∈P{k(ij),k~(ij),k~~(ij)}j∈(0,ωi′]}$

$ReEnc(SkA→B,CA)$ : First, define a recursive algorithm $ReEncNdn(SkA→B,CA)$ , where $n$ is a node of the tree $Γ$ . ① In the case where $n$ is a leaf node, then define $z=att(n)$ and give the following definition: If $z∉AB$ , then $ReEncNdn(SkA→B,CA)=⊥$ ; otherwise, let $ReEncNdn(SkA→B,CA)=Fn$ . Then, run the recursive algorithm $ReEncNdn(SkA→B,CA)$ to find the specific value of $Fn$ .

First, when $j=0$ set:

$B(i0)=e(c(i0),k(i0))⋅e(c~(i0),k~(i0))−1=e(g,g)r⋅s(i0)$

Second, when $j∈(0,ωi]$ set:

$B(ij)=B(ij−1)⋅e(c(ij−1),k(ij))⋅e(c~(ij),k~(ij))−1⋅e(c(ij),k~~(ij))=e(g,g)rs(ij)$

Finally, if $ωi≤ωi′$ is satisfied, then $B(iωi)=e(g,g)r⋅qλi(0)$ and let $Fn=B(iωi)=e(g,g)r⋅qn(0)$ .

② In the case where $n$ is a non-leaf node, the recursive algorithm $ReEncNdx(SkA→B,CA)$ is called. Let $Sn$ be the set of $Fv$ of size not less than $tn$ , where $v$ is a leaf node of $n$ and $Fv≠⊥$ . Then $Fn=⊥$ if there isn’t such a collection, otherwise:

$Fn=∏v∈SnFv△i,Sn′(0),whereSn′={index(v):v∈Sn}i=index(v),=∏v∈Sn(e(g,g)r⋅qv(0))△i,Sn′(0)=∏v∈Sn(e(g,g)r⋅qparent(v)(index(v)))△i,Sn′(0)=∏v∈Sn(e(g,g)r⋅qn(i))△i,Sn′(0)=e(g,g)r⋅qn(0)$

③ If $n$ is the root node, then $Fn=e(g,g)r⋅s$ .

At last compute $c~=e(k,c′)e(g,g)r⋅s=fAs⋅xB$ and $c=m⋅fAs$ , then outputs the re-encrypted ciphertext as $CB={c,c~}$ .

$Dec(SkB,CB)$ : The user performs the decryption algorithm. After entering a valid private key $SkB$ and the re-encrypted ciphertext $CB$ , the following computation is performed to obtain the plaintext message:

$c(c~)xB−1=m⋅fAs(fAs⋅xB)xB−1=m$

4.2 Security Analysis

There are two separate situations to take into account. ① The first case is when none of the collection of attributes $Aj$ satisfies the $P∗$ . Adversary $𝒜$ would receive the key pairs $PkJ/SkJ$ and the re-encryption key $rkQ→J$ that challenger $ℬ$ provided to the user. ② The second case is when at least one of the attribute collections $Aj$ satisfies the weighted access structure $P∗$ . Therefore, the challenger $ℬ$ returns the user’s public keys $PkJ$ and $rkQ→J$ to $𝒜$ .

Assume, for the first example, that there is a polynomial-time $𝒜$ whose advantage in attacking the selective access tree model in this scheme is $AdvA$ . The security model for this case is the same as in the paper [10]. The following describes in detail the parameterization, ciphertext generation, and re-encryption key request of adversary $𝒜$ by simulator $ℬ$ during the simulation process. The simulation process is shown below:

Definition 4: Assume that the decisional $l∗$ -Expanded BDHE assumption is valid. Then, given a challenge access tree $Γ∗$ , no adversary with polynomial time could selectively compromise our system.

First, challenger $ℬ$ chooses two cyclic groups, $G0$ and $GT$ , where $g$ is the generator of $G0$ . $ℬ$ flips an arbitrary binary coin $μ$ . When $μ=0$ , $𝒜$ sets $(X,T=e(g,g)aω∗+1bs)$ ; when $μ=1$ , the challenger $ℬ$ sets $(X,R)$ , where $R$ is chosen independently from $GT$ .

Init. $𝒜$ selects and declares a weighted access structure $P∗$ .

Setup. Choose random indices $v(k0)⋯v(kω∗),vzk,a,cj,b,d,r∈Zp$ , and $ω∗$ is the weight value of attribute $k$ , $k∈U$ ( $U$ is attribute universe). The challenger uses an empty table in order to mimic the hash function $H$ . When $𝒜$ asks a query $k$ that has never been asked before, $ℬ$ computes $gvzk$ and adds a table entry $(k,gvzk)$ to the table, returning $gvzk$ to $𝒜$ . The challenger chooses a random identity $Q$ and executes the $KenGen$ algorithm to obtain key pairs $PkQ/SkQ$ , where $e(g,g)r=e(ga,gb)$ is defined and parameterized:

$h(k0)=gv(k0)⋅∏j∈[1ω∗]g−ajb/cj,h(ki)=gv(ki)⋅∏j∈[0ω∗+1],i≠jg−a(ω∗+1−j)b/c(ω∗+1−j).$

Phase 1. Adversary $𝒜$ makes a key query to the challenger. $ℬ$ implicitly setting $r(k0)=∑i∈S(k0)gci+1$ and executes the $KenGen$ algorithm using a random user identity and generates the key pairs $PkJ/SkJ$ for adversary $𝒜$ . For $∀k∈S∗$ , define a set $S(kt)$ , where $t∈[0,ω∗]$ .

When $t=0$ , set $K~(k0)=gr(k0)=∏i∈S(k0)gci+1$

$K(k0)=gab(h(k0))r(k0)=gab⋅(K~(k0))v(k0)⋅∏j∈[1ω∗],i∈S(k0)j≠i+1g−ajbci+1/cj$

When $t∈(0,ω∗]$ , set $K~(kt)=gr(kt)=∏i∈S(kt)gaid$

$K(kt)=g−ab⋅(K~(kt))vzk$

$K~~(kt)=gab(h(kt))r(kt)=gab(K~(kt))vzk⋅∏j∈[0ω∗+1],i∈S(kt)j≠ig−aω∗+1−j+ibd/cω∗+1−j.$

Challenge. When $ℬ$ starts to create a challenge ciphertext, it is necessary first to establish the individual node polynomials of the access tree $Γx$ . If the collection $S$ does not satisfy $Γx$ , then $Γx(S)=0$ . To access all sub-nodes $x′$ of the tree $Γx$ , define $λx′∈Zp$ and compute $λx′=qx(index(x′))$ . Ultimately, polynomials for the remaining nodes are recursively created.

When $x′$ is a sub-node of $x$ that satisfies the collection of weighted attributes, the value of $qx(index(x′))$ can be calculated. The simulator subsequently runs the recursive algorithm $RecSat(Γx′,S,qx(index(x′)))$ to generate a polynomial for that node. If the node $x′$ is an unsatisfiable child node, the value of $gqx(index(x′)$ can be computed by interpolation algorithm. The simulator then runs the recursive algorithm $RecUnsat(Γx′,S,gqx(index(x′)))$ to generate a polynomial for the node. At last, the value of $qk(0)$ for each leaf node is output, $k$ .

Let $s(ki)=airk′∈Zp$ . Two equal-length challenge messages $m1$ and $m2$ , are submitted by adversary $𝒜$ , and the challenger tosses a coin, $β$ .

$Cm=mβ⋅T,c(k0)=grk′,$

$c~(k0)=(h(k0))rk′=(grk′)v(k0)⋅∏j∈[1,ωk∗]gaibrk′/cj.$

When $i∈(0,ω∗]$ , it set:

$c(ki)=gai⋅rk′,c~(ki)=(gai⋅rk′)v(ki)⋅(gai−1⋅rk′)vzk⋅∏j∈[1,ωk∗]gaω∗+1−j+ibrk′/cω∗+1−j.$

If $T=e(g,g)aω∗+1bs$ is a correct Expanded BDHE tuple, then $Cm$ is the ciphertext encrypted by $mβ$ . If not, then $Cm$ is a random element in $GT$ , and $𝒜$ will not have access to valid information about $β$ .

Guess. $𝒜$ will provide a guess $β′$ . Judge the output according to the following rules: If $β′=β$ , the simulator outputs 1. If not, the simulator outputs 0.

When the simulator outputs 1, the simulation attack view of adversary $𝒜$ is the same as the actual attack view, so that we can get $Pr[B(y,T=e(g,g)aω∗+1bs)=0]=12+AdvA$ . On the other hand, if the simulator returns 0, then the message $mβ$ is concealed from $𝒜$ , where $T$ is a random selection from $GT$ . As a result, the simulator is able to play that game with a non-negligible advantage.

For the second scenario, the collection of weighted attributes $Aj$ of the key query performed by $𝒜$ all satisfy the challenge weighted access structure $P∗$ . Thus, $𝒜$ can obtain the transformed ciphertext. A detailed description of the proposed scheme’s security game under the CPA follows.

Init. $𝒜$ selects and declares a weighted access structure $P∗$ .

Setup. As in the same case, challenger $ℬ$ sets the public parameters and sends them to $𝒜$ . Subsequently, $ℬ$ selects a random identity $Q$ and executes the $KenGen$ algorithm to obtain the public $PkQ$ and private key $SkQ$ .

Phase 1. The adversary $𝒜$ performs a re-encryption key lookup operation by providing a weighted attribute set $Aj$ to the challenger $ℬ$ (This weighted attribute set $Aj$ satisfies the weighted access structure $P∗$ ). For the weighted access structure $Aj$ received by the challenger for the $j$ th time, $ℬ$ first randomly chooses $xJ,αJ,βJ∈Zp$ and generates the private key $SkJ$ of $𝒜$ . Subsequently, select $r,r(it)$ , where $i∈Aj,t∈[0,ωi∗]$ , and return $PkQ$ , $PkJ$ , $rk={k=(yJαQgr)−βQ,k(it),k~(it),∀i∈A{k(it),k~(it),k~~(it)}t∈(0,ωi∗]}$ to $𝒜$ .

Challenge. Challenger $ℬ$ chooses $s,s(it)∈ZP$ , where $i∈Aj,t∈[0,ωi∗−1]$ . Then, the challenger distributes secret values according to $P∗$ declared by $𝒜$ so that each leaf node of $Γ$ is assigned a unique secret value. Finally, after $𝒜$ sends two challenge messages $m1,m2$ , $ℬ$ chooses $ϑ∈ZP$ , and computes $c=e(g,g)ϑ,c′=gβ⋅s$ to return the ciphertext $C$ to $𝒜$ .

Phase 2. The challenger keeps answering A’s questions on re-encryption key generation.

Guess. A guess about $β$ is output by the adversary $𝒜$ .

We will cite a game [12] where the challenged ciphertext $c$ is either $e(g,g)α⋅s$ or $e(g,g)ϑ$ , where $ϑ∈ZP$ . The adversary $𝒜$ has to guess which is correct. Next, we prove with likelihood $1−O(q2/p)$ that A’s guess is $c=e(g,g)α⋅s$ in the simulation. Adversary $𝒜$ has an advantage of at most $O(q2/p)$ given $c=e(g,g)α⋅s$ , since the challenge message $c=e(g,g)ϑ$ is independent of the encrypted message.

When $𝒜$ requests the group oracles, we require $𝒜$ to obtain values only from the simulation. Here we consider an oracle query as a rational function $π=γ/η$ and $𝒜$ queries only in the variables $xA,xB,αA,αB,βA,βB,s,s(it),r,r(i,t)$ . Since the adversary’s two different formal rational functions $γ/η$ , $γ′/η′$ will have an accidental collision caused by the random choice of variables, the condition is set that no collision of this kind occurs in any of the groups $G0$ , $GT$ . A collision occurs if and only if for different rational functions $γ/η$ and $γ′/η′$ of the query satisfy $γη′−ηγ′=0$ . Note that the total degree of $γη′−ηγ′$ is in our case at most 5, the likelihood of this event, according to the Schwartz-Zippel Lemma [13,14], is $O(1/p)$ . By a union bound, the probability of a collision occurring is maximized to $O(q2/p)$ so that it can be calculated that there is a $1−O(q2/p)$ probability that no accidental collision will occur.

Conditional on the absence of collisions, if the challenger sets $ϑ=α⋅s$ , we must show that the opponents’ views are identically distributed. In particular, under the above setup conditions, the only way to make an adversary’s viewpoint different is two queries $π$ , $π′$ in $G0$ such that $π≠π′$ but $π|ϑ=α⋅s≠π′|ϑ=α⋅s$ . However, that case will not occur since only $e(g,g)ϑ$ is computed from the element $ϑ$ in $G0$ . Thus, for some constant $ψ≠0$ , one must have $π−π′=ψαs−ψϑ$ . When we provide a query a to the adversary, the adversary $𝒜$ will never be able to construct a query for $e(g,g)ψαs$ as long as there is no accidental collision, which contradicts the above theory, thus proving the theorem.

4.3 Correctness Analysis

This subsection demonstrates the correctness of the scheme. First, this subsection shows the process of DO $A$ decrypting the original ciphertext $CA$ using the original key $SkA$ . Secondly, a correctness proof of the evolution of the ciphertext from the original ciphertext $CA$ to $CB$ is given. Finally, evidence of the correctness of the evolved ciphertext $CB$ in the decryption process is presented.

(1) Decryption of original ciphertext $CA$ : The original encrypted message and the public-private key pair obtained by the DO are $CA={c,c′,∀λi∈Y{c(ij),c~(ij)}j∈[0,ωi]}$ , $SkA={xA,αA,βA}$ and $PkA={yA,hA,fA}$ respectively. The decryption of original ciphertext is given as follows:

$m⋅fAse(g,hAs)αA⋅βA−1=m⋅e(g,g)αAe(g,gβA)αA⋅βA−1=m$

(2) The agent acquires the evolved ciphertext $CB$ : Upload the original ciphertext $CA={c,c′,∀λi∈Y{c(ij),c~(ij)}j∈[0,ωi]}$ and the re-encryption key $SkA→B={k,k((i0)),k~((i0)),∀w∈P{k(ij),k~(ij),k~~(ij)}j∈(0,ωi′]}$ to the cloud server. Only the process of calculating $c~$ is given below, and $c$ is the same as the original ciphertext:

$c~=e((yBαAgr)−βA,hAs)e(g,g)rs(ij−1)⋅e(c(ij−1),k(ij))⋅e(c~(ij),k~(ij))−1⋅e(c(ij),k~~(ij))=e((yBαAgr)−βA,hAs)e(g,g)rs(ij−1)⋅e(gs(ij−1),g−rH(wi)r(ij))⋅e((h(ij))s(ij)⋅H(att(λi))s(ij−1),gr(ij))−1⋅e(gs(ij),gr(h(ij))r(ij))=e((yBαAgr)−βA,hAs)e(g,g)rs(ij−1)⋅e(gs(ij−1),g−r)⋅e(gs(ij−1),H(wi)r(ij))⋅e((h(ij))s(ij),gr(ij))−1⋅e(H(att(λi))s(ij−1),gr(ij))−1⋅e(gs(ij),gr)⋅e(gs(ij),(h(ij))r(ij))=e((yBαAgr)−βA,hAs)e(gs(ij),gr)=e((gxBαAgr)−βA,gβA⋅s)e(g,g)r⋅s=fAs⋅xB$

(3) Decryption of delegated ciphertext $CB$ :When the user wants to access the ciphertext $CA$ , the agent will use the re-encryption key $SkA→B$ of user $B$ to obtain the evolved ciphertext $CB$ . Subsequently, the user decrypts it using his private key $SkB={xB,αB,βB}$ and the $CB={m⋅fAs,fAs⋅xB}$ obtained from the agent. The derivation process is as follows:

$m⋅fAs(fAs⋅xB)−xB=m$

5 Performance Analysis

5.1 Performance Comparison

As shown in Table 2, it demonstrates the functionality and performance comparison of the proposed scheme with Xiong’s scheme [16], Yao’s scheme [6,15,17]. Let $tw,tv,tm,te$ and $tp$ denote the computation time of signature verification, ciphertext verification, multiplication operation, modular exponentiation, and pairing, respectively.

images

Firstly, Table 2 shows the comparison of two key features, namely “whether to support weighting of attributes” and “whether to support direct revocation by the user.” In real-application scenarios, CSP usually requires fine-grained data sharing and efficient user revocation. Therefore, the two functions in Table 2 are important in cloud storage services today, and only the proposed scheme supports both functions. Second, the proposed scheme has high efficiency on the user side because the complex pairing operation in the previous decryption algorithms is replaced by the re-encryption algorithm, which is implemented by the CSP. The length of the ciphertext obtained at the user side is only 2 $|GT|$ . As shown in Table 2, decryption requires only power and multiplication operations, making the decryption cost much lower than other related schemes.

In summary, compared with other relative schemes, the proposed scheme has the smallest re-encrypted ciphertext size, which effectively enhances the communication efficiency on the user side, and adds additional functions such as weighting of attributes and attribute revocation so that the proposed scheme has a far wider range in the realm of health care.

5.2 Experimental Results

In this paper, the experimental environment is IntelliJ IDEA Community Edition 2023, and Java Pairing Based Cryptography Library and elliptic curves chosen as class $A$ curves $y2=x3+x$ of $Fq$ over the domain. It runs on a computer with parameters of 2.30 GHz Inter(R) Core (TM) i7-12700H, 16.0 GB of RAM, and operating system Windows 11.

The time consumed in running the decryption algorithm 100 times in the simulation experiment is listed as shown in Fig. 3a. The maximum time required to decrypt the ciphertext is 8.9 ms, and the minimum is 6.03 ms. The time consumed for user decryption is kept in the range of 6–9 ms and does not grow with the magnitude of user attributes. In addition, we perform communication overhead tests of the scheme’s decryption algorithm on a smartphone with a 2.4 GHz CPU and 8 GB RAM. The experimental results demonstrate that the communication overhead for the user is 2 $|GT|$ , which is about 0.8 kb in the implementation.

images

Figure 3: (a) Decryption time cost; (b) Comparison of decryption time cost [6,15–17]

We use the average of one hundred decryption times as the decryption time for this scheme. As can be seen in Fig. 3b, the proposed scheme has the least user decryption time overhead compared to other schemes. Although this scheme is constructed based on bilinear mapping, the decryption algorithm does not have a pairing operation with high overhead. Therefore, the proposed scheme has less computation and communication overhead on the user side, making it feasible for users to access cloud servers with resource-constrained devices.

6 Conclusion

In order to make cloud servers satisfy as high as possible access control mechanisms, a WAB-CPRE scheme is proposed. By combining weighted attribute-based encryption, the proposed scheme provides more granularity and a more flexible access structure for decryption. The scheme also supports CSP in performing direct revocation of user access rights, and there is no computational cost to achieve revocation. In addition, the user side of the scheme has low computational and communication overhead, enabling users to access cloud service data even in device-constrained environments. In the future, our motivation is to construct a more effective CPRE scheme where the DO can directly revoke a user’s weighted attributes.

Acknowledgement: Thanks to my tutor for careful guidance and the help of my classmates.

Funding Statement: Programs for Science and Technology Development of Henan Province, grant number 242102210152. The Fundamental Research Funds for the Universities of Henan Province, grant number NSFRF240620. Key Scientific Research Project of Henan Higher Education Institutions, grant number 24A520015. Henan Key Laboratory of Network Cryptography Technology, grant number LNCT2022-A11.

Author Contributions: Xixi Yan: the main idea, conceptualization and methodology. Jing Zhang: The framework was built, the encryption scheme was written, the security proof was derived, and the experimental analysis and test were carried out. Pengyu Cheng: Integration and analysis of experimental data. All authors reviewed the results and approved the final version of the manuscript.

Availability of Data and Materials: The authors confirm that the data supporting the findings of this study are available within the article.

Ethics Approval: Not applicable.

Conflicts of Interest: The authors declare no conflicts of interest to report regarding the present study.

References

1. Weng J, Deng RH, Ding X, Chu CK, Lai J. Conditional proxy re-encryption secure against chosen-ciphertext attack. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security; 2009; Sydney Australia: ACM. p. 322–32. doi:10.1145/1533057.1533100. [Google Scholar] [CrossRef]

2. Blaze M, Bleumer G, Strauss M. Divertible protocols and atomic proxy cryptography. In: Advances in cryptology-EUROCRYPT’98. Berlin, Heidelberg; 1998. p. 127–44. [Google Scholar]

3. Elgamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans Inf Theory. 1985;31(4):469–72. doi:10.1109/TIT.1985.1057074. [Google Scholar] [CrossRef]

4. Zhao J, Feng D, Zhang Z. Attribute-based conditional proxy re-encryption with chosen-ciphertext security. In: 2010 IEEE Global Telecommunications Conference GLOBECOM 2010; 2010 Dec 6–10; Miami, FL, USA: IEEE; 2010. p. 1–6. doi:10.1109/GLOCOM.2010.5684045. [Google Scholar] [CrossRef]

5. Yang Y, Zhu H, Lu H, Weng J, Zhang Y, Choo KR. Cloud based data sharing with fine-grained proxy re-encryption. Pervasive Mob Comput. 2016;28(1):122–34. doi:10.1016/j.pmcj.2015.06.017. [Google Scholar] [CrossRef]

6. Yao S, Dayot RVJ, Kim HJ, Ra IH. A novel revocable and identity-based conditional proxy re-encryption scheme with ciphertext evolution for secure cloud data sharing. IEEE Access. 2021;9:42801–16. doi:10.1109/ACCESS.2021.3064863. [Google Scholar] [CrossRef]

7. Yang H, Li L, Yang C. A fine-grained certificateless conditional proxy broadcast re-encryption scheme without pairing. In: 2022 IEEE 10th Joint International Information Technology and Artificial Intelligence Conference (ITAIC); 2022 Jun 17–19; Chongqing, China: IEEE; 2022. p. 1414–23. doi:10.1109/ITAIC54216.2022.9836814 [Google Scholar] [CrossRef]

8. Tang Y, Jin M, Meng H, Yang L, Zheng C. Attribute-based verifiable conditional proxy re-encryption scheme. Entropy. 2023;25(5):822. doi:10.3390/e25050822. [Google Scholar] [PubMed] [CrossRef]

9. Wang Y, Wang M. Improved AB-CPREs with revocability and HRA security under LWE. IET Inf Secur. 2024;2024(1):4333883. doi:10.1049/2024/4333883. [Google Scholar] [CrossRef]

10. Liu X, Ma J, Xiong J, Li Q, Ma J. Ciphertext-policy weighted attribute based encryption for fine-grained access control. In: 2013 5th International Conference on Intelligent Networking and Collaborative Systems; 2013 Sep 9–11; Xi’an, China: IEEE; 2013. p. 51–7. doi:10.1109/INCoS.2013.18. [Google Scholar] [CrossRef]

11. Waters B. Functional encryption for regular languages. In: Annual International Cryptology Conference; 2012; Berlin/Heidelberg: Springer; p. 218–35. [Google Scholar]

12. Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy (SP ‘07); 2007 May 20–23; Berkeley, CA, USA: IEEE; 2007. p. 321–34. doi:10.1109/SP.2007.11. [Google Scholar] [CrossRef]

13. Schwartz JT. Fast probabilistic algorithms for verification of polynomial identities. J ACM. 1980;27(4):701–17. doi:10.1145/322217.322225. [Google Scholar] [CrossRef]

14. Zippel R. Probabilistic algorithms for sparse polynomials. In: Proceedings of the International Symposiumon on Symbolic and Algebraic Computation; 1979; Berlin/Heidelberg: Springer. p. 216–26. [Google Scholar]

15. Yao S, Dayot RVJ, Ra IH, Xu L, Mei Z, Shi J. An identity-based proxy re-encryption scheme with single-hop conditional delegation and multi-hop ciphertext evolution for secure cloud data sharing. IEEE Trans Inf Forensics Secur. 2023;18(2):3833–48. doi:10.1109/TIFS.2023.3282577. [Google Scholar] [CrossRef]

16. Xiong H, Wang Y, Li W, Chen CM. Flexible, efficient, and secure access delegation in cloud computing. ACM Trans Manage Inf Syst. 2019;10(1):1–20. doi:10.1145/3318212. [Google Scholar] [CrossRef]

17. Yao S, Sankar R, Ra IH. A collusion-resistant identity-based proxy reencryption scheme with ciphertext evolution for secure cloud sharing. Secur Commun Netw. 2020;2020:8833693. doi:10.1155/2020/8833693. [Google Scholar] [CrossRef]

Cite This Article

APA Style

Yan, X., Zhang, J., Cheng, P. (2025). Weighted attribute based conditional proxy re-encryption in the cloud. Computers, Materials & Continua, 83(1), 1399–1414. https://doi.org/10.32604/cmc.2025.059969

Vancouver Style

Yan X, Zhang J, Cheng P. Weighted attribute based conditional proxy re-encryption in the cloud. Comput Mater Contin. 2025;83(1):1399–1414. https://doi.org/10.32604/cmc.2025.059969

IEEE Style

X. Yan, J. Zhang, and P. Cheng, “Weighted Attribute Based Conditional Proxy Re-Encryption in the Cloud,” Comput. Mater. Contin., vol. 83, no. 1, pp. 1399–1414, 2025. https://doi.org/10.32604/cmc.2025.059969

BibTex EndNote RIS

Copyright © 2025 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Table of Content

Weighted Attribute Based Conditional Proxy Re-Encryption in the Cloud

Abstract

Keywords

References

Cite This Article

227

75

0

Related articles

Further Information

Guidelines

Follow Us

Join Us

Share Link