Insights from attribute-based encryption and ciphertext delegation schemes

Ciphertext-Policy Attribute-Based Encryption

Attribute-based encryption (ABE) is a relatively recent approach that reconsiders the concept of public-key cryptography. In traditional public-key cryptography, a message is encrypted for a specific receiver using the receiver’s public key. Identity-based cryptography, and in particular identity-based encryption (IBE), changed the traditional understanding of public-key cryptography by allowing the public key to be an arbitrary string, e.g., the email address of the receiver. ABE goes one step further and defines the identity as a set of attributes, e.g., roles. This way, messages can be encrypted with respect to subsets of policies defined over a set of attributes (ciphertext-policy ABE – CP-ABE). The key point here is that someone is able to decrypt a ciphertext if and only if she holds a key for “matching attributes”, where user keys are always issued by some trusted party. But how exactly does this work?

Policies and Attributes

In ciphertext-policy attribute-based encryption (CP-ABE), a user’s private key is associated with a set of attributes, and a ciphertext specifies an access policy over a defined universe of attributes within the system. A user will be able to decrypt a ciphertext if and only if her attributes satisfy the policy of the respective ciphertext. Policies may be defined over attributes using conjunctions or disjunctions. For instance, let us assume that the universe of attributes is defined to be {A,B,C,D}, and that User 1 receives a key for attributes {A,B} and User 2 a key for attribute {D}. If a ciphertext is encrypted with respect to the policy (A∧C)∨D ((A AND C) OR D), then User 2 will be able to decrypt, while User 1 will not be able to decrypt the ciphertext.

Let us, for example, define two different policies, P={engineer ∧female} and Q={nurse ∨male}. Moreover, let Lois be an engineer and Peter be a lawyer. Then the following holds (Figure 1):

Figure 1: CP-ABE example

Ciphertext Delegation

Ciphertext delegation is a process through which the policy of a ciphertext can be changed without the need of decryption and re-encryption. However fascinating, most ABE schemes that support ciphertext delegation suffer from inefficiencies. To this end, in ASCLEPIOS we choose to use the most efficient ABE schemes and we enforce the policies using Attribute-Based Access Control (ABAC).


In ASCLEPIOS we use Attribute-Based Encryption along with Symmetric Searchable Encryption (SSE) to build a hybrid encryption scheme. First, a user generates a symmetric key for an SSE scheme and encrypts her data locally before outsourcing them to the cloud. Then, as a next step, she encrypts the SSE key using Attribute-Based Encryption and binds a policy to the resulting ciphertext. The ciphertext is also uploaded to the cloud. Finally, if a user wishes to access the encrypted data, she first needs to request the encrypted key, which she will be able to decrypt if and only if her attributes satisfy the policy bound to the ciphertext of the symmetric key.
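
The (A∧C)∨D policy from the Policies and Attributes section, applied to a wrapped key as in the hybrid scheme above, as an added Python sketch that is neither ASCLEPIOS code nor a real CP-ABE scheme. It goes beyond the text by splitting the key along the policy tree with simple secret sharing (AND splits, OR copies), so that only a satisfying attribute set can rebuild it. The `AND`/`OR` policy syntax, `PRIME` and all function names are assumptions made for the illustration.

```python
import re
import secrets
PRIME = 2**127 - 1  # toy field modulus (assumption, not from the article)

def parse(policy):  # '(A AND C) OR D' -> ('OR', ('AND', 'A', 'C'), 'D')
    tokens = re.findall(r"[()]|[A-Za-z0-9]+|\S", policy) + ["<end>"]
    def atom(i):
        if tokens[i] == "(":
            node, i = level(i + 1, "OR")
            if tokens[i] != ")":
                raise ValueError("missing ')'")
            return node, i + 1
        if tokens[i] in ("AND", "OR") or not tokens[i].isalnum():
            raise ValueError("attribute expected, got " + tokens[i])
        return tokens[i], i + 1
    def level(i, op):  # OR is the loosest level, AND binds tighter
        sub = atom if op == "AND" else (lambda j: level(j, "AND"))
        node, i = sub(i)
        while tokens[i] == op:
            rhs, i = sub(i + 1)
            node = (op, node, rhs)
        return node, i
    node, i = level(0, "OR")
    if tokens[i] != "<end>":  # fail closed on anything left unparsed
        raise ValueError("unexpected token " + tokens[i])
    return node

def share(node, secret):  # leaves become (attribute, share)
    if isinstance(node, str):
        return (node, secret)
    op, left, right = node
    if op == "OR":  # either branch alone must rebuild the secret
        return (op, share(left, secret), share(right, secret))
    r = secrets.randbelow(PRIME)  # AND: both halves are needed
    return (op, share(left, r), share(right, (secret - r) % PRIME))

def recover(shared, attrs):  # the secret if attrs satisfy the policy, else None
    if len(shared) == 2:  # leaf: usable only with the matching attribute
        return shared[1] if shared[0] in attrs else None
    a, b = recover(shared[1], attrs), recover(shared[2], attrs)
    if shared[0] == "OR":
        return a if a is not None else b
    return None if None in (a, b) else (a + b) % PRIME

def demo():
    key = secrets.randbelow(PRIME)  # stands in for the SSE key
    ct = share(parse("(A AND C) OR D"), key)
    users = {"User 1": {"A", "B"}, "User 2": {"D"}}  # attribute sets from the article
    return {u: recover(ct, attrs) == key for u, attrs in users.items()}
```

In this toy model, pooling the attributes of two different users would also rebuild the key; real CP-ABE schemes are designed so that keys issued to different users cannot be combined this way.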


Attribute-Based Encryption is a fascinating technique that can impose a very accurate access control mechanism in cloud-based environments. As such, it is considered to be one of the core components of the ASCLEPIOS project.

ASCLEPIOS is a project funded by the EU and will end in November 2021.