Practical Attribute-Based Encryption: Traitor Tracing, Revocation, and Large Universe


Zhen Liu (1) and Duncan S. Wong (2)

(1) City University of Hong Kong, Hong Kong SAR, China, zhenliu7-c@my.cityu.edu.hk
(2) Security and Data Sciences, ASTRI, Hong Kong SAR, China, duncanwong@astri.org

Abstract. In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user's decryption key is associated with attributes which in general are not related to the user's identity, and the same set of attributes could be shared between multiple users. If such a user builds a decryption blackbox from the decryption key and offers it for sale, this malicious user could be difficult to identify from the blackbox. Hence in practice, a useful CP-ABE scheme should have some tracing mechanism to identify this traitor from the blackbox. In addition, being able to revoke compromised keys is also an important step towards practicality, and for scalability, the scheme should support an exponentially large number of attributes. However, none of the existing traceable CP-ABE schemes simultaneously supports revocation and a large attribute universe. In this paper, we construct the first practical CP-ABE which possesses these three important properties: (1) blackbox traceability, (2) revocation, and (3) support for a large universe. This new scheme achieves fully collusion-resistant blackbox traceability, and when compared with the latest fully collusion-resistant blackbox traceable CP-ABE schemes, this new scheme achieves the same efficiency level, enjoying the sub-linear overhead of $O(\sqrt{N})$, where $N$ is the number of users in the system, and attains the same security level, namely, fully collusion-resistant traceability against policy-specific decryption blackboxes, which is proven in the standard model with selective adversaries. The scheme supports a large attribute universe, and attributes do not need to be pre-specified during the system setup. In addition, the scheme supports revocation while keeping the appealing capability of conventional CP-ABE, i.e. it is highly expressive and can take any monotonic access structure as a ciphertext policy. We also present the analogous results in the Key-Policy Attribute-Based Encryption (KP-ABE) setting, where users' decryption keys are described by access policies and ciphertexts are associated with attributes. We construct the first practical KP-ABE which possesses the three important properties: (1) blackbox traceability, (2) revocation, and (3) support for a large universe. The scheme is highly expressive and can take any monotonic access structure as a key policy, and is efficient, namely, it enjoys the sub-linear overhead of $O(\sqrt{N})$ while supporting fully collusion-resistant blackbox traceability and revocation, and does not need to pre-specify the attributes during the system setup. The scheme is proven selectively secure in the standard model.

Keywords: Attribute-Based Encryption, Traitor Tracing, Revocation, Large Attribute Universe

1 Introduction

In some emerging applications such as user-side encrypted cloud storage, users may store encrypted data on a public untrusted cloud and let other users who have eligible credentials decrypt and access the data. The decryption credentials could be based on the users' roles and do not have to be their identities. For example, a user Alice wants to encrypt some documents, upload them to the cloud, and let all PhD students and alumni in the Department of Mathematics download and decrypt them. Attribute-Based Encryption (ABE), introduced by Sahai and Waters [29], provides a solution to

this application. In a Ciphertext-Policy ABE (CP-ABE) [12,3] scheme (footnote 3), each user possesses a set of attributes and a decryption key, the encrypting party can encrypt the documents under an access policy (e.g. a Boolean formula) over attributes, and a user can decrypt if and only if the user's attributes satisfy the policy. Hence in this example, Alice can encrypt the documents under (Mathematics AND (PhD Student OR Alumni)), which is an access policy defined over descriptive attributes, so that only those receivers whose attributes satisfy this policy can decrypt. Among the recently proposed CP-ABE schemes [3,8,11,31,17,25,13,19], one of the latest works is due to Lewko and Waters [19,20]. Their scheme achieves high expressivity (i.e. it can take any monotonic access structure as a ciphertext policy), and is provably secure against adaptive adversaries in the standard model. The scheme is also efficient and removes the one-use restriction that other comparable schemes have [17,25]. Just as the current Public Key Infrastructure mandates the capabilities of key generation, revocation, and certified binding between identities and public keys, before CP-ABE can be deployed in practice we should provision a practical CP-ABE scheme with three important features: (1) traceability, (2) revocation, and (3) a large universe. Very recently, a handful of research works have addressed each one of these, while the fundamental open problem that remains is the existence of an efficient scheme which supports all three features at once.

Traceability / Traitor Tracing. Access policies in CP-ABE do not have to contain any receivers' identities, and more commonly, a CP-ABE policy is role-based and attributes are shared between multiple users. In practice, a malicious user, with attributes shared with multiple other users, might leak a decryption blackbox/device, which is built from the user's decryption key, for the purpose of financial gain or some other form of incentive, as the malicious user has little risk of being identified out of all the users who can build a decryption blackbox with identical decryption capability. Being able to identify this malicious user is crucial to the practicality of a CP-ABE system. Given a well-formed decryption key, if the tracing algorithm of a CP-ABE scheme can identify the malicious user who created the key, the scheme is called Whitebox Traceable CP-ABE [22]. Given a decryption blackbox, while the decryption key and even the decryption algorithm could be hidden inside the blackbox, if the tracing algorithm can still find out the traitor whose key has been used in constructing the blackbox, the scheme is called Blackbox Traceable CP-ABE [21]. In this stronger notion, there are two types of blackboxes: the key-like decryption blackbox and the policy-specific decryption blackbox. A key-like decryption blackbox has an associated attribute set and can decrypt messages encrypted under policies that are satisfied by the attribute set. A policy-specific decryption blackbox has an associated policy and can decrypt messages encrypted under that same policy. Liu et al. [23] formally proved that if a CP-ABE scheme is traceable against policy-specific decryption blackboxes then it is also traceable against key-like decryption blackboxes, and proved that the CP-ABE scheme in [21] is fully collusion-resistant traceable against policy-specific decryption blackboxes in the standard model with selective adversaries. The scheme in [21] is highly expressive, and as a fully collusion-resistant blackbox traceable CP-ABE scheme, it achieves the most efficient level to date, i.e. the overhead for fully collusion-resistant traceability is in $O(\sqrt{N})$, where $N$ is the number of users in the system. Note that fully collusion-resistant traceability means that the number of colluding users in constructing a decryption blackbox is not limited and can be arbitrary. Another recent blackbox traceable CP-ABE scheme is due to Deng et al. [9], but the scheme is

Footnote 3: Here we focus on CP-ABE, while skipping discussions about Key-Policy ABE.

only $t$-collusion-resistant traceable, where the number of colluding users is limited, i.e., less than a parameter $t$, and the scheme's security is proven in the random oracle model.

Revocation. In any encryption system that involves many users, private keys might get compromised, and users might leave or be removed from the system. When any of these happens, the corresponding user keys should be revoked. In the literature, several revocation mechanisms have been proposed in the context of CP-ABE. In [28] (footnote 4), Sahai et al. proposed an indirect revocation mechanism, which requires an authority to periodically broadcast key update information so that only the non-revoked users can update their keys and continue to decrypt messages. In [1], Attrapadung and Imai proposed a direct revocation mechanism, which allows a revocation list to be specified directly during encryption so that the resulting ciphertext cannot be decrypted by any decryption key which is in the revocation list, even though the attribute set associated with the key satisfies the ciphertext policy. The direct revocation mechanism does not need the periodic key updates that an indirect revocation mechanism requires. It does not affect any non-revoked users either. In direct revocation, a system-wide revocation list could be made public and revocation could take effect promptly, as the revocation list can be updated immediately once a key is revoked. In this paper, we focus on achieving direct revocation in CP-ABE.

Large Attribute Universe. In most CP-ABE schemes, the size of the attribute universe is polynomially bounded in the security parameter, and the attributes have to be fixed during the system setup. In a large universe CP-ABE, the attribute universe can be exponentially large, any string can be used as an attribute, and attributes do not need to be pre-specified during setup. Although somewhat large universe CP-ABE schemes have been proposed or discussed previously [31,17,1,26], as explained by Rouselakis and Waters [27], limitations exist. The first truly large universe CP-ABE construction, in which there is no restriction on ciphertext policies or on the attributes associated with the decryption keys, was proposed in [27].

1.1 Our Results

We propose the first practical CP-ABE scheme that simultaneously supports (1) traceability against policy-specific decryption blackboxes, (2) (direct) revocation and (3) a truly large attribute universe. The scheme's traceability is fully collusion-resistant, that is, the number of colluding users in constructing a decryption blackbox is not limited and can be arbitrary. Furthermore, the traceability is public, that is, anyone can run the tracing algorithm. The scheme is also highly expressive in that it allows any monotonic access structure to be a ciphertext policy. The scheme is proven selectively secure and traceable in the standard model. This is comparable to the policy-specific blackbox traceability of the fully collusion-resistant traceable CP-ABE [23] and also to the security of the truly large universe CP-ABE [27]. The selective security is indeed a weakness when compared with the full security of [19,21], but as discussed in [27], selective security is still a meaningful notion and can be a reasonable trade-off for performance in some circumstances. Furthermore, in light of the proof method of [19], which achieves full security through selective techniques, we can see that developing selectively secure schemes could be an important stepping stone towards building fully secure ones. Table 1 compares this new scheme with the representative results in conventional CP-ABE [19], blackbox traceable CP-ABE [21], revocable CP-ABE [1], and large universe CP-ABE [27], all of which are provably secure in the standard model and highly expressive. The scheme's overhead is in $O(\sqrt{N})$, where $N$ is the number of users in a system, and among fully collusion-resistant blackbox traceable CP-ABE schemes, this is the most efficient one to date. Furthermore, when compared with the existing fully collusion-resistant blackbox traceable CP-ABE scheme in [21], at the cost of $\sqrt{N}$ additional elements in the private key, our construction achieves revocation and a truly large universe. For better performance, this new scheme is constructed on prime order groups, rather than composite order groups, as it has been shown (e.g. in [10,16]) that constructions on composite order groups result in a significant loss of efficiency.

Footnote 4: Note that in this paper we focus on conventional revocation, which is to prevent a compromised or revoked user from decrypting newly encrypted messages. In [28], revoking access on previously encrypted data is also considered.

Table 1. Features and Efficiency Comparison (table footnote 1)

(The check marks of the Blackbox Traceability, Revocation and Large Universe columns, and some constant terms of the size columns, are not recoverable from this transcription; the size entries are given as far as they survive, in the order Public Key Size, Ciphertext Size, Private Key Size, Pairings in Decryption (table footnote 2).)

Scheme             Public Key Size      Ciphertext Size    Private Key Size    Pairings in Decryption
[19,20] (3)        U                    7 + 6l             S                   I
[1, Sec 5.1] (4)   4 + 2N + m + l_m     3 + l              2 + S               I
[1, Sec 5.2] (4)   m + l_m              2 + l + 2|R|       S                   I + 2|R|
[27]               (not recovered)      l                  S                   I
[21,23] (5)        √N + U               17√N + 2l          4 + S               I
this work          √N                   16√N + 3l          2 + √N + 2S         I

Table footnotes:
(1) All six schemes are provably secure in the standard model and highly expressive.
(2) Let $N$ be the number of users in the system, $U$ the size of the attribute universe, $l$ the number of rows of the LSSS matrix for an access policy, $S$ the size of the attribute set of a decryption key, and $I$ the number of attributes a decryption key uses to satisfy a ciphertext policy.
(3) The efficiency evaluation here is based on the prime order construction in [20], which is the full version of [19].
(4) The CP-ABE schemes in [1] are not truly large universe, as some limitations are imposed and some corresponding parameters have to be fixed during the setup. Let $m$ be the maximum size of an attribute set associated with a key, $l_m$ the maximum number of rows in the LSSS matrix of a policy, and $|R|$ the number of revoked users in a revocation list $R$.
(5) The construction in [21,23] is on composite order groups where the group order is the product of three large primes, and the efficiency evaluation is based on the composite order groups. As a result, the actual sizes of the public key and ciphertext in [21,23] are larger than those of this work, and the encryption and decryption in [21,23] are slower than those of this work.

Paper Outline. In Sec. 2, we propose a definition for CP-ABE supporting policy-specific blackbox traceability, direct revocation and a large attribute universe. As in [21], the definition is functional, namely each decryption key is uniquely indexed by $k \in \{1, \dots, N\}$ ($N$ is the number of users in the system) and, given a policy-specific decryption blackbox, the tracing algorithm Trace can return the index $k$ of a decryption key which has been used for building the decryption blackbox. On direct revocation, in our definition the Encrypt algorithm takes a revocation list $R \subseteq \{1, \dots, N\}$ as an additional input, so that a message encrypted under the (revocation list, access policy) pair $(R, \mathbb{A})$ would only allow users whose (index, attribute set) pair $(k, S)$ satisfies $(k \notin R) \wedge (S \text{ satisfies } \mathbb{A})$ to decrypt. On the construction, we refer to the functional CP-ABE in Sec. 2 as Revocable CP-ABE (or R-CP-ABE for short), then extend the R-CP-ABE to a primitive called Augmented R-CP-ABE (or AugR-CP-ABE for short), which will finally be transformed into a policy-specific blackbox traceable R-CP-ABE. More specifically, in Sec. 3, we define the encryption algorithm of AugR-CP-ABE as $\mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, \bar{k})$, which takes one more parameter $\bar{k} \in \{1, \dots, N+1\}$ than the original one in R-CP-ABE. This also changes the decryption criterion in AugR-CP-ABE in such a way that an encrypted message can be recovered using a decryption key $SK_{k,S}$, which is identified by index

$k \in \{1, \dots, N\}$ and associated with an attribute set $S$, only if $(k \notin R) \wedge (S \text{ satisfies } \mathbb{A}) \wedge (k \ge \bar{k})$. On the security, we formalize and show that a message-hiding and index-hiding AugR-CP-ABE can be transformed into a secure R-CP-ABE with policy-specific blackbox traceability. In Sec. 4, we propose a large universe AugR-CP-ABE construction, and prove its message-hiding and index-hiding properties in the standard model. Combining it with the results in Sec. 3, we obtain a large universe R-CP-ABE construction, which is efficient (with overhead size in $O(\sqrt{N})$), highly expressive, and provably secure and traceable in the standard model. To construct the AugR-CP-ABE, we borrow ideas from the CP-ABE constructions in [21,27] and the Trace&Revoke scheme in [10]. However, the combination is not trivial and may result in inefficient or insecure systems. In particular, besides achieving the important features for practicality, such as traitor tracing, revocation, large universe, high expressivity and efficiency, we achieve provable security and traceability in the standard model. As we will discuss later in Sec. 4, proving blackbox traceability while supporting the large attribute universe is one of the most challenging tasks in this work: the proof techniques for blackbox traceability in [21] are no longer applicable to a large universe, while those for the large universe in [27] are only for confidentiality rather than for blackbox traceability. Following a similar route, we also present the analogous results in the Key-Policy ABE setting, as shown in Sec. 5.

2 Revocable CP-ABE and Blackbox Traceability

In this section, we define Revocable CP-ABE (or R-CP-ABE for short) and its security, which are based on conventional (non-traceable, non-revocable) CP-ABE (e.g. [19,27]). Similar to the traceable CP-ABE in [21], in our functional definition we explicitly assign and identify users using unique indices. Then we formalize traceability against policy-specific decryption blackboxes for R-CP-ABE.

2.1 Revocable CP-ABE

Given a positive integer $n$, let $[n]$ be the set $\{1, 2, \dots, n\}$. A Revocable Ciphertext-Policy Attribute-Based Encryption (R-CP-ABE) scheme consists of four algorithms:

$\mathsf{Setup}(\lambda, N) \to (PP, MSK)$. The algorithm takes as input a security parameter $\lambda$ and the number of users in the system $N$, runs in time polynomial in $\lambda$, and outputs a public parameter $PP$ and a master secret key $MSK$. We assume that $PP$ contains the description of the attribute universe $\mathcal{U}$ (footnote 5).

$\mathsf{KeyGen}(PP, MSK, S) \to SK_{k,S}$. The algorithm takes as input $PP$, $MSK$, and an attribute set $S$, and outputs a secret key $SK_{k,S}$ corresponding to $S$. The secret key is assigned and identified by a unique index $k \in [N]$.

$\mathsf{Encrypt}(PP, M, R, \mathbb{A}) \to CT_{R,\mathbb{A}}$. The algorithm takes as input $PP$, a message $M$, a revocation list $R \subseteq [N]$, and an access policy $\mathbb{A}$ over $\mathcal{U}$, and outputs a ciphertext $CT_{R,\mathbb{A}}$. $(R, \mathbb{A})$ is included in $CT_{R,\mathbb{A}}$.

$\mathsf{Decrypt}(PP, CT_{R,\mathbb{A}}, SK_{k,S}) \to M$ or $\bot$. The algorithm takes as input $PP$, a ciphertext $CT_{R,\mathbb{A}}$, and a secret key $SK_{k,S}$. If $(k \in [N] \setminus R)$ AND ($S$ satisfies $\mathbb{A}$), the algorithm outputs a message $M$; otherwise it outputs $\bot$, indicating the failure of decryption.

Footnote 5: For large universe schemes, and also in our work, the attribute universe depends only on the size of the underlying group $G$, which depends on $\lambda$ and the group generation algorithm.

Correctness. For any attribute set $S \subseteq \mathcal{U}$, index $k \in [N]$, revocation list $R \subseteq [N]$, access policy $\mathbb{A}$, and message $M$, suppose $(PP, MSK) \leftarrow \mathsf{Setup}(\lambda, N)$, $SK_{k,S} \leftarrow \mathsf{KeyGen}(PP, MSK, S)$, $CT_{R,\mathbb{A}} \leftarrow \mathsf{Encrypt}(PP, M, R, \mathbb{A})$. If $(k \in [N] \setminus R) \wedge (S \text{ satisfies } \mathbb{A})$ then $\mathsf{Decrypt}(PP, CT_{R,\mathbb{A}}, SK_{k,S}) = M$.

Security. The security of the R-CP-ABE is defined using the following message-hiding game, which is a typical semantic security game and is similar to that of conventional CP-ABE [19,27].

$\mathsf{Game}_{\mathsf{MH}}$. The message-hiding game is defined between a challenger and an adversary $\mathcal{A}$ as follows:

Setup. The challenger runs $\mathsf{Setup}(\lambda, N)$ and gives the public parameter $PP$ to $\mathcal{A}$.

Phase 1. For $i = 1$ to $Q_1$, $\mathcal{A}$ adaptively submits an (index, attribute set) pair $(k_i, S_{k_i})$ to ask for a secret key for attribute set $S_{k_i}$. For each $(k_i, S_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, S_{k_i}}$, which corresponds to attribute set $S_{k_i}$ and has index $k_i$.

Challenge. $\mathcal{A}$ submits two equal-length messages $M_0, M_1$ and a (revocation list, access policy) pair $(R, \mathbb{A})$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_{R,\mathbb{A}} \leftarrow \mathsf{Encrypt}(PP, M_b, R, \mathbb{A})$ to $\mathcal{A}$.

Phase 2. For $i = Q_1 + 1$ to $Q$, $\mathcal{A}$ adaptively submits an (index, attribute set) pair $(k_i, S_{k_i})$ to ask for a secret key for attribute set $S_{k_i}$. For each $(k_i, S_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, S_{k_i}}$, which corresponds to attribute set $S_{k_i}$ and has index $k_i$.

Guess. $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ for $b$.

$\mathcal{A}$ wins the game if $b' = b$ under the restriction that none of the queried $\{(k_i, S_{k_i})\}_{i=1}^{Q}$ can satisfy $(k_i \in [N] \setminus R)$ AND ($S_{k_i}$ satisfies $\mathbb{A}$). The advantage of $\mathcal{A}$ is defined as $\mathsf{MHAdv}_{\mathcal{A}} = |\Pr[b' = b] - \tfrac{1}{2}|$.

Definition 1. An $N$-user R-CP-ABE scheme is secure if for all probabilistic polynomial time (PPT) adversaries $\mathcal{A}$, $\mathsf{MHAdv}_{\mathcal{A}}$ is negligible in $\lambda$. We say that an $N$-user R-CP-ABE scheme is selectively secure if we add an Init stage before Setup where the adversary commits to the access policy $\mathbb{A}$.

Remark: (1) Although the KeyGen algorithm is responsible for determining/assigning the index of each user's secret key, to capture the security that an adversary can adaptively choose secret keys to corrupt, the above model allows $\mathcal{A}$ to specify the index when querying for a key, i.e., for $i = 1$ to $Q$, $\mathcal{A}$ submits pairs $(k_i, S_{k_i})$ for secret keys with attribute sets $S_{k_i}$, and the challenger assigns $k_i$ to be the index of the corresponding secret key, where $Q \le N$, $k_i \in [N]$, and $k_i \ne k_j$ for all $1 \le i \ne j \le Q$ (this guarantees that each user/key can be uniquely identified by an index). (2) For $k_i \ne k_j$ we do not require $S_{k_i} \ne S_{k_j}$, i.e., different users/keys may have the same attribute set.

Remark: (1) The R-CP-ABE defined above extends the conventional definition of non-revocable CP-ABE [19,21,27], where the revocation list $R$ is always empty. (2) When the revocation list $R$ needs an update because, for example, some secret keys have been compromised or some users have left the system, the updated $R$ needs to be disseminated to encrypting parties. In practice, this can be done in a similar way to certificate revocation list distribution in the existing Public Key Infrastructure, namely an authority may update $R$ and publish it together with the authority's signature on it. (3) From the point of view of the public, $R$ is just a set of numbers (in $[N]$). These numbers (or indices) do not have to provide any information on the corresponding users; in fact, besides the authority who runs KeyGen, each user only knows his/her own index. Also, encrypting parties do not need to know the indices of any users in order to encrypt, but only the access policies. Although associating a revocation list with a ciphertext might make the resulting CP-ABE look less purely attribute-based, it does not undermine the capability of CP-ABE, that is, enabling fine-grained access control on encrypted messages.
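The decision that Decrypt makes, $(k \in [N] \setminus R)$ AND ($S$ satisfies $\mathbb{A}$), can be exercised without any cryptography. The following is an added example, not code from the paper: it parses a monotone Boolean policy such as Alice's "Mathematics AND (PhD Student OR Alumni)", evaluates it on a key's attribute set, applies the revocation list exactly as Decrypt does, and converts the policy into an LSSS matrix with the Lewko-Waters conversion rule so that $l$, the number of LSSS rows counted in Table 1, can be read off. The formula syntax (AND binding tighter than OR, parentheses, attribute names as arbitrary strings, which is what a large universe permits) and all function names are this example's own assumptions.

```python
"""Revocable CP-ABE access decision, simulated (added example, not the paper's code).

Nothing here is encrypted: the functions decide *whether* SK_{k,S} may
decrypt a ciphertext under (R, A), and expose the LSSS shape of A.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    attr: str            # any string is an attribute (large universe)


@dataclass(frozen=True)
class Gate:
    op: str              # "AND" or "OR"; only monotone gates, no NOT
    left: "Policy"
    right: "Policy"


Policy = Union[Leaf, Gate]


def tokenize(text: str) -> List[str]:
    # Parentheses and the keywords AND/OR are tokens; any text between them,
    # spaces included ("PhD Student"), is a single attribute name.
    parts = re.split(r"(\(|\)|\bAND\b|\bOR\b)", text)
    return [p.strip() for p in parts if p.strip()]


def parse_policy(text: str) -> Policy:
    """Recursive-descent parser; grammar is assumed: AND binds tighter than OR."""
    toks = tokenize(text)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of policy")
        pos += 1
        return toks[pos - 1]

    def or_expr():                      # or_expr := and_expr (OR and_expr)*
        node = and_expr()
        while peek() == "OR":
            take()
            node = Gate("OR", node, and_expr())
        return node

    def and_expr():                     # and_expr := atom (AND atom)*
        node = atom()
        while peek() == "AND":
            take()
            node = Gate("AND", node, atom())
        return node

    def atom():                         # atom := "(" or_expr ")" | attribute
        t = take()
        if t == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if t in ("AND", "OR", ")"):
            raise ValueError(f"unexpected token {t!r}")
        return Leaf(t)

    tree = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return tree


def satisfies(policy: Policy, S: Set[str]) -> bool:
    """'S satisfies A': evaluate the monotone formula with attr := (attr in S)."""
    if isinstance(policy, Leaf):
        return policy.attr in S
    l, r = satisfies(policy.left, S), satisfies(policy.right, S)
    return (l and r) if policy.op == "AND" else (l or r)


def can_decrypt(k: int, S: Set[str], N: int, R: Set[int], policy: Policy) -> bool:
    """Decrypt's success condition: (k in [N] \\ R) AND (S satisfies A)."""
    return 1 <= k <= N and k not in R and satisfies(policy, S)


def to_lsss(policy: Policy) -> List[Tuple[str, List[int]]]:
    """Lewko-Waters conversion of a monotone formula into an LSSS matrix.

    Returns one (attribute, row) pair per leaf in leaf order; the number of
    pairs is l in Table 1. The rows of a satisfying set span (1, 0, ..., 0).
    """
    rows: List[Tuple[str, List[int]]] = []
    width = 1                              # the global counter c of the rule

    def walk(node: Policy, vec: List[int]) -> None:
        nonlocal width
        if isinstance(node, Leaf):
            rows.append((node.attr, vec))
        elif node.op == "OR":              # both children inherit the vector
            walk(node.left, vec)
            walk(node.right, vec)
        else:                              # AND: v|1 and 0..0|-1, widen by one
            left = vec + [0] * (width - len(vec)) + [1]
            right = [0] * width + [-1]
            width += 1
            walk(node.left, left)
            walk(node.right, right)

    walk(policy, [1])
    return [(a, v + [0] * (width - len(v))) for a, v in rows]
```

For Alice's policy `to_lsss` yields rows (1,1), (0,-1), (0,-1) for Mathematics, PhD Student and Alumni, so $l = 3$; a key with {Mathematics, Alumni} sums its rows to (1,0) and decrypts, while the same key with its index in $R$ is refused by `can_decrypt` even though the policy is satisfied.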

2.2 Blackbox Traceability

A policy-specific decryption blackbox $\mathcal{D}$ is described by a (revocation list, access policy) pair $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$ and a non-negligible probability value $\epsilon$ (i.e. $\epsilon = 1/f(\lambda)$ for some polynomial $f$), and this blackbox $\mathcal{D}$ can decrypt ciphertexts generated under $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$ with probability at least $\epsilon$. Such a blackbox reflects most practical scenarios, which include the key-like decryption blackbox offered for sale and the decryption blackbox found in the wild, both discussed in [21,23]. In particular, once a blackbox is found to be able to decrypt ciphertexts (regardless of how this is found, for example, an explicit description of the blackbox's decryption ability is given, or a law enforcement agency finds some clue), we can regard it as a policy-specific decryption blackbox with the corresponding (revocation list, access policy) pair (which is associated with the ciphertext). We now define the tracing algorithm and traceability against policy-specific decryption blackboxes.

$\mathsf{Trace}^{\mathcal{D}}(PP, R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}}, \epsilon) \to \mathbb{K}_T \subseteq [N]$. Trace is an oracle algorithm that interacts with a policy-specific decryption blackbox $\mathcal{D}$. Given the public parameter $PP$, a revocation list $R_{\mathcal{D}}$, an access policy $\mathbb{A}_{\mathcal{D}}$, and a probability value $\epsilon$, the algorithm runs in time polynomial in $\lambda$ and $1/\epsilon$, and outputs an index set $\mathbb{K}_T \subseteq [N]$ which identifies the set of malicious users. Note that $\epsilon$ has to be polynomially related to $\lambda$, i.e. $\epsilon = 1/f(\lambda)$ for some polynomial $f$.

Traceability. The following tracing game captures the notion of fully collusion-resistant traceability against policy-specific decryption blackboxes. In the game, the adversary's goal is to build a decryption blackbox $\mathcal{D}$ that can decrypt ciphertexts under some (revocation list, access policy) pair $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$.

$\mathsf{Game}_{\mathsf{TR}}$. The tracing game is defined between a challenger and an adversary $\mathcal{A}$ as follows:

Setup. The challenger runs $\mathsf{Setup}(\lambda, N)$ and gives the public parameter $PP$ to $\mathcal{A}$.

Key Query. For $i = 1$ to $Q$, $\mathcal{A}$ adaptively submits an (index, attribute set) pair $(k_i, S_{k_i})$ to ask for a secret key for attribute set $S_{k_i}$. For each $(k_i, S_{k_i})$ pair, the challenger responds with a secret key $SK_{k_i, S_{k_i}}$, which corresponds to attribute set $S_{k_i}$ and has index $k_i$.

Decryption Blackbox Generation. $\mathcal{A}$ outputs a decryption blackbox $\mathcal{D}$ associated with a (revocation list, access policy) pair $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$ and a non-negligible probability value $\epsilon$.

Tracing. The challenger runs $\mathsf{Trace}^{\mathcal{D}}(PP, R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}}, \epsilon)$ to obtain an index set $\mathbb{K}_T \subseteq [N]$. Let $\mathbb{K}_{\mathcal{D}} = \{k_i \mid 1 \le i \le Q\}$ be the index set of secret keys corrupted by the adversary.

We say that $\mathcal{A}$ wins the game if the following two conditions hold:

1. $\Pr[\mathcal{D}(\mathsf{Encrypt}(PP, M, R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})) = M] \ge \epsilon$, where the probability is taken over the random choice of the message $M$ and the random coins of $\mathcal{D}$. A decryption blackbox satisfying this condition is said to be a useful policy-specific decryption blackbox.

2. $\mathbb{K}_T = \emptyset$, or $\mathbb{K}_T \not\subseteq \mathbb{K}_{\mathcal{D}}$, or $((k_t \in R_{\mathcal{D}})$ OR ($S_{k_t}$ does not satisfy $\mathbb{A}_{\mathcal{D}}))$ for all $k_t \in \mathbb{K}_T$.

We denote by $\mathsf{TRAdv}_{\mathcal{A}}$ the probability that $\mathcal{A}$ wins.

Remark: For a useful policy-specific decryption blackbox $\mathcal{D}$, traceability requires the traced $\mathbb{K}_T$ to satisfy $(\mathbb{K}_T \ne \emptyset) \wedge (\mathbb{K}_T \subseteq \mathbb{K}_{\mathcal{D}}) \wedge (\exists k_t \in \mathbb{K}_T \text{ s.t. } (k_t \in [N] \setminus R_{\mathcal{D}}) \text{ AND } (S_{k_t} \text{ satisfies } \mathbb{A}_{\mathcal{D}}))$. (1) $(\mathbb{K}_T \ne \emptyset) \wedge (\mathbb{K}_T \subseteq \mathbb{K}_{\mathcal{D}})$ captures the preliminary traceability that the tracing algorithm can extract at least one malicious user and that the coalition of malicious users cannot frame any innocent user. (2) $(\exists k_t \in \mathbb{K}_T \text{ s.t. } (k_t \in [N] \setminus R_{\mathcal{D}}) \text{ AND } (S_{k_t} \text{ satisfies } \mathbb{A}_{\mathcal{D}}))$ captures the strong traceability that the tracing algorithm can extract at least one malicious user whose secret key enables $\mathcal{D}$ to have the

decryption ability corresponding to $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$, i.e. whose index is not in $R_{\mathcal{D}}$ and whose attribute set satisfies $\mathbb{A}_{\mathcal{D}}$. We refer to [15,21] on why strong traceability is desirable. Note that, as in [6,7,10,15,21], we are modeling a stateless (resettable) decryption blackbox: such a blackbox is just an oracle and maintains no state between activations. Also note that we are modeling public traceability, namely, the Trace algorithm does not need any secrets and anyone can perform the tracing.

Definition 2. An $N$-user R-CP-ABE scheme is traceable against policy-specific decryption blackboxes if for all PPT adversaries $\mathcal{A}$, $\mathsf{TRAdv}_{\mathcal{A}}$ is negligible in $\lambda$. We say that an $N$-user R-CP-ABE is selectively traceable against policy-specific decryption blackboxes if we add an Init stage before Setup where the adversary commits to the access policy $\mathbb{A}_{\mathcal{D}}$.

In the traceable CP-ABE of [21], given a decryption blackbox, it is guaranteed that at least one secret key in the blackbox will be traced. In the traceable R-CP-ABE above, it is moreover possible to trace all the active secret keys in the blackbox. In particular, given a decryption blackbox $\mathcal{D}$ described by $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$ and non-negligible probability $\epsilon$, we can run Trace to obtain an index set $\mathbb{K}_T$ such that $(\mathbb{K}_T \ne \emptyset) \wedge (\mathbb{K}_T \subseteq \mathbb{K}_{\mathcal{D}}) \wedge (\exists k_t \in \mathbb{K}_T \text{ s.t. } (k_t \in [N] \setminus R_{\mathcal{D}}) \text{ AND } (S_{k_t} \text{ satisfies } \mathbb{A}_{\mathcal{D}}))$. Then, we can set a new revocation list $R'_{\mathcal{D}} = R_{\mathcal{D}} \cup \{k_t \in \mathbb{K}_T \mid (k_t \in [N] \setminus R_{\mathcal{D}}) \text{ AND } (S_{k_t} \text{ satisfies } \mathbb{A}_{\mathcal{D}})\}$ and test whether $\mathcal{D}$ can decrypt ciphertexts under $(R'_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$. If $\mathcal{D}$ can still decrypt the ciphertexts with some non-negligible probability $\eps'$, we can run Trace on $(R'_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}}, \epsilon')$ and obtain a new index set $\mathbb{K}'_T$, where $(\mathbb{K}'_T \ne \emptyset) \wedge (\mathbb{K}'_T \subseteq \mathbb{K}_{\mathcal{D}}) \wedge (\exists k_t \in \mathbb{K}'_T \text{ s.t. } (k_t \in [N] \setminus R'_{\mathcal{D}}) \text{ AND } (S_{k_t} \text{ satisfies } \mathbb{A}_{\mathcal{D}}))$. By repeating this process, iteratively expanding the revocation list until $\mathcal{D}$ can no longer decrypt the corresponding ciphertexts, we find all the active malicious users of $\mathcal{D}$.

3 Augmented R-CP-ABE

As outlined in Sec. 1.1, we now define Augmented R-CP-ABE (or AugR-CP-ABE for short) from the R-CP-ABE above, formalize its security notions, then show that a secure AugR-CP-ABE can be transformed into a secure R-CP-ABE with blackbox traceability. In Sec. 4, we propose a concrete construction of AugR-CP-ABE.

3.1 Definitions

An AugR-CP-ABE scheme has four algorithms: $\mathsf{Setup}_A$, $\mathsf{KeyGen}_A$, $\mathsf{Encrypt}_A$, and $\mathsf{Decrypt}_A$. The setup algorithm $\mathsf{Setup}_A$ and the key generation algorithm $\mathsf{KeyGen}_A$ are the same as those of R-CP-ABE. The encryption algorithm takes one more parameter $\bar{k} \in [N+1]$ as input, and is defined as follows.

$\mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, \bar{k}) \to CT_{R,\mathbb{A}}$. The algorithm takes as input $PP$, a message $M$, a revocation list $R \subseteq [N]$, an access policy $\mathbb{A}$, and an index $\bar{k} \in [N+1]$, and outputs a ciphertext $CT_{R,\mathbb{A}}$. $(R, \mathbb{A})$ is included in $CT_{R,\mathbb{A}}$, but the value of $\bar{k}$ is not.

The decryption algorithm $\mathsf{Decrypt}_A$ is also defined in the same way as that of R-CP-ABE. However, the correctness definition is changed to the following.

Correctness. For any attribute set $S \subseteq \mathcal{U}$, index $k \in [N]$, revocation list $R \subseteq [N]$, access policy $\mathbb{A}$ over $\mathcal{U}$, encryption index $\bar{k} \in [N+1]$, and message $M$, suppose $(PP, MSK) \leftarrow \mathsf{Setup}_A(\lambda, N)$, $SK_{k,S} \leftarrow$

$\mathsf{KeyGen}_A(PP, MSK, S)$, $CT_{R,\mathbb{A}} \leftarrow \mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, \bar{k})$. If $(k \in [N] \setminus R) \wedge (S \text{ satisfies } \mathbb{A}) \wedge (k \ge \bar{k})$ then $\mathsf{Decrypt}_A(PP, CT_{R,\mathbb{A}}, SK_{k,S}) = M$.

Note that during decryption, as long as $(k \in [N] \setminus R) \wedge (S \text{ satisfies } \mathbb{A})$, the decryption algorithm outputs a message, but only when $k \ge \bar{k}$ is the output equal to the correct message; that is, $SK_{k,S}$ correctly decrypts a ciphertext under $(R, \mathbb{A}, \bar{k})$ if and only if $(k \in [N] \setminus R) \wedge (S \text{ satisfies } \mathbb{A}) \wedge (k \ge \bar{k})$. If we always set $\bar{k} = 1$, the functionality of AugR-CP-ABE is identical to that of R-CP-ABE. In fact, the idea behind transforming an AugR-CP-ABE into a traceable R-CP-ABE, which we will show shortly, is to construct an AugR-CP-ABE with the index-hiding property, and then always set $\bar{k} = 1$ in normal encryption, while using $\bar{k} \in [N+1]$ to generate ciphertexts for tracing.

Security. We define the security of AugR-CP-ABE in two games. The first game is a message-hiding game and says that a ciphertext created using index $N+1$ is unreadable by anyone. The second game is an index-hiding game and captures the intuition that a ciphertext created using index $\bar{k}$ reveals no non-trivial information about $\bar{k}$.

$\mathsf{Game}^{A}_{\mathsf{MH}}$. The message-hiding game $\mathsf{Game}^{A}_{\mathsf{MH}}$ is similar to $\mathsf{Game}_{\mathsf{MH}}$ except that the Challenge phase is:

Challenge. $\mathcal{A}$ submits two equal-length messages $M_0, M_1$ and a (revocation list, access policy) pair $(R, \mathbb{A})$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_{R,\mathbb{A}} \leftarrow \mathsf{Encrypt}_A(PP, M_b, R, \mathbb{A}, N+1)$ to $\mathcal{A}$.

$\mathcal{A}$ wins the game if $b' = b$. The advantage of $\mathcal{A}$ is defined as $\mathsf{MH}^{A}\mathsf{Adv}_{\mathcal{A}} = |\Pr[b' = b] - \tfrac{1}{2}|$.

Definition 3. An $N$-user Augmented R-CP-ABE scheme is message-hiding if for all PPT adversaries $\mathcal{A}$ the advantage $\mathsf{MH}^{A}\mathsf{Adv}_{\mathcal{A}}$ is negligible in $\lambda$.

$\mathsf{Game}^{A}_{\mathsf{IH}}$. In the index-hiding game, we require that, for any (revocation list, access policy) pair $(R, \mathbb{A})$, an adversary cannot distinguish between a ciphertext under $(R, \mathbb{A}, \bar{k})$ and one under $(R, \mathbb{A}, \bar{k}+1)$ without a secret key $SK_{\bar{k}, S_{\bar{k}}}$ such that $(\bar{k} \in [N] \setminus R) \wedge (S_{\bar{k}} \text{ satisfies } \mathbb{A})$. The game takes as input a parameter $\bar{k} \in [N]$ which is given to both the challenger and the adversary. The game is similar to $\mathsf{Game}_{\mathsf{MH}}$ except that the Challenge phase is:

Challenge. $\mathcal{A}$ submits a message $M$ and a (revocation list, access policy) pair $(R, \mathbb{A})$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_{R,\mathbb{A}} \leftarrow \mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, \bar{k} + b)$ to $\mathcal{A}$.

$\mathcal{A}$ wins the game if $b' = b$ under the restriction that none of the queried pairs $\{(k_i, S_{k_i})\}_{i=1}^{Q}$ can satisfy $(k_i = \bar{k}) \wedge (k_i \in [N] \setminus R) \wedge (S_{k_i} \text{ satisfies } \mathbb{A})$. The advantage of $\mathcal{A}$ is defined as $\mathsf{IH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}] = |\Pr[b' = b] - \tfrac{1}{2}|$.

Definition 4. An $N$-user Augmented R-CP-ABE scheme is index-hiding if for all PPT adversaries $\mathcal{A}$ the advantages $\mathsf{IH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}]$ for $\bar{k} = 1, \dots, N$ are negligible in $\lambda$. We say that an Augmented R-CP-ABE scheme is selectively index-hiding if we add an Init stage before Setup where the adversary commits to the challenge access policy $\mathbb{A}$.

3.2 The Reduction of Traceable R-CP-ABE to Augmented R-CP-ABE

Let $\Sigma_A = (\mathsf{Setup}_A, \mathsf{KeyGen}_A, \mathsf{Encrypt}_A, \mathsf{Decrypt}_A)$ be an AugR-CP-ABE, and define $\mathsf{Encrypt}(PP, M, R, \mathbb{A}) = \mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, 1)$; then $\Sigma = (\mathsf{Setup}_A, \mathsf{KeyGen}_A, \mathsf{Encrypt}, \mathsf{Decrypt}_A)$ is an R-CP-ABE derived from $\Sigma_A$. In the following, we show that if $\Sigma_A$ is message-hiding and index-hiding, then $\Sigma$ is secure (w.r.t. Def. 1). Furthermore, we propose a tracing algorithm Trace for $\Sigma$ and show that if $\Sigma_A$ is message-hiding and index-hiding, then $\Sigma$ (equipped with Trace) is traceable (w.r.t. Def. 2).

3.2.1 R-CP-ABE Security

Theorem 1. If $\Sigma_A$ is message-hiding and index-hiding (resp. selectively index-hiding), then $\Sigma$ is secure (resp. selectively secure).

Proof. First we need a slightly more elaborate message-hiding game for $\Sigma_A$. In addition to $N$ and $\lambda$, this extended game, denoted $\mathsf{Game}^{A}_{\mathsf{EMH}}$, takes as input a parameter $\bar{k} \in [N+1]$ which is given only to the challenger. $\mathsf{Game}^{A}_{\mathsf{EMH}}$ is similar to the original $\mathsf{Game}^{A}_{\mathsf{MH}}$ except that the Challenge phase is:

Challenge. $\mathcal{A}$ submits two equal-length messages $M_0, M_1$ and a (revocation list, access policy) pair $(R, \mathbb{A})$. The challenger flips a random coin $b \in \{0, 1\}$, and sends $CT_{R,\mathbb{A}} \leftarrow \mathsf{Encrypt}_A(PP, M_b, R, \mathbb{A}, \bar{k})$ to $\mathcal{A}$. This is the only place where $\bar{k}$ is used in the game.

The adversary $\mathcal{A}$ wins the game if $b' = b$ under the restriction that none of the queried pairs $\{(k_i, S_{k_i})\}_{i=1}^{Q}$ can satisfy $(k_i \in [N] \setminus R) \wedge (S_{k_i} \text{ satisfies } \mathbb{A})$. The advantage of $\mathcal{A}$ is defined as $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}] = |\Pr[b' = b] - \tfrac{1}{2}|$.

When $\bar{k} = 1$, the game above, including the restriction, is exactly identical to the message-hiding game $\mathsf{Game}_{\mathsf{MH}}$ for $\Sigma$, thus we have $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[1] = \mathsf{MHAdv}_{\mathcal{A}}$. When $\bar{k} = N+1$, we have that $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[N+1] \le \mathsf{MH}^{A}\mathsf{Adv}_{\mathcal{A}}$, since $\mathsf{Game}^{A}_{\mathsf{MH}}$ is identical to $\mathsf{Game}^{A}_{\mathsf{EMH}}$ for $\bar{k} = N+1$ except that there is no restriction in $\mathsf{Game}^{A}_{\mathsf{MH}}$. In the following proof sketch, we use the facts that $\Sigma_A$ is message-hiding and index-hiding to show that $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[1]$ is negligible, which implies that $\mathsf{MHAdv}_{\mathcal{A}}$ is negligible (i.e. $\Sigma$ is secure w.r.t. Def. 1). Suppose that $\Sigma$ is not secure, i.e. $\mathsf{MHAdv}_{\mathcal{A}} > \epsilon$ for some adversary $\mathcal{A}$ and non-negligible $\epsilon$. $\mathsf{MHAdv}_{\mathcal{A}} > \epsilon$ implies that $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[1] > \epsilon$. As $\Sigma_A$ is message-hiding, $\mathsf{MH}^{A}\mathsf{Adv}_{\mathcal{A}}$ is negligible (for simplicity, say $\mathsf{MH}^{A}\mathsf{Adv}_{\mathcal{A}} = 0$), thus $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[N+1] = 0$. Then, by the standard hybrid argument there exists a $\bar{k} \in [N]$ such that $|\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}] - \mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}+1]| > \epsilon/N$. In other words, with non-negligible probability, $\mathcal{A}$ is able to distinguish $\mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, \bar{k})$ from $\mathsf{Encrypt}_A(PP, M, R, \mathbb{A}, \bar{k}+1)$ for some $M$ and $(R, \mathbb{A})$. But then $\mathcal{A}$ can directly be used to win the index-hiding game $\mathsf{Game}^{A}_{\mathsf{IH}}$. More specifically, by a reduction (the details are given in Appendix A) in which an adversary $\mathcal{B}$ in $\mathsf{Game}^{A}_{\mathsf{IH}}$ with input $\bar{k}$ makes use of an adversary $\mathcal{A}$ by simulating $\mathsf{Game}^{A}_{\mathsf{EMH}}$, we show that for any $\mathcal{A}$ there exists $\mathcal{B}$ such that for all $\bar{k} = 1, \dots, N$ we have

$$|\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}] - \mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}+1]| \le 2\,\mathsf{IH}^{A}\mathsf{Adv}_{\mathcal{B}}[\bar{k}]. \quad (1)$$

Then we have

$$\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[1] - \mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[N+1] \le \sum_{\bar{k}=1}^{N} \left|\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}] - \mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[\bar{k}+1]\right| \le 2 \sum_{\bar{k}=1}^{N} \mathsf{IH}^{A}\mathsf{Adv}_{\mathcal{B}}[\bar{k}].$$

But since $\Sigma_A$ is message-hiding and index-hiding, $\mathsf{MH}^{A}\mathsf{Adv}_{\mathcal{A}}$ ($\ge \mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[N+1]$) and $\mathsf{IH}^{A}\mathsf{Adv}_{\mathcal{B}}[\bar{k}]$ for $\bar{k} = 1, \dots, N$ are negligible for any PPT adversary. Therefore, $\mathsf{EMH}^{A}\mathsf{Adv}_{\mathcal{A}}[1]$ is negligible. The selective case is similar.

3.2.2 R-CP-ABE Traceability

We now propose a tracing algorithm Trace, which uses a general tracing method previously used in [5,24,6,7,10,21], and show that, equipped with Trace, $\Sigma$ is traceable (w.r.t. Def. 2).

$\mathsf{Trace}^{\mathcal{D}}(PP, R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}}, \epsilon) \to \mathbb{K}_T \subseteq [N]$: Given a policy-specific decryption blackbox $\mathcal{D}$ associated with a (revocation list, access policy) pair $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$ and probability $\epsilon > 0$, the tracing algorithm works as follows:

1. For $\bar{k} = 1$ to $N+1$, do the following:
   (a) Repeat the following $8\lambda(N/\epsilon)^2$ times: sample $M$ from the message space at random; let $CT_{R_{\mathcal{D}},\mathbb{A}_{\mathcal{D}}} \leftarrow \mathsf{Encrypt}_A(PP, M, R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}}, \bar{k})$; query the oracle $\mathcal{D}$ on input $CT_{R_{\mathcal{D}},\mathbb{A}_{\mathcal{D}}}$, and compare the output of $\mathcal{D}$ with $M$.
   (b) Let $\hat{p}_{\bar{k}}$ be the fraction of times that $\mathcal{D}$ decrypted the ciphertexts correctly.
2. Let $\mathbb{K}_T$ be the set of all $\bar{k} \in [N]$ for which $\hat{p}_{\bar{k}} - \hat{p}_{\bar{k}+1} \ge \epsilon/(4N)$.

Output $\mathbb{K}_T$.

Theorem 2. If $\Sigma_A$ is message-hiding and index-hiding (resp. selectively index-hiding), then $\Sigma$ is traceable (resp. selectively traceable).

Proof. We show that if the blackbox output by the adversary is useful then $\mathbb{K}_T$ satisfies $(\mathbb{K}_T \ne \emptyset) \wedge (\mathbb{K}_T \subseteq \mathbb{K}_{\mathcal{D}}) \wedge (\exists k_t \in \mathbb{K}_T \text{ s.t. } (k_t \in [N] \setminus R_{\mathcal{D}}) \wedge (S_{k_t} \text{ satisfies } \mathbb{A}_{\mathcal{D}}))$ with overwhelming probability, which implies that the adversary cannot win $\mathsf{Game}_{\mathsf{TR}}$, i.e., $\mathsf{TRAdv}_{\mathcal{A}}$ is negligible. The selective case is similar. Let $\mathcal{D}$ be the policy-specific decryption blackbox output by the adversary, and $(R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}})$ be the (revocation list, access policy) pair describing $\mathcal{D}$. Define $p_{\bar{k}} = \Pr[\mathcal{D}(\mathsf{Encrypt}_A(PP, M, R_{\mathcal{D}}, \mathbb{A}_{\mathcal{D}}, \bar{k})) = M]$, where the probability is taken over the random choice of the message $M$ and the random coins of $\mathcal{D}$. We have that $p_1 \ge \epsilon$ and $p_{N+1}$ is negligible (for simplicity let $p_{N+1} = 0$). The former follows from the fact that $\mathcal{D}$ is useful, and the latter because $\Sigma_A$ is message-hiding in $\mathsf{Game}^{A}_{\mathsf{MH}}$. Then there must exist some $\bar{k} \in [N]$ such that $p_{\bar{k}} - p_{\bar{k}+1} \ge \epsilon/(2N)$. By the Chernoff bound it follows
that wth overwhelmng probablty, ˆp k ˆp k+1 ɛ/(4n Hence, we have K T For any k K T (e, ˆp k ˆp k+1 ɛ 4N, we know, by Chernoff, that wth overwhelmng probablty p k p k+1 ɛ/(8n Clearly (k K D (k [N] \ R D (S k satsfes A D snce otherwse, D can drectly be used to wn the ndex-hdng game for Σ A Hence, we have (K T K D ((k [N] \ R D (S k satsfes A D k K T 11
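The tracing loop above, simulated end to end in Python as an added example (this is not code from the paper). $\mathsf{Encrypt}_A$ is abstracted to the pair $(k, M)$ and the blackbox $\mathcal{D}$ is a constructed simulation embedding a hypothetical traitor index set $\mathbb{K}_{\mathcal{D}}$, mimicking the scheme's property that a key with index $k'$ recovers an index-$k$ ciphertext iff $k' \ge k$; $N$, $\lambda$, $\epsilon$, the seed and the traitor set are constructed sample values.

```python
"""Simulation of Trace^D from Sec. 3.2.2 (added example; not the paper's code)."""
import random
from typing import Callable, Iterable, List, Tuple

# Stand-in for CT_{R_D, A_D} <- Encrypt_A(PP, M, R_D, A_D, k): only the index k and
# the message M matter to the simulated blackbox, so no pairing arithmetic is done.
Ciphertext = Tuple[int, int]


def make_blackbox(traitor_indices: Iterable[int],
                  rng: random.Random) -> Callable[[Ciphertext], int]:
    """Constructed policy-specific decryption blackbox D holding the keys in K_D.

    Mimics the scheme's decryption property: a key with index k' decrypts a
    ciphertext encrypted to index k iff k' >= k (every embedded key is assumed
    non-revoked and policy-satisfying). On each query D tries one of its keys,
    chosen uniformly at random; on failure it outputs an unrelated 64-bit value.
    """
    keys = list(traitor_indices)

    def decrypt(ct: Ciphertext) -> int:
        k, m = ct
        if rng.choice(keys) >= k:
            return m
        return rng.getrandbits(64)

    return decrypt


def trace(blackbox: Callable[[Ciphertext], int], n_users: int, eps: float,
          lam: int, rng: random.Random) -> List[int]:
    """Trace^D(PP, R_D, A_D, eps) -> K_T, following steps 1 and 2 of the algorithm.

    n_users is N, eps the usefulness probability of D, and lam the security
    parameter lambda fixing the 8*lam*(N/eps)^2 repetitions per index.
    """
    reps = int(8 * lam * (n_users / eps) ** 2)
    p_hat = {}
    for k in range(1, n_users + 2):        # step 1: k = 1, ..., N+1
        correct = 0
        for _ in range(reps):               # step 1(a)
            m = rng.getrandbits(64)         # sample M from the message space
            ct: Ciphertext = (k, m)         # CT <- Encrypt_A(PP, M, R_D, A_D, k)
            if blackbox(ct) == m:           # query D and compare its output with M
                correct += 1
        p_hat[k] = correct / reps           # step 1(b): fraction decrypted correctly
    # step 2: K_T = { k in [N] : p_hat_k - p_hat_{k+1} >= eps / (4N) }
    threshold = eps / (4 * n_users)
    return [k for k in range(1, n_users + 1) if p_hat[k] - p_hat[k + 1] >= threshold]


def run_scenario(traitors: List[int], seed: int, n_users: int = 4,
                 eps: float = 0.5, lam: int = 8) -> List[int]:
    """Build a blackbox from the constructed traitor set K_D and trace it."""
    rng = random.Random(seed)              # fixed seed: reproducible run
    blackbox = make_blackbox(traitors, rng)
    return trace(blackbox, n_users, eps, lam, rng)


if __name__ == "__main__":
    # Constructed sample: N = 4 users, D built from the keys with indices 2 and 3.
    # Then p_1 = p_2 = 1, p_3 = 1/2, p_4 = p_5 = 0, so the drops at k = 2 and k = 3
    # exceed eps/(4N) = 1/32 and both embedded keys are identified.
    print("K_T =", run_scenario([2, 3], seed=2024))   # prints K_T = [2, 3]
```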

4 An Efficient Augmented R-CP-ABE

We propose an AugR-CP-ABE scheme which is highly expressive and efficient, with sub-linear overhead in the number of users in the system. It is also large universe: attributes do not need to be enumerated during setup, and the public parameter size is independent of the attribute universe size. We prove that this AugR-CP-ABE scheme is message-hiding and selectively index-hiding in the standard model. Combining this AugR-CP-ABE with the results in Sec. 3.2, we obtain a large universe R-CP-ABE which is selectively secure and traceable, and for a fully collusion-resistant blackbox traceable CP-ABE, the resulting R-CP-ABE achieves the most efficient level to date, with sub-linear overhead.

To obtain this practical CP-ABE scheme supporting traitor tracing, revocation and large universe, we borrow ideas from the Blackbox Traceable CP-ABE of [21], the Trace and Revoke scheme of [10] and the Large Universe CP-ABE of [27], but the work is not trivial, as a straightforward combination of the ideas would result in a scheme which is inefficient, insecure, or not able to achieve strong traceability. Specifically, by incorporating the ideas from [10] and [27] into the Augmented CP-ABE of [21], we can obtain a large universe AugR-CP-ABE which is message-hiding, but proving the index-hiding property is a challenging task. The proof techniques for index-hiding in [21] only work if the attribute universe size is polynomial in the security parameter and the parameters of attributes are enumerated during setup; they are not applicable to large universe. The proof techniques in [27] are applicable to large universe, but work only for message-hiding and are not applicable to index-hiding. To prove index-hiding in the large universe setting, we introduce a new assumption on which the index-hiding of our large universe AugR-CP-ABE can be based. In particular, in the underlying q-1 assumption of [27] on bilinear groups $(p, \mathbb{G}, \mathbb{G}_T, e)$, the challenge term $T \in \mathbb{G}_T$ is $e(g,g)^{c a^{q+1}}$ or a random element, and such a term in the target group can be used to prove message-hiding, as the message space is $\mathbb{G}_T$. To prove index-hiding, which concerns the ciphertext components in the source group $\mathbb{G}$, we need the challenge term to be in the source group $\mathbb{G}$ so that the simulator can embed the challenge term into these ciphertext components. Inspired by the Source Group q-parallel BDHE Assumption in [20], which is a close relative of the (target group) Decisional Parallel BDHE Assumption in [31], we modify the q-1 assumption to its source group version, where the challenge term is $g^{c a^{q+1}}$ or a random element of $\mathbb{G}$. Based on this new assumption and with a new crucial proof idea, we prove the index-hiding property of our large universe AugR-CP-ABE. We prove that this new assumption holds in the generic group model.

4.1 Preliminaries

Linear Secret-Sharing Schemes (LSSS). An LSSS is a share-generating matrix $A$ whose rows are labeled by attributes via a function $\rho$. An attribute set $S$ satisfies the LSSS access matrix $(A, \rho)$ if the rows labeled by the attributes in $S$ have the linear reconstruction property, namely, there exist constants $\{\omega_i\}$ such that, for any valid shares $\{\lambda_i\}$ of a secret $s$, we have $\sum_i \omega_i \lambda_i = s$. The formal definitions of access structures and LSSS can be found in Appendix E.

Bilinear Groups. Let $\mathcal{G}$ be a group generator, which takes a security parameter $\lambda$ and outputs $(p, \mathbb{G}, \mathbb{G}_T, e)$, where $p$ is a prime, $\mathbb{G}$ and $\mathbb{G}_T$ are cyclic groups of order $p$, and $e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_T$ is a map such that: (1) (Bilinear) $\forall g, h \in \mathbb{G}$, $a, b \in \mathbb{Z}_p$: $e(g^a, h^b) = e(g, h)^{ab}$; (2) (Non-Degenerate) $\exists g \in \mathbb{G}$ such that $e(g, g)$ has order $p$ in $\mathbb{G}_T$. We refer to $\mathbb{G}$ as the source group and $\mathbb{G}_T$ as the target group. We assume that group operations in $\mathbb{G}$ and $\mathbb{G}_T$ as well as the bilinear map $e$ are efficiently computable, and that the descriptions of $\mathbb{G}$ and $\mathbb{G}_T$ include a generator of $\mathbb{G}$ and $\mathbb{G}_T$ respectively.

Complexity Assumptions. Besides the Decision 3-Party Diffie-Hellman Assumption (D3DH) and the Decisional Linear Assumption (DLIN) that are used in [10] to achieve traceability in broadcast encryption, the index-hiding property of our AugR-CP-ABE construction relies on a new assumption, which is similar to the Source Group q-parallel BDHE Assumption [20] and is closely related to the q-1 assumption in [27]. We refer to it as the Extended Source Group q-parallel BDHE Assumption. Here we only review this new assumption, and refer to Appendix F for the details of D3DH and DLIN.

The Extended Source Group q-parallel BDHE Assumption. Given a group generator $\mathcal{G}$ and a positive integer $q$, define the following distribution:

$(p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow_R \mathcal{G}(\lambda)$, $g \leftarrow_R \mathbb{G}$, $a, c, d, b_1, \ldots, b_q \leftarrow_R \mathbb{Z}_p$,

$$D = \Big( (p, \mathbb{G}, \mathbb{G}_T, e),\ g,\ g^{cd},\ g^{d},\ g^{d a^{q}},$$
$$\quad g^{a^i},\ g^{b_j},\ g^{a^i b_j},\ g^{a^i / b_j^2},\ g^{cd\, b_j} \quad \forall\, i, j \in [q],$$
$$\quad g^{a^i / b_j} \quad \forall\, i \in [2q] \setminus \{q+1\},\ j \in [q],$$
$$\quad g^{a^i b_j / b_{j'}^2} \quad \forall\, i \in [2q],\ j, j' \in [q] \text{ s.t. } j \neq j',$$
$$\quad g^{cd\, a^i b_j / b_{j'}},\ g^{cd\, a^i b_j / b_{j'}^2} \quad \forall\, i \in [q],\ j, j' \in [q] \text{ s.t. } j \neq j' \Big),$$

$T_0 = g^{c a^{q+1}}$, $T_1 \leftarrow_R \mathbb{G}$.

The advantage of an algorithm $\mathcal{A}$ in breaking the Extended Source Group q-parallel BDHE Assumption is $\mathsf{Adv}^{q}_{\mathcal{G},\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|$.

Definition 5. $\mathcal{G}$ satisfies the Extended Source Group q-parallel BDHE Assumption if $\mathsf{Adv}^{q}_{\mathcal{G},\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$ for any PPT algorithm $\mathcal{A}$.

This new assumption is closely related to the q-1 assumption in [27], except that the challenge term $g^{c a^{q+1}}$ remains in the source group, all the input terms (in $D$) replace $c$ with $cd$, and the additional input terms $g^d$ and $g^{d a^q}$ are given to the adversary. The relation between this assumption and the q-1 assumption is analogous to that between the Source Group q-parallel BDHE Assumption [20] and the Decisional Parallel BDHE Assumption [31], i.e. the challenge term changes from a term in the target group (i.e. $e(g,g)^{c a^{q+1}}$) to a term in the source group (i.e. $g^{c a^{q+1}}$), and the input terms are modified accordingly (i.e. replacing $c$ with $cd$, and adding $g^d$). The main difference is that in this new assumption there is an additional input term $g^{d a^q}$. Note that giving the term $g^{d a^q}$ does not pose any problem in the generic group model. Intuitively, there are two ways that the adversary may make use of the term $g^{d a^q}$: (1) pairing $g^{d a^q}$ with the challenge term: since the pairing of any two input terms would not yield $e(g,g)^{c d a^{2q+1}}$, the adversary cannot break this new assumption in this way; (2) pairing the challenge term with another input term whose exponent contains $d$: the result is then either a random element or one of $\{ e(g,g)^{c^2 d a^{q+1}}, e(g,g)^{c d a^{q+1}}, e(g,g)^{c^2 d b_j a^{q+1}}, e(g,g)^{c^2 d a^{q+1+i} b_j / b_{j'}}, e(g,g)^{c^2 d a^{q+1+i} b_j / b_{j'}^2} \}$, and as there is no input term which can be paired with $g^{d a^q}$ to obtain any of these terms, the adversary cannot break this new assumption in this way either. In Appendix D, we prove that this assumption holds in the generic group model.

It is worth mentioning that Liu et al. [23] modified the Source Group q-parallel BDHE Assumption [20] by adding $g^{d a^q}$ to, and removing $g^{a^{q+2}}, \ldots, g^{a^{2q}}$ from, the input terms.

Notations. Suppose that the number of users $N$ in the system equals $m^2$ for some $m$. In practice, if $N$ is not a square, we can add dummy users until it pads to the next square. We arrange the users in an $m \times m$ matrix and uniquely assign a tuple $(i, j)$, where $i, j \in [m]$, to each user. A user at position $(i, j)$ of the matrix has index $k = (i-1)m + j$. For simplicity, we directly use $(i, j)$ as the index, where $(i, j) \ge (\bar{i}, \bar{j})$ means that $((i > \bar{i}) \vee (i = \bar{i} \wedge j \ge \bar{j}))$. Let $[m, m]$ be the set $\{(i, j) \mid i, j \in [m]\}$. The use of the pairwise notation $(i, j)$ is purely a notational convenience, as $k = (i-1)m + j$ defines a bijection between $\{(i, j) \mid i, j \in [m]\}$ and $[N]$. For a given vector $\boldsymbol{v} = (v_1, \ldots, v_d)$, by $g^{\boldsymbol{v}}$ we mean the vector $(g^{v_1}, \ldots, g^{v_d})$. Furthermore, for $g^{\boldsymbol{v}} = (g^{v_1}, \ldots, g^{v_d})$ and $g^{\boldsymbol{w}} = (g^{w_1}, \ldots, g^{w_d})$, by $g^{\boldsymbol{v}} g^{\boldsymbol{w}}$ we mean the vector $(g^{v_1 + w_1}, \ldots, g^{v_d + w_d})$, i.e. $g^{\boldsymbol{v}} g^{\boldsymbol{w}} = g^{\boldsymbol{v} + \boldsymbol{w}}$, and by $e_d(g^{\boldsymbol{v}}, g^{\boldsymbol{w}})$ we mean $\prod_{k=1}^{d} e(g^{v_k}, g^{w_k})$, i.e. $e_d(g^{\boldsymbol{v}}, g^{\boldsymbol{w}}) = e(g, g)^{(\boldsymbol{v} \cdot \boldsymbol{w})}$, where $(\boldsymbol{v} \cdot \boldsymbol{w})$ is the inner product of $\boldsymbol{v}$ and $\boldsymbol{w}$. Given a prime $p$, one can randomly choose $r_x, r_y, r_z \in \mathbb{Z}_p$, and set $\chi_1 = (r_x, 0, r_z)$, $\chi_2 = (0, r_y, r_z)$, $\chi_3 = \chi_1 \times \chi_2 = (-r_y r_z, -r_x r_z, r_x r_y)$. Let $\mathrm{span}\{\chi_1, \chi_2\} = \{\nu_1 \chi_1 + \nu_2 \chi_2 \mid \nu_1, \nu_2 \in \mathbb{Z}_p\}$ be the subspace spanned by $\chi_1$ and $\chi_2$. We can see that $\chi_3$ is orthogonal to the subspace $\mathrm{span}\{\chi_1, \chi_2\}$ and $\mathbb{Z}_p^3 = \mathrm{span}\{\chi_1, \chi_2, \chi_3\} = \{\nu_1 \chi_1 + \nu_2 \chi_2 + \nu_3 \chi_3 \mid \nu_1, \nu_2, \nu_3 \in \mathbb{Z}_p\}$. For any $\boldsymbol{v} \in \mathrm{span}\{\chi_1, \chi_2\}$, $(\chi_3 \cdot \boldsymbol{v}) = 0$, and for random $\boldsymbol{v} \in \mathbb{Z}_p^3$, $(\chi_3 \cdot \boldsymbol{v}) \neq 0$ happens with overwhelming probability.

4.2 Augmented R-CP-ABE Construction

Now we propose a large universe Augmented R-CP-ABE, where the attribute universe is $\mathcal{U} = \mathbb{Z}_p$.

$\mathsf{Setup}_A(\lambda, N = m^2) \rightarrow (PP, MSK)$. The algorithm calls the group generator $\mathcal{G}(\lambda)$ to get $(p, \mathbb{G}, \mathbb{G}_T, e)$, where $p$ is the prime order of $\mathbb{G}$ and $\mathbb{G}_T$ and $e$ is the bilinear map, and sets the attribute universe to $\mathcal{U} = \mathbb{Z}_p$. It then randomly picks $g, h, f, f_1, \ldots, f_m, G, H \in \mathbb{G}$, $\{\alpha_i, r_i, z_i \in \mathbb{Z}_p\}_{i \in [m]}$, $\{c_j \in \mathbb{Z}_p\}_{j \in [m]}$, and outputs the public parameter $PP$ and master secret key $MSK$ as

$$PP = \Big( (p, \mathbb{G}, \mathbb{G}_T, e),\ g, h, f, f_1, \ldots, f_m, G, H,\ \{E_i = e(g, g)^{\alpha_i},\ G_i = g^{r_i},\ Z_i = g^{z_i}\}_{i \in [m]},\ \{H_j = g^{c_j}\}_{j \in [m]} \Big),$$
$$MSK = \big( \alpha_1, \ldots, \alpha_m,\ r_1, \ldots, r_m,\ c_1, \ldots, c_m \big).$$

A counter $\mathsf{ctr} = 0$ is implicitly included in $MSK$.

$\mathsf{KeyGen}_A(PP, MSK, S \subseteq \mathbb{Z}_p) \rightarrow SK_{(i,j),S}$. The algorithm first sets $\mathsf{ctr} = \mathsf{ctr} + 1$ and computes the corresponding index in the form of $(i, j)$, where $1 \le i, j \le m$ and $(i-1)m + j = \mathsf{ctr}$. Then it picks random exponents $\sigma_{i,j} \in \mathbb{Z}_p$, $\{\delta_{i,j,x} \in \mathbb{Z}_p\}_{x \in S}$, and outputs a secret key

$$SK_{(i,j),S} = \Big( (i, j),\ S,\ K_{i,j},\ K'_{i,j},\ K''_{i,j},\ \{\bar{K}_{i,j,j'}\}_{j' \in [m] \setminus \{j\}},\ \{K_{i,j,x}, K'_{i,j,x}\}_{x \in S} \Big),$$

where $K_{i,j} = g^{\alpha_i} g^{r_i c_j} (f f_j)^{\sigma_{i,j}}$, $K'_{i,j} = g^{\sigma_{i,j}}$, $K''_{i,j} = Z_i^{\sigma_{i,j}}$, $\{\bar{K}_{i,j,j'} = f_{j'}^{\sigma_{i,j}}\}_{j' \in [m] \setminus \{j\}}$, $\{K_{i,j,x} = g^{\delta_{i,j,x}},\ K'_{i,j,x} = (H^{x} h)^{\delta_{i,j,x}} G^{\sigma_{i,j}}\}_{x \in S}$.
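The index notation and the $\chi$-vector trick of Sec. 4.1, worked through in Python as an added example (not code from the paper): it checks the $(i, j) \leftrightarrow k$ bijection that $\mathsf{KeyGen}_A$ applies to $\mathsf{ctr}$, the order $(i, j) \ge (\bar{i}, \bar{j})$ on which encryption and decryption depend, and that $\chi_3$ is orthogonal to $\mathrm{span}\{\chi_1, \chi_2\}$ but not to a random vector. The prime $p$, the matrix size $m$ and the seed are constructed values, and no pairing group is implemented.

```python
"""Added example (not from the paper): index notation and chi vectors of Sec. 4.1."""
import random
from typing import Tuple

Vec3 = Tuple[int, int, int]

# Constructed parameters for the demonstration (not values from the paper).
P = 2**61 - 1          # a Mersenne prime standing in for the group order p
M_USERS = 4            # m: users sit in an m x m matrix, so N = m^2 = 16


def pos_to_index(i: int, j: int, m: int = M_USERS) -> int:
    """(i, j) in [m, m]  ->  k = (i - 1) m + j in [N]."""
    assert 1 <= i <= m and 1 <= j <= m
    return (i - 1) * m + j


def index_to_pos(k: int, m: int = M_USERS) -> Tuple[int, int]:
    """Inverse map, as KeyGen_A applies it to ctr: k in [N] -> (i, j)."""
    assert 1 <= k <= m * m
    i, j = divmod(k - 1, m)
    return i + 1, j + 1


def pos_ge(pos: Tuple[int, int], bar: Tuple[int, int]) -> bool:
    """(i, j) >= (i_bar, j_bar)  iff  (i > i_bar) or (i == i_bar and j >= j_bar).

    Revocation and the access policy aside, a key at (i, j) recovers a ciphertext
    encrypted to index (i_bar, j_bar) exactly when this holds; it coincides with
    k >= k_bar under the bijection above (checked in demo()).
    """
    (i, j), (ib, jb) = pos, bar
    return i > ib or (i == ib and j >= jb)


def cross(a: Vec3, b: Vec3, p: int = P) -> Vec3:
    """Cross product over Z_p."""
    return ((a[1] * b[2] - a[2] * b[1]) % p,
            (a[2] * b[0] - a[0] * b[2]) % p,
            (a[0] * b[1] - a[1] * b[0]) % p)


def inner(a: Vec3, b: Vec3, p: int = P) -> int:
    """Inner product (a . b) over Z_p."""
    return sum(x * y for x, y in zip(a, b)) % p


def make_chi(rng: random.Random, p: int = P) -> Tuple[Vec3, Vec3, Vec3]:
    """chi_1 = (r_x, 0, r_z), chi_2 = (0, r_y, r_z), chi_3 = chi_1 x chi_2."""
    r_x, r_y, r_z = (rng.randrange(1, p) for _ in range(3))
    chi1: Vec3 = (r_x, 0, r_z)
    chi2: Vec3 = (0, r_y, r_z)
    chi3 = cross(chi1, chi2, p)   # equals (-r_y r_z, -r_x r_z, r_x r_y) mod p
    return chi1, chi2, chi3


def span_vector(chi1: Vec3, chi2: Vec3, rng: random.Random, p: int = P) -> Vec3:
    """Random v in span{chi_1, chi_2}, as Encrypt_A picks v_i for rows i > i_bar."""
    nu1, nu2 = rng.randrange(p), rng.randrange(p)
    x, y, z = ((nu1 * s + nu2 * t) % p for s, t in zip(chi1, chi2))
    return (x, y, z)


def random_vector(rng: random.Random, p: int = P) -> Vec3:
    """Random v in Z_p^3, as Encrypt_A picks v_i for rows i <= i_bar."""
    return (rng.randrange(p), rng.randrange(p), rng.randrange(p))


def row_cancels(chi3: Vec3, v: Vec3, p: int = P) -> bool:
    """True iff (chi_3 . v) = 0, i.e. the mu_j chi_3 term hidden in C_j for columns
    j < j_bar vanishes against this row's v_i and the row still decrypts."""
    return inner(chi3, v, p) == 0


def demo(seed: int = 7) -> dict:
    """Run all checks with a fixed seed and report each outcome."""
    rng = random.Random(seed)
    chi1, chi2, chi3 = make_chi(rng)
    explicit = ((-chi2[1] * chi1[2]) % P, (-chi1[0] * chi2[2]) % P,
                (chi1[0] * chi2[1]) % P)
    n = M_USERS ** 2
    return {
        "chi3_explicit": chi3 == explicit,                       # closed form holds
        "span_cancels": row_cancels(chi3, span_vector(chi1, chi2, rng)),   # True
        "random_cancels": row_cancels(chi3, random_vector(rng)), # False w.h.p.
        "bijection_ok": all(pos_to_index(*index_to_pos(k)) == k for k in range(1, n + 1)),
        "order_matches_k": all(pos_ge(index_to_pos(k), index_to_pos(kb)) == (k >= kb)
                               for k in range(1, n + 1) for kb in range(1, n + 1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```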

$\mathsf{Encrypt}_A(PP, M, R, \mathbb{A} = (A, \rho), (\bar{i}, \bar{j})) \rightarrow CT_{R,(A,\rho)}$. $R \subseteq [m, m]$ is a revocation list. $\mathbb{A} = (A, \rho)$ is an LSSS matrix, where $A$ is an $l \times n$ matrix and $\rho$ maps each row $A_k$ of $A$ to an attribute $\rho(k) \in \mathcal{U} = \mathbb{Z}_p$. The encryption is for recipients whose (index, attribute set) pairs $((i, j), S_{(i,j)})$ satisfy $((i, j) \in [m, m] \setminus R) \wedge (S_{(i,j)} \text{ satisfies } (A, \rho)) \wedge ((i, j) \ge (\bar{i}, \bar{j}))$. Let $\bar{R} = [m, m] \setminus R$ and, for $i \in [m]$, $\bar{R}_i = \{j \mid (i, j) \in \bar{R}\}$; that is, $\bar{R}$ is the non-revoked index list, and $\bar{R}_i$ is the set of non-revoked column indices in the $i$-th row. The algorithm randomly chooses $\kappa, \tau, s_1, \ldots, s_m, t_1, \ldots, t_m \in \mathbb{Z}_p$, $\boldsymbol{v}_c, \boldsymbol{w}_1, \ldots, \boldsymbol{w}_m \in \mathbb{Z}_p^3$, $\xi_1, \ldots, \xi_l \in \mathbb{Z}_p$, $\boldsymbol{u} = (\pi, u_2, \ldots, u_n) \in \mathbb{Z}_p^n$. In addition, it randomly chooses $r_x, r_y, r_z \in \mathbb{Z}_p$, and sets $\chi_1 = (r_x, 0, r_z)$, $\chi_2 = (0, r_y, r_z)$, $\chi_3 = \chi_1 \times \chi_2 = (-r_y r_z, -r_x r_z, r_x r_y)$. Then it randomly chooses $\boldsymbol{v}_i \in \mathbb{Z}_p^3$ for $i \in \{1, \ldots, \bar{i}\}$ and $\boldsymbol{v}_i \in \mathrm{span}\{\chi_1, \chi_2\}$ for $i \in \{\bar{i}+1, \ldots, m\}$, and computes a ciphertext $\langle R, (A, \rho), (R_i, R'_i, Q_i, Q'_i, Q''_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m}, (P_k, P'_k, P''_k)_{k=1}^{l} \rangle$ as follows:

1. For each row $i \in [m]$:
   - if $i < \bar{i}$: randomly chooses $\hat{s}_i \in \mathbb{Z}_p$, and sets
     $R_i = g^{\boldsymbol{v}_i}$, $R'_i = g^{\kappa \boldsymbol{v}_i}$, $Q_i = g^{s_i}$, $Q'_i = \big(f \prod_{j \in \bar{R}_i} f_j\big)^{s_i} Z_i^{t_i} f^{\pi}$, $Q''_i = g^{t_i}$, $T_i = E_i^{\hat{s}_i}$.
   - if $i \ge \bar{i}$: sets
     $R_i = G_i^{s_i \boldsymbol{v}_i}$, $R'_i = G_i^{\kappa s_i \boldsymbol{v}_i}$, $Q_i = g^{\tau s_i (\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}$, $Q'_i = \big(f \prod_{j \in \bar{R}_i} f_j\big)^{\tau s_i (\boldsymbol{v}_i \cdot \boldsymbol{v}_c)} Z_i^{t_i} f^{\pi}$, $Q''_i = g^{t_i}$, $T_i = M \cdot E_i^{\tau s_i (\boldsymbol{v}_i \cdot \boldsymbol{v}_c)}$.
2. For each column $j \in [m]$:
   - if $j < \bar{j}$: randomly chooses $\mu_j \in \mathbb{Z}_p$, and sets $C_j = H_j^{\tau(\boldsymbol{v}_c + \mu_j \chi_3)} g^{\kappa \boldsymbol{w}_j}$, $C'_j = g^{\boldsymbol{w}_j}$.
   - if $j \ge \bar{j}$: sets $C_j = H_j^{\tau \boldsymbol{v}_c} g^{\kappa \boldsymbol{w}_j}$, $C'_j = g^{\boldsymbol{w}_j}$.
3. For each $k \in [l]$: sets $P_k = f^{A_k \cdot \boldsymbol{u}} G^{\xi_k}$, $P'_k = (H^{\rho(k)} h)^{\xi_k}$, $P''_k = g^{\xi_k}$.

$\mathsf{Decrypt}_A(PP, CT_{R,(A,\rho)}, SK_{(i,j),S}) \rightarrow M$ or $\perp$. For ciphertext $CT_{R,(A,\rho)} = \langle R, (A, \rho), (R_i, R'_i, Q_i, Q'_i, Q''_i, T_i)_{i=1}^{m}, (C_j, C'_j)_{j=1}^{m}, (P_k, P'_k, P''_k)_{k=1}^{l} \rangle$ and secret key $SK_{(i,j),S} = ((i, j), S, K_{i,j}, K'_{i,j}, K''_{i,j}, \{\bar{K}_{i,j,j'}\}_{j' \in [m] \setminus \{j\}}, \{K_{i,j,x}, K'_{i,j,x}\}_{x \in S})$, if $(i, j) \in R$ or $S$ does not satisfy $(A, \rho)$, the algorithm outputs $\perp$; otherwise:

1. Since $S$ satisfies $(A, \rho)$, the algorithm can efficiently compute constants $\{\omega_k \in \mathbb{Z}_p\}$ such that $\sum_{\rho(k) \in S} \omega_k A_k = (1, 0, \ldots, 0)$, then compute
$$D_P = \prod_{\rho(k) \in S} \Big( \frac{e(K'_{i,j}, P_k)\, e(K_{i,j,\rho(k)}, P'_k)}{e(K'_{i,j,\rho(k)}, P''_k)} \Big)^{\omega_k}$$
$$= \prod_{\rho(k) \in S} \Big( \frac{e(g^{\sigma_{i,j}}, f^{A_k \cdot \boldsymbol{u}} G^{\xi_k})\, e(g^{\delta_{i,j,\rho(k)}}, (H^{\rho(k)} h)^{\xi_k})}{e((H^{\rho(k)} h)^{\delta_{i,j,\rho(k)}} G^{\sigma_{i,j}}, g^{\xi_k})} \Big)^{\omega_k}$$
$$= \prod_{\rho(k) \in S} \big( e(g^{\sigma_{i,j}}, f^{A_k \cdot \boldsymbol{u}}) \big)^{\omega_k} = e(g^{\sigma_{i,j}}, f)^{\sum_{\rho(k) \in S} \omega_k (A_k \cdot \boldsymbol{u})} = e(g^{\sigma_{i,j}}, f^{\pi}).$$
Note that if $S$ does not satisfy $(A, \rho)$, no such constants $\{\omega_k \in \mathbb{Z}_p\}$ would exist.

2. Since $(i, j) \in \bar{R}$ $(= [m, m] \setminus R)$ implies $j \in \bar{R}_i$, the algorithm can compute
$$\bar{K}_{i,j} = K_{i,j} \cdot \prod_{j' \in \bar{R}_i \setminus \{j\}} \bar{K}_{i,j,j'} = g^{\alpha_i} g^{r_i c_j} (f f_j)^{\sigma_{i,j}} \cdot \prod_{j' \in \bar{R}_i \setminus \{j\}} f_{j'}^{\sigma_{i,j}} = g^{\alpha_i} g^{r_i c_j} \Big( f \prod_{j' \in \bar{R}_i} f_{j'} \Big)^{\sigma_{i,j}}.$$
Note that if $(i, j) \in R$ (implying $j \notin \bar{R}_i$), the algorithm cannot produce such a $\bar{K}_{i,j}$. The algorithm then computes
$$D_I = \frac{e(\bar{K}_{i,j}, Q_i)\, e(K''_{i,j}, Q''_i)}{e(K'_{i,j}, Q'_i)} \cdot \frac{e_3(R'_i, C'_j)}{e_3(R_i, C_j)}.$$

3. Computes $M' = T_i / (D_P \cdot D_I)$ as the output message.

Suppose that the ciphertext is generated from message $M$ and encryption index $(\bar{i}, \bar{j})$; it can be verified that $M' = M$ only when $(i > \bar{i})$ or $(i = \bar{i} \wedge j \ge \bar{j})$. This is because for $i > \bar{i}$ we have $(\boldsymbol{v}_i \cdot \chi_3) = 0$ (since $\boldsymbol{v}_i \in \mathrm{span}\{\chi_1, \chi_2\}$), while for $i = \bar{i}$ we have $(\boldsymbol{v}_i \cdot \chi_3) \neq 0$ with overwhelming probability (since $\boldsymbol{v}_i$ is randomly chosen from $\mathbb{Z}_p^3$). The correctness is given in Appendix B.

4.3 Augmented R-CP-ABE Security

The following theorem states that the AugR-CP-ABE proposed above is message-hiding. Then, in Theorem 4, we state that the AugR-CP-ABE is also selectively index-hiding.

Theorem 3. No PPT adversary can win $\mathsf{Game}^A_{MH}$ with non-negligible advantage.

Proof. The argument for message-hiding in $\mathsf{Game}^A_{MH}$ is straightforward, since an encryption to index $N+1$ (i.e. $(m+1, 1)$) contains no information about the message. The simulator simply runs $\mathsf{Setup}_A$ and $\mathsf{KeyGen}_A$ and encrypts $M_b$ under the challenge (revocation list, access policy) pair $(R, \mathbb{A})$ and index $(m+1, 1)$. Since for all $i = 1$ to $m$, $T_i = E_i^{\hat{s}_i}$ contains no information about the message, the bit $b$ is perfectly hidden and $\mathsf{MH}^A\mathsf{Adv}_{\mathcal{A}} = 0$.

Theorem 4. Suppose that the D3DH, the DLIN and the Extended Source Group q-parallel BDHE Assumption hold. Then no PPT adversary can selectively win $\mathsf{Game}^A_{IH}$ with non-negligible advantage, provided that the challenge LSSS matrix's size $l \times n$ satisfies $l, n \le q$.

Proof. It follows from Lemma 1 and Lemma 2 below.

Lemma 1. If the D3DH and the Extended Source Group q-parallel BDHE Assumption hold, then for $\bar{j} < m$, no PPT adversary can selectively distinguish between an encryption to $(\bar{i}, \bar{j})$ and one to $(\bar{i}, \bar{j}+1)$ in $\mathsf{Game}^A_{IH}$ with non-negligible advantage, provided that the challenge LSSS matrix's size $l \times n$ satisfies $l, n \le q$.

Proof. In $\mathsf{Game}^A_{IH}$ with index $(\bar{i}, \bar{j})$, let $(R, (A, \rho))$ be the challenge (revocation list, access policy) pair. The restriction is that the adversary $\mathcal{A}$ does not query a secret key for an (index, attribute set) pair $((i, j), S_{(i,j)})$ such that $((i, j) = (\bar{i}, \bar{j})) \wedge ((i, j) \in [m, m] \setminus R) \wedge (S_{(i,j)} \text{ satisfies } (A, \rho))$. Under this restriction, there are two ways for $\mathcal{A}$ to proceed:

Case I: In Phase 1 and Phase 2, $\mathcal{A}$ does not query a secret key with index $(\bar{i}, \bar{j})$.

Case II: In Phase 1 or Phase 2, $\mathcal{A}$ queries a secret key with index $(\bar{i}, \bar{j})$. Let $S_{(\bar{i}, \bar{j})}$ be the corresponding attribute set. Case II has the following sub-cases:
1. $(\bar{i}, \bar{j}) \notin [m, m] \setminus R$, $S_{(\bar{i}, \bar{j})}$ satisfies $(A, \rho)$.
2. $(\bar{i}, \bar{j}) \notin [m, m] \setminus R$, $S_{(\bar{i}, \bar{j})}$ does not satisfy $(A, \rho)$.
3. $(\bar{i}, \bar{j}) \in [m, m] \setminus R$, $S_{(\bar{i}, \bar{j})}$ does not satisfy $(A, \rho)$.

If $\mathcal{A}$ is in Case I, Case II.1 or Case II.2, it follows the restrictions of the index-hiding game for Augmented Broadcast Encryption (AugBE) in [10], where the adversary does not query the key with index $(\bar{i}, \bar{j})$, or $(\bar{i}, \bar{j})$ is not in the receiver list $[m, m] \setminus R$. Case II.3 captures the index-hiding requirement of Augmented R-CP-ABE: even if a user has a key with index $(\bar{i}, \bar{j})$ and $(\bar{i}, \bar{j}) \notin R$, the user cannot distinguish between an encryption to $(R, (A, \rho), (\bar{i}, \bar{j}))$ and one to $(R, (A, \rho), (\bar{i}, \bar{j}+1))$ if the corresponding attribute set $S_{(\bar{i}, \bar{j})}$ does not satisfy $(A, \rho)$. This is the most challenging part of proving index-hiding when we attempt to securely intertwine the tracing techniques of broadcast encryption (e.g. [10]) with the large universe CP-ABE (e.g. [27]). Compared to the proof of [21], the challenge here is to prove index-hiding in the large universe setting, as discussed previously.

To prove this lemma, we flip a random coin $c \in \{0, 1\}$ as our guess of which case $\mathcal{A}$ is in. In particular, if $c = 0$, we guess that $\mathcal{A}$ is in Case I, Case II.1 or Case II.2, and make a reduction that uses $\mathcal{A}$ to solve a D3DH problem instance, using a proof technique similar to that of [10]; actually, in this proof, we reduce from our AugR-CP-ABE to the AugBE in [10]. If $c = 1$, we guess that $\mathcal{A}$ is in Case I, Case II.2 or Case II.3, and use $\mathcal{A}$ to solve an Extended Source Group q-parallel BDHE problem instance, which is where the main novelty resides among all the proofs in this work. Please refer to Appendix C for details.

Lemma 2. If the D3DH, the DLIN and the Extended Source Group q-parallel BDHE Assumption hold, then for $1 \le \bar{i} \le m$, no PPT adversary can selectively distinguish between an encryption to $(\bar{i}, m)$ and one to $(\bar{i}+1, 1)$ in $\mathsf{Game}^A_{IH}$ with non-negligible advantage, provided that the challenge LSSS matrix's size $l \times n$ satisfies $l, n \le q$.

Proof. Similar to the proof of Lemma 6.3 in [10], to prove this lemma we define the following hybrid experiments: $H_1$: encrypt to $(\bar{i}, \bar{j} = m)$; $H_2$: encrypt to $(\bar{i}, \bar{j} = m+1)$; and $H_3$: encrypt to $(\bar{i}+1, 1)$. This lemma follows from Claim 1 and Claim 2 below.

Claim 1. If the D3DH and the Extended Source Group q-parallel BDHE Assumption hold, then no PPT adversary can selectively distinguish between experiments $H_1$ and $H_2$ with non-negligible advantage, provided that the challenge LSSS matrix's size $l \times n$ satisfies $l, n \le q$.

Proof. The proof is identical to that of Lemma 1.

Claim 2. If the D3DH and the DLIN hold, then no PPT adversary can distinguish between experiments $H_2$ and $H_3$ with non-negligible advantage.


More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Ciphertext policy Attribute based Encryption with anonymous access policy

Ciphertext policy Attribute based Encryption with anonymous access policy Cphertext polcy Attrbute based Encrypton wth anonymous access polcy A.Balu, K.Kuppusamy 2 Research Assocate, 2 Assocate Professor Department of Computer Scence & En.,Alaappa Unversty, Karakud, Taml Nadu,

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Ciphertext-policy attribute-based encryption with key-delegation abuse resistance

Ciphertext-policy attribute-based encryption with key-delegation abuse resistance Unversty of Wollongong Research Onlne Faculty of Engneerng and Informaton Scences - Papers: Part A Faculty of Engneerng and Informaton Scences 2016 Cphertext-polcy attrbute-based encrypton wth key-delegaton

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003 Tornado and Luby Transform Codes Ashsh Khst 6.454 Presentaton October 22, 2003 Background: Erasure Channel Elas[956] studed the Erasure Channel β x x β β x 2 m x 2 k? Capacty of Noseless Erasure Channel

More information

Witness Encryption from Instance Independent Assumptions

Witness Encryption from Instance Independent Assumptions Wtness Encrypton from Instance Independent Assumptons Crag Gentry IBM Research, T.J. Watson cbgentry@us.bm.com Brent Waters Unversty of Texas at Austn bwaters@cs.utexas.edu Allson Bshop Lewko Columba Unversty

More information

Week 5: Neural Networks

Week 5: Neural Networks Week 5: Neural Networks Instructor: Sergey Levne Neural Networks Summary In the prevous lecture, we saw how we can construct neural networks by extendng logstc regresson. Neural networks consst of multple

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

7. Products and matrix elements

7. Products and matrix elements 7. Products and matrx elements 1 7. Products and matrx elements Based on the propertes of group representatons, a number of useful results can be derved. Consder a vector space V wth an nner product ψ

More information

Singular Value Decomposition: Theory and Applications

Singular Value Decomposition: Theory and Applications Sngular Value Decomposton: Theory and Applcatons Danel Khashab Sprng 2015 Last Update: March 2, 2015 1 Introducton A = UDV where columns of U and V are orthonormal and matrx D s dagonal wth postve real

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1.

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1. 7636S ADVANCED QUANTUM MECHANICS Soluton Set 1 Sprng 013 1 Warm-up Show that the egenvalues of a Hermtan operator  are real and that the egenkets correspondng to dfferent egenvalues are orthogonal (b)

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

Expected Value and Variance

Expected Value and Variance MATH 38 Expected Value and Varance Dr. Neal, WKU We now shall dscuss how to fnd the average and standard devaton of a random varable X. Expected Value Defnton. The expected value (or average value, or

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

On the correction of the h-index for career length

On the correction of the h-index for career length 1 On the correcton of the h-ndex for career length by L. Egghe Unverstet Hasselt (UHasselt), Campus Depenbeek, Agoralaan, B-3590 Depenbeek, Belgum 1 and Unverstet Antwerpen (UA), IBW, Stadscampus, Venusstraat

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

18.1 Introduction and Recap

18.1 Introduction and Recap CS787: Advanced Algorthms Scrbe: Pryananda Shenoy and Shjn Kong Lecturer: Shuch Chawla Topc: Streamng Algorthmscontnued) Date: 0/26/2007 We contnue talng about streamng algorthms n ths lecture, ncludng

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN FINITELY-GENERTED MODULES OVER PRINCIPL IDEL DOMIN EMMNUEL KOWLSKI Throughout ths note, s a prncpal deal doman. We recall the classfcaton theorem: Theorem 1. Let M be a fntely-generated -module. (1) There

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

Circular chosen-ciphertext security with compact ciphertexts

Circular chosen-ciphertext security with compact ciphertexts Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz January 19, 2013 Abstract A key-dependent message (KDM secure encrypton scheme s secure even f an adversary obtans encryptons of messages

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

Online Appendix: Reciprocity with Many Goods

Online Appendix: Reciprocity with Many Goods T D T A : O A Kyle Bagwell Stanford Unversty and NBER Robert W. Stager Dartmouth College and NBER March 2016 Abstract Ths onlne Appendx extends to a many-good settng the man features of recprocty emphaszed

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

x = , so that calculated

x = , so that calculated Stat 4, secton Sngle Factor ANOVA notes by Tm Plachowsk n chapter 8 we conducted hypothess tests n whch we compared a sngle sample s mean or proporton to some hypotheszed value Chapter 9 expanded ths to

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

Additional Codes using Finite Difference Method. 1 HJB Equation for Consumption-Saving Problem Without Uncertainty

Additional Codes using Finite Difference Method. 1 HJB Equation for Consumption-Saving Problem Without Uncertainty Addtonal Codes usng Fnte Dfference Method Benamn Moll 1 HJB Equaton for Consumpton-Savng Problem Wthout Uncertanty Before consderng the case wth stochastc ncome n http://www.prnceton.edu/~moll/ HACTproect/HACT_Numercal_Appendx.pdf,

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information