Attacking Two Pairing-Free Ciphertext-Policy Attribute-Based Encryption Schemes

Document Type: Research Article

Authors

1 Information Systems and Security Lab. (ISSL), Department of Electrical Engineering, Sharif University of Tech., Tehran, Iran

2 Electronics Research Institute, Sharif University of Tech., Tehran, Iran

Abstract
Attribute-based encryption (ABE) is one of the recommended tools to secure real systems like the Internet of Things (IoT). Almost all ABE schemes utilize bilinear map operations, known as pairings. The challenge with these schemes is that pairings are computationally expensive and IoT devices are typically resource-constrained, so efficient pairing-free ABE schemes have been proposed to solve this issue. These schemes use classical cryptographic operations instead of heavy bilinear pairings. Recently, two pairing-free ciphertext-policy attribute-based encryption schemes have been proposed (by Das et al. and Sowjanya et al.). According to their authors, the schemes are secure against collusion attacks and provide indistinguishability in a selective-set security model. The first scheme has also been claimed to be secure against forgery attacks. In this paper, we show that the first scheme is vulnerable to a ciphertext-only attack, to collusion between four or more data users with specific features, and to forgery attacks. We also show that the second scheme is vulnerable to a key recovery attack, which can lead to a collusion attack. So, even though the schemes are highly efficient, they have security vulnerabilities that can violate their authors' claims.

References

[1] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In 2007 IEEE symposium on security and privacy (SP’07), pages 321–334. IEEE, 2007.
[2] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM conference on Computer and communications security, pages 89–98, 2006.
[3] Sangjukta Das and Suyel Namasudra. Multiauthority cp-abe-based access control model for iot-enabled healthcare infrastructure. IEEE Transactions on Industrial Informatics, 19(1):821–829, 2022.
[4] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Advances in Cryptology–EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005. Proceedings 24, pages 457–473. Springer, 2005.
[5] Fucai Luo, Saif Al-Kuwari, Haiyan Wang, Fuqun Wang, and Kefei Chen. Revocable attribute-based encryption from standard lattices. Computer Standards & Interfaces, 84:103698, 2023.
[6] Susan Hohenberger, George Lu, Brent Waters, and David J Wu. Registered attribute-based encryption. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 511–542. Springer, 2023.
[7] Dezhi Han, Nannan Pan, and Kuan-Ching Li. A traceable and revocable ciphertext-policy attribute-based encryption scheme based on privacy protection. IEEE Transactions on Dependable and Secure Computing, 19(1):316–327, 2020.
[8] Sucharita Khuntia and P Syam Kumar. New hidden policy cp-abe for big data access control with privacy-preserving policy in cloud computing. In 2018 9th international conference on computing, communication and networking technologies (ICCCNT), pages 1–7. IEEE, 2018.
[9] Javier Herranz. Attacking pairing-free attribute-based encryption schemes. IEEE access, 8:222226–222232, 2020.
[10] Vanga Odelu and Ashok Kumar Das. Design of a new cp-abe with constant-size secret keys for lightweight devices using elliptic curve cryptography. Security and Communication Networks, 9(17):4048–4059, 2016.
[11] Divyashikha Sethia, Raj Sahu, Sandeep Yadav, and Ram Kumar. Attribute revocation in ecc-based cp-abe scheme for lightweight resource-constrained devices. In 2021 International Conference on Communication, Control and Information Sciences (ICCISc), volume 1, pages 1–6. IEEE, 2021.
[12] Xuanxia Yao, Zhi Chen, and Ye Tian. A lightweight attribute-based encryption scheme for the internet of things. Future Generation Computer Systems, 49:104–112, 2015.
[13] Syh-Yuan Tan, Kin-Woon Yeow, and Seong Oun Hwang. Enhancement of a lightweight attribute-based encryption scheme for the internet of things. IEEE Internet of Things Journal, 6(4):6384–6395, 2019.
[14] K Sowjanya, Mou Dasgupta, Sangram Ray, and Mohammad S Obaidat. An efficient elliptic curve cryptography-based without pairing kpabe for internet of things. IEEE Systems Journal, 14(2):2154–2163, 2019.
[15] Sheng Ding, Chen Li, and Hui Li. A novel efficient pairing-free cp-abe based on elliptic curve cryptography for iot. IEEE Access, 6:27336–27345, 2018.
[16] Yong Wang, Biwen Chen, Lei Li, Qiang Ma, Huicong Li, and Debiao He. Efficient and secure ciphertext-policy attribute-based encryption without pairing for cloud-assisted smart grid. IEEE Access, 8:40704–40713, 2020.
[17] K Sowjanya, Mou Dasgupta, and Sangram Ray. A lightweight key management scheme for key-escrow-free ecc-based cp-abe for iot health-care systems. Journal of Systems Architecture, 117:102108, 2021.
[18] Yang Ming, Baokang He, and Chenhao Wang. Efficient revocable multi-authority attribute-based encryption for cloud storage. IEEE Access, 9:42593–42603, 2021.
[19] K Sowjanya and Mou Dasgupta. A ciphertext-policy attribute based encryption scheme for wireless body area networks based on ecc. Journal of Information Security and Applications, 54:102559, 2020.
[20] M Amirthavalli, S Chithra, and R Yugha. An improved pairing-free ciphertext policy framework for iot. Computer Systems Science & Engineering, 46(1), 2023.
[21] Vanga Odelu, Ashok Kumar Das, Muhammad Khurram Khan, Kim-Kwang Raymond Choo, and Minho Jo. Expressive cp-abe scheme for mobile devices in iot satisfying constant-size keys and ciphertexts. IEEE Access, 5:3273–3283, 2017.
[22] Dhaval Khandla, Het Shahy, Manish Kumar Bz, Alwyn Roshan Pais, and Nishant Raj. Expressive cp-abe scheme satisfying constant-size keys and ciphertexts. Cryptology ePrint Archive, 2019.
[23] Javier Herranz. Attribute-based encryption implies identity-based encryption. IET information security, 11(6):332–337, 2017.
[24] Yi-Fan Tseng, Jheng-Jia Huang, Hao-Yu Yang, Tsung-Yu Chien, and Chieh-Han Wu. Cryptanalysis and discussion on two attribute-based encryption schemes. In 2022 17th Asia Joint Conference on Information Security (AsiaJCIS), pages 24–28. IEEE, 2022.
[25] Yi-Fan Tseng and Jheng-Jia Huang. Cryptanalysis on two pairing-free ciphertext-policy attribute-based encryption schemes. In 2020 International Computer Symposium (ICS), pages 403–407. IEEE, 2020.
[26] Yi-Fan Tseng. Cryptanalysis to sowjanya et al.’s abes from ecc. In 2021 International Conference on Security and Information Technologies with AI, Internet Computing and Big-data Applications, pages 287–294. Springer, 2022.
[27] Yi-Fan Tseng, Hao-Yu Yang, Chieh-Han Wu, Tsung-Yu Chien, Raylin Tso, Zi-Yuan Liu, and Jen-Chieh Hsu. Cryptanalysis to ming et al.’s revocable multi-authority attribute-based encryption. In 2022 17th Asia Joint Conference on Information Security (AsiaJCIS), pages 29–32. IEEE, 2022.
[28] Amos Beimel. Secure schemes for secret sharing and key distribution. PhD thesis, Israel Institute of Technology, Technion, 1996.