International Association
for Cryptologic Research

Providing an efficient revocation mechanism for attribute-based encryption (ABE) is of

utmost importance since over time an user\'s credentials may be revealed or expired. All previously

known revocable ABE (RABE) constructions (a) essentially utilize the complete subtree (CS) scheme

for revocation purpose, (b) are bounded in the sense that the size of the public parameters depends

linearly on the size of the attribute universe and logarithmically on the number of users in the

system, and (c) are either selectively secure, which seems unrealistic in a dynamic system such as

RABE, or fully secure but built in a composite order bilinear group setting, which is undesirable from

the point of view of both efficiency and security. This paper presents the first fully secure unbounded

RABE using subset difference (SD) mechanism for revocation which greatly improves the broadcast

efficiency compared to the CS scheme. Our RABE scheme is built on a prime order bilinear group

setting resulting in practical computation cost, and its security depends on the Decisional Linear

assumption.