An Efficient Ciphertext-Policy Attribute-Based Encryption Scheme with Policy Update

Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution to the problem for enforcing fine-grained access control over encrypted data in the cloud. However, when applying CP-ABE to data outsourcing scenarios, we have to address the challenging issue of policy updates because access control elements, such as users, attributes, and access rules may change frequently. In this paper, we propose a notion of access policy updatable ciphertext-policy attribute-based encryption (APU-CP-ABE) by combining the idea of ciphertext-policy attribute-based key encapsulation and symmetric proxy re-encryption. When an access policy update occurs, data owner is no longer required to download any data for re-encryption from the cloud, all he needs to do is generate a re-encryption key and produce a new encapsulated symmetric key, and then upload them to the cloud. The cloud server executes re-encryption without decryption. Because the re-encrypted ciphertext is encrypted under a completely new key, users cannot decrypt data even if they keep the old symmetric keys or parts of the previous ciphertext. We present an APU-CP-ABE construction based on Syalim et al.’s Syalim, Nishide and Sakurai (2017)] improved symmetric proxy re-encryption scheme and Agrawal et al.’s Agrawal and Chase (2017)] attribute-based message encryption scheme. It requires only 6 bilinear pairing operations for decryption, regardless of the number of attributes involved. This makes our construction particularly attractive when decryption is time-critical.