Improving Security in Ciphertext-Policy Attribute-Based Encryption with Hidden Access Policy and Testing

  • Yin, Hongjian (School of Mathematics and Statistics, Xidian University) ;
  • Zhang, Leyou (School of Mathematics and Statistics, Xidian University) ;
  • Cui, Yilei (School of Mathematics and Statistics, Xidian University)
  • Received: 2018.02.28
  • Reviewed: 2018.11.03
  • Published: 2019.05.31

Abstract

Ciphertext-policy attribute-based encryption (CP-ABE) is one of the practical technologies for sharing data over the cloud, since it protects data confidentiality and supports fine-grained access control on the encrypted data. However, most previous schemes focus only on data confidentiality without considering privacy preservation for the data receiver. Recently, Li et al. (in TIIS, 10(7), 2016.7) proposed a CP-ABE with hidden access policy and testing, in which they claim that their scheme achieves privacy preservation for the encryptor and decryptor and also has high decryption efficiency. Unfortunately, in this paper we first show that their scheme fails to achieve a hidden access policy: any adversary can obtain access policy information by a simple decisional Diffie-Hellman test (DDH-test) attack. We then give a method to overcome this shortcoming. Security and performance analyses show that the proposed scheme not only achieves privacy protection for users, but also has higher efficiency than the original one.

1. Introduction

As one of the research hotspots of public key encryption, attribute-based encryption (ABE) [1] is considered an effective way to achieve fine-grained access control of encrypted data in cloud storage. In ABE schemes, access policies are represented by attribute sets, and they can be specified by data owners so that only those users whose attribute set satisfies the specified policy can access the encrypted data.

Generally speaking, ABE schemes can be divided into two types: key-policy attribute-based encryption and ciphertext-policy attribute-based encryption, abbreviated as KP-ABE and CP-ABE respectively. In KP-ABE schemes [2-4], ciphertexts are associated with attribute sets, and users' secret keys are related to access structures. Conversely, in CP-ABE schemes [5-7], attributes are associated with secret keys and access structures are related to the ciphertexts. This paper focuses only on CP-ABE.

In traditional CP-ABE schemes [5-7], the access policy is sent to users as part of the ciphertext. This means that any user, whether legitimate or not, learns the access policy as soon as he/she obtains the ciphertext. In some cases, however, the access policy itself is sensitive information. For instance, Alice shares her encrypted data and sets the access policy so that a mental health counselor will be able to decrypt her health records. The attributes "mental health" and "counselor" are therefore included in the access policy, and anyone, even someone who cannot decrypt the ciphertext, may guess that Alice is suffering from a mental health problem.

In order to further prevent users from revealing their privacy, the concept of ABE with partially hidden policy was introduced by Nishide et al. in [10]. They presented two schemes to hide the policy of CP-ABE. In these schemes, a decryptor can neither decrypt the data nor guess the access policy information if the decryptor's attribute set does not satisfy the ciphertext policy. In addition, their schemes were proved selectively secure. Since then, other CP-ABE schemes with hidden policy have been proposed one after another. In [11], the authors constructed a ciphertext-policy hiding CP-ABE scheme under composite order groups. This scheme is fully secure and supports AND-gate access policies. In order to enhance the flexibility of the access policy, Wang and He [12] proposed a hidden policy scheme with an LSSS-matrix access structure. Recent works in this area have focused on constructing more efficient ciphertext-policy hiding CP-ABE with short ciphertext size [13-14], and on developing schemes with additional applications such as keyword search [15-16].

However, in the ciphertext-policy hiding CP-ABE proposals, users must perform the full decryption computation whether or not their attribute sets match the ciphertext policy, which makes users do many useless computations when their attribute sets do not match the hidden policy. To enhance the efficiency of previous schemes, a novel access policy hidden CP-ABE scheme was introduced in [17]. In their scheme, users can test whether their attributes match the ciphertext policy before performing the decryption operation, and the cost of the test operation is much less than that of the decryption computation. Unfortunately, we found that their scheme cannot hide the access policy. In particular, any adversary can easily use the public parameters, such as the public keys and ciphertexts, to obtain attribute information about the access policy.

1.1 Our Contributions

This paper makes two main contributions. Firstly, a detailed security analysis of [17] is given to illustrate that access policy hiding cannot be realized in that scheme. Secondly, an improved access policy hidden scheme is constructed to overcome the shortcomings of [17]. In our scheme, the problem of user privacy leakage is avoided by hiding the access policy. In addition, the security of the proposed scheme is reduced to the DBDH assumption in the standard model. Security analysis and performance comparison show that our scheme not only realizes users' privacy protection, but also has higher efficiency than the original one.

1.2 Organization

Some preliminaries are given in Section 2. The security analysis of the scheme in [17] is given in Section 3. Section 4 proposes the improved CP-ABE with hidden policy. The security proof and comparisons between our scheme and previous works are given in Sections 5 and 6, respectively. Finally, the conclusions are given in Section 7.

2. Preliminaries

2.1 Bilinear Mapping

Let \(G\) and \(G_{T}\) be cyclic groups of prime order \(p\), and let \(g\) be a random generator of the group \(G\). A map \(e: G \times G \rightarrow G_{T}\) is called a bilinear mapping if the following properties are satisfied:

(i) Bilinearity: for all \(g, h \in G \text { and } a, b \in Z_{N}, e\left(g^{a}, h^{b}\right)=e(g, h)^{a b}\) ;

(ii) Non-degeneracy: \(e(g, g) \neq 1\);

(iii) Computability: \(\forall g, h \in G\), there are efficient algorithms to compute \(e(g, h)\).

2.2 Hardness Assumption

Let \(a, b, c, z \in_{R} Z_{p}\), and let \(g \in_{R} G\) be a generator. The decisional bilinear Diffie-Hellman (DBDH) assumption holds in group \(G\) if no probabilistic polynomial-time algorithm can distinguish the tuple \(\left[g, g^{a}, g^{b}, g^{c}, e(g, g)^{a b c}\right]\) from \(\left[g, g^{a}, g^{b}, g^{c}, e(g, g)^{z}\right]\) with non-negligible advantage.

2.3 Access Policy

Following [11], the access structure type of our construction is AND-gate with multi-valued attributes. This access policy is described as follows.

Let \(\widetilde{U}=\left\{a t t_{1}, a t t_{2}, \cdots, a t t_{n}\right\}\) be an attribute set, and let \(S_{i}=\left\{v_{i, 1}, v_{i, 2}, \cdots, v_{i, n_{i}}\right\}\) be the set of all possible values of attribute \(a t t_{i} \in \tilde{U}\). Let \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) be a user's attribute list, where \(L_{i} \in S_{i}\). An access policy is \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\), where \(W_{i} \in S_{i}\). In this paper, we write \(L |=W\) to denote that \(L\) satisfies \(W\), and \(L | \neq W\) to denote that it does not.

2.4 Definition of CP-ABE with Hidden Access Policy and Testing

The formal definition of a CP-ABE with hidden access policy and testing scheme is given as follows. The scheme consists of four algorithms.

-Setup(\(1^{\lambda}\)): Taking the security parameter \(1^{\lambda}\) as input, this algorithm generates the public key \(PK\) and the master secret key \(MSK\).

-KeyGen(PK, MSK, L): The KeyGen algorithm takes PK, MSK and the user attribute list L as inputs, and generates the attribute list L's auxiliary information together with the other secret key components.

-Encrypt(PK, M, W): It takes the message M, the public parameter PK and the policy W as inputs and outputs the corresponding ciphertext \(CT_{W}\). Here the access policy W's auxiliary information is part of the ciphertext \(CT_{W}\).

-Decrypt(PK, \(CT_{W}\), \(SK_{L}\)): This algorithm consists of two phases: an access policy testing phase and a decryption phase. It takes as inputs the public parameter PK, the ciphertext \(CT_{W}\) and the secret key \(SK_{L}\). It first runs the testing phase to check whether the user's attribute list satisfies the ciphertext policy of \(CT_{W}\). If the test passes, the algorithm runs the decryption phase and outputs M.

2.5 Security Model

Similar to [21], the following is the definition of the indistinguishability against selective ciphertext-policy and chosen-plaintext attacks (IND-sCP-CPA) model. The game is played between an adversary A and a challenger B.

Initial: A chooses challenge policies \(W_{0}^{*}\) and \(W_{1}^{*}\) and submits them to B.

Setup: The challenger picks a security parameter \(1^{\lambda}\), and runs Setup algorithm to get a master secret key MSK and public parameter PK. The challenger reserves MSK and sends PK to the adversary.

Phase 1: A submits an attribute list L for the KeyGen query. B returns \(SK_{L}\) to A only if \(L | \neq W_{0}^{*} \wedge L | \neq W_{1}^{*}\). Otherwise, it outputs ⊥.

Challenge: A submits two equal-length messages \(M_{0}^{*}\) and \(M_{1}^{*}\) to the challenger, on which it wishes to be challenged with respect to \(W_{0}^{*}\) and \(W_{1}^{*}\). B picks a random bit \(\rho \in\{1,0\}\) and sends CT = Encrypt(\(P K, M_{\rho}^{*}, W_{\rho}^{*}\)) to A.

Phase 2: It is similar to Phase 1.

Guess: Finally, the adversary outputs its guess \(\rho^{\prime} \in\{1,0\}\), and wins the game if \(\rho^{\prime}=\rho\). The advantage of the adversary in this game is defined as \(\left|\operatorname{Pr}\left[\rho^{\prime}=\rho\right]-\frac{1}{2}\right|\).

Definition 1. A hidden access policy CP-ABE scheme is secure against selective chosen-plaintext attack if all polynomial-time adversaries have a negligible advantage in the above game.

3. Review and Security Analysis of Li et al.’s Scheme

3.1 Review of Li et al.’s Scheme

The following is a brief review of the scheme in [17], which consists of the four algorithms below.

-Setup(\(1^{\lambda}\)): It takes as input the security parameter \(1^{\lambda}\) and outputs a bilinear mapping \(e\) and two cyclic groups \(G\) and \(G_{T}\). The trusted authority (TA) picks \(\alpha, \beta \in_{R} Z_{p}\) and \(a_{i, j} \in_{R} Z_{p}\), where \(i \in[1, n], j \in\left[1, n_{i}\right]\). TA computes \(Y=e(g, g)^{\alpha}, X=g^{\beta}\) and \(T_{i, j}=g^{a_{i, j}}\), where \(i \in[1, n], j \in\left[1, n_{i}\right]\). The public parameters PK and the master secret key MSK are as follows:

\(\begin{array}{c} P K=\left\langle e, G, G_{T}, g, Y, X,\left\{T_{i, j}\right\}_{i \in[1, n], j \in\left[1, n_{i}\right]}\right\rangle \\ M S K=\left\langle\alpha, \beta,\left\{a_{i, j}\right\}_{i \in[1, n], j \in\left[1, n_{i}\right]}\right\rangle \end{array}\).

-KeyGen(PK, MSK, L): Taking the master secret key MSK, the public key PK and a set of attributes \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) as inputs, this algorithm performs the following computation. The trusted authority chooses \(u, r^{*} \in_{R} Z_{p}\) and \(\lambda_{i} \in_{R} Z_{p}\) for the user, where \(1 \leq i \leq n\). Then the trusted authority computes \(D_{0}=g^{\alpha+\beta u}, D_{i, 1}=g^{u+a_{i, j} \lambda_{i}}, D_{i, 2}=X^{\lambda_{i}}\) for decryption. Furthermore, it computes \(D_{i}^{*}=T_{i, j}^{r^{*}}, i \in[1, n], D_{0}^{*}=g^{r^{*}}\), which are used to test whether the user's attribute list L satisfies the policy W. Finally, this algorithm delivers the secret key \(SK_{L}\) to the user:

\(S K_{L}=\left\langle D_{0},\left\{D_{i, 1}, D_{i, 2}, D_{i}^{*}\right\}_{1 \leq i \leq n}, D_{0}^{*}\right\rangle\).

-Encrypt(PK, M, W): This algorithm takes as inputs the public key PK, a message \(M \in G_{T}\) and an access policy \(W=\left[W_{1}, W_{2}, \cdots W_{n}\right]\). The encryptor randomly chooses \(s, s^{*} \in Z_{p}\) and computes \(\tilde{C}=M Y^{s}, C_{0}=g^{s}, C_{0}^{*}=g^{s^{*}}\). The encryptor then picks random values \(s_{i} \in Z_{p}\) such that \(s=\sum_{1}^{n} s_{i}\) and computes \(C_{i, 1}=X^{s_{i}}\), where \(i \in[1, n]\). If \(v_{i, j} \in W_{i}\), the encryptor computes \(C_{i, j, 2}=T_{i, j}^{s_{i}}\) and \(C_{i, j}^{*}=T_{i, j}^{s}\); otherwise (\(v_{i, j} \notin W_{i}\}\)) \(C_{i, j, 2}\) and \(C_{i, j}^{*}\) are randomly chosen elements of the group G. Finally, this algorithm outputs the ciphertext \(CT_{W}\),

\(C T_{W}=\left\langle\tilde{C}, C_{0}, C_{0}^{*},\left\{\left\{C_{i, 1}\right\},\left\{C_{i, j, 2}, C_{i, j}^{*}\right\}_{j \in\left[1, n_{i}\right]}\right\}_{i \in[1, n]}\right\rangle\).

-Decrypt(PK, \(CT_{W}\), \(SK_{L}\)): Taking \(P K, C T_{W}\) and \(S K_{L}\) as inputs, the decryptor runs the following operations:

(i) Testing phase: The user checks whether its attribute list satisfies the policy W. \(L |=W\) holds if and only if \(e\left(C_{0}^{*}, \prod_{i=1}^{n} D_{i}^{*}\right)=e\left(D_{0}^{*}, C_{i, j}^{*}\right)\) holds. If \(L | \neq W\), it returns ⊥ and terminates. If \(L |=W\), it proceeds to the decryption phase.

(ii) Decryption phase: The user decrypts the ciphertext to obtain the message M by the following equation.

\(M=\frac{\tilde{C} \prod_{i=1}^{n} e\left(C_{i, 1}, D_{i, 1}\right)}{e\left(C_{0}, D_{0}\right) \prod_{i=1}^{n} e\left(C_{i, j, 2}, D_{i, 2}\right)}\)

3.2 Security Analysis of Li et al.’s Scheme

In [17], the authors introduced a CP-ABE scheme in which the policy is hidden. To enhance decryption efficiency, their scheme adds a testing phase before the decryption procedure. However, we found that the ciphertext components used in the testing phase disclose the underlying ciphertext access policy; in other words, their scheme leaks the ciphertext receivers' identity privacy. Next, we explain why the above scheme cannot achieve access policy hiding.

Suppose there is an adversary who knows the universe of attributes. The adversary can use parts of the public parameters and the ciphertext to check whether a guessed access policy is the one encrypted in the ciphertext. More concretely, \(T_{i, j}, X, C_{i, 1}\) and \(C_{i, j}^{*}\) form a decisional Diffie-Hellman (DDH) tuple, so the adversary runs the following DDH test attack to determine whether the guessed policy \(W^{*}\) is the same as the access policy W used in the ciphertext:

\(e\left(C_{i, 1}, \Pi_{W^{*}} T_{i, j}\right) \stackrel{?}{=} e\left(X, \Pi_{W} C_{i, j}^{*}\right)\)

If the above equation holds, the adversary concludes that \(W^{*}=W\). That is, the DDH test attack succeeds because of the ciphertext components \(C_{i, 1}\) and \(C_{i, j}^{*}\).

4. The Proposed Scheme

This section will present a novel ciphertext-policy hidden CP-ABE scheme.

4.1 Construction

-Setup(\(1^{\lambda}\)): To generate the system parameters, the setup algorithm takes the security parameter \(1^{\lambda}\) as input and outputs a bilinear mapping as well as two cyclic groups \(G\) and \(G_{T}\) of prime order p. This algorithm randomly chooses a generator g of group G, and elements \(\alpha, \tau \in_{R} Z_{p}\) and \(a_{i, j} \in_{R} Z_{p}\), where \(i \in[1, n], j \in\left[1, n_{i}\right]\). Finally, it computes \(g_{1}=g^{\tau}, Y=e(g, g)^{\alpha}\) and \(T_{i, j}=g^{a_{i, j}}\), where \(i \in[1, n], j \in\left[1, n_{i}\right]\).

\(\begin{array}{c} P K=\left\langle e, G, G_{T}, g, g_{1}, Y,\left\{T_{i, j}\right\}_{i \in[1, n], j \in\left[1, n_{i}\right]}\right\rangle \\ \operatorname{MSK}=\left\langle\alpha, \tau,\left\{a_{i, j}\right\}_{i \in[1, n], j \in\left[1, n_{i}\right]}\right\rangle \end{array}\)

-KeyGen(PK, MSK, L): To obtain the secret keys, user U submits his/her attribute list \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\). This algorithm takes PK, \(MSK\) and the user attribute list L as inputs, and outputs the secret keys for U as follows.

Firstly, the KeyGen algorithm randomly picks \(\beta \in Z_{p}\) and \(\alpha_{k}, \beta_{k} \in_{R} Z_{p}(k \in[1, t])\), and computes \(D_{0}=g^{\alpha-\beta}\) and \(D_{i, j}=g^{\frac{\beta}{a_{i, j}}}\). Furthermore, for all \(L_{i} \in L\), we assume that \(L_{i}=L_{i, 1} L_{i, 2} \cdots L_{i, l}\), where each \(L_{i, m} \in\{0,1\}(m \in[1, l])\). Therefore, the user attribute list \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) can be described by a binary array \(L=\left[L_{1,1} \cdots L_{1, l} \cdots L_{n, 1} \cdots L_{n, l}\right]\). For convenience, we set \(L=\left[l_{1} l_{2} \cdots l_{t}\right]\left(l_{k} \in\{0,1\}\right)\). Let \(h_{0}=g\); for \(i=1\) to \(t\), the KeyGen algorithm computes \(h_{i}=\left(h_{i-1}\right)^{\alpha_{i}^{l_{i}} \beta_{i}^{1-l_{i}}}\), and sets the attribute list L's auxiliary information \(h_{L}=h_{t}\). Finally, this algorithm computes \(D^{*}=h_{L}^{\tau}\) and outputs user U's secret key \(SK_{L}\),

\(S K_{L}=\left\langle D_{0},\left\{D_{i, j}\right\}_{v_{i, j} \in L}, D^{*}\right\rangle\).

-Encrypt(PK, M, W): Firstly, the data owner randomly selects \(r \in Z_{p}\) and \(s_{i} \in Z_{p}\), and sets \(s=\sum_{1}^{n} s_{i}\). Then he/she runs the encrypt algorithm and encrypts the message \(M \in G_{T}\) under the access policy \(W=\left[W_{1}, W_{2}, \cdots W_{n}\right]\) as follows:

\(\tilde{C}=M Y^{s}, C_{0}=g^{s}, C_{0}^{*}=g^{r} \text { and } C_{1}^{*}=e\left(g_{1}, h_{W}\right)^{r}\).

For each \(v_{i, j} \in W\), the encryptor computes \(C_{i, j}=T_{i, j}^{s_{i}}\). Finally, it outputs the ciphertext as

\(C T_{W}=\left\langle\tilde{C}, C_{0}, C_{0}^{*}, C_{1}^{*},\left\{C_{i, j}\right\}_{v_{i, j} \in W}\right\rangle\).

-Decrypt(PK, \(CT_{W}\), \(SK_{L}\)): To decrypt the ciphertext, the decryptor takes its secret key \(SK_{L}\) and the public parameters as inputs and runs the following operations.

(i) Testing phase: The decryptor evaluates the following equation to check whether its attributes satisfy the ciphertext policy.

\(e\left(C_{0}^{*}, D^{*}\right) \stackrel{?}{=} C_{1}^{*}\)       (1)

If the above equation does not hold, then the decryption calculations terminate. Otherwise, the decryptor continues the next phase.

(ii) Decryption phase: The decryptor recovers the message M as follows.

\(M=\frac{\tilde{C}}{e\left(C_{0}, D_{0}\right) \cdot \prod_{a_{i, j} \in L} e\left(C_{i, j}, D_{i, j}\right)}\)       (2)

4.2 Correctness of the Proposed Construction

If the attribute list L satisfies the ciphertext policy, then \(L_{i}=W_{i}\) and \(h_{L}=h_{W}\) hold. We first show that Eq. (1) holds:

\(\begin{aligned} &e\left(C_{0}^{*}, D^{*}\right)\\ &=e\left(g^{r}, h_{L}^{\tau}\right)\\ &=e\left(g_{1}, h_{L}\right)^{r}\\ &=e\left(g_{1}, h_{W}\right)^{r}=C_{1}^{*} \end{aligned}\)

Then the message M can be computed by the following equation.

\(\begin{aligned} & \frac{\tilde{C}}{e\left(C_{0}, D_{0}\right) \cdot \prod_{a_{i, j} \in L} e\left(C_{i, j}, D_{i, j}\right)} \\ =& \frac{M \cdot e(g, g)^{\alpha s}}{e\left(g^{s}, g^{\alpha-\beta}\right) \cdot \prod_{a_{i, j} \in L} e\left(g^{a_{i, j} s_{i}}, g^{\frac{\beta}{a_{i, j}}}\right)} \\ =& \frac{M \cdot e(g, g)^{\alpha s}}{e(g, g)^{\alpha s} \cdot e(g, g)^{-\beta s} \cdot \prod_{a_{i, j} \in L} e(g, g)^{\beta s_{i}}} \\ =& \frac{M}{e(g, g)^{-\beta s} \cdot e(g, g)^{\beta \sum_{i=1}^{n} s_{i}}}=M \end{aligned}\)

4.3 Access Policy Hiding

Next, we show that the proposed scheme achieves access policy hiding. Suppose there is an adversary who knows the universe of attributes and wants to use the public parameters and ciphertexts to check whether a guessed access policy is the one encrypted in a ciphertext.

Suppose the adversary is given a ciphertext \(C T_{W}=\left\langle\tilde{C}, C_{0}, C_{0}^{*}, C_{1}^{*},\left\{C_{i, j}\right\}_{v_{i, j} \in W}\right\rangle\), which is the output of the encryption algorithm under an access policy W. It then makes a guess \(W^{*}\) of W. The DDH-like test is \(e\left(C_{0}^{*}, h_{W^{*}}\right) \stackrel{?}{=} C_{1}^{*}\), which can also be written as \(\frac{e\left(C_{0}^{*}, h_{W^{*}}\right)}{C_{1}^{*}} \stackrel{?}{=} 1\). Because

\(\frac{e\left(C_{0}^{*}, h_{W^{*}}\right)}{C_{1}^{*}}=\frac{e\left(g^{r}, h_{W^{*}}\right)}{e\left(g^{\tau}, h_{W}\right)^{r}}=\frac{e\left(g, h_{W^{*}}\right)^{r}}{e\left(g, h_{W}\right)^{\tau \cdot r}}\) and \(\tau\) is part of the master secret key of the scheme, no matter whether \(W^{*}=W\) or not, \(\frac{e\left(C_{0}^{*}, h_{W^{*}}\right)}{C_{1}^{*}} \neq 1\). Thus, the adversary cannot determine which access policy is used in the ciphertext, and our proposed construction preserves access policy hiding.

5. Security Analysis

This section proves that the proposed scheme is selectively secure under the DBDH assumption.

Game0 is the original game. Game1 is like Game0 except for the challenge ciphertext: in Game1, \(\tilde{C}\) is selected randomly from \(G_{T}\) when the attribute list satisfies \(L\left|\neq W_{0}^{*} \wedge L\right| \neq W_{1}^{*}\), and the other ciphertext components are created normally. When \(L\left|=W_{0}^{*} \wedge L\right|=W_{1}^{*}\), the challenge ciphertext is generated correctly, that is, Game0 = Game1 in this case.

Theorem 1. If there is an adversary that is able to distinguish Game0 from Game1 with advantage \(\varepsilon\), then we can construct an algorithm that solves the DBDH problem with advantage \(\varepsilon\).

Proof:

Init: A submits two challenge policies \(W_{0}^{*}\) and \(W_{1}^{*}\), and the challenger B chooses a random bit \(\rho \in\{1,0\}\).

Setup: To generate PK, the challenger picks \(x^{*} \in_{R} Z_{p}\) at random and sets \(\alpha=a b+x^{*}\), so that \(Y=e(g, g)^{a b}\). The challenger B picks \(\tau \in_{R} Z_{p}\) at random and computes \(g_{1}=g^{\tau}\). For every attribute value \(v_{i, j}\), B picks random elements \(k_{i, j} \in_{R} Z_{p}\), where \(i \in[1, n], j \in\left[1, n_{i}\right]\). If \(v_{i, j} \in W_{\rho, i}^{*}\), then \(a_{i, j}=k_{i, j}, T_{i, j}=g^{a_{i, j}}\); if \(v_{i, j} \notin W_{\rho, i}^{*}\), then \(a_{i, j}=\frac{b}{k_{i, j}}, T_{i, j}=g^{\frac{b}{k_{i, j}}}\). Finally, the challenger sends \(P K=\left\langle e, G, G_{T}, g, g_{1}, Y,\left\{T_{i, j}\right\}_{i \in[1, n], j \in\left[1, n_{i}\right]}\right\rangle\) to A.

Phase 1: The adversary A with an attribute list \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) makes a secret key query. Here only the case \(L\left|\neq W_{0}^{*} \wedge L\right| \neq W_{1}^{*}\) is considered, because by our definition, if \(L\left|=W_{0}^{*} \wedge L\right|=W_{1}^{*}\), then Game0 = Game1; in that case B terminates the game and takes a random guess. When \(L\left|\neq W_{0}^{*} \wedge L\right| \neq W_{1}^{*}\), there must be an \(i^{*} \in\{1, \cdots, n\}\) such that \(L_{i^{*}}\left(v_{i^{*}, j_{i^{*}}}\right) \notin W_{\rho, i^{*}}^{*}\). The challenger randomly selects \(\beta, \alpha_{k}, \beta_{k} \in_{R} Z_{p}(k \in[1, t])\).

The components \(D_{0}\) and \(D^{*}\) are computed as \(D_{0}=g^{\alpha-\beta}\) and \(D^{*}=h_{L}^{\tau}\). For \(i=i^{*}\), the challenger randomly picks \(\beta^{*} \in_{R} Z_{p}\) and sets \(\beta=a b+\beta^{*} b\); it then computes \(D_{0}=g^{x^{*}-\beta^{*} b}=g^{\alpha-a b-\beta^{*} b}\) and \(D_{i, j}=T_{i, j}^{a} \cdot g^{\beta^{*} k_{i, j}}=g^{\left(a+\beta^{*}\right) k_{i, j}}=g^{\frac{\beta}{a_{i, j}}}\); for \(i \neq i^{*}\), B computes \(D_{0}=g^{\alpha-\beta}\) and \(D_{i, j}=g^{\frac{\beta}{a_{i, j}}}\).

Challenge: After receiving two equal-length messages \(M_{0}^{*}\) and \(M_{1}^{*}\) from A, the challenger sets \(C_{0}=g^{c}\) and \(\tilde{C}=M_{\rho}^{*} \cdot e(g, g)^{\alpha c}\), which implies \(s=c\). In addition, the challenger randomly picks \(r \in_{R} Z_{p}\) and computes \(C_{0}^{*}=g^{r}\) and \(C_{1}^{*}=e\left(g_{1}, h_{W_{\rho}^{*}}\right)^{r}\). For all \(i \in[1, n], i \neq i^{*}\), the challenger randomly selects \(s_{i} \in_{R} Z_{p}\); for \(i=i^{*}\), it computes \(s_{i^{*}}=c-\sum_{i=1, i \neq i^{*}}^{n} s_{i}\). The rest of the ciphertext is generated as follows.

● For \(i=i^{*}\), the challenger computes \(C_{i^{*}, j}=T_{i^{*}, j}^{s_{i^{*}}}=g^{\frac{b s_{i^{*}}}{k_{i^{*}, j}}}\).

● For \(i \neq i^{*}\) , the challenger computes \(C_{i, j}=T_{i, j}^{s_{i}}=g^{a_{i, j} s_{i}}\).

Finally, the challenger sends the challenge ciphertext \(C T_{W_{\rho}^{*}}=\left\langle\tilde{C}, C_{0}, C_{0}^{*}, C_{1}^{*},\left\{C_{i, j}\right\}_{v_{i, j} \in W_{\rho}^{*}}\right\rangle\) to the adversary A.

Phase 2: It is similar to Phase 1.

Guess: A outputs a guess \(\rho^{\prime}\) of \(\rho\). The challenger B then outputs 1 if \(\rho^{\prime}=\rho\) and 0 otherwise. When \(Z=e(g, g)^{a b c}\), A is in Game0; when Z is random, A is in Game1. Therefore, the challenger has advantage \(\varepsilon\) in the DBDH game.

6. Performance Comparison

This section compares our scheme with some previous schemes, all of which are ciphertext-policy hiding CP-ABE schemes.

The previous policy hiding CP-ABE schemes are compared with ours in storage cost, computational cost and security properties in Tables 1, 2 and 3, respectively. For convenience, let \(\widetilde{U}=\left\{a t t_{1}, a t t_{2}, \cdots, a t t_{n}\right\}\) be the attribute set, where n is the number of attributes in the universe and \(n_{i}\) is the number of possible values of \(a t t_{i}\). Set \(N=\prod_{i=1}^{n} n_{i}\), the total number of possible values of all attributes. |PK|, |SK| and |CT| denote the lengths of the public parameters, the secret key and the ciphertext. The notation \(k \mathrm{TE}_{\mathrm{G}}\) and \(k \mathrm{TE}_{\mathrm{GT}}\) denotes k-times calculations over the group G and the group \(G_{T}\), respectively, and TP denotes the time for one pairing.

From Tables 1, 2 and 3, it is easy to see that the proposed scheme is efficient in the size of the public parameters, secret keys and ciphertexts. Although the efficiency of the scheme in [11] looks just as good as ours, there is no testing phase in their scheme and it is constructed in groups of composite order.

In particular, the computation cost of our testing phase is just \(\mathrm{TP}+\mathrm{TE}_{\mathrm{GT}}\), which means that the user only needs to perform one pairing computation if his/her attribute list does not satisfy the ciphertext policy. This is an efficient way to avoid excessive computation before decryption and improves efficiency for the decryptor.

Table 1. Storage Cost of Different Schemes

 

Table 2. Computational Cost of Different Schemes

 

Table 3. Security Comparison among Different Schemes

 

7. Conclusion

This paper first shows that Li et al.'s scheme is vulnerable to the DDH-test attack, so that their scheme cannot realize access policy hiding. Subsequently, a novel and improved scheme is proposed that resists the DDH-test attack. In this scheme, a testing phase is added before decryption, and the cost of the testing phase is only one pairing. In addition, the security of our scheme is reduced to standard assumptions.

References

  1. A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Proc. of 24th annual international conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT'05), pp. 457-473, May 22-26, 2005.
  2. V. Goyal, O. Pandey, A. Sahai and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of 13th ACM conference on Computer and Communications Security (CCS'06), pp. 89-98, October 30-November 03, 2006.
  3. N. Attrapadung, B. Libert and E.D. Panafieu, "Expressive key-policy attribute-based encryption with constant-size ciphertexts," in Proc. of 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography (PKC'11), pp. 90-108, March 06-09, 2011.
  4. C. Ge, W. Susilo, J. Wang, Z. Huang, L. Fang and Y. Ren, "A key-policy attribute-based proxy re-encryption without random oracles," Computer Journal, vol. 59, no. 7, pp. 970-982, July, 2016. https://doi.org/10.1093/comjnl/bxv100
  5. J. Bethencourt, A. Sahai and B. Waters, "Ciphertext-policy attribute-based encryption," in Proc. of 2007 IEEE Symposium on Security and Privacy (SP'07), pp. 321-334, May 20-23, 2007.
  6. B. Waters, "Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization," in Proc. of 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography (PKC'11), pp. 53-70, March 06-09, 2011.
  7. L. Zhang and Y. Hu, "New constructions of hierarchical attribute-based encryption for fine-grained access control in cloud computing," Ksii Transactions on Internet and Information Systems, vol. 7, no. 5, pp. 1343-1356, May, 2013. https://doi.org/10.3837/tiis.2013.05.023
  8. X. Boyen and B. Waters, "Anonymous hierarchical identity-based encryption (without random oracles)," in Proc. of 26th Annual International Cryptology Conference (CRYPTO'06), pp. 290-307, August 20-24, 2006.
  9. L. Zhang, Y. Mu and Q. Wu, "Compact anonymous hierarchical identity-based encryption with constant size private keys," Computer Journal, vol. 59, no. 4, pp. 452-461, April, 2016. https://doi.org/10.1093/comjnl/bxv059
  10. T. Nishide, K. Yoneyama and K. Ohta, "Attribute-based encryption with partially hidden encryptor-specified access structures," in Proc. of 6th international conference on Applied cryptography and network security (ACNS'08), pp. 111-129, June 03-06, 2008.
  11. J. Lai, R.H. Deng and Y. Li, "Fully secure cipertext-policy hiding CP-ABE," in Proc. of 7th international conference on Information security practice and experience (ISPEC'11), pp. 24-39, May 30-June 01, 2011.
  12. Z. Wang and M. He, "CP-ABE with hidden policy from Waters efficient construction," International Journal of Distributed Sensor Networks, vol. 12, no. 1, pp. 1-8, January, 2016.
  13. N. Doshi and D. Jinwala, "Hidden access structure ciphertext policy attribute based encryption with constant length ciphertext," in Proc. of 2011 international conference on Advanced Computing, Networking and Security (ADCONS'11), pp. 515-523, December 16-18, 2011.
  14. C. Jin, X. Feng and Q. Shen, "Fully secure hidden ciphertext policy attribute-based encryption with short ciphertext size," in Proc. of 6th International Conference on Communication and Network Security (ICCNS '16), pp. 91-98, November 26-29, 2016.
  15. P. Xu, Q. Wu, W. Wang, W. Susilo, J. Domingo-Ferrer and H. Jin, "Generating searchable public-key ciphertexts with hidden structures for fast keyword search," IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1993-2006, September, 2015. https://doi.org/10.1109/TIFS.2015.2442220
  16. S. Qiu, J. Liu, Y. Shi and R. Zhang, "Hidden policy ciphertext-policy attribute-based encryption with keyword search against keyword guessing attack," Science China Information Sciences, vol. 60, no. 5: 052105, May, 2017. https://doi.org/10.1007/s11432-015-5449-9
  17. J. Li, H. Wang, Y. Zhang and J. Shen, "Ciphertext-policy attribute-based encryption with hidden access policy and testing," Ksii Transactions on Internet and Information Systems, vol. 10, no. 7, pp. 3339-3352, July, 2016. https://doi.org/10.3837/tiis.2016.07.026
  18. J. Lai, R.H. Deng and Y. Li, "Expressive CP-ABE with partially hidden access structures," in Proc. of 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS '12), pp. 18-19, May 02-04, 2012.
  19. X. Li, D. Gu, Y. Ren, N. Ding and K. Yuan, "Efficient ciphertext-policy attribute based encryption with hidden policy," in Proc. of 5th international conference on Internet and Distributed Computing Systems (IDCS'12), pp. 146-159, November 21-23, 2012.
  20. T.V.X. Phuong, G. Yang and W. Susilo, "Hidden ciphertext policy attribute-based encryption under standard assumptions," IEEE Transactions on Information Forensics and Security, vol. 11, no. 1, pp. 35-45, January, 2016. https://doi.org/10.1109/TIFS.2015.2475723
  21. M. Padhya and D. Jinwala, "A novel approach for searchable CP-ABE with hidden ciphertext-policy," in Proc. of 10th International Conference on Information Systems Security (ICISS'14), pp. 167-184, December 16-20, 2014.
  22. K. Emura, A. Miyaji, A. Nomura, K. Omote and M. Soshi, "A ciphertext-policy attribute-based encryption scheme with constant ciphertext length," International Journal of Applied Cryptography, vol. 2, no. 1, pp. 46-59, July 2010. https://doi.org/10.1504/IJACT.2010.033798
  23. S. Liu, W. Fu, L. He, J, Zhou and M. Ma, "Distribution of primary additional errors in fractal encoding method," Multimedia Tools & Applications, vol. 76, no. 4, pp. 5787-5802, February, 2017. https://doi.org/10.1007/s11042-014-2408-1
  24. M. Abdalla, D. Catalano and D. Fiore, "Verifiable random functions from identity-based key encapsulation," in Proc. of 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques (EUROCRYPT '09), pp. 554-571, April 26-30, 2009.
  25. L. Zhang, Q. Wu, Y. Mu and J. Zhang, "Privacy-preserving and secure sharing of PHR in the cloud," Journal of Medical Systems, vol. 40, no. 12, pp. 1-13, December, 2016. https://doi.org/10.1007/s10916-015-0365-5
  26. S. Liu, Z. Pan and X. Cheng, "A novel fast fractal image compression method based on distance clustering in high dimensional sphere surface," Fractals-Complex Geometry Patterns and Scaling in Nature and Society, vol. 25, no. 4, pp. 1740004, June, 2017.
  27. K. Yang, Q. Han, H. Li, K. Zheng, Z. Su and X. Shen, "An efficient and fine-grained big data access control scheme with privacy-preserving policy," IEEE Internet of Things Journal, vol. 4, no. 2, pp. 563-571, April, 2017. https://doi.org/10.1109/JIOT.2016.2571718
  28. H. Yin and L. Zhang, "Security analysis and improvement of an anonymous attribute-based proxy re-encryption," in Proc. of 10th International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage (SpaCCS'17), pp. 344-352, December 12-15, 2017.
  29. M. Hattori, T. Hirano, T. Ito, N. Matsuda, T. Mori, Y. Sakai and K. Ohta, "Ciphertext-policy delegatable hidden vector encryption and its application to searchable encryption in multi-user setting," in Proc. of 13th IMA international conference on Cryptography and Coding (IMACC'11), pp. 190-209, December 12-15, 2011.
  30. J. Li,W. Yao, Y. Zhang, H Qian and J. Han, "Flexible and fine-grained attribute-based data storage in cloud computing," IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785-796, September-October, 2017. https://doi.org/10.1109/TSC.2016.2520932
  31. S. Liu, Z. Pan and H Song, "Digital image watermarking method based on DCT and fractal encoding," Iet Image Processing, vol. 11, no. 10, pp. 815-821, October, 2017. https://doi.org/10.1049/iet-ipr.2016.0862

Cited by

  1. Ontology Based Privacy Preservation over Encrypted Data using Attribute-Based Encryption Technique vol.6, pp.2, 2021, https://doi.org/10.25046/aj060244