Keywords

1 Introduction

ABE was first proposed by Sahai and Waters [1], which is an important tool for solving security and fine-grained data sharing and access control problems. It has become a research hotspot in recent years. The ABE systems can be divided into two categories: one is CP-ABE [2] and the other is key-policy ABE (KP-ABE) [3]. The most obvious difference between them is whether the private keys are related to the attribute set. In CP-ABE, a private key is associated with an attribute list, a ciphertext is related to an access structure. The users can decrypt the ciphertexts if and only if the user’s attribute set satisfies the corresponding access structure. While in KP-ABE, the situation is reversed.

Revocation is a challenge problem in the CP-ABE setting because there has opportunities to dynamically change attributes or users. Therefore, the revocation mechanism can be divided into two types, namely, attribute revocation and user revocation. So far, there are two ways to solve this problem: direct revocation and indirect revocation. Indirect method means revocation mechanism by authority, which updates the private keys of a user who has not revoked an attribute periodically or dynamically. While direct method means revocation is performed by the date owner who specified the revoked user list during the encryption process. Although direct method has less flexibility in revoking users, it has an advantage in revoking costs. Revocable ABE was first proposed in [4, 5], so far, it has made great progress, such as [6,7,8,9] and so on.

Although ABE can be directly applied to the design of secure access control, for the purpose of better protecting user’s privacy and data security, anonymous ABE was proposed in [10, 11] and further improved by [12, 13]. More related works can refer to [14,15,16,17,18,19]. In anonymous ABE, the adversary cannot obtain some meaningful information about the corresponding attributes in the access policies.

However, studies have shown that these schemes can not resist various forms of attacks, such as side-channel attacks. Because the security of these schemes is based on an idealized assumption that the adversary cannot get any information of the private keys and internal state. In fact, this assumption is actually unrealistic. The adversary can learn meaningful information about the keys by using some of the physical information that the algorithm outputs. So the adversary can easily break the security of these schemes. In order to characterize the leaked information that the adversary available and protect the security of these schemes, ABE based on various leakage models are proposed in [20,21,22,23,24,25,26,27].

Zhang et al. [22] focused on the above three issues and designed a leakage-resilient secure ABE with fine-grained attribute revocation to achieve the semantic security in the continual key leakage model. Users need to pay a big price in decryption. Subsequently, Yu et al. [25] introduced a leakage-resilient CP-ABE supporting indirect revocation which can tolerate the leakage of the private keys and the master secret keys. The security of the scheme is proved by using dual system encryption.

While above schemes cannot achieve leakage-resilience, anonymity and user revocation at the same time. Therefore, it is worthwhile to study an efficient scheme that can realize the above three performances.

1.1 Our Contribution

In this paper, an CP-ABE scheme under the continuous leakage model is constructed whose leakage bound achieves \(\lambda \le (\omega -1-2c)\log p_{2}\) during two updates, which is proved to be adaptively secure in the standard model under four static assumptions over composite order bilinear group. Moreover, this scheme can achieve the user’s direct revocation by embedding the revocation list in the ciphertexts. We also give an analysis of how the scheme achieves anonymity (Table 1).

2 Preliminaries

2.1 Linear Secret Sharing

A secret sharing scheme \(\varLambda \) over a set of attributes S is called linear on the two conditions that:

Table 1. Symbols
Full size table
  1. (1)

    The shares for each attributes form a vector from \(\mathbb {Z}_{p}\).

  2. (2)

    There exists a \(l\times n\) matrix \(\varvec{A}\) called sharing-generating matrix for \(\varLambda \). The function \(\rho \) maps the \(x^{th}\) row of \(\varvec{A}\) to an attribute value labeling \(\rho (x)\) for all \(x\in [l]\). Then we selects a vector \(\varvec{v}=(s, v_{2},...,v_{n})\in _{R}\mathbb {Z}_{p}^{n}\), where s is the secret to be shared, and \(\varvec{A}\cdot \varvec{v}\) is the vector of l shares of the secret s according to \(\varLambda \). The shares \((\varvec{A}\varvec{v})_{x}\) belongs to the attribute value \(\rho (x)\).

Linear Reconstruction. Let \(C\in \varLambda \) be any authorized set, and let \(I\subset \{1,2,...,l\}\) be defined as \(I=\{x'| \rho (x')\in C\}\). Then, there exists constants \(\{\mu _{x'}\in \mathbb {Z}_{p}\}_{x'\in I}\) such that, if \(\{\lambda _{x'}\}\) are valid shares of any s in \(\varLambda \), then \(\sum _{x'\in I}\mu _{x'}\lambda _{x'}=s\). This collection \(\{\mu _{x'}\}_{x'\in I}\) can be found in polynomial time.

2.2 Complexity Assumptions

Assumption 1

Given a instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4},T)\), where \(g_{\check{i}}\in _{R}\mathbb {G}_{p_{\check{i}}}\) for \(\check{i}=1, 3, 4\), the advantage of \(\mathcal {A}\) distinguish \(T\in _{R}\mathbb {G}_{p_{1}p_{4}}\) from \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{4}}\) is negligible.

Assumption 2

Given instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4}, U_{1}U_{2}, W_{2}W_{3},T)\), where \(g_{1},U_{1}\in _{R}\mathbb {G}_{p_{1}}\), \(U_{2},W_{2}\in _{R}\mathbb {G}_{p_{2}}\), \(g_{3},W_{3}\in _{R}\mathbb {G}_{p_{3}}\) and \(g_{4}\in _{R}\mathbb {G}_{p_{4}}\), the advantage of \(\mathcal {A}\) distinguish \(T\in _{R}\mathbb {G}_{p_{1}p_{3}}\) from \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{3}}\) is negligible.

Assumption 3

Given a instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4} ,\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{2},g_{3},g_{4}, g_{1}^{\alpha }U_{2},g_{1}^{s}W_{2},g_{2}^{r},U_{2}^{r},T)\), where \(s,\alpha ,r\in _{R}\mathbb {Z}_{N}\), \(g_{1}\in _{R}\mathbb {G}_{p_{1}}\), \(g_{2},U_{2},W_{2}\in _{R}\mathbb {G}_{p_{2}}\) and \(g_{3}\in _{R}\mathbb {G}_{p_{3}}\), the advantage of \(\mathcal {A}\) distinguish \(T=\hat{e}(g,g)^{\alpha s}\) from \(T\in _{R}\mathbb {G}_{T}\) is negligible.

Assumption 4

Given a instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{2},g_{3},g_{4}, U_{1}U_{4},U_{1}^{\hat{r}}U_{2},g_{1}^{\hat{r}}W_{2},g_{1}^{s}W_{24},U_{1}g_{3}^{\hat{s}},T)\), where \(s,\hat{r},\hat{s}\in _{R}\mathbb {Z}_{N}\), \(g_{1},U_{1}\in _{R}\mathbb {G}_{p_{1}}\), \(g_{2},U_{2}, W_{2}\in _{R}\mathbb {G}_{p_{2}}\), \(g_{3}\in _{R}\mathbb {G}_{p_{3}}\), \(g_{4},U_{4}\in _{R}\mathbb {G}_{p_{4}}\) and \(W_{24},D_{24}\in _{R}\mathbb {G}_{p_{2}p_{4}}\), the advantage of \(\mathcal {A}\) distinguish \(T\in _{R}U_{1}^{s}D_{24}\) from \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{4}}\) is negligible.

2.3 Random Subspaces for Leakage Resilience over Arbitrary Functions

Theorem 1

For any function \(f:\mathbb {Z}_{p}^{m'\times d'}\rightarrow \phi \), there exists

$$Dist((\varvec{X}_{1},f(\varvec{X}_{1}\varvec{T})),(\varvec{X}_{1},f(\varvec{X}_{2})))\le \epsilon ,$$

where \(m',l',d'\in _{R}\mathbb {N}\), \(2d'\le l'\le m'\), \(\varvec{X}_{1}\in _{R}\mathbb {Z}_{p}^{m'\times l'}\),\(\varvec{X}_{2}\in _{R}\mathbb {Z}_{p}^{m'\times d'}\), \(\varvec{T}\in _{R}Rank_{d'}(\mathbb {Z}_{p}^{l'\times d'}),|\phi |\le 4(1-\frac{1}{p})\cdot p_{2}^{l'-2d'+1}\cdot \epsilon ^{2}\).

Claim

For any function \(f:\mathbb {Z}_{p}^{m'}\rightarrow \{0,1\}^{l'}\), there exists

$$Dist((\varDelta ,f(\varvec{\mu })),(\varDelta ,f(\varvec{\mu '})))\le \epsilon ,$$

where \(\varDelta ,\varvec{\mu }\in _{R}\mathbb {Z}_{p}^{m'},\varvec{\mu '}\cdot \varDelta =0 \mod p, l'\le 4p^{m'-3}(p-1)\cdot \epsilon ^{2}\).

3 LR-CP-ABE Supporting Direct Revocation

3.1 Model of LR-CP-ABE with Direct Revocation

Three entities are included in our construction: attribute authority (AA), data owners (DO) and users.

  • Setup\((\kappa ,\varSigma ,\lambda )\): AA takes the security parameter \(\kappa \), universe attribute set \(\varSigma \) and leakage bound \(\lambda \) as input, outputs the public keys pk and master secret keys msk.

  • KeyGen(pkmskSid): AA inputs the public keys pk, master secret keys msk, attribute list S for the user with id, outputs the private keys \(sk_{S}\).

  • UpdateUsk\((pk,sk_{S})\): AA takes the public keys pk and the secret keys \(sk_{S}\) as input, outputs the new private keys \(sk_{S}'\).

  • Encrypt\((pk,m,\varLambda ,\mathcal {R})\): DO takes the public keys pk, a message m, access structure \(\varLambda \) and revocation list \(\mathcal {R}\) as input, then outputs the ciphertexts CT.

  • Decrypt\((CT,sk_{S})\): The users inputs the ciphertexts CT and the private keys \(sk_{S}\), and outputs the message m.

3.2 Security Properties of the ANON-LR-CP-ABE with Direct Revocation

This game is played by the interaction between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\), the concrete process is described as follows:

  • Setup: \(\mathcal {C}\) inputs the security parameter \(\kappa \) and the leakage upper bound \(\lambda \), generates the public keys pk and the master secret keys msk. Then \(\mathcal {C}\) sends pk to \(\mathcal {A}\) while keeps msk. At the same time, \(\mathcal {C}\) creates an initial empty lists: \(\mathcal {L}=(hd,S,sk_{S},L_{sk})\), where \(L_{sk}\) means the total leakage bits.

  • Phase 1: \(\mathcal {A}\) adaptively performs the following queries:

    • KeyGen queries: \(\mathcal {A}\) sends an identity id and an attribute list S to \(\mathcal {C}\), then \(\mathcal {C}\) runs the algorithm \(\mathbf {KeyGen}\) to generate the private keys \(sk_{S}\). Finally, \(\mathcal {C}\) updates \(hd=hd+1\) and adds the item \((hd,S,sk_{S},0)\) to the list \(\mathcal {L}\).

    • Leakage queries: \(\mathcal {A}\) gives a polynomial-time computable arbitrary function \(f:\{0,1\}^{*}\rightarrow \{0,1\}^{*}\) to \(\mathcal {C}\). Assume that the set is \((hd,S,sk_{S},L_{sk_{S}})\), then \(\mathcal {C}\) checks whether \(|f(sk_{S})|+L_{sk_{S}}\le \lambda \). If this is true, it returns \(f(sk_{S})\) to \(\mathcal {A}\). Otherwise, outputs the symbol \(\bot \).

    • UpdateUsk queries: \(\mathcal {A}\) queries the new updated secret keys for hd. If there is no \((hd,S,sk_{S},L_{sk_{S}})\) found in set \(\mathcal {L}\). Then \(\mathcal {C}\) runs the algorithm KeyGen to get the private keys \(sk_{S}\) and sets \(L_{sk_{S}}=0\). Otherwise, \(\mathcal {C}\) returns re-randomized private keys \(sk_{S}'\) with UpdatedUsk and updates the corresponding \(L_{sk_{S}}=0\).

  • Challenge: \(\mathcal {A}\) outputs two messages of the same length \(m_{0},m_{1}\), revocation list \(\mathcal {R}\) and two challenge access structures \(\varLambda _{0}(\varvec{A}_{0},\rho _{0})\), \(\varLambda _{1}(\varvec{A}_{1},\rho _{1})\) to \(\mathcal {C}\), then \(\mathcal {C}\) selects \(b\in \{0,1\}\) randomly and encrypts the message \(m_{b}\) under the access structure \(\varLambda _{b}(\varvec{A}_{b},\rho _{b})\). Finally, it outputs the ciphertexts \(CT^{*}\) to \(\mathcal {A}\).

  • Phase 2: The phase is similar to \(\mathbf {Phase 1}\) except that \(\mathcal {A}\) cannot execute the Leakage queries and the KeyGen queries that the corresponding attribute set satisfies the challenge access structure.

  • Guess: \(\mathcal {A}\) outputs the guess \(b'\) of b and wins the game if \(b'=b\).

If the advantage of \(\mathcal {A}\) in the above game is negligible, then it is said that the anonymous CP-ABE scheme which supporting direct revocation is indistinguishable under the chosen plaintext attack (ANON-IND-CPA-REVO) and it is \(\lambda \) leakage-resilient, where the advantage of \(\mathcal {A}\) is defined as

$$Adv_{\mathcal {A}}^{ANON-IND-CPA-REVO}=|\Pr [b'=b]-\frac{1}{2}|$$

4 Construction

4.1 Concrete Construction

  • Setup\((\kappa ,\varSigma ,\lambda )\): AA takes a security parameter \(\kappa \) and the attribute universe description \(\varSigma \) and a leakage bound \(\lambda \) as input. Then it runs the bilinear group generator to produce \(\varTheta =(N=p_{1}p_{2}p_{3}p_{4}, \mathbb {G},\mathbb {G}_{T},\hat{e})\), defines \(negl=p_{2}^{-c}\) as the allowable maximum probability in succeeding in leakage guess and computes \(\omega =\lceil 1+2c+\frac{\lambda }{\log p_{2}}\rceil \), where c is a positive constant. Then the algorithm generates the public keys as follows. First, it selects \(g_{1},h\in \mathbb {G}_{p_{1}}\), \(g_{3}\in \mathbb {G}_{p_{3}}\) and \(a,\alpha \in \mathbb {Z}_{N}\) at random. Second, it selects \(\varvec{\rho }\in _{R} \mathbb {Z}_{N}^{\omega }\) and selects \(t_{i,j}\in _{R}\mathbb {Z}_{N}\), \(g_{4},w_{0},w_{i,j}\in _{R}\mathbb {G}_{p_{4}}\) for each \(i\in [n],j\in [n_{i}]\), the public keys are

    $$pk=\bigg (N, a_{0}, h, u, g_{3}, g_{1}^{\varvec{\rho }}, y, T_{i,j};\forall i\in [n],j\in [n_{i}] \bigg )$$

    where \(a_{0}=g_{1}w_{0}, u=g_{1}^{a}g_{4}, y=e(g_{1},g_{1})^{\alpha }, T_{i,j}=g_{1}^{t_{i,j}}w_{i,j}\).

    The master secret keys are

    $$msk=(a,\alpha ,t_{i,j},g_{1}).$$

  • KeyGen(pkmskSid): On input the public keys pk, the master keys msk, an attribute set S and users identity id, AA outputs the secret keys \(sk_{S}=\bigg (S,sk_{S,1},sk_{S,2}\bigg )=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{2,i},k_{3,i},k_{4,i}\}_{i\in S}\bigg )\) and sends them to users. AA selects \(r_{id},y_{1}\in _{R}\mathbb {Z}_{N}\), \(\varvec{y}_{0},\varvec{\sigma }\in _{R}\mathbb {Z}_{N}^{\omega }\) and picks \(r_{i,j}, y_{i,j,2}\), \(y_{i,j,3}, y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), calculates and outputs the secret keys as follows.

    $$\begin{aligned} \begin{aligned} sk_{S}&=\bigg (S,sk_{S,1},sk_{S,2}\bigg )\\&=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{i,j,2},k_{i,j,3},k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{g_{1}^{\varvec{\sigma }}*g_{3}^{\varvec{y}_{0}},g_{1}^{\alpha +ar_{id}+\langle \varvec{\sigma },\varvec{\rho }\rangle }g_{3}^{y_{1}}\},\{g_{1}^{\alpha r_{id}+t_{i,j}r_{i,j}+ar_{i,j}}g_{3}^{y_{i,j,2}},g_{1}^{r_{i,j}}g_{3}^{y_{i,j,3}},\\ {}&(g_{1}^{aid}h)^{r_{i,j}}g_{3}^{y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} \end{aligned}$$
    (1)

  • UpdateSk\((sk_{S},S)\): AA selects \(\varDelta r_{id},\varDelta y_{1}\in _{R}\mathbb {Z}_{N}\), \(\varDelta \varvec{\sigma },\varDelta \varvec{y}_{0}\in _{R}\mathbb {Z}_{N}^{\omega }\) and \(\varDelta r_{i,j},\varDelta y_{i,j,2},\varDelta y_{i,j,3},\varDelta y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), outputs the re-randomized keys \(sk_{S}'\):

    $$\begin{aligned} \begin{aligned} sk_{S}'&=\bigg (S,sk_{S,1}',sk_{S,2}'\bigg )\\&=\bigg (S,\{\varvec{k}_{0}',k_{1}'\},\{k_{i,j,2}',k_{i,j,3}',k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{\varvec{k}_{0}*g_{1}^{\varDelta \varvec{\sigma }}*g_{3}^{\varDelta \varvec{y}_{0}},k_{1}g_{1}^{a\varDelta r_{id}+\langle \varvec{\rho },\varDelta \varvec{\sigma }\rangle }g_{3}^{\varDelta y_{1}}\},\{k_{i,j,2}g_{1}^{\alpha \varDelta r_{id}+t_{i,j}\varDelta r_{i,j}+a\varDelta r_{i,j}}\\ {}&g_{3}^{\varDelta y_{i,j,2}},k_{i,j,3}g_{1}^{\varDelta r_{i,j}}g_{3}^{\varDelta y_{i,j,3}},k_{i,j,4}(g_{1}^{aid}h)^{\varDelta r_{i,j}}g_{3}^{\varDelta y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} \end{aligned}$$
    (2)

  • Encrypt\((pk,m,\varLambda )\): \(\varvec{A}\) in \(\varLambda (\varvec{A},\rho )\) is a secret sharing matrix of \(l\times n\), where \(\rho \) maps rows of \(\varvec{A}\) into attribute values. \(\mathcal {R} = \{R_{\rho (x)}\}_{x\in [l]}\) be an attribute revocation list. DO selects \(\varvec{v}=(s,v_{2},...,v_{n})\in \mathbb {Z}_{N}^{n}\) at random. The revocation list of attribute \(\rho (x)\) is \(R_{\rho (x)}=\{id_{1},id_{2},...,id_{l_{x}}\}\), where \(l_{x}\) is a variable number of revocation users. Then the algorithm selects \(s_{x,i'}\in _{R}\mathbb {Z}_{N}\) for each \(id_{i'}\in R_{\rho (x)}\) with the restriction that \(\sum _{i'=1}^{l_{x}}s_{x,i'}=\lambda _{x}\) where \(\lambda _{x}=\varvec{A}_{x}\cdot \varvec{v}\), \(g_{4},w_{1},w_{\lambda _{x},1},w_{\lambda _{x},2},w_{x,i',1},w_{x,i',2}\in _{R}\mathbb {G}_{p_{4}}\), \(\varvec{A}_{x}\) is the \(x^{th}\) row of \(\varvec{A}\). Finally, the algorithm outputs the ciphertexts CT as follows:

    $$\begin{aligned} \begin{aligned} CT&=\bigg (\varvec{A},\{I_{x}\}_{x\in [l]},\mathcal {R},c_{0},\varvec{c}_{1},c_{2},\{c_{x,0},c_{x,1},\{c_{x,i'}^{1},c_{x,i'}^{2}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\\&=\bigg (\varvec{A},\{I_{x}\}_{x\in [l]},\mathcal {R}, my^{s},a_{0}^{-s\varvec{\rho }}*g_{4}^{\varvec{\mu }},a_{0}^{s}\cdot w_{1},\{a_{0}^{\lambda _{x}}\cdot w_{\lambda _{x},1} ,T_{\rho (x)}^{\lambda _{x}}\cdot w_{\lambda _{x},2} ,\\ {}&\{a_{0}^{s_{x,i'}}\cdot w_{x,i',1},(u^{id_{i'}}h)^{s_{x,i'}}\cdot w_{x,i',2}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg ) \end{aligned} \end{aligned}$$
    (3)

    where \(\varvec{\mu }\in _{R}\mathbb {Z}_{N}^{\omega }\), \(\{I_{x}\}_{x\in [l]}\subset \{1,2,...,n\}\) is the index set of corresponding attribute name.

  • Decrypt\((CT,sk_{S})\): This algorithm takes the public keys pk, users identity id, the ciphertexts CT and the secret keys \(sk_{S}\) as input. If \(id\in R_{\rho (x)}\), then the algorithm aborts. Otherwise, suppose \(\mathcal {H}=\{x|\rho (x)\in S, id\not \in R_{\rho (x)}\}\). If \(S'=\{\rho (x)|x\in \mathcal {H}\}\) satisfies the access structure, then users computes \(d_{x,1},d_{x,2}\) for every \(x\in \mathcal {H}\) at first.

    $$\begin{aligned} \begin{aligned} d_{x,1}&=\prod _{i'=1}^{l_{x}}\bigg (\frac{\hat{e}(k_{\rho (x),3},c_{x,i'}^{2})}{\hat{e}(k_{\rho (x),4},c_{x,i'}^{1})}\bigg )^{\frac{1}{id-id_{i'}}}\\&=\prod _{i'=1}^{l_{x}}\bigg (\frac{\hat{e}(g_{1}^{r_{\rho (x)}}g_{3}^{y_{\rho (x),3}},(u^{id_{i'}}h)^{s_{x,i'}})}{\hat{e}((g^{a id}h)^{r_{\rho (x)}}g_{3}^{y_{\rho (x),4}},g_{1}^{s_{x,i'}})}\bigg )^{\frac{1}{id-id_{i'}}}\\&=\prod _{i'=1}^{l_{x}}\hat{e}(g_{1},g_{1})^{-ar_{\rho (x)}s_{x,i'}}\\&=\hat{e}(g_{1},g_{1})^{-a \lambda _{x}r_{\rho (x)}} \end{aligned} \end{aligned}$$
    (4)
    $$\begin{aligned} \begin{aligned} d_{x,2}&=\frac{\hat{e}(k_{\rho (x),2},c_{x,0})}{\hat{e}(k_{\rho (x),3},c_{x,1})}\\&=\frac{\hat{e}(g_{1}^{\alpha r_{id}+t_{\rho (x)}r_{\rho (x)}+ar_{\rho (x)}}g_{3}^{y_{\rho (x),2}},g^{\lambda _{x}})}{\hat{e}(g_{1}^{r_{\rho (x)}}g_{3}^{y_{\rho (x),3}},T_{\rho (x)}^{\lambda _{x}})}\\&=\hat{e}(g_{1},g_{1})^{\alpha r_{id}\lambda _{x}+a\lambda _{x}r_{\rho (x)}} \end{aligned} \end{aligned}$$
    (5)

    Obvious, there are

    $$d_{x}=d_{x,1}d_{x,2}=\hat{e}(g_{1},g_{1})^{\alpha r_{id}\lambda _{x}}$$
    $$\begin{aligned} CT'=\prod _{x\in \mathcal {H}}d_{x}^{\mu _{x}}=\hat{e}(g_{1},g_{1})^{\alpha r_{id}s} \end{aligned}$$
    (6)

    where \(\sum _{x\in \mathcal {H}}\mu _{x}\varvec{A}_{x}=(1,0,0,..,0)\). Finally, it computes the \(m=\frac{c_{0}}{\hat{e_{\omega }}(\varvec{c}_{1},\varvec{k}_{0})\hat{e}(c_{2},k_{1})}CT'.\)

4.2 Security Proof

The security proof is based on dual system encryption, so we define the semi-functional keys and semi-functional ciphertexts as follows:

Semi-functional Keys: There are two types of semi-functional keys in our proof. Firstly, we run the KeyGen to get normal private keys as: \(sk_{S}=\bigg (S,sk_{S,1}, sk_{S,2}\bigg )=\bigg (S,\{\varvec{k}_{0}',k_{1}'\},\{k_{i,j,2}',k_{i,j,3}',k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\). Then it selects \(\varvec{d}_{0}\in _{R}\mathbb {Z}_{N}^{\omega },d_{1}\in _{R}\mathbb {Z}_{N}\) and \(d_{i,j,2},d_{i,j,3},d_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\) and compute two types of semi-functional private keys components as follows.

Type 1.

Type 2.

Semi-functional Ciphertexts: For an access structure \(\varLambda (\varvec{A},\rho )\) and a revocation list \(\mathcal {R}\) , we first run the encryption algorithm Encrypt to obtain normal ciphertexts \(CT=\bigg (\varvec{A},\{I_{x}\}_{x\in [l]},\mathcal {R},c_{0},\varvec{c}_{1}',c_{2}',\{c_{x,0}',c_{x,1}',\{c_{x,i'}^{1'},c_{x,i'}^{2'}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\) and choose some random elements \(\varvec{e}_{1}\in \mathbb {Z}_{N}^{\omega }\) and \(e_{2},e_{x,0},e_{x,1},e_{x,i',1},e_{x,i',2} \in \mathbb {Z}_{N}\). The semi-functional ciphertexts are computed as follows:

The security of the program is proved by a series of indistinguishable games. The specific game definitions are described below:

  • \(Game_{real}\): This is a real game that the private keys and ciphertexts are in normal form.

  • \(Game_{0}\): The game is similar to the \(Game_{real}\) except that the ciphertexts are semi-functional.

  • \(Game_{k-1,2}\): The first \(k-1\) private keys are semi-functional of Type 2, the rest of private keys are normal.

  • \(Game_{k,1}\): The game is similar to the \(Game_{k-1,2}\) except the \(k^{th}\) private key is semi-functional of Type 1.

  • \(Game_{k,2}\): The game is similar to the \(Game_{k,1}\) except the \(k^{th}\) private key is semi-functional of Type 2.

  • \(Game_{q,2}\): All of private keys are semi-functional of Type 2 and the ciphertexts are semi-functional, where q is the number of queries.

  • \(Game_{final,0}\): The ciphertext component \(c_{0}\) is the encryption of a random message.

  • \(Game_{final,1}\): The component \(c_{x,i',2}\) is a random element in subgroup \(\mathbb {G}_{p_{1}p_{2}p_{4}}\).

Lemma 1

Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{real}\) and \(Game_{0}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 1 with same advantage.

Proof

\(\mathcal {B}\) receives the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3}, g_{4},T)\) from the challenge \(\mathcal {C}\) and simulates the \(Game_{real}\) or \(Game_{0}\).

Setup: After receiving the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}), g_{1},g_{3},g_{4},T)\), \(\mathcal {B}\) generates the public keys as follows: \(pk=\bigg (N,a_{0}=g_{1}g_{4}^{a'},h=g_{1}^{t},u=g_{1}^{a}g_{4},g_{3},g_{1}^{\varvec{\rho }},y=e(g_{1},g_{1})^{\alpha },T_{i,j}=g_{1}^{t_{i,j}}g_{4}^{a_{i,j}};\forall i\in [n],j\in [n_{i}] \bigg ),\) where \(t,a,a',\alpha ,t_{i,j},a_{i,j}\in _{R}\mathbb {Z}_{N},\varvec{\rho }\in _{R}\mathbb {Z}_{N}^{\omega }\).

Phase 1: Because \(\mathcal {B}\) knows the master keys, so it can answer all the KeyGen queries and Leakage queries.

Challenge: \(\mathcal {A}\) sends two challenge access structure \(\varLambda _{0}^{*}(\varvec{A}_{0}^{*},\rho _{0}^{*}),\varLambda _{1}^{*}(\varvec{A}_{1}^{*},\rho _{1}^{*})\), two messages \(m_{0},m_{1}\) of equal length and a revocation list \(\mathcal {R} = \{R_{\rho (x)}\}_{x\in [l]}\) to \(\mathcal {B}\), then \(\mathcal {B}\) selects \(b\in \{0,1\}\) at random and computes the ciphertexts as follows: \(CT=\bigg (\varvec{A}_{b}^{*},\{I_{b,x}\}_{x\in [l]},\mathcal {R},c_{0}=m_{b}\hat{e}(T,g)^{\alpha },\varvec{c}_{1}'=T^{-\varvec{\rho }}g_{4}^{\varvec{u}},c_{2}'=Tg_{4}^{w_{1}'},\{c_{x,0}'=\) \(T^{\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},1}'},c_{x,1}'=T^{t_{\rho (x)}\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},2}'},\{c_{x,i'}^{1'}=T^{s_{x,i'}}g_{4}^{w_{x,i',1}'},c_{x,i'}^{2'}=T^{(aid'+t)s_{x,i'}} g_{4}^{w_{x,i',2}'}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\), where \(\lambda _{b,x}=\varvec{A}^{*}_{b,x}\cdot \varvec{v}' ,\varvec{u},\varvec{v}'=(1,v_{2}',\)\(v_{3}',...,v_{n}')\in _{R}\mathbb {Z}_{N}^{\omega }\), \(\sum _{i'=1}^{l_{x}}s_{x,i'}=\lambda _{b,x}\), \(w_{1}',w_{\lambda _{b,x},1}',w_{\lambda _{b,x},2}',w_{x,i',1}',w_{x,i',2}',s_{x,i'}\in _{R}\mathbb {Z}_{N}\), \(\{I_{x}\}_{x\in [l]}\) is the index set of corresponding attribute name.

Phase 2: Same as Phase 1 except that \(\mathcal {A}\) cannot execute the Leakage queries and KeyGen queries that the corresponding attribute set satisfies the challenge access structure.

Guess: \(\mathcal {A}\) outputs the guess of \(b'\) of b. If \(b'=b\), \(\mathcal {A}\) wins the game.

If \(T\in _{R}\mathbb {G}_{p_{1}p_{4}}\), then \(\mathcal {B}\) simulates the \(Game_{real}\). Otherwise, \(\mathcal {B}\) simulates the \(Game_{0}\). Therefore, if \(\mathcal {A}\) can distinguish these two games with a non-negligible advantage, then \(\mathcal {B}\) can break the Assumption 1 with same advantage.

Lemma 2

Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{k-1,2}\) and \(Game_{k,1}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 2 with same advantage.

Proof

\(\mathcal {B}\) receives the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4}, U_{1}U_{2},W_{2}W_{3},T)\) from the challenge \(\mathcal {C}\) and simulates the \(Game_{k-1,2}\) or \(Game_{k,1}\).

Setup: The algorithm of Setup is same as that in Lemma 1.

KeyGen queries in Phase 1: To generate the first \(k-1\) semi-functional keys, \(\mathcal {B}\) chooses \(r_{id},y_{1}\in \mathbb {Z}_{N}\) at random, \(\varvec{y}_{0},\varvec{\sigma }\in _{R}\mathbb {Z}_{N}^{\omega }\) and \(r_{i,j},y_{i,j,2},y_{i,j,3},y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), calculates and outputs the secret keys of Type 1 as follows.

$$ \begin{aligned} sk_{S}&=\bigg (S,sk_{S,1},sk_{S,2}\bigg )\\&=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{i,j,2},k_{i,j,3},k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{g_{1}^{\varvec{\sigma }}*(W_{2}W_{3})^{\varvec{y}_{0}},g_{1}^{\alpha +ar_{id}+\langle \varvec{\sigma },\varvec{\rho }\rangle }(W_{2}W_{3})^{y_{1}}\},\{g_{1}^{\alpha r_{id}+t_{i,j}r_{i,j}+ar_{i,j}}\\ {}&(W_{2}W_{3})^{y_{i,j,2}},g_{1}^{r_{i,j}}g_{3}^{y_{i,j,3}},(g_{1}^{aid}h)^{r_{i,j}}g_{3}^{y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} $$

To generate the \(k^{th}\) private key, \(\mathcal {B}\) picks \(r_{id},y_{1}\in \mathbb {Z}_{N}\) randomly, \(\varvec{y}_{0},\varvec{\sigma }'\in _{R}\mathbb {Z}_{N}^{\omega }\) and \(r_{i,j},y_{i,j,2},y_{i,j,3},y_{i,j,4}\in _{R}\mathbb {Z}_{N}\) for \(v_{i,j}\in S\), outputs the following secret keys .

$$ \begin{aligned} sk_{S}&=\bigg (S,sk_{S,1},sk_{S,2}\bigg )\\&=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{i,j,2},k_{i,j,3},k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{T^{\varvec{\sigma }'}*g_{3}^{\varvec{y}_{0}},g_{1}^{\alpha }T^{a+\langle \varvec{\sigma '},\varvec{\rho }\rangle }g_{3}^{y_{1}}\},\{T^{\alpha }g_{1}^{t_{i,j}r_{i,j}+a r_{i,j}}g_{3}^{ y_{i,j,2}},\\ {}&g_{1}^{r_{i,j}}g_{3}^{y_{i,j,3}},(g_{1}^{aid}h)^{r_{i,j}}g_{3}^{y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} $$

The rest of private keys are normal keys.

Challenge: \(\mathcal {A}\) sends two challenge access structure \(\varLambda _{0}^{*}(\varvec{A}_{0}^{*},\rho _{0}^{*}),\varLambda _{1}^{*}(\varvec{A}_{1}^{*},\rho _{1}^{*})\), two message \(m_{0},m_{1}\) of equal length and a revocation list \(\mathcal {R} = \{R_{\rho (x)}\}_{x\in [l]}\) to \(\mathcal {B}\), then \(\mathcal {B}\) selects \(b\in \{0,1\}\) at random and calculates the ciphertexts as follows: \(CT=\bigg (\varvec{A}_{b}^{*},\{I_{b,x}\}_{x\in [l]},\mathcal {R},c_{0}=m_{b}\hat{e}(U_{1}U_{2},g)^{\alpha },\varvec{c}_{1}'=(U_{1}U_{2})^{-\varvec{\rho }}g_{4}^{\varvec{u}},c_{2}'=\) \((U_{1}U_{2})g_{4}^{w_{1}'},\{c_{x,0}'=(U_{1}U_{2})^{\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},1}'},c_{x,1}'=(U_{1}U_{2})^{t_{\rho (x)}\lambda _{b,x}}g_{4}^{w_{\lambda _{b,x},2}'},\{c_{x,i'}^{1'}=(U_{1} U_{2})^{s_{x,i}}g_{4}^{w_{x,i',1}'},c_{x,i'}^{2'}=((U_{1}U_{2})^{(a id_{i'}+t)s_{x,i'}}g_{4}^{w_{x,i',2}'}\}_{i'\in \{1,2,...,l_{x}\}}\}_{x\in [l]}\bigg )\), where \(\lambda _{b,x}=\varvec{A}^{*}_{x}\cdot \varvec{v}', \varvec{u},\varvec{v}'=(1,v_{2}',v_{3}',...,v_{n}')\in _{R}\mathbb {Z}_{N}^{\omega }\), \(\sum _{i'=1}^{l_{x}}s_{x,i'}=\lambda _{b,x}\), \(w_{1}',w_{\lambda _{b,x},1}',w_{\lambda _{b,x},2}', w_{x,i',1}',w_{x,i',2}',s_{x,i'}\in _{R}\mathbb {Z}_{N}\), \(\{I_{x}\}_{x\in [l]}\) is the index set of corresponding attribute name.

Phase 2: Same as Phase 2 in Lemma 1.

Guess: \(\mathcal {A}\) outputs the guess of \(b'\) of b. If \(b'=b\), \(\mathcal {A}\) wins the game.

It can be learn from the analysis above that \(\mathcal {B}\) simulates the \(Game_{k-1,2}\) if \(T\in _{R}\mathbb {G}_{p_{1}p_{3}}\). Vice versa. So if \(\mathcal {A}\) distinguish these two games with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) break the Assumption 2 with same advantage.

Lemma 3

Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{k,1}\) and \(Game_{k,2}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 2 with same advantage.

Proof

\(\mathcal {B}\) receives the challenge instance \((\varTheta =(N=p_{1}p_{2}p_{3}p_{4},\mathbb {G},\mathbb {G}_{T},\hat{e}),g_{1},g_{3},g_{4}, U_{1}U_{2},W_{2}W_{3},T)\) from the challenge \(\mathcal {C}\) and simulates the \(Game_{k,1}\) or \(Game_{k,2}\).

The proof of Lemma 3 is similar to that of Lemma 2 except the construction of \(k^{th}\) private key.

$$ \begin{aligned} sk_{S}&=\bigg (S,sk_{S,1},sk_{S,2}\bigg )\\&=\bigg (S,\{\varvec{k}_{0},k_{1}\},\{k_{i,j,2},k_{i,j,3},k_{i,j,4}\}_{v_{i,j}\in S}\bigg )\\&=\bigg (S,\{g_{1}^{\varvec{\sigma }'}*(W_{2}W_{3})^{\varvec{y}_{0}},g_{1}^{\alpha +a+\langle \varvec{\sigma '},\varvec{\rho }\rangle }(W_{2}W_{3})^{y_{1}}\},\{g_{1}^{\alpha r_{id}}T^{ t_{i,j}+a}(W_{2}W_{3})^{y_{i,j,2}},\\ {}&T g_{3}^{y_{i,j,3}},T^{a id+t}g_{3}^{y_{i,j,4}}\}_{v_{i,j}\in S}\bigg ) \end{aligned} $$

If \(T\in _{R}\mathbb {G}_{p_{1}p_{2}p_{3}}\), then \(\mathcal {B}\) simulates the \(Game_{k,1}\). Otherwise, \(\mathcal {B}\) simulates the \(Game_{k,2}\). So if \(\mathcal {A}\) can distinguish these two schemes with a non-negligible advantage, then there is a simulator \(\mathcal {B}\) breaks the Assumption 2 with same advantage.

Lemma 4

Suppose that there is an adversary \(\mathcal {A}\) can distinguish the \(Game_{q,2}\) and \(Game_{final,0}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 3 with same advantage.

Lemma 5

Suppose that there is an adversary \(\mathcal {A}\) distinguish the \(Game_{final,0}\) and \(Game_{final,1}\) with a non-negligible advantage \(\epsilon \), then there is a simulator \(\mathcal {B}\) breaks the Assumption 4 with same advantage.

We omitted the proof of Lemmas 4 and 5 because the space limitation.

Theorem 2

If the Assumptions 1, 2, 3 and 4 hold, then our scheme is \(\lambda \)-leakage-resilient and anonymous for \(\lambda \le (\omega -1-2c)\log p_{2}\), where c is a fixed positive constant.

Proof

If these four assumptions hold, then from the Lemmas 1, 2, 3, 4 and 5, our scheme is \(\lambda \)-leakage-resilient and anonymous for \(\lambda \le (\omega -1-2c)\log p_{2}\), where c is a fixed positive constant.

4.3 Leakage Performance

In this part, we give a concrete analysis of leakage resilience. The scheme has the same leakage bound \(\lambda \le (\omega -1-2c)\log p_{2}\) with schemes [20,21,22] and the allowable probability \(negl=p_{2}^{-c}\). Thus, the leakage rate of our scheme is \(\gamma =\frac{\omega -1-2c}{(1+c_{1}+c_{3})(\omega +1+3|S|)}\), where \(p_{\mathbbm {i}}(\mathbbm {i}\in [4])\) is large primes of \(d_{\mathbbm {i}}=c_{\mathbbm {i}}\kappa \) bits respectively. \(c_{\mathbbm {i}}\) is a positive constant.

4.4 Anonymity Analysis

To achieve the anonymity, we add the random elements in \(\mathbb {G}_{p_{4}}\) to components of public keys and the ciphertexts which has no effect on the decryption process because orthogonality. Next, we will give a concrete process to explain how to achieve anonymity.

$$\begin{aligned} \begin{aligned} \hat{e}(c_{x,1},a_{0})&=\hat{e}(T_{\rho (x)}^{\lambda _{x}}\cdot w_{\lambda _{x},2},g_{1}\cdot w_{0})\\&=\hat{e}(g_{1},g_{1})^{t_{\rho (x)}\lambda _{x}}\hat{e}(w_{\rho (x)}w_{\lambda _{x},2},w_{0})^{\lambda _{x}} \end{aligned} \end{aligned}$$
(7)
$$\begin{aligned} \begin{aligned} \hat{e}(c_{x,0},T_{i,j})&=\hat{e}(a_{0}^{\lambda _{x}}\cdot w_{\lambda _{x},1},g_{1}^{t_{i,j}}\cdot w_{i,j})\\&=\hat{e}(g_{1},g_{1})^{t_{i,j}\lambda _{x}}\hat{e}(w_{0}w_{\lambda _{x},1},w_{i,j})^{\lambda _{x}} \end{aligned} \end{aligned}$$
(8)

In this case, we cannot decide the attribute value \(\rho (x)\) in the access policy from the DDH-test even if \(v_{i,j}=\rho (x)\), where \(v_{i,j}\) is the attribute value for testing.

5 Performance Analysis

In this section, we will give a detailed analysis of the different schemes in terms of performance and efficiency in Tables 2 and 3, respectively.

As shown in Table 2, we compare these schemes [9, 22, 25, 27] with our construction in terms of revoidability, leakage-resilient and anonymity. [9, 22, 25] can support revocation, but all of them are not anonymous. In addition, [9] is not leakage-resilient. [27] cannot support revocation. However, our construction can achieve these three goals simultaneously.

Table 2. Performance comparisons among different ABE schemes
Full size table

Let \(\Vert \mathbb {G}\Vert , \Vert \mathbb {G}_{T}\Vert \) represent the size of the group \(\mathbb {G}\) and \(\mathbb {G}_{T}\) respectively. n is the number of attributes in universe attribute set, |S| is the number of attributes in an attribute list S, l is the number of rows in \(\varvec{A}\), \(n'\) is the maximum number of users in the system. \(\omega \) is the leakage parameter and P is the time of pairing operation.

Table 3. Efficiency comparisons among different ABE schemes
Full size table

6 Conclusions

In this paper, a leakage-resilient CP-ABE scheme is proposed, which supports direct revocation and achieves adaptive security under four static assumptions in the standard model. Additionally, we show the proposed scheme achieves the anonymity based on the dual system encryption and composite order group. The performance analyses confirm the feasibility of our scheme. However, the proposed scheme relies on the composite order group, which issues a higher computation cost than a scheme in a prime order group under the same security standard. Designing a scheme with the same properties which is based on prime order bilinear group will be our future work.