
1 Introduction

Attribute-based Encryption (ABE), which provides fine-grained access control, is a good solution to the secure sharing of cloud data. There are mainly two types of ABE schemes: Key-Policy ABE (KP-ABE), where the ciphertexts are associated with sets of attributes while the keys are associated with access policies; and Ciphertext-Policy ABE (CP-ABE), where the keys are associated with sets of attributes and the ciphertexts are associated with access policies.

Attribute-based proxy re-encryption (AB-PRE) is an application of proxy cryptography in ABE [4, 15, 19, 26]. AB-PRE schemes allow the data owner to delegate the capability of re-encryption to a semi-trusted proxy. In this way, the proxy is capable of running the re-encryption operation, which reduces the computation cost of the data owner. An authorized user is able to decrypt the re-encrypted data using only his/her own secret key, and no additional component is needed. Moreover, no sensitive data can be revealed by the proxy. However, there exists a problem in current ciphertext-policy attribute-based proxy re-encryption (CP-AB-PRE) schemes [4, 15, 19, 27]. In these schemes, the ciphertext policy, which consists of the user’s attributes, is exposed to the proxy, so the proxy can learn some attribute information about both the owner and the user. A user’s attributes may contain his/her sensitive information. These data relate to user privacy and should not be exposed to a third party.

To solve the problem mentioned above, we borrow the concept of hidden policy that appeared in schemes [9, 12, 13, 21, 22] to propose a hidden ciphertext policy attribute-based proxy re-encryption scheme. By using our scheme, the proxy can obtain little sensitive data or privacy information of the user.

Our Contributions. By employing the AND-gates policy, we propose the first fully secure hidden CP-AB-PRE scheme, which better protects the user’s privacy. Our scheme has the following properties:

  • Unidirectionality (A ciphertext CT is able to be transformed to \(CT^{'}\) but it cannot be transformed from \(CT^{'}\)).

  • Non-Interactivity (The data owner is able to generate the re-encryption key by himself without any participation of the untrusted third party).

  • Multi-use (The encrypted data can be re-encrypted multiple times).

  • Master key security (The proxy or the user doesn’t need to obtain the data owner’s secret key during the re-encryption and decryption process).

  • Re-encryption control (The data owner can determine whether the encrypted data can be re-encrypted).

  • Collusion resistant (Users are not able to combine their keys to obtain the plaintext which belongs to none of them).

Table 1 shows the comparison between our CP-AB-PRE scheme and other schemes on the main features.

Table 1. Comparison of features of AB-PRE schemes

Related Work. Proxy re-encryption was first proposed by Blaze et al. [2]; it transforms a ciphertext under one key into a ciphertext under another key without revealing the secret key or the plaintext. However, the delegation requires an unrealistic level of trust in the proxy, because sensitive information can be revealed during the re-encryption process. To solve this problem, Ateniese et al. proposed a new proxy re-encryption scheme in 2005 [1]. Green and Ateniese presented an identity-based proxy re-encryption (IB-PRE) scheme in 2007 [5], but it was only proved secure in the random oracle model. Then many improved IB-PRE schemes were proposed [3, 7, 16, 20, 23]. After ABE was introduced, Guo et al. proposed the first AB-PRE scheme [26], which is also the first key-policy AB-PRE scheme, but this scheme is bidirectional. Then Liang et al. proposed the first CP-AB-PRE scheme [15] and realized the Multi-use property, but as the number of re-encryptions increases, the size of the encrypted ciphertext grows linearly. In 2010, Luo et al. presented a CP-AB-PRE scheme [19] which allows the data owner to decide whether the ciphertext can be re-encrypted. In the same year, Yu et al. introduced a new property of Data confidentiality in their paper [27], but their scheme is vulnerable to a Collusion Attack. Do et al. proposed a new AB-PRE scheme to support the Collusion resistant property in 2011. There were also some other AB-PRE schemes proposed in 2011 [4, 6, 8, 25]. After that, Liu et al. added a timestamp and proposed two AB-PRE schemes [17, 18] which can prevent revoked users from accessing the encrypted data. Later in 2012, Seo et al. introduced an AB-PRE scheme with a constant number of pairing operations to save computation cost [24]. However, none of the above schemes achieved full security. In 2014, Liang et al. proposed a fully secure CP-AB-PRE scheme by integrating the dual system encryption technology [14], then in 2016, Li et al. proposed another fully secure scheme under the same system [11]. Until now, none of the previous CP-AB-PRE schemes has obtained the property of Hidden Policy. Therefore, we focus on this problem in this work.

Organization. This paper is organized as follows. We first give the relevant access structure, complexity assumptions and security model about CP-AB-PRE in Sect. 2. In Sect. 3, we introduce the construction of our hidden policy CP-AB-PRE scheme. In Sect. 4, we prove the full security of our scheme. Then in Sect. 5, we give a conclusion of our work.

2 Access Structure and Complexity Assumptions

2.1 Access Structure

We take AND-gates as the basic access policy in our scheme, where negative attributes and wildcards are supported. A negative attribute denotes that a user must not have this attribute, and a wildcard means this attribute is out of consideration. Multi-valued attributes are also supported in our scheme.

We use notation such as \(W=[W_1,\,\cdots ,\,W_n] = [1, 0, *, *, 0]\) where \(n = 5\) to specify the ciphertext policy. The wildcard * in the ciphertext policy means a “don’t care” value, which can be considered as an AND-gate on all the attributes. For example, the above ciphertext policy means that the recipient who wants to decrypt must have the value 1 for \(W_1\), 0 for \(W_2\) and \(W_5\), and the values for \(W_3\) and \(W_4\) do not matter in the AND-gate. A recipient with policy [1, 0, 1, 0, 0] can decrypt the ciphertext, but a recipient with policy [1, 1, 1, 0, 1] cannot.

To support multi-valued attributes, we use the following notation. Let \(L=[v_{1,t_1},v_{2,t_2},\,\cdots ,\,v_{n,t_n}]\) be an attribute list, where \(t_i\) means the \(t_i^{th}\) attribute in attribute set \(L_i\). For a ciphertext policy \(W = [W_1, W_2, \cdots , W_n]\), L satisfies W if for all \(i = 1, \cdots , n\), \(v_{i,t_i} \in W_i\) or \(W_i=*\); otherwise L does not satisfy W. We use the notation \(L\,\models \,W\) to mean that L satisfies W.

2.2 Complexity Assumptions

The Basic Generic Group Assumption. Given a group generator \(\mathcal {G}\), we define the following distribution:

$$\mathbb {G}=(N=p_1p_2p_3,G,G_T,e) \xleftarrow []{R} \mathcal {G}, \ g_1 \in G_{p_1}, g_2,X_2,Y_2 \in G_{p_2},g_3 \in G_{p_3}, \ \alpha ,s \in \mathbb {Z}_N,$$
$$D=(\mathbb {G},g_1,g_2,g_3,g_1^{\alpha }X_2,g_1^sY_2), \ T_0=e(g_1,g_1)^{\alpha s}, T_1 \in G_T.$$

We define the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption to be:

$$Adv_{\mathcal {G,A}}^1(\lambda ):=|Pr[\mathcal {A}(D,T_0)=1]-Pr[\mathcal {A}(D,T_1)=1]|.$$

The General Subgroup Decision Assumption. We let \(\mathcal {G}\) denote a group generator and \(Z_0,Z_1,Z_2,\,\ldots ,\,Z_k\) denote a collection of non-empty subsets of \(\{1,2,3\}\) where each \(Z_i\) for \(i\ge 2\) satisfies \(\mathbb {G}=(N=p_1p_2p_3,G,G_T,e)\xleftarrow []{R} \mathcal {G}.\)

The Three Party Diffie-Hellman Assumption in a Subgroup. Given a group generator \(\mathcal {G}\), we define the following distribution:

$$\mathbb {G} = (N = p_1p_2p_3,G,G_T,e) \xleftarrow []{R}\mathcal {G}, \ g_1 \in G_{p_1},\ g_2 \in G_{p_2},\ g_3 \in G_{p_3}, \ x,y,z \in \mathbb {Z}_N,$$
$$D=(\mathbb {G},g_1,g_2,g_3,g_2^x,g_2^y,g_2^z), \ T_0=g_2^{xyz},\ T_1 \in G_{p_2}.$$

We define the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption to be:

$$Adv_{\mathcal {G,A}}^{3DH}(\lambda ):=|Pr[\mathcal {A}(D,T_0) = 1]-Pr[\mathcal {A}(D,T_1) = 1]|.$$

We say that \(\mathcal {G}\) satisfies The Three Party Diffie-Hellman Assumption if \(Adv_{\mathcal {G},\mathcal {A}}^{3DH}(\lambda )\) is a negligible function of \(\lambda \) for any PPT algorithm \(\mathcal {A}\).

The Source Group \({\varvec{q}}\)-Parallel BDHE Assumption in a Subgroup. Given a group generator \(\mathcal {G}\) and a positive integer q, we define the following distribution:

$$\mathbb {G}=(N=p_1p_2p_3,G,G_T,e) \xleftarrow []{R} \mathcal {G},\ g_1 \in G_{p_1}, g_2 \in G_{p_2}, g_3 \in G_{p_3},\ c, d, f, b_1,\,\ldots ,\,b_q \!\in \! \mathbb {Z}_N.$$

The adversary will be given:

$$\begin{aligned} D=&(\mathbb {G},g_1,g_2,g_3,g_2^f,g_2^{df},g_2^c,g_2^{c^2},\,\ldots ,\,g_2^{c^q},g_2^{c^{q+2}},\,\ldots ,\,g_2^{c^{2q}},\\&g_2^{\frac{c^i}{b_j}}\ \forall i \in [2q] \setminus \{q+1\}, j \in [q],\ g_2^{dfb_j}\ \forall j \in [q],\ g_2^{\frac{dfc^ib_{j^{'}}}{b_j}}\ \forall i \in [q],\ j,j^{'} \in [q]\ s.t.\ j \ne j^{'}). \end{aligned}$$

We additionally define \(T_0=g_2^{dc^{q+1}}, \ T_1 \in G_{p_2}\).

We define the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption to be:

$$Adv_{\mathcal {G,A}}^q(\lambda ):=|Pr[\mathcal {A}(D,T_0)=1]-Pr[\mathcal {A}(D,T_1)=1]|.$$

We say that \(\mathcal {G}\) satisfies The Source Group q-Parallel BDHE Assumption in a Subgroup if \(Adv_{\mathcal {G},\mathcal {A}}^q(\lambda )\) is a negligible function of \(\lambda \) for any PPT algorithm \(\mathcal {A}\).

2.3 Security Model

The definition of full security for the CP-ABE system is described by a security game between a challenger and an attacker, which proceeds as follows:

  • Setup. The challenger runs the Setup algorithm and sends the public parameters PP to the attacker and the challenger knows the master key MSK.

  • Phase 1. The attacker adaptively makes queries for private keys corresponding to sets of attributes \(S_1,\,\ldots ,\,S_{Q_1}\) to the challenger. Each time, the challenger responds with a secret key obtained by running \(KeyGen(MSK,PP,S_k)\). The attacker may also request re-encryption keys for access policies \(W^{\prime }\), and the challenger will run the \(RKGen(SK_L,W^{\prime })\) algorithm to respond.

  • Challenge. The attacker selects two messages \(M_0\) and \(M_1\) with the same length and an access structure W. The challenger flips a random coin \(b\in \{0,1\}\) and encrypts \(M_b\) under W to generate CT. It sends CT to the attacker.

  • Phase 2. Phase 2 is similar to Phase 1 except that the attacker adaptively requests private keys corresponding to sets of attributes \(S_{Q_1+1},\,\ldots ,\,S_Q\). Notice that none of the queried attribute sets may satisfy the access structure W from the challenge phase.

  • Guess. The attacker outputs a guess \(b^{'}\) for b.

The advantage of an attacker in this game is defined to be \(Pr[b=b^{'}]-\frac{1}{2}\).

3 Our Construction

\({\varvec{Setup}}(1^{{\varvec{k}}},{\varvec{n}}).\) A trusted authority generates a tuple \(G=[p,G,G_T,g \in G,e]\) and a random \(w \in \mathbb {Z}_p^*\). For each attribute i where \(1\le i \le n\), the authority generates random values \(\{a_{i,t},b_{i,t} \in \mathbb {Z}_p^*\}_{1\le t \le n_i}\) and random points \(\{A_{i,t} \in G\}_{1 \le t \le n_i}\). It computes \(Y=e(g,g)^w\). The public key PK and the master key MK are

$$PK=\{ Y,p,G,G_T,g,e,\{\{A_{i,t}^{a_{i,t}},A_{i,t}^{b_{i,t}}\}_{1 \le t \le n_i} \}_{1 \le i \le n} \},$$
$$MK=\{ w,\{\{a_{i,t},b_{i,t}\}_{1 \le t \le n_i}\}_{1 \le i \le n} \}.$$

\({\varvec{KeyGen}}({\varvec{MK}},{\varvec{L}}).\) Let \(L=[L_1,L_2,\,\ldots ,\,L_n]=[v_{1,t_1},v_{2,t_2},\,\ldots ,\,v_{n,t_n}]\) be the attribute list for the user who obtains the corresponding secret key. The trusted authority picks random values \(s_i,\lambda _i \in \mathbb {Z}_p^*\) for \(1 \le i \le n\) and random elements \(R,R_0,R_1,R_2 \in G_{p_3}\), sets \(s=\sum _{i=1}^{n}s_i\), and computes \(D_0=g^{w-s}R\). For \(1 \le i \le n\), the authority computes \(D_{i,0}=g^{s_i}(A_{i,t_i})^{a_{i,t_i}b_{i,t_i}\lambda _i}R_0, D_{i,1}=g^{a_{i,t_i}\lambda _i}R_1, D_{i,2}=g^{b_{i,t_i}\lambda _i}R_2\). The secret key \(SK_L\) is formed as: \(SK_L=\{ D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n} \}\).

\({\varvec{Encrypt}}({\varvec{PK}},{\varvec{M}},{\varvec{W}}).\) An encryptor encrypts a message \(M\in G_T\) under a ciphertext policy \(W=[W_1,W_2,\,\ldots ,\,W_n]\). It picks a random value \(r \in \mathbb {Z}_p^*\) and sets \(\tilde{C}=MY^r,C_0=g^r\), then picks a random value \(h \in \mathbb {Z}_p^*\) and computes \(C_0^{'}=h^r\). For \(1 \le i \le n\), it picks random values \(\{r_{i,t} \in \mathbb {Z}_p^*\}_{1 \le t \le n_i}\) and computes \(C_{i,t,1}, C_{i,t,2}\) as follows: if \(v_{i,t} \in W_i\), \(C_{i,t,1}=(A_{i,t}^{b_{i,t}})^{r_{i,t}}, C_{i,t,2}=(A_{i,t}^{a_{i,t}})^{r-r_{i,t}}\) (well-formed); if \(v_{i,t} \notin W_i\), \(C_{i,t,1}, C_{i,t,2}\) are random (mal-formed). The ciphertext CT is: \(CT=\{ \tilde{C}, C_0, C_0^{'}, \{\{C_{i,t,1},C_{i,t,2}\}_{1 \le t \le n_i} \} _{1 \le i \le n} \}\).

\({\varvec{RKGen}}({\varvec{SK}}_{{\varvec{L}}},{\varvec{W}}).\) Let \(SK_L\) denote a valid secret key and W an access policy. To generate a re-encryption key for W, choose \(d \in \mathbb {Z}_p\) and compute \(g^d\), \(D_{i,0}^{'}=D_{i,0}h^d\). Set \(D_0^{'}=D_0,D_{i,1}^{'}=D_{i,1}, D_{i,2}^{'}=D_{i,2}\), and compute \(\mathbb {C}\) which is the ciphertext of \(E(g^d)\) under the access policy W, i.e., \(\mathbb {C}=Encrypt(PK,E(g^d),W)\). The re-encryption key for W is \(RK_{L \rightarrow W}=\{ D_0^{'},\{\{D_{i,j}^{'}\}_{1 \le j \le 2}\}_{1 \le i \le n}, \mathbb {C} \}\).

\({\varvec{Re-encrypt}}({\varvec{RK}}_{{\varvec{L}} \rightarrow {\varvec{W}}^{'}},{\varvec{CT}}_{{\varvec{W}}}).\) Let \(RK_{L\rightarrow W^{'}}\) be a valid re-encryption key for access policy \(W^{'}\) and \(CT_W\) a well-formed ciphertext \(\tilde{C}, C_0, C_0^{'}, \{\{C_{i,t,1},C_{i,t,2}\}_{1 \le t \le n_i} \} _{1 \le i \le n}\). For \(1 \le i \le n\), compute \(E_i=\frac{e(C_0,D_{i,0}^{'})}{e(C_{i,t,1},D_{i,1}^{'})e(C_{i,t,2},D_{i,2}^{'})}=e(g,g)^{rs_i}e(g,h)^{rd}\), then compute \(\bar{C}=e(C_0,D_0^{'})\prod _{i=1}^nE_i=e(g,g)^{wr}e(g,h)^{nrd}\). The re-encrypted ciphertext is formed as \(CT^{'}=\{ \tilde{C},C_0^{'},\bar{C},\mathbb {C} \}\).

\({\varvec{Decrypt}}({\varvec{CT}}_{{\varvec{W}}},{\varvec{SK}}_{{\varvec{L}}}).\) The recipient tries to decrypt CT without knowing W, using his/her \(SK_L\), as follows:

Assume \(L=[L_1,L_2,\,\ldots ,\,L_n]=[v_{1,t_1},v_{2,t_2},\,\ldots ,\,v_{n,t_n}]\) is the user’s attribute list.

  • If CT is an original well-formed ciphertext, then for \(1 \le i \le n\) set \(C_{i,1}^{'}=C_{i,t,1},\ C_{i,2}^{'}=C_{i,t,2}\) where \(L_i=v_{i,t_i}\), and compute \(M=\frac{\tilde{C}\prod _{i=1}^ne(C_{i,1}^{'},D_{i,1})e(C_{i,2}^{'},D_{i,2})}{e(C_0,D_0)\prod _{i=1}^ne(C_0,D_{i,0})}\).

  • Else if CT is a re-encrypted well-formed ciphertext, then

    1. Decrypt \(E(g^d)\) from \(\mathbb {C}\) using the secret key \(SK_L\) and decode it to \(g^d\).

    2. \(M=\tilde{C}\cdot e(C_0^{'},g^d)^n/\bar{C}\).

4 Security Proof

We prove our scheme fully secure using the dual system [10] under the general subgroup decision assumption, the three party Diffie-Hellman assumption in a subgroup, and the source group q-parallel BDHE assumption in a subgroup.

Let \(Game_{real}\) denote the real security game defined in Sect. 2.3. We assume \(g_2 \in G_{p_2}\) and give the definition of semi-functional keys and semi-functional ciphertexts.

  • Semi-functional Keys. Let \(L=[L_1,L_2,\cdots ,\,L_n]=[v_{1,t_1},v_{2,t_2},\cdots ,\,v_{n,t_n}]\) be an attribute list. We first run the normal KeyGen algorithm to produce a normal key \(D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\). Then we choose a random element \(W \in G_{p_2}\) and generate the semi-functional key: \(D_0W,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\).

  • Semi-functional Ciphertexts. To produce a semi-functional ciphertext, we first run the normal Encrypt algorithm to produce a normal ciphertext, which is formed as \(\tilde{C},C_0,C_0^{'},C_{i,t,1},C_{i,t,2}\). We assume \(A_{i,t}=g^{u_{i,t}}\), so \(C_{i,t,1}=(g^{u_{i,t}b_{i,t}})^{r_{i,t}}, C_{i,t,2}=(g^{u_{i,t}a_{i,t}})^{r-r_{i,t}}\). Then we choose random exponents \(r^{'},r_{i,t}^{'} \in \mathbb {Z}_p^*\) and the semi-functional ciphertext is formed as:

    $$\tilde{C},C_0g_2^{r^{'}},C_0^{'}g_2^{r^{'}},C_{i,t,1}g_2^{u_{i,t}^{'}b_{i,t}^{'}r_{i,t}^{'}},C_{i,t,2}g_2^{u_{i,t}^{'}a_{i,t}^{'}(r^{'}-r_{i,t}^{'})}.$$
  • Game \(_k\). Let Q denote the total number of key queries from the attacker. In this game, the ciphertext given to the attacker is semi-functional as well as the first k keys. The remaining keys are normal.

    We define some transitions to complete our security proof. At the beginning, we transit from \(Game_{real}\) to \(Game_0\), then from \(Game_0\) to \(Game_1\), and so on. We finally get the transition of \(Game_{Q-1}\) to \(Game_Q\). The ciphertext as well as all the keys given to the attacker are semi-functional in \(Game_Q\). We then transit from \(Game_Q\) to \(Game_{final}\). \(Game_{final}\) is similar to \(Game_Q\) except that the ciphertext given to the attacker is a semi-functional encryption of a random message.

    To complete the transition from \(Game_{k-1}\) to \(Game_k\), we define another two types of semi-functional keys as follows:

  • Nominal Semi-functional Keys. The nominal semi-functional keys share the values \(a_{i,t_i}^{'},b_{i,t_i}^{'},u_{i,t_i}^{'}\) with the semi-functional ciphertext. Then choose random exponents \(s^{'}\) and \(s_i^{'}\). The nominal semi-functional keys are formed as:

    $$D_0g_2^{-s^{'}},D_{i,0}g_2^{s_i^{'}+u_{i,t_i}^{'}a_{i,t_i}^{'}b_{i,t_i}^{'}\lambda _i^{'}},D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.$$
  • Temporary Semi-functional Keys. The temporary semi-functional keys share the values \(a_{i,t_i}^{'},b_{i,t_i}^{'},u_{i,t_i}^{'}\) with the semi-functional ciphertext. Then choose random \(W \in G_{p_2}\) and random exponents \(s^{'}\) and \(s_i^{'}\). The temporary semi-functional keys are formed as: \(D_0W,D_{i,0}g_2^{s_i^{'}+u_{i,t_i}^{'}a_{i,t_i}^{'}b_{i,t_i}^{'}\lambda _i^{'}},D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.\)

    For any k (\(1 \le k \le Q\)), we give the definition of \(Game_k^N\) and \(Game_k^T\):

  • Game \(_k^N\). \(Game_k^N\) is similar to \(Game_k\), except that the \(k^{th}\) key given to the attacker is a nominal semi-functional key.

  • Game \(_k^T\). \(Game_k^T\) is similar to \(Game_k\), except that the \(k^{th}\) key given to the attacker is a temporary semi-functional key. To achieve the transition from \(Game_{k-1}\) to \(Game_k\), we first transit from \(Game_{k-1}\) to \(Game_k^N\), then from \(Game_k^N\) to \(Game_k^T\) and finally from \(Game_k^T\) to \(Game_k\).

    Then we give the following lemmas to realize our proof.

  • Lemma 1. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_{real}\) and \(Game_0\).

    We prove this lemma under the general subgroup decision assumption.

  • Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_{real}\) and \(Game_0\), we will create a PPT algorithm \(\mathcal {B}\) to break the general subgroup decision assumption. \(\mathcal {B}\) is given \(g_1\) which is a random element of \(G_{p_1}\), \(g_3\) which is a random element of \(G_{p_3}\), and T which is either a random element of \(G_{p_1}\) or a random element of \(G_{p_1p_2}\). Due to the different values of T, \(\mathcal {B}\) will simulate either \(Game_{real}\) or \(Game_0\) with \(\mathcal {A}\).

    \(\mathcal {B}\) first runs the Setup algorithm and generates the public parameters:

    $$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$

    \(A_{i,t},w,u_{i,t},a_{i,t},b_{i,t}\) are selected randomly by \(\mathcal {B}\), and the master key is known to \(\mathcal {B}\). \(\mathcal {B}\) sends the public parameters to \(\mathcal {A}\). When \(\mathcal {A}\) requests a secret key, or a re-encryption key, \(\mathcal {B}\) runs the normal KeyGen algorithm or the normal RKGen algorithm to generate the requested one.

    On the other hand, \(\mathcal {A}\) is allowed to request a challenge ciphertext. \(\mathcal {A}\) first selects two messages \(M_0\) and \(M_1\) with the same length, and an access policy W, then sends them to \(\mathcal {B}\). \(\mathcal {B}\) flips a coin to choose a random bit b and then encrypts \(M_b\ (b \in \{0,1\})\) under W as follows. It implicitly sets \(g^r\) equal to the \(G_{p_1}\) part of T. It also chooses \(\tilde{r}_{i,t}, r^{''} \in \mathbb {Z}_N, \forall t \in [1,n_i], \forall i \in [1,n]\) and implicitly sets \(r\tilde{r}_{i,t}=r_{i,t}\). The ciphertext is formed as:

    $${\tilde{C}=Me(g_1,T)^w},C_0=T,C_0^{'}=T^{r^{''}},C_{i,t,1}=(T^{u_{i,t}b_{i,t}})^{\tilde{r}_{i,t}},C_{i,t,2}=(T^{u_{i,t}a_{i,t}})^{1-\tilde{r}_{i,t}}.$$

    If \(T \in G_{p_1}\), this is a properly distributed normal ciphertext, and \(\mathcal {B}\) has properly simulated \(Game_{real}\) with \(\mathcal {A}\). If \(T\in G_{p_1p_2}\), then this is a semi-functional ciphertext, where \(g_2^{r^{'}}\) is the \(G_{p_2}\) part of T, \(u_{i,t}^{'}\) is equal to the value of \(u_{i,t}\) modulo \(p_2\), \(a_{i,t}^{'}\) is equal to the value of \(a_{i,t}\) modulo \(p_2\), \(b_{i,t}^{'}\) is equal to the value of \(b_{i,t}\) modulo \(p_2\), and \(r^{'}-r_{i,t}^{'}\) is equal to the value of \(1-\tilde{r}_{i,t}\) modulo \(p_2\). Then \(\mathcal {B}\) has properly simulated \(Game_0\) with \(\mathcal {A}\).

  • Lemma 2. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_{k-1}\) and \(Game_k^N\) for any \(k \in [1, Q]\).

    We prove this lemma under the general subgroup decision assumption.

  • Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_{k-1}\) and \(Game_k^N\) for some k between 1 and Q, we will create a PPT algorithm \(\mathcal {B}\) to break the general subgroup decision assumption. \(\mathcal {B}\) is given \(g_1, g_3, X_1X_2, Y_2Y_3, T\) where \(g_1, X_1\) are generators of \(G_{p_1}\), \(X_2\) is a generator of \(G_{p_2}\), \(g_3, Y_3\) are generators of \(G_{p_3}\), and T is either a random element of \(G_{p_1}G_{p_3}\) or a random element of \(G_{p_1p_2p_3}\). Due to the different values of T, \(\mathcal {B}\) will simulate either \(Game_{k-1}\) or \(Game_k^N\) with \(\mathcal {A}\).

    \(\mathcal {B}\) first runs the Setup algorithm and generates the public parameters:

    $$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$

    \(A_{i,t},w,u_{i,t},a_{i,t},b_{i,t}\) are selected randomly by \(\mathcal {B}\), and the master key is known to \(\mathcal {B}\). \(\mathcal {B}\) sends the public parameters to \(\mathcal {A}\). When \(\mathcal {A}\) requests a secret key or a re-encryption key, \(\mathcal {B}\) runs the normal KeyGen algorithm or the normal RKGen algorithm to generate the requested one.

    In response to \(\mathcal {A}\)’s first \(k-1\) key queries, \(\mathcal {B}\) produces semi-functional keys as follows. It first runs the normal KeyGen algorithm to produce a normal key \(D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\), and then it chooses a random exponent \(\tau \in \mathbb {Z}_N\) and the semi-functional key is formed as: \(D_0(Y_2Y_3)^{\tau },\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\).

    Then \(\mathcal {B}\) runs the RKGen algorithm and generates the re-encryption key:

    $$D_0(Y_2Y_3)^{\tau },\{D_{i,0}h^r,D_{i,1},D_{i,2}\}_{1 \le i \le n}.$$

    Here h is a random element of \(G_{p_1}\), and r is a random element of \(\mathbb {Z}_p^*\).

    Then \(\mathcal {B}\) generates the semi-functional challenge ciphertext as in Lemma 1, which is the ciphertext of \(M_b\) under policy W. It chooses random exponents \(\tilde{r}_{i,t},\ \forall i \in [1,n],\ t \in [1,n_i]\) and implicitly sets \(g^r=X_1\), and \(r\tilde{r}_{i,t}=r_{i,t}\). It chooses a random exponent \(r^{\prime \prime }\), and the semi-functional ciphertext is:

    $$\begin{aligned}&\tilde{C}=Me(g_1,X_1X_2)^w,\ C_0=X_1X_2,\ C_0^{'}=(X_1X_2)^{r^{''}},\\&C_{i,t,1}=(X_1X_2)^{u_{i,t}b_{i,t}\tilde{r}_{i,t}},\ C_{i,t,2}=(X_1X_2)^{u_{i,t}a_{i,t}(1-\tilde{r}_{i,t})}. \end{aligned}$$

    We implicitly set \(g_2^{r^{'}}=X_2\), \(u_{i,t}^{'}\) is equal to the value of \(u_{i,t}\) modulo \(p_2\), \(a_{i,t}^{'}\) is equal to the value of \(a_{i,t}\) modulo \(p_2\), \(b_{i,t}^{'}\) is equal to the value of \(b_{i,t}\) modulo \(p_2\), and \(r^{'}-r_{i,t}^{'}\) is equal to the value of \(1-\tilde{r}_{i,t}\) modulo \(p_2\).

    To produce the \(k^{th}\) requested key for an attribute list L, \(\mathcal {B}\) randomly chooses exponent \(\tilde{\lambda }_i \in \mathbb {Z}_N\) and elements \(R,R_0,R_1,R_2 \in G_{p_3}\). It sets:

    $$D_0=g^wT^{-s}R,D_{i,0}=T^{s_i}T^{u_{i,t}a_{i,t}b_{i,t}\tilde{\lambda _i}}R_0,D_{i,1}=T^{a_{i,t_i}\tilde{\lambda }_i}R_1,D_{i,2}=T^{b_{i,t_i}\tilde{\lambda }_i}R_2.$$
  • Lemma 3. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_k^N\) and \(Game_k^T\) for any \(k\in [1,Q]\).

    We prove this lemma under the three party Diffie-Hellman assumption.

  • Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_k^N\) and \(Game_k^T\) for some k between 1 and \(Q_1\), we will create a PPT algorithm \(\mathcal {B}\) to break the three party Diffie-Hellman assumption in a subgroup. \(\mathcal {B}\) is given \(g_1,g_2,g_3,g_2^x,g_2^y,g_2^z,T\) where T is either \(g_2^{xyz}\) or a random element of \(G_{p_2}\). Due to the different values of T, \(\mathcal {B}\) will simulate either \(Game_k^N\) or \(Game_k^T\) with \(\mathcal {A}\).

    \(\mathcal {B}\) first runs the Setup algorithm and generates the public parameters:

    $$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$

    \(A_{i,t},w,u_{i,t},a_{i,t},b_{i,t}\) are selected randomly by \(\mathcal {B}\), and the master key is known to \(\mathcal {B}\). \(\mathcal {B}\) sends the public parameters to \(\mathcal {A}\). When \(\mathcal {A}\) requests a secret key, or a re-encryption key, \(\mathcal {B}\) runs the normal KeyGen algorithm or the normal RKGen algorithm to generate the requested one.

    In response to \(\mathcal {A}\)’s first \(k-1\) key requests, \(\mathcal {B}\) generates semi-functional keys by first running the normal KeyGen algorithm and then multiplying \(D_0\) by a random element of \(G_{p_2}\).

    To answer the \(k^{th}\) key query by \(\mathcal {A}\), \(\mathcal {B}\) first runs the normal KeyGen algorithm to generate a normal key \(D_0,\{D_{i,0},D_{i,1},D_{i,2}\}_{1 \le i \le n}\). It then chooses random exponents \(s_i^{'},u_{i,t}^{'},a_{i,t}^{'},b_{i,t}^{'},\lambda _i^{'} \in \mathbb {Z}_N\), and the key is formed as:

    $$D_0T,D_{i,0}g_2^{s_i^{'}+u_{i,t}^{'}a_{i,t}^{'}b_{i,t}^{'}\lambda _{i}^{'}},D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.$$

    Then \(\mathcal {B}\) runs the RKGen algorithm and generates the re-encryption key:

    $$D_0T,D_{i,0}g_2^{s_i^{'}+u_{i,t}^{'}a_{i,t}^{'}b_{i,t}^{'}\lambda _{i}^{'}}h^r,D_{i,1}g_2^{a_{i,t_i}^{'}\lambda _i^{'}},D_{i,2}g_2^{b_{i,t_i}^{'}\lambda _i^{'}}.$$

    If \(T=g_2^{xyz}\), this will be a properly distributed nominal semi-functional key, and when T is random in \(G_{p_2}\), this will be a properly distributed temporary semi-functional key.

    To generate the semi-functional challenge ciphertext for message \(M_b\) and access policy W, \(\mathcal {B}\) first runs the normal Encrypt algorithm to generate a normal ciphertext \(\tilde{C}, C_0, C_0^{'}, \{\{C_{i,t,1},C_{i,t,2}\}_{1 \le t \le n_i} \}_{1 \le i \le n}\). It then chooses random exponents \(r^{'},r_{i,t}^{'} \in \mathbb {Z}_p^*\). The semi-functional ciphertext is formed as:

    $$\tilde{C}=Me(g,g)^{wr},C_0g_2^{r^{'}},C_0^{'}g_2^{r^{'}},C_{i,t,1}g_2^{u_{i,t}b_{i,t}r_{i,t}^{'}},C_{i,t,2}g^{u_{i,t}a_{i,t}r_{i,t}^{'}}.$$
  • Lemma 4. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_k^T\) and \(Game_k\) for any k from 1 to Q. We prove this lemma under the general subgroup decision assumption.

  • Proof. The proof of this lemma is similar to Lemma 2, except that \(\mathcal {B}\) uses \(Y_2Y_3\) to place a random \(G_{p_2}\) component on the \(D_0\) part of the \(k^{th}\) key to make it a semi-functional key in the case that T has no \(G_{p_2}\) component.

  • Lemma 5. There is no PPT attacker which can achieve a non-negligible difference in advantage between \(Game_Q\) and \(Game_{final}\).

    We prove this lemma under the basic generic group assumption.

  • Proof. Given a PPT attacker \(\mathcal {A}\) achieving a non-negligible difference in advantage between \(Game_Q\) and \(Game_{final}\), we will create a PPT algorithm \(\mathcal {B}\) to break the basic generic group assumption. \(\mathcal {B}\) is given \(g_1,g_2,g_3,g_1^wX_2,g_1^rY_2,T\) where T is either \(e(g_1,g_1)^{wr}\) or a random element of \(G_{p_2}\). Due to the different values of T, \(\mathcal {B}\) will simulate either \(Game_Q\) or \(Game_{final}\) with \(\mathcal {A}\).

    \(\mathcal {B}\) first runs the Setup algorithm and generates the public parameters:

    $$\begin{aligned} N,p,G,G_T,g_1,e,Y=e(g_1,g_1)^w,\{\{A_{i,t}^{a_{i,t}}=g_1^{u_{i,t}a_{i,t}},A_{i,t}^{b_{i,t}}=g_1^{u_{i,t}b_{i,t}}\}_{1\le t \le n_i}\}_{1 \le i \le n}. \end{aligned}$$

    In response to \(\mathcal {A}\)’s requests for a key under an attribute list L, \(\mathcal {B}\) generates the semi-functional key as follows. It chooses random exponents \(r^{'},\tilde{r}_{i,t}\) and random elements \(R,R_0,R_1,R_2 \in G_{p_3}\). The semi-functional key is formed as:

    $$D_0=(g_1^wX_2)g_1^{-s}Rg_2^{r^{'}},D_{i,0}=g_1^{s_i}g_1^{u_{i,t}a_{i,t}b_{i,t}\lambda _i}R_0,D_{i,1}=g^{a_{i,t_i}\lambda _i}R_1,D_{i,2}=g^{b_{i,t_i}\lambda _i}R_2.$$

    Then \(\mathcal {B}\) runs the RKGen algorithm and generates the re-encryption key:

    $$D_0\!=\!(g_1^wX_2)g_1^{-s}Rg_2^{r^{'}},D_{i,0}=g_1^{s_i}g_1^{u_{i,t}a_{i,t}b_{i,t}\lambda _i}h^rR_0,D_{i,1}=g^{a_{i,t_i}\lambda _i}R_1,D_{i,2}=g^{b_{i,t_i}\lambda _i}R_2.$$

    To generate the semi-functional ciphertext for \(M_b\) under access policy W, \(\mathcal {B}\) chooses random exponents \(\tilde{r}_{i,t},r^{'}\) and implicitly sets \(r=r^{'}\tilde{r}_{i,t}\). The semi-functional ciphertext is formed as:

    $$\begin{aligned}&\tilde{C}=M_bT,C_0=g_1^{r^{'}}Y_2,C_0^{'}=h^{r^{'}}Y_2,\\&C_{i,t,1}=(g_1^{r^{'}}Y_2)^{u_{i,t}b_{i,t}\tilde{r}_{i,t}},C_{i,t,2}=(g_1^{r^{'}}Y_2)^{u_{i,t}a_{i,t}(1-\tilde{r}_{i,t})}. \end{aligned}$$

    In this semi-functional ciphertext, \(g_2^{r^{'}}\) equals \(Y_2\), \(u_{i,t}^{'}\) equals \(u_{i,t}\), \(a_{i,t}^{'}\) equals \(a_{i,t}\), \(b_{i,t}^{'}\) equals \(b_{i,t}\), and \(1-\tilde{r}_{i,t}\) equals \(r-r_{i,t}\) for each \(i, t\) modulo \(p_2\). If \(T=e(g_1,g_1)^{\alpha s}\), this is a properly distributed semi-functional encryption of \(M_b\), and \(\mathcal {B}\) has properly simulated \(Game_Q\). If T is a random element of \(G_T\), then this is a properly distributed semi-functional encryption of a random message, and \(\mathcal {B}\) has properly simulated \(Game_{final}\).

5 Conclusion

In this work, we propose a hidden ciphertext-policy attribute-based proxy re-encryption scheme, which solves the problem of privacy leakage during the re-encryption process. In addition, we prove our scheme to be fully secure in the standard model. In future work, we intend to design a new CP-AB-PRE scheme that reduces the computation cost of the re-encryption process and provides more expressive policies.