Attacking Pairing-Free Attribute-Based Encryption Schemes

Combining several results that have been published in the last years, it is known that it is impossible to design simple and secure attribute-based encryption schemes that work in (classical) settings like the RSA or the pairing-free discrete logarithm ones. The purpose of this article is to broadcast this message through a wide (maybe non-cryptographic) audience, specially now that attribute-based encryption is considered as a useful tool to secure real systems like the Internet of Things. Today, only attribute-based encryption schemes that employ tools like bilinear pairings or lattices can provide some real (and provable) level of security. As an example of the fact that this message is still unknown for many people, we revisit a (maybe non exhaustive) list of articles proposing such insecure attribute-based encryption schemes: we recall which of these schemes have already been attacked and we describe attacks for the other ones.


I. INTRODUCTION
Attribute-based encryption (ABE for short) is a cryptographic primitive that allows fine-grained access to encrypted data. Secret keys of users and ciphertexts are associated to sets of attributes and decryption policies, in such a way that a user can decrypt a ciphertext if and only if the subset of attributes satisfies the decryption policy. When secret keys are associated to sets of attributes and ciphertexts are associated to decryption policies, we have ciphertext-policy attribute-based encryption (CP-ABE) [1]. When secret keys are associated to decryption policies and ciphertexts are associated to sets of attributes, we have key-policy attribute-based encryption (KP-ABE) [5].
ABE is receiving a lot of attention in the last years, due to its potential application in several real-life settings, including the Internet of Things (IoT) one. Unfortunately, most of the proposed ABE schemes employ sophisticated mathematical objects, like bilinear pairings or lattices. This leads to schemes where either the keys are very long or the running time of encryption/decryption is a bit high, quite far from the lightweight requirements imposed by settings like IoT. To remedy this situation, several authors have proposed ABE schemes which do not employ bilinear pairings or lattices, The associate editor coordinating the review of this manuscript and approving it for publication was Mamoun Alazab . but instead employ classical cryptographic operations, like RSA operations or operations in a cyclic group of prime order where the discrete logarithm is supposed to be hard (for instance, some sets of points of elliptic curves). The list of such articles contains [9], [11], [12], [16], [17], [19] and maybe some others. These articles even come with a formal security proof that relates the difficulty of breaking the corresponding ABE scheme with the hardness of solving some well-studied (and conjectured hard) mathematical problem, like the Decisional Diffie-Hellman (DDH) or the RSA problems.
For people in the cryptographic community, these schemes should look surprising: attribute-based encryption (originally fuzzy identity-based encryption [14]) was proposed as a generalisation of identity-based encryption (IBE), a notion that had been introduced in 1984 [15]. IBE has received a lot of attention (much more than ABE) and right now people are convinced of the real difficulty of designing IBE schemes which work (in a simple way) in classical settings like the RSA one or the pairing-free discrete logarithm one. It has even been proved that it is impossible to (generically, in a black box way) design IBE schemes based on trapdoor permutations or public key encryption or assumptions like DDH [2], [13]. In particular, the only secure IBE scheme in the pairing-free discrete logarithm setting seems to be that in [4]; it is mainly of theoretical interest because it is very inefficient: it uses garbled circuits (and so, non black box operations) to bypass the aforementioned impossibility results.
A formal proof that constructing ABE schemes is more difficult than constructing IBE schemes was given in [7]. Therein, it was proved that any ABE scheme supporting at least AND policies can be transformed into an IBE scheme. All the ABE schemes in the list [9], [11], [12], [16], [17], [19] support at least AND policies. Therefore, combining any of these schemes with the construction in [7] would lead to an (efficient) IBE scheme in either the RSA or the pairing-free discrete logarithm setting. Since designing such IBE schemes in a secure way looks very hard (or impossible in some situations), the consequence is that the ABE schemes in those articles cannot be secure. A first evidence of this fact was already given in [7], where attacks on the CP-ABE schemes in [9], [12] were described. Later, an attack on the KP-ABE scheme in [19] was described in [17], where the authors propose a possible way to fix the insecurity of the scheme in [19]; the resulting KP-ABE still works in the pairing-free discrete logarithm setting, which once again should raise suspicions on its security. We note here that the KP-ABE scheme in [16] is very similar to that in [19], and that the attack described in [17] easily extends to the scheme in [16].

A. OUR CONTRIBUTIONS
The main goal of this article is to recall, once again, that designing simple and efficient ABE schemes that work in (classical) settings like the RSA or the pairing-free discrete logarithm ones is impossible, 1 given the results in [2], [7], [13]. Therefore, the purpose of this article is to discourage authors (and also journal editors and reviewers) from publishing articles with ABE schemes which will almost certainly be insecure. This is important for communities, like the IoT one, which do not necessarily have deep knowledge of sophisticated primitives like ABE. Actually many of the insecure schemes that we are discussing here are presented (sometimes even including the word IoT in the title) as a nice, secure and very efficient tool to implement IoT systems. So we hope that this manuscript may help specifically to the IoT community.
Therefore, the main contribution of this article is maybe more educational than scientific, and is contained essentially in this Section I. In any case, we give specific examples of the general message, by describing specific attacks on the ABE schemes proposed in [11], [17]. Combining these attacks with the existing attacks [7], [17] that we already mentioned in the previous section, we conclude that all the ABE schemes proposed in the above-mentioned list of articles are indeed insecure, as expected. This list of articles may be incomplete, but if there are other articles out of this list which propose similar ABE schemes, they must be insecure as well. We briefly discuss the case of two schemes in the literature which are wrongly presented as ABE schemes, but which are not [3], [10].
Summing up, encryption schemes which are really attribute-based ones and which provide a formal and provable security guarantee require the use of sophisticated (and less efficient) mathematical tools like bilinear pairings or lattices. If some article claims to provide a secure ABE scheme in a classical setting, then there are many chances that either the scheme is not secure or the scheme is not fully attribute-based.

B. ORGANIZATION OF THIS ARTICLE
The rest of this article is organized as follows. In Section II we recall the notions of attribute-based encryption schemes: we give the syntax definition and the required security properties for such schemes. In Section III we present an explicit attack against the ABE scheme proposed in [17], that works in the pairing-free discrete logarithm setting. The attack is valid also for other similar schemes [16], [19]. In Section IV we present an explicit attack against the ABE scheme proposed in [11], that works in the RSA setting. Finally in Section V we briefly discuss a couple of schemes that are wrongly presented as ABE schemes [3], [10].

II. DEFINITIONS FOR ABE: PROTOCOLS AND SECURITY
The two main notions of attribute-based encryption, ciphertext-policy ABE and key-policy ABE, are dual: the roles of attribute sets and decryption policies are swapped. The result in [7] that an ABE scheme supporting AND policies implies an IBE scheme is valid for both notions (in [7] the formal proof is given only for the CP-ABE case, but the proof for the KP-ABE case works almost in the same way).
Since the ABE schemes that we are going to attack in this article belong to the two categories, we describe the general syntax of both CP-ABE and KP-ABE encryption. Regarding security, we describe it for both notions in a unified and quite informal way, which will be enough to understand why the considered schemes [11], [17] are insecure.

A. CP-ABE: SYNTACTIC DEFINITION
A ciphertext-policy attribute-based encryption scheme CP-ABE consists of four probabilistic polynomial-time algorithms: • CP-ABE.Setup(1 λ , U, F). The setup algorithm takes as input a security parameter λ, the total universe of attributes U = {at 1 , . . . , at n } and the family F of decryption policies that the scheme supports. It outputs some public parameters pms and a master secret key msk.
• CP-ABE.KeyGen(A, msk, pms). The key generation algorithm takes as input the master secret key msk, the public parameters pms and a set of attributes A ⊂ U satisfied by the user. The output is a private key sk A .
• CP-ABE.Encrypt(m, P, , pms). The encryption algorithm takes as input the public parameters pms, VOLUME 8, 2020 a message m and a decryption policy (P, ) where P ⊂ U and ⊂ 2 P satisfies ∈ F. The output is a ciphertext C.
• CP-ABE.Decryption(C, P, , sk S , pms). The decryption algorithm takes as input a ciphertext C, a decryption policy (P, ), a secret key sk A and the public parameters pms. The output is a messagem. The property of correctness requires that, if the following four protocols are run: Regarding the family F of admitted decryption policies, F may for instance contain all the possible policies, F = { ⊂ 2 U }, or may contain all the monotone increasing A particular, more restrictive, case of threshold policies corresponds to AND policies, of the form (|P|,P) = {P}, containing only one subset, P ⊂ U.

B. KP-ABE: SYNTACTIC DEFINITION
A key-policy attribute-based encryption scheme KP-ABE consists of four probabilistic polynomial-time algorithms: • KP-ABE.Setup(1 λ , U, F). The setup algorithm takes as input a security parameter λ, the total universe of attributes U = {at 1 , . . . , at n } and the family F of decryption policies that the scheme supports. It outputs some public parameters pms and a master secret key msk.
• KP-ABE.KeyGen(P, , msk, pms). The key generation algorithm takes as input the master secret key msk, the public parameters pms and a decryption policy (P, ) where P ⊂ U and ⊂ 2 P satisfies ∈ F. The output is a private key sk (P, ) .
• KP-ABE.Encrypt(m, A, pms). The encryption algorithm takes as input the public parameters pms, a message m and a set of attributes A ⊂ U. The output is a ciphertext C.

C. SECURITY OF ABE SCHEMES
An ABE scheme is secure if an adversary who knows many secret keys is not able to obtain any information on the plaintext m encrypted in a ciphertext C, of course assuming that none of the secret keys alone is enough to decrypt C.
That is, in the CP-ABE setting, the adversary is able to query for secret keys of subsets of attributes A 1 , A 2 , . . . , A k and then he requests for an encryption C * of either m 0 or m 1 for a decryption policy (P, ) such that A i ∩ P / ∈ , for all i = 1, . . . , k. The CP-ABE scheme is secure if such an adversary cannot distinguish if the received ciphertext C * decrypts to m 0 or to m 1 .
In the KP-ABE setting, the adversary is able to query for secret keys of decryption policies (P 1 , 1 ), . . . , (P k , k ) and then he requests for an encryption C * of either m 0 or m 1 for a subset of attributes This is the basic idea, that can be formalised with an experiment involving a challenger and an adversary. The experiment can have slight modifications, for instance by requiring the adversary to choose the challenge decryption policy (in the CP-ABE case) at the beginning of the experiment or not, or by allowing the adversary to make also decryption queries to an oracle. These variations lead to different security notions like adaptive versus selective security, or security against chosen-ciphertext attacks versus security against chosen-plaintext attacks. This is not really relevant in this work, because the attacks that we are going to describe are simple selective and chosen-plaintext attacks; they work even for the most limited type of adversaries.

III. ATTACK AGAINST THE KP-ABE SCHEME [17], IN THE PAIRING-FREE DISCRETE LOGARITHM SETTING
The classical Discrete Logarithm framework consists of a cyclic group G of prime order p. Examples of such groups are some groups of points in elliptic curves or subgroups of Z q , when p|q − 1. We will use additive notation in G, that is, G = {aP, a ∈ {0, 1, . . . , p − 1}}, where P is a generator of G. The prime number p and the generator P are public information, available to everybody.
A. DESCRIPTION OF THE KP-ABE SCHEME IN [17] Article [17] has two contributions-The first one is an attack against the KP-ABE scheme in [19], which is correct. The second one is a modification of the (insecure) scheme in [19] along with a security proof for the new KP-ABE scheme. This second contribution is incorrect; maybe the new scheme cannot be attacked with the same strategy as the authors of [17] used to attack the original scheme [19], but there are other attacks as we show here.
For simplicity, we only describe the Setup and Key Generation protocols of their KP-ABE scheme, and for the particular case of policies (t,P) consisting of a single (t, P)-threshold gate on a subset P = {at i 1 , . . . , at i k } ⊂ U of k attributes inside the global universe U = {at 1 , at 2 , . . . , at n } of n attributes. This will be enough to describe our attack and to understand that the scheme in [17] is not secure (in particular, the security analysis provided in [17] must be wrong).
Setup(1 λ , U, F (t,P) ). The setup algorithm starts by choosing a cyclic group G of prime order p, such that p is λ bits long, and a generator P of G. A total of n + 1 random and independent elements s, s 1 , s 2 , . . . , s n ∈ Z p are chosen. For each i ∈ {1, . . . , n}, the value P i = s i P is computed; the value Y = sP is also computed. A suitable pseudo-random function PRF is chosen, whose outputs are elements of Z p .
The key generation algorithm takes as input a subset of attributes P ⊂ U and a threshold t satisfying 1 ≤ t ≤ |P|, which define a threshold decryption policy (t,P) , the master secret key msk and the public parameters pms.
Let us denote the subset of attributes as P = {at i 1 , . . . , at i k }. Choose at random a seed r, and compute for each j ∈ {1, . . . , k} the value α j = PRF(r, i j ).
Choose at random a polynomial f (x) ∈ Z p [X ] with degree at most t − 1 such that f (0) = s. For each at i j ∈ P define the value D i j = f (α j ) s i j mod p (here division means multiplication with the inverse modulo p).
The secret key that is sent to the user is sk (P,t) = (r, D i 1 , . . . , D i k ). Note that r must be included in the secret key of the user; otherwise, the user could not compute the values α j which are needed to run polynomial interpolation, in the decryption phase.

B. THE ATTACK
If the scheme was secure, an adversary who could make (many) queries for the (2, 2)-threshold policy defined on the set of two attributes {at 1 , at 2 } should not be able to decrypt ciphertexts that have been computed for the set {at 1 } consisting of a single attribute. However, we show that an adversary needs to make just two secret key queries for the (2, 2)-threshold policy in order to get the value s s 1 mod p, which is the value that a (honest) user with (1, 1)-threshold decryption policy on {at 1 } would get. Therefore, our adversary would be able to decrypt the same ciphertexts as that honest user, which clearly breaks the (wrongly claimed) security of the KP-ABE scheme in [17]. In other words, what we present is a key-recovery attack, which is stronger than an attack against the IND-CPA property; in any case, the conclusion is that the KP-ABE scheme in [17] is not secure.
The first key sk (1) corresponds to a random degree-1 polynomial f (1) (x) = s + a (1) x, so we have Analogously, the second key sk (2) corresponds to a random degree-1 polynomial f (2) (x) = s + a (2) x, so we have Isolating a (1) in (2) and substituting it in (1), we can write Doing the same in (3) and (4), we end up in Now we can multiply (5*) with c (2) and substract the result of multiplying (6*) with c (1) , to remove the element s 2 s 1 , obtaining the equality 1 mod p (7) Due to the random properties of the pseudo-random function PRF, we have that b (1) = 0, b (2) = 0 and b (1) (1) = 0 with all but negligible probability. In particular, the value s s 1 mod p can be computed by the adversary from equation (7), which finishes the description of the attack. [16], [19] The scheme in [19] can be seen as a simplified version of the scheme in [17], where the the pseudo-random function PRF is not used at all and computation α j = PRF(r, i j ) is (essentially) replaced with α j = i j . This simplified version was already attacked in [17], and we remark here that our attack of the previous section is obviously valid also for the scheme in [19].

C. APPLICABILITY TO THE SCHEMES IN
The KP-ABE scheme in [16] is actually a generalization of the scheme in [19] where the life of the system is divided in periods and the keys for users are updated in each period i, according to some values t i chosen by the master authority. There is also an additional factor H (U ID ) in the computation of the values D i in the secret keys, where H : {0, 1} → Z p is a hash function. It is very easy to see that both the attack in [17] and our attack in the previous section are also valid for the scheme in [16].

IV. ATTACK AGAINST THE CP-ABE SCHEME [11], IN THE RSA SETTING
Up to our knowledge, the first published ABE scheme working in the RSA setting was that in [9], which was shown to be insecure in [7]. Recently, authors of the article [11] propose a modification of the (insecure) scheme in [9] and claim that it is secure. The security analysis, however, is just a discussion on why the attack proposed in [7] is not directly applicable to the new scheme. There is no formal security proof at all, and in fact we will show that the modified scheme is clearly insecure: essentially the same attack described in [7] against [9] also works for the modified scheme of [11].
A. DESCRIPTION OF THE CP-ABE SCHEME IN [11] The RSA framework consists of a an integer N = pq, product of two big prime numbers. Any integer g satisfying gcd(g, N ) = 1 enjoys the property g φ(N ) . Factoring N is a very hard problem; this implies that computing φ(N ) from N is also very hard.
The CP-ABE schemes in [9], [11] support AND decryption policies (|P|,P) , defined on the total universe U = {at 1 , . . . , at n } of attributes. They use the following notation: any subset A ⊂ U will be represented by an n-bit string a 1 a 2 . . . a n , where a i = 1 if at i ∈ A, and a i = 0 if at i / ∈ A. For example, if n = 4 and A = {at 1 , at 4 }, then the bit string corresponding to A is 1001.
With this notation, an AND decryption policy (|P|,P) may be represented by the bit string b 1 b 2 . . . b n corresponding to subset P. If A is a subset of attributes (held by a user), with bit string a 1 a 2 . . . a n , the condition that must be satisfied in order for that user to decrypt, A ∩ P ∈ (|P|,P) , which is equivalent to P ⊂ A, becomes a i ≥ b i , ∀i = 1, . . . , n.
We describe now the relevant parts of some protocols of the scheme in [11], i.e., those necessary to understand our attack.
Setup(1 λ , U, F AND ). The setup algorithm starts by choosing two prime numbers p, q such that N = pq is λ bits long, along with a random element g satisfying gcd(g, N ) = 1. Then, if U = {at 1 , . . . , at n } contains n attributes, one considers an additional attribute at n+1 which is 1 for every user and is 0 for every policy. The algorithm chooses n+1 (prime) numbers p 1 , . . . , p n , p n+1 with gcd(p i , φ(N )) = 1, and computes their inverses modulo φ(N ), that is q i = p −1 i mod φ(N ), for i = 1, . . . , n, n + 1.
KeyGen(A, msk, pms). The key generation algorithm takes as input a subset of attributes A ⊂ U, the master secret key msk and the public parameters pms.
The value d A = at i ∈A q i is computed; remember that at n+1 ∈ A for all subsets of attributes corresponding to users of the system. The secret value for this subset A of attributes is a random pair sk A = (k 1 , k 2 ) satisfying the condition k · k 1 + x · k 2 = d A mod φ(N ) (a possible way to generate such a pair of integers is decribed in [9], [11]). Encrypt(P, m, pms). The encryption algorithm takes as input an AND policy, defined by a subset of attributes P ⊂ U, a plaintext m and the public parameters pms. The encryption consists of a one-time pad of m using the session key derived from the value K m = g r m where r m is a random value chosen by the sender. This one-time pad is combined with the standard techniques (using hash functions) to achieve chosen-ciphertext security. The ciphertext contains additional elements Y m = Y r m and R m = R r m , but the security of the encryption, in principle, is due to the fact that only users with a secret key sk A satisfying P ⊂ A will be able to compute the value K m from pms, Y m , R m and sk A .
Indeed, if sk A = (k 1 , k 2 ) satisfies k · k 1 + x · k 2 = d A mod φ(N ), then the user can compute the integer α = at i ∈A−P p i from pms (here is where we need p n+1 to be public, because this factor p n+1 always appears in α) and then compute The bad news are that this is not the only way to compute K m , as we will show in the next section: an adversary can combine secret keys for some subsets of attributes that do not contain P and still compute K m . Therefore, the scheme is insecure because an adversary controlling users who, individually, do not satisfy policy P is able to decrypt a ciphertext addressed to policy P.

B. THE ATTACK
Consider the case with n = 2 attributes in total, U = {at 1 , at 2 }. The public parameters contain, in particular, values p 1 , p 2 , p 3 . We will consider a ciphertext computed for the policy P = U = {at 1 , at 2 }, and will show that an adversary who requests a secret key for subsets B 1 = {at 1 } and B 2 = {at 2 } is able to decrypt the ciphertext.
The ciphertexts contains elements Y m = Y r m = g xr m and R m = R r m = g kr m , and the inherent one-time secret key for one-time pad is K m = g r m q 1 q 2 .
As a result of the secret key query for subset B 1 , the adversary gets sk B 1 = (k (1) 2 ) such that k · k (1) As a result of the secret key query for subset B 2 , the adversary gets sk B 2 = (k (2) 1 , k 2 ) such that k · k

Now the attacker can compute the two values
The attacker proceeds by raising these two values to the (public) element p 3 , which is the inverse of q 3 modulo φ(N ). Therefore, the attacker obtains the two values Note that these values satisfy the equalityT Since (p 1 , p 2 ) are prime numbers, they are co-prime, and by Bezout's identity, one can compute integer values a 1 , a 2 such that a 1 p 1 + a 2 p 2 = 1. Now we can writẽ Therefore, the value K :=T a 1 2 ·T a 2 1 satisfies K p 2 =T 1 . Raising this last equality to q 2 , we get K =T Summing up, the adversary can compute the one-time key K m = K =T a 1 2 ·T a 2 1 and so decrypt the ciphertext.

V. BRIEF DISCUSSION ON THE SCHEMES IN [3], [10]
The scheme in [10] is presented as being a threshold-based ABE scheme, but it is actually a (strange) realization of the concept of fuzzy-identity based encryption [14]. In fuzzy IBE, there is a fixed threshold t, secret keys are associated to a subset of attributes W , ciphertexts are associated to a subset of attributes W , and decryption is allowed whenever W ∩W ≥ t. But the scheme in [10] is not exactly a fuzzy-IBE scheme either, because the scheme requires W ∩ W ≥ t in order to give a secret key to a user with subset of attributes W . In other words, the scheme provides keys only to users who are authorized to decrypt with respect to a fixed subset W . Note that, with this restriction, phases 1 and 2 in the security game described in Section 2.2 of [10] make no sense, because all such queries would be answered with the ⊥ symbol, according to the structure of their Key Generation protocol (in Section 2.1). Summing up, the description of the scheme in [10] is very strange and may have no application at all in real systems. In any case, if the scheme was modified to be a real fuzzy-IBE scheme, in the classical pairing-free discrete logarithm setting, our claim is that the scheme would be insecure, because fuzzy-IBE is a generalization of IBE (which is obtained when t = 1) and because secure generic constructions of IBE from the Diffie-Hellman assumption are impossible [13].
Regarding the scheme in [3], it is again a non-standard CP-ABE, because the participation of the master authority is required to decrypt any single ciphertext. Their idea is that the master entity, instead of giving the secret keys to the users, stores all these secret keys, and later in the decryption phase uses the stored keys to do part of the decryption. Here we also claim that the applicability of such a scheme in real-life systems seems really poor. If one modifies their scheme so that the secret keys SK i,GID = k i + H (GID)x are sent to the users, then the resulting (and now standard) CP-ABE scheme is clearly insecure: an adversary can make two queries for different users GID 1 and GID 2 , both of them with a single attribute {at 1 }. With a simple system of two equations and two unknowns, the adversary can recover the secret values k 1 and x from the received values SK 1,GID 1 and SK 1,GID 2 . After that, the adversary can make queries for arbitrary users GID with a single attribute {at i }, and will obtain k i from the received value SK i,GID , for i = 2, 3, . . . , n. That is, the adversary can obtain all the secret values of the master entity, namelly x, k 1 , . . . , k n , with n + 1 secret key queries.

VI. CONCLUSION
Attribute-based cryptography is a very attractive concept, due to its potencial applications in real-life systems (access control, the Internet of Things. . . ). Thus, researchers try to find efficient, secure and (if possible) simple constructions of attribute-based constructions. In particular, some researchers have tried to design (simple and efficient) attribute-based encryption schemes that work in the (classical) discrete logarithm or RSA based settings. Unfortunately, simple and secure constructions in these settings are not possible even for the easier task of identity-based encryption [2], [13]. Therefore, the attribute-based encryption schemes proposed in these classical settings which are simple or efficient must be insecure, because otherwise they could be used to construct secure identity-based schemes [7].
This message is (or should be) well known by the cryptographic literature, at least from 2017. But articles proposing new candidates are still being submitted and published in prestigious journals, maybe circumventing a rigurous review process by cryptographic experts. The purpose of this article is to clarify this message to the widest possible audience; to illustrate and emphasize the message, we show explicit attacks against some attribute-based encryption schemes proposed in the last years.