1 Introduction

In the era of cloud computing, multi-user scenarios have become increasingly common, and traditional one-to-one encryption mechanisms, such as RSA [13] and ElGamal encryption [3], are no longer suitable for applications nowadays. As a result, many cryptographers are turning to attribute-based encryption (ABE) [4, 20] as a solution.

ABE is a type of encryption that enables access control based on attributes, rather than specific identities. This makes it ideal for multi-user scenarios where different users may have varying access rights based on their attributes. For example, in a financial setting, employees with different roles may require different levels of access to sensitive data.

While ABE has many advantages over traditional encryption methods, one of the main challenges is reducing the computational complexity of the encryption and decryption processes. In response to this challenge, many pairing-free ABE schemes [1, 2, 8, 9, 11, 12, 14, 15, 16, 19, 21], i.e. schemes built over elliptic curves without a pairing, have been proposed to simplify the process. Unfortunately, these schemes have all been shown to be insecure. In 2017, Herranz [6] broke the schemes of [11, 12]. In 2020, Tseng and Huang demonstrated a collusion attack on [2, 19], and Herranz [7] further gave a cryptanalysis of [2, 8, 9, 15, 16, 21]. Later, in 2021, Tseng [17] gave an attack on [15] by which a ciphertext can be decrypted by an unauthorized user.

In this manuscript, we further give a cryptanalysis of two pairing-free ABE schemes, [5, 10]. Both schemes are in the key-policy setting, i.e., an access structure is associated with the private key, and an attribute set is associated with the ciphertext. The access structures supported by both schemes are weighted threshold gates \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\), which are satisfied by a set of weighted attributes if the sum of their weights is at least a pre-defined threshold value k. Unfortunately, we found that both [5, 10] are insecure. In this manuscript, we propose two attack methods, which apply to both ABE schemes owing to the structural similarity between [5, 10]. Our first attack allows a malicious user holding a private key for \((\mathbb {A}^{\textsf{WT}}_{1, n}, \textsf{S}_K)\) to compute a private key for \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\) without knowledge of the master secret key. Our second attack allows an attacker colluding with several users to recover the master secret key. Moreover, an improved scheme that fixes the security flaws is also given in this manuscript.

1.1 Organization

The rest of the manuscript is organized as follows. In Sect. 2, we introduce the preliminaries for our work, including notations, the complexity assumptions, the definition of ABE, etc. In Sect. 3, we briefly review the scheme of [5] and present our two attacks on it. An improved scheme is given in Sect. 4. For [10], in Sect. 5 we only give a high-level description of the scheme and of the cryptanalysis, in order to avoid unnecessary duplication. Finally, we conclude our work in Sect. 6.

2 Preliminaries

In this section, we give the notation used in this manuscript, and the definition of key-policy attribute-based encryption for weighted threshold gate (KP-ABE-WT).

2.1 Notations

The notations used in this manuscript are listed as follows.

  • For a set S, by “\(x\xleftarrow {\$} S\)” we mean uniformly randomly choose an element x from S.

  • For an algorithm A, we denote by “\(y\leftarrow A\)” that y is the output obtained by running A.

  • By PPT we mean “probabilistic polynomial-time”.

  • By \([n, m]\) for some integers \(n \le m\), we mean \(\{n, n+1, \dots , m\}\).

  • A function \(f: \mathbb {N} \rightarrow \mathbb {R}\) is said to be negligible in n if for every \(k \in \mathbb {N}\) there is \(n_0 \in \mathbb {N}\) such that for every \(n \ge n_0\), \(|f(n)|< \frac{1}{n^k}\).

2.2 Bilinear Maps and Complexity Assumption

Let \(\mathbb {G}\) and \(\mathbb {G}_T\) be multiplicative groups with prime order p. Let g be a generator of \(\mathbb {G}\). A bilinear map e, aka pairing, is defined as \(e: \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_T\), where the following properties are satisfied.

  1. For all \(a, b \in \mathbb {Z}_p\), \(e(g^a, g^b) = e(g,g)^{ab}\).

  2. There is an efficient algorithm to compute \(e(u, v)\) for all \(u, v \in \mathbb {G}\).

  3. \(e(g, g)\) is not the identity of \(\mathbb {G}_T\).

We also give the complexity assumptions on which the security of our improved scheme is based.

Definition 1 (Discrete-Log Assumption)

The discrete-log assumption says that no PPT algorithm is able to compute \(\log _{g}h\) from a given \(h \in \mathbb {G}\).

Definition 2 (M-DDH\(_{\mathbb {G}_T}\) Assumption [18])

Let \(a, b \xleftarrow {\$} \mathbb {Z}_p\) and let \(\mathfrak {g} = e(g,g)\). The M-DDH\(_{\mathbb {G}_T}\) assumption states that no PPT algorithm, given \((g, \mathfrak {g}, g^a, \mathfrak {g}^a, \mathfrak {g}^b)\), can distinguish \(\mathfrak {g}^{ab}\) from an element \(Z\xleftarrow {\$} \mathbb {G}_T\).

2.3 Access Structure

In both [5, 10], the authors propose a KP-ABE scheme for weighted threshold gates, which is defined as follows. Let \(\textsf{S}\) be a set of attributes. A weighted threshold gate is defined by

$$ (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}) = \{(k, n), \{w_x~|~x \in \textsf{S}\}\}, $$

where

  • \(w_x \ge 1\) is the weight of the attribute x;

  • n is the total weight of the attributes in an attribute set \(\textsf{S}\);

  • \(k\in [1,n]\) is the threshold.

A threshold gate is a special case of weighted threshold gate when \(w_x = 1\) for all \(x\in \textsf{S}\). For a set \(\textsf{S}' \subseteq \textsf{S}\), we say that \(\textsf{S}'\) satisfies \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S})\) if

$$ \sum _{x\in \textsf{S}'} w_x \ge k. $$

2.4 Lagrange Polynomial Interpolation

Lagrange polynomial interpolation is an algorithm to compute a polynomial f of degree \(k-1\) given k points. More precisely, given k points \((x_1, y_1), \dots , (x_k, y_k)\), the polynomial f passing through the k points can be computed by

$$ f(x) = \sum _{i=1}^{k} y_i \varDelta _{i}(x), $$

where \(\varDelta _i(x) = \prod _{j \in [1,k]\setminus \{i\}} \frac{x-x_j}{x_i - x_j}\).
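The following Python block is an added example and not part of the paper: it implements the interpolation above over \(\mathbb {Z}_p\) with the paper's \(\varDelta _i(x)\), reconstructs the constant term f(0) of a random polynomial from k evaluations (the way q(0) = t is recovered in the schemes reviewed later), and checks that the basis polynomials sum to 1 at any point, which is the interpolation of the constant polynomial 1. The prime P, the seed and the sampled points are constructed for the demonstration.

```python
# Added example (not from the paper): Lagrange interpolation over Z_p.
import random

P = 2**61 - 1   # prime modulus for Z_p (assumed; any prime works for this demonstration)


def lagrange_basis(xs, i, x, p=P):
    """Delta_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)  (mod p) for the nodes xs."""
    num, den = 1, 1
    for j, xj in enumerate(xs):
        if j != i:
            num = num * (x - xj) % p
            den = den * (xs[i] - xj) % p
    return num * pow(den, -1, p) % p   # modular inverse: needs Python >= 3.8


def interpolate(points, x, p=P):
    """f(x) = sum_i y_i Delta_i(x): the degree-(k-1) polynomial through k points."""
    xs = [xi for xi, _ in points]
    return sum(yi * lagrange_basis(xs, i, x, p) for i, (_, yi) in enumerate(points)) % p


def eval_poly(coeffs, x, p=P):
    """a_0 + a_1 x + ... + a_{k-1} x^{k-1}  (mod p); coefficients low to high."""
    return sum(a * pow(x, e, p) for e, a in enumerate(coeffs)) % p


def demo(k=3, seed=1):
    """Hide a secret as f(0) of a random degree-(k-1) polynomial, hand out k
    evaluations and reconstruct f(0) from them; also return sum_i Delta_i(0),
    which is always 1."""
    rng = random.Random(seed)                      # seeded: constructed, reproducible input
    coeffs = [rng.randrange(P) for _ in range(k)]  # coeffs[0] is the secret (the paper's q(0) = t)
    xs = rng.sample(range(1, P), k)                # distinct non-zero nodes
    points = [(x, eval_poly(coeffs, x)) for x in xs]
    recovered = interpolate(points, 0)
    basis_sum = sum(lagrange_basis(xs, i, 0) for i in range(k)) % P
    return coeffs[0], recovered, basis_sum
```

`interpolate` works at any point x, not only at 0, and `demo()` returns the secret, the reconstructed value and the basis sum so that the identity can be checked directly.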

2.5 Key-Policy Attribute-Based Encryption for Weighted Threshold Gates

A KP-ABE scheme for weighted threshold gates consists of the following four algorithms \(\textsf{Setup}, \textsf{Encrypt}, \textsf{KeyGen}, \textsf{Decrypt}\).

\(\textsf{Setup}(1^\lambda )\). Taking as input the security parameter, the algorithm outputs the system parameter \(\textsf{params}\) and the master secret key \(\textsf{msk}\). Note that \(\textsf{params}\) is an implicit input to the following algorithms.

\(\textsf{Encrypt}(\textsf{S}, \textsf{M})\). Taking as inputs an attribute set \(\textsf{S}\) and a message \(\textsf{M}\), the algorithm outputs a ciphertext \(\textsf{CT}\).

\(\textsf{KeyGen}(\textsf{msk}, (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}))\). Taking as inputs the master secret key \(\textsf{msk}\) and an access structure \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S})\) described in Sect. 2.3, the algorithm outputs a private key \(\textsf{D}\).

\(\textsf{Decrypt}(\textsf{CT}, \textsf{D})\). Taking as inputs a ciphertext \(\textsf{CT}\) and a private key \(\textsf{D}\), the algorithm outputs a message.

Correctness. For \(\textsf{CT}\leftarrow \textsf{Encrypt}(\textsf{S}_C, \textsf{M}), \textsf{D}\leftarrow \textsf{KeyGen}(\textsf{msk}, (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K))\), we have \(\textsf{M}\leftarrow \textsf{Decrypt}(\textsf{CT}, \textsf{D})\) if \(\textsf{S}_C\) satisfies \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\), denoted by \(\textsf{S}_C \models (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\).

3 Review and Cryptanalysis of Gu and Lin’s KP-ABE-WT Scheme

In this section, we briefly review the KP-ABE-WT scheme (named \(\textsf{GL22}\)) proposed by Gu and Lin [5] in 2022, and give the attacks that break their scheme.

3.1 Review of \(\textsf{GL22}\)

\(\textsf{GL22}\) supports a small universe, i.e., the set of all attributes in the system is polynomially large. Let \(\mathcal {U}\) be the universe in \(\textsf{GL22}\). We omit the description of the \(\textsf{Decrypt}\) algorithm since our attack methods do not depend on it.

\(\textsf{Setup}(1^\lambda )\). Taking as input the security parameter, the algorithm performs as follows.

  1. Choose a group \(\mathbb {G}\) over an elliptic curve. Let g be a generator of \(\mathbb {G}\) and p be the prime order of \(\mathbb {G}\).

  2. Choose \(t \xleftarrow {\$} \mathbb {Z}_p\) and choose \(t_x \xleftarrow {\$} \mathbb {Z}_p\) for each attribute \(x \in \mathcal {U}\).

  3. Compute \(T = g^t\) and \(T_x = g^{t_x}\) for each attribute \(x \in \mathcal {U}\).

  4. Choose a cryptographic hash function \(H: \mathbb {G} \rightarrow \mathbb {Z}_p\).

  5. Output \(\textsf{params} = (p, g, T, \{T_x\}_{x \in \mathcal {U}}, H)\) and \(\textsf{msk} = (t, \{t_x\}_{x \in \mathcal {U}})\).

\(\textsf{Encrypt}(\textsf{S}_C, \textsf{M})\). Taking as inputs an attribute set \(\textsf{S}_C\) and a message \(\textsf{M}\in \mathbb {Z}_p\), the algorithm performs as follows.

  1. Choose \(s \xleftarrow {\$} \mathbb {Z}_p\).

  2. Compute \(C = \textsf{M}\cdot H(T^s), C' = g^s\).

  3. Compute \(C_x = T_x^{s}\) for each \(x \in \textsf{S}_C\).

  4. Output \(\textsf{CT}= (C, C', \{C_x\}_{x \in \textsf{S}_C})\).

\(\textsf{KeyGen}(\textsf{msk}, (\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K))\). Taking as inputs the master secret key \(\textsf{msk}\) and an access structure \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K) = \{(k, n), \{w_x~|~x \in \textsf{S}_K\}\}\), the algorithm performs as follows.

  1. For each attribute \(x \in \textsf{S}_K\) and \(y \in [1, w_x]\), choose \(r_{x,y} \xleftarrow {\$} \mathbb {Z}_p\). Let \(R = \{r_{x,y}~|~x \in \textsf{S}_K, y \in [1, w_x]\}\).

  2. For each \(r_{x,y} \in R\), compute the corresponding Lagrange basis polynomial

    $$ \varDelta _{r_{x, y}}(z) = \prod _{r \in R\setminus \{r_{x,y}\}} \frac{z - r}{r_{x,y} - r}. $$

  3. Choose a \((k-1)\)-degree polynomial q such that \(q(0) = t\).

  4. For each \(r_{x,y} \in R\), compute \(q_{x, y} = q(r_{x,y}), D_{x,y} = q_{x,y} + t_x\).

  5. Output \(\textsf{D}= ((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K), \{D_{x, y}, \varDelta _{r_{x, y}}(0)\})\).

3.2 Cryptanalysis of \(\textsf{GL22}\)

Our attack algorithms are collusion attacks, that is, they recover the master secret \(\textsf{msk}\) or generate another private key without knowing \(\textsf{msk}\), given enough private keys \(\textsf{D}\). For simplicity, when describing the intuition of our attack algorithms we consider access structures for threshold gates, i.e., \(w_x = 1\) for all \(x \in \textsf{S}_K\).

Attack 1. Suppose a user queries a private key for the access structure \((\mathbb {A}^{\textsf{WT}}_{1, 2}, \textsf{S}_K) = \{(1, 2), \{w_x = 1~|~x \in \textsf{S}_K\}\}\) with \(\textsf{S}_K = \{A, B\}\) for some attributes \(A, B \in \mathcal {U}\). Observe that when \(k = 1\), the polynomial chosen in Step 3 of the \(\textsf{KeyGen}\) algorithm is actually a constant polynomial \(q(z) = t\), and hence

$$\begin{aligned} D_A & = q(r_{A}) + t_A = t + t_A \\ D_B & = q(r_{B}) + t_B = t + t_B. \end{aligned}$$

Then the user is able to generate a private key for \((\mathbb {A}^{\textsf{WT}}_{2, 2}, \textsf{S}_K) = \{(2, 2), \{w_x = 1~|~x \in \textsf{S}_K\}\}\) with \(\textsf{S}_K = \{A, B\}\), given the private key \(\textsf{D}' = ((\mathbb {A}^{\textsf{WT}}_{1, 2}, \textsf{S}_K), \{D_{A}, \varDelta _{r_{A}}(0), D_{B}, \varDelta _{r_{B}}(0)\})\). The details are as follows.

  1. Choose \(r_A, r_B \xleftarrow {\$} \mathbb {Z}_p\).

  2. Compute \(\varDelta _{r_A}(z) = \frac{z - r_B}{r_A - r_B}, \varDelta _{r_B}(z) = \frac{z - r_A}{r_B - r_A}\).

  3. Choose \(a \xleftarrow {\$} \mathbb {Z}_p\) and compute \(D_A = ar_A + (t + t_A), D_B = ar_B + (t + t_B)\).

  4. Output the private key for \((\mathbb {A}^{\textsf{WT}}_{2, 2}, \textsf{S}_K) = \{(2, 2), \{w_x = 1~|~x \in \textsf{S}_K\}\}\).

In Step 3, our attack algorithm implicitly sets the polynomial \(q(z) = az + t\), and no master secret is needed since \((t+t_A, t+t_B)\) has been given to the user in the private key \(\textsf{D}'\). Besides, our attack algorithm extends to any general weighted threshold gate \((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K)\), given a private key \(\textsf{D}_{\mathcal {U}}\) for \((\mathbb {A}^{\textsf{WT}}_{1, |\mathcal {U}|}, \mathcal {U}) = \{(1, |\mathcal {U}|), \{w_x = 1~|~x \in \mathcal {U}\}\}\), since

  • the computation of \(\varDelta _{r_x}(0)\) for \(x \in \textsf{S}_K\) depends only on the choice of randomness in Step 1, which is fully controlled by the attack algorithm;

  • the computation of \(D_x = q(r_x) + t_x = a_{k-1}(r_x)^{k-1} + \dots + a_1r_x + (t + t_x)\) can be done given \(\textsf{D}_{\mathcal {U}}\).

Attack 2. Consider a private key \(\textsf{D}= ((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K), \{D_{x}, \varDelta _{r_{x}}(0)\})\) for an access structure \(\{(k, n), \{w_x = 1~|~x \in \textsf{S}_K\}\}\) with \(\textsf{S}_K \subseteq \mathcal {U}\), where \(D_x = q(r_x) + t_x\) for \(x \in \textsf{S}_K\). By the correctness of Lagrange polynomial interpolation, we have that, for any subset \(U \subset \textsf{S}_K\) with \(|U| = k\),

$$\begin{aligned} \sum _{x \in U} q(r_x)\varDelta _{r_{x}}(0) = q(0) = t. \end{aligned}$$
(1)

Therefore, by Eq. (1), we have

$$\begin{aligned} \sum _{x \in U} D_x\varDelta _{r_{x}}(0) = \sum _{x \in U} (q(r_x) + t_x)\varDelta _{r_{x}}(0) = t + \sum _{x \in U}\varDelta _{r_{x}}(0)\cdot t_x. \end{aligned}$$
(2)

As \(D_x, \varDelta _{r_{x}}(0)\) for \(x \in U\) are given in \(\textsf{D}\), there are only \(|U|+1 = k+1\) unknown variables in Eq. (2), i.e. \(t, \{t_x\}_{x \in U}\). Therefore, given private keys \(\textsf{D}^{(1)}, \dots , \textsf{D}^{(k+1)}\) for \(\{(k, n), \{w_x = 1~|~x \in \textsf{S}_K^{(1)}\}\}, \dots , \{(k, n), \{w_x = 1~|~x \in \textsf{S}_K^{(k+1)}\}\}\), respectively, such that \(U \subseteq \textsf{S}_K^{(1)} \cap \dots \cap \textsf{S}_K^{(k+1)}\), anyone is able to recover \(t, \{t_x\}_{x \in U}\) by solving a system of linear equations.

We give the following simple example to illustrate Attack 2. Let

$$ \begin{array}{ll} \textsf{D}^{(1)} &{} = (({\mathbb {A}^{\textsf{WT}}_{2, 3}}^{(1)}, \textsf{S}_K^{(1)}), \{ D^{(1)}_A, \varDelta _{r^{(1)}_A}(0), D^{(1)}_B, \varDelta _{r^{(1)}_B}(0), D^{(1)}_C, \varDelta _{r^{(1)}_C}(0) \}), \\ \textsf{D}^{(2)} &{} = (({\mathbb {A}^{\textsf{WT}}_{2, 3}}^{(2)}, \textsf{S}_K^{(2)} ), \{ D^{(2)}_A, \varDelta _{r^{(2)}_A}(0), D^{(2)}_B, \varDelta _{r^{(2)}_B}(0), D^{(2)}_D, \varDelta _{r^{(2)}_D}(0) \}), \\ \textsf{D}^{(3)} &{} = (({\mathbb {A}^{\textsf{WT}}_{2, 3}}^{(3)}, \textsf{S}_K^{(3)}), \{ D^{(3)}_A, \varDelta _{r^{(3)}_A}(0), D^{(3)}_B, \varDelta _{r^{(3)}_B}(0), D^{(3)}_E, \varDelta _{r^{(3)}_E}(0) \}), \\ \end{array} $$

be the private keys for

$$ \begin{array}{ll} {\mathbb {A}^{\textsf{WT}}_{2, 3}}^{(1)} = \{(2, 3), \{w_x = 1~|~x \in \textsf{S}_K^{(1)}\}\}, &{} \textsf{S}_K^{(1)} = \{A, B, C\}, \\ {\mathbb {A}^{\textsf{WT}}_{2, 3}}^{(2)} = \{(2, 3), \{w_x = 1~|~x \in \textsf{S}_K^{(2)}\}\}, &{} \textsf{S}_K^{(2)} = \{A, B, D\}, \\ {\mathbb {A}^{\textsf{WT}}_{2, 3}}^{(3)} = \{(2, 3), \{w_x = 1~|~x \in \textsf{S}_K^{(3)}\}\}, &{} \textsf{S}_K^{(3)} = \{A, B, E\}. \\ \end{array} $$

In this example, \(U = \{A,B\} \subseteq \textsf{S}_K^{(1)} \cap \textsf{S}_K^{(2)} \cap \textsf{S}_K^{(3)}\). By Eq. (2) we have

$$\left\{ \begin{array}{ll} D^{(1)}_A \cdot \varDelta _{r^{(1)}_A}(0) + D^{(1)}_B \cdot \varDelta _{r^{(1)}_B}(0) &{} = t + \varDelta _{r^{(1)}_A}(0) \cdot t_A + \varDelta _{r^{(1)}_B}(0) \cdot t_B, \\ D^{(2)}_A \cdot \varDelta _{r^{(2)}_A}(0) + D^{(2)}_B \cdot \varDelta _{r^{(2)}_B}(0) &{} = t + \varDelta _{r^{(2)}_A}(0) \cdot t_A + \varDelta _{r^{(2)}_B}(0) \cdot t_B, \\ D^{(3)}_A \cdot \varDelta _{r^{(3)}_A}(0) + D^{(3)}_B \cdot \varDelta _{r^{(3)}_B}(0) &{} = t + \varDelta _{r^{(3)}_A}(0) \cdot t_A + \varDelta _{r^{(3)}_B}(0) \cdot t_B. \\ \end{array} \right. $$

Thus \((t, t_A, t_B)\) can be easily recovered by solving the linear equation system shown above.

4 An Improved Scheme

The main reason for the security flaws shown in Sect. 3.2 is that information about the master secret key is directly exposed in a private key: Eq. (2) shows the linear relation between \(\textsf{D}\) and \(\textsf{msk}\). A straightforward way to fix the problem is to put \(\textsf{D}\) in the exponent of g. However, this would make the number of pairings in the \(\textsf{Decrypt}\) algorithm \(\mathcal {O}(|\textsf{S}_K|)\).

To reduce the number of pairings as much as possible, we move most of the computations of \(\textsf{GL22}\) to the group \(\mathbb {G}_T\), and randomize the components \(D_{x, y}\) of \(\textsf{D}\) with a fresh random value \(\beta \). We give our improved version below. Let \(\mathfrak {g} = e(g, g)\).

\(\textsf{Setup}\) is the same as \(\textsf{GL22}\), except that \(T = \mathfrak {g}^t\) and \(T_x = \mathfrak {g}^{t_x}\) for \(x \in \mathcal {U}\).

\(\textsf{Encrypt}\) is the same as \(\textsf{GL22}\), except that \(C' = \mathfrak {g}^s\) and an additional component \(C'' = g^s\) is added.

\(\textsf{KeyGen}\) is the same as \(\textsf{GL22}\), except that

  1. a random number \(\beta \) is chosen from \(\mathbb {Z}_p\);

  2. \(D_{x,y}\) is computed as \(q_{x,y}+t_x+\beta \);

  3. an additional component \(E = g^\beta \) is added.

\(\textsf{Decrypt}(\textsf{CT}, \textsf{D})\). Taking as inputs a ciphertext \(\textsf{CT}= (C, C', C'', \{C_x\}_{x \in \textsf{S}_C})\) and a private key \(\textsf{D}= ((\mathbb {A}^{\textsf{WT}}_{k, n}, \textsf{S}_K), \{D_{x, y}, \varDelta _{r_{x, y}}(0)\}, E)\), the algorithm performs as follows.

  1. Compute \(F = e(C'', E) = e(g^s, g^\beta ) = \mathfrak {g}^{s\beta }\).

  2. For \(x \in \textsf{S}_K\) and \(y \in [1, w_x]\), compute

    $$ F_{x,y} = \frac{(C')^{D_{x,y}}}{C_x\cdot F} = \frac{\mathfrak {g}^{s(q_{x,y}+t_x+\beta )}}{\mathfrak {g}^{st_x}\cdot \mathfrak {g}^{s\beta }} = \mathfrak {g}^{sq_{x,y}}. $$

  3. Compute

    $$ T^s = \mathfrak {g}^{st} = \prod _{x\in \textsf{S}_K} F_{x,y}^{ \varDelta _{r_{x, y}}(0) }. $$

  4. Recover \(\textsf{M}= C/H(T^s)\).

Correctness. The correctness nearly follows that of \(\textsf{GL22}\), except for the difference due to the newly added randomness \(\beta \): the term \(\mathfrak {g}^{s\beta }\) is cancelled in Step 2 of the \(\textsf{Decrypt}\) algorithm, at the cost of only one pairing.

Security Analysis. To see why the attacks shown in Sect. 3.2 do not work against our improved scheme, note that a fresh random value \(\beta \) is added in the \(\textsf{KeyGen}\) algorithm; \(\beta \) is sampled anew each time \(\textsf{KeyGen}\) is run. Besides, \(\beta \) appears only inside E, from which it cannot be retrieved under the discrete-log assumption. Therefore, Eq. (2) of Sect. 3.2 becomes

$$\begin{aligned} \sum _{x \in U} D_x\varDelta _{r_{x}}(0) = t + \sum _{x \in U}\varDelta _{r_{x}}(0)\cdot t_x + \beta \cdot \left( \sum _{x \in U}\varDelta _{r_{x}}(0) \right) . \end{aligned}$$
(3)

Thanks to \(\beta \), the number of unknown variables now grows with the number of private keys obtained by the attacker, which makes it impossible for the attacker to recover \(\textsf{msk}\) by solving a system of linear equations. Furthermore, by the M-DDH\(_{\mathbb {G}_T}\) assumption, even with knowledge of \((g, \mathfrak {g}, C'' = g^s, C' = \mathfrak {g}^s, T = \mathfrak {g}^t)\), no PPT algorithm can distinguish \(T^s =\mathfrak {g}^{st}\) from a uniformly random element of \(\mathbb {G}_T\). This implies that \(\textsf{M}\) is hidden from the attacker’s view, and thus guarantees the security of our improved scheme.

5 Cryptanalysis of Lin et al.’s KP-ABE-WT Scheme

In this section, we show the insecurity of the KP-ABE-WT scheme (named \(\textsf{LHXS17}\)) proposed by Lin et al. [10] in 2017. Due to the conceptual similarity of \(\textsf{GL22}\) and \(\textsf{LHXS17}\), we only give a high-level description of \(\textsf{LHXS17}\), to avoid unnecessary duplication, and show the intuition behind the corresponding cryptanalysis.

\(\textsf{LHXS17}\) is almost identical to \(\textsf{GL22}\), except that in \(\textsf{GL22}\) the Lagrange coefficients \(\varDelta _{r_{x, y}}(0)\) are included as part of the private key \(\textsf{D}\), while in \(\textsf{LHXS17}\) \(\varDelta _{r_{x, y}}(0)\) is computed in the \(\textsf{Decrypt}\) algorithm. With this design, \(\textsf{GL22}\) has a lower computation cost in the \(\textsf{Decrypt}\) algorithm than \(\textsf{LHXS17}\), at the cost of doubling the private key size. Besides, since \(\varDelta _{r_{x, y}}(0)\) needs to be computed by the user, in \(\textsf{LHXS17}\) the randomness \(r_x\) used in the \(\textsf{KeyGen}\) algorithm is set to some public indices instead of fresh random numbers, which allows anyone to compute \(\varDelta _{r_{x, y}}(0)\) for any user. Therefore, our attack methods shown in Sect. 3.2 apply directly to \(\textsf{LHXS17}\).

6 Conclusion

With the rise of cloud computing, ABE has become one of the most suitable cryptographic primitives for multi-user scenarios. In order to reduce the computation cost, many ABE schemes have been designed without pairings. However, all of these schemes are either flawed or lack security proofs. In this manuscript, we exposed the security issues of [5, 10] by giving two attack methods. Our attack methods generate private keys without \(\textsf{msk}\), and even recover \(\textsf{msk}\). Moreover, an improved scheme has been given to fix the security problem of [5, 10]. Our improved scheme requires only one pairing, which may be an optimal result when constructing ABE in pairing groups. In the future, we will prove the security of the improved scheme, and attempt to further improve the efficiency and the expressiveness of the proposed scheme.