Ciphertext-Delegatable CP-ABE for a Dynamic Credential: A Modular Approach

We introduce a new technique converting Ciphertext-policy Attribute-based Encryption (CP-ABE) to Ciphertext-delegatable CP-ABE (CD-CP-ABE). Ciphertext delegation is an important technique to deal with dynamic credentials, which enable users to be joined and revoked at any time while the system is operating. The delegation of CD-CP-ABE allows third parties such as cloud or proxy servers to convert a ciphertext to the other one with a more restrictive policy. Therefore, it can be used to revoke users dynamically in an access control system. Prior to our work, a delegation algorithm of CD-CP-ABE is not generic and the completeness of the delegation is shown when the size of the delegated access structure increases quadratically with the sizes of original and revocation access structures. In this paper, we provide a generic delegation algorithm to reform CP-ABE to CD-CP-ABE. We generalize properties necessary for the ciphertext delegation using the syntax of encodings for the modularity and construct a generic delegation algorithm based on those properties. In our new technique, we build the delegated access structures, which generally determines the size of the ciphertext, in a defined way. The size of delegated access structures grows only linearly with those of original and revocation access structures. Through presenting instances, we show that our technique is readily applicable to existing CP-ABE schemes including CP-ABE scheme with non-monotonic access structures.