A Key-Policy Attribute-Based Broadcast Encryption
Jin Sun^{1,2}, Yupu Hu^1, and Leyou Zhang^1
^1 Department of Application Mathematics, Xi'an University of Technology, China
^2 Key Lab of Computer Network and Information Security, Xidian University, China
Abstract: Broadcast encryption has wide applications in the real world, yet existing schemes do not consider security and efficiency in the same model simultaneously. We propose an "unbounded" Key-Policy Attribute-Based Broadcast Encryption scheme (KP-ABBE) by combining Waters' dual system encryption, attribute-based encryption and broadcast encryption. In the standard model, the scheme achieves constant-size public parameters, the public parameters impose no additional limitation on the functionality of the system (it is unbounded), and neither a small universe size nor a bound on the size of attribute sets has to be fixed at setup. The scheme is proved secure using the dual system encryption argument and four static assumptions that do not depend on the number of queries the attacker makes. The analysis shows that the scheme is selectively secure.
Keywords: Attribute-based encryption, broadcast encryption, dual system, KP-ABBE, provably secure.
Received March 21, 2011; accepted June 13, 2013; published online August 5, 2012
1. Introduction
The concept of broadcast encryption was first introduced by Fiat and Naor [8]: a sender who wants to send a message to a dynamically chosen subset S of users constructs a ciphertext so that only users in S can decrypt it. The sender can then safely transmit this ciphertext over a broadcast channel to all users. Broadcast encryption promptly became a new hot topic in cryptology, and many special-purpose broadcast encryption schemes [1, 2, 6, 7, 10, 11, 22] were proposed in succession. However, these schemes have obvious deficiencies: for example, their security is based on strong or non-standard cryptographic assumptions, the scheme only guarantees chosen-plaintext security or selective-ID security, or the scheme is designed in the random oracle model.
Recently, a new public-key primitive called Attribute-Based Encryption (ABE), also called fuzzy identity-based encryption [4, 9, 14], has been given much attention. It has significant advantages over traditional PKC primitives and is thus envisioned as an important tool for addressing the problem of secure and fine-grained data sharing and access control. In an ABE scheme, the sets of descriptive attributes (characteristics of an identity, for example "Faculty", "CS Dept.", "Tenured", etc.) defined for the system users are attached to the encryption keys and/or ciphertexts, and a particular user's private key can decrypt a particular ciphertext only if the two match. Key-Policy Attribute-Based Encryption (KP-ABE) [9] is one of the ABE systems; in it, users' secret keys are associated with access policies over a universe (some set with some added features) of attributes, and ciphertexts are associated with sets of attributes. In the ABE setting, the particular access policies and attribute sets may change over time; however, in the standard model, once the public parameters (public key) have been set, current constructions do not allow complete versatility in the choice of attributes and policies.
1.1. Our Contribution
In this work, we make the following contributions:
1. We present the definition of a KP-ABBE scheme and the security model for it.
2. By combining Waters' dual system encryption, KP-ABE and broadcast encryption, we propose an "unbounded" key-policy attribute-based broadcast encryption scheme. In the standard model, the scheme achieves constant-size public parameters, imposes no bound on the size of attribute sets used for encryption and has a large attribute universe. It supports LSSS matrices [17] as access structures, and additionally provides delegation capabilities to users. To overcome the limitations of previous constructions, we employ a secret-sharing technique and introduce fresh "local" randomness for the keys and ciphertexts: we create many samples, each of which has new randomness, avoiding the insecurity of the previous approach described above.
3. We prove the selective security of our KP-ABBE scheme from the same static, generically secure assumptions in composite order bilinear groups.
1.2. Related Work
There are two kinds of settings for broadcast encryption in the literature: the private key setting and the public key setting. Public Key Broadcast Encryption (PKBE) overcomes a shortcoming of private key broadcast encryption, namely that the center may be a single point of failure. By the work of Dodis and Fazio [7], using a Hierarchical Identity-Based Encryption (HIBE) scheme, some broadcast encryption schemes in the private key setting could be transformed into schemes in the public key setting. Boneh et al. [1] improved this method by applying their HIBE scheme, which results in PKBE schemes with $O(r)$ ciphertexts and $O(\log^2 n)$ private keys. Recently, Boneh et al. [2] proposed an efficient PKBE scheme for a large number $n$ of users. More recently, Delerablée et al. [6] suggested a new PKBE scheme that features $O(r)$ ciphertexts and $O(1)$ private keys at the expense of decryption cost and public key size.
ABE was first proposed by Sahai and Waters [20]. To reduce the trust placed in the attribute authority, Chase [5] proposed a multi-authority attribute-based encryption scheme in which each authority controls some of the attributes. There are two methods for access control based on ABE: Key-Policy ABE (KP-ABE), where each attribute private key is associated with an access structure and each ciphertext is labeled with a set of attributes, and Ciphertext-Policy ABE (CP-ABE), where ciphertexts are associated with access policies and keys are associated with sets of attributes. Both notions were proposed by Goyal et al. in [9]; the first KP-ABE construction [9] realizes monotonic access structures for key policies. To enable more flexible access policies, Ostrovsky et al. [18] presented the first KP-ABE system that supports the expression of non-monotone formulas in key policies. Recently, fully secure constructions were provided by Lewko et al. [14], and Okamoto and Takashima [19] proposed a predicate encryption scheme based on the primitive called hidden vector encryption, further studied in [12, 13]. The methodology of dual system encryption was introduced by Waters [21] and later used in [15, 16] to obtain adaptive security for IBE, HIBE, and ABE systems. Except that we do not consider leakage resilience and also provide only selective security in the ABE case, the abstractions we provide for dual system encryption in the HIBE and ABE settings are similar to those provided in [15].
2. Preliminaries
2.1. Linear Secret-Sharing Schemes
Our construction will employ Linear Secret-Sharing Schemes (LSSS) [17], defined as follows:
• LSSS: A secret-sharing scheme L over a set of parties S is called linear (over $\mathbb{Z}_p$) if:
1. The shares for each party form a vector over $\mathbb{Z}_p$.
2. There exists a matrix $A_{m \times n}$, called the share-generating matrix for L. For all $i = 1, \ldots, m$, the $i$-th row of $A$ is labeled by a party $f(i)$ ($f$ is a function from $\{1, \ldots, m\}$ to S). For the column vector $\vec{v} = (s, r_2, \ldots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \ldots, r_n \in \mathbb{Z}_p$ are chosen randomly, $A\vec{v}$ is the vector of $m$ shares of the secret $s$ according to L, and the share $(A\vec{v})_i$ belongs to party $f(i)$.
We note the linear reconstruction property: let L denote an LSSS for access structure $\mathbb{A}$, and let S denote an authorized set. We define $U \subset \{1, \ldots, m\}$ as $U = \{i \mid f(i) \in S\}$. Then there exist constants $\{\lambda_i \in \mathbb{Z}_p\}_{i \in U}$ such that $\sum_{i \in U} \lambda_i \tau_i = s$ for any valid shares $\{\tau_i\}$ of a secret $s$ according to L. These constants $\{\lambda_i\}$ can be found in time polynomial in the size of the share-generating matrix $A$.
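The share generation and linear reconstruction just described, as an added example that is not part of the paper: it builds the shares $A\vec{v}$, selects the authorized rows $U = \{i \mid f(i) \in S\}$, and recovers the constants $\lambda_i$ by solving $\sum_{i \in U} \lambda_i A_i = (1, 0, \ldots, 0)$ over $\mathbb{Z}_p$ with Gauss-Jordan elimination. The prime, the 2-of-3 threshold matrix and the attribute labels are constructed for the demonstration.

```python
"""LSSS share generation and linear reconstruction over Z_p (Section 2.1).

Added example, not the paper's code. A is the m x n share-generating matrix,
f labels row i with a party/attribute f(i), and the secret vector is
v = (s, r_2, ..., r_n). The reconstruction constants lambda_i for an
authorized row set U are found by solving sum_i lambda_i * A_i = (1, 0, ..., 0)
over Z_p, so that sum_i lambda_i * tau_i = s. The prime P, the sample matrix
(a 2-of-3 threshold policy written as an LSSS) and the attribute labels are
constructed for the demonstration.
"""
import random

P = 1000003  # constructed demonstration prime; the paper shares over Z_p / Z_N


def share(A, s, p=P):
    """Return the m shares A*v for v = (s, r_2, ..., r_n) with random r_j."""
    n = len(A[0])
    v = [s % p] + [random.randrange(p) for _ in range(n - 1)]
    return [sum(a_ij * v_j for a_ij, v_j in zip(row, v)) % p for row in A]


def authorized_rows(f, attrs):
    """U = {i : f(i) in S}, the rows whose attribute lies in the ciphertext set S."""
    return [i for i, attr in enumerate(f) if attr in attrs]


def recon_coeffs(A, rows, p=P):
    """Constants lambda (one per row in `rows`) with sum lambda_i * A_i = e_1 mod p.

    Solves the n x k system (A_U)^T * lambda = e_1 by Gauss-Jordan elimination
    over Z_p. Returns None when e_1 is not in the span of the chosen rows,
    i.e. when the row set is not authorized.
    """
    n, k = len(A[0]), len(rows)
    # Augmented matrix: one equation per column c of A, unknowns lambda_1..lambda_k.
    M = [[A[i][c] % p for i in rows] + [1 if c == 0 else 0] for c in range(n)]
    pivot_cols, rank = [], 0
    for c in range(k):
        piv = next((r for r in range(rank, n) if M[r][c]), None)
        if piv is None:
            continue  # free variable; it is left at zero
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, p)
        M[rank] = [x * inv % p for x in M[rank]]
        for r in range(n):
            if r != rank and M[r][c]:
                fac = M[r][c]
                M[r] = [(x - fac * y) % p for x, y in zip(M[r], M[rank])]
        pivot_cols.append(c)
        rank += 1
    # Remaining equations have an all-zero left side; a nonzero right side
    # means the system is inconsistent (no reconstruction possible).
    if any(M[r][k] for r in range(rank, n)):
        return None
    lam = [0] * k
    for r, c in enumerate(pivot_cols):
        lam[c] = M[r][k]
    return lam


def reconstruct(A, shares, rows, p=P):
    """sum_i lambda_i * tau_i over the rows in U, or None if U is unauthorized."""
    lam = recon_coeffs(A, rows, p)
    if lam is None:
        return None
    return sum(c * shares[i] for c, i in zip(lam, rows)) % p


# Constructed sample: 2-of-3 threshold policy over the paper's example attributes.
# Row i of A is (1, i+1), so any two rows span (1, 0) but a single row does not.
A_DEMO = [[1, 1], [1, 2], [1, 3]]
F_DEMO = ["Faculty", "CS Dept.", "Tenured"]


def demo(secret=12345):
    """Share `secret`, then reconstruct from an authorized and an unauthorized set."""
    shares = share(A_DEMO, secret)
    ok = reconstruct(A_DEMO, shares, authorized_rows(F_DEMO, {"Faculty", "Tenured"}))
    fail = reconstruct(A_DEMO, shares, authorized_rows(F_DEMO, {"Faculty"}))
    return ok, fail  # (secret, None)


if __name__ == "__main__":
    print(demo())
```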
2.2. Composite Order Bilinear Groups
Composite order bilinear groups were used in cryptographic constructions in [3]. We use groups whose order is a product of three primes and a generator $\mathcal{G}$ which takes as input a security parameter $\lambda$ and outputs a description of $(N = p_1 p_2 p_3, G, G_T, e)$, where $p_1, p_2, p_3$ are distinct primes, $G$ and $G_T$ are cyclic groups of order $N$, and $e: G \times G \to G_T$ is a map with the following properties:
1. Bilinearity: $\forall g, h \in G$, $a, b \in \mathbb{Z}_N$, $e(g^a, h^b) = e(g, h)^{ab}$.
2. Non-degeneracy: $\exists g \in G$ such that $e(g, g)$ has order $N$ in $G_T$.
Furthermore, for $a, b \in \{1, p_1, p_2, p_3\}$ we denote by $G_{ab}$ the subgroup of order $ab$. From the fact that the group is cyclic, it is simple to verify that if $h_1$ and $h_2$ are group elements of different order (and thus belonging to different subgroups), then $e(h_1, h_2) = 1$. To see this, suppose $h_1 \in G_{p_1}$ and $h_2 \in G_{p_2}$. We let $g$ denote a generator of $G$. Then $g^{p_1 p_2}$ generates $G_{p_3}$, $g^{p_1 p_3}$ generates $G_{p_2}$, and $g^{p_2 p_3}$ generates $G_{p_1}$. Hence, for some $\alpha_1, \alpha_2$, $h_1 = (g^{p_2 p_3})^{\alpha_1}$ and $h_2 = (g^{p_1 p_3})^{\alpha_2}$, and we note:
$e(h_1, h_2) = e(g^{p_2 p_3 \alpha_1}, g^{p_1 p_3 \alpha_2}) = e(g^{\alpha_1}, g^{p_3 \alpha_2})^{p_1 p_2 p_3} = 1.$
This is called the orthogonality property and is a crucial tool in our constructions.
2.3. Complexity Assumptions
We use the notation $x \leftarrow G$ to express that $x$ is chosen uniformly at random from the finite set $G$.
• Assumption 1: For a generator $\mathcal{G}$ returning bilinear settings of order a product of three primes, we define the following distribution. First pick a random bilinear setting $\Gamma$ by running $\mathcal{G}(1^\lambda)$ and then pick $g \leftarrow G_{p_1}$, $D = (\Gamma, g)$, $T_1 \leftarrow G_{p_1 p_2}$, $T_2 \leftarrow G_{p_1}$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 1 to be:
$\mathrm{Adv}^{1}_{\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]$ (1)
• Definition 1: We say that Assumption 1 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{1}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
• Assumption 2: For a generator $\mathcal{G}$ returning bilinear settings of order a product of three primes, we define the following distribution. First pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g \leftarrow G_{p_1}$, $g_2, X_2, Y_2 \leftarrow G_{p_2}$, $g_3 \leftarrow G_{p_3}$, $\alpha, s \leftarrow \mathbb{Z}_N$, $D = (\Gamma, g, g_2, g_3, g^{\alpha} X_2, g^{s} Y_2)$, $T_1 = e(g, g)^{\alpha s}$, $T_2 \leftarrow G_T$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 2 to be:
$\mathrm{Adv}^{2}_{\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]$ (2)
• Definition 2: We say that Assumption 2 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{2}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
• Assumption 3: For a generator $\mathcal{G}$ returning bilinear settings of order $N$ a product of three primes, we define the following distribution. First we pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g, X_1 \leftarrow G_{p_1}$, $g_2 \leftarrow G_{p_2}$, $g_3 \leftarrow G_{p_3}$, $D = (\Gamma, g, g_2, X_1 X_3)$, $T_1 \leftarrow G_{p_1}$, $T_2 \leftarrow G_{p_1 p_3}$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 3 to be:
$\mathrm{Adv}^{3}_{\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]$ (3)
• Definition 3: We say that Assumption 3 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{3}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
• Assumption 4: For a generator $\mathcal{G}$ returning bilinear settings of order $N$ a product of three primes, we define the following distribution. First we pick a random bilinear setting $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running $\mathcal{G}(1^\lambda)$ and then pick $g, X_1 \leftarrow G_{p_1}$, $X_2, Y_2 \leftarrow G_{p_2}$, $g_3, Y_3 \leftarrow G_{p_3}$, $D = (\Gamma, g, g_3, X_1 X_2 X_3, Y_2 Y_3)$, $T_1 \leftarrow G_{p_1 p_3}$, $T_2 \leftarrow G$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 4 to be:
$\mathrm{Adv}^{4}_{\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(D, T_1) = 1] - \Pr[\mathcal{A}(D, T_2) = 1]$ (4)
• Definition 4: We say that Assumption 4 holds for generator $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$, $\mathrm{Adv}^{4}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.
2.4. The Definition of Dual System Encryption KP-ABBE
A Dual System Encryption KP-ABBE scheme consists of the following algorithms. Because the algorithms EncryptF and KeyGenF will not be used in the normal operation of the system and are only needed for the security proof, they need not run in polynomial time.
• Setup($1^\lambda$, U): The setup algorithm takes in the security parameter $1^\lambda$ and the attribute universe description U. It outputs the public parameters Pk and a master secret key Mk.
• KeyGen(Mk, $\mathbb{A}$): The key generation algorithm takes in the master secret key Mk, an access structure $\mathbb{A}$, and the public parameters. It outputs a secret key Sk.
• KeyGenF(Mk, $\mathbb{A}$): The semi-functional key generation algorithm takes in the master secret key Mk, the public parameters, an access structure $\mathbb{A}$, and an attribute vector $x \in \{0,1\}^n$. It outputs a semi-functional secret key $\tilde{Sk}$.
• Encrypt(Pk, $\{x\}$, M): Takes as input the public parameters Pk, an attribute set $\{x \mid x \in \{0,1\}^n\}$ and a message M from the associated message space, and returns a ciphertext C.
• EncryptF(Pk, $\{x\}$, M): The semi-functional encryption algorithm takes in a set of attributes $\{x \mid x \in \{0,1\}^n\}$, the public parameters Pk, and a message M. It outputs a semi-functional ciphertext $\tilde{C}$.
• Decrypt(Pk, C, Sk): The algorithm takes in a ciphertext encrypted under a set of attributes $\{x \mid x \in \{0,1\}^n\}$ and a secret key for an access structure $\mathbb{A}$. It outputs the message M if the key and ciphertext are not both semi-functional, and $\{x \mid x \in \{0,1\}^n\}$ satisfies $\mathbb{A}$.
2.5. Selective Security Definition for KP-ABBE
We let U denote the attribute universe. Later, we will refer to this game as $\mathrm{Game}_{KP\text{-}ABBE}$ with delegation. We assume that the universe of attributes is known to the attacker in the initialization phase.
• Initialization: The attacker chooses a set $S' \subseteq U$ of attributes which it will attack, and gives this to the challenger.
• Setup: The challenger obtains the public parameters Pk by running the Setup algorithm, then gives them to the attacker. It also initializes a set $\Phi = \emptyset$.
• Phase 1: The attacker can make many queries such as: create queries, delegate queries, reveal queries [17].
• Challenge: The attacker declares two equal length messages $M_0$ and $M_1$. The challenger encrypts $M_b$ under S to produce ciphertext C by flipping a random
• Phase 2: The attacker again makes create, delegate, and reveal queries, subject to the same constraints as in Phase 1.
• Guess: Finally, the attacker outputs a guess $b'$ for $b$ and wins the game if $b = b'$.
The advantage of an attacker $\mathcal{A}$ in this game is defined as:
$\mathrm{Adv}^{KP\text{-}ABBE}_{\mathcal{A}}(\lambda) = \Pr[b = b'] - \tfrac{1}{2}$ (5)
Next, we define three security properties for a dual system encryption KP-ABBE scheme. We first define $\mathrm{Game}_C$ to be the same as $\mathrm{Game}_{KP\text{-}ABBE}$, except that the challenger creates a semi-functional ciphertext by calling EncryptF in the challenge phase instead of calling Encrypt. We also define $\mathrm{Game}_F$ to be the same as $\mathrm{Game}_{KP\text{-}ABBE}$, except that the challenger takes as input the set $\{x \mid x \in \{0,1\}^n\}^*$ initially provided by the attacker and responds to all key requests by calling KeyGenF.
• Semi-functional Ciphertext Invariance: For a dual system encryption KP-ABBE scheme $\Omega = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{KeyGenF}, \mathrm{Encrypt}, \mathrm{EncryptF}, \mathrm{Decrypt})$ and any PPT attacker $\mathfrak{I}$, if the advantage of $\mathfrak{I}$ in $\mathrm{Game}_C$ is negligibly close to the advantage of $\mathfrak{I}$ in $\mathrm{Game}_{KP\text{-}ABBE}$, we say it has semi-functional ciphertext invariance. We denote this by:
$\left| \mathrm{Adv}^{KP\text{-}ABBE}_{\mathfrak{I}}(\lambda) - \mathrm{Adv}^{C}_{\mathfrak{I}}(\lambda) \right| = \mathrm{negl}(\lambda)$ (6)
• Semi-Functional Key Invariance: For any PPT attacker $\mathfrak{I}$ and a dual system encryption KP-ABBE scheme $\Omega = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{KeyGenF}, \mathrm{Encrypt}, \mathrm{EncryptF}, \mathrm{Decrypt})$, if the advantage of $\mathfrak{I}$ in $\mathrm{Game}_F$ is negligibly close to the advantage of $\mathfrak{I}$ in $\mathrm{Game}_C$, we say it has semi-functional key invariance. We denote this by:
$\left| \mathrm{Adv}^{C}_{\mathfrak{I}}(\lambda) - \mathrm{Adv}^{F}_{\mathfrak{I}}(\lambda) \right| = \mathrm{negl}(\lambda)$ (7)
• One Semi-Functional Key Invariance: For a dual system encryption KP-ABBE scheme $\Omega = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{KeyGenF}, \mathrm{Encrypt}, \mathrm{EncryptF}, \mathrm{Decrypt})$ and any PPT attacker $\mathfrak{I}$, if the advantage of $\mathfrak{I}$ in $\mathrm{Game}_0$ is negligibly close to the advantage of $\mathfrak{I}$ in $\mathrm{Game}_1$, we say it has one semi-functional key invariance. We denote this by:
$\left| \mathrm{Adv}^{0}_{\mathfrak{I}}(\lambda) - \mathrm{Adv}^{1}_{\mathfrak{I}}(\lambda) \right| = \mathrm{negl}(\lambda)$ (8)
• Definition 5: For a key-policy attribute-based broadcast encryption system with delegation, if all polynomial time attackers have at most a negligible advantage in the above security game and the scheme has the three security properties, we say it is selectively secure.
3. Constructing Key-Policy Attribute-Based Broadcast Encryption
3.1. Our Scheme
In this section we describe our construction for a key-policy attribute-based broadcast encryption scheme. In our system, the public parameters consist of a constant number of elements from a bilinear group of composite order $N$, and the attribute universe is $\mathbb{Z}_N$. Secret keys are associated with LSSS access matrices, while ciphertexts are associated with sets of attributes. Without loss of generality, to share a value $a$ one employs a vector $\vec{a}$ with first coordinate equal to $a$, and the shares are obtained by multiplying the rows of the LSSS matrix with $\vec{a}$. A subset of rows is capable of reconstructing the shared secret if and only if their span includes the vector $(1, 0, \ldots, 0)$. We let $g_i$ denote a generator of the subgroup $G_{p_i}$ for $i = 1, 2, 3$.
• Setup($1^\lambda$): The setup algorithm chooses a description of a bilinear group $\Gamma = (N = p_1 p_2 p_3, G, G_T, e)$ by running a generator algorithm $\mathcal{G}$ on input $1^\lambda$. The setup algorithm chooses uniformly random $g, h, u, v, w \in G_{p_1}$ and $a \in \mathbb{Z}_N$; then the public parameters are $pk = \{\Gamma, g, h, u, v, w, e(g,g)^a\}$ and the master secret key is $mk = a$.
• KeyGen($mk$, $(A, f)$): Let $(A, f)$ be an LSSS matrix, where $A$ is an $m \times n$ matrix over $\mathbb{Z}_N$ and $f$ maps each row of $A$ to an attribute in $\mathbb{Z}_N$. The key generation algorithm chooses a random vector $\vec{a} = (a, *, \ldots, *) \in \mathbb{Z}_N^n$ and random values $\alpha_1, \ldots, \alpha_m, \beta_1, \ldots, \beta_m \in \mathbb{Z}_N$. For $i \in \{1, \ldots, m\}$, $A_i$ denotes the $i$-th row of $A$ and $f(i)$ denotes the attribute associated with this row by the mapping $f$. We let $\tau_i = A_i \cdot \vec{a}$ denote the share associated with the row $A_i$ of $A$. The secret key is formed as:
$d_{i,1} = g^{\tau_i} w^{\beta_i}, \quad d_{i,2} = g^{\beta_i}, \quad d_{i,3} = (u^{f(i)} h)^{\alpha_i} v^{\beta_i}, \quad d_{i,4} = g^{\alpha_i}.$
• KeyGenF($mk$, $(A, f)$, $Z'_N$): When the semi-functional key generation algorithm is called for the first time, it chooses two random values $\gamma, \theta \in \mathbb{Z}_N$ which it stores and uses on all subsequent calls. Each time it is called, the semi-functional key generation algorithm first calls the normal key generation algorithm KeyGen to obtain a normal secret key $d'_i = \{d'_{i,1}, d'_{i,2}, d'_{i,3}, d'_{i,4}\}$ for all $i \in \{1, \ldots, m\}$. It forms the semi-functional key as follows, for all $i \in \{1, \ldots, m\}$:
• if $f(i) \in Z'_N$, then $d_{i,1} = d'_{i,1}$, $d_{i,2} = d'_{i,2}$, $d_{i,3} = d'_{i,3}$, $d_{i,4} = d'_{i,4}$.
• if $f(i) \notin Z'_N$, the algorithm chooses a random value $\tilde{\beta}_i \in \mathbb{Z}_N$ and sets $d_{i,1} = d'_{i,1} \cdot (g_2 g_3)^{\gamma \tilde{\beta}_i}$, $d_{i,2} = d'_{i,2} \cdot (g_2 g_3)^{\tilde{\beta}_i}$, $d_{i,3} = d'_{i,3} \cdot (g_2 g_3)^{\theta \tilde{\beta}_i}$, $d_{i,4} = d'_{i,4}$.
• Encrypt($pk$, $\tilde{Z}_N$, M): In order to send a message $M \in G_T$ to the receiver collection $\tilde{Z}_N = \{k \mid k \in \mathbb{Z}_N, k = 1, \ldots, l\}$ ($l \le m$), the encryption algorithm takes in a message M, a set of attributes $\tilde{Z}_N$, and the public parameters. We let $l$ denote the size of the set $\tilde{Z}_N$ and $z_1, \ldots, z_l \in \tilde{Z}_N$ denote its elements. The encryption algorithm chooses random $s, r_1, \ldots, r_l \in \mathbb{Z}_N$ and creates the ciphertext as:
$C = (C_0, C_1, C_2, C_3, C_4) = \left( M e(g,g)^{as},\; g^{s},\; w^{s} v^{\sum_{k=1}^{l} r_k},\; g^{\sum_{k=1}^{l} r_k},\; \prod_{k=1}^{l} (u^{z_k} h)^{r_k} \right)$ (9)
• EncryptF(M, $\tilde{Z}_N$): In order to send a message $M \in G_T$ to the receiver collection $\tilde{Z}_N = \{k \mid k \in \mathbb{Z}_N, k = 1, \ldots, l\}$ ($l \le m$), the semi-functional encryption algorithm first calls the normal encryption algorithm Encrypt to obtain a normal ciphertext $C' = (C'_0, C'_1, C'_2, C'_3, C'_4)$ for all $k \in \tilde{Z}_N$. Then it chooses two random values $\eta, \sigma \in \mathbb{Z}_N$ and forms the semi-functional ciphertext as follows:
$C_0 = C'_0, \quad C_1 = C'_1 g_2^{\eta}, \quad C_2 = C'_2 g_2^{\sigma}, \quad C_3 = C'_3, \quad C_4 = C'_4.$
• Decrypt: Upon receiving a ciphertext $C = (C_0, C_1, C_2, C_3, C_4)$, any legitimate user with attribute $k$ checks whether the attributes of the ciphertext satisfy the policy of the secret key. If not, it refuses to decrypt; otherwise it computes constants $\lambda_k$ such that $\sum_{k : f(k) \in \tilde{Z}_N} \lambda_k A_k = (1, 0, \ldots, 0)$. It then computes:
$e(g,g)^{as} = \prod_{k : f(k) \in \tilde{Z}_N} \left( \frac{e(C_1, d_{k,1})\, e(C_3, d_{k,3})}{e(C_4, d_{k,4})\, e(C_2, d_{k,2})} \right)^{\lambda_k}$ (10)
and then recovers the message $M = C_0 / e(g,g)^{as}$.
3.2. Correctness
Let $C = (C_0, C_1, C_2, C_3, C_4)$ be a legitimate ciphertext; then correctness can be verified by the following equalities:
$\prod_{k : f(k) \in \tilde{Z}_N} \left( \frac{e(C_1, d_{k,1})\, e(C_3, d_{k,3})}{e(C_4, d_{k,4})\, e(C_2, d_{k,2})} \right)^{\lambda_k} = \prod_{k : f(k) \in \tilde{Z}_N} \left( \frac{e(g^{s}, g^{\tau_k} w^{\beta_k})\; e(g^{\sum_{j=1}^{l} r_j}, (u^{f(k)} h)^{\alpha_k} v^{\beta_k})}{e(\prod_{j=1}^{l} (u^{z_j} h)^{r_j}, g^{\alpha_k})\; e(w^{s} v^{\sum_{j=1}^{l} r_j}, g^{\beta_k})} \right)^{\lambda_k} = \prod_{k : f(k) \in \tilde{Z}_N} e(g,g)^{s \tau_k \lambda_k} = e(g,g)^{s \sum_k \lambda_k \tau_k} = e(g,g)^{as}.$
3.3. Efficiency
The key-policy attribute-based broadcast encryption scheme combines Waters' dual system encryption, attribute-based encryption and broadcast encryption. In the standard model, the scheme achieves constant-size public parameters, imposes no bound on the size of attribute sets used for encryption and has a large attribute universe. It supports LSSS matrices as access structures, and additionally provides delegation capabilities to users. The Encrypt algorithm does not require any bilinear pairing computation, since $e(g,g)$ can be pre-computed, and the Decrypt algorithm needs four bilinear pairing computations and $l$ multiplications in the group $G$. The selective security of our scheme is proved using static, generically secure assumptions in composite order bilinear groups, which do not depend on the number of queries the attacker makes. In the course of the proof, by introducing a nested dual system encryption approach, the scheme overcomes the main obstacle, namely the low amount of entropy provided by the short public parameters. Furthermore, the analysis indicates that it has lower implementation complexity without increasing the computational effort.
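The orthogonality property of Section 2.2 and its role in the semi-functional keys and ciphertexts of Section 3.1, as an added example that is not part of the paper: group elements are modelled by their exponents modulo $N$ with a symmetric pairing that multiplies exponents, the subgroup generators $g^{p_2 p_3}$, $g^{p_1 p_3}$, $g^{p_1 p_2}$ are those of Section 2.2, and the three small primes are constructed toy values.

```python
"""Orthogonality in composite-order groups (Section 2.2) and why semi-functional
components (Sections 2.4 and 3.1) behave the way the dual-system argument needs.

Added example, not the paper's code. Every element of G is written as a power
g^x of one generator g of the full group of order N = p1*p2*p3 and stored as
the exponent x mod N; the group operation is addition of exponents and the
symmetric pairing e(g^x, g^y) = e(g,g)^{xy} multiplies exponents mod N.
Elements of G_T are stored the same way. The three primes are constructed toy
values; a real instantiation uses cryptographically large primes.
"""
P1, P2, P3 = 101, 103, 107
N = P1 * P2 * P3


class Elem:
    """g^x in G, or e(g,g)^x in G_T, represented by x mod N."""

    def __init__(self, x):
        self.x = x % N

    def __mul__(self, other):  # g^x * g^y = g^{x+y}
        return Elem(self.x + other.x)

    def __pow__(self, k):  # (g^x)^k = g^{xk}
        return Elem(self.x * k)

    def __eq__(self, other):
        return self.x == other.x


def pair(a, b):
    """Bilinear map: e(g^x, g^y) = e(g,g)^{xy}."""
    return Elem(a.x * b.x)


ONE_T = Elem(0)  # identity of G_T
# Subgroup generators from the paper: g^{p2 p3} generates G_{p1},
# g^{p1 p3} generates G_{p2}, and g^{p1 p2} generates G_{p3}.
G1, G2, G3 = Elem(P2 * P3), Elem(P1 * P3), Elem(P1 * P2)


def orthogonal(a, b):
    """True when e(a, b) is the identity of G_T."""
    return pair(a, b) == ONE_T


def orthogonality_holds(alpha1, alpha2):
    """e(h1, h2) = 1 for h1 = (g^{p2 p3})^alpha1 in G_{p1}, h2 = (g^{p1 p3})^alpha2 in G_{p2}."""
    return orthogonal(G1 ** alpha1, G2 ** alpha2)


def sf_ciphertext_invisible_to_normal_key(s, tau, eta):
    """A normal key component d = g1^tau pairs identically with the normal C1 = g1^s
    and the semi-functional C1 = g1^s * g2^eta: the G_{p2} part is orthogonal to
    anything in G_{p1}, so a normal key cannot tell Game_C from Game_KP-ABBE."""
    d = G1 ** tau
    return pair((G1 ** s) * (G2 ** eta), d) == pair(G1 ** s, d)


def sf_key_against_sf_ciphertext(s, tau, eta, gamma, beta_tilde):
    """Semi-functional key component d = g1^tau * (g2 g3)^{gamma*beta_tilde} against
    the semi-functional C1 = g1^s * g2^eta. The pairing equals the normal value
    e(g1,g1)^{s tau} times the leftover e(g2,g2)^{eta*gamma*beta_tilde}, so the
    key decrypts correctly only when eta*gamma*beta_tilde = 0 mod p2.
    Returns (decrypts_correctly, leftover_is_exactly_the_G_p2_term)."""
    d_sf = (G1 ** tau) * ((G2 * G3) ** (gamma * beta_tilde))
    c1_sf = (G1 ** s) * (G2 ** eta)
    normal_value = pair(G1 ** s, G1 ** tau)
    actual = pair(c1_sf, d_sf)
    leftover = pair(G2, G2) ** (eta * gamma * beta_tilde)
    return actual == normal_value, actual == normal_value * leftover


if __name__ == "__main__":
    print(orthogonality_holds(17, 23))                     # True
    print(sf_ciphertext_invisible_to_normal_key(3, 5, 9))  # True
    print(sf_key_against_sf_ciphertext(3, 5, 9, 7, 11))    # (False, True)
    print(sf_key_against_sf_ciphertext(3, 5, 9, 7, P2))    # (True, True)
```

The last call shows the "nominally semi-functional" case: a $G_{p_2}$ exponent that is $0 \bmod p_2$ leaves only a $G_{p_3}$ component, which is orthogonal to the ciphertext and so decrypts correctly.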
4. Security Analysis
• Theorem: If a dual system KP-ABBE scheme $\Omega = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{KeyGenF}, \mathrm{Encrypt}, \mathrm{EncryptF}, \mathrm{Decrypt})$ has semi-functional ciphertext invariance, semi-functional key invariance, and semi-functional security, then $\Omega = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt})$ is a selectively secure KP-ABBE scheme.
4.1. Semi-Functional Ciphertext Invariance
• Lemma 1: Our KP-ABBE scheme with dual system has semi-functional ciphertext invariance under Assumption 1.
• Proof: Assume there exists a PPT attacker $\mathfrak{I}$ that can achieve a non-negligible difference in advantage between $\mathrm{Game}_C$ and $\mathrm{Game}_{KP\text{-}ABBE}$. Then we will create a PPT algorithm $\mathfrak{R}$ with non-negligible advantage in breaking Assumption 1. $\mathfrak{R}$ is given $g \in G_{p_1}$ and $T$, receives the set $Z'_N$ from $\mathfrak{I}$, and then chooses $x, y, z, t, a \in \mathbb{Z}_N$ at random. It gives the public parameters $pk = \{\Gamma, g, h = g^{x}, u = g^{y}, v = g^{z}, w = g^{t}, e(g,g)^{a}\}$ to $\mathfrak{I}$. Since $\mathfrak{R}$ knows the master secret key $a$, it can respond to $\mathfrak{I}$'s key requests by calling the key generation algorithm. At some point, $\mathfrak{I}$ provides two messages $M_0, M_1$ and requests the challenge ciphertext for $Z'_N$. We use $l$ to denote the size of $Z'_N$, and we let $z_1, \ldots, z_l \in Z'_N$ denote the elements of $Z'_N$. $\mathfrak{R}$ forms the ciphertext as follows. It chooses random $r_1, \ldots, r_l \in \mathbb{Z}_N$, $b \in \{0,1\}$ and sets:
$C_0 = M_b\, e(g, T)^{a}, \quad C_1 = T, \quad C_2 = T^{t} v^{\sum_{k=1}^{l} r_k}, \quad C_3 = g^{\sum_{k=1}^{l} r_k}, \quad C_4 = \prod_{k=1}^{l} (u^{z_k} h)^{r_k}, \quad \forall k \in \{1, \ldots, l\}$ (11)
This implicitly sets $g^{s}$ equal to the $G_{p_1}$ part of $T$. If $T \in G_{p_1}$, then this is a well-distributed normal ciphertext, and $\mathfrak{R}$ has properly simulated $\mathrm{Game}_{KP\text{-}ABBE}$; if $T \in G_{p_1 p_2}$, then this is a well-distributed semi-functional ciphertext, and $\mathfrak{R}$ has properly simulated $\mathrm{Game}_C$. Thus, the simulator $\mathfrak{R}$ can use the output of $\mathfrak{I}$ to achieve a non-negligible advantage against Assumption 1.
4.2. Semi-Functional Security
• Lemma 2: Our KP-ABBE scheme with dual system has semi-functional security under Assumption 2.
• Proof: Suppose there exists a PPT attacker $\mathfrak{I}$ who achieves a non-negligible advantage in $\mathrm{Game}_F$; then we will create a PPT algorithm $\mathfrak{R}$ which has a non-negligible advantage against Assumption 2. The simulator $\mathfrak{R}$ receives $g, g_2, g_3, g^{a} X_2, g^{s} Y_2, T$, and the set $Z'_N$ from $\mathfrak{I}$. It chooses $x, y, z, t \in \mathbb{Z}_N$ at random and gives the public parameters $pk = \{\Gamma, g, h = g^{x}, u = g^{y}, v = g^{z}, w = g^{t}, e(g, g^{a} X_2)\}$ to $\mathfrak{I}$. (Note that $\mathfrak{R}$ does not know the master secret key $a$.) In response to a KeyGen query for an $m \times n$ LSSS matrix $(A, f)$, $\mathfrak{R}$ creates a semi-functional key as follows. It chooses a random vector $\vec{u} \in \mathbb{Z}_N^n$ subject to the constraint that its first coordinate is zero, random values $\alpha_1, \ldots, \alpha_m, \beta'_1, \ldots, \beta'_m \in \mathbb{Z}_N$, and a uniformly chosen vector $\vec{v} \in \mathbb{Z}_N^n$ which is orthogonal to all rows $A_i$ of $A$ with $f(i) \in Z'_N$ and has first entry equal to 1. $\mathfrak{R}$ implicitly sets $\vec{a} = a\vec{v} + \vec{u}$, which is distributed as a uniformly random vector with first entry equal to $a$. It also chooses random values $f_i \in \mathbb{Z}_N$ for each $i$ such that $f(i) \notin Z'_N$. Then the semi-functional key is formed as follows, for all $i \in \{1, \ldots, m\}$:
• If $f(i) \in Z'_N$, then $d_{i,1} = g^{A_i \cdot \vec{u}} w^{\beta'_i}$, $d_{i,2} = g^{\beta'_i}$, $d_{i,3} = (u^{f(i)} h)^{\alpha_i} v^{\beta'_i}$, $d_{i,4} = g^{\alpha_i}$.
• If $f(i) \notin Z'_N$, the algorithm chooses a random value $\tilde{\beta}_i \in \mathbb{Z}_N$ and sets $d_{i,1} = g^{A_i \cdot \vec{u}} (g^{a} X_2)^{(t+1) A_i \cdot \vec{v}} w^{\beta'_i} (g_2 g_3)^{(t+1) f_i}$, $d_{i,2} = g^{\beta'_i} (g^{a} X_2)^{A_i \cdot \vec{v}} (g_2 g_3)^{f_i}$, $d_{i,3} = v^{\beta'_i} (g^{a} X_2)^{z A_i \cdot \vec{v}} (g_2 g_3)^{z f_i} (u^{f(i)} h)^{\alpha_i}$, $d_{i,4} = g^{\alpha_i}$.
This is a properly distributed semi-functional key with $\gamma = t + 1 \bmod p_2, p_3$, $\theta = z \bmod p_2, p_3$, $\beta_i = \beta'_i \bmod p_1$ for all $i$ such that $f(i) \in Z'_N$, and $\beta_i = \beta'_i + a A_i \cdot \vec{v} \bmod p_1$ for all $i$ such that $f(i) \notin Z'_N$.
At some point, $\mathfrak{I}$ provides $\mathfrak{R}$ with two messages $M_0, M_1$. We use $l$ to denote the size of $Z'_N$, and we let $z_1, \ldots, z_l \in Z'_N$ denote the elements of $Z'_N$. $\mathfrak{R}$ forms the challenge ciphertext as follows. It chooses random $r_1, \ldots, r_l, \sigma' \in \mathbb{Z}_N$, $b \in \{0,1\}$ and sets:
$C_0 = M_b T, \quad C_1 = g^{s} Y_2, \quad C_2 = (g^{s} Y_2)^{t} v^{\sum_{k=1}^{l} r_k} g_2^{\sigma'}, \quad C_3 = g^{\sum_{k=1}^{l} r_k}, \quad C_4 = \prod_{k=1}^{l} (u^{z_k} h)^{r_k}, \quad \forall k \in \{1, \ldots, l\}$ (12)
If $T = e(g,g)^{as}$, this is a well-distributed semi-functional encryption of $M_b$ with $\eta$ equal to $\log_{g_2} Y_2$ and $\sigma$ equal to $t$ times this discrete log plus $\sigma'$, where $\sigma'$ randomizes this so that there is no correlation with $t \bmod p_2$. Hence, from the exponents modulo $p_2$ of the semi-functional keys, this is uncorrelated. In this case, $\mathfrak{R}$ has properly simulated $\mathrm{Game}_F$. If $T \in G_T$ is a random element, then this is a semi-functional encryption of a random message, so the ciphertext contains no information about $b$, and hence the advantage of $\mathfrak{I}$ must be zero. $\mathfrak{R}$ can use the output of $\mathfrak{I}$ to obtain a non-negligible advantage against Assumption 2, because the advantage of $\mathfrak{I}$ is non-negligible in $\mathrm{Game}_F$.
4.3. Semi-Functional Key Invariance
Using a hybrid argument over the following sequence of games, we will prove one semi-functional key invariance of our dual system ABBE scheme instead of semi-functional key invariance [22]. We begin with $\mathrm{Game}_0$ and end with $\mathrm{Game}_1$. To get from $\mathrm{Game}_0$ to $\mathrm{Game}_1$, we define the following intermediary games. Among these games, the distribution of the requested normal and semi-functional keys is the same as in $\mathrm{Game}_0$ and $\mathrm{Game}_1$, but the distributions of the challenge key and ciphertext vary.
• $\mathrm{Game}'_0$: This game is exactly like $\mathrm{Game}_0$, except with the added restriction: for the challenge key, the attacker cannot produce an access matrix $(A, f)$ such that $f(i) \notin Z'_N$ for some $i$, but, when both are reduced modulo $p_3$, $f(i)$ is equal to some element of $Z'_N$.
• $\mathrm{Game}_{k_i}$: In this game, we retain the added modular restriction from the previous game, except that the ciphertext is semi-functional and the challenge key is now ephemeral semi-functional with index $i$.
• $\mathrm{Game}_{C_i}$: In this game, we retain the added modular restriction, except that the ciphertext is ephemeral semi-functional and the challenge key is ephemeral semi-functional with index $i$.
• $\mathrm{Game}_{F_i}$: In this game, we retain the added modular restriction, except that the ciphertext is semi-functional and the challenge key is semi-functional with index $i$.
• $\mathrm{Game}'_1$: This game is exactly like $\mathrm{Game}_1$, except
In these games, we will transit in the following order: we begin with $\mathrm{Game}_0$ and move to $\mathrm{Game}'_0$. We then move to $\mathrm{Game}_{k_1}$, then $\mathrm{Game}_{C_1}$, then $\mathrm{Game}_{F_1}$, then $\mathrm{Game}_{k_2}$, $\mathrm{Game}_{C_2}$, $\mathrm{Game}_{F_2}$, and so on, until we arrive at $\mathrm{Game}_{F_l}$, which is the same as $\mathrm{Game}'_1$. Finally, we transit to $\mathrm{Game}_1$.
• Lemma 3: Our KP-ABBE scheme with dual system has one semi-functional key invariance under Assumption 3 and 4.
• Proof: By the above transitions, we will assume that
ℑ achieve a non-negligible difference in advantage
betweenGame and '0 Game . Since at most a '1
polynomial number of steps in our hybrid sequence
of games betweenGame andF0 Game , there must F1
exist a value of i∈{1,…,l} such that ℑ achieves a
non- negligible advantage between one of the following pairs of games: GameFi−1 and Game , ki
i
k
Game and Game , or Ci Game and Ci Game . Fi
We assume that ℜ initially obtain the group elements
s
2 2 3 2 3 2 3
g , h, u, v , w , g g , w ( g g ) , ( gg g ) , v ( g g )η β βγ β β βθ from its
oracle. It chooses random a ∈ZN, and gives the public
parameters pk={Г, g, h, u, v, w, e(g,g)a} to ℑ. Since ℜ
knows a, he can responds by using the usual key
generation algorithm when ℑ requests a normal key.
When ℑ requests a semi-functional key for some
access matrix (A,f), ℜ creates one as follows. It
chooses random valuesα1,…,αm,β'1,…,β'm∈ZNand a
random vector n
N
Z
a ∈ with first entry equal to a, we
letτi= Ai⋅a for each row Ai of A. ℜ forms the key as:
∀i∈{1,…,m}: • If f(i)∈Z'N, then ' 1 i iw g di = τ β , 2 ' i g di = β , i i h u v di f i α β ) ( () 3 ' = , d g i i α = 4 . • If f(i)∉ZN' , algorithm set ' ) ) ( ( 2 3 1 i i w gg g di = τ ⋅ β βγ β , ' ) ( 2 3 2 i g gg di ββ = , d v gg i ufih i i α β βθ β ) ( ) ) ( ( () 3 2 3 ' = , d g i i α = 4 .
When ℑ requests the challenge key for some access
matrix (A,f), ℜ makes a challenge key-type query to
the oracle with input value f(ij)∈ZN, where
ij∈{1,…,n} is the index of the j th
row Ai in A such that
N
j Z
i
f( )∉ ' . ℜ receives from its oracle four group
elements in response, which we will denote by
(T1,T2,T3,T4). ℜ chooses random values j j∈ZN
'
,β
α ,
for all j∈{1,…,n} such that j≠ij. It also chooses a
random vectora ∈ZNn
with first entry equal to a, and
we set i
A
ia
⋅
=
τ
. ℜ forms the challenge key as:∀i∈{1,…,m}: • If f(i)∈ZN' , then ' 1 i iw g di β τ = , ' 2 i g di β = , i i u h v d f i i α β ) ( () 3 ' = , d g i i α = 4 . • If f i∉ZN∧i≠ij ' ) ( , algorithm set d1 gi (w(g2g3) )'i i β βγ β τ⋅ = , ' ) ( 2 3 2 i g gg di = ββ , d v gg i i uf ih i i α β βθ β ) ( ) ) ( ( () 3 2 3 ' = , i g di4= α .
If ℜ has properly simulated GameFi−1,then
(T1,T2,T3,T4) will be distributed as( , , ( ) , ) ' ' ' β β α α β g h u v g w j
forα,β'∈ZNrandomly chosen, and so this will be a
properly distributed normal key. If ℜ has properly
simulated Game orki GameCi,then (T1,T2,T3,T4) will
be distributed as ( , , ( ) 2 3, 2 3) ' ' ' Y Y g X X h u v g wβ β β j α α , where N Z ∈ ' ,β
α , X2,Y2∈Gp2, and X3,Y3∈Gp3are chosen
randomly, and so this will be a properly distributed
ephemeral semi-functional key. If ℜ has properly
simulated GameFi ,then (T1,T2,T3,T4) will be
distributed as ’ ’ 2 3 ( g g ) , β β γ ’ 2 3 ( gg g ) ,β ’ ’ j 2 3 v ( g g )β β θ( u h ) , gα α, where α,β'∈ZN are
randomly chosen, and so this will be a properly distributed semi-functional key.
When ℑ requests the challenge ciphertext for messages $M_0,M_1$ and $Z=\{z_1,\dots,z_l\}\subseteq\mathbb{Z}'_N$, ℜ makes a ciphertext-type query to the oracle for each $z_j$ (we recall that the value $f(i_j)$ from the challenge key cannot be equal to any of these values $z_j$ modulo $p_3$). In response to each query for $z_j$, ℜ receives three group elements, which we denote by $(T_{1j},T_{2j},T_{3j})$. ℜ chooses $b\in\{0,1\}$ randomly and forms the ciphertext as:
$$C_0=M_b\cdot e(g^{s}g_2^{\eta},\,g^{a}),\quad C_1=g^{s}g_2^{\eta},\quad C_2=\prod_{j=1}^{l}T_{1j},\quad C_3=\prod_{j=1}^{l}T_{2j},\quad C_4=\prod_{j=1}^{l}T_{3j},\qquad j\in\{1,\dots,l\}.\qquad(13)$$
If ℜ has properly simulated $\mathrm{Game}_{F_{i-1}}$, $\mathrm{Game}_{K_i}$ or $\mathrm{Game}_{F_i}$, then $(T_{1j},T_{2j},T_{3j})$ will be distributed as
$$\big(w^{s}v^{r_j}g_2^{\sigma},\ g^{r_j},\ (u^{z_j}h)^{r_j}\big),$$
where $r_j\in\mathbb{Z}_N$ is chosen randomly, so this will be a properly distributed semi-functional ciphertext. If ℜ has properly simulated $\mathrm{Game}_{C_i}$, then $(T_{1j},T_{2j},T_{3j})$ will be distributed as
$$\big(w^{s}v^{r_j}g_2^{\sigma+\theta r_j},\ g^{r_j}g_2^{r_j},\ (u^{z_j}h)^{r_j}g_2^{r_j(y'z_j+x')}\big)$$
for $r_j\in\mathbb{Z}_N$, where $x',y'\in\mathbb{Z}_N$ are chosen randomly and do not vary with $j$. In this case, ℜ has produced a properly distributed ephemeral semi-functional ciphertext.
Thus, since ℑ must achieve a non-negligible difference in advantage between at least one of these pairs of games, ℜ will be able to distinguish the oracle's distributions with non-negligible advantage, contradicting Assumption 3 or Assumption 4. So our dual system encryption KP-ABBE scheme has one semi-functional key invariance under Assumptions 3 and 4.
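As an added consistency check on the distributions above (an addition to this page, not part of the original proof), the following bookkeeping tracks how the $G_{p_2}$ components of the three key types and two ciphertext types interact under decryption. It assumes that a key row $(d_{i1},d_{i2},d_{i3},d_{i4})$ is paired against $C_1$ and the $j$-th per-attribute components as $e(d_{i1},C_1)\,e(d_{i3},T_{2j})/\big(e(d_{i2},T_{1j})\,e(d_{i4},T_{3j})\big)$; that pairing pattern is not stated on this page and is chosen here because it is the one under which the normal forms cancel to $e(g,g)^{\tau_i s}$. The $G_{p_2}$ exponents of the ephemeral key are taken as $(0,0,x_2,y_2)$ with $X_2=g_2^{x_2}$, $Y_2=g_2^{y_2}$.

```latex
% Added consistency check, not part of the original proof.
% Assumed decryption pairing for one key row and the j-th attribute components:
%   D = e(d_{i1},C_1) e(d_{i3},T_{2j}) / ( e(d_{i2},T_{1j}) e(d_{i4},T_{3j}) ).

% 1. Normal key against normal components (G_{p_1} parts), with z_j = f(i):
\begin{align*}
D &= \frac{e(g^{\tau_i}w^{\beta'},\,g^{s})\; e(v^{\beta'}(u^{f(i)}h)^{\alpha},\,g^{r_j})}
        {e(g^{\beta'},\,w^{s}v^{r_j})\; e(g^{\alpha},\,(u^{z_j}h)^{r_j})}
   = e(g,g)^{\tau_i s}\cdot\frac{e(u^{f(i)}h,g)^{\alpha r_j}}{e(u^{z_j}h,g)^{\alpha r_j}}
   = e(g,g)^{\tau_i s}.
\end{align*}

% 2. G_{p_2} exponents only; G_{p_1} and G_{p_3} parts pair to 1 against G_{p_2}.
% Semi-functional key:        (\beta'\gamma,\ \beta',\ \beta'\theta,\ 0)
% Semi-functional ciphertext: C_1:\eta,\ T_{1j}:\sigma,\ T_{2j}:0,\ T_{3j}:0
\begin{align*}
\log_{e(g_2,g_2)} D_{\mathrm{SF\ key,\ SF\ ct}}
 &= \beta'\gamma\cdot\eta + \beta'\theta\cdot 0 - \beta'\cdot\sigma - 0\cdot 0
  = \beta'(\gamma\eta-\sigma).
\end{align*}
% Ephemeral SF ciphertext: C_1:\eta,\ T_{1j}:\sigma+\theta r_j,\ T_{2j}:r_j,\ T_{3j}:r_j(y'z_j+x')
\begin{align*}
\log_{e(g_2,g_2)} D_{\mathrm{SF\ key,\ eph\ ct}}
 &= \beta'\gamma\eta + \beta'\theta r_j - \beta'(\sigma+\theta r_j) - 0
  = \beta'(\gamma\eta-\sigma).
\end{align*}
% The extra \theta r_j on T_{1j} is cancelled by the g_2^{r_j} on T_{2j}:
% a semi-functional key sees both ciphertext types identically.

% 3. Ephemeral key, G_{p_2} exponents (0,0,x_2,y_2):
\begin{align*}
\log_{e(g_2,g_2)} D_{\mathrm{eph\ key,\ SF\ ct}}  &= x_2\cdot 0 - y_2\cdot 0 = 0, \\
\log_{e(g_2,g_2)} D_{\mathrm{eph\ key,\ eph\ ct}} &= x_2\, r_j - y_2\, r_j\,(y'z_j+x'),
\end{align*}
% nonzero for random x_2, y_2: the ephemeral-key/ephemeral-ciphertext pair is the only
% combination whose G_{p_2} residue depends on the ciphertext randomness r_j.
```

The check confirms that, under the assumed pairing pattern, the $\theta r_j$ term of the ephemeral ciphertext and the $g_2^{r_j}$ term on $T_{2j}$ are tied together exactly as the reconstructed forms require, and that the only combination in which the $G_{p_2}$ residue fails to reduce to a key-only quantity is the ephemeral key paired with the ephemeral ciphertext, which is the case that the restriction $f(i_j)\neq z_j \bmod p_3$ in the lemma is there to handle.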
5. Conclusions
Although ABE has been applied extensively to access control, existing constructions for ABE in the standard model required either a small attribute universe or a bound on the size of attribute sets to be fixed at setup. Taking into account the wide real-world applications of broadcast encryption, a key-policy attribute-based broadcast encryption scheme was proposed by combining Waters' dual system encryption, attribute-based encryption and broadcast encryption. In the standard model, the scheme achieves constant-size public parameters, imposes no bound on the size of the attribute sets used for encryption, and has a large attribute universe. It supports LSSS matrices as access structures and additionally provides delegation capabilities to users. The selective security of our scheme is proved using static, generically secure assumptions in composite order bilinear groups that do not depend on the number of queries the attacker makes. The analysis indicates that the scheme has lower implementation complexity without increasing the computational effort.
Acknowledgements
This research was financed by the National Natural Science Foundation of China under Grants 61173192 and 60873268, and the Scientific Research Foundation of Education Department of Shaanxi Provincial Government of China (Grant No. 2013JK1116).
References
[1] Boneh D., Boyen X., and Goh E., "Hierarchical Identity Based Encryption with Constant Size Ciphertext," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Denmark, pp. 440-456, 2005.
[2] Boneh D., Gentry C., and Waters B., "Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys," in Proceedings of the 25th Annual International Cryptology Conference, USA, pp. 258-275, 2005.
[3] Boneh D., Goh E., and Nissim K., "Evaluating 2-DNF Formulas on Ciphertexts," in Proceedings of the 2nd Conference on Theory of Cryptography, USA, pp. 325-342, 2005.
[4] Charef C., Taibi M., and Vincent N., "Fuzzy and Neuro-Fuzzy Modeling of a Fermentation Process," The International Arab Journal of Information Technology, vol. 6, no. 4, pp. 378-385, 2009.
[5] Chase M., "Multi-Authority Attribute Based Encryption," in Proceedings of the 4th Conference on Theory of Cryptography, Berlin, pp. 515-534, 2007.
[6] Delerablée C., Paillier P., and Pointcheval D., "Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys," in Proceedings of the 1st International Conference on Pairing-Based Cryptography, Japan, pp. 39-59, 2007.
[7] Dodis Y. and Fazio N., "Public Key Broadcast Encryption Secure Against Adaptive Chosen Ciphertext Attack," in Proceedings of the 6th International Workshop on Practice and Theory in Public Key Cryptography, Miami, USA, pp. 100-115, 2002.
[8] Fiat A. and Naor M., "Broadcast Encryption," in Proceedings of the 13th Annual International Cryptology Conference, Santa Barbara, USA, pp. 480-491, 1993.
[9] Goyal V., Pandey O., Sahai A., and Waters B., "Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data," in Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89-98, 2006.
[10] Hu L., Liu Z., and Cheng X., "Efficient Identity-Based Broadcast Encryption without Random Oracles," Journal of Computers, vol. 5, no. 3, pp. 331-336, 2010.
[11] Kalpana G. and Punithavalli M., "Reliable Broadcasting using Efficient Forward Node Selection for Mobile Ad hoc Networks," The International Arab Journal of Information Technology, vol. 9, no. 4, pp. 299-305, 2012.
[12] Li J., Ren K., and Kim K., "A2BE: Accountable Attribute Based Encryption for Abuse Free Access Control," available at: http://eprint.iacr.org/2009/118, last visited 2009.
[13] Li J., Ren K., Zhu B., and Wan Z., "Privacy-Aware Attribute Based Encryption with User Accountability," in Proceedings of the 12th International Conference on Information Security, Italy, pp. 347-362, 2009.
[14] Lewko A., Okamoto T., Sahai A., Takashima K., and Waters B., "Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption," in Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, France, pp. 62-91, 2010.
[15] Lewko A., Rouselakis Y., and Waters B., "Achieving Leakage Resilience through Dual System Encryption," in Proceedings of the 8th Conference on Theory of Cryptography, USA.
[16] Lewko A. and Waters B., "New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts," in Proceedings of the 7th Conference on Theory of Cryptography, Switzerland, pp. 455-479, 2010.
[17] Lewko A. and Waters B., "Unbounded HIBE and Attribute-Based Encryption," available at: http://eprint.iacr.org/2011/049.pdf, last visited 2011.
[18] Ostrovsky R., Sahai A., and Waters B., "Attribute-Based Encryption with Non-Monotonic Access Structures," in Proceedings of the 14th ACM Conference on Computer and Communications Security, New York, pp. 195-203, 2007.
[19] Okamoto T. and Takashima K., "Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption," in Proceedings of the 30th Annual International Cryptology Conference, pp. 191-208, 2010.
[20] Sahai A. and Waters B., "Fuzzy Identity Based Encryption," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Denmark, pp. 457-473, 2005.
[21] Waters B., "Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions," in Proceedings of the 29th Annual International Cryptology Conference, USA, pp. 619-636, 2009.
[22] Zhang L., Hu Y., and Mu N., "Identity-Based Broadcast Encryption Protocol for Ad-hoc Networks," in Proceedings of the 9th International Conference for Young Computer Scientists, Hunan, pp. 1619-1623, 2009.
Jin Sun received her BA and MA degrees in mathematics from Shaanxi Normal University, Xi'an, China, in 2000 and from Xi'an University of Technology, Xi'an, China, in 2005, respectively. Since 2008, she has been a PhD candidate in cryptography at Xidian University, Xi'an, China. Her current research interests include the design of PKE schemes and broadcast encryption schemes.
Yupu Hu is a professor and PhD supervisor in the Key Laboratory of Computer Networks and Information Security of the Ministry of Education, Xidian University, China. He received his PhD degree in cryptography from Xidian University in 1999. He is a member of the China Institute of Communications. His current research interests include information security, stream ciphers, block ciphers, digital signatures and network security.
Leyou Zhang received his PhD from Xidian University in 2009. Currently, he is an associate professor in the Department of Mathematical Science of Xidian University. His current research interests include network security, computer security, and cryptography.