Sage Journals: Discover world-class research

Abstract

Ciphertext-Policy Attribute-Based Proxy Reencryption (CP-ABPRE) has found many practical applications in the real world, because it extends the traditional Proxy Reencryption (PRE) and allows a semitrusted proxy to transform a ciphertext under an access policy to the one with the same plaintext under another access policy. The existing CP-ABPRE schemes were proven secure only in the selective security model, a limited model, which is an unnatural constraint on the attacker. The scheme proved in this model can only be called selectively secure one. However, from a security perspective, the adaptively secure CP-ABPRE scheme is more desirable. In this paper, an adaptively secure CP-ABPRE scheme is proposed, which is based on Waters’ dual system encryption technology. The proposed scheme is constructed in composite order bilinear groups and proven secure under the complexity assumptions of the subgroup decision problem for 3 primes (3P-SDP). Analyses show that our proposal provides higher computational efficiency compared with the existing schemes.

1. Introduction

With the development of Internet and open distributed networks, the Attribute-Based Encryption (ABE) scheme [1] has drawn great attention of researchers in recent years. Unlike the Public Key Encryption mechanism, ABE scheme takes attributes as the public key and associates the ciphertext and user's secret key with attributes, so that it provides more flexible access control mechanism over encrypted data. This dramatically reduces the cost of network bandwidth and sending node's operation in fine-grained access control of data sharing. Therefore, ABE has a broad prospect in the large-scale distributed applications to support one-to-many communication mode. Traditional ABE has two variants according to the form of access policy: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE) [2]. In a KP-ABE system, ciphertexts are associated with attribute sets and secret keys are associated with access policies. However, CP-ABE is complementary, and the sender could specify access control policy, so, compared with KP-ABE schemes, CP-ABE schemes are more suitable for the realistic scenes.

As the research and application of the ABE go ahead, Proxy Reencryption (PRE) [3] has been introduced into ABE schemes. Considering such a scenario, in the email forwarding, Alice is going on vacation and wishes the others like Bob could still read the message in her encrypted emails. With an Attribute-Based Proxy Reencryption (ABPRE) system, in which a proxy is allowed to transform a ciphertext under a specified access policy into the one under another access policy, she could meet her intentions without giving her secret key to either the mail server or Bob. So ABPRE schemes [4] are needed in most of practical network applications, especially Ciphertext-Policy ABPRE (CP-ABPRE) schemes [5], which have more flexible access control policy than Key-Policy ABPRE (KP-ABPRE) schemes [4]. Generally speaking, an ABPRE scheme has an authority, a sender, a user called a delegator who needs to delegate his/her decryption ability to someone else, a proxy who helps the delegator to generate a reencrypted ciphertext, and some receivers as participants. Recently, due to their widespread use in the realistic scenes, widespread attention was paid to ABPRE schemes by researchers and some excellent ABPRE schemes have been proposed [6–12].

However, most of existing ABPRE schemes [6–12] were proven secure only in the selective security model [13], in which an adversary must firstly choose an attack target before the public parameters are published. This restriction on an attacker was not natural, which causes attackers to behave differently from the way in a real environment. And most of existing schemes [11–15] demanded a number of paring operations, which indeed costs much in the communications. Therefore, motivated by these concerns, an efficient and adaptively secure CP-ABPRE scheme is proposed in our paper. Our scheme overcomes the restriction on an attacker in a selective security model and could be better applied to the open distributed networks. In the meantime, our proposal supports any monotone access formulas and costs less computational overhead compared with the existing schemes.

The rest of this paper is organized as follows. In the next section, we shall briefly review related works in the field of ABE. In Section 3, some preliminaries including complexity assumptions, access structures, and CP-ABPRE model are provided. Then, the concrete CP-ABPRE scheme is given in Section 4. In Section 5, we analyze the correctness and security of our scheme and compare our scheme with existing schemes in terms of access structure, security, and computations efficiency. Finally, the conclusion is drawn in Section 6.

2. Related Works

In 2005, Sahai and Waters [16] proposed a new type of IBE [17] called Fuzzy IBE (FIBE) which regards identities as a set of descriptive attributes. It is often regarded as the first concept of ABE [1, 18]. ABE can be categorized as either KP-ABE or CP-ABE, and the latter is more flexible and more suitable for the realistic scenes [2]. In 2007, Cheung and Newport [19] used AND gates on positive and negative to express attributes in order to achieve their CP-ABE scheme's access policy and proved the security under the DBDH assumption. And then Nishide et al. [20] designed a new CP-ABE scheme with AND gates on multivalue attributes as its access policy. To realize fine-grained access control strategy, Bethencourt et al. [21] used the Access Tree in their scheme. In order to design CP-ABE schemes with flexible strategy under the DBDH assumption, Goyal et al. [22] and Liang et al. [23] adopted Bounded Access Tree, respectively. Later, Ibraim et al. [24] used the general Access Tree to eliminate the boundary constraints in the literature [22, 23]. In 2011, Waters [25] used Linear Secret Sharing Scheme (LSSS) access structure under q-PBDHE assumption to construct a CP-ABE scheme.

However, unfortunately, the security of those CP-ABE schemes that we mentioned above was proven in a weaker security model, called the selective-policy security model which derived from the selective-ID security model for constructing an IBE scheme without the random oracle model [26]. In the selective security model, the adversary must firstly declare which policy he wishes to be challenged on before the public parameters are published. This restriction on the attacker is not natural, which causes attacker to behave differently from the real environment [13]. Considering the restrictions of the selective security model, researchers expected that the ABE scheme should be designed and proven secure under the adaptive security model. So, in order to overcome the drawbacks of the selectively secure ABE schemes, Lewko et al. [13] proposed an adaptively (or fully) secure ABE scheme by using the dual system encryption technique [27] which is a common method for proving an adaptively secure scheme in IBE or ABE. Later, Lewko and Waters [28] provided a new methodology which can transform the selectively secure schemes to adaptively secure ones and presented a CP-ABE scheme that is proven fully secure. In 2014, Garg et al. [29] constructed the first fully secure ABE scheme that can handle access control policies expressible as polynomial-size circuits. Afterwards, some excellent adaptively secure ABE schemes were proposed [3, 30, 31].

Recently, in the field of cryptography, the concept of PRE has been proposed to make data sharing more efficient. Introduced by Mambo and Okamoto [32] and first defined by Blaze et al. [33], PRE can support the delegation of decryption rights, which is never considered in extending the traditional Public Key Encryption (PKE). In PRE, a semitrusted proxy is enabled to transform a ciphertext encrypted under one's public key into a new ciphertext intended for others with the plaintext unchanged. The decryption proxy, however, can learn nothing about the secret key or the plaintext. Due to these characteristics, PRE has many practical applications. For example, Xu et al. [34] built an encrypted cloud email system with PRE, which allows a user to send an encrypted email to multiple receivers, store his encrypted emails in an email server, and review his history. In addition, it can also be used in secure distributed files systems, cloud storage, on-line Electronic Medical Record (EMR), and so on [4, 5, 35–39].

To date, PRE has been extended to adapt different cryptographic systems. The ABPRE is one of the extensions in which a user is able to empower designated users to decrypt reencrypted ciphertext by deploying attributes. In 2008, Guo et al. [40] proposed the first ABPRE scheme and it is also the first KP-ABPRE scheme. In 2009, Liang et al. [6] proposed the first CP-ABPRE scheme, in which the proxy is enabled to transform a given ciphertext under a specified access policy into the one under another access policy. But, unfortunately, only AND gates on positive and negative attributes are supported by their access policy. In 2010, Luo et al. [7] proposed a new CP-ABPRE scheme which supports AND gates on multivalue and negative attributes. Compared with [6], it has a new property named reencryption control which means that the user can decide which ciphertext can be reencrypted later during the encryption process. Later, Seo and Kim [8] presented another CP-ABPRE scheme which only needs a constant number of bilinear pairing operations. So the computation cost and ciphertext length are reduced significantly compared to previous schemes [7, 27]. In 2013, Li [9] presented a new CP-ABPRE scheme in which the ciphertext policy is matrix access policy based on LSSS matrix access structure. In 2014, Chung et al. [10] analyzed these CP-ABPRE schemes [6–8, 33] and made comparisons of them by some criteria. The aforementioned CP-ABPRE schemes, however, are only CPA-secure. To tackle this problem, Liang et al. [11], for the first time, proposed a new single-hop unidirectional CP-ABPRE scheme supporting any monotonic access formulas. Despite being constructed in the random oracle model, it is proved to be CCA-secure. In 2015, Kawai [12] proposed a flexible CP-ABPRE scheme in which the reencryption key generation can be outsourced in Attribute-Based Encryption and proved their scheme is secure in the selective security model.

All these CP-ABPRE schemes mentioned above, unfortunately, were only proven to be selectively secure [13], which is just discussed above. A CP-ABPRE system with selective security, which limits an adversary to choose an attack target before playing a security game, might not scale well in practice as well. This is because a realistic adversary is able to adaptively choose his attack target when attacking a cryptosystem. Therefore, an adaptively secure CP-ABPRE scheme is extremely desirable in most practical network applications. In 2014, Liang et al. [14], for the first time, formalized the notion of adaptive security for CP-ABPRE systems and proposed a new CP-ABPRE scheme, which is proven adaptively secure in the standard model, but their scheme demands a number of paring operations that imply huge computational overheads. In 2015, Backes et al. [15] presented an Inner-Product Proxy Reencryption scheme. Although their scheme can easily be converted into an Attribute-Based Proxy Reencryption scheme, the ciphertext is only associated with AND gates access structure, which does not conform to the flexible access policy. Motivated by these concerns, in this paper, we propose an efficient and adaptively secure CP-ABPRE scheme which supports any monotone access formulas.

Our contributions can be briefly outlined as follows. (1) A new scheme is proposed and it overcomes the restriction on the attacker in a selective security model in the existing schemes [6–9, 11] and is proved to be adaptively secure. (2) Our proposal supports any monotone access formulas including what the AND gate access structure supports. (3) Our scheme costs less computational overhead compared with the corresponding scheme [14]. (4) We try to construct our scheme in composite order groups and use three assumptions to prove its security.

3. Preliminaries

3.1. Composite Order Bilinear Groups

Composite order bilinear groups were introduced by Boneh et al. [41]. First, let G and $G_{T}$ be a cyclic additive group and a multiplication cyclic group of order N, where $N = p_{1} p_{2} p_{3}$ and $p_{1}$ , $p_{2}$ , and $p_{3}$ are three distinct prime numbers. Let $e : G \times G \to G_{T}$ be a bilinear map.

Then, let $G_{p_{1}}$ , $G_{p_{2}}$ , and $G_{p_{3}}$ denote the subgroups of order $p_{1}$ , $p_{2}$ , and $p_{3}$ in group G, respectively. Because G is a cyclic group, it is easy to conclude that if h and l are group elements chosen from different subgroups, then $e (h, l) = 1$ . This is called the orthogonality property in composite order bilinear groups.

3.2. Complexity Assumptions

We now present three assumptions of the subgroup decision problem for 3 primes (3P-SDP) [13]. First, we let G and $G_{T}$ be two cyclic groups of order N, where $N = p_{1} p_{2} p_{3}$ and $p_{1}$ , $p_{2}$ , and $p_{3}$ are three distinct primes. And we let $G_{p_{1}}$ , $G_{p_{2}}$ , and $G_{p_{3}}$ denote the subgroups of order $p_{1}$ , $p_{2}$ , and $p_{3}$ in G, respectively. Let $e : G \times G \to G_{T}$ be a bilinear map.

Assumption 1.

We randomly choose element g as the generator of $G_{p_{1}}$ and element $X_{3}$ as the generator of $G_{p_{3}}$ . Given $D = (N, G, G_{T}, e, g, X_{3})$ , $T_{1} \in G_{p_{1} p_{2}}$ and $T_{2} \in G_{p_{1}}$ . Let λ be the security parameter and the advantage of a polynomial time algorithm A in breaking Assumption 1 is defined as

\begin{matrix} A d v_{A}^{1} (λ) = |P r [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1]| . \end{matrix}

(1)

Definition 2.

Assumption 1 holds if there is no polynomial time algorithm A which has a nonnegligible advantage $A d v_{A}^{1} (λ)$ .

Assumption 3.

We randomly choose elements $g, X_{1} \in G_{p_{1}}, X_{2}, Y_{2} \in G_{p_{2}}$ , and $X_{3}, Y_{3} \in G_{p_{3}}$ . Given $D = (N, G, G_{T}, e, g, X_{1} X_{2}, X_{3}, Y_{2} Y_{3})$ and $T_{1} \in G$ , $T_{2} \in G_{p_{1} p_{3}}$ . Let λ be the security parameter and the advantage of a polynomial time algorithm A in breaking Assumption 3 is defined as

\begin{matrix} A d v_{A}^{2} (λ) = |P r [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1]| . \end{matrix}

(2)

Definition 4.

Assumption 3 holds if there is no polynomial time algorithm A which has a nonnegligible advantage $A d v_{A}^{2} (λ)$ .

Assumption 5.

We randomly choose elements $α, s \in Z_{N}, g \in G_{p_{1}}, X_{2}, Y_{2}, Z_{2} \in G_{p_{2}}$ , and $X_{3} \in G_{p_{3}}$ . Given $D = (N, G, G_{T}, e, g, g^{α} X_{2}, X_{3}, g^{s} Y_{2}, Z_{3})$ and $T_{1} = e (g, g)^{α s}$ , $T_{2} \in G_{T}$ . Let λ be the security parameter and the advantage of a polynomial time algorithm A in breaking Assumption 5 is defined as

\begin{matrix} A d v_{A}^{3} (λ) = |P r [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1]| . \end{matrix}

(3)

Definition 6.

Assumption 5 holds if there is no polynomial time algorithm A which has a nonnegligible advantage $A d v_{A}^{3} (λ)$ .

3.3. Access Structures

In this paper, the role of the participants is taken by the attributes. As shown in [42], any monotone access structure can be represented by a Linear Secret Sharing Scheme.

Definition 7 (Linear Secret Sharing Schemes (LSSS)).

Let Π denote a secret sharing scheme over a participant collection P. One says that Π is called linear over $Z_{p}$ if (1)

the shares distributed for each participant can form a vector over $Z_{p}$ ;

(2)

for Π there always exists a share-generating matrix M, which has l rows and n columns. Now, function ρ is defined and used to each party. That is, the party labeling row i can be denoted as $ρ (i)$ for $i = 1,2, \dots, l$ . The column vector $\vec{v} = (s, y_{2}, y_{3}, \dots, y_{n})$ is randomly chosen in $Z_{p}^{n}$ . Then, ${\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}$ is the share belonging to party $ρ (i)$ . We use LSSS matrix ( $M, ρ$ ) to represent an access policy in this paper.

The linear reconstruction property can be defined as follows. Suppose that Π is an LSSS for access structure A. Let $S \in A$ denote the authorized set and define $I \subseteq {1,2, \dots, l}$ as $I = \{i ∣ ρ (i) \in S\}$ . Then, there exist ${\{w_{i} \in Z_{p}\}}_{i \in I}$ such that if $\{λ_{i}\}$ are valid shares of any secret s, we have $\sum_{i \in I} w_{i} λ_{i} = s$ [41]. But it does not hold for unauthorized sets. In our scheme, we will employ LSSS matrices over $Z_{N}$ , where N is the product of 3 different prime numbers.

3.4. CP-ABPRE

3.4.1. Algorithm Model

Generally speaking, a CP-ABPRE scheme is composed of 6 fundamental algorithms and it has an authority, a sender, a user that we call a delegator who needs to delegate his/her decryption ability to someone else, a proxy who helps the delegator to generate a reencrypted ciphertext, and some receivers as participants. The 6 algorithms are shown as follows.

$S e t u p (1^{λ}, U) \to (M S K, P K)$ . It is performed by an authority to establish a new CP-ABPRE system. With the security parameter λ and attributes U as input, it generates the public key (PK) and the master secret key (MSK).

$K e y G e n (P K, M S K, S) \to S K_{S}$ . With PK, MSK, and a set of attributes S that describe the key as input, this algorithm is executed by the authority for the purpose of generating a secret key $S K_{S}$ .

$E n c (P K, W = (M, ρ), m) \to C T_{W}$ . Performed by a sender, with PK, a message m, and an access policy $W = (M, ρ)$ as input, the algorithm generates a ciphertext $C T_{W}$ of m such that only a user whose attributes meet the access policy W can decrypt it.

$R e K e y G e n (P K, S K_{S}, W^{'} = (M^{'}, ρ^{'})) \to R K_{S \to W^{'}}$ . This algorithm is performed by the delegator. With PK, $S K_{S}$ , and an access policy $W^{'} = (M^{'}, ρ^{'})$ as input, it generates a reencryption key $R K_{S \to W^{'}}$ for the proxy.

$R e E n c (P K, R K_{S \to W^{'}}, C T_{W}) \to C T_{W^{'}}$ . It is performed by the proxy, with PK, $R K_{S \to W^{'}}$ , and $C T_{W}$ as input. Firstly, the proxy checks whether the attribute in $R K_{S \to W^{'}}$ meets the access policy of $C T_{W}$ . If yes, it outputs a reencrypted ciphertext $C T_{W^{'}}$ and otherwise ⊥.

$D e c (P K, C T_{W}, S K_{S}) \to m$ . With PK, an original ciphertext $C T_{W}$ , and a secret key $S K_{S}$ as input, it returns the plaintext message m if S satisfies the access policy W specified for $C T_{W}$ , and otherwise ⊥.

$D e c_{R} (P K, C T_{W^{'}}, S K_{S^{'}}) \to m$ . This algorithm returns the plaintext message m if $S^{'}$ meets the access policy $W^{'}$ specified for $C T_{W^{'}}$ , and otherwise ⊥.

3.4.2. Security Model

The adaptive security definition for a CP-ABPRE scheme is described by a security game between a challenger B and an adversary A, which is shown as follows.

Setup. B runs the Setup algorithm to create a new system and then sends A the public key PK.

Phase 1. A makes the following queries.

(i) Secret Key Extract Queries. B runs the KeyGen algorithm after A submitting sets of attribute $S_{1}, S_{2}, \dots, S_{q_{1}}$ and returns secret keys $S K_{S}$ to A.

(ii) Reencryption Key Extract Queries. A submits sets of attribute $S_{1}, S_{2}, \dots, S_{q_{1}}$ and an access structure $W^{'} = (M^{'}, ρ^{'})$ . Then, B runs the ReKeyGen algorithm and gives the reencryption key $R K_{S \to W^{'}}$ to A.

Challenge. A chooses two messages $M_{0}$ and $M_{1}$ with equal length and an access structure $W^{*}$ , which cannot be met by any of the queried attribute sets ${S_{1}, S_{2}, \dots, S_{q_{1}}}$ . B randomly flips coin $θ \in {0, 1}$ and encrypts $M_{θ}$ under $W^{*}$ to generate $C T^{*}$ , which is then sent to A.

Phase 2. Phase 1 is repeated. Note that there is a restriction that no sets of attributes ${S_{q_{1} + 1}, S_{q_{1} + 2}, \dots, S_{q}}$ can satisfy the access structure corresponding to B.

Guess. A outputs a guess result $θ^{'}$ for θ.

In the above game, the advantage of A is defined as $A d v_{A} = |P r [θ^{'} = θ] - 1 / 2|$ . And the above security model can be easily extended to simulate a game between a CCA adversary and a challenger by permitting Reencryption and Decryption queries during Phases 1 and 2.

Definition 8.

A Ciphertext-Policy Attribute-Based Proxy Reencryption scheme is adaptively secure (or fully secure) if the advantage of any polynomial time adversary is negligible in above game.

3.4.3. Master Secret Security

Master secret security is an important property for unidirectional PRE defined by Ateniese et al. [43]. Roughly speaking, even if the dishonest proxy colludes with the receiver who can decrypt the reencrypted ciphertext, it is still impossible for them to get any information on delegator's secret key and the plaintext [44].

Definition 9.

The master secret security of a CP-ABPRE scheme can be defined based on the following master secret security game.

Setup. The challenger B runs the Setup algorithm to create a new system and then sends the adversary A the public key (PK).

Queries. A makes the following queries.

(i) $E x t r a c t (S)$ . B runs the KeyGen algorithm after A submitting attribute sets S and returns secret keys $S K_{S}$ to A.

(ii) $R K E x t r a c t (S, W^{'}) . A$ submits attribute sets S and an access structure $W^{'} = (M^{'}, ρ^{'})$ to B. Then, B runs the ReKeyGen algorithm and returns the reencryption key $R K_{S \to W^{'}}$ to A.

Output. A outputs the secret key $S K_{S^{*}}$ corresponding to the attribute sets $S^{*}$ .

In the above game, the advantage of A is defined as $A d v_{A} = P r [A s u c c e e d s]$ . A CP-ABPRE scheme meets master secret security if there is no polynomial time adversary A who has a nonnegligible advantage in winning the above game.

Lemma 10.

For a CP-ABPRE scheme, the plaintext security implies the master secret security. That is to say, for a CP-ABPRE scheme, if there is an adversary A who can break its master secret security defined above, then there also exists an adversary $A^{'}$ who can break this CP-ABPRE scheme.

In Section 5, we will prove that there is no polynomial time adversary who can break the CP-ABPRE scheme with a nonnegligible advantage. So Lemma 10 is obvious.

4. The Proposed CP-ABPRE Scheme

In this section, we shall introduce our adaptively secure CP-ABPRE scheme. Before this, in order to facilitate understanding, notations used throughout the paper are summarized in Notations.

Our adaptively secure CP-ABPRE scheme is constructed in composite order linear groups of order $N = p_{1} p_{2} p_{3}$ ( $p_{1}$ , $p_{2}$ , and $p_{3}$ are 3 different prime numbers) with LSSS access structure. Let $G_{p_{i}}$ denote the subgroup of order $p_{i}$ in G where $i \in {1,2, 3}$ . The subgroup $G_{p_{2}}$ is only used in security proof. Our scheme is shown as follows.

(1) $S e t u p (1^{λ}, U)$ . Taking as input the security parameter λ and system attribute set U, the trusted authority chooses random elements $η, a \in Z_{N}$ , a generator $g \in G_{p_{1}}$ , an element $g_{0} \in G_{p_{1}}$ , and a generator $X_{3} \in G_{p_{3}}$ . And then it computes $g_{1} = e (g, g)^{η}$ and $g_{2} = g^{a}$ . For each attribute $x \in U$ , it also chooses a random element $h_{x} \in Z_{N}$ and computes $H_{x} = g^{h_{x}}$ . The public key is denoted as

\begin{matrix} P K = (N, g_{0}, g_{1}, g_{2}, H_{x}, \forall x \in U) . \end{matrix}

(4)

The trusted authority sets the master secret key as

M S K = (η, X_{3})

(2) $K e y G e n (P K, M S K, S)$ . Taking the public key (PK), the master secret key (MSK), and the user attribute set S as input, this algorithm first chooses a random value $t \in Z_{N}$ and another three random elements $R_{0}, R_{0}^{'}, R_{x} \in G_{p_{3}}$ . Then, it computes the secret key as

\begin{matrix} S K = (S, K = g^{η} g^{a t} R_{0}, L = g^{t} R_{0}^{'}, K_{x} = H_{x}^{t} R_{x}, \forall x \in S) . \end{matrix}

(5)

(3) $E n c (P K, W, m)$ . This algorithm takes as input the public key (PK), an access policy $W = (M, ρ)$ , and a message m, where M is an $l \times n$ matrix and the function ρ associates rows of M to attributes. This algorithm randomly chooses a column vector $\overset{⃑}{v} = (s, y_{2}, y_{3}, \dots, y_{n}) \in Z_{N}^{n}$ . These values will be used to share the encryption exponent s. For $i = 1,2, \dots, l$ , it computes $λ_{i} = {\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}$ , where ${\overset{⃑}{M}}_{i}$ denotes the ith row of M. Then, the algorithm chooses random numbers $r_{1}, r_{2}, \dots, r_{l} \in Z_{N}$ .

The ciphertext is generated as

\begin{matrix} C T = (C = m e {(g, g)}^{η s}, C^{'} = g^{s}, C^{''} = g_{0}^{s}, C_{i} = g^{a {\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}} H_{ρ (i)}^{- r_{i}}, D_{i} = g^{r_{i}}, \forall i \in \{1,2, \dots, l\}) . \end{matrix}

(6)

(4) $R e K e y G e n (P K, S K, W^{'})$ . To generate a reencryption key for another access policy $W^{'} = (M^{'}, ρ^{'})$ , this algorithm takes as input the public key PK, the secret key SK = $(S, K, L, K_{x}, \forall x \in S)$ , and another access policy $W^{'} = (M^{'}, ρ^{'})$ . It needs to choose a random element $β \in Z_{N}$ and computes $\hat{C} = E n c (P K, W^{'}, g^{β})$ . Then the reencryption key is set to

\begin{matrix} R K = (S, r k_{1} = K g_{0}^{β}, r k_{2} = L, K_{x}^{'} = K_{x}, \hat{C}, \forall x \in S) . \end{matrix}

(7)

(5) $R e E n c (P K, R K, C T)$ . This algorithm takes as input the public key (PK), a reencryption key (RK), and a ciphertext $C T = (C, C^{'}, C^{''}, C_{i}, D_{i}, \forall i)$ . It first checks whether the attribute set in RK meets the access policy of CT. It computes

\begin{matrix} C_{t} = \frac{e (C^{'}, r k_{1})}{\prod_{i \in I}^{} {(e (C_{i}, r k_{2}) e (D_{i}, K_{ρ (i)}^{'}))}^{w_{i}}} \end{matrix}

(8)

and outputs a reencrypted ciphertext

C T^{'} = (C, C^{'}, \hat{C}, C_{t})

if yes and outputs ⊥ otherwise.

(6) $D e c (P K, C T, S K)$ . The original ciphertext decryption algorithm takes the public key (PK), an original ciphertext (CT) for access policy W, and a secret key (SK) for an attribute set S as input. Assume that S meets W and $I \subset \{1,2, \dots, l\}$ is defined as $I = \{i ∣ ρ (i) \in S\}$ . Then, let ${\{w_{i} \in Z_{N}\}}_{i \in I}$ be a set of constants such that if $\{λ_{i}\}$ are valid shares of any secret s according to M, then, $\sum_{i \in I} w_{i} λ_{i} = s$ holds.

The message m can be recovered as

\begin{matrix} m = \frac{C \prod_{i \in I}^{} {(e (C_{i}, L) e (D_{i}, K_{ρ (i)}))}^{w_{i}}}{e (C^{'}, K)} = \frac{C}{e (\prod_{i \in I}^{} C_{i}^{- w_{i}}, L) e (C^{'}, K \prod_{i \in I}^{} K_{ρ (i)}^{- w_{i}})} . \end{matrix}

(9)

(7) $D e c_{R} (P K, C T^{'}, S K^{'})$ . The reencrypted ciphertext decryption algorithm takes the public key (PK), a reencrypted ciphertext ${C T}^{'}$ for access policy $W^{'}$ , and a secret key ${S K}^{'}$ for an attribute set $S^{'}$ as input. If $S^{'}$ satisfies $W^{'}$ , this algorithm computes as follows: (7.1)

Decrypt $g^{β}$ from $\hat{C}$ by the Dec algorithm.

(7.2)

Then compute the message m by $m = C e (C^{''}, g^{β}) / C_{t}$ .

5. Analyses and Proof

5.1. Correctness Analyses

The correctness of the scheme is based on the bilinear character of pairing $e : G \times G \to G_{T}$ . First, we show the correctness of the original ciphertext decryption as follows:

\begin{matrix} m = \frac{C \prod_{i \in I}^{} {(e (C_{i}, L) e (D_{i}, K_{ρ (i)}))}^{w_{i}}}{e (C^{'}, K)} = \frac{m e {(g, g)}^{η s} \prod_{i \in I}^{} {(e (g^{a {\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}} H_{ρ (i)}^{- r_{i}}, g^{t} R_{0}^{'}) e (g^{r_{i}}, H_{ρ (i)}^{t} R_{ρ (i)}))}^{w_{i}}}{e (g^{s}, g^{η} g^{a t})} = \frac{m e {(g, g)}^{η s} e {(g, g)}^{a t \sum_{i \in I} ({\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}) w_{i}}}{e {(g, g)}^{η s} e {(g, g)}^{s a t}} = m . \end{matrix}

(10)

Then, the correctness of the decryption algorithm for the reencrypted ciphertext is shown as follows:

\begin{matrix} m = \frac{C e (C^{''}, g^{β})}{C_{t}} = \frac{C e (C^{''}, g^{β}) \prod_{i \in I}^{} {(e (C_{i}, r k_{2}) e (D_{i}, K_{ρ (i)}^{'}))}^{w_{i}}}{e (C^{'}, r k_{1})} = \frac{m e {(g, g)}^{η s} e (g_{0}^{s}, g^{β}) \prod_{i \in I}^{} {(e (g^{a ({\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v})} H_{ρ (i)}^{- r_{i}}, g^{t} R_{0}^{'}) e (g^{r_{i}}, H_{ρ (i)}^{t} R_{ρ (i)}))}^{w_{i}}}{e (g^{s}, g^{η} g^{a t} g_{0}^{β} R_{0})} = \frac{m e {(g, g)}^{s η} e (g_{0}^{s}, g^{β}) e {(g, g)}^{a t \sum_{i \in I}^{} ({\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}) w_{i}}}{e {(g, g)}^{s η} e {(g, g_{0})}^{s β} e {(g, g)}^{s a t}} = m . \end{matrix}

(11)

Both the original ciphertext decryption and the reencrypted ciphertext decryption processes in Section 4 are correct because the message m can be recovered correctly. Hence, our CP-ABPRE scheme is also correct.

5.2. Security Proof

Dual system encryption [27] is considered as a common and powerful tool to transform a selectively secure scheme into an adaptively secure one [13, 45, 46]. In a dual system encryption scheme, both keys and ciphertexts have two forms: normal and semifunctional [13]. A normal key can be used to decrypt normal or semifunctional ciphertexts, while a semifunctional key can only be used to decrypt normal ciphertexts. Notably, the semifunctional keys and ciphertexts are only used in security proof. To prove the security of our CP-ABPRE scheme, we firstly define the semifunctional keys and ciphertexts as follows.

Let $g_{2}$ be a generator of $G_{p_{2}}$ .

Semifunctional Ciphertexts. We firstly use the Enc algorithm to generate normal ciphertext and choose element $c \in Z_{N}$ randomly. Then, we choose random values $z_{x} \in Z_{N}$ for each attribute, random values $γ_{i} \in Z_{N}$ for the ith row of matrix M, and a random column vector $\overset{⃑}{u} \in Z_{N}^{n}$ . The semifunction ciphertext is set as

\begin{matrix} C^{'} = g^{s} g_{2}^{c}, \\ C_{i} = g^{a {\overset{⃑}{M}}_{i} \cdot \overset{⃑}{v}} H_{ρ (i)}^{- r_{i}} g_{2}^{{\overset{⃑}{M}}_{i} \cdot \overset{⃑}{u} + γ_{i} z_{ρ (i)}}, \\ D_{i} = g^{r_{i}} g_{2}^{- γ_{i}} \\ \forall i \in \{1,2, \dots, l\} . \end{matrix}

(12)

Semifunctional Key. We use KeyGen algorithm to generate normal secret key. And then we choose random exponents $b, d \in Z_{N}$ to set the semifunctional key as follows.

A semifunctional key of type 1 is

\begin{matrix} K = g^{η} g^{a t} R_{0} g_{2}^{d}, \\ L = g^{t} R_{0}^{'} g_{2}^{d}, \\ K_{x} = H_{x}^{t} R_{x} g_{2}^{b z_{x}} \forall x \in S . \end{matrix}

(13)

A semifunctional key of type 2 (in type 1 $b = 0$ ) is

\begin{matrix} K = g^{η} g^{a t} R_{0} g_{2}^{d}, \\ L = g^{t} R_{0}^{'}, \\ K_{x} = H_{x}^{t} R_{x} \forall x \in S . \end{matrix}

(14)

We should note that there will be an extra factor $e (g_{2}, g_{2})^{c d - \sum_{i \in I} b {\overset{⃑}{M}}_{i} \cdot \overset{⃑}{u} w_{i}} = e (g_{2}, g_{2})^{c d - b u_{1}}$ ( $u_{1} = (1,0, 0, \dots, 0) \cdot \overset{⃑}{u}$ ) when a semifunctional key is used to decrypt a semifunctional ciphertext. But when the formula $c d = b u_{1}$ holds, the semifunctional key of type 1 called a nominally semifunctional key can decrypt the semifunctional ciphertext successfully.

Our proof of security relies on Assumptions 1, 3, and 5 defined in Section 3. The security proof is obtained via a hybrid argument over a sequence of games defined bellow. Let Q be the maximum number of key queries that the adversary makes, and a series of games are defined as follows,

$G a m e_{r e a l}$ . It denotes the real CP-ABPRE security game defined in Section 3, with normal keys and ciphertexts.

$G a m e_{0}$ . It is similar to the above real game except that the challenge ciphertext is transformed into semifunctional one.

$G a m e_{k,1}$ . In the game, the challenge ciphertext is semifunctional, the first $k - 1$ queried keys are semifunctional ones of type 2, the kth key is semifunctional one of type 1, and the rest of the keys are normal ones.

$G a m e_{k,2}$ . The challenge ciphertext is semifunctional, the first k queried keys are semifunctional ones of type 2, and the remaining keys are normal ones.

$G a m e_{F i n a l}$ . All keys are semifunctional ones of type 2 and the challenge ciphertext is semifunctional encryption of a random message which is independent of the two messages provided by the adversary. So the advantage of the adversary in this game is negligible.

In the latter part of this section, we will prove that the above games are indistinguishable under the composite assumption.

Lemma 11.

Assume that there is a polynomial time adversary A such that $G a m e_{r e a l} A d v_{A} - G a m e_{0} A d v_{A} = ε .$ Then, we can construct another polynomial time algorithm B that can break Assumption 1 with a nonnegligible advantage ε.

Proof.

We establish a polynomial time algorithm B which receives ${g, X_{3}, T}$ to simulate either $G a m e_{r e a l}$ or $G a m e_{0}$ with A based on setting whether $T \in G_{p_{1} p_{2}}$ or $T \in G_{p_{1}}$ .

Setup. B chooses random exponents $a, η, h_{x} \in Z_{N} (\forall x)$ , sends the public key PK = $(N, g, g_{0}, e (g, g)^{η}, g^{a}, H_{x} = g^{h_{x}} \forall x)$ to the adversary A, and at the same time securely keeps the master secret key MSK = $(η, X_{3})$ .

Phase 1. B responds to whatever A's key requests by using the KeyGen algorithm to make normal keys, since it has the MSK.

Challenge. A provides two messages $M_{0}$ and $M_{1}$ with equal length and a challenge access matrix $W^{*} = (M^{*}, ρ)$ to B. For each row i of matrix $M^{*}$ , B first chooses random values $v_{2}^{'}, v_{3}^{'}, \dots, v_{n}^{'} \in Z_{N}$ and a random element $r_{i}^{'} \in Z_{N}$ to build the column vector ${\overset{⃑}{v}}^{'} = (1, v_{2}^{'}, v_{3}^{'}, \dots, v_{n}^{'})$ . Then, B chooses a random message $M_{θ}$ from $M_{0}$ and $M_{1}$ and computes the challenge ciphertext $C^{*}$ as

\begin{matrix} C = M_{θ} e {(g, g)}^{s η} = M_{θ} e {(g, T)}^{η}, \\ C^{'} = T \\ C_{i} = T^{a {\overset{⃑}{M}}_{i}^{*} \cdot {\overset{⃑}{v}}^{'}} T^{- r_{i}^{'} h_{ρ (i)}}, \\ D_{i} = T^{r_{i}^{'}}, \end{matrix}

(15)

where

θ \in {0,1}

is the random coin.

Phase 2. Repeat Phase 1.

Guess. A outputs its guess result $θ^{'}$ of θ.

If $T \in G_{p_{1}}$ , let $T = g^{s}$ . This is a normal ciphertext with $\overset{⃑}{v} = s {\overset{⃑}{v}}^{'}$ and $r_{i} = r_{i}^{'} s$ . B has simulated $G a m e_{r e a l}$ for A. If $T \in G_{p_{1} p_{2}}$ , let $T = g^{s} g_{2}^{c}$ . This is a semifunctional ciphertext with $u = c a v^{'}, γ_{i} = - c r_{i}^{'}$ , and $z_{ρ (i)} = h_{ρ (i)}$ . By the Chinese Remainder Theorem (CRT), the values of $a, v_{2}^{'}, v_{3}^{'}, \dots, v_{n}^{'}, r_{i}^{'}, h_{ρ (i)}$ modulo $p_{2}$ are uncorrelated to their values modulo $p_{1}$ . B has simulated $G a m e_{0}$ for A.

Hence, if A can distinguish $G a m e_{r e a l}$ and $G a m e_{0}$ with a nonnegligible advantage ε, B can distinguish element on $G_{p_{1}}$ and $G_{p_{1} p_{2}}$ with a nonnegligible advantage ε.

Lemma 12.

Assume that there is a polynomial time adversary A such that $G a m e_{k - 1,2} A d v_{A} - G a m e_{k,1} A d v_{A} = ε .$ Then, another polynomial time algorithm B, which can break Assumption 3 with a nonnegligible advantage ε, can be constructed.

Proof.

B receives $\{g, X_{1} X_{2}, X_{3}, Y_{2} Y_{3}, T\}$ to simulate either $G a m e_{k - 1,2}$ or $G a m e_{k, 1}$ with A based on setting whether $T \in G$ or $T \in G_{p_{1} p_{3}}$ .

Setup. B chooses random exponents $a, η, h_{x} \in Z_{N} (\forall x \in U)$ to generate the public key PK = $(N, g, g_{0}, e (g, g)^{η}, g^{a}, H_{x} = g^{h_{x}} \forall x)$ and sends it to A. At the same time, B should securely keep the master secret key MSK = $(η, X_{3})$ .

Phase 1. This phase can be divided into three parts. (1)

To form the first $k - 1$ semifunctional keys of type 2, B responds to each A's key query by randomly choosing elements $t \in Z_{N}$ and $R_{0}^{'}, R_{x} \in G_{p_{3}}$ and sets

\begin{matrix} K = g^{η} g^{a t} {(Y_{2} Y_{3})}^{t}, \\ L = g^{t} R_{0}^{'}, \\ K_{x} = H_{x}^{t} R_{x} \forall x \in S . \end{matrix}

(16)

(2)

To generate the normal keys of queries greater than k, B needs to run the KeyGen algorithm since it has the master secret key (MSK).

(3)

To answer the kth query, set $g^{t}$ equal to the $G_{p_{1}}$ part of T. Then, B randomly chooses elements $R_{0}, R_{0}^{'}, R_{x} \in G_{p_{3}}$ and computes

\begin{matrix} K = g^{η} T^{a} R_{0}, \\ L = T R_{0}^{'}, \\ K_{x} = T^{h_{x}} R_{x} \forall x \in S . \end{matrix}

(17)

T \in G_{p_{1} p_{3}}

, the above key is a normal one. And if

T \in G

, it is a semifunctional one of type 1. In this case, there exists

z_{x} = h_{x}

. If we let factor

g_{2}^{b}

denote the

G_{p_{2}}

part of T, there is

d \equiv b a m o d p_{2}

. Note that

z_{x} m o d p_{2}

is uncorrelated to

h_{x} m o d u l o p_{1}

, let

g_{2}^{b} a

be equal to the

G_{p_{2}}

part of K, let

g_{2}^{b}

be equal to the

G_{p_{2}}

part of L, and let

g_{2}^{b z_{x}}

be equal to the

G_{p_{2}}

part of

K_{x}

Challenge. A provides two messages $M_{0}$ and $M_{1}$ with equal length and a challenge access matrix ( $M^{*}, ρ$ ) for B. B sets $g^{s} = X_{1}$ and $g_{2}^{b} = X_{2}$ . Then, B chooses random values $u_{2}, u_{3}, \dots, u_{n} \in Z_{N}$ to define the vector ${\overset{⃑}{u}}^{'} = (a, u_{2}, u_{3}, \dots, u_{n})$ and randomly chooses exponent $r_{i}^{'} \in Z_{N}$ . B chooses a random message $M_{θ}$ from $M_{0}$ and $M_{1}$ and computes the challenge ciphertext $C^{*}$ as

\begin{matrix} C = M_{θ} e {(g, X_{1} X_{2})}^{η}, \\ C^{'} = X_{1} X_{2}, \\ C_{i} = {(X_{1} X_{2})}^{{\overset{⃑}{M}}_{i}^{*} \cdot u^{'}} {(X_{1} X_{2})}^{- r_{i}^{'} h_{ρ (i)}}, \\ D_{i} = {(X_{1} X_{2})}^{r_{i}^{'}}, \end{matrix}

(18)

where

θ \in {0,1}

is the random coin. We set

\overset{⃑}{v} = a^{- 1} s {\overset{⃑}{u}}^{'}

and

\overset{⃑}{u} = c {\overset{⃑}{u}}^{'}

, so s is shared in the subgroup

G_{p_{1}}

and

c \cdot a

is shared in the subgroup

G_{p_{2}}

. It also sets

r_{i} = s \cdot r_{i}^{'}

and

γ_{i} = - c \cdot r_{i}^{'}

. The values

z_{ρ (i)} = h_{ρ (i)}

match those in the kth key if it is semifunctional of type 1.

Actually, if the kth key can be used to decrypt the challenge ciphertext, then $c d - b u_{1} = c b a - b c a = 0$ modulo $p_{2}$ holds, so our key is either normal or nominally semifunctional. We must argue that this is hidden to A that cannot request any keys that can be used to decrypt the challenge ciphertext. Note that attributes are only used once in labeling the rows of the matrix. When attribute $x \notin S$ , $z_{x}$ only appeared in the kth key because all keys are semifunctional ones of type 2 except for the kth one. Because the kth key cannot be used, decrypting the challenge ciphertext, which implies the row space R formed by the rows of the matrix M whose attributes are in the key, does not include the vector ( $1,0, \dots, 0$ ). Thus, we denote a vector $\overset{⃑}{σ}$ that is orthogonal to R and not orthogonal to vector ( $1,0, \dots, 0$ ). We set an equation that $\overset{⃑}{u} = f \overset{⃑}{σ} + {\overset{⃑}{u}}^{''}$ for $f \in Z_{N}$ and $u^{''}$ is in the span of the basis elements not equal to $\overset{⃑}{σ}$ . We note that $u^{''}$ is properly distributed and reveals nothing about f. Since $u_{1} = \overset{⃑}{u} \cdot (1,0, 0, \dots, 0) = f (1,0, 0, \dots, 0) \cdot \overset{⃑}{σ} + (1,0, 0, \dots, 0) \cdot {\overset{⃑}{u}}^{''}$ and $(1,0, 0, \dots, 0) \cdot \overset{⃑}{σ} \neq 0$ , the item $\overset{⃑}{u} \cdot (1,0, 0, \dots, 0)$ is correlated to f.

For $ρ (i) \in S$ , the equation ${\overset{⃑}{M}}_{i} \cdot \overset{⃑}{u} = {\overset{⃑}{M}}_{i} \cdot (f \overset{⃑}{σ} + {\overset{⃑}{u}}^{''}) = {\overset{⃑}{M}}_{i} \cdot {\overset{⃑}{u}}^{''}$ has nothing to do with f. And for $ρ (i) \notin S$ , $f \overset{⃑}{σ}$ can be obtained only in the equation ${\overset{⃑}{M}}_{i}^{*} \cdot \overset{⃑}{u} + γ_{i} z_{ρ (i)}$ , where $ρ (i)$ is attribute which does not appear in the kth key. As long as each $γ_{i}$ mod $p_{2}$ is not congruent to 0, each equation brings a new unknown factor $z_{ρ (i)}$ that appears nowhere else, and so the adversary A can get nothing about f. More precisely, for any value of $u_{1}$ , there is the same number of solutions to these equations. Hence, as long as each $γ_{i}$ is nonzero modulo $p_{2}$ , the ciphertext and the kth key are properly distributed in the adversary's view with a probability negligibly close to 1.

Thus, if $T \in G_{p_{1} p_{3}}$ , then B has simulated $G a m e_{k - 1,2}$ with A. If $T \in G$ and $γ_{i}$ is nonzero modulo $p_{2}$ , then B has simulated $G a m e_{k, 1}$ . Hence, B can use the output result of A to distinguish between these possibilities for T. In other words, B can break Assumption 3 with advantage ε.

Hence, if the adversary A has a nonnegligible advantage ε to distinguish $G a m e_{k - 1,2}$ and $G a m e_{k, 1}$ , B can also distinguish element on $G_{p_{1} p_{3}}$ and G with a nonnegligible advantage ε.

Lemma 13.

Suppose that there is a polynomial time adversary A such that $G a m e_{k,1} A d v_{A} - G a m e_{k,2} A d v_{A} = ε .$ Then, another polynomial time algorithm B, which breaks Assumption 3 with a nonnegligible advantage ε, can be constructed.

Proof.

B receives ${g, X_{1} X_{2}, X_{3}, Y_{2} Y_{3}, T}$ to simulate either $G a m e_{k, 1}$ or ${G a m e}_{k, 2}$ with the adversary A depending on whether $T \in G$ or $T \in G_{p_{1} p_{3}}$ . This proof is very similar to that of Lemma 12, so here we only describe Phases 1 and 2.

Phase 1. The first ( $k - 1$ ) semifunctional keys of type 2 and the last ( $Q - k$ ) normal keys are constructed exactly as in Lemma 12. To answer the kth query, B randomly chooses an exponent $h \in Z_{N}$ and then computes

\begin{matrix} K = g^{η} T^{a} R_{0} {(Y_{2} Y_{3})}^{h}, \\ L = T R_{0}^{'}, \\ K_{x} = T^{h_{x}} R_{x} \forall x \in S . \end{matrix}

(19)

The only difference from Lemma 12 here is adding a term

{(Y_{2} Y_{3})}^{h}

which randomizes the

G_{p_{2}}

part of K, so the kth key is no longer a semifunctional one. It would be failed if we try to use it to decrypt the semifunctional ciphertext, because condition

c d - b u_{1}

≡ 0mod

p_{2}

is no longer established.

Phase 2. Phase 1 is repeated.

Hence, if $T \in G_{p_{1} p_{3}}$ , the kth key is a properly distributed semifunctional key of type 2 and therefore B simulates $G a m e_{k, 2}$ for A. If $T \in G$ , the kth key is a properly distributed semifunctional key of type 1 and therefore B simulates $G a m e_{k, 1}$ for A. As a result, if A has a nonnegligible advantage ε to distinguish $G a m e_{k, 2}$ and $G a m e_{k, 1}$ , B also has a nonnegligible advantage ε to distinguish element in $G_{p_{1} p_{3}}$ and G.

Lemma 14.

Assume that there is a polynomial time adversary A such that $G a m e_{Q,2} A d v_{A} - G a m e_{F i n a l} A d v_{A} = ε .$ Then, we can construct a polynomial time algorithm B, which can break Assumption 5 with a nonnegligible advantage ε, which can be constructed.

Proof.

The proof is similar to those of Lemmas 11–13. B receives ${g, g^{α} X_{2}, X_{3}, g^{s} Y_{2}, Z_{2}, T}$ to simulate $G a m e_{Q, 2}$ or $G a m e_{F i n a l}$ with A based on whether $T = e {(g, g)}^{η s}$ or T is a random element of $G_{T}$ .

Setup. B chooses random values $a, h_{x} \in Z_{N} (\forall x \in U)$ and sends the public key PK = $(N, g, g_{0}, e (g, g)^{η} = e (g, g^{η} X_{2}), g^{a}, H_{x} = g^{h_{x}} \forall x)$ to A. Note that B does not know η.

Phase 1. To form semifunctional keys of type 2, B responds to each A's key query by randomly choosing elements $t \in Z_{N}$ and $R_{0}, R_{0}^{'}, R_{x} \in G_{p_{3}}$ and sets

\begin{matrix} K = g^{η} g^{a t} Z_{2}^{t} R_{0}, \\ L = g^{t} R_{0}^{'}, \\ K_{x} = H_{x}^{t} R_{x} \forall x \in S \end{matrix}

(20)

which is similar as in the previous lemmas.

Challenge. A submits two messages $M_{0}$ and $M_{1}$ with equal length and a matrix ( $M^{*}, ρ$ ) to B. B then takes s from the assumption term $g^{s} Y_{2}$ . It randomly chooses values $u_{2}, u_{3}, \dots, u_{n} \in Z_{N}$ to define a vector $u^{'} = (a, u_{2}, u_{3}, \dots, u_{n})$ and randomly chooses an exponent $r_{i}^{'} \in Z_{N}$ . B chooses a random message $M_{θ}$ from $M_{0}$ and $M_{1}$ and generates the challenge ciphertext $C^{*}$ as

\begin{matrix} C = M_{θ} T, \\ C^{'} = g^{s} Y_{2}, \\ C_{i} = {(g^{s} Y_{2})}^{{\overset{⃑}{M}}_{i}^{*} {\overset{⃑}{u}}^{'}} {(g^{s} Y_{2})}^{- r_{i}^{'} h_{ρ (i)}}, \\ D_{i} = {(g^{s} Y_{2})}^{r_{i}^{'}}, \end{matrix}

(21)

where

θ \in {0,1}

is the random coin. We note that there exists

v = a^{- 1} s u^{'}

and

u = c u^{'}

, so s is being shared in the subgroup

G_{p_{1}}

and

c a

is being shared in the subgroup

G_{p_{2}}

. At the same time, set

r_{i} = s r_{i}^{'}

and

γ_{i} = - c r_{i}^{'}

Phase 2. Repeat Phase 1.

Guess. A outputs its guess result $θ^{'}$ of θ.

If $T = e (g, g)^{η s}$ , then this is a properly distributed semifunctional ciphertext with message $M_{θ}$ . Otherwise, this is a semifunctional ciphertext of a random message and will not give anything about θ to the attacker.

Hence, if A can distinguish $G a m e_{Q, 2}$ and $G a m e_{F i n a l}$ with a nonnegligible advantage ε, B can distinguish the element $e (g, g)^{η s}$ and a random element in $G_{T}$ with a nonnegligible advantage ε.

Theorem 15.

If Assumptions 1, 3, and 5 hold, our CP-ABPRE scheme is adaptively secure.

Proof.

If Assumptions 1, 3, and 5 hold, we have proved that the real CP-ABPRE security game $Gam e_{real}$ is indistinguishable from $Gam e_{Final}$ by previous Lemmas 11–14. And because the challenger in $Gam e_{Final}$ chooses a random message $M_{θ}$ to encrypt, the adversary could not get any information on θ. In other words, the advantage of adversary in $Gam e_{Final}$ can be negligible, so the advantage of the adversary in $Gam e_{real}$ can be also negligible. Hence, our CP-ABPRE scheme is secure.

5.3. Analyses and Discussions

5.3.1. Security Analysis

The reencryption control, which allows the encryptor to decide whether the ciphertext can be reencrypted, was first put forward by Luo et al. in [7]. In our CP-ABPRE scheme, we can see that the element $C^{''} = g_{0}^{s}$ is of no use in the original ciphertext decryption phase, and it is only used in the reencrypted ciphertext decryption phase. If the encryptor does not provide the factor $g_{0}^{s}$ , it is impossible for the decryption of reencrypted ciphertext. So in our scheme, the encryptor can control whether the ciphertext can be reencrypted (in fact he can decide whether the reencrypted ciphertext can be decrypted). In addition, our scheme overcomes the restriction on the attacker in a selective security model in the existing schemes [6–9, 11] and is proven adaptively secure in the standard model without jeopardizing the expressiveness of access policy.

5.3.2. Performance Analyses

In this part, we will make some comparisons of different CP-ABPRE schemes, and the results are summarized in Tables 1–3. A comparison of access expression and some properties is given in Table 1. In addition, we shall compare the performance and efficiency of our proposal with the existing ones in Tables 2 and 3. We use $|A_{U}|$ , $|A_{C}|$ , and n to denote the attributes held by user U, the attributes required by the ciphertext, and the number of attributes in systems, respectively. We use G to denote the operation in group G, $G_{T}$ for the operation in group $G_{T}$ , and P for the bilinear pairing operation. We use symbol $L_{*}$ to denote the bit length of element in ∗. At last, we use $N^{'} = \sum_{i = 1}^{n} n_{i}$ to denote the total number of possible values of attributes, where $n_{i}$ is the number of possible values for attribute i.

Table 1

Property comparisons.

Schemes	Access structure	Adaptive security	Complexity assumption	Supported policy
Liang et al.'s [6]	AND gate between two-value attributes	N	ADBDH CTDH	And
Luo et al.'s [7]	AND gate among multivalue attributes	N	DBDH	And
Seo and Kim's [8]	AND gate between two-value attributes	N	ADBDH CTDH	And
Li's [9]	LSSS matrix	N	DPBDHE	Any monotonic access formula
Liang et al.'s [11]	LSSS matrix	N	DPBDHE	Any monotonic access formula
Liang et al.'s [14]	LSSS matrix	Y	DPBDHE	Any monotonic access formula
Backes et al.'s [15]	LSSS matrix	Y	DPBDHE	And
Our scheme	LSSS matrix	Y	3P-SDP	Any monotonic access formula

DBDH: Decisional Bilinear Diffie-Hellman, CTDH: Complex Triple Diffie-Hellman, ADBDH: Augment Decisional Bilinear Diffie-Hellman, 3P-SDP: subgroup decision problem for 3 primes, and DPBDHE: Decisional q-Parallel Bilinear Diffie-Hellman Exponent.

Table 2

Performance comparisons (I).

Schemes	PK	MK	SK	Ciphertext
Liang et al.'s [6]	$(6 n + 2) L_{G} + L_{G_{T}}$	$(3 n + 1) L_{Z_{q}}$	$(2 n + 1) L_{G}$	$(n + 2) L_{G} + L_{G_{T}}$
Luo et al.'s [7]	$(N^{'} + 2 n + 4) L_{G} + L_{G_{T}}$	$(N^{'} + 2 n + 1) L_{Z q}$	$(4 n + 1) L_{G}$	$(n + 2) L_{G} + L_{G_{T}}$
Seo and Kim's [8]	$(3 n + 2) L_{G} + L_{G_{T}} + 3 n L_{Z_{q}}$	$(3 n + 3) L_{Z_{q}}$	$(n + 1) L_{G} + L_{Z_{q}}$	$(n + 2) L_{G} + L_{G_{T}}$
Li's [9]	$(n + 2) L_{G} + L_{G_{T}}$	$L_{G}$	$(\|A_{U}\| + 2) L_{G}$	$(2 \|A_{C}\| + 2) L_{G} + L_{G_{T}}$
Liang et al.'s [11]	$3 L_{G} + L_{G_{T}} + 6 H a s h$	$L_{G}$	$(\|A_{U}\| + 2) L_{G}$	$(2 \|A_{C}\| + 3) L_{G} + L_{{\{0, 1\}}^{2 k}}$
Liang et al.'s [14]	$(n + 6) L_{G} + L_{G_{T}}$	$2 L_{G}$	$(\|A_{U}\| + 3) L_{G}$	$(2 \|A_{C}\| + 5) L_{G} + L_{G_{T}}$
Backes et al.'s [15]	$(n + 2) L_{G} + L_{G_{T}}$	$L_{G} + (1 + n) L_{Z_{q}}$	$(n + 1) L_{G}$	$3 L_{G} + L_{G_{T}} + n L_{Z_{q}}$
Our scheme	$(n + 2) L_{G} + L_{G_{T}}$	$L_{G} + L_{Z_{q}}$	$(\|A_{U}\| + 2) L_{G}$	$(2 \|A_{C}\| + 2) L_{G} + L_{G_{T}}$

Table 3

Performance comparisons (II).

Schemes	Encryption	Decryption	Reencryption	Reencrypted decryption
Liang et al.'s [6]	$(n + 2) G + 2 G_{T}$	$(n + 2) P + 2 G_{T}$	$(n + 1) P + G_{T}$	$(n + 3) P + 4 G_{T}$
Luo et al.'s [7]	$(n + 2) G + 2 G_{T}$	$2 n P + 3 G_{T}$	$(2 n + 1) P + (n + 1) G_{T}$	$(2 n + 1) P + 5 G_{T}$
Seo and Kim's [8]	$(n + 2) G + 2 G_{T}$	$2 P + (3 n + 2) G + 2 G_{T}$	$2 P + 3 n G + G_{T}$	$3 P + 3 n G + 4 G_{T}$
Li's [9]	$(4 \|A_{C}\| + 2) G + 2 G_{T}$	$(2 \|A_{U}\| + 1) P + 3 G_{T}$	$(2 \|A_{C}\| + 1) P + 4 \|A_{C}\| G + 3 \|A_{C}\| G_{T}$	$(2 \|A_{U}\| + 1) P + (3 \|A_{U}\| + 2) G_{T}$
Liang et al.'s [11]	$(4 \|A_{C}\| + 2) G + G_{T}$	$(2 \|A_{U}\| + 1) P + 3 \|A_{U}\| G_{T}$	$(2 \|A_{U}\| + 2) P + (3 \|A_{U}\| + 1) G_{T}$	$(2 \|A_{U}\| + 2) P + 3 \|A_{U}\| G_{T}$
Liang et al.'s [14]	$(4 \|A_{C}\| + 4) G + 2 G_{T}$	$(2 \|A_{U}\| + 1) P + (2 \|A_{U}\| + 1) G_{T}$	$(2 \|A_{U}\| + 2) P + (2 \|A_{U}\| + 2) G_{T}$	$(2 \|A_{U}\| + 3) P + (2 \|A_{U}\| + 4) G_{T}$
Backes et al.'s [15]	$(n + 3) G + 2 G_{T}$	$2 P + n G$	$n P + (n - 1) G$	$n P + 2 G + G_{T}$
Our scheme	$(4 \|A_{C}\| + 2) G + 2 G_{T}$	$2 P + (4 \|A_{U}\| - 1) G + 2 G_{T}$	$2 P + (4 \|A_{U}\| - 1) G + 2 G_{T}$	$3 P + (4 \|A_{U}\| - 1) G + 4 G_{T}$

From Tables 1–3, we can draw the following conclusions. Liang et al. [6], Luo et al. [7], Seo and Kim [8], and Backes et al. [15], respectively, proposed their schemes based on the CP-ABE in which the ciphertext is associated with AND gates access structure. However, the access policy in these four schemes is not flexible enough; it can only support AND operation on attributes. The ciphertext policy realized in Li's [9], Liang et al.'s [11, 14], and our scheme is LSSS matrix access structure which supports any monotonic access formula including what the AND gate access structure supports. Different from Li's [9] and Liang et al.'s [11] schemes, our scheme is adaptively secure. And, what is more, our scheme needs only a constant number of paring operations in Reencryption and Decryption phase when compared with Liang et al.'s scheme [14]. That is, our scheme greatly reduces the computational overhead.

From the above analysis, we can conclude that our scheme is more efficient and secure than previous CP-ABPRE schemes.

6. Conclusions

CP-ABPRE employs the PRE technology in the ABE cryptographic setting and could be applicable to many real world applications, such as email forwarding. The existing CP-ABPRE systems, however, were proven secure only in the selective security model which causes attacker to behave differently from real environment. So an efficient and adaptively secure Attribute-Based Proxy Reencryption scheme is proposed in this paper. By using the dual system encryption, the proposed scheme can be proven to be adaptively secure rather than selectively secure which is much less practical. Meantime, our scheme supports any monotone access formulas including what the AND gate access structure supports. And compared with the existing schemes, our scheme needs only a constant number of paring operations in Reencryption and Decryption phase, which greatly reduces the computational overhead.

Footnotes

Notations

Competing Interests

The authors declare that there are no competing interests regarding the publication of this paper.

Acknowledgments

This work was supported by Natural Science Foundation of China under Grant no. 61103178, Natural Science Basic Research Plan in Shaanxi Province of China under Grants nos. 2015JM6294 and 2016JM6002, and the Fundamental Research Funds for the Central Universities under Grant no. 3102015JSJ0003.

References

Feng

D. G.

Chen

Research on attribute-based cryptography

Journal of Cryptologic Research 2014 1 1 1 12

Goyal

Pandey

Sahai

Waters

Attribute-based encryption for fine-grained access control of encrypted data

Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06)

October 2006

Alexandria, Va, USA

89 98

10.1145/1180405.1180418

2-s2.0-34547273527

Q. Y.

Zhang

F. L.

A fully secure attribute based broadcast encryption scheme

International Journal of Network Security 2015 17 3 263 271

2-s2.0-84929903282

Liang

K. T.

Fang

L. M.

Wong

D. S.

Susilo

A ciphertext-policy attribute-based proxy re-encryption scheme for data sharing in public clouds

Concurrency and Computation: Practice and Experience 2014 27 8 2004 2027

10.1002/cpe.3397

Chang

C.-C.

Sun

C.-Y.

Cheng

T.-F.

A dependable storage service system in cloud environment

Security and Communication Networks 2015 8 4 574 588

10.1002/sec.1004

Liang

Cao

Lin

Shao

Attribute based proxy re-encryption with delegating capabilities

Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security (ASIACCS '09)

March 2009

ACM

276 286

10.1145/1533057.1533094

2-s2.0-77952362084

Luo

Chen

Soriano

Qing

López

Ciphertext policy attribute-based proxy re-encryption

Information and Communications Security 2010 6476

Berlin, Germany

Springer

401 415 Lecture Notes in Computer Science

10.1007/978-3-642-17650-0_28

Seo

Kim

Attribute-based proxy re-encryption with a constant number of pairing operations

International Journal of Information and Communication Engineering 2012 10 1 53 60

10.6109/jicce.2012.10.1.053

K. Y.

Matrix access structure policy used in attribute-based proxy re-encryption

http://arxiv.org/abs/1302.6428

10.

Chung

P.-S.

Liu

C.-W.

Hwang

M.-S.

A study of attribute-based proxy re-encryption scheme in cloud environments

International Journal of Network Security 2014 16 1 1 13

2-s2.0-84883733928

11.

Liang

K. T.

Fang

L. M.

Wong

D. S.

Susilo

A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertext security

2013 2013/236

IACR Cryptology ePrint Archive

12.

Kawai

Outsourcing the re-encryption key generation: flexible ciphertext-policy attribute-based proxy re-encryption

Information Security Practice and Experience 2015 9065

Berlin, Germany

Springer

301 315 Lecture Notes in Computer Science

10.1007/978-3-319-17533-1_21

13.

Lewko

Okamoto

Sahai

Takashima

Waters

Gilbert

Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption

Advances in Cryptology—EUROCRYPT 2010 2010 6110

Berlin, Germany

Springer

62 91 Lecture Notes in Computer Science

10.1007/978-3-642-13190-5_4

14.

Liang

M. H.

Susilo

Wong

D. S.

Yang

An adaptively CCA-secure ciphertext-policy attribute-based proxy re-encryption for cloud data sharing

Information Security Practice and Experience: 10th International Conference, ISPEC 2014, Fuzhou, China, May 5–8, 2014. Proceedings 2014 8434

Berlin, Germany

Springer

448 461 Lecture Notes in Computer Science

10.1007/978-3-319-06320-1_33

15.

Backes

Gagné

Krishnan Thyagarajan

S. A.

Fully secure inner-product proxy re-encryption with constant size ciphertext

Proceedings of the 3rd International Workshop on Security in Cloud Computing (SCC '15)

April 2015

Singapore

31 40

16.

Sahai

Waters

Fuzzy identity-based encryption

Advances in Cryptology—EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005. Proceedings 2005 3494

Berlin, Germany

Springer

457 473 Lecture Notes in Computer Science

10.1007/11426639_27

17.

Shamir

Identity-based cryptosystems and signature schemes

Proceedings of the Advances in Cryptology (CRYPTO '84) 1985

Berlin, Germany

Springer

47 53

18.

Pang

L. J.

Yang

Jiang

Z. T.

A survey of research progress and development tendency of attribute-based encryption

The Scientific World Journal 2014 2014 13

193426

10.1155/2014/193426

2-s2.0-84904658069

19.

Cheung

Newport

Provably secure ciphertext policy ABE

Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07)

November 2007

456 465

10.1145/1315245.1315302

2-s2.0-45749116552

20.

Nishide

Yoneyama

Ohta

Attribute-based encryption with partially hidden encryptor-specified access structures

Applied Cryptography and Network Security (ACNS 2008) 2008

Berlin, Germany

Springer

111 129

21.

Bethencourt

Sahai

Waters

Ciphertext-policy attribute-based encryption

Proceedings of the IEEE Symposium on Security and Privacy (SP '07)

May 2007

Berkeley, Calif, USA

IEEE Computer Society

321 334

10.1109/SP.2007.11

22.

Goyal

Jain

Pandey

Sahai

Bounded ciphertext policy attribute-based encryption

Proceedings of the International Colloquium Automata, Languages and Programming (ICALP '08)

2008

Berlin, Germany

Springer

579 591

23.

Liang

X. H.

Cao

Z. F.

Lin

Xing

D. S.

Provably secure and efficient bounded ciphertext policy attribute based encryption

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (ICCS '09)

March 2009

Sydney, Australia

343 352

10.1145/1533057.1533102

24.

Ibraim

Tang

Hartel

Jonker

Efficient and provable secure ciphertext-policy attribute-based encryption schemes

International Conference on Information Security Practice and Experience (ISPEC '09)

2009

Springer

1 12

25.

Waters

Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization

Public Key Cryptography (PKC 2011) 2011

Berlin, Germany

Springer

53 70

26.

Canetti

Halevi

Katz

A forward-secure public-key encryption scheme

Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '03), Warsaw, Poland, May 2003 2003

Springer

27.

Waters

Halevi

Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions

Advances in Cryptology—CRYPTO 2009 2009 5677

Berlin, Germany

Springer

619 636 Lecture Notes in Computer Science

10.1007/978-3-642-03356-8_36

28.

Lewko

Waters

New proof methods for attribute-based encryption: achieving full security through selective techniques

Advances in Cryptology—CRYPTO 2012: 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2012. Proceedings 2012 7417

Berlin, Germany

Springer

180 198 Lecture Notes in Computer Science

10.1007/978-3-642-32009-5_12

29.

Garg

Gentry

Halevi

Zhandry

Fully secure attribute based encryption from multilinear maps

Cryptology ePrint Archive Report 2014 2014/622

30.

Ying

Z. B.

J. F.

Zhang

J. W.

Cui

J. T.

Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating

Science China Information Sciences 2016 4 1 16

10.1007/s11432-015-5428-1

31.

Kitagawa

Kojima

Attrapadung

Imai

Desmedt

Efficient and fully secure forward secure ciphertext-policy attribute-based encryption

Information Security 2015 7807

Berlin, Germany

Springer

87 99 Lecture Notes in Computer Science

10.1007/978-3-319-27659-5_6

32.

Mambo

Okamoto

Proxy cryptosystems: delegation of the power to decrypt ciphertexts

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 1997 80 1 54 63

33.

Blaze

Bleumer

Strauss

Divertible protocols and atomic proxy cryptography

Advances in Cryptology—EUROCRYPT '98: International Conference on the Theory and Application of Cryptographic Techniques Espoo, Finland, May 31–June 4, 1998 Proceedings 1998 1403

Berlin, Germany

Springer

127 144 Lecture Notes in Computer Science

10.1007/BFb0054122

34.

Jiao

T. F.

Q. H.

Wang

Jin

Conditional identity-based broadcast proxy re-encryption and its application to cloud email

IEEE Transactions on Computers 2016 65 1 66 79

10.1109/tc.2015.2417544

MR3446451

35.

Zhao

Achieving dynamic privileges in secure data sharing on cloud storage

Security and Communication Networks 2014 7 11 2211 2224

10.1002/sec.739

2-s2.0-84910644903

36.

Barolli

Chen

X. F.

Xhafa

Advances on cloud services and cloud computing

Concurrency and Computation: Practice and Experience 2015 27 8 1985 1987

10.1002/cpe.3414

37.

Shao

Cao

Liu

SCCR: a generic approach to simultaneously achieve CCA security and collusion-resistance in proxy re-encryption

Security and Communication Networks 2011 4 2 122 135

10.1002/sec.109

2-s2.0-79251541771

38.

Yang

Zhu

Weng

Zhang

Choo

K.-K. R.

Cloud based data sharing with fine-grained proxy re-encryption

Pervasive and Mobile Computing 2016 28 122 134

10.1016/j.pmcj.2015.06.017

2-s2.0-84936984467

39.

Shao

Lin

Liang

Secure bidirectional proxy re-encryption for cryptographic cloud storage

Pervasive and Mobile Computing 2016 28 113 121

10.1016/j.pmcj.2015.06.016

2-s2.0-84936818211

40.

Guo

Zeng

Wei

Attribute-based re-encryption scheme in the standard model

Wuhan University. Journal of Natural Sciences 2008 13 5 621 625

10.1007/s11859-008-0522-5

MR2536561

ZBL1199.68135

2-s2.0-57049171407

41.

Boneh

Goh

E.-J.

Nissim

Kilian

Evaluating 2-DNF formulas on ciphertexts

Theory of Cryptography 2005 3378

Berlin, Germany

Springer

325 341 Lecture Notes in Computer Science

10.1007/978-3-540-30576-7_18

42.

Beimel

Secure schemes for secret sharing and key distribution [Ph.D. thesis] 1996

Haifa, Israel

Israel Institute of Technology, Technion

43.

Ateniese

Green

Hohenberger

Improved proxy re-encryption schemes with applications to secure distributed storage

ACM Transactions on Information and System Security 2006 9 1 1 30

10.1145/1127345.1127346

ZBL1281.94070

2-s2.0-33745218758

44.

Luo

Shen

Chen

Fully secure unidirectional identity-based proxy re-encryption

Information Security and Cryptology—ICISC 2011: 14th International Conference, Seoul, Korea, November 30–December 2, 2011. Revised Selected Papers 2011 7259

Berlin, Germany

Springer

109 126 Lecture Notes in Computer Science

10.1007/978-3-642-31912-9_8

45.

Lewko

Waters

New techniques for dual system encryption and fully secure HIBE with short ciphertexts

Proceedings of the 7th Theory of Cryptography Conference (TCC '10), Zurich, Switzerland, February 2010 2010

Berlin, Germany

Springer

455 479

46.

Doshi

Jinwala

D. C.

Fully secure ciphertext policy attribute-based encryption with constant length ciphertext and faster decryption

Security and Communication Networks 2014 7 11 1988 2002

10.1002/sec.913

2-s2.0-84910611578

Efficient and Adaptively Secure Attribute-Based Proxy Reencryption Scheme

Abstract

1. Introduction

2. Related Works

3. Preliminaries

3.1. Composite Order Bilinear Groups

3.2. Complexity Assumptions

Assumption 1.

Definition 2.

Assumption 3.

Definition 4.

Assumption 5.

Definition 6.

3.3. Access Structures

Definition 7 (Linear Secret Sharing Schemes (LSSS)).

3.4. CP-ABPRE

3.4.1. Algorithm Model

3.4.2. Security Model

Definition 8.

3.4.3. Master Secret Security

Definition 9.

Lemma 10.

4. The Proposed CP-ABPRE Scheme

5. Analyses and Proof

5.1. Correctness Analyses

5.2. Security Proof

Lemma 11.

Proof.

Lemma 12.

Proof.

Lemma 13.

Proof.

Lemma 14.

Proof.

Theorem 15.

Proof.

5.3. Analyses and Discussions

5.3.1. Security Analysis

5.3.2. Performance Analyses

6. Conclusions

Footnotes

Notations

Competing Interests

Acknowledgments

References