Security Weaknesses of Some Policy-Hiding Attribute-Based Encryption Schemes

Document Type: Research Article

Authors

1 Department of Electrical Engineering, Sharif University of Technology, Tehran, Iran

2 Electronics Research Institute, Sharif University of Technology, Tehran, Iran

Abstract
In Ciphertext-Policy Attribute-Based Encryption (CP-ABE) schemes, an access structure is sent with each ciphertext to specify the intended recipients. This design can reveal sensitive information about the encrypted data and its recipients. Moreover, it may introduce new security concerns regarding user privacy. Policy-hiding CP-ABE schemes have been proposed to address this challenge and protect user privacy. In this paper, we present the cryptanalysis of two policy-hiding CP-ABE schemes. For the first scheme, we demonstrate that it leaks attribute value information through the ciphertext. An adversary can exploit this flaw to perform an offline dictionary attack, revealing the attribute values used in the access structure, and thereby exposing the entire access structure. For the second scheme, we show that its security is compromised due to the improper establishment of the decryption key component utilized in the attribute matching phase. Data users can exploit the secret key components used in the attribute matching phase to decrypt any ciphertext, regardless of their attribute set.
