As a distributed extension of ciphertext-policy attribute-based encryption (CP-ABE), multi-authority ABE (MA-ABE) does not require the participation of a trusted central authority and has a wider application prospect in the decentralized background of the cloud computing environment. We propose the first MA-ABE scheme supporting multi-fan-in circuits and collusion-resistance on prime-order bilinear groups and prove the fully adaptive security based on the matrix decision Diffie-Hellman (MDDH) assumption. Compared with the only two fully adaptively secure MA-ABE schemes, our scheme enjoys shorter parameters, which has lower ciphertext and key size, and supports many-use of attribute.
With the development of cloud computing, an increasing number of users and enterprises choose to store data in the cloud to enjoy dynamic and scalable storage services. At present, encryption is an effective means of protecting data confidentiality, but traditional encryption mechanisms cannot implement flexible and fine-grained access control while ensuring data confidentiality.
In 2005, Sahai and Waters1 introduced the concept of attribute-based encryption (ABE) to solve this problem. In 2006, Goyal et al.2 proposed the first real ABE scheme for fine-grained access control. As an advanced public key encryption primitive, ABE can achieve fine-grained access control for encrypted data. But there is a major limitation in the standard ABE scheme, that is, each user must prove to the unique authority that he or she possesses certain attributes, such as driver’s licenses and enrollment school numbers, to obtain the keys corresponding to these attributes, which means that the authority must be trusted. However, different authorities are responsible for issuing and maintaining different attributes in reality. To solve the above problem, Chase3 introduced a multi-authority attribute-based encryption (MA-ABE) scheme. In MA-ABE, multiple authorities control different attributes, and each authority can issue the corresponding key to the user who has the attribute under control without any interaction with other authorities in the system. We can divide the MA-ABE schemes into the standard model and the random oracle (RO) model according to whether the RO model is used in the security proof. We can also divide MA-ABE schemes into the static security model, the adaptive security model, and the fully adaptive security model according to the different attack capabilities of adversaries. The differences are shown in Table 1.
Comparison between different security models.
Security model
Authority corruption
Authority setup queries
Authority master key queries
Whether to declare the attack target in advance
Static
Static
Adaptive
Static
Fully adaptive
Adaptive
In 2020, Okamoto and Takashima4 constructed an MA-ABE scheme based on the prime-order bilinear group and proved the adaptive security of the scheme under the decision linear (DLin) assumption and the RO model. In 2021, Datta et al.5 proposed the first lattice-based MA-ABE scheme, which has static security under the learning with errors (LWE) assumption in the RO model. In 2022, Waters et al.6 generalized the work of Brakerski and Vaikuntanathan,9 proposed a new trapdoor sampling lemma, and designed an MA-ABE scheme with static security under the evasive LWE assumption10,11 in the standard model. However, the above schemes only consider static corruption in the security proof, that is, the attacker must complete the submission of both the honest and corrupted authorities in the global setup phase and cannot be changed later.
In 2023, Datta et al.7 first proposed a fully adaptive security model characterized by supporting adaptive authority corruption. Then, they constructed the first fully adaptively secure MA-ABE and proved its security by the dual system encryption technology. Chen et al.8 used the security model of Datta et al.7 and proposed an MA-ABE scheme with smaller parameter size, which satisfies many-use of attribute based on the NC
circuit. With the help of the Core 1-ABE component,12 the fully adaptive security of the scheme is proved based on the MDDH assumption in the RO model. Table 2 shows the characteristics of the schemes more intuitively. Note that the model in Table 1 is divided according to the different attack capabilities of the adversary, and the model in Table 2 is divided according to whether the RO model is used in the security proof.
Note: NC
denotes circuits with fan-in two and fan-out one, and DNFs denote disjunctive normal forms.
Shorter parameter is always the goal for ABE. The public and private keys are not compact enough in the scheme of Datta et al.7 and the size of the cascade matrix
used in the security proof is shown in Figure 1, where
participates in the generation of ciphertexts and keys. Chen et al.8 improved in this regard using the Core 1-ABE component in the security proof. The size of
and
is reduced, as shown in Figure 2, thereby reducing the parameter size of the scheme.
In the key generation algorithm and encryption algorithm of the above two schemes, two parallel sub-systems are introduced, called the ‘A’ sub-system and the ‘B’ sub-system. The purpose of introducing the ‘B’ sub-system is to cancel some exponents in the ‘A’ sub-system during decryption, so as to ensure the correctness. We consider that if the ‘B’ sub-system can be removed directly, the computational complexity of ciphertext and key will be reduced by about half. Therefore, the first problem to be solved in this article is that how to design the MA-ABE, which no longer uses ‘B’ sub-system, so as to shorten the parameter size and further improve the efficiency of the scheme.
It is pointed out in Benaloh and Leichter13 that the NC
circuit can be represented by a monotone LSSS matrix. Although the scheme8 is an MA-ABE scheme for NC
circuits, the LSSS matrix is actually embedded in its encryption algorithm. In 2023, Sun and Gao14 pointed out that for the same access structure, multi-fan-in circuits can reduce the total number of lines in the circuit compared to NC
circuits. Corresponding examples are shown in Section 2.3.1. If the ciphertext size of the ABE scheme is proportional to the number of lines, then the ciphertext size can be reduced, thereby improving the computational efficiency of the scheme. Therefore, it is necessary to design a fully adaptively secure MA-ABE scheme for multi-fan-in circuit.
Our contributions
In this article, we have achieved the following results:
Inspired by the secret sharing scheme for multi-fan-in circuits,14 we extend this method and embed it into the encryption algorithm, so that the LSSS matrix is no longer used. In this way, we overcome the difficulty of attribute reuse caused by the mapping in the LSSS matrix must be injective, and make the access structure of the scheme support many-use of attribute.
In the encryption algorithm, a new ciphertext component is introduced to replace the original ‘B’ sub-system. Specifically, the ciphertext and key components in the schemes of Datta et al.7 and Chen et al.8 are as follows:
While in this article, they can be replaced by . Theoretical analysis shows that our scheme can not only ensure the correctness of decryption, but also further reduce the overhead of ciphertext and key.
We introduce the user identifier universe
to replace
used in previous schemes, where
is used for the generation of user keys and the decryption, and
is only used for the decryption, which ensures that each step in the decryption contains the user’s unique identity information, thus avoiding collusion attacks between illegal users.
Combining the above techniques, we construct the first MA-ABE scheme supporting multi-fan-in circuits, and prove the fully adaptive security of the scheme using dual-system encryption technology. The experimental results show that our scheme has great advantages in the algorithm efficiency and the length of both ciphertext and key compared with the only two MA-ABE schemes,7,8 which are also fully adaptively secure based on prime-order bilinear groups.
Organization
The remainder of this article is organized as follows. We refer the reader to Section 2 for some preliminary definitions, including the secret sharing scheme for multi-fan-in circuits and the fully adaptive security model of the MA-ABE scheme. In Section 3, an MA-ABE scheme for multi-fan-in circuits is proposed, whose security is proved using dual-system encryption technology. In Section 4, the parameters of the proposed scheme are compared with those of other schemes, and the correctness of the theoretical derivation is verified by experiments. Section 5 summarizes the whole article.
Preliminary
Prime-order bilinear group and the related symbol notations
Given a generator
, whose input is a security parameter
and output is a group
, where
is a prime number.
and
are cyclic groups of order
.
are generators in their respective groups.
is an efficiently bilinear map that satisfies the following properties:
Bilinearity:
, it is true that
.
Non-degeneracy:
, where
is the identity element of the group
.
In particular, when
,
, we call
a symmetric bilinear map. Otherwise, we call
an asymmetric bilinear map.
The definition of related symbols is shown in Table 3.
Symbol notations.
Symbols
Notations
Lowercase letters bold
Column vector
Uppercase letters bold
Matrix
The cascade of
and
Row expansion of
,
, and the cascade of
and
Basis of
,
, and
Matrix with column width
and each column is taken from
For simplicity and accuracy of the description, we specify the following symbols and operations:
Given
, the
assumption holds if and only if the following advantage is negligible for any probabilistic polynomial-time (PPT) adversary
:
, where
.
Given
,
, satisfying
and
. The
assumption holds if and only if the following advantage is negligible for any probabilistic polynomial-time (PPT) adversary
:
where
,
,
,
,
.
The definition of
assumption is similar. Note that in the security proof of this article,
and
used are column vectors, so they are represented by
and
.
Access structure
Let
be the attribute universe. An access structure
on
is a collection of non-empty attribute sets of
. The sets in
are called the authorized sets and the sets not in
are called the unauthorized sets.
, when
and
,
, then
is called monotone.16 is used to denote that the attribute universe
satisfies the access structure
, while
to denote that
does not satisfy
.
circuit and multi-fan-in circuit
The nodes of the
circuit are divided into two categories: leaf nodes and nonleaf nodes. The leaf node is at the bottom of the circuit as input, and all nonleaf nodes are fan-in 2. This circuit can be defined by a tuple
, where
means that the node is an AND gate or an OR gate,
are the input lines of the node, and
is the output line of the node.
A monotone multi-fan-in circuit is a generalized form of the
circuit in which the nodes are also divided into leaf nodes and nonleaf nodes. The nonleaf nodes in the circuit can contain any number of input lines, and these nodes are defined by tuples
where
indicates that the node is an AND gate or an OR gate,
are the input lines of the node,
is the output line of the node, and
is the number of input lines.
The difference between the
circuit and the multi-fan-in circuit is that the number of input lines of a nonleaf node of the multi-fan-in circuit can be arbitrary. For some special access structures, the depth of the
circuit is completely different from that of the multi-fan-in circuit. For example, for the access structure
, the corresponding
circuit is shown in Figure 3, whose depth is
, and the corresponding multi-fan-in circuit is shown in Figure 4, whose depth is 1.
circuit.
Circuit with fan-in m.
Relationship between different sets.
For the multi-fan-in circuit, let the set of leaf nodes be
, the set of nonleaf nodes be
, where
represents the number of nonleaf nodes. In the MA-ABE scheme, different attribute categories are controlled by different authorities, since they are embedded in the leaf nodes. We assume that all attribute categories in the system constitute
, the attribute categories controlled by honest authorities constitute
, and those controlled by corrupted authorities constitute
, where
is the complement of
in
. Let the attribute value of the user about the attribute category
is
, and all the legal attribute values constitute the set
. In this article, we assume that each authority controls only one attribute category, so the terms ‘authority’ and ‘attribute category’ can be regarded as equivalent (‘authority’ is mainly used in the description of the security model, and ‘attribute category’ is mainly used in the description of the scheme). This assumption can be extended to the case where the authority controls any number of attributes.17 We use ‘honest attribute category’ to represent the attribute category controlled by honest authority, and ‘corrupted attribute category’ is similar. Therefore,
can be further divided into a set
embedded in honest attribute categories and a set
embedded in corrupted attribute categories. The relationship between the above sets is shown in Figure 5.
Given a set of user attributes
, the multi-fan-in circuit
embedded in our scheme can be transformed into the following boolean expression:
where
Next, we define two new mappings that will play a key role in the security proof.
The mapping
satisfies:
.
correspond to the elements in
one by one.
correspond to the elements in
one by one.
Obviously, the mapping
is surjective, and
denotes the node label corresponding to each nonleaf node and the honest attribute category.
The mapping
satisfies:
For nonleaf node
,
.
For the leaf node
,
denotes the attribute category embedded in
.
Since different leaf nodes may be embedded in the same attribute category, attribute reuse is allowed in multi-fan-in circuit. Therefore, mapping
must be surjective, but not necessarily bijective.
In order to facilitate understanding, we describe the corresponding mapping
and mapping
based on the access tree in Figure 6.
Access tree instance.
In Figure 6, the node label is represented by 1-9, where
,
. The leaf node contains the information of the attribute value
, where
. Suppose that
has been corrupted by the authority, so
,
,
,
,
,
. The specific mapping relationship is shown in Tables 4 and 5.
Mapping
.
Mapping
.
1
2
3
4
5
6
7
8
9
0
0
0
LSSS for multi-fan-in circuits
The extended LSSS used in this article is described in Table 6. Different from the general secret sharing scheme for multi-fan-in circuits,14 the input secret
rather than
, and the output sharing value
rather than
.
The extended LSSS
.
Input: The multi-fan-in circuit for a boolean function
, which has
nodes, and the secret
.
1. For each nonoutput line
, select a
randomly. For the uppermost output line, let
.
2. Regarding the output line
of the leaf nodes and the share
on the line.
3. For an AND gate
, let the label of its output line be
.
are the input lines of
. Then, the share of its output line is
.
4. For an OR gate
, let the label of its output line be
.
are the input lines of
. Then, the shares of its output line are
, which means
.
5. Output the shares of all nodes
and the mapping
, whose definition is consistent with Section 2.3.1.
Let the user’s attribute value of the attribute category
be represented by
.
contains all the legal attribute values of
, where
. For legitimate users in the system, there is a set of coefficients
such that
holds.
For the example given in Figure 6, the output results of the secret sharing scheme are shown in Table 7. It is assumed that the user has the attribute values
,
,
, that is,
, which obviously satisfy the access structure in Figure 6. Therefore, there is a set of coefficients
,
,
, such that
.
The output of the LSSS for the circuit in Figure 6.
1
2
3
4
5
6
7
0
8
0
0
0
Formal definition of MA-ABE and fully adaptive security model
Formal definition
We use
to represent the global identity universe of the user, and it can be seen from Section 2.3.1 that
, ‘authority’ and ‘attribute category’ are equivalent. The decentralized MA-ABE scheme consists of the following five algorithms:
: The input of the global setup algorithm is the security parameter
, and the output is the global parameter
of the system, including the user’s global identity universe
.
: When the attribute category
is initialized, the global parameter
is used as the input, and the algorithm is called to output the master public and private key pair
.
: The input of the key generation algorithm is the global parameter
, the user’s global identity
, the master private key
and the user attribute universe
, and the output is the user’s private key
.
: The encryption algorithm inputs the global parameter
, the message
, the access structure
and the public key
, and outputs the ciphertext
.
: The input of the decryption algorithm is the global parameter
, the user’s global identity
, the private key
and the ciphertext
. When the user attribute set
satisfies the access structure
, that is,
, the algorithm outputs message
.
If for any message
,
and
, the following equation holds:
we say that the MA-ABE scheme is correct.
Fully adaptive security model
We give the definition of the fully adaptive security model between adversary
and challenger
. The difference between fully adaptive security and static security is that before the setup phase, the static security model requires
to disclose the access structure to be challenged, while in the fully adaptive security model,
does not need to disclose. At the same time, we consider the following two cases of authority corruption. (a) For the corrupted authority before the setup phase, the corresponding corrupted attribute universe is represented by
. (b) When
’s multiple private key queries about
are ignored by
,
is allowed to replace
to set up
and generate the corresponding master public and private key pair
, whose corresponding corrupted attribute universe is represented by
. According to the definition in Section 2.3.1,
.
The fully adaptive security model includes the following phases:
The challenger
calls
to generate the global public parameter
and sends it to the adversary
.
When
requests to set up the authority
for the first time, it needs to send
to
.
calls
to generate the master public and private key pair
, and sends
to
. If
repeats the request later,
will ignore. If
corrupts the authority
, the authority master key query can be performed, and
needs to send
to
.
chooses the user attribute universe
by himself, and performs private key query of any polynomial time. For some authority
, if
does not set up the authority
before querying the private key,
will ignore
’s private key query. If
continues to query the private key about
, it will set up
instead of
, and send the generated master public and private key
to
. Finally,
calls
to generate
and sends it to
.
sends two equal-length messages
to
.
randomly throws a coin
, calls
to generate the challenge ciphertext
and sends it to the adversary, where the access structure
satisfies
.
The adversary continues to query the private key of polynomial degree, the same as step 3, and the attribute universe
is required to satisfy
.
outputs the challenge bit
.
Assuming that the advantage of the adversary
to break the above game is
, if for any PPT adversary
, there is a negligible function
such that
,
, the MA-ABE scheme is said to be fully adaptively secure.
MA-ABE with multi-fan-in circuits
Construction
Let the security parameter be
. Run the bilinear group generator
, where
,
and
are all cyclic groups of order
,
and
are the generators of
and
, respectively. The algorithm randomly selects
Let
, where
,
, satisfying
,
,
,
,
. The algorithm outputs the global parameter
and the user identifier universe
, where
,
, and
.
For each attribute category
, the algorithm randomly selects
and outputs the master private key
, the master public key
. In particular, let
.
The algorithm randomly selects
, where
denotes the node label in the circuit, and calls the secret sharing scheme about circuit
to generate the sharing values, that is,
, where
,
denotes that
is a leaf node, and
denotes that
is a nonleaf node. The generated ciphertext
, where
,
,
,
Taken as input the global parameter
, the user identifier
, the master private key
and the user attribute universe
. The user’s attribute value is
for the attribute category
. If
, the algorithm outputs the user’s private key
, where
. If
, the algorithm will not generate the user private key.
Taken as input the global parameter
, the user identifier universe
, the user private key
and the ciphertext
.
Firstly, when is a leaf node, compute
When
is a nonleaf node, compute
Then compute the coefficient
such that
. Therefore,
At last, compute
Security proof
Before the proof, we note that since
is public,
in the ciphertext component
can be directly regarded as the sharing value generated by the secret sharing scheme.
can be further regarded as a part of the secret to be shared and then a new secret sharing scheme
is obtained because of the linear properties of the secret sharing scheme. At this time, the information of
is embedded in the generated secret sharing values
. Therefore, the original encryption algorithm can be equivalent to the following algorithm, the difference is represented by ‘
’:
The algorithm randomly selects
and calls the secret sharing scheme about circuit
to generate the sharing values, that is,
where
denotes the node label in the circuit. The generated ciphertext
, where
,
,
.
is different from
described in Table 4 only in the range of variable, which can be seen as follows:
The secret to be shared is
rather than
.
The selected random number
rather than
.
The operation involved is the multiplication operation on
rather than the addition operation on
.
The output sharing value is
instead of
.
The reason why
scheme is adopted in the design of encryption algorithm is that the operation on
is faster than that on
, which makes it have better performance in generating shared values on nonleaf nodes. Due to the need of proof, we only regard the original encryption algorithm as
in the security proof.
Next, we will use the dual system encryption technology to prove the fully adaptive security of the scheme. Assume that the adversary
performs at most
private key queries, which
will ignore if there is no request for setting up the authority
before querying the private key. If
continues to query the private key about
, he will set up the authority
instead of
, and send the generated master public and private key pair
to
, so that
can respond to the key query and generate the challenge ciphertext, where
. Note that
mainly responds to
’s private key query by simulating
. The game sequence used in the proof is shown in Table 8, and the classification of the subscript
is shown in Table 9.
Game sequences used in the proof.
Classification of
.
Notation
Connected with the previous game
is an uncorrupted leaf node
is a nonleaf node
: As the same as our proposed scheme, note that the encryption algorithm uses the equivalent
algorithm.
: The only difference with
is that the challenger uses different
when responding to private key queries. Specifically, for
,
,
, for
,
are consistent with
. Obviously,
.
: The only difference with
is the secret shared by
scheme, thus the challenge ciphertexts
and
are different. The challenger first randomly selects
,
, where
is used to represent the node label in the circuit. Then he calls the secret sharing scheme about the circuit
to generate the sharing value, that is,
. The challenge ciphertext is as follows:
,
,
.
When
is represented a nonleaf node,
.
When
is represented a leaf node,
If
,
.
If
,
.
: The only difference with
is the partial challenge ciphertext
and
. Obviously,
. The challenger first randomly selects
,
, and calls the secret sharing scheme about the circuit
to generate the sharing value, that is,
, where
is used to represent the node label in the circuit. The challenge ciphertext is as follows:
,
.
For
,
represents the corrupted leaf node. Randomly select
, then
,
.
For
,
represents the uncorrupted leaf node.
and
will be gradually replaced with the accumulation of
.
If
, randomly select
, then
,
.
If
, randomly select
, then
,
.
For
,
represents the nonleaf node.
will be gradually replaced with the accumulation of
.
If
, randomly select
, then
,
.
If
, randomly select
, then
,
.
: The only difference with
is that the challenger uses different
when responding to private key queries. Specifically, for
, the challenger randomly selects
, then
,
. For
,
and
are consistent with
. Obviously,
.
: The only difference with
is the secret shared by
scheme, thus the challenge ciphertexts
and
are different. The challenger first randomly selects
,
and
. Then he calls the secret sharing scheme about the circuit
to generate the sharing value, that is,
where
is used to represent the node label in the circuit. The challenge ciphertext is as follows:
,
.
For
,
represents the corrupted leaf node. Randomly select
, then
,
.
For
,
represents the uncorrupted leaf node. Randomly select
, then
,
.
For
,
represents the nonleaf node. Randomly select
, then
,
.
: The only difference with
is the partial challenge ciphertext
and
. Obviously,
. The challenger first randomly selects
,
, and calls the secret sharing scheme about the circuit
to generate the sharing value, that is,
, where
is used to represent the node label in the circuit. The challenge ciphertext is as follows:
,
.
For
,
represents the corrupted leaf node. Randomly select
, then
,
.
For
,
represents the uncorrupted leaf node.
and
will be gradually replaced with the accumulation of
.
If
, randomly select
,
, then
,
.
If
, randomly select
, then
,
.
For
,
represents the nonleaf node.
will be gradually replaced with the accumulation of
.
If
, randomly select
,
, then
,
.
If
, randomly select
, then
,
.
: The only difference with
is that the challenger uses different
when responding to private key queries. Specifically, for
,
.
For
,
and
are consistent with
. Obviously,
.
: The only difference with
is the challenge ciphertext
.
For all PPT adversaries
, there exists a negligible function
such that
,
if the
assumption holds.
Supposed that there is a PPT adversary
that can distinguish
and
with a non-negligible advantage successfully, then the challenger
can solve the
assumption with a non-negligible advantage.
First,
gets an instance of the
assumption that consists of
,
, where
.
when
or
when
, where
.
proceeds as follows:
Generating the global public parameters: randomly selects
,
and implicitly sets
, where
.
further samples
and implicitly sets
,
. The global public parameter
.
Generating authority master public and private keys: When
queries the master public and private keys of attribute category
for the first time (i.e., requests to set up an authority
),
runs
: Randomly select
, keep the private key
, and send the master public key
to
. If the subsequent query about
is repeated,
aborts. If
is corrupted by
later, B will send
to
.
Generating the user identifier universe: In response to the
th user identifier query of
,
generates
as follows:
For
, randomly select
, which implicitly sets
. Then
,
.
For
, let
. Note that if
,
simulates
, which implicitly sets
. If
, then
,
.
For
, randomly select
.
Generating the user private keys: When
queries for the private keys of the user’s attribute universe
(assuming that the user identifier universe is
),
runs
: Let
consist of all the legal attribute values of the attribute category
, and
denote the user’s attribute value about
. If
, the algorithm outputs the user’s private key
, where
.
Note: (1)
will ignore the query about the private key if there is no request for setting up the authority
before. If
continues to query the private key about
, he will set up the authority
instead of
, and send the generated master public key
to
, so that
can generate the challenge ciphertext. (2)
also ignores the query about the private key if
Generating the challenge ciphertext: When
queries for the challenge ciphertext about plaintext
and
, he needs to send to
the access structure
to be challenged and the master public key
corresponding to the corrupted attribute universe
. Then run
to generate the challenge ciphertext.
Guess: eventually outputs a guess bit
.
outputs 1 if
and 0 otherwise.
When
, it implies that
simulates the global identifier
,
in response to the
th private key query, so it coincides with that in
. When
, it implies that
simulates the global identifier
in response to the
th private key query, so it coincides with that in
. If
can successfully distinguish between
and
,
must be able to solve the
assumption with a non-negligible advantage, which contradicts the hardness assumption.
For all PPT adversaries
, there exists a negligible function
such that
if the
assumption holds.
Supposed that there is a PPT adversary
that can distinguish
and
with a non-negligible advantage successfully, then the challenger
can solve the
assumption with a non-negligible advantage.
First,
gets an instance of the
assumption that consists of
,
,
.
when
or
when
.
proceeds as follows:
Generating the global public parameters: randomly selects
and a linear combination about
to generate
, and provide the following global parameter to
:
Similarly, for
,
randomly selects a linear combination about
to generate the user identifier
and
required in the
th query.
Generating authority master public and private keys: When
queries the master public and private keys of attribute category
for the first time (i.e., requests to set up an authority
),
runs
: Randomly select
, keep the private key
, and send the master public key
to
. If the subsequent query about
is repeated,
aborts. If
is corrupted by
later, B will send
to
.
Generating the user private keys: When
queries for the private keys of the user’s attribute universe
(assuming that the user identifier universe is
),
runs
: Let
consist of all the legal attribute values of the attribute category
, and
denote the user’s attribute value about
. If
, the algorithm outputs the user’s private key
, where
.
Note: (1)
will ignore the query about the private key if there is no request for setting up the authority
before. If
continues to query the private key about
, he will set up the authority
instead of
, and send the generated master public key
to
, so that
can generate the challenge ciphertext. (2)
also ignores the query about the private key if
.
Generating the challenge ciphertext: When
queries for the challenge ciphertext about plaintext
and
, he needs to send to
the access structure
to be challenged and the master public key
corresponding to the corrupted attribute universe
.
randomly selects
and runs
as follows:
First,
samples
, where
is used to represent the node label in the circuit. Then he calls the secret sharing scheme about the circuit
to generate the sharing value, that is,
. The challenge ciphertext is as follows:
,
,
.
When
is represented a nonleaf node,
.
When
is represented a leaf node,
If
,
.
If
,
.
eventually outputs a guess bit
.
outputs 1 if
and 0 otherwise.
When
, it implies that the secret shared in LSSS is
, the ciphertext components
and
, so it coincides with that in
. When
, it implies that the secret shared in LSSS is
, the ciphertext components
, and
, so it coincides with that in
. All the other components of the game are properly simulated by
. If
can successfully distinguish between
and
,
must be able to solve the
assumption with a non-negligible advantage, which contradicts the hardness assumption.
For all PPT adversaries
, there exists a negligible function
such that
if the
assumption holds.
Supposed that there is a PPT adversary
that can distinguish
and
with a non-negligible advantage successfully, then the challenger
can solve the
assumption with a non-negligible advantage.
First,
gets an instance of the
assumption that consists of
,
,
.
when
or
when
.
proceeds as follows:
is consistent with Lemma 2 in the process of generating global public parameters, user identifiers, authority master public and private keys, and user private keys.
Generating the challenge ciphertext: When
queries for the challenge ciphertext about plaintext
and
, he needs to send to
the access structure
to be challenged and the master public key
corresponding to the corrupted attribute universe
.
randomly selects
,
, and calls the secret sharing scheme about the circuit
to generate the sharing value, that is,
, where
is used to represent the node label in the circuit. It is implied that
, where
. The challenge ciphertext is as follows:
,
.
For
,
represents the corrupted leaf node. Randomly select
, then
,
.
For
,
represents the uncorrupted leaf node.
If
, randomly select
, then
,
.
If
,
,
.
If
, randomly select
, then
,
.
For
,
represents the nonleaf node.
If
, randomly select
, then
,
.
If
,
,
.
If
, randomly select
, then
,
.
eventually outputs a guess bit
.
outputs 1 if
and 0 otherwise.
When
, it implies that
, and when
,
, so it coincides with that in
. When
, it implies that
, and when
,
, so it coincides with that in
. If
can successfully distinguish between
and
,
must be able to solve the
assumption with a non-negligible advantage, which contradicts the hardness assumption.
For all PPT adversaries
, there exists a negligible function
such that
if the
assumption holds.
The proof of this lemma is similar to that of Lemma 1, so we omit the details here.
For all PPT adversaries
, there exists a negligible function
such that
if the
assumption holds.
The proof of this lemma is similar to that of Lemma 2, so we omit the details here.
For all PPT adversaries
, there exists a negligible function
such that
if the
assumption holds.
The proof of this lemma is similar to that of Lemma 3, so we omit the details here.
For all PPT adversaries
, there exists a negligible function
such that
if the
assumption holds.
The proof of this lemma is similar to that of Lemma 1, so we omit the details here.
For all PPT adversaries
,
holds.
In
, we can see that
Because
,
,
,
,
,
, it can be seen that
, and
only appear when the challenger responds to the query, which is confidential for
. Therefore,
can be regarded as a uniform distribution, which is obviously the same as
in
, and
holds.
The MA-ABE scheme proposed in this article satisfies fully adaptive security under
assumption and
assumption.
Assume that the attack advantage of MA-ABE scheme is
, the following advantage can be obtained by Lemmas 1–8:
Parameter comparison
In this section, we compare the MA-ABE scheme proposed in this article with the scheme [10,11] in terms of storage overhead and time complexity of each algorithm. The symbol notations, parameter comparison, and the time complexity comparison are shown in Tables 10–12, respectively.
Symbol notation.
Symbol
Notations
Byte lengths of the elements in groups
,
,
, and
,
,
Time complexity of the double point operation over
,
, and
Row number of LSSS matrix
The total number of shared values generated by the secret sharing scheme
Byte lengths of the plaintext
Time complexity of the bilinear operation
Time complexity of the inverse operation over
The number of shared values generated at the leaf nodes
The number of shared values generated at the nonleaf nodes
It can be directly seen from Tables 11 and 12 that the scheme in this article has obvious advantages in the length of the master public and private keys, and the user private keys, which indicates that
algorithm and
algorithm are more efficient. In order to see the advantages of this scheme in
and
algorithms more intuitively, we will give the following example.
Let
and assume
bytes, when the embedded access structure is the circuit shown in Figure 6,
,
,
,
. We compare the specific parameters and time complexity by programming, as shown in Figures 7 and 8. The experimentation is performed on a Windows 10 64-bit operating system with an Intel Core i7-9700K @ 3.60 GHz processer, 32 GB RAM and the integrated development environment is Visual Studio 2022. The basic operations in the implementation of the algorithm depend on the Pairing-based Cryptography Library (PBC-0.5.14).
Parameter length.
Running time of algorithm.
Remark
This article constructs a collusion-resistant MA-ABE scheme based on the secret sharing scheme for multi-fan-in circuit, whose access structure supports many-time of attribute. Based on the RO model, we proved the fully adaptive security of the scheme. The experimental results show that the proposed scheme has obvious advantages in parameter size and algorithm efficiency. However, the size of the matrix
cannot be further reduced due to the use of
assumption. At the same time, if the secret sharing scheme of multi-fan-in and multi-fan-out circuit can be constructed, the ciphertext size will be smaller. Therefore, our next research direction mainly considers the replacement of the hardness assumption and the design of MA-ABE for multi-fan-in and multi-fan-out circuits based on square matrix.
Footnotes
Acknowledgements
This research was funded by the National Cryptologic Science Fund of China (no. 2025NCSF02044).
Funding
The author(s) disclosed
receipt of the following financial support for the research, authorship, and/or
publication of this article: This research was funded by the National Cryptologic Science Fund of China (nos.2025NCSF02044).
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.
References
1.
SahaiAWatersB. Fuzzy identity-based encryption. In: Advances in cryptology – EUROCRYPT 2005, 24th annual international conference on the theory and applications of cryptographic techniques (ed R Cramer), LNCS, Vol. 3494, 2005, pp.457–473. Heidelberg: Springer.
2.
GoyalVPandeyOSahaA, et al.Attribute-based encryption for fine-grained access control of encrypted data. In: 13th ACM conference on computer and communications security, CCS 2006, 2006, pp.89–98. Alexandria, VA, USA: ACM.
3.
ChaseM. Multi-authority attribute based encryption. In: Theory of cryptography, 4th theory of cryptography conference (TCC), 2007, pp.515–534. Amsterdam, The Netherlands: Springer.
4.
OkamotoTTakashimaK. Decentralized attribute-based encryption and signatures. IEICE Trans Fundam Electron Commun Comput Sci2020; 103-A(1): 41–73.
5.
DattaPKomargodskiIWatersB. Decentralized multi-authority ABE for DNFs from LWE. In: Advances in cryptology – EUROCRYPT 2021 – 40th annual international conference on the theory and applications of cryptographic techniques (eds A Canteaut and FX Standaert), LNCS, Vol. 12696, 2021, pp.177–209. Heidelberg: Springer.
6.
WatersBWeeHWuDJ. Multi-authority ABE from lattices without random oracles. In: Theory of cryptography – 20th international conference, 2022, pp.651–679. Chicago, IL, USA: Springer.
7.
DattaPKomargodskiIWatersB. Fully adaptive decentralized multi-authority ABE. In: Advances in cryptology – EUROCRYPT 2023 – 42nd annual international conference on the theory and applications of cryptographic techniques, 2023, pp.447–478. Lyon, France: Springer.
8.
ChenJChuQGaoY, et al.Improved fully adaptive decentralized MA-ABE for NC1 from MDDH. In: Advances in cryptology – ASIACRYPT 2023 – 29th international conference on the theory and application of cryptology and information security, 2023, pp.3–32. Guangzhou, China: Springer.
9.
BrakerskiZVaikuntanathanV. Lattice-inspired broadcast encryption and succinct ciphertext-policy ABE. In: 13th innovations in theoretical computer science conference (ITCS), 2022, CA, USA, pp.28:1–28:20.
10.
WeeH. Optimal broadcast encryption and CP-ABE from evasive lattice assumptions. In: Advances in cryptology – EUROCRYPT 2022 – 41st annual international conference on the theory and applications of cryptographic techniques, 2022, pp.217–241. Trondheim, Norway: Springer.
11.
TsabaryR. Candidate witness encryption from lattice techniques. In: Advances in cryptology – CRYPTO 2022 – 41st annual international conference on the theory and applications of cryptographic techniques, 2022, pp.535–559. Santa Barbara, CA, USA: Springer.
12.
KowalczykLWeeH. Compact adaptively secure ABE for NC1 From k-Lin. J Cryptol2020; 33(3): 954–1002.
13.
BenalohJCLeichterJ. Generalized secret sharing and monotone functions. In: Advances in cryptology – CRYPTO 1988, 8th annual international cryptology conference, 1988, pp.27–35. Santa Barbara, CA, USA: Springer.
14.
SunKGaoH. Adaptively secure KP-ABE for circuits with fan-in n and fan-out 1. Comput J2023; 66(10): 2554–2573.
15.
EscalaAHeroldGKiltzE, et al.An algebraic framework for Diffie-Hellman assumptions. J Cryptol2017; 30(1): 242–288.
16.
KarchmerMWigdersonA. On span programs. In: Proceedings of the eighth annual structure in complexity theory conference, 1993, pp.102–111. San Diego, CA, USA: IEEE Computer Society.
17.
RouselakisYWatersB. Efficient statically-secure large-universe multi-authority attribute-based encryption. In: Financial cryptography and data security – 19th international conference, FC 2015, 2015, pp.315–332. San Juan, Puerto Rico: Springer.