Abstract
Due to the high demand for data communication, broadcasting systems stream data daily. Such a service must not only deliver each message to the correct participants but also protect the identities of its users. In addition, all delivered information must remain protected for the party who employs the broadcasting service. Attribute-Based Broadcast Encryption (ABBE) is well suited to the broadcasting service. ABBE is a combination of Attribute-Based Encryption (ABE) and Broadcast Encryption (BE), which allows a broadcaster (or encrypter) to broadcast an encrypted message together with a predefined user set and a specified access policy that installs the authorization mechanism. It is desirable to hide all of this information in the ciphertext, which has not been considered in previous works on ABBE. Motivated by this issue, we devise a solution to achieve anonymity for the ABBE scheme, which not only hides the access structures but also anonymizes the users' identities. In this work, we propose two schemes, Anonymous Key Policy (AKP)-ABBE and Anonymous Ciphertext Policy (ACP)-ABBE, which support multiple access structures by using \(\textsf {OR}/\textsf {AND}\) gates. Specifically, we present generic constructions of AKP/ACP-ABBE on the building block of Inner Product Encryption (\(\textsf {IPE}\)), which enables hidden user identities and complex \(\textsf {OR}/\textsf {AND}\)-gate access structures. We show that our proposed schemes are secure in the standard model.
1 Introduction
The resources of a broadcasting channel are protected by allowing only authorized persons to access them [27]. Once access control is installed on the channel, an individual's attributes are attested before the individual may participate in the system. In addition, access control is defined not only by the user's identity but also by a predicate over attributes (age, career, address, etc.). Currently, many broadcasting systems integrate fine-grained access control into user authorization, such as mobile pay-TV [35], 5G direct access via satellite [12], and the Internet of Things [24]. Incorporating access control into broadcasting systems not only filters the users of the service but also prevents unauthorized attempts to access the system.
Among the existing cryptographic tools, Attribute-Based Broadcast Encryption (ABBE) [22, 36] is well suited to constructing an efficient mechanism of this kind, since it provides the complex access control that a broadcasting system needs. ABBE is a combination of Attribute-Based Encryption (ABE) [4, 6, 11, 16, 21, 28, 32] and Broadcast Encryption (BE) [5, 7, 14]. In the first proposal, ABBE [22] allows the broadcaster to select groups of users defined by their attributes. The scheme restricts decryption so that only the group of users who satisfy the access policy can decrypt the ciphertext of the broadcast encryption scheme. Technically, a user who joins the ABBE system is issued a secret key \(\textsf {SK}\) associated with a user identity \(\textsf {ID}\) and a set of user attributes \(\textsf {L}\). The broadcaster who launched the ABBE system then creates a ciphertext \(\textsf {CT}\), which is associated with a list \(\textsf {S}\) of user identities and an access policy \(\textsf {W}\). The access policy \(\textsf {W}\) is expressed as a predicate over the specified attributes. In the end, a user holding \(\textsf {SK}\) can decrypt the ciphertext \(\textsf {CT}\) if and only if the user's \(\textsf {ID}\) belongs to the set \(\textsf {S}\) of valid user identities and the user's attributes \(\textsf {L}\) satisfy the access policy \(\textsf {W}\).
Motivation A Pay TV system wants to uphold its customer service by offering exclusive prices and benefits, and it selects promising customers to participate in this campaign. However, none of this information, including the price, the benefits, and the customers, may be unveiled publicly. Only an authorized person can communicate with the system to obtain it. For example, the broadcaster encrypts the data associated with the group of \(\textsf {k}\) customers \(\{\textsf {ID}_1, \textsf {ID}_2, \ldots , \textsf {ID}_k\}\) and the access policy “(Town A \(\textsf {AND}\) Age > 22 \(\textsf {AND}\) No home-phone line) \(\textsf {OR}\) (Town C \(\textsf {AND}\) Registered home-phone line)”. The broadcaster therefore needs to protect all of this information when it is published on the channel. Indeed, if the access policy is hidden in the ciphertext, a competitor or adversary cannot extract the customers' information or learn Pay TV's strategy for attracting customers. Eventually, the customers who satisfy the access structure can subscribe to their favorite channels. The existing ABBE schemes [10, 20, 30, 33, 36] have not considered hiding the access policy when generating the ciphertext that is delivered on the broadcasting channel.
Contribution In order to anonymize both the information of the group of \(\textsf {ID}\) users and the access structures, this work proposes two Anonymous Key Policy Attribute Based Broadcast Encryption (AKP-ABBE) and Anonymous Ciphertext Policy Attribute Based Broadcast Encryption (ACP-ABBE) schemes. Our proposed schemes can hide the information of the group of \(\textsf {ID}\) users and the access structures when delivering to the broadcasting system. The access structure is expressed by the predicate of positive and negative attributes, which are concatenated by the Boolean gates \((\textsf {AND}, \textsf {OR})\). Formally, both the descriptions of AKP-ABBE and ACP-ABBE are similar to KP-ABBE [2, 30] and CP-ABBE [2, 30]. To strengthen the anonymity, we devise the solution to adapt two schemes KP-ABBE, CP-ABBE with OR/AND Gates with positive, negative attributes by exploiting the “attribute-hiding” Inner Product Encryption (\(\textsf {IPE}\)) [1, 3, 9, 19, 23, 26, 29] to achieve the A-KP-ABBE and A-CP-ABBE. We then enable the generic constructions for AKP-ABBE, ACP-ABBE.
In AKP-ABBE, to generate the ciphertext, we take as input a set of indices \(\textsf {S}\) and an attribute list \(\textsf {L}\) containing positive and negative attributes. We create the polynomial \(\mathcal {P}_{\textsf {S}}\) from all n elements of the set \(\textsf {S}\). To generate the coefficients of \(\mathcal {P}_{\textsf {S}}\), we apply the Viète theorem [31] to compute all the coefficients \((a_n, a_{n-1}, \ldots , a_1, a_0)\) of the polynomial from the elements of \(\textsf {S}\). Additionally, we aggregate all the attributes in the list \(\textsf {L}\) into one value b, then generate \((b^m, b^{m - 1}, \ldots , 1)\), where m is the total number of attributes in \(\textsf {L}\). Subsequently, we produce the ciphertext by calling the \(\textsf {IPE}\)’s encryption with the input \(\textbf{v} = (a_n, a_{n-1}, \ldots , a_1, a_0, b^m, b^{m - 1}, \ldots , 1)\) and message \(\textsf {M}\). To generate the secret key, we take as input a user \(\textsf {ID}\) and the complex access structure \(\textsf {W}= (\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_1} \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_2} \textsf {OR}\ldots \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_{m}})\). We encode \(\textsf {ID}\) as an integer value \(x_{\textsf {ID}}\) and then generate \(( x_{\textsf {ID}}^n, x_{\textsf {ID}}^{n-1}, x_{\textsf {ID}}^{n-2}, \ldots , 1)\). Similarly, we create the polynomial \(\mathcal {P}_{\textsf {W}}\) from the set \((\textsf {W}_1, \textsf {W}_2, \ldots , \textsf {W}_m)\) by the Viète theorem and obtain \((b_m, b_{m-1}, \ldots , b_1, b_0)\). We then produce the secret key by calling the \(\textsf {IPE}\)’s key generation with the input \(\textbf{x} = (x_{\textsf {ID}}^n, x_{\textsf {ID}}^{n-1}, x_{\textsf {ID}}^{n-2}, \ldots , 1,b_m, b_{m-1}, \ldots , b_1, b_0)\).
As a result, if the inner product of \((\textbf{v}, \textbf{x})\) equals zero, the \(\textsf {IPE}\)’s decryption will return the message \(\textsf {M}\). This means that the \(\textsf {ID}\) belongs to set \(\textsf {S}\), and the attribute list \(\textsf {L}\) satisfies the access structure \(\textsf {W}\). Mathematically, \(x_{\textsf {ID}}\) and aggregated b of \(\textsf {L}\) are the roots of polynomial \(\mathcal {P}_{\textsf {S}}\) and \(\mathcal {P}_{\textsf {W}}\), respectively.
On the other hand, ACP-ABBE is the inverse form of AKP-ABBE. A set of indices \(\textsf {S}\) and a complex access structure \(\textsf {W}\) are transformed into a vector \(\textbf{v}\), which is used for encryption. The user identity \(\textsf {ID}\) and the user’s attributes \(\textsf {L}\), containing positive and negative symbols, are transformed into another vector \(\textbf{x}\), which is used in key generation. Decryption succeeds if the \(\textsf {ID}\) belongs to the set \(\textsf {S}\) and the attribute list \(\textsf {L}\) satisfies the access structure \(\textsf {W}\).
Our proposed schemes use \(\textsf {IPE}\) to achieve hidden access structures. Hence, we apply the security proof of the \(\textsf {IPE}\) scheme in [19, 26] to prove that our AKP-ABBE and ACP-ABBE are secure in the standard model. We then compare with existing ABBE schemes to show our efficiency regarding hidden access structures and anonymity. Moreover, the generic constructions for AKP-ABBE and ACP-ABBE can be applied to many cryptographic primitives to achieve anonymity for ABBE schemes.
Related work Several ABBE schemes [2, 18, 22, 30] have been proposed in the literature. In [22], Lubicz and Sirvent proposed a CP-ABBE scheme which allows access policies to be expressed in disjunctive normal form, with the OR function provided by ciphertext concatenation. Attrapadung and Imai [2] proposed two KP-ABBE and two CP-ABBE schemes, which are constructed by algebraically combining some existing BE schemes (namely, the Boneh–Gentry–Waters BE scheme [7] and the Sahai–Waters BE scheme [29]) with some existing ABE schemes (namely, the KP-ABE scheme by Goyal et al. [16] and the CP-ABE scheme by Waters [32]). Junod and Karlov [18] also proposed a CP-ABBE scheme that supports boolean access policies with AND, OR and NOT gates. Junod and Karlov’s scheme achieved direct revocation by simply treating each user’s identity as a unique attribute in the attribute universe. The work in [30] proposed CP-ABBE and KP-ABBE schemes with constant ciphertext size, supporting AND gates with positive and negative attributes and wildcards. In addition, [10] presented an efficient constant-size private key ciphertext-policy ABBE scheme for disjunctive normal form supporting fast decryption, and [34] proposed an efficient ciphertext-policy attribute-based encryption scheme for partially hidden policy, direct revocation, and verifiable outsourced decryption. However, most current ABBE schemes do not address anonymous access structures, which are essential when outsourcing data in the broadcasting system.
Attribute-based encryption (ABE) [4, 6, 11, 16, 21, 28, 32], which was introduced by Sahai and Waters [28] and extensively studied in recent years [6, 16, 21, 32], provides fine-grained access control of encrypted data. In a Ciphertext Policy Attribute Based Encryption (CP-ABE) system, the user secret key is associated with a set of attributes, and the ciphertext is associated with an access policy. The ciphertext can be decrypted by a secret key if and only if the attributes associated with the secret key satisfy the access policy. A Key Policy ABE (KP-ABE) system can be defined in a similar way by swapping the positions of the attributes and the access policy. In the BE setting, a center is allowed to broadcast a secret to any subset of privileged users out of a universe of size n so that conjunctions of k users not in the privileged set cannot learn the secret. Apart from this, several broadcast encryption schemes have addressed many interesting problems, such as [7, 8, 13, 15, 17], with solutions for collusion resistance and for trace and revoke in BE.
1.1 Paper organization
We present the preliminaries and definitions in Sect. 2, followed by our generic constructions in Sect. 3 and the analysis of the security proof in Sect. 4. We discuss the extensions in Sect. 5, then give the comparisons in Sect. 6. The paper is concluded in Sect. 7.
2 Preliminaries
2.1 Bilinear map and its related assumptions
Let \({\mathbb {G}}\) and \(\mathbb {G_T}\) be two multiplicative cyclic groups of the same prime order p. Let \(e: {\mathbb {G}} \times {\mathbb {G}} \rightarrow \mathbb {G_T}\) be a bilinear map with the following properties:
1. Bilinearity: \(e(u^{a},v^{b}) = e(u^{b},v^{a}) = e(u,v)^{ab}\) for any \(u, v \in {\mathbb {G}}\) and \(a, b \in {\mathbb {Z}}_p\).
2. Non-degeneracy: \(e(g, g) \ne 1\).
Definition 1
The Decisional Bilinear Diffie–Hellman (DBDH) problem in \({\mathbb {G}}\) is defined as follows: given a tuple \((g,g^a,g^b,g^c,T) \in {\mathbb {G}}^{4} \times {\mathbb {G}}_T\), decide whether \(T = e(g,g)^{abc}\) or \(T = e(g,g)^{r}\) where a, b, c, r are randomly selected from \({\mathbb {Z}}_p\). An algorithm A has advantage \(\epsilon \) in solving the DBDH problem in \({\mathbb {G}}\) if
We say that the DBDH assumption holds in \({\mathbb {G}}\) if \(\epsilon \) is negligible for any PPT algorithm A.
Definition 2
The Decisional Linear (DLIN) problem in \({\mathbb {G}}\) is defined as follows: given a tuple \((g, g^a, g^b, g^{ac}, g^{d},Z)\) \(\in {\mathbb {G}}^5 \times {\mathbb {G}}_T\), decide whether \(Z = g^{b(c +d)}\) or Z is random in \({\mathbb {G}}\). An algorithm A has advantage \(\epsilon \) in solving the DLIN problem in \({\mathbb {G}}\) if
where \(a, b, c, d,r \in _R {\mathbb {Z}}_p\). We say that the DLIN assumption holds in \({\mathbb {G}}\) if \(\epsilon \) is negligible for any PPT algorithm A.
2.2 Anonymous key-policy attribute based broadcast encryption definition
Let \(\textsf {U}\) denote the set of all user indices and \(\textsf {N}\) as the set of all user attributes. An Anonymous Key-Policy Attribute Based Broadcast Encryption (AKP-ABBE) scheme consists of four algorithms:
- Setup(\(1^\lambda \)) The setup algorithm takes the security parameter \(1^\lambda \) as input and outputs the public parameters \(\textsf {PK}\), and a master key \(\textsf {MSK}\).
- Encrypt(\(\textsf {M}, \textsf {S}, \textsf {L}, \textsf {PK}\)) The encryption algorithm takes as input the public parameters \(\textsf {PK}\), a message \(\textsf {M}\), a set of user indices \(\textsf {S}\subseteq \textsf {U}\), a set of attributes \(\textsf {L}\subseteq \textsf {N}\), and outputs a ciphertext \(\textsf {CT}\).
- KeyGen(\(\textsf {ID}, \textsf {W}, \textsf {MSK}, \textsf {PK}\)) The key generation algorithm takes as input the master key \(\textsf {MSK}\), public parameters \(\textsf {PK}\), a user index \(\textsf {ID}\in \textsf {U}\), an access structure \(\textsf {W}\), and outputs a user secret key \(\textsf {SK}\).
- Decrypt(\(\textsf {CT}\), \(\textsf {SK}\)) The decryption algorithm takes as input a ciphertext \(\textsf {CT}\), and a private key \(\textsf {SK}\), then it outputs a message \(\textsf {M}\) or an error symbol ‘\(\bot \)’.
Security definition for AKP-ABBE We define the Selective IND-CPA security for AKP-ABBE via the following game.
- Init The adversary commits to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target attribute sets \((\textsf {L}^*_0, \textsf {L}^*_1)\).
- Setup The challenger runs the Setup algorithm and gives \(\textsf {PK}\) to the adversary.
- Phase 1 The adversary queries for private keys with pairs of user index and access structure \((\textsf {ID}, \textsf {W})\) following the cases:
  - \((\textsf {L}^*_0 \not \models \textsf {W}\text { and } \textsf {L}^*_1 \not \models \textsf {W})\) or \((\textsf {ID}\notin \textsf {S}^*_0 \text { and } \textsf {ID}\notin \textsf {S}^*_1)\).
  - \((\textsf {L}^*_0 \models \textsf {W}\text { and } \textsf {L}^*_1 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\).

  Then the challenger gives the adversary the corresponding secret key \(\textsf {SK}\). Otherwise, it outputs \(\perp \).
- Challenge The adversary submits the two messages \(\textsf {M}_0,\textsf {M}_1\) to the challenger with respect to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target attribute sets \((\textsf {L}^*_0, \textsf {L}^*_1)\). The challenger flips a random coin \(\beta \) and passes the ciphertext \(\textsf {CT}^* = \textsf {Encrypt}(\textsf {PK}, \textsf {M}_{\beta }, \textsf {L}^*_\beta , \textsf {S}^*_\beta )\) to the adversary.
- Phase 2 Phase 1 is repeated.
- Guess The adversary outputs a guess \(\beta ^{\prime }\) of \(\beta \).
Definition 1
We say an AKP-ABBE scheme is selective IND-CPA secure if for any probabilistic polynomial time adversary
is a negligible function of \(\lambda \).
2.3 Anonymous ciphertext-policy attribute-based broadcast encryption definition
An Anonymous Ciphertext-Policy Attribute-Based Broadcast Encryption (ACP-ABBE) scheme consists of four algorithms:
- Setup(\(1^\lambda \)): The setup algorithm takes the security parameter \(1^\lambda \) as input and outputs the public parameters \(\textsf {PK}\), and a master key \(\textsf {MSK}\).
- Encrypt(\(\textsf {M}, \textsf {S}, \textsf {W}, \textsf {PK}\)): The encryption algorithm takes as input the public parameters \(\textsf {PK}\), a message \(\textsf {M}\), a set of user indices \(\textsf {S}\subseteq \textsf {U}\), and an access structure \(\textsf {W}\), then outputs a ciphertext \(\textsf {CT}\).
- KeyGen(\(\textsf {ID}, \textsf {L}, \textsf {MSK}, \textsf {PK}\)): The key generation algorithm takes as input the master key \(\textsf {MSK}\), public parameters \(\textsf {PK}\), a user index \(\textsf {ID}\in \textsf {U}\), and a set of attributes \(\textsf {L}\subseteq \textsf {N}\), and outputs a user secret key \(\textsf {SK}\).
- Decrypt(\(\textsf {CT}\), \(\textsf {SK}\)): The decryption algorithm takes as input a ciphertext \(\textsf {CT}\), and a private key \(\textsf {SK}\), then outputs a message \(\textsf {M}\) or an error symbol ‘\(\bot \)’.
Security definition for ACP-ABBE We define the Selective IND-CPA security for ACP-ABBE via the following game.
- Init The adversary commits to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target access structures \((\textsf {W}^*_0, \textsf {W}^*_1)\).
- Setup The challenger runs the Setup algorithm and gives \(\textsf {PK}\) to the adversary.
- Phase 1 The adversary queries for private keys with pairs of user index and a user attribute list \((\textsf {ID}, \textsf {L})\) following the cases:
  - \((\textsf {L}\not \models \textsf {W}^*_0 \text { and } \textsf {L}\not \models \textsf {W}^*_1 )\) or \((\textsf {ID}\notin \textsf {S}^*_0 \text { and } \textsf {ID}\notin \textsf {S}^*_1)\).
  - \((\textsf {L}\models \textsf {W}^*_0 \text { and } \textsf {L}\models \textsf {W}^*_1 )\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\).
- Challenge The adversary submits messages \(\textsf {M}_0,\textsf {M}_1\) to the challenger with respect to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target access structures \((\textsf {W}^*_0, \textsf {W}^*_1)\). The challenger flips a random coin \(\beta \) and passes the ciphertext \(\textsf {CT}^*= \textsf {Encrypt}(\textsf {PK}, \textsf {M}_{\beta }, \textsf {W}^*_\beta , \textsf {S}^*_\beta )\) to the adversary.
- Phase 2 Phase 1 is repeated.
- Guess The adversary outputs a guess \(\beta ^{\prime }\) of \(\beta \).
Definition 2
We say an ACP-ABBE scheme is selective IND-CPA secure if for any probabilistic polynomial time adversary
is a negligible function of \(\lambda \).
2.4 Inner product encryption
Let \(\Sigma \in {\mathbb {Z}}\) be the set of attributes involving vectors \(\textbf{v}\) of dimension n, and \(\mathcal {F}\) be the class of predicates involving inner-products over vectors \( \mathcal {F} = \{f_{\textbf{v}}, \textbf{v} \in \Sigma \} \text { such that } f_{\textbf{v}}(\textbf{x}) = 1 \hbox { iff } <\textbf{v}, \textbf{x}> = 0 \). An inner-product encryption (\(\textsf {IPE}\)) scheme for the class of predicate \(\mathcal {F}\) over the set of attributes consists of four algorithms as follows:
- IPE.Setup(\(1^\lambda ,n\)): on input a security parameter \(1^{\lambda }\) and the vector length \(n = poly(\lambda )\), the algorithm outputs a public key \(\textsf {PK}\) and a master secret key \(\textsf {MSK}\).
- IPE.Encrypt(\(\textsf {M},\textsf {PK}, \textbf{v} = (v_1, v_2, \ldots , v_n)\)): on input a message \(\textsf {M}\), the public key \(\textsf {PK}\), and a vector \(\textbf{v} \in \Sigma ^n\), it outputs a ciphertext \(\textsf {CT}\).
- IPE.KeyGen(\(\textsf {MSK},\textbf{x} = (x_1, x_2, \ldots , x_n)\)): on input the master secret key \(\textsf {MSK}\), a vector \(\textbf{x} \in \Sigma \), the algorithm outputs a secret key \(\textsf {SK}\).
- IPE.Decrypt(\(\textsf {CT},\textsf {SK}\)): on input a secret key \(\textsf {SK}\) (w.r.t. a vector \(\textbf{x}\)) and a ciphertext \(\textsf {CT}\) (w.r.t. a vector \(\textbf{v}\)), if \(f_{\textbf{v}} (\textbf{x}) = 0\), the algorithm outputs a message \(\textsf {M}\); otherwise, it outputs \(\perp \).
Security model \(\textsf {IPE}\) scheme Following [19], we define the security, i.e., attribute-hiding property, of the IPE scheme. The security is defined by the following game interacted between an attacker \(\mathcal {A}\) and a challenger \(\mathcal {C}\). We assume that \((\Sigma , \mathcal {F})\) are given to both \(\mathcal {A}\) and \(\mathcal {C}\) in advance.
- Init \(\mathcal {A}\) outputs two vectors \(\textbf{v}, \textbf{x} \in \Sigma \).
- Setup \(\mathcal {C}\) runs Setup to obtain the public key \(\textsf {PK}\) and master secret key \(\textsf {MSK}\). \(\mathcal {A}\) is given \(\textsf {PK}\).
- Query Phase 1 \(\mathcal {A}\) adaptively issues private key queries for any vectors \(\mathbf {v_1},\ldots , \mathbf {v_n} \in \Sigma \), subject to the restriction that, \(\forall i,<\mathbf {v_i}, \textbf{x}> = 0\) if and only if \(<\mathbf {v_i}, \textbf{x}> = 0\). \(\mathcal {C}\) responds with \(\textsf {SK}_{\mathbf {v_i}} \leftarrow {\textsf {KeyGen}}(\textsf {SK}, \mathbf {v_i})\).
- Challenge \(\mathcal {A}\) outputs two messages \(\textsf {M}_0,\textsf {M}_1\) with equal length. If \(\textsf {M}_0 \ne \textsf {M}_1\), then it is required that \(<\textbf{v},\textbf{x}>\ne 0\ne <\textbf{x},\textbf{x}>\) for any \(\textbf{x}\) that appeared in Query Phase 1. \(\mathcal {C}\) flips a random coin \(b \in \{0,1\}\). If \(b = 0\), \(\mathcal {C}\) returns \(\textsf {CT}\leftarrow \textsf {Encryption}(\textsf {PK},\textbf{v},\textsf {M}_0)\) to \(\mathcal {A}\); otherwise, if \(b = 1\), \(\mathcal {C}\) returns \(\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PK},\textbf{x},\textsf {M}_1)\) to \(\mathcal {A}\).
- Query Phase 2 Phase 1 is repeated.
- Guess \( \mathcal {A}\) outputs a guess bit \(b'\) and succeeds if \(b' = b\).
The advantage of \(\mathcal {A}\) in this game is defined as \( Adv_{\mathcal {A}} (\lambda ) = {\textrm{Pr}}[b'= b] - \frac{1}{2}.\)
Definition 3
We say that an \(\textsf {IPE}\) scheme is attribute-hiding if for all polynomial time adversaries \(\mathcal {A}\), we have that \(Adv(\mathcal {A})\) is negligible.
In fact, the challenge ciphertext is given to \(\mathcal {A}\) as follows: if \(b = 0\) then \(\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PK}, \textbf{v}, \textsf {M}_0)\), and if \(b = 1\) then \(\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PK}, \textbf{x}, \textsf {M}_1)\). With \(Adv(\mathcal {A})\) defined as above, we say that an \(\textsf {IPE}\) scheme is attribute-hiding if, for all polynomial time adversaries \(\mathcal {A}\), \(Adv(\mathcal {A})\) is negligible.
2.5 Polynomial and roots
Consider a polynomial \(\mathcal {P}\) of degree n, defined as:
We then extract the coefficients of \(\mathcal {P}\) to create a vector \(\textbf{v}\) as follows:
In addition, we create a vector \(\textbf{x}\) by choosing an integer value x randomly as follows:
If \((\textbf{v} \cdot \overrightarrow{x}) = 0\), then we conclude that x is a root of the polynomial \(\mathcal {P}\) (Fig. 1).
2.6 Consequence of Viète formula
We apply a consequence of Viète’s formula to reconstruct all the coefficients of \(\mathcal {P}\) in (1) as follows:
Generally, we write: \(\sum _{1\le i_1< i_2< \cdots < i_k\le n} x_{i_1}x_{i_2}\cdots x_{i_k}=(-1)^k\frac{a_{n-k}}{a_n}\) for \(k = 1, 2, \ldots , n\).
Apart from Sect. 2.4, we can rewrite \(\textbf{v}\) as
Then we have \(\textbf{x} = (x^n, x^{n-1}, \ldots , x, 1)\). If \(<\textbf{v} \cdot \overrightarrow{x}> = 0\), then we conclude that x is a root of the polynomial \(\mathcal {P}\).
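The root-and-coefficient encoding of Sects. 2.5 and 2.6, combined as the Introduction describes for AKP-ABBE, can be checked numerically with the following added example (not code from the paper). It assumes a stand-in prime for p, constructed values for the encoding \(\tau _1\) and the per-attribute constants, and that each AND clause of the key's DNF policy is aggregated to one root in the same way as the attribute list; it performs only the vector encoding and the zero test, with no IPE encryption.

```python
# Added illustration of the AKP-ABBE vector encoding; not the paper's code.
# All constants are constructed sample values. No IPE encryption is performed:
# only the vectors v (ciphertext side), x (key side) and their inner product.

P = 2**61 - 1  # assumption: a prime standing in for the group order p

TAU = {"alice": 1001, "bob": 1002, "carol": 1003}  # constructed tau_1(ID)
T_POS = [3, 5, 7, 11]          # constructed value used when Att_i is '+'
T_NEG = [103, 205, 407, 811]   # constructed value used when Att_i is '-'


def poly_from_roots(roots):
    """Coefficients, highest degree first, of prod (X - r) mod P.

    These are the signed Viete coefficients a_{n-k} = (-1)^k * e_k(roots),
    where e_k is the sum of all products of k distinct roots.
    """
    coeffs = [1]
    for r in roots:
        nxt = coeffs + [0]                  # multiply the polynomial by X
        for i, c in enumerate(coeffs):      # then subtract r times the old one
            nxt[i + 1] = (nxt[i + 1] - r * c) % P
        coeffs = nxt
    return coeffs


def pad(coeffs, degree):
    """Left-pad with zeros so the polynomial fills a fixed vector length."""
    if len(coeffs) > degree + 1:
        raise ValueError("more roots than the fixed dimension allows")
    return [0] * (degree + 1 - len(coeffs)) + coeffs


def powers(x, degree):
    """(x^degree, ..., x, 1) mod P."""
    return [pow(x, k, P) for k in range(degree, -1, -1)]


def aggregate(signs):
    """Collapse a '+'/'-' pattern over all attributes into one value b."""
    if len(signs) != len(T_POS) or set(signs) - set("+-"):
        raise ValueError("pattern must give '+' or '-' for every attribute")
    return sum(T_POS[i] if s == "+" else T_NEG[i]
               for i, s in enumerate(signs)) % P


def ciphertext_vector(id_set, attr_signs, n, m):
    """v = (coefficients of P_S, powers of the aggregated attribute value)."""
    a = pad(poly_from_roots(sorted(TAU[i] for i in id_set)), n)
    return a + powers(aggregate(attr_signs), m)


def key_vector(user_id, dnf_clauses, n, m):
    """x = (powers of tau_1(ID), coefficients of P_W), one root per AND clause."""
    b = pad(poly_from_roots([aggregate(w) for w in dnf_clauses]), m)
    return powers(TAU[user_id], n) + b


def inner(v, x):
    return sum(a * b for a, b in zip(v, x)) % P


def terms(v, x, n):
    """The two summands of <v, x>: P_S(tau_1(ID)) and P_W(b)."""
    return inner(v[:n + 1], x[:n + 1]), inner(v[n + 1:], x[n + 1:])


if __name__ == "__main__":
    N, M = 3, 2                      # at most 3 identities, at most 2 clauses
    policy = ["+-+-", "-+-+"]        # constructed DNF policy in the key
    v = ciphertext_vector({"alice", "carol"}, "+-+-", N, M)
    for user in ("alice", "bob"):
        x = key_vector(user, policy, N, M)
        verdict = "decrypts" if inner(v, x) == 0 else "rejected"
        print(user, terms(v, x, N), verdict)
```

The inner product seen by the IPE zero test is the sum of the two values returned by `terms`, so it vanishes when the encoded identity is a root of \(\mathcal {P}_{\textsf {S}}\) and the aggregated attribute value is a root of \(\mathcal {P}_{\textsf {W}}\).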
3 Generic constructions
3.1 \(\textsf {AND}/\textsf {OR}\) gates access structure
3.1.1 AND gates positive/negative attributes
Let \(\textsf {U}= \{\textsf {Att}_1,\textsf {Att}_2,...,\textsf {Att}_n\}\) be the universe of the attributes in the system. Each \(\textsf {Att}_i\) is represented by a unique value \(A_i\). When a user joins the system, the user is tagged with an attribute list defined as \(\textsf {S}= \{\textsf {S}_1,\textsf {S}_2,...,\textsf {S}_n\}\) where each symbol \(\textsf {S}_i\) has two possible values: ‘\(+\)’ and ‘−’. Let \(\textsf {W}= \{\textsf {S}'_1,\textsf {S}'_2,...,\textsf {S}'_n\}\) denote an AND-gate access policy where each symbol \(\textsf {S}'_i\) has two possible values: ‘\(+\)’ and ‘−’. We use the notation \(\textsf {S}\models \textsf {W}\) to denote that the attribute list \(\textsf {S}\) of a user satisfies \(\textsf {W}\).
We illustrate the \(\textsf {AND}\) gates with positive/negative attributes by the following example. Suppose that \(\textsf {U}= \{\textsf {Att}_1 = \hbox {CS}, \textsf {Att}_2 = \hbox {EE}, \textsf {Att}_3= \hbox {Professor}, \textsf {Att}_4=\hbox {Faculty}, \textsf {Att}_5=\hbox {Student}, \textsf {Att}_6=\hbox {Tutor}\}\). Alice is a student and tutor in the CS department; Bob is a faculty member in the EE department; Carol is a faculty member holding a joint position in the EE and CS departments. All attribute lists are given in Table 1. In addition, the access structure \(\textsf {W}_1\) is designed to allow all the students and tutors in only the CS department to access the system.
Observably, only Alice is a student/tutor of the CS department, and she is attested to access the system since Alice’s attributes satisfy the access structure \(\textsf {W}_1\).
3.1.2 Multiple \(\textsf {OR}/\textsf {AND}\) gates
In this work, we consider complex access structures, which express the predicate over attributes using both \(\textsf {OR}\) and \(\textsf {AND}\) gates.
Suppose that we have an access structures \(\textsf {W}_1\) as follows:
as the Disjunctive Normal Form (DNF). Utilizing the set of attributes \(\textsf {U}= \{\textsf {Att}_1,\textsf {Att}_2,...,\textsf {Att}_n\}\) in AND gate access structure, \(\textsf {W}_1\) is expressed as:
Referring to Table 2, we decouple \(\textsf {W}_1\) into the two access structures \(\textsf {W}_{11}\) and \(\textsf {W}_{12}\). If a user's set of attributes satisfies \(\textsf {W}_{11}\) or \(\textsf {W}_{12}\), then the user is valid to decrypt the message.
Next, we consider the Conjunctive Normal Form (CNF) access structures \(\textsf {W}_2\) as follows:
In practice, \(\textsf {W}_2\) is expressed by the attributes in set \(\textsf {U}\) as:
We then transform \(\textsf {W}_2\) into the following form:
Referring to Table 3, we interpret \(\textsf {W}_2\) as the set of access structures \((\textsf {W}_{21}, \textsf {W}_{22}, \textsf {W}_{23}, \textsf {W}_{24})\). If a user's set of attributes satisfies \(\textsf {W}_{21}\) or \(\textsf {W}_{22}\) or \(\textsf {W}_{23}\) or \(\textsf {W}_{24}\), then the user is valid to decrypt the message. As a result, we realize that when a user joins the system, the user is tagged with an attribute list defined as \(\textsf {S}= \{A_i\}_{i \in \{ 1, m\}}\). We conclude with the two statements as follows:
- \(\textsf {S}\models \textsf {W}_1\), if the set of attributes in \(\textsf {S}\) satisfies one of the \(\textsf {AND}\) literals in \(\textsf {W}_1\).
- \(\textsf {S}\models \textsf {W}_2\), if the set of attributes in \(\textsf {S}\) satisfies all of the \(\textsf {OR}\) literals in \(\textsf {W}_2\).
3.2 Original IPE construction
In this section, we present the original IPE scheme [25], which is a building block for constructing our proposed work later.
Setup(\(1^k, n\)): The setup algorithm first randomly generates \((g, {\mathbb {G}}, {\mathbb {G}}_T,p, e)\), where n is the maximum length of a vector. It then randomly chooses \(\gamma _1, \gamma _2, \theta _1, \theta _2, \{u_{1,i}\}_{i = 1}^{n}, t_1, \{t_{1,i}\}_{i = 1}^{n}, \{t_{2,i}\}_{i = 1}^{n}, \{w_{1,i}\}_{i = 1}^{n}, \{z_{1,i}\}_{i = 1}^{n}, \{z_{2,i}\}_{i = 1}^{n}\) in \({\mathbb {Z}}_p\) and \(g_2\) in \({\mathbb {G}}\). Then it selects a random \(\Delta \in {\mathbb {Z}}_p\) and obtains \(\{u_{2,i}\}^{n}_{i = 1}, \{w_{2,i}\}^{n}_{i = 1}, w_2, u_2\) under the conditions \(\Delta = \gamma _1 u_{2,i} - \gamma _2 u_{1,i}\) and \(\Delta = \theta _1 w_{2,i} - \theta _2 w_{1,i}\).
For i from 1 to n, it creates:
Next it sets \(g_1 = g^{\Delta }, Y=e(g,g_2)\), and the public key \(\textsf {PK}\) and master key \(\textsf {MSK}\) as
Encrypt(\(\textsf {PK}, \textbf{v}, \textsf {M}\)): The encryption algorithm chooses random \(s_1, s_2, \alpha , \beta \in {\mathbb {Z}}_p\) and creates the ciphertext as follows:
where \(\textbf{v} = (v_1, \ldots , v_n)\), then ciphertext CT is set as:
KeyGen(\(\textsf {PK},\textbf{x},\textsf {MSK}\)): The key generation algorithm chooses randomly \(r_{i,1}, r_{i,2}\) for \(i = 1\) to n, and \(f_1, f_ 2, r_1, r_2 \in {\mathbb {Z}}_p\), and then creates the secret key as follows:
where \(\textbf{x} = (x_1, \ldots , x_n)\), the secret key is set as:
Decrypt(\(\textsf {SK}, \textsf {CT}\)): The decryption algorithm returns
Therefore, the message M will be returned iff \((\textbf{v}, \textbf{x})= 0\) meaning the attributes list in user key \(\textsf {SK}\) satisfies the access policy in the ciphertext \(\textsf {CT}\).
Following the description of the above Multiple OR/AND gate access structures and the original IPE construction, we present two Anonymous Key Policy Attribute Based Broadcast Encryption and Anonymous Ciphertext Policy Attribute Based Broadcast Encryption schemes with OR/AND Gate with positive, negative attributes in access structure.
3.3 Generic construction of AKP-ABBE from IPE
In our AKP-ABBE scheme, we consider only two values of attributes, positive and negative. For the construction, we require an (n + m)-dimensional \(\textsf {IPE}\) scheme, where n is the number of set indices, and m is the maximum number of access structures. In this scheme, we present the construction for the DNF access structure, since the CNF form can be converted to DNF.
Let \(\textsf {U}\) denote the set of all user indices, and \(\textsf {N}\) as the set of all user attributes and given an \(\textsf {IPE}\) scheme with four algorithms: (IPE.Setup, IPE.KeyGen, IPE.Enc, IPE.Dec), we construct an AKP-ABBE scheme with the corresponding four algorithms Setup, KeyGen, Encrypt, Decrypt, which we elaborate as follows:
-
Setup(\(1^k\)): The algorithm chooses a suitable encoding \(\tau _1\) sending each of the n indicies \(\textsf {ID}\in {\mathbb {N}}\) onto an element \(\tau _1(\textsf {ID}) = x_1 \in (\mathbb {Z / \hbox {p}{\mathbb {Z}}})^{*}\), and choose \(t_1, \ldots , t_{2_n}\) randomly in \({\mathbb {Z}}_p\). It runs IPE.Setup( \(1^{k}, n+m\)) with m as the number of attributes to construct to access structure, and outputs public parameters \(\textsf {PK}\) and a master key \(\textsf {MSK}\).
- Encrypt(\(\textsf {PK}, \textsf {M}, \textsf {S}, \textsf {L}\)): The algorithm takes as input a user index set \(\textsf {S}= \{\textsf {ID}_a, \textsf {ID}_b, \textsf {ID}_c,\ldots , \textsf {ID}_s\} \subseteq \textsf {U}\), a message \(\textsf {M}\), and an attribute list \(\textsf {L}\). The algorithm transforms \((\textsf {S}, \textsf {L})\) into \(\textbf{v}\) as follows:
The user index set is input as \(\textsf {S}= (\textsf {ID}_a, \textsf {ID}_b, \textsf {ID}_c, \ldots , \textsf {ID}_s) \subseteq \textsf {U}\). We denote by \(\Delta \) the total number of elements in the set \(\textsf {S}\); the algorithm then applies Viète’s formulas to compute:
$$\begin{aligned} {\left\{ \begin{array}{ll} \tau _1(\textsf {ID}_a) + \tau _1 (\textsf {ID}_b) + \tau _1(\textsf {ID}_c) +\ldots + \tau _1(\textsf {ID}_s) &{}= a_{\Delta }\\ \tau _1(\textsf {ID}_a) \tau _1(\textsf {ID}_b) + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_c) + \ldots + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_s )\\ \ldots + \tau _1(\textsf {ID}_{\Delta -1})\tau _1(\textsf {ID}_s) &{}= a_{\Delta - 1}\\ \ldots \\ \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_b)\tau _1(\textsf {ID}_c)\ldots \tau _1(\textsf {ID}_s) &{}= a_0 \end{array}\right. } \end{aligned}$$(2)
The algorithm converts a user attribute list \(\textsf {L}\) by generating:
$$\begin{aligned} \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_i \hbox { is } + &{}: r'_i= t_i\\ \textsf {Att}_i \text{ is } - &{}: r'_i = t_{2_i}\\ \end{array}\right. } \end{aligned}$$(3)
Then it sets \(b = \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\), and computes, based on b:
$$\begin{aligned} {\left\{ \begin{array}{ll} b_m &{}= b^m\\ b_{m-1} &{}= b^{m-1}\\ b_{m-2} &{} = b^{m-2}\\ \ldots \\ b_{0} &{} = 1 \end{array}\right. } \end{aligned}$$
The vector \(\textbf{v}\) is produced as
$$\begin{aligned} \textbf{v} = (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0, b_m, \ldots , 1_m). \end{aligned}$$
Then it runs \(\textsf {CT}\leftarrow \textsf {IPE.Enc(PK,} \textbf{v}, \textsf {M)}\), and outputs the ciphertext \(\textsf {CT}\).
- KeyGen(\(\textsf {MSK}, \textsf {ID}, \textsf {W}= (\textsf {W}_1~\textsf {OR}~\ldots ~\textsf {OR}~ \textsf {W}_{m})\)): Suppose that a user joins the system with a given user identity \(\textsf {ID}\) and the access structure \(\textsf {W}= (\textsf {W}_1~\textsf {OR}~\ldots ~\textsf {OR}~ \textsf {W}_{m})\). The algorithm takes \((\textsf {ID}, \textsf {W})\) as input and transforms them into a vector \(\textbf{z}\) as follows:
It encodes \(\textsf {ID}\) by \(\tau _1(\textsf {ID}) = x_{\textsf {ID}} \in ({\mathbb {Z}}/p{\mathbb {Z}})^*\). Then, we compute \(x_{\textsf {ID}}\) as one of the roots of a polynomial of degree n:
$$\begin{aligned} {\left\{ \begin{array}{ll} a'_n &{}= x_{\textsf {ID}}^n\\ a'_{n-1} &{}= x_{\textsf {ID}}^{n-1}\\ a'_{n-2} &{} = x_{\textsf {ID}}^{n-2}\\ \ldots \\ a'_0 &{} = 1 \end{array}\right. } \end{aligned}$$(4)
Next, the access structure \(\textsf {W}\) is interpreted as:
$$\begin{aligned} \textsf {W}= & {} (\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{W_1} \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{W_2} \textsf {OR}\ldots \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_{m}} ). \end{aligned}$$
Then the algorithm computes as follows:
$$\begin{aligned} \hbox {Each }\textsf {W}_i, \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_j \hbox { is } + &{}: r_{j} =t_i,\\ \textsf {Att}_j \text{ is } - &{}: r_j = t_{2_i}\\ \end{array}\right. }; \end{aligned}$$
Then it sets \(\textsf {W}_i = \sum \limits _{\textsf {Att}_j \in \textsf {W}_i} r_j\).
Next, it applies Viète’s formulas as in (2) to compute the whole access structure \(\textsf {W}\):
$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {W}_1 + \textsf {W}_2 + \ldots + \textsf {W}_{m} &{}= b'_{m -1}\\ \textsf {W}_1\textsf {W}_2 + \textsf {W}_1\textsf {W}_3 + \ldots + \textsf {W}_{m-1}\textsf {W}_{m} &{}= b'_{m - 2}\\ \ldots \\ \textsf {W}_1\textsf {W}_2\ldots \textsf {W}_{m} &{}= b'_0 \end{array}\right. } \end{aligned}$$(5)
The vector \(\textbf{z}\) is produced as
$$\begin{aligned} \textbf{z} = (a'_n, a'_{n-1}, \ldots , 1_n, 1_{m}, b'_{m - 1}, \ldots , b'_0). \end{aligned}$$
Then it runs \(\textsf {SK}\leftarrow \textsf {IPE.KeyGen}(\textsf {PK}, \textbf{z}, \textsf {MSK})\), and outputs the secret key \(\textsf {SK}\).
- Decrypt(\(\textsf {SK}, \textsf {CT}\)): The algorithm runs IPE.Dec(CT, SK) and outputs the message \(\textsf {M}\) iff \(\langle \textbf{v}, \textbf{z}\rangle = 0\).
Correctness: for the vector \(\textbf{v} = (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0, b_m, \ldots , 1_m)\) corresponding to the set of user indices \(\textsf {S}\) and attribute list \(\textsf {L}\) in the ciphertext \(\textsf {CT}\), and the vector \(\textbf{z} = (a'_n, a'_{n-1}, \ldots , 1_n, 1_{m}, b'_{m - 1}, \ldots , b'_0)\) corresponding to the secret key component \(\textsf {SK}\) in the AKP-ABBE, we have:
If \(\sum \limits _{i = 0}^{n + m} v_i \cdot x_i = 0\), the algorithm returns \(\textsf {M}\). This means that the user \(\textsf {ID}\) belongs to the set of indices \(\textsf {S}\), and the attribute list \(\textsf {L}\) satisfies the user’s access structures \({\mathbb {W}}\). Otherwise, the algorithm returns \(\perp \).
Theorem 1
Our AKP-ABBE scheme is secure under the standard assumption if the underlying \(\textsf {IPE}\) is secure under the standard assumption.
3.4 Generic construction of ACP-ABBE from IPE
The ACP-ABBE scheme is a dual form of AKP-ABBE.
3.4.1 Main scheme
Given an \(\textsf {IPE}\) scheme with four algorithms (IPE.Setup, IPE.KeyGen, IPE.Enc, IPE.Dec), we construct an ACP-ABBE scheme with the corresponding four algorithms (Setup, KeyGen, Encrypt, Decrypt) as follows:
- Setup(\(1^k\)): The algorithm chooses a suitable encoding \(\tau _1\) sending each of the n indices \(\textsf {ID}\in {\mathbb {N}}\) onto an element \(\tau _1(\textsf {ID}) = x_1 \in ({\mathbb {Z}}/p{\mathbb {Z}})^{*}\), and chooses \(t_1, \ldots , t_{2_n}\) randomly in \({\mathbb {Z}}_p\). It runs IPE.Setup(\(1^{k}, n+m\)), with m as the number of attributes used to construct the access structure, and outputs public parameters \(\textsf {PK}\) and a master key \(\textsf {MSK}\).
- Encrypt(\(\textsf {PK}, \textsf {M}, \textsf {S}, \textsf {W}= (\textsf {W}_1~ \textsf {OR}\ldots \textsf {OR}~ \textsf {W}_m)\)): The algorithm takes as input a user index set \(\textsf {S}= \{\textsf {ID}_a, \textsf {ID}_b, \textsf {ID}_c,\ldots , \textsf {ID}_s\} \subseteq \textsf {U}\), a message \(\textsf {M}\), and the access structure \(\textsf {W}= (\textsf {W}_1~ \textsf {OR}\ldots \textsf {OR}~ \textsf {W}_m)\). The algorithm transforms \((\textsf {S}, \textsf {W})\) into \(\textbf{v}\) as follows:
The user index set is input as \(\textsf {S}= (\textsf {ID}_a, \textsf {ID}_b, \textsf {ID}_c, \ldots , \textsf {ID}_s) \subseteq \textsf {U}\). We denote by \(\Delta \) the total number of elements in the set \(\textsf {S}\); the algorithm then applies Viète’s formulas to compute:
$$\begin{aligned} {\left\{ \begin{array}{ll} \tau _1(\textsf {ID}_a) + \tau _1 (\textsf {ID}_b) + \tau _1(\textsf {ID}_c) +\ldots + \tau _1(\textsf {ID}_s) &{}= a_{\Delta }\\ \tau _1(\textsf {ID}_a) \tau _1(\textsf {ID}_b) + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_c) + \ldots + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_s )\\ \ldots + \tau _1(\textsf {ID}_{\Delta -1})\tau _1(\textsf {ID}_s) &{}= a_{\Delta - 1}\\ \ldots \\ \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_b)\tau _1(\textsf {ID}_c)\ldots \tau _1(\textsf {ID}_s) &{}= a_0 \end{array}\right. } \end{aligned}$$(6)
Next, the access structure \(\textsf {W}\) is interpreted as:
$$\begin{aligned} \textsf {W}= & {} (\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} \textsf {Att}_i)}_{W_1} \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} \textsf {Att}_i)}_{W_2} \textsf {OR}\ldots \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} \textsf {Att}_i)}_{W_{m}} ). \end{aligned}$$
Then the algorithm computes as follows:
$$\begin{aligned} \hbox {Each } \textsf {W}_i, \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_j \hbox { is } + &{}: r_{j} =t_i,\\ \textsf {Att}_j \text{ is } - &{}: r_j = t_{2_i}\\ \end{array}\right. }; \end{aligned}$$
Then it sets \(\textsf {W}_i = \sum \limits _{\textsf {Att}_j \in \textsf {W}_i} r_j\).
Next, it applies Viète’s formulas as in (2) to compute the whole access structure \(\textsf {W}\):
$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {W}_1 + \textsf {W}_2 + \ldots + \textsf {W}_{m} &{}= b'_{m -1}\\ \textsf {W}_1\textsf {W}_2 + \textsf {W}_1\textsf {W}_3 + \ldots + \textsf {W}_{m-1}\textsf {W}_{m} &{}= b'_{m - 2}\\ \ldots \\ \textsf {W}_1\textsf {W}_2\ldots \textsf {W}_{m} &{}= b'_0 \end{array}\right. } \end{aligned}$$(7)
Then it produces a vector:
$$\begin{aligned} \textbf{v} = \big (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0,1_{m}, b'_{m - 1}, \ldots , b'_0\big ) \end{aligned}$$
Then it runs IPE.Enc(PK, \(\textbf{v}\), M), and outputs the ciphertext \(\textsf {CT}\).
- KeyGen(\(\textsf {MSK}, \textsf {ID}, \textsf {L}\)): Suppose that a user joins the system with a given user identity \(\textsf {ID}\) and his attribute list \(\textsf {L}\). The algorithm takes \((\textsf {ID}, \textsf {L})\) as input and transforms them into a vector \(\textbf{z}\) as follows:
It encodes \(\textsf {ID}\) by \(\tau _1(\textsf {ID}) = x_{\textsf {ID}} \in ({\mathbb {Z}}/p{\mathbb {Z}})^*\). Then, we compute \(x_{\textsf {ID}}\) as one of the roots of a polynomial of degree n:
$$\begin{aligned} {\left\{ \begin{array}{ll} a'_n &{}= x_{\textsf {ID}}^n\\ a'_{n-1} &{}= x_{\textsf {ID}}^{n-1}\\ a'_{n-2} &{} = x_{\textsf {ID}}^{n-2}\\ \ldots \\ a'_0 &{} = 1 \end{array}\right. } \end{aligned}$$(8)
The algorithm converts a user attribute list \(\textsf {L}\) by generating:
$$\begin{aligned} \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_i \hbox { is } + &{}: r'_i= t_i\\ \textsf {Att}_i \text{ is } - &{}: r'_i = t_{2_i}\\ \end{array}\right. } \end{aligned}$$(9)
Then it sets \(b = \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\), and computes, based on b:
$$\begin{aligned} {\left\{ \begin{array}{ll} b_m &{}= b^m\\ b_{m-1} &{}= b^{m-1}\\ b_{m-2} &{} = b^{m-2}\\ \ldots \\ b_{0} &{} = 1 \end{array}\right. } \end{aligned}$$
We then produce a vector:
$$\begin{aligned} \textbf{z} = \big (a'_n, a'_{n-1}, \ldots , 1_n, b_m, \ldots , 1_m\big ) \end{aligned}$$
Then it runs IPE.KeyGen(PK, \(\textbf{z}\), MSK), and outputs the secret key \(\textsf {SK}\).
- Decrypt(\(\textsf {CT}, \textsf {SK}\)): The algorithm takes as input the ciphertext \(\textsf {CT}\) and the user’s secret key \(\textsf {SK}\), then it runs IPE.Dec(CT, SK) and outputs the message \(\textsf {M}\) iff \(\langle \textbf{v}, \textbf{z}\rangle = 0\). Otherwise, the algorithm outputs the symbol \(\perp \).
Correctness: for the vector \(\textbf{v} = (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0,1_{m}, b'_{m - 1}, \ldots , b'_0)\) corresponding to the set of user indices \(\textsf {S}\) and access structure \(\textsf {W}\) embedded in the ciphertext CT, and the vector \(\textbf{z} = (a'_n, a'_{n-1}, \ldots , 1_n, b_m, \ldots , 1_m)\) corresponding to the secret key component \(\textsf {SK}\) in the ACP-ABBE, we have:
If \(\sum \limits _{i = 0}^{n + m} v_i \cdot x_i = 0\), the algorithm returns \(\textsf {M}\). This means that the user \(\textsf {ID}\) belongs to the set of indices \(\textsf {S}\), and the user attribute list \(\textsf {L}\) satisfies the access structures \({\mathbb {W}}\). Otherwise, the algorithm returns \(\perp \).
Constructions of secret keys: We assume \(\sum _{att_i \in L}^{} \gamma _1 \ne \sum _{att_i \in L'}^{} \gamma _1 \) in both AKP-ABBE and ACP-ABBE.
If there exist \(\textsf {L}\) and \(\textsf {L}' (\textsf {L}\ne \textsf {L}')\) such that \(\sum _{\textsf {Att}_i \in \textsf {L}}^{} \gamma _1 = \sum _{\textsf {Att}_i \in \textsf {L}'}^{} \gamma _1 \), a user with attribute list \(\textsf {L}\) can decrypt a ciphertext associated with \(\textsf {W}\), where \(\textsf {L}'\not \models \textsf {W}\) and \( \textsf {L}\models \textsf {W}\).
Hence, the assumption holds with overwhelming probability:
where p is the prime number chosen in the first step and \(N = \prod _{i = 1}^{2n} \gamma _i\). If each secret key \(\gamma _i\) is chosen at random from \({\mathbb {Z}}_p\), then our assumption is natural. Then, the advantage of \(\mathcal {A}\) in this game is defined as \({{\textbf {Adv}}}_{\mathcal {A}} \cdot (1 - \frac{N^2}{p})\).
Theorem 2
Our ACP-ABBE scheme is secure under the standard assumption if the underlying \(\textsf {IPE}\) is secure under the standard assumption.
4 Security analysis
Our AKP-ABBE and ACP-ABBE schemes use \(\textsf {IPE}\) to achieve hidden access structures. Indeed, the access structure and the user index set are transformed into a vector. In this part, we choose AKP-ABBE to elaborate the security analysis. To prove that our AKP-ABBE scheme is access-structure hiding, we apply indistinguishability, in which the adversary cannot distinguish two vectors \(\textbf{v}\) and \(\textbf{x}\). These two vectors correspond to \((\textsf {S}^*_0, \textsf {L}^*_0)\) and \((\textsf {S}^*_1, \textsf {L}^*_1)\), respectively, which have been used to generate the two ciphertexts \(\textsf {M}_0\) and \(\textsf {M}_1\).
Based on these games, we apply the security proof of [19] to our Theorems 1 and 2 directly. To prove that AKP-ABBE is secure under the indistinguishable chosen-plaintext attack, we consider two cases, \(\textsf {M}_0 = \textsf {M}_1\) and \(\textsf {M}_0 \ne \textsf {M}_1\):
- \(\textsf {M}_0 = \textsf {M}_1\): we only consider the following game sequence from \({\textbf {Game}}_1\) to \({\textbf {Game}}_5\). In this case, we prove the property of attribute hiding.
- \(\textsf {M}_0 \ne \textsf {M}_1\): we consider the whole proof from \({\textbf {Game}}_0\) to \({\textbf {Game}}_6\).
We then present a description of each game, where the challenge ciphertexts \(\textsf {CT}_1, \ldots , \textsf {CT}_6\) are generated by the IPE’s encryption scheme:
- \({\textbf {Game}}_0:\) The challenge ciphertext \(\textsf {CT}_0\) is generated under \((\textbf{v}, \textbf{v})\) and \(\textsf {M}_0\).
- \({\textbf {Game}}_1:\) The challenge ciphertext \(\textsf {CT}_1\) is generated under \((\textbf{v}, \textbf{v})\) and a random message R.
- \({\textbf {Game}}_2:\) The challenge ciphertext \(\textsf {CT}_2\) is generated under \((\textbf{v}, \textbf{0})\) and a random message R.
- \({\textbf {Game}}_3:\) The challenge ciphertext \(\textsf {CT}_3\) is generated under \((\textbf{v}, \textbf{x})\) and a random message R.
- \({\textbf {Game}}_4:\) The challenge ciphertext \(\textsf {CT}_4\) is generated under \((\textbf{0}, \textbf{x})\) and a random message R.
- \({\textbf {Game}}_5:\) The challenge ciphertext \(\textsf {CT}_5\) is generated under \((\textbf{x}, \textbf{x})\) and a random message R.
- \({\textbf {Game}}_6:\) The challenge ciphertext \(\textsf {CT}_6\) is generated under \((\textbf{x}, \textbf{x})\) and message \(\textsf {M}_1\).
Proof. Suppose that the adversary commits to the challenge user indices \(\textsf {S}^*_0 = (\textsf {ID}^*_{0a}, \textsf {ID}^*_{0b}, \textsf {ID}^*_{0c},\ldots , \textsf {ID}^*_{0\,s})\) and \(\textsf {S}^*_1 = (\textsf {ID}^*_{1a}, \textsf {ID}^*_{1b}, \textsf {ID}^*_{1c},\ldots ,\textsf {ID}^*_{1\,s} ) \subseteq \textsf {U}\), and the target attribute sets \(\textsf {L}^*_0 = (\textsf {Att}^*_{01}, \ldots , \textsf {Att}^*_{0m})\) and \(\textsf {L}^*_1 = (\textsf {Att}^*_{11}, \ldots , \textsf {Att}^*_{1m})\) at the beginning of the game.
The vector \(\textbf{v}\) is produced from \(\textsf {S}^*_0 = (\textsf {ID}^*_{0a}, \textsf {ID}^*_{0b}, \textsf {ID}^*_{0c},\ldots , \textsf {ID}^*_{0\,s})\) and \(\textsf {L}^*_0 = (\textsf {Att}^*_{01}, \ldots , \textsf {Att}^*_{0\,m})\) by using (2), (3) from the original construction.
The vector \(\textbf{x}\) is produced from \(\textsf {S}^*_1 = (\textsf {ID}^*_{1a}, \textsf {ID}^*_{1b}, \textsf {ID}^*_{1c},\ldots , \textsf {ID}^*_{1\,s})\) and \(\textsf {L}^*_1 = (\textsf {Att}^*_{11}, \ldots , \textsf {Att}^*_{1\,m})\) by using (2), (3) from the original construction.
We also note that in the query phase the adversary is issued the \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\). The \(\textsf {SK}\) is related to \(\textbf{y}\), where \(\textbf{y}\) is produced from the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) by using (4), (5) from the original construction.
We use the above sequence of hybrid games to prove that the adversary cannot win the original security game with non-negligible advantage. We begin with game \({\textbf {Game}}_0\).
Indistinguishability between \({\textbf {Game}}_0\) and \({\textbf {Game}}_1\)
If the adversary obtains the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) such that \((\textsf {L}^*_0 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0)\) (meanwhile \(\langle \textbf{v}, \textbf{y}\rangle = 0\)), then the challenge ciphertext is generated correctly. We consider that the challenge ciphertext is distributed as in \({\textbf {Game}}_0\).
On the other hand, if the adversary obtains the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) where \((\textsf {L}^*_0 \not \models \textsf {W})\) and \((\textsf {ID}\notin \textsf {S}^*_0)\) (meanwhile \(\langle \textbf{v}, \textbf{y}\rangle \ne 0\)), then the challenge ciphertext component \(C_m\) of the IPE scheme is a random element in \({\mathbb {G}}_T\) regardless of the random choice, while the rest of the challenge ciphertext is generated in the original way. Then we consider that the challenge ciphertext is distributed as in \({\textbf {Game}}_1\).
Indistinguishability between \({\textbf {Game}}_1\) and \({\textbf {Game}}_2\)
If the adversary obtains the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) where \((\textsf {L}^*_0 \not \models \textsf {W})\) and \((\textsf {ID}\notin \textsf {S}^*_0)\), or \((\textsf {L}^*_0 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0)\), or \((\textsf {L}^*_0 \not \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0)\) (meanwhile \(\langle \textbf{v}, \textbf{y}\rangle \ne 0\)), or \((\textsf {L}^*_0 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0)\) (meanwhile \(\langle \textbf{v}, \textbf{y}\rangle = 0\)), then the challenge ciphertext is generated correctly. We consider that the challenge ciphertext is distributed as in \({\textbf {Game}}_1\).
On the other hand, if the adversary obtains the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) by relaxed generation, then the two challenge ciphertext components \(C_{3,i}\) and \(C_{4,i}\) are random elements in \({\mathbb {G}}\) regardless of the random choice, while the rest of the challenge ciphertext is generated in the original way. Then we consider that the challenge ciphertext is distributed as in \({\textbf {Game}}_2\).
Indistinguishability between \({\textbf {Game}}_2\) and \({\textbf {Game}}_3\)
If the adversary obtains the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) such that \((\textsf {L}^*_0 \models \textsf {W}\text { and } \textsf {L}^*_1 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\) (meanwhile \(\langle \textbf{v}, \textbf{y}\rangle = \langle \textbf{x}, \textbf{y}\rangle = 0\)), then the challenge ciphertext is generated correctly. We consider that the challenge ciphertext is distributed as in \({\textbf {Game}}_2\).
On the other hand, if the adversary did not obtain the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) satisfying the constraint of \((\textsf {L}^*_0 \models \textsf {W}\text { and } \textsf {L}^*_1 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\) (meanwhile \(\langle \textbf{v}, \textbf{y}\rangle = \langle \textbf{x}, \textbf{y}\rangle \ne 0\)), then the two challenge ciphertext components \(C_{3,i}\) and \(C_{4,i}\) are random elements in \({\mathbb {G}}\) regardless of the random choice, while the rest of the challenge ciphertext is generated in the original way. Then we consider that the challenge ciphertext is distributed as in \({\textbf {Game}}_3\).
Due to the symmetric observation, the rest of the proof is similar to the above proofs:
- the indistinguishability between \({\textbf {Game}}_3\) and \({\textbf {Game}}_4\) can be proved in the same way as for \({\textbf {Game}}_2\) and \({\textbf {Game}}_3\);
- the indistinguishability between \({\textbf {Game}}_4\) and \({\textbf {Game}}_5\) can be proved in the same way as for \({\textbf {Game}}_1\) and \({\textbf {Game}}_2\);
- the indistinguishability of \({\textbf {Game}}_5\) and \({\textbf {Game}}_6\) can be proved in the same way as for \({\textbf {Game}}_0\) and \({\textbf {Game}}_1\).
The ACP-ABBE is proved secure under the standard assumption by arguments similar to those for AKP-ABBE, where \(\textbf{v}\) is produced from \(\textsf {S}^*_0 = (\textsf {ID}^*_{0a}, \textsf {ID}^*_{0b}, \textsf {ID}^*_{0c},\ldots , \textsf {ID}^*_{0s})\) and \(\textsf {W}^*_0 = (\textsf {W}^*_{01}, \ldots , \textsf {W}^*_{0\,m})\) by using (4), (5) from the original construction. In addition, \(\textbf{x}\) is produced from \(\textsf {S}^*_1 = (\textsf {ID}^*_{1a}, \textsf {ID}^*_{1b}, \textsf {ID}^*_{1c},\ldots , \textsf {ID}^*_{1\,s})\) and \(\textsf {W}^*_1 = (\textsf {W}^*_{11}, \ldots , \textsf {W}^*_{1\,m})\) by using (6), (7) from the original construction. The \(\textsf {SK}\) is related to \(\textbf{y}\), where \(\textbf{y}\) is produced from the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) by using (8), (9) from the original construction.
Our proposal uses the work of [26] as a building block to construct the AKP-ABBE and ACP-ABBE schemes. Accordingly, the strategy of our security proof follows [19, 26]: we directly apply the DBDH and DLIN assumptions as in [26] to prove that our AKP-ABBE and ACP-ABBE are secure in the standard assumption. Therefore, relying on the \(\textsf {IPE}\) of [26], which is secure under the standard assumption, we conclude that our AKP-ABBE and ACP-ABBE schemes are secure under the standard assumption.
5 Extensions
We show how our proposed scheme can be extended to achieve Anonymous ABBE whose access structure supports \(\textsf {AND}\) gates with positive, negative, and wildcard attributes [a wildcard means “don’t care” (i.e., both positive and negative attributes are accepted)]:
Firstly, we choose a suitable encoding \(\tau _2\) sending each of the m attributes \(\textsf {Att}\in \textsf {U}\) onto an element \(\tau _2(\textsf {Att}) = x_2 \in ({\mathbb {Z}}/p{\mathbb {Z}})^{*}\),
then we generate the \(\textbf{v}\) as:
For an attribute user list \(\textsf {L}\), it computes:
, then we generate the \(\textbf{z}\) as:
If \(<\textbf{v}, \textbf{z}> =0\), we conclude that \(\textsf {L}\models \textsf {W}\).
6 Comparisons
In this section, we give a comparison among ABBE schemes in Tables 5 and 4. The schemes are compared in terms of the order of the underlying group, ciphertext size, decryption cost, access structure, and complexity assumption. In the tables, N is the number of clauses in a policy, M is the maximum number of attributes in the given clause, k is the number of attributes for a given user, r is the number of revoked users, \(k_{max}\) is the maximum number of attributes in the access structure, n is the total number of user identities, and m is the number of universe attributes.
As can be seen in Tables 4 and 5, our encryption and decryption costs are linear in the size of the user index set and the size of the access structure. In fact, both proposed schemes call the IPE’s encryption to produce the ciphertext, and invoke the IPE’s decryption to recover the message. In addition, the cost of the IPE scheme depends on the input vectors. Our access structures are designed with flexibility by employing both AND/OR gates with negative/positive attributes and wildcards. This idea is well suited to practice, where the architecture of access control always requires multiple authorizations. In terms of security proof, both KP-ABBE and CP-ABBE can be proved secure in the standard assumptions, such as the DBDH and DLinear assumptions. Specifically, we highlight that our proposed ABBEs achieve anonymity because they inherit attribute hiding from the IPE scheme. Therefore, our ABBE schemes achieve anonymity with multiple access structures.
7 Conclusion
This paper proposes two new constructions of Anonymous Attribute-Based Broadcast Encryption, AKP-ABBE and ACP-ABBE, for complex access structures by considering \(\textsf {OR}/\textsf {AND}\) gates with positive and negative attributes. We present our proposed schemes as generic constructions that achieve anonymity. We also proved that our schemes are secure in the standard model. One open problem is to construct AKP/ACP-ABBE schemes that have constant-size ciphertexts and secret keys, and we leave it as our future work.
References
1. Abdalla M., Bourse F., Caro A., Pointcheval D.: Public-Key Cryptography—PKC 2015, pp. 733–751. Springer, Berlin, Heidelberg (2015).
2. Attrapadung N., Imai H.: Conjunctive broadcast and attribute-based encryption. In: Pairing-Based Cryptography, pp. 248–265 (2009).
3. Attrapadung N., Libert B.: Functional encryption for inner product: achieving constant-size ciphertexts with adaptive security or support for negation. In: Public Key Cryptography—PKC 2010, pp. 384–402. Springer, Berlin, Heidelberg (2010).
4. Attrapadung N., Libert B., Panafieu E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Public Key Cryptography—PKC 2011, Volume 6571 of Lecture Notes in Computer Science, pp. 90–108 (2011).
5. Berkovits S.: How to broadcast a secret. In: EUROCRYPT, pp. 535–541 (1991).
6. Bethencourt J., Sahai A., Waters B.: Ciphertext-policy attribute-based encryption. In: Security and Privacy, 2007. SP ’07. IEEE Symposium on, pp. 321–334 (2007).
7. Boneh D., Gentry C., Waters B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: CRYPTO, pp. 258–275 (2005).
8. Boneh D., Waters B.: A fully collusion resistant broadcast, trace, and revoke system. In: ACM CCS, pp. 211–220 (2006).
9. Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Proceedings of the 4th Conference on Theory of Cryptography, TCC’07, pp. 535–554. Springer-Verlag (2007).
10. Canard S., Phan D.-H., Trinh V.C.: Attribute-based broadcast encryption scheme for lightweight devices. IET Inf. Secur. 12(1), 52–59 (2018).
11. Cheung L., Newport C.: Provably secure ciphertext policy ABE. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pp. 456–465. New York, NY, USA (2007).
12. Cioni S., Lin X., Chamaillard B., El Jaafari M., Charbit G., Raschkowski L.: Physical layer enhancements in 5G-NR for direct access via satellite systems. Int. J. Satell. Commun. Netw. 41(3), 262–275 (2022).
13. Delerablée C., Paillier P., Pointcheval D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Pairing-Based Cryptography, pp. 39–59 (2007).
14. Fiat A., Naor M.: Broadcast encryption. In: CRYPTO, pp. 480–491 (1993).
15. Goodrich M.T., Sun J.Z., Tamassia R.: Efficient tree-based revocation in groups of low-state devices. In: CRYPTO, pp. 511–527 (2004).
16. Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS ’06, pp. 89–98. ACM (2006).
17. Halevy D., Shamir A.: The LSD broadcast encryption scheme. In: CRYPTO, pp. 47–60 (2002).
18. Junod P., Karlov A.: An efficient public-key attribute-based broadcast encryption scheme allowing arbitrary access policies. In: ACM Workshop on Digital Rights Management, pp. 13–24 (2010).
19. Katz J., Sahai A., Waters B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Proceedings of the Theory and Applications of Cryptographic Techniques 27th Annual International Conference on Advances in Cryptology, EUROCRYPT’08, pp. 146–162 (2008).
20. Lai J., Deng R.H., Li Y.: Fully secure cipertext-policy hiding CP-ABE. In: Proceedings of the 7th International Conference on Information Security Practice and Experience, ISPEC’11, pp. 24–39. Springer-Verlag.
21. Lewko A.B., Waters B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: CRYPTO, pp. 180–198 (2012).
22. Lubicz D., Sirvent T.: Attribute-based broadcast encryption scheme made efficient. In: AFRICACRYPT, pp. 325–342 (2008).
23. Okamoto T., Takashima K.: Adaptively attribute-hiding (hierarchical) inner product encryption. In: Advances in Cryptology—EUROCRYPT 2012, Volume 7237 of Lecture Notes in Computer Science, pp. 591–608 (2012).
24. Ouaddah A., Mousannif H., Abou Elkalam A., Ouahman A.A.: Access control in the internet of things: big challenges and new opportunities. Comput. Netw. 112, 237–262 (2017).
25. Park J.H.: Efficient hidden vector encryption for conjunctive queries on encrypted data. IEEE Trans. Knowl. Data Eng. 23, 1483–1497 (2011).
26. Park J.H.: Inner-product encryption under standard assumptions. Des. Codes Cryptogr. 58(3), 235–257 (2011).
27. Ruzakova O.A.: Digital platforms and media-regulatory framework. In: The Platform Economy, pp. 203–214. Springer (2022).
28. Sahai A., Waters B.: Fuzzy identity-based encryption. In: Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’05, pp. 457–473. Springer-Verlag (2005).
29. Shi E., Waters B.: Delegating capabilities in predicate encryption systems. In: Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II, ICALP ’08, pp. 560–578 (2008).
30. Phuong Tran V.X., Yang G., Susilo W., Chen X.: Attribute based broadcast encryption with short ciphertext and decryption key. In: Computer Security—ESORICS 2015, Volume 9327 of Lecture Notes in Computer Science, pp. 252–269. Springer International Publishing (2015).
31. Viète F.: Opera mathematica. Bonaventura et Abr, Elzevir (1970).
32. Waters B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Public Key Cryptography, pp. 53–70 (2011).
33. Wesolowski B., Junod P.: Ciphertext-policy attribute-based broadcast encryption with small keys. In: ICISC 2015, pp. 53–68. Springer (2015).
34. Xiong H., Zhao Y., Peng L., Zhang H., Yeh K.-H.: Partially policy-hidden attribute-based broadcast encryption with secure delegation in edge computing. Future Gener. Comput. Syst. 97, 453–461 (2019).
35. Zhang X., Zhong H., Cui J., Gu C., Bolodurina I., Liu L.: AC-SDVN: an access control protocol for video multicast in software defined vehicular networks. IEEE Trans. Mob. Comput. (2022). https://doi.org/10.1109/TMC.2022.3180809.
36. Zhou Z., Huang D., Wang Z.: Efficient privacy-preserving ciphertext-policy attribute based-encryption and broadcast encryption. IEEE Trans. Comput. 64(1), 126–138 (2013).
Acknowledgements
This work is supported by the Commonwealth Cyber Initiative (CCI).
Additional information
Communicated by K. Matsuura.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Phuong, T.V.X. Anonymous attribute-based broadcast encryption with hidden multiple access structures. Des. Codes Cryptogr. 92, 1925–1945 (2024). https://doi.org/10.1007/s10623-024-01373-2
DOI: https://doi.org/10.1007/s10623-024-01373-2