
FDCO: attribute-based fast data cloud-outsourcing scheme for mobile devices

  • Regular Contribution
  • International Journal of Information Security

Abstract

We propose an attribute-based fast data cloud-outsourcing (FDCO) scheme that performs well on mobile devices. Technically, this work is a CCA-secure online/offline key encapsulation scheme based on ciphertext-policy attribute-based encryption, with a public validity test and an indirect user revocation mechanism. We adapt it to a mobile cloud-outsourcing scenario and present a concrete system. Our scheme has the following desirable properties. First, encapsulation needs only a few lightweight online modular additions and multiplications, which is appealing to mobile users. Second, it is equipped with an efficient indirect user revocation mechanism to support access credential revocation. Third, it supports a public encapsulation validity test, which lets auditors filter out invalid data and so prevents attackers from flooding users' accounts with invalid data. Finally, we prove its security against chosen-ciphertext attacks (CCA) in the standard model. We conduct theoretical analyses and extensive experiments to show that our scheme is practical and efficient in application.


Fig. 1
Fig. 2
Fig. 3


References

  1. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)


  2. Bardou, R., Focardi, R., Kawamoto, Y., Simionato, L., Steel, G., Tsay, J.: Efficient padding oracle attacks on cryptographic hardware. In: Proceedings of the 32nd Annual Cryptology Conference, Advances in Cryptology—CRYPTO 2012, Santa Barbara, CA, USA, August 19–23, 2012, pp. 608–625 (2012)

  3. Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Israel Institute of Technology, Technion, Haifa, Israel (1996)

  4. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20–23 May 2007, Oakland, California, USA, pp. 321–334 (2007)

  5. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: Proceedings of the 2008 ACM Conference on Computer and Communications Security, CCS 2008, Alexandria, Virginia, USA, October 27–31, 2008, pp. 417–426 (2008)

  6. Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology—EUROCRYPT 2004, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238 (2004)

  7. Caro, A.D., Iovino, V.: jpbc: Java pairing based cryptography. In: Proceedings of the 16th IEEE Symposium on Computers and Communications, ISCC 2011, Kerkyra, Corfu, Greece, June 28–July 1, 2011, pp. 850–855 (2011)

  8. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, October 30–November 3, 2006, pp. 89–98 (2006)

  9. Guo, F., Mu, Y., Chen, Z.: Identity-based online/offline encryption. In: 12th International Conference on Financial Cryptography and Data Security, FC 2008, Cozumel, Mexico, January 28–31, 2008, pp. 247–261 (2008)

  10. Hohenberger, S., Waters, B.: Online/offline attribute-based encryption. In: Proceedings of the 17th International Conference on Practice and Theory in Public-Key Cryptography, Public-Key Cryptography—PKC 2014, Buenos Aires, Argentina, March 26–28, 2014, pp. 293–310 (2014)

  11. Jung, T., Li, X., Wan, Z., Wan, M.: Privacy preserving cloud data access with multi-authorities. In: Proceedings of the IEEE INFOCOM 2013, Turin, Italy, April 14–19, 2013, pp. 2625–2633 (2013)

  12. Kamara, S., Lauter, K.E.: Cryptographic cloud storage. In: Financial Cryptography and Data Security, FC 2010 Workshops, RLCPS, WECSR, and WLC 2010, Tenerife, Canary Islands, Spain, January 25–28, 2010, Revised Selected Papers, pp. 136–149 (2010)

  13. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2000, San Diego, California, USA (2000)

  14. Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In: Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology—EUROCRYPT 2010, Monaco/French Riviera, May 30–June 3, 2010, pp. 62–91 (2010)

  15. Lewko, A.B., Waters, B.: Decentralizing attribute-based encryption. In: Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology—EUROCRYPT 2011, Tallinn, Estonia, May 15–19, 2011, pp. 568–588 (2011)

  16. Lewko, A.B., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology—EUROCRYPT 2011, Tallinn, Estonia, May 15–19, 2011, pp. 547–567 (2011)

  17. Li, J., Zhang, Y., Chen, X., Xiang, Y.: Secure attribute-based data sharing for resource-limited users in cloud computing. Comput. Secur. 72, 1–12 (2018)


  18. Ma, H., Zhang, R., Wan, Z., Lu, Y., Lin, S.: Verifiable and exculpable outsourced attribute-based encryption for access control in cloud computing. IEEE Trans. Dependable Secure Comput. 14(6), 679–692 (2017)


  19. Naresh, R., Sayeekumar, M., Karthick, G.M., Supraja, P.: Attribute-based hierarchical file encryption for efficient retrieval of files by DV index tree from cloud using crossover genetic algorithm. Soft Comput. 23(8), 2561–2574 (2019)


  20. Ning, J., Cao, Z., Dong, X., Liang, K., Ma, H., Wei, L.: Auditable \(\sigma \)-time outsourced attribute-based encryption for access control in cloud computing. IEEE Trans. Inf. Forensics Secur. 13(1), 94–105 (2018)


  21. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4–8, 2013, pp. 463–474 (2013)

  22. Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Proceedings of the 32nd Annual Cryptology Conference, Advances in Cryptology—CRYPTO 2012, Santa Barbara, CA, USA, August 19–23, 2012, pp. 199–217 (2012)

  23. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology—EUROCRYPT 2005, Aarhus, Denmark, May 22–26, 2005, pp. 457–473 (2005)

  24. Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: Security model and construction. In: Proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography, Public-Key Cryptography—PKC 2013, Nara, Japan, February 26–March 1, 2013, pp. 216–234 (2013)

  25. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptol. ePrint Arch. 2004, 332 (2004)


  26. Uzunkol, O., Kiraz, M.S.: Still wrong use of pairings in cryptography. Appl. Math. Comput. 333, 467–479 (2018)


  27. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6–9, 2011, pp. 53–70 (2011)

  28. Xue, L., Yu, Y., Li, Y., Au, M.H., Du, X., Yang, B.: Efficient attribute-based encryption with attribute revocation for assured data deletion. Inf. Sci. 479, 640–650 (2019)


  29. Yamada, S., Attrapadung, N., Hanaoka, G., Kunihiro, N.: Generic constructions for chosen-ciphertext secure attribute based encryption. In: Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, Public Key Cryptography—PKC 2011, Taormina, Italy, March 6–9, 2011, pp. 71–89 (2011)

  30. Zhang, Y., Chen, X., Li, J., Wong, D.S., Li, H., You, I.: Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Inf. Sci. 379, 42–61 (2017)


  31. Zhang, Y., Liu, J., Zhang, Z., Hu, Y.: Multi-authority fast data cloud-outsourcing for mobile devices. In: Proceedings of the 21st International Conference, Information Security ISC 2018, Guildford, UK, September 9–12, 2018, pp. 231–249 (2018)


Acknowledgements

This study was funded by the National Natural Science Foundation of China (61972017, 61972018, 61932014, 61972310), the Beijing Natural Science Foundation (4182033) and the National Cryptography Development Fund (MMJJ20180215).

Author information


Corresponding author

Correspondence to Zongyang Zhang.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


Appendix

Here, we give the details of six security games to prove that our FDCO scheme is secure under Definition 5 based on the weakly decisional q-parallel BDHE assumption.

Proof

Game 0

Game 0 is run between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\), and is the same as the security game defined in Sect. 4.2. Initially, given \((D, G)\) from the weakly decisional q-parallel BDHE assumption, \(\mathcal {A}\) commits to a challenge access policy \((\mathbf M ^*, \rho ^*)\) and a challenge time \(T^*\), where \(\mathbf M ^* \in \mathbb {Z}_p^{\ell ^* \times n^*}\), \(\ell ^*, n^* \le q - 1\), and \(\rho ^*: [\ell ^*] \rightarrow [0, (p-1)/2]\). \(\mathcal {C}\) runs Setup to output \((msk, pp)\), where \(msk = (\alpha )\) and \(pp = (\textsf {CHash}, \mathcal {R}, \textsf {Hash}, g, h, u, v, w, h_r, u_r, e(g, g)^{\alpha }, BT)\), and gives pp to \(\mathcal {A}\). In Phase 1, \(\mathcal {A}\) adaptively issues the following queries, and \(\mathcal {C}\) answers them:

  1. Attribute credential query for attribute set \(\mathcal {S}\). Assume that the issued attribute credential queries are \(Q_{ac}^{(1)}, \ldots , Q_{ac}^{(q_{ac})}\), where \(Q_{ac}^{(x)} = \mathcal {S}^{(x)} = \{A_1^{(x)}, \ldots , A_{n_x}^{(x)}\}\). For each query, \(\mathcal {C}\) runs ACGen to generate \(ac_{\mathcal {S}}\) and gives it to \(\mathcal {A}\). Denote the result computed on input \(Q_{ac}^{(x)}\) by \(ac_{\mathcal {S}^{(x)}}\).

  2. Decapsulation query for an encapsulation \((hdr, en)\) on a time T chosen by \(\mathcal {A}\). Assume that the issued decapsulation queries are \(Q_{d}^{(1)}, \ldots , Q_{d}^{(q_{d})}\), where \(Q_{d}^{(x)} = ( hdr^{(x)}, en^{(x)} )\) for time \(T^{(x)}\). For each query, \(\mathcal {C}\) runs DataDec and returns the result to \(\mathcal {A}\). Denote the key extracted from input \(Q_{d}^{(x)}\) by \(key^{(x)}\).

  3. Revocation query for attribute set \(\mathcal {S}\) and revocation time T. Assume that the issued revocation queries are \(Q_{r}^{(1)}, \ldots , Q_{r}^{(q_{r})}\), where \(Q_{r}^{(x)} = \{ \mathcal {S}^{(x)}, T^{(x)}\}\). For each query, \(\mathcal {C}\) runs ACRevoke: it finds the leaf node \(\eta ^{(x)}\) associated with \(\mathcal {S}^{(x)}\), updates RL, and publishes it.

  4. Credential updating query on time T. Assume that the issued credential updating queries are \(Q_{cu}^{(1)}, \ldots , Q_{cu}^{(q_{cu})}\), where \(Q_{cu}^{(x)} = T^{(x)}\). For each query, \(\mathcal {C}\) runs CredUp to obtain the credential update. Denote the result of \(Q_{cu}^{(x)}\) by \(cu_{T^{(x)}}\).

When \(\mathcal {A}\) decides that Phase 1 is over, it makes a challenge query: it outputs two messages \(M_0\), \(M_1\) of equal length. \(\mathcal {C}\) chooses a bit \(b \xleftarrow {R} \{0, 1\}\), encapsulates \(M_{b}\) under \((\mathbf M ^*, \rho ^*)\) and \(T^*\), obtains the target ciphertext \((hdr^*, en^*)\), and returns it to \(\mathcal {A}\), where

$$\begin{aligned} hdr^* = \left( \begin{gathered} (\mathbf M ^*, \rho ^*), T^*, chk^*, r_{m}^*, C_0^*, C_{0, 1}^*, C_{0, 2}^*, C_{0, 3}^*, \\ \{C_{i, 1}^*, C_{i, 2}^*, C_{i, 3}^*, C_{i, 4}^*, C_{i, 5}^*\}_{i \in [\ell ^*]}, C_{R, 1}^*, C_{R, 2}^* \end{gathered} \right) , \end{aligned}$$

in which \(r_{m}^* = \textsf {Coll} (td^*, {m'}^*, r_{m'}^*, m^*)\),

$$\begin{aligned} m^* =\left( \begin{gathered} en^* \Vert C_{0, 1}^* \Vert C_{0, 2}^* \Vert C_{0, 3}^* \Vert C_{1, 1}^* \Vert \cdots \Vert C_{1, 5}^* \Vert \cdots \\ \Vert C_{\ell ^*, 1}^* \Vert \cdots \Vert C_{\ell ^*, 5}^* \Vert C_{R, 1}^* \Vert C_{R, 2}^* \Vert (\mathbf M ^*, \rho ^*) \Vert T^* \end{gathered} \right) . \end{aligned}$$

The target encrypted data is \(en^* = \textsf {SymEnc}(key, M_{b})\).

In Phase 2, \(\mathcal {A}\) continues issuing queries, with the constraint that in any decapsulation query \((hdr, en) \ne (hdr^*, en^*)\). \(\mathcal {C}\) gives responses in the same way as in Phase 1.

After making all queries, \(\mathcal {A}\) outputs a guess bit \(b^{'} \in \{0, 1\}\). If \(b' = b\), \(\mathcal {C}\) outputs 0, representing that the challenge term is \(G = e(g, g)^{sa^{q+1}}\); otherwise, \(\mathcal {C}\) outputs 1, representing that \(G \xleftarrow {R} \mathbb {G}_T\). Since Game 0 is the same as the game in Sect. 4.2, we have

$$\begin{aligned} Adv_{\mathcal {A}}^{\text {FDCO}}(\lambda ) = Adv_{\mathcal {A}}^{q}(\lambda ) = \left| {\Pr [X_0] - \frac{1}{2}} \right| . \end{aligned}$$
(5)

Next, we prove that \(Adv_{\mathcal {A}}^{\text {FDCO}}(\lambda )\) is negligible. We make an additional assumption about the internal structure of Game 0, namely that w and \(e(g, g)^{\alpha }\) are computed as follows: \(a,\widetilde{\alpha } \xleftarrow {R} \mathbb {Z}_p\), \(w = g^a\), \(e(g, g)^{\alpha } = e(g^a, g^{a^q}) \cdot e(g, g)^{\widetilde{\alpha }}\), i.e., implicitly \(\alpha = a^{q+1} + \widetilde{\alpha }\). Apart from the computation of w and \(e(g, g)^{\alpha }\), the value of a is never used directly. Since \(a, \widetilde{\alpha }\) are uniform in \(\mathbb {Z}_p\), the terms \(w, e(g, g)^{\alpha }\) are properly distributed, so this change does not affect the view of \(\mathcal {A}\) and Eq. (5) still holds.

Game 1

Game 1 is the same as Game 0, except that \(\mathcal {C}\) changes how it generates \((hdr^*, en^*)\). Here we introduce a new technique: instead of using \((\mathbf M ^*, \rho ^*)\) directly, \(\mathcal {C}\) uses \(V^*\) as a virtual attribute to build an extended access policy \((\widetilde{\mathbf{M }}^*, \widetilde{\rho }^*)\), where \(\widetilde{\rho }^* {= \{\rho ^*, \ell ^*+1 \rightarrow V^*\}}\), \(V^*\) is computed as \(V^*= \textsf {Hash}(chk^* \Vert \textsf {CHash}(chk^*, {m'}^*, r_{m'}^*)) \in [\frac{p+1}{2}, p-1]\), and

$${\widetilde{\mathbf{M }}^* {= \begin{pmatrix} \mathbf M ^* \in \mathbb {Z}_p^{{\ell ^*} \times {n^*}} &{}{\varvec{0}} \in \mathbb {Z}_p^{{\ell ^*} \times 1} \\ ( {1,0, \ldots ,0} ) &{} 0 \end{pmatrix}} \in \mathbb {Z}_p^{( {{\ell ^*} + 1} ) \times ( {{n^*} + 1})} .}$$

\(\mathcal {C}\) samples a secret \(s \xleftarrow {R} \mathbb {Z}_p\), sets \({\varvec{\widetilde{y}}} = (s,{\mathbf {y}})\), and computes \(key = G \cdot e(g, g^s)^{\widetilde{\alpha }}\), \({\varvec{\widetilde{\lambda }}}^* = \widetilde{\mathbf{M }}^* \cdot {\varvec{\widetilde{y}}} = ({{\varvec{\lambda }}^{*T}},s)^T\). Here, we let \(\ell = \ell ^* + 1, n = n^* + 1\). \(\mathcal {C}\) computes the first \(\ell ^*\) groups of components \(\{\widetilde{C}_{i,1}^*, \widetilde{C}_{i,2}^*, \widetilde{C}_{i, 3}^*\}_{i \in [\ell ^*]}\) for original \(\mathbb {A}^*\), and the last group of components \(\{\widetilde{C}_{\ell ,1}^*, \widetilde{C}_{\ell ,2}^*, \widetilde{C}_{\ell , 3}^*\}\) for \(V^*\), i.e., for \(i \in [\ell ^*]\), it computes \(\widetilde{C}_{i,1}^* = w^{\lambda _i^*}v^{t_i^*}\), \( \widetilde{C}_{i,2}^* = (u^{\widetilde{\rho }^*(i)}h)^{t_i^*}\), \(\widetilde{C}_{i, 3}^* = g^{t_i^*}\); for \(i = \ell \), it computes \(\widetilde{C}_{\ell ,1}^* = w^{s}v^{t_{\ell }^*}\), \(\widetilde{C}_{\ell ,2}^* = (u^{V^*}h)^{t_{\ell }^*}\), \(\widetilde{C}_{\ell ,3}^* = g^{t_{\ell }^*}\).

After receiving the challenge query \(M_0\), \(M_1\), \(\mathcal {C}\) flips a coin \(b \xleftarrow {R} \{0, 1\}\) and computes \(en^* = \textsf {SymEnc}(key, M_{b})\). It sets \(C_0^* = \widetilde{C}_0^* = g^s\). For each \(i \in [\ell ]\), it samples \(C_{i, 4}^*, C_{i, 5}^* \xleftarrow {R} \mathbb {Z}_p\), and sets \(C_{i, 1}^* = \widetilde{C}_{i, 1}^* \cdot w^{-C_{i, 4}^*}, C_{i, 2}^* = \widetilde{C}_{i, 2}^* \cdot u^{-C_{i, 5}^*}, C_{i, 3}^* = \widetilde{C}_{i, 3}^*\). It computes \(\widetilde{C}_{R,1}^* = {({C_0^*})^{{v^{'}_r} + {v_r}{T^*}}} = {g^{s( {{v^{'}_r} + {v_r}{T^*}})}} = {( {{g^{ - a{T^*} + {v^{'}_r} + a{T^*} + {v_r}{T^*}}}})^s} = {( {u_r^{{T^*}} \cdot {h_r}})^s}\), samples \(C_{R, 2}^* \xleftarrow {R} \mathbb {Z}_p\), and then computes \({C}_{R,1}^* = \widetilde{C}_{R,1}^* \cdot u_r^{-C_{R, 2}^*}\) and \(r_{m}^* = \textsf {Coll} (td^*, {m^{'}}^*, r_{m^{'}}^*, m^*)\) for

$$\begin{aligned} m^* = \left( \begin{gathered} en^* \Vert C_{0, 1}^* \Vert C_{0, 2}^* \Vert C_{0, 3}^* \Vert C_{1, 1}^* \Vert \cdots \Vert C_{1, 5}^* \Vert \cdots \\ \Vert C_{\ell ^*, 1}^* \Vert \cdots \Vert C_{\ell ^*, 5}^* \Vert C_{R, 1}^* \Vert C_{R, 2}^* \Vert (\mathbf M ^*, \rho ^*) \Vert T^* \end{gathered} \right) , \end{aligned}$$

The header is now formed as

$$\begin{aligned} hdr^* = \left( \begin{gathered} (\mathbf M ^*, \rho ^*), T^*, chk^*, r_{m}^*, C_0^*, C_{0, 1}^*, C_{0, 2}^*, C_{0, 3}^*, \\ \{C_{i, 1}^*, C_{i, 2}^*, C_{i, 3}^*, C_{i, 4}^*, C_{i, 5}^*\}_{i \in [\ell ]}, C_{R, 1}^*, C_{R, 2}^* \end{gathered} \right) . \end{aligned}$$

Finally, it outputs the challenge ciphertext \(EN^*=(hdr^*, en^*)\). The access policy has been transformed into “\(\mathbb {A}^*\) OR \(V^*\)”. Since \(V^* \notin [0, (p-1)/2]\), \(V^*\) lies outside the valid attribute universe, so no attribute credential issued to \(\mathcal {A}\) can contain it. From the view of \(\mathcal {A}\), the access policy remains the same, and we have

$$\begin{aligned} \Pr [X_1] = \Pr [X_0]. \end{aligned}$$
(6)

Game 2

Game 2 is the same as Game 1, except that \(\mathcal {C}\) changes the way it generates pp. Instead of selecting \(h, u, v, u_r, h_r\) at random, \(\mathcal {C}\) uses the terms given by the assumption and the committed challenge access policy to compute pp. Following the technique of Rouselakis and Waters [21], it samples \(\widetilde{h}, \widetilde{u}, \widetilde{v} \xleftarrow {R} \mathbb {Z}_p\), and computes \(h, u, v\) as \(h = {g^{\widetilde{h}}} \prod _{(j,k) \in [\ell ,n]} {{{\left( {{g^{{a^k}/{b_j^2}}}} \right) }^{-\widetilde{\rho }^*(j)\widetilde{M}_{j,k}^*}}}\), \(u = {g^{\widetilde{u}}} \prod _{(j,k) \in [\ell ,n]} {{{\left( {{g^{{a^k}/b_j^2}}} \right) }^{\widetilde{M}_{j,k}^*}}}\), \(v = {g^{\widetilde{v}}} \prod _{(j,k) \in [\ell ,n]} {{{\left( {{g^{{a^k}/b_j}}} \right) }^{\widetilde{M}_{j,k}^*}}}\) (with the negative sign on \(\widetilde{\rho }^*(j)\) in the exponent of h as in [21], so that the \(b_j\)-dependent terms of \(u^{x} h\) cancel exactly when \(x = \widetilde{\rho }^*(j)\)). \(\mathcal {C}\) implicitly sets \(\alpha = a^{q + 1} + \widetilde{\alpha }\) (note that \(\mathcal {C}\) does not know the actual value of \(\alpha \)). It sets \(RL = \emptyset \), samples \(v_r, v_r' \xleftarrow {R} \mathbb {Z}_p\), and computes \(u_r = g^a \cdot g^{v_r}\), \(h_r = (g^a)^{-T^*} \cdot g^{v_r'}\), so that \(u_r^{T} h_r = g^{a(T - T^*) + v_r T + v_r'}\) and the a-dependent part vanishes exactly at \(T = T^*\). Assume that the adversary \(\mathcal {A}\) issues at most \(q_s\) attribute credential queries.

Before responding to queries, \(\mathcal {C}\) samples a binary tree BT with at least \(q_s\) leaf nodes. Among these \(q_s\) queries, assume that \(q_{s, 1}\) are for sets \(\mathcal {S}\) that do not satisfy \((\mathbf M ^*, \rho ^*)\): \(\mathcal {C}\) samples \(q_{s, 1}\) leaf nodes and reserves them for those sets, forming node set \(Q_{1}\). The other \(q_{s, 2} = q_s - q_{s, 1}\) queries are for sets \(\mathcal {S}\) satisfying \((\mathbf M ^*, \rho ^*)\): \(\mathcal {C}\) reserves the remaining nodes for them, forming node set \(Q_{2}\). Since \(\widetilde{h}, \widetilde{u}, \widetilde{v}, v_r, v^{'}_r\) are uniform in \(\mathbb {Z}_p\), \(h, u, v, u_r, h_r\) are also properly distributed. We have

$$\begin{aligned} \Pr [X_2] = \Pr [X_1]. \end{aligned}$$
(7)

Game 3

Game 3 is the same as Game 2, except that \(\mathcal {C}\) modifies its responses to attribute credential queries. When \(\mathcal {A}\) issues a query \(Q_{ac}\) for \(\mathcal {S} = \{A_1, \ldots , A_{n}\}\):

Case 1: \({\mathcal {S}}\) does not satisfy \((\mathbf{M }^*, \rho ^*)\). \({\mathcal {C}}\) randomly samples an unassigned leaf node \(\eta \in Q_1\) of BT and assigns \({\mathcal {S}}\) to it. Then, as in the RW CP-ABE scheme [21], \(\mathcal {C}\) generates a group of valid components \((K_{\theta , 0}, K_{\theta , 1}, \{K_{\theta , i, 2}, K_{\theta , i, 3}\}_{i \in [\kappa ]})\) with \(\kappa = |{\mathcal {S}}|\). It computes \({\varvec{\omega }} = (\omega _1, \omega _2, \ldots ,\omega _n)^{\text {T}} \in \mathbb {Z}_p^n\) such that \(\omega _1 = -1\) and \(\langle {\mathbf \mathbf{M }_i^*}, {\varvec{\omega }} \rangle = 0\) for all \(i \in I = \{i \mid i \in [\ell ] \wedge \rho ^*(i) \in \mathcal {S}\}\); such a vector exists because \(\mathcal {S}\) does not satisfy the policy. It samples \(\tilde{r}_{\theta } \xleftarrow {R} \mathbb {Z}_p\), and implicitly sets \(r_{\theta } = \tilde{r}_{\theta } +\sum \nolimits _{i \in [n]} {\omega _i a^{q+1-i}}\). It computes

$$\begin{aligned} K_{\theta , 0}&= S_{\theta } g^\alpha w^{r_{\theta }}= S_\theta g^{a^{q+1}+\tilde{\alpha }}g^{a(\tilde{r}_\theta +\sum \limits _{i \in [n]}{\omega _i a^{q+1-i}})} \\&= S_\theta g^{a^{q+1}+\tilde{\alpha }}g^{-a\cdot a^q}g^{a(\tilde{r}_\theta +\sum \limits _{i=2}^n{\omega _i a^{q+1-i}})}\\&= S_\theta g^{\tilde{\alpha }}g^{a\tilde{r}_\theta }g^{\sum \limits _{i=2}^n{\omega _i a^{q+2-i}}},\\ K_{\theta , 1}&= g^{r_{\theta }} = g^{\tilde{r}_{\theta }} g^{\sum \limits _{i=1}^{n}{\omega _i a^{q+1-i}}}. \end{aligned}$$

Here \(\omega _1 = -1\) cancels the unknown term \(g^{a^{q+1}}\), and the remaining exponents \(a^{q+2-i}\) for \(i \ge 2\) are at most \(a^q\), so both components can be assembled from the terms of the assumption. For each \(i \in [\kappa ]\), it samples \(r_i \xleftarrow {R} \mathbb {Z}_p \) and sets \(K_{\theta , i, 2} = g^{r_i}\), \(K_{\theta , i, 3} = (u^{A_i} \cdot h)^{r_i} v^{-r_{\theta }}\); the concrete computation of these two components from the terms of the assumption follows [21] and is omitted here. Finally, \(\mathcal {C}\) returns to \(\mathcal {A}\) the attribute credential \(ac_{\mathcal {S}} = (\mathcal {S}, \{(K_{\theta , 0}, K_{\theta , 1}, \{K_{\theta , i, 2}, K_{\theta , i, 3}\}_{i \in [\kappa ]})\}_{\theta \in \textsf {Path}(\eta )})\). \(S_{\theta }\) in Game 3 and \(g_\theta \) in Game 2 are randomly selected from \(\mathbb {G}\), so from the view of \(\mathcal {A}\), \(S_{\theta }g^\alpha \) in Game 3 and \(g_\theta ^\alpha \) in Game 2 are identically distributed. Besides, \(\widetilde{r}_\theta \) is uniform in \(\mathbb {Z}_p\), so \(r_\theta \) is also properly distributed. We have

$$\begin{aligned} \Pr [X_3] = \Pr [X_2] \end{aligned}$$
(8)

Case 2: \(\mathcal {S}\) satisfies \((\mathbf M ^*, \rho ^*)\). \(\mathcal {C}\) randomly samples an unassigned leaf node \(\eta \in Q_2\) of BT and assigns \(\mathcal {S}\) to it. For each node \(\theta \in \textsf {Path}(\eta )\), if \(S_{\theta }\) is already defined, \(\mathcal {C}\) retrieves it; otherwise, \(\mathcal {C}\) samples \(S_{\theta } \xleftarrow {R} \mathbb {G}\) and stores it in node \(\theta \). In this case, we cannot follow the proof of RW CP-ABE to generate a valid \(ac_\mathcal {S}\), since \(\mathcal {S}\) would decrypt the challenge. Instead, \(\mathcal {C}\) implicitly sets \(S_{\theta } = g_{\theta }^{\alpha }\) in \(K_{\theta , 0}\). It samples \(r_{\theta }, r_1, r_2, \ldots , r_{\kappa } \xleftarrow {R} \mathbb {Z}_p\), computes \(K_{\theta , 0} = S_{\theta } w^{r_{\theta }}\), \(K_{\theta , 1} = g^{r_{\theta }}\), and for each \(i \in [\kappa ]\) computes \(K_{\theta , i, 2} = g^{r_i}, K_{\theta , i, 3} = (u^{A_i} \cdot h)^{r_i} v^{-r_{\theta }}\). Finally, it returns to \(\mathcal {A}\) the attribute credential

$$\begin{aligned} ac_{\mathcal {S}} = (\mathcal {S}, \{(K_{\theta , 0}, K_{\theta , 1}, \{K_{\theta , i, 2}, K_{\theta , i, 3}\}_{i \in [\kappa ]})\}_{\theta \in \textsf {Path}(\eta )}). \end{aligned}$$

\(S_{\theta }\) in Game 3 and \(g_\theta \) in Game 2 are randomly selected from \(\mathbb {G}\), so from the view of \(\mathcal {A}\), \(S_{\theta }\) in Game 3 and \(g_\theta ^\alpha \) in Game 2 are identically distributed. Here, Eq. (8) also holds.
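The two pieces of linear algebra above are easy to lose in the notation: the "\(\mathbb {A}^*\) OR \(V^*\)" extension of Game 1 (append a zero column and the row \((1, 0, \ldots , 0)\) labelled \(V^*\), so that the extra share equals s) and the vector \({\varvec{\omega }}\) of Game 3, Case 1 (\(\omega _1 = -1\), orthogonal to every row whose attribute the queried set holds, which exists exactly when the set does not satisfy the policy). The following is an added example, not code from the paper: it implements LSSS sharing, reconstruction and the \({\varvec{\omega }}\) search over \(\mathbb {Z}_p\) with a toy prime and a made-up three-attribute policy, using plain modular linear algebra in place of the scheme's pairings. The policy, attribute values and the prime are assumptions for illustration only.

```python
# Added example, not the paper's code: LSSS arithmetic over Z_p behind the
# "A* OR V*" policy extension of Game 1 and the vector omega of Game 3, Case 1.
# Toy prime and hypothetical policy/attribute values; a real deployment uses
# the pairing-group order p and an LSSS derived from the access policy.
p = 1_000_003


def inv(x):
    return pow(x % p, p - 2, p)


def solve(A, b):
    """Return one x with A.x = b (mod p), or None if the system is inconsistent
    (Gauss-Jordan elimination over Z_p; A may be non-square)."""
    m, k = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        iv = inv(aug[r][c])
        aug[r] = [v * iv % p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][k] for i in range(r, m)):  # a row 0 = nonzero: unsolvable
        return None
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = aug[i][k]
    return x


def shares(M, y):
    """lambda = M.y, the LSSS shares; y[0] is the secret s."""
    return [sum(a * b for a, b in zip(row, y)) % p for row in M]


def extend_policy(M, rho, V):
    """Game 1: append a zero column and the row (1,0,...,0) labelled V, so
    (M~, rho~) encodes 'A OR V'. rho maps a row index to its attribute."""
    n = len(M[0])
    M_t = [row + [0] for row in M] + [[1] + [0] * n]
    rho_t = dict(rho)
    rho_t[len(M)] = V
    return M_t, rho_t


def satisfying_rows(M, rho, S):
    return [i for i in range(len(M)) if rho[i] in S]


def reconstruct(M, rho, S, lam):
    """Recover s from the shares whose rows are labelled by S, i.e. find c
    with sum_i c_i M_i = e_1; None when S does not satisfy the policy."""
    I = satisfying_rows(M, rho, S)
    if not I:
        return None
    n = len(M[0])
    MI_transposed = [[M[i][col] for i in I] for col in range(n)]
    c = solve(MI_transposed, [1] + [0] * (n - 1))
    if c is None:
        return None
    return sum(ci * lam[i] for ci, i in zip(c, I)) % p


def omega(M, rho, S):
    """Game 3, Case 1: omega with omega_1 = -1 and <M_i, omega> = 0 for every
    row i labelled by S. Such omega exists iff S does not satisfy the policy."""
    I = satisfying_rows(M, rho, S)
    n = len(M[0])
    A = [M[i] for i in I] + [[1] + [0] * (n - 1)]
    return solve(A, [0] * len(I) + [-1])


# Constructed sample: policy (A5 AND A7) OR A11 with attributes in [0,(p-1)/2];
# V_STAR lies in [(p+1)/2, p-1], outside the FDCO attribute universe.
M_STAR = [[1, 1], [0, p - 1], [1, 0]]
RHO_STAR = {0: 5, 1: 7, 2: 11}
V_STAR = (p + 1) // 2 + 12345
```

With `M_t, rho_t = extend_policy(M_STAR, RHO_STAR, V_STAR)`, the shares of the extended matrix are the original shares followed by s itself, so `reconstruct` succeeds for \(\{5, 7\}\), \(\{11\}\) and \(\{V^*\}\) alike, while `omega` returns a vector only for non-satisfying sets such as \(\{5\}\) and returns `None` for \(\{5, 7\}\) and for \(\{V^*\}\); this is the dichotomy between Case 1 and Case 2 above.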

Game 4

Game 4 is the same as Game 3, except that \(\mathcal {C}\) modifies its responses to credential updating queries. When adversary \(\mathcal {A}\) issues a query \(Q_{cu}\) on T, for each node \(\theta \in \textsf {CUNode} (\textsf {BT}, \textsf {RL}, \textsf {T})\), if \(S_{\theta }\) is already defined, \(\mathcal {C}\) retrieves \(S_{\theta }\); otherwise, \(\mathcal {C}\) samples \(S_{\theta } \xleftarrow {R} \mathbb {G}\), and stores it in node \(\theta \):

Case 1: \(\theta \in \textsf {Path}(\eta )\) for \(\eta \in Q_1\). The msk \(\alpha = a^{q+1} + \widetilde{\alpha }\) is already set in \(ac_{\mathcal {S}}\). \(\mathcal {C}\) samples \(\tau _{\theta } \xleftarrow {R} \mathbb {Z}_p\), and computes \(\widetilde{K}_{\theta , 0} = S_{\theta }^{-1} \cdot (u_r^T \cdot h_r)^{\tau _{\theta }},\) \(\widetilde{K}_{\theta , 1} = g^{\tau _{\theta }}\).

Case 2: \(\theta \in \textsf {Path}(\eta )\) for \(\eta \in Q_2\). The msk \(\alpha = a^{q+1} + \widetilde{\alpha }\) has not been implicitly set in \(ac_{\mathcal {S}}\). So here, \(\mathcal {C}\) randomly samples \(\widetilde{\tau }_{\theta } \xleftarrow {R} \mathbb {Z}_p\), and then computes

$$\begin{aligned} \widetilde{K}_{\theta ,0}&= S_\theta ^{ - 1} {g^{\widetilde{\alpha }}}{( {{g^{{a^q}}}} )^{ - \frac{{v{'_r} + {v_r}T}}{{T - {T^*}}}}}{( {{g^a}} )^{{{\widetilde{\tau }}_\theta }( {T - {T^*}} )}}{g^{{{\widetilde{\tau }}_\theta }( {v{'_r} + {v_r}T} )}} \\&= S_\theta ^{ - 1} {g^{\widetilde{\alpha }}}{g^{{a^{q + 1}}}}{( {{{( {{g^a}} )}^{T - {T^*}}}{g^{v{'_r} + {v_r}T}}} )^{ - \frac{{{a^q}}}{{T - {T^*}}} + {{\widetilde{\tau }}_\theta }}} \\&= S_\theta ^{ - 1} {g^{\widetilde{\alpha }}}{g^{{a^{q + 1}}}}{( {{{( {{g^a} \cdot {g^{{v_r}}}} )}^T}{{( {{g^a}} )}^{ - {T^*}}} \cdot {g^{v{'_r}}}} )^{ - \frac{{{a^q}}}{{T - {T^*}}} + {{\widetilde{\tau }}_\theta }}} \\&= S_\theta ^{ - 1} {g^\alpha }{( {u_r^T \cdot {h_r}} )^{{\tau _\theta }}}, \\ \widetilde{K}_{\theta ,1}&= (g^{{a^q}} )^{ - \frac{1}{T - {T^*}}}{g^{{{\widetilde{\tau }}_\theta }}} = g^{ - \frac{{{a^q}}}{{T - {T^*}}} + {{\widetilde{\tau }}_\theta }} = g^{{\tau _\theta }}, \end{aligned}$$

which implicitly sets \(\tau _{\theta } = - \frac{a^q}{T - T^*} + {\widetilde{\tau }}_\theta \) and \(\alpha = a^{q+1} + \widetilde{\alpha }\); the division requires \(T \ne T^*\), and the \(g^{a^{q+1}}\) factor of \(g^\alpha \) is cancelled by the \(a^{q+1}\) term arising from \((g^a)^{T - T^*}\) raised to \(-a^q/(T - T^*)\). \(S_{\theta }\) in Game 4 and \(g_\theta \) in Game 3 are randomly selected from \(\mathbb {G}\), so from the view of \(\mathcal {A}\), \(S_{\theta }^{-1}\) in Game 4 and \({(g/g_\theta )}^\alpha \) in Game 3 are identically distributed. Since \(\widetilde{\tau }_\theta \) is uniform in \(\mathbb {Z}_p\), \(\tau _\theta \) is properly distributed. Then, we have

$$\begin{aligned} \Pr [X_4] = \Pr [X_3] \end{aligned}$$
(9)
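Games 2 to 4 lean on the binary tree BT: ACGen assigns each attribute set a leaf \(\eta \) and issues one credential component per node on \(\textsf {Path}(\eta )\), while CredUp publishes one update component per node in \(\textsf {CUNode}(\textsf {BT}, \textsf {RL}, T)\), and DataDec works only at a node that lies in both sets, where the masks \(S_\theta \) and \(S_\theta ^{-1}\) cancel. The following is an added example, not the paper's code, showing that bookkeeping with the complete-subtree cover of Boldyreva, Goyal and Kumar [5]. It assumes a full tree of \(2^{depth}\) leaves with heap-style node numbering and a revocation list of (leaf, revocation time) pairs; the attribute sets and times are constructed sample data.

```python
# Added example, not the paper's code: the binary-tree bookkeeping behind
# Path(eta) and CUNode(BT, RL, T) in Games 2-4, using the complete-subtree
# cover of Boldyreva, Goyal and Kumar [5]. Assumptions: a full tree with
# 2**depth leaves, heap-style node ids (root 1, children 2i and 2i+1), and a
# revocation list RL of (leaf, revocation_time) pairs.


class BT:
    def __init__(self, depth):
        self.first_leaf = 1 << depth
        self.leaves = list(range(self.first_leaf, 2 * self.first_leaf))
        self.assigned = {}  # leaf -> attribute set, filled by ACGen

    def assign(self, S):
        """Give the next free leaf to attribute set S (what ACGen does)."""
        for leaf in self.leaves:
            if leaf not in self.assigned:
                self.assigned[leaf] = frozenset(S)
                return leaf
        raise RuntimeError("tree is full")

    @staticmethod
    def path(eta):
        """Path(eta): the leaf eta and all of its ancestors up to the root."""
        nodes = []
        while eta >= 1:
            nodes.append(eta)
            eta //= 2
        return nodes

    def leaves_under(self, node):
        lo = hi = node
        while lo < self.first_leaf:
            lo, hi = 2 * lo, 2 * hi + 1
        return set(range(lo, hi + 1))

    def cu_nodes(self, RL, T):
        """CUNode(BT, RL, T): the minimal set of subtree roots that covers
        exactly the leaves not revoked at or before time T. CredUp publishes
        one update component K~_theta per node theta returned here."""
        X = set()
        for leaf, t in RL:
            if t <= T:
                X.update(self.path(leaf))
        if not X:
            return {1}
        Y = set()
        for node in X:
            for child in (2 * node, 2 * node + 1):
                if child < 2 * self.first_leaf and child not in X:
                    Y.add(child)
        return Y


def update_node(bt, RL, T, eta):
    """The node theta in Path(eta) ∩ CUNode(BT, RL, T) at which the holder of
    leaf eta combines K_theta with K~_theta in DataDec; None if eta is revoked
    (no such node exists, so the masks S_theta never cancel)."""
    common = set(bt.path(eta)) & bt.cu_nodes(RL, T)
    assert len(common) <= 1  # the cover is disjoint, so at most one hit
    return next(iter(common), None)
```

For a tree of eight leaves with the second leaf revoked at time 3, `cu_nodes` returns the root for any earlier time and \(\{8, 5, 3\}\) from time 3 on; the revoked leaf then shares no node with the cover and `update_node` returns `None` for it, while every other leaf finds exactly one node, which is why the leaf-to-set assignment in Game 2 and the two cases of Game 4 can be handled node by node.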

Game 5

Game 5 is the same as Game 4, except that \(\mathcal {C}\) modifies its responses to decapsulation queries. If \(G \xleftarrow {R} \mathbb {G}_T\), Game 5 is identical to Game 4 and \(M_b\) is completely hidden in the challenge ciphertext; otherwise, Game 5 is identical to Game 4 except that a decapsulation query with \(V = V^*\) causes the simulation to abort. We now explain the details.

When \(\mathcal {A}\) issues a query \(Q_d\) with \((hdr, en)\) for time T, \(\mathcal {C}\) computes \(V = \textsf {Hash}(chk \Vert \textsf {CHash}(chk, m, r_m))\) and checks whether \(V = V^*\). If so, \(\mathcal {C}\) outputs a random bit \(b \xleftarrow {R} \{0, 1\}\) and aborts the simulation; otherwise, it obtains \(v \leftarrow \textsf {EncFilt}(pp, (hdr, en))\). If \(v = 0\), it outputs \(\perp \); otherwise, it proceeds with the simulation as follows.

\(V \notin [0, \frac{p-1}{2}]\) is an invalid attribute in our FDCO scheme, but is a valid attribute in RW CP-ABE, whose attribute universe is \(\mathbb {Z}_p\). When \(V \ne V^*\), the set \(\mathcal {S} = \{V\}\) satisfies neither \(\mathbb {A}^*\) nor \(\widetilde{\mathbb {A}}^*\). Therefore, \(\mathcal {C}\) can correctly generate an attribute credential for \(\mathcal {S} = \{V\}\) in the same way as in Case 1 of the attribute credential queries of Game 3. This credential is not associated with any leaf of BT, so it does not need the mask \(S_{\theta }\); accordingly \(\mathcal {C}\) computes the matching update components \(\widetilde{K}_{\theta , 0} = (u_r^T \cdot h_r)^{\tau _{\theta }}\), \(\widetilde{K}_{\theta , 1} = g^{\tau _{\theta }}\). It then runs \(\textsf {DataDec}\) to extract key and uses it to decrypt the data. The masks, where present, cancel in the combination step of \(\textsf {DataDec}\): in its Case 1, \(K_0 = K_{\theta , 0} \widetilde{K}_{\theta , 0} = S_{\theta } g^{\alpha } w^{r_{\theta }} S_{\theta }^{-1} (u_r^T \cdot h_r)^{\tau _{\theta }} = g^{\alpha } w^{r_{\theta }} (u_r^T \cdot h_r)^{\tau _{\theta }}\), and in its Case 2, \({K_0} = {K_{\theta ,0}}{\widetilde{K}_{\theta ,0}} = {S_\theta }{w^{{r_\theta }}} \cdot S_\theta ^{ - 1}{g^\alpha }{( {u_r^T\cdot {h_r}} )^{{\tau _\theta }}} = {g^\alpha }{w^{{r_\theta }}}{( {u_r^T\cdot {h_r}} )^{{\tau _\theta }}}\). In both cases the random \(S_{\theta }\) cancels, so the combined result is valid for decapsulation.
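The mechanism that makes both Game 1 and Game 5 work is the chameleon hash: in the offline phase the encapsulator commits to a dummy \({m'}^*\) and derives \(V^*\) from \(\textsf {CHash}(chk^*, {m'}^*, r_{m'}^*)\); in the online phase \(\textsf {Coll}\) produces \(r_m^*\) such that the real body \(m^*\) hashes to the same value, so \(V^*\) is unchanged; and any other ciphertext that is not a collision yields a different V, which is what lets the decapsulation oracle be simulated without \(\alpha \). The following is an added example, not the paper's code, that carries this through with a toy Krawczyk and Rabin [13] discrete-log chameleon hash. The group parameters, the stand-in for the pairing-group order, the use of SHA-256 as \(\textsf {Hash}\), and the message bodies are all assumptions made for illustration.

```python
# Added example, not the paper's code: the chameleon-hash binding used in
# Game 1 (Coll keeps V* fixed) and Game 5 (a different body gives V != V*),
# with a toy Krawczyk-Rabin [13] discrete-log chameleon hash. All parameters
# are hypothetical: CH_P, CH_Q form a tiny safe-prime group and ABE_P stands
# in for the pairing-group order p. Hash() is SHA-256 folded into the upper
# half of Z_p, where V* lives in the proof.
import hashlib

CH_P, CH_Q, CH_G = 2027, 1013, 4   # p = 2q+1; 4 generates the order-q subgroup
ABE_P = 1_000_003                  # toy stand-in for the pairing-group order


def ch_keygen(seed):
    """Chameleon key pair: trapdoor td = x in Z_q*, public chk = (g, y = g^x)."""
    x = seed % CH_Q
    if x == 0:
        raise ValueError("trapdoor must be nonzero")
    return x, (CH_G, pow(CH_G, x, CH_P))


def to_zq(m):
    """Map an arbitrary byte string (the encapsulation body m) into Z_q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % CH_Q


def chash(chk, m, r):
    """CHash(chk, m, r) = g^m * y^r in the order-q subgroup."""
    g, y = chk
    return pow(g, to_zq(m), CH_P) * pow(y, r % CH_Q, CH_P) % CH_P


def coll(td, m_prime, r_prime, m):
    """Coll(td, m', r', m): r with CHash(chk, m, r) == CHash(chk, m', r').
    Solves m + x*r = m' + x*r' (mod q) for r using the trapdoor x."""
    x_inv = pow(td, CH_Q - 2, CH_Q)
    return (to_zq(m_prime) + td * r_prime - to_zq(m)) * x_inv % CH_Q


def virtual_attribute(chk, ch_value):
    """V = Hash(chk || CHash(...)) in [(p+1)/2, p-1]: outside the FDCO
    attribute universe [0, (p-1)/2], so no real credential covers it."""
    data = f"{chk[0]}|{chk[1]}|{ch_value}".encode()
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return (ABE_P + 1) // 2 + h % ((ABE_P - 1) // 2)


def offline_phase(td_seed, m_prime=b"placeholder", r_prime=17):
    """Before the data is known: fix chk, a dummy (m', r') and hence V*."""
    td, chk = ch_keygen(td_seed)
    V = virtual_attribute(chk, chash(chk, m_prime, r_prime))
    return td, chk, m_prime, r_prime, V


def online_phase(td, chk, m_prime, r_prime, m_star):
    """Bind the real body m* to the precomputed V* without changing it."""
    return coll(td, m_prime, r_prime, m_star)


def recompute_v(chk, m, r_m):
    """What the decapsulation oracle of Game 5 computes for a query (hdr, en)."""
    return virtual_attribute(chk, chash(chk, m, r_m))
```

Running `offline_phase` and then `online_phase` on a constructed body such as `b"en*||C_0*||...||T*"` gives an \(r_m^*\) for which `recompute_v` returns the precomputed \(V^*\), whereas changing a single byte of the body or using any other \(r_m\) changes the chameleon-hash value and, with overwhelming probability, V. Only the holder of the trapdoor can produce a second pair hashing to the same value, which is exactly why an adversary's decapsulation query with \(V = V^*\) is the single event the reduction must exclude.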

If \(G = e(g, g)^{sa^{q+1}}\), \(\mathcal {A}\) plays the proper security game for our scheme. The only event leading to an abort is that \(\mathcal {A}\) issues a decapsulation query with \(V = V^*\). Let F be the event that for some \(j \in [q_d]\), the j-th decapsulation query has \(V^{(j)} = V^*\). Games 4 and 5 proceed identically unless F occurs, so by the Difference Lemma [25] we have

$$\begin{aligned} \left| \Pr [X_5] - \Pr [X_4]\right| \le \Pr [F]. \end{aligned}$$
(10)

Given the maximal number \(q_d\) of decapsulation queries, the abort probability is at most \(2q_d/p\). We have

$$\begin{aligned} \Pr [F] \le \frac{2q_{d}}{p}. \end{aligned}$$
(11)

Otherwise, i.e., when \(G \xleftarrow {R} \mathbb {G}_T\), \(M_b\) is hidden and

$$\begin{aligned} \Pr [X_5] = \Pr [X_4]. \end{aligned}$$
(12)

Combining Eqs. (5)–(12), if the weakly decisional q-parallel BDHE assumption defined in Sect. 2.5 holds, we have

$$\begin{aligned} Adv_{\mathcal {A}}^{\text {FDCO}}(\lambda ) = \left| \Pr [X_0] - 1/2 \right| \le \frac{2q_{d}}{p} + \epsilon (\lambda ), \end{aligned}$$
(13)

which is negligible.\(\square \)

Cite this article

Zhang, Y., Liu, J., Zhang, Z. et al. FDCO: attribute-based fast data cloud-outsourcing scheme for mobile devices. Int. J. Inf. Secur. 19, 639–656 (2020). https://doi.org/10.1007/s10207-019-00480-9
