
Anonymous Data Collection System with Mediators

  • Conference paper
Cryptography and Information Security in the Balkans (BalkanCryptSec 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9024))

Abstract

Nowadays, sensitive data is processed for a wide range of purposes, e.g., establishing the presence or absence of a causal association between certain diseases. Statistics over sensitive data therefore need to be computed, and a number of methods for computing such statistics while preserving privacy have been investigated, e.g., secure computation, differential privacy, k-anonymity, etc. By contrast, it is not clear how to collect sensitive data in a privacy-preserving way in the first place. Moreover, the cost of data collection matters when the number of data suppliers is relatively large.

In this paper, we propose an anonymous data collection system with mediators, in which no mediator learns the actual data, but every mediator can still check the data format, i.e., whether the data belongs to a certain range. Data in the expected format can then be collected in a “secure” and “efficient” way. To construct this system, we employ public key encryption with an additional functionality, called restrictive public key encryption (RPKE). Finally, we estimate the performance of the proposed system when it is instantiated with existing concrete constructions, and confirm that it is efficient enough for practical use.



Notes

  1. We remark that a naive combination of PKE and a NIZK range proof is not enough. First, general NIZK is quite inefficient and an efficient instantiation is not trivial. Second, plaintexts (to be proved to belong to a range via NIZK) need to be recovered via a decryption procedure. On the contrary, RPKE supports both range proofs and decryption in an efficient way, and this is the reason why we adopt RPKE as a building block.

  2. This assumption is the same as that of Brickell and Shmatikov [12]. They also assume that responses and respondents are not linkable by content.

  3. We can define the encryption algorithm so that the algorithm outputs \(\bot \) if \(M\not \in \mathsf {MS}\), and a ciphertext C otherwise. Actually, the Sakai et al. scheme matches this definition. Nevertheless, the current definition makes sense since an RPKE scheme, where the encryption algorithm works for any plaintext but the verification algorithm can detect whether \(M\in \mathsf {MS}\) or not, could be constructed. See Appendix C for details.

References

  1. ISO/IES 20732. http://www.iso.org/iso/catalogue_detail?csnumber=44375

  2. The PBC (pairing-based cryptography) library. http://crypto.stanford.edu/pbc/

  3. Tor Project. https://www.torproject.org/

  4. Ashrafi, M.Z., Ng, S.K.: Collusion-resistant anonymous data collection method. In: KDD, pp. 69–78 (2009)

  5. Ashrafi, M.Z., Ng, S.K.: Efficient and anonymous online data collection. In: Zhou, X., Yokota, H., Deng, K., Liu, Q. (eds.) DASFAA 2009. LNCS, vol. 5463, pp. 471–485. Springer, Heidelberg (2009)

  6. Attrapadung, N., Emura, K., Hanaoka, G., Sakai, Y.: A revocable group signature scheme from identity-based revocation techniques: achieving constant-size revocation list. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 419–437. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/

  7. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

  8. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21, 149–177 (2008)

  9. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

  10. Boneh, D., Golle, P.: Almost entirely correct mixing with applications to voting. In: ACM Conference on Computer and Communications Security, pp. 68–77 (2002)

  11. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM Conference on Computer and Communications Security, pp. 168–177 (2004)

  12. Brickell, J., Shmatikov, V.: Efficient anonymity-preserving data collection. In: KDD, pp. 76–85 (2006)

  13. Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)

  14. Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006)

  15. Furukawa, J., Imai, H.: An efficient group signature scheme from bilinear maps. IEICE Trans. 89-A(5), 1328–1338 (2006)

  16. Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: USENIX Security Symposium, pp. 339–353 (2002)

  17. Laur, S., Willemson, J., Zhang, B.: Round-efficient oblivious database manipulation. In: Lai, X., Zhou, J., Li, H. (eds.) ISC 2011. LNCS, vol. 7001, pp. 262–277. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/

  18. Li, N., Li, T., Venkatasubramanian, S.: \(t\)-closeness: Privacy beyond \(k\)-anonymity and \(\ell \)-diversity. In: ICDE, pp. 106–115 (2007). http://dx.doi.org/10.1109/ICDE.2007.367856

  19. Libert, B., Peters, T., Yung, M.: Group signatures with almost-for-free revocation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 571–589. Springer, Heidelberg (2012)

  20. Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 609–627. Springer, Heidelberg (2012)

  21. Libert, B., Vergnaud, D.: Group signatures with verifier-local revocation and backward unlinkability in the standard model. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 498–517. Springer, Heidelberg (2009)

  22. Machanavajjhala, A., Gehrke, J., Kifer, D., Venkitasubramaniam, M.: \(\ell \)-diversity: privacy beyond \(k\)-anonymity. In: ICDE, p. 24 (2006). http://dx.doi.org/10.1109/ICDE.2006.1

  23. Nakanishi, T., Fujii, H., Hira, Y., Funabiki, N.: Revocable group signature schemes with constant costs for signing and verifying. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 463–480. Springer, Heidelberg (2009)

  24. Nakanishi, T., Funabiki, N.: Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 533–548. Springer, Heidelberg (2005)

  25. Nakanishi, T., Funabiki, N.: A short verifier-local revocation group signature scheme with backward unlinkability. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 17–32. Springer, Heidelberg (2006)

  26. Nakanishi, T., Funabiki, N.: Revocable group signatures with compact revocation list using accumulators. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 435–451. Springer, Heidelberg (2014). http://dx.doi.org/10.

  27. Sakai, Y., Emura, K., Hanaoka, G., Kawai, Y., Omote, K.: Towards restricting plaintext space in public key encryption. In: Iwata, T., Nishigaki, M. (eds.) IWSEC 2011. LNCS, vol. 7038, pp. 193–209. Springer, Heidelberg (2011)

  28. Sakai, Y., Emura, K., Hanaoka, G., Kawai, Y., Omote, K.: Methods for restricting message space in public-key encryption. IEICE Trans. 96-A(6), 1156–1168 (2013)

  29. Stokes, K.: On computational anonymity. In: Domingo-Ferrer, J., Tinnirello, I. (eds.) PSD 2012. LNCS, vol. 7556, pp. 336–347. Springer, Heidelberg (2012)

  30. Sweeney, L.: Achieving \(k\)-anonymity privacy protection using generalization and suppression. Int. J. Uncertainty, Fuzziness Knowl.-Based Syst. 10(5), 571–588 (2002)

  31. Sweeney, L.: \(k\)-anonymity: A model for protecting privacy. Int. J. Uncertainty, Fuzziness Knowl.-Based Syst. 10(5), 557–570 (2002)

  32. Tassa, T., Mazza, A., Gionis, A.: \(k\)-concealment: an alternative model of \(k\)-type anonymity. Trans. Data Priv. 5(1), 189–222 (2012)

  33. Truta, T.M., Campan, A., Meyer, P.: Generating microdata with p-sensitive k-anonymity property. In: Jonker, W., Petković, M. (eds.) SDM 2007. LNCS, vol. 4721, pp. 124–141. Springer, Heidelberg (2007). http://dx.doi.org/10.1007/978-3-540-75248-6_9

  34. Xue, M., Papadimitriou, P., Raïssi, C., Kalnis, P., Pung, H.K.: Distributed privacy preserving data collection. In: Yu, J.X., Kim, M.H., Unland, R. (eds.) DASFAA 2011, Part I. LNCS, vol. 6587, pp. 93–107. Springer, Heidelberg (2011)

  35. Yang, Z., Zhong, S., Wright, R.N.: Anonymity-preserving data collection. In: KDD, pp. 334–343 (2005)

  36. Yao, A.C.C.: Protocols for secure computations (extended abstract). In: FOCS 1982, pp. 160–164 (1982)

  37. Zhong, S., Yang, Z., Chen, T.: k-anonymous data collection. Inf. Sci. 179(17), 2948–2963 (2009)


Acknowledgement

We would like to thank our colleagues, especially Hiroshi Nakagawa, Takeaki Uno, Toshihiro Kamishima, Shotaro Akaho, and Junpei Kawamoto. We also would like to thank the anonymous reviewers of BalkanCryptSec 2014 for their helpful comments and suggestions.

Author information

Correspondence to Keita Emura.

Appendices

A Security Definitions of RPKE

Here, we give the definitions of indistinguishability with restrictive message space under chosen plaintext attack (IND-MSR-CPA) and of verification soundness. The former, IND-MSR-CPA security, captures the confidentiality of RPKE: no adversary that chooses two plaintexts belonging to the same message space and is given an encryption of one of them can guess which plaintext was encrypted significantly better than by a random guess. The security model hands the adversary \(\mathsf {sk}_{MRA}\), so that even the MRA learns nothing about plaintexts.

Definition 6

(IND-MSR-CPA). We say that a RPKE scheme \(\mathcal {RPKE}\) is IND-MSR-CPA secure if for all probabilistic polynomial-time (PPT) adversaries \(\mathcal {A}\) the following advantage \(\mathsf{Adv}_{\mathcal {A},\mathcal {RPKE}}^{\mathtt {ind}}(\kappa )\) is negligible.

$$\begin{aligned}&\mathsf{Adv}_{\mathcal {A},\mathcal {RPKE}}^{\mathtt {ind}}(\kappa ):=\\&\left| \Pr \left[ \begin{array}{l} (\mathsf {pk}_{MRA},\mathsf {sk}_{MRA}) \leftarrow \mathsf{MRASetup}(1^\kappa )\\ (\mathsf {pk}_{d},\mathsf {sk}_{d}) \leftarrow \mathsf{RKeyGen}(\mathsf {pk}_{MRA})\\ (M^{*}_0,M^{*}_1,\mathsf {MS}^{*},\mathcal {MS}^*,st) \leftarrow \mathcal {A}(\mathsf {pk}_{MRA},\mathsf {sk}_{MRA},\mathsf {pk}_d)\\ b\mathop {\leftarrow }\limits ^{\$} \{0,1\}\\ \mathsf {pk}_{\mathcal {MS}^{*}} := (\mathsf {pk}_{\mathsf {MS}_1}, \dots , \mathsf {pk}_{\mathsf {MS}_m}) \leftarrow \mathsf{MSSetup}(\mathsf {pk}_{MRA},\mathsf {sk}_{MRA},\mathcal {MS}^{*})\\ C^*\leftarrow \mathsf{REnc}(\mathsf {pk}_{MRA}, \mathsf {pk}_d,\mathsf {MS}^{*}, \mathsf {pk}_{\mathsf {MS}^{*}}, M^*_b)\\ b^\prime \leftarrow \mathcal {A}(st,C^*):~b=b^\prime \end{array} \right] -\frac{1}{2}\right| \end{aligned}$$

where it is required that \(\mathsf {MS}^* \in \mathcal {MS}^* = (\mathsf {MS}_1, \dots , \mathsf {MS}_m)\), and \(M_0^*, M^*_1 \in \mathsf {MS}^*\).

Next, we define verification soundness, which guarantees that \(\mathsf{VerifyMS} (\mathsf {pk}_{MRA}, \mathsf {pk}_d,\mathsf {MS}, \mathsf {pk}_{\mathsf {MS}}, C)=0\) whenever the decryption result of C does not belong to \(\mathsf {MS}\). The following definition is essentially the same as that of Sakai et al.; however, it captures multiple message spaces, since the adversary \(\mathcal {A}\) can prepare multiple message spaces via the \(\mathsf{MSSetup}\) oracle.

Definition 7

(Verification Soundness). We say that a RPKE scheme \(\mathcal {RPKE}\) has verification soundness if for all PPT adversaries \(\mathcal {A}\) the following advantage \(\mathsf{Adv}_{\mathcal {A},\mathcal {RPKE}}^{\mathtt {vs}}(\kappa )\) is negligible.

$$\begin{aligned}&\mathsf{Adv}_{\mathcal {A},\mathcal {RPKE}}^{\mathtt {vs}}(\kappa ):=\\&\Pr \left[ \begin{array}{l} (\mathsf {pk}_{MRA},\mathsf {sk}_{MRA}) \leftarrow \mathsf{MRASetup}(1^\kappa );\\ (\mathsf {pk}_{d}, \mathsf {sk}_{d}) \leftarrow \mathsf{RKeyGen}(\mathsf {pk}_{MRA}); \\ (\mathsf {MS}^*,\mathsf {pk}_{\mathsf {MS}^*},C^*) \leftarrow \mathcal {A}^{\mathsf{MSSetup}(\mathsf {pk}_{MRA},\mathsf {sk}_{MRA},{\cdot })}(\mathsf {pk}_{MRA},\mathsf {pk}_{d},\mathsf {sk}_{d})\\ : \mathsf{VerifyMS}(\mathsf {pk}_{MRA},\mathsf {pk}_d,\mathsf {MS}^*,\mathsf {pk}_{\mathsf {MS}^*},C^*)=1\wedge \\ ~~\mathsf{RDec}(\mathsf {pk}_{MRA},\mathsf {pk}_d,\mathsf {sk}_d,\mathsf {MS}^*,\mathsf {pk}_{\mathsf {MS}^*},C^*)\not \in {\mathsf {MS}^*}\\ \end{array} \right] \end{aligned}$$

where \(\mathsf {pk}_{\mathsf {MS}^*}\) is required to be one of the public verification keys that \(\mathcal {A}\) has received from the \(\mathsf{MSSetup}\) oracle by querying \(\mathsf {MS}^*\).

B Security Analysis

Theorem 1

Our system is semantically secure if the underlying RPKE scheme is IND-MSR-CPA secure.

Proof

We prove Theorem 1 using the standard hybrid argument. Let \(\mathcal {A}\) be an adversary that attacks the semantic security of our system. For \(i \in [0,m]\), let Game i be the semantic security game in which \(C^*_D = (c^*_{D,1}, \dots , c^*_{D,m})\) is generated in such a way that the first i elements are generated by encrypting the elements in \(V^*_1\), and the remaining \(m-i\) elements are generated by encrypting the elements in \(V^*_0\). Let \(p_i\) be the probability that \(\mathcal {A}\) outputs 1 in Game i. By definition, Game 0 is the semantic security game in which the elements in \(V^*_0\) are encrypted, while Game m is the one in which the elements in \(V^*_1\) are encrypted. Therefore, \(\mathcal {A}\)’s semantic security advantage is upper-bounded by the difference between the probability that \(\mathcal {A}\) outputs 1 in Game 0 and that in Game m, namely \(|p_0-p_m|\). By the triangle inequality, \(|p_0 - p_m| \le \sum _{i \in [1,m]}|p_{i-1} - p_i|\). We then show that for every \(i \in [1,m]\) we can construct an algorithm \(\mathcal {B}\) that breaks IND-MSR-CPA security with advantage \((1/2)|p_{i-1} - p_i|\). The description of \(\mathcal {B}\), which runs in the IND-MSR-CPA game, is as follows:

  • The first stage algorithm \(\mathcal {B}(\mathsf{pk}_{MRA}, \mathsf{sk}_{MRA}, \mathsf{pk}_d)\) : \(\mathcal {B} \) specifies \(\mathcal {MS}:=(\mathsf {MS}_1, \ldots ,\mathsf {MS}_m)\), runs \(\mathsf{MSSetup}(\mathsf {pk}_{MRA}, \mathsf {sk}_{MRA},\mathcal {MS})\), and obtains \(\mathsf {pk}_{\mathcal {MS}}:=(\mathsf {pk}_{\mathsf {MS}_1}, \ldots ,\mathsf {pk}_{\mathsf {MS}_m})\). \(\mathcal {B}\) sets \(\mathsf {pk}_{DC}:=(\mathsf {pk}_{MRA},\mathsf {pk}_{d}, \mathsf {pk}_{\mathcal {MS}})\), and runs \(\mathcal {A}\) on input \((\mathsf {pk}_{DC},\mathcal {MS})\). When \(\mathcal {A}\) outputs the challenge data \((V^*_0,V^*_1)\) and its state information st, where \(V^*_0,V^*_1\in \mathsf {MS}_1\times \cdots \times \mathsf {MS}_m\), \(\mathcal {B}\) parses \(V^*_0 =(v^*_{0,1},\ldots ,v^*_{0,m})\) and \(V^*_1=(v^*_{1,1},\ldots ,v^*_{1,m})\). Then \(\mathcal {B}\) outputs \((v^*_{0,i}, v^*_{1,i})\) as \(\mathcal {B}\)’s challenge and \(st'\) as its state information, where \(st'\) is the entire view of \(\mathcal {B}\) so far.

  • The second stage algorithm \(\mathcal {B}(st', c^*)\) : \(\mathcal {B}\) sets \(c^*_i := c^*\). If \(i \ge 2\), then \(\mathcal {B}\) computes \(c^*_j \leftarrow \mathsf{REnc}( \mathsf{pk}_{MRA},\mathsf{pk}_d, \mathsf{MS}_j, \mathsf{pk}_{\mathsf{MS}_j}, v^*_{1,j})\) for \(j \in [1, i-1]\). Furthermore, if \(i \le m-1\), then \(\mathcal {B}\) computes \(c^*_j \leftarrow \mathsf{REnc}(\mathsf{pk}_{MRA}, \mathsf{pk}_d, \mathsf{MS}_j, \mathsf{pk}_{\mathsf{MS}_j}, v^*_{0,j})\) for \(j \in [i+1, m]\). Then \(\mathcal {B}\) sets \(C^*_D := (c^*_j)_{j = 1}^m\), and runs \(\mathcal {A}\) on input \((C^*_D, st)\). When \(\mathcal {A}\) terminates with its guess bit \(b'\), \(\mathcal {B}\) outputs this \(b'\) and terminates.

It is easy to see that if \(\mathcal {B}\)’s challenge bit is 0, then \(\mathcal {B}\) simulates Game \(i-1\) perfectly for \(\mathcal {A}\), and thus the probability that \(\mathcal {B}\) outputs 1 is exactly \(p_{i-1}\). On the other hand, if \(\mathcal {B}\)’s challenge bit is 1, then \(\mathcal {B}\) simulates Game i perfectly for \(\mathcal {A}\), and thus the probability that \(\mathcal {B}\) outputs 1 in this case is exactly \(p_i\). Therefore, \(\mathcal {B}\)’s IND-MSR-CPA advantage is \((1/2)|p_{i-1} -p_i|\). This means that \(|p_{i-1} - p_i|\) is negligible by our assumption that the RPKE scheme is IND-MSR-CPA secure. Since this holds for every \(i \in [1,m]\), \(\mathcal {A}\)’s semantic security advantage is upper-bounded by a sum of m negligible terms and is therefore negligible.
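The concrete loss of this reduction, written out (added here, not part of the original proof; \(\mathcal {B}_i\) denotes the algorithm \(\mathcal {B}\) built for index i, and \(\mathsf{Adv}^{\mathtt {ss}}_{\mathcal {A}}\) denotes \(\mathcal {A}\)’s semantic security advantage):

$$\begin{aligned} \mathsf{Adv}^{\mathtt {ss}}_{\mathcal {A}}(\kappa ) \le |p_0-p_m| \le \sum _{i\in [1,m]} |p_{i-1}-p_i| = 2\sum _{i\in [1,m]} \mathsf{Adv}^{\mathtt {ind}}_{\mathcal {B}_i,\mathcal {RPKE}}(\kappa ) \le 2m\cdot \max _{i\in [1,m]} \mathsf{Adv}^{\mathtt {ind}}_{\mathcal {B}_i,\mathcal {RPKE}}(\kappa ). \end{aligned}$$

The bound therefore degrades linearly in the number m of attributes per record; when records carry many attributes, the security parameter of the RPKE scheme has to absorb this factor 2m.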

Theorem 2

Assume that data does not contain any identifier that uniquely determines the corresponding Data supplier. Then, our system is anonymous.

It is straightforward to see that Theorem 2 holds, because \(\mathsf{TableGen}\) uses a random permutation, and thus the distributions of \((C'_{D,i})_{i=1}^n\) in the cases \(b=0\) and \(b=1\) are identical. The assumption in the theorem is essential: the permutation hides only which position a supplier’s entry occupies, so an identifier contained in the data itself would link the entry back to its supplier regardless of the shuffle (cf. footnote 2).

Theorem 3

Our system has format-check soundness if the underlying RPKE scheme has verification soundness.

Proof

Let \(\mathcal {A}\) be an adversary that breaks format-check soundness of our system. Then, we construct an algorithm \(\mathcal {B}\) that, using \(\mathcal {A}\) as a building block, breaks the verification soundness of the underlying RPKE scheme as follows:

  • \(\mathcal {B}^{\mathsf{MSSetup}(\mathsf {pk}_{MRA}, \mathsf {sk}_{MRA}, \cdot )}(\mathsf {pk}_{MRA}, \mathsf {pk}_{d}, \mathsf {sk}_{d})\) : \(\mathcal {B}\) specifies \(\mathcal {MS}:=(\mathsf {MS}_1,\ldots ,\mathsf {MS}_m)\), and for each \(j\in [1,m]\) submits a \(\mathsf{MSSetup}\) query \(\mathsf {MS}_j\) to the oracle, and obtains \(\mathsf {pk}_{\mathsf {MS}_j}\). Then \(\mathcal {B}\) sets \(\mathsf {pk}_{\mathcal {MS}}:=(\mathsf {pk}_{\mathsf {MS}_1},\ldots , \mathsf {pk}_{\mathsf {MS}_m})\) and \(\mathsf {pk}_{DC}:=(\mathsf {pk}_{MRA}, \mathsf {pk}_{d},\mathsf {pk}_{\mathcal {MS}})\), and runs \(\mathcal {A}\) on input \((\mathsf {pk}_{DC},\mathcal {MS})\). When \(\mathcal {A}\) outputs \((C_D^*:=(c_j^*)_{j=1}^m)\), \(\mathcal {B}\) runs \(\mathsf{f\text {-}index}^*\leftarrow \mathsf{FormatCheck} (\mathsf{pk}_{DC}, C^*_D)\). \(\mathcal {B}\) guesses \(j\in [1,m]\) uniformly at random, sets \(\mathsf {MS}^*:=\mathsf {MS}_j\), \(\mathsf {pk}_{\mathsf {MS}^*}:=\mathsf {pk}_{\mathsf {MS}_j}\), and \(c^*:=c^*_j\), and terminates with output \((\mathsf {MS}^*, \mathsf {pk}_{\mathsf {MS}^*},c^*)\).

It is easy to see that \(\mathcal {B}\) perfectly simulates the format-check soundness game for \(\mathcal {A}\), and conditioned on the event that \(\mathcal {A}\) succeeds in breaking the format-check soundness of our system, \(\mathcal {B}\) succeeds in breaking the verification soundness of the underlying RPKE scheme with probability at least 1 / m. Therefore, if \(\mathcal {A}\) succeeds in breaking the format-check soundness of our system with non-negligible advantage, \(\mathcal {B}\) succeeds in breaking the verification soundness of the RPKE scheme also with non-negligible advantage.

C A Concrete RPKE Scheme

In this section, we review the Sakai et al. RPKE scheme [28]. It applies the revocation technique of the Nakanishi et al. group signature scheme [23]. Briefly, a plaintext plays the role of a user in the group signature setting, and the revocation functionality is used to exclude the case in which a prohibited plaintext is encrypted. We remark that there are two types of revocable group signature: (1) any user, revoked or not, can generate a valid group signature, but anyone can check whether the signer has been revoked [11, 21, 24, 25], and (2) no revoked user can generate a valid group signature [6, 19, 20, 23, 26]. In the former type the signing or verification cost usually depends on the number of revoked users, whereas the latter type can achieve constant signing/verification costs. Thus, for efficiency, the Sakai et al. RPKE scheme employs the latter type of revocation technique. We remark that an RPKE scheme where the encryption algorithm works for any plaintext but the verification algorithm can detect whether \(M\in \mathsf {MS}\) or not could be constructed by applying the former type of revocation technique.

We note that the message space [1, N] must be small so that M can be computed from \((\hat{f},\hat{f}^M)\) by solving a discrete logarithm. In our usage, such a small message space is acceptable, e.g., if a value is only known to lie in the 30s, i.e., \(\{30,31,\ldots ,39\}\), then the size of the message space is just 10. Moreover, we can assume that the number of disease names is also fairly small. Under such an assumption, the computation cost of solving the discrete logarithm can be ignored. Without loss of generality, we assume that every message space \(\mathsf {MS}\in \mathcal {MS}\) can be represented as \([1,N]\setminus \{m_1,\ldots ,m_r\}\), i.e., for \(i\in [1,r]\), \(m_i\in [1,N]\) is excluded from the message space. We describe the \(\mathsf{REnc}\) algorithm and the \(\mathsf{RDec}\) algorithm for a single message space \(\mathsf {MS}\in \mathcal {MS}\); in our system these algorithms are run for every \(\mathsf {MS}\in \mathcal {MS}\) separately.

  • \(\mathsf{MRASetup}(1^\kappa )\) : Let \((\mathbb {G}, \mathbb {G}_T)\) be a bilinear group with a \(\kappa \)-bit prime order p and \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be a bilinear map. In addition, let \(\mathbb {G}^\prime \) be a DDH-hard group with the same order p. Let \(H : \{0,1\}^*\rightarrow \mathbb {Z}_p\) be a cryptographic hash function (such as one of the SHA family) that will be modeled as a random oracle in the security proofs. Choose generators \(g,\tilde{g},\dot{g},g_1,\tilde{g}_1,g_2,g_3,g_4,g_5\mathop {\leftarrow }\limits ^{\$} \mathbb {G}\) and \(\hat{f}\mathop {\leftarrow }\limits ^{\$} \mathbb {G}^\prime \), a signing key of BBS+ signatures [9, 15] \(X_1\mathop {\leftarrow }\limits ^{\$} \mathbb {Z}_p\), and signing keys of BB signatures [8] \(X_2, X_3\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p\), and compute the verification key of BBS+ signatures \(Y_1=g^{X_1}\), and the verification keys of BB signatures \(Y_2=g^{X_2}\) and \(Y_3=g^{X_3}\). For \(k\in [1,\lfloor \sqrt{N}\rfloor ]\), compute \(F_{1,k}=\tilde{g}^{\frac{1}{X_2+k}}\). For \(k\in [0,\lfloor 2\sqrt{N}\rfloor ]\), compute \(F_{2,k}=\dot{g}^{\frac{1}{X_3+k}}\). Output \(\mathsf {pk}_{MRA}=\big (p,e,\mathbb {G},\mathbb {G}_T,\mathbb {G}^\prime , H \), \(Y_1\), \(Y_2\), \(Y_3\), \(\{F_{1,k}\}_{k=1}^{\lfloor \sqrt{N}\rfloor }\), \(\{F_{2,k}\}_{k=0}^{\lfloor 2\sqrt{N}\rfloor }\), \(\hat{f}\big )\), and \(\mathsf {sk}_{MRA}=(X_1\), \(X_2\), \(X_3\)).

  • \(\mathsf{RKeyGen}(\mathsf {pk}_{MRA})\) : Choose \(\hat{g}_1,\hat{g}_2\mathop {\leftarrow }\limits ^{\$} \mathbb {G}^\prime \) and \(z\mathop {\leftarrow }\limits ^{\$} \mathbb {Z}_p\), and compute \(\hat{h}=\hat{g}_1^z\). Output \(\mathsf {pk}_d=(\hat{g}_1,\hat{g}_2,\hat{h})\) and the corresponding secret key \(\mathsf {sk}_d=z\).

  • \(\mathsf{MSSetup}(\mathsf {pk}_{MRA},\mathsf {sk}_{MRA},\mathcal {MS})\) : For all \(\mathsf {MS}\in \mathcal {MS}\), run the following procedure. Let \(\mathsf {MS}:=[1,N]\setminus \{m_1,m_2,\ldots , m_r\}\) with \(m_1<m_2<\cdots <m_r\). Set \(m_{0} = 0\) and \(m_{r+1} = N+1\). Choose a current serial number \(t\in \mathbb {Z}_p\). For \(\ell \in [0,r]\), choose \(y_{\ell }\), \(z_{\ell }\mathop {\leftarrow }\limits ^{\$} \mathbb {Z}_p\) and compute the BBS+ signature \(B_{\ell }=(g_1^tg_2^{m_{\ell }}g_3^{m_{\ell +1}}g_4^{y_{\ell }}g)^{\frac{1}{X_1+z_{\ell }}}\) on the gap \((m_{\ell }, m_{\ell +1})\). Output \(\mathsf {pk}_{MS}=(t,\{(m_{\ell }\), \(m_{\ell +1}\), \(B_{\ell }\), \(y_{\ell }\), \(z_{\ell })\}_{\ell =0}^{r})\).

  • \(\mathsf{REnc}(\mathsf {pk}_{MRA},\mathsf {pk}_d,\mathsf{MS},\mathsf {pk}_{\mathsf {MS}},M)\) : Find the position j such that \(m_{j}<M<m_{j+1}\). If there is no such j (which means \(M\not \in \mathsf{MS}\)), output \(\bot \). Write \(M-m_{j}=\delta _{1,1}^2+\delta _{1,2}\) and \(m_{j+1}-M=\delta _{2,1}^2+\delta _{2,2}\) with \(\delta _{1,1},\delta _{2,1}\in [1,\lfloor \sqrt{N}\rfloor ]\) and \(\delta _{1,2},\delta _{2,2}\in [0,\lfloor 2\sqrt{N}\rfloor ]\) (e.g., \(\delta _{1,1}=\lfloor \sqrt{M-m_{j}}\rfloor \)); these are the witnesses of the two range proofs, and their bounds are exactly the index ranges of \(\{F_{1,k}\}\) and \(\{F_{2,k}\}\). Choose \(\alpha \), \(\beta _{1,1}\), \(\beta _{1,2}\), \(\beta _{2,1}\), \(\beta _{2,2}\), u, \(\xi _{1}\), \(\xi ^\prime _{1}\), \(\xi _{2}\), \(\xi ^\prime _{2}\mathop {\leftarrow }\limits ^{\$} \mathbb {Z}_p\), compute \(C_{1}=B_{j}g_5^{\alpha }\), \(C_{2}=F_{1,\delta _{1,1}}g_5^{\beta _{1,1}}\), \(C_{3}=F_{2,\delta _{1,2}}g_5^{\beta _{1,2}}\), \(C_{4}=F_{1,\delta _{2,1}}g_5^{\beta _{2,1}}\), \(C_{5}=F_{2,\delta _{2,2}}g_5^{\beta _{2,2}}\), \(C_{6}=\tilde{g}^{\delta _{1,1}}\tilde{g}_1^{\xi _{1}}\), \(C_{7}=\tilde{g}^{\delta ^2_{1,1}}\tilde{g}_1^{\xi ^\prime _{1}}\), \(C_{8}=\tilde{g}^{\delta _{2,1}}\tilde{g}_1^{\xi _{2}}\), \(C_{9}=\tilde{g}^{\delta ^2_{2,1}}\tilde{g}_1^{\xi ^\prime _{2}}\), \(\xi ^{\prime \prime }_{1}:=\xi ^\prime _{1}-\xi _{1}\delta _{1,1}\), \(\xi ^{\prime \prime }_{2}:=\xi ^\prime _{2}-\xi _{2}\delta _{2,1}\), \(C_{10}=\hat{g}_1^{u}\), \(C_{11}=\hat{g}_2^{u}\), \(C_{12}=\hat{f}^{M}\hat{h}^{u}\), \(\zeta =\alpha z_{j}\), \(\theta _{1,1}:=\beta _{1,1}\delta _{1,1}\), \(\theta _{1,2}:=\beta _{1,2}\delta _{1,2}\), \(\theta _{2,1}:=\beta _{2,1}\delta _{2,1}\), and \(\theta _{2,2}:=\beta _{2,2}\delta _{2,2}\). In addition, compute a proof \(\pi \) that these values are well-formed.

    Concretely, \(\pi \) is computed as follows. Note that all pairing values are pre-computable.

    1. Choose \(r_{M}\), \(r_{\zeta }\), \(r_{\alpha }\), \(r_{y_{j}}\), \(r_{{z}_{j}}\), \(r_{m_{j}}\), \(r_{m_{j+1}}\), \(r_{\delta _{1,1}}\), \(r_{\delta _{1,2}}\), \(r_{\delta _{2,1}}\), \(r_{\delta _{2,2}}\), \(r_{\theta _{1,1}}\), \(r_{\theta _{1,2}}\), \(r_{\theta _{2,1}}\), \(r_{\theta _{2,2}}\), \(r_{\beta _{1,1}}\), \(r_{\beta _{1,2}}\), \(r_{\beta _{2,1}}\), \(r_{\beta _{2,2}}\), \(r_{\xi _{1}}\), \(r_{\xi _{1}^\prime }\), \(r_{\xi _{1}^{\prime \prime }}\), \(r_{\xi _{2}}\), \(r_{\xi _{2}^\prime }\), \(r_{\xi _{2}^{\prime \prime }}\), \(r_{u}\mathop {\leftarrow }\limits ^{\$} \mathbb {Z}_p\).

    2. Compute

      $$\begin{aligned} R_1&=e(g_5,Y_1)^{r_{\alpha }}e(g_5,g)^{r_{\zeta }-\alpha r_{z_{j}}}e(g_2,g)^{r_{m_{j}}}e(g_3,g)^{r_{m_{j+1}}}e(g_4,g)^{r_{y_{j}}}/e(B_{j},g)^{r_{z_{j}}},\\ R_2&=e(g_5,Y_2)^{r_{\beta _{1,1}}}e(g_5,g)^{r_{\theta _{1,1}}-\beta _{1,1}r_{\delta _{1,1}}}/e(F_{1,\delta _{1,1}},g)^{r_{\delta _{1,1}}}, \\ R_3&=e(g_5,Y_3)^{r_{\beta _{1,2}}}e(g_5,g)^{r_{\theta _{1,2}}-\beta _{1,2}r_{\delta _{1,2}}}/e(F_{2,\delta _{1,2}},g)^{r_{\delta _{1,2}}}, \\ R_4&=e(g_5,Y_2)^{r_{\beta _{2,1}}}e(g_5,g)^{r_{\theta _{2,1}}-\beta _{2,1}r_{\delta _{2,1}}}/e(F_{1,\delta _{2,1}},g)^{r_{\delta _{2,1}}}, \\ R_5&=e(g_5,Y_3)^{r_{\beta _{2,2}}}e(g_5,g)^{r_{\theta _{2,2}}-\beta _{2,2}r_{\delta _{2,2}}}/e(F_{2,\delta _{2,2}},g)^{r_{\delta _{2,2}}}, \\ R_6&=\tilde{g}^{r_{\delta _{1,1}}}\tilde{g}_1^{r_{\xi _{1}}}, R_7=C_{6}^{r_{\delta _{1,1}}}\tilde{g}_{1}^{r_{\xi ^{\prime \prime }_{1}}}, R_8=\tilde{g}^{-r_{\delta _{1,2}}+r_{M}-r_{m_{j}}}\tilde{g}_1^{r_{\xi _{1}^\prime }}, \\ R_9&=\tilde{g}^{r_{\delta _{2,1}}}\tilde{g}_1^{r_{\xi _{2}}}, R_{10}=C_{8}^{r_{\delta _{2,1}}}\tilde{g}_1^{r_{\xi ^{\prime \prime }_{2}}}, R_{11}=\tilde{g}^{-r_{\delta _{2,2}}+r_{m_{j+1}}-r_{M}}\tilde{g}_1^{r_{\xi _{2}^\prime }}, \\ R_{12}&=\hat{g}_1^{r_{u}}, R_{13}=\hat{g}_2^{r_{u}}, R_{14}=\hat{f}^{r_{M}}\hat{h}^{r_{u}}. \end{aligned}$$

    3. Compute \(c=H(R_1,\ldots ,R_{14}, C_{1},\ldots , C_{12},\mathsf {pk}_{MRA},\mathsf {pk}_{\mathsf {MS}},\mathsf {pk}_d)\).

    4. Compute \(s_{M}=r_{M}+cM\), \(s_{\zeta }=r_{\zeta }+c\zeta \), \(s_{\alpha }=r_{\alpha }+c\alpha \), \(s_{y_{j}}=r_{y_{j}}+cy_{j}\), \(s_{{z}_{j}}=r_{{z}_{j}}+cz_{j}\), \(s_{m_{j}}=r_{m_{j}}+cm_{j}\), \(s_{m_{j+1}}=r_{m_{j+1}}+cm_{j+1}\), \(s_{\delta _{1,1}}=r_{\delta _{1,1}}+c\delta _{1,1}\), \(s_{\delta _{1,2}}=r_{\delta _{1,2}}+c{\delta _{1,2}}\), \(s_{\delta _{2,1}}=r_{\delta _{2,1}}+c{\delta _{2,1}}\), \(s_{\delta _{2,2}}=r_{\delta _{2,2}}+c{\delta _{2,2}}\), \(s_{\theta _{1,1}}=r_{\theta _{1,1}}+c{\theta _{1,1}}\), \(s_{\theta _{1,2}}=r_{\theta _{1,2}}+c{\theta _{1,2}}\), \(s_{\theta _{2,1}}=r_{\theta _{2,1}}+c{\theta _{2,1}}\), \(s_{\theta _{2,2}}=r_{\theta _{2,2}}+c{\theta _{2,2}}\), \(s_{\beta _{1,1}}=r_{\beta _{1,1}}+c{\beta _{1,1}}\), \(s_{\beta _{1,2}}=r_{\beta _{1,2}}+c{\beta _{1,2}}\), \(s_{\beta _{2,1}}=r_{\beta _{2,1}}+c{\beta _{2,1}}\), \(s_{\beta _{2,2}}=r_{\beta _{2,2}}+c{\beta _{2,2}}\), \(s_{\xi _{1}}=r_{\xi _{1}}+c{\xi _{1}}\), \(s_{\xi _{1}^\prime }=r_{\xi _{1}^\prime }+c{\xi _{1}^\prime }\), \(s_{\xi _{1}^{\prime \prime }}=r_{\xi _{1}^{\prime \prime }}+c{\xi _{1}^{\prime \prime }}\), \(s_{\xi _{2}}=r_{\xi _{2}}+c{\xi _{2}}\), \(s_{\xi _{2}^\prime }=r_{\xi _{2}^\prime }+c{\xi _{2}^\prime }\), \(s_{\xi _{2}^{\prime \prime }}=r_{\xi _{2}^{\prime \prime }}+c{\xi _{2}^{\prime \prime }}\), and \(s_{u}=r_{u}+c{u}\).

    5. Output \(\pi =(c\), \(s_{M}\), \(s_{\zeta }\), \(s_{\alpha }\), \(s_{y_{j}}\), \(s_{{z}_{j}}\), \(s_{m_{j}}\), \(s_{m_{j+1}}\), \(s_{\delta _{1,1}}\), \(s_{\delta _{1,2}}\), \(s_{\delta _{2,1}}\), \(s_{\delta _{2,2}}\), \(s_{\theta _{1,1}}\), \(s_{\theta _{1,2}}\), \(s_{\theta _{2,1}}\), \(s_{\theta _{2,2}}\), \(s_{\beta _{1,1}}\), \(s_{\beta _{1,2}}\), \(s_{\beta _{2,1}}\), \(s_{\beta _{2,2}}\), \(s_{\xi _{1}}\), \(s_{\xi _{1}^\prime }\), \(s_{\xi _{1}^{\prime \prime }}\), \(s_{\xi _{2}}\), \(s_{\xi _{2}^\prime }\), \(s_{\xi _{2}^{\prime \prime }}\), \(s_{u})\).

    Output the ciphertext \(C=(C_1,\ldots ,C_{12}, \pi )\).

  • \(\mathsf{VerifyMS}(\mathsf {pk}_{MRA},\mathsf {pk}_d,\mathsf {MS},\mathsf {pk}_{\mathsf {MS}},C)\) : Parse \(C=(C_1,\ldots ,C_{12},\pi )\). Note that all pairing values are pre-computable, except \(e(C_{1}, g^{s_{z_{j}}}Y_1^{c})\), \(e(C_{2},g^{s_{\delta _{1,1}}}Y_2^{c})\), \(e(C_{3},g^{s_{\delta _{1,2}}}Y_3^{c})\), \(e(C_{4},g^{s_{\delta _{2,1}}}Y_2^{c})\), and \(e(C_{5},g^{s_{\delta _{2,2}}}Y_3^{c})\).

    1. Compute

      $$\begin{aligned} R^\prime _1&=e(g_5,Y_1)^{s_{\alpha }}e(g_5,g)^{s_{\zeta }}e(g_1,g)^{ct} e(g_2,g)^{s_{m_{j}}}e(g_3,g)^{s_{m_{j+1}}}e(g_4,g)^{s_{y_{j}}} \\&\qquad e(g,g)^{c}/e(C_{1},g^{s_{z_{j}}}Y_1^{c}), \\ R^\prime _2&=e(g_5,Y_2)^{s_{\beta _{1,1}}}e(g_5,g)^{s_{\theta _{1,1}}}e(\tilde{g},g)^{c}/e(C_{2},g^{s_{\delta _{1,1}}}Y_2^{c}), \\ R^\prime _3&=e(g_5,Y_3)^{s_{\beta _{1,2}}}e(g_5,g)^{s_{\theta _{1,2}}}e(\dot{g},g)^{c}/e(C_{3},g^{s_{\delta _{1,2}}}Y_3^{c}), \\ R^\prime _4&=e(g_5,Y_2)^{s_{\beta _{2,1}}}e(g_5,g)^{s_{\theta _{2,1}}}e(\tilde{g},g)^{c}/e(C_{4},g^{s_{\delta _{2,1}}}Y_2^{c}), \\ R^\prime _5&=e(g_5,Y_3)^{s_{\beta _{2,2}}}e(g_5,g)^{s_{\theta _{2,2}}}e(\dot{g},g)^{c}/e(C_{5},g^{s_{\delta _{2,2}}}Y_3^{c}), \\ R^\prime _6&=\tilde{g}^{s_{\delta _{1,1}}}\tilde{g}_1^{s_{\xi _{1}}}C_{6}^{-c}, R^\prime _7=C_{6}^{s_{\delta _{1,1}}}\tilde{g}_{1}^{s_{\xi ^{\prime \prime }_{1}}}C_{7}^{-c}, R^\prime _8=\tilde{g}^{-s_{\delta _{1,2}}+s_{M}-s_{m_{j}}}\tilde{g}_1^{s_{\xi _{1}^\prime }}C_{7}^{-c}, \\ R^\prime _9&=\tilde{g}^{s_{\delta _{2,1}}}\tilde{g}_1^{s_{\xi _{2}}}C_{8}^{-c}, R^\prime _{10}=C_{8}^{s_{\delta _{2,1}}}\tilde{g}_1^{s_{\xi ^{\prime \prime }_{2}}}C_{9}^{-c},\\ R^\prime _{11}&=\tilde{g}^{-s_{\delta _{2,2}}+s_{m_{j+1}}-s_{M}}\tilde{g}_1^{s_{\xi _{2}^\prime }}C_{9}^{-c}, R^\prime _{12}=\hat{g}_1^{s_{u}}C_{10}^{-c}, R^\prime _{13}=\hat{g}_2^{s_u}C_{11}^{-c},\\ R^\prime _{14}&=\hat{f}^{s_{M}}\hat{h}^{s_{u}}C_{12}^{-c}. \end{aligned}$$

    2. Output 1 if \(c=H(R^\prime _1,\ldots ,R^\prime _{14}, C_{1},\ldots , C_{12},\mathsf {pk}_{MRA},\mathsf {pk}_{\mathsf {MS}},\mathsf {pk}_d)\), and 0 otherwise.

  • \(\mathsf{RDec}(\mathsf {pk}_{MRA},\mathsf {pk}_d,\mathsf {sk}_d,\mathsf {MS},\mathsf {pk}_{\mathsf {MS}},C)\) : Run \(\mathsf{VerifyMS}(\mathsf {pk}_{MRA},\mathsf {pk}_d,\mathsf {MS},\mathsf {pk}_{\mathsf {MS}},C)\); if it outputs 0, output \(\bot \). Otherwise compute \(\hat{f}^M=C_{12}/C_{10}^{z}\), solve the discrete logarithm problem for \((\hat{f},\hat{f}^M)\) over \([1,N]\) (by exhaustive search, which is feasible because N is small), and output M.
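As an added example (not code from the paper or from the Sakai et al. implementation), the following Python script exercises the parts of the scheme above that do not need a pairing: representing a message space \([1,N]\setminus \{m_1,\ldots ,m_r\}\) and locating the gap index j with \(m_{j}<M<m_{j+1}\), deriving the square-decomposition witnesses \(\delta \) of the two range proofs together with the bounds that fix the sizes of the \(F_{1,k}\) and \(F_{2,k}\) tables, and the ElGamal-style components \(C_{10},C_{11},C_{12}\) with the small-message-space discrete logarithm that \(\mathsf{RDec}\) solves. The pairing-based proof \(\pi \) and \(\mathsf{VerifyMS}\) are not implemented. The group is a constructed toy parameter set (the order-1019 subgroup of \(\mathbb {Z}_{2039}^*\), with \(2039=2\cdot 1019+1\)), far too small for real use, and the function names are this example's own.

```python
"""Toy demonstration of the non-pairing parts of the Sakai et al. RPKE scheme.
Added example with constructed parameters; not the paper's code."""
from dataclasses import dataclass
from math import isqrt
import secrets

# Constructed toy group: the order-q subgroup of Z_P^*, P = 2q + 1 a safe prime.
# A real deployment uses a pairing-friendly group of 160-256-bit prime order.
P = 2039
q = 1019
G = 4  # 4 = 2^2 is a quadratic residue mod P, so it generates the order-q subgroup


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


assert _is_prime(P) and _is_prime(q) and P == 2 * q + 1

F_HAT = pow(G, 7, P)  # \hat f from pk_MRA: a fixed public generator of the subgroup


def gap_bounds(N, excluded):
    """Certified gap endpoints of MS = [1,N] minus excluded:
    m_0 = 0 < m_1 < ... < m_r < m_{r+1} = N + 1 (as in MSSetup)."""
    return [0] + sorted(excluded) + [N + 1]


def gap_index(N, excluded, M):
    """Return j with m_j < M < m_{j+1}, or None if M is excluded or outside [1, N]."""
    m = gap_bounds(N, excluded)
    for j in range(len(m) - 1):
        if m[j] < M < m[j + 1]:
            return j
    return None


def square_witness(x, N):
    """Write x = d1^2 + d2 with 1 <= d1 <= floor(sqrt N) and 0 <= d2 <= floor(2 sqrt N).

    These are the delta values the range proof commits to; the two bounds are
    exactly the index ranges of the MRA tables F_{1,k} and F_{2,k}."""
    if not 1 <= x <= N:
        raise ValueError("x must lie in [1, N]")
    d1 = isqrt(x)
    d2 = x - d1 * d1  # 0 <= d2 <= 2*d1 <= 2*sqrt(N)
    assert 1 <= d1 <= isqrt(N) and 0 <= d2 <= isqrt(4 * N)
    return d1, d2


@dataclass
class ReceiverKey:
    """pk_d = (g1, g2, h = g1^z) from RKeyGen, plus the secret z."""
    g1: int
    g2: int
    h: int
    z: int


def rkeygen():
    g1 = pow(G, secrets.randbelow(q - 1) + 1, P)
    g2 = pow(G, secrets.randbelow(q - 1) + 1, P)
    z = secrets.randbelow(q - 1) + 1
    return ReceiverKey(g1, g2, pow(g1, z, P), z)


def renc_elgamal(pk, M):
    """The components C_10 = g1^u, C_11 = g2^u, C_12 = f^M h^u of REnc."""
    u = secrets.randbelow(q - 1) + 1
    return (pow(pk.g1, u, P), pow(pk.g2, u, P), pow(F_HAT, M, P) * pow(pk.h, u, P) % P)


def renc(pk, N, excluded, M):
    """Plaintext-side work of REnc: gap index, range witnesses, ElGamal part.
    Returns None (the paper's bottom symbol) when M is not in MS."""
    j = gap_index(N, excluded, M)
    if j is None:
        return None
    m = gap_bounds(N, excluded)
    d11, d12 = square_witness(M - m[j], N)      # M - m_j     = d11^2 + d12
    d21, d22 = square_witness(m[j + 1] - M, N)  # m_{j+1} - M = d21^2 + d22
    return {"j": j, "delta": (d11, d12, d21, d22), "elgamal": renc_elgamal(pk, M)}


def rdec(sk, N, c10_c11_c12):
    """RDec: f^M = C_12 / C_10^z, then a linear-time discrete log over [1, N]."""
    c10, _c11, c12 = c10_c11_c12
    fm = c12 * pow(c10, q - sk.z, P) % P  # C_10 has order q, so C_10^(q-z) = C_10^(-z)
    acc = 1
    for M in range(1, N + 1):
        acc = acc * F_HAT % P
        if acc == fm:
            return M
    return None  # not in [1, N]: such a ciphertext would also fail VerifyMS


if __name__ == "__main__":
    key = rkeygen()
    ct = renc(key, 100, [35, 60], 42)
    print("gap j =", ct["j"], "witnesses =", ct["delta"])
    print("decrypted:", rdec(key, 100, ct["elgamal"]))
    print("excluded value 35 ->", renc(key, 100, [35, 60], 35))
```

Running the script encrypts 42 under \(\mathsf {MS}=[1,100]\setminus \{35,60\}\), recovers it, and shows that an excluded value yields \(\bot \) (None). The linear scan in `rdec` is the concrete reason the text requires a small message space: the data collector decrypting n records pays O(nN) group operations, so N should stay in the tens or hundreds, as in the age-range and disease-name examples above.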


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Arai, H., Emura, K., Matsuda, T. (2015). Anonymous Data Collection System with Mediators. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science(), vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_10


  • DOI: https://doi.org/10.1007/978-3-319-21356-9_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-21355-2

  • Online ISBN: 978-3-319-21356-9
