1. Introduction
The notation of ABE, firstly put forward by Sahai et al. [1], is a summarization of fuzzy IBE[2]. Then Goyal et al. put foward a Key-Policy ABE, and further defined a CP-ABE [3]. In the CP-ABE, the private key is constructed over the attributes, and the user designs the access control policy over some attributes when encrypting data. If the attributes associating with private key achieve the access control policy, then the decryption is successful. CP-ABE provides a new method to carry out the fine-grained access policy to encrypted data so that a lot of researches have been carried out about it including [3-8], which focused on different properties including expressiveness, performance or security. Especially, Lewko et al. provided a CP-ABE scheme [8] by using the monotone span program (MSP) respectively, which were both proved adaptively secure.
As is described above, the key is related to attributes owned by multiple users so that distinct users may have the same attribute sets, namely the same decryption keys. If a key is leaked, it is hard to identify who exactly leaks it. Liu et al. [9] provided a traceable CP-ABE scheme which can identify the malicious users leaking their decryption keys. This scheme was constructed based on Lewko et al's CP-ABE [8] construction over composite order bilinear groups by drawing on Boneh and Boyen's signature technique [10]. Later, Ning et al. provided a traceable CP-ABE construction[11] in large universe by using the similar method based on Rouselakis et al's construction [12] that was proved selectively secure over prime order bilinear groups. Zhang et al. [13] took it a step further by adding authority accountability. In addition, some relevant papers are proposed also[14-16]. However, in all these traceable CP-ABE constructions, the ciphertext grows linearly with the MSP, similarly, the number of pairing computations in decryption algorithm also grows linearly with that of qualified rows in the MSP.
Note that, constant computation and low communication generally has more practical significance for some applications with limited computing resources and bandwidth. Therefore, we put forward a traceable CP-ABE based on [9] for MAS. In this scheme, we make use of an "encoding technique" which represents the MAS by their minimal sets to encrypt the messages, so the ciphertext size is polynomial with the number of minimal sets. For some access policies, this scheme may have shorter ciphertext and lower encryption cost (see Section 3.5). Additionally, the most important thing is that our construction has only three bilinear pairing operations and two exponent operations in the decryption process, which improves the efficiency extremely.
2. Preliminaries
In this part, we will take view of several facts that will be applied in our scheme including access structures, minimal set, CP-ABE, composite order bilinear maps, l − SDH assumption and traceability game.
2.1 Access Structures
Definition 1.(Access Structures). Suppose \(\mathcal{M}=\left\{m_{1}, m_{2}, \ldots, m_{n}\right\}\) is a set of members and \(\mathbb{S} \subset 2^{\mathcal{M}}\) is a collection. If for each set A and B, it satisfies if \(A \in \mathbb{S}\) and \(A \subseteq B\) , then \(B \in \mathbb{S}\) holds, then we can say \(\mathbb{S}\) is monotone. An access structure is defined as collection \(\mathbb{S} \subseteq 2^{\mathcal{M}} \)\{0}.
2.2 Minimal Set
Definition 2.(Minimal Set of a MAS). Suppose \(\mathbb{S}\) is a MAS with the attribute set \(U=\left\{u_{1}, u_{2}, \ldots, u_{n}\right\}\). For all sets A and B in \(\mathbb{S}\) , if \(\forall B \in \mathbb{S} \backslash\{A\}\), we have \(B \not \subset A\) , then A is a minimal authorized set. The collection of minimal set in \(\mathbb{S}\) composes the base of \(\mathbb{S}\).
Theorem 1. [17] If there exists a linear secret sharing scheme (LSSS) for a concrete MAS, then there must be a smallest MSP for the same MAS.
2.3 CP-ABE
Assuming the set of attributes is \(U=\left\{u_{1}, u_{2}, \ldots, u_{n}\right\}\), then the tracable CP-ABE is defined as follows:
Setup (1λ , U).The input is security parameter 1λ and attribute universe U, then it will output the public parameters PP and the master key MK. In addition, it sets the initial tracing table as T = \(\phi\), where \(\phi\) denotes empty.
KeyGen( MK, id, S). The input is the MK, identity idand attributes set S, then it will output the secret key SKid,S . Finally, it will add id to the tracing table T.
Encrypt( PP , \(\mathcal{D}\) , M). The input is the PP, access structure \(\mathcal{D}\) for attributes universe U and plaintext M needing to be encrypted, then it will output the ciphertext CT\(\mathcal{D}\) with \(\mathcal{D}\) implicitly contained.
Decrypt( \(\mathcal{D}\) , SKid,S). The input is the CT\(\mathcal{D}\) and SKid,S.If S satisfies \(\mathcal{D}\), then it will output the valid message M.
CTTrace( T , SKid,S ). The input is the T and SKid,S . Then it will output an identity id or a special symbol \(\phi\).
The above algorithms can be generalized as Fig. 1.
Fig. 1. Steps involved in various phases of our proposed scheme
Next, we will provide concrete definition of adaptively secure against chosen plaintext attacks for the CP-ABE construction, which is represented as a security game GameReal between challenger \(\mathcal{C}\) and attacker \(\mathcal{A}\).
Setup: \(\mathcal{C}\) carries out Setup algorithm to generate the public parameters PP and master key MK. \(\mathcal{C}\) begins to interact with \(\mathcal{A}\) by giving PP.
Phase 1: \(\mathcal{A}\) makes a number of key queries for the identity-attribute tuples {( id1 , S1), ( id2 , S2 ), ..., ( idq1 , Sq1 )} .
Challenge: submits two plaintexts M0, M1 with the equal length and access policy \(\mathcal{D}\)* that cannot be satisfied by { S1 , S2 , ..., Sq1 }. Then \(\mathcal{C}\) chooses a random β∈ {0, 1} and encrypts the plaintext Mβ using \(\mathcal{D}\) *. At last, it outputs generated ciphertext CT\(\mathcal{D}\)* to \(\mathcal{A}\).
Phase 2: \(\mathcal{A}\) proceeds to make a number of key queries for the identity-attribute tuples \(\left\{\left(i d_{q_{1}+1}, S_{q_{1}+1}\right),\left(i d_{q_{1}+2}, S_{q_{1}+2}\right), \ldots,\left(i d_{q}, S_{q}\right)\right\}\) requiring that no Si satisfies \(\mathcal{D}\)*.
Guess: \(\mathcal{A}\) outputs a guess β′ for β.
\(\mathcal{A}\)’ advantage is described to be \(A d v_{\text {Game }_{\text {Real }}^{\mathcal{A}}}^{(\lambda)}=\left|\operatorname{Pr}\left[\beta=\beta^{\prime}\right]-1 / 2\right|\).
Definition 3. We can know a CP-ABE is adaptively secure assuming for polynomial time attackers \(\mathcal{A}\), the advantage \(A d v_{\text {Game }_{\text {Real }}^{\mathcal{A}}}^{(\lambda)}\) is negligible.
2.4 Composite Order Bilinear Maps
Next, we will describe the composite order bilinear group firstly proposed in [18]. Suppose \(\mathcal{G}\) is a group generator, and it outputs the parameters (\(\left(p_{1}, p_{2}, p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right)\) , in which p1, p2 and p3 denote three different big primes, \(\mathbb{G}\) and \(\mathbb{G}_{T}\) the groups with order N = p1p2p3 . Additionally, \(e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_{T}\) represents a bilinear map which satisfies that
1.For any \(x, y \in \mathbb{Z}_{N}^{*}\) and \(u, v \in \mathbb{G}\) , we have \(e\left(u^{x}, v^{y}\right)=e(u, v)^{x y}\).
2.There exists e( g, h ) having order N in \(\mathbb{G}_{T}\), where \(g, h \in \mathbb{G}\).
Suppose \(\mathbb{G}_{p_{1}}\), \(\mathbb{G}_{p_{2}}\) and \(\mathbb{G}_{p_{3}}\) are the subgroups of \(\mathbb{G}\) with order p1, p2 and p3 respectively. Let \(h_{i} \in \mathbb{G}_{p_{i}}\) and \(h_{j} \in \mathbb{G}_{p_{j}}\)be random parameters with i ≠ j, then we have \(e\left(h_{i}, h_{j}\right)=1\) according to orthogonal property [19].
Now, we will state three complexity assumptions proposed by Lewko et al. [19], on which the security proof of our scheme is based, as follows:
Assumption 1. Provided the group generator \(\mathcal{G}\), the problem of Assumption 1 is defined to be:
\(\left(N=p_{1} p_{2} p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right) \stackrel{R}{\longleftarrow} \mathcal{G}(\lambda)\)
\(g \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1}}, X_{3} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{3}},\)
\(L=\left(\left(N, \mathbb{G}, \mathbb{G}_{T}, e\right), g, X_{3}\right)\)
\(T \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1} p_{2}}, T^{\prime} \stackrel{R}{\longleftarrow}\mathbb{G}_{p_{1}}\)
\(\mathcal{A}\)’s advantage to break the above assumption is:
\(\operatorname{Advl}_{\mathcal{G}, \mathcal{A}}(\lambda):=\left|\operatorname{Pr}[\mathcal{A}(L, T)=1]-\operatorname{Pr}\left[\mathcal{A}\left(L, T^{\prime}\right)=1\right]\right|\)
Assumption 2. Provided the group generator \(\mathcal{G}\), the problem of Assumption 2 is defined to be:
\(\left(N=p_{1} p_{2} p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right) \stackrel{R}{\longleftarrow} \mathcal{G}(\lambda)\)
\(g, X_{1}\stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1}}, X_{2}, Y_{2}\stackrel{R}{\longleftarrow} \mathbb{G}_{p_{2}}, X_{3}, Y_{3} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{3}},\)
\(L=\left(\left(N, \mathbb{G}, \mathbb{G}_{T}, e\right), g, X_{1} X_{2}, X_{3}, Y_{2} Y_{3}\right)\)
\(T \stackrel{R}{\longleftarrow} \mathbb{G}, T^{\prime} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1} p_{3}}\)
\(\mathcal{A}\)’s advantage to break the above assumption is:
\(\operatorname{Adv} 2_{\mathcal{G}, \mathcal{A}}(\lambda):=\left|\operatorname{Pr}[\mathcal{A}(L, T)=1]-\operatorname{Pr}\left[\mathcal{A}\left(L, T^{\prime}\right)=1\right]\right|\)
Assumption 3. Provided the group generator \(\mathcal{G}\), the problem of Assumption 3 is defined to be:
\(\left(N=p_{1} p_{2} p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right)\stackrel{R}{\longleftarrow} \mathcal{G}(\lambda), \alpha, s\stackrel{R}{\longleftarrow} \mathbb{Z}_{N}\)
\(g\stackrel{R}{\longleftarrow}{K} \mathbb{G}_{p_{1}}, X_{2}, Y_{2}, Z_{2} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{2}}, X_{3}\stackrel{R}{\longleftarrow} \mathbb{G}_{p_{3}},\)
\(L=\left(\left(N, \mathbb{G}, \mathbb{G}_{T}, e\right), g, g^{\alpha} X_{2}, X_{3}, g^{s} Y_{2}, Z_{2}\right),\)
\(T \stackrel{R}{\longleftarrow} e(g, g)^{\alpha s}, T^{\prime} \stackrel{R}{\longleftarrow}\mathbb{G}_{T}\)
\(\mathcal{A}\)’s advantage to break the above assumption is:′
\(\operatorname{Adv} 3_{\mathcal{G}, \mathcal{A}}(\lambda):=\left|\operatorname{Pr}[\mathcal{A}(L, T)=1]-\operatorname{Pr}\left[\mathcal{A}\left(L, T^{\prime}\right)=1\right]\right|\)
2.5 \(l\) − SDH Assumption
Next, we will describe the \(l\) − SDH assumption [10] that is used to prove our traceability.
\(l\) − SDH Assumption. Assuming \(\mathbb{G}\) is a bilinear group with prime order p and generator g∈\(\mathbb{G}\), the \(l\) − SDH is depicted as: provided a ( \(l\) + 1)-vector \(\left(g, g^{a}, g^{a^{2}}, \ldots, g^{a^{t}}\right)\) to output the tuple \(\left(c, g^{1 /(a+c)}\right) \in \mathbb{Z}_{p} \times \mathbb{G}\). The attacker, \(\mathcal{A}\), possesses an advantage at least \(\varepsilon\) if we have
\(\operatorname{Pr}\left[\mathcal{A}\left(g, g^{a}, g^{a^{2}}, \ldots, g^{a^{\prime}}\right)=\left(c, g^{1 /(a+c)}\right)\right] \geq \varepsilon\)
Definition 4. Assume there exists no algorithm possesses the advantage at least ε to solve the \(l\) − SDH problem in time t, then we have (\(l\) , t, ε) − SDH assumption stands.
2.6 Traceabilit
Now, we will propose the concrete definition of traceability, depicted as a security game between attacker \(\mathcal{A}\) and challenger \(\mathcal{C}\), for our traceable CP-ABE:
Setup. The Setup algorithm will be run by \(\mathcal{C}\) to generate the public parameters PP, which are then sent to \(\mathcal{A}\).
Key Query. \(\mathcal{A}\) makes a number of q key queries associated with attribute sets \(\left\{\left(i d_{1}, S_{1}\right),\left(i d_{2}, S_{2}\right), \ldots,\left(i d_{q}, S_{q}\right)\right\}\)
Key Forgery. A decryption key SK* will be given by \(\mathcal{A}\), and it wins if
Trace ( T , SK* ) ≠ \(\phi\) with Trace ( T , SK ) ∉ { id1 , id2 , ..., idq }.
3. Traceable CP-ABE for the MAS
3.1 Our Construction
We propose our traceable CP-ABE construction by applying a simple encoding method which is adaptively secure over the composite order bilinear groups. Note that, its order of bilinear groups will be N = p1p2p3. Additionally, we will employ the random members of subgroup \(\mathbb{G}_{p_{1}}\) to encode the policy and attributes, and emply the random members of subgroup \(\mathbb{G}_{p_{3}}\) to randomize the key and ciphertext.
Setup(1λ , U). It firstly runs \(\mathcal{G}\)(1λ ), which denotes the group parameters generator, to obtain \(\left(p_{1}, p_{2}, p_{3}, \mathbb{G}, \mathbb{G}_{\mathbb{T}}, e\right)\) that will be used, in which \(\mathbb{G}\) and \(\mathbb{G}_{T}\) are the groups with order \(N=p_{1} p_{2} p_{3} \cdot e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_{T}\) denotes the bilinear map. \(\mathbb{G}_{p_{1}}\) denotes the subgroup with order \(p_{i}\), and \(g \in \mathbb{G}_{p_{1}}, X_{3} \in \mathbb{G}_{p_{3}}\) denotes the generators of subgroup \(\mathbb{G}_{p_{1}}\) and \(\mathbb{G}_{p_{3}}\). Next, it chooses parameters \(\alpha, a \in \mathbb{Z}_{N}, h \in \mathbb{G}_{p_{1}}\) randomly, and for every i ∈ \(U\) it picks random \(u_{i} \in \mathbb{Z}_{N}\). Finally, it sets the public parameters PP to be:
\(P P=\left(N, h, g, g^{a}, e(g, g)^{\alpha},\left\{U_{i}=g^{u_{i}}\right\}_{i \in U}\right)\)
In addition, it sets the master key MK to be:
\(M K=\left(\alpha, a, X_{3}\right)\).
Note that, the initial tracing table T is set to be \(\phi\) denoting empty.
KeyGen( MK, id, S) : It picks a parameter \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\) randomly for tracing, then chooses parameters \(t \in \mathbb{Z}_{N}, R, R_{0}, R_{0}^{\prime} \in \mathbb{G}_{p_{3}}\) randomly , and for every \(i \in S\), it picks \(R_{i} \in \mathbb{G}_{p_{3}}\). Finally, it sets the user’s secret key to be:
\(S K_{i d, S}=\left(K=g^{\frac{\alpha}{a+t r c}} h^{t} R, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0}, L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S}\right)\)
Here, if gcd( a + trc, N ) ≠ 1 or trc is used already , this algorithm will choose another \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\) . Finally, the algorithm adds the pair ( trc, id ) into T for traceability.
Encrypt( PP , \(\mathcal{D}\) , M) : Here, \(\mathcal{D}\) denotes the set of minimal sets generated by the MAS. Let \(\mathcal{D}=\left\{S_{1}, S_{2}, \ldots, S_{m}\right\}\), where \(S_{i} \subset U\) , \(\forall i \in[m]\) . Then it picks \(s \in \mathbb{Z}_{N}\) and further picks \(s_{i} \in \mathbb{Z}_{N}\) randomly for each i ∈ [ m] . The ciphertext is set to be:
\(\begin{gathered} C T_{\mathcal{D}}=\left(\mathcal{D}, C=M \cdot e(g, g)^{\alpha s}, C_{0}=g^{s}, C_{0}^{\prime}=g^{a s},\right. \\ \left.\left\{C_{i, 1}=h^{s}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{gathered}\)
Decrypt( CT\(\mathcal{D}\) ,SKid,S ) : Let the ciphertext be \(C T_{\mathcal{D}}=\left(\mathcal{D}, C, C_{0}, C_{0}^{\prime},\left\{C_{i, 1}, C_{i, 2}\right\}_{i=1}^{m}\right)\) and the private key be \(S K_{i d, S}=\left(K, K^{\prime}, L, L^{\prime},\left\{K_{i}\right\}_{i \in S}\right)\). Assuming the attributes set S satisfies the MAS that is generated by \(\mathcal{D}\), we have that there must be a minimal set in \(\mathcal{D}\), which is the subset of S. Let Sj ⊂ S, then we compute
\(\begin{aligned} &D=e\left(C_{j, 1}, L^{K^{\prime}} L^{\prime}\right) \\ &E=e\left(C_{0}^{K^{\prime}} C_{0}^{\prime}, K\right) \cdot e\left(C_{j, 2}, \prod_{i \in S_{j}} K_{i}\right) \end{aligned}\)
Finally, it computes C ⋅ D/E = M .
Trace( T , SKid,S ) The tracing algorithm is defined the same as that in [9] which takes the tracing table T and the secret key SK as input. Next, it will search K′ in the tracing table T, and once K′is found, it will output the corresponding id, otherwise output \(\phi\).
Correctness. In this part, we give the correctness validation as follows:
\(\begin{aligned} &C \cdot D / E \\ &=M \cdot e(g, g)^{\alpha s} \cdot \frac{e\left(h^{s}\left(\prod_{i \in S_{j}} U_{i}\right)^{s_{j}},\left(g^{t} R_{0}\right)^{\text {trc }} g^{\text {at }} R_{0}^{\prime}\right)}{e\left(g^{\text {strc }} g^{a s}, g^{\frac{\alpha}{a+t r c}} h^{t} R\right) \cdot e\left(g^{s_{j}}, \prod_{i \in S_{j}}\left(U_{i}^{(a+r c) t} R_{i}\right)\right)} \\ &=M \cdot e(g, g)^{\alpha s} \cdot \frac{e(g, h)^{(a+t r c) t s} e\left(g^{(a+t r c) t},\left(\prod_{i \in S_{j}} U_{i}\right)^{s_{j}}\right)}{e(g, g)^{\alpha s} \cdot e(g, h)^{(a+t r c) t s} \cdot e\left(g^{s_{j}}, \prod_{i \in S_{j}}\left(U_{i}^{(a+t r c) t}\right)\right)} \\ &=M \cdot e(g, g)^{\alpha s} \cdot \frac{1}{e(g, g)^{\alpha s}} \\ &=M \end{aligned}\)
3.2 Security Proof
Assuming there exists an attacker, \(\mathcal{A}\), who carries out q key queries, then we will use 2q+ 3 games between \(\mathcal{A}\) and a challenger \(\mathcal{C}\) to prove the security of our traceable CP-ABE construction. The orthogonal element of group \(\mathbb{G}_{p_{2}}\) is used to construct the semi-functional key and ciphertext. Next, we construct the semi-functional key and ciphertext:
Semi-functional Key: The semi-functional key is divided into two styles: type 1 and type 2. We construct type 1 as follows. Suppose id is the user’s identity with attributes set S. Then we pick parameters \(d, b, b, z_{i} \in \mathbb{Z}_{N}, g_{2} \in \mathbb{G}_{p_{2}}, R, R_{0} \in \mathbb{G}_{p_{3}}\), and for each \(i\) ∈ S pick \(R_{i} \in \mathbb{G}_{p_{3}}\) randomly. At last, we set the key of type 1 as
\(\begin{gathered} S K_{i d, S}=\left(K=g^{\frac{\alpha}{a+t r c}} h^{t} R g_{2}^{d}, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0} g_{2}^{b},\right. \\ L^{\prime}=g^{a t} R_{0}^{\prime} g_{2}^{b^{\prime}},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i} g_{2}^{z_{i}}\right\}_{i \in S} \end{gathered}\)
In addition, we set the key of type 2 as:
\(\begin{gathered} S K_{i d, S}=\left(K=g^{\frac{\alpha}{a+t r c}} h^{t} R g_{2}^{d}, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0},\right. \\ L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S} \end{gathered}\)
Semi-functional Ciphertext: Suppose \(\mathcal{D}\) is the basis for a monotone access structure Π. Let \(\mathcal{D}=\left\{S_{1}, \ldots, S_{m}\right\}\), where for each i ∈ [m] we have Si ⊂ U. Next, we choose random parameters \(c, c^{\prime}, c^{\prime \prime} \in \mathbb{Z}_{N}\) with the restriction that \(b \cdot c^{\prime \prime}=d \cdot c\), then chooses \(g_{2} \in \mathbb{G}_{p_{2}}\), and for each i ∈ [m] choose \(s_{i} \in \mathbb{Z}_{N}\). Finally, wet set the semi-functional ciphertext as
\(\begin{aligned} C T_{\mathcal{D}}=&\left(\mathcal{D}, C=M \cdot e(g, g)^{\alpha s}, C_{0}=g^{s} g_{2}^{c}, C_{0}^{\prime}=g^{a s} g_{2}^{c^{\prime}},\right.\\ &\left.\left\{C_{i, 1}=h^{s}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}} g_{2}^{c^{\prime \prime}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{aligned}\)
As we can see that if a legitimate semi-functional ciphertext is decrypted by the corresponding semi-functional key, it will generate an additional term e\(e\left(g_{2}, g_{2}\right)^{b^{\prime} c^{\prime \prime}-c^{\prime} d}\). Moreover, if we have \(b^{\prime} c^{\prime \prime}-c^{\prime} d=0\) , then the decryption will succeed, and in this situation we call it nominally semi-functional.
In the 2q+ 3 consecutive games, GameReal as the begining one is the actual security game defined in part 2.3 and the next one is Game0 , in which each key is normal , however, the ciphertext is semi-functional. For k=1 to q, we define:
Gamek,1. The first k− 1 keys are type 2, the key kis type 1, the others are normal. Additionally, the challenge ciphertext will be semi-functional.
Gamek,2. The first k keys are type 2 with the rest ones normal. Additionally, the challenge ciphertext is also semi-functional.
For Gameq,1 , the keys will be type 2. Furthermore, for GameFinal , which is the last one, the keys will be type 2, however, the challenge ciphertext becomes to a semi-functional encryption on some random message. Additionally, one point needs to be noticed is that \(\mathcal{A}\)'s advantage in the game GameFinal will be 0 . Next, the indistinguishability of the games byusing the following lemmas will be proved.
Lemma 1. Assuming there is a polynomial time adversary, \(\mathcal{A}\), satisfying \(A d v_{\text {Game }_{\text {Real }}^{\mathcal{A}}}^{-1}-A d v_{\text {Game }_{0}}^{\mathcal{A}}=\varepsilon\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 1.
Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, ( g , X3 , T ) of Assumption 1, then \(\mathcal{B}\) simulates for either GameReal or Game0 depending on T.
Setup: \(\mathcal{B}\) first picks \(\alpha, \beta, a \in \mathbb{Z}_{N}\) randomly. Next, for every \(i \in U\) , it picks \(u_{i} \in \mathbb{Z}_{N}\) randomly and sets \(U_{i}=g^{u_{i}}\), then it starts to interact with \(\mathcal{A}\) by giving the public parameters as follows:
\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right)\)
while the master key MK = ( α, a , X3 ) will be kept private to \(\mathcal{B}\)
Key Query: \(\mathcal{B}\) responds to \(\mathcal{A}\) 's queries by performing KeyGen algorithm, because he keeps MK.
Challenge: \(\mathcal{B}\) will receive the challenge messages M0 , M1 and challenge basis \(\mathcal{D}\)* from \(\mathcal{A}\). Then \(\mathcal{B}\) chooses \(M_{b} \in\left\{M_{0}, M_{1}\right\}\) randomly. Let \(\mathcal{D}^{*}=\left\{S_{0}, S_{1}, \ldots, S_{m}\right\}\), where each \(S_{i} \subset U\). Next, for each i ∈ [m] , \(\mathcal{B}\) chooses an exponent \(s_{i} \in \mathbb{Z}_{N}\) random and further constructs the challenge ciphertext \(C T_{\mathcal{D}^{*}}\) as follows:
\(C T_{\mathcal{D}^{*}}=\left(C=M_{b} \cdot e\left(g^{\alpha}, T\right), C_{0}=T, C_{0}^{\prime}=T^{a},\left\{C_{i, 1}=T^{\beta}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right)\)
Finally, \(C T_{\mathcal{D}^{*}}\) is sent to \(\mathcal{A}\).
Assuming that \(T \in \mathbb{G}_{p_{1} p_{2}}\), then T can be written as \(T=g^{s} g_{2}^{c}\) for some s, c∈\(\mathbb{Z}\)N , so we have \(C=M_{b} \cdot Y^{s}, C_{0}=g^{s} g_{2}^{c}, \quad C_{0}^{\prime}=g^{a s} g_{2}^{a c}, C_{i, 1}=h^{s}\left(\prod_{j \in S_{ }} U_{j}\right)^{s_{i}} g_{2}^{\beta c}\) and \(\left\{C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\). Note that, we set c ′= ac , c ′′= βc implicitly. Since the values of a , β modelp p2 are independent of their values modelp according to Chinese Remainder Theorem, therefore, we have \(C T_{\mathcal{D}^{*}}\) will be a semi-functional ciphertext distributed correctly. We can see that if \(T \in \mathbb{G} p_{1} p_{2}\) , \(\mathcal{B}\) simulates Game0 , else if \(T \in \mathbb{G}_{p_{1}}\) , \(\mathcal{B}\) simulates GameReal . This completes our proof for Lemma 1.
Lemma 2. Assuming there is a polynomial time adversary, \(\mathcal{A}\) , satisfying \(A d v_{\mathrm{Game}_{k-1,2}}^{\mathcal{A}}-A d v_{\mathrm{Game}_{k, 1}}^{\mathcal{A}}=\varepsilon\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 2.
Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, (g,X1X2,X3,Y2Y3,T), of Assumption 2, and \(\mathcal{B}\) simulates either Gamek-1,2 or Gamek,1 depending on T.
Setup: \(\mathcal{B}\) chooses parameters \(\alpha, \beta, a \in \mathbb{Z}_{N}\) randomly. Next, for each i ∈ U, \(\mathcal{B}\) chooses \(u_{i} \in \mathbb{Z}_{N}\) and sets \(U_{i}=g^{u_{i}}\), then it starts to interact with \(\mathcal{A}\) by giving the public parameters as follows:
\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right)\)
while the master key MK = ( α, a , X3 ) will be kept private to \(\mathcal{B}\).
Key Query: For constructing the semi-functional keys of type 2, \(\mathcal{B}\) picks \(t \in \mathbb{Z}_{N}\), \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\), elements \(R_{0}, R_{0}^{\prime}, R_{i} \text { of } \mathbb{G}_{p_{3}}\) randomly, and then constructs the key:
\(K=g^{\frac{\alpha}{a+t r c}} h^{t}\left(Y_{2} Y_{3}\right)^{t}, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0}, L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S}\)
Note that, the key is semi-functional of type 2 distributed correctly. Additionally, to construct the rest q − k keys that are normal, \(\mathcal{B}\) can merely perform KeyGen algorithm because he keeps MK.
For keyk, \(\mathcal{B}\) implicitly makes the \(\mathbb{G}_{p_{1}}\) part of T to be gt, then chooses random \(R, R_{0}, R_{0}^{\prime}, R_{i}\) of \(\mathbb{G}_{p_{3}}\), \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\), and further sets the key to be:
\(K=g^{\frac{\alpha}{a+\operatorname{trc}}} T^{\beta} R, K^{\prime}=\operatorname{trc}, L=T R_{0}, L^{\prime}=T^{a} R_{0}^{\prime},\left\{K_{i}=T^{(a+\operatorname{trc}) u_{i}} R_{i}\right\}_{i \in S}\)
Assuming \(T \in \mathbb{G} p_{1} p_{3}\), it will be a normal key, and else assuming \(T \in \mathbb{G}\), it becomes a semi-functional key of type 1. Additionally, if let \(g_{2}^{b}\) be the \(\mathbb{G}_{p_{2}}\) part of T, then we have \(d=\beta b\) model p2, \(b^{\prime}=a b\) model p2 and \(z_{i}=(a+\operatorname{trc}) b u_{i}\).
Challenge: \(\mathcal{B}\) will two challenge messages M0 , M and a challenge basis \(\mathcal{D}^{*}\) from \(\mathcal{A}\). Then \(\mathcal{B}\) chooses random \(M_{b} \in\left\{M_{0}, M_{1}\right\}\). Let \(\mathcal{D}^{*}=\left\{S_{0}, S_{1}, \ldots, S_{m}\right\}\), where each \(S_{i} \subset U\). Next, for each i ∈ [ m] , \(\mathcal{B}\) chooses random \(s_{i} \in \mathbb{Z}_{N}\) and constructs the challenge ciphertext \(C T_{\mathcal{D}^{*}}\) as follows:
\(\begin{aligned} C T_{\mathcal{D}^{*}}=&\left(C=M_{b} \cdot e\left(g^{\alpha}, X_{1} X_{2}\right), C_{0}=X_{1} X_{2}, C_{0}^{\prime}=\left(X_{1} X_{2}\right)^{a},\right.\\ &\left.\left\{C_{i, 1}=\left(X_{1} X_{2}\right)^{\beta}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{aligned}\)
Now suppose that \(T \in \mathbb{G}\), and let the \(\mathbb{G}_{p_{1} p_{2}}\) part of T be \(g^{s} g_{2}^{c}\). Therefore, we implicitly set c′= ac , c′'= βc. Additionally, we know that the kth semi-functional key and ciphertext are distributed correctly except for the fact that the exponent c′= ac model p2 in L′ part of the ciphertext is correlated with a model p2 in the K0 part of the key, and the exponent c′′= βc modelp in Ci,1 part of the ciphertext is correlated with β model p2 in the K part of the key. Therefore, if the correct semi-functional ciphertext is decrypted by the corresponding semi-functional key of type 1, a valid messageMwill be obtained.
Thus, if \(T \in \mathbb{G}\), we have that \(\mathcal{B}\) simulates Gamek,1, and else if \(T \in \mathbb{G}_{p_{1} p_{3}}\), \(\mathcal{B}\) simulates Gamek-1,2. This gives complete proof for Lemma 2.
Lemma 3. Assuming there is a polynomial time adversary, \(\mathcal{A}\) , satisfying \(A d v_{\text {Game }_{k, 1}}^{\mathcal{A}}-A d v_{\text {Game }_{k, 2}}^{\mathcal{A}}=\varepsilon\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 2.
Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, ( g , X1X2 , X3 , Y2Y3 , T) Assumption 2, and \(\mathcal{B}\) simulates either Gamek,1 or Gamek,2 depending on T.
Setup: \(\mathcal{B}\) picks \(\alpha, \beta, a \in \mathbb{Z}_{N}\) randomly. Next, for every \(i \in U\) , it picks \(u_{i} \in \mathbb{Z}_{N}\) and sets \(U_{i}=g^{u_{i}}\), then it begins to interact with \(\mathcal{A}\) by giving the public parameters as follows:
\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right),\)
while the master key MK = ( α, a , X3 ) will be kept private to \(\mathcal{B}\).
Key Query: We construct the first k− 1 key using the similar method as that in Lemma 2. For the kth key query, \(\mathcal{B}\) also processes it using the similar method, however, additionally adding a term ( Y2Y3 )h to K part as follows by choosing a random \(h \in \mathbb{Z}_{N}\) :
\(K=g^{\frac{\alpha}{a+\operatorname{trc}}} T^{\beta} R\left(Y_{2} Y_{3}\right)^{h}, K^{\prime}=\operatorname{trc}, L=T R_{0}, L^{\prime}=T^{a} R_{0}^{\prime},\left\{K_{i}=T^{(a+\operatorname{trc}) u_{i}} R_{i}\right\}_{i \in S}\)
It must be noted that the adding term randomizes the \(\mathbb{G}_{p_{2}}\) part of K, therefore, it is not nominally semi-functional any more.
If \(T \in \mathbb{G}\), we have that it is a semi-functional key of type 1 distributed correctly, so \(\mathcal{B}\) simulates Gamek,1 , and similarly if \(T \in \mathbb{G}_{p_{1} p_{3}}\), it becomes semi-functional key of type 2, so it simulates Gamek,2 . This completes our proof for Lemma 3.
Lemma 4. Assuming there is a polynomial time adversary, \(\mathcal{A}\) , satisfying \(A d v_{\text {Game }_{q, 2}}^{\mathcal{A}}-A d v_{\text {Game }_{\text {Final }}}^{\mathcal{A}}=\mathcal{E}\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 3.
Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, \(\left(g, X_{3}, g^{\alpha} X_{2}, g^{s} Y_{2}, Z_{2}, T\right)\) of Assumption 3, and \(\mathcal{B}\) simulates either Gameq,2 or GameFinal depending on T.
Setup: \(\mathcal{B}\) picks \(\alpha, \beta, a \in \mathbb{Z}_{N}\) randomly. Next, for every i ∈ U it picks \(u_{i} \in \mathbb{Z}_{N}\) randomly and sets \(U_{i}=g^{u_{i}}\), then it begins to interact with \(\mathcal{A}\) by giving the public parameters as follows:
\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e\left(g, g^{\alpha} X_{2}\right)^{\alpha}=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right),\)
while the master key MK = ( α, a , X3 ) will be kept private to \(\mathcal{B}\).
Key Query: To generate the semi-functional key of type 2, \(\mathcal{B}\) first chooses random \(t \in \mathbb{Z}_{N}\), \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\), random elements \(R_{0}, R_{0}^{\prime}, R_{i}\) of \(\mathbb{G}_{p_{3}}\), and sets the key as:
\(\begin{aligned} &K=\left(g^{\alpha} X_{2}\right)^{\frac{1}{a+t r c}}\left(g^{\beta}\right)^{t} Z_{2}^{t} R=g^{\frac{\alpha}{a+t r c}} h^{t} X_{2}^{\frac{1}{a+t r c}} Z_{2}^{t} R \\ &K^{\prime}=\operatorname{trc}, L=g^{t} R_{0}, L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S} \end{aligned}\)
We can see that the above key is distributed correctly.
Challenge: \(\mathcal{B}\) will receive two challenge messages M0 , M1 and a challenge basis \(\mathcal{D}^{*}\) from \(\mathcal{B}\). Then \(\mathcal{B}\) chooses a random \(M_{b} \in\left\{M_{0}, M_{1}\right\}\) . Let\(\mathcal{D}^{*}=\left\{S_{0}, S_{1}, \ldots, S_{m}\right\}\), where each \(S_{i} \subset U\) . Next, for each \(i \in[m]\), \(\mathcal{B}\) chooses \(s_{i} \in \mathbb{Z}_{N}\) randomly and constructs the challenge ciphertext \(C T_{\mathcal{D}^{*}}\) as follows:
\(\begin{gathered} C T_{D^{*}}=\left(C=M_{b} \cdot T, C_{0}=g^{s} Y_{2}, C_{0}^{\prime}=\left(g^{s} Y_{2}\right)^{a}\right. \\ \left.\left\{C_{i, 1}=\left(g^{s} Y_{2}\right)^{\beta}\left(\prod_{j \in S_{j}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{gathered}\)
Assuming \(T=e(g, g)^{\alpha s}\) , then \(C T_{\mathcal{D}^{*}}\) is precisely semi-functional ciphertext and \(\mathcal{B}\) simulates Gameq,2 , else assuming T is random in \(\mathbb{G}_{T}\), \(\mathcal{B}\) simulates GameFinal. This completes the proof of Lemma 4.
Theorem 2. Suppose Assumptions 1, 2 and 3 hold, then we have that our traceable CP-ABE construction proposed above for the MAS is adaptively secure in the standard model.
Proof. Suppose Assumptions 1, 2 and 3 hold, then we can say GameReal is indistinguishable from GameFinal as shown by the above four lemmas. Moreover, the challenge message Mb is hidden by a random element of \(\mathbb{G}_{T}\) in the game. Thus, \(\mathcal{A}\) has no non-negligible advantage to break our traceable CP-ABE construction proposed above for MAS.
3.3 Traceability
This part will provide the specific traceability proof for our proposed scheme above based on two assumptions, namely the \(l-\mathrm{SDH}\) assumption and Assumption 3. Note that, this proof is similar with that in [9].
Theorem 3: Suppose the \(l-\mathrm{SDH}\) assumption and Assumption 3 hold, then we have that our traceable CP-ABE has the traceability provided q ≤ l.
Assume l = q + 1 without loss of generality, then a polynomial time simulator, \(\mathcal{B}\) , will be constructed to break either \(l-\mathrm{SDH}\) assumption or Assumption 3 as follows:
• \(\mathcal{B}\) takes a case of Assumption 3 as \(P_{A 3}=\left(N, \mathbb{G}, \mathbb{G}_{T}, e, \tilde{g}, X_{1} X_{2}, X_{3}, Y_{2} Y_{3}, T\right)\) , and if b= 1 , \(T \in \mathbb{G}_{p_{1} p_{3}}\), otherwise, \(T \in \mathbb{G}\).
• \(\mathcal{B}\) takes a case of \(l-\mathrm{SDH}\) assumption as \(P_{S D H}=\left(N, \mathbb{G}, \mathbb{G}_{T}, e, \tilde{g}, \tilde{g}^{a}, \ldots, \tilde{g}^{a^{t}}\right)\). Here, \(\mathcal{B}\)’s goal is to break at least of one of the two assumptions. So \(\mathcal{B}\) firstly chooses a random bit Γ ∈ {0, 1} , and if Γ = 0 , it takes PA3 as input, then picks \(\tilde{a} \in \mathbb{Z}_{N}^{*}\) and sets \(A_{i}=\tilde{g}^{\tilde{a}^{i}}=\tilde{g}^{a^{t}}\). Otherwise, it takes PSDH as input, then sets \(A_{i}=\tilde{g}^{a^{t}}\) and chooses a generator \(X_{3} \in \mathbb{G}_{p_{3}}\).
\(\mathcal{B}\) takes \(\left(N, \mathbb{G}, \mathbb{G}_{T}, e, X_{3},\left\{A_{i}\right\}_{i=0}^{l}\right)\) as input, then it begins the interaction with \(\mathcal{A}\) as follows:
• Setup. \(\mathcal{B}\) chooses q different values \(c_{1}, c_{2}, \ldots, c_{q} \in \mathbb{Z}_{N}^{*}\) uniform at random. Next, \(\square \mathcal{B}\) defines a polynomial function \(f(y)=\prod_{i=1}^{q}\left(y+c_{i}\right)\) and expand it as \(f(y)=\sum_{i=0}^{q} \alpha_{i} y^{i}\) where \(\alpha_{0}, \alpha_{1}, \ldots, \alpha_{q} \in \mathbb{Z}_{N}\). Then \(\mathcal{B}\) computes g and ga as follows:
\(g=\prod_{i=0}^{q}\left(A_{i}\right)^{\alpha_{i}}=\tilde{g}^{f(a)}, g^{a}=\prod_{i=1}^{q+1}\left(A_{i}\right)^{\alpha_{t-1}}=\tilde{g}^{f(a) \cdot a}\)
Next, \(\mathcal{B}\) picks parameters \(\alpha, \beta \in \mathbb{Z}_{N}\) randomly, and for every attribute i ∈ U, it picks \(u_{i} \in \mathbb{Z}_{N}\) randomly. Finally, the public parameters are set as:
\(P P=\left(N, h=g^{\beta}, g, g^{a}, e(g, g)^{\alpha},\left\{U_{i}=g^{u_{i}}\right\}_{i \in U}\right)\).
• Key Query. \(\mathcal{B}\) makes key queries parameters for ( idi , Si ) to \(\mathcal{B}\) with i ≤ q. Let \(f_{i}(y)=f(y) /\left(y+c_{i}\right)=\prod_{j=1, j \neq i}^{q}\left(y+c_{i}\right)\), then \(\mathcal{B}\) expands fi(y) to get \(f_{i}(y)=\sum_{j=0}^{q-1} \beta_{j} y^{j}\) and computes
\(\sigma_{i}=\prod_{j=0}^{q-1}\left(A_{j}\right)^{\beta_{j}}=\tilde{g}^{f_{i}(a)}=g^{1 /\left(a+c_{i}\right)}\)
Next, \(\mathcal{B}\) picks random parameters \(t \in \mathbb{Z}_{N}, R, R_{0}, R_{0}^{\prime} \in \mathbb{G}_{p_{3}}\), for every attribute \(x \in S_{i}\), it picks \(R_{x} \in \mathbb{G}_{p_{3}}\) randomly. Finally, it sets the key \(S K_{i d, S_{i}}\) as
\(\begin{aligned} &K=\left(\sigma_{i}\right)^{\alpha} h^{t} R=g^{\alpha /\left(a+c_{i}\right)} h^{t} R, K^{\prime}=c_{i}, L=g^{t} R_{0} \\ &L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{x}=\left(g^{a} \cdot g^{c_{i}}\right)^{u_{t} t} R_{x}=U_{x}^{\left(a+c_{i}\right) t} R_{i}\right\}_{i \in S_{i}} \end{aligned}\)
Finally, \(\mathcal{B}\) adds the pair ( idi , ci ) into the tracing table T.
• Key Forgery. If \(\mathcal{A}\) does not win the game, \(\mathcal{B}\) will pick a bit β′∈ {0, 1} and tuple \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) randomly, which are used as the guess for Assumption 3 and \(l-\mathrm{SDH}\) problem. Otherwise, \(\mathcal{B}\) will makes use of the long division method to write the function f( y ) to be \(f(y)=\eta(y)\left(y+K^{\prime}\right)+\eta_{-1}\) with the polynomial \(\eta(y)=\sum_{i=0}^{q-1} \eta_{i} y^{i}\) and \(\eta_{-1} \in \mathbb{Z}_{N}^{*}\). Next \(\mathcal{B}\) will compute \(\operatorname{gcd}\left(\gamma_{-1}, N\right)\).
(1) Assuming \(\operatorname{gcd}\left(\gamma_{-1}, N\right) \neq 1\).
If \(\mathcal{B}\) takes PSDH as input, it will pick a bit β′∈ {0, 1} and tuple \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) randomly, which are used as the guess for Assumption 3 and \(l-\mathrm{SDH}\) problem.
If \(\mathcal{B}\) takes PA3 as input, it will pick a random pair \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) as the guess for \(l-\mathrm{SDH}\) probem, and continues to determine β′ as follows:
\(\mathcal{B}\) obtains \(\left(n, n^{\prime}\right) \in \mathbb{Z}_{N}\) from the value of \(\operatorname{gcd}\left(\gamma_{-1}, N\right)\) satisfying \(n \cdot n^{\prime}=N\) and \(\left(n, n^{\prime}\right) \in\left\{\left(p_{1}, p_{2} p_{3}\right),\left(p_{2} p_{3}, p_{1}\right),\left(p_{2}, p_{1} p_{3}\right),\left(p_{1} p_{3}, p_{2}\right),\left(p_{3}, p_{1} p_{2}\right),\left(p_{1} p_{2}, p_{3}\right)\right\}\).
• If \(\tilde{g}^{n}=1\) and \(\left(Y_{2} Y_{3}\right)^{n^{\prime}}=1\), \(\mathcal{B}\) obtains n=p1, otherwise obtains \(n^{\prime}=p_{1}\). Then \(\mathcal{B}\) computes \(e\left(T^{p_{1}}, X_{1} X_{2}\right)\) , and if its value equals to 1, \(\mathcal{B}\) sets β′= 1 , otherwise sets β′= 0.
• Otherwise, if \(X_{3}^{n}=1\) and \(\left(X_{1} X_{2}\right)^{n^{\prime}}=1\), \(\mathcal{B}\) obtains n = p3 , otherwise obtains n' = p3. Then \(\mathcal{B}\) computes \(e\left(T^{p_{3}}, Y_{2} Y_{3}\right)\), and if its value equals to 1, \(\mathcal{B}\) sets β′= 1, otherwise sets β′= 0.
• Otherwise, if \(X_{3}^{n}=1\), \(\mathcal{B}\) obtains n′= p2 , otherwise if \(X_{3}^{n^{\prime}}=1\), it obtains n = p2. Then \(\mathcal{B}\) computes \(T^{p_{1} p_{3}}\), and if its value equlas to 1, \(\mathcal{B}\) sets β′= 1, otherwise sets β′= 0.
(2) Assuming \(\operatorname{gcd}\left(\gamma_{-1}, N\right)=1\).
If \(\mathcal{B}\) takes PA3 as input, it picks a bit β′∈ {0, 1} and tuple \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) randomly, which are used as the guess for Assumption 3 and \(l-\mathrm{SDH}\) problem.
If \(\mathcal{B}\) takes PSDH as input, it picks a bit β′∈{0, 1} randomly as the guess for Assumption problem, and continues to determine \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) as follows:
Let \(L=g^{t} L_{2} L_{3}\) where \(t \in \mathbb{Z}_{N}, L_{2} \in \mathbb{G}_{p_{2}}, L_{3} \in \mathbb{G}_{p_{3}}\). Additionally, we have \(L^{\prime}=g^{a t} L_{2}^{\prime} L_{3}^{\prime}\) and \(K=g^{\alpha /\left(a+K^{\prime}\right)} h^{t} K_{2} K_{3}\) where \(K_{2} \in \mathbb{G}_{p_{2}}, L_{2}^{\prime}, L_{3}^{\prime}, K_{3} \in \mathbb{G}_{p_{3}}\). Next, \(\mathcal{B}\) sets:
\(\begin{aligned} \sigma &=\left(\left(K / L^{\beta}\right)^{p_{2} p_{3}}\right)^{\left(p_{2} p_{3} \alpha\right)^{-1}}=\tilde{g}^{1 /\left(a+K^{\prime}\right)}=\tilde{g}^{\eta(a)} \tilde{g}^{\eta_{-1} /\left(a+K^{\prime}\right)} \\ w_{r} &=\left(\sigma \cdot \prod_{i=0}^{q-1} A_{i}^{-\eta_{i}}\right)^{1 / \eta_{-1}}=\tilde{g}^{1 /\left(a+K^{\prime}\right)}, c_{r}=K^{\prime} \text { model } p_{1} \end{aligned}\)
Note that ( cr , wr ) is the solution for the \(l-\mathrm{SDH}\) problem.
4. Analysis
Next, the specific scheme analysis and experimental demonstration will be implemented Firstly, we describe all the symbols that will be used. S denotes a user's attributes set and |S| denotes the size; l denotes the rows of a span program \((\mathbb{A}, \rho) ;|\mathcal{D}|\) denotes the number of minimal sets for a MAS; m denotes the number of matching attributes during decryption; Tp denotes the pairing computations; \(E_{\mathbb{G}}\) and \(E_{\mathbb{G}_{T}}\) respectively denote the exponent operations in \(\mathbb{G}\) (or \(\mathbb{G}_{p_{1}}\)) and \(\mathbb{G}_{T} ;\left|\mathbb{G}_{p_{1}}\right|,\left|\mathbb{G}_{p_{1} p_{3}}\right|,|\mathbb{G}|\) and \(\left|\mathbb{G}_{T}\right|\) denote the element size in the group\(\mathbb{G}_{p_{1}}, \mathbb{G}_{p_{1}} \times \mathbb{G}_{p_{3}}, \mathbb{G}\) and \(\mathbb{G}_{T}\) respectively. \(\left|\mathbb{Z}_{p_{1}}\right|\) and \(\left|\mathbb{Z}_{N}\right|\) denote the element size in \(\mathbb{Z}_{p_{1}}\) and \(\mathbb{Z}_{N}\) respectively.
4.1 Scheme analysis
In this section, some comparisons are made between our scheme and several previous schemes to show our characteristics. From Table 1, we can see that while our scheme does not support authority accountability and large universe, it is proved adaptively secure in the standard model which is only achieved by Liu et al's traceable CP-ABE that our scheme base on.
Table 1. Troperty comparisons with other schemes
From Table 2, we can see that Zhang et al.' scheme needs more computation for generating the key in order to achieve authority accountability. Ning et al.'s scheme is constructed over prime order groups, which has high efficiency, however, just as is described above, the scheme is proved only selectively secure. Our scheme and Liu et al.'s scheme have the same public key size, user’s secret key size and key generation cost. However, the ciphertext size and encryption cost in Liu et al.s scheme are linear with l, the size of a LSSS, while in our scheme they are linear with | \(\mathcal{D}\) |, the size of minimal authorized sets in a MAS.
Table 2. Comparisons of communication and computation cost
4.2 Experimental verification
The experimental environment is 64 bit Ubuntu 14.04 operating system with Intel Core i7-3770 CPU (3.4 GHz) and memory 4G. The experimental code is modified and written based on PBC-0.5.14 [20] and cpabe-0.11 [21], and it uses the 160 bit elliptic curve group in hypersingular curve based on 512 bit finite field. The experimental result is the average value of that runs 20 times.
In this section, our proposed scheme is verified and compared with Liu's scheme [9] and Zhang's scheme [13] which are also constructed based on the composite order bilinear groups. We mainly consider the pairing and exponential operations in the groups \(\mathbb{G}\) and \(\mathbb{G}_{T}\). In the composite order bilinear groups, the time to run a pairing operation is about 1.26s, the exponential operation in the group \(\mathbb{G}\) is about 0.53s, and the exponential operation in the \(\mathbb{G}_{T}\) is about 0.18s. The specific computation time is shown in Table 3.
Table 3. Computation time
Assuming that the number of users' attributes and attributes matched during decryption are between 5 and 50.
As shown in Table 3 and Fig. 2, our scheme and Liu scheme [9] have the same key generation cost, which increases linearly with the number of users' attributes. For Zhang scheme [13], it requires zero knowledge proof of user and authorization attribute which increases communication cost, and its key generation cost is much higher than that of tour scheme and Liu scheme [9]. For decryption computation, as shown in Table 3 and Fig. 3, the decryption time of Liu scheme [9] is (3.23 m 1.79) s and Zhang scheme [13] is (3.76 m 5.55) s . The decryption cost of two schemes increases linearly with the number of matched attributes during decryption. However, the decryption cost of our scheme only needs three pairing operations and two exponential computations in the the group \(\mathbb{G}\), and the computation cost is a constant value 4.84. For encryption computation, as shown in Table 3, the encryption cost of Liu scheme [9] and Zhang scheme [13] increases linearly with the number of rows l of LSSS matrix representing monotonic access structure, while our scheme uses the set of minimum authorized subset to represent monotonic access structure, therefore, the encryption cost increases linearly with the set size of minimum authorized subset.
Fig. 2. The time of key generation
Fig. 3. The time of decryption
It must be noted that, there is not any obvious correlation between the size of minimal sets and corresponding access structure. Suppose that 1 < t < n , so |\(\mathcal{D}\)| is defined as \(|\mathcal{D}|=n ! /((n-t) ! t !)\) . It is obvious |\(\mathcal{D}\)| is greater than n, however, there is a LSSS , whose size is l = n, to achieve the (t, n ) -threshold access. Additionally, there exist some MAS for which |\(\mathcal{D}\)| is a constant value, however, the size of LSSS achieving MAS is polynomial with the number of attributes in the access structure. Take a simple example with n attributes, if we simply use the AND-gate, then |\(\mathcal{D}\)| equals to 1, however, the LSSS size equals to n, namely l = n. Next, we examples. If \(\mathbb{S}_{0}=\left\{A_{1}=\left\{s_{1}, \ldots, s_{\lceil n / 2\rceil}\right\}\right.\), \(\left.A_{2}=\left\{s_{\lceil n / 2\rceil+1}, \ldots, s_{n}\right\}\right\}\) is the collection of minimal sets for a MAS, \(\mathbb{S}\) , with attributes \(S_{1}, S_{2}, \ldots, S_{n}\), then we have |\(\mathcal{D}\)| =2 and the size l of LSSS achieving \(\mathbb{S}\) is at least \(\mathcal{O}(n)\). Similarly, if \(\mathbb{S}_{0}=\left\{A_{1}=\left\{s_{1}, \ldots, s_{\lceil n / 3}\right\}, A_{2}=\left\{s_{\lceil n / 3\rceil+1}, \ldots, s_{\lceil 2 n / 3}\right\rceil, A_{3}=\left\{s_{\lceil 2 n / 3\rceil+1}, \ldots, s_{n}\right\}\right\}\), then we have|\(\mathcal{D}\)| =3 and l is also at least \(\mathcal{O}(n)\). Therefore, our scheme has shorter ciphertext under these circumstances.
The most important is that our decryption needs only three pairing operations and two exponent operations in \(\mathbb{G}\), which are both constant in our scheme, while they are linear with the matching attributes m in the other three schemes.
References
- A. Sahai and B. Waters, "Fuzzy Identity-Based Encryption," in Proc. of International Conference on Theory and Applications of Cryptographic Techniques, Heidelberg, Berlin, Germany: Springer, pp. 457-473, 2005.
- A. Shamir, "Identity-Based Cryptosystems and Signature Schemes," in Proc. of Workshop on the Theory and Application of Cryptographic Techniques, Heidelberg, Berlin, Germany: Springer, pp. 47-53, 1984.
- V. Goyal, O. Pandey, A. Sahai and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of the 13th ACM Conference on Computer and Communications Security, Alexandria, USA, pp. 89-98, 2006.
- J. Bethencourt, A. Sahai and B. Waters, "Ciphertext-Policy Attribute-Based Encryption," in Proc. of IEEE Symposium on Security & Privacy, Berkeley, USA, pp. 321-334, 2007.
- V. Goyal, A. Jain A, O. Pandey O and A. Sahai, "Bounded Ciphertext Policy Attribute Based Encryption," in Proc. of International Colloquium on Automata, Languages, and Programming, Heidelberg, Berlin, Germany: Springer, pp. 579-591, 2008.
- L. Cheung and C. Newport, "Provably secure ciphertext policy ABE," in Proc. of the 2007 ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, pp. 456-465, 2007.
- B. Waters, "Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization," in Proc. of International Workshop on Public Key Cryptography, Heidelberg, Berlin, Germany: Springer, pp. 53-70, 2011.
- A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima and B. Waters, "Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption," in Proc. of International Conference on Theory & Applications of Cryptographic Techniques, Berlin, Germany: Springer, pp. 62-91, 2010.
- Z. Liu, Z. Cao and D.S. Wong, "White-Box Traceable Ciphertext-Policy Attribute-Based Encryption Supporting Any Monotone Access Structures," IEEE Transactions on Information Forensics & Security, vol. 8, no. 1, pp. 76-88, 2013. https://doi.org/10.1109/TIFS.2012.2223683
- B. Dan and X. Boyen, "Short Signatures Without Random Oracles," in Proc. of Advances in Cryptology - EUROCRYPT 2004, Berlin, Germany: Springer, pp. 56-73, 2004.
- J. Ning, Z. Cao, X. Dong, L. Wei and X. Lin, "Large Universe Ciphertext-Policy Attribute-Based Encryption with White-Box Traceability," in Proc. of Computer Security - ESORICS 2014, Berlin, Germany: Springer, pp. 55-72, 2014.
- Y. Rouselakis and B. Waters, "Practical constructions and new proof methods for large universe attribute-based encryption," in Proc. of ACM Sigsac Conference on Computer & Communications Security, Berlin, Germany, ACM, pp. 463-474, 2013.
- Y. Zhang, J. Li, D. Zheng, X. Chen and L. Hui, "Accountable Large-Universe Attribute-Based Encryption Supporting Any Monotone Access Structures," in Proc. of Australasian Conference on Information Security and Privacy, Berlin, Germany: Springer, pp. 509-524, 2016.
- V. Odelu, A. K. Das , Y. S. Rao , S. Kumari, M. K. Khan and K. K. R. Choo, "Pairing-based CP-ABE with constant-size ciphertexts and secret keys for cloud environment," Computer Standards & Interfaces, vol. 54, pp. 3-9, 2016. https://doi.org/10.1016/j.csi.2016.05.002
- V, Odelu, A. K. Das, M, Khurram Khan, K. K. R. Choo and M. Jo, "Expressive CP-ABE Scheme for Mobile Devices in IoT satisfying Constant-size Keys and Ciphertexts," IEEE Access, vol. 5, pp. 3273-3283, 2017. https://doi.org/10.1109/ACCESS.2017.2669940
- V. Odelu and A. K. Das, "Design of a new CP-ABE with constant-size secret keys for lightweight devices using elliptic curve cryptography," Security & Communication Networks, vol. 9, no. 17, pp. 4048-4059, 2016. https://doi.org/10.1002/sec.1587
- T. Pandit and R. Barua, "Efficient Fully Secure Attribute-Based Encryption Schemes for General Access Structures," Provable Security, Heidelberg, Berlin: Springer, pp. 193-214, 2013.
- B. Dan, E. J. Goh and K. Nissim, "Evaluating 2-DNF Formulas on Ciphertexts," in Proc. of International Conference on Theory of Cryptography, Heidelberg, Berlin: Springer, pp. 325-341, 2005.
- A. Lewko and B. Waters, "New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts," in Proc. of International Conference on Theory of Cryptography, Heidelberg, Berlin: Springer, pp. 455-479, 2010.
- B. Lynn, "The pairing-based cryptography (PBC) library," 2006, [Online]: http://crypto.stanford.edu/pbc.
- J. Bethencourt, A. Sahai and B. Waters, "Advanced crypto software collection: the cpabetoolkit," 2011,[Online]:http://acsc.cs.utexas.edu/cpabe.