
Adaptively secure CP-ABE for circuits with fan-in n and fan-out 1

The Journal of Supercomputing

Abstract

The attribute-based encryption (ABE) scheme is suitable for access control of ciphertext in cloud computing. Kowalczyk and Wee proposed an adaptively secure attribute-based encryption scheme that supports NC\(^1\) circuits. However, the ciphertext length increases rapidly with the depth of the circuit, resulting in an increase of the computational complexity of the encryption and decryption algorithms. In this paper, to overcome this challenge, a ciphertext-policy ABE scheme that supports circuits with fan-in n is proposed. First, we design new pebble rules for secret sharing in circuits with fan-in n, improving the compactness of the security reduction. Then, the new secret sharing scheme is embedded in the encryption algorithm, which is the key to improving efficiency. Moreover, we prove the adaptive security of the scheme by using a piecewise guessing framework and dual-system encryption. Finally, by comparison analysis, this scheme exhibits a better performance.

Availability of data and materials

The data presented in this study are available on request from the corresponding author.

Notes

  1. The “adaptive” here refers to CPA-adaptive security.

References

  1. Sahai A, Waters B (2005) Fuzzy identity-based encryption. In: Advances in Cryptology—EUROCRYPT 2005. 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol 3494, pp 457–473

  2. Goyal V, Pandey O, Sahai A, Waters B (2006) Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS, pp 89–98

  3. Chase M (2007) Multi-authority attribute based encryption. In: 4th Theory of Cryptography Conference, TCC, vol 4392, pp 515–534

  4. Bethencourt J, Sahai A, Waters B (2007) Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy, pp 321–334

  5. Lewko AB, Okamoto T, Sahai A, Takashima K, Waters B (2010) Fully secure functional encryption: attribute-based encryption and inner product encryption. In: Advances in Cryptology—EUROCRYPT 2010. 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol 6110, pp 62–91

  6. Waters B (2009) Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Advances in Cryptology—CRYPTO 2009, 29th Annual International Cryptology Conference, vol 5677, pp 619–636

  7. Lewko AB, Waters B (2012) New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, vol 7417, pp 180–198

  8. Garg S, Gentry C, Halevi S, Sahai A, Waters B (2013) Attribute-based encryption for circuits from multilinear maps. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, vol 8043, pp 479–499

  9. Garg S, Gentry C, Halevi S, Zhandry M (2014) Fully secure attribute based encryption from multilinear maps. IACR Cryptology ePrint Archive. http://eprint.iacr.org/2014/622

  10. Gorbunov S, Vaikuntanathan V, Wee H (2013) Attribute-based encryption for circuits. In: Symposium on Theory of Computing Conference, STOC, vol 2013, pp 545–554

  11. Chen J, Wee H (2014) Semi-adaptive attribute-based encryption and improved delegation for Boolean formula. In: Security and Cryptography for Networks—9th International Conference, SCN, vol 8642, pp 277–297

  12. Kowalczyk L, Lewko AB (2015) Bilinear entropy expansion from the decisional linear assumption. In: Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, vol 9216, pp 524–541

  13. Chen J, Gay R, Wee H (2015) Improved dual system ABE in prime-order groups via predicate encodings. In: Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol 9057, pp 595–624

  14. Dragan CC, Tiplea FL (2015) Key-policy attribute-based encryption for general boolean circuits from secret sharing and multi-linear maps. In: Cryptography and Information Security in the Balkans—Second International Conference, vol 9540, pp 112–133

  15. Attrapadung N (2016) Dual system encryption framework in prime-order groups via computational pair encodings. In: Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, vol 10032, pp 591–623

  16. Chen J, Gong J, Kowalczyk L, Wee H (2018) Unbounded ABE via bilinear entropy expansion, revisited. In: Advances in Cryptology—EUROCRYPT 2018—37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol 10820, pp 503–534

  17. Tsabary R (2019) Fully secure attribute-based encryption for t-CNF from LWE. In: Advances in Cryptology—CRYPTO 2019—39th Annual International Cryptology Conference, vol 11692, pp 62–85

  18. Affum E, Zhang X, Wang X, Ansuura JB (2019) Efficient CP-ABE scheme for IoT CCN based on ROBDD. Adv Comput Commun Comput Sci 924:575–590


  19. Hawkins P, Lagoon V, Stuckey PJ (2005) Solving set constraint satisfaction problems using ROBDDs. J Artif Intell Res 24:109–156


  20. Kowalczyk L, Wee H (2019) Compact adaptively secure ABE for NC1 from k-Lin. J Cryptol 33:954–1002


  21. Tomida J, Kawahara Y, Nishimaki R (2021) Fast, compact, and expressive attribute-based encryption. Des Codes Cryptogr 89:2577–2626


  22. Jafargholi Z, Kamath C, Klein K, Komargodski I, Pietrzak K, Wichs D (2017) Be adaptive. Avoid overcommitting. In: Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, vol 10401, pp 133–163

  23. Escala A, Herold G, Kiltz E, Ràfols C, Villar J (2013) An algebraic framework for Diffie–Hellman assumptions. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, vol 8043, pp 129–147


Funding

This research was funded by the National Natural Science Foundation of China (Nos. 61902428 and 61702548).

Author information

Contributions

Keshuo Sun wrote the first version of the manuscript, and Haiying Gao corrected it. Haiying Gao provided the idea of our research, and Keshuo Sun verified the idea through experimental programming.

Corresponding author

Correspondence to Haiying Gao.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest.

Ethical Approval

This research does not contain any studies with human participants or animals performed by any of the authors.

Appendices

Appendix A

To facilitate the understanding of the strategy execution process and the method of coding the configuration, a circuit with in-degree 3 and depth 2 and its corresponding inputs (as shown in Fig. 8) is given below. We code the different configurations during the execution of the pebbling strategy (as shown in Table 11).

Fig. 8 An example of a multifan-in circuit with a depth of 2

Table 11 Coding examples

According to the coding rules formulated by Lemma 3, the following example illustrates the correspondence between pebble configurations and codings. When the configuration is \(\left\{ 4,5 \right\}\), the corresponding code is \(0100\,00\,0010\). Here 0100 is the code of node 4 in the circuit, indicating that node 4 is a pebble; when nodes 4 and 5 are both pebbles, the left-first principle is followed. The next two bits 00 indicate that the 11th and 13th nodes, on the path where the 4th node is located, are not pebbles. The last four bits 0010 indicate whether the sibling nodes of the 4th and 11th nodes, that is, node 11, node 12, node 5 and node 6, are pebbles. Going from top to bottom and left to right, only the 5th node is a pebble, so only the third bit is 1 in 0010.

Appendix B

For ease of understanding, Fig. 9 gives the example of the circuit with the output shares shown in Table 12.

Fig. 9 An example of a circuit with in-degree 3

Table 12 Output results of the shares for the circuit in Fig. 9

The specific process of secret reconstruction for the circuit in Fig. 9 is as follows: When the inputs of the leaf nodes are \(\left( 111110111 \right)\), the final output of the circuit is 1, so the user can recover the secret. In this case, \({{x}_{\rho \left( 6 \right) }}={{x}_{4}}=0\), so we can reconstruct the secret by using the shares of the lines other than \({{\hat{\mu }}_{6}}\). The formula is as follows:

$$\begin{aligned} \mu&={{\mu }_{1}}\oplus {{\mu }_{2}}\oplus {{\mu }_{3}}\oplus {{\mu }_{4}}\oplus {{\mu }_{7}}\oplus {{\mu }_{8}} \oplus {{\mu }_{9}}\oplus {{\mu }_{10}}\oplus \mu _{11}^{\left( 1 \right) }\oplus {{\mu }_{12}}\oplus {{\mu }_{13}} \\&={{{\hat{\mu }}}_{1}}\oplus {{{\hat{\mu }}}_{2}}\oplus {{{\hat{\mu }}}_{3}}\oplus {{{\hat{\mu }}}_{4}}\oplus {{{\hat{\mu }}}_{7}}\oplus {{{\hat{\mu }}}_{8}} \oplus {{{\hat{\mu }}}_{9}}\oplus \left( {{{\hat{\mu }}}_{1}}\oplus {{{\hat{\mu }}}_{2}}\oplus {{{\hat{\mu }}}_{3}}\oplus {{{\hat{\mu }}}_{10}} \right) \\&\oplus \left( {{{\hat{\mu }}}_{4}}\oplus {{{\hat{\mu }}}_{11}} \right) \oplus \left( {{{\hat{\mu }}}_{7}}\oplus {{{\hat{\mu }}}_{8}}\oplus {{{\hat{\mu }}}_{9}} \oplus {{{\hat{\mu }}}_{12}} \right) \oplus \left( {{{\hat{\mu }}}_{10}}\oplus {{{\hat{\mu }}}_{11}}\oplus {{{\hat{\mu }}}_{12}}\oplus \mu \right) \end{aligned}$$

When the inputs of the leaf nodes are \(\left( 111110110 \right)\), the final output of the circuit is 0, so the user cannot recover the secret. Because \({{x}_{\rho \left( 6 \right) }}={{x}_{4}}=0\) and \({{x}_{\rho \left( 9 \right) }}={{x}_{6}}=0\), \({{\hat{\mu }}_{9}}\) in the leaf node is unknown, and it is contained in the result of \({{\mu }_{12}}+{{\mu }_{13}}\).
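The reconstruction walked through above, as an added Python example (not code from the paper). The gate types and wiring are inferred from the reconstruction formula, since Fig. 9 and Table 12 are not reproduced on this page; shares are modelled as byte strings combined with XOR, and all function names are hypothetical.

```python
import secrets
from functools import reduce

# Wiring inferred from the reconstruction formula in Appendix B (assumption):
# leaves 1-9, gates 10-13, output wire 13. Gates are listed in topological order.
LEAVES = tuple(range(1, 10))
GATES = {
    10: ("AND", (1, 2, 3)),
    11: ("OR", (4, 5, 6)),
    12: ("AND", (7, 8, 9)),
    13: ("AND", (10, 11, 12)),
}
OUTPUT = 13


def xor(*blocks):
    """Bytewise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: [x ^ y for x, y in zip(a, b)], blocks))


def share(secret):
    """Return the shares mu_j for every wire of the circuit."""
    # Every wire gets a random label hat_mu; the output wire's label is the secret.
    hat = {w: secrets.token_bytes(len(secret)) for w in (*LEAVES, *GATES)}
    hat[OUTPUT] = secret
    shares = {j: hat[j] for j in LEAVES}          # leaf share: mu_j = hat_mu_j
    for g, (kind, inputs) in GATES.items():
        if kind == "AND":
            # One share that needs the labels of ALL fan-in wires.
            shares[g] = xor(hat[g], *(hat[a] for a in inputs))
        else:
            # One share per input wire: any single label opens the OR gate.
            shares[g] = [xor(hat[g], hat[a]) for a in inputs]
    return shares


def reconstruct(shares, leaf_bits):
    """Recover the secret from the shares, or return None if the circuit outputs 0.

    leaf_bits[j-1] == "1" means the user can open leaf share j (x_rho(j) = 1).
    """
    if len(leaf_bits) != len(LEAVES):
        raise ValueError("expected one bit per leaf")
    known = {j: shares[j] for j in LEAVES if leaf_bits[j - 1] == "1"}
    for g, (kind, inputs) in GATES.items():
        if kind == "AND":
            if all(a in known for a in inputs):
                known[g] = xor(shares[g], *(known[a] for a in inputs))
        else:
            for i, a in enumerate(inputs):
                if a in known:
                    known[g] = xor(shares[g][i], known[a])
                    break
    return known.get(OUTPUT)


def appendix_b_formula(shares):
    """XOR of exactly the shares named in the Appendix B formula."""
    terms = [shares[j] for j in (1, 2, 3, 4, 7, 8, 9, 10, 12, 13)]
    terms.append(shares[11][0])                   # mu_11^(1)
    return xor(*terms)


if __name__ == "__main__":
    secret = b"constructed-key!"                  # constructed sample secret
    sh = share(secret)
    print(reconstruct(sh, "111110111") == secret)  # authorised input
    print(reconstruct(sh, "111110110"))            # leaf 9 closed: gate 12 fails
```

With leaf 9 closed, the label of wire 9 never becomes known, so gate 12 and therefore the output wire stay masked, which matches the second case in the text.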

Appendix C

This section uses dual-system encryption to prove the security of the scheme, where the keys (ciphertexts) take one of two forms: normal keys (ciphertexts) and semifunctional keys (ciphertexts). The semifunctional keys and the semifunctional ciphertexts appear only in the security proof and are not used in the real scheme. The difference is that semifunctional keys can only decrypt normal ciphertexts, while normal keys can decrypt normal ciphertexts as well as semifunctional ciphertexts. The proof needs three forms of semifunctional keys, called standard semifunctional (SF) keys, pseudo-standard (P-normal) keys and pseudo-semifunctional (P-SF) keys, all of which can decrypt standard ciphertexts. The specific forms of the keys and ciphertexts are as follows:

Normal keys: the keys generated by the real scheme.

SF keys: \(s{{k}_{x}}:=\left( {{\left[ \textbf{v}+\mathbf {{A}'}{{{\delta }}_{q}}+{{\textbf{U}}_{0}}\textbf{Br} \right] }_{2}},{{\left[ \textbf{Br} \right] }_{2}},{{\left\{ {{\left[ {{\textbf{W}}_{i}}\textbf{Br} \right] }_{2}} \right\} }_{{{x}_{i}}=1}} \right)\), where \({{{\delta }}_{q}}\leftarrow \mathbb {Z}_{p}^{k}\) is randomly selected in the qth SF key, while \(\mathbf {{A}'}\in \mathbb {Z}_{p}^{\text {2k}\times \text {k}}\backslash \left\{ 0 \right\}\) is fixed and \(\mathbf {A{A}'}=\textbf{0}\) holds;

P-normal keys: replace \(\textbf{Br}\) in the normal keys with \({\gamma }\leftarrow \mathbb {Z}_{p}^{k+1}\), that is: \(s{{k}_{x}}:=\left( {{\left[ \textbf{v}+{{\textbf{U}}_{0}}{\gamma } \right] }_{2}},{{\left[ {\gamma } \right] }_{2}},{{\left\{ {{\left[ {{\textbf{W}}_{i}}{\gamma } \right] }_{2}} \right\} }_{{{x}_{i}}=1}} \right)\);

P-SF keys: replace \(\textbf{Br}\) in the SF keys with \({\gamma }\leftarrow \mathbb {Z}_{p}^{k+1}\), that is:

$$s{{k}_{x}}:=\left( {{\left[ \textbf{v}+\mathbf {{A}'}{{{\delta }}_{q}}+{{\textbf{U}}_{0}}{\gamma } \right] }_{2}},{{\left[ {\gamma } \right] }_{2}},{{\left\{ {{\left[ {{\textbf{W}}_{i}}{\gamma } \right] }_{2}} \right\} }_{{{x}_{i}}=1}} \right) ;$$

Normal ciphertexts: Ciphertexts generated by the real scheme.

SF ciphertexts: replace \({{\textbf{s}}^{\text{T} }}\textbf{A}\) and \(\textbf{s}_{_{j}}^{\text{T} }\textbf{A}\) in the original ciphertext with \(\textbf{c},{{\textbf{c}}_{j}}\leftarrow \mathbb {Z}_{p}^{2k}\), and keep the rest unchanged. This yields \(c{{t}_{f}}:=\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},\left\{ {{\left[ {{\textbf{u}}_{j}}+\textbf{c}_{j}^{\text{T} }{{\textbf{W}}_{\rho (j)}} \right] }_{1}},{{\left[ \textbf{c}_{j}^{\text{T} } \right] }_{1}} \right\} ,e\left( {{\left[ {{\textbf{c}}^{\text{T}}} \right] }_{1}},{{\left[ \textbf{v} \right] }_{2}} \right) \cdot M \right)\).

1.1 Overview

To prove the CPA-adaptive security of the CP-ABE scheme, we construct a sequence of games and assume that the adversary A can make at most Q key queries in a game. The games are as follows:

  1. \({{\text {H}}_{0}}\): the standard private key is obtained by query, and the challenge ciphertext is the real ciphertext.

  2. \({{\text {H}}_{1}}\): the standard private key is obtained by query, and the challenge ciphertext is the SF ciphertext.

  3. \({{\text {H}}_{2,l,1}},l=0,\ldots ,Q\): the previous \(l-1\) key queries return an SF key, the l-th key query returns a P-normal key, and the remaining \(Q-l\) queries return a normal key. The challenge ciphertext is an SF ciphertext.

  4. \({{\text {H}}_{2,l,2}}\): the previous \(l-1\) key queries return an SF key, the l-th key query returns a P-SF key, and the remaining \(Q-l\) queries return a normal key. The challenge ciphertext is an SF ciphertext.

  5. \({{\text {H}}_{2,l,3}}\): the previous l key queries return an SF key, the remaining \(Q-l\) queries return a normal key, and the challenge ciphertext is an SF ciphertext.

  6. \({{\text {H}}_{3}}\): the SF key is obtained by query, and the challenge ciphertext is an SF ciphertext encrypted with a random number \(\tilde{M}\).

Table 13 shows the order of games in which we prove that the scheme is adaptively secure, and gives a more intuitive view of the differences between games.

Table 13 Differences between games

The proof steps are as follows:

First, based on the \(k-\text {Lin}\) assumption, we prove \({{\text {H}}_{0}}{{\approx }_{c}}{{\text {H}}_{1}}={{\text {H}}_{2,0,3}}\).

Second, we additionally add \({{\text {H}}_{2,l,1}}\) and \({{\text {H}}_{2,l,2}}\) when proving \({{\text {H}}_{2,l-1,3}}{{\approx }_{c}}{{\text {H}}_{2,l,3}}\) for \(\forall l\in [1,Q]\). Based on the \(k-\text {Lin}\) assumption, we prove \({{\text {H}}_{2,l-1,3}}{{\approx }_{c}}{{\text {H}}_{2,l,1}}\); based on the indistinguishability of the basic modules, we prove that \({{\text {H}}_{2,l,1}}{{\approx }_{c}}{{\text {H}}_{2,l,2}}\); finally, \({{\text {H}}_{2,l,2}}{{\approx }_{c}}{{\text {H}}_{2,l,3}}\) holds based on the \(k-\text {Lin}\) assumption again. Then \({{\text {H}}_{2,l-1,3}}\) and \({{\text {H}}_{2,l,3}}\) are indistinguishable for \(\forall l\in [1,Q]\).

Finally, we prove \({{\text {H}}_{2,\text {Q,3}}}{{\approx }_{c}}{{\text {H}}_{3}}\).

Based on the above conclusions, the adaptive security of the CP-ABE scheme is proven.

1.2 Proof details

Lemma C.7

(\({{\text {H}}_{0}}{{\approx }_{c}}{{\text {H}}_{1}} ={{\text {H}}_{2,0,3}}\))

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{0}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{1}} \right\rangle =1 \right] \vert \le \text {Adv}_{\mathcal {A}'}^{k-\text {LIN}}\left( \lambda \right) \end{aligned}$$

Proof

Given \(\textbf{A}\leftarrow \mathbb {Z}_{p}^{k\times 2k}\), assume that the simulator \(\mathcal {A}'\) is given the \(k-\text {Lin}\) challenge \(\left( {{\left[ \textbf{A} \right] }_{1}},{{\left[ {{\textbf{Z}}^{{\text {T}}}} \right] }_{1}} \right)\), where \({{\textbf{Z}}^{{\text {T}}}}={{\textbf{S}}^{{\text {T}}}}\textbf{A}\) (\({{\textbf{S}}^{{\text {T}}}}\leftarrow \mathbb {Z}_{p}^{\left( mn+1 \right) \times k}\)) or \({{\textbf{Z}}^{{\text {T}}}}={{\textbf{C}}^{{\text {T}}}}\) (\({{\textbf{C}}^{{\text {T}}}}\leftarrow \mathbb {Z}_{p}^{\left( mn+1 \right) \times 2k}\)). For \(j\in \left[ mn+1 \right]\), \(\textbf{z}_{j}^{{\text {T}}}\) denotes the j-th row of \({{\textbf{Z}}^{{\text {T}}}}\). Randomly selecting \(\textbf{A},{{\textbf{U}}_{0}},{{\textbf{W}}_{i}},\textbf{v}\) as public parameters of the system, \(\mathcal {A}'\) computes \(\left( \left\{ {{\textbf{u}}_{j}} \right\} ,\rho \right) \leftarrow share\left( f,\textbf{z}_{mn+1}^{{\text {T}}}{{\textbf{U}}_{0}} \right)\) and constructs the following ciphertext to respond to the ciphertext query of the adversary \(\mathcal {A}\):

$$\begin{aligned} c{{t}_{f}}=\left( {{\left[ \textbf{z}_{mn+1}^{{\text {T}}} \right] }_{1}},\left\{ {{\left[ {{\textbf{u}}_{j}}+\textbf{z}_{j}^{{\text {T}}}{{\textbf{W}}_ {\rho (j)}} \right] }_{1}},{{\left[ \textbf{z}_{j}^{{\text {T}}} \right] }_{1}} \right\} ,e\left( {{\left[ \textbf{z}_{mn+1}^{{\text {T}}} \right] }_{1}}, {{\left[ \textbf{v} \right] }_{2}} \right) \cdot {{M}_{b}} \right) . \end{aligned}$$

If \({{\textbf{Z}}^{{\text {T}}}}={{\textbf{S}}^{{\text {T}}}}\textbf{A}\), \(\mathcal {A}'\) simulates \({{\text {H}}_{0}}\); if \({{\textbf{Z}}^{{\text {T}}}}={{\textbf{C}}^{{\text {T}}}}\), \(\mathcal {A}'\) simulates \({{\text {H}}_{1}}\equiv {{\text {H}}_{2,0,3}}\). Therefore, if the adversary can distinguish between games \({{\text {H}}_{0}}\) and \({{\text {H}}_{1}}\), then \(\mathcal {A}'\) can break the \(k-\text {Lin}\) assumption, so the conclusion is established. \(\square\)

Lemma C.8

(\({{\text {H}}_{2,l-1,3}}{{\approx }_{c}}{{\text {H}}_{2,l,1}}\))

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l-1,3}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,1}} \right\rangle =1 \right] \vert \le \text {Adv}_{\mathcal {A}'}^{k-\text {LIN}}\left( \lambda \right) \end{aligned}$$

Proof

Given \(\textbf{B}\leftarrow \mathbb {Z}_{p}^{\left( k+1 \right) \times k}\), assume that the simulator \(\mathcal {A}'\) is given the \(k-\text {Lin}\) challenge \(\left( {{\left[ \textbf{B} \right] }_{1}},{{\left[ \textbf{z} \right] }_{1}} \right)\), where \(\textbf{z}=\textbf{Br}\) (\(\textbf{r}\leftarrow \mathbb {Z}_{p}^{k}\)) or \(\textbf{z}={\gamma }\) (\({\gamma }\leftarrow \mathbb {Z}_{p}^{k+1}\)). Randomly selecting \(\textbf{A},{{\textbf{U}}_{0}},{{\textbf{W}}_{i}},\textbf{v}\) as public parameters of the system, \(\mathcal {A}'\) can obtain \(\mathbf {{A}'}\in \mathbb {Z}_{p}^{2k\times k}\) by solving \(\mathbf {A{A}'}=\textbf{0}\).

The challenge ciphertext query in \({{\text {H}}_{2,l-1,3}}\) and \({{\text {H}}_{2,l,1}}\) is given below.

When the adversary \(\mathcal {A}\) sends access structure f and challenge plaintext \({{M}_{0}},{{M}_{1}}\) to the simulator \(\mathcal {A}'\) for the ciphertext query, \(\mathcal {A}'\) needs to select \(\textbf{c}\leftarrow \mathbb {Z}_{p}^{2k}\) randomly and calculate \(\left( \left\{ {{\textbf{u}}_{j}} \right\} ,\rho \right) \leftarrow share\left( f,{{\textbf{c}}^{{\text {T}}}}{{\textbf{U}}_{0}} \right)\) using the public parameter \({{\textbf{U}}_{0}}\). For each j, \(\mathcal {A}'\) selects \({{\textbf{c}}_{j}}\leftarrow \mathbb {Z}_{p}^{2k}\), calculates the following challenge ciphertext, and returns it to \(\mathcal {A}\):

$$\begin{aligned} c{{t}_{f}}=\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},\left\{ {{\left[ {{\textbf{u}}_{j}}+\textbf{c}_{j}^{\text{T} }{{\textbf{W}}_{\rho (j)}} \right] }_{1}}, {{\left[ \textbf{c}_{j}^{\text{T} }\textbf{A} \right] }_{1}} \right\} ,e\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},{{\left[ \textbf{v} \right] }_{2}} \right) \cdot M \right) \end{aligned}$$

Next, we analyze the key queries in \({{\text {H}}_{2,l-1,3}}\) and \({{\text {H}}_{2,l,1}}\).

  1. For the first \(l-1\) key queries, \(q\in \left[ l-1 \right]\) represents the q-th key query. \(\mathcal {A}'\) selects \({{{\delta }}_{q}},{{\textbf{r}}_{q}}\leftarrow \mathbb {Z}_{p}^{k}\) randomly and returns the following SF keys:

    $$\begin{aligned} s{{k}_{x}}=\left( {{\left[ \textbf{v}+\mathbf {{A}'}{{{\delta }}_{q}}+{{\textbf{U}}_{0}}\textbf{B}{{\textbf{r}}_{q}} \right] }_{2}},{{\left[ \textbf{B}{{\textbf{r}}_{q}} \right] }_{2}}, {{\left\{ {{\left[ {{\textbf{W}}_{i}}\textbf{B}{{\textbf{r}}_{q}} \right] }_{2}} \right\} }_{{{x}_{i}}=1}} \right) \end{aligned}$$
  2. For the last \(Q-l\) key queries, the operation of the simulator \(\mathcal {A}'\) is basically the same as that in the previous \(l-1\) queries, except that \(\textbf{v}+\mathbf {{A}'}{{{\delta }}_{q}}\) is replaced by \(\textbf{v}\). The key generated in this way is indistinguishable from the real key.

  3. For the l-th key query, the simulator \(\mathcal {A}'\) generates the following key:

    $$\begin{aligned} s{{k}_{x}}=\left( {{\left[ \textbf{v}+{{\textbf{U}}_{0}}\textbf{z} \right] }_{2}},{{\left[ \textbf{z} \right] }_{2}},{{\left\{ {{\left[ {{\textbf{W}}_{i}}\textbf{z} \right] }_{2}} \right\} }_{{{x}_{i}}=1}} \right) \end{aligned}$$

    If \(\textbf{z}=\textbf{Br}\), the l-th key returned is a normal key and \(\mathcal {A}'\) simulates \({{\text {H}}_{2,l-1,3}}\); if \(\textbf{z}={\gamma }\), the l-th key returned is a P-normal key and \(\mathcal {A}'\) simulates \({{\text {H}}_{2,l,1}}\). \(\square\)

Lemma C.9

(\({{\text {H}}_{2,l,1}}{{\approx }_{c}}{{\text {H}}_{2,l,2}}\))

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,1}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,2}} \right\rangle =1 \right] \vert \le {{2}^{3d\left( \left\lceil \log n \right\rceil +n \right) }}\cdot N\cdot Adv_{{{\mathcal {B}}^{*}}}^{\text {k-LIN}}\left( \lambda \right) \end{aligned}$$

Proof

The key point before proceeding with the proof is that, while acting as the simulator of the CP-ABE scheme, \(\mathcal {A}'\) is also the adversary in the game \(G_{\beta }^{BM}\). So when \(\mathcal {A}'\) responds to a query of the adversary \(\mathcal {A}\), it can query the oracles \({{\mathcal {O}}_{F}}\left( f \right)\) and \({{\mathcal {O}}_{X}}\left( x \right)\) to obtain certain parameters.

First, \(\mathcal {A}'\) randomly generates \(\textbf{A}\leftarrow \mathbb {Z}_{p}^{k\times 2k},\textbf{B}\leftarrow \mathbb {Z}_{p}^{\left( k+1 \right) \times k},{{\tilde{\textbf{U}}}_{0}},{{\tilde{\textbf{W}}}_{i}} \leftarrow \mathbb {Z}_{p}^{2k\times \left( k+1 \right) },\tilde{\textbf{v}}\leftarrow \mathbb {Z}_{p}^{2k},{\gamma }\leftarrow \mathbb {Z}_{p}^{k+1},\textbf{u}\leftarrow \mathbb {Z}_{p}^{k}\), and then calculates \(\mathbf {{b}'}\in \mathbb {Z}_{p}^{k+1}\) and the nonzero matrix \(\mathbf {{A}'}\in \mathbb {Z}_{p}^{2k\times k}\) such that \({{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}\textbf{B}=\textbf{0}\) and \(\mathbf {A{A}'}=\textbf{0}\). This implicitly sets the following relationships with the parameters of the original scheme:

$$\begin{aligned} \textbf{v}=\tilde{\textbf{v}}-\frac{{{\mu }^{\left( 0 \right) }}\left( {{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}{\gamma } \right) }{\left( {{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'u} \right) } \mathbf {{A}'u},{{\textbf{U}}_{0}}={{\tilde{\textbf{U}}}_{0}}+\frac{{{\mu }^{\left( \beta \right) }}}{\left( {{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'u} \right) }\mathbf {{A}'u}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}},{{\textbf{W}}_{i}}={{\tilde{\textbf{W}}}_{i}}+\mathbf {{A}'}{{\textbf{w}}_{i}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \end{aligned}$$
(A1)

where \(\mathcal {A}'\) gets \({{\textbf{w}}_{i}}\in \mathbb {Z}_{p}^{k}\), \({{\mu }^{\left( \beta \right) }}\in {{\mathbb {Z}}_{p}}\) by querying the oracle in the game \(G_{\beta }^{BM}\). Then, \(\mathcal {A}'\) generates the following parameters:

$$\begin{aligned} mpk=\left( {{\left[ \textbf{A} \right] }_{1}},{{\left[ \textbf{A}{{{\tilde{\textbf{U}}}}_{0}} \right] }_{1}},{{\left[ \textbf{A}{{{\tilde{\textbf{W}}}}_{1}} \right] }_{1}},\ldots , {{\left[ \textbf{A}{{{\tilde{\textbf{W}}}}_{N}} \right] }_{1}},e\left( {{\left[ \textbf{A} \right] }_{1}},{{\left[ {\tilde{\textbf{v}}} \right] }_{2}} \right) \right) \end{aligned}$$

The challenge ciphertext query in \({{\text {H}}_{2,l,1}}\) and \({{\text {H}}_{2,l,2}}\) is given below.

When the adversary \(\mathcal {A}\) sends access structure f and challenge plaintext \({{M}_{0}},{{M}_{1}}\) to the simulator \(\mathcal {A}'\) for the ciphertext query, \(\mathcal {A}'\) selects \(\textbf{c}\leftarrow \mathbb {Z}_{p}^{2k},{{{\tau }}_{j}}\leftarrow \mathbb {Z}_{p}^{k},b\leftarrow \left\{ 0,1 \right\}\) randomly and obtains \(\left\{ {{\left[ {{\mu }_{j}}+\textbf{r}_{j}^{{\text {T}}}{{\textbf{w}}_{\rho \left( j \right) }} \right] }_{1}},{{\left[ {{\textbf{r}}_{j}} \right] }_{1}} \right\}\) by querying the oracle \({{\mathcal {O}}_{F}}\left( f \right)\). Define \(\textbf{K}:=\left[ \begin{matrix} {{\left( {\mathbf {{A}'}} \right) }^{{\text {T}}}} \\ {\alpha } \\ \end{matrix} \right] \in \mathbb {Z}_{p}^{2k\times 2k}\), where \({\alpha }\in \mathbb {Z}_{p}^{k\times 2k}\) is chosen so that \(\textbf{K}\) is invertible. \(\mathcal {A}'\) calculates \({{\left[ {{\textbf{c}}_{j}} \right] }_{1}}={{\left[ {{\textbf{K}}^{-1}}\left( \begin{matrix} {{\textbf{r}}_{j}} \\ {{{\tau }}_{j}} \\ \end{matrix} \right) \right] }_{1}}\), obtains \(\left( \left\{ \tilde{\textbf{u}}_{j}^{{\text {T}}} \right\} ,\rho \right) \leftarrow share\left( f,{{\textbf{c}}^{{\text {T}}}}{{{\tilde{\textbf{U}}}}_{0}} \right)\) by the secret sharing scheme, and returns the following ciphertexts:

$$\begin{aligned} c{{t}_{f}}&:=\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},\left\{ {{\left[ \tilde{\textbf{u}}_{j}^{{\text {T}}}+\left( {{\mu }_{j}}+ \textbf{r}_{j}^{{\text {T}}}{{\textbf{w}}_{\rho \left( j \right) }} \right) {{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}+\textbf{c}_{j}^{\text{T} }{{{\tilde{\textbf{W}}}}_{\rho (j)}} \right] }_{1}}, {{\left[ \textbf{c}_{j}^{\text{T} } \right] }_{1}} \right\} ,e\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},{{\left[ \textbf{v} \right] }_{2}} \right) \cdot {{M}_{b}} \right) \\&=\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},\left\{ {{\left[ \tilde{\textbf{u}}_{j}^{{\text {T}}}+{{\mu }_{j}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}+ \textbf{c}_{j}^{\text{T} }{{{\tilde{\textbf{W}}}}_{\rho (j)}}+\textbf{r}_{j}^{{\text {T}}}{{\textbf{w}}_{\rho \left( j \right) }}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right] }_{1}}, {{\left[ \textbf{c}_{j}^{\text{T} } \right] }_{1}} \right\} ,e\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},{{\left[ \textbf{v} \right] }_{2}} \right) \cdot {{M}_{b}} \right) \end{aligned}$$

\(\left\{ {{\mu }_{j}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right\}\) can be generated by \(share\left( f,{{\mu }^{\left( \beta \right) }}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right)\) because of \(\left( \left\{ {{\mu }_{j}} \right\} ,\rho \right) \leftarrow share\left( f,{{\mu }^{\left( \beta \right) }} \right) .\) Due to the linear property of our secret sharing scheme,

$$\begin{aligned} \left( \left\{ \tilde{\textbf{u}}_{j}^{{\text {T}}}+{{\mu }_{j}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right\} ,\rho \right) \leftarrow share\left( f,{{\textbf{c}}^{{\text {T}}}}{{{\tilde{\textbf{U}}}}_{0}}+ {{\mu }^{\left( \beta \right) }}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right) \end{aligned}$$
(A2)

From Eq. (A1), we can see that \(share\left( f,{{\textbf{c}}^{{\text {T}}}}{{{\tilde{\textbf{U}}}}_{0}}+{{\mu }^{\left( \beta \right) }}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right) \equiv share\left( f,{{\textbf{c}}^{{\text {T}}}}{{\textbf{U}}_{0}} \right)\). At the same time, \(\textbf{c}_{j}^{{\text {T}}}\mathbf {{A}'}=\textbf{r}_{j}^{{\text {T}}}\) holds because of

$$\begin{aligned} {{\left( {\mathbf {{A}'}} \right) }^{{\text {T}}}}{{\textbf{c}}_{j}}={{\left( {\mathbf {{A}'}} \right) }^{{\text {T}}}}{{\textbf{K}}^{-1}}\left( \begin{matrix} {{\textbf{r}}_{j}} \\ {{{\tau }}_{j}} \\ \end{matrix} \right) ={{\left( {\mathbf {{A}'}} \right) }^{{\text {T}}}}{{\left[ \begin{matrix} {{\left( {\mathbf {{A}'}} \right) }^{{\text {T}}}} \\ {\alpha } \\ \end{matrix} \right] }^{-1}}\left( \begin{matrix} {{\textbf{r}}_{j}} \\ {{{\tau }}_{j}} \\ \end{matrix} \right) =\left( {{\textbf{I}}_{k\times k}},{{\textbf{0}}_{k\times k}} \right) \left( \begin{matrix} {{\textbf{r}}_{j}} \\ {{{\tau }}_{j}} \\ \end{matrix} \right) ={{\textbf{r}}_{j}}. \end{aligned}$$

Then, from Eq. (A1), we have

$$\begin{aligned} \textbf{c}_{j}^{{\text {T}}}{{\textbf{W}}_{\rho (j)}}=\textbf{c}_{j}^{{\text {T}}}{{\tilde{\textbf{W}}}_{\rho (j)}}+\textbf{c}_{j}^{{\text {T}}}\mathbf {{A}'}{{\textbf{w}}_{\rho (j)}} {{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}=\textbf{c}_{j}^{{\text {T}}}{{\tilde{\textbf{W}}}_{\rho (j)}}+\textbf{r}_{j}^{{\text {T}}}{{\textbf{w}}_{\rho (j)}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \end{aligned}$$
(A3)

According to Eqs. (A2) and (A3), the ciphertexts can be written as below, which are clearly SF ciphertexts:

$$\begin{aligned} c{{t}_{f}}=\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},\left\{ {{\left[ \textbf{U}_{j}^{*}+\textbf{c}_{j}^{{\text {T}}}{{\textbf{W}}_{\rho (j)}} \right] }_{1}},{{\left[ \textbf{c}_{j}^{\text{T} } \right] }_{1}} \right\} ,e\left( {{\left[ {{\textbf{c}}^{\text{T} }} \right] }_{1}},{{\left[ \textbf{v} \right] }_{2}} \right) \cdot {{M}_{b}} \right) , \end{aligned}$$

where \(\left( \left\{ \textbf{U}_{j}^{*} \right\} ,\rho \right) \leftarrow share\left( f,{{\textbf{c}}^{{\text {T}}}}{{\textbf{U}}_{0}} \right) .\)
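A numeric check of the two identities used above, \(\textbf{c}_{j}^{{\text {T}}}\mathbf {{A}'}=\textbf{r}_{j}^{{\text {T}}}\) and Eq. (A3), as an added Python example that is not part of the paper. It assumes a toy prime p = 101 and k = 2, builds A = [I | M] and A' = [-M ; I] so that AA' = 0 (the paper samples A at random), and uses hypothetical function names.

```python
import random

P = 101      # small prime standing in for the group order p (constructed)
K_LIN = 2    # the parameter k


def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*Y)]
            for row in X]


def madd(X, Y):
    return [[(a + b) % P for a, b in zip(r, s)] for r, s in zip(X, Y)]


def transpose(X):
    return [list(col) for col in zip(*X)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def rand(rows, cols, rng):
    return [[rng.randrange(P) for _ in range(cols)] for _ in range(rows)]


def inverse(M):
    """Gauss-Jordan inverse modulo P; returns None when M is singular."""
    n = len(M)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % P), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def simulate(seed=2024):
    rng = random.Random(seed)   # seeded PRNG: reproducible demo, not key material
    k = K_LIN
    M = rand(k, k, rng)
    A = [identity(k)[i] + M[i] for i in range(k)]               # k x 2k
    A_p = [[-x % P for x in row] for row in M] + identity(k)    # 2k x k, A A' = 0
    # K = [(A')^T ; alpha]: resample alpha until K is invertible.
    K_inv = None
    while K_inv is None:
        alpha = rand(k, 2 * k, rng)
        K_inv = inverse(transpose(A_p) + alpha)
    r, tau = rand(k, 1, rng), rand(k, 1, rng)
    c = matmul(K_inv, r + tau)                                  # c_j = K^{-1}(r_j; tau_j)
    # Eq. (A3) does not use (b')^T B = 0, so b' is sampled freely here.
    W_t, w, b_T = rand(2 * k, k + 1, rng), rand(k, 1, rng), rand(1, k + 1, rng)
    W = madd(W_t, matmul(matmul(A_p, w), b_T))                  # W = W~ + A' w b'^T
    lhs = matmul(transpose(c), W)
    rhs = madd(matmul(transpose(c), W_t),
               matmul(matmul(transpose(r), w), b_T))
    return {
        "A_Aprime": matmul(A, A_p),
        "AprimeT_c": matmul(transpose(A_p), c),
        "r": r,
        "lhs": lhs,
        "rhs": rhs,
    }


if __name__ == "__main__":
    out = simulate()
    print(out["AprimeT_c"] == out["r"], out["lhs"] == out["rhs"])
```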

Next, we analyze the key queries in \({{\text {H}}_{2,l,1}}\) and \({{\text {H}}_{2,l,2}}\).

  1. For the first \(l-1\) key queries, \(q\in \left[ l-1 \right]\) represents the q-th key query. \(\mathcal {A}'\) selects \({{{\delta }}_{q}},{{\textbf{r}}_{q}}\leftarrow \mathbb {Z}_{p}^{k}\) randomly, and returns the following keys:

    $$\begin{aligned} s{{k}_{x}}=\left( s{{{{k}'}}_{1}},s{{{{k}'}}_{2}},{{\left\{ s{{{{k}'}}_{3,i}} \right\} }_{{{x}_{i}}=1}} \right) \end{aligned}$$

    where \(s{{{k}'}_{1}}={{\left[ \textbf{v}+\mathbf {{A}'}{{{\delta }}_{q}}+\left( {{{\tilde{\textbf{U}}}}_{0}}+\frac{{{\mu }^{\left( \beta \right) }}}{\left( {{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'u} \right) } \mathbf {{A}'u}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right) \textbf{B}{{\textbf{r}}_{q}} \right] }_{2}}\), \(s{{{k}'}_{2}}={{\left[ \textbf{B}{{\textbf{r}}_{q}} \right] }_{2}},\) \(s{{{k}'}_{3,i}}={{\left[ \left( {{{\tilde{\textbf{W}}}}_{i}}+\mathbf {{A}'}{{\textbf{w}}_{i}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right) \textbf{B}{{\textbf{r}}_{q}} \right] }_{2}}\). According to Eq. (A1), the keys returned are clearly SF keys.

  2. For the last \(Q-l\) key queries, the operation of the simulator \(\mathcal {A}'\) is basically the same as that in the previous \(l-1\) queries, except that \(\textbf{v}+\mathbf {{A}'}{{{\delta }}_{q}}\) is replaced by \(\textbf{v}\). The key generated in this way is indistinguishable from the real key.

  3. For the l-th key query, the simulator \(\mathcal {A}'\) uses the oracle \({{\mathcal {O}}_{X}}\left( x \right)\) to obtain \({{\left\{ {{\textbf{w}}_{i}} \right\} }_{{{x}_{i}}=1}}\) in the game \(G_{\beta }^{BM}\), thereby forming the following key:

    $$\begin{aligned} s{{k}_{x}}=\left( {{\left[ \tilde{\textbf{v}}+{{{\tilde{\textbf{U}}}}_{0}}{\gamma } \right] }_{2}},{{\left[ {\gamma } \right] }_{2}},{{\left\{ {{\left[ \left( {{{\tilde{\textbf{W}}}}_{i}}+\mathbf {{A}'} {{\textbf{w}}_{i}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}} \right) {\gamma } \right] }_{2}} \right\} }_{{{x}_{i}}=1}} \right) . \end{aligned}$$

    From Eq. (A1), \({{\textbf{W}}_{i}}={{\tilde{\textbf{W}}}_{i}}+\mathbf {{A}'}{{\textbf{w}}_{i}}{{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}\). When \(\beta =0\), \(\tilde{\textbf{v}}+{{\tilde{\textbf{U}}}_{0}}{\gamma }=\textbf{v}+\frac{\left( {{\mu }^{\left( 0 \right) }}-{{\mu }^{\left( 0 \right) }} \right) \left( {{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}{\gamma } \right) }{\left( {{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'u} \right) }\mathbf {{A}'u}+{{\textbf{U}}_{0}}{\gamma }=\textbf{v}+{{\textbf{U}}_{0}}{\gamma }.\) The l-th key returned is then a P-normal key. When \(\beta =1\), let \({{{\delta }}_{l}}=\frac{\left( {{\mu }^{\left( 0 \right) }}-{{\mu }^{\left( 1 \right) }} \right) \left( {{\left( {\mathbf {{b}'}} \right) }^{{\text {T}}}}{\gamma } \right) }{\left( {{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'u} \right) }\textbf{u};\) then the l-th key returned is a P-SF key. In summary, for \(\beta \in \left\{ 0,1 \right\}\), \(\mathcal {A}'\) simulates \({{\text {H}}_{2,l,1+\beta }}\) when interacting with \(G_{\beta }^{BM}\). Therefore,

    $$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,1}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,2}} \right\rangle =1 \right] \vert \le \vert \Pr \left[ \left\langle \mathcal {A}', \text {G}_{0}^{BM} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A}',\text {G}_{1}^{BM} \right\rangle =1 \right] \vert . \end{aligned}$$

    From Theorem 1, we have \(\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l-1}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l}} \right\rangle =1 \right] \vert \le {{2}^{3d\left( \left\lceil \log n \right\rceil +n \right) }}\cdot N\cdot Adv_{{{\mathcal {B}}^{*}}}^{\text {k-LIN}}\left( \lambda \right) .\) \(\square\)

Lemma C.10

(\({{\text {H}}_{2,l,2}}{{\approx }_{c}}{{\text {H}}_{2,l,3}}\))

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,2}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,3}} \right\rangle =1 \right] \vert \le \text {Adv}_{\mathcal {A}'}^{k-\text {LIN}}\left( \lambda \right) \end{aligned}$$

Proof

When answering the l-th key query, replace \(\textbf{v}\) with \(\textbf{v}+\mathbf {{A}'}{{{\delta }}_{l}}\) in the proof of Lemma C.8; the rest of the proof is similar to that of Lemma C.8. \(\square\)

Lemma C.11

(\({{\text {H}}_{2,Q,3}}{{\approx }_{c}}{{\text {H}}_{3}}\))

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,Q,3}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{3}} \right\rangle =1 \right] \vert \le \frac{1}{p} \end{aligned}$$

Proof

Since the keys used by \({{\text {H}}_{2,Q,3}}\) and \({{\text {H}}_{3}}\) are both semifunctional and the difference is only in whether the encrypted message is a real plaintext or a random number, we construct it in the following way:

Suppose that the first key component is \({{\left[ \tilde{\textbf{v}}+\mathbf {{A}'}{{{\tilde{\delta }}}_{1}}+{{\textbf{U}}_{0}}\textbf{Br} \right] }_{2}}\) in \({{\text {H}}_{2,Q,3}}\), and the first key component is \({{\left[ \tilde{\textbf{v}}+\mathbf {{A}'}{{{\tilde{\delta }}}_{2}}+{{\textbf{U}}_{0}}\textbf{Br} \right] }_{2}}\) in \({{\text {H}}_{3}}\). Then the corresponding last ciphertext component is \(e({{\left[ {{\textbf{c}}^{{\text {T}}}} \right] }_{1}},{{\left[ \tilde{\textbf{v}}+\mathbf {{A}'}{{{\tilde{\delta }}}_{1}} \right] }_{2}})\cdot M\) in \({{\text {H}}_{2,Q,3}}\) and the corresponding last ciphertext component is \(e({{\left[ {{\textbf{c}}^{{\text {T}}}} \right] }_{1}},{{\left[ \tilde{\textbf{v}}+\mathbf {{A}'}{{{\tilde{\delta }}}_{2}} \right] }_{2}})\cdot \tilde{M}\) in \({{\text {H}}_{3}}\). Let \(\tilde{M}=e({{\left[ {{\textbf{c}}^{{\text {T}}}} \right] }_{1}},{{\left[ \mathbf {{A}'}{{{\tilde{\delta }}}_{1}}-\mathbf {{A}'}{{{\tilde{\delta }}}_{2}} \right] }_{2}})\cdot M\). Because both \({{\tilde{\delta }}_{1}}\) and \({{\tilde{\delta }}_{2}}\) are randomly selected, under the premise of \(e({{\left[ {{\textbf{c}}^{{\text {T}}}} \right] }_{1}}, {{\left[ \mathbf {{A}'}{{{\tilde{\delta }}}_{1}}-\mathbf {{A}'}{{{\tilde{\delta }}}_{2}} \right] }_{2}})\ne 1\), \(\tilde{M}\) is also random, which means the adversary is unable to distinguish whether the ciphertext is the challenge ciphertext in \({{\text {H}}_{2,Q,3}}\) against M or that in \({{\text {H}}_{3}}\) against the random message \(\tilde{M}\); that is, it is impossible to distinguish between \({{\text {H}}_{2,Q,3}}\) and \({{\text {H}}_{3}}\). Therefore, we can obtain

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,Q,3}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{3}} \right\rangle =1 \right] \vert \le \frac{1}{p}. \end{aligned}$$

It should be noted that in \({{\text {H}}_{3}}\), since the challenge ciphertext is the result of encrypting the random number \(\tilde{M}\), the adversary’s advantage in attacking \({{\text {H}}_{3}}\) is 0; that is, \(\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{3}} \right\rangle =1 \right] {-}1/2 \vert =0\). \(\square\)
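
Added note, not part of the original article: the \(1/p\) term in Lemma C.11 can be read off from bilinearity. The note assumes that \(e\) is a non-degenerate pairing on groups of prime order \(p\), that \({{\tilde{\delta }}_{1}}\) and \({{\tilde{\delta }}_{2}}\) are independent and uniform, and that \({{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'}\ne \textbf{0}\); the shorthand \(\Delta\) is introduced here.

$$\begin{aligned} e\left( {{\left[ {{\textbf{c}}^{{\text {T}}}} \right] }_{1}},{{\left[ \mathbf {{A}'}{{\tilde{\delta }}_{1}}-\mathbf {{A}'}{{\tilde{\delta }}_{2}} \right] }_{2}} \right)&=e{{\left( {{\left[ 1 \right] }_{1}},{{\left[ 1 \right] }_{2}} \right) }^{{{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'}\Delta }},\qquad \Delta ={{\tilde{\delta }}_{1}}-{{\tilde{\delta }}_{2}}, \\ \Pr \left[ e\left( {{\left[ {{\textbf{c}}^{{\text {T}}}} \right] }_{1}},{{\left[ \mathbf {{A}'}\Delta \right] }_{2}} \right) =1 \right]&=\Pr \left[ {{\textbf{c}}^{{\text {T}}}}\mathbf {{A}'}\Delta \equiv 0 \pmod p \right] =\frac{1}{p}. \end{aligned}$$

The last equality holds because \(\Delta\) is uniform and a fixed nonzero linear form of a uniform vector over \(\mathbb {Z}_{p}\) is itself uniform over \(\mathbb {Z}_{p}\). The premise \(e(\cdot )\ne 1\) used in the proof therefore fails with probability exactly \(1/p\), which is the bound stated in the lemma.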

Theorem C.2

(Adaptive security of the scheme) The CP-ABE scheme satisfies adaptive security under the \(k-\text {Lin}\) assumption.

Proof

Let the attack advantage of CP-ABE be \(Ad{{v}_{\mathcal {A}}}(\lambda )\). The game against the CP-ABE scheme is known to be \({{\text {H}}_{0}}\), and then the attack advantage against the CP-ABE scheme is \(Ad{{v}_{\mathcal {A}}}(\lambda )=\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{0}} \right\rangle =1 \right] -1/2 \vert\). Since

$$\begin{aligned} \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{0}} \right\rangle =1 \right] -1/2 \vert&\le \vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{0}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{1}} \right\rangle =1 \right] \vert \\&\quad +\sum \limits _{l=1}^{Q}{\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l-1,3}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,1}} \right\rangle =1 \right] \vert } \\&\quad +\sum \limits _{l=1}^{Q}{\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,1}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,2}} \right\rangle =1 \right] \vert } \\&\quad +\sum \limits _{l=1}^{Q}{\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,2}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,l,3}} \right\rangle =1 \right] \vert } \\&\quad +\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{2,Q,3}} \right\rangle =1 \right] -\Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{3}} \right\rangle =1 \right] \vert +\vert \Pr \left[ \left\langle \mathcal {A},{{\text {H}}_{3}} \right\rangle =1 \right] -1/2 \vert , \end{aligned}$$

using the conclusions of Lemmas C.7–C.11, we can obtain:

$$\begin{aligned} Ad{{v}_{\mathcal {A}}}(\lambda )\le \left( 2Q+1 \right) \cdot \text {Adv}_{{{B}^{*}}}^{k-\text {Lin}}\left( \lambda \right) +Q\cdot {{2}^{3d\left( \left\lceil \log n \right\rceil +n \right) }}\cdot N\cdot Adv_{{{B}^{*}}}^{\text {k-LIN}}\left( \lambda \right) +\frac{1}{p} \end{aligned}$$

\(\square\)
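
Added accounting, not part of the original article, of how the terms of the hybrid sum produce the stated bound, with the shorthand \(\varepsilon =\text {Adv}_{{{B}^{*}}}^{k-\text {Lin}}\left( \lambda \right)\) introduced here. The bounds of Lemmas C.7 and C.8 are not reproduced in this section; each is assumed to be a single \(\varepsilon\) term, as the coefficient \(2Q+1\) implies, and the middle term uses the bound stated at the end of the proof preceding Lemma C.10.

$$\begin{aligned} Ad{{v}_{\mathcal {A}}}(\lambda )&\le \underbrace{\varepsilon }_{{{\text {H}}_{0}}\rightarrow {{\text {H}}_{1}}}+\underbrace{Q\cdot \varepsilon }_{{{\text {H}}_{2,l-1,3}}\rightarrow {{\text {H}}_{2,l,1}}}+\underbrace{Q\cdot {{2}^{3d\left( \left\lceil \log n \right\rceil +n \right) }}\cdot N\cdot \varepsilon }_{{{\text {H}}_{2,l,1}}\rightarrow {{\text {H}}_{2,l,2}}}+\underbrace{Q\cdot \varepsilon }_{{{\text {H}}_{2,l,2}}\rightarrow {{\text {H}}_{2,l,3}}}+\underbrace{\frac{1}{p}}_{{{\text {H}}_{2,Q,3}}\rightarrow {{\text {H}}_{3}}}+\underbrace{0}_{{{\text {H}}_{3}}} \\&=\left( 2Q+1 \right) \cdot \varepsilon +Q\cdot {{2}^{3d\left( \left\lceil \log n \right\rceil +n \right) }}\cdot N\cdot \varepsilon +\frac{1}{p}. \end{aligned}$$

The middle term dominates: its loss factor is linear in the number of key queries \(Q\) and exponential in \(d\left( \left\lceil \log n \right\rceil +n \right)\).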

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


Cite this article

Sun, K., Gao, H. Adaptively secure CP-ABE for circuits with fan-in n and fan-out 1. J Supercomput 79, 13307–13340 (2023). https://doi.org/10.1007/s11227-023-05130-5
