Keywords

1 Introduction

As an extension and development of cloud computing, cloud storage has solved the problems in big data storage and sharing, which allows users to store their data in cloud server and access data whenever and wherever through any networked device linking to the cloud. However, security and privacy problems are more and more serious at present. No users would like to share their documents containing sensitive information to a public cloud with no guarantee for security or privacy. It means that more flexible cryptosystem is demanded, where security and privacy protection must be both considered. Attribute-based encryption is one of the encryption techniques which can meet this requirement.

In 2005, Sahai and Waters introduced Attribute Based Encryption (ABE) [1], firstly. In attribute-based encryption, the ciphertext and decryption key are generated by the collection of attributes and data owner can establish a specific access control policy to limit who can decrypt the encrypted data. There are two categories of ABE schemes [2], one is ciphertext-policy ABE (CP-ABE) where user’s attributes are used for key generation and the ciphertext is associated with a specific access policy, the other is the key-policy ABE (KP-ABE), in which the user can only decrypt encrypted data when his attributes satisfy the access policy embedded in the secret key. Because of the favorable feature of enabling data owner to set specific access policies to control who can decrypt the encrypted data, CP-ABE provides a novel way to solve the problem above. In 2007, Bethencourt et al. [3] proposed the first CP-ABE scheme with tree-access polices. To improve the efficiency, Emura [4] proposed a CP-ABE scheme with constant size ciphertexts with AND-gates on multi-valued attributes access structure. Then Waters [5] proposed an efficient and expressive CP-ABE scheme, by employing linear secret share scheme (LSSS). There have been many CP-ABE schemes [3,4,5] at present. However, in most of CP-ABE proposals, the access policy must be sent along with the ciphertext which means that anyone who can obtain the ciphertext will get the access policy. While, in some applications access policy may contain sensitive information of the users. For example, a data owner intends to upload a medical record to the cloud and wish that the record can only be accessed by a diabetologist in Central Hospital or a patient with the social security number NY12345678. If the data owner encrypts the record by a traditional CP-ABE scheme, with the access policy “(Patient: NY12345678 AND Hospital: Central Hospital) OR (Doctor: Diabetologist AND Hospital: Central Hospital)”. Everyone who can get the access policy can infer that a patient with social security number NY12345678 is suffering diabetes. Obviously, the data owner would not like this as in Fig. 1. Thus, the CP-ABE schemes should not only guarantee the security of encrypted data but also must can satisfy the access structure protection.

Fig. 1.
figure 1

Privacy leakage in traditional CP-ABE

Full size image

For addressing the problem above, in 2008, Nishide et al. [6] proposed the idea of hiding the access policies of CP-ABE schemes and proposed two CP-ABE schemes partly hidden access policies with AND-gates on multi-valued attributes with wildcard access policy. However, both schemes have high computational complexity. Following Nishide, Li et al. [7] proposed an anonymous CP-ABE scheme with the ability of forbidden illegal key sharing among users, but the computational complexity in this scheme is still very high. Later, Lai et al. [8, 9] proposed two fully secure CP-ABE schemes with hidden access policy in standard model. The first one only supports AND-gates on multi-valued attributes with wildcards, while the other one supports any monotone access policy. In addition, the size of ciphertexts and secret keys is linearly growing with the number of attributes. In order to tackle the problem, in 2013, Rao et al. [10] proposed a fully secure scheme with constant size ciphertexts and secret keys. However, their scheme only supports restrict access structures. Additionally, these schemes [8,9,10] are all over composite-order groups. In 2013, Zhang et al. [11] proposed a novel anonymous CP-ABE scheme over prime order groups under standard assumptions with match phase to allow data users to test whether their attributes satisfy the access policy before decryption, which can decrease the computational overhead of users. However, it has been found that the match phase will reveal the attributes belonging to the access policy. In 2016, Li et al. [12] proposed a more efficient scheme with decryption test to decrease the computational complexity before successful decryption. But the decryption phase destroyed its anonymity. Recently, CP-ABE scheme with hidden access structure can also be constructed from attribute hiding Inner-product Predicate Encryption (IPE) [13, 14], nevertheless this transformation will cause a super-polynomial growth in size of arbitrary access policy, which is extremely inefficient. Phuong et al. [15] introduced a way to construct hidden access policy CP-ABE from IPE under standard assumptions, but the communication cost is too high as that the size of secret keys and ciphertexts are linear to the number of attributes.

1.1 Our Technique and Contribution

Motivated by the above challenges, a construction of hidden access policy CP-ABE over prime-order groups in standard model is proposed. Our technique is based on anonymous IBE schemes in [16,17,18,19]. In [18], a splitting technique is used to protect the privacy of ciphertexts and result the following ciphertexts:

$$ C = (A^{s} M,(g_{0} g_{1}^{ID} )^{s} ,v_{1}^{{s - s_{1} }} ,v_{2}^{{s_{1} }} ,v_{3}^{{s - s_{3} }} ,v_{4}^{{s_{2} }} ) $$
(1)

Based on this construction, the authors in [16] introduced “double exponent” technique and issued the following ciphertexts:

$$ C = (A^{{s_{1} }} M,(h_{0} h_{1}^{ID} )^{{s_{1} }} y_{2}^{{s_{2} }} ,w^{{s_{1} }} y_{3}^{{s_{2} }} ,g^{{s_{2} }} ) $$
(2)

Both schemes achieve high efficiency and protect the test of the ciphertexts. Inspired by these good features, they are used to construct anonymous CP-ABE, where we aim at both solving the shortcomings in existing works and reserving the high efficiency of original schemes in [16, 18]. Our contributions are given as follows.

  1. 1.

    The security of the proposed scheme is reduced to the decisional n-BDHE and decisional linear assumption in the standard model.

  2. 2.

    For the hidden control access policy, the user does not know whether his/her attributes satisfy the access policy, which makes him/her need to decrypt again and again to match the plaintexts. While, decryption in our scheme only needs four pairing computations, which can decrease the computation complexity efficiently. Moreover, the secret key size in our scheme achieves constant which is independent with the number of attributes.

2 Preliminaries

2.1 Complexity Assumptions

The Decisional n-Bilinear Diffie-Hellman Exponent (BDHE) Problem

Let \( g \) and \( h \) be two random generators of \( {\mathbb{G}} \) and \( \alpha \) be random element in \( {\mathbb{Z}}_{p}^{*} \). The decisional n-BDHE assumption is defined as follows: given a tuple \( (h,g,g^{\alpha } , \ldots ,g^{{\alpha^{n} }} ,g^{{\alpha^{n + 1} }} , \ldots ,g^{{\alpha^{2n} }} ,Z) \), there is no probabilistic polynomial-time algorithm can distinguish whether \( Z = e(g,h)^{{\alpha^{n + 1} }} \) or \( Z \) is a random element in \( {\mathbb{G}}_{T} \).

The Decisional Linear Assumptions

The D-Linear assumption was first proposed in [18]. The security of our scheme is reduced to Assumption 4. The confidence of these assumptions has been provided in [17, 19,20,21].

Assumption 1.

Let \( g \in_{R} {\mathbb{G}} \) be a random generator and \( z_{1} ,z_{2} ,z_{3} ,z_{4} \in_{R} {\mathbb{Z}}_{p}^{*} \). When given a tuple \( (g,g^{{z_{1} }} ,g^{{z_{2} }} ,g^{{z_{1} z_{3} }} ,g^{{z_{2} z_{4} }} ,Z) \), there is no probabilistic polynomial-time algorithm can distinguish whether \( Z = g^{{(z_{3} + z_{4} )}} \) or \( Z \) is a random element in \( {\mathbb{G}} \).

Assumption 2.

Let \( g \in_{R} {\mathbb{G}} \) be a random generator and \( z_{1} ,z_{2} ,z_{3} \in_{R} {\mathbb{Z}}_{p}^{*} \). When given \( (g,g^{{z_{1} }} ,g^{{z_{2} }} ,g^{{z_{2}^{2} }} , \ldots ,g^{{z_{2}^{n} + 1}} ,g^{{z_{2}^{n} /z_{1} }} ,g^{{z_{2}^{n + 1} z_{3} }} ,g^{{z_{4} }} ,Z) \), there is no probabilistic polynomial-time algorithm can distinguish whether \( Z = g^{{z_{1} (z_{3} + z_{4} )}} \) or \( Z \) is a random element in \( {\mathbb{G}} \).

Assumption 3.

Let \( g \in_{R} {\mathbb{G}} \) be a random generator and \( z_{1} ,z_{2} ,z_{3} \in_{R} {\mathbb{Z}}_{p}^{*} \). When given a tuple \( (g,g^{{z_{1} }} ,g^{{z_{2} }} ,g^{{z_{2}^{2} }} , \ldots ,g^{{z_{2}^{n} }} ,g^{{z_{2}^{n + 2} }} ,g^{{z_{2}^{2n} }} ,g^{{z_{3} }} ,g^{{z_{4} }} ,g^{{z_{2} z_{4} }} , \ldots ,g^{{z_{2}^{n} z_{4} }} ,Z) \), there is no probabilistic polynomial-time algorithm can distinguish whether \( Z = g^{{z_{1} (z_{3} + z_{4} )}} \) or \( Z \) is a random element in \( {\mathbb{G}} \).

Assumption 4.

Let \( g \in_{R} {\mathbb{G}} \) be a random generator and \( z_{1} ,z_{2} ,z_{3} \in_{R} {\mathbb{Z}}_{p}^{*} \). When given a tuple \( (g,g^{{z_{1} }} ,g^{{z_{2} }} ,g^{{z_{2}^{2} }} , \ldots ,g^{{z_{2}^{n} + 1}} ,g^{{z_{2}^{n} /z_{1} }} ,g^{{z_{2} z_{3} }} , \ldots ,g^{{z_{2}^{n + 1} z_{3} }} ,g^{{z_{4} }} ,Z) \), there is no probabilistic polynomial-time algorithm can distinguish whether \( Z = g^{{z_{1} (z_{3} + z_{4} )}} \) or \( Z \) is a random element in \( {\mathbb{G}} \).

2.2 Definition and Security Model

2.2.1 Definition of Hidden Access Policy CP-ABE

A hidden access policy CP-ABE scheme consists of the following four algorithms:

  • Setup \( (\kappa ,{\mathcal{U}}) \to (PK,MK) \): The setup algorithm takes security parameter \( \kappa \) and the universe of attribute \( {\mathcal{U}} \) as input. Then it outputs the public parameters \( PK \) and the master key \( MK \).

  • KeyGen \( (PK,MK,L) \to SK_{L} \): The keygen algorithm takes public parameters \( PK \), the master key \( MK \) and a user’s attribute set \( L \subset {\mathcal{U}} \) as input. It outputs the secret keys \( SK_{L} \) associated with the attribute set \( L \).

  • Encrypt \( (PK,M,W) \to CT \): The encrypt algorithm takes public parameters \( PK \), a message \( M \) and an access policy \( W \), then it generates the ciphertext \( CT \) as the encryption of \( M \) under \( W \). Note that in a hidden access policy CP-ABE scheme, the access policy would not be included in the ciphertext.

  • Decrypt \( (SK_{L} ,CT) \to M \) or \( \bot \): The algorithm takes public parameters \( PK \), secret keys \( SK_{L} \) and a ciphertext \( CT \) under a ciphertext policy \( W \) as input. If and only if the use’s attribute set satisfies the access policy, it outputs the message \( M \). Else it outputs \( \bot \).

2.2.2 Security Model

Now we give the security model of the hidden access policy CP-ABE. It is presented as a security game between an adversary \( {\mathcal{A}} \) and a simulator \( {\mathcal{B}} \) as follows:

  • Init: The adversary \( {\mathcal{A}} \) submits two challenge ciphertext policies \( W_{0}^{*} \) and \( W_{1}^{*} \).

  • Setup: The simulator \( {\mathcal{B}} \) runs the Setup algorithm and gives \( PK \) to the adversary \( {\mathcal{A}} \).

  • Phase 1: The adversary \( {\mathcal{A}} \) submits the attribute list \( L \), if \( L{ \vDash }W_{0}^{*} \wedge L{ \vDash }W_{1}^{*} \) or \( L{ \nvDash }W_{0}^{*} \wedge L{ \nvDash }W_{1}^{*} \), the simulator gives the secret key \( SK_{L} \) to \( {\mathcal{A}} \). And \( {\mathcal{A}} \) can repeat this for polynomial times.

  • Challenge: The adversary \( {\mathcal{A}} \) submits two equal length messages \( M_{0} \) and \( M_{1} \). If \( L{ \vDash }W_{0}^{*} \wedge L{ \vDash }W_{1}^{*} \), then \( M_{0} = M_{1} \). Else \( {\mathcal{B}} \) flips a random coin \( b \in \{ 0,1\} \), and sends Encrypt \( (PK,M_{b} ,W_{b}^{*} ) \) to \( {\mathcal{A}} \).

  • Phase 2: Phase 1 is repeated.

Guess: The adversary outputs a guess \( b' \in \{ 0,1\} \) of \( b \).

2.3 Access Policy

Assume that there are n categories of attributes as: \( Att_{1} ,Att_{2} , \ldots ,Att_{n} \) and \( Att_{i} = \{ v_{i,1} ,v_{i,2} , \ldots ,v_{{i,k_{i} }} \} (\forall i \in [1,n]) \) be the set of possible attributes belonging to \( Att_{i} \). And each user has n attributes and different attribute belongs to different category. So that the universe of attributes can be donated as \( {\mathcal{U}} = \bigcup\nolimits_{i = 1}^{n} {Att_{i} } \). For an access policy is donated as \( W = \{ W_{1} ,W_{2} , \ldots ,W_{n} \} \), in which \( W_{i} \subset Att_{i} \) for \( i \in [1,n] \). User’s attribute set is donated as \( L = \{ L_{1} ,L_{2} , \ldots ,L_{n} \} \) in which \( L_{i} \in Att_{i} \) for \( i \in [1,n] \). If and only if \( L_{i} \in W_{i} (\forall i \in [1,n]) \) then it means that \( L \) satisfies \( W \), denoted as \( L{ \vDash }W \), else it means that \( L \) does not satisfy \( W \), denoted as \( L{ \nvDash }W \).

3 The Proposed Construction

3.1 Construction

  • Setup \( \to (PK,MK) \): Let \( {\mathbb{G}} \) and \( {\mathbb{G}}_{T} \) be two cyclic groups of prime order \( p \) and \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{T} \) be a bilinear map. It picks a random generator \( g \in {\mathbb{G}} \) and random elements \( u,\omega ,h_{0} ,h_{1} ,h_{2} , \ldots ,h_{n} \) from \( {\mathbb{G}} \). Then it chooses \( z_{1} ,z_{2} ,z_{3} ,a_{i,j} \in {\mathbb{Z}}_{p} \) randomly, where \( i \in [1,n],\,j \in [1,k_{i} ] \) and sets \( y_{1} = g^{{z_{1} }} ,\,\,y_{2} = g^{{z_{2} }} ,\,\,\,y_{3} = g^{{z_{3} }} ,\,A = e(u,y_{1} ) \). The public parameters \( PK \) and master keys \( MK \) are given as:

$$ PK = (g,\omega ,h_{0} ,h_{1} ,h_{2} , \ldots ,h_{n} ,y_{1} ,y_{2} ,y_{3} ,A),\,MK = (u,z_{1} ,z_{2} ,z_{3} ,\{ a_{i,j} \}_{{i \in [1,n],j \in [1,k_{i} ]}} ). $$
(3)

  • KeyGen \( (PK,MK,L)\, \to \,SK_{L} \): Let \( L = \{ L_{1} ,L_{2} , \ldots ,L_{n} \} (L_{i} \in Att_{i} ) \) be a set of attributes of a user who is going to obtain secret keys corresponding to \( L \). Let \( k_{i} = h_{0}^{{t_{i} }} \cdot h_{i}^{{a_{i,j} }} \), where \( \sum\nolimits_{i = 1}^{n} {t_{i} = 1} \). Last it picks \( r_{1} ,\,r_{2} \) at random from \( {\mathbb{Z}}_{p} \) and constructs the secret keys as:

$$ \begin{aligned} SK_{L} = & (\{ k_{i}^{{r_{1} }} \}_{i \in [1,n]} ,g^{{r_{1} z_{1} z_{2} + r_{2} z_{ 1} z_{3} }} ,g^{{r_{1} z_{ 1} }} ,g^{{r_{2} z_{1} }} ,u\omega^{{r_{2} }} ) \\ = & (\{ sk_{1,i} \}_{i \in [1,n]} ,sk_{2} ,sk_{3} ,sk_{4} ,sk_{5} ). \\ \end{aligned} $$
(4)

  • Encrypt \( (PK,M,W) \to CT \): The algorithm takes as input the public parameters \( PK \), a message \( M \in {\mathbb{G}}_{T} \) and a ciphertext policy \( W = \{ W_{1} ,W_{2} , \ldots ,W_{n} \} ,\,\,W_{i} \subset Att_{i} \), the data owner chooses \( s_{1,i} ,s_{2,i} \in {\mathbb{Z}}_{p} \) randomly for \( 1 \le i \le n \) and sets \( s_{1} = \sum\nolimits_{i = 1}^{n} {s_{1,i} } ,\,s_{2} = \sum\nolimits_{i = 1}^{n} {s_{2,i} } \). Then the data owner computes

$$ C_{1} = y_{1}^{{s_{1} }} ,\,C_{2} = g^{{s_{2} }} ,\,C_{4} = \omega^{{s_{1} }} y_{3}^{{s_{2} }} \,,\,C_{5} = A^{{s_{1} }} . $$

If \( v_{i,j} \in W_{i} ,\,C_{i,j} = h_{0}^{{s_{1,i} }} h_{i}^{{a_{i,j} s_{1} }} y_{2}^{{s_{2,i} }} \), else \( C_{{i,j}} \) is a random element in \( {\mathbb{G}} \). Then \( C_{3} \) is computed as: \( C_{3} = \{ C_{i,j} \}_{{\{ 1 \le i \le n,1 \le j \le k_{i} \} }} \). Finally, it outputs the ciphertexts as

$$ CT = \{ C_{1} ,C_{2} ,C_{3} ,C_{4} ,C_{5} \} $$
(5)

  • Decrypt \( (SK_{L} ,CT) \to M \) or \( \bot \): In this algorithm, user’s secret key \( SK_{L} \) and ciphertext \( CT \) are taken as input. If user’s attribute set satisfies the access policy then he/she can decrypt as follows:

$$ M = C_{5} /\frac{{\prod\nolimits_{i = 1}^{n} {e(sk_{1,i} } ,C_{1} ) \cdot e(sk_{5} ,C_{1} ) \cdot e(sk_{2} ,C_{2} )}}{{\prod\nolimits_{{i = 1,v_{i,j} \in W_{i} }}^{n} {e(C_{i,j} } ,sk_{3} ) \cdot e(sk_{4} ,C_{4} )}} $$
(6)

3.2 Correctness and Anonymity

Correctness

Assuming the ciphertext is well-formed for \( W \) and \( L \). The verification is run as follows.

$$ \begin{aligned} & \frac{{\prod\nolimits_{i = 1}^{n} {e(sk_{1,i} } ,C_{1} ) \cdot e(sk_{5} ,C_{1} ) \cdot e(sk_{2} ,C_{2} )}}{{\prod\nolimits_{{i = 1,v_{i,j} \in W_{i} }}^{n} {e(C_{i,j} } ,sk_{3} ) \cdot e(sk_{4} ,C_{4} )}} \\ & = \frac{{e((h_{0} \prod\nolimits_{i = 1}^{n} {h_{i}^{{a_{i,j} }} )}^{{r_{1} }} ,)e(u\omega^{{r_{2} }} ,y_{1}^{{s_{1} }} ) \cdot e(g^{{r_{1} z_{1} z_{2} + r_{2} z_{1} z_{3} }} ,g^{{s_{2} }} )}}{{e(g^{{r_{1} z_{1} }} ,(h_{0} \prod\nolimits_{i = 1}^{n} {h_{i}^{{a_{i,j} }} } )^{{s_{1} }} \cdot y_{2}^{{s_{2} }} ) \cdot e(g^{{r_{2} z_{1} }} ,\omega^{{s_{1} }} y_{3}^{{s_{2} }} )}} \\ & = \frac{{e(u,g^{{s_{1} z_{1} }} ) \cdot e((h_{0} \prod\nolimits_{i = 1}^{n} {h_{i}^{{a_{i,j} }} )}^{{r_{1} }} ,g^{{s_{1} z_{1} }} ) \cdot e(\omega^{{r_{2} }} ,g^{{s_{1} z_{1} }} )}}{{e(g^{{r_{1} z_{1} }} ,(h_{0} \prod\nolimits_{i = 1}^{n} {h_{i}^{{a_{i,j} }} )}^{{s_{1} }} ) \cdot e(g^{{r_{1} z_{1} }} ,g^{{z_{2} s_{2} }} ) \cdot e(g^{{r_{2} z_{1} }} ,\omega^{{s_{1} }} )}} \cdot \frac{{e(g^{{r_{1} z_{1} z_{2} + r_{2} z_{1} z_{3} }} ,g^{{s_{2} }} )}}{{e(g^{{r_{2} z_{1} }} ,g^{{z_{3} s_{2} }} )}} \\ & = e(u,g^{{z_{1} s_{1} }} ) \cdot \frac{{e((h_{0} \prod\nolimits_{i = 1}^{n} {h_{i}^{{a_{i,j} }} )}^{{r_{1} }} ,g^{{s_{1} z_{1} }} )}}{{e(g^{{r_{1} z_{1} }} ,(h_{0} \prod\nolimits_{i = 1}^{n} {h_{i}^{{a_{i,j} }} )}^{{s_{1} }} )}} \cdot \frac{{e(\omega^{{r_{2} }} ,g^{{s_{1} z_{1} }} )}}{{e(g^{{r_{2} z_{1} }} ,\omega^{{s_{1} }} )}} \cdot \frac{{e(g^{{r_{1} z_{1} z_{2} + r_{2} z_{1} z_{3} }} ,g^{{s_{2} }} )}}{{e(g^{{r_{1} z_{1} }} ,g^{{z_{2} s_{2} }} ) \cdot e(g^{{r_{2} z_{1} }} ,g^{{z_{3} s_{2} }} )}} \\ & = e(u,g^{{z_{1} s_{1} }} ) = A^{{s_{1} }} . \\ \end{aligned} $$
(7)

Anonymity

By using the technique in [17] multiplying \( h_{0}^{{s_{1,i} }} h_{i}^{{a_{i,j} s_{1} }} \) by \( y_{2}^{{s_{2,i} }} \), and \( \omega^{{s_{1} }} \) by \( y_{3}^{{s_{2} }} \), if an adversary intends to test whether an attribute \( v_{i,j} \) is embed into \( C_{i,j} \), he has to use \( C_{1} ,C_{2} \) and \( C_{4} \), which are comprised in \( C_{i,j} \) and \( C_{4} \), respectively. It can resist the DDH-test. The specific proof will be given in Sect. 4.

4 Security Proof

Theorem 1.

Under the decisional n-BDHE and Decisional Linear assumption, our scheme achieves selective secure and user’s privacy protection.

Proof.

In this section we will give the security proof using hybrid argument over a sequence of games as follows:

  • \( Game_{0} \): This game is the real security game as described in security model, in which the challenge ciphertext is normal as \( CT_{0}^{*} = \{ C_{1}^{*} ,C_{2}^{*} ,C_{3}^{*} ,C_{4}^{*} ,C_{5}^{*} \} \).

  • \( Game_{1} \): In this game \( C_{5} \) is replaced by a random element \( R_{5} \in {\mathbb{G}}_{T} \), the challenge ciphertext is: \( CT_{1}^{*} = \{ C_{1}^{*} ,C_{2}^{*} ,C_{3}^{*} ,C_{4}^{*} ,R_{5} \} \).

  • \( Game_{2} \): In this game both \( C_{4} \) and \( C_{5} \) are replaced by a random element \( R_{4} \in {\mathbb{G}} \) and a random element \( R_{5} \in {\mathbb{G}}_{T} \), the challenge ciphertext is: \( CT_{2}^{*} = \{ C_{1}^{*} ,C_{2}^{*} ,C_{3}^{*} ,R_{4} ,R_{5} \} \).

Then we modify \( Game_{2} \) by changing the way to generate the components \( \{ C_{i,j} \}_{{\{ 1 \le i \le n,1 \le j \le k_{i} \} }} \) and define a sequence of games as follows. For \( v_{{i,j }} \) such that \( (v_{i,j} \in W_{0,i} \wedge v_{i,j} \in W_{1,i} ) \) or \( (v_{i,j} \notin W_{0,i} \wedge v_{i,j} \notin W_{1,i} ) \) the ciphertext component \( C_{{i,j }} \) is obtained from the real game. But for \( v_{{i,j }} \) such that \( (v_{i,j} \in W_{0,i} \wedge v_{i,j} \notin W_{1,i} ) \) or \( (v_{i,j} \notin W_{0,i} \wedge v_{i,j} \in W_{1,i} ) \), the ciphertext component \( C_{{i,j }} \) which is generated normally in \( Game_{2,\ell - 1} \) is replaced by random value in \( Game_{2,\ell } \). We will not define a new game by replacing ciphertext component \( C_{{i,j }} \), until there is no \( v_{{i,j }} \) satisfies \( (v_{i,j} \in W_{0,i} \wedge v_{{i,j }} \notin W_{1,i} ) \) or \( (v_{i,j} \notin W_{0,i} \wedge v_{i,j} \in W_{1,i} ) \).

Lemma 1.

Under the decisional n-BDHE assumption, there is no adversary can distinguish the difference from \( Game_{0} \) and \( Game_{1} \) with non-negligible advantage in polynomial time.

Lemma 2.

Under the Decisional Linear assumption, there is no adversary can distinguish the difference from \( Game_{1} \) and \( Game_{2} \) with non-negligible advantage in polynomial time.

Lemma 3.

Under the Decisional Linear assumption, there is no adversary can distinguish the difference from \( Game_{2,\ell - 1} \) and \( Game_{2,\ell } \) with non-negligible advantage in polynomial time.

Thus, the proposed scheme is IND-sCP-CPA secure under decisional n-BDHE assumption and Decisional Linear assumption.

5 Performance Comparison

In this section, the proposed construction will be compared with previous works. Tables 1 and 2 give the detailed comparisons between the proposed scheme in Sect. 3.1 and the others. For ease of expression the size of the public parameter, the secret key, and the ciphertext length excepting the access policy are denoted by PK, SK, and CT, respectively. Let N be the order of bilinear group, generally it is a big prime order number, but in some schemes, it is a composite number \( N = pqr \), where \( p,q,r \) are prime order numbers. \( \left| {\mathbb{G}} \right|,\left| {{\mathbb{G}}_{T} } \right|,\left| {{\mathbb{Z}}_{N} } \right| \) are the bit-length of the element belonging to each group, respectively. Let \( {\mathcal{U}} = \{ Att_{1} ,Att_{2} , \cdots ,Att_{n} \} \) be the universe of the attributes \( k_{i} \) is the number of attributes in \( Att_{i} \) and \( K = \sum\nolimits_{i = 1}^{n} {k_{i} } \) is the number of all the attributes in \( {\mathcal{U}} \).

Table 1. Security comparisons with previous works
Full size table
Table 2. Comparisons of the computation cost with others
Full size table

Our scheme is efficient in commutation overhead where the size of SK and the size of PK and CT is relatively small.

6 Conclusion

We proposed an efficient hidden access policy CP-ABE scheme over prime-order groups. The security of the proposed scheme is selectively secure and anonymous under the decisional n-BDHE and the Decision Linear assumptions.

Unfortunately, the proposed scheme only supports AND gate and achieves selectively security. It is also desirable to construct a strong secure and more flexible CP-ABE scheme with fully hidden access structures using pairings in the prime-order groups.