In Multi Authority Attribute Based Encryption Systems

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

attribute universe and issues the private keys to users. A user's private keys from different authorities must be linked together by his global identifier (GID) to prevent collusion attacks. The previous multi-authority ABE schemes are subject to such restrictions during initializing the systems: either the attribute universe is polynomially sized and the attributes have to be enumerated, or the attribute universe can be exponentially large, but the size of the set of attributes which will be used in encryption is not more than n, where the parameter n is a fixed value. These restrictions prevent multi-authority ABE schemes from being deployed in dynamic practical applications. Thereby, how to construct a multi-authority ABE scheme without such restrictions remains a challenging problem.

In this paper, we present a large universe multi-authority key-policy ABE (KP-ABE) scheme, where no such additional limitation exists. In our scheme, there is no requirement of any central authority (CA). A participant can be an attribute authority (AA) by issuing the public parameters and declaring the attribute universe that it manages. Each AA executes independently from the others and can join or depart the system freely. Our system supports any monotone access policy that can be expressed by a linear secret sharing scheme (LSSS). The size of the system public parameters is related to the number of the attribute authorities (AAs) rather than the number of attributes. We construct the proposed scheme on prime order groups and prove the selective security in the standard model. To the best of our knowledge, our scheme is the first large universe multi-authority KP-ABE system in the standard model.

1 Introduction

In open communication scenarios, one must encrypt the sensitive data prior to storing or transmitting. Nevertheless, traditional cryptosystems cannot support complex access structures and are useless in such applications, where the recipient is denoted by a set of descriptive attributes rather than a public key or identity. Sahai and Waters [20] gave a solution to this issue by presenting Attribute-based Encryption (ABE). In the proposed ABE system, the ciphertext is associated with a set of attributes, and a central authority issues the private keys to each user corresponding to his attributes. A user can successfully decrypt the ciphertext if and only if there is an overlap between his attributes and the set of attributes in the ciphertext.

Subsequently, Goyal et al. proposed the first construction of Key-Policy ABE (KP-ABE) [8] and further formulated another kind of ABE: Ciphertext-Policy ABE (CP-ABE). In KP-ABE schemes, the ciphertext is annotated with a set of attributes while the user's private keys are labeled with an access structure. On the contrary, in CP-ABE systems, the ciphertext is associated with an access policy while the user's private keys are labeled with a set of attributes. The first CP-ABE system was presented in [2]. Varieties of ABE schemes can be found in [7, 21, 6, 10, 18]. However, in the aforementioned ABE systems, only a single central authority is supported. These single-authority ABE systems are useless in distributed application environments, where the attributes may be issued and administered by different authorities. To address this problem, Chase [4] proposed the first multi-authority ABE system. From then on, more multi-authority ABE schemes have been constructed in [5, 11, 16, 17, 9].

A limitation of the prior ABE systems is that, once the system parameters have been selected at the setup phase, these systems cannot offer complete flexibility in choosing the attributes or access policies. Lewko et al. [12] first addressed this issue and introduced a classification of ABE schemes: small universe and large universe. In "small universe" ABE schemes (e.g. [10, 2, 6, 4]), the size of the attribute universe is polynomial in the system security parameter, and the attributes in the universe must be fixed at the setup stage. The size of the system public parameters increases linearly with the number of attributes in the chosen universe. In "large universe" ABE schemes, the attribute universe can be exponentially large. However, in the "large universe" constructions, either the maximum number of attributes that will be employed in encryption is limited to a parameter n, which must be fixed at the setup phase, such as the ABE systems in [8, 15], or the ABE scheme was proved secure in the random oracle model.

Such limitation prevents ABE systems from being deployed in practical applications. For instance, if the system parameters are selected to be too small, the system cannot provide a sufficient domain of potential attributes and will have to be re-initialized when a user possesses attributes that overstep the restriction. If the system parameters are selected to be too large, unnecessary computation overhead will be introduced in all operations. To remove such restriction, Lewko et al. [12] presented the first large universe ABE system in the standard model. They constructed the KP-ABE system on composite order groups. In their scheme, the number of system public parameters is constant. Afterwards, Rouselakis et al. [19] proposed two large universe ABE schemes (one CP-ABE and one KP-ABE) on prime order groups. Nevertheless, these ABE schemes [12, 19] only supported a single authority. To the best of our knowledge, how to construct a large universe KP-ABE system in the multi-authority setting remains an open problem.

In this paper, we present a large universe multi-authority KP-ABE system in the standard model by extending the single-authority KP-ABE system [19] into the multi-authority setting. The proposed scheme supports a large universe of attributes and doesn't impose any bounds on the set of attributes which will be used in encryption. Since the number of Attribute Authorities (AAs) is smaller than the number of attributes, a size of system public parameters that is linear in the number of AAs is acceptable. In our scheme, there is no central authority and any participant can be an Attribute Authority (AA) by publishing its public parameters and an attribute universe. Each AA issues private keys to different users and operates entirely independently. To prevent unauthorized users from decrypting the ciphertext by combining their private keys, we link each user's private keys with its global identity (GID). In addition, our system is secure against the corruption of at most $F - 1$ AAs, where $F$ denotes the number of AAs in the scheme. We construct this system on prime order groups and prove selective security under a q-type assumption. Performance comparison shows that the efficiency of our scheme is comparable to the underlying single-authority KP-ABE scheme [19].

1.1 Related Work

Sahai and Waters [20] introduced the concept of ABE and left open the problem of whether it's possible to construct an ABE system where the attributes are issued by different authorities. Chase [4] gave an affirmative answer by presenting the first multi-authority KP-ABE system, where a Central Authority (CA) and multiple AAs existed. The most challenging problem in multi-authority ABE is to resist collusion attacks from multiple unauthorized users. Chase [4] resolved this problem by labeling each user with a unique global identifier (GID). A user's private keys from different AAs will be linked together by his GID. Since the CA chose the secret key for each AA, it can decrypt all ciphertexts. Lin et al. [14] presented a multi-authority KP-ABE system without any CA by employing a threshold technique, where multiple authorities must cooperate during initializing the system. Their system is not secure if k or more users collude, where k is a bound fixed in the setup phase. Chase et al. [5] also removed the need for a CA by applying a distributed pseudo random function (PRF) technique. Moreover, they presented an anonymous key issuing protocol for protecting the privacy of users. In this system, the AAs also need to cooperate in the setup phase. Chase et al. left the construction of a privacy-preserving multi-authority ABE system without the requirement of collaboration among the AAs as an open challenging problem. Han et al. [?] gave an affirmative answer to this question by presenting a privacy-preserving decentralized KP-ABE scheme, where no CA exists and multiple AAs operate independently without any collaboration.

The first multi-authority CP-ABE scheme was presented by Müller et al. [16, 17]. In this system, there must be a CA who generates the global public parameters, and each AA can execute independently from the others. Lewko and Waters [11] presented a decentralizing CP-ABE system. Unlike all the aforementioned multi-authority ABE schemes, which are only selectively secure, this system achieves full security and is proven secure in the random oracle model. Moreover, while the systems [4, 14, 5] support tree access structures and the systems [16, 17] support policies written in Disjunctive Normal Form (DNF), the new scheme can support any LSSS access matrix. In this system, there is no requirement of a CA and multiple AAs operate independently in both the setup and key generation phases. Each participant can be an AA by issuing the public parameters, and each AA can join or depart the system freely without redeploying the system. Liu et al. [15] presented the first fully secure multi-authority CP-ABE system in the standard model. In this system, there are multiple CAs and AAs. The CAs issue the private keys to a user that reflect his identity. The AAs manage different attribute universes and issue the private keys to a user that reflect his attributes. Li et al. [13] presented a multi-authority CP-ABE system with accountability, where a misbehaving user can be traced when he leaks his private keys to others. However, multiple AAs must collaborate during the system initialization.

1.2 Organization

In Section 2, we provide some notation of bilinear maps, access structures, linear secret sharing schemes and the assumption. Additionally, we introduce the definition of the multi-authority KP-ABE and the security game. Section 3 gives the detailed construction of our large universe multi-authority KP-ABE system. Section 4 presents the results of performance comparison. Section 5 gives the security proof of the proposed scheme. Finally, we conclude in Section 6.

2 Backgrounds

2.1 Bilinear Maps

We use the definition of the bilinear maps from [3][20].

Select two multiplicative cyclic groups $G$ and $G_1$ of prime order $p$. Let $g$ be a generator of $G$. The map $e$ is a bilinear map if $e$ has the following properties:

1. Bilinearity: ? h, �� �� G and x, y �� Z p , we have e(h x , �� y ) = e(h, ��) xy .

2. Non-degeneracy: $e(g, g) \neq 1$.

The group $G$ is said to be an admissible bilinear group if the group action in $G$ and the bilinear map $e$ can be efficiently computed. Furthermore, $e$ is a symmetric map since $e(g^x, g^y) = e(g^y, g^x) = e(g, g)^{xy}$.

2.2 Access Structure

Definition 2.1. Access Structure [1]: Let $P = \{P_1, P_2, \dots, P_T\}$ be a set of parties. A collection $A \subseteq 2^{\{P_1, P_2, \dots, P_T\}}$ is monotonic if $\forall A_1, A_2$: if $A_1 \in A$ and $A_1 \subseteq A_2$ then we have $A_2 \in A$. An access structure (respectively, monotonic access structure) is a collection (respectively, monotonic collection) $A$ of non-empty subsets of $P$, namely $A \subseteq 2^{\{P_1, P_2, \dots, P_T\}} \setminus \{\emptyset\}$. The sets in $A$ are called the authorized sets, and the sets outside $A$ are called the unauthorized sets.

Among ABE systems, the role of the parties is replaced by the descriptive attributes. In this way, the access structure $A$ will contain the authorized sets of attributes. We focus on the monotonic access structure in this paper. To realize common access structures, one can simply consider the negation of an attribute as a separate attribute.

2.3 Linear Secret Sharing Schemes

Here we adopt the definition of linear secret sharing schemes (LSSS) from [1, 21]:

Definition 2.2. Linear Secret Sharing Schemes: Let P be a set of parties, p be a prime. A secret

sharing scheme �� over P is called linear (over Z p ) if

1. The shares of a secret for each party form a vector over Z p .

2. There exists a matrix A �� Z ` �� n

p called the share-generating matrix for ��. For all i = 1, . . . , `,

there exists a function �� that labels the i-th row of A with a party. (i.e. �� �� F ([`] �� P)). During

generating the shares, we consider the column vector ?�� �� = (s, r 2 , . . . , r n )>, where s �� Z p is the

secret to be shared, and r 2 , . . . , r n are randomly chosen from Z p , then A ?�� �� is the vector of ` shares

of the secret s according to ��. The shares (A ?�� �� ) i belongs to the party ��(i).

As shown in [1], each linear secret sharing scheme mentioned before must satisfy the linear

reconstruction requirement, defined as follows: Assume that �� is an LSSS for the access structure

A denoted by (A, ��). Let S denote an authorized set. Then let I ? { 1, 2, . . . , ` } be defined as

I = { i : ��(i) �� S } . There exist constants { �� i �� Z p } i �� I such that if { �� i = (A ?�� �� ) i } are valid

shares of a secret s according to ��, then we have P i �� I

�� i �� i = s. Additionally, such constants

{ �� i �� Z p } i �� I can be found in time polynomial in the size of the matrix A. Nevertheless, if the set

S is unauthorized, no such constants exist. We adopt the LSSS matrix (A��) to denote the access

structure A.
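An added example, not taken from the paper: share generation and linear reconstruction for an LSSS matrix over Z_p as defined above, including the case where an unauthorized set has no reconstruction constants. The policy "doctor AND (cardiology OR emergency)", its matrix, the prime and every function name are constructed for illustration.

```python
import secrets

# Constructed stand-in for the prime group order p (2^127 - 1 is prime).
P = 2**127 - 1

# Constructed policy: doctor AND (cardiology OR emergency).
# Row i of MATRIX is labelled with the attribute LABELS[i].
MATRIX = [[1, 1], [0, -1], [0, -1]]
LABELS = ["doctor", "cardiology", "emergency"]


def share(matrix, secret, p=P):
    """Return the share vector A * (secret, r_2, ..., r_n)^T mod p."""
    n = len(matrix[0])
    vec = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, vec)) % p for row in matrix]


def reconstruction_constants(matrix, labels, attrs, p=P):
    """Solve sum_i c_i * A_i = (1, 0, ..., 0) over the rows whose label is in attrs.

    Returns {row_index: c_i}, or None when attrs is an unauthorized set.
    """
    rows = [i for i, lab in enumerate(labels) if lab in attrs]
    n, k = len(matrix[0]), len(rows)
    # One equation per matrix column j; unknowns are the c_i of the usable rows.
    aug = [[matrix[i][j] % p for i in rows] + [1 if j == 0 else 0]
           for j in range(n)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((x for x in range(r, n) if aug[x][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for x in range(n):
            if x != r and aug[x][col]:
                f = aug[x][col]
                aug[x] = [(a - f * b) % p for a, b in zip(aug[x], aug[r])]
        pivots.append(col)
        r += 1
        if r == n:
            break
    # A row "0 = nonzero" means (1, 0, ..., 0) is outside the span of the rows.
    if any(not any(row[:k]) and row[k] for row in aug):
        return None
    consts = {i: 0 for i in rows}          # free variables are set to 0
    for row_idx, col in enumerate(pivots):
        consts[rows[col]] = aug[row_idx][k]
    return consts


def reconstruct(shares, consts, p=P):
    """Recombine shares with the constants: sum_i c_i * share_i mod p."""
    return sum(c * shares[i] for i, c in consts.items()) % p


if __name__ == "__main__":
    secret = secrets.randbelow(P)
    shares = share(MATRIX, secret)
    for attrs in ({"doctor", "cardiology"}, {"cardiology", "emergency"}):
        c = reconstruction_constants(MATRIX, LABELS, attrs)
        ok = c is not None and reconstruct(shares, c) == secret
        print(sorted(attrs), "authorized" if ok else "unauthorized")
```

The constants depend only on the matrix and the attribute set, not on the secret, so the same constants recombine any value shared with that matrix; the key generation in Section 3 relies on this when it shares both the authority's master secret and the user's GID with one access matrix.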

2.4 Assumption

For our unbounded multi-authority KP-ABE system, we follow the assumption which was proposed in [19]. The assumption is defined as follows: The challenger selects two groups $G, G_1$ of prime order $p$ and picks a generator $g$ of $G$. It chooses $q + 3$ exponents $x, y, z, b_1, b_2, \dots, b_q$ randomly from $Z_p$. $e$ is a bilinear map $e : G \times G \to G_1$. The adversary is given the group $(p, G, G_1, e)$ and all of the following elements:

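$$
X = \left\{
\begin{array}{l}
g,\ g^{x},\ g^{y},\ g^{z},\ g^{(xz)^2} \\
g^{b_i},\ g^{xzb_i},\ g^{xz/b_i},\ g^{x^2 z b_i},\ g^{y/b_i^2},\ g^{y^2/b_i^2}, \quad \forall i \in [q] \\
g^{xzb_i/b_j},\ g^{yb_i/b_j^2},\ g^{xyzb_i/b_j},\ g^{(xz)^2 b_i/b_j}, \quad \forall i, j \in [q],\ i \neq j
\end{array}
\right.
$$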

In addition, the challenger picks a random coin $o \in \{0, 1\}$. If $o = 0$, it sends the term $T = e(g, g)^{xyz}$ to the adversary. Otherwise, it sends $T = R$, where $R$ is a random element from $G_1$. Finally, the adversary has to output a guess $o'$ on $o$. We define the advantage of an adversary in solving the decisional q-2 problem in $G$ as $\mathrm{Adv} = \Pr[o' = o] - 1/2$.

Definition 2.3. We say that the q-2 assumption holds if no PPT adversary has at least a non-negligible advantage in solving the above security game.

2.5 Multi-authority KP-ABE

To distinguish from our unbounded multi-authority CP-ABE scheme, there is no central authority in

the KP-ABE setting. A multi-authority KP-ABE system is composed of the following 5 algorithms:

GlobalSetup(��) �� (GP K): This algorithm takes in the security parameter �� and outputs the

global system public parameters GP K.

AASetup$(GPK, f, U_f) \to (AAPK_f, AAMSK_f)$: Each $AA_f$ runs this algorithm to generate the AA's public parameter $AAPK_f$ and the corresponding master secret key $AAMSK_f$.

Encrypt$(M, S, GPK, \bigcup AAPK_f) \to (CT)$: This algorithm takes in a message $M$, a set of attributes $S$, the global public parameters $GPK$, and the set of public parameters $\bigcup AAPK_f$ for relevant AAs. It then outputs a ciphertext $CT$. We assume the set $S$ is implicitly included in $CT$.

AAKeyGen (A GID,f , GP K, AAMSK f ) �� (UAASKA GID,f

): Each AA f runs this algorithm

by taking in a user��s GID, an access structure A GID,f , GP K and the master secret key AAMSK f ,

where A GID,f is represented by an LSSS matrix (A GID , ��). It then gives the private key UAASKA GID,f

to the user. We assume the matrix A GID,f is implicitly included in UAASKA GID,f

.

Decrypt (CT, GP K, S UAASKA GID,f

) �� (M): This algorithm takes in CT ,GP K and S UAASKA GID,f

.

If the set of attributes S satisfies the access structure A GID where A GID = A GID,f , the algorithm

outputs M, otherwise, it outputs �� .

2.6 Selective Security Game

Our security model for the multi-authority ABE is similar to the game introduced in [4, ?] where

the adversary must declare the challenge set of attributes before the setup phase. The detailed

definition of our selective security game is given as follows:

Initialization. The adversary specifies an index set of the uncorrupted AAs and a set of attributes $S^*$ which he wants to challenge in the security game. In order to facilitate understanding, we write $S^* = \bigcup S^*_f$, where each $S^*_f$ is issued by a unique $AA_f$.

Setup. The challenger runs the GlobalSetup algorithm to provide the public parameters $GPK$. In the AASetup phase, for each corrupted AA, the challenger produces $AAPK_f$ and $AAMSK_f$, and passes them to the adversary. For each uncorrupted AA, only the public parameter $AAPK_f$ will be sent to the adversary.

Phase 1. The adversary A can query the secret keys for each GID as follows:

To answer the key queries on the access structures that belong to the corrupted AAs, the secret keys can be generated by the adversary itself. In contrast, the challenger will answer the key queries on the access structures belonging to the uncorrupted AAs. These types of queries can be made adaptively, subject to the restriction that, for all $f \in F_{uc}$, at least one set $S^*_f$ cannot satisfy the chosen access structure issued by $AA_f$, where $F_{uc}$ denotes the index set of the uncorrupted AAs.

Challenge Phase. The adversary A submits two messages M 0 and M 1 with equal length. B

flips a random coins �� �� { 0, 1 } and encrypts M �� under S?. It then gives the ciphertext CT ? to A .

Phase 2. The adversary repeats the queries as in Phase 1.

Guess. A outputs a guess ��0 on ��. The advantage of A is defined as | P r[��0 = ��] ? 1/2 | .

Definition 2.4. A multi-authority KP-ABE system is selectively secure if all PPT adversaries have at most a negligible advantage in the above game.

Similar to the schemes [4, 15], a user's GID is assumed to request the corresponding private keys from each AA only once in our scheme. To remove the restriction, one can add a time stamp on GID [15] or give the user a new GID [4].

3 Large Universe Multi-authority KP-ABE Scheme

We now show how to construct an unbounded multi-authority KP-ABE scheme which is secure against the corruption of at most $F - 1$ AAs, where $F$ denotes the number of AAs in the system. The idea is inspired by the single authority KP-ABE scheme [19] and the decentralized ABE systems [11, 9]. The detailed construction is given in the following way:

GlobalSetup(��) �� (GP K): This algorithm takes in the security parameter �� and outputs the

terms (p, G, G 1 , e), where G and G 1 are the bilinear groups of prime order p, and e is a bilinear

map, e : G �� G �� G 1 . Let g be a generator of G. The algorithm selects ��, h, ��, �� randomly from

G. The global public parameters is GP K = (p, G, G 1 , e; g, ��, h, ��, ��).

AASetup (GP K, f, U f ) �� (AAP K f , AAMSK f ): Each AA f first picks two random exponents

�� f , �� f �� Z p . It then computes AAP K f,1 = e(g, g) �� f and AAP K f,2 = �� �� f . Finally, it sets the

public parameters AAP K f = (AAP K f,1 , AAP K f,2 ) and keeps �� f and �� f as its master secret keys.

Encrypt (M, S, GP K, S AAP K f ) �� (CT ): We denote the set of attributes S as S = S S f ,

where each S f belongs to the corresponding authority AA f . Let m = | S | be the number of attributes

in the set S. The encryption algorithm first selects m + 1 exponents s, r 1 , r 2 , . . . , r m randomly from

Z p . It then computes C = M �� Q f ��F E

e(g, g)

�� f s

, C 0 = g s , C 1 = Q f ��F E

g �� f s , where F E denotes

the index set of the corresponding AA f s. And for each k �� [m], it calculates C 2,k = g r k and

C 3,k = (�� AT T k h) r k ��? s . The ciphertext is published as CT = (C, C 0 , C 1 , { C 2,k , C 3,k } k �� [m] )

AAKeyGen (A GID,f , GP K, AAMSK f ) �� (UAASKA GID,f

): The algorithm takes in a user��s

GID �� Z p and an ` �� n access matrix A GID,f = (A f , ��) where the attributes belong to the

authority AA f . it works in the following way: It first selects a vector ?�� �� f = (�� f , �� 2,f , . . . , �� n,f )>

where �� 2,f , . . . , �� n,f are randomly chosen from Z p . The master secret key �� f will be shared by

computing ?�� �� f = (�� 1,f , �� 2,f , . . . , �� `,f )> = A f ��?�� �� f . Meanwhile, the algorithm chooses another vector

?�� �� f = (GID, �� 2,f , . . . , �� n,f )> where �� 2,f , . . . , �� n,f are randomly selected from Z p , and computes

?�� �� f = (�� 1,f , �� 2,f , . . . , �� `,f ) > = A f ��

?�� �� f . It then chooses ` random exponents t 1,f , t 2,f , . . . , t `,f

from Z p . For each k �� [`], it calculates K 1,k,f = g �� k,f �� t k,f �� �� k,f �� f , K 2,k,f = (�� ��(k f ) h)? t k,f and

K 3,k,f = g t k,f .

The private keys are published as UAASKA GID,f

= { K 1,k,f , K 2,k,f , K 3,k,f } k �� [`]

Decrypt (CT, GP K, S UAASKA GID,f

) �� (M): To decrypt the ciphertext, the decryption algo-

rithm first checks whether the set S in the ciphertext satisfy the access structures S UAASKA GID,f

in the private keys. If so, for each matrix A GID,f , there must be some constants { c i,f �� Z p } i �� I f

which satisfy that P i �� I f

c i,f A i,f = (1, 0, . . . , 0), where I f = { i : ��(i, f) �� S f } and A i,f is the

i ? th row of A f . These constants can be found in polynomial time if the set S f satisfies the access

structure. Then, it computes

B = Q f ��F E Q i �� I f

(e (C 0 , K 1,i,f ) e (C 2,i , K 2,i,f ) e (C 3,i , K 3,i,f ))

c i,f

e (�� GID , C 1 )

Finally, the algorithm calculates M = C/B

Correctness: If S f in the ciphertext is an authorized set. We have P i �� I f

c i,f �� i,f = �� f and

P i �� I f

c i,f �� i,f = GID. Thereby:

Y f ��F E Y i �� I f

(e (C 0 , K 1,i,f ) e (C 2,i , K 2,i,f ) e (C 3,i , K 3,i,f ))

c i,f

= Y f ��F E Y i f �� I f

e(g, g)

s�� i,f c i,f e(g, ��)

s�� f �� i,f c i,f

= Y f ��F E

e(g, g)

s�� f e(g, ��)

s�� f GID

e(��

GID

, C 1 ) = e(��

GID

, Y f ��F E

g

�� f s

) = Y f ��F E

e(��, g)

s�� f GID

Then, we have

B = Y f ��F E

e(g, g)

�� f s

4 Performance Analysis

Table 1 compares the single-authority KP-ABE system [19], the multi-authority KP-ABE system [4], the decentralizing CP-ABE scheme [11], the privacy-preserving decentralizing KP-ABE scheme [9] and our KP-ABE scheme. In this table, $S = \bigcup S_f$ is the attribute set, where the attributes in $S_f$ are issued and managed by the authority $AA_f$. $\ell = \sum \ell_f$ is the number of rows in the LSSS matrix (A, ��), where $\ell_f$ is the number of rows in the LSSS matrix (A f , ��). $I$ is the number of attributes in $S$ that are utilized in decryption. $U$ is the attribute universe in the system. $n_f$ denotes the number of attributes in the tree access structure which is issued by the authority $AA_f$. $F_E$ denotes the index set of the authorities $AA_f$ whose public parameters are used in encryption.

In [4, 9], the threshold tree access structures are supported, while the LSSS matrix policies are employed in [19, 11] and our scheme. All of the schemes are selectively secure except the fully secure decentralizing CP-ABE scheme [11]. In some resource-limited practical applications, selective security can be a considerable trade-off for efficiency. The size of the public parameters of the frameworks [4, 11, 9] grows linearly with the number of attributes in the universe. However, in our scheme, the size of the system public parameters is related to the number of AAs rather than the size of the attribute universe. As shown in Table 1, our system retains almost the same performance as the single-authority KP-ABE scheme [19].

Table 1: Performances comparison

| | KP-ABE [19] | MA KP-ABE [4] | decentralizing ABE [11] | PP KP-ABE [?] | Our scheme |
|---|---|---|---|---|---|
| Standard model | YES | YES | NO | YES | YES |
| Multi-authority | NO | YES | YES | YES | YES |
| Central authority | YES | YES | NO | NO | NO |
| Ciphertext size | $2|S| + 2$ | $|S| + 2$ | $3\ell + 1$ | $|S| + 3$ | $2|S| + 3$ |
| Private key size | $3\ell$ | $\sum n_f + 1$ | $|S|$ | $\sum n_f + 1$ | $3\ell$ |
| Pairing in decryption | $3I$ | $I + 1$ | $2I$ | $|F_E| + I + 1$ | $3I + 1$ |
| Group order | prime | prime | composite | prime | prime |
| Size of PK | $5$ | $|U| + 1$ | $2|U|$ | $|U| + 2F$ | $2F + 4$ |
| Large universe | NO | NO | NO | NO | Fully-large |

5 Security Analysis

Theorem 1. Suppose the q-2 assumption holds, then no PPT adversary has at least non-negligible advantage in selectively breaking our scheme with a challenge set of attributes of size t, where t �� q.

Assume that there is a PPT adversary A who can selectively break our large universe multi-authority KP-ABE system with a non-negligible advantage, then we can use A to construct a simulator B which has a non-negligible advantage in solving the q-th assumption. We now introduce the security game of our system as follows:

Initialization: The simulator B receives a group of elements from the q-2 assumption. The adversary A submits the challenge set of attributes $S^* = \bigcup S^*_f = \{ATT^*_1, ATT^*_2, \dots, ATT^*_t\}$ and an index set $F_c$ of the corrupted AAs. We let $F_{uc} = F \setminus F_c$ be the index set of uncorrupted AAs. Without loss of generality, we suppose the attribute authority $AA_{f^*}$ is the only uncorrupted AA.

GlobalSetup: The simulator B produces the global public parameters in the following way:

g = g

�� = g

a �� Y i �� [t]

g

y/b

2

i

h = g

b �� Y i �� [t]

g

xz/b i �� Y i �� [t]

(g

y/b

2

i )? AT T ?

i

�� = g

x

�� = g

c

where a, b, c are randomly selected from Z p .

AASetup: To set the public parameters for the corrupted AAs, the simulator operates as

follows: For each f �� F c , it selects random exponents �� f , �� f �� Z p , and computes AAP K f,1 =

e(g, g) �� f and AAP K f,2 = �� �� f as in the AASetup algorithm. It then sends AAP K f,1 , AAP K f,2

and �� f , �� f to the adversary.

To set the public parameters for AA f? , the simulator sets �� f? = xy and computes

AAP K f?,1 = e(g, g) �� f ? Q f ��F c

e(g, g)? �� f = e(g, g)

xy ? P f ��F c ? �� f and AAP K f?,2 = �� �� f ? , where �� f?

is a random exponent chosen from Z p .

Phase 1: The adversary makes the secret key query by submitting a user's GID to the simulator with a set of access matrices, where each access matrix is issued and managed by an AA. The query is answered as follows:

If the GID is submitted to the corrupted AAs, the adversary can make the secret keys on any access matrix.

If the GID is submitted to AA f? along with an access matrix A GID,f? = (A f? , ��). The simulator

B responds in the following way: Since S? is not an authorized set and AA f? is the only one

uncorrupted authority, the set S? f?

can not satisfy the matrix A GID,f? . In this way, B chooses a

vector ?�� �� = (1, �� 2 , . . . , �� n )> �� Z p such h M d , ?�� �� i = 0 for all d �� [`] that ��(d) �� S? f?

. The vector ?�� �� f?

can be denoted as

?�� �� f? = xy ?�� �� + (0, ��0 2 , . . . , ��0 n )>

where the exponents ��0 2 , . . . , ��0 n are randomly chosen from Z p . We note that the first component of

?�� �� f? is �� = xy and the other components are uniformly random from Z p . Thereby, for each d �� [`],

the share of �� is

�� d,f? = h A f?,d , ?�� �� f? i = xy h A f?,d , ?�� �� i + h A f?,d , (0, ��0 2 , . . . , ��0 n )> i = xy h A f?,d , ?�� �� i + ��0 d,f?

In addition, the vectors ??�� �� f? and ?�� �� f? are set as in the AAKeyGen algorithm.

For each d �� [`] that ��(d) �� S? f ?

, we have h M d , ?�� �� i = 0. Therefore, the simulator can pick

random exponent t d �� Z p and compute UAASKA GID,f ?

as in the AAKeyGen algorithm.

For each d �� [`] that ��(d) / �� S? f ?

, the simulator selects random exponent t0 d �� Z p and sets

t d = ? y h M d , ?�� �� i + X i �� [t]

xzb i h M d , ?�� �� i

��(d) ? AT T ? i

+ t0 d

Hence the simulator can compute UAASKA GID,f ?

for such row d using the terms from the assump-

tion:

K 1,d,f? = g

�� d,f ? ��

t d,f ? ��

�� d,f ? �� f ?

= g

xy h A f ? ,d , ?�� �� i +��0

d,f ? �� g? xy h A f ? ,d , ?�� �� i + P i �� [t]

x

2

zb

i h M

d

, ?�� �� i

��(d) ? AT T ? i �� ��

t0

d �� ��

�� d,f ? �� f ?

= g

��0

d,f ? �� Y i �� [t]

(g

x

2

zb i )

h A

f ? ,d

, ?�� �� i

��(d) ? AT T ? i �� ��

t0

d �� ��

�� d,f ? �� f ?

The terms K 2,d,f? , K 3,d,f? can be computed similarly. We note that K 1,d,f? , K 2,d,f? , K 3,d,f? are

properly distributed for each d.

Challenge: The adversary A submits two same-length messages M 0 and M 1 for challenge. The

simulator B selects �� �� { 0, 1 } at random. It sets s = z and r k = b k for every k �� [t]. The elements

s, { r k } k �� [t] are correct distributed since the parameters z, { b k } k �� [t] from the q ? 2 assumption are

chosen out of the adversary��s view. Now B can provide the ciphertext for A by computing:

C = T �� M ��

C 0 = g

s

= g

z

C 1 = C 1 = Y f ��F E

g

�� f s

C 2,k = g

r k = g

b k

C 3,k = (��

AT T ?

k h)

r k ��? s

= g

b k (aAT T ?

k

+b) �� Y i �� [t]

g

xzb k /b i �� Y i �� [t]

g

yb k (AT T ?

k ? AT T ?

i

)/b

2

i �� g? xz

= (g

b k )

aAT T ?

k

+b �� Y i �� [t],i 6 =k

g

xzb k /b i �� Y i �� [t],i 6 =k

(g

yb k /b

2

i )

AT T ?

k ? AT T ?

i

Notice that the elements of the challenge ciphertext can be computed by the terms from the q-2 assumption. Finally, the ciphertext is sent to the adversary.

Phase 2: B acts as in Phase 1.

Guess. The adversary outputs its guess ��0 on ��. If ��0 = ��, the simulator answers 0 in the q ? 2

game, i.e, it declares that T = e(g, g) xyz . Otherwise, it answers 1.

Suppose the adversary can break our selective security game with an advantage ��, we now give

the advantage with which the simulator can break the q ? 2 assumption.

If o = 0, the challenge ciphertext is valid. Hence the adversary can guess ��0 = �� with the

advantage ��, That is, P r[��0 = �� | o = 0] = 1

2

+ ��. Since the simulator answers o0 = 0 when ��0 = ��,

we have P r[o0 = o | o = 0] = 1

2

+ ��.

If o = 1, the adversary obtains no information about ��. Thereby, we have P r[��0 6 = �� | o = 1] = 1

2

.

Since B answers o0 = 1 when ��0 6 = ��, we have P r[o0 = o | o = 1] = 1

2

.

Finally, the overall advantage of B in solving the q ? 2 assumption is 1

2

P r[o0 = o | o = 0]+ 1

2

P r[o0 =

o | o = 1] ? 1

2

= 1

2

��.

6 Conclusion

In this paper, we presented a large universe multi-authority KP-ABE system, where no additional restriction is imposed on the set of attributes that will be used in encryption. In the proposed scheme, there is no central authority. Each participant can be an attribute authority by announcing its attribute universe and the public parameters. Each attribute authority issues the private keys to users that relate to their attributes, and can join or depart the system without resetting the system. To prevent collusion attacks, all of a user's private keys are linked together by his global identifier. The size of the system public parameters does not depend on the size of the attribute universe. It is proportional to the number of attribute authorities. Our scheme supports any monotonic access structure which can be expressed by an LSSS matrix, and is almost as efficient as the underlying single-authority KP-ABE system. Finally, we prove the selective security of our scheme in the standard model.


