Improving the Leakage Rate of Ciphertext-Policy Attribute-Based Encryption for Cloud Computing

Abstract. © 2013 IEEE. A Leakage-Resilient Ciphertext-Policy Attribute-based Encryption (LR-CP-ABE) scheme not only supports fine-grained access control to encrypted data but also guarantees the security of the data under side-channel attacks. However, the leakage rate in the existing schemes is low or depends on the number of attributes, which leaves these schemes open to continual attacks. In addition, almost none of them consider the leakage of users' privacy, and they rely on composite-order groups, which threatens the privacy of users and discourages adoption in practice. In this paper, we aim at solving the above problems and propose a scheme with an improved leakage rate in a prime-order group. In the proposed scheme, an extension of the lattice-based trapdoor is used to achieve the maximum leakage rate 1 − o(1). Moreover, it achieves anonymity, which protects the privacy of the receivers. The proposed scheme can be reduced to a standard assumption, the Decision Linear (DLIN) assumption, in the selective security model and resists chosen-plaintext attacks (CPA security). Finally, performance comparisons are given to confirm the efficiency and security of the proposed scheme.


I. INTRODUCTION
Cloud computing [1]-[4] is favored by users and enterprises for its high speed, flexibility, low investment and reliable service. However, its dynamics and openness also lead to security problems, such as data security and privacy protection. Data leakage incidents have occurred frequently in recent years. For example, on March 18, 2018, it was revealed that during the 2016 presidential election, a company called Cambridge Analytica illegally used the personal data of 50 million users obtained from Facebook to create archives. Later, Facebook found that up to 87 million people's information had been improperly shared by the company. And on May 20, 2019, TechCrunch reported that a database of Facebook's photo-sharing website Instagram was leaked on the Internet; it contained private information such as phone numbers and email addresses of nearly 50 million users, including some stars and internet celebrities. Such leakage incidents are fatal.
The associate editor coordinating the review of this manuscript and approving it for publication was Petros Nicopolitidis .
In dealing with data leakage and leakage of users' private information, public key cryptography has occupied a decisive position in information security systems. However, the general constructions from a Public Key Infrastructure (PKI) or an Identity-based Encryption (IBE) [5] are often not realistic or secure in practice. One reason is their one-to-one design principle. A more complex system called Attribute-based Encryption (ABE) [6] came into being in 2005 as a one-to-many encryption mechanism. It not only ensures data security but also supports expressive access control policies, because attributes act as public keys and are associated with ciphertexts and users' secret keys. ABE is mainly classified into two categories: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE) [7]. The other reason comes from side-channel attacks, where adversaries can obtain limited additional information about secret keys and other internal states. This leaked information may make existing schemes easy to break. Naturally, the Leakage-Resilient Encryption mechanism was introduced, which ensures the security of a scheme under key leakage attacks. To describe the amount of leakage bits that adversaries can learn under these attacks, various leakage models have been designed, such as the Only Computation Leakage (OCL) model and the Continuous Memory Leakage (CML) model. The details of the various models are shown in Table 1. Now the Leakage-Resilient (LR) cryptosystem, especially LR-ABE, has become a research hotspot. LR-ABE schemes give stronger security guarantees to shared data than general constructions, but most of them rarely pay attention to protecting the privacy of recipients from access policies.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
After an encryptor uploads the specified access policy to the cloud platform along with the encrypted data, adversaries can obtain the attribute information contained in the access policy directly or through a DDH test, thus obtaining sensitive information about the receivers, which poses a great threat to the privacy of the users. For the purpose of better protecting users' privacy and data security, the concept of Anonymous ABE (ANON-ABE) was introduced in [8], [9]. In ANON-ABE, adversaries cannot learn meaningful information about the attributes embedded in an access policy through testing or other means.

A. RELATED WORKS
1) LEAKAGE-RESILIENT CRYPTOGRAPHY
Akavia et al. [10] first presented the BML model and defined an attack model called ''memory attack'' that solved the problem of [11], where they considered the number of leaked bits that the trapdoor one-way function outputs. Subsequently, Naor and Segev [12] constructed a Leakage-Resilient Public Key Encryption (LR-PKE) scheme by utilizing a Hash Proof System (HPS) that did not rely on other complexity assumptions and was as efficient as the underlying scheme. They also built two complementary schemes based on the Decisional Diffie-Hellman (DDH) and K-Linear assumptions whose number of leaked bits could approach the bit length of the private keys. Moreover, they constructed two LR-PKE schemes derived from the Cramer-Shoup cryptosystem [13]; the corresponding leakage rates are 1/4 and 1/6 respectively.
In [14], Alwen et al. showed the details of LR-PKE/IBE schemes under the Bounded Retrieval Leakage (BRL) model. Additionally, a novel concept of IB-HPS was proposed, and they showed that an LR-IBE scheme can be derived from their IB-HPS. Afterwards, Chow et al. [15] introduced Leakage-Resilient IBE (LR-IBE) systems under static assumptions in the standard model. Their proposals were derived by applying the hash proof technique to the IBE schemes of Boneh-Boyen, Waters and Lewko-Waters, and their three schemes achieve leakage rates of 1/3, 1/3 and 1/9 respectively in the CPA security model. Lewko et al. [16] provided IBE, ABE and Hierarchical IBE (HIBE) schemes under the Continual Memory Leakage (CML) model described in [17] and [18]. All of their constructions achieve leakage resilience on the master secret keys and private keys simultaneously.
In 2013, a new LR-PKE scheme was put forward by Liu et al. [19] to solve the shortcoming of [20] that the leakage parameter λ is linearly correlated with the plaintext length l_m. Specifically, the relationship between λ and l_m in [20] is λ + l_m ≤ log p − ω(log κ), while the number of leaked bits is λ ≤ log p − ω(log κ) in the scheme of [19], where κ represents the security parameter and p is a large prime denoting the order of the underlying group. Then Zhang et al. [21] put forward two schemes which tolerate continual leakage in the standard model. Both constructions, LR-CP-ABE and LR-KP-ABE, achieve fast decryption, and the cost of decryption is independent of the depth of the access structure. In 2017, improved LR-CP-ABE and LR-KP-ABE schemes were introduced by Zhang et al. [22] by applying an HPS to ABE, and they were proved to be adaptively secure. In addition, these two schemes overcome the shortcoming of most schemes that the leakage rate is not only related to the size of the underlying group but also depends on the leakage parameter ñ. To protect the privacy of the receivers, anonymous LR-ABE was considered in the design of [23]. The recent works of Li et al. [24], [25] still do not give an ideal leakage rate, since the best rate among them is 1/3 when the depth of the hierarchy is 1.

2) ANONYMOUS ABE
Kapadia et al. [8] defined ANON-ABE for the first time, with the following four characteristics: (1) data sharing between the data owner and multiple recipients is realized through a semi-trusted server, which avoids a direct connection between sender and receiver; (2) the plaintext messages and access policies are hidden; (3) no recipient can learn the information in the access policies; (4) non-monotonic boolean access policies are supported. Subsequently, Yu et al. [9] designed a scheme whose security could be reduced to the Symmetric External Diffie-Hellman (SXDH) assumption, in which anonymity was achieved by hiding the access policy. Then two anonymous schemes were given in [26], but both are based on inflexible AND gates and only achieve partially hidden policies. Reference [27] solved the problem of illegal key sharing among users, supporting user accountability by embedding additional information specified by users. However, in these schemes users must compute again and again to test whether they are legitimate users specified by the encryptor, which greatly increases the cost of decryption. So Zhang et al. [28] proposed a scheme with a decryption test in 2013, namely, adding a cheap matching operation before the decryption phase. Reference [29] proposed an anonymous scheme based on a prime-order group. In 2016, [30] extended ANON-CP-ABE to the electronic medical record system to protect users' privacy, with a more expressive access structure. In 2017, the idea of Hidden Vector Encryption (HVE) was used in [31] to detect whether the attributes met the requirements for legal decryption, where the decryption computation was performed by the cloud server. Additionally, the obvious difference between this solution and the previous ones was that the list of coefficients {ω_x} was embedded into the ciphertexts without evaluation.
Reference [32] proposed an ANON-CP-ABE scheme that supports fast decryption for Personal Health Records (PHR). The core technique of [29], [30], [32] is to disclose the index of attribute names while the attribute values are embedded into the access structures, so these schemes can only partially hide the access policies.

B. OUR CONTRIBUTIONS
Following the above trend, we aim to solve the problems of low leakage rate and recipient anonymity in the existing LR-ABE schemes and propose an LR-CP-ABE scheme. The detailed contributions are as follows.

1) Higher leakage rate
Technically, the proposed scheme is based on the Bounded Memory Leakage (BML) model (or Relative Leakage model), in which arbitrary information about the private keys can be obtained, subject to the restriction that the total number of leaked bits cannot exceed λ. From the viewpoint of the security reduction, we are motivated by the LWE-based IBE [33] and its extensions [34], [35]. Randomly select matrices A_0, A_1 ∈_R Z_p^{2×l} and set the master secret keys as msk = (A_0, A_1). The system public parameters pp are then set up, and they differ from those of the LWE-based constructions. In addition, the private keys and ciphertexts are set accordingly, where i ∈ I and v(·) denotes an attribute value. These differences make the proposed LR-CP-ABE realize the maximum leakage rate 1 − o(1) based on the DLIN assumption. Table 2 shows some comparisons with others.

2) Recipient-anonymity
Anonymous encryption is an effective method to protect the privacy of the recipient. It requires that adversaries cannot obtain information about the private keys from the ciphertexts even when they possess the public keys. In most LR-ABE schemes, sensitive information about the attributes in access policies can be captured by a DDH test once the adversary obtains the ciphertexts, which leads to the disclosure of the user's privacy. To address this dilemma, we consider the implementation of anonymity in the proposed scheme.

3) High efficiency on prime-order groups
According to recent articles, a pairing computation on prime-order groups is faster than on composite-order ones: ''a Tate pairing on a 1024-bit composite-order elliptic curve is roughly 50 times slower than the same pairing on a comparable prime-order curve''. In addition, the decryption cost of schemes over prime-order groups is lower than that over composite-order ones. The proposed scheme is based on prime-order groups and is therefore more efficient than the available ones (refer to Table 5).

C. ORGANIZATION
The remainder of the paper is organized as follows. The second part describes some preliminaries, such as basic notations, LSSS and the DLIN assumption. The definitions and security model of CP-ABE under the BML model are elaborated in the third part. The fourth part provides the specific constructions and security proofs. The detailed analyses are presented in the fifth section. The conclusion is given at last.

II. PRELIMINARIES
A. NOTATIONS
In order to facilitate understanding the specific meaning of symbols, a summary is given in Table 3.

B. LINEAR SECRET SHARING SCHEME (LSSS)
The specific meaning of linearity in a linear secret sharing scheme over an attribute set S is explained as follows:
• Secret sharing: Ǎ is an l × n matrix, also called the share-generating matrix. The i-th row of Ǎ is associated with an attribute value ρ(i) for i ∈ [l] by a function ρ. Select a random vector ω = (s, ω_2, ..., ω_n)^T ∈ Z_p^n, where s is the secret that the data owner wants to share; the l shares of the secret s are Ǎω, and (Ǎω)_i ∈ Z_p is the share for attribute value ρ(i).
• Secret reconstruction: C represents any authorized set, and I is defined as the corresponding set of row indices.

The original Decision Linear assumption says that, given g_1^x and g_2^y, it is difficult to distinguish g^{x+y} from a random element of G_T, in which x, y ∈_R Z_p and g_1, g_2, g ∈_R G. For our purpose, the assumption described in [34] is converted to the following: given the matrix g^A, where A ∈ Z_p^{3×l} has rank 2 or 3 and the number of columns satisfies l̃ ≥ 3, it is hard to decide the rank of A. That is to say, under the DLIN assumption, the advantage in deciding the rank is negligible.

A family H = {h : X → Y} of hash functions is called universal if, for all distinct x, x' ∈ X, Pr_h[h(x) = h(x')] ≤ 1/|Y|.

Lemma 1 (Generalized Leftover Hash Lemma [33]): Let H = {h : X → Y} be a family of universal hash functions and f : X → Z a family of leakage functions. The statistical distance between h(T) and a uniform value, given h and f(T), is bounded by the inequality of [33]; that is, if the right-hand side of the inequality is negligible, h(T) is still random even if h and f(T) are given.

Lemma 2 (Leakage-Resilient Random Subspaces [17]): As long as |Z| ≤ q^{(l−3)/2} is satisfied, the conclusion of [17] holds.
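Added example, not the paper's code: sharing and reconstruction for an LSSS over Z_p as defined above, with the share-generating matrix built from a boolean policy by the standard Lewko-Waters conversion (assumed here, not given on the page). Reconstruction uses the standard rule: for the rows I of an authorized set, find constants c_i with Σ c_i Ǎ_i = (1, 0, ..., 0), so that Σ c_i (Ǎω)_i = s; the prime p, the policy and the secret are constructed values.

```python
import random

P = 1_000_003  # constructed prime for the demonstration; the paper's p is a ~170-bit prime

def solve_linear(M, b, p):
    """Return one solution x of M x = b over Z_p (M is m x n), or None if inconsistent."""
    m, n = len(M), len(M[0])
    aug = [[M[i][j] % p for j in range(n)] + [b[i] % p] for i in range(m)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [(v * inv) % p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * q) % p for a, q in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):  # a row "0 ... 0 | nonzero" remains: inconsistent
        return None
    x = [0] * n  # free variables are set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x

def lsss_from_policy(policy):
    """Lewko-Waters conversion of a boolean formula, written as nested ("AND"|"OR", left, right)
    tuples with attribute-name leaves, into the share-generating matrix A and the labels rho."""
    rows, names, counter = [], [], [1]

    def walk(node, vec):
        if isinstance(node, str):           # leaf: this row is labelled by attribute rho(i)
            rows.append(vec); names.append(node)
            return
        op, left, right = node
        if op == "OR":                      # both children inherit the parent's vector
            walk(left, vec); walk(right, vec)
        else:                               # AND: children get (vec|1) and (0,...,0|-1)
            counter[0] += 1
            c = counter[0]
            walk(left, vec + [0] * (c - 1 - len(vec)) + [1])
            walk(right, [0] * (c - 1) + [-1])

    walk(policy, [1])
    n = counter[0]
    return [r + [0] * (n - len(r)) for r in rows], names

def share(A, s, p):
    """Shares A*omega with omega = (s, w2, ..., wn)^T random; share i belongs to rho(i)."""
    omega = [s % p] + [random.randrange(p) for _ in range(len(A[0]) - 1)]
    return [sum(a * w for a, w in zip(row, omega)) % p for row in A]

def reconstruct(A, shares, rows, p):
    """Recover s from the shares of `rows`: find c with sum_i c_i A_i = (1,0,...,0) and
    output sum_i c_i * share_i. Returns None when `rows` is not an authorized set."""
    n = len(A[0])
    Mt = [[A[i][j] for i in rows] for j in range(n)]   # transpose of the selected rows
    coeff = solve_linear(Mt, [1] + [0] * (n - 1), p)
    if coeff is None:
        return None
    return sum(ci * shares[i] for ci, i in zip(coeff, rows)) % p

def recover(attrs, A, rho, shares, p):
    """Reconstruct using only the shares whose attribute value lies in the user's set."""
    return reconstruct(A, shares, [i for i, name in enumerate(rho) if name in attrs], p)

# Constructed policy: (Doctor AND Cardiology) OR Admin
POLICY = ("OR", ("AND", "Doctor", "Cardiology"), "Admin")

if __name__ == "__main__":
    A, rho = lsss_from_policy(POLICY)
    shares = share(A, 424242, P)
    print(A, rho)                                               # [[1, 1], [0, -1], [1, 0]]
    print(recover({"Doctor", "Cardiology"}, A, rho, shares, P))  # 424242
    print(recover({"Doctor"}, A, rho, shares, P))                # None
```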

D. DEFINITIONS AND SECURITY MODEL FOR LR-CP-ABE UNDER THE BML MODEL
A CP-ABE scheme that is resilient to bounded memory leakage attacks consists of four algorithms (Setup, KeyGen, Encryption, Decryption). The Setup algorithm takes a security parameter κ and a description of the attribute universe U as input and outputs the system public parameters pp and master secret keys msk; pp is a common input of all four algorithms. The KeyGen algorithm takes msk and an attribute value v_{i,x_i} ∈ S as input and outputs a secret key sk_{v_{i,x_i}}. The Encryption algorithm takes a message m and an access structure (Ǎ, ρ) over the attribute universe as input and outputs the ciphertexts CT. We assume that (Ǎ, ρ) is given, where I_i is the attribute name of ρ(i). The Decryption algorithm takes the ciphertexts CT and the private keys sk_{v_{i,x_i}} for v_{i,x_i} ∈ S as input and outputs a message m, provided that the attribute set S corresponding to the private keys sk_S satisfies the access structure (Ǎ, ρ) embedded in CT.
Next, a CP-ABE scheme with LR-IND-sAP-CPA security and a scheme with ANON-LR-IND-sAP-CPA security can be modeled as the following two games, each played between an adversary A and a challenger C. The games are described as follows.
Definition 2 (LR-IND-sAP-CPA Security): A CP-ABE scheme is LR-IND-sAP-CPA secure with leakage rate ρ_m if A has only a negligible advantage in the following game.
• Initialize: A sends the challenge access policy (A*, ρ*) to C. Then (pp, msk) are generated by C running Setup, and pp is sent to A.
• Phase 1: A adaptively performs the following queries, namely KeyGen queries and leakage queries, where f is a leakage function family.
• Phase 2: A asks C some additional KeyGen queries. Then C answers in the same manner as above.
• Guess: A finally outputs a guess b' of b. If b' = b, A is successful.

Definition 3 (ANON-LR-IND-sAP-CPA Security):
A CP-ABE scheme is ANON-IND-sAP-CPA secure with leakage rate ρ_m if A has only negligible advantage in the following game.
• Phase 1: The following queries are performed adaptively by A, namely KeyGen queries and leakage queries.
• Challenge: Two messages m_0, m_1 of the same length selected by A are transmitted to C; C then sends back the challenge ciphertexts and afterwards answers further queries in the same manner as above.
• Guess: Eventually, A outputs a guess b' of b. A succeeds if b' = b.
The advantage of A in each of the above two games is defined as |Pr[b' = b] − 1/2|.

III. CONCRETE CONSTRUCTIONS
The LR-CP-ABE consists of four algorithms: Setup, KeyGen, Encryption and Decryption. These algorithms are given as follows.
Setup: choose the per-attribute elements for each attribute value v_{i,j} ∈ {0, 1}*.
5: Keep the system master secret keys msk, where the matrices A_0, A_1 ∈_R Z_p^{2×l}.
6: Return the system public parameters pp.

1) TRAPDOOR
After receiving the challenge access policy (A*, ρ*), B generates the matrix A_1 instead of as above; suppose that the resulting matrix is the trapdoor used in the security proofs. A_1 is also random because it is generated as follows: choose a random matrix w ∈ Z_p^{l̃×1} and a random vector y ∈ Z_p^{l̃×1} such that the required relation holds. Obviously, it is not difficult to calculate g^y from B, g^{A_0} and g^D contained in the public parameters pp.
This meets the requirements because the stated relations hold. It can be seen from the above that v_{v_{i,x_i}} is correctly distributed with dimension 2l − 2. Furthermore, the dimension of w is l̃ and the freedom of the solution space of Eq. (2) is l̃ − 2, since A_0 B ∈ Z_p^{2×l}. Therefore, the set of the above v_{v_{i,x_i}} and the solution space of Eq. (1) are equal in practice, since l + (l − 2) = 2l − 2.
Theorem 1: The scheme is IND-sAP-CPA secure based on the DLIN assumption and is leakage-resilient with rate 1 − 3/(2l) − ζ/(l log p) for ζ bits of leakage. The overheads of private keys and ciphertexts are 2l|S| and 2l l̃ respectively.
Proof: Let Game 0 be the real attack game described in Definition 3, with some conceptual changes made to generate the public parameters: A_1 is set as in (3). As a result, D is also uniformly distributed, where v_{ρ*(i)} ∈_R Z_p^{2l×1}. Game 1 and Game 0 are similar except that the ciphertext component c*_i is randomly chosen. We then prove the theorem by the following three lemmas.
Lemma 3: Game 1 and Game 0 are indistinguishable under the DLIN assumption, ignoring leakage queries.
Proof: Suppose the ABE scheme can be broken by an adversary A; then there is a simulator B which uses g^A as input to tell whether the rank of A ∈ Z_p^{3×l} is 2 or 3. After A announces the challenge access structure (A*, ρ*), B sets the public parameters as follows: A_0 ∈_R Z_p^{2×l} consists of the first two rows of A, B and R_{v*_{i,x_i}} are randomly selected from Z_p^{l̃×l}, and A_1 is set as in (3). It is obvious that g^{A_1} can be computed from g^{A_0}. B also sets D as in (3), so that g^D can be calculated from the public values. In the challenge phase, A sends two messages m_0, m_1 (|m_0| = |m_1|) to B; in response, B randomly chooses b from {0, 1}, sets y as the third row of A, and returns the ciphertexts (e*, {c*_i}) as follows, where the matrix in the expression is labeled C to simplify the description. Finally, A outputs the guess b' of b. If b' = b, B decides that the rank of A is 2; otherwise, it guesses that the rank of A is 3. We can show that B simulates Game 0 if rank(A) = 2 and Game 1 if rank(A) = 3.
Suppose that rank(A) = 2. Then y and the first two rows of A are linearly dependent, that is, there exists z* ∈ Z_p^{1×2} such that y = z* A_0. Therefore (e*, {c*_i}_{i∈[l]}) are the ciphertext components of Game 0.
If rank(A) = 3, y is a random element in Z_p^{1×l}, independent of A_0 B. It is easy to see that for any selected d there is a unique R_{v*_{i,x_i}} that makes the equation true (the probability is negligible). That is to say, d is as random as R_{v*_{i,x_i}}, and the same holds for c*_i. As a result, under the DLIN problem, it is impossible to distinguish Game 0 from Game 1.
Lemma 4: The advantage of A against the ABE scheme is negligible under the DLIN assumption.
Proof: Let p_i represent the probability that A wins in Game i.
In Game 1, c_{ρ(i)} is a random element since c*_i is random, so that c_{ρ(i)} ∈ Z_p^{1×2l} and the two rows of F_{ρ(i)} are linearly independent with a non-negligible probability 1/p^{2l}. In other words, α is a random value even given c_{ρ(i)}, D and F_{ρ(i)}, because v_{ρ(i)} is random. So e* = ê(g, g)^{sα} m_b is random and |p_1 − 1/2| ≤ 1/p^{2l}. Hence, the advantage of A in attacking the ABE scheme is negligible under the DLIN assumption.
Now reconsider the indistinguishability of the two games with leakage queries. Because B in the DLIN assumption can generate v_{ρ(i)}, Game 0 and Game 1 are still indistinguishable even given f(v_{ρ(i)}). Moreover, c_{ρ(i)} in Game 1 is random over Z_p^{1×2l}. Set h_{c_{ρ(i)}}(r) = c_{ρ(i)} r, which maps r ∈ Z_p^{2l×1} to Z_p. The function h_{c_{ρ(i)}} is universal because Pr_{c_{ρ(i)}}[h_{c_{ρ(i)}}(r) = h_{c_{ρ(i)}}(r')] = 1/p for r ≠ r'. According to Lemma 1, the statistical distance of the above two distributions is at most 1/2 of the bound given there.
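Added example, not from the paper: the inner-product hash h_c(r) = c·r mod p used in the argument above (and in Lemma 1), brute-forced on a constructed tiny instance (p = 7, n = 2) to check universality (collision probability exactly 1/p) and the generalized leftover hash lemma in its standard form, SD ≤ (1/2)·sqrt(|Y|·|Z|/|X|) for uniform r ∈ X = Z_p^n, Y = Z_p and leakage range Z. The leakage function (one parity bit of r) is an assumption chosen for the demonstration.

```python
from fractions import Fraction
from itertools import product
from math import sqrt

def inner_hash(c, r, p):
    """h_c(r) = <c, r> mod p; the key c plays the role of c_rho(i) in the paper."""
    return sum(ci * ri for ci, ri in zip(c, r)) % p

def collision_prob(r1, r2, p):
    """Pr over a uniform key c of h_c(r1) == h_c(r2); universality means exactly 1/p for r1 != r2."""
    keys = list(product(range(p), repeat=len(r1)))
    hits = sum(inner_hash(c, r1, p) == inner_hash(c, r2, p) for c in keys)
    return Fraction(hits, len(keys))

def leakage_sd(p, n, leak):
    """Exact statistical distance between (c, leak(r), h_c(r)) and (c, leak(r), U) for uniform
    c, r in Z_p^n and U uniform in Z_p: how far h_c(r) is from random given the leakage leak(r)."""
    keys = vals = list(product(range(p), repeat=n))
    w = Fraction(1, len(keys) * len(vals))            # weight of one (c, r) pair
    real, marg = {}, {}
    for c in keys:
        for r in vals:
            z = leak(r)
            k = (c, z, inner_hash(c, r, p))
            real[k] = real.get(k, 0) + w               # real joint distribution
            marg[(c, z)] = marg.get((c, z), 0) + w     # marginal of (key, leakage)
    # ideal distribution: same (c, z) marginal, last coordinate uniform over Z_p
    ideal = {(c, z, y): pr / p for (c, z), pr in marg.items() for y in range(p)}
    return sum(abs(real.get(k, 0) - ideal.get(k, 0)) for k in set(real) | set(ideal)) / 2

def glhl_bound(p, n, leak_range):
    """Generalized leftover hash lemma bound with |X| = p^n, |Y| = p and |Z| = leak_range."""
    return 0.5 * sqrt(p * leak_range / p ** n)

if __name__ == "__main__":
    P, N = 7, 2                                        # constructed tiny instance
    print(collision_prob((1, 2), (3, 4), P))           # 1/7
    sd = leakage_sd(P, N, lambda r: r[0] % 2)          # leak one bit: parity of r[0]
    print(float(sd), "<=", glhl_bound(P, N, 2))
```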

2) ANONYMITY OF THE SELECTIVELY SECURE ABE
Theorem 2: The ABE scheme mentioned above is ANON-IND-sAP-CPA secure under the DLIN assumption.
Proof: The proof is similar to that of Theorem 1; its specific description is as follows. Let Game 0 be the real attack game as given in Definition 3. Game 1 is identical to Game 0 except that c*_i in the challenge ciphertexts is a random value. Game 2 is the same as Game 1 except that e* in the challenge ciphertexts is random. So the challenge ciphertexts of Game 2 become random under the DLIN assumption, realizing ANON-IND-sAP-CPA security. The concrete proof is given by the next two lemmas.
Lemma 6: Game 0 and Game 1 are indistinguishable under the DLIN assumption.
Proof: B is similar to that of Theorem 1 except for the changed components, and as before v ∈_R Z_p^{2l×1}. After receiving the query from A, B answers based on the following equation. Since it is unchanged, B is identical with that of Theorem 2. Therefore, it will not be described here.
Lemma 7: Game 1 and Game 2 are information-theoretically indistinguishable.
Proof: From the proof of Theorem 1, we know that e* = ê(g, g)^{sα} m_b. To simplify the explanation, let DEPEND denote the event that the matrix in Z_p^{3×2l} has rank 2; this means there is û ∈ Z_p such that c_{ρ_b(i)} = û F(ρ_b(i))_{k̃}, where F(ρ_b(i))_{k̃} denotes the k̃-th row of F(ρ*_b(i)). Because c_{ρ_b(i)} ∈ Z_p^{1×2l} in Game 1 and Game 2 is random, Lemma 7 is proved, since Game 1 and Game 2 can be distinguished only when DEPEND occurs.

IV. ANALYSES
A. PERFORMANCE ANALYSES
In this section, analyses of efficiency are given in Tables 4 and 5.
Let the order of G and G_T in schemes [16], [21], [22], [24], [25] be N = ∏_{i=1}^{3} p_i, where the p_i (i ∈ {1, 2, 3}) are large primes of d_i (d_i = c_i κ) bits, and c, c_i (i = 1, 2, 3) are arbitrary positive constants. ñ denotes the leakage parameter. ε is a constant satisfying 0 < ε < 1. m̃ denotes the number of minimal sets. The number of elements in the attribute vectors is denoted by k. Comparing our scheme with schemes [16], [21]-[25] in terms of the lengths of private keys and ciphertexts and the time of key generation, encryption and decryption in Tables 4 and 5, one finds that our scheme has an advantage in private key length and ciphertext length over the others. In addition, our scheme has a lower decryption cost. From the analyses above, our scheme is more practical than the rest of the table.

B. EXPERIMENTS ANALYSES
We analyze the experimental results using the PBC library. The experiment runs on a 64-bit PC with an Intel Core i5-6300 CPU (2.4 GHz) and 8 GB of RAM. To achieve better leakage resilience, we set N in schemes [16], [21], [22], [25] to a 1024-bit number and the order p of the proposed scheme to a 170-bit number. To balance efficiency and leakage rate, we set ñ = 5 and l̃ = 3 respectively, and set l = 2 in the simulation of the private key length.

V. CONCLUSIONS
As an important encryption primitive, CP-ABE has attracted much attention in the setting of key leakage attacks. However, the leakage rate of most existing schemes is low and dependent on the number of attributes, and designing a scheme with a high leakage rate remains a challenge. In this paper, we proposed a scheme with a leakage rate of about 1 − o(1) by using the trapdoor technique. The scheme is based on the DLIN assumption in the selective access policy model and achieves anonymity, which protects the privacy of users. In addition, our scheme is built in a group of prime order, which is more efficient than constructions over composite-order groups. How to design a more efficient scheme is left as future work.