Traceable Ciphertet-Policy Attribute-Based Encryption with Constant Decryption

Abstract

We provide a traceable ciphertext-policy attribute based encryption (CP-ABE) construction for monotone access structures (MAS) based on composite order bilinear groups, which is secure adaptively under the standard model. We construct this scheme by making use of an "encoding technique" which represents the MAS by their minimal sets to encrypt the messages. To date, for all traceable CP-ABE schemes, their encryption costs grow linearly with the MAS size, the decryption costs grow linearly with the qualified rows in the span programs. However, in our traceable CP-ABE, the ciphertext is linear with the minimal sets, and decryption needs merely three bilinear pairing computations and two exponent computations, which improves the efficiency extremely and has constant decryption. At last, the detailed security and traceability proof is given.

1. Introduction

The notation of ABE, firstly put forward by Sahai et al. [1], is a summarization of fuzzy IBE[2]. Then Goyal et al. put foward a Key-Policy ABE, and further defined a CP-ABE [3]. In the CP-ABE, the private key is constructed over the attributes, and the user designs the access control policy over some attributes when encrypting data. If the attributes associating with private key achieve the access control policy, then the decryption is successful. CP-ABE provides a new method to carry out the fine-grained access policy to encrypted data so that a lot of researches have been carried out about it including [3-8], which focused on different properties including expressiveness, performance or security. Especially, Lewko et al. provided a CP-ABE scheme [8] by using the monotone span program (MSP) respectively, which were both proved adaptively secure.

As is described above, the key is related to attributes owned by multiple users so that distinct users may have the same attribute sets, namely the same decryption keys. If a key is leaked, it is hard to identify who exactly leaks it. Liu et al. [9] provided a traceable CP-ABE scheme which can identify the malicious users leaking their decryption keys. This scheme was constructed based on Lewko et al's CP-ABE [8] construction over composite order bilinear groups by drawing on Boneh and Boyen's signature technique [10]. Later, Ning et al. provided a traceable CP-ABE construction[11] in large universe by using the similar method based on Rouselakis et al's construction [12] that was proved selectively secure over prime order bilinear groups. Zhang et al. [13] took it a step further by adding authority accountability. In addition, some relevant papers are proposed also[14-16]. However, in all these traceable CP-ABE constructions, the ciphertext grows linearly with the MSP, similarly, the number of pairing computations in decryption algorithm also grows linearly with that of qualified rows in the MSP.

Note that, constant computation and low communication generally has more practical significance for some applications with limited computing resources and bandwidth. Therefore, we put forward a traceable CP-ABE based on [9] for MAS. In this scheme, we make use of an "encoding technique" which represents the MAS by their minimal sets to encrypt the messages, so the ciphertext size is polynomial with the number of minimal sets. For some access policies, this scheme may have shorter ciphertext and lower encryption cost (see Section 3.5). Additionally, the most important thing is that our construction has only three bilinear pairing operations and two exponent operations in the decryption process, which improves the efficiency extremely.

2. Preliminaries

In this part, we will take view of several facts that will be applied in our scheme including access structures, minimal set, CP-ABE, composite order bilinear maps, l − SDH assumption and traceability game.

2.1 Access Structures

Definition 1.(Access Structures). Suppose \(\mathcal{M}=\left\{m_{1}, m_{2}, \ldots, m_{n}\right\}\) is a set of members and \(\mathbb{S} \subset 2^{\mathcal{M}}\) is a collection. If for each set A and B, it satisfies if \(A \in \mathbb{S}\) and \(A \subseteq B\) , then \(B \in \mathbb{S}\) holds, then we can say \(\mathbb{S}\) is monotone. An access structure is defined as collection \(\mathbb{S} \subseteq 2^{\mathcal{M}} \)\{0}.

2.2 Minimal Set

Definition 2.(Minimal Set of a MAS). Suppose \(\mathbb{S}\) is a MAS with the attribute set \(U=\left\{u_{1}, u_{2}, \ldots, u_{n}\right\}\). For all sets A and B in \(\mathbb{S}\) , if \(\forall B \in \mathbb{S} \backslash\{A\}\), we have \(B \not \subset A\) , then A is a minimal authorized set. The collection of minimal set in \(\mathbb{S}\) composes the base of \(\mathbb{S}\).

Theorem 1. [17] If there exists a linear secret sharing scheme (LSSS) for a concrete MAS, then there must be a smallest MSP for the same MAS.

2.3 CP-ABE

Assuming the set of attributes is \(U=\left\{u_{1}, u_{2}, \ldots, u_{n}\right\}\), then the tracable CP-ABE is defined as follows:

Setup (1^λ , U).The input is security parameter 1^λ and attribute universe U, then it will output the public parameters PP and the master key MK. In addition, it sets the initial tracing table as T = \(\phi\), where \(\phi\) denotes empty.

KeyGen( MK, id, S). The input is the MK, identity idand attributes set S, then it will output the secret key SK_id,S . Finally, it will add id to the tracing table T.

Encrypt( PP , \(\mathcal{D}\) , M). The input is the PP, access structure \(\mathcal{D}\) for attributes universe U and plaintext M needing to be encrypted, then it will output the ciphertext  CT_{\(\mathcal{D}\)}  with \(\mathcal{D}\) implicitly contained.

Decrypt(   CT_{\(\mathcal{D}\)}  , SK_id,S). The input is the  CT_{\(\mathcal{D}\)}  and SK_id,S.If S satisfies \(\mathcal{D}\), then it will output the valid message M.

Trace( T , SK_id,S ). The input is the T and SK_id,S . Then it will output an identity id or a special symbol \(\phi\).

The above algorithms can be generalized as Fig. 1.

Fig. 1. Steps involved in various phases of our proposed scheme

Next, we will provide concrete definition of adaptively secure against chosen plaintext attacks for the CP-ABE construction, which is represented as a security game Game_Real between challenger \(\mathcal{C}\) and attacker \(\mathcal{A}\).

Setup: \(\mathcal{C}\) carries out Setup algorithm to generate the public parameters PP and master key MK. \(\mathcal{C}\) begins to interact with \(\mathcal{A}\) by giving PP.

Phase 1: \(\mathcal{A}\) makes a number of key queries for the identity-attribute tuples {( id₁ , S₁), ( id₂ , S₂ ), ..., ( id_q1 , S_q1 )} .

Challenge: submits two plaintexts M₀, M₁ with the equal length and access policy \(\mathcal{D}\)^* that cannot be satisfied by { S₁ , S₂ , ..., S_q1 }. Then \(\mathcal{C}\) chooses a random β∈ {0, 1} and encrypts the plaintext M_β using \(\mathcal{D}\) ^*. At last, it outputs generated ciphertext CT_{\(\mathcal{D}\)^*} to \(\mathcal{A}\).

Phase 2: \(\mathcal{A}\) proceeds to make a number of key queries for the identity-attribute tuples \(\left\{\left(i d_{q_{1}+1}, S_{q_{1}+1}\right),\left(i d_{q_{1}+2}, S_{q_{1}+2}\right), \ldots,\left(i d_{q}, S_{q}\right)\right\}\) requiring that no S_i satisfies \(\mathcal{D}\)^*.

Guess: \(\mathcal{A}\) outputs a guess β′ for β.

\(\mathcal{A}\)’ advantage is described to be \(A d v_{\text {Game }_{\text {Real }}^{\mathcal{A}}}^{(\lambda)}=\left|\operatorname{Pr}\left[\beta=\beta^{\prime}\right]-1 / 2\right|\).

Definition 3. We can know a CP-ABE is adaptively secure assuming for polynomial time attackers \(\mathcal{A}\), the advantage \(A d v_{\text {Game }_{\text {Real }}^{\mathcal{A}}}^{(\lambda)}\) is negligible.

2.4 Composite Order Bilinear Maps

Next, we will describe the composite order bilinear group firstly proposed in [18]. Suppose \(\mathcal{G}\) is a group generator, and it outputs the parameters (\(\left(p_{1}, p_{2}, p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right)\) , in which p₁, p₂ and p₃ denote three different big primes, \(\mathbb{G}\) and \(\mathbb{G}_{T}\) the groups with order N = p₁p₂p₃ . Additionally, \(e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_{T}\) represents a bilinear map which satisfies that

1.For any \(x, y \in \mathbb{Z}_{N}^{*}\) and \(u, v \in \mathbb{G}\) , we have \(e\left(u^{x}, v^{y}\right)=e(u, v)^{x y}\).

2.There exists e( g, h ) having order N in \(\mathbb{G}_{T}\), where \(g, h \in \mathbb{G}\).

Suppose \(\mathbb{G}_{p_{1}}\), \(\mathbb{G}_{p_{2}}\) and \(\mathbb{G}_{p_{3}}\) are the subgroups of \(\mathbb{G}\) with order p₁, p₂ and p₃ respectively. Let \(h_{i} \in \mathbb{G}_{p_{i}}\) and \(h_{j} \in \mathbb{G}_{p_{j}}\)be random parameters with i ≠ j, then we have \(e\left(h_{i}, h_{j}\right)=1\) according to orthogonal property [19].

Now, we will state three complexity assumptions proposed by Lewko et al. [19], on which the security proof of our scheme is based, as follows:

Assumption 1. Provided the group generator \(\mathcal{G}\), the problem of Assumption 1 is defined to be:

\(\left(N=p_{1} p_{2} p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right) \stackrel{R}{\longleftarrow} \mathcal{G}(\lambda)\)

\(g \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1}}, X_{3} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{3}},\)

\(L=\left(\left(N, \mathbb{G}, \mathbb{G}_{T}, e\right), g, X_{3}\right)\)

\(T \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1} p_{2}}, T^{\prime} \stackrel{R}{\longleftarrow}\mathbb{G}_{p_{1}}\)

\(\mathcal{A}\)’s advantage to break the above assumption is:

\(\operatorname{Advl}_{\mathcal{G}, \mathcal{A}}(\lambda):=\left|\operatorname{Pr}[\mathcal{A}(L, T)=1]-\operatorname{Pr}\left[\mathcal{A}\left(L, T^{\prime}\right)=1\right]\right|\)

Assumption 2. Provided the group generator \(\mathcal{G}\), the problem of Assumption 2 is defined to be:

\(\left(N=p_{1} p_{2} p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right) \stackrel{R}{\longleftarrow} \mathcal{G}(\lambda)\)

\(g, X_{1}\stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1}}, X_{2}, Y_{2}\stackrel{R}{\longleftarrow} \mathbb{G}_{p_{2}}, X_{3}, Y_{3} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{3}},\)

\(L=\left(\left(N, \mathbb{G}, \mathbb{G}_{T}, e\right), g, X_{1} X_{2}, X_{3}, Y_{2} Y_{3}\right)\)

\(T \stackrel{R}{\longleftarrow} \mathbb{G}, T^{\prime} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{1} p_{3}}\)

\(\mathcal{A}\)’s advantage to break the above assumption is:

\(\operatorname{Adv} 2_{\mathcal{G}, \mathcal{A}}(\lambda):=\left|\operatorname{Pr}[\mathcal{A}(L, T)=1]-\operatorname{Pr}\left[\mathcal{A}\left(L, T^{\prime}\right)=1\right]\right|\)

Assumption 3. Provided the group generator \(\mathcal{G}\), the problem of Assumption 3 is defined to be:

\(\left(N=p_{1} p_{2} p_{3}, \mathbb{G}, \mathbb{G}_{T}, e\right)\stackrel{R}{\longleftarrow} \mathcal{G}(\lambda), \alpha, s\stackrel{R}{\longleftarrow} \mathbb{Z}_{N}\)

\(g\stackrel{R}{\longleftarrow}{K} \mathbb{G}_{p_{1}}, X_{2}, Y_{2}, Z_{2} \stackrel{R}{\longleftarrow} \mathbb{G}_{p_{2}}, X_{3}\stackrel{R}{\longleftarrow} \mathbb{G}_{p_{3}},\)

\(L=\left(\left(N, \mathbb{G}, \mathbb{G}_{T}, e\right), g, g^{\alpha} X_{2}, X_{3}, g^{s} Y_{2}, Z_{2}\right),\)

\(T \stackrel{R}{\longleftarrow} e(g, g)^{\alpha s}, T^{\prime} \stackrel{R}{\longleftarrow}\mathbb{G}_{T}\)

\(\mathcal{A}\)’s advantage to break the above assumption is:′

\(\operatorname{Adv} 3_{\mathcal{G}, \mathcal{A}}(\lambda):=\left|\operatorname{Pr}[\mathcal{A}(L, T)=1]-\operatorname{Pr}\left[\mathcal{A}\left(L, T^{\prime}\right)=1\right]\right|\)

2.5 \(l\) − SDH Assumption

Next, we will describe the   \(l\) − SDH assumption [10] that is used to prove our traceability. 

  \(l\) − SDH Assumption. Assuming \(\mathbb{G}\) is a bilinear group with prime order p and generator g∈\(\mathbb{G}\), the    \(l\) − SDH is depicted as: provided a ( \(l\) + 1)-vector \(\left(g, g^{a}, g^{a^{2}}, \ldots, g^{a^{t}}\right)\) to output the tuple \(\left(c, g^{1 /(a+c)}\right) \in \mathbb{Z}_{p} \times \mathbb{G}\). The attacker, \(\mathcal{A}\), possesses an advantage at least \(\varepsilon\) if we have

\(\operatorname{Pr}\left[\mathcal{A}\left(g, g^{a}, g^{a^{2}}, \ldots, g^{a^{\prime}}\right)=\left(c, g^{1 /(a+c)}\right)\right] \geq \varepsilon\)

Definition 4. Assume there exists no algorithm possesses the advantage at least ε to solve the    \(l\) − SDH problem in time t, then we have (\(l\) , t, ε) − SDH assumption stands.

2.6 Traceabilit

Now, we will propose the concrete definition of traceability, depicted as a security game between attacker \(\mathcal{A}\) and challenger \(\mathcal{C}\), for our traceable CP-ABE:

Setup. The Setup algorithm will be run by \(\mathcal{C}\) to generate the public parameters PP, which are then sent to \(\mathcal{A}\).

Key Query. \(\mathcal{A}\) makes a number of q key queries associated with attribute sets \(\left\{\left(i d_{1}, S_{1}\right),\left(i d_{2}, S_{2}\right), \ldots,\left(i d_{q}, S_{q}\right)\right\}\)

Key Forgery. A decryption key SK^* will be given by \(\mathcal{A}\), and it wins if 

Trace ( T , SK^* ) ≠ \(\phi\) with Trace ( T , SK ) ∉ { id₁ , id₂ , ..., id_q }.

3. Traceable CP-ABE for the MAS

3.1 Our Construction

We propose our traceable CP-ABE construction by applying a simple encoding method which is adaptively secure over the composite order bilinear groups. Note that, its order of bilinear groups will be N = p₁p₂p₃. Additionally, we will employ the random members of subgroup \(\mathbb{G}_{p_{1}}\) to encode the policy and attributes, and emply the random members of subgroup \(\mathbb{G}_{p_{3}}\) to randomize the key and ciphertext.

Setup(1^λ , U). It firstly runs \(\mathcal{G}\)(1^λ ), which denotes the group parameters generator, to obtain \(\left(p_{1}, p_{2}, p_{3}, \mathbb{G}, \mathbb{G}_{\mathbb{T}}, e\right)\) that will be used, in which \(\mathbb{G}\) and \(\mathbb{G}_{T}\) are the groups with order \(N=p_{1} p_{2} p_{3} \cdot e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_{T}\) denotes the bilinear map. \(\mathbb{G}_{p_{1}}\) denotes the subgroup with order \(p_{i}\), and \(g \in \mathbb{G}_{p_{1}}, X_{3} \in \mathbb{G}_{p_{3}}\) denotes the generators of subgroup \(\mathbb{G}_{p_{1}}\) and \(\mathbb{G}_{p_{3}}\). Next, it chooses parameters \(\alpha, a \in \mathbb{Z}_{N}, h \in \mathbb{G}_{p_{1}}\) randomly, and for every i ∈ \(U\) it picks random \(u_{i} \in \mathbb{Z}_{N}\). Finally, it sets the public parameters PP to be:

\(P P=\left(N, h, g, g^{a}, e(g, g)^{\alpha},\left\{U_{i}=g^{u_{i}}\right\}_{i \in U}\right)\)

In addition, it sets the master key MK to be: 

\(M K=\left(\alpha, a, X_{3}\right)\).

Note that, the initial tracing table T is set to be \(\phi\) denoting empty.

KeyGen( MK, id, S) : It picks a parameter \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\) randomly for tracing, then chooses parameters \(t \in \mathbb{Z}_{N}, R, R_{0}, R_{0}^{\prime} \in \mathbb{G}_{p_{3}}\) randomly , and for every \(i \in S\), it picks \(R_{i} \in \mathbb{G}_{p_{3}}\). Finally, it sets the user’s secret key to be:

\(S K_{i d, S}=\left(K=g^{\frac{\alpha}{a+t r c}} h^{t} R, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0}, L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S}\right)\)

Here, if gcd( a + trc, N ) ≠ 1 or trc is used already , this algorithm will choose another \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\) . Finally, the algorithm adds the pair ( trc, id ) into T for traceability.

Encrypt( PP , \(\mathcal{D}\) , M) : Here, \(\mathcal{D}\) denotes the set of minimal sets generated by the MAS. Let \(\mathcal{D}=\left\{S_{1}, S_{2}, \ldots, S_{m}\right\}\), where \(S_{i} \subset U\) , \(\forall i \in[m]\) . Then it picks \(s \in \mathbb{Z}_{N}\) and further picks \(s_{i} \in \mathbb{Z}_{N}\) randomly for each i ∈ [ m] . The ciphertext is set to be:

\(\begin{gathered} C T_{\mathcal{D}}=\left(\mathcal{D}, C=M \cdot e(g, g)^{\alpha s}, C_{0}=g^{s}, C_{0}^{\prime}=g^{a s},\right. \\ \left.\left\{C_{i, 1}=h^{s}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{gathered}\)

Decrypt( CT_{\(\mathcal{D}\)} ,SK_id,S ) : Let the ciphertext be \(C T_{\mathcal{D}}=\left(\mathcal{D}, C, C_{0}, C_{0}^{\prime},\left\{C_{i, 1}, C_{i, 2}\right\}_{i=1}^{m}\right)\) and the private key be \(S K_{i d, S}=\left(K, K^{\prime}, L, L^{\prime},\left\{K_{i}\right\}_{i \in S}\right)\). Assuming the attributes set S satisfies the MAS that is generated by \(\mathcal{D}\), we have that there must be a minimal set in \(\mathcal{D}\), which is the subset of S. Let S_j ⊂ S, then we compute

\(\begin{aligned} &D=e\left(C_{j, 1}, L^{K^{\prime}} L^{\prime}\right) \\ &E=e\left(C_{0}^{K^{\prime}} C_{0}^{\prime}, K\right) \cdot e\left(C_{j, 2}, \prod_{i \in S_{j}} K_{i}\right) \end{aligned}\)

Finally, it computes C ⋅ D/E = M .

Trace( T , SK_id,S ) The tracing algorithm is defined the same as that in [9] which takes the tracing table T and the secret key SK as input. Next, it will search K′ in the tracing table T, and once K′is found, it will output the corresponding id, otherwise output \(\phi\).

Correctness. In this part, we give the correctness validation as follows:

\(\begin{aligned} &C \cdot D / E \\ &=M \cdot e(g, g)^{\alpha s} \cdot \frac{e\left(h^{s}\left(\prod_{i \in S_{j}} U_{i}\right)^{s_{j}},\left(g^{t} R_{0}\right)^{\text {trc }} g^{\text {at }} R_{0}^{\prime}\right)}{e\left(g^{\text {strc }} g^{a s}, g^{\frac{\alpha}{a+t r c}} h^{t} R\right) \cdot e\left(g^{s_{j}}, \prod_{i \in S_{j}}\left(U_{i}^{(a+r c) t} R_{i}\right)\right)} \\ &=M \cdot e(g, g)^{\alpha s} \cdot \frac{e(g, h)^{(a+t r c) t s} e\left(g^{(a+t r c) t},\left(\prod_{i \in S_{j}} U_{i}\right)^{s_{j}}\right)}{e(g, g)^{\alpha s} \cdot e(g, h)^{(a+t r c) t s} \cdot e\left(g^{s_{j}}, \prod_{i \in S_{j}}\left(U_{i}^{(a+t r c) t}\right)\right)} \\ &=M \cdot e(g, g)^{\alpha s} \cdot \frac{1}{e(g, g)^{\alpha s}} \\ &=M \end{aligned}\)

3.2 Security Proof

Assuming there exists an attacker, \(\mathcal{A}\), who carries out q key queries, then we will use 2q+ 3 games between \(\mathcal{A}\) and a challenger \(\mathcal{C}\) to prove the security of our traceable CP-ABE construction. The orthogonal element of group \(\mathbb{G}_{p_{2}}\) is used to construct the semi-functional key and ciphertext. Next, we construct the semi-functional key and ciphertext:

Semi-functional Key: The semi-functional key is divided into two styles: type 1 and type 2. We construct type 1 as follows. Suppose id is the user’s identity with attributes set S. Then we pick parameters \(d, b, b, z_{i} \in \mathbb{Z}_{N}, g_{2} \in \mathbb{G}_{p_{2}}, R, R_{0} \in \mathbb{G}_{p_{3}}\), and for each  \(i\) ∈ S pick \(R_{i} \in \mathbb{G}_{p_{3}}\) randomly. At last, we set the key of type 1 as

\(\begin{gathered} S K_{i d, S}=\left(K=g^{\frac{\alpha}{a+t r c}} h^{t} R g_{2}^{d}, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0} g_{2}^{b},\right. \\ L^{\prime}=g^{a t} R_{0}^{\prime} g_{2}^{b^{\prime}},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i} g_{2}^{z_{i}}\right\}_{i \in S} \end{gathered}\)

In addition, we set the key of type 2 as:

\(\begin{gathered} S K_{i d, S}=\left(K=g^{\frac{\alpha}{a+t r c}} h^{t} R g_{2}^{d}, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0},\right. \\ L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S} \end{gathered}\)

Semi-functional Ciphertext: Suppose \(\mathcal{D}\) is the basis for a monotone access structure Π. Let \(\mathcal{D}=\left\{S_{1}, \ldots, S_{m}\right\}\), where for each i ∈ [m] we have S_i ⊂ U. Next, we choose random parameters \(c, c^{\prime}, c^{\prime \prime} \in \mathbb{Z}_{N}\) with the restriction that \(b \cdot c^{\prime \prime}=d \cdot c\), then chooses \(g_{2} \in \mathbb{G}_{p_{2}}\), and for each  i ∈ [m] choose \(s_{i} \in \mathbb{Z}_{N}\). Finally, wet set the semi-functional ciphertext as

\(\begin{aligned} C T_{\mathcal{D}}=&\left(\mathcal{D}, C=M \cdot e(g, g)^{\alpha s}, C_{0}=g^{s} g_{2}^{c}, C_{0}^{\prime}=g^{a s} g_{2}^{c^{\prime}},\right.\\ &\left.\left\{C_{i, 1}=h^{s}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}} g_{2}^{c^{\prime \prime}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{aligned}\)

As we can see that if a legitimate semi-functional ciphertext is decrypted by the corresponding semi-functional key, it will generate an additional term e\(e\left(g_{2}, g_{2}\right)^{b^{\prime} c^{\prime \prime}-c^{\prime} d}\). Moreover, if we have \(b^{\prime} c^{\prime \prime}-c^{\prime} d=0\) , then the decryption will succeed, and in this situation we call it nominally semi-functional.

In the 2q+ 3 consecutive games, Game_Real as the begining one is the actual security game defined in part 2.3 and the next one is Game₀ , in which each key is normal , however, the ciphertext is semi-functional. For k=1 to q, we define:

Game_k,1. The first k− 1 keys are type 2, the key kis type 1, the others are normal. Additionally, the challenge ciphertext will be semi-functional.

Game_k,2. The first k keys are type 2 with the rest ones normal. Additionally, the challenge ciphertext is also semi-functional.

For Game_q,1 , the keys will be type 2. Furthermore, for Game_Final , which is the last one, the keys will be type 2, however, the challenge ciphertext becomes to a semi-functional encryption on some random message. Additionally, one point needs to be noticed is that \(\mathcal{A}\)'s advantage in the game Game_Final will be 0 . Next, the indistinguishability of the games byusing the following lemmas will be proved.

Lemma 1. Assuming there is a polynomial time adversary, \(\mathcal{A}\), satisfying \(A d v_{\text {Game }_{\text {Real }}^{\mathcal{A}}}^{-1}-A d v_{\text {Game }_{0}}^{\mathcal{A}}=\varepsilon\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 1.

Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, ( g , X₃ , T ) of Assumption 1, then \(\mathcal{B}\) simulates for either Game_Real or Game₀ depending on T.

Setup: \(\mathcal{B}\) first picks \(\alpha, \beta, a \in \mathbb{Z}_{N}\)  randomly. Next, for every \(i \in U\) , it picks \(u_{i} \in \mathbb{Z}_{N}\) randomly and sets \(U_{i}=g^{u_{i}}\), then it starts to interact with \(\mathcal{A}\) by giving the public parameters as follows:

\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right)\)

while the master key MK = ( α, a , X₃ ) will be kept private to \(\mathcal{B}\)

Key Query: \(\mathcal{B}\) responds to \(\mathcal{A}\) 's queries by performing KeyGen algorithm, because he keeps MK.

Challenge: \(\mathcal{B}\) will receive the challenge messages M₀ , M₁ and challenge basis \(\mathcal{D}\)^* from \(\mathcal{A}\). Then \(\mathcal{B}\) chooses \(M_{b} \in\left\{M_{0}, M_{1}\right\}\) randomly. Let \(\mathcal{D}^{*}=\left\{S_{0}, S_{1}, \ldots, S_{m}\right\}\), where each \(S_{i} \subset U\). Next, for each i ∈ [m] , \(\mathcal{B}\) chooses an exponent \(s_{i} \in \mathbb{Z}_{N}\) random and further constructs the challenge ciphertext \(C T_{\mathcal{D}^{*}}\) as follows:

\(C T_{\mathcal{D}^{*}}=\left(C=M_{b} \cdot e\left(g^{\alpha}, T\right), C_{0}=T, C_{0}^{\prime}=T^{a},\left\{C_{i, 1}=T^{\beta}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right)\)

Finally, \(C T_{\mathcal{D}^{*}}\) is sent to \(\mathcal{A}\).

Assuming that \(T \in \mathbb{G}_{p_{1} p_{2}}\), then T can be written as \(T=g^{s} g_{2}^{c}\) for some s, c∈\(\mathbb{Z}\)_N , so we have \(C=M_{b} \cdot Y^{s}, C_{0}=g^{s} g_{2}^{c}, \quad C_{0}^{\prime}=g^{a s} g_{2}^{a c}, C_{i, 1}=h^{s}\left(\prod_{j \in S_{ }} U_{j}\right)^{s_{i}} g_{2}^{\beta c}\) and \(\left\{C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\). Note that, we set c ′= ac , c ′′= βc implicitly. Since the values of a , β modelp p₂ are independent of their values modelp according to Chinese Remainder Theorem, therefore, we have \(C T_{\mathcal{D}^{*}}\) will be a semi-functional ciphertext distributed correctly. We can see that if \(T \in \mathbb{G} p_{1} p_{2}\) , \(\mathcal{B}\) simulates Game₀ , else if \(T \in \mathbb{G}_{p_{1}}\) , \(\mathcal{B}\) simulates Game_Real . This completes our proof for Lemma 1.

Lemma 2. Assuming there is a polynomial time adversary, \(\mathcal{A}\) , satisfying \(A d v_{\mathrm{Game}_{k-1,2}}^{\mathcal{A}}-A d v_{\mathrm{Game}_{k, 1}}^{\mathcal{A}}=\varepsilon\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 2.

Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, (g,X₁X₂,X₃,Y₂Y₃,T), of Assumption 2, and \(\mathcal{B}\) simulates either Game_k-1,2 or Game_k,1 depending on T.

Setup: \(\mathcal{B}\) chooses parameters \(\alpha, \beta, a \in \mathbb{Z}_{N}\)  randomly. Next, for each i ∈ U, \(\mathcal{B}\) chooses \(u_{i} \in \mathbb{Z}_{N}\) and sets \(U_{i}=g^{u_{i}}\), then it starts to interact with \(\mathcal{A}\) by giving the public parameters as follows:

\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right)\)

while the master key MK = ( α, a , X₃ ) will be kept private to \(\mathcal{B}\).

Key Query: For constructing the semi-functional keys of type 2, \(\mathcal{B}\) picks \(t \in \mathbb{Z}_{N}\), \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\), elements \(R_{0}, R_{0}^{\prime}, R_{i} \text { of } \mathbb{G}_{p_{3}}\) randomly, and then constructs the key:

\(K=g^{\frac{\alpha}{a+t r c}} h^{t}\left(Y_{2} Y_{3}\right)^{t}, K^{\prime}=\operatorname{trc}, L=g^{t} R_{0}, L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S}\)

Note that, the key is semi-functional of type 2 distributed correctly. Additionally, to construct the rest q − k keys that are normal, \(\mathcal{B}\) can merely perform KeyGen algorithm because he keeps MK.

For keyk, \(\mathcal{B}\) implicitly makes the \(\mathbb{G}_{p_{1}}\) part of T to be g^t, then chooses random \(R, R_{0}, R_{0}^{\prime}, R_{i}\) of \(\mathbb{G}_{p_{3}}\), \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\), and further sets the key to be:

\(K=g^{\frac{\alpha}{a+\operatorname{trc}}} T^{\beta} R, K^{\prime}=\operatorname{trc}, L=T R_{0}, L^{\prime}=T^{a} R_{0}^{\prime},\left\{K_{i}=T^{(a+\operatorname{trc}) u_{i}} R_{i}\right\}_{i \in S}\)

Assuming \(T \in \mathbb{G} p_{1} p_{3}\), it will be a normal key, and else assuming \(T \in \mathbb{G}\), it becomes a semi-functional key of type 1. Additionally, if let \(g_{2}^{b}\) be the \(\mathbb{G}_{p_{2}}\) part of T, then we have \(d=\beta b\) model p_2, \(b^{\prime}=a b\) model p₂ and \(z_{i}=(a+\operatorname{trc}) b u_{i}\).

Challenge: \(\mathcal{B}\) will two challenge messages M₀ , M and a challenge basis \(\mathcal{D}^{*}\) from \(\mathcal{A}\). Then \(\mathcal{B}\) chooses random \(M_{b} \in\left\{M_{0}, M_{1}\right\}\). Let \(\mathcal{D}^{*}=\left\{S_{0}, S_{1}, \ldots, S_{m}\right\}\), where each \(S_{i} \subset U\). Next, for each i ∈ [ m] , \(\mathcal{B}\) chooses random \(s_{i} \in \mathbb{Z}_{N}\) and constructs the challenge ciphertext \(C T_{\mathcal{D}^{*}}\) as follows:

\(\begin{aligned} C T_{\mathcal{D}^{*}}=&\left(C=M_{b} \cdot e\left(g^{\alpha}, X_{1} X_{2}\right), C_{0}=X_{1} X_{2}, C_{0}^{\prime}=\left(X_{1} X_{2}\right)^{a},\right.\\ &\left.\left\{C_{i, 1}=\left(X_{1} X_{2}\right)^{\beta}\left(\prod_{j \in S_{i}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{aligned}\)

Now suppose that \(T \in \mathbb{G}\), and let the \(\mathbb{G}_{p_{1} p_{2}}\) part of T be \(g^{s} g_{2}^{c}\). Therefore, we implicitly set c′= ac , c′'= βc. Additionally, we know that the kth semi-functional key and ciphertext are distributed correctly except for the fact that the exponent c′= ac model p₂ in L′ part of the ciphertext is correlated with a model p₂ in the K₀ part of the key, and the exponent c′′= βc modelp in C_i,1 part of the ciphertext is correlated with β model p₂ in the K part of the key. Therefore, if the correct semi-functional ciphertext is decrypted by the corresponding semi-functional key of type 1, a valid messageMwill be obtained.

Thus, if \(T \in \mathbb{G}\), we have that \(\mathcal{B}\) simulates Game_k,1, and else if \(T \in \mathbb{G}_{p_{1} p_{3}}\), \(\mathcal{B}\) simulates Game_k-1,2. This gives complete proof for Lemma 2.

Lemma 3. Assuming there is a polynomial time adversary, \(\mathcal{A}\) , satisfying \(A d v_{\text {Game }_{k, 1}}^{\mathcal{A}}-A d v_{\text {Game }_{k, 2}}^{\mathcal{A}}=\varepsilon\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 2.

Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, ( g , X₁X₂ , X₃ , Y₂Y₃ , T) Assumption 2, and \(\mathcal{B}\) simulates either Game_k,1 or Game_k,2 depending on T.

Setup: \(\mathcal{B}\) picks \(\alpha, \beta, a \in \mathbb{Z}_{N}\) randomly. Next, for every \(i \in U\) , it picks \(u_{i} \in \mathbb{Z}_{N}\) and sets \(U_{i}=g^{u_{i}}\), then it begins to interact with \(\mathcal{A}\) by giving the public parameters as follows:

\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right),\)

while the master key MK = ( α, a , X₃ ) will be kept private to \(\mathcal{B}\).

Key Query: We construct the first k− 1 key using the similar method as that in Lemma 2. For the kth key query, \(\mathcal{B}\) also processes it using the similar method, however, additionally adding a term ( Y₂Y₃ )^h to K part as follows by choosing a random \(h \in \mathbb{Z}_{N}\) :

\(K=g^{\frac{\alpha}{a+\operatorname{trc}}} T^{\beta} R\left(Y_{2} Y_{3}\right)^{h}, K^{\prime}=\operatorname{trc}, L=T R_{0}, L^{\prime}=T^{a} R_{0}^{\prime},\left\{K_{i}=T^{(a+\operatorname{trc}) u_{i}} R_{i}\right\}_{i \in S}\)

It must be noted that the adding term randomizes the \(\mathbb{G}_{p_{2}}\) part of K, therefore, it is not nominally semi-functional any more.

If \(T \in \mathbb{G}\), we have that it is a semi-functional key of type 1 distributed correctly, so \(\mathcal{B}\) simulates Game_k,1 , and similarly if \(T \in \mathbb{G}_{p_{1} p_{3}}\), it becomes semi-functional key of type 2, so it simulates Game_k,2 . This completes our proof for Lemma 3.

Lemma 4. Assuming there is a polynomial time adversary, \(\mathcal{A}\) , satisfying \(A d v_{\text {Game }_{q, 2}}^{\mathcal{A}}-A d v_{\text {Game }_{\text {Final }}}^{\mathcal{A}}=\mathcal{E}\). Then a polynomial time simulator, \(\mathcal{B}\), will be constructed with advantage ε to break Assumption 3.

Proof. We establish the simulator \(\mathcal{B}\) to take the parameters, \(\left(g, X_{3}, g^{\alpha} X_{2}, g^{s} Y_{2}, Z_{2}, T\right)\) of Assumption 3, and \(\mathcal{B}\) simulates either Game_q,2 or Game_Final depending on T.

Setup: \(\mathcal{B}\) picks \(\alpha, \beta, a \in \mathbb{Z}_{N}\) randomly. Next, for every i ∈ U it picks \(u_{i} \in \mathbb{Z}_{N}\) randomly and sets \(U_{i}=g^{u_{i}}\), then it begins to interact with \(\mathcal{A}\) by giving the public parameters as follows:

\(P P=\left(N, g, g^{a}, h=g^{\beta}, Y=e\left(g, g^{\alpha} X_{2}\right)^{\alpha}=e(g, g)^{\alpha},\left\{U_{i}\right\}_{i \in U}\right),\)

while the master key MK = ( α, a , X₃ ) will be kept private to \(\mathcal{B}\).

Key Query: To generate the semi-functional key of type 2, \(\mathcal{B}\) first chooses random \(t \in \mathbb{Z}_{N}\), \(\operatorname{trc} \in \mathbb{Z}_{N}^{*}\), random elements \(R_{0}, R_{0}^{\prime}, R_{i}\) of \(\mathbb{G}_{p_{3}}\), and sets the key as:

\(\begin{aligned} &K=\left(g^{\alpha} X_{2}\right)^{\frac{1}{a+t r c}}\left(g^{\beta}\right)^{t} Z_{2}^{t} R=g^{\frac{\alpha}{a+t r c}} h^{t} X_{2}^{\frac{1}{a+t r c}} Z_{2}^{t} R \\ &K^{\prime}=\operatorname{trc}, L=g^{t} R_{0}, L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{i}=U_{i}^{(a+t r c) t} R_{i}\right\}_{i \in S} \end{aligned}\)

We can see that the above key is distributed correctly.

Challenge: \(\mathcal{B}\) will receive two challenge messages M₀ , M₁ and a challenge basis \(\mathcal{D}^{*}\) from \(\mathcal{B}\). Then \(\mathcal{B}\) chooses a random \(M_{b} \in\left\{M_{0}, M_{1}\right\}\) . Let\(\mathcal{D}^{*}=\left\{S_{0}, S_{1}, \ldots, S_{m}\right\}\), where each \(S_{i} \subset U\) . Next, for each \(i \in[m]\), \(\mathcal{B}\) chooses \(s_{i} \in \mathbb{Z}_{N}\) randomly and constructs the challenge ciphertext \(C T_{\mathcal{D}^{*}}\) as follows:

\(\begin{gathered} C T_{D^{*}}=\left(C=M_{b} \cdot T, C_{0}=g^{s} Y_{2}, C_{0}^{\prime}=\left(g^{s} Y_{2}\right)^{a}\right. \\ \left.\left\{C_{i, 1}=\left(g^{s} Y_{2}\right)^{\beta}\left(\prod_{j \in S_{j}} U_{j}\right)^{s_{i}}, C_{i, 2}=g^{s_{i}}\right\}_{i=1}^{m}\right) \end{gathered}\)

Assuming \(T=e(g, g)^{\alpha s}\) , then  \(C T_{\mathcal{D}^{*}}\) is precisely semi-functional ciphertext and \(\mathcal{B}\) simulates Game_q,2 , else assuming T is random in \(\mathbb{G}_{T}\), \(\mathcal{B}\) simulates Game_Final. This completes the proof of Lemma 4.

Theorem 2. Suppose Assumptions 1, 2 and 3 hold, then we have that our traceable CP-ABE construction proposed above for the MAS is adaptively secure in the standard model.

Proof. Suppose Assumptions 1, 2 and 3 hold, then we can say Game_Real is indistinguishable from Game_Final as shown by the above four lemmas. Moreover, the challenge message M_b is hidden by a random element of \(\mathbb{G}_{T}\) in the game. Thus, \(\mathcal{A}\) has no non-negligible advantage to break our traceable CP-ABE construction proposed above for MAS.

3.3 Traceability

This part will provide the specific traceability proof for our proposed scheme above based on two assumptions, namely the \(l-\mathrm{SDH}\) assumption and Assumption 3. Note that, this proof is similar with that in [9].

Theorem 3: Suppose the \(l-\mathrm{SDH}\) assumption and Assumption 3 hold, then we have that our traceable CP-ABE has the traceability provided q ≤ l.

Assume l = q + 1 without loss of generality, then a polynomial time simulator, \(\mathcal{B}\) , will be constructed to break either \(l-\mathrm{SDH}\) assumption or Assumption 3 as follows:

• \(\mathcal{B}\) takes a case of Assumption 3 as \(P_{A 3}=\left(N, \mathbb{G}, \mathbb{G}_{T}, e, \tilde{g}, X_{1} X_{2}, X_{3}, Y_{2} Y_{3}, T\right)\) , and if b= 1 , \(T \in \mathbb{G}_{p_{1} p_{3}}\), otherwise, \(T \in \mathbb{G}\).

• \(\mathcal{B}\) takes a case of \(l-\mathrm{SDH}\) assumption as \(P_{S D H}=\left(N, \mathbb{G}, \mathbb{G}_{T}, e, \tilde{g}, \tilde{g}^{a}, \ldots, \tilde{g}^{a^{t}}\right)\). Here, \(\mathcal{B}\)’s goal is to break at least of one of the two assumptions. So \(\mathcal{B}\) firstly chooses a random bit Γ ∈ {0, 1} , and if Γ = 0 , it takes P_A3 as input, then picks \(\tilde{a} \in \mathbb{Z}_{N}^{*}\) and sets \(A_{i}=\tilde{g}^{\tilde{a}^{i}}=\tilde{g}^{a^{t}}\). Otherwise, it takes P_SDH as input, then sets \(A_{i}=\tilde{g}^{a^{t}}\) and chooses a generator \(X_{3} \in \mathbb{G}_{p_{3}}\).

\(\mathcal{B}\) takes \(\left(N, \mathbb{G}, \mathbb{G}_{T}, e, X_{3},\left\{A_{i}\right\}_{i=0}^{l}\right)\) as input, then it begins the interaction with \(\mathcal{A}\) as follows:

• Setup. \(\mathcal{B}\) chooses q different values \(c_{1}, c_{2}, \ldots, c_{q} \in \mathbb{Z}_{N}^{*}\) uniform at random. Next, \(\square \mathcal{B}\) defines a polynomial function \(f(y)=\prod_{i=1}^{q}\left(y+c_{i}\right)\) and expand it as \(f(y)=\sum_{i=0}^{q} \alpha_{i} y^{i}\) where \(\alpha_{0}, \alpha_{1}, \ldots, \alpha_{q} \in \mathbb{Z}_{N}\). Then \(\mathcal{B}\) computes g and g^a as follows:

\(g=\prod_{i=0}^{q}\left(A_{i}\right)^{\alpha_{i}}=\tilde{g}^{f(a)}, g^{a}=\prod_{i=1}^{q+1}\left(A_{i}\right)^{\alpha_{t-1}}=\tilde{g}^{f(a) \cdot a}\)

Next, \(\mathcal{B}\) picks parameters \(\alpha, \beta \in \mathbb{Z}_{N}\) randomly, and for every attribute i ∈ U, it picks \(u_{i} \in \mathbb{Z}_{N}\) randomly. Finally, the public parameters are set as:

\(P P=\left(N, h=g^{\beta}, g, g^{a}, e(g, g)^{\alpha},\left\{U_{i}=g^{u_{i}}\right\}_{i \in U}\right)\).

• Key Query. \(\mathcal{B}\) makes key queries parameters for ( id_i , S_i ) to \(\mathcal{B}\) with i ≤ q. Let \(f_{i}(y)=f(y) /\left(y+c_{i}\right)=\prod_{j=1, j \neq i}^{q}\left(y+c_{i}\right)\), then \(\mathcal{B}\) expands f_i(y) to get \(f_{i}(y)=\sum_{j=0}^{q-1} \beta_{j} y^{j}\) and computes

\(\sigma_{i}=\prod_{j=0}^{q-1}\left(A_{j}\right)^{\beta_{j}}=\tilde{g}^{f_{i}(a)}=g^{1 /\left(a+c_{i}\right)}\)

Next, \(\mathcal{B}\) picks random parameters \(t \in \mathbb{Z}_{N}, R, R_{0}, R_{0}^{\prime} \in \mathbb{G}_{p_{3}}\), for every attribute \(x \in S_{i}\), it picks \(R_{x} \in \mathbb{G}_{p_{3}}\) randomly. Finally, it sets the key \(S K_{i d, S_{i}}\) as

\(\begin{aligned} &K=\left(\sigma_{i}\right)^{\alpha} h^{t} R=g^{\alpha /\left(a+c_{i}\right)} h^{t} R, K^{\prime}=c_{i}, L=g^{t} R_{0} \\ &L^{\prime}=g^{a t} R_{0}^{\prime},\left\{K_{x}=\left(g^{a} \cdot g^{c_{i}}\right)^{u_{t} t} R_{x}=U_{x}^{\left(a+c_{i}\right) t} R_{i}\right\}_{i \in S_{i}} \end{aligned}\)

Finally, \(\mathcal{B}\) adds the pair ( id_i , c_i ) into the tracing table T.

• Key Forgery. If \(\mathcal{A}\) does not win the game, \(\mathcal{B}\) will pick a bit β′∈ {0, 1} and tuple \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) randomly, which are used as the guess for Assumption 3 and \(l-\mathrm{SDH}\) problem. Otherwise, \(\mathcal{B}\)  will makes use of the long division method to write the function f( y ) to be \(f(y)=\eta(y)\left(y+K^{\prime}\right)+\eta_{-1}\) with the polynomial \(\eta(y)=\sum_{i=0}^{q-1} \eta_{i} y^{i}\) and \(\eta_{-1} \in \mathbb{Z}_{N}^{*}\). Next \(\mathcal{B}\) will compute \(\operatorname{gcd}\left(\gamma_{-1}, N\right)\).

(1) Assuming \(\operatorname{gcd}\left(\gamma_{-1}, N\right) \neq 1\).

If \(\mathcal{B}\) takes P_SDH as input, it will pick a bit β′∈ {0, 1} and tuple \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) randomly, which are used as the guess for Assumption 3 and \(l-\mathrm{SDH}\) problem.

If \(\mathcal{B}\) takes P_A3 as input, it will pick a random pair \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) as the guess for \(l-\mathrm{SDH}\) probem, and continues to determine β′ as follows:

\(\mathcal{B}\) obtains \(\left(n, n^{\prime}\right) \in \mathbb{Z}_{N}\) from the value of \(\operatorname{gcd}\left(\gamma_{-1}, N\right)\) satisfying \(n \cdot n^{\prime}=N\) and \(\left(n, n^{\prime}\right) \in\left\{\left(p_{1}, p_{2} p_{3}\right),\left(p_{2} p_{3}, p_{1}\right),\left(p_{2}, p_{1} p_{3}\right),\left(p_{1} p_{3}, p_{2}\right),\left(p_{3}, p_{1} p_{2}\right),\left(p_{1} p_{2}, p_{3}\right)\right\}\).

• If \(\tilde{g}^{n}=1\) and \(\left(Y_{2} Y_{3}\right)^{n^{\prime}}=1\), \(\mathcal{B}\) obtains n=p₁, otherwise obtains \(n^{\prime}=p_{1}\). Then \(\mathcal{B}\) computes \(e\left(T^{p_{1}}, X_{1} X_{2}\right)\) , and if its value equals to 1, \(\mathcal{B}\) sets β′= 1 , otherwise sets β′= 0.

• Otherwise, if \(X_{3}^{n}=1\) and \(\left(X_{1} X_{2}\right)^{n^{\prime}}=1\), \(\mathcal{B}\) obtains n = p₃ , otherwise obtains n' = p₃. Then \(\mathcal{B}\) computes \(e\left(T^{p_{3}}, Y_{2} Y_{3}\right)\), and if its value equals to 1, \(\mathcal{B}\) sets β′= 1, otherwise sets β′= 0.

• Otherwise, if \(X_{3}^{n}=1\), \(\mathcal{B}\) obtains n′= p₂ , otherwise if \(X_{3}^{n^{\prime}}=1\), it obtains n = p₂. Then \(\mathcal{B}\) computes \(T^{p_{1} p_{3}}\), and if its value equlas to 1, \(\mathcal{B}\) sets β′= 1, otherwise sets β′= 0.

(2) Assuming \(\operatorname{gcd}\left(\gamma_{-1}, N\right)=1\).

If \(\mathcal{B}\) takes P_A3 as input, it picks a bit β′∈ {0, 1} and tuple \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) randomly, which are used as the guess for Assumption 3 and \(l-\mathrm{SDH}\) problem.

If \(\mathcal{B}\) takes P_SDH as input, it picks a bit β′∈{0, 1} randomly as the guess for Assumption problem, and continues to determine \(\left(c_{r}, w_{r}\right) \in \mathbb{Z}_{p_{1}} \times \mathbb{G}_{p_{1}}\) as follows:

Let \(L=g^{t} L_{2} L_{3}\) where \(t \in \mathbb{Z}_{N}, L_{2} \in \mathbb{G}_{p_{2}}, L_{3} \in \mathbb{G}_{p_{3}}\). Additionally, we have \(L^{\prime}=g^{a t} L_{2}^{\prime} L_{3}^{\prime}\) and \(K=g^{\alpha /\left(a+K^{\prime}\right)} h^{t} K_{2} K_{3}\) where \(K_{2} \in \mathbb{G}_{p_{2}}, L_{2}^{\prime}, L_{3}^{\prime}, K_{3} \in \mathbb{G}_{p_{3}}\). Next, \(\mathcal{B}\) sets: 

\(\begin{aligned} \sigma &=\left(\left(K / L^{\beta}\right)^{p_{2} p_{3}}\right)^{\left(p_{2} p_{3} \alpha\right)^{-1}}=\tilde{g}^{1 /\left(a+K^{\prime}\right)}=\tilde{g}^{\eta(a)} \tilde{g}^{\eta_{-1} /\left(a+K^{\prime}\right)} \\ w_{r} &=\left(\sigma \cdot \prod_{i=0}^{q-1} A_{i}^{-\eta_{i}}\right)^{1 / \eta_{-1}}=\tilde{g}^{1 /\left(a+K^{\prime}\right)}, c_{r}=K^{\prime} \text { model } p_{1} \end{aligned}\)

Note that ( c_r , w_r ) is the solution for the \(l-\mathrm{SDH}\) problem.

4. Analysis

Next, the specific scheme analysis and experimental demonstration will be implemented Firstly, we describe all the symbols that will be used. S denotes a user's attributes set and |S| denotes the size; l denotes the rows of a span program \((\mathbb{A}, \rho) ;|\mathcal{D}|\) denotes the number of minimal sets for a MAS; m denotes the number of matching attributes during decryption; T_p denotes the pairing computations; \(E_{\mathbb{G}}\) and \(E_{\mathbb{G}_{T}}\) respectively denote the exponent operations in \(\mathbb{G}\) (or \(\mathbb{G}_{p_{1}}\)) and \(\mathbb{G}_{T} ;\left|\mathbb{G}_{p_{1}}\right|,\left|\mathbb{G}_{p_{1} p_{3}}\right|,|\mathbb{G}|\) and \(\left|\mathbb{G}_{T}\right|\) denote the element size in the group\(\mathbb{G}_{p_{1}}, \mathbb{G}_{p_{1}} \times \mathbb{G}_{p_{3}}, \mathbb{G}\) and \(\mathbb{G}_{T}\) respectively. \(\left|\mathbb{Z}_{p_{1}}\right|\) and \(\left|\mathbb{Z}_{N}\right|\) denote the element size in \(\mathbb{Z}_{p_{1}}\) and \(\mathbb{Z}_{N}\) respectively.

4.1 Scheme analysis

In this section, some comparisons are made between our scheme and several previous schemes to show our characteristics. From Table 1, we can see that while our scheme does not support authority accountability and large universe, it is proved adaptively secure in the standard model which is only achieved by Liu et al's traceable CP-ABE that our scheme base on.

Table 1. Troperty comparisons with other schemes

From Table 2, we can see that Zhang et al.' scheme needs more computation for generating the key in order to achieve authority accountability. Ning et al.'s scheme is constructed over prime order groups, which has high efficiency, however, just as is described above, the scheme is proved only selectively secure. Our scheme and Liu et al.'s scheme have the same public key size, user’s secret key size and key generation cost. However, the ciphertext size and encryption cost in Liu et al.s scheme are linear with l, the size of a LSSS, while in our scheme they are linear with | \(\mathcal{D}\) |, the size of minimal authorized sets in a MAS.

Table 2. Comparisons of communication and computation cost

4.2 Experimental verification

The experimental environment is 64 bit Ubuntu 14.04 operating system with Intel Core i7-3770 CPU (3.4 GHz) and memory 4G. The experimental code is modified and written based on PBC-0.5.14 [20] and cpabe-0.11 [21], and it uses the 160 bit elliptic curve group in hypersingular curve based on 512 bit finite field. The experimental result is the average value of that runs 20 times.

In this section, our proposed scheme is verified and compared with Liu's scheme [9] and Zhang's scheme [13] which are also constructed based on the composite order bilinear groups. We mainly consider the pairing and exponential operations in the groups \(\mathbb{G}\) and \(\mathbb{G}_{T}\). In the composite order bilinear groups, the time to run a pairing operation is about 1.26s, the exponential operation in the group \(\mathbb{G}\) is about 0.53s, and the exponential operation in the \(\mathbb{G}_{T}\) is about 0.18s. The specific computation time is shown in Table 3.

Table 3. Computation time

Assuming that the number of users' attributes and attributes matched during decryption are between 5 and 50.

As shown in Table 3 and Fig. 2, our scheme and Liu scheme [9] have the same key generation cost, which increases linearly with the number of users' attributes. For Zhang scheme [13], it requires zero knowledge proof of user and authorization attribute which increases communication cost, and its key generation cost is much higher than that of tour scheme and Liu scheme [9]. For decryption computation, as shown in Table 3 and Fig. 3, the decryption time of Liu scheme [9] is (3.23 m  1.79) s and Zhang scheme [13] is (3.76 m  5.55) s . The decryption cost of two schemes increases linearly with the number of matched attributes during decryption. However, the decryption cost of our scheme only needs three pairing operations and two exponential computations in the the group \(\mathbb{G}\), and the computation cost is a constant value 4.84. For encryption computation, as shown in Table 3, the encryption cost of Liu scheme [9] and Zhang scheme [13] increases linearly with the number of rows l of LSSS matrix representing monotonic access structure, while our scheme uses the set of minimum authorized subset to represent monotonic access structure, therefore, the encryption cost increases linearly with the set size of minimum authorized subset.

Fig. 2. The time of key generation

Fig. 3. The time of decryption

It must be noted that, there is not any obvious correlation between the size of minimal sets and corresponding access structure. Suppose that 1 < t < n , so |\(\mathcal{D}\)| is defined as \(|\mathcal{D}|=n ! /((n-t) ! t !)\) . It is obvious |\(\mathcal{D}\)| is greater than n, however, there is a LSSS , whose size is l = n, to achieve the (t, n ) -threshold access. Additionally, there exist some MAS for which |\(\mathcal{D}\)| is a constant value, however, the size of LSSS achieving MAS is polynomial with the number of attributes in the access structure. Take a simple example with n attributes, if we simply use the AND-gate, then |\(\mathcal{D}\)| equals to 1, however, the LSSS size equals to n, namely l = n. Next, we examples. If \(\mathbb{S}_{0}=\left\{A_{1}=\left\{s_{1}, \ldots, s_{\lceil n / 2\rceil}\right\}\right.\), \(\left.A_{2}=\left\{s_{\lceil n / 2\rceil+1}, \ldots, s_{n}\right\}\right\}\) is the collection of minimal sets for a MAS, \(\mathbb{S}\) , with attributes \(S_{1}, S_{2}, \ldots, S_{n}\), then we have  |\(\mathcal{D}\)| =2 and the size l of LSSS achieving \(\mathbb{S}\) is at least \(\mathcal{O}(n)\). Similarly, if \(\mathbb{S}_{0}=\left\{A_{1}=\left\{s_{1}, \ldots, s_{\lceil n / 3}\right\}, A_{2}=\left\{s_{\lceil n / 3\rceil+1}, \ldots, s_{\lceil 2 n / 3}\right\rceil, A_{3}=\left\{s_{\lceil 2 n / 3\rceil+1}, \ldots, s_{n}\right\}\right\}\), then we have|\(\mathcal{D}\)| =3 and l is also at least \(\mathcal{O}(n)\). Therefore, our scheme has shorter ciphertext under these circumstances.

The most important is that our decryption needs only three pairing operations and two exponent operations in \(\mathbb{G}\), which are both constant in our scheme, while they are linear with the matching attributes m in the other three schemes.