Short CCA-Secure Attribute-Based Encryption

www.astesj.com

Special issue on Advancement in Engineering Technology

ISSN: 2415-6698

Short CCA-Secure Attribute-Based Encryption

1_{Department of Information Security, University of Nagasaki, 851–2195, Japan}

2_{Graduate School of Information Security, Institute of Information Security, 221–0835, Japan}

A R T I C L E I N F O A B S T R A C T

Article history:

Received: 16 November, 2017 Accepted: 16 January, 2018 Online: 31 January, 2018 Keywords:

Role-based access control Attribute-based encryption Direct chosen-ciphertext security Twin Diffie-Hellman

Chosciphertext attacks (CCA) are typical threat on public-key en-cryption schemes. We show direct chosen-ciphertext security modifi-cation in the case of attribute-based encryption (ABE), where an ABE scheme secure against chosen-plaintext attacks (CPA) is converted into an ABE scheme secure against CCA by individual techniques. Our mod-ification works in the setting that the Diffie-Hellman tuple to be verified in decryption is in the target group of a bilinear map. The employed techniques result in expansion of the secret-key length and the decryp-tion cost by a factor of four, while the public-key and the ciphertext lengths and the encryption cost remain almost the same.

1

Introduction

Access control is one of the fundamental processes and requirements in cybersecurity. Attribute-based encryption (ABE) invented by Sahai and Waters [1], where attributes mean authorized credentials, enables to realize access control which is functionally close to role-based access control (RBAC), but by encryption. In key-policy ABE (KP-ABE) introduced by the sub-sequent work of Goyal, Pandey, Sahai and Waters [2], a secret key is associated with an access policy over attributes, while a ciphertext is associated with a set of attributes. In a dual manner, in ciphertext-policy ABE (CP-ABE) [2, 3, 4], a ciphertext is associated with an access policy over attributes, while a secret key is associated with a set of attributes. In a KP-ABE or CP-ABE scheme, a secret key works to decrypt a ci-phertext if and only if the associated set of attributes satisfies the associated access policy. The remarkable feature of ABE is attribute privacy; that is, in decryp-tion, no information about the access policy and the identity of the secret key owner in the case of KP-ABE (or, the attributes and the identity of the secret key owner in the case of CP-ABE) leaks except the fact that the set of attributes satisfies the access pol-icy. Since the proposals, it has been studied to attain certain properties such as indistinguishability against chosen-plaintext attacks (IND-CPA) in the standard model [4] and adaptive security against adversary’s

choice of a target access policy [5].

In this paper1, we work through resolving a prob-lem of constructing a shorter ABE scheme that attains indistinguishability against chosen-ciphertext attacks (IND-CCA) in the standard model. Here CCA means that an adversary can collects decryption results of ciphertexts of its choice through adversaries’ attack-ing. Note that “provable security” of a cryptographic primitive is now a must requirement when we em-ploy the primitive in a system, where it means that an appropriately defined security is polynomially re-duced to the hardness of a computational problem. Moreover, the CCA security of an encryption scheme is preferable to attain because the CCA security is one of the theoretically highest securities and hence the scheme can be used widely.

To capture the idea of our approach, let us re-call the case of identity-based encryption (IBE). The CHK transformation of Canetti, Halevi and Katz [7] is a generic tool for obtaining IND-CCA secure IBE scheme. It transforms any hierarchical IBE (HIBE) scheme that is selective-ID IND-CPA secure [8] into an IBE scheme that is adaptive-ID IND-CCA secure [8]. A point of the CHK transformation is that it in-troduces a dummy identity vk that is a verification key of a one-time signature. Then a ciphertext is at-tached withvkand a signatureσ, which is generated each time one executes encryption. In contrast, the direct chosen-ciphertext security technique for IBE of

*_{Hiroaki Anada, 1–1–1, Manabino, Nagayo-cho, Nishisonogi-gun, Nagasaki, +81-95-813-5113 & [email protected]}

1_{This paper is an extension of the work originally presented in SMARTCOMP 2017 [6]. The schemes of KP-ABKEM and KP-ABE have}

been newly proposed.

Boyen, Mei and Waters [9] is individual modification for obtaining an IND-CCA secure IBE scheme. It con-verts a HIBE scheme that is adaptive-ID IND-CPA secure into an IBE scheme that is adaptive-ID IND-CCA secure. Though the technique needs to treat each scheme individually, the obtained scheme attains bet-ter performance than that obtained by the generic tool (the CHK transformation). Let us transfer into the case of ABE. The transformation in [10] is a generic tool for obtaining IND-CCA secure ABE scheme. It transforms any ABE scheme (with the delegatability or the verifiability [10]) that is IND-CPA secure into an ABE scheme that is IND-CCA secure. A point of their transformation is, similar to the case of IBE, that it introduces a dummy attributevkthat is a verifica-tion key of a one-time signature. Then a ciphertext is attached withvkand a signatureσ. Notice here that discussing direct chosen-ciphertext security modifi-cation for ABE (in the standard model) is a missing piece. One of the reasons seems that there is an obsta-cle that a Diffie Hellman tuple to be verified is in the target group of a bilinear map. In that situation, the bilinear map looks of no use.

1.1

Our Contribution

A contribution is that we fill in the missing piece; we demonstrate direct chosen-ciphertext security modi-fication in the case of the Waters CP-ABE scheme [4] and the KP-ABE scheme of Ostrovsky, Sahai and Wa-ters [11] To overcome the above obstacle, we employ the technique of the Twin Diffie-Hellman Trapdoor Test of Cash, Kiltz and Shoup [12]. In addition, we also utilize the algebraic trick of Boneh and Boyen [13] and Kiltz [14] to reply for adversary’s decryption queries.

1.2

Related Works

Waters [4] pointed out that IND-CCA security would be attained by the CHK transformation. Gorantla, Boyd and Nieto [15] constructed a IND-CCA secure CP-ABKEM in the random oracle model. In [10] the authors proposed a generic transformation of a IND-CPA secure ABE scheme into a IND-CCA secure ABE scheme. Their transformation is considered to be an ABE-version of the CHK transformation, and it is ver-satile. Especially, it can be applied to non-pairing-based scheme.

The Waters ABE [4] can be captured as a CP-ABKEM: the blinding factor can be considered as a random one-time key. This Waters CP-ABKEM is IND-CPA secure because the Waters CP-ABE is proved to be IND-CPA secure. For theoretical simplicity, we demonstrate an individual conversion of the Waters CP-ABKEM into a CP-ABKEM which is IND-CCA se-cure. Then we provide a CP-ABE scheme which is IND-CCA secure. As for KP-ABE, we demonstrate an individual conversion of KP-ABKEM of Ostrovsky, Sa-hai and Waters [11], which is IND-CPA secure, into a

KP-ABKEM which is IND-CCA secure. Then we pro-vide a KP-ABE scheme which is IND-CCA secure.

Finally, we note that there is a remarkable work of CP-ABE schemes and KP-ABE schemes with constant-sizeciphertexts [16, 17]. Our direct chosen-ciphertext security modification is not constant-size ciphertexts but a different approach for easier implementation in engineering.

1.3

Organization of the Paper

In Section 2, we survey concepts, definitions and tech-niques needed. In Section 3, we revisit the concept, the algorithm and the security of the twin Diffie-Hellman technique. In Section 4, we construct a CCA-secure ABKEM from the Waters CPA-CCA-secure CP-ABKEM [4], and provide a security proof. Also, we describe the encryption version, a CCA-secure CP-ABE. In Section 5, we construct a CCA-secure KP-ABKEM from the Ostrovsky-Sahai-Waters CPA-secure KP-ABKEM [11], and provide a security proof. Also, we describe the encryption version, a CCA-secure KP-ABE. In Section 6, we compare efficiency of our CP-ABE and KP-CP-ABE schemes with the original schemes, and also, with the schemes obtained by applying the generic transformation [10] to the original schemes. In Section 7, we conclude our work.

2

Preliminaries

The security parameter is denotedλ. A prime of bit lengthλis denotedp. A multiplicative cyclic group of orderpis denotedG. The ring of exponent domain ofG, which consists of integers from 0 top−1 with modulopoperation, is denotedZ_p.

2.1

Bilinear Map

We remark first that our description in the subsequent sections is in the setting of a symmetric bilinear map for simplicity, but we can employ an asymmetric bi-linear map instead for better efficiency as is noted in Section 6. LetGandG_T be two multiplicative cyclic groups of prime orderp. Letgbe a generator ofGand

ebe a bilinear map,e:G×G→G_T. The bilinear map

ehas the following properties:

1. Bilinearity: for allu, v∈G anda, b∈Z_p, we have

e(ua, vb) =e(u, v)ab.

2. Non-degeneracy: e(g, g),idG_T (: the identity

ele-ment of the groupG_T).

Parameters of a bilinear map are generated by a probabilistic polynomial time (PPT) algorithmGrpon inputλ: (p,G,G_T, g, e)←_Grp(λ).

2.2

Access Structure

LetU₌{_{χ1, . . . , χu}}_{be a set of attributes, or simply set} U₌{_{1, . . . , u}}_{by numbering. Anaccess structure, which}

corresponds to an access policy, is defined as a collec-tionAof non-empty subsets ofU; that is,A⊂2U\{φ}. An access structure A is called monotone if for any

B ∈ A and B ⊂ C, C ∈ A holds. The sets inA are called authorized sets, and the sets not inAare called unauthorized sets. We will consider in this paper only monotone access structures.

2.3

Linear Secret-Sharing Scheme

We only describe a linear secret-sharing scheme (LSSS) in our context of attribute-based schemes. A secret-sharing schemeΠover the attribute universeU

is called linear overZ_pif:

1. The shares for each attribute form a vector overZ_p, 2. There exists a matrixMof sizel×_{ncalled the}

share-generating matrix forΠand a functionρwhich maps each row indexiofMto an attribute inU₌{_{1, . . . , u}}_:

ρ:{_{1, ..., l}} → U_.

To make shares, we first choose a random vector

~

v = (s, y2, . . . , yn)∈Zn

p: sis a secret to be shared. For

i= 1 tol, we calculate each shareλi =~v·Mi, whereMi

denotes thei-th row vector ofMand·_{denotes the}

for-mal inner product. LSSSΠ= (M, ρ) defines an access structureAthroughρ.

Suppose that an attribute setSsatisfiesA(S∈A) and letIS =ρ−1(S)⊂ {1, . . . , l}. Then, let{ωi ∈Z_p;i∈

IS}be a set of constants (linear reconstruction constants)

such that if{_λi∈Z_p;i∈I_S}are valid shares of a secret

saccording toM, thenP

i∈_ISωiλi =s. It is known that

these constants{_ωi}_i∈I

S can be found in time polyno-mial inl: the row size of the share-generating matrix

M. IfS does not satisfyA(S_<A), then no such con-stants{_ωi}_i∈I

S exist.

2.4

Attribute-Based Key Encapsulation

Mechanism

Ciphertext-policy attribute-based key encapsula-tion mechanism (CP-ABKEM). A CP-ABKEM con-sists of four PPT algorithms (Setup, Encap, KeyGen, Decap)2_.

Setup(λ,U_{). A setup algorithm Setup takes as input}

the security parameter λ and the attribute universe

U₌{_{1, . . . , u}}_{. It returns a public key PK and a master}

secret key MSK.

Encap(PK,A). An encapsulation algorithm Encap takes as input the public key PK and an access struc-tureA. It returns a random stringκand its encapsu-lationψ. Note thatAis contained inψ.

KeyGen(PK,MSK, S). A key generation algorithm KeyGen takes as input the public key PK, the mas-ter secret key MSK and an attribute setS. It returns a secret key SKS corresponding to S. Note that S is

contained in SKS.

Decap(PK,SK_S, ψ).A decapsulation algorithm Decap takes as input the public key PK, an encapsulation (we also call it a ciphertext according to context)ψand a secret key SKS. It first checks whetherS∈A, where

S andAare contained in SK_S andψ, respectively. If the check result isFalse, it puts ˆκ=⊥. It returns a decapsulation result ˆκ.

Chosen-Ciphertext Attack on CP-ABKEM. Accord-ing to previous works (for example, see [15]), the chosen-ciphertext attack on a CP-ABKEM is formally defined as the indistinguishability game (IND-CCA game). In this paper, we consider theselective game on a target access structure(IND-sel-CCA game); that is, the adversaryA_{declares a target access structure}

A∗beforeAreceives a public key PK, which is defined as the following experiment.

Experimentind-sel-ccaA_,CP-ABKEM(λ,U)

A∗← A(λ,U),(PK,MSK)←Setup(λ,U)

← AKeyGen(PK,MSK,·),Decap(PK,SK·,·)_(PK)

(κ∗, ψ∗)←_Encap(PK,A∗), κ←KeySp(λ), b← {0,1} Ifb= 1 then ˜κ=κ∗else ˜κ=κ

b0← AKeyGen(PK,MSK,·),Decap(PK,SK·,·)_{( ˜κ, ψ}∗₎ Ifb0=bthen returnWinelse returnLose.

In the above experiment, two kinds of queries are is-sued byA_{. One is key-extraction queries. Indicating}

an attribute setSi,Aqueries its key-extraction oracle

KeyGen(PK,MSK,·_{) for the secret key SKS}

i. Here we do not require any input attribute setsSi1andSi2to be distinct. Another is decapsulation queries. Indicating a pair (Sj, ψj) of an attribute set and an encapsulation, A_{queries its decapsulation oracle Decap(PK,SK}·,·) for

the decapsulation result ˆκj. Here an access structure

A_j, which is used to generate an encapsulationψ_j, is implicitly included inψj. In the case thatS<A, ˆκ_j=⊥ is replied toA_{. Both kinds of queries are at mostqk}

andqdtimes in total, respectively, which are

polyno-mial inλ.

The access structureA∗ declared byAis called a

target access structure. Two restrictions are imposed on

A_concerningA∗. In key-extraction queries, each at-tribute setSi must satisfySi <A∗. In decapsulation queries, each pair (Sj, ψj) must satisfySj <A∗∨ψ_{j ,}

ψ∗.

Theadvantageof the adversaryA_overCP-ABKEMin the IND-CCA game is defined as the following proba-bility:

Advind-sel-ccaA_,CP-ABKEM(λ,U) def

= Pr[Experimentind-sel-ccaA_,CP-ABKEM(λ,U) returnsWin].

CP-ABKEMis calledselectively secure against chosen-ciphertext attacksif, for any PPT adversaryA_{and for}

any attribute universeU_,Advind-sel-cca_A

,CP-ABKEM(λ,U) is

negli-gible in λ. Here we must distinguish the two cases; the case thatU _{is small (i.e.} |U |_{=uis bounded by a}

polynomial ofλ) and the case thatU _{is large (i.e. u}

2_{In Gorantla, Boyd and Nieto [15], they sayencapsulation-policyattribute-based-KEM (EP-AB-KEM) instead of saying ciphertext-policy}

is not necessarily bounded by a polynomial ofλ). We assume thesmall casein this paper.

In the indistinguishability game against chosen-plaintext attack(IND-CPA game), the adversaryA

is-sues no decapsulation query (that is,qd= 0).

Ciphertext-Policy Attribute-Based Encryption Scheme (CP-ABE). In the case of the encryp-tion version (i.e. CP-ABE), Encap(PK,A) and Decap(PK,SKS, ψ) are replaced by PPT algorithms

Encrypt(PK,A, m) and Decrypt(PK,SK_S,CT), respec-tively, wheremand CT mean a message and a cipher-text, respectively.

The IND-CCA game for CP-ABE is defined in the same way as for CP-ABKEM above, except the fol-lowing difference. In Challenge phase, the adversary

A_{submits two equal length messages (plaintexts)m0}

andm1. Then the challenger flips a coinb∈ {0,1}and

gives an encryption result CT of mb to A. In Guess

phase, the adversaryA _{returns b}0 ∈ {_0,1}_{. Ifb}0 _=b,

then A _{wins in the IND-CCA game. Otherwise,} A

loses.

Key-Policy Attribute-Based Key Encapsulation Mechanism (KP-ABKEM) and Encryption Scheme (KP-ABE).Thekey-policycase is analogously defined as the case of the ciphertext-policy case. We state only the syntax and the security experiment of the key-policy ABKEM.

Setup(λ,U_{). A setup algorithm Setup takes as input}

the security parameter λ and the attribute universe

U₌{_{1, . . . , u}}_{. It returns a public key PK and a master}

secret key MSK.

Encap(PK, S). An encapsulation algorithm Encap takes as input the public key PK and an attribute set

S. It returns a random stringκand its encapsulation

ψ. Note thatSis contained inψ.

KeyGen(PK,MSK,A). A key generation algorithm KeyGen takes as input the public key PK, the master secret key MSK and an access structureA. It returns a secret key SKA corresponding toS. Note thatAis

contained in SKA.

Decap(PK,SKA, ψ). A decapsulation algorithm De-cap takes as input the public key PK, an enDe-capsula- encapsula-tion (we also call it a ciphertext according to context)

ψand a secret key SKA. It first checks whetherS∈A.

If the check result isFalse, it puts ˆκ=⊥. It returns a decapsulation result ˆκ.

Chosen-Ciphertext Attack on KP-ABKEM.The selec-tive game on a target attribute set(IND-sel-CCA game) is defined by the following experiment.

Experimentind-sel-ccaA_,KP-ABKEM(λ,U)

S∗← A_(λ,U_),(PK,MSK)←_Setup(λ,U₎

← AKeyGen(PK,MSK,·),Decap(PK,SK·,·)_(PK)

(κ∗, ψ∗)←_{Encap(PK, S}∗_{), κ}←_{KeySp(λ), b}← {_0,1}

Ifb= 1 then ˜κ=κ∗else ˜κ=κ

b0← AKeyGen(PK,MSK,·),Decap(PK,SK·,·)_{( ˜κ, ψ}∗₎ Ifb0=bthen returnWinelse returnLose.

2.5

Target Collision Resistant Hash

Func-tions

Target collision resistant (TCR) hash functions [18] are treated as a family. Let us denote a function fam-ily asHfam(λ) ={_Hµ}_{µ∈HKey(λ). HereHKey(λ) is a hash}

key space,µ∈_{HKey(λ) is a hash key andHµis a}

func-tion from{_0,1}∗_to{_0,1}λ_{. We may assume thatHµis}

from{_0,1}∗_toZ_p, wherepis a prime of lengthλ. Given a PPT algorithmCF_{, a collision finder, we}

consider the following experiment (the target colli-sion resistance game).

ExperimenttcrCF_,Hfam(λ)

m∗← CF_{(λ), µ}←_{HKey(λ), m}← CF_(µ)

Ifm∗,m∧Hµ(m ∗

) =Hµ(m)

then returnWinelse returnLose.

Then we defineCF_{’s advantage overHfamin the game} of target collision resistanceas follows.

AdvtcrCF_,Hfam(λ) def

= Pr[ExperimenttcrCF_,Hfam(λ) returnsWin].

We say thatHfamisa TCR function familyif, for any PPT algorithmCF_,Advtcr

CF_,Hfam(λ) is negligible inλ.

TCR hash function families can be constructed based on the existence of a one-way function [18].

3

The Twin Di

ffi

e-Hellman

Tech-nique Revisited

A 6-tuple (g, X1, X2, Y , Z1, Z2) ∈ G6 is called a

twin Diffie-Hellman tuple if the tuple is written as (g, gx1_{, g}x2_{, g}y_{, g}x1y_{, g}x2y_{) for some elementsx1, x2, y in} Z_p. In other words, a 6-tuple (g, X₁, X₂, Y , Z₁, Z₂) is a twin Diffie-Hellman tuple (twin DH tuple, for short) ifY=gy_andZ

1=X y

1 andZ2=X y 2.

The following lemma of Cash, Kiltz and Shoup will be used in the security proof to decide whether a tuple is a twin DH tuple or not.

Lemma 1 (“Trapdoor Test”[12]) LetX1, r, sbe mutu-ally independent random variables, whereX1takes values inG, and each ofr, s is uniformly distributed overZ_p.

Define the random variable X2 =X1−rgs. Suppose that

ˆ

Y ,Zˆ1,Zˆ2 are random variables taking values in G, each

of which is defined independently ofr. Then the probabil-ity that the truth value ofZˆ1

r _ˆ

Z2= ˆYsdoes not agree with the truth value of(g, X1, X2,Y ,ˆ Zˆ1,Zˆ2)being a twin DH tuple is at most1/p. Moreover, if(g, X1, X2,Y ,ˆ Zˆ1,Zˆ2)is a twin DH tuple, thenZˆ1

r _ˆ

Z2= ˆYscertainly holds.

Note that Lemma 1 is a statistical property. Espe-cially, Lemma 1 holds without any number theoretic assumption. To be precise, we consider the follow-ing experiment of an algorithmCheatwithunbounded computational power (not limited to PPT), whereCheat, given a triple (g, X1, X2), tries to complete a 6-tuple

(g, X1, X2,Y ,ˆ Zˆ1,Zˆ2) which passes the “Trapdoor Test”

ExperimenttwinDH-test_Cheat,G (λ)

(g, X1)←G2,(r, s)←Z2_p, X₂=X−r

1 gs

G33( ˆY ,Zˆ₁,Zˆ₂)←Cheat(g, X₁, X₂) If ˆZ1

r _ˆ

Z2= ˆYs∧(g, X1, X2,Y ,ˆ Zˆ1,Zˆ2)

is NOT a twin DH tuple, then returnWinelse returnLose

Let us define the advantage ofCheatoverGas follows.

AdvtwinDH-test_Cheat,G (λ) def

= Pr[ExperimenttwinDH-test_Cheat,G (λ) returnsWin].

Now we are ready to complement Lemma 1.

Lemma 2 (Complement for “Trapdoor Test” [12]) For any algorithmCheatwith unbounded computational power,AdvtwinDH-test_Cheat,G (λ)is at most1/p.

For a proof of Lemma 2, see Appendix A.

4

Securing the Waters CP-ABKEM

against Chosen-Ciphertext

At-tacks

In this section, we describe our direct chosen-ciphertext security technique by applying it to the Waters CP-ABE [4].

Overview of Our Modification The Waters CP-ABE is proved to be secure in the IND-sel-CPA game [4]. We convert it into a scheme that is secure in the IND-sel-CCA game by employing the Twin Diffie-Hellman technique of Cash, Kiltz and Shoup [12] and the alge-braic trick of Boneh and Boyen [13] and Kiltz [14].

In encryption, a ciphertext becomes to contain ad-ditional two elements (d1, d2), which function in

de-cryption as a “check sum” to verify that a tuple is cer-tainly a twin DH tuple.

In security proof, the Twin Diffie-Hellman Trap-door Test does the function instead. It is noteworthy that we are unable to use the bilinear map instead be-cause the tuple to be verified is in the target group. In addition, the algebraic trick enables to answer for ad-versary’s decryption queries. Note also that the both technique become compatible by introducing random variables.

Key Encapsulation and Encryption. The Waters CP-ABE can be captured as a CP-ABKEM: the blind-ing factor of the forme(g, g)αs _{in the Waters CP-ABE}

can be considered as a random one-time key. So we call it the Waters CP-ABKEM hereafter and denote it as CP-ABKEM_cpa. Likewise, we distinguish parame-ters and algorithms of CP-ABKEM_cpa by the indexcpa.

For theoretical simplicity, we first develop a KEM

CP-ABKEM.

4.1

Our Construction

OurCP-ABKEMconsists of the following four PPT al-gorithms (Setup, Encap, KeyGen, Decap). Roughly speaking, the Waters original scheme CP-ABKEM_cpa

(the first scheme in [4]) corresponds to the casek= 1 below excluding the “check sum” (d1, d2).

Setup(λ,U_{). Setup takes as input the security}

pa-rameter λ and the attribute universe U ₌ {_{1, . . . , u}}_.

It runsGrp(λ) to get (p,G,G_T, g, e), where G andG_T are cyclic groups of order p, e : G×G → G_T is a bilinear map and g is a generator of G. These be-come public parameters. Then Setup choosesu ran-dom group elements h1, . . . , hu ∈ G that are associ-ated with the u attributes. In addition, it chooses random exponents αk ∈Z_p, k = 1, . . . ,4, a∈ Z_p and a hash keyη∈_{HKey(λ). The public key is published as}

PK = (g, ga, h1, . . . , hu, e(g, g)α1, . . . , e(g, g)α4, η). The

au-thority sets MSK = (gα1_{, . . . , g}α4_{) as the master secret} key.

Encap(PK,A). The encapsulation algorithm Encap takes as input the public key PK and an LSSS access structureA= (M, ρ), whereM is anl×nmatrix and

ρis the function which maps each row indexi ofM

to an attribute inU ₌{_{1, . . . , u}}_{. Encap first chooses a}

random values∈Z_p that is the encryption random-ness, and chooses random valuesy2, . . . , yn∈Z_p. Then Encap forms a vector v~= (s, y2, . . . , yn). For i = 1 to

l, it calculatesλi =~v·Mi, whereMi denotes thei-th

row vector ofM. In addition, Encap chooses random valuesr1, . . . , rl ∈ Z_p. Then, a pair of a random one-time key and its encapsulation (κ, ψ) is computed as follows.

PutC0=gs; Fori= 1 tol:Ci=gaλih −_ri

ρ(i), Di =gri;

ψcpa= (A, C0,((C_i, D_i);i= 1, . . . , l)), τ←H_η(ψ_cpa); Fork= 1 to 4 :κk=e(g, g)αks;d1=κτ1κ3, d2=κ2τκ4;

(κ, ψ) = (κ1,(ψcpa, d1, d2)).

KeyGen(MSK,PK, S). The key generation algorithm KeyGen takes as input the master secret key MSK, the public key PK and a setSof attributes. KeyGen first chooses a randomtk∈Z_p, k= 1, . . . ,4. It generates the secret key SKS as follows.

Fork= 1 to 4 :Kk=gαkgatk, Lk=gtk

Forx∈_S:Kk,x=htk

x;

SKS= ((Kk, Lk,(Kk,x;x∈S));k= 1, . . . ,4).

Decap(PK, ψ,SKS). The decapsulation algorithm

De-cap takes as input the public key PK, an enDe-capsula- encapsula-tionψfor an access structureA= (M, ρ) and a private key SKS for an attribute setS. It first checks whether

S∈A. If the result isFalse, put ˆκ=⊥. Otherwise, let

IS =ρ −₁

decapsu-lation ˆκis computed as follows.

Parseψinto (ψcpa= (A, C0,((C_i, D_i);i= 1, . . . , l)), d₁, d₂);

τ←_Hη(ψcpa);

Fork= 1 to 4 : ˆ

κk=e(C 0

, Kk)/

Y

i∈_IS

(e(Lk, Ci)e(Di, Kk,ρ(i)))ωi=e(g, g)αks

If ˆκ1τκˆ3,d1∨κˆ2τκˆ4,d2,

then put ˆκ=⊥_{,else put ˆκ= ˆκ1.}

4.2

Security and Proof

Theorem 1 If the WatersCP-ABKEM_cpa[4] is selectively secure against chosen-plaintext attacks and an employed hash function familyHfamhas target collision resistance, then our CP-ABKEM is selectively secure against chosen-ciphertext attacks. More precisely, for any given PPT adversaryA_{that attacksCP-ABKEMin the IND-sel-CCA} game where decapsulation queries are at mostqd times,

and for any small attribute universeU_{, there exist a PPT} adversary B _{that attacks} CP-ABKEM_cpa in the IND-sel-CPA game and a PPT target collision finderCF _onHfam that satisfy the following tight reduction.

Advind-sel-ccaA_,CP-ABKEM(λ,U)

≤_Advind-sel-cpa

B,CP-ABKEMcpa(λ,U) +Adv

tcr

CF_,Hfam(λ) +

qd

p.

Proof. Given any adversary A _{that attacks our}

schemeCP-ABKEMin the IND-sel-CCA game, we con-struct an adversaryB_{that attacks the Waters scheme} CP-ABKEM_cpain the IND-sel-CPA game as follows.

Commit to a Target Access Structure. B _{is given}

(λ,U_{) as inputs, where λ is the security parameter}

andU₌{_{1, . . . , u}}_{is the attribute universe.} B_invokes A _{on input (λ,}U_{) and gets a target access structure}

A∗ = (M∗, ρ∗) fromA, where M∗ is of sizel∗×n∗. B usesA∗as the target access structure of itself and out-putsA∗.

Set up.In return to outputtingA∗,Breceives the pub-lic key PKcpa for CP-ABKEMcpa, which consists of the

following components.

PKcpa= (g, ga, h1, . . . , hu, e(g, g)α).

To set up a public key PK forCP-ABKEM,B_hereinneeds

a challenge instance:B_{queries its challenger and gets}

a challenge instance ( ˜κ, ψcpa∗ ). It consists of the

follow-ing components.

˜

κ=e(g, g)αs∗ OR a random one-time keyκ∈_KeySp(λ),

ψcpa∗ = (A ∗

, C0∗=gs∗,((C_i∗, D_i∗);i= 1, . . . , l∗)).

ThenB_{makes the rest of parameters of PK as follows.}

Chooseη←_{HKey(λ) and takeτ}∗←_Hη(ψ∗ cpa);

Pute(g, g)α1_{=e(g, g)}α_;

Chooseγ1, γ2←Z_p,pute(g, g)α2=e(g, g)γ2/e(g, g)α1γ1; Chooseµ1, µ2←Z_p,pute(g, g)α3=e(g, g)µ1/e(g, g)α1τ

∗

,

e(g, g)α4_{=e(g, g)}µ2_{/e(g, g)}α2τ∗_.

Note we have implicitly set relations in the exponent domain:

α2=γ2−α1γ1, α3=µ1−α1τ ∗

, α4=µ2−α2τ

∗

=µ2−(γ2−α1γ1)τ ∗

. (1) A public key PK forCP-ABKEMbecome:

PK = (PKcpa, e(g, g)α2, e(g, g)α3, e(g, g)α4, η).

ThenB _{inputs PK into} A_{. Note that PK determines}

the corresponding MSK uniquely.

Phase 1. B _{answers for two types of}A_{’s queries as}

follows.

(1) Key-Extraction Queries.In the case thatA_issues

a key-extraction query for an attribute set S ⊂ U_, B

has to simulateA_{’s challenger. To do so,}B_issues

key-extraction queries toB_{’s challenger forSrepeatedly up} to four times. As replies,B_{gets four secret keys of the}

WatersCP-ABKEM_cpafor a single attribute setS: SKcpa,S,k= (Kcpa,k, Lcpa,k,(Kcpa,k,x;x∈ S)), k= 1, . . . ,4.

We remark that, according to the randomness in the key-generation algorithm of the WatersCP-ABKEMcpa,

all four secret keys SKcpa,S,1, . . . ,SKcpa,S,4 are random

and mutually independent. To reply a secret key SKS

of ourCP-ABKEMtoA_,B_{converts the four secret keys}

as follows.

K1=Kcpa,1, L1=Lcpa,1, K1,x=Kcpa,1,x, x∈S;

K2=gγ2K −_γ1

cpa,2, L2=L −_γ1

cpa,2, K2,x=K −_γ1

cpa,2,x, x∈S;

K3=gµ1K −_τ∗

cpa,3, L3=L −_τ∗

cpa,3, K3,x=Kτ

∗

cpa,3,x, x∈S;

K4=gµ2 −_γ2τ∗

Kγ1τ ∗

cpa,4, L4=L γ1τ

∗

cpa,4, K4,x=K γ1τ

∗

cpa,4,x, x∈S.

ThenB_{replies SKS= ((Kk, Lk,(Kk,x;x}∈_{S));k= 1, . . . ,4)}

toA_.

(2) Decapsulation Queries.In the case thatA_issues

a decapsulation query for (S, ψ), where S ⊂ U _{is an}

attribute set andψ= (ψcpa, d1, d2) is an encapsulation

concerningA,Bhas to simulateA’s challenger. To do so,B_{computes the decapsulation result ˆκas follows.}

IfS<Athen put ˆκ=⊥, else

τ←_Hη(ψcpa);

ˆ

Y =e(C0, g)τ−τ∗,Zˆ1=d1/e(C 0

, g)µ1_,Zˆ

2=d2/e(C 0

, g)µ2_; If ˆZ1

γ1_Zˆ

2,Yˆγ2(: call this checkingTwinDH-Test) then put ˆκ= ˆκ1=⊥

else

Ifτ=τ∗then abort (: call this caseAbort) else ˆκ= ˆκ1= ˆZ1

1/(τ−_τ∗₎

.

Challenge. In the case thatA_{queries its challenger}

for a challenge instance,B_{makes a challenge instance}

as follows.

Putd∗₁=e(C0∗, g)µ1_{, d}∗

2=e(C 0∗

, g)µ2_; Putψ∗= (ψ∗cpa, d

∗ 1, d

ThenB_{feeds ( ˜κ, ψ}∗_{) to}A_{as a challenge instance.} Phase 2.The same as in Phase 1.

Guess. In the case thatA_returnsA_{’s guess ˜b,} B

re-turns ˜bitself asB_{’s guess.}

In the above construction of B_, B _{can perfectly}

simulate the real view ofA_{until the case}Abort hap-pens, except for a negligible case, and hence the algo-rithmA_{works as designed. To see the perfect}

simula-tion with a negligible excepsimula-tional case, we are enough to prove the following seven claims.

Claim 1 The reply SKS = ((Kk, Lk,(Kk,x;x ∈ S));k =

1, . . . ,4)for a key-extraction query ofA_{is a perfect} simu-lation.

Proof. We must consider the implicit relations (1). For the index 2, we have implicitly set the randomness

t2=tcpa,2(−γ1) and we get:

K2=gγ2K −γ1

cpa,2=gγ2(gα1gatcpa,2) −_γ1

=gγ2_(gα1_gat2/(−γ1)₎−γ1_=gγ2−α1γ1_gat2_=gα2_gat2_,

L2=L −_γ1

cpa,2= (gtcpa,2) −_γ1

=gt2_,

K2,x=K −_γ1 cpa,2,x= (h

tcpa,2

x ) −_γ1

=ht2

x, x∈S.

For the index 3 and 4, see Appendix B.

Claim 2 (e(g, g), e(g, g)α1_{, e(g, g)}α2_{, Y ,}ˆ _Zˆ

1, Zˆ2) is a twin Diffie-Hellman tuple if and only if (e(g, g), e(g, g)α1τ_{e(g, g)}α3_{, e(g, g)}α2τ_{e(g, g)}α4_{, e(C}0_{, g), d}

1, d2) is a twin Diffie-Hellman tuple.

Proof. This claim can be proved by a short calculation.

See Appendix C.

Claim 3 If(e(g, g), e(g, g)α1_{, e(g, g)}α2_{,Y ,}ˆ _Zˆ_1,Zˆ_{2)is a twin}

Diffie-Hellman tuple, then( ˆY ,Zˆ1,Zˆ2)certainly passes the

TwinDH-Test:Zˆ₁γ1Zˆ₂= ˆYγ2_.

Proof. This claim is a direct consequence of Lemma 1.

Claim 4 Consider the following event which we name as

Overlook_i:

In thei-thTwinDH-Test, the following condition holds:

          

ˆ

Z1γ1Zˆ2= ˆYγ2holds and

(e(g, g), e(g, g)α1_{, e(g, g)}α2_{,Y ,}ˆ _Zˆ_1,Zˆ₂₎

is NOT a twin DH tuple.

Then, for at mostqdtimes decapsulation queries ofA, the

probability that at least oneOverlook_i occurs is

negligi-ble inλ. More precisely, the following inequality holds:

Pr[

qd

_

i=1

Overlook_i]≤q_d/p. (2)

Proof. To apply Lemma 2, we construct an al-gorithm Cheatλ,U with unbounded computational

power, which takes as input (e(g, g), e(g, g)α1_{, e(g, g)}α2₎

and returns ( ˆY ,Zˆ1,Zˆ2) employing the adversaryAas

a subroutine. Fig. 1 shows the construction.

First, note that the view of A _{in Cheatλ,U is the}

same as the real view ofA _{and hence the algorithm} A_{works as designed.}

Second, note that the return ( ˆY ,Zˆ1,Zˆ2) ofCheatλ,U

is randomized in TABLE. Hence:

qd

X

i=1

1

qd

Pr[Overlook_i] = 1

qd qd

X

i=1

Pr[Overlook_i]

=AdvtwinDH-test_Cheat

λ,U,G (λ). (3)

Third, applying Lemma 2 toCheatλ,U, we get:

AdvtwinDH-test_Cheat

λ,U,G (λ)≤1/p. (4)

Combining (3) and (4), we have:

Pr[

qd

_

i=1

Overlook_i]≤

qd

X

i=1

Pr[Overlook_i]

≤_qdAdvtwinDH-test

Cheatλ,U,G (λ)≤

qd

p.

Claim 5 The probability that Overlook_i never occurs

inTwinDH-Testfor everyiandAbortoccurs is

negligi-ble inλ. More precisely, the following inequality holds:

Pr[

^qd

i=1

¬Overlook_i

∧Abort]≤Advtcr_CF

,Hfam(λ). (5)

Proof. This claim is proved by constructing a collision

finderCF _{onHfam. See Appendix D.}

Claim 6 The replyκˆtoA_{as an answer for a} decapsula-tion query is correct.

Claim 7 The challenge instanceψ∗= (ψ∗cpa, d

∗ 1, d

∗ 2)is cor-rectly distributed.

Proof. These two claims are proved by a direct calcu-lation. See Appendices E and F, respectively.

Evaluation of the Advantage ofB_{.Now we are ready}

to evaluate the advantage of B _{in the IND-sel-CPA}

game. ThatA_{wins in the IND-sel-CCA game means}

that ( ˜κ, ψ∗ = (ψ∗cpa, d ∗ 1, d

∗

2)) is correctly guessed. This

is equivalent to that ( ˜κ, ψcpa∗ ) is correctly guessed

be-causeψ∗cpadetermines the consistent blinding factor

κ∗=e(g, g)αs∗ uniquely. This means thatB_{wins in the}

IND-sel-CPA game.

Therefore, the probability thatB _{wins is equal to}

Given (e(g, g), e(g, g)α1_{, e(g, g)}α2_{) as input :}

Set up

Initialize the inner state, put TABLE =φ; Get a target access structureA∗← A(λ,U); Compute the baseg∈Gfrom (e(g, g), e); Choosea∈Z_pandh₁, . . . , h_u∈G; Put PKcpa= (g, ga, h1, . . . , hu, e(g, g)α1);

Get (κ∗, ψcpa∗ )←Encapcpa(PKcpa,A∗);

Chooseη←_{HKey(λ) and computeτ}∗←_Hη(ψcpa∗ _);

Compute discrete logarithmsα1, α2∈Z_pofe(g, g)α1_{, e(g, g)}α2_{to the basee(g, g);} Chooseµ1, µ2←Z_p,putα₃=µ₁−α₁τ∗, α₄=µ₂−α₂τ∗;

Put PK = (PKcpa, e(g, g)α2, e(g, g)α3, e(g, g)α4, η),MSK = (gα1, gα2, gα3, gα4);

Give PK toA_; Phase 1

In the case thatA_{makes a key-extraction query forS}⊂ U_;

Reply SKStoAin the same way asKeyGendoes using MSK;

In the case thatA_{makes a decapsulation query for (}A, ψ= (ψ_cpa, d₁, d₂), S); Reply ˆκtoA_{in the same way asDecapdoes using MSK;}

Compute ˆY =e(C0, g)τ−τ∗,Zˆ1=d1/e(C0, g)µ1,Zˆ2=d2/e(C0, g)µ2;

Update TABLE = TABLE∪_{( ˆY ,Z}ˆ_1,Zˆ_2); Challenge

In the case thatA_{makes a challenge instance query;}

Putd₁∗=e(C0∗, g)µ1_{, d}∗

2=e(C 0∗

, g)µ2_{, ψ}∗_{= (ψ}∗

cpa, d ∗ 1, d

∗ 2);

Chooseκ←_{KeySp(λ), b}← {_0,1}_;

Ifb= 1 then put ˜κ=κ∗else put ˜κ=κ; Reply ( ˜κ, ψ∗

) toA_; Phase 2

The same as in Phase 1;

Return

In the case thatA_{returns its guessb}∗_;

Choose one triple ( ˆY ,Zˆ1,Zˆ2) from TABLE at random;

Return ( ˆY ,Zˆ1,Zˆ2).

Figure 1: An AlgorithmCheatλ,U with Unbounded Computational Power for a Proof of Claim 4.

we have: Pr[B_wins]

= Pr[(A_wins)∧

^qd

i=1

¬Overlook_i

∧₍¬Abort)]

= Pr[A_wins]

−_Pr[(A_wins)∧ ¬

_^qd

i=1

¬Overlook_i

∧₍¬Abort)

]

≥_Pr[A_wins]−_Pr[¬

^qd

i=1

¬Overlook_i

∧₍¬Abort)

]

= Pr[A_wins]

−_(Pr[ qd

_

i=1

Overlook_i] + Pr[

^qd

i=1

¬Overlook_i

∧Abort]).

Substituting (2), (5) and advantages into the above, we have:

Advind-sel-cpaB_,CP-ABKEMcpa(λ,U) ≥_Advind-sel-cca

A_,CP-ABKEM(λ,U)−

qd

p −Adv

tcr

CF_,Hfam(λ).

This is what we should prove in Theorem 1.

4.3

Encryption Scheme from KEM

It is straightforward to construct our encryption schemeCP-ABEfromCP-ABKEM. The IND-sel-CCA se-curity ofCP-ABEis proved based on IND-sel-CPA se-curity of the WatersKEMCP-ABKEM_cpa.

Setup(λ,U_{). The same as Setup ofCP-ABKEM.}

Encrypt(PK,A, m). The same as Encap of _CP-ABKEM except that Encrypt multipliesmby the blinding fac-tor κ in the group G_T. Encrypt returns CT = (C =

mκ, ψ= (ψcpa, d1, d2)).

KeyGen(MSK,PK, S). The same as KeyGen of

CP-ABKEM.

Decrypt(PK,CT,SKS). The same as Decap of CP-ABKEM except that Decrypt divides out C by the decapsulated blinding factor ˆκ. Decrypt returns the result ˆm.

4.4

Security and Proof

ad-versaryA_{that attacksCP-ABEin the IND-sel-CCA game} where decryption queries are at mostqdtimes, and for any

small attribute universeU_{, there exist a PPT adversary}B that attacksCP-ABKEM_cpain the IND-sel-CPA game and a PPT target collision finderCF _{onHfamthat satisfy the} following inequality.

Advind-sel-ccaA,CP-ABE(λ,U)

≤_2Advind-sel-cpa_B

,CP-ABKEMcpa(λ,U) +Adv

tcr

CF_,Hfam(λ) +

qd

p

.

Proof. Given any adversaryA_{that attacks our scheme} CP-ABEin the IND-sel-CCA game, we construct an ad-versaryB_{that attacks the Waters KEMCP-ABKEMcpain}

the IND-sel-CPA game as follows.

Commit to a Target Access Structure. The same as that ofCP-ABKEM.

Set up.In return to outputtingA∗,Breceives the pub-lic key PKcpaforCP-ABKEMcpa. To set up a public key

PK for CP-ABE, B _{hereinneeds a challenge instance:} B_{queries its challenger and gets a challenge instance}

( ˜κ, ψ∗

cpa). The rest of procedure is the same as that of CP-ABKEM, andB_{inputs PK into}A_.

Phase 1. The same as that ofCP-ABKEMexcept thatB

replies a decrypted message ˆmtoA_{for a decryption}

query.

Challenge. In the case thatA_{submits two plaintexts}

(m∗₀, m∗₁) of equal length,B_{makes a challenge}

cipher-text CT∗as follows and feeds CT∗toA_.

Chooseb0← {_0,1}_{,put ˜C}∗

=m∗_b0κ˜; Putd₁∗=e(C0∗, g)µ1_{, d}∗

2=e(C 0∗

, g)µ2_; Put CT∗= ( ˜C∗

, ψ∗= (ψcpa∗ , d ∗ 1, d

∗ 2)). Phase 2.The same as in Phase 1.

Guess. In the case thatA_returnsA_{’s guess ˜b,} B

re-turns ˜basB_{’s guess.}

Evaluation of the Advantage ofB_{. A standard}

argu-ment deduces a loss of tightness by a factor of 1/2. That is;

Advind-sel-cpaB_,CP-ABKEM_cpa(λ,U)

≥1

2Adv

ind-sel-cca

A_,CP-ABE (λ,U)−

qd

p −Adv

tcr

CF_,Hfam(λ).

5

Securing the

Ostrovsky-Sahai-Waters

KP-ABKEM

against

Chosen-Ciphertext Attacks

In this section, we describe our direct chosen-ciphertext security modification by applying it to the Ostrovsky-Sahai-Waters KP-ABE [11].

Overview of Our ModificationThe Ostrovsky-Sahai-Waters KP-ABE is proved to be secure in the IND-sel-CPA game [11]. We convert it into a scheme that is se-cure in the IND-sel-CCA game by employing the Twin Diffie-Hellman technique of Cash, Kiltz and Shoup [12] and the algebraic trick of Boneh and Boyen [13] and Kiltz [14].

In encryption, a ciphertext becomes to contain ad-ditional two elements (d1, d2), which function in

de-cryption as a “check sum” to verify that a tuple is cer-tainly a twin DH tuple.

In security proof, the Twin Diffie-Hellman Trap-door Test does the function instead. It is noteworthy that we are unable to use the bilinear map instead be-cause the tuple to be verified is in the target group. In addition, the algebraic trick enables to answer for ad-versary’s decryption queries. Note also that the both technique become compatible by introducing random variables.

Key Encapsulation and Encryption. The Ostrovsky-Sahai-Waters ABE can be captured as a KP-ABKEM: the blinding factor of the form e(g, g)aαs in the Ostrovsky-Sahai-Waters KP-ABE can be consid-ered as a random one-time key. So we call it the Ostrovsky-Sahai-Waters KP-ABKEM hereafter and de-note it as KP-ABKEM_cpa. Likewise, we distinguish parameters and algorithms of KP-ABKEM_cpa by the indexcpa. For theoretical simplicity, we first develop

a KEMKP-ABKEM.

5.1

Our Construction

OurKP-ABKEMconsists of the following four PPT al-gorithms (Setup, Encap, KeyGen, Decap). Roughly speaking, the Ostrovsky-Sahai-Waters original scheme KP-ABKEM_cpa (the first scheme in [11]) cor-responds to the casek= 1 below excluding the “check sum” (d1, d2).

Setup(λ,U_{). Setup takes as input the security}

pa-rameter λ and the attribute universe U ₌ {_{1, . . . , u}}_.

It runsGrp(λ) to get (p,G,G_T, g, e), where G andG_T are cyclic groups of order p, e :G → G_T is a bilin-ear map and g is a generator of G. These become public parameters. Then Setup chooses u random group elementsh1, . . . , hu ∈Gthat are associated with theu attributes. In addition, it chooses random ex-ponents αk ∈ Z_p, k = 1, . . . ,4, a ∈ Z_p and a hash key

η ∈ _{HKey(λ). The public key is published as PK =}

(g, ga_{, h}

1, . . . , hu, e(g, g)aα1, . . . , e(g, g)aα4, η). The

author-ity sets MSK = (α1, . . . , α4) as the master secret key. Encap(PK, S). The encapsulation algorithm Encap takes as input the public key PK and a set S of at-tributes. Encap first chooses a random values∈ Z_p that is the encryption randomness. Then, a pair of a random one-time key and its encapsulation (κ, ψ) is computed as follows.

PutC0=gs; Forx∈_S:Cx=hs_x

ψcpa= (S, C 0

,(Cx;x∈S)), τ←Hη(ψcpa);

Fork= 1 to 4 :κk=e(g, g)aαks;d1=κτ1κ3, d2=κ2τκ4;

(κ, ψ) = (κ1,(ψcpa, d1, d2)).

KeyGen(MSK,PK,A). The key generation algorithm KeyGen takes as input the master secret key MSK, the public key PK and an LSSS access structureA= (M, ρ), whereMis anl×_{nmatrix andρis the function}

which maps each row indexiofMto an attribute in

random values yk,2, . . . , yk,n ∈ Z_p and forms a vector

~

vk= (αk, yk,2, . . . , yk,n). Then, fori= 1 tol, it calculates

λk,i =~vk·Mi, whereMi denotes thei-th row vector of

M, and it chooses random valuesrk,i ∈Z_p. KeyGen generates the secret key SKAas follows.

Fork= 1 to 4 : Forl= 1 tol:

Kk,i=gaλk,ih rk,i

ρ(i), Lk,i=g rk,i

SKA= (((Kk,i, Lk,i);i= 1, . . . , l)k= 1, . . . ,4). Decap(PK, ψ,SKA).The decapsulation algorithm De-cap takes as input the public key PK, an enDe-capsulation

ψfor an attribute set Sand a private key SKAfor an

access structure A= (M, ρ). It first checks whether

S∈A. If the result isFalse, put ˆκ=⊥. Otherwise, let

IS =ρ−1(S)⊂ {1, . . . , l}and let{ωi ∈Z_p;i∈I_S}be a set of linear reconstruction constants. Then, the decapsu-lation ˆκis computed as follows.

Parseψinto (ψcpa= (S, C 0

,(Cx;x∈S)), d1, d2);

τ←_Hη(ψcpa);

Fork= 1 to 4 : ˆ

κk=

Y

i∈_IS

(e(C0, Kk,i)/e(Lk,i, Cρ(i)))ωi=e(g, g)aαks

If ˆκ1τκˆ3,d1∨κˆ2τκˆ4,d2,

then put ˆκ=⊥_{,else put ˆκ= ˆκ1.}

5.2

Security and Proof

Theorem 3 If the Ostrovsky-Sahai-WatersKP-ABKEM_cpa [11] is selectively secure against chosen-plaintext attacks and an employed hash function familyHfamhas target collision resistance, then ourKP-ABKEM is selectively se-cure against chosen-ciphertext attacks. More precisely, for any given PPT adversaryA_{that attacks}KP-ABKEMin the IND-sel-CCA game where decapsulation queries are at mostqdtimes, and for any small attribute universeU,

there exist a PPT adversaryB_{that attacks}KP-ABKEM_cpain the IND-sel-CPA game and a PPT target collision finder CF _{onHfamthat satisfy the following tight reduction.}

Advind-sel-ccaA_,KP-ABKEM(λ,U)

≤_Advind-sel-cpa

B_,KP-ABKEM_cpa(λ,U) +Adv

tcr

CF_,Hfam(λ) +

qd

p.

Proof. We will omit the description of the proof be-cause the proof goes analogously to the case of

CP-ABKEM in Section 4.2.

5.3

Encryption Scheme from KEM

It is straightforward to construct our encryption schemeKP-ABEfromKP-ABKEM. The IND-sel-CCA se-curity ofKP-ABEis proved based on IND-sel-CPA se-curity of the WatersKEMKP-ABKEM_cpa.

Setup(λ,U_{).The same as Setup ofKP-ABKEM.}

Encrypt(PK,A, m). The same as Encap of _KP-ABKEM except that Encrypt multipliesmby the blinding fac-tor κ in the group G_T. Encrypt returns CT = (C =

mκ, ψ= (ψcpa, d1, d2)).

KeyGen(MSK,PK, S). The same as KeyGen of

KP-ABKEM.

Decrypt(PK,CT,SK_S). The same as Decap of

KP-ABKEM except that Decrypt divides out C by the decapsulated blinding factor ˆκ. Decrypt returns the result ˆm.

5.4

Security and Proof

Theorem 4 If the Ostrovsky-Sahai-WatersKP-ABKEM_cpa [11] is selectively secure against chosen-plaintext attacks and an employed hash function familyHfamhas target collision resistance, then ourKP-ABEis selectively secure against chosen-ciphertext attacks. More precisely, for any given PPT adversaryA_{that attacksKP-ABEin the} IND-sel-CCA game where decryption queries are at most qd

times, and for any small attribute universeU_{, there} ex-ist a PPT adversary B _{that attacksKP-ABKEMcpa in the} IND-sel-CPA game and a PPT target collision finderCF onHfamthat satisfy the following inequality.

Advind-sel-ccaA_,KP-ABE(λ,U)

≤_2Advind-sel-cpa

B_,KP-ABKEM_cpa(λ,U) +Adv

tcr

CF_,Hfam(λ) +

qd

p

.

Proof. We will omit the description of the proof be-cause the proof goes in the same way as the case of

CP-ABE in Section 4.4.

6

E

ffi

ciency Discussion

First of all, we remark that our individual modifica-tion to attain CCA security is applicable when a Diffie-Hellman tuple to be verified is in the target group of a bilinear mape:G×G→G_T. Especially, it is applica-ble even when an original CPA secure scheme is based on asymmetric pairing [19],e:G₁×G₂→G_T. For ex-ample, the Type 3 version [19] of the Waters CP-ABE scheme [4] can be found in [20]. Detailed discussions and results on real implementations are found for the case of CPA-secure ABE schemes [21, 20]. We note here that the efficiency comparison below enables to guess the implementation results of CCA-secure ABE schemes via our modification.

Table 1: Efficiency comparison of IND-sel-CCA secure ABEs ([10] and ours) with the original IND-sel-CPA secure ABEs [4, 11].

Scheme L(PK) L(SKS) L(CT) C(Enc) C(Dec)

Generic transform [10], CP-ABE +4λ2(G) +4λ2(G) +3λ2(bit) +2λ2exp.(G) +2λ2pair.(e)

Our individual modification(CP-ABE) +3(G_T) ×4 +2(G_T) +4exp.(G_T) ×4 Generic transform [10], KP-ABE +4λ2(G) +0 +3λ2(bit) +2λ2exp.(G) +2λ2pair.(e)

Our individual modification(KP-ABE) +3(G_T) ×4 +2(G_T) +4exp.(G_T) ×4 1)λis the security parameter. (For instance,λ= 224 or 256.)

2)L(data) denotes the length of the data.C(algorithm) denotes the computational amount of the algorithm. 3) + and×_{mean the increment and the multiplier to the length or to the computational amount of the Waters} CP-ABKEM_cpaand the Ostrovsky-Sahai-WatersKP-ABE_cpa.

4) (G), (G_T) and (bit) mean that the lengths are evaluated in the number of elements inG, elements inG_T and bits, respectively.

5) exp.(G) and pair.(e) mean the computational amount of one exponentiation inGand one pairing computa-tion by the mape, respectively.

Our individual modification results in expansion of the length of a secret-key and the amount of de-cryption computation by a factor of four, while the length of a public-key, the length of a ciphertext and the amount of encryption computation are almost the same as those of the original CPA-secure schemes. In the case that the size of an attribute set is up to (2₃ of) the square of the security parameter λ, the amount of decryption computation of ourCP-ABEandKP-ABE

are smaller than those of the CP-ABE and KP-ABE obtained by the generic transformation [10], respec-tively.

7

Conclusion

We demonstrated direct chosen-ciphertext secu-rity modification for ABE in the standard model in the case of the Waters scheme (CP-ABKEM_cpa,

CP-ABE_cpa) and the Ostrovsky-Sahai-Waters scheme (KP-ABKEM_cpa,KP-ABE_cpa). We utilized the Twin

Diffie-Hellman Trapdoor Test of Cash, Kiltz and Shoup and the algebraic trick of Boneh and Boyen [13] and Kiltz [14]. Our modification worked for the setting that the Diffie-Hellman tuple to be verified in decryption was in the target group of the bilinear map. We com-pared the efficiency of our CCA-secure ABE schemes with the original CPA-secure ABE schemes and with the CCA-secure ABE schemes obtained by the versa-tile generic transformation.

Acknowledgment This work was supported by JSPS KAKENHI Grant Number JP15K00029.

References

[1] Amit Sahai and Brent Waters. Fuzzy identity-based encryp-tion. InAdvances in Cryptology - EUROCRYPT 2005, 24th An-nual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, pages 457–473, 2005.

[2] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. InProceedings of the 13th ACM Conference on

Computer and Communications Security, CCS 2006, Alexandria, VA, USA, Ioctober 30 - November 3, 2006, pages 89–98, 2006. [3] John Bethencourt, Amit Sahai, and Brent Waters.

Ciphertext-policy attribute-based encryption. In2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, Oakland, California, USA, pages 321–334, 2007.

[4] Brent Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In

Public Key Cryptography - PKC 2011 - 14th International Con-ference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6-9, 2011. Proceedings, pages 53–70, 2011.

[5] Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional en-cryption: Attribute-based encryption and (hierarchical) inner product encryption. InAdvances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 - June 3, 2010. Proceedings, pages 62–91, 2010.

[6] Hiroaki Anada and Seiko Arita. Short cca-secure ciphertext-policy attribute-based encryption. In2017 IEEE International Conference on Smart Computing, SMARTCOMP 2017, Hong Kong, China, May 29-31, 2017, pages 1–6, 2017.

[7] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. In Ad-vances in Cryptology - EUROCRYPT 2004, International Confer-ence on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, pages 207– 222, 2004.

[8] Dan Boneh and Xavier Boyen. Efficient selective-id secure identity-based encryption without random oracles. In Ad-vances in Cryptology - EUROCRYPT 2004, International Confer-ence on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, pages 223– 238, 2004.

[9] Xavier Boyen, Qixiang Mei, and Brent Waters. Direct chosen ciphertext security from identity-based techniques. In Pro-ceedings of the 12th ACM Conference on Computer and Commu-nications Security, CCS 2005, Alexandria, VA, USA, November 7-11, 2005, pages 320–329, 2005.

[10] Shota Yamada, Nuttapong Attrapadung, Goichiro Hanaoka, and Noboru Kunihiro. Generic constructions for chosen-ciphertext secure attribute based encryption. In Public Key Cryptography - PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6-9, 2011. Proceedings, pages 71–89, 2011.

[11] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access structures. In