Traceable-then-revocable ciphertext-policy attribute-based encryption scheme

A traceable ciphertext-policy attribute-based encryption (T-CPABE) scheme can trace a malicious user, who may leak her/his decryption privilege to a third party for some benefits. However, even if the malicious user is traced, the existing schemes cannot revoke her/him from the cryptosystems. Thus, it is necessary to embed a revocation mechanism into a T-CPABE scheme in practice. In this paper, we propose a ciphertext-policy attribute-based encryption scheme with white-box traceability and direct user revocation. In the proposed scheme, the ciphertext is related to an access structure and a revocation list R. The secret key is associated with an attribute set and a user’s identity assigned a leaf node in a binary tree. The value of a leaf node is used to trace a malicious user. Once a malicious user is caught, her/his identity is added in the revocation list R. Only the ciphertext components associated with the revocation list R are updated according to the new revocation list R′, and the updated ciphertext can provide forward security. Therefore, a user can decrypt a ciphertext if and only if she/he is not in the revocation list and her/his attribute set satisfies the access policy, simultaneously. Furthermore, our scheme is proved to be secure under selective access policy and chosen-plaintext attacks based on the decisional q-bilinear Diffie–Hellman exponent hardness assumption in the standard model.