A Key-Policy Attribute-Based Broadcast Encryption




The International Arab Journal of Information Technology, Vol. 10, No. 5, September 2013

Jin Sun, Yupu Hu, and Leyou Zhang
Department of Application Mathematics, Xi'an University of Technology, China
Key Lab of Computer Network and Information Security, Xidian University, China

Abstract: According to the broadcast encryption scheme with wide applications in the real world, without considering its security and efficiency in the model simultaneously, an unbounded Key-Policy Attribute-Based Broadcast Encryption scheme (KP-ABBE) was proposed by combining Waters dual system encryption, attribute-based encryption and broadcast encryption system. Based on the standard model, the scheme can achieve constant-size public parameters, the public parameters do not impose additional limitations on the functionality of the systems (unbounded), and neither a small universe size nor a bound on the size of attribute sets has to be fixed at setup. The scheme is proved by using the dual system encryption argument and the four static assumptions, which do not depend on the number of queries the attacker makes. The analysis results show that the scheme of this paper is selectively secure.

Keywords: Attribute-based encryption, broadcast encryption, dual system, KP-ABBE, provably secure.

Received March 0; accepted June 0; published online August 5 0.

1. Introduction

The concept of broadcast encryption was first introduced by Fiat and Naor [8], allowing a sender who wants to send a message to a dynamically chosen subset S of users to construct a ciphertext so that only users in S can decrypt it. Then the sender can safely transmit this ciphertext over a broadcast channel to all users. It has promptly become a new hot spot of cryptology. Many broadcast encryption schemes [ 6 7 0 ] with special purposes were proposed consecutively. However, these schemes had some obvious deficiencies, for example: their security was based on a strong assumption or a non-standard cryptographic assumption; the scheme only guaranteed chosen plaintext security or selective-ID security; the scheme was designed under the random oracle model, etc.
Recently, a new public-key primitive called Attribute-Based Encryption (ABE), also called fuzzy identity-based encryption [4 9 4], has been given much attention. It has significant advantages over the traditional PKC primitives, and thus it is envisioned as an important tool for addressing the problem of secure and fine-grained data sharing and access control. In an ABE scheme, the sets of descriptive attributes (the characteristics of an identity, for example: Faculty, CS Dept., Tenure, etc.) defined for the system users are labeled with the decryption keys and/or ciphertexts, and a particular user's private key can decrypt a particular ciphertext only if the two match. The Key-Policy Attribute-Based Encryption (KP-ABE) system [9] is one of the ABE systems, in which users with secret keys are associated with access policies over a universe of attributes (some set with some added features) and ciphertexts are associated with sets of attributes. In the ABE setting, the particular access policies and attribute sets may change over time; however, in the standard model, once the public parameters (public key) have been set, current constructions do not allow complete versatility in the choice of attributes and policies.

1.1. Our Contribution

In this work, we make the following contributions:

1. Present the definition of the KP-ABBE scheme and the security model for it.
2. By combining Waters dual system encryption, KP-ABE and broadcast encryption, we propose an "unbounded" key-policy attribute-based broadcast encryption scheme. Based on the standard model, the scheme can achieve constant-size public parameters, imposes no bound on the size of attribute sets used for encryption, and has a large attribute universe. It supports LSSS matrices [7] as access structures and additionally provides delegation capabilities to users. To overcome the limitations of previous constructions, by employing a secret-sharing technique and introducing fresh local randomness for the keys and ciphertexts, we will create many samples, each of which has new randomness, avoiding the security issues of the previous approach described above.
3. Prove the selective security of our KP-ABBE scheme from the same static and generically secure assumptions in composite order bilinear groups.

1.2. Related Work

There are two kinds of settings of broadcast encryption in the literature: the private key setting and the public key setting. Public Key Broadcast Encryption (PKBE) overcomes a shortcoming of private key broadcast encryption, in which the center may be a single point of failure. By the work of Dodis and Fazio [7], using the Hierarchical Identity-Based Encryption (HIBE) scheme, some broadcast encryption schemes in the private key setting could be transformed to schemes in the public key setting. Boneh et al. [] improved their method by applying the HIBE scheme, which results in PKBE schemes with O(r) ciphertexts and Oo private keys. Recently, Boneh et al. [] proposed an efficient PKBE scheme for large users. More recently, Delerablée et al. [6] suggested a new PKBE scheme that features O(r) ciphertexts and O private keys at the expense of computation cost on decryption and public key size.

ABE was first proposed by Sahai and Waters [0]. To reduce the trust in the attribute authority, Chase [5] proposed a multi-authority attribute-based encryption scheme in which each authority controls some of the attributes. There are two methods for access control based on ABE: Key-Policy ABE (KP-ABE), where each attribute private key is associated with an access structure and each ciphertext is labeled with a set of attributes, and Ciphertext-Policy ABE (CP-ABE), where ciphertexts are associated with access policies and keys are associated with sets of attributes. Both notions were proposed by Goyal et al. [9]; the first KP-ABE construction [9] can realize monotonic access structures for key policies. To enable more flexible access policies, Ostrovsky et al. [8] presented the first KP-ABE system that supports the expression of non-monotone formulas in key policies. Recently, fully secure constructions were provided by Lewko et al. [4], and Okamoto and Takashima [9] proposed a predicate encryption scheme based on the primitive called hidden vector encryption, further studied in [ ].

The methodology of dual system encryption was introduced by Waters [] and later used in [5 6] to obtain adaptive security for IBE, HIBE and ABE systems.
Except that we do not consider leakage resilience and also prove only selective security in the ABE case, the abstractions we provide for dual system encryption in the HIBE and ABE settings are similar to the abstractions provided in [5].

2. Preliminaries

2.1. Linear Secret-Sharing Schemes

Our construction will employ Linear Secret-Sharing Schemes (LSSS) [7], which are defined in the following:

LSSS: A secret sharing scheme L over a set of parties S is called linear over p if:

1. The shares for each party form a vector over p.
2. There exists a matrix m called the share-generating matrix for L. The th row of is labeled by a party f (f is a function from { m} to S) for all m. v is the vector of m shares of the secret s according to L for the column vector v s r r, where s p is the secret to be shared and r r p are randomly chosen, and it belongs to party f.

We note the linear reconstruction property: let L denote an LSSS for access structure. We define U { m} as U{ f S } and let S denote an authorized set. Then there exist constants {λ p } U such that λ τ s for any valid shares {τ} of a U secret s according to L. These constants {λ } can be found in time polynomial in the size of the share-generating matrix.

2.2. Composite Order Bilinear Groups

Composite order bilinear groups were used in cryptographic construction []. We use groups of order product of three primes and a generator G which takes as input security parameter λ and outputs a description of p p p GG T e, where p p p are distinct primes, G and G T are cyclic groups of order and e:G G G T is a map with the following properties:

1. Bilinearity: h G a b e a h b e h ab.
2. Non-degeneracy: G such that e has order G T.

Furthermore, for ab { p p p } we denote by G ab the subgroup of order ab. From the fact that the group is cyclic, it is simple to verify that if h and h are group elements of different order (and thus belong to different subgroups), then eh h. To see this, suppose h G P and h G P. We let denote a generator of G. Then p p generates G p, p p generates G p and p p generates G p. Hence for some α α p p α p p α h and h we note: p p α p p α p α p p p e h h e e α. This is called the orthogonality property and is a crucial tool in our constructions.

2.3. Complexity Assumptions

We use the notation x G to express that x is chosen uniformly randomly from the finite set G.
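The share generation and linear reconstruction property of the LSSS definition above, worked through as an added example that is not code from the paper. The prime modulus `P`, the constructed matrix for the policy "A AND (B OR C)", the labels in `RHO` and all function names are assumptions made for illustration; the sketch works over a prime field as in the definition, not in the composite-order groups of the scheme itself.

```python
import secrets

P = 2**61 - 1  # constructed prime modulus standing in for the field of the shares

# Constructed policy "A AND (B OR C)": row i of MATRIX is labeled by RHO[i].
MATRIX = [[1, 1], [0, -1], [0, -1]]
RHO = ["A", "B", "C"]


def share(secret, matrix, p=P):
    """Return one share per row: matrix * (secret, r_2, ..., r_n) mod p."""
    width = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(width - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def reconstruction_constants(matrix, rows, p=P):
    """Solve sum_i c_i * matrix[i] = (1, 0, ..., 0) mod p over the given rows.

    Returns {row index: constant}, or None when the rows do not span
    (1, 0, ..., 0), i.e. the parties holding them are not authorized.
    """
    width = len(matrix[0])
    # One equation per matrix column; the unknowns are the constants c_i.
    aug = [[matrix[i][j] % p for i in rows] + [1 if j == 0 else 0]
           for j in range(width)]
    pivots, r = [], 0
    for c in range(len(rows)):
        piv = next((i for i in range(r, width) if aug[i][c]), None)
        if piv is None:
            continue  # free variable, left at zero
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(width):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == width:
            break
    # A row reading 0 = nonzero means (1, 0, ..., 0) is outside the span.
    if any(row[-1] and not any(row[:-1]) for row in aug):
        return None
    consts = {i: 0 for i in rows}
    for eq, c in enumerate(pivots):
        consts[rows[c]] = aug[eq][-1]
    return consts


def recover(matrix, rho, shares, attributes, p=P):
    """Recombine the shares whose row labels are in `attributes`, or None."""
    rows = [i for i, label in enumerate(rho) if label in attributes]
    consts = reconstruction_constants(matrix, rows, p)
    if consts is None:
        return None
    return sum(consts[i] * shares[i] for i in rows) % p


if __name__ == "__main__":
    s = secrets.randbelow(P)
    sh = share(s, MATRIX)
    print(recover(MATRIX, RHO, sh, {"A", "C"}) == s)   # authorized set
    print(recover(MATRIX, RHO, sh, {"B", "C"}))        # unauthorized set
```

An unauthorized set gets `None` because no combination of its rows equals (1, 0, ..., 0); this is the same span condition the construction later uses to decide which rows of a key can reconstruct the shared value.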
Assumption 1: For a generator G returning bilinear settings of order product of three primes, we define the following distribution. First pick a random bilinear setting Гp p p G G T e by running

G λ and then pick G p D Γ T G p p T Gp

We define the advantage of an algorithm in breaking Assumption 1 to be: v λ : Pr[ DT ] Pr[ DT ]

Definition 1: We say that Assumption 1 holds for generator G if for all probabilistic polynomial-time algorithms, v λ is a negligible function of λ.

Assumption 2: For a generator G returning bilinear settings of order product of three primes, we define the following distribution. First pick a random bilinear setting Гp p p GG T e by running G λ and then pick G p X Y Gp Gp α s s α s D Γ X Y T α e T G T.

We define the advantage of an algorithm in breaking Assumption 2 to be: v λ : Pr[ D T ] Pr[ D T ]

Definition 2: We say that Assumption 2 holds for generator G if for all probabilistic polynomial-time algorithms, v λ is a negligible function of λ.

Assumption 3: For a generator G returning bilinear settings of order product of three primes, we define the following distribution. First we pick a random bilinear setting Гp p p GG T e by running G λ and then pick X Gp Gp Gp D Γ XX T Gp T G p p.

We define the advantage of an algorithm in breaking Assumption 3 to be: v λ : Pr[ D T ] Pr[ D T ]

Definition 3: We say that Assumption 3 holds for generator G if for all probabilistic polynomial-time algorithms, v λ is a negligible function of λ.

Assumption 4: For a generator G returning bilinear settings of order product of three primes, we define the following distribution. First we pick a random bilinear setting Гp p p GG T e by running G λ and then pick X Gp X Y Gp Y Gp DГ X X X Y Y T G p p T G.

We define the advantage of an algorithm in breaking Assumption 4 to be: v 4 λ : Pr[ D T ] Pr[ D T ] 4

Definition 4: We say that Assumption 4 holds for generator G if for all probabilistic polynomial-time algorithms, v4 λ is a negligible function of λ.

2.4. The Definition of Dual System Encryption KP-ABBE

A Dual System Encryption KP-ABBE scheme consists of the following algorithms. Because the algorithms Encrypt F and KeyGen F will not be used in the normal operation of the system and are only needed for the security proof, they need not run in polynomial time.

Setup λ U: The setup algorithm takes the security parameter λ and the attribute universe description U. It outputs the public parameters Pk and a master secret key Mk.

KeyGen Mk: The key generation algorithm takes the master secret key Mk, an access structure and the public parameters. It outputs a secret key Sk.
KeyGen F Mk: The semi-functional key generation algorithm takes the master secret key Mk, the public parameters, an access structure and an attribute vector x {0 }. It outputs a semi-functional secret key S k ~.

Encrypt Pk { x } M: Takes as input the public key parameters Pk, an attribute assemblage { x x {0} } and a message M from the associated message space, and returns ciphertext C.

Encrypt F Pk { x } M: The semi-functional encryption algorithm takes a set of attributes { x x {0} }, the public parameters Pk and a message M. It outputs a semi-functional ciphertext C ~.

Decrypt Pk C Sk: The algorithm takes a ciphertext encrypted under a set of attributes { x x {0} } and a secret key for an access structure. It will output the message M if the key and ciphertext are not both semi-functional and { x x {0} } satisfies.

2.5. Selective Security Definition for KP-ABBE

We let U denote the attributes universe. Later we will refer to this as Game KP-ABBE with delegation. We assume that the universe of attributes is known by the attacker in the initialization phase.

Initialization: The attacker chooses a set S U of attributes which it will attack and gives this to the challenger.

Setup: The challenger obtains the public parameters Pk by running the Setup algorithm, then gives it to the attacker. It also initializes a set Φφ.

Phase 1: The attacker can make many queries such as: create queries, delegate queries, reveal queries [7].

Challenge: The attacker declares two equal length messages M 0 and M. The challenger encrypts M b under S to produce ciphertext C by flipping a random coin b {0}. It gives C to the attacker.

Phase 2: The attacker again makes create, delegate and reveal queries subject to the same constraints as Phase 1.

Guess: Finally, the attacker outputs a guess b for b and wins the game if bb. The advantage of an attacker in this game is defined as: v λ Pr[b b] 5 KP BBE

Next we define three security properties for a dual system encryption KP-ABBE scheme. We first define Game C to be the same as Game KP-ABBE except that the challenger will create a semi-functional ciphertext by calling Encrypt F in the challenge phase instead of calling Encrypt. Also we define Game F to be the same as Game KP-ABBE except that the challenger, inputting the set { x x {0} }* initially provided by the attacker, responds to all key requests by calling KeyGen F.

Semi-functional Ciphertext Invariance: For a dual system encryption KP-ABBE scheme Ω Setup KeyGen KeyGen F Encrypt Encrypt F Decrypt and any PPT attacker I, if the advantage of I in Game C is negligibly close to the advantage of I in Game KP-ABBE, we say it has semi-functional ciphertext invariance. We denote this by: KP BBE C v I λ vi λ e λ 6

Semi-Functional Key Invariance: For any PPT attacker I and a dual system encryption KP-ABBE scheme Ω Setup KeyGen KeyGen F Encrypt Encrypt F Decrypt, if the advantage of I in Game F is negligibly close to the advantage of I in Game C, we say it has semi-functional key invariance. We denote this by: C F vi λ vi λ e λ 7

One semi-functional key invariance: For a dual system encryption KP-ABBE scheme Ω Setup KeyGen KeyGen F Encrypt Encrypt F Decrypt and any PPT attacker I, if the advantage of I in Game 0 is negligibly close to the advantage of I in Game, we say it has one semi-functional key invariance. We denote this by: 0 v I λ v I λ e λ 8

Definition 5: For a key-policy attribute-based broadcast encryption system with delegation, if all polynomial time attackers have at most a negligible advantage in the above security game and with the three security properties, we say it is selectively secure.

3. Constructing Key-Policy Attribute-Based Broadcast Encryption

3.1. Our Scheme

In this section, we describe our construction for a key-policy attribute-based broadcast encryption scheme. In our system, a constant number of elements from a bilinear group of composite order constitute the public parameters, and the attribute universe is.
Secret keys are associated with LSSS access matrices, while ciphertexts are associated with sets of attributes. Without loss of generality, when we share a value a, one employs a vector a with first coordinate equal to a, and the shares are obtained by multiplying the rows of the LSSS matrix. A subset of rows is capable of reconstructing the shared secret if and only if their span includes the vector 0 0. We let denote a generator of the subgroup G for. p

Setup λ : The setup algorithm chooses a description of a bilinear group Гp p p GG T e by running a generator algorithm G on input λ. The setup algorithm chooses uniformly random huvw G p and a, then the public parameters are pk{гhuvwe a } and the master secret key is mka.

KeyGen mk f: Let f be an LSSS matrix, where is a m matrix over and f is a map from each row of to an attribute. The key generation algorithm chooses random a a... and random values a a m β β m. For { m}, the algorithm uses to denote the th row of and uses f to denote the attribute associated with this row by the mapping f. We let τ a denote the share associated with the row of. The secret τ key is formed as: β β w β f α v u h α 4.

KeyGen F mk f: When the semi-functional key generation algorithm is called for the first time, it chooses two random values γθ, which it stores and uses on all subsequent calls. Each time it is called, the semi-functional key generation algorithm first calls the normal key generation algorithm KeyGen to obtain a normal secret key { { m }}. It forms the 4 semi-functional key as: { m} f f then. f f 4 4 algorithm chooses a random value ~ β β and sets β. β ~ θ ~ γ ~ 4 4

Encrypt mk {k}: In order to send a message M G T ~ to the receiver collection { k k K } m, the encryption algorithm takes a message M, a set of attributes ~ and the public parameters. We let denote the size of the set ~ ~ and z z denote the elements of ~. The encryption algorithm chooses random sr r and creates the ciphertext as: C C C C C C 0 4 as s s k k z k rk Me w v u h k 9

Encrypt F M {k k }: In order to send a message M G T to the receiver collection ~ { k k K } m, the semi-functional encryption algorithm first calls the normal encryption algorithm Encrypt to obtain a normal ~ ciphertext C C0 C C C C4 { k k }. Then it chooses two random values ησ and forms the semi-functional ciphertext as follows: C σ C C C C η C C C 4 C 4. 0 C 0

Decrypt: Upon receiving a ciphertext CC 0 C C C C 4, any legitimate user with attribute k checks if the attributes of the ciphertext satisfy the policy of the secret key. If not, it refuses to decrypt; otherwise it computes constants λ k such that λ 0 0. It then computes: f k ɶ e as k k e C e C k k λk ~ e C f k k e C 4 k 4 then we can obtain the message MC 0 /e as.

3.2. Correctness

0 Let CC 0 C C C C 4 be a legitimate ciphertext; then the correctness can be easily verified by the following equality: ~ f k k 4 k4 ~ f k e e C k e C k e C e C sτk s k e w v k s τk βk e w e f βk e ~ λ k k λk k βk v u s f e f k h zk rk αk u h k αk ~ λτ k k λk e

3.3. Efficiency

The key-policy attribute-based broadcast encryption scheme is combined with Waters dual system encryption, attribute-based encryption and broadcast encryption system. Based on the standard model, the scheme can achieve constant-size public parameters, imposes no bound on the size of attribute sets used for encryption, and has a large attribute universe. It supports LSSS matrices as access structures and additionally provides delegation capabilities for users. The Encrypt algorithm does not require the bilinear pairing computation, where e as can be pre-computed, and the Decrypt algorithm needs four bilinear pairing computations and multiplications in group G. The selective security of our scheme is proved by using static, generically secure assumptions in composite order bilinear groups, which do not depend on the number of queries the attacker makes.
In the course of proving, by introducing a nested dual system encryption approach, the scheme overcomes the main obstacle, which is the low amount of entropy provided by the short public parameters. Furthermore, the analysis results indicate that it has less implementation complexity without an increase in computing effort.

4. Security Analysis

Theorem: If a dual system KP-ABBE scheme Ω Setup KeyGen KeyGen F Encrypt Encrypt F Decrypt has semi-functional ciphertext invariance, semi-functional key invariance and semi-functional security, then Ω Setup KeyGen Encrypt Decrypt is a selectively secure KP-ABBE scheme.

4.1. Semi-Functional Ciphertext Invariance

Lemma 1: Our KP-ABBE scheme with dual system has semi-functional ciphertext invariance under Assumption.

Proof: Assume there exists a PPT attacker I such that I can achieve a non-negligible difference in advantage between Game C and Game KP-ABBE. Then we will create a PPT algorithm R with non-negligible advantage to break Assumption. R is given G p and T, receives the set from I, and then chooses x y z t a randomly. It gives the public parameters pk{гh x u y v z w t e a } to I. Since R knows the master secret key a, it can respond to I's key requests by calling the key generation algorithm. At some point, the attacker provides two messages M 0 M and requests the challenge ciphertext for. We use to denote the size of and we let z z denote the elements of. R forms the ciphertext as follows: It chooses randomly r r b {0} and sets: a t k k 0 b z k rk 4 k C M e T C T C T v C C u h k { }

This implicitly sets s equal to the G p part of T. If T G p, then this is a well-distributed normal ciphertext and R has properly simulated Game KP-ABBE; if T G p p, then this is a well-distributed semi-functional ciphertext and R has properly simulated Game C. Thus simulator R can use the output of I to achieve a non-negligible advantage against Assumption.

4.2. Semi-Functional Security

Lemma 2: Our KP-ABBE scheme with dual system has semi-functional security under Assumption.

Proof: Suppose there exists a PPT attacker I who achieves a non-negligible advantage in Game F; then we will create a PPT algorithm R which has a non-negligible advantage against Assumption. Simulator R receives a X s Y T and from I. It chooses xyzta randomly and gives the public parameters pk{гh x u y v z w t e a X } to I. Note that R does not know the master secret key a. In response to a KeyGen query for a m LSSS matrix f, R will create a semi-functional key as follows: It chooses a random vector u up to the constraint that the first coordinate is zero, random values α α β a and a uniformly chosen vector m β m v which are orthogonal to all rows of where f and have first entry equal to. R will implicitly set a av + u, so that this is distributed as a uniformly random vector with first entry equal to a. It also chooses random values f for each such that f. Then the semi-functional key is formed as: { m}: If f then β f α v u h α 4. µ β w β If f algorithm chooses a random value ~ β µ a t+ v β t+ f and sets X w β a v f β a zv zf f α X v X u h α 4. This is a properly distributed semi-functional key with γt+ mod p p θz mod p p β β` β mod p for all s.t. f β a v+ β mod p for all s.t. f.

At some point, I provides R with two messages M 0 M. We use to denote the size of and we let z z denote the elements of. R forms the challenge ciphertext as follows. It chooses randomly r r σ b {0} and sets: s s t k σ k 0 b z k rk 4 k C M T C Y C Y v C C u h k { }

If Te as, it is a well-distributed semi-functional encryption of M b with η equal to log Y and σ equal to t times this discrete log plus σ, where σ randomizes this so that there is no correlation with t mod p. Hence, from the exponents modulo p of the semi-functional keys, this is uncorrelated. In this case R has properly simulated Game F.
If T G T is a random element, then this is a semi-functional encryption of a random message, so the ciphertext contains no information about b and hence the advantage of I must be zero. R can use the output of I to obtain a non-negligible advantage against Assumption, because the advantage of I is non-negligible in Game F.

4.3. Semi-Functional Key Invariance

Using a hybrid argument over the following sequence of games, we will prove one semi-functional key invariance of our dual system ABBE scheme instead of semi-functional key invariance []. We begin with Game 0 and end with Game. To get from Game 0 to Game, we define the following intermediary games; the distributions of the requested normal and semi-functional keys are the same as in Game 0 and Game among these games, but the distributions of the challenge key and ciphertext vary.

Game 0 : This game is exactly like Game 0 except with the added restriction: for the challenge key, the attacker cannot produce an access matrix f such that f for some, but when both are reduced modulo p, f is equal to some element of.

Game k : In this game we retain the added modular restriction from the previous game, except that the ciphertext is semi-functional and the challenge key is now ephemeral semi-functional with index.

Game C : In this game we retain the added modular restriction, except that the ciphertext is ephemeral semi-functional and the challenge key is ephemeral semi-functional with index.

Game F : In this game we retain the added modular restriction, except that the ciphertext is semi-functional and the challenge key is semi-functional with index.

Game : This game is exactly like Game except with the added modular restriction.

In these games, we will transit through them in order as follows: We begin with Game 0 and move to Game 0. We then move to Game, then Game k C, then Game F, then Game k Game C Game F and so on, until we arrive at Game F, which is the same as Game. Finally, we transit to Game.

Lemma 3: Our KP-ABBE scheme with dual system has one semi-functional key invariance under Assumption and 4.

Proof: By the above transitions, we will assume that I achieves a non-negligible difference in advantage between Game 0 and Game. Since there are at most a polynomial number of steps in our hybrid sequence of games between GameF and Game 0 F, there must exist a value of { } such that I achieves a non-negligible advantage between one of the following pairs of games: Game F and Game k, Game k and Game C, or C Game and Game F.

We assume that R initially obtains the group elements s η β βγ β β βθ from its h uv w w v oracle. It chooses random a and gives the public parameters pk{г h u v w e a } to I. Since R knows a, it can respond by using the usual key generation algorithm when I requests a normal key. When I requests a semi-functional key for some access matrix f, R creates one as follows. It chooses random values α α β a a m β m, a random vector a with first entry equal to a, and we let τ a for each row of. R forms the key as: { m}: If If f then β f α v u h f α 4. algorithm set τ β w β τ β βγ β w ββ β βθ β f α α v u h 4.

When I requests the challenge key for some access matrix f, R makes a challenge key-type query to the oracle with input value f, where { } is the index of the th row such that f. R receives from its oracle four group elements in response, which we will denote by T T T T 4. R chooses random values α β for all { } such that. It also chooses a random vector a with first entry equal to a and we set τ a. R forms the challenge key as: { m}: If If f then β f α v u h α 4. f algorithm set ββ τ β w β τ β βγ β w β βθ β f α v u h α 4.

If R has properly simulated Game F, then β β β α α T T T T 4 will be distributed as w v u h for αβ randomly chosen, and so this will be a properly distributed normal key.
If R has properly simulated Game or Game, then T T T T 4 will k C β β β α α be distributed as w v u h X X Y Y, where α β X Y G p and X Y G p are chosen randomly, and so this will be a properly distributed ephemeral semi-functional key. If R has properly simulated Game, then T T T T 4 will be distributed as F β β γ β β β θ α v u h α, where α β are randomly chosen, and so this will be a properly distributed semi-functional key.

When I requests the challenge ciphertext for messages M 0 M and { z z }, R makes a ciphertext-type query to the oracle for each z. We recall that the value f from the challenge key cannot be equal to any of these values z modulo p. In response to each query for z, R receives three group elements which we denote by T T T. R chooses b {0} randomly and forms the ciphertext as: s η a s η 0 b 4 C M e C C T C T C T { }

If R has properly simulated Game F, Game k or Game, then T T T will be distributed as F r r z r s w σ v u h, where r is randomly chosen, so this will be a properly distributed semi-functional ciphertext. If R has properly simulated Game, then T T T will be distributed as s w C σ r v θr r r u z h r r yz + x, for r x y randomly chosen and not varying with. In this case R has produced a properly distributed ephemeral semi-functional ciphertext.

Thus, since I must achieve a non-negligible difference of advantage between at least one of these pairs of games, R will be able to distinguish the corresponding pair of oracles with non-negligible

advantage. So our dual system encryption KP-ABBE scheme has one semi-functional key invariance under Assumptions and 4.

5. Conclusions

Although ABE has been applied extensively to the area of access control, in existing constructions for ABE in the standard model, either a small universe size or a bound on the size of attribute sets had to be fixed at setup. Taking into consideration the broadcast encryption scheme with wide applications in the real world simultaneously, a key-policy attribute-based broadcast encryption was proposed by combining Waters dual system encryption, attribute-based encryption and broadcast encryption system. Based on the standard model, the scheme can achieve constant-size public parameters, imposes no bound on the size of attribute sets used for encryption, and has a large attribute universe. It supports LSSS matrices as access structures and additionally provides delegation capabilities to users. The selective security of our scheme is proved by using static, generically secure assumptions in composite order bilinear groups, which do not depend on the number of queries the attacker makes. The analysis results indicate that it has less implementation complexity without an increase in computing effort.

Acknowledgements

This research was financed by the National Natural Science Foundation of China under Grants 679 and 608768, and the Scientific Research Foundation of Education Department of Shaanxi Provincial Government of China (Grant No. 0JK6).

References

[1] Boneh D., Boyen X., and Goh E., Hierarchical Identity Based Encryption with Constant Size Ciphertext, Proceedings of the 4 th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Denmark, pp. 440-456, 2005.
[2] Boneh D., Gentry C., and Waters B., Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys, Proceedings of the 5 th Annual International Cryptology Conference, USA, pp. 58-75, 2005.
[3] Boneh D., Goh E., and Nissim K., Evaluating 2-DNF Formulas on Ciphertexts, Proceedings of the Conference on Theory of Cryptography, USA, pp. 5-4, 2005.
[4] Charef C., Taibi M., and Vincent N., Fuzzy and Neuro-fuzzy Modeling of a Fermentation Process, The International Arab Journal of Information Technology, vol. 6, no. 4, pp. 78-85, 2009.
[5] Chase M., Multi-Authority Attribute Based Encryption, Proceedings of the 4 th Conference on Theory of Cryptography, Berlin, pp. 55-54, 2007.
[6] Delerablée C.,
Paillier P., and Pointcheval D., Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys, Proceedings of the st International Conference on Pairing-Based Cryptography, Japan, pp. 9-59, 2007.
[7] Dodis Y. and Fazio N., Public Key Broadcast Encryption Secure Against Adaptive Chosen Ciphertext Attack, Proceedings of the 6 th International Workshop on Practice and Theory in Public Key Cryptography, Miami, USA, pp. 00-5, 00.
[8] Fiat A. and Naor M., Broadcast Encryption, Proceedings of the th Annual International Cryptology Conference, Santa Barbara, USA, pp. 480-4999.
[9] Goyal V., Pandey O., Sahai A., and Waters B., Attribute-Based Encryption for Fine-Grained Access Control for Encrypted Data, Proceedings of the th Conference on Computer and Communications Security, pp. 89-98, 2006.
[10] Hu L., Liu Z., and Cheng X., Efficient Identity-Based Broadcast Encryption without Random Oracles, Journal of Computers, vol. 5, no. , pp. -6, 00.
[11] Kalpana G. and Punithavalli M., Reliable Broadcasting using Efficient Forward Node Selection for Mobile Ad hoc Networks, The International Arab Journal of Information Technology, vol. 9, no. 4, pp. 99-05, 0.
[12] Li J., Ren K., and Kim K., A2BE: Accountable Attribute Based Encryption for Abuse Free Access Control, available at: http://eprint.iacr.org/2009/118, last visited 2009.
[13] Li J., Ren K., Zhu B., and Wan Z., Privacy-Aware Attribute Based Encryption with User Accountability, Proceedings of the th International Conference on Information Security, Italy, pp. 47-6, 2009.
[14] Lewko A., Okamoto T., Sahai A., Takashima K., and Brent W., Fully Secure Functional Encryption: Attribute-Based Encryption and Hierarchical Inner Product Encryption, Proceedings of the 9 th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French, pp. 6-9, 00.
[15] Lewko A., Rouselakis Y., and Waters B., Achieving Leakage Resilience through Dual System Encryption, Proceedings of the 8 th Conference on Theory of Cryptography, USA, pp. 70-88, 0.

[16] Lewko A. and Waters B., New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts, Proceedings of the 7 th Conference on Theory of Cryptography, Switzerland, pp. 455-479, 00.
[17] Lewko A. and Waters B., Unbounded HIBE and Attribute-Based Encryption, available at: http://eprint.iacr.org/2011/049.pdf, last visited 0.
[18] Ostrovsky R., Sahai A., and Waters B., Attribute-Based Encryption with Non-Monotonic Access Structures, Proceedings of the 4 th ACM Conference on Computer and Communications Security, New York, pp. 95-0, 2007.
[19] Okamoto T. and Takashima K., Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption, Proceedings of the 0 th Conference on Annual Cryptology, pp. 9-08, 00.
[20] Sahai A. and Waters B., Fuzzy Identity Based Encryption, Proceedings of the 4 th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Denmark, pp. 457-47, 2005.
[21] Waters B., Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions, Proceedings of the 9 th Conference on Annual International Cryptology, USA, pp. 69-66, 2009.
[22] Zhang L., Hu Y., and Mu N., Identity-Based Broadcast Encryption Protocol for Ad-hoc Networks, Proceedings of the 9 th International Conference for Young Computer Scientists, Hunan, pp. 69-6, 2009.

Yupu Hu is a professor and PhD supervisor at the Key Laboratory of Computer Networks and Information Security of Ministry of Education, Xidian University, China. He holds a PhD degree in cryptography from Xidian University, 1999. He is a member of China Institute of Communications. His current research interests include information security, stream cipher, block cipher, digital signature and network security.

Leyou Zhang received his PhD from Xidian University in 2009. Currently he is an associate professor in the Department of Mathematical Science of Xidian University. His current research interests include network security, computer security and cryptography.

Jin Sun received her BS and MS degrees in mathematics from Shaanxi Normal University, Xi'an, China, in 2000 and from Xi'an University of Technology, Xi'an, China, in 2005, respectively. Since 2008, she has been a PhD degree candidate in cryptography at Xidian University, Xi'an, China. Her current research interests include the designs for PKE schemes and broadcast encryption schemes.
