Abstract
Recently a series of expressive, secure and efficient Attribute-Based Encryption (ABE) schemes, both in key-policy flavor and ciphertext-policy flavor, have been proposed. However, before being applied into practice, these systems have to attain traceability of malicious users. As the decryption privilege of a decryption key in Key-Policy ABE (resp. Ciphertext-Policy ABE) may be shared by multiple users who own the same access policy (resp. attribute set), malicious users might tempt to leak their decryption privileges to third parties, for financial gain as an example, if there is no tracing mechanism for tracking them down. In this work we study the traceability notion in the setting of Key-Policy ABE, and formalize Key-Policy ABE supporting fully collusion-resistant blackbox traceability. An adversary is allowed to access an arbitrary number of keys of its own choice when building a decryption-device, and given such a decryption-device while the underlying decryption algorithm or key may not be given, a blackbox tracing algorithm can find out at least one of the malicious users whose keys have been used for building the decryption-device. We propose a construction, which supports both fully collusion-resistant blackbox traceability and high expressivity (i.e. supporting any monotonic access structures). The construction is fully secure in the standard model (i.e. it achieves the best security level that the conventional non-traceable ABE systems do to date), and is efficient that the fully collusion-resistant blackbox traceability is attained at the price of making ciphertexts grow only sub-linearly in the number of users in the system, which is the most efficient level to date.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
Note that in the setting of predicate encryption [12], which can informally be regarded as a KP-ABE system with attribute-hiding property, the decryption blackbox [13] is also modeled similarly, i.e., the tracing algorithm takes as input an attribute \(I\) and a decryption blackbox \(\mathcal{D}\) that decrypts ciphertexts associated with the attribute \(I\).
- 3.
- 4.
If the number of users is not a square, we add some “dummy” users to pad to the next square.
- 5.
This restriction is inherited from the underlying KP-ABE scheme [14], and can be removed with the techniques in [14] similarly, with some loss of efficiency. The similar restriction in CP-ABE has been efficiently eliminated recently by Lewko and Waters in [16], but fully secure KP-ABE scheme without this restriction is not proposed yet.
- 6.
The situation is similar to that of the proof in [4, 5] in the sense that the challenge is given in a subgroup of a composite order group and the factors are given to the simulator. Actually, Lewko and Waters [16] use this case explicitly as an assumption, i.e. the 3-Party Diffie-Hellman Assumption in a Subgroup.
References
Attrapadung, N., Libert, B., de Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 90–108. Springer, Heidelberg (2011)
Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Israel Institute of Technology, Technion, Haifa, Israel (1996)
Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)
Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006)
Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: ACM Conference on Computer and Communications Security, pp. 211–220 (2006)
Cheung, L., Newport, C.C.: Provably secure ciphertext policy ABE. In: ACM Conference on Computer and Communications Security, pp. 456–465 (2007)
Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)
Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: ACM Conference on Computer and Communications Security, pp. 121–130 (2010)
Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute based encryption. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008)
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)
Herranz, J., Laguillaumie, F., Ràfols, C.: Constant size ciphertexts in threshold attribute-based encryption. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 19–34. Springer, Heidelberg (2010)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)
Katz, J., Schröder, D.: Tracing insider attacks in the context of predicate encryption schemes. In: ACITA (2011). https://www.usukita.org/node/1779
Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. IACR Cryptol. ePrint Arch. 2010, 110 (2010)
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (Hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012)
Li, J., Huang, Q., Chen, X., Chow, S.S.M., Wong, D.S., Xie, D.: Multi-authority ciphertext-policy attribute-based encryption with accountability. In: ASIACCS, pp. 386–390 (2011)
Li, J., Ren, K., Kim, K.: A2BE: accountable attribute-based encryption for abuse free access control. IACR Cryptol. ePrint Arch. 2009, 118 (2009)
Liu, Z., Cao, Z., Wong, D.S.: Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on ebay. In: ACM Conference on Computer and Communications Security, pp. 475–486 (2013)
Liu, Z., Cao, Z., Wong, D.S.: White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures. IEEE Trans. Inf. Forensics Secur. 8(1), 76–88 (2013)
Liu, Z., Cao, Z., Wong, D.S.: Fully collusion-resistant traceable key-policy attribute-based encryption with sub-linear size ciphertexts. IACR Cryptol. ePrint Arch. 2014, 676 (2014). http://eprint.iacr.org/2014/676
Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010)
Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security, pp. 195–203 (2007)
Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: ACM Conference on Computer and Communications Security, pp. 463–474 (2013)
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
Wang, Y.T., Chen, K.F., Chen, J.H.: Attribute-based traitor tracing. J. Inf. Sci. Eng. 27(1), 181–195 (2011)
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011)
Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 218–235. Springer, Heidelberg (2012)
Yu, S., Ren, K., Lou, W., Li, J.: Defending against key abuse attacks in KP-ABE enabled broadcast systems. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 311–329. Springer, Heidelberg (2009)
Acknowledgment
The work described in this paper was supported in part by the Research Grants Council of the HKSAR, China, under Project CityU 123511, in part by the National Natural Science Foundation of China under Grant 61161140320, Grant 61371083, and Grant 61373154, and in part by the Prioritized Development Projects, Specialized Research Fund for the Doctoral Program of Higher Education of China, under Grant 20130073130004.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Proof of Lemma 1
A Proof of Lemma 1
Proof
Suppose there exists a PPT adversary \(\mathcal A\) that can selectively break the index-hiding game for \((\bar{i}, \bar{j})\) with advantage \(\epsilon \). We build a PPT algorithm \(\mathcal B\) to solve a Decision 3-Party Diffie-Hellman problem instance as follows.
\(\mathcal B\) receives a Decision 3-Party Diffie-Hellman problem instance from the challenger as \((g, A=g^a, B=g^b, C=g^c, T)\). The problem instance will be given in the subgroup \(\mathbb {G}_{p_1}\) of prime order \(p_1\) in a composite order group \(\mathbb {G}\) of order \(N = p_1 p_2 p_3\), i.e., \(g \in \mathbb {G}_{p_1}\), \(a,b,c \in \mathbb {Z}_{p_1}\), \(\mathcal B\) is given the factors \(p_1, p_2\), and \(p_3\), and its goal is to determine whether \(T=g^{abc}\) or a random element from \(\mathbb {G}_{p_1}\) Footnote 6.
Init. \(\mathcal{A}\) gives \(\mathcal{B}\) the challenge attribute set \(S^* \subseteq \mathcal{U}\).
Setup. \(\mathcal B\) chooses random exponents
\(\mathcal B\) gives \(\mathcal A\) the following public parameter \(\mathsf{PP}\):
Note that \(\mathcal{B}\) implicitly chooses \(r_{\bar{i}}, ~ z_i (i \in [m] \setminus \{\bar{i}\}), ~ c_{\bar{j}}, ~ a_x (x \in \mathcal{U} \setminus S^*) ~ \in \mathbb {Z}_N\) such that
Key Query. To respond to a query from \(\mathcal A\) for \(((i,j), (A, \rho ))\) where \(A\) is an \(l \times n\) matrix:
-
If \((i,j) \ne (\bar{i}, \bar{j})\): \(\mathcal B\) randomly chooses \(\mathbf {u} = (\sigma _{i,j}, u_2, \dots , u_n) \in \mathbb {Z}_N^n\), \(w_2, \dots ,\) \(w_n \in \mathbb {Z}_N\) and \(\{ \xi _k \in {\mathbb Z}_N, R_{k,1}, R_{k,2}\) \(\in \mathbb {G}_{p_3} \}_{k=1}^l\). Let \(\mathbf {w} = (\alpha , w_2, \dots , w_n)\), \(\mathcal{B}\) creates a private key \(\mathsf{SK}_{(i,j),(A,\rho )}\) \(= \big ( (i,j), (A, \rho ), ~ K_{i,j}, K'_{i,j}, K''_{i,j}, \{ K_{i,j,k,1},\) \(K_{i,j,k,2} \}_{k=1 }^{l} \big )\) as
$$\begin{aligned}&K_{i,j} = {\left\{ \begin{array}{ll} g^{\alpha _i} g^{r_i c_j} f^{\sigma _{i,j}}, ~ : i \ne \bar{i}, j \ne \bar{j} \\ g^{\alpha _i} B^{r'_{\bar{i}} c_j} f^{\sigma _{i,j}}, ~ : i = \bar{i}, j \ne \bar{j} \\ g^{\alpha _i} C^{r_i c'_{\bar{j}}} f^{\sigma _{i,j}}, ~ : i \ne \bar{i}, j = \bar{j}. \end{array}\right. } \\&K'_{i,j} = g^{\sigma _{i,j}}, ~~K''_{i,j} = Z_{i}^{\sigma _{i,j}}, \\&\{ K_{i,j,k,1} =f^{(A_k \cdot \mathbf {u})} g^{(A_k \cdot \mathbf {w})} U_{\rho (k)}^{\xi _k} R_{k,1}, ~~ ~ K_{i,j,k,2} = g^{\xi _k} R_{k,2} \}_{k=1}^l. \end{aligned}$$ -
If \((i,j) = (\bar{i}, \bar{j})\): \(\mathcal B\) randomly chooses \(\sigma '_{\bar{i},\bar{j}}, u'_2, \dots , u'_n, w_2, \dots , w_n \in \mathbb {Z}_N,\) \(\{ \xi _k \in {\mathbb Z}_N \}_{k \in [l]~s.t.~\rho (k) \in S^*},\) \(\{ \xi '_k \in {\mathbb Z}_N \}_{k \in [l] ~s.t.~ \rho (k) \notin S^*},\) \(\{ R_{k,1}, R_{k,2} \in \mathbb {G}_{p_3} \}_{k=1}^l\). Let \(\mathbf {u}' = (0, u'_2, \dots , u'_n), \mathbf {w} = (\alpha , w_2, \dots , w_n)\). As \((A, \rho )\) cannot be satisfied by \(S^*\) (since \((i,j) = (\bar{i}, \bar{j})\)), \(\mathcal{B}\) can efficiently find a vector \(\mathbf {u}'' = (u''_1, u''_2, \dots , u''_n) \in {\mathbb Z}_N^n\) such that \(u''_1 = 1\) and \(A_k \cdot \mathbf {u}'' = 0 \) for all \(k\) such that \(\rho (k) \in S^*\). Implicitly setting \(\sigma _{\bar{i}, \bar{j}} \in {\mathbb Z}_N\), \(\mathbf {u} \in \mathbb {Z}_N^n\), \(\{ \xi _k \in {\mathbb Z}_N \}_{k \in [l] ~s.t.~ \rho (k) \notin S^*}\) as
$$\begin{aligned} \sigma '_{\bar{i},\bar{j}} - b r'_{\bar{i}} c'_{\bar{j}} / \eta \equiv \sigma _{\bar{i},\bar{j}}~&\mathrm{mod}~p_1,~~ \mathbf {u} = \mathbf {u}' + \sigma _{\bar{i},\bar{j}} \mathbf {u}'', \\ \xi '_k + b r'_{\bar{i}} c'_{\bar{j}} (A_k \cdot \mathbf {u}'') / a'_{\rho (k)} \equiv \xi _k~&\mathrm{mod}~p_1~\forall k \in [l] ~s.t.~ \rho (k) \notin S^*, \end{aligned}$$\(\mathcal{B}\) creates a private key \(\mathsf{SK}_{(\bar{i},\bar{j}),(A,\rho )} = \big ( (\bar{i},\bar{j}), (A, \rho ), ~ K_{\bar{i},\bar{j}}, K'_{\bar{i},\bar{j}}, K''_{\bar{i},\bar{j}},\) \( \{ K_{\bar{i},\bar{j},k,1},\) \(K_{\bar{i},\bar{j},k,2} \}_{k=1}^{l} \big )\) as:
$$\begin{aligned}&K_{\bar{i},\bar{j}} = g^{\alpha _{\bar{i}}} f^{ \sigma '_{\bar{i}, \bar{j}}}, ~~ K'_{\bar{i},\bar{j}} = g^{\sigma '_{\bar{i},\bar{j}}} B^{-r'_{\bar{i}} c'_{\bar{j}} / \eta }, ~ K''_{\bar{i},\bar{j}} = (g^{\sigma '_{\bar{i},\bar{j}}} B^{-r'_{\bar{i}} c'_{\bar{j}} / \eta })^{z_{\bar{i}}}, ~\\&\{ K_{i,j,k,1} = f^{(A_k \cdot \mathbf {u}')} g^{(A_k \cdot \mathbf {w})} U_{\rho (k)}^{\xi _k} R_{k,1}, ~ K_{i,j,k,2} = g^{\xi _k} R_{k,2} \}_{ \rho (k) \in S^*}, \\&\{ K_{i,j,k,1} = f^{(A_k \cdot \mathbf {u}') + \sigma '_{\bar{i}, \bar{j}} (A_k \cdot \mathbf {u}'')} g^{(A_k \cdot \mathbf {w})} U_{\rho (k)}^{\xi '_k} R_{k,1},\\&~ K_{i,j,k,2} = g^{\xi '_k} B^{ r'_{\bar{i}} c'_{\bar{j}} (A_k \cdot \mathbf {u}'') / a'_{\rho (k)} } R_{k,2} \}_{ \rho (k) \notin S^*}. \end{aligned}$$
Challenge. \(\mathcal A\) submits a message \(M\). \(\mathcal B\) randomly chooses
\(\mathcal{B}\) randomly chooses \(r_x, r_y, r_z \in \mathbb {Z}_N\), and sets \(\mathbf {\chi }_1 = (r_x, 0, r_z)\), \(\mathbf {\chi }_2 = (0, r_y, r_z)\), \(\mathbf {\chi }_3 = \mathbf {\chi }_1 \times \mathbf {\chi }_2 = (- r_y r_z, - r_x r_z, r_x r_y)\). Then \(\mathcal{B}\) randomly chooses
\(\mathcal{B}\) sets the value of \(\pi , \kappa , \tau , s_{\bar{i}}, t_i ( i \in [m] \setminus \{\bar{i}\}) \in \mathbb {Z}_N\), \(\mathbf {v}_c \in \mathbb {Z}_N^3\), \(\{ \mathbf {w}_j \in \mathbb {Z}_N^3 \}_{ j = \bar{j}}^m\) by implicitly setting
\(\mathcal B\) creates a ciphertext \(\langle S^*, ( \mathbf {R}_i, \mathbf {R}'_i, Q_i, Q'_i, Q''_i, T_i )_{i=1}^{m}, ( \mathbf {C}_j, \mathbf {C}'_j )_{j=1}^{m}, P, \{ P_x \}_{x \in S^*} \rangle \):
1. For each \(i \in [m]\):
-
if \(i < \bar{i}\): it randomly chooses \(\hat{s}_i \in \mathbb {Z}_N\), then sets
$$\begin{aligned}&\mathbf {R}_i = g^{\mathbf {v}_i},~ \mathbf {R}'_i = B^{\mathbf {v}_i},~~ Q_i = g^{s_i}, ~ Q'_i = f^{s_i} Z_i^{t'_i} f^{\pi '},~ Q''_i = g^{t'_i} A^{\eta \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) / z'_i},~~ \\&T_i = E_i^{\hat{s}_i} \cdot e(g^{\alpha }, g)^{\pi '} \cdot e(g^{\alpha }, A)^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}. \end{aligned}$$ -
if \(i = \bar{i}\): it sets
$$\begin{aligned}&\mathbf {R_i} = g^{ r'_{\bar{i}} s'_{\bar{i}} \mathbf {v}_{\bar{i}}},~~ \mathbf {R}'_i = B^{ r'_{\bar{i}} s'_{\bar{i}} \mathbf {v}_{\bar{i}}},~~ \\&Q_i = g^{ \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,p} )} A^{ \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})},~ Q'_i = C^{\eta \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,p} )} Z_i^{t_{\bar{i}}} f^{\pi '},~ Q''_i = g^{t_{\bar{i}}},~~ \\&T_i = M \cdot e(g^{\alpha _i},Q_i) \cdot e(g^{\alpha }, g)^{\pi '} \cdot e(g^{\alpha }, A)^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}. \end{aligned}$$ -
if \(i > \bar{i}\): it sets
$$\begin{aligned}&\mathbf {R_i} = g^{ r_i s_i \mathbf {v}_i},~~ \mathbf {R}'_i = B^{r_i s_i \mathbf {v}_i},~~ \\&Q_i = B^{\tau ' s_i (\mathbf {v}_i \cdot \mathbf {v}_{c,p})},~ Q'_i = Z_i^{t'_i} f^{\pi '},~ Q''_i = g^{t'_i} B^{- \eta \tau ' s_i (\mathbf {v}_i \cdot \mathbf {v}_{c,p} ) / z'_i} A^{ \eta \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) / z'_i},~ \\&T_i = M \cdot e(g^{\alpha _i},Q_i) \cdot e(g^{\alpha }, g)^{\pi '} \cdot e(g^{\alpha }, A)^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}. \end{aligned}$$
2. For each \(j \in [m]\):
-
if \(j < \bar{j}\): it randomly chooses \(\mu '_j \in \mathbb {Z}_N\) and implicitly sets the value of \(\mu _j\) such that \((ab)^{-1} \mu '_j \nu _{3} - \nu _{3} \equiv \mu _j \,\mathrm{mod}\, p_1\), then sets
\( \mathbf {C}_j = B^{c_j \tau ' \mathbf {v}_{c,p} } \cdot g^{c_j \tau ' \mu '_j \mathbf {v}_{c,q} } \cdot B^{\mathbf {w}_j},~~ \mathbf {C}'_j = g^{\mathbf {w}_j}. \)
-
if \(j = \bar{j}\): it sets \( \mathbf {C}_j = T^{c'_{\bar{j}} \tau ' \mathbf {v}_{c,q}} \cdot B^{ \mathbf {w}'_j },~~ \mathbf {C}'_j = g^{\mathbf {w}'_{\bar{j}}} \cdot C^{-c'_{\bar{j}} \tau ' \mathbf {v}_{c,p}} . \)
-
if \(j > \bar{j}\): it sets \( \mathbf {C}_j = B^{c_j \tau ' \mathbf {v}_{c,p} } \cdot B^{\mathbf {w}'_j},~~ \mathbf {C}'_j = g^{\mathbf {w}'_j} \cdot A^{-c_j \tau ' \mathbf {v}_{c,q}}. \)
3. It sets \( P= g^{\pi '} A^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}, ~~ P_x = (g^{\pi '} A^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})})^{a_x}~\forall x \in S^*\).
If \(T=g^{abc}\), then the ciphertext is a well-formed encryption to the index \((\bar{i}, \bar{j})\). If \(T\) is randomly chosen, say \(T=g^r\) for some random \(r \in \mathbb {Z}_{p_1}\), the ciphertext is a well-formed encryption to the index \((\bar{i}, \bar{j}+1)\) with implicitly setting \(\mu _{\bar{j}}\) such that \( (\frac{r}{abc}-1) \nu _{3} \equiv \mu _{\bar{j}}~\mathrm{mod}~p_1. \)
Guess. \(\mathcal A\) outputs a guess \(b' \in \{0,1\}\) to \(\mathcal B\), then \(\mathcal B\) outputs this \(b'\) to the challenger as its answer to the Decision 3-Party Diffie-Hellman game.
Note that the distributions of the public parameter, private keys and challenge ciphertext are same as the real scheme, \(\mathcal B\)’s advantage in the Decision 3-Party Diffie-Hellman game will be exactly equal to \(\mathcal A\)’s advantage in selectively breaking the index-hiding game.
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Liu, Z., Cao, Z., Wong, D.S. (2015). Fully Collusion-Resistant Traceable Key-Policy Attribute-Based Encryption with Sub-linear Size Ciphertexts. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_22
Download citation
DOI: https://doi.org/10.1007/978-3-319-16745-9_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9
eBook Packages: Computer ScienceComputer Science (R0)