Mitigating Key Escrow in Attribute-Based Encryption

The notion of accountable authority introduced by Goyal (Crypto 2007) in identity-based encryption (IBE) setting is a novel approach to mitigate the (inherent) key escrow problem in identity based cryptosystems. As far as we know, the (inherent) key escrow problem also exists in attribute based encryption (ABE), for example ciphertext policy ABE (CP-ABE). In this paper, the concept of accountable authority is generalized to ABE setting. We first formalize the definitions and security models for accountable authority attribute-based encryption (AABE), and then present two concrete constructions. One is designed for the threshold ABE with large universe attributes, and the other is built for ciphertext policy ABE. In our scheme, a user will be identified by a pair (id, ω), where id denotes the identity of a user and ω denotes a attribute set associated to the user. In addition, both constructions are shown to be secure in the standard model under some reasonable assumptions.