
Dynamic Multi Target Homomorphic Attribute-Based Encryption

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10655)

Abstract

We propose multi target homomorphic attribute-based encryption (MT-HABE) with dynamic homomorphic evaluation: it can take as input arbitrary additional ciphertexts during homomorphic computation. In the previous MT-HABE of Brakerski et al. (TCC 2016-B), the output of homomorphic computation, which is related to a policy set, cannot be computed with a fresh ciphertext whose attribute does not satisfy any policy in the set. This is because the underlying multi-key fully homomorphic encryption (MKFHE) is single-hop: some keys are related to the output of homomorphic computation, which cannot be combined with ciphertexts encrypted under other keys. To implement dynamic homomorphic evaluations, we construct MT-HABE from a dual variant of multi-hop MKFHE proposed by Peikert and Shiehian (TCC 2016-B).



Notes

  1. Approximating a short vector over n-dimensional lattices within a factor of \(\gamma \) takes \(2^{\tilde{\Omega }(n/\log \gamma )}\) computations [Sch87].

  2. The algorithm can take as input a fresh ciphertext \(\mathsf {ct}\) (and the single secret key \(\mathsf {sk}_{f}\) for \(f\in \mathcal {F}\) such that \(f(x)=0\)) by generating the functioned ciphertext \(\mathsf {ct}^{(F)}:=\mathsf {dMTHABE}.\mathsf {ApplyF}_{\mathsf {pp}}(\mathsf {ct}, f)\) before the computation begins.

References

  1. Ajtai, M.: Generating hard instances of the short basis problem. In: ICALP, pp. 1–9 (1999)

  2. Brakerski, Z., Cash, D., Tsabary, R., Wee, H.: Targeted homomorphic attribute-based encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 330–360. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_13

  3. Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30

  4. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325 (2012)

  5. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC, pp. 575–584 (2013)

  6. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50

  7. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS, pp. 97–106 (2011)

  8. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29

  9. Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 363–384. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_13

  10. Coron, J.-S., Lepoint, T., Tibouchi, M.: Scale-invariant fully homomorphic encryption over the integers. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 311–328. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_18

  11. Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31

  12. Clear, M., McGoldrick, C.: Attribute-based fully homomorphic encryption with a bounded number of inputs. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 307–324. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_16

  13. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2

  14. Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009). http://crypto.stanford.edu/craig

  15. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)

  16. Gentry, C., Peikert, C., Vaikuntanathan, V.: How to use a short basis: trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

  17. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  18. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC, pp. 545–554 (2013)

  19. López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC, pp. 1219–1234 (2012)

  20. Lyubashevsky, V., Wichs, D.: Simple lattice trapdoor sampling from a broad class of distributions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 716–730. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_32

  21. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  22. Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26

  23. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC, pp. 333–342 (2009)

  24. Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_9

  25. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)

  26. Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987)

Author information

Corresponding author: Ryo Hiromasa.

A Correctness and Security

In this section, we discuss the correctness and security of the proposed MT-HABE described in Sect. 3. In Appendix A.1, we consider the parameter settings of the proposed scheme required for correctness and security; the proofs are given in Appendix A.2.

A.1 Parameter Settings

The DLWE parameters \(n, q, \chi \) are chosen according to the conditions imposed by correctness and security.

It is required to set \(n\ge \lambda \) and \(q\le 2^{n}\). We also set \(\ell , d = \mathsf {poly}(\lambda )\). We estimate the worst-case noise growth when homomorphically evaluating a depth-\(d_{\mathcal {G}}\) circuit consisting only of NAND gates under d different policies of depth at most \(d_{\mathcal {F}}\). We define the max error \(B_{max}\) of the ciphertext \((\mathbf {C}, \mathbf {F}, \mathbf {D})\) output by the algorithm \(\mathsf {ApplyF}\) or \(\mathsf {Eval}\) as

$$ B_\mathrm{max}:=\max (B_{\mathbf {C}}, B_{\mathbf {F}}, B_{\mathbf {D}}). $$

From Sect. 3.2, the ciphertext generated by homomorphically evaluating a NAND gate has noise at most

$$ \begin{aligned}&M\cdot B_{\mathbf {D}_{1}}+d(m+N+1)\lceil \log q\rceil B_{\mathbf {C}_{1}}+\mu _{1}B_{\mathbf {D}_{2}}\\&\le \{M\cdot (d+1) +1\}\cdot B_\mathrm{max}\\&=\mathsf {poly}(d,n,\lceil \log q\rceil )\cdot B_\mathrm{max}. \end{aligned} $$

for some polynomial \(\mathsf {poly}(\cdot )\). The ciphertext generated by the ciphertext expansion algorithm described in Sect. 3.2 also has noise at most

$$ \begin{aligned}&B_{\mathbf {C}}+N\cdot B_{\mathbf {D}} + ||\mathbf {t}_{f}||_{\infty }\cdot (m+N+1)\cdot B_{\mathbf {F}}\\&\le (1+N+||\mathbf {t}_{f}||_{\infty }\cdot (m+N+1))\cdot B_\mathrm{max}\\&= \mathsf {poly}'(n, \lceil \log q \rceil )\cdot B_\mathrm{max}. \end{aligned} $$

for some polynomial \(\mathsf {poly}'(\cdot )\).

Since the max error \(B_\mathrm{max}\) of fresh functioned ciphertexts is at most \(||\mathbf {t}_{f}||_{\infty }\cdot ((N+1)^{d_{\mathcal {F}}}\cdot \ell N+1)mB\), the noise of the evaluated ciphertexts obtained by homomorphic evaluation of a depth-\(d_{\mathcal {G}}\) circuit under d different policies is at most

$$ \begin{aligned}&\mathsf {poly}(d, n, \lceil \log q \rceil )^{d}\cdot \mathsf {poly}'(n, \lceil \log q \rceil )^{d_{\mathcal {G}}}\cdot ||\mathbf {t}_{f}||_{\infty }\cdot ((N+1)^{d_{\mathcal {F}}}\cdot \ell N+1)mB\\&\le \mathsf {poly}(d, n, \lceil \log q \rceil )^{d}\cdot \mathsf {poly}'(n, \lceil \log q \rceil )^{d_{\mathcal {G}}}\cdot O(\ell ^2 m^2\sqrt{n}N^{3}(N+1)^{2d_{\mathcal {F}}})B. \end{aligned} $$

For correctness and security, we select the parameters so that the above quantity, multiplied by a factor of eight, is less than \(2^{n^{\epsilon }}\) for some \(0<\epsilon <1\). For this to hold, we set \(n=\tilde{O}(d\cdot \log d + d_{\mathcal {G}} + d_{\mathcal {F}}\cdot \log \ell )^{1/\epsilon }\) and choose q and \(\chi \) so that they satisfy \(q/B \ge 2^{n^{\epsilon }}\), where B is the upper bound of the noise distribution \(\chi \). Selecting such parameters yields a reduction from the \(\mathsf {DLWE}_{n, q, \chi }\) problem to approximating a short vector on an n-dimensional lattice within a factor of \(\tilde{O}(n\cdot 2^{n^{\epsilon }})\).

A.2 Proofs

Correctness and security of our \(\mathsf {dMTHABE}\) scheme can be proven in a very similar way to [BCTW16].

Theorem 1

(Correctness). The scheme \(\mathsf {dMTHABE}\) with parameters \(\ell , d_{\mathcal {F}}, d_{\mathcal {G}}, d\) is correct for policy class \(\mathcal {F}_{\ell , d_{\mathcal {F}}}\) and homomorphism class \(\mathcal {G}_{d_{\mathcal {G}}}\).

Proof

Let \((\mathsf {pp}, \mathsf {msk})\leftarrow \mathsf {dMTHABE}.\mathsf {Setup}(1^{\lambda }, 1^{\ell }, 1^{d_{\mathcal {F}}}, 1^{d_{\mathcal {G}}}, 1^{d})\). Consider k ciphertexts \(\mathsf {ct}^{(i)}\leftarrow \mathsf {dMTHABE}.\mathsf {Enc}_{\mathsf {pp}}(\mu _{i}, x_{i})\) of message \(\mu _{i}\in \{0,1\}\) with attribute \(x_{i}\in \{0,1\}^{\ell }\). For a set of d policies \(F:=\{f_{i}\}_{i\in [d]}\subseteq \mathcal {F}_{\ell , d_{\mathcal {F}}}\) and operation \(g\in \mathcal {G}_{d_{\mathcal {G}}}\), consider an evaluated ciphertext

$$ \mathsf {ct}^{(F)}:=(\hat{\mathbf {C}}_{F}, \mathbf {F}_{F}, \hat{\mathbf {D}}_{F}) :=\mathsf {dMTHABE}.\mathsf {Eval}(\{\mathsf {ct}^{(i)}\}_{i\in [k]}, F, g). $$

By the process of \(\mathsf {Eval}\) in Sect. 3.2, it holds that

$$ \mathbf {c}:=\mathbf {t}_{F}\hat{\mathbf {C}}_{F}\approx \mu _{g}(\mathbf {t}_{F}^{T}\otimes \mathbf {g}^{T}) $$

for \(\mu _{g}:=g(\mu _{1},\ldots ,\mu _{k})\) and \(\mathbf {t}_{F}^{T}:=[\mathbf {t}_{f_{1}}^{T}, \ldots , \mathbf {t}_{f_{d}}^{T}]\) where \(\mathbf {r}_{f_{i}}\leftarrow \mathsf {dMTHABE}.\mathsf {Keygen}_{\mathsf {msk}}(f_{i})\), \(\mathbf {r}_{f_{i}}'=H(\mathbf {A}, f_{i})\), and \(\mathbf {t}_{f_{i}}^{T}:=[\mathbf {r}_{f_{i}}^{T}, \mathbf {r}_{f_{i}}'^{T}, 1]\). Let \(\mathbf {u}^{T}:=(0,\ldots ,0,\lfloor q/2\rfloor )\), then

$$ \tilde{\mu }:=\mathbf {c}^{T}(\mathbf {I}_{d(m+N+1)}\otimes \mathbf {g}^{-T})(\mathbf {u})\approx \mu _{g}\lfloor q/2\rfloor . $$

Choosing the parameters as described in Appendix A.1, the noise in \(\hat{\mathbf {C}}_{F}\) is of size at most q/8. Hence, it holds that

$$ \Pr [\mathsf {dMTHABE}.\mathsf {Dec}_{\mathsf {sk}_{f_{1}},\ldots ,\mathsf {sk}_{f_{d}}}(\mathsf {ct}^{(F)})\ne \mu _{g}]=\mathsf {negl}(\lambda ). $$
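As an added illustration of the decryption identity used in this proof (this is example code written for this page, not code from the paper), the following Python block instantiates the gadget vector \(\mathbf {g}\), the bit-decomposition \((\mathbf {I}\otimes \mathbf {g}^{-T})(\mathbf {u})\) for \(\mathbf {u}^{T}=(0,\ldots ,0,\lfloor q/2\rfloor )\), and the rounding step on a toy vector \(\mathbf {c}=\mu (\mathbf {t}^{T}\otimes \mathbf {g}^{T})+\mathbf {e}\). The modulus \(q=2^{20}-3\), the dimension 8 standing in for \(d(m+N+1)\), the random \(\mathbf {t}\) (only its last entry, fixed to 1 as in \(\mathbf {t}_{f}^{T}\), matters) and all noise values are constructed assumptions. It shows why the noise surviving the inner product must stay below q/4: since \((\mathbf {I}\otimes \mathbf {g}^{-T})(\mathbf {u})\) is a 0/1 vector, the noise term is bounded by the number of set bits of \(\lfloor q/2\rfloor \) times the per-coordinate noise, and a noise vector exceeding that threshold flips the decrypted bit.

```python
import random


def gadget(q):
    """Gadget vector g = (1, 2, 4, ..., 2^(L-1)) with L = ceil(log2 q)."""
    L = (q - 1).bit_length()
    return [1 << i for i in range(L)]


def gadget_inverse(u, q):
    """(I ⊗ g^{-T})(u): bit-decompose each entry of u into L bits, giving a
    {0,1} vector w with (I ⊗ g^T) w = u (mod q)."""
    L = len(gadget(q))
    w = []
    for a in u:
        a %= q
        w.extend((a >> i) & 1 for i in range(L))
    return w


def gadget_apply(w, q):
    """(I ⊗ g^T) w: recompose every L-bit block of w; inverts gadget_inverse."""
    g = gadget(q)
    L = len(g)
    return [sum(b * gi for b, gi in zip(w[i:i + L], g)) % q
            for i in range(0, len(w), L)]


def toy_ciphertext(mu, t, q, noise):
    """Constructed stand-in for c ~ mu (t^T ⊗ g^T): c = mu*(t ⊗ g) + e mod q.
    The noise vector e is supplied explicitly (one entry per coordinate)."""
    base = [(ti * gi) % q for ti in t for gi in gadget(q)]
    assert len(noise) == len(base)
    return [(mu * b + e) % q for b, e in zip(base, noise)]


def decrypt(c, q, dim):
    """mu~ = c^T (I ⊗ g^{-T})(u) with u = (0, ..., 0, floor(q/2)), then round:
    values nearer to q/2 than to 0 decode as 1. Returns (bit, centred mu~)."""
    u = [0] * (dim - 1) + [q // 2]
    w = gadget_inverse(u, q)
    mu_tilde = sum(ci * wi for ci, wi in zip(c, w)) % q
    centred = mu_tilde if mu_tilde <= q // 2 else mu_tilde - q
    return (1 if abs(centred) > q // 4 else 0), centred


def decoding_noise_bound(q, per_coord_bound):
    """w is a 0/1 vector with popcount(floor(q/2)) ones, so the noise that
    survives the inner product satisfies |e^T w| <= popcount * max|e_i|."""
    return bin(q // 2).count("1") * per_coord_bound


def demo(q=2**20 - 3, dim=8, seed=1):
    """Constructed parameters: q = 2^20 - 3 (so floor(q/2) has 18 set bits),
    dim = 8 standing in for d(m+N+1). Only the last entry of t (which is 1,
    as in t_f^T = [r_f^T, r_f'^T, 1]) matters, because u is zero elsewhere."""
    rng = random.Random(seed)
    L = len(gadget(q))
    t = [rng.randrange(q) for _ in range(dim - 1)] + [1]
    results = {}
    # per-coordinate noise q/80: 18 * q/80 < q/4, so both bits decode correctly
    for mu in (0, 1):
        e = [rng.randint(-(q // 80), q // 80) for _ in range(dim * L)]
        results[mu] = decrypt(toy_ciphertext(mu, t, q, e), q, dim)[0]
    # aligned noise q/40 on every coordinate: 18 * q/40 > q/4, and an
    # encryption of 0 now decodes as 1
    e_bad = [q // 40] * (dim * L)
    results["flip"] = decrypt(toy_ciphertext(0, t, q, e_bad), q, dim)[0]
    return results


if __name__ == "__main__":
    print(demo())  # {0: 0, 1: 1, 'flip': 1}
```

The q/8 figure in the proof is a bound on the noise of \(\hat{\mathbf {C}}_{F}\) itself; the block makes visible the mechanism behind it, namely that rounding is safe only while the accumulated noise term is below q/4, which is why the parameter choice in Appendix A.1 keeps the worst-case noise growth a constant factor below that.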

Theorem 2

(Security). The scheme \(\mathsf {dMTHABE}\) is selectively secure for function classes \(\mathcal {F}, \mathcal {G}\) in the random oracle model if the \(\mathsf {DLWE}_{n,q,\chi }\) assumption holds.

Proof

In a similar way to [BCTW16], we prove this theorem by considering the indistinguishability of a column vector in the challenge ciphertext \(\mathbf {C}, \mathbf {C}_{x^{*}}, \mathbf {F}\), \(\mathbf {D}, \{\mathbf {D}^{(k)}_{x^{*}}\}_{k\in [N]}\), where \(x^{*}\) denotes the challenge attribute. That is, we consider the game in which the adversary is given either the following vectors

$$ \begin{aligned} \mathbf {c} := \begin{bmatrix} \mathbf {A}^{T}\\ \mathbf {B}_{0}^{T}\\ \mathbf {v}^{T} \end{bmatrix} \cdot \mathbf {s} + \begin{bmatrix} \mathbf {e}_{A}\\ \mathbf {e}_{0}\\ e_{v} \end{bmatrix},&\mathbf {c}_{x^{*}} := (\mathbf {\mathbf {B}}_{x^{*}}-x^{*}\mathbf {\mathbf {G}})^{T}\cdot \mathbf {s} + \begin{bmatrix} \mathbf {e}_{1}\\ \vdots \\ \mathbf {e}_{\ell } \end{bmatrix},&\mathbf {f} := \begin{bmatrix} \mathbf {A}^{T}\\ \mathbf {B}^{T}\\ \mathbf {v}^{T} \end{bmatrix} \cdot \mathbf {r} + \begin{bmatrix} \mathbf {e}_{A}^{(F)}\\ \mathbf {e}^{(F)}\\ e_{v}^{(F)} \end{bmatrix} \end{aligned} $$
$$ \begin{aligned} \begin{bmatrix} \mathbf {d}^{(1)}\\ \vdots \\ \mathbf {d}^{(N)} \end{bmatrix} :=\mathbf {d}:= \left( \mathbf {I}_{N}\otimes \begin{bmatrix} \mathbf {A}^{T}\\ \mathbf {B}_{0}^{T}\\ \mathbf {v}^{T} \end{bmatrix} \right) \cdot \begin{bmatrix} \mathbf {s}^{(1)}\\ \vdots \\ \mathbf {s}^{(N)} \end{bmatrix} + \begin{bmatrix} \mathbf {e}^{(1)}\\ \vdots \\ \mathbf {e}^{(N)} \end{bmatrix},&\mathbf {d}_{x^{*}}^{(k)} := (\mathbf {\mathbf {B}}_{x^{*}}-x^{*}\mathbf {\mathbf {G}})^{T}\cdot \mathbf {s}^{(k)} + \begin{bmatrix} \mathbf {e}^{(k)}_{1}\\ \vdots \\ \mathbf {e}^{(k)}_{\ell } \end{bmatrix} \ (\forall k\in [N]). \end{aligned} $$

or uniformly random vectors, and must distinguish the two cases. We call this game the column game, and define the advantage of the adversary in this game as \(\mathsf {Adv}_{\mathcal {A}}^{\mathsf {column}}(\lambda )\). Without loss of generality, we can prove security in the column game instead of the selective security game defined in Definition 3.

We now consider the following sequence of games. Let \(\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{i}}(\lambda )\) be the advantage of the adversary \(\mathcal {A}\) in \(\mathsf {Game}_i\).

  • \(\mathsf {Game}_{0}\): This game is the same as the column game, so it holds that

    $$ \mathsf {Adv}_{\mathcal {A}}^{\mathsf {column}}(\lambda ) = \mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{0}}(\lambda ). $$
  • \(\mathsf {Game}_{1}\): This game is the same as \(\mathsf {Game}_{0}\) except that the challenger aborts if the adversary sends the random oracle query \((\mathbf {D}, f)\) such that \(\mathbf {D}=\mathbf {A}\) and \(f(x^{*}) = 1\) before the challenger outputs the challenge attribute \(x^{*}\).

    Since the probability that the adversary sends such query is \(\mathsf {negl}(\lambda )\), we have

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{1}}(\lambda ) - \mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{0}}(\lambda )| = \mathsf {negl}(\lambda ). $$
  • \(\mathsf {Game}_{2}\): This game is the same as \(\mathsf {Game}_{1}\) except that for every \(\mathsf {Keygen}\) query the challenger chooses the randomness for \(\mathbf {A}_{\tau _{0}}^{-1}\) uniformly instead of generating it with the PRF. To answer the oracle queries consistently, the challenger stores each \(\mathsf {Keygen}\) query and its secret key in a table. By the property of the PRF, this game is indistinguishable from \(\mathsf {Game}_{1}\):

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{2}}(\lambda ) - \mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{1}}(\lambda )| = \mathsf {negl}(\lambda ). $$
  • \(\mathsf {Game}_{3}\): This game is the same as \(\mathsf {Game}_{2}\) except for the generation of the public parameters \(\mathbf {B}, \mathbf {B}_{0}, \mathbf {B}_{1}, \ldots , \mathbf {B}_{\ell }\). Here, there exist matrices \(\mathbf {R}_{0}, \mathbf {R}_{1},\ldots ,\mathbf {R}_{\ell }\) that are distributed uniformly over \(\{0,1\}^{m\times N}\) and satisfy \(\mathbf {e}_{i}=\mathbf {R}_{i}^{T}\mathbf {e}_{A}\) and \(\mathbf {e}^{(k)}_{i}=\mathbf {R}_{i}^{T}\mathbf {e}^{(k)}_{A}\). There also exists a matrix \(\mathbf {R}^{(F)}\) that is distributed uniformly over \(\{0,1\}^{m\times N}\) and satisfies \(\mathbf {e}^{(F)}=(\mathbf {R}^{(F)})^{T}\mathbf {e}_{A}^{(F)}\). In this game, the public matrices \(\mathbf {B}, \mathbf {B}_{0}, \mathbf {B}_{1},\ldots ,\mathbf {B}_{\ell }\) are computed as \(\mathbf {B}:=\mathbf {A}\mathbf {R}^{(F)}, \mathbf {B}_{0}:=\mathbf {A}\mathbf {R}_{0}, \mathbf {B}_{i}:=\mathbf {A}\mathbf {R}_{i}+x^{*}_{i}(\mathbf {I}_{n}\otimes \mathbf {g}^{T})\) (\(\forall i\in [\ell ]\)) instead of being chosen uniformly at random. By the leftover hash lemma, the distribution of each of \(\mathbf {B}, \mathbf {B}_{0}, \mathbf {B}_{1},\ldots ,\mathbf {B}_{\ell }\) is indistinguishable from uniform over \(\mathbb {Z}_{q}^{n\times N}\). Hence we have

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{3}}(\lambda )-\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{2}}(\lambda )|=\mathsf {negl}(\lambda ). $$
  • \(\mathsf {Game}_{4}\): This game is the same as \(\mathsf {Game}_{3}\) except that the secret key \(\mathsf {sk}_{f}\) returned for the key generation query \((\mathbf {A}, f)\) is generated without using the trapdoor \(\mathbf {A}^{-1}_{\tau }\).

    Without loss of generality, we can assume that the tuple \((\mathbf {A}, f)\) is queried to the \(\mathsf {Keygen}\) oracle before it is queried to the random oracle. By the definition of selective security, the policy f satisfies \(f(x^{*}) = 1\) for the challenge attribute \(x^{*}\), and \([\mathbf {r}_{f}, \mathbf {r}'_{f}]\) is generated as \(\mathbf {r}'_{f}\leftarrow \{0,1\}^{N}\) and \(\mathbf {r}_{f}\leftarrow \mathbf {A}^{-1}_{\tau }(-\mathbf {v}-(\mathbf {B}_{0}+\mathbf {B}_{f})\mathbf {r}'_{f})\).

    Let \(\mathbf {H}:=\mathsf {EvRelation}(f, x^{*}, \mathbf {\mathbf {B}_{x^{*}}})\). Then it holds that \(\mathbf {B}_{f}-f(x^{*})(\mathbf {I}_{n}\otimes \mathbf {g}^{T}) = (\mathbf {\mathbf {B}_{x^{*}}}-x^{*}\mathbf {\mathbf {G}})\mathbf {H}\). From \(f(x^{*}) = 1\), we have \(\mathbf {B}_{f}=\mathbf {A}\mathbf {\mathbf {R}}\mathbf {H}+(\mathbf {I}_{n}\otimes \mathbf {g}^{T})\). Hence we have \([\mathbf {A}, \mathbf {B}_{0}+\mathbf {B}_{f}] =[\mathbf {A}, \mathbf {A}(\mathbf {R}_{0}+\mathbf {\mathbf {R}}\mathbf {H})+(\mathbf {I}_{n}\otimes \mathbf {g}^{T})]\). By Corollary 2, when given \(\mathbf {R}_{0}\), \(\mathbf {\mathbf {R}}\) and \(\mathbf {H}\), for any \(\tau \ge \tau '=O(\sqrt{mn}\cdot N\cdot ||(\mathbf {R}_{0}+\mathbf {\mathbf {R}}\mathbf {H})||_{\infty })\), we can sample from \([\mathbf {A}, \mathbf {B}_{0}+\mathbf {B}_{f}]^{-1}_{P}\) for \(P=D_{\mathbb {Z}^{m}, \tau }\times \{0,1\}^{N}\).

    We generate \([\mathbf {r}_{f}, \mathbf {r}'_{f}]\) by \([\mathbf {r}_{f}, \mathbf {r}'_{f}]\leftarrow [\mathbf {A}, \mathbf {B}_{0}+\mathbf {B}_{f}]^{-1}_{P}(-\mathbf {v})\). Then, \(\mathbf {r}_{f}'\) is stored as the reply for the random oracle query \((\mathbf {A}, f)\). By Corollary 2, the marginal distribution of \(\mathbf {r}'_{f}\) is statistically indistinguishable from uniform over \(\{0,1\}^{N}\), and the probability distribution of \(\mathbf {r}_{f}\) conditioned on \(\mathbf {r}'_{f}\) is a discrete Gaussian distribution over the appropriate coset of the integer lattice. Since the view of the adversary in this game is statistically indistinguishable from that of \(\mathsf {Game}_{3}\), we have

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{4}}(\lambda )-\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{3}}(\lambda )| = \mathsf {negl}(\lambda ). $$
  • \(\mathsf {Game}_{5}\): This game is the same as \(\mathsf {Game}_{4}\) except for the way to choose \(\mathbf {A}\). The challenger chooses random \(\mathbf {A}\) from \(\mathbb {Z}_{q}^{n\times m}\) instead of generating it by using \(\mathsf {TrapGen}\). By Corollary 1, the distribution of the matrix \(\mathbf {A}\) generated by \(\mathsf {TrapGen}\) is statistically indistinguishable from uniform over \(\mathbb {Z}_{q}^{n\times m}\), so we have

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{5}}(\lambda )-\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{4}}(\lambda )| = \mathsf {negl}(\lambda ). $$
  • \(\mathsf {Game}_{6}\): We change the contents of the challenge ciphertexts as follows:

    $$ \begin{aligned} \mathbf {u}_{A}^{(C)}:=\mathbf {A}^{T}\mathbf {s}+\mathbf {e}_{A},&u_{v}^{(C)}:=\mathbf {v}^{T}\mathbf {s} + e_{v},&\mathbf {u}_{A}^{(F)}:=\mathbf {A}^{T}\mathbf {r}+\mathbf {e}_{A}^{(F)}, \end{aligned} $$
    $$ \begin{aligned} u_{v}^{(F)}:=\mathbf {v}^{T}\mathbf {r}+e_{v}^{(F)},&\mathbf {u}_{A}^{(D, k)}:=\mathbf {A}^{T}\mathbf {s}^{(k)}+\mathbf {e}_{A}^{(k)},&u_{v}^{(D, k)}:=\mathbf {v}^{T}\mathbf {s}^{(k)}+e_{v}^{(k)}. \end{aligned} $$

    The challenge ciphertexts can be rewritten as

    $$ \begin{aligned} \mathbf {c} := \begin{bmatrix} \mathbf {u}_{A}^{(C)}\\ \mathbf {R}_{0}^{T}\mathbf {u}_{A}^{(C)}\\ u_{v}^{(C)} \end{bmatrix},&\mathbf {c}_{x^{*}} := \begin{bmatrix} \mathbf {R}_{1}^{T}\mathbf {u}_{A}^{(C)}\\ \vdots \\ \mathbf {R}_{\ell }^{T}\mathbf {u}_{A}^{(C)} \end{bmatrix},&\mathbf {f} := \begin{bmatrix} \mathbf {u}_{A}^{(F)}\\ (\mathbf {R}^{(F)})^{T}\mathbf {u}_{A}^{(F)}\\ u_{v}^{(F)} \end{bmatrix}, \end{aligned} $$
    $$ \begin{aligned} \mathbf {d}^{(k)} := \begin{bmatrix} \mathbf {u}^{(D, k)}_{A}\\ \mathbf {R}_{0}^{T}\mathbf {u}^{(D, k)}_{A}\\ u_{v}^{(D, k)} \end{bmatrix},&\mathbf {d}_{x^{*}}^{(k)} := \begin{bmatrix} \mathbf {R}_{1}^{T}\mathbf {u}^{(D, k)}_{A}\\ \vdots \\ \mathbf {R}_{\ell }^{T}\mathbf {u}^{(D, k)}_{A} \end{bmatrix} \ \ \ \ (\forall k\in [N]). \end{aligned} $$

    This game is equivalent to \(\mathsf {Game}_{5}\), so we have

    $$ \mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{6}}(\lambda )=\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{5}}(\lambda ). $$
  • \(\mathsf {Game}_{7}\): We change the distribution of \(\mathbf {u}_{A}^{(C)}, u_{v}^{(C)}, \mathbf {u}_{A}^{(F)}, u_{v}^{(F)}, \mathbf {u}_{A}^{(D, k)}, u_{v}^{(D, k)}\) to the uniform distribution. By the \(\mathsf {DLWE}_{n, q, \chi }\) assumption, this change cannot be distinguished by the adversary \(\mathcal {A}\) and so we have

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{7}}(\lambda ) - \mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{6}}(\lambda )| = \mathsf {negl}(\lambda ). $$
  • \(\mathsf {Game}_{8}\): In this game, we change the distribution of the challenge ciphertexts to uniform. By the leftover hash lemma, the view of the adversary in this game is statistically indistinguishable from that in \(\mathsf {Game}_{7}\), so we have

    $$ |\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{8}}(\lambda ) - \mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{7}}(\lambda )| = \mathsf {negl}(\lambda ). $$

    The advantage of the adversary in this game is 0, that is, \(\mathsf {Adv}_{\mathcal {A}}^{\mathsf {Game}_{8}}(\lambda )=0\).

From the above sequence of games, we can see that \(\mathsf {Adv}_{\mathcal {A}}^{\mathsf {column}}(\lambda )=\mathsf {negl}(\lambda )\), and therefore the proposed MT-HABE is selectively secure.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Hiromasa, R., Kawai, Y. (2017). Dynamic Multi Target Homomorphic Attribute-Based Encryption. In: O'Neill, M. (ed.) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science, vol 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_2

  • DOI: https://doi.org/10.1007/978-3-319-71045-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71044-0

  • Online ISBN: 978-3-319-71045-7