Implementation of an Attribute-Based Encryption Scheme Based on SM9

Abstract

In recent years, attribute-based encryption (ABE) has been widely applied in mobile computing, cloud computing, and the Internet of things, for supporting flexible and fine-grained access control of sensitive data. In this paper, we present a novel attribute-based encryption scheme that is based on bilinear pairing over Barreto and Naehrig curves (BN-curves). The identity-based encryption scheme SM9, which is a Chinese commercial cryptographic standard and a forthcoming part of ISO/IEC11770-3, has been used as the fundamental building block, and thus we first introduce SM9 and present our SM9 implementation in details. Subsequently, we propose the design and implementation of the ABE scheme. Moreover, we also develop a hybrid ABE for achieving lower ciphertext expansion rate when the size of access structure or plaintext is large. The performance and energy consumption of the implementation of the proposed ABE and its hybrid version are evaluated with a workstation, a PC, a smart phone, and an embedded device. The experimental results indicated that our schemes work well on various computing platforms. Moreover, the proposed schemes and their implementations would benefit developers in building applications that fulfill the regulatory compliance with the Chinese commercial cryptographic standard since there is no existing ABE scheme compatible with any Chinese cryptographic standard.

1. Introduction

There is an increasing requirement for data sharing and processing in the distributed computing environment with fine-grained access control with the development of cloud computing, mobile computing, and the Internet of things. Public key encryption is a powerful approach towards protecting the confidentiality of sensitive data. However, there are two limitations as follows. Firstly, a public key cryptosystem relies on the public key infrastructure (PKI), which requires huge overhead on certificate management and verification. Secondly, the resource provider needs to encrypt data with the public key of each user in the receiving group and separately send the ciphertext to the corresponding user, which results in large processing overhead and bandwidth consumption.

Shamir presented the first identity-based cryptosystem [1] in 1984 to mitigate the first issue. Lately, Boneh and Franklin [2] proposed the most well-known identity-based encryption (IBE) scheme that was based on bilinear pairing, leading to a new development on identity-based cryptography. The main feature of identity-based cryptosystems is that they do not need certificates for public keys. The identity string of a user, such as the email address or phone number, can be used as the user’s public key.

To mitigate the second issue, Sahai and Waters [3] proposed a new category of encryption scheme, called attribute-based encryption (ABE), where the provider of the data can decide the access policy of the ciphertext, which implies that only the users who satisfy the specified attributes can decrypt the ciphertext. The resource providers only need to encrypt messages according to the decryptors’ attributes, without taking care of their identities and the number of qualified decryptors. This feature significantly reduces the overhead of data encryption and enables resource providers to formulate flexible and scalable access control policies to manage the sharing range of data. The first ABE scheme [3] only supports threshold access control strategies. The community further proposed key-policy ABE [4] and ciphertext-policy ABE to support more flexible access control strategies [5]. In recent years, a number of novel ABE schemes have been proposed with distinct security features [6,7,8,9]. Moreover, specialized ABE schemes for various application scenarios such as cloud computing [10,11,12], social networks [13], Internet of things (IoT) [14,15,16], blockchains [17,18], and mobile computing [19,20], have been proposed.

In this paper, we propose an ABE scheme utilizing SM9 IBE as a building block. SM9 is a cryptography standard that defines a set of identity-based cryptographic schemes, including signature, encryption, and key agreement. It originates from a Chinese cryptographic standard [21], and then its signature scheme has been adopted by the International Organization for Standardization as ISO/IEC 14888-3:2018 [22]. Currently, its encryption scheme and key agreement scheme have been formally reviewed as proposals for ISO/IEC 18033-5 [23] and ISO/IEC11770-3 [24], respectively.

There is no ABE scheme that is compatible with any Chinese cryptographic standard, as well as the forthcoming ISO standard. Therefore, the proposed ABE scheme is fully compatible with the Chinese standard and the forthcoming international standard to fulfill the regulatory compliance. The SM9 IBE is efficient and bandwidth-saving; for example, it performs better than the ISO/IEC 18033-5 [23] in terms of both computational efficiency and ciphertext size [25]. Our ABE scheme inherits such features of SM9 IBE. The scheme is implemented in Java, and experimental results on PCs, smart phones, and embedded devices indicated that our scheme performs well on typical platforms.

As a building block, the SM9 IBE scheme, which is based on bilinear pairings over the prime order elliptic curves that were proposed in [26] (i.e., BN-curves), has been implemented at first. It is worth noting that our implementation is not trivial, because this is the first Java implementation of SM9 to the best of our knowledge, and we have implemented the fundamental mathematical structures from scratch, since there is no appropriate Java library that can be utilized. We have not found any Java library that implements the R-Ate pairing [27] and the extension field specified by the SM9 standard simultaneously. For example, the most widely-used Java library for pairing-based cryptography, i.e., JPBC [28], supports neither the R-Ate pairing nor the demanded extension field. Therefore, we have implemented the R-Ate pairing over a BN-curve and the specified extension finite field, and then integrated them with the interfaces that were provided by the JPBC library to support SM9 IBE and the proposed ABE schemes.

Our contributions are briefly summarized, as follows: (i) we have proposed an ABE scheme based on the SM9 IBE scheme; (ii) we have implemented the ABE scheme as well as the SM9 IBE; and, (iii) we have presented a hybrid ABE scheme as an optimization. The proposed schemes and implementations would benefit developers in building applications that fulfill the regulatory compliance with the Chinese commercial cryptographic standard and the forthcoming ISO standard. Additionally, the ABE schemes have advantages, such as optimized ciphertext expansion rate and anonymity of receivers. The experimental results regarding performance and energy consumption indicate that the proposed scheme works well on various platforms, such as PCs, smart phones, and embedded devices.

The remainder of this paper is organized, as follows. Section 2 briefly introduces the preliminaries and the overview of the software architecture. Section 3 introduces the implementation of SM9 IBE scheme and the experimental results on performance and energy consumption. Section 4 presents an ABE scheme based on the SM9 IBE scheme, as well as the experimental results on performance and energy consumption. Section 5 presents an optimization of the ABE scheme, i.e., a hybrid ABE scheme. Section 6 concludes the paper.

2. Prerequisites and Overview

BN-curves [26] are pairing-friendly curves with prime order and the embedding degree k of 12, which present great efficiency and security in the pairing process. The equation of a BN-curve is

$$E:y^2=x^3+b,b\ne 0$$

(1)

The trace (of Frobenius) of the curve [29], the curve order, and the characteristic of F_q are parameterized as

$$\begin{array}{l}t=6x^2+1\\ n=36x^4-36x^3+18x^2-6x+1\\ p=36x^4-36x^3+24x^2-6x+1\end{array}$$

(2)

R-ate pairing [27] is a generalization of the Ate pairing. This pairing enables the loop length of Miller’s algorithm [30] to be shorter than that of the Ate pairing. This makes the computation of pairing more efficient.

Let π_q be the Frobenius endomorphism, and t be the trace (of Frobenius) of the curve. For input Q, P, the R-ate pairing algorithm on the BN-curves is shown in Algorithm 1.

$Algorithm1R_a(Q,P)$

$\begin{array}{l}\begin{array}{l}1s\leftarrow 6t+2,s\leftarrow {\displaystyle \sum _{i=0}^{L-1}{s}_i{2}^i},s_i\in \left\{-1,0,1\right\}\\ 2T\leftarrow Q,f\leftarrow 1\\ 3\mathrm{For}i=L-2\mathrm{to}0\mathrm{Do}\\ 4\hspace{1em}\hspace{1em}f\leftarrow f^2\cdot l_{T,T}\left(P\right);T\leftarrow 2T\\ 5\hspace{1em}\hspace{1em}\mathrm{IF}{s}_i=-1\\ 6\hspace{1em}\hspace{1em}\hspace{1em}f\leftarrow f\cdot l_{T,-Q}\left(P\right);T\leftarrow T-Q\\ 7\hspace{1em}\hspace{1em}\mathrm{ELSE}\mathrm{IF}{s}_i=1\\ 8\hspace{1em}\hspace{1em}\hspace{1em}f\leftarrow f\cdot l_{T,Q}\left(P\right);T\leftarrow T+Q\\ 9\mathrm{EndFor}\\ 10Q_1\leftarrow {\pi }_q(Q);Q_2\leftarrow {\pi }_{q^2}(Q)\\ 11f\leftarrow f\cdot l_{T,Q_1}\left(P\right);T\leftarrow T+Q_1\\ 12f\leftarrow f\cdot l_{T,-Q_2}\left(P\right);T\leftarrow T-Q_2\\ 13f\leftarrow f^{(p^{12}-1)/r}\\ 14\mathrm{output}f\end{array}\end{array}$

We have implemented the proposed ABE scheme and the SM9 IBE scheme in Java. The program can be easily deployed on a variety of platforms because of the strong portability of Java. The structure of the software is shown in Figure 1.

The package api, package util, package pairing and package field are the packages provided by the Java Pairing-based Cryptography Library (JPBC). The package api provides interfaces that are related to pairing operations, such as the finite field, elliptic curves, and the pairing functions. The package util provides support for mathematical operations and so on. Package pairing and package field are the specific implementations of the interfaces that are exposed in package api. We construct extension of the finite field and the particular elliptic curve specified by the SM9 standard in the package pairing. We have also implemented the R-Ate pairing in this package.

Sm9Util is a static class, and it contains all of the supporting functions, such as KDF and H2RF_i functions, which are detailed in Section 3.1. The supporting functions can be utilized by all other classes.

The KeyGeneratorCenter class is designed following the singleton pattern, where the system parameters are stored. Moreover, it generates the Sm9DecryptPrivateKey that corresponds to the user ID/attributes for decryption.

The Sm9Engine implements the SM9 hybrid encryption scheme. It contains three interfaces for users: initEncrypt, initDecrypt, and processBlock. The initEncrypt/initDecrypt function sets the ID/key for encryption/decryption. The processBlock function encrypts/decrypts the message after the initialization.

Sm9ABEEngine implements an ABE scheme supporting AND-gate-only access structure, which will be introduced in Section 4, being based on the Sm9Engine. The AND-gate-only access structure can be uniquely transformed to a user identity. The encryption and decryption processes of SM9 ABE include: (i) transforming the AND-gate-only access structure into a user Identity; and, (ii) invoking the functions that were provided by Sm9Engine.

Sm9IBBEABEEngine implements the ABE scheme that is presented in Section 4. Different from Sm9ABEEngine, Sm9IBBEABEEngine supports the generic access structure. A generic access structure, which is introduced in Section 4, is a generalization of the AND-gate-only access structure. The Sm9IBBEABEEngine has two functions: Encrypt and Decrypt. The input of the Encrypt function includes a generic access structure $A$ and the message that is to be encrypted. Users holding the private key corresponding to the attributes satisfying the access structure $A$ through the Decrypt function can only successfully decrypt the output of the Encrypt function.

Sm9ABEHybridEngine implements the hybrid ABE scheme that is proposed in Section 5, which optimizes the ciphertext size of the ABE scheme that is presented in Section 4.

3. Implementation and Evaluation of SM9 Identity-Based Encryption

3.1. Supporting Functions

Here, we describe the supporting functions that are used in the schemes, including the key derivation function, which works as KDF2 in ISO/IEC 18033-2 [31], the hash-to-range function in [25], and the block cipher and the system parameters.

3.1.1. Key Derivation Function KDF (H_v, Z, klen)

Given a hash function H_v with output bit length v, bit string Z, and an integer klen (that denotes the required bit length of the secret keys, where klen < (2³²−1) v). The output is a bit string K of length klen. The pseudocode for this function is given in Algorithm 2.

$Algorithm2KDF(H_v,Z,klen)$

$\begin{array}{l}\begin{array}{l}1ct\leftarrow 0x00000001\\ 2\mathrm{For}i=1\mathrm{to}\lceil klen/v\rceil \mathrm{Do}\\ 3\hspace{1em}\hspace{1em}H{a}_i\leftarrow H_v\left(Z\left|\right|ct\right)\\ 4\hspace{1em}\hspace{1em}ct\leftarrow ct+1\\ 5\mathrm{EndFor}\\ 6\mathrm{output}\mathrm{the}\mathrm{first}klen\mathrm{bits}\mathrm{of}H{a}_1\parallel H{a}_2\parallel \dots \parallel H{a}_{\lceil klen/v\rceil }\end{array}\end{array}$

3.1.2. Hash to Range Function H2RF_i (H_v, Z, n)

Given a hash function H_v with output bit length v, bit string Z, integer n, and integer index i. The output is an integer h_i. Algorithm 3 gives the pseudocode. The SM9 standard requires SM3 [32] to be used as the hash function.

$Algorithm3H2R{F}_i\left(H_v,Z,n\right)$

$\begin{array}{l}\begin{array}{l}1hlen\leftarrow \lceil 8\times \left(5\times \left({\log }_{2}n\right)\right)/32\rceil \\ 2Ha\leftarrow KDF\left(H_v,i\left|\right|Z,hlen\right)\\ 3\mathrm{output}{h}_i\leftarrow \left(Hamod\left(n-1\right)\right)+1\end{array}\end{array}$

3.1.3. Block Cipher

The block cipher includes the encryption algorithm Enc (K₁, m) and decryption algorithm Dec (K₁, c). Enc (K₁, m) encrypts plaintext m with key K₁ and its output is a ciphertext bit string c. Dec (K₁, c) decrypts ciphertext c using key K₁ and its output is either a plaintext bit string m or the message “error.” The bit length of the key K₁ is denoted by K₁_len. The SM9 standard requires SM4 [33] to be used as the block cipher.

3.2. Setup and Key Extraction

This section describes the algorithm that is used to set up the system and the extraction algorithm for the private decryption key.

3.2.1. Setup (1^k)

Given input k, the output of this algorithm is the master public key M_pk and master secret key M_sk. Algorithm 4 gives its pseudocode.

$Algorithm4Setup\left(1^k\right)$

$\begin{array}{l}\begin{array}{l}1\mathrm{Generate}\mathrm{three}\mathrm{groups}{G}_1,G_2\mathrm{and}{G}_T\mathrm{of}\mathrm{prime}\mathrm{order}r\\ 2\mathrm{Generate}\mathrm{a}\mathrm{bilinear}\mathrm{pairing}\mathrm{map}e:G_1\times G_2\to G_T\\ 3P_1\stackrel{\$}{\leftarrow }{G}_1\\ 4P_2\stackrel{\$}{\leftarrow }{G}_2\\ 5ke\stackrel{\$}{\leftarrow }{\mathbb{Z}}_r^{*}\\ 6P_{pub-e}\leftarrow [ke]P_1\\ 7g_e\leftarrow e\left(P_{pub-e},P_2\right)\\ 8\mathrm{Pick}\mathrm{a}\mathrm{cryptographyic}\mathrm{hash}\mathrm{function}{H}_v\\ 9 hi{d}_e\leftarrow 3\\ 10M_{pk}\leftarrow \left(\begin{array}{l}{G}_1,G_2,G_T,e,P_1,P_2,P_{pub-e},g_e,\\ H2R{F}_1(H_v,\cdot ,\cdot ),H2R{F}_2(H_v,\cdot ,\cdot ),hi{d}_e\end{array}\right)\\ 11M_{sk}\leftarrow (ke)\\ 12\mathrm{output}\left(M_{pk},M_{sk}\right)\end{array}\end{array}$

3.2.2. Private-Key-Extract (M_pk, M_sk, ID_A)

Given an identity string ID_A ∈ {0.1}^* of entity A, M_pk and M_sk, the operation outputs “error” if

$$ke+H2R{F}_1\left(H_v,I{D}_A\left|\right|hi{d}_e,r\right)modr=0$$

(3)

otherwise, it outputs decryption private key

$$D{E}_A=\left[\frac{ke}{ke+H2R{F}_1(H_v,I{D}_A\parallel hi{d}_e,r}\right]P_2$$

(4)

3.3. KEM-DEM Algorithms

The SM9 encryption is a hybrid encryption scheme [25] that is built from an identity-based key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM). The encryption and decryption schemes are described, as follows.

3.3.1. KEM-DEM-Encrypt (M_pk, ID_A, m)

Given an identity string ID_A, plain text m (of bit length mlen), and master public key M_pk, the operation runs, as shown in Algorithm 5.

$Algorithm5KEM-DEM-Encrypt\left(M_{pk},I{D}_A,m\right)$

$\begin{array}{l}\begin{array}{l}1h_1\leftarrow H2R{F}_1\left(H_v,I{D}_A\left|\right|hi{d}_e,r\right)\\ 2Q\leftarrow \left[h_1\right]P_1+P_{pub-e}\\ 3x\stackrel{\$}{\leftarrow }{\mathbb{Z}}_r^{*}\\ 4C_1\leftarrow \left[x\right]Q\\ 5t\leftarrow g_e^x\\ 6\mathrm{IF}\mathrm{DEM}\mathrm{is}\mathrm{Stream}\mathrm{cipher}\mathrm{based}\mathrm{on}\mathrm{KDF}\\ 7\hspace{1em}\hspace{1em}klen\leftarrow mlen+v\\ 8\hspace{1em}\hspace{1em}{K}_1\parallel K_2\leftarrow KDF(H_v,C_1\parallel t||I{D}_A,klen)\\ 9\hspace{1em}\hspace{1em}\mathrm{IF}{K}_1\mathrm{is}\mathrm{full}\mathrm{zero}\\ 10\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{go}\mathrm{to}\mathrm{line}3\\ 11\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 12\hspace{1em}\hspace{1em}\hspace{1em}{C}_2\leftarrow m\oplus K_1\\ 13\mathrm{ELSE}\mathrm{IF}\mathrm{DEM}\mathrm{is}\mathrm{Block}\mathrm{cipher}\mathrm{combined}\mathrm{with}\mathrm{KDF}\\ 14\hspace{1em}\hspace{1em}klen\leftarrow K_1\_len+v\\ 15\hspace{1em}\hspace{1em}{K}_1\parallel K_2\leftarrow KDF(H_v,C_1\parallel t||I{D}_A,klen)\\ 16\hspace{1em}\hspace{1em}\mathrm{IF}{K}_1\mathrm{is}\mathrm{full}\mathrm{zero}\\ 17\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{go}\mathrm{to}\mathrm{line}3\\ 18\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 19\hspace{1em}\hspace{1em}\hspace{1em}{C}_2\leftarrow Enc\left(K_1,m\right)\\ 20C_3\leftarrow H_v\left(C_2\left|\right|K_2\right)\\ 21\mathrm{output}\left(C_1,C_2,C_3\right)\end{array}\end{array}$

The encryption algorithm is a combination of KEM and DEM. It first generates and encapsulates a random key, and then uses that key to encrypt the message while using different types of DEM. Finally, a message authentication code is created to ensure the integrity and authenticity of the ciphertext. The encapsulated key, encrypted message, and authentication code make up the ciphertext. Figure 2 shows the flow chart of the encryption algorithm.

3.3.2. KEM-DEM-Decrypt (M_pk, ID_A, DE_A, (C₁, C₂, C₃))

Given the master public key M_pk, an identity string ID_A, the corresponding private key DE_A, and cipher text (C₁, C₂, C₃), and the operation runs, as shown in Algorithm 6.

$Algorithm6KEM-DEM-Decrypt(M_{pk},I{D}_A,D{E}_A,(C_1,C_2,C_3))$

$\begin{array}{l}\begin{array}{l}1\mathrm{IF}{C}_1\notin G_1^{*}\\ 2\hspace{1em}\hspace{1em}\mathrm{output}\perp \mathrm{and}\mathrm{terminate}\\ 3\mathrm{ELSE}\\ 4\hspace{1em}\hspace{1em}t\leftarrow e\left(C_1,D{E}_A\right)\\ 5\hspace{1em}\hspace{1em}\mathrm{IF}\mathrm{DEM}\mathrm{is}\mathrm{Stream}\mathrm{cipher}\mathrm{based}\mathrm{on}\mathrm{KDF}\\ 6\hspace{1em}\hspace{1em}\hspace{1em}klen\leftarrow C_2\_len+v\\ 7\hspace{1em}\hspace{1em}\hspace{1em}{K}_1\parallel K_2\leftarrow KDF(H_v,C_1\parallel t||I{D}_A,klen)\\ 8\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{IF}{K}_1\mathrm{is}\mathrm{full}\mathrm{zero}\\ 9\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{output}\perp \mathrm{and}\mathrm{terminate}\\ 10\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 11\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}m\leftarrow C_2\oplus K_1\\ 12\hspace{1em}\hspace{1em}\mathrm{ELSE}\mathrm{IF}\mathrm{DEM}\mathrm{is}\mathrm{Block}\mathrm{cipher}\mathrm{combined}\mathrm{with}\mathrm{KDF}\\ 13\hspace{1em}\hspace{1em}\hspace{1em}klen\leftarrow K_1\_len+v\\ 14\hspace{1em}\hspace{1em}\hspace{1em}{K}_1\parallel K_2\leftarrow KDF(H_v,C_1\parallel t||I{D}_A,klen)\\ 15\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{IF}{K}_1\mathrm{is}\mathrm{full}\mathrm{zero}\\ 16\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{output}\perp \mathrm{and}\mathrm{terminate}\\ 17\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 18\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}m\leftarrow Dec\left(K_1,C_2\right)\\ 19\hspace{1em}\hspace{1em}{C}_3\prime \leftarrow H_v\left(C_2\left|\right|K_2\right)\\ 20\hspace{1em}\hspace{1em}\mathrm{IF}{C}_3\prime \ne C_3\\ 21\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{output}\perp \mathrm{and}\mathrm{terminate}\\ 22\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 23\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{output}m\end{array}\end{array}$

Upon receiving the ciphertext, the decryption algorithm decapsulates the secret key, then decrypts the message using the same type of DEM, as used by the encryption. Finally, it verifies the authentication code. Only when the integrity and authenticity of the ciphertext are confirmed is the plaintext output. Based on the algorithm, the flow chart of this process is shown in Figure 3.

3.4. Performance Evaluation

We measured the runtime of the KEM-DEM-Encrypt and KEM-DEM-Decrypt algorithms on four devices, which ranged from a smart phone to a workstation.

Table 1. Device configurations.

Device	Operating System	Processor
Raspberry Pi 3	Raspbian 8	ARM Cortex-A53@1.2GHz
OnePlus A6000	Android 8.1	Qualcomm Snapdragon 845@2.8GHz
MacBook Pro	macOS High Sierra 10.13.4	Intel Core i5@2.9GHz
Workstation	Ubuntu 16.04 LTS	Intel Xeon E5-2640 v3@2.6GHz * 32

lists the configurations of the test devices. We ran the algorithm 100 times on these devices, recorded the total time, and then calculated the average value as the result. Two types of DEM were tested. Figure 4 shows the result of using a block cipher. Figure 5 shows the result of using a stream cipher. Note that the “Time” axis is logarithmic. For the detailed parameters, please refer to

Table 2. Detailed parameters in the experiment.

Parameter	Value
Curve equation	$y^2=x^3+5$
Curve trace	D8000000 019062ED 0000B98B 0CB27659
Curve order	B6400000 02A3A6F1 D603AB4F F58EC744 49F2934B 18EA8BEE E56EE19C D69ECF25
Characteristic of $F_q$	B6400000 02A3A6F1 D603AB4F F58EC745 21F2934B 1A7AEEDB E56F9B27 E351457D
ID length	20 bytes
Private key length	256 bits
Plaintext length	1024 bytes
DEM algorithm (block cipher)	SM4 [33], a block cipher whose block size and key size are both 128 bits.
Hash function ($H_v$)	SM3 [32], a cryptographic hash function which outputs 128-bit digestions.

.

We can see that the performances of using two types of DEM are very close when comparing Figure 4 and Figure 5. This indicates that the encryption and decryption processes of the SM4 block cipher have approximately the same speed as the stream cipher. The execution time of decryption is approximately three times as much as that of the encryption. Through further comparison and analysis, we found that the pairing operation leads to such difference in the execution time.

3.5. Energy Consumption Evaluation

The energy consumption is a major concern when executing the algorithms on low-power devices. We have evaluated the energy consumption of SM9 IBE scheme on the Raspberry Pi 3 and the OnePlus A6000 smartphone. The power consumption (mAh) is shown in Figure 6, where Enc/Dec (0) represents the KEM-DEM algorithms while using stream cipher, and Enc/Dec (1) represents the algorithms using block cipher.

Figure 6 shows that the energy consumptions of using two types of DEM are very similar. The decryption algorithms consume more energy than the encryption algorithms. OnePlus A6000 consumes more energy than Raspberry Pi 3 when executing the same algorithm.

4. Design, Implementation and Evaluation of the Attribute-Based Encryption Scheme from Identity-Based Encryption

Based on the idea in [34,35], we can transform the SM9 IBE scheme into an ABE scheme. With slight modification of the original scheme, we can construct a generic ABE scheme. Roughly speaking, we uniquely convert an access structure into an identity, and then invoke the identity-based encryption scheme with the identity.

4.1. Transformation from Access Structures to Identities

AND-gate-only Access Structure Transformation Algorithm. Here, we introduce the transformation algorithm of AND-gate-only access structure. The definition of AND-gate-only Access Structure is: The universe of attributes is denoted by $u$ and the size of the universe is $\left|u\right|$. We can use an AND-gate-only access structure $A$ such as ($at{t}_1$ AND … AND $at{t}_n$ ), where $1\le n\le \left|u\right|$. It also can be written as a set of attributes, e.g., $A=\{at{t}_1,at{t}_2,\dots ,at{t}_n\}$. Let $S=\{X_1,\dots ,X_n\}$, where $1\le n\le \left|u\right|$, be an attribute set of a user. We say that $S$ satisfies the access structure $A$ if and only if $at{t}_i=X_i$, for all $1\le i\le n$, denoted as $S\models A$.

The input includes an AND-gate-only access structure $A=\{X_1,\dots ,X_n\}$ and the universe $u$ of the attribute. It outputs an ID, which is uniquely corresponding to the access structure $A$. Algorithm 7 presents the pseudocode.

$Algorithm7\phi (A,u)$

$\begin{array}{l}\begin{array}{l}1\mathrm{Let}I{D}_A[i]\mathrm{be}\mathrm{the}\mathrm{i}\text{-}\mathrm{th}\mathrm{bit}\mathrm{of}I{D}_A\\ 2\mathrm{For}i=1\mathrm{to}|u|\mathrm{Do}\\ 3\hspace{1em}\hspace{1em}\mathrm{IF}{X}_i\in A\\ 4\hspace{1em}\hspace{1em}\hspace{1em}I{D}_A[i]\leftarrow 1\\ 5\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 6\hspace{1em}\hspace{1em}\hspace{1em}I{D}_A[i]\leftarrow 0\\ 7\mathrm{END}\mathrm{For}\\ 8\mathrm{output}I{D}_A\end{array}\end{array}$

Generic Access Structure Conversion Algorithm. Here, we present the transformation algorithm of generic access structure [36]. Let $P=\{P_1,P_2,\dots ,P_n\}$ be a set of attributes. A generic access structure is a collection $A$ of non-empty subsets of $\{P_1,P_2,\dots ,P_n\}$, i.e., $A\subseteq 2^{\{P_1,P_2,\dots ,P_n\}}\backslash \{\varnothing \}$. The sets in $A$ are called the authorized sets and the sets not in $A$ are called the unauthorized sets. We can also represent the generic access structure as a disjunction of conjunctive clauses, i.e., disjunctive normal form (DNF).

The input of the conversion algorithm includes a generic access structure $A=\{A_1,\dots ,A_n\}\subseteq 2^u$, as described before and the universe $u$ of the attribute. It outputs a set of identities $S=\{I{D}_1,I{D}_2,\dots ,I{D}_n\}$, which is uniquely corresponding to the access structure $A$. Algorithm 8 presents the pseudocode.

$Algorithm8\xi (A,u)$

$\begin{array}{l}\begin{array}{l}1\mathrm{Let}S\mathrm{be}\mathrm{a}\mathrm{null}\mathrm{set},n\mathrm{be}\mathrm{the}\mathrm{size}\mathrm{of}A\\ 2\mathrm{For}i=1\mathrm{to}\mathrm{n}\mathrm{Do}\\ 3\hspace{1em}\hspace{1em}I{D}_i\leftarrow \phi (A_i)\\ 4\hspace{1em}\hspace{1em}S\leftarrow S\cup \left\{I{D}_i\right\}\\ 5\mathrm{END}\mathrm{For}\\ 6\mathrm{output}S\end{array}\end{array}$

4.2. ABE Scheme Based on SM9 IBBE

We slightly modify the SM9 IBE scheme into an IBBE (Identity-based Broadcast Encryption) [34,35] scheme to generalize our scheme, so that we can transform it into an ABE scheme that supports the generic access structure. The setup and key generation algorithms of IBBE are the same as the original SM9 IBE scheme. We propose the IBBE encrypt and decrypt algorithms based on the SM9’s KEM-DEM-Encrypt and KEM-DEM-Decrypt algorithms. Taking the master public key $M_{pk}$, a set of identities $S=\{I{D}_1,I{D}_2,\dots ,I{D}_n\}$, and the message $M$ as input, the IBBEEncrypt algorithm proceeds as presented in Algorithm 9, and it outputs a set of ciphertexts $C=\{C{T}_1,C{T}_2,\dots ,C{T}_n\}$.

$Algorithm9\mathrm{IBBEEncrypt}(M_{pk},S,M)$

$\begin{array}{l}\begin{array}{l}1\mathrm{Let}I{D}_i\mathrm{be}\mathrm{the}\mathrm{i}\text{-}\mathrm{th}ID\mathrm{of}S,\mathrm{and}C\mathrm{be}\mathrm{a}\mathrm{null}\mathrm{set}.\\ 2\mathrm{For}i=1\mathrm{to}\left|S\right|\mathrm{Do}\\ 3 C{T}_i\leftarrow SM9.\mathbf{KEM}-\mathbf{DEM}-\mathbf{Encrypt}(M_{pk},I{D}_i,M)\\ 4\hspace{1em}\hspace{1em}\hspace{1em}C\leftarrow C\cup \left\{C{T}_i\right\}\\ 5\mathrm{END}\mathrm{For}\\ 6\mathrm{output}C\end{array}\end{array}$

Taking the master public key $M_{pk}$, the user identity $ID$, the associated private key $S{K}_{ID}$, and a set of ciphertexts $C=\{C{T}_1,C{T}_2,\dots ,C{T}_n\}$ as input, we present the IBBEDecrypt algorithm. The pseudocode is presented in Algorithm 10.

$Algorithm10\mathrm{IBBEDecrypt}(M_{pk},ID,S{K}_{ID},C)$

$\begin{array}{l}\begin{array}{l}1\mathrm{Let}C{T}_i\mathrm{be}\mathrm{the}\mathrm{i}\text{-}\mathrm{th}\mathrm{ciphertext}\mathrm{of}C\\ 2\mathrm{For}i=1\mathrm{to}\left|C\right|\mathrm{Do}\\ 3\hspace{1em}M\leftarrow SM9.\mathbf{KEM}-\mathbf{DEM}-\mathbf{Decrypt}(M_{pk},ID,S{K}_{ID},C{T}_i)\\ 4\hspace{1em}\hspace{1em}\mathrm{IF}M\ne \perp \\ 5\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{output}M\mathrm{and}\mathrm{terminate}\\ 6\hspace{1em}\hspace{1em}\mathrm{ELSE}\\ 7\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{continue}\\ 8\mathrm{END}\mathrm{For}\\ 9\mathrm{output}\perp \end{array}\end{array}$

If the user identity $ID\in S$ (of IBBEEncrypt algorithm) and $S{K}_{ID}\leftarrow SM9.Private-Key-Extract(M_{pk},M_{sk},ID)$, then we can correctly decrypt the ciphertext with the IBBEDecrypt algorithm.

We construct the ABE scheme that supports the generic access structure based on the IBBE scheme, with the following four parts:

4.2.1. Setup (1^k)

Given a security parameter $k$, this algorithm calls the Setup algorithm of SM9 scheme and it sets the ABE scheme’s master public key $M_{pk}$ and the master secret key $M_{sk}$.

$$\left(M_{pk},M_{sk}\right)\leftarrow SM9.\mathbf{Setup}\left(1^k\right)$$

(5)

4.2.2. KeyGen (M_pk, M_sk, U)

Given the master public key $M_{pk}$, the master secret key $M_{sk}$, and a set of attributes $U$, this algorithm converts the set of attributes $U$ into an identity $I{D}_U\in {\{0,1\}}^{\left|u\right|}$ by running the algorithm $\phi$, and then calls the Private-Key-Extract algorithm of SM9. It outputs the ABE’s private key $S{K}_U$.

$$S{K}_U\leftarrow SM9.\mathbf{Private}-\mathbf{Key}-\mathbf{Extract}\left(M_{pk},M_{sk},\phi (U,u)\right)$$

(6)

4.2.3. Encrypt (M_pk, A, M)

Given the master public key $M_{pk}$, an access structure $A$, and a message $M$, this algorithm converts the access structure $A=\{A_1,A_2,\dots ,A_n\}$ into a set of identities by running the algorithm $\xi$, and then gets a set of ciphertexts $C=\{C{T}_1,C{T}_2,\dots ,C{T}_n\}$ by calling the IBBEEncrypt algorithm.

$$C\leftarrow \mathbf{IBBEEncrypt}\left(M_{pk},\xi (A,u),M\right)$$

(7)

4.2.4. Decrypt (M_pk, U, SK_U, C)

Given the master public key $M_{pk}$, a set of attributes $U$, the private key $S{K}_U$, and the set of ciphertexts $C$, this algorithm converts the set of attributes $U$ into an identity $I{D}_U\in {\{0,1\}}^{\left|u\right|}$ by running the algorithm $\phi$ and then gets the plaintext $M$ by running the IBBEDecrypt algorithm.

$$M\leftarrow \mathbf{IBBEDecrypt}\left(M_{pk},\phi (U,u),S{K}_U,C\right)$$

(8)

4.3. Performance Evaluation

Here, we present the experimental results on different devices. The Figure 7 and Figure 8 show how the size of the access structure produces an impact on the performance of the ABE encryption and decryption algorithms. The former experimental result in Section 4.3 shows that the performance of using two types of DEM is very similar, and thus we only present the experimental result of the ABE scheme using block cipher. The size of the universe of attributes is 20.

The experimental result shows that the execution time and the size of access structure have a linear correlation. In summary, the proposed ABE scheme’s performance on MacBook Pro and workstation is reasonably well, and its performance on Raspberry Pi and OnePlus smart phone is acceptable.

4.4. Energy Consumption Evaluation

We have also evaluated the energy consumption of ABE scheme on a Raspberry Pi 3 and a OnePlus A6000 smartphone. Figure 9 shows the power consumption (mAh).

The battery capacity of a OnePlus A6000 is 3300 mAh. The ABE Decryption process, which is the most energy-consuming process, only takes approximately 0.13% of the capacity.

4.5. Security Analysis

The security of the ABE scheme also relies on the security of the transformation technique because we have transformed the SM9 IBE scheme into the ABE scheme following the technique in [34,35]. Theorem 4.1 in [35] claims that the ABE scheme derived from an IBBE scheme is secure against chosen ciphertext attacks (CCA) if the underlying IBBE scheme is CCA-secure, which is defined, as follows:

An IBBE scheme is secure against CCA if there exists no probabilistic polynomial-time adversary who can win the following security game in a non-negligible advantage.

(i)

Setup. The challenger $\mathcal{C}$ takes a unary security parameter $1^k$ as input, and returns the master public key $M_{pk}$ to the adversary $\mathcal{A}$ and keeps the master secret key $M_{sk}$ privately.

(ii)

Learn 1. $\mathcal{A}$ submits a series of queries $q_1,\dots ,q_n$, where $q_i(i\in 1,\cdots ,n)$ is either a private key query or a decryption query. Note that in a private key query, $\mathcal{A}$ sends an identity to $\mathcal{C}$, and then $\mathcal{C}$ returns the corresponding private key to $\mathcal{A}$; in a decryption query, $\mathcal{A}$ sends a ciphertext and an identity to $\mathcal{C}$, and then $\mathcal{C}$ decrypts the ciphertext for $\mathcal{A}$.

(iii)

Challenge. $\mathcal{A}$ submits two equal-length messages $M_0,M_1$ and a challenge set of identities $\{I{D}_1^{*},\dots ,I{D}_n^{*}\}$ to $\mathcal{C}$. Afterwards, $\mathcal{C}$ uniformly randomly selects $b^{\prime }\in \{0,1\}$, encrypts $M_{b^{\prime }}$ under $\{I{D}_1^{*},\dots ,I{D}_n^{*}\}$, and finally sends the ciphertext $C^{*}$ to $\mathcal{A}$.

(iv)

Learn 2. $\mathcal{A}$ repeats the steps in the Learn 1 phase except for querying the identities and the ciphertext involved in the challenge.

(v)

Guess. $\mathcal{A}$ outputs a guess $b^{″}\in \{0,1\}$ of $b^{\prime }$ and wins the game if and only if $b^{″}=b^{\prime }$.

$\mathcal{A}$’s advantage in the above game is defined as $\left|\mathrm{Pr}\left[b^{″}=b^{\prime }\right]-\frac{1}{2}\right|$.

Obviously, the proposed ABE scheme is derived from an underlying IBBE scheme that straightforwardly repeats the SM9 IBE for a limited number of times, and thus the IBBE scheme’s security can be reduced to the security of SM9 IBE. As a cryptographic standard, we assume that the SM9 IBE is secure against CCA.

5. Optimization on the ABE Scheme

For the ABE scheme that is presented in Section 4, a plaintext has to be encrypted n times, where n is the size of the access structure. Therefore, it may be inefficient when the length of the plaintext or the size of the access structure is large. We further develop a hybrid encryption scheme, which uses the proposed ABE scheme for key encapsulation and the SM4 block cipher for data encapsulation to optimize the scheme.

5.1. Hybrid ABE Scheme

The hybrid scheme consists of four algorithms. The Setup algorithm and the KeyGen algorithm are the same as their counterparts in the ABE scheme. The encryption and decryption algorithms work, as follows.

Encrypt (M_pk, A, M): Given the master public key $M_{pk}$, an access structure $A$ and a message $M$, this algorithm proceeds, as presented in Algorithm 11.

$Algorithm11\mathrm{Encrypt}(M_{pk},A,M)$

$\begin{array}{l}\begin{array}{l}1\mathrm{Randomly}\mathrm{generated}\mathrm{a}\mathrm{SM}4\sec \mathrm{ret}key\mathrm{and}\mathrm{an}IV\\ 2C_1\leftarrow SM4.\mathbf{Encrypt}(M,key,IV)/*\mathrm{Encrypting}\mathrm{in}\mathrm{CBC}\mathrm{mode}.*/\\ 3C_2\leftarrow ABE.\mathbf{Encrypt}(M_{pk},A,key\parallel IV)\\ 4\mathrm{Output}(C_1,C_2)\end{array}\end{array}$

Decrypt (M_pk, U, SK_U, C): Given the master public key $M_{pk}$, a set of attributes $U$, the private key $S{K}_U$, and the ciphertext $C$, the decrypt algorithm proceeds as presented in Algorithm 12.

$Algorithm12\mathrm{Decrypt}(M_{pk},U,S{K}_U,C)$

$\begin{array}{l}\begin{array}{l}1(C_1,C_2)\leftarrow C\\ 2key\parallel IV\leftarrow ABE.\mathbf{Decrypt}(M_{pk},U,S{K}_U,C_2)\\ 3M\leftarrow SM4.\mathbf{Decrypt}(C_1,key,IV)/*\mathrm{Decrypting}\mathrm{in}\mathrm{CBC}\mathrm{mode}.*/\\ 4\mathrm{Output}M\end{array}\end{array}$

The hybrid scheme is more space-economic than the scheme in the previous section. Let m be the length of plaintext and n be the access structure’s size. The size of the ciphertext of this hybrid ABE scheme is $m+n*(32+96)$ bytes, which is much smaller than before. For example, when the plaintext’s length is 1 GB and the access structure’s size is 8, the ciphertext’s length is only 1 GB + 1 KB.

5.2. Performance Evaluation

Here, we present the experimental results on different devices. We set the default size of the universe of attributes as 20 and the plaintext’s default length as 1 KB. The other parameters are inherited from the SM9 scheme. Figure 10 and Figure 11 show the performance of the encryption and decryption. Figure 12 shows the relation between the ciphertext’s size and the access structure’s size. Figure 13 shows the relation between the ciphertext’s size and the plaintext’s length under the condition that the access structure’s size is 10.

5.3. Energy Consumption Evaluation

We have also evaluated the energy consumption of the hybrid ABE scheme on a Raspberry Pi 3 and a OnePlus A6000 smartphone. Figure 14 shows the power consumption (mAh).

6. Conclusions

We present an ABE scheme that is based on the SM9 IBE scheme, which supports the generalized access structure. The proposed scheme complies with the Chinese commercial cryptographic standard and the forthcoming ISO standard. In terms of implementation, we first implement and embed the R-ate pairing on BN-curves, which is required by SM9, into the JPBC library; and, then implement SM9 as well as the proposed ABE. Moreover, we also develop a hybrid ABE for achieving lower ciphertext expansion rate when the size of access structure or plaintext is large. In general, the proposed schemes’ performance is reasonably well on PCs, and is also acceptable on smart phones and embedded devices, according to our experimental results.