I've looked around but can't find any discussion on using both CP-ABE and KP-ABE by simply wrapping one with the other. It seems like you'd be able to get more fine-grained access control with a scheme like that. The lack of any information makes me suspect that I'm missing something. Would this be an advantageous setup, and would there be any problems associated with doing something like that?

1 Answer

The question is old, but I leave the answer in case someone needs it in the future.

KP-ABE and CP-ABE are complementary cryptographic algorithms, and they exist not because one is better than the other but because they offer different advantages depending on what you are looking for.

The main advantage of CP-ABE is that the user who encrypts the information retains complete control over who accesses it. After all, they are the ones who decide the policy under which their data is accessed. For example, Alice wants to send a message to all users who are Engineers of Company A. Therefore, she defines a policy such that $AP = (Engineer\ AND\ Company_A)$.

KP-ABE, on the other hand, gives control to the key generator. The idea is not so much that the one who encrypts the information decides who accesses it, but that control is determined by the one who generates the keys. For example, Alice has an international delivery company and decides that Bob can access all information related to shipments to China and Kenya. She will define Bob's key under the policy $AP = (China\ AND\ Kenya)$.

So, let's consider the situation you describe and assume we use CP-ABE first and then KP-ABE.

We define $AP = (att_1\ AND\ att_2)$ and operate: $Enc_{CP-ABE}\ (PT,\ AP) = CT_{CP-ABE}$.

Only users whose key is $SK_{CP} = (att_1\|att_2)$ can access the information.

We continue with the KP-ABE encryption: We define $\mathbb{A} = (att_3 \| att_4)$ and operate: $Enc_{KP-ABE}\ (CT_{CP-ABE}, \mathbb{A}) = CT_{KP-ABE}$.

Only users whose key is such that $SK_{KP} = (att_3\ AND\ att_4)$ can access it.

When would it be useful? When you want a User to only be able to access information related to $att_3$ and $att_4$ and when that user is defined by $att_1$ and $att_2$.

  • Drawback 01: users must have two SKs, one for CP-ABE and one for KP-ABE.
  • Drawback 02: the above case can be done in CP-ABE as follows.

$Enc_{CP-ABE}(PT,\ AP) = CT_{CP-ABE}$

$KeyGen_{CP-ABE} (\mathbb{A}) =SK_{CP}$

where $AP = (att_1\ AND\ att_2\ AND\ att_3\ AND\ att_4)$ and $\mathbb{A} = (att_1\|att_2\|att_3\|att_4)$

  • Drawback 3: two encryption and two decryption operations.

In addition, ABE schemes are often combined with symmetric ciphers to be deployed in a system. (Symmetric ciphers protect the information, and ABE protects the symmetric key.) This causes another type of inconvenience:

  • Drawback 4: ABE schemes expand the ciphertext. A 256-bit AES key encrypted with CP-ABE can reach Byte sizes. This expansion is usually related to the number of attributes (KP-ABE) or the complexity of the policy (CP-ABE). When combining CP-ABE and KP-ABE, the expansion would be enormous.
  • Drawback 5: ABE schemes have CPA security, so they are often combined with techniques that give them CCA security. These techniques tend to increase the computational cost of the algorithm. When combining KP-ABE and CP-ABE, you should consider how to implement that transformation from CPA to CCA and consider the increased computational complexity.

Of course, it all depends on the chosen use case, but at first glance, it offers few advantages while it has notable computational disadvantages.

If it's fine-grained access you're after, you can always look at combinations of access control and encryption.

PekeDevil
  • "The main advantage of CP-ABE is that the user who encrypts the information retains complete control over who accesses it." They don't have complete control, do they? They don't control who has access, only what attributes or combination of attributes have access. Someone else controls who gets those attributes. – Zachary Whitley Oct 24 '23 at 13:24
  • That's absolutely true. What I meant by that is that in CP-ABE, the user that encrypts the information defines the access policies, and thus the conditions under which information can be accessed. I meant this in contrast to KP-ABE, in which the user that encrypts information "tags" it with attributes. In KP-ABE, in a way, users themselves are the ones that "decide" which information they can access, since they are the ones that have a decryption key linked to an access policy. In both cases, decryption keys are generated by a third party who, if malicious, has control over the whole system. – PekeDevil Oct 26 '23 at 06:51
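
The layered case from the answer and its "Drawback 02" single CP-ABE equivalent, as an added example that is not part of the original answer: it models only the access decision (which keys open which ciphertext), with no cryptography. The function names, the policy encoding and `att5` are assumptions made for the illustration, and the single-key mapping assumes AND-only KP policies as in the answer's case.

```python
from itertools import chain, combinations

# A policy is an attribute name or a tuple ("AND"|"OR", sub-policy, ...).
def satisfies(policy, attrs):
    if isinstance(policy, str):
        return policy in attrs
    op, *terms = policy
    hits = [satisfies(t, attrs) for t in terms]
    return all(hits) if op == "AND" else any(hits)

def leaves(policy):
    """Attributes named anywhere in a policy."""
    if isinstance(policy, str):
        return {policy}
    return set().union(*(leaves(t) for t in policy[1:]))

INNER_POLICY = ("AND", "att1", "att2")   # AP of the inner CP-ABE layer
OUTER_ATTRS = {"att3", "att4"}           # attribute set of the outer KP-ABE layer
COMBINED_POLICY = ("AND", "att1", "att2", "att3", "att4")  # Drawback 02

def layered_can_decrypt(cp_attrs, kp_policy):
    """Two keys: the KP key must open the outer layer, the CP key the inner."""
    outer = kp_policy is not None and satisfies(kp_policy, OUTER_ATTRS)
    return outer and satisfies(INNER_POLICY, cp_attrs)

def single_can_decrypt(cp_attrs, kp_policy):
    """One CP-ABE key: the CP attributes plus the attributes of the AND-only
    KP policy the user would otherwise have been issued (assumption)."""
    granted = set(cp_attrs) | (leaves(kp_policy) if kp_policy else set())
    return satisfies(COMBINED_POLICY, granted)

def compare():
    """Evaluate both designs for every constructed user; returns
    (cp_attrs, kp_policy, layered, single) rows."""
    base = ["att1", "att2"]
    cp_sets = chain.from_iterable(combinations(base, n) for n in range(3))
    # att5 is a constructed attribute that the ciphertext is not tagged with
    kp_policies = [None, ("AND", "att3", "att4"), ("AND", "att3", "att5")]
    rows = []
    for cp in map(frozenset, cp_sets):
        for kp in kp_policies:
            rows.append((cp, kp, layered_can_decrypt(cp, kp),
                         single_can_decrypt(cp, kp)))
    return rows

if __name__ == "__main__":
    for cp, kp, layered, single in compare():
        print(sorted(cp), kp, "layered:", layered, "single:", single)
```
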