
Fully Secure Decentralized Ciphertext-Policy Attribute-Based Encryption in Standard Model

  • Conference paper
Information Security and Cryptology (Inscrypt 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11449)

Abstract

In this paper, we introduce a new multi-authority ciphertext-policy attribute-based encryption (MA-CP-ABE) system. In our system, there are multiple central authorities (CAs) and attribute authorities (AAs). The CAs do not need to coordinate or even be aware of each other, and neither do the AAs. In particular, we present two constructions that are proved secure in the standard model. Our first scheme is fully secure under static assumptions in composite-order bilinear groups, and works for any monotone access structure. The second one achieves constant-size ciphertexts for AND-gate policies in prime-order groups. Its security is proved under the decisional linear (DLIN) assumption.

Supported by the National Natural Science Foundation of China (No. 61379150, No. 61502529 and No. 61502533).


Notes

  1. We note that 1-Lin is DDH, and 2-Lin is DLIN.

Author information

Corresponding author

Correspondence to Aijun Ge.

Appendices

A Proof of Security for Scheme I

We first define the semi-functional ciphertexts and semi-functional keys as follows.

Semi-functional Ciphertexts. We let \( C'_{0},C'_{1,x},C'_{2,x},C'_{3,x} \) denote the normal ciphertexts. We define \( V_{G}=\{\mathbf {M}_{x} \mid \rho (x) \text{ belongs to good authorities}\} \) and \( V_{C}=\{\mathbf {M}_{x} \mid \rho (x) \text{ belongs to corrupted authorities}\} \). We choose random values \(y_i,z_i \in \mathbb {Z}_{N}\) for each attribute \(att_i\), two random vectors \( \varvec{u}_2,\varvec{u}_3 \in \mathbb {Z}_{N}^{l} \), and set \(\delta _x=\mathbf {M}_x\cdot \varvec{u}_2, \sigma _x=\mathbf {M}_x\cdot \varvec{u}_3\). For each row \( \mathbf {M}_x \in V_{G} \), we choose \( \gamma _x,\psi _x \in \mathbb {Z}_{N}\) randomly. We define the semi-functional ciphertexts as follows: \( C_{0}=C'_{0} \),

$$\begin{aligned} C_{1,x}&=C'_{1,x},C_{2,x}=C'_{2,x}g_{2}^{\gamma _x}g_{3}^{\psi _x},C_{3,x}=C'_{3,x}g_{2}^{\delta _x+\gamma _xy_{\rho (x)}}g_{3}^{\sigma _x+\psi _xz_{\rho (x)}}, \mathbf {M}_x \in V_{G}\\ C_{1,x}&=C'_{1,x},C_{2,x}=C'_{2,x},C_{3,x}=C'_{3,x}g_{2}^{\delta _x}g_{3}^{\sigma _x}, \mathbf {M}_x \in V_{C} \end{aligned}$$

Semi-functional Keys. There are two types of semi-functional keys. They are defined as follows. Pick random value \( c \in \mathbb {Z}_{N} \), then set

$$\begin{aligned} \mathrm {Type \ 1 }: SK_{GID,S}&=\{GID,S,g_{1}^{r}g_{2}^{c},j,\mathsf {Sign}(Signkey,GID||S||g_{1}^{r}g_{2}^{c}||j)\} \\ SK_{GID,i}&=g_{1}^{\alpha _{i}}g_{1}^{rt_{i}}g_{2}^{cy_{i}} \\ \mathrm {Type \ 2 }: SK_{GID,S}&=\{GID,S,g_{1}^{r}g_{3}^{c},j,\mathsf {Sign}(Signkey,GID||S||g_{1}^{r}g_{3}^{c}||j)\} \\ SK_{GID,i}&=g_{1}^{\alpha _{i}}g_{1}^{rt_{i}}g_{3}^{cz_{i}} \end{aligned}$$

Game Sequence. We let \(\mathsf {Adv}^{\mathsf {Game}_{X}}_{\mathcal {A}}\) denote the advantage of \(\mathcal {A}\) in \(\mathsf {Game}_{X}\).

  • \(\mathsf {Game}_{\mathsf {0}}\): the real security game.

  • \(\mathsf {Game}_{\mathsf {1}}\): the challenge ciphertext becomes semi-functional.

  • \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) for \(\eta = 1,\ldots ,q\): for the first \(\eta -1\) queried identities, the received keys are semi-functional of type 2, and the received key for the \(\eta \)’th queried identity is semi-functional of type 1.

  • \(\mathsf {Game}_{\mathsf {2,\eta ,2}}\) for \(\eta = 0,\ldots ,q\): for the first \( \eta \) queried identities, the received keys are semi-functional of type 2. We let \(\mathsf {Game}_{\mathsf {2,0,2}}\) denote \(\mathsf {Game}_{\mathsf {1}}\).

  • \(\mathsf {Game}_{\mathsf {3}}\): generate a semi-functional ciphertext of a random message \(m'\in \mathbb {G}_{T}\) as the challenge ciphertext.

Theorem 1 follows from the lemmas below.

Lemma 4

(from \(\mathsf {Game}_{\mathsf {0}}\) to \(\mathsf {Game}_{\mathsf {1}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {0}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {1}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{Assu1}_{\mathcal {B}}(\lambda ). \)

Proof

The adversary \(\mathcal {B}\) gets input \((N,g_1,T)\), where T is from \(G_{p_1}\) or G. \(\mathcal {B}\) proceeds as follows.

\(\mathsf {Setup}\): Pick \(\alpha _{i},t_i\in \mathbb {Z}_{N}\) and a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\). Output \( GPK =\{N,G,G_{T},e,g_{1},\varSigma _{sign}\}, CPK_j= \mathsf {Verifykey}_{j}, APK_{j}=\{e(g_{1},g_{1})^{\alpha _{i}},g_{1}^{t_{i}}\}_{att_{i}\in U_{j}} \). In addition, \(\{\alpha _{i},t_{i}|att_{i}\in U \backslash U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {Key \ Queries}\): \( \mathcal {B}\) answers \( \mathcal {A}\) by executing the \( \mathsf {CKeyGen}\) and \( \mathsf {AKeyGen}\) algorithms for \(\mathsf {CKeyGen \ Query}\) and \(\mathsf {AKeyGen \ Query}\), respectively.

\(\mathsf {Challenge}\): Upon receiving challenge \( m_{0},m_{1} \) and \((\mathbf {M},\rho )\), \( \mathcal {B}\) picks a random bit \(\beta \in \{0,1\}\). \( \mathcal {B}\) chooses two random vectors \( \varvec{v}=(s,v_2,\ldots ,v_l) \) and \( \varvec{w}'=(0,w_2,\ldots ,w_l) \). We let \(\lambda _{x}=\mathbf {M}_{x}\cdot \varvec{v}\) and \( w'_{x}=\mathbf {M}_{x}\cdot \varvec{w}' \). For \( \mathbf {M}_x \in V_G\), \( \mathcal {B}\) chooses a random number \( s'_x \in \mathbb {Z}_{N} \). For \( \mathbf {M}_x \in V_C\), \( \mathcal {B}\) chooses a random number \( s_x \in \mathbb {Z}_{N} \). Then set \( C_{0}=m_\beta \cdot e(g_{1},g_{1})^{s} \). For \(\mathbf {M}_x \in V_C,\) \(C_{1,x}=e(g_1,g_1)^{\lambda _x}e(g_1,g_1)^{\alpha _{\rho (x)} s_x},\) \(C_{2,x}=g_{1}^{s_x},\) \(C_{3,x}=g_{1}^{s_x t_{\rho (x)}}T^{w'_x}.\) For \(\mathbf {M}_x \in V_G,\) \(C_{1,x}=e(g_1,g_1)^{\lambda _x}e(g_1,T)^{\alpha _{\rho (x)} s'_x},\) \(C_{2,x}=T^{s'_x},\) \(C_{3,x}=T^{s'_x t_{\rho (x)}}T^{w'_x}.\)

If \( T \in G_{p_1} \), suppose that \( T=g_1^a \) where a is a random value. We have a well distributed normal ciphertext with \( s_x=as'_x \) (for rows in \( V_G \)), \( w_x=aw'_x=\mathbf {M}_x\cdot a\varvec{w} \).

If \( T \in G \), suppose that \( T=g_1^ag_2^bg_3^c \) where a, b, c are random values. We have \( w_x=aw'_x=\mathbf {M}_x\cdot a\varvec{w} \) mod \( p_1 \), \( \delta _x=bw'_x=\mathbf {M}_x\cdot b\varvec{w}' \) mod \( p_2 \), \( \sigma _x=cw'_x=\mathbf {M}_x\cdot c\varvec{w}' \) mod \( p_3 \). For rows in \( V_G \), \( s_x=as'_x \) mod \( p_1 \), \( \gamma _x=bs'_x \) mod \( p_2 \), \( \psi _x=cs'_x \) mod \( p_3 \), \( y_{\rho (x)}=t_{\rho (x)} \) mod \( p_2 \), \( z_{\rho (x)}=t_{\rho (x)} \) mod \( p_3 \).

Since \( s'_x,t_{\rho (x)} \) are chosen randomly in \( \mathbb {Z}_{N} \), by the Chinese Remainder Theorem, \( \gamma _x,\psi _x,y_{\rho (x)},z_{\rho (x)} \) are randomly distributed. In addition, \( \delta _x \) and \( \sigma _x \) are also well distributed, except that they are shares of 0. We now argue that, to the adversary, these look no different from shares of a random value.

We let R denote the space spanned by the rows in \( V_C \). We note that the vector \( (1,0,\ldots ,0) \) does not belong to R. Then there is some vector \( \varvec{u} \) that is orthogonal to R but not orthogonal to \( (1,0,\ldots ,0) \). We fix a basis including the vector \( \varvec{u} \), and write \( b\varvec{w}'=\varvec{w}''+ f\varvec{u}\) mod \( p_2 \), where \( f \in \mathbb {Z}_{p_2} \) and \( \varvec{w}'' \) is in the span of the basis elements excluding \( \varvec{u} \). Since \( \varvec{u} \) is not orthogonal to \( (1,0,\ldots ,0) \), the first entry of \( b\varvec{w}' \) mod \( p_2 \) depends on f. As \( \varvec{u} \) is orthogonal to R, the only places \( f\varvec{u} \) appears are in equations of the form \( \delta _x+\gamma _xz_{\rho (x)} \). Since \( \rho \) is injective, each of these equations introduces a new unknown \( z_{\rho (x)} \) that appears nowhere else as long as \( \gamma _x \ne 0 \) mod \( p_2 \), and so no information about f is leaked to \( \mathcal {A}\). Thus the shares \( \delta _x \) are properly distributed in \( \mathcal {A}\)’s view. Similarly, we can prove that \( \sigma _x \) are also properly distributed in \( \mathcal {A}\)’s view. Observe that \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_{\mathsf {0}}\) when \(T \in G_{p_1}\), and \(\mathsf {Game}_{\mathsf {1}}\) when \(T \in G\). Hence, \(\mathcal {B}\) can determine the distribution of T by using \(\mathcal {A}\).

Lemma 5

(from \(\mathsf {Game}_{\mathsf {2,\eta -1,2}}\) to \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta -1,2}}}_{\mathcal {A}}(\lambda )\! -\! \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,1}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{Assu2}_{\mathcal {B}}(\lambda ). \)

Proof

The adversary \(\mathcal {B}\) gets input \((N,g_1,g_3,X_1X_2,T)\), where T is from \(G_{p_1}\) or \(G_{p_1p_2}\). \(\mathcal {B}\) proceeds as follows.

\(\mathsf {Setup}\): Pick \(\alpha _{i},t_i\in \mathbb {Z}_{N}\) and a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\). Output \(GPK =\{N,G,G_{T},e,g_{1},\varSigma _{sign}\},CPK_j= \mathsf {Verifykey}_{j}, APK_{j}=\{e(g_{1},g_{1})^{\alpha _{i}},g_{1}^{t_{i}}\}_{att_{i}\in U_{j}}\). In addition, \(\{\alpha _{i},t_{i}|att_{i}\in U \backslash U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {Key \ Queries}:\) We let \(GID_{\theta }\) denote the \(\theta \)’th identity queried by \(\mathcal {A}\).

  • \(\mathsf {CKeyGen \ Query}{:}\) When \(\mathcal {A}\) queries an identity key of \(GID_{\theta }\) along with attribute set \(S_{\theta }\), \(\mathcal {B}\) chooses random values \( r_\theta ,c_\theta \in \mathbb {Z}_{N} \) and outputs

    $$\begin{aligned} SK_{GID_{\theta },S_{\theta }}=\left\{ \begin{array}{lll} \{GID_\theta ,S_\theta ,g_{1}^{r_\theta }g_3^{c_\theta },k,\mathsf {Sign}(Signkey,*)\} \quad &{} \theta < \eta \\ \{GID_\theta ,S_\theta ,T^{r_\theta },k,\mathsf {Sign}(Signkey,*)\} \quad &{} \theta = \eta \\ \{GID_\theta ,S_\theta ,g_1^{r_\theta },k,\mathsf {Sign}(Signkey,*)\} \quad &{} \theta > \eta \end{array} \right. \end{aligned}$$
  • \(\mathsf {AKeyGen \ Query}{:}\) When \(\mathcal {A}\) queries an attribute key of \(att_{i}\) of \(GID_{\theta }\), \(\mathcal {B}\) first verifies the signature. If true, then outputs

    $$\begin{aligned} SK_{GID_{\theta },i}=\left\{ \begin{array}{lll} g_{1}^{\alpha _{i}}g_{1}^{r_\theta t_{i}}g_{3}^{c_\theta t_i} \quad &{} \theta < \eta \\ g_{1}^{\alpha _{i}}T^{r_\theta t_{i}} \quad &{} \theta = \eta \\ g_{1}^{\alpha _{i}}g_{1}^{r_\theta t_{i}} &{} \theta > \eta \end{array} \right. \end{aligned}$$

\(\mathsf {Challenge}{:}\) Upon receiving challenge \( m_{0},m_{1} \) and \((\mathbf {M},\rho )\), \( \mathcal {B}\) picks a random bit \(\beta \in \{0,1\}\). \( \mathcal {B}\) chooses three random vectors \( \varvec{v}=(s,v_2,\ldots ,v_l) \), \( \varvec{w}'=(0,w_2,\ldots ,w_l) \) and \( \varvec{u}_3 \). We let \( \lambda _{x}=\mathbf {M}_{x}\cdot \varvec{v} \), \( w'_{x}=\mathbf {M}_{x}\cdot \varvec{w}' \) and \( \sigma _{x}=\mathbf {M}_{x}\cdot \varvec{u}_3 \). For \( \mathbf {M}_x \in V_G\), \( \mathcal {B}\) chooses random number \( s'_x,\psi _x \in \mathbb {Z}_{N} \). For \( \mathbf {M}_x \in V_C\), \( \mathcal {B}\) chooses random number \( s_x \in \mathbb {Z}_{N} \). Then set \( C_{0}=m_\beta \cdot e(g_{1},g_{1})^{s} \). For \(\mathbf {M}_x \!\in \!V_C,\) \(C_{1,x}\!=\!e(g_1,g_1)^{\lambda _x}e(g_1,g_1)^{\alpha _{\rho (x)} s_x},\) \(C_{2,x}\!=\!g_{1}^{s_x},C_{3,x}=g_{1}^{s_x t_{\rho (x)}}(X_1X_2)^{w'_x}g_3^{\sigma _x}.\) For \(\mathbf {M}_x \!\in \! V_G,\) \(C_{1,x}=\!e(g_1,g_1)^{\lambda _x}e(g_1,X_1X_2)^{\alpha _{\rho (x)} s'_x},\) \(C_{2,x}=\!(X_1X_2)^{s'_x}g_3^{\psi _x},\) \(C_{3,x}=(X_1X_2)^{s'_xt_{\rho (x)}} (X_1X_2)^{w'_x}g_3^{\psi _xt_{\rho (x)}+\sigma _x}.\)

Suppose that \( X_1X_2=g_1^ag_2^b \) where a, b are random values. We have \( w_x=aw'_x=\mathbf {M}_x\cdot a\varvec{w} \) mod \( p_1 \), \( \delta _x=bw'_x=\mathbf {M}_x\cdot b\varvec{w}' \) mod \( p_2 \). For rows in \( V_G \), \( s_x=as'_x \) mod \( p_1 \), \( \gamma _x=bs'_x \) mod \( p_2 \), \( y_{\rho (x)}=t_{\rho (x)} \) mod \( p_2 \), \( z_{\rho (x)}=t_{\rho (x)} \) mod \( p_3 \).

Since \( s'_x,t_{\rho (x)},\psi _x \) are chosen randomly in \( \mathbb {Z}_{N} \), by the Chinese Remainder Theorem, \( \gamma _x,\psi _x,y_{\rho (x)},z_{\rho (x)} \) are randomly distributed. \( \sigma _x \) is properly distributed since \( \varvec{u}_3 \) is a random vector. However, the \( \delta _x \)’s are shares of 0. We now argue that, to the adversary, these look no different from shares of a random value.

We let R denote the space spanned by the rows in \( V_C \) and the rows whose attributes \(\rho (x)\) are queried by \(\mathcal {A}\) with identity \( GID_j \). We note that the vector \( (1,0,\ldots ,0) \) does not belong to R. Then there is some vector \( \varvec{u} \) that is orthogonal to R but not orthogonal to \( (1,0,\ldots ,0) \). We fix a basis including the vector \( \varvec{u} \), and write \( b\varvec{w}'=\varvec{w}''+ f\varvec{u}\) mod \( p_2 \), where \( f \in \mathbb {Z}_{p_2} \) and \( \varvec{w}'' \) is in the span of the basis elements excluding \( \varvec{u} \). Since \( \varvec{u} \) is not orthogonal to \( (1,0,\ldots ,0) \), the first entry of \( b\varvec{w}' \) mod \( p_2 \) depends on f. As \( \varvec{u} \) is orthogonal to R, the only places \( f\varvec{u} \) appears are in equations of the form \( \delta _x+\gamma _xz_{\rho (x)} \). Since \( \rho \) is injective, each of these equations introduces a new unknown \( z_{\rho (x)} \) that appears nowhere else as long as \( \gamma _x \ne 0 \) mod \( p_2 \), and so no information about f is leaked to \( \mathcal {A}\). Thus the shares \( \delta _x \) are properly distributed in \( \mathcal {A}\)’s view. Observe that \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_{\mathsf {2,\eta -1,2}}\) when \(T \in G_{p_1}\), and \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) when \(T \in G_{p_1p_2}\). Hence, \(\mathcal {B}\) can determine the distribution of T by using adversary \(\mathcal {A}\).
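The share-hiding step used in the proofs of Lemmas 4 and 5 can be checked numerically. The following is an added example, not code from the paper: it works over a prime field standing in for the mod \( p_2 \) component, and the LSSS matrix, the row set playing the role of R, and all function names are constructed for illustration.

```python
# Added illustration (not from the paper): shares of 0 versus shares of f
# as seen on an unauthorized row set R, over a prime field Z_p.
import random

P = 2**61 - 1  # prime modulus (assumption; the proof argues mod p_2)

# Constructed LSSS matrix for (A AND B) OR (C AND D); one attribute per row,
# so the row-labelling map rho is injective as the proof requires.
M = {"A": [1, 1, 0], "B": [0, -1, 0], "C": [1, 0, 1], "D": [0, 0, -1]}


def dot(a, b, p=P):
    return sum(x * y for x, y in zip(a, b)) % p


def solve_mod(A, b, p=P):
    """Return one x with A x = b (mod p), or None if the system is inconsistent."""
    rows = [[a % p for a in r] + [bi % p] for r, bi in zip(A, b)]
    n, r, pivots = len(A[0]), 0, []
    for c in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [(v * inv) % p for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % p for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in rows[r:]):
        return None  # a row reads 0 = nonzero
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = rows[i][-1]
    return x


def reconstruction_coeffs(rows, p=P):
    """Coefficients c_x with sum c_x * M_x = (1,0,...,0); None if unauthorized."""
    l = len(rows[0])
    transposed = [[row[j] for row in rows] for j in range(l)]
    return solve_mod(transposed, [1] + [0] * (l - 1), p)


def blinding_vector(rows, p=P):
    """Vector u orthogonal to every given row with first entry 1.
    It exists exactly when (1,0,...,0) is not in the span of the rows."""
    l = len(rows[0])
    e1 = [1] + [0] * (l - 1)
    return solve_mod(rows + [e1], [0] * len(rows) + [1], p)


def shares(vec, p=P):
    return {x: dot(row, vec, p) for x, row in M.items()}


def demo(seed=1):
    rng = random.Random(seed)            # fixed seed: constructed sample values
    R = ["A", "C"]                       # unauthorized row set (plays the role of R)
    w0 = [0, rng.randrange(P), rng.randrange(P)]   # like w': shares of 0
    f = rng.randrange(1, P)
    u = blinding_vector([M[x] for x in R])
    wf = [(a + f * b) % P for a, b in zip(w0, u)]  # w' + f*u: first entry is f
    s0, sf = shares(w0), shares(wf)
    return {
        "u": u,
        "first_entry_is_f": wf[0] == f,
        "same_on_R": all(s0[x] == sf[x] for x in R),
        "rows_that_differ": [x for x in M if s0[x] != sf[x]],
        "coeffs_AB": reconstruction_coeffs([M["A"], M["B"]]),
        "coeffs_AC": reconstruction_coeffs([M[x] for x in R]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The rows outside R are the only ones on which the two sharings differ; in the proof those are the rows whose exponents carry the extra term \( \gamma _x z_{\rho (x)} \), which is what masks f from the adversary.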

Lemma 6

(from \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) to \(\mathsf {Game}_{\mathsf {2,\eta ,2}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,1}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,2}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{Assu3}_{\mathcal {B}}(\lambda ). \)

Proof

The adversary \(\mathcal {B}\) gets input \((N,g_1,X_1X_3,Y_2Y_3,T)\), where T is from \(G_{p_1p_2}\) or \(G_{p_1p_3}\). \(\mathcal {B}\) proceeds as follows.

\(\mathsf {Setup}\): Pick \(\alpha _{i},t_i\in \mathbb {Z}_{N}\) and a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\). Output \(GPK =\{N,G,G_{T},e,g_{1},\varSigma _{sign}\},CPK_k= \mathsf {Verifykey}_{k}, APK_{k}=\{e(g_{1},g_{1})^{\alpha _{i}},g_{1}^{t_{i}}\}_{att_{i}\in U_{k}} \). In addition, \(\{\alpha _{i},t_{i}|att_{i}\in U \backslash U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {Key \ Queries}:\) We let \(GID_{\theta }\) denote the \(\theta \)’th identity queried by \(\mathcal {A}\).

  • \(\mathsf {CKeyGen \ Query}{:}\) When \(\mathcal {A}\) queries an identity key of \(GID_{\theta }\) along with attribute set \(S_{\theta }\), \(\mathcal {B}\) chooses a random value \( r_\theta \in \mathbb {Z}_{N} \) and outputs

    $$\begin{aligned} SK_{GID_{\theta },S_{\theta }}=\left\{ \begin{array}{lll} \{GID_\theta ,S_\theta ,(X_1X_3)^{r_\theta },k,\mathsf {Sign}(Signkey,*)\} \quad &{} \theta < \eta \\ \{GID_\theta ,S_\theta ,T^{r_\theta },k,\mathsf {Sign}(Signkey,*)\} \quad &{} \theta = \eta \\ \{GID_\theta ,S_\theta ,g_1^{r_\theta },k,\mathsf {Sign}(Signkey,*)\} \quad &{} \theta > \eta \end{array} \right. \end{aligned}$$
  • \(\mathsf {AKeyGen \ Query}{:}\) When \(\mathcal {A}\) queries an attribute key of \(att_{i}\) of \(GID_{\theta }\), \(\mathcal {B}\) first verifies the signature. If true, then outputs

    $$\begin{aligned} SK_{GID_{\theta },i}=\left\{ \begin{array}{lll} g_{1}^{\alpha _{i}}(X_1X_3)^{r_\theta t_{i}} \quad &{} \theta < \eta \\ g_{1}^{\alpha _{i}}T^{r_\theta t_{i}} \quad &{} \theta = \eta \\ g_{1}^{\alpha _{i}}g_{1}^{r_\theta t_{i}} &{} \theta > \eta \end{array} \right. \end{aligned}$$

\(\mathsf {Challenge}{:}\) Upon receiving challenge \( m_{0},m_{1} \) and \((\mathbf {M},\rho )\), \( \mathcal {B}\) picks a random bit \(\beta \in \{0,1\}\). \( \mathcal {B}\) chooses three random vectors \( \varvec{v}=(s,v_2,\ldots ,v_l) \), \( \varvec{w}=(0,w_2,\ldots ,w_l) \) and \( \varvec{u}=(u_1,\ldots ,u_l) \). We let \( \lambda _{x}=\mathbf {M}_{x}\cdot \varvec{v} \), \( w_{x}=\mathbf {M}_{x}\cdot \varvec{w} \) and \( \delta '_{x}=\mathbf {M}_{x}\cdot \varvec{u} \). For each row \( \mathbf {M}_x \), \( \mathcal {B}\) chooses random number \( s_x \in \mathbb {Z}_{N} \). Then set \( C_{0}=m_\beta \cdot e(g_{1},g_{1})^{s} \). For \(\mathbf {M}_x \in V_C,\) \(C_{1,x}=e(g_1,g_1)^{\lambda _x}e(g_1,g_1)^{\alpha _{\rho (x)} s_x},\) \(C_{2,x}=g_{1}^{s_x},C_{3,x}=g_{1}^{s_x t_{\rho (x)}}g_1^{w_x}(Y_2Y_3)^{\delta '_x}.\) For \( \mathbf {M}_x \in V_G,\) \(C_{1,x}=e(g_1,g_1)^{\lambda _x}e(g_1,g_1)^{\alpha _{\rho (x)} s_x},\) \(C_{2,x}=g_1^{s_x}(Y_2Y_3)^{s_x},\) \(C_{3,x}=g_1^{s_xt_{\rho (x)}}g_1^{w_x}(Y_2Y_3)^{s_xt_{\rho (x)}+\delta '_x}.\)

Suppose that \( Y_2Y_3=g_2^bg_3^c \) where b, c are random values. We have \( \delta _x=b\delta '_x=\mathbf {M}_x\cdot b\varvec{u} \) mod \( p_2 \), \( \sigma _x=c\delta '_x=\mathbf {M}_x\cdot c\varvec{u} \) mod \( p_3 \), \( \gamma _x=bs_x \) mod \( p_2 \), \( \psi _x=cs_x \) mod \( p_3 \), \( y_{\rho (x)}=t_{\rho (x)} \) mod \( p_2 \), \( z_{\rho (x)}=t_{\rho (x)} \) mod \( p_3 \).

Since \( s_x,t_{\rho (x)},\psi _x \) are chosen randomly in \( \mathbb {Z}_{N} \), \( \gamma _x,\psi _x,y_{\rho (x)},z_{\rho (x)} \) are randomly distributed. We note that \( \delta _x , \sigma _x \) are also properly distributed since \( \varvec{u} \) is a random vector. Observe that, \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) when \(T \in G_{p_1p_2}\), and \(\mathsf {Game}_{\mathsf {2,\eta ,2}}\) when \(T \in G_{p_1p_3}\). Hence, \(\mathcal {B}\) can determine the distribution of T by using adversary \(\mathcal {A}\).

Lemma 7

(from \(\mathsf {Game}_{\mathsf {2,\textit{q},2}}\) to \(\mathsf {Game}_{\mathsf {3}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\textit{q},2}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {3}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{Assu4}_{\mathcal {B}}(\lambda ).\)

Proof

The adversary \(\mathcal {B}\) gets input \((N,g_1,g_2,g_3,g_1^a,g_1^bg_3^b,g_1^c,g_1^{ac}g_3^d,T)\), where \(T=e(g_1,g_1)^{abc}\) or T is a random element in \( G_T \). \(\mathcal {B}\) proceeds as follows.

\(\mathsf {Setup}\): We assume that \(\mathcal {A}\) corrupts all AAs but \( AA_1 \). For each attribute \( att_i \) belonging to \( AA_1 \), \( \mathcal {B}\) picks \(\alpha _{i}',t'_i\in \mathbb {Z}_{N}\), and implicitly sets \( \alpha _i=\alpha '_i+ab, t_i=t'_i+a \). For each attribute \( att_i \) belonging to a corrupted authority, \( \mathcal {B}\) picks \(\alpha _{i},t_i\in \mathbb {Z}_{N}\). \( \mathcal {B}\) also chooses a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\) and outputs \( GPK =\{N,G,G_{T},e,g_{1},\varSigma _{sign}\}, CPK_j= \mathsf {Verifykey}_{j},\)

\(APK_{j}=\left\{ \begin{array}{ll} \{e(g_1^a,g_1^bg_3^b)e(g_{1},g_{1})^{\alpha '_{i}},g_1^ag_{1}^{t'_{i}}\}_{att_{i}\in U_{j}} \quad &{}j=1\\ \{e(g_{1},g_{1})^{\alpha _{i}},g_{1}^{t_{i}}\}_{att_{i}\in U_{j}} \quad &{}j \ne 1 \end{array} \right. \)

In addition, \(\{\alpha _{i},t_{i}|att_{i}\in U \backslash U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {CKeyGen \ Query}:\) When \(\mathcal {A}\) queries an identity key of GID along with attribute set S, \(\mathcal {B}\) chooses random values \( f,h \in \mathbb {Z}_{N} \) and outputs

\(SK_{GID,S}=\{GID,S,(g_1^bg_3^b)^{-1}g_1^fg_3^h,k,\mathsf {Sign}(Signkey,*)\}\)

\(\mathsf {AKeyGen \ Query}:\) When \(\mathcal {A}\) queries an attribute key of \(att_{i}\) of GID, \(\mathcal {B}\) first verifies the signature. If true, then outputs

$$SK_{GID,i}=g_{1}^{\alpha '_{i}+ft'_i}(g_1^a)^f(g_1^bg_3^b)^{-t'_i}g_3^{ht'_i}=g_1^{\alpha _i}g_1^{(f-b)t_i}g_3^{(h-b)t'_i} $$

\(\mathsf {Challenge}{:}\) Upon receiving challenge \( m_{0},m_{1} \) and \((\mathbf {M},\rho )\), \( \mathcal {B}\) picks a random bit \(\beta \in \{0,1\}\). \( \mathcal {B}\) chooses random vectors \( \varvec{v}_1=(1,v_{1,2},\ldots ,v_{1,l}) \), satisfying the condition that \( \varvec{v}_1 \) is orthogonal to the rows in \( V_C \), \( \varvec{v}_2=(0,v_{2,2},\ldots ,v_{2,l}) \), \( \varvec{w}=(0,w_2,\ldots ,w_l) \) and \( \varvec{u}=(u_1,\ldots ,u_l) \). We let \( \varvec{v}=abc\varvec{v}_1+\varvec{v}_2 \), \( \lambda _{x}=\mathbf {M}_{x}\cdot \varvec{v} \), \( w_{x}=\mathbf {M}_{x}\cdot \varvec{w} \) and \( \delta _{x}=\mathbf {M}_{x}\cdot \varvec{u} \). Then set \( C_{0}=m_\beta \cdot T \).

For \( \mathbf {M}_x \in V_C \), \( \mathcal {B}\) chooses random values \( s_x \in \mathbb {Z}_{N} \) and sets

\( C_{1,x}=e(g_1,g_1)^{\mathbf {M}_x\cdot \varvec{v}_2}e(g_1,g_1)^{\alpha _{\rho (x)} s_x},\) \(C_{2,x}=g_{1}^{s_x},C_{3,x}=g_{1}^{s_x t_{\rho (x)}}g_1^{w_x}(g_2g_3)^{\delta _x}. \)

For \( \mathbf {M}_x \in V_G \), \( \mathcal {B}\) chooses random values \( s'_x,\gamma _x \in \mathbb {Z}_{N} \) and implicitly sets \( s_x=-c\mathbf {M}_x\cdot \varvec{v}_1+s'_x \), then outputs

\( C_{1,x}=e(g_1,g_1^c)^{-\alpha '_{\rho (x)}\mathbf {M}_x\cdot \varvec{v}_1}e(g_1^a,g_1^bg_3^b)^{s'_x}e(g_1,g_1)^{\mathbf {M}_x\cdot \varvec{v}_2+\alpha '_{\rho (x)}s'_x},\)

\(C_{2,x}=(g_1^c)^{-\mathbf {M}_x\cdot \varvec{v}_1+s'_x}(g_2g_3)^{\gamma _x},\)

\(C_{3,x}=g_1^{w_x}(g_1^c)^{- t'_{\rho (x)}\mathbf {M}_x\cdot \varvec{v}_1}(g_1^a)^{s'_x}g_1^{t'_{\rho (x)}s'_x}(g_1^{ac}g_3^d)^{-\mathbf {M}_x\cdot \varvec{v}_1}(g_2g_3)^{\gamma _xt'_{\rho (x)}+\delta _x}.\)

If \( T=e(g_1,g_1)^{abc} \), then this is a well distributed semi-functional ciphertext of \( m_\beta \) with \( s=abc \). If T is a random element in \( G_T \), then this is a semi-functional ciphertext of a random message. Observe that, \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_{\mathsf {2,\textit{q},2}}\) when \(T=e(g_1,g_1)^{abc}\), and \(\mathsf {Game}_{\mathsf {3}}\) when T is a random element in \( G_T \). Hence, \(\mathcal {B}\) can determine the distribution of T by using adversary \(\mathcal {A}\).

B Proof of Security for Scheme II

We first define two auxiliary algorithms and then the semi-functional distributions via these auxiliary algorithms.

Auxiliary algorithms

\(\widehat{\mathsf {Enc}}(\mathsf {pp},m,Y;g_{2}^{\varvec{k}_{i}},\varvec{t})\): On input \(\varvec{t}:=(T_{0},T_{1},\ldots ,T_{n}) \in \mathbb {G}^{n+1}\), output

$$\begin{aligned} C_{0}=m\cdot \prod \limits _{att_{i}\in \varOmega }e(T_{0},g_{2}^{\varvec{k}_{i}}),C_{1}=\prod \limits _{att_{i}\in \varOmega }T_{i},C_{2}=T_{0} \end{aligned}$$

\(\widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID,S;\varvec{t})\): On input \(\varvec{t}:=(T_{0},\ldots ,T_{n}) \in \mathbb {H}^{n+1}\), output

$$\begin{aligned} SK_{GID,S}=\{GID,S,T_{0},\mathsf {Sign}(Signkey,GID||S||T_{0})\} \end{aligned}$$

\(\widehat{\mathsf {AKeyGen}}(\mathsf {pp},C\!P\!K,g_{2}^{\varvec{k}_{i}},SK_{GID,S},att_{i};\varvec{t})\): On input \(\varvec{t}\!:\!=\!(T_{0},\ldots ,T_{n})\! \in \! \mathbb {H}^{n+1}\), output \( SK_{GID,i}=g_{2}^{\varvec{k}_{i}}\cdot T_{i} \)

Auxiliary distributions

Normal ciphertext: \( \widehat{\mathsf {Enc}}(\mathsf {pp},m,Y;g_{2}^{\varvec{k}_{i}},\varvec{g}), \) where \( \varvec{g} \leftarrow \mathsf {SampG}(\mathsf {pp}) \).

Semi-functional ciphertext: where \( \varvec{g} \leftarrow \mathsf {SampG}(\mathsf {pp}),\) \(\hat{\varvec{g}} \leftarrow \widehat{\mathsf {SampG}}(\mathsf {pp},\mathsf {sp}) \).

Normal secret key:

$$\begin{aligned} SK_{GID,S}&=\widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID,S;\varvec{h}),\\ SK_{GID,i}&=\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}},SK_{GID,S},att_{i};\varvec{h}), \end{aligned}$$

where \( \varvec{h} \leftarrow \mathsf {SampH}(\mathsf {pp}) \).

Pseudo-normal secret key:

where \( \varvec{h} \leftarrow \mathsf {SampH}(\mathsf {pp}), \hat{\varvec{h}} \leftarrow \widehat{\mathsf {SampH}}(\mathsf {pp},\mathsf {sp}) \).

Pseudo-semi-functional secret key:

where \( \varvec{h} \leftarrow \mathsf {SampH}(\mathsf {pp}), \hat{\varvec{h}} \leftarrow \widehat{\mathsf {SampH}}(\mathsf {pp},\mathsf {sp}), \alpha _{i}\leftarrow \mathbb {Z}_{p} \).

Semi-functional secret key:

where \( \varvec{h} \leftarrow \mathsf {SampH}(\mathsf {pp}), \alpha _{i}\leftarrow \mathbb {Z}_{p} \).

Game Sequence. We let \(\mathsf {Adv}^{\mathsf {Game}_{X}}_{\mathcal {A}}\) denote the advantage of \(\mathcal {A}\) in \(\mathsf {Game}_{X}\).

  • \(\mathsf {Game}_{\mathsf {0}}\): the real security game.

  • \(\mathsf {Game}_{\mathsf {1}}\): the challenge ciphertext becomes semi-functional.

  • \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) for \(\eta = 1,\ldots ,q\): for the first \(\eta -1\) queried identities, the received keys become semi-functional, and the received key for the \(\eta \)’th queried identity becomes pseudo-normal.

  • \(\mathsf {Game}_{\mathsf {2,\eta ,2}}\) for \(\eta = 1,\ldots ,q\): for the first \(\eta -1\) queried identities, the received keys become semi-functional, and the received key for the \(\eta \)’th queried identity becomes pseudo-semi-functional.

  • \(\mathsf {Game}_{\mathsf {2,\eta ,3}}\) for \(\eta = 0,\ldots ,q\): for the first \(\eta \) queried identities, the received keys become semi-functional. We let \(\mathsf {Game}_{\mathsf {2,0,3}}\) denote \(\mathsf {Game}_{\mathsf {1}}\).

  • \(\mathsf {Game}_{\mathsf {3}}\): generate a semi-functional ciphertext of a random message \(m'\in \mathbb {G}_{T}\) as the challenge ciphertext.

Theorem 2 follows from the following lemmas.
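How the lemmas below chain together, written out as an added derivation that is not part of the original text: it uses only the bounds of Lemmas 8 to 12 as stated, and the names \(\mathcal {B}_{0}\), \(\mathcal {B}_{\eta ,1}\), \(\mathcal {B}_{\eta ,2}\) for the adversaries of Lemmas 8, 9 and 11 are introduced here. Since \(\mathsf {Game}_{\mathsf {2,0,3}}\) is \(\mathsf {Game}_{\mathsf {1}}\), the triangle inequality over the game sequence gives

$$\begin{aligned} \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {0}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {3}}}_{\mathcal {A}}(\lambda ) \right|&\le \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {0}}}_{\mathcal {A}}-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {1}}}_{\mathcal {A}} \right| +\sum _{\eta =1}^{q}\sum _{\iota =1}^{3}\left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,\iota -1}}}_{\mathcal {A}}-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,\iota }}}_{\mathcal {A}} \right| +\left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\textit{q},3}}}_{\mathcal {A}}-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {3}}}_{\mathcal {A}} \right| \\&\le \mathsf {Adv}^{LS}_{\mathcal {B}_{0}}(\lambda )+\sum _{\eta =1}^{q}\left( \mathsf {Adv}^{RS}_{\mathcal {B}_{\eta ,1}}(\lambda )+0+\mathsf {Adv}^{RS}_{\mathcal {B}_{\eta ,2}}(\lambda )\right) +0, \end{aligned}$$

where \(\mathsf {Game}_{\mathsf {2,\eta ,0}}\) is shorthand (used only in this derivation) for \(\mathsf {Game}_{\mathsf {2,\eta -1,3}}\). The two zero terms come from Lemmas 10 and 12, so the total loss is one \(LS\) term plus \(2q\) \(RS\) terms.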

Lemma 8

(from \(\mathsf {Game}_{\mathsf {0}}\) to \(\mathsf {Game}_{\mathsf {1}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {0}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {1}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{LS}_{\mathcal {B}}(\lambda ). \)

Proof

The adversary \(\mathcal {B}\) gets input \((\mathsf {pp},\varvec{t})\), where \(\varvec{t}\) is \(\varvec{g}\) or \(\varvec{g}\cdot \hat{\varvec{g}}\) with \(\varvec{g}\leftarrow \mathsf {SampG}(\mathsf {pp})\) and \(\hat{\varvec{g}}\leftarrow \widehat{\mathsf {SampG}}(\mathsf {pp},\mathsf {sp})\), \(\mathcal {B}\) proceeds as follows:

\(\mathsf {Setup}\): Pick \(\varvec{k}_{i}\leftarrow \mathbb {H}\), a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\), and for those attributes belonging to corrupted authorities, pick \(\mathbf {W}_{i}\leftarrow \mathbb {Z}_{p}^{(k+1)\times (k+1)}\). Output \( GPK =\{p,G_{1}^{k+1},G_{2}^{k+1},G_{T},e;g_{1}^\mathbf {A},g_{2}^\mathbf {B},\varSigma _{sign}\},\) \(CPK_j= Verifykey_j,\) \(APK_{j}=\{e(g_{1},g_{2})^{\varvec{k}_{i}^{{\!\scriptscriptstyle {\top }}}\mathbf {A}},g_{1}^{\mathbf {W}_{i}\mathbf {A}}\}_{att_{i}\in U_{j}}\). In addition, \(\{\varvec{k}_{i},\mathbf {W}_{i}|att_{i}\in U \backslash U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {Key \ Queries}:\) In this phase, \(\mathcal {A}\) queries on two occasions

  • \(\mathsf {CKeyGen \ Query}:\) When \(\mathcal {A}\) queries an identity key of GID along with attribute set S, \(\mathcal {B}\) samples \(\varvec{h}\leftarrow \mathsf {SampH}(\mathsf {pp})\) and stores \((GID,S,\varvec{h})\) so that it can respond consistently. Then, \(\mathcal {B}\) outputs \( SK_{GID,S}=\widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID,S;\varvec{h}) \).

  • \(\mathsf {AKeyGen \ Query}:\) When \(\mathcal {A}\) queries an attribute key of \(att_{i}\) of GID, \(\mathcal {B}\) first verifies the signature. It then outputs \(SK_{GID,i}\!=\!\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}},SK_{GID,S},att_{i};\varvec{h})\).

\(\mathsf {Challenge}{:}\) Upon receiving challenge \((Y^*,M_{0},M_{1})\), pick a random bit \(\beta \in \{0,1\}\) and output \( CT_{Y^*}=\widehat{\mathsf {Enc}}(\mathsf {pp},M_{\beta },Y^*;g_{2}^{\varvec{k}_{i}},\varvec{t}). \)

Observe that, \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_{\mathsf {0}}\) when \(\varvec{t}=\varvec{g}\), and \(\mathsf {Game}_{\mathsf {1}}\) when \(\varvec{t}=\varvec{g}\cdot \hat{\varvec{g}}\). Hence, \(\mathcal {B}\) can determine the distribution of \(\varvec{t}\) by using adversary \(\mathcal {A}\).

Lemma 9

(from \(\mathsf {Game}_{\mathsf {2,\eta -1,3}}\) to \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta -1,3}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,1}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{RS}_{\mathcal {B}}(\lambda ). \)

Proof

Given (\(\mathsf {pp},h^{*},\varvec{g}\cdot \hat{\varvec{g}},\varvec{t}\)), where \(\varvec{t}\) is either \(\varvec{h}\) or \(\varvec{h}\cdot \hat{\varvec{h}}\) with \(\varvec{h}\leftarrow \mathsf {SampH}(\mathsf {pp})\) and \(\hat{\varvec{h}}\leftarrow \widehat{\mathsf {SampH}}(\mathsf {pp},\mathsf {sp})\), \(\mathcal {B}\) proceeds as follows.

\(\mathsf {Setup}\): Pick \(\varvec{k}_{i}\leftarrow \mathbb {H}\), a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\), and for those attributes belonging to corrupted authorities, pick \(\mathbf {W}_{i}\leftarrow \mathbb {Z}_{p}^{(k+1)\times (k+1)}\). Output \( GPK =\{p,G_{1}^{k+1},G_{2}^{k+1},G_{T},e;g_{1}^\mathbf {A},g_{2}^\mathbf {B},\varSigma _{sign}\}, \) \(CPK_j= Verifykey_j,\) \(APK_{j}=\{e(g_{1},g_{2})^{\varvec{k}_{i}^{{\!\scriptscriptstyle {\top }}}\mathbf {A}},g_{1}^{\mathbf {W}_{i}\mathbf {A}}\}_{att_{i}\in U_{j}}\). In addition, \(\{\varvec{k}_{i},\mathbf {W}_{i}|att_{i}\in U/U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {Key \ Queries}:\) We let \(GID_{\theta }\) denote the \(\theta \)’th identity queried by \(\mathcal {A}\).

  • \(\mathsf {CKeyGen \ Query}:\) When \(\mathcal {A}\) queries an identity key of \(GID_{\theta }\) along with attribute set \(S_{\theta }\), \(\mathcal {B}\) samples \(\varvec{h}_{\theta }\leftarrow \mathsf {SampH}(\mathsf {pp})\) and outputs

    $$\begin{aligned} SK_{GID_{\theta },S_{\theta }}=\left\{ \begin{array}{ll} \widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID_{\theta },S_{\theta };\varvec{h}_{\theta }) \qquad &{} \theta \ne \eta \\ \widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID_{\theta },S_{\theta };\varvec{t}) \qquad &{} \theta = \eta \\ \end{array} \right. \end{aligned}$$

  • \(\mathsf {AKeyGen \ Query}:\) When \(\mathcal {A}\) queries an attribute key of \(att_{i}\) of \(GID_{\theta }\), \(\mathcal {B}\) first verifies the signature. If it is valid, \(\mathcal {B}\) outputs

    $$\begin{aligned} SK_{GID_{\theta },i}=\left\{ \begin{array}{lll} \widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}}\cdot (h^*)^{\alpha _{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{h}_{\theta }) \quad &{} \theta < \eta \\ \widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{t}) \quad &{} \theta = \eta \\ \widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{h}_{\theta }) \quad &{} \theta > \eta \end{array} \right. \end{aligned}$$

\(\mathsf {Challenge}:\) Upon receiving challenge \((Y^*,m_{0},m_{1})\), pick a random bit \(\beta \in \{0,1\}\) and output \( CT_{Y^*}=\widehat{\mathsf {Enc}}(\mathsf {pp},m_{\beta },Y^*;g_{2}^{\varvec{k}_{i}},\varvec{g}\cdot \hat{\varvec{g}}) \).

Observe that \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_{\mathsf {2,\eta -1,3}}\) when \(\varvec{t}=\varvec{h}\), and \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) when \(\varvec{t}=\varvec{h}\cdot \hat{\varvec{h}}\). Hence, \(\mathcal {B}\) can determine the distribution of \(\varvec{t}\) by using adversary \(\mathcal {A}\).

Lemma 10

(from \(\mathsf {Game}_{\mathsf {2,\eta ,1}}\) to \(\mathsf {Game}_{\mathsf {2,\eta ,2}}\)). For \( \eta =1,\ldots ,q \), we have

$$\begin{aligned} \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,1}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,2}}}_{\mathcal {A}}(\lambda ) \right| = 0. \end{aligned}$$

Proof

\(\mathsf {Setup}:\) \(\mathcal {A}\) specifies a set of corrupt authorities. For each attribute \(att_{i}\) belonging to a corrupted authority, \(\mathcal {B}\) picks \(\mathbf {W}_{i}\leftarrow \mathbb {Z}_{p}^{(k+1)\times (k+1)}\). Given \((\mathsf {pp},\varvec{k}_{i},\) \((h^{*})^{\alpha _{i}})\) and a UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\), we can output \(GPK=\{p,G_{1}^{k+1},G_{2}^{k+1},G_{T},e;g_{1}^\mathbf {A},g_{2}^\mathbf {B},\varSigma _{sign}\}, CPK_j \! =\! Verifykey_j, APK_{j}\! =\!\{e(g_{1},g_{2})^{\varvec{k}_{i}^{{\!\scriptscriptstyle {\top }}}\mathbf {A}},g_{1}^{\mathbf {W}_{i}\mathbf {A}}\}_{att_{i}\in U_{j}}.\) In addition, \(\{\varvec{k}_{i},\mathbf {W}_{i}|att_{i}\in U/U_{1}\}\) are given to \(\mathcal {A}\).

\(\mathsf {Key \ Queries}:\) We let \(GID_{\theta }\) denote the \(\theta \)’th identity queried by \(\mathcal {A}\). When \(\mathcal {A}\) queries an identity key of \(GID_{\theta }\) along with attribute set \(S_{\theta }\), \(\mathcal {B}\) samples \(\varvec{h}_{\theta }\leftarrow \mathsf {SampH}(\mathsf {pp})\).

For \(\theta < \eta \), \(\mathcal {B}\) answers the queries \(SK_{GID_{\theta },S_{\theta }}=\widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID_{\theta },\) \(S_{\theta };\varvec{h}_{\theta })\), \(SK_{GID_{\theta },i}=\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}}\cdot (h^*)^{\alpha _{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{h}_{\theta }).\)

For \(\theta > \eta \), \(\mathcal {B}\) answers the queries \(SK_{GID_{\theta },S_{\theta }}=\widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID_{\theta },\) \(S_{\theta };\varvec{h}_{\theta })\), \(SK_{GID_{\theta },i}=\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{h}_{\theta }).\)

For \(\theta = \eta \), \(\mathcal {B}\) answers the key queries by using

$$\begin{aligned} SK_{GID_{\theta },S_{\theta }}&=\widehat{\mathsf {CKeyGen}}(\mathsf {pp},CSK,GID_{\theta },S_{\theta };\varvec{h}\cdot \hat{\varvec{h}})\\ SK_{GID_{\theta },i}&=\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{h}\cdot \hat{\varvec{h}})\\ \mathrm{or} \ SK_{GID_{\theta },i}&=\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\varvec{k}_{i}}\cdot (h^*)^{\alpha _{i}},SK_{GID_{\theta },S_{\theta }},att_{i};\varvec{h}\cdot \hat{\varvec{h}}) \end{aligned}$$

\(\mathsf {Challenge}:\) Upon receiving challenge \((Y^*,m_{0},m_{1})\), pick a random bit \(\beta \!\in \! \{0,1\}\) and output

$$\begin{aligned} CT_{Y^*}=\widehat{\mathsf {Enc}}(\mathsf {pp},m_{\beta },Y^*;g_{2}^{\varvec{k}_{i}},\varvec{g}\cdot \hat{\varvec{g}}) \end{aligned}$$

By linearity, we rewrite the \(\eta \)’th key and the challenge ciphertext as follows:

By parameter-hiding, we may replace \( (\mathsf {pp},h^{*},\hat{\varvec{g}},\hat{\varvec{h}}) \) with \( (\mathsf {pp},h^{*},\hat{\varvec{g}} \cdot \hat{\varvec{g}}' ,\hat{\varvec{h}} \cdot \hat{\varvec{h}}') \). We expand \(\widehat{\mathsf {Enc}}\) and \(\widehat{\mathsf {AKeyGen}}\) as follows:

$$\begin{aligned} \widehat{\mathsf {Enc}}(\mathsf {pp},1,Y^*;g_{2}^{\varvec{k}_{i}},\hat{\varvec{g}}\! \cdot \! \hat{\varvec{g}}')\!=\!\{C_{0}\!=\!\!\!\prod \limits _{att_{i}\in \varOmega }\!\!e(\hat{g}_{0},\!g_{2}^{\varvec{k}_{i}}),C_{1}&\!=\!\hat{g}_{0}^{\sum _{att_{i}\in \varOmega }\hat{u}_{i}}\!\cdot \!\!\prod \limits _{att_{i}\in \varOmega }\hat{g}_{i}\!,\!C_{2}\!=\!\hat{g}_{0}\}\\ \widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,1,SK_{GID_{\eta },S_{\eta }},att_{i};\hat{\varvec{h}}\! \cdot \! \hat{\varvec{h}}')&\!=\! \hat{h}_{i}\cdot \hat{h}_{0}^{\hat{u}_{i}}\\ \widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,(h^{*})^{\alpha _{i}},SK_{GID_{\eta },S_{\eta }},att_{i};\hat{\varvec{h}} \cdot \hat{\varvec{h}}')&= (h^*)^{\alpha _{i}}\hat{h}_{i}\cdot \hat{h}_{0}^{\hat{u}_{i}}=\hat{h}_{i}\cdot \hat{h}_{0}^{\alpha '_{i}+\hat{u}_{i}} \end{aligned}$$

As the attributes in \(S_{\eta } \cup V\) cannot satisfy \(Y^*\), there must exist some attributes appearing in \(C_{1}\) other than those appearing in \(S_{\eta }\). That is to say, \(\{\hat{u}_{i}|att_{i}\in U_{1}\}\) are hidden from \(\mathcal {A}\), and \(\alpha '_{i}\) are perfectly hidden by \(\hat{u}_{i}\). The lemma then follows readily.

Lemma 11

(from \(\mathsf {Game}_{\mathsf {2,\eta ,2}}\) to \(\mathsf {Game}_{\mathsf {2,\eta ,3}}\)). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,2}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\eta ,3}}}_{\mathcal {A}}(\lambda ) \right| \le \mathsf {Adv}^{RS}_{\mathcal {B}}(\lambda ). \)

Proof

The proof is analogous to Lemma 9.

Lemma 12

(from \(\mathsf {Game}_{\mathsf {2,\textit{q},3}}\) to \(\mathsf {Game}_{\mathsf {3}}\) ). For any \(\mathrm {PPT}\) adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\textit{q},3}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {3}}}_{\mathcal {A}}(\lambda ) \right| = 0. \)

Proof

\(\mathsf {Setup}\): For each \(att_{i}\in U_{1}\), \(\mathcal {B}\) picks \(\hat{\varvec{k}}_{i}\leftarrow _{R}\mathbb {H},\alpha _{i}\leftarrow _{R}\mathbb {Z}_{p}\), and sets \(g_{2}^{\varvec{k}_{i}}=g_{2}^{\hat{\varvec{k}}_{i}}\cdot (h^*)^{-\alpha _{i}}\). For other attributes, \(\mathcal {B}\) picks \(\varvec{k}_{i}\leftarrow _{R}\mathbb {H}\). A UF-CMA secure signature scheme \(\varSigma _{sign}=(\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\) is chosen. Output

\(GPK=\{p,G_{1}^{k+1},G_{2}^{k+1},G_{T},e;g_{1}^\mathbf {A},g_{2}^\mathbf {B},\varSigma _{sign}\}, CPK_j= Verifykey_j, APK_{j}=\{e(g_{1},g_{2})^{\varvec{k}_{i}^{{\!\scriptscriptstyle {\top }}}\mathbf {A}},g_{1}^{\mathbf {W}_{i}\mathbf {A}}\}_{att_{i}\in U_{j}}.\) In addition, \(\{\varvec{k}_{i},\mathbf {W}_{i}|att_{i}\in U/U_{1}\}\) are given to the adversary \(\mathcal {A}\).

\(\mathsf {Key \ Queries}:\) For the j’th query, output \(SK_{GID,S}=\widehat{\mathsf {CKeyGen}}(CSK,GID,S;\varvec{h})\). When \(\mathcal {A}\) queries an attribute key of \(att_{i}\) of GID, \(\mathcal {B}\) first verifies the signature. If it is valid, \(\mathcal {B}\) outputs \(SK_{GID,i}=\widehat{\mathsf {AKeyGen}}(\mathsf {pp},CPK,g_{2}^{\hat{\varvec{k}}_{i}},SK_{GID,S},att_{i};\varvec{h})\).

\(\mathsf {Challenge}:\) Upon receiving challenge \((Y^*,m_{0},m_{1})\), pick a random bit \(\beta \in \{0,1\}\) and output \( C_{0}=m_{\beta }\cdot \prod \limits _{att_{i}\in \varOmega }e(g_{1}^{\mathbf {A}\varvec{s}+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}},g_{2}^{\varvec{k}_{i}}),C_{1}=\prod \limits _{att_{i}\in \varOmega }g_{1}^{\mathbf {W}_{i}^{{\!\scriptscriptstyle {\top }}}(\mathbf {A}\varvec{s}+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s})},\) \(C_{2}=g_{1}^{\mathbf {A}\varvec{s}+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}}\). We note that \(U_{1}\cap \varOmega \ne \varPhi \), so \(\varOmega \) contains at least one attribute in \(U_{1}\). Then we have

$$\begin{aligned} C_{0}&=m_{\beta }\cdot \prod \limits _{att_{i}\in \varOmega /U_{1}}e(g_{1}^{\mathbf {A}\varvec{s}+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}},g_{2}^{\varvec{k}_{i}})\cdot \prod \limits _{att_{i}\in U_{1}}e(g_{1}^{\mathbf {A}\varvec{s}+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}},g_{2}^{\varvec{k}_{i}}) \\&=m_{\beta }\!\cdot \!\!\prod \limits _{att_{i}\in \varOmega /U_{1}}\!e(g_{1}^{\mathbf {A}\varvec{s}\!+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}}\!,\!g_{2}^{\varvec{k}_{i}})\!\cdot \!\!\prod \limits _{att_{i}\in U_{1}}\!e(g_{1}^{\mathbf {A}\varvec{s}+\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}},g_{2}^{\hat{\varvec{k}}_{i}})\!\cdot \!\!\prod \limits _{att_{i}\in U_{1}}e(g_{1}^{\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}}\!,\!g_{2}^{\varvec{a}^{{\!\scriptscriptstyle {\perp }}}})^{-\alpha _{i}}. \end{aligned}$$

Recall that \((\mathsf {pp},\hat{\varvec{k}}_{i},\varvec{g}\cdot \hat{\varvec{g}})\) are all statistically independent of \(\alpha _{i}\leftarrow \mathbb {Z}_{p}\), so \(\prod \limits _{att_{i}\in U_{1}}e(g_{1}^{\varvec{b}^{{\!\scriptscriptstyle {\perp }}}\hat{s}},g_{2}^{\varvec{a}^{{\!\scriptscriptstyle {\perp }}}})^{-\alpha _{i}}\) is uniformly distributed in \(\mathbb {G}_{T}\). This means that the distribution of the challenge ciphertext and that of a semi-functional encryption of a random message are identical. Hence, \( \left| \mathsf {Adv}^{\mathsf {Game}_{\mathsf {2,\textit{q},3}}}_{\mathcal {A}}(\lambda )-\mathsf {Adv}^{\mathsf {Game}_{\mathsf {3}}}_{\mathcal {A}}(\lambda ) \right| = 0\).
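The masking argument of Lemma 12 can be checked exhaustively in a toy exponent model, where each group element is replaced by its discrete logarithm. This is an added example, not code from the paper: it assumes \(h^{*}=g_{2}^{\varvec{a}^{\perp }}\) (as the last factor of the decomposition of \(C_{0}\) suggests), a constructed prime \(p=101\), constructed values for \(\mathbf {A}\), \(\varvec{a}^{\perp }\), \(\varvec{b}^{\perp }\), \(\varvec{s}\), \(\hat{s}\), and hypothetical function names.

```python
# Exponent-model toy of Lemma 12 (added illustration, not the paper's code).
# Group elements are stored as discrete logs mod P, so multiplication in G_T
# becomes addition and the pairing e(g1^x, g2^y) becomes the inner product <x, y>.
P = 101    # constructed toy prime; a real instantiation uses a ~256-bit p

def inv(x): return pow(x, -1, P)
def dot(x, y): return sum(a * b for a, b in zip(x, y)) % P
def add(x, y): return [(a + b) % P for a, b in zip(x, y)]
def scale(c, x): return [(c * a) % P for a in x]
def cols(M): return [list(c) for c in zip(*M)]

# Constructed (k+1) x k matrix A for k = 2, with A^T a_perp = 0.
# b_perp is only assumed to satisfy <b_perp, a_perp> != 0 (non-degeneracy).
A = [[3, 0], [0, 5], [1, 1]]
A_PERP = [inv(3), inv(5), P - 1]
B_PERP = [inv(7), inv(11), P - 1]
assert all(dot(c, A_PERP) == 0 for c in cols(A)) and dot(B_PERP, A_PERP) != 0

S_VEC, S_HAT = [17, 42], 9    # constructed s and nonzero s-hat
# Exponent of C_2 = g1^{A s + b_perp * s_hat}
C2 = add([dot(row, S_VEC) for row in A], scale(S_HAT, B_PERP))

def real_key(k_hat, alpha):
    """k_i = k_hat_i - alpha_i * a_perp, i.e. g2^{k_i} = g2^{k_hat_i} * (h*)^{-alpha_i}."""
    return add(k_hat, scale(-alpha % P, A_PERP))

def public_part(k):
    """Exponent of e(g1, g2)^{k_i^T A}: the part of APK_j that depends on k_i."""
    return [dot(k, c) for c in cols(A)]

def c0_direct(m, k_hats, alphas):
    """C_0 = m * prod_i e(C_2, g2^{k_i}) for honest attributes (all in U_1 here)."""
    return (m + sum(dot(C2, real_key(kh, al)) for kh, al in zip(k_hats, alphas))) % P

def c0_split(m, k_hats, alphas):
    """Right-hand side of the decomposition: the k_hat part plus the alpha mask."""
    mask = -S_HAT * dot(B_PERP, A_PERP) * sum(alphas)
    return (m + sum(dot(C2, kh) for kh in k_hats) + mask) % P

def sweep_alpha(m, k_hat):
    """Run alpha over all of Z_p for one honest attribute in Omega.

    Key answers use k_hat only, so APK and C_0 are all that can depend on alpha.
    Returns the set of distinct APK parts and the sorted list of C_0 values.
    """
    apks = {tuple(public_part(real_key(k_hat, al))) for al in range(P)}
    c0s = sorted(c0_direct(m, [k_hat], [al]) for al in range(P))
    return apks, c0s
```

Sweeping \(\alpha _{i}\) leaves the public key unchanged while \(C_{0}\) takes every value of \(\mathbb {Z}_{p}\) exactly once, which is the uniformity the proof relies on.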

© 2019 Springer Nature Switzerland AG

Ma, C., Ge, A., Zhang, J. (2019). Fully Secure Decentralized Ciphertext-Policy Attribute-Based Encryption in Standard Model. In: Guo, F., Huang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2018. Lecture Notes in Computer Science(), vol 11449. Springer, Cham. https://doi.org/10.1007/978-3-030-14234-6_23

  • Print ISBN: 978-3-030-14233-9

  • Online ISBN: 978-3-030-14234-6
