Patient-Controlled Attribute-Based Encryption for Secure Electronic Health Records System

Abstract

In recent years, many countries have been trying to integrate electronic health data managed by each hospital to offer more efficient healthcare services. Since health data contain sensitive information of patients, there have been much research that present privacy preserving mechanisms. However, existing studies either require a patient to perform various steps to secure the data or restrict the patient to exerting control over the data. In this paper, we propose patient-controlled attribute-based encryption, which enables a patient (a data owner) to control access to the health data and reduces the operational burden for the patient, simultaneously. With our method, the patient has powerful control capability of his/her own health data in that he/she has the final say on the access with time limitation. In addition, our scheme provides emergency medical services which allow the emergency staffs to access the health data without the patient’s permission only in the case of emergencies. We prove that our scheme is secure under cryptographic assumptions and analyze its efficiency from the patient’s perspective.

Appendices

Appendix A: Building Blocks

A.1 IBE scheme

The IBE scheme of Boneh and Boyen [8] is described as follows:

IBE.Setup(GDS).:

Let \(GDS = ((p, \mathbb {G}, \mathbb {G}_{T}, e), g)\) be a description of a bilinear group. It first chooses random \(u_{I}, h_{I} \in \mathbb {G}\) and \(\alpha \in \mathbb {Z}_{p}\). It outputs a master key M K _{I B E} = α and public parameters \(PP_{IBE} = \big ((p, \mathbb {G}, \mathbb {G}_{T}, e), g, u_{I}, h_{I}, {\Omega } = e(g, g)^{\alpha } \big )\).

IBE.GenKey(I D, M K _{I B E} , P P _{I B E} ).:

It chooses a random exponent \(r \in \mathbb {Z}_{p}\) and outputs a private key \(SK_{ID} = \big (D_{0} = g^{\alpha } (u_{I}^{ID} h_{I})^{r}, D_{1} = g^{-r} \big )\).

IBE.RandKey(S K _{I D} , δ, P P _{I B E} ).:

Let S K _{I D} = (D ₀, D ₁). It chooses a random exponent \(r^{\prime } \in \mathbb {Z}_{p}\) and outputs a randomized private key \(SK_{ID} = \big (D^{\prime }_{0} = D_{0} \cdot g^{\delta } (u_{I}^{ID} h_{I})^{r^{\prime }}, D^{\prime }_{1} = D_{1} \cdot g^{-r^{\prime }} \big )\). Note that δ can be zero.

IBE.Enc(I D, t, P P _{I B E} ).:

It outputs a ciphertext header \(CH_{ID} = \big (C_{0} = g^{t}, C_{1} = (u_{I}^{ID} h_{I})^{t} \big )\) and a session key as E K _{I B E} = Ω^t.

IBE.Dec(\(CH_{ID}, SK_{ID^{\prime }}, PP_{IBE}\)).:

If I D ≠ I D ^′, then it outputs ⊥. Otherwise, it outputs a session key as \(EK^{\prime }_{IBE} = e(C_{0}, D_{0}) \cdot e(C_{1}, D_{1})\).

Theorem 3 (8)

The above IBE scheme is selectively secure under chosen plaintext attacks if the DBDH assumption holds.

A.2 CP-ABE scheme

We first review the definitions of access structure and a linear secret-sharing scheme.

Let \(\mathcal {U}\) be the attribute universe. An access structure on \(\mathcal {U}\) is a collection \(\mathbb {A}\) of non-empty sets of attributes, i.e. \(\mathbb {A}\subseteq 2^{\mathcal {U}}\setminus \{\}\). The sets in \(\mathbb {A}\) are called the authorized sets and the sets not in \(\mathbb {A}\) are called the unauthorized sets. In addition, an access structure is called monotone if \(\forall B, C\in \mathbb {A}\): if \(B\in \mathbb {A}\) and B⊆C, then \(C\in \mathbb {A}\).

Let p be a prime and \(\mathcal {U}\) be the attribute universe. A secret sharing scheme π with domain of secrets \(\mathbb {Z}_{p}\) realizing access structure on \(\mathcal {U}\) is linear over \(\mathbb {Z}_{p}\) if

1. 1.

   The shares of a secret \(s \in \mathbb {Z}_{p}\) for each attribute form a vector over \(\mathbb {Z}_{p}\).

2. 2.

   For each access structure \(\mathbb {A}\) on \(\mathcal {U}\), there exists a matrix \(M\in \mathbb {Z}_{p}^{l\times n}\), called the share-generating matrix, and a function ρ, that labels the rows of M with attributes from \(\mathcal {U}\), i.e. \(\rho : [l]\to \mathcal {U}\), which satisfy the following: During the generation of the shares, we consider the column vector \(\vec {v}=(s, r_{2}, \ldots , r_{n})^{\top }\), where \(r_{2}, \ldots , r_{n}\gets \mathbb {Z}_{p}\) . Then the vector of l shares of the secret s according to π is equal to \(M \vec {v} \in \mathbb {Z}_{p}^{l\times 1}\) . The share \((M\vec {v})_{j}\) where j ∈ [l] ”belongs” to attribute ρ(j).

Each secret-sharing scheme should satisfy the reconstruction and the security requirements.

We describe the CP-ABE scheme of Rouselakis and Waters [30] as follows:

ABE.Setup(GDS).:

Let \(GDS = ((p, \mathbb {G}, \mathbb {G}_{T}, e), g)\) be a description of a bilinear group. It first chooses random \(w_{A}, v_{A}, u_{A}, h_{A}, v_{S} \in \mathbb {G}\) and \(\beta \in \mathbb {Z}_{p}\) . It outputs a master key M K _{A B E} = β and public parameters \(PP_{ABE} = \big ((p, \mathbb {G}, \mathbb {G}_{T}, [0] e), g, w_{A}, v_{A}, u_{A}, [0] h_{A}, v_{S}, {\Lambda } = e(g, g)^{\beta } \big )\).

ABE.GenKey(S, M K _{A B E} , P P _{A B E} ).:

Let S={a ₁, a ₂, …,[0]a _k } be a set of attributes. It chooses random exponents \(r, r_{1}, \ldots , r_{k} \in \mathbb {Z}_{p}\) and outputs \(SK_{S} = \big (K_{0} = g^{\beta } {w_{A}^{r}}, K_{1} = g^{-r}, \big \{ K_{i,2} = g^{r_{i}}, K_{i,3} = {v_{A}^{r}} (u_{A}^{a_{i}} h_{A})^{r_{i}} \big \}_{i=1}^{k} \big )\).

ABE.RandKey(S K _S , δ, P P _{A B E} ).:

Let \(SK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k} )\) for an attribute set S={a ₁, …,a _k }. It chooses random \(r^{\prime }, r^{\prime }_{1}, \ldots , r^{\prime }_{k} \in \mathbb {Z}_{p}\) and outputs a randomized private key \(SK_{S} = \big (K^{\prime }_{0} = K_{0} \cdot g^{\delta } w_{A}^{r^{\prime }}, K^{\prime }_{1} = K_{1} \cdot g^{-r^{\prime }}, \big \{ K^{\prime }_{i,2} = K_{i,2} \cdot g^{r^{\prime }_{i}}, K^{\prime }_{i,3} = K_{i,3} \cdot v_{A}^{r^{\prime }} (u_{A}^{a_{i}} h_{A})^{r^{\prime }_{i}} \big \}_{i=1}^{k} \big )\). Note that δ can be zero.

ABE.BlindKey(S K _S , P P _{A B E} ).:

Let \(SK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k} )\). It chooses a random exponent \(r_{S} \in \mathbb {Z}_{p}\) and outputs a blinded private key \(BSK_{S} = \big (K^{\prime }_{0} = K_{0} \cdot v_{S}^{r_{S}}, K^{\prime }_{1} = K_{1}, \big \{ K^{\prime }_{i,2} = K_{i,2}, K^{\prime }_{i,3} = K_{i,3} \big \}_{i=1}^{k}, K^{\prime }_{4} = g^{-r_{S}} \big )\) and a blinding key B K = r _S .

ABE.VerifyBKey(B S K _S , P P _{A B E} ).:

Let \(BSK_{S} = (K_{0}, K_{1},[0] \{ K_{i,2}, K_{i,3} \}_{i=1}^{k}, K_{4})\) for an attribute set S={a ₁, …,a _k }. It checks \({\Lambda } \overset {?}{=} e(g, K_{0}) \cdot e(w, K_{1}) \cdot e(v_{S}, K_{4})\) and \(e(g, K_{i,3}) \cdot e(v, K_{1}^{-1}) \overset {?}{=} e(u_{A}^{a_{i}} h_{A}, K_{i,3})\) for all i ∈ [k]. If the equation holds, it outputs 1. Otherwise, it outputs 0.

ABE.UnblindKey(B S K _S , B K, P P _{A B E} ).:

Let \(BSK_{S} = (K_{0}, K_{1}, \{ K_{i,2}, K_{i,3} \}_{i=1}^{k}, K_{4})\) and B K = r _S . It outputs an unblinded private key \(SK_{S} = \big (K^{\prime }_{0} = K_{0} \cdot v_{S}^{-r_{S}}, K^{\prime }_{1} = K_{1}, \big \{ K^{\prime }_{i,2} = K_{i,2}, K^{\prime }_{i,3} = K_{i,3} \big \}_{i=1}^{k} \big )\).

ABE.Enc(\(\mathbb {A}, t, PP_{ABE}\)).:

Let \(\mathbb {A} = (A, \rho )\) be an LSSS access structure where A is an l×n matrix and ρ is a map that associates rows of A to attributes. It first sets a random vector \(\vec {v} = (t, v_{2}, \ldots , v_{n}) \in {\mathbb {Z}_{p}^{n}}\) by selecting random exponents \(v_{2}, \ldots , v_{n} \in \mathbb {Z}_{p}\) and obtains \(\lambda _{i} = A_{i} \vec {v}\) for all i where A _i is the ith row of A. It selects random exponents \(s_{1}, \ldots , s_{l} \in \mathbb {Z}_{p}\) and outputs a ciphertext header \(CH_{\mathbb {A}} = \big (C_{0} = g^{t}, \big \{ C_{i,1} = w_{A}^{\lambda _{i}} v_{A}^{s_{i}}, C_{i,2} = (u_{A}^{\rho (i)} h_{A})^{-s_{i}}, C_{i,3} = g^{s_{i}} \big \}_{i=1}^{l} \big )\) and a session key E K _{A B E} = Λ^t.

ABE.Dec(\(CH_{\mathbb {A}}, SK_{S}, PP_{ABE}\)).:

It computes a set of constants \(\{w_{i} \in \mathbb {Z}_{p}\}_{i\in I}\) where I={i:ρ(i)∈S} such that Σ _{i ∈ I} w _i A _i = (1,0,…,0) and outputs a session key as \(EK^{\prime }_{ABE} = e(K_{0}, C_{0}) \cdot {\prod }_{i\in I} (e(K_{1}, C_{i,1}) \cdot e(K_{i,2}, C_{i,2}) \cdot e(K_{i,3}, C_{i,3}))^{w_{i}}\).

Theorem 4 ([30])

The above CP-ABE scheme is selectively secure under chosen plaintext attacks if the n-RW1 assumption holds.

A.3 CDE scheme

The CDE scheme of Lee [17] is described as follows:

CDE.Setup(G D S, t _{m a x} ).:

Let \(GDS = \big ((p, \mathbb {G}, \mathbb {G}_{T}, e), g \big )\) be a description of a bilinear group and t _{m a x} be a maximum time. It first chooses random \(w_{T}, v_{T}, u_{T}, h_{T} \in \mathbb {G}\) and \(\gamma \in \mathbb {Z}_{p}\) . It outputs M K _{C D E} = γ and \(PP_{CDE} = \big ((p, \mathbb {G}, \mathbb {G}_{T}, e), g, w_{T},[0] v_{T}, u_{T}, h_{T}, {\Delta }= e(g, g)^{\gamma } \big )\).

CDE.GenKey(T, M K _{C D E} , P P _{C D E} ).:

Let \(L_{n} = (t_{1}, \ldots , t_{n}) [0] \in {\mathbb {Z}_{p}^{n}}\) be a label of time T. It chooses random exponents \(r, r_{1}, \ldots , r_{n} \in \mathbb {Z}_{p}\) and outputs a private key \(SK_{T} = \big (T_{0} = g^{\gamma } {w_{T}^{r}}, T_{1} = g^{-r}, \big \{ T_{i,2} = {v_{T}^{r}} (u_{T}^{t_{i}} h_{T})^{r_{i}}, T_{i,3} = g^{-r_{i}} \big \}_{i=1}^{n} \big )\).

CDE.RandKey(S K _T , δ, P P _{C D E} ).:

Let \(SK_{T} = (T_{0}, T_{1}, \big \{T_{i,2}, T_{i,3}\big \}_{i=1}^{n})\) be a private key for time T. It chooses random exponents \(r^{\prime }, r^{\prime }_{1}, \ldots , [0] r^{\prime }_{n} \in \mathbb {Z}_{p}\) and outputs a randomized private key \(SK_{T} = \big (T^{\prime }_{0} = T_{0} \cdot g^{\delta } w_{T}^{r^{\prime }}, T^{\prime }_{1} = T_{1} \cdot g^{-r^{\prime }}, \big \{ T^{\prime }_{i,2} = T_{i,2} \cdot v_{T}^{r^{\prime }} (u_{T}^{t_{i}} h_{T})^{r^{\prime }_{i}}, [0] T^{\prime }_{i,3} = T_{i,3} \cdot g^{-r^{\prime }_{i}} \big \}_{i=1}^{n} \big )\).

CDE.Enc(T, t, P P _{C D E} ).:

Let \(L_{n} = (t_{1}, \ldots , t_{n}) \in {\mathbb {Z}_{p}^{n}}\) be a label of time T. It chooses a random exponent vector \(\vec {s} = (s_{1}, \ldots , s_{n}) \in {\mathbb {Z}_{p}^{n}}\) and outputs a ciphertext header as \(CH_{T} = \big (C_{0} = g^{t}, C_{1} = {w_{T}^{t}} {\prod }_{i=1}^{n} v_{T}^{s_{i}}, \{ C_{i,2} = g^{s_{i}}, C_{i,3} = (u_{T}^{t_{i}}h_{T})^{s_{i}}\}_{i=1}^{n} \big )\) and a session key E K _{C D E} = Δ^t.

CDE.DelegCT(C H _T , T ^′,P P _{C D E} ).:

Let \(CH_{T} = \big (C_{0},[0] C_{1}, [0] \{ C_{i,2}, C_{i,3}\}_{i=1}^{n} \big )\) for time T with a label L _n = (t ₁, …,t _n ) and time T ^′ with L _n+1 = (t ₁, …,t _n , t _n+1). It chooses random \(s_{n+1} \in \mathbb {Z}_{p}\) and outputs delegated \(CH_{T^{\prime }} = \big (C^{\prime }_{0} = C_{0}, C^{\prime }_{1} = C_{1}\cdot v_{T}^{s_{n+1}}, \{ C^{\prime }_{i,2} = C_{i,2}, C^{\prime }_{i,3} = C_{i,3}\}_{i=1}^{n}, C^{\prime }_{n+1,2} [0] = g^{s_{n+1}}, [0] C^{\prime }_{n+1,3} = (u_{T}^{t_{n+1}}h_{T})^{s_{n+1}}\big )\).

CDE.Dec(\(CH_{T}, SK_{T^{\prime }}, PP_{CDE}\)).:

Let \(CH_{T} = \big (C_{0}, C_{1}, \{C_{i,2}, [0] C_{i,3}\}_{i=1}^{k} \big )\) and \(SK_{T^{\prime }} = \big (T_{0}, T_{1}, \{T_{i,2}, T_{i,3}\}_{i=1}^{n} \big )\). If k ≤ n, then it outputs a session key \(EK^{\prime }_{CDE} = e(T_{0}, C_{0})\cdot e(T_{1}, C_{1}) \cdot {\prod }_{i=1}^{k} \big (e(T_{i,2}, C_{i,2}) \cdot e(T_{i,3}, C_{i,3}) \big )\).

Theorem 5 (17)

The above CDE scheme is selectively secure under chosen plaintext attacks if the n-RW1 assumption holds.

Appendix B: security proofs of PC-ABE

To prove the security of our PC-ABE scheme, we construct a meta-simulator that runs the simulators of IBE, CP-ABE, and CDE as sub-simulators. Each sub-simulator operates identically to the simulators in [17]. The detailed description of the security proof is given as follows:

B.1 The Proofs of Theorem 1

Lemma 1

The PC-ABE scheme is selectively IND-CPA secure against an outside adversary if the n-RW1 assumption holds.

Proof

Suppose there exist an adversary \(\mathcal {A}_{O}\) defined in Section “Definitions” that attacks PC-ABE with a non-negligible advantage \(\textbf {Adv}_{\mathcal {A}}\) and a meta-simulator \(\mathcal {B}\) that solves n-RW1 problem by using \(\mathcal {A}_{O}\). Let \(\mathcal {B}_{IBE}\), \(\mathcal {B}_{ABE}\), and \(\mathcal {B}_{CDE}\) be simulators described in [17]. \(\mathcal {B}_{IBE}\) aims to solve DBDH problem. \(\mathcal {B}_{ABE}\) and \(\mathcal {B}_{CDE}\) aims to solve n-RW1 problem. Since the challenge tuple (D _{D B D H} , Z) of DBDH assumption can be derived from the challenge tuple (D _{n-R W1}, Z) of n-RW1 assumption, \(\mathcal {B}\) can run \(\mathcal {B}_{IBE}\) by giving (D _{D B D H} , Z). We build the meta-simulator \(\mathcal {B}\) which interacts with \(\mathcal {A}_{O}\) in the following security game:

Init::

\(\mathcal {A}_{O}\) initially submits a challenge I D ^∗, a challenge access structure \(\mathbb {A}^{*} = (A^{*}, \rho ^{*})\) , and a challenge time T ^∗. \(\mathcal {B}\) runs \(\mathcal {B}_{IBE}\) by giving D _{D B D H} and Z, and it also runs \(\mathcal {B}_{ABE}\) and \(\mathcal {B}_{CDE}\) by giving D _{n-R W1} and Z.

Setup::

\(\mathcal {B}\) first submits (G D S, I D ^∗) to \(\mathcal {B}_{IBE}\) and receives P P _{I B E} , and it submits \((GDS, \mathbb {A}^{*})\) to \(\mathcal {B}_{ABE}\) and receives P P _{A B E} . In addition, it submits (G D S, T ^∗) to \(\mathcal {B}_{CDE}\) and receives P P _{C D E} . \(\mathcal {B}\) chooses a random exponent \(\theta \in \mathbb {Z}_{p}\) and computes Ω^′ = Ω⋅e(g, g)^−𝜃 and Λ^′ = e(g, g)^𝜃. It replaces Ω with Ω^′ in P P _{I B E} and Λ with Λ^′ in P P _{A B E} , respectively. Then it sets P P _{I A} = (P P _{I B E} , P P _{C D E} ) and P P _{A A} = P P _{A B E} , and gives P P=(G D S, P P _{I A} , P P _{A A} ) to \(\mathcal {A}_{O}\).

Query 1::

\(\mathcal {A}_{O}\) adaptively requests a polynomial number of private key, attribute key, and decryption key queries and \(\mathcal {B}\) answers as follows:

S K _{I D} query::

If \(\mathcal {A}_{O}\) requests a private key for I D ≠ I D ^∗, then \(\mathcal {B}\) uses \(\mathcal {B}_{IBE}\) to obtain S K _{I B E, I D} and generates the private key S K _{I D} by running IBE.RandKey(S K _{I B E, I D} , [0]−𝜃, P P _{I B E} ). \(\mathcal {B}\) provides it to \(\mathcal {A}_{O}\).

A K _S query::

For every set S, \(\mathcal {B}\) creates A K _S by running ABE.GenKey(S, 𝜃, P P _{A B E} ) and provides it to \(\mathcal {A}_{O}\).

D K _{I D, S, T} query::

If \(\mathcal {A}_{O}\) requests a decryption key for a tuple (I D, S, T), then \(\mathcal {B}\) creates D K _{I D, S, T} to provide it to \(\mathcal {A}_{O}\) with the following restrictions.

• \((ID\neq ID^{*})\wedge (S\in \mathbb {A}^{*})\wedge (T\ge T^{*})\): Since the requested ID is not equal to the challenge I D ^∗, \(\mathcal {B}\) can use \(\mathcal {B}_{IBE}\) to obtain the IBE private key for ID. It first queries the private key to \(\mathcal {B}_{IBE}\) and receives S K _{I B E, I D} . Next, it chooses random exponents \(\delta , \sigma \in \mathbb {Z}_{p}\) and generates S K _{I D} by running IBE.RandKey (S K _{I B E, I D} , −δ−σ, P P _{I B E} ). \(\mathcal {B}\) then generates A K _S and S K _T by running ABE.GenKey [0] (S, δ, P P _{A B E} ) and CDE.GenKey(T, σ, P P _{C D E} ). Finally, it obtains D K _{I D, S, T} = (S K _{I D} , A K _S , S K _T ).

• \((ID = ID^{*})\wedge (S\notin \mathbb {A}^{*})\wedge (T\ge T^{*})\): Since the requested S does not satisfy the challenge \(\mathbb {A}^{*}\), \(\mathcal {B}\) can use \(\mathcal {B}_{ABE}\) to obtain the ABE private key for S. \(\mathcal {B}\) first queries the private key for a set S to \(\mathcal {B}_{ABE}\) and receives S K _{A B E, S} . Next, it chooses random exponents \(\delta , \sigma \in \mathbb {Z}_{p}\) and generates A K _S by running ABE.RandKey(S K _{A B E, S} , −δ−σ, P P _{A B E} ). Then it generates S K _{I D} and S K _T by running IBE.GenKey[0] (I D, δ, P P _{I B E} ) and CDE.GenKey [0] (T, σ, P P _{C D E} ). Finally, it obtains D K _{I D, S, T} = (S K _{I D} , [0]A K _S , S K _T ).

• \((ID = ID^{*})\wedge (S\in \mathbb {A}^{*})\wedge (T < T^{*})\): Since the requested T is less than the challenge T ^∗, \(\mathcal {B}\) can use \(\mathcal {B}_{CDE}\) to obtain the CDE private key for T. \(\mathcal {B}\) first queries the private key for T to \(\mathcal {B}_{CDE}\) and receives S K _{C D E, T} . Next, it chooses random exponents \(\delta , \sigma \in \mathbb {Z}_{p}\) and generates S K _T by running CDE.RandKey[0] (S K _{C D E, T} , −δ−σ, P P _{C D E} ). Then it generates S K _{I D} and A K _S by running IBE.GenKey [0] (I D, δ, P P _{I B E} ) and ABE.GenKey(S, σ, P P _{A B E} ). Finally, it obtains D K _{I D, S, T} = (S K _{I D} , A K _S , S K _T ).

Challenge::

\(\mathcal {A}_{O}\) submits two pairs of symmetric keys and messages \((K_{0}^{*}, M_{0}^{*}), (K_{1}^{*}, M_{1}^{*})\) of equal length. \(\mathcal {B}\) queries challenge ciphertext headers to \(\mathcal {B}_{IBE}\) , \(\mathcal {B}_{ABE}\), and \(\mathcal {B}_{CDE}\) and receives \((CH^{*}_{IBE, ID^{*}}, EK_{IBE})\), \((CH^{*}_{ABE, \mathbb {A}^{*}},[0] EK_{ABE})\), and \((CH^{*}_{CDE, T^{*}}, EK_{CDE})\), respectively. It then computes E K = e(g ^−𝜃,g ^c) where g ^c is given in the challenge tuple. Finally, \(\mathcal {B}\) chooses a random bit b ∈ {0,1} and generates C by running SKE.Enc(\(K_{b}^{*}, M_{b}^{*}\)). \(\mathcal {B}\) provides the challenge ciphertext as \(CT_{ID^{*},\mathbb {A}^{*},T^{*}}^{*} = \big (CH^{*}_{IBE, ID^{*}}, [0] CH^{*}_{ABE, \mathbb {A}^{*}}, CH^{*}_{CDE, T^{*}},[0] E_{1}^{*} = K_{b}^{*} \cdot Z \cdot EK, E_{2}^{*} = K_{b}^{*} \cdot Z, C \big )\) to \(\mathcal {A}_{O}\).

Query 2::

Same as Phase 1.

Guess::

Finally, \(\mathcal {A}_{O}\) outputs a guess b ^′. If b = b ^′, then \(\mathcal {B}\) outputs 0. Otherwise, it outputs 1.

We now show that the security game is correctly simulated. Since \(\mathcal {B}_{IBE}\), \(\mathcal {B}_{ABE}\), and \(\mathcal {B}_{CDE}\) sets P P _{I B E} , P P _{A B E} , and P P _{C D E} with the same generator g given in the assumption and they all internally sets the master key as \(g^{a^{q+1}}\), the public parameters are correctly generated. The private key is also correct since it can be transformed from the private key of IBE with the random 𝜃. Moreover, the attribute key is easily simulated with the 𝜃 as a master key. Furthermore, we show that the decryption key is correctly generated. The real format of the master key in the decryption key is g ^{α + β} and we set it as \(g^{a^{q+1}}\). We consider the cases that two out of three conditions are satisfied. In each case, \(\mathcal {B}\) uses only one sub-simulator to obtain the private key and computes the rest of the parts. Consequently, the decryption key is generated with the master key as \(g^{a^{q+1}}\). Finally, we show that the challenge ciphertext is correct. Each challenge ciphertext header is generated with the same element g ^c given in the assumption and they are correctly generated.

If \(Z = Z_{0} = e(g,g)^{a^{q+1}c}\), then \(\mathcal {A}_{O}\) plays the proper security game since \(CT_{ID^{*}, \mathbb {A}^{*}, T^{*}}^{*}\) is correctly distributed. Then we have that \(\Pr [\mathcal {B}(D, Z_{0}) = 0] = \frac {1}{2} + \textbf {Adv}_{\mathcal {A}}\). If Z = Z ₁ is a random element in \(\mathbb {G}_{T}\), then \(CT_{ID^{*}, \mathbb {A}^{*}, T^{*}}^{*}\) is independent of the chosen symmetric key and message and therefore, the advantage of \(\mathcal {A}_{O}\) is exactly 0. That is, we have that \(\Pr [\mathcal {B}(D, Z_{1}) = 0] = \frac {1}{2}\) . Thus the advantage of \(\mathcal {B}\) is obtained as

$$\begin{array}{@{}rcl@{}} \mathbf{Adv}_{\mathcal{B}} &=&\Big| \Pr \big[\mathcal{B}(D, Z_{0}) = 0 \big] - \Pr \big[ \mathcal{B}(D, Z_{1}) = 0 \big] \Big| \\ &=& \Big| \frac{1}{2} + \mathbf{Adv}_{\mathcal{A}} - \frac{1}{2} \Big| = \mathbf{Adv}_{\mathcal{A}}. \end{array} $$

Therefore, \(\mathcal {B}\) has a non-negligible advantage to solve the n-RW1 problem. □

Lemma 2

The PC-ABE scheme is selectively IND-CPA secure against an inside adversary if the n- RW1 assumption holds.

Proof

Suppose an inside adversary \(\mathcal {A}_{I}\) defined in Section “Definitions” that breaks our PC-ABE scheme with non-negligible advantage and a meta-simulator \(\mathcal {B}\) that solves the n-RW1 problem by using \(\mathcal {A}_{I}\). We build \(\mathcal {B}\) identically to the meta-simulator in the proof of Lemma 1 except Setup and Query phases. The different procedures are as follows:

Setup::

PP is generated as in the proof of Lemma 1 and \(\mathcal {B}\) gives P P=(G D S, P P _{I A} , P P _{A A} ) and M K _{A A} = 𝜃 to \(\mathcal {A}_{I}\).

Query 1::

\(\mathcal {A}_{I}\) adaptively requests a polynomial number of private key and decryption key queries. Since \(\mathcal {A}_{I}\) can create A K _S for every S of its choice, it can not request any attribute keys and decryption keys for \((ID\neq ID^{*})\wedge (S\in \mathbb {A}^{*})\wedge (T\ge T^{*})\). The rest of queries are identically simulated to the proof of Lemma 1.

The correctness of the simulation and advantages are as in the proof of Lemma 1. □

B.2 The Proof of Theorem 2

To prove that the GenDecKey protocol is secure, we show that the VBK is EUF-CAA. The VBK is generated from an attribute key and the attribute key is a private key of the CP-ABE scheme of Rouselakis and Waters [30]. Therefore, the security of VBK depends on the security of the underlying CP-ABE scheme.

Proof

Suppose there exists an adversary \(\mathcal {F}\) that forges a VBK with a non-negligible advantage and a simulator \(\mathcal {B}\) that attacks CP-ABE using \(\mathcal {F}\). In addition, there is a CP-ABE simulator \(\mathcal {S}_{ABE}\) for \(\mathcal {B}\). \(\mathcal {B}\) interacts with \(\mathcal {F}\) in the following security game:

Setup::

Given P P _{A B E} , \(\mathcal {B}\) generates \(\tilde {v} = g^{\eta }\) for a random exponent \(\eta \in \mathbb {Z}_{p}\) and sets \(PP_{AA} = (PP_{ABE}, \tilde {v})\). Then it sends P P _{A A} to \(\mathcal {F}\).

Query::

\(\mathcal {F}\) adaptively requests a polynomial number of private keys and verifiably blinded keys for any set S of attributes. For the private key queries, \(\mathcal {B}\) obtains the attribute key A K _S of the set S from \(\mathcal {S}_{ABE}\) and gives it to \(\mathcal {F}\). For the verifiably blinded key queries, \(\mathcal {B}\) first obtains the attribute key A K _S from \(\mathcal {S}_{ABE}\) and computes V B K _S by using \(\tilde {v}\). Then it provides \(\mathcal {F}\) with V B K _S as a response.

Output::

Finally, \(\mathcal {F}\) outputs a forged \(VBK_{S^{*}} = \big (BK_{0}, BK_{1}, [0] \{BK_{i,2}, BK_{i,3}\}_{i=1}^{k}, BK_{4}\big )\) on the challenge set of attributes S ^∗. \(\mathcal {F}\) must never have requested a blinded key query at S ^∗. B checks the validity of the \(VBK_{S^{*}}\) and if it is invalid, then B aborts the game. Otherwise, \(\mathcal {B}\) computes K ₀ = B K ₀⋅(B K ₄)^−η and derives the attribute key as \(AK_{S^{*}} = (K_{0}, BK_{1}, \{BK_{i,2}, BK_{i,3}\}_{i=1}^{k})\) . It submits two challenge messages \(M_{0}^{*}, M_{1}^{*}\) and the challenge access structure \(\mathbb {A}^{*}\) such that \(S^{*}\in \mathbb {A}^{*}\) to \(\mathcal {S}_{ABE}\). \(\mathcal {B}\) receives the challenge ciphertext \(CT_{b}^{*}\) and decrypts it with \(AK_{S^{*}}\). Finally, it outputs the guess b ^′.

A K ^∗ is a valid attribute key if the forged \(VBK_{S^{*}}\) is valid. Therefore, \(\mathcal {B}\) is able to decrypt the challenge ciphertext and the guess is correct whenever \(\mathcal {A}\) wins the game. □