Fully Collusion-Resistant Traceable Key-Policy Attribute-Based Encryption with Sub-linear Size Ciphertexts

Conference paper, in: Information Security and Cryptology (Inscrypt 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8957)

Abstract

Recently, a series of expressive, secure and efficient Attribute-Based Encryption (ABE) schemes, in both the key-policy and the ciphertext-policy flavor, have been proposed. However, before being applied in practice, these systems have to attain traceability of malicious users. As the decryption privilege of a decryption key in Key-Policy ABE (resp. Ciphertext-Policy ABE) may be shared by multiple users who own the same access policy (resp. attribute set), malicious users might be tempted to leak their decryption privileges to third parties, for financial gain as an example, if there is no tracing mechanism for tracking them down. In this work we study the traceability notion in the setting of Key-Policy ABE, and formalize Key-Policy ABE supporting fully collusion-resistant blackbox traceability. An adversary is allowed to access an arbitrary number of keys of its own choice when building a decryption-device, and given such a decryption-device, while the underlying decryption algorithm or key may not be given, a blackbox tracing algorithm can find out at least one of the malicious users whose keys have been used for building the decryption-device. We propose a construction which supports both fully collusion-resistant blackbox traceability and high expressivity (i.e. supporting any monotonic access structures). The construction is fully secure in the standard model (i.e. it achieves the best security level that the conventional non-traceable ABE systems do to date), and is efficient in that the fully collusion-resistant blackbox traceability is attained at the price of making ciphertexts grow only sub-linearly in the number of users in the system, which is the most efficient level to date.

Notes

  1. Reference [14] is the full version of [15]: [15] proposed expressive, fully secure and efficient CP-ABE schemes, and [14] additionally proposed an expressive, fully secure and efficient KP-ABE scheme.

  2. Note that in the setting of predicate encryption [12], which can informally be regarded as a KP-ABE system with attribute-hiding property, the decryption blackbox [13] is also modeled similarly, i.e., the tracing algorithm takes as input an attribute \(I\) and a decryption blackbox \(\mathcal{D}\) that decrypts ciphertexts associated with the attribute \(I\).

  3. The tracing algorithm uses a technique based on that in broadcast encryption by [4, 5, 8].

  4. If the number of users is not a square, we add some “dummy” users to pad to the next square.

  5. This restriction is inherited from the underlying KP-ABE scheme [14], and can similarly be removed with the techniques in [14], with some loss of efficiency. The similar restriction in CP-ABE has recently been eliminated efficiently by Lewko and Waters in [16], but a fully secure KP-ABE scheme without this restriction has not been proposed yet.

  6. The situation is similar to that of the proof in [4, 5] in the sense that the challenge is given in a subgroup of a composite order group and the factors are given to the simulator. Actually, Lewko and Waters [16] use this case explicitly as an assumption, i.e. the 3-Party Diffie-Hellman Assumption in a Subgroup.

References

  1. Attrapadung, N., Libert, B., de Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 90–108. Springer, Heidelberg (2011)

  2. Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Israel Institute of Technology, Technion, Haifa, Israel (1996)

  3. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)

  4. Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006)

  5. Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: ACM Conference on Computer and Communications Security, pp. 211–220 (2006)

  6. Cheung, L., Newport, C.C.: Provably secure ciphertext policy ABE. In: ACM Conference on Computer and Communications Security, pp. 456–465 (2007)

  7. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)

  8. Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: ACM Conference on Computer and Communications Security, pp. 121–130 (2010)

  9. Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute based encryption. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008)

  10. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)

  11. Herranz, J., Laguillaumie, F., Ràfols, C.: Constant size ciphertexts in threshold attribute-based encryption. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 19–34. Springer, Heidelberg (2010)

  12. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)

  13. Katz, J., Schröder, D.: Tracing insider attacks in the context of predicate encryption schemes. In: ACITA (2011). https://www.usukita.org/node/1779

  14. Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. IACR Cryptol. ePrint Arch. 2010, 110 (2010)

  15. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (Hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)

  16. Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012)

  17. Li, J., Huang, Q., Chen, X., Chow, S.S.M., Wong, D.S., Xie, D.: Multi-authority ciphertext-policy attribute-based encryption with accountability. In: ASIACCS, pp. 386–390 (2011)

  18. Li, J., Ren, K., Kim, K.: A2BE: accountable attribute-based encryption for abuse free access control. IACR Cryptol. ePrint Arch. 2009, 118 (2009)

  19. Liu, Z., Cao, Z., Wong, D.S.: Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on ebay. In: ACM Conference on Computer and Communications Security, pp. 475–486 (2013)

  20. Liu, Z., Cao, Z., Wong, D.S.: White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures. IEEE Trans. Inf. Forensics Secur. 8(1), 76–88 (2013)

  21. Liu, Z., Cao, Z., Wong, D.S.: Fully collusion-resistant traceable key-policy attribute-based encryption with sub-linear size ciphertexts. IACR Cryptol. ePrint Arch. 2014, 676 (2014). http://eprint.iacr.org/2014/676

  22. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010)

  23. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security, pp. 195–203 (2007)

  24. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: ACM Conference on Computer and Communications Security, pp. 463–474 (2013)

  25. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)

  26. Wang, Y.T., Chen, K.F., Chen, J.H.: Attribute-based traitor tracing. J. Inf. Sci. Eng. 27(1), 181–195 (2011)

  27. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011)

  28. Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 218–235. Springer, Heidelberg (2012)

  29. Yu, S., Ren, K., Lou, W., Li, J.: Defending against key abuse attacks in KP-ABE enabled broadcast systems. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 311–329. Springer, Heidelberg (2009)

Acknowledgment

The work described in this paper was supported in part by the Research Grants Council of the HKSAR, China, under Project CityU 123511, in part by the National Natural Science Foundation of China under Grant 61161140320, Grant 61371083, and Grant 61373154, and in part by the Prioritized Development Projects, Specialized Research Fund for the Doctoral Program of Higher Education of China, under Grant 20130073130004.

Corresponding author

Correspondence to Zhen Liu.

A Proof of Lemma 1

Proof

Suppose there exists a PPT adversary \(\mathcal A\) that can selectively break the index-hiding game for \((\bar{i}, \bar{j})\) with advantage \(\epsilon \). We build a PPT algorithm \(\mathcal B\) to solve a Decision 3-Party Diffie-Hellman problem instance as follows.

\(\mathcal B\) receives a Decision 3-Party Diffie-Hellman problem instance from the challenger as \((g, A=g^a, B=g^b, C=g^c, T)\). The problem instance will be given in the subgroup \(\mathbb {G}_{p_1}\) of prime order \(p_1\) in a composite order group \(\mathbb {G}\) of order \(N = p_1 p_2 p_3\), i.e., \(g \in \mathbb {G}_{p_1}\), \(a,b,c \in \mathbb {Z}_{p_1}\), \(\mathcal B\) is given the factors \(p_1, p_2\), and \(p_3\), and its goal is to determine whether \(T=g^{abc}\) or a random element from \(\mathbb {G}_{p_1}\) (see Note 6).

Init. \(\mathcal{A}\) gives \(\mathcal{B}\) the challenge attribute set \(S^* \subseteq \mathcal{U}\).

Setup. \(\mathcal B\) chooses random exponents

$$\begin{aligned}&\eta , \alpha \in \mathbb {Z}_N, ~ \{ \alpha _i \in \mathbb {Z}_N \}_{i \in [m]}, ~ \{ r_i, ~z'_i \in \mathbb {Z}_N \}_{i \in [m] \setminus \{\bar{i}\}}, ~ \{c_j \in \mathbb {Z}_N\}_{j \in [m] \setminus \{ \bar{j} \}}, ~~\\&r'_{\bar{i}}, ~ z_{\bar{i}}, ~ c'_{\bar{j}} \in \mathbb {Z}_N, ~~ \{ a_x \in \mathbb {Z}_N \}_{ x \in S^* }, ~~ \{ a'_x \in \mathbb {Z}_N \}_{ x \in \mathcal{U} \setminus S^* }. \end{aligned}$$

\(\mathcal B\) gives \(\mathcal A\) the following public parameter \(\mathsf{PP}\):

$$\begin{aligned}&g, ~f = C^{\eta }, ~E = e(g,g)^{\alpha }, ~~\{ E_i = e(g,g)^{\alpha _i} \}_{i \in [m]}, ~~ \\&\{ G_i = g^{r_i}, ~Z_i = C^{z'_i} \}_{ i \in [m] \setminus \{ \bar{i} \} }, \{ H_j = g^{c_j} \}_{ j \in [m] \setminus \{ \bar{j} \} }, ~ G_{\bar{i}} = B^{r'_{\bar{i}}}, Z_{\bar{i}} = g^{z_{\bar{i}}}, H_{\bar{j}} = C^{c'_{\bar{j}}}, \\&\{ U_x = g^{a_x} \} _{ x \in S^* }, ~~ \{ U_x = C^{a'_x} \}_{x \in \mathcal{U} \setminus S^*}. \end{aligned}$$

Note that \(\mathcal{B}\) implicitly chooses \(r_{\bar{i}}, ~ z_i (i \in [m] \setminus \{\bar{i}\}), ~ c_{\bar{j}}, ~ a_x (x \in \mathcal{U} \setminus S^*) ~ \in \mathbb {Z}_N\) such that

$$\begin{aligned}&b r'_{\bar{i}} \equiv r_{\bar{i}}~\mathrm{mod}~p_1,~ cz'_i \equiv z_i~\mathrm{mod}~p_1 ~ \forall i \in [m] \setminus \{\bar{i}\}, ~ c c'_{\bar{j}} \equiv c_{\bar{j}}~\mathrm{mod}~p_1, ~\\&c a'_x \equiv a_x~\mathrm{mod}~p_1 ~ \forall x \in \mathcal{U} \setminus S^*. \end{aligned}$$

Key Query. To respond to a query from \(\mathcal A\) for \(((i,j), (A, \rho ))\) where \(A\) is an \(l \times n\) matrix:

  • If \((i,j) \ne (\bar{i}, \bar{j})\): \(\mathcal B\) randomly chooses \(\mathbf {u} = (\sigma _{i,j}, u_2, \dots , u_n) \in \mathbb {Z}_N^n\), \(w_2, \dots ,\) \(w_n \in \mathbb {Z}_N\) and \(\{ \xi _k \in {\mathbb Z}_N, R_{k,1}, R_{k,2}\) \(\in \mathbb {G}_{p_3} \}_{k=1}^l\). Let \(\mathbf {w} = (\alpha , w_2, \dots , w_n)\), \(\mathcal{B}\) creates a private key \(\mathsf{SK}_{(i,j),(A,\rho )}\) \(= \big ( (i,j), (A, \rho ), ~ K_{i,j}, K'_{i,j}, K''_{i,j}, \{ K_{i,j,k,1},\) \(K_{i,j,k,2} \}_{k=1 }^{l} \big )\) as

    $$\begin{aligned}&K_{i,j} = {\left\{ \begin{array}{ll} g^{\alpha _i} g^{r_i c_j} f^{\sigma _{i,j}}, ~ : i \ne \bar{i}, j \ne \bar{j} \\ g^{\alpha _i} B^{r'_{\bar{i}} c_j} f^{\sigma _{i,j}}, ~ : i = \bar{i}, j \ne \bar{j} \\ g^{\alpha _i} C^{r_i c'_{\bar{j}}} f^{\sigma _{i,j}}, ~ : i \ne \bar{i}, j = \bar{j}. \end{array}\right. } \\&K'_{i,j} = g^{\sigma _{i,j}}, ~~K''_{i,j} = Z_{i}^{\sigma _{i,j}}, \\&\{ K_{i,j,k,1} =f^{(A_k \cdot \mathbf {u})} g^{(A_k \cdot \mathbf {w})} U_{\rho (k)}^{\xi _k} R_{k,1}, ~~ ~ K_{i,j,k,2} = g^{\xi _k} R_{k,2} \}_{k=1}^l. \end{aligned}$$
  • If \((i,j) = (\bar{i}, \bar{j})\): \(\mathcal B\) randomly chooses \(\sigma '_{\bar{i},\bar{j}}, u'_2, \dots , u'_n, w_2, \dots , w_n \in \mathbb {Z}_N,\) \(\{ \xi _k \in {\mathbb Z}_N \}_{k \in [l]~s.t.~\rho (k) \in S^*},\) \(\{ \xi '_k \in {\mathbb Z}_N \}_{k \in [l] ~s.t.~ \rho (k) \notin S^*},\) \(\{ R_{k,1}, R_{k,2} \in \mathbb {G}_{p_3} \}_{k=1}^l\). Let \(\mathbf {u}' = (0, u'_2, \dots , u'_n), \mathbf {w} = (\alpha , w_2, \dots , w_n)\). As \((A, \rho )\) cannot be satisfied by \(S^*\) (since \((i,j) = (\bar{i}, \bar{j})\)), \(\mathcal{B}\) can efficiently find a vector \(\mathbf {u}'' = (u''_1, u''_2, \dots , u''_n) \in {\mathbb Z}_N^n\) such that \(u''_1 = 1\) and \(A_k \cdot \mathbf {u}'' = 0 \) for all \(k\) such that \(\rho (k) \in S^*\). Implicitly setting \(\sigma _{\bar{i}, \bar{j}} \in {\mathbb Z}_N\), \(\mathbf {u} \in \mathbb {Z}_N^n\), \(\{ \xi _k \in {\mathbb Z}_N \}_{k \in [l] ~s.t.~ \rho (k) \notin S^*}\) as

    $$\begin{aligned} \sigma '_{\bar{i},\bar{j}} - b r'_{\bar{i}} c'_{\bar{j}} / \eta \equiv \sigma _{\bar{i},\bar{j}}~&\mathrm{mod}~p_1,~~ \mathbf {u} = \mathbf {u}' + \sigma _{\bar{i},\bar{j}} \mathbf {u}'', \\ \xi '_k + b r'_{\bar{i}} c'_{\bar{j}} (A_k \cdot \mathbf {u}'') / a'_{\rho (k)} \equiv \xi _k~&\mathrm{mod}~p_1~\forall k \in [l] ~s.t.~ \rho (k) \notin S^*, \end{aligned}$$

    \(\mathcal{B}\) creates a private key \(\mathsf{SK}_{(\bar{i},\bar{j}),(A,\rho )} = \big ( (\bar{i},\bar{j}), (A, \rho ), ~ K_{\bar{i},\bar{j}}, K'_{\bar{i},\bar{j}}, K''_{\bar{i},\bar{j}},\) \( \{ K_{\bar{i},\bar{j},k,1},\) \(K_{\bar{i},\bar{j},k,2} \}_{k=1}^{l} \big )\) as:

    $$\begin{aligned}&K_{\bar{i},\bar{j}} = g^{\alpha _{\bar{i}}} f^{ \sigma '_{\bar{i}, \bar{j}}}, ~~ K'_{\bar{i},\bar{j}} = g^{\sigma '_{\bar{i},\bar{j}}} B^{-r'_{\bar{i}} c'_{\bar{j}} / \eta }, ~ K''_{\bar{i},\bar{j}} = (g^{\sigma '_{\bar{i},\bar{j}}} B^{-r'_{\bar{i}} c'_{\bar{j}} / \eta })^{z_{\bar{i}}}, ~\\&\{ K_{i,j,k,1} = f^{(A_k \cdot \mathbf {u}')} g^{(A_k \cdot \mathbf {w})} U_{\rho (k)}^{\xi _k} R_{k,1}, ~ K_{i,j,k,2} = g^{\xi _k} R_{k,2} \}_{ \rho (k) \in S^*}, \\&\{ K_{i,j,k,1} = f^{(A_k \cdot \mathbf {u}') + \sigma '_{\bar{i}, \bar{j}} (A_k \cdot \mathbf {u}'')} g^{(A_k \cdot \mathbf {w})} U_{\rho (k)}^{\xi '_k} R_{k,1},\\&~ K_{i,j,k,2} = g^{\xi '_k} B^{ r'_{\bar{i}} c'_{\bar{j}} (A_k \cdot \mathbf {u}'') / a'_{\rho (k)} } R_{k,2} \}_{ \rho (k) \notin S^*}. \end{aligned}$$
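The linear-algebra step in the second key-query case, as an added example (not code from the paper): when \(S^*\) does not satisfy \((A, \rho )\), a vector \(\mathbf {u}''\) with \(u''_1 = 1\) and \(A_k \cdot \mathbf {u}'' = 0\) on the rows labelled by \(S^*\) is found by Gaussian elimination, and those rows' shares then do not depend on the unknown \(\sigma _{\bar{i},\bar{j}}\). The small prime `P`, the policy matrix `A`, the labels `RHO` and all function names are assumptions made for illustration; the paper works in \(\mathbb {Z}_N\) with the factors of \(N\) known to \(\mathcal{B}\).

```python
# Added example: toy prime field and a constructed LSSS matrix (assumptions).
P = 101  # small prime standing in for the p_1 component of Z_N

# Constructed policy (a AND b) OR c; row k of A is labelled by RHO[k].
A = [[1, 1], [0, -1], [1, 0]]
RHO = ["a", "b", "c"]


def dot(x, y, p=P):
    """Inner product modulo p."""
    return sum(a * b for a, b in zip(x, y)) % p


def solve_mod_p(rows, rhs, p):
    """Return one x with rows * x = rhs (mod p), or None if inconsistent."""
    n = len(rows[0])
    M = [[v % p for v in r] + [b % p] for r, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue  # free column
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append((r, c))
        r += 1
    # A zero row with non-zero right-hand side means no solution exists.
    if any(M[i][n] for i in range(r, len(M))):
        return None
    x = [0] * n  # free variables are set to 0
    for row, col in pivots:
        x[col] = M[row][n]
    return x


def find_u_dprime(A, rho, S, p=P):
    """Find u'' with u''_1 = 1 and A_k . u'' = 0 for all k with rho(k) in S.

    Returns None exactly when (1, 0, ..., 0) lies in the span of those rows,
    i.e. when S satisfies the policy and no such vector exists.
    """
    rows = [A[k] for k in range(len(A)) if rho[k] in S]
    e1 = [1] + [0] * (len(A[0]) - 1)
    return solve_mod_p(rows + [e1], [0] * len(rows) + [1], p)


def combined_share(A_k, u_prime, u_dprime, sigma, p=P):
    """A_k . (u' + sigma * u'') mod p, the exponent of f in K_{i,j,k,1}."""
    u = [(x + sigma * y) % p for x, y in zip(u_prime, u_dprime)]
    return dot(A_k, u, p)


if __name__ == "__main__":
    for S in ({"a"}, {"b"}, {"a", "b"}, {"c"}):
        print(sorted(S), "->", find_u_dprime(A, RHO, S))
    u2 = find_u_dprime(A, RHO, {"a"})
    # Row "a" is in S*: its share is the same for every sigma.
    print([combined_share(A[0], [0, 5], u2, s) for s in (3, 77)])
    # Row "b" is outside S*: its share changes with sigma.
    print([combined_share(A[1], [0, 5], u2, s) for s in (3, 77)])
```
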

Challenge. \(\mathcal A\) submits a message \(M\). \(\mathcal B\) randomly chooses

$$\begin{aligned} \pi ', ~ \tau ', ~ s_1, \dots , s_{\bar{i}-1}, s'_{\bar{i}}, s_{\bar{i}+1}, \dots , s_m, ~ t'_1, \dots , t'_{\bar{i}-1}, t_{\bar{i}}, t'_{\bar{i}+1}, \dots , t'_m ~ \in \mathbb {Z}_N,\\ \mathbf {w}_1, \dots , \mathbf {w}_{\bar{j}-1}, \mathbf {w}'_{\bar{j}}, \dots , \mathbf {w}'_m ~ \in \mathbb {Z}_N^3. \end{aligned}$$

\(\mathcal{B}\) randomly chooses \(r_x, r_y, r_z \in \mathbb {Z}_N\), and sets \(\mathbf {\chi }_1 = (r_x, 0, r_z)\), \(\mathbf {\chi }_2 = (0, r_y, r_z)\), \(\mathbf {\chi }_3 = \mathbf {\chi }_1 \times \mathbf {\chi }_2 = (- r_y r_z, - r_x r_z, r_x r_y)\). Then \(\mathcal{B}\) randomly chooses

$$\begin{aligned}&\mathbf {v}_i \in \mathbb {Z}_N^3 ~\forall i \in \{1, \dots , \bar{i}\}, ~~ \mathbf {v}_i \in span\{\mathbf {\chi }_1, \mathbf {\chi }_2\} ~\forall i \in \{\bar{i}+1, \dots , m\}, \\&\mathbf {v}_{c,p} \in span\{\mathbf {\chi }_1, \mathbf {\chi }_2\}, ~ \mathbf {v}_{c,q} = \nu _3 \mathbf {\chi }_3 \in span\{\mathbf {\chi }_3\}. \end{aligned}$$

\(\mathcal{B}\) sets the value of \(\pi , \kappa , \tau , s_{\bar{i}}, t_i ( i \in [m] \setminus \{\bar{i}\}) \in \mathbb {Z}_N\), \(\mathbf {v}_c \in \mathbb {Z}_N^3\), \(\{ \mathbf {w}_j \in \mathbb {Z}_N^3 \}_{ j = \bar{j}}^m\) by implicitly setting

$$\begin{aligned} \mathbf {v}_c = a^{-1} \mathbf {v}_{c,p} + \mathbf {v}_{c,q},~~ \pi ' - a \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) \equiv \pi ~&\mathrm{mod}~p_1, ~~ \\ b \equiv \kappa ~\mathrm{mod}~p_1, ~~ ab \tau ' \equiv \tau ~&\mathrm{mod}~p_1, ~~ s'_{\bar{i}} / b \equiv s_{\bar{i}}~\mathrm{mod}~p_1, ~~\\ t'_i + \eta a \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) / z'_i \equiv t_i~&\mathrm{mod}~p_1 ~ \forall i \in \{ 1, \dots , \bar{i} - 1 \}, ~~\\ t'_i - \eta b \tau ' s_i (\mathbf {v}_i \cdot \mathbf {v}_{c,p} ) / z'_i + \eta a \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) / z'_i \equiv t_i~&\mathrm{mod}~p_1 ~ \forall i \in \{ \bar{i}+1, \dots , m \}, ~~\\ \mathbf {w}'_{\bar{j}} - c c'_{\bar{j}} \tau ' \mathbf {v}_{c,p} \equiv \mathbf {w}_{\bar{j}}~&\mathrm{mod}~p_1,\\ \mathbf {w}'_j - a c_j \tau ' \mathbf {v}_{c,q} \equiv \mathbf {w}_j~&\mathrm{mod}~p_1 ~ \forall j \in \{ \bar{j}+1, \dots , m \}. \end{aligned}$$

\(\mathcal B\) creates a ciphertext \(\langle S^*, ( \mathbf {R}_i, \mathbf {R}'_i, Q_i, Q'_i, Q''_i, T_i )_{i=1}^{m}, ( \mathbf {C}_j, \mathbf {C}'_j )_{j=1}^{m}, P, \{ P_x \}_{x \in S^*} \rangle \):

1. For each \(i \in [m]\):

  • if \(i < \bar{i}\):  it randomly chooses \(\hat{s}_i \in \mathbb {Z}_N\), then sets

    $$\begin{aligned}&\mathbf {R}_i = g^{\mathbf {v}_i},~ \mathbf {R}'_i = B^{\mathbf {v}_i},~~ Q_i = g^{s_i}, ~ Q'_i = f^{s_i} Z_i^{t'_i} f^{\pi '},~ Q''_i = g^{t'_i} A^{\eta \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) / z'_i},~~ \\&T_i = E_i^{\hat{s}_i} \cdot e(g^{\alpha }, g)^{\pi '} \cdot e(g^{\alpha }, A)^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}. \end{aligned}$$
  • if \(i = \bar{i}\):  it sets

    $$\begin{aligned}&\mathbf {R_i} = g^{ r'_{\bar{i}} s'_{\bar{i}} \mathbf {v}_{\bar{i}}},~~ \mathbf {R}'_i = B^{ r'_{\bar{i}} s'_{\bar{i}} \mathbf {v}_{\bar{i}}},~~ \\&Q_i = g^{ \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,p} )} A^{ \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})},~ Q'_i = C^{\eta \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,p} )} Z_i^{t_{\bar{i}}} f^{\pi '},~ Q''_i = g^{t_{\bar{i}}},~~ \\&T_i = M \cdot e(g^{\alpha _i},Q_i) \cdot e(g^{\alpha }, g)^{\pi '} \cdot e(g^{\alpha }, A)^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}. \end{aligned}$$
  • if \(i > \bar{i}\):  it sets

    $$\begin{aligned}&\mathbf {R_i} = g^{ r_i s_i \mathbf {v}_i},~~ \mathbf {R}'_i = B^{r_i s_i \mathbf {v}_i},~~ \\&Q_i = B^{\tau ' s_i (\mathbf {v}_i \cdot \mathbf {v}_{c,p})},~ Q'_i = Z_i^{t'_i} f^{\pi '},~ Q''_i = g^{t'_i} B^{- \eta \tau ' s_i (\mathbf {v}_i \cdot \mathbf {v}_{c,p} ) / z'_i} A^{ \eta \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q}) / z'_i},~ \\&T_i = M \cdot e(g^{\alpha _i},Q_i) \cdot e(g^{\alpha }, g)^{\pi '} \cdot e(g^{\alpha }, A)^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}. \end{aligned}$$

2. For each \(j \in [m]\):

  • if \(j < \bar{j}\): it randomly chooses \(\mu '_j \in \mathbb {Z}_N\) and implicitly sets the value of \(\mu _j\) such that \((ab)^{-1} \mu '_j \nu _{3} - \nu _{3} \equiv \mu _j \,\mathrm{mod}\, p_1\), then sets

    \( \mathbf {C}_j = B^{c_j \tau ' \mathbf {v}_{c,p} } \cdot g^{c_j \tau ' \mu '_j \mathbf {v}_{c,q} } \cdot B^{\mathbf {w}_j},~~ \mathbf {C}'_j = g^{\mathbf {w}_j}. \)

  • if \(j = \bar{j}\): it sets \( \mathbf {C}_j = T^{c'_{\bar{j}} \tau ' \mathbf {v}_{c,q}} \cdot B^{ \mathbf {w}'_j },~~ \mathbf {C}'_j = g^{\mathbf {w}'_{\bar{j}}} \cdot C^{-c'_{\bar{j}} \tau ' \mathbf {v}_{c,p}} . \)

  • if \(j > \bar{j}\): it sets \( \mathbf {C}_j = B^{c_j \tau ' \mathbf {v}_{c,p} } \cdot B^{\mathbf {w}'_j},~~ \mathbf {C}'_j = g^{\mathbf {w}'_j} \cdot A^{-c_j \tau ' \mathbf {v}_{c,q}}. \)

3. It sets \( P= g^{\pi '} A^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})}, ~~ P_x = (g^{\pi '} A^{- \tau ' s'_{\bar{i}} (\mathbf {v}_{\bar{i}} \cdot \mathbf {v}_{c,q})})^{a_x}~\forall x \in S^*\).

If \(T=g^{abc}\), then the ciphertext is a well-formed encryption to the index \((\bar{i}, \bar{j})\). If \(T\) is randomly chosen, say \(T=g^r\) for some random \(r \in \mathbb {Z}_{p_1}\), the ciphertext is a well-formed encryption to the index \((\bar{i}, \bar{j}+1)\) with implicitly setting \(\mu _{\bar{j}}\) such that \( (\frac{r}{abc}-1) \nu _{3} \equiv \mu _{\bar{j}}~\mathrm{mod}~p_1. \)

Guess. \(\mathcal A\) outputs a guess \(b' \in \{0,1\}\) to \(\mathcal B\), then \(\mathcal B\) outputs this \(b'\) to the challenger as its answer to the Decision 3-Party Diffie-Hellman game.

Since the distributions of the public parameter, private keys and challenge ciphertext are the same as in the real scheme, \(\mathcal B\)’s advantage in the Decision 3-Party Diffie-Hellman game will be exactly equal to \(\mathcal A\)’s advantage in selectively breaking the index-hiding game.

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Liu, Z., Cao, Z., Wong, D.S. (2015). Fully Collusion-Resistant Traceable Key-Policy Attribute-Based Encryption with Sub-linear Size Ciphertexts. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_22

  • DOI: https://doi.org/10.1007/978-3-319-16745-9_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9

  • eBook Packages: Computer Science (R0)
