1 Introduction

Smart city is a new concept brought up with the technological revolution providing various digital services for citizens to make their life more convenient among all aspects of daily life including education, health care, traffic transport, job recruitment and so on. From the perspective of technological development, the construction of smart cities requires the realization of comprehensive perception, ubiquitous interconnection, pervasive computing and integrated applications through the Internet of Things, cloud computing and other new-generation information technology applications represented by mobile technology. From the perspective of social development, smart cities also require the application of tools and methods such as wikis, social networks, Fab Lab, Living Lab and integrated integration methods to facilitate residents’ lives and economic activities. To build a smart city, enormous data will be generated, processed and analysed.

Cloud server is an internet-based paradigm that provides massive data storage and processing services for innumerable enterprises and individuals. Fog nodes [1] are physical components (such as gateways, switches, routers, servers, etc.) or virtual components (such as ED switches, virtual machines, Cloudlet 9, etc.) that are tightly connected with the network and provide computing resources. As shown in Fig. 1, such devices can be found everywhere in the smart city providing more efficient and convenient services.

Fig. 1
figure 1

Fog nodes in smart city

Full size image

Generally speaking, data and services on the cloud are open and accessible to anyone, and data owner will lose any control on the data as soon as it uploaded to the cloud. In many distributed applications, it is necessary to enforce a specific access control policy on sensitive data, and only authorized users can access these data.

In this case, Sahai et al. [2] first introduced the concept of attribute-based encryption (ABE) achieving both scalable and fine-grained access control on ciphertext. ABE schemes are generally divided into two types: ciphertext-policy ABE (CP-ABE) [3] and key-policy ABE (KP-ABE) [4]. In CP-ABE, the access policy is embedded in the ciphertext and anyone can decrypt it as long as his/her attributes satisfy the policy.

One problem in traditional CP-ABE scheme [4, 5] is that the access policy is sent along with a ciphertext to inform end users which attributes satisfy the access policy, therefore the privacy in the policy could be exposed. However, this property is not suitable for many application scenarios, such as medical, industrial and financial fields. For instance, the access policy of an encrypted files of patient's medical record may reveal individual privacy; a company may hire eligible staff with specific qualification (i.e., attributes) which may expose the company's future development strategy.

If it is not known which attributes should be used for decryption, the decryption will be infeasible for authorized users. So, Nishide et al. [6] introduced the notion of partially hidden access policy in CP-ABE. In their scheme, the attribute is defined by two parts, attribute name and attribute values and only attribute value is concealed in their shceme. Although this method protects the privacy of the policy to some extent, it also has some drawbacks: in some cases, the attribute name still contains sensitive and valuable information, and it's still revealed in the access policy; If the end user has multiple values for each attribute, the decryption time maybe super-polynomial, since he/she has to guess which attribute value is exactly embedded in the ciphertext. Inner-product predicate encryption (IPE) [7] is another method to protect policy privacy, but it could cause the ciphertext size to be super-polynomial.

Besides attribute values, sometimes, attribute names are also sensitive and should be kept secret. For example: a recruitment sharing in the cloud can only be accessed by specific applicants. The access policy may be defined as {[Gender: male or female] AND [Education: M.D. or PH.D.]} AND {[Probability and statistics: statistics or econometrics] AND [Computer science and technology: data mining or machine learning]}. In this case, the “Probability and statistics: statistics or econometrics” and “Computer science and technology: data mining or machine learning” in the access policy are obviously more sensitive, since it may reveal commercial confidentiality that the company is managing to achieve transformation with the help of IoT.

Another problem in the existing ABE schemes [3,4,5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This property is not suitable for users on their resource-constrained mobile devices. To reduce the computational overhead of end user, some cryptographic operations with heavy computational load can be outsourced to third-party service [8, 9]. In smart cities, countless IoT devices connected to the Internet in every corner of the city can be utilized to provide much more convenient and faster computing resources for resource-limited end users.

1.1 Motivation

In the above-mentioned example, data owner could encrypt the data in a different way such that any one obtaining the ciphertext can only learn about the public access policy (i.e., [Gender: male or female] AND [Education: M.D. or PH.D.]), while the sensitive information in the secret policy (i.e., [Probability and statistics: statistics or econometrics] AND [Computer science and technology: data mining or machine learning]) including attribute name and its values should be fully hidden. Figures 2 and 3 graphically show this example.

Fig. 2
figure 2

Public access policy

Full size image
Fig. 3
figure 3

Secret access policy. The information of attribute and name and its value in the dotted node is fully hidden

Full size image

There seems to be a simple solution to protect the privacy of sensitive policy. Specifically, one can use a classic CP-ABE to encrypt the sensitive access policy under the public access policy as first part of the ciphertext and use CP-ABE to encrypt the message under the secret-access-policy as the second part. However, in this method, the cloud can’t check whether the end user has sufficient authorities to access the ciphertext, since the ciphertext can only be obtained by authorized end users. Another drawback of this method is that the decryption overhead of the second part ciphertext can’t be outsourced to the cloud.

1.2 Contributions

Motivated by the above observation, in this paper, we propose a ciphertext-policy attribute-based encryption with hidden sensitive policy from keyword search techniques in smart city. In our scheme, data owner (employer) publishes an encrypted recruitment for the end user (potential employee) in the cloud. Only authorized end user can access the ciphertext, and the privacy of the sensitive access policy is preserved from unauthorized end users. The contribution of our scheme is shown as follows.

  • Hidden sensitive policy We embed two access policies in the encrypted data, one is public and the other is secret and hidden. When satisfying both policies, he/she can decrypt the ciphertext. For the privacy of sensitive policy, we propose a new security model i.e., chosen sensitive policy attack (CSPA): if user's attributes don't satisfy the public policy, he/she cannot learn anything of the secret one. Specifically, the end user generates two sets of randomized secret keys, where each component of the one set corresponds to a public attribute name (or value) and each component of the other set corresponds to an attribute index (user-generated hash value). The end user uploads the two sets to the cloud to check whether he/she has authority to decrypt the ciphertext with double policies. If user satisfies the public policy, the cloud can detect whether the attribute contained in each leaf node of secret policy belongs the user's attributes. This process is essentially a attribute-based keyword search (ABKS) mechanism. By keyword search (KS) methods, the cloud cannot learn about which attribute the leaf node in the access tree of secret policy stands for and unauthorized end users also can't obtain the ciphertext or learn about the secret policy. Therefore, our scheme protects the privacy in sensitive access policy of the ciphertext from unauthorized applicants.

  • Expressive and efficient Our scheme is expressive and efficient. It supports any monotone access structure instead of restricted policy such as AND-gates on multi-values. The size of the ciphertext scales linearly with the complexity of the access policy. End user doesn’t need to test several times, which could be super-polynomial in some previous schemes, before finding the attributes for successful decryption, even if he/she has multiple values for each attribute.

  • Applicable for resource-limited end user With the help of thousands of fog nodes in the smart city, the computational overhead of data owner generating the sub-ciphertext of the public access policy can be outsourced, and most computational overhead of decryption is shifted from end user to the cloud, leaving a constant number of operations to decrypt the ciphertext. Therefore, it is more suitable for resource-constrained end users.

2 Discussion and result

2.1 Discussion

Sahai et al. [2] first introduced the concept of attribute-based encryption (ABE), which can be divided into two forms: ciphertext-policy ABE (CP-ABE) [4] and key-policy ABE (KP-ABE) [3] . Bethencourt et al. [4] proposed the first CP-ABE scheme, in which the access policy is very expressive and specified by the data owner. From then on, ABE schemes with various functionalities have been widely constructed, e.g., supporting regular languages [10, 11], with unbounded attribute size [10, 12, 13], with constant-size ciphertext [14], with multi-authority [15,16,17], and with adaptive security [18,19,20]. One drawback in traditional CP-ABE schemes [4, 5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This defect in attribute encryption makes it unsuitable for users with resource-constrained devices. To reduce the computation cost of end user, Green et al. [9] provided a new methods for efficiently and securely outsourcing decryption of ABE ciphertexts. In their scheme, most of the heavy cryptographic operations of decryption algorithm are outsourced to the cloud, leaving only a small number of operations for the end user. Li et al. [21] also considered to outsource key-issuing and decryption simultaneously for ABE schemes by introducing two cloud service providers. In the wake of 5G and IoT techniques, fog computing [1] is considered to be a new data resource that can provide high-quality outsourcing services. In fog computing environment, Zuo et al. [22] proposed a practical CP-ABE scheme with outsourced decryption, while Zhang et al. [23] support outsourced encryption, outsourced decryption and attribute update.

However, the access policy must be revealed in most of these schemes, since end users need to know how they combine their secret key components for decryption. This may lead to privacy disclosure, so research on the anonymity of access policies is necessary. Nishide et al. [6] first introduced the concept of partially hidden access policy to achieve anonymity, in which the attribute is split into an attribute name and its values, and only the attribute values are hidden. Some other works [24,25,26] improved the efficiency and security of [6], but their policies are all restricted with AND-gates on multi-values as in [6]. Later, Lai et al. [27] proposed an expressive fully secure CP-ABE scheme with the LSSS-based partially hidden policy in composite order groups. Based on Lai’s scheme, Cui et al. [28] proposed a more efficient one in prime order groups. However, looking for the correct attributes for successful decryption, both [27] and [28] need authorized users to test several times, which cloud be super-polynomial in special cases; for instance, user has many values for each attribute. All the above schemes focus on the partially hidden access policy, while the public attribute names may also lead to the leakage of sensitive information. Some other schemes based on the inner-product predicate encryption [18, 29] and hidden vector encryption [30] are proposed to protect the policy privacy, but their efficiency is seriously restricted, which means that the size of ciphertext could be super-polynomial.

The keyword search techniques enables the cloud to search over encrypted data without revealing any sensitive information of the keyword. In 2000, Song et al. [31] initially introduced a searchable encryption (SE) technique. Boneh et al. [32] proposed the first public key encryption with keyword search. To achieve both fine-grained access control and keyword search simultaneously, attribute-based encryption with keyword search [33,34,35,36] was proposed. Among them, [35, 36] are constructed in fog computing environment.

2.2 Result

In our scheme, sensitive access policy of encrypted recruitment is fully hidden; expressive policy is supported; the ciphertext size is polynomial; the most computational overhead of decryption is outsourced to the cloud server, leaving a constant number of operations for the end user. We summarize the comparisons of various CP-ABE schemes with hidden policy in Table 1.

Table 1 Comparison of CP-ABE schemes with hidden policy
Full size table

3 Method

3.1 Preliminaries

In this section, we introduce some background knowledge, which includes access structure, access tree, bilinear maps, Diffie–Hellman assumption and its variants.

3.1.1 Access structures

Definition 1

(Access structure [4]) Let \(\{P_{1},P_{2},\ldots ,P_{n}\}\) be a set of parties. A collection \({\mathbb {A}}\subseteq 2^{\{P_{1},P_{2},\ldots ,P_{n}\}}\) is monotone if \(\forall B,C\): if \(B\in {\mathbb {A}}\) and \(B \subseteq C\) then \(C \in {\mathbb {A}}\). An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) \({\mathbb {A}}\) of non-empty subsets of \(\{P_{1},P_{2},\ldots ,P_{n}\}\), i.e., \({\mathbb {A}} \subseteq 2^{\{P_{1},P_{2},\ldots ,P_{n}\}}{\setminus } \{\emptyset \}\). The sets in \({\mathbb {A}}\) are called the authorized sets, and the sets not in \({\mathbb {A}}\) are called the unauthorized sets.

In this paper, attributes take the role of the parties, and we only focus on the monotone access structure \({\mathbb {A}}\), which consists of the authorized sets of attributes. Obviously, attributes can directly reflect a user’s authority.

Definition 2

(Access tree [4]) Let \({\mathcal {T}}\) be a tree representing an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. If \(num_{x}\) is the number of children of a node x and \(k_{x}\) is its threshold value, then \(0\le k_{x}\le num_{x}\). When \(k_{x}=1\), the threshold gate is an OR gate and when \(k_{x}=num_{x}\), it is an AND gate. Each leaf node x of the tree is described by an attribute and a threshold value \(k_{x}=1\).

We introduce a few functions defined in [4] as follows. parent(x) denotes the parent of the node x in the tree. The access tree \({\mathcal {T}}\) also defines an ordering between the children of every node, that is, the children of a node are numbered from 1 to num. The function index(x) returns such a number associated with the node x, where the index values are uniquely assigned to nodes in the access structure for a given key in an arbitrary manner. Each leaf node x corresponds to an attribute \(a_j\), and this relationship should be revealed in the access tree \({\mathcal {T}}\). To protect the privacy of access policy, we defined the access tree with hidden attributes \(\widehat{{\mathcal {T}}}\).

Definition 3

(Access tree with hidden attributes \(\widehat{{\mathcal {T}}}\)) \(\widehat{{\mathcal {T}}}\) is an access tree with structure the same as normal access trees, except that it doesn’t reveal any information about the correspondence between leaf nodes and attributes. It is very easy to check whether a combination of leaf nodes satisfies the access structure, but the information of attribute in these nodes is hidden. So, it is impossible to find out which attributes are embedded in the access tree just from the structure itself.

For better understanding, assuming that \(x_i,y_i\) are the indexes of leaf nodes and \(a_i\) is the corresponding attribute, the comparison of two kinds of access tree is shown in Figs. 4 and 5. Specifically, the attribute name and its value in the dotted node in Fig. 4 are exposed. However, it is on the contrary in Fig. 5 and only the index of the node is revealed in Fig. 5.

Fig. 4
figure 4

Normal access tree

Full size image
Fig. 5
figure 5

Access tree with hidden attributes. The information of attribute name and its value in the dotted node is fully hidden, only the index of the node is revealed

Full size image

Definition 4

(Satisfying an access tree [4]) Let \({\mathcal {T}}\) be an access tree with root r. Denote by \({\mathcal {T}}_{x}\) the subtree of \({\mathcal {T}}\) rooted at the node x. Hence, \({\mathcal {T}}\) is the same as \({\mathcal {T}}_{r}\). If a set of attributes \(\gamma\) satisfies the access tree \({\mathcal {T}}_{x}\), we denote it as \({\mathcal {T}}_{x}(\gamma )=1\). We compute \({\mathcal {T}}_{x}(\gamma )\) recursively as follows. If x is a non-leaf node, evaluate \({\mathcal {T}}_{x'}(\gamma )=1\) for all children \(x'\) of node x. \({\mathcal {T}}_{x}(\gamma )\) returns 1 if and only if at least \(k_{x}\) children return 1. If x is a leaf node, then \({\mathcal {T}}_{x}(\gamma )\) returns 1 if and only if \({\text {att}}(x)\in \gamma\).

3.1.2 Bilinear map and DBDH assumption

We briefly recall the definitions of the bilinear map and the decisional bilinear Diffie–Hellman (DBDH) assumption. Let \({\mathbb {G}}_{0}\) and \({\mathbb {G}}_{T}\) be two multiplicative cyclic groups of prime order p. Let g be a generator of \({\mathbb {G}}_{0}\) and e be a efficient computable bilinear map, \(e: {\mathbb {G}}_{0}\times {\mathbb {G}}_{0}\rightarrow {\mathbb {G}}_{T}\). The bilinear map e has a few properties: (1) Bilinearity: for all \(u, v\in {\mathbb {G}}_{0}\) and \(a, b \in {\mathbb {Z}}_{p}\), we have \(e(u^{a}, v^{b}) = e(u, v)^{ab}\). (2) Non-degeneracy: \(e(g,g)\ne 1\). We say that \({\mathbb {G}}_{0}\) is a bilinear group if the group operation in \({\mathbb {G}}_{0}\) and the bilinear map \(e: {\mathbb {G}}_{0}\times {\mathbb {G}}_{0}\rightarrow {\mathbb {G}}_{T}\) are both efficiently computable. Notice that the map e is symmetric since \(e(g^{a},g^{b}) = e(g, g)^{ab} = e(g^{b}, g^{a})\).

Given the bilinear map parameter \(({\mathbb {G}}_{0}, {\mathbb {G}}_{T},p,e,g)\) and three random elements \((x,y,z)\in {\mathbb {Z}}_{p}^{3}\), if there is no probabilistic polynomial time (PPT) adversary \({\mathcal {B}}\) can distinguish between the tuple \((g,g^{x},g^{y},g^{z}, e(g,g)^{xyz})\) and the tuple \((g,g^{x},g^{y},g^{z}, \vartheta )\), we say that the DBDH assumption holds, where \(\vartheta\) is randomly selected from \({\mathbb {G}}_{T}\). More specifically, the advantage \(\epsilon\) of \({\mathcal {B}}\) in solving the DBDH problem is defined as

$$\begin{aligned} \left| \Pr [{\mathcal {A}}(g,g^{x},g^{y},g^{z}, e(g,g)^{xyz})=1] -\Pr [{\mathcal {A}}(g,g^{x},g^{y},g^{z}, \vartheta )=1] \right| . \end{aligned}$$
(1)

Definition 5

(DBDH) We say that the DBDH assumption holds if no PPT algorithm has a non-negligible advantage \(\epsilon\) in solving DBDH problem.

3.2 System and security model

In this section, we introduce the system description, system model, threat model and security model of our scheme.

3.2.1 System description

As shown in Fig. 6, we consider a ciphertext retrieval scenario in fog computing environment. It consists of five parties: Key Authority Center (\({\mathsf {KAC}}\)), Data Owner (\({\mathsf {DO}}\)), Cloud Server (\({\mathsf {CS}}\)), End User (\({\mathsf {EU}}\)), and Fog Nodes (\({\mathsf {FN}}\)). The specific role of each party is given as follows:

  • Key Authority Center (\({\mathsf {KAC}}\)): The \({\mathsf {KAC}}\) is a fully trusted third party which is in charge of generating public parameters and secret keys.

  • Data Owner (\({\mathsf {DO}}\)): The \({\mathsf {DO}}\) defines the access structure to encrypt a ciphertext CT with the help of fog nodes.

  • Cloud Server (\({\mathsf {CS}}\)): The \({\mathsf {CS}}\) has huge computing power and storage capacity; it can provide computing and storage services to both data owner and end user, especially to help end user partially decrypt the ciphertext.

  • End User (\({\mathsf {EU}}\)): Resource-constrained user submits a trapdoor to the \({\mathsf {CS}}\), which will help him/her to partially decrypt the ciphertext.

  • Fog Nodes (\({\mathsf {FN}}\)): Some computational overheads can be outsourced from the \({\mathsf {DO}}\) to the fog nodes during the encryption process.

Fig. 6
figure 6

System description of our scheme

Full size image

3.2.2 System model

Our scheme includes the following six algorithms:

  • Setup\((1^{\lambda }, \mathcal {L}) \rightarrow (PK,MSK)\) Given security parameter \(\lambda\) and a set of all possible attributes \(\mathcal {L}\), the \({\mathsf {KAC}}\) generates public key PK and master secret key MSK.

  • KeyGen\((PK,MSK, S) \rightarrow SK\) On input the public key PK, the master secret key MSK and an attribute set S, the \({\mathsf {KAC}}\) generates a secret key SK for the \({\mathsf {EU}}\).

  • Enc\((PK,{\mathcal {T}}_1,{\mathcal {T}}_2,M)\rightarrow CT\) On input PK, two access policies \({\mathcal {T}}_1,{\mathcal {T}}_2\) and message M, with the help of fog nodes, the \({\mathsf {DO}}\) generates the ciphertext CT, in which \({\mathcal {T}}_1\) is public and \({\mathcal {T}}_2\) is fully hidden.

  • Trap\(SK \rightarrow Tr\) The \({\mathsf {EU}}\) generates the trapdoor Tr by his own secret key SK and submits Tr to the \({{\mathsf {CS}}}\).

  • Tran\((CT,Tr)\rightarrow {\widetilde{CT}}\) or \(\perp\): This algorithm contains two steps:

    • At first, the \({\mathsf {CS}}\) interacts Tr and CT to verify whether the \({\mathsf {EU}}\) has authority to decrypt CT. If \(S\nvDash {\mathcal {T}}_1 \bigvee S\nvDash {\mathcal {T}}_2\), it outputs \(\perp\).

    • If \(S\models {\mathcal {T}}_1 \bigwedge S\models {\mathcal {T}}_2\), the \({\mathsf {CS}}\) partially decrypts CT and returns the precomputed ciphertext \(\widetilde{CT}\) to the \({\mathsf {EU}}\).

  • Dec\((\widetilde{CT}, SK)\rightarrow M\): On input \(\widetilde{CT},SK\), the \({\mathsf {EU}}\) decrypts \(\widetilde{CT}\) and outputs M.

3.2.3 Threat model

In this paper, we assume that the \({\mathsf {KAC}}\) is a fully trusted third party, while the \({\mathsf {CS}}\) and \({\mathsf {FN}}\) are honest-but-curious entities, which exactly follow the protocol specifications but also are curious about the sensitive information of ciphertexts and trapdoors. Users are not allowed to collude with \({\mathsf {CS}}\) or \({\mathsf {FN}}\). Nevertheless, malicious users may collude with each other to access some unauthorized ciphertexts.

3.2.4 Security model

Our scheme achieves chosen plaintext security by the following security game between a PPT adversary \({\mathcal {A}}\) and a challenger \({\mathcal {C}}\).

  • Initialization \({\mathcal {A}}\) chooses and submits two challenge access policies \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\) to its challenger \({\mathcal {C}}\).

  • Setup \({\mathcal {C}}\) runs Setup algorithm and returns the public key PK to \({\mathcal {A}}\).

  • \(Phase\; 1\) \({\mathcal {A}}\) adaptively submits any attribute set S to \({\mathcal {C}}\) with the restriction that \((S\nvDash {\mathcal {T}}_1^{*} \bigvee S\nvDash {\mathcal {T}}_2^{*})\). In response, \({\mathcal {C}}\) runs KeyGen algorithm and answers \({\mathcal {A}}\) with the corresponding SK.

  • Challenge \({\mathcal {A}}\) chooses two equal-length challenge messages \((m_{0},m_{1})\) and submits them to \({\mathcal {C}}\). Then \({\mathcal {C}}\) picks a random bit \(\vartheta \in \{0,1\}\), runs Enc algorithm to encrypt \(m_{\vartheta }\) with \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\), and returns the challenge ciphertext \(CT^{*}\) to \({\mathcal {A}}\).

  • \(Phase\; 2\) This phase is the same as Phase 1.

  • Guess \({\mathcal {A}}\) outputs a guess bit \(\vartheta '\) of \(\vartheta\). We say that \({\mathcal {A}}\) wins the game if and only if \(\vartheta '=\vartheta\).

    The advantage of \({\mathcal {A}}\) to win this security game is defined as \({\text {Adv}}({\mathcal {A}})=\left| \Pr [\vartheta '=\vartheta ]-\frac{1}{2}\right|\).

Definition 6

Our scheme achieves IND-CPA security if there exists no PPT adversary winning the above security game with a non-negligible advantage \(\epsilon\) under the DBDH assumption.

In addition, we define a new security model chosen sensitive policy attack (CSPA) for our scheme by the following security game between \({\mathcal {A}}\) and \({\mathcal {C}}\).

  • Initialization \({\mathcal {A}}\) chooses and submits a challenge access structure \({\mathcal {T}}_1^{*}\) to its challenger \({\mathcal {C}}\).

  • Setup \({\mathcal {C}}\) runs Setup algorithm and gives PK to \({\mathcal {A}}\).

  • \(Phase\;1\) \({\mathcal {A}}\) adaptively submits any attribute set S with the restriction that \(S\nvDash {\mathcal {T}}_1^{*}\). In response, \({\mathcal {C}}\) runs Trap algorithm and responds \({\mathcal {A}}\) with the corresponding trapdoor Tr.

  • Challenge \({\mathcal {A}}\) submits \(m^*\) and two challenge hidden policies \({\mathcal {T}}_2^{0*}\) and \({\mathcal {T}}_2^{1*}\) with the same structure. Then, \({\mathcal {C}}\) picks a random bit \(\vartheta \in \{0,1\}\) and returns the challenge ciphertext \(CT^{*}\) encrypted with \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{\vartheta *}\).

  • \(Phase\; 2\) This phase is the same as Phase 1.

  • Guess \({\mathcal {A}}\) outputs a guess bit \(\vartheta '\) of \(\vartheta\). We say that \({\mathcal {A}}\) wins the game if and only if \(\vartheta '=\vartheta\).

    The advantage of \({\mathcal {A}}\) to win this security game is defined as \({\text {Adv}}({\mathcal {A}})=\left| \Pr [\vartheta '=\vartheta ]-\frac{1}{2}\right|\).

Definition 7

Our scheme achieves IND-CSPA security if there exists no PPT adversary winning the above security game with a non-negligible advantage \(\epsilon\) under the DBDH assumption.

3.3 Construction of our scheme

In this section, we present the concrete construction of CP-ABE scheme with hidden sensitive policy.

Without loss of generality, we suppose that there are n possible attributes in total and \(\mathcal {L}=\{a_{1},a_{2},\ldots ,a_{n} \}\) is the set of all possible attributes. Assume \({\mathbb {G}}_{0}, {\mathbb {G}}_{T}\) are multiplicative cyclic groups with prime order p and the generator of \({\mathbb {G}}_{0}\) is g. Let \(\lambda\) be the security parameter which determines the size of groups. Let \(e: {\mathbb {G}}_{0}\times {\mathbb {G}}_{0}\rightarrow {\mathbb {G}}_{T}\) be a bilinear map and \(H:\{0,1\}^{*}\longrightarrow \mathbb {Z}_{p}\) be a hash function which maps any string to a random element of \(\mathbb {Z}_{p}\). We also define the Lagrange coefficient \(\Delta _{i,L}(x)=\prod _{j\in L, j\ne i}\frac{x-j}{i-j}\), where \(i\in \mathbb {Z}_{p}\) and a set L of elements in \(\mathbb {Z}_{p}\). The details of our scheme are as follows.

  • Setup\((1^{\lambda }, \mathcal {L})\rightarrow (PK, MSK)\): Given a security parameter \(\lambda\) and all possible attributes \(\mathcal {L}\), the \({\mathsf {KAC}}\) chooses a bilinear group \({\mathbb {G}}_{0}\) with prime order p and generator g. Next, it picks \(\alpha ,\beta \in _R \mathbb {Z}_{p}^{*}\) and \(h \in _R {\mathbb {G}}_{0}\). For each attribute \(a_{j}\in \mathcal {L}\), it selects \(v_{j},v_{j}'\in _R \mathbb {Z}_{p}^{*}\). Finally, it generates the public key PK and master secret key MSK as

    $$\begin{aligned} PK= & {} \left\{ \begin{array}{c} {\mathbb {G}}_{0}, g, h, g^{\alpha }, e(g,g)^{\beta },e(g,h)^{\beta },\\ \left\{ g^{v_{j}}, h^{v_{j}},g^{v_{j}'}, h^{v_{j}'},a_j \mid \forall a_{j}\in \mathcal {L} \right\} \end{array} \right\} ; \end{aligned}$$
    (2)
    $$\begin{aligned} MSK= & {} \left\{ \alpha , \beta , \left\{ v_{j},v_{j}', a_j\mid \forall a_{j}\in \mathcal {L}\right\} \right\} . \end{aligned}$$
    (3)

  • KeyGen\((MSK, S)\rightarrow SK\): While receiving an attribute set S from the \({\mathsf {EU}}\), the \({\mathsf {KAC}}\) selects \(r, r' \in _R {\mathbb {Z}}_{p}^{*}\) and returns the secret key SK as

    $$\begin{aligned} SK=\left\{ \begin{array}{c} g^{\beta +\alpha r}, h^{\beta +\alpha r}, g^{\alpha r}h^{r'},h^{\alpha r+r'}, g^{r'},\\ \{g^{\frac{\alpha r}{v_{j}}},h^{\frac{\alpha r}{v_{j}}},g^{\frac{\alpha r}{v_{j}'}},h^{\frac{\alpha r}{v_{j}'}}, a_j \mid \forall a_{j}\in S\} \end{array}\right\} . \end{aligned}$$
    (4)

  • Enc\((PK,{\mathcal {T}}_1,{\mathcal {T}}_2,M)\rightarrow CT\): The \({\mathsf {DO}}\) chooses \(ck\in _R \mathbb {Z}_{p}^{*}\) as a symmetric encryption key and encrypts message M with ck, \(E_{ck}(M)\), by using symmetric encryption (AES). Then, it encrypts ck with the help of the \({\mathsf {FN}}\) as follows:

    1. 1

      The \({\mathsf {DO}}\) sends \({\mathcal {T}}_1\) to the \({\mathsf {FN}}\). The \({\mathsf {FN}}\) randomly choose a polynomial \(q_{x}\) for each node x of \({\mathcal {T}}_1\) from the root node \(R_1\) in a top-down manner: for each node x of \({\mathcal {T}}_1\), the degree of \(q_{x}\) is \(d_{x}=k_{x}-1\), where \(k_{x}\) is the threshold value of x; beginning with root node \(R_1\), the \({\mathsf {FN}}\) pick \(s_{1}\in _R {\mathbb {Z}}_{p}^{*}\), sets \(q_{R_1}(0)=s_1\) and randomly chooses \(d_{R_1}=k_{R_1}-1\) other points of \(q_{R_1}\) to define the polynomial completely; for any other node x, they set \(q_{x}(0)=q_{parent(x)}(index(x))\) and choose \(d_{x}\) other points to define \(q_{x}\) completely. The \({\mathsf {FN}}\) generate the \(CT_1'\) as

      $$\begin{aligned} CT_{1}'=\left\{ \begin{array}{c} {\mathcal {T}}_1, g^{s_{1}}, h^{s_{1}}, \{ C_{1}^x=g^{v_{j}q_{x}(0)}, \\ C_{2}^x=h^{v_{j}q_{x}(0)}, x \mid \forall x\in \mathcal {X}_1\} \end{array} \right\} , \end{aligned}$$
      (5)

      where \(\mathcal {X}_1\) is a set of attributes corresponding to all leaf nodes in \({\mathcal {T}}_1\) and each \(x\in \mathcal {X}_1\) is corresponding to attribute \(a_j\). Note that \({\mathcal {T}}_1\) is stored in \(CT_1'\) in the form of plaintext, so the privacy of the access policy of \({\mathcal {T}}_1\) is exposed.

    2. 2

      The \({\mathsf {DO}}\) picks \(s_{2}\in _R {\mathbb {Z}}_{p}^{*}\) and sends \(g^{s_2}\), \(h^{s_2},e(g,h)^{\beta s_2}\) to \({\mathsf {FN}}\) to generate \(CT_{1}\) as

      $$\begin{aligned} CT_{1}=\{g^{s_{2}},h^{s_{2}},e(g,h)^{\beta s_2},CT_{1}'\}. \end{aligned}$$
      (6)
    3. 3

      The \({\mathsf {DO}}\) picks \(s_{3},s_{4}\in _R {\mathbb {Z}}_{p}^{*}\) and generates the ciphertext \(CT_2\) corresponding to the \({\mathcal {T}}_2\) in the same way of \(CT_1\). For each node y of \({\mathcal {T}}_2\), \(q_y(0)\) and \(d_y\) are defined exactly the same with above \(q_x(0)\) and \(d_x\); for the root node \(R_2\) of \({\mathcal {T}}_2\), \(q_{R_2}(0)=s_3\). Then,

      $$\begin{aligned} CT_{2}=\{g^{s_{4}},h^{s_{4}},CT_{2}'\}, \end{aligned}$$
      (7)

      and

      $$\begin{aligned} CT'_{2}=\left\{ \begin{array}{c} \widehat{{\mathcal {T}}_2}, g^{s_{3}}, h^{s_{3}}, \{ C_{1}^y=g^{v_{j}'(q_{y}(0)-s_2)}, \\ C_{2}^y=h^{v_{j}'(q_{y}(0)-s_2)}, C_{3}^y=g^{q_{y}(0)},\\ C_{4}^y=h^{q_{y}(0)}, C_{5}^y=e(g,h)^{\beta q_{y}(0)}, y \mid \forall y\in \mathcal {X}_2 \} \end{array} \right\} , \end{aligned}$$
      (8)

      where each leaf node y is corresponding to attribute \(a_j\) and \(\mathcal {X}_2\) is a set of all leaf nodes in \({\mathcal {T}}_2\). Since \(\widehat{{\mathcal {T}}_2}\) is defined the same as \({\mathcal {T}}_2\), except that the attribute name and its value in the \(\widehat{{\mathcal {T}}_2}\) are fully hidden. Therefore, the privacy of \({\mathcal {T}}_2\) can be preserved.

    4. 4

      The \({\mathsf {DO}}\) computes \(C=ck\cdot e(g,g)^{\beta (s_{2}+s_4)}\) and sends \(E_{ck}(M), C, CT_2\) to \({{\mathsf {FN}}}\), which generate and upload to the final ciphertext CT to the \({{\mathsf {CS}}}\), where

      $$\begin{aligned} CT=\left\{ {\mathcal {T}}_1,\widehat{{\mathcal {T}}_2}, E_{ck}(M), C, CT_{1}, CT_{2}\right\} . \end{aligned}$$
      (9)

  • Trap\((SK)\rightarrow Tr\): The Trap algorithm proceeds as follows. The \({{\mathsf {EU}}}\) chooses \(x',y',z',k\in _R {\mathbb {Z}}_{p}^{*}\) and computes the attribute index \(H_j=H(k\parallel j)\) for each \(a_j \in S\), and generates the following trapdoor Tr with its SK as

    $$\begin{aligned} Tr=\left\{ \begin{array}{c} T_0=x'+y',T_1=h^{(\alpha r+ r')(x'+y')+z'},T_2=g^{r'(x'+y')+z'},\\ T_3=g^{(\beta +\alpha r)x'},T_4=h^{(\beta +\alpha r)y'},T_5=g^{\alpha r x'}h^{r'x'},T_6=g^{r'x'}, \\ \{T_{10}^{j}=g^{\frac{\alpha r x'}{v_{j}}},T_{11}^{j}=h^{\frac{\alpha r y'}{v_{j}}}, a_j \mid \forall a_{j}\in S\},\\ \{T_{12}^{H_j}=g^{\frac{\alpha r x'}{v_{j}'}},T_{13}^{H_j}=h^{\frac{\alpha r y'}{v_{j}'}},H_j \mid \forall a_j\in S\} \end{array} \right\} , \end{aligned}$$
    (10)

    where the set \(\{T_{12}^{H_j},T_{13}^{H_j},H_j \mid \forall a_j\in S\}\) is sorted by \(H_j\). Due to the hash functions, the corresponding relationship between the tuple \(\{T_{12}^{H_j},T_{13}^{H_j},H_j\}\) and attribute \(a_j\) is preserved. The \({\mathsf {EU}}\) keeps \(x',k\) secret and sends Tr to the \({\mathsf {CS}}\).

  • Tran\((CT,Tr)\rightarrow \widetilde{CT}\) or \(\perp\): This algorithm conducts the following steps: access verification and ciphertext precomputation.

    • Access verification Because this process is a recursive procedure, we first define a recursive algorithm \(F_x=F_x(C_1^x,C_2^x,T_{10}^{j},T_{11}^{j},x)\) intaking \((C_1^x, C_2^x, x)\) in \(CT_1\) and \((T_{10}^{j}, T_{11}^{j})\) in Tr, respectively.

      For each node of \({\mathcal {T}}_1\), the \({\mathsf {CS}}\) runs a recursive algorithm as follows:

      1. (1)

        If x is a leaf node of \({\mathcal {T}}_1\). Let \(a_{j}\) is the corresponding attributes of node x. If \(a_{j} \in S\), the \({\mathsf {CS}}\) computes

        $$\begin{aligned} F_x&=e(C_2^x,T_{10}^{j})\cdot e(C_1^x,T_{11}^{j}) \\&=e(h^{v_{j}q_{x}(0)},g^{\frac{\alpha r x' }{v_{j}}})\cdot e(g^{v_{j}q_{x}(0)},h^{\frac{\alpha r y'}{v_{j}}}) \\&=e(g,h)^{\alpha r q_{x}(0)(x'+y')}. \end{aligned}$$
        (11)

        If \(a_{j} \not \in S\), set \(F_x=null\).

      2. (2)

        If x is a non-leaf node, the recursive algorithm is defined as: for all child nodes z of x, where \(a_{i}\) is the corresponding attributes of node z, the \({\mathsf {CS}}\) computes \(F_z=F_z(C_1^z,C_2^z,T_{10}^{i},T_{11}^{i},z)\) recursively. Let \(S_{x}\) be an arbitrary \(k_{x}\)-sized set of child nodes z satisfying \(F_{z}\ne null\). If \(S_{x}\) does not exist, \(F_{x}=null\). Otherwise, the \({\mathsf {CS}}\) calculates

        $$\begin{aligned} F_{x}&=\prod _{z\in S_{x}}F_{z}^{\Delta _{i,S_{x}'}(0)} \\&=\prod _{z\in S_{x}}(e(g,h)^{\alpha r (x'+y') q_{parent(z)}(index(z))})^{\Delta _{i,S_{x}'}(0)} \\&=e(g,h)^{\alpha r q_{x}(0)(x'+y')}, \end{aligned}$$
        (12)

        where \(i=index(z)\) and \(S_{x}'=\{ index(z)\mid \forall z\in S_{x}\}\).

        By calling the above algorithm on the root node \(R_1\) of \({\mathcal {T}}_1\), the \({\mathsf {CS}}\) gets \(F_{R_1}=e(g,h)^{\alpha r s_{1}(x'+y')}\). Then, the \({\mathsf {CS}}\) computes D as

        $$\begin{aligned} D&=\frac{ e(T_{1},g^{s_{1}+s_{2}})}{F_{R_1} \cdot e(T_{2},h^{s_{1}+s_{2}})} \\&=\frac{e(h^{(\alpha r+ r')(x'+y')+z'},g^{s_{1}+s_{2}})}{e(g,h)^{\alpha r s_{1}(x'+y')} \cdot e(g^{r'(x'+y')+z'},h^{s_{1}+s_{2}})} \\&=e(g,h)^{\alpha r s_{2}(x'+y')}. \end{aligned}$$
        (13)

        Then, for each leaf node \(y\in \widehat{{\mathcal {T}}_2}\), the \({\mathsf {CS}}\) defines

        $$\begin{aligned} F_{y,H_j}=e(C_1^y,T_{13}^{H_j})\cdot e(C_2^y,T_{12}^{H_j}), \end{aligned}$$
        (14)

        and checks whether there exists an \(H_j\in \{H_j\}_{a_j\in S}\) such that

        $$\begin{aligned} {C_5^y}^{T_0} \cdot F_{y,H_j}\cdot D = e(T_3,C_4^y)\cdot e(T_4,C_3^y). \end{aligned}$$
        (15)

        If \(S\models {\mathcal {T}}_1\) and there exists an \(H_j\in \{H_j\}_{a_j\in S}\) such that the \(a_j\) is the corresponding attribute of leaf node y, then

        $$\begin{aligned}&{C_5^y}^{T_0} \cdot F_{y,j}\cdot D \\&\quad =e(g,h)^{\beta q_y(0)(x'+y')}\cdot e(g^{v_{j}'(q_{y}(0)-s_2)},h^{\frac{\alpha r y'}{v_{j}'}})\cdot \\&\qquad e(h^{v_{j}'(q_{y}(0)-s_2)},g^{\frac{\alpha r x'}{v_{j}'}})\cdot e(g,h)^{\alpha r s_2 (x'+y')} \\&\quad =e(g,h)^{(\beta + \alpha r) q_{y}(0)(x'+y')} \\&\quad =e(g^{(\beta +\alpha r)x'},h^{q_{y}(0)})\cdot e(h^{(\beta +\alpha r)y'},g^{q_{y}(0)}) \\&\quad =e(T_3,C_4^y)\cdot e(T_4,C_3^y). \end{aligned}$$
        (16)

        By running the above functions recursively, the \({\mathsf {CS}}\) can find out whether this \({\mathsf {EU}}\) has the attribute corresponding to each leaf node of \(\widehat{{\mathcal {T}}_2}\) and then check out whether it has the authority to access the ciphertext CT, e.t., \(S \models {\mathcal {T}}_1\) and \(S \models \widehat{{\mathcal {T}}_2}\). If CT is accessible, \({\mathsf {CS}}\) outputs the following Table 2. Otherwise, the algorithm outputs \(\perp\). Assume that the \({\mathsf {EU}}\) has the attributes corresponding to t leaf nodes in \(\widehat{{\mathcal {T}}_2}\).

    • Ciphertext precomputation If CT is accessible, i.e., \(S \models {\mathcal {T}}_1\) and \(S \models \widehat{{\mathcal {T}}_2}\), the algorithm is similar to the recursive procedure defined in the above algorithm.

      1. \(S \models {\mathcal {T}}_1\). For each node of \({\mathcal {T}}_1\).

      (1) If x is a leaf node of \({\mathcal {T}}_1\). If \(a_{j} \in S\), the \({\mathsf {CS}}\) sets \(G_x=G_x(C_1^x,T_{10}^{j},x)\) and computes

      $$\begin{aligned} G_x=e(C_1^x,T_{10}^{j})=e(g^{v_{j}q_{x}(0)},g^{\frac{\alpha r x' }{v_{j}}})=e(g,g)^{\alpha r q_{x}(0)x'}. \end{aligned}$$
      (17)

      If \(a_{j} \not \in S\), set \(G_x=null\).

      (2) If x is a non-leaf node, for all child nodes z of x, the \({\mathsf {CS}}\) computes \(G_z=G_x(C_1^z,T_{10}^{j},z)\) recursively. Let \(S_{x}\) be an arbitrary \(k_{x}\)-sized set of child nodes z satisfying \(G_{z}\ne null\). If \(S_{x}\) does not exist, \(G_{x}=null\). Otherwise, the \({\mathsf {CS}}\) calculates

      $$\begin{aligned} G_{x}&=\prod _{z\in S_{x}}G_{z}^{\Delta _{i,S_{x}'}(0)} \\&=\prod _{z\in S_{x}}(e(g,g)^{\alpha r x' q_{parent(z)}(index(z))})^{\Delta _{i,S_{x}'}(0)} \\&=e(g,g)^{\alpha r q_{x}(0)x'}, \end{aligned}$$
      (18)

      where \(i=index(z)\) and \(S_{x}'=\{ index(z)\mid \forall z\in S_{x}\}\). Then \({\mathsf {CS}}\) gets \(G_{R_1}=e(g,g)^{\alpha r s_{1}x'}\) and computes

      $$\begin{aligned} A'&=\frac{G_{R_1}\cdot e(T_6, h^{s_1+s_2})}{e(T_5,g^{s_1+s_2})} \\&=\frac{e(g,g)^{\alpha r s_{1}x'}\cdot e(g^{r'x'},h^{s_1+s_2})}{ e(g^{\alpha r x'}h^{r'x'},g^{s_1+s_2})} \\&=e(g,g)^{\alpha r s_2 x'}. \end{aligned}$$
      (19)
      $$\begin{aligned} A&=\frac{e(T_3,g^{s_2})}{A'}=\frac{e(g^{(\beta +\alpha r)x'},g^{s_2})}{e(g,g)^{\alpha r s_2 x'}}=e(g,g)^{\beta s_2 x'}. \end{aligned}$$
      (20)

      2. \(S \models \widehat{{\mathcal {T}}_2}\). For each \(y_i\) in Table 2, the \({\mathsf {CS}}\) sets \(G_{y_i}=G_{y_i}(C_1^{y_i},T_{10}^{H_{j_i}},y_i,A)\) and computes

      $$\begin{aligned} G_{y_i}&=e(g^{v_{j_i}'(q_{y_i}(0)-s_2)},g^{\frac{\alpha r x' }{v_{j_i}'}})\cdot A \\&=e(g,g)^{\alpha r q_{y_i}(0)x'}. \end{aligned}$$
      (21)

      Since \(S \models \widehat{{\mathcal {T}}_2}\), for the root node \(R_2\) of \(\widehat{{\mathcal {T}}_2}\), the \({\mathsf {CS}}\) can compute \(G_{R_2}=e(g,g)^{\alpha r s_3 x'}\) in a recursive manner, and then computes

      $$\begin{aligned} B&=\frac{e(T_3,g^{s_4})\cdot e(T_5,g^{s_3+s_4})}{G_{R_2}\cdot e(T_6, h^{s_3+s_4})} \\&=\frac{e(g^{(\beta +\alpha r)x'},g^{s_4})\cdot e(g^{(\alpha r x'}h^{r'x'},g^{s_3+s_4})}{e(g,g)^{\alpha r s_{3}x'}\cdot e(g^{r'x'},h^{s_3+s_4})} \\&=e(g,g)^{\beta s_4 x'}. \end{aligned}$$
      (22)

      Finally, the \({\mathsf {CS}}\) returns the precomputed ciphertext

      $$\begin{aligned} \widetilde{CT}=\{E_{ck}(M),A,B,C=ck\cdot e(g,g)^{\beta (s_{2}+s_4)}\} \end{aligned}$$

      to the \({\mathsf {EU}}\).

  • Dec\(((\widetilde{CT}, x')\rightarrow M\): The \({\mathsf {EU}}\) derives the symmetric secret key ck as

    $$\begin{aligned} ck=\frac{C}{(AB)^{\frac{1}{x'}}}=\frac{ck\cdot e(g,g)^{\beta (s_2+s_4)}}{e(g,g)^{\frac{\beta (s_2+s_4) x'}{x'}}}, \end{aligned}$$
    (23)

    and uses ck to decrypt \(E_ck(M)\) by symmetric decryption.

Table 2 Correspondence between leaf node and attribute index
Full size table

Remark 1

Different from previous schemes, we let the attribute \(a_j\) (or leaf node x, attribute index \(H_j\)) appear in the component of secret key (or ciphertext, trapdoor) just to make it clearer which attribute (or leaf node, attribute index) the component of secret key (or ciphertext, trapdoor) corresponds to.

Remark 2

Once the \({\mathsf {EU}}\) has access to the ciphertext, the \({\mathsf {CS}}\) will find out that the leaf nodes in the access tree must correspond to some attributes in S. Therefore, we made a small modification to the Trap algorithm, replacing \(\{T_{10}^{j},T_{11}^{j}, a_j \mid \forall a_{j}\in S\}\) with \(\{T_{10}^{j},T_{11}^{j}, a_j \mid \forall a_{j}\in S_1\}\), where \(S_1\subseteq S\). Since the public access policy is revealed in the ciphertext, the end user can decide the attribute set \(S_1\) by their own. In addition, the Trap algorithm can be run offline while the device is charging.

Remark 3

The computational overhead of the \({\mathsf {CS}}\) to run the Access Verification algorithm scales linearly with \(\mid T_1\mid +\mid S\mid \cdot \mid T_2\mid\), supposed that \(\mid S\mid\) is the number of attributes the \({\mathsf {EU}}\) owned and \(\mid T_1\mid ,\mid T_2\mid\) is the number of leaf nodes in the access tree \({\mathcal {T}}_1,\widehat{{\mathcal {T}}_2}\), respectively. Thus, it does not need a super-polynomial time to find out the correct attributes for successful decryption.

3.4 Analysis of our scheme

In this section, we provide a formal security analysis of our scheme.

3.4.1 Security analysis

Theorem 1

Supposed that a PPT adversary \({\mathcal {A}}\) can break the IND-CPA security of our scheme with a non-negligible advantage \(\epsilon >0\), then there exists a PPT simulator \({\mathcal {B}}\) that can distinguish a DBDH tuple from a random tuple with an advantage \(\frac{\epsilon }{2}\).

Proof

Given the bilinear map parameter \(({\mathbb {G}}_{0}, {\mathbb {G}}_{T},p,e,g)\). The DBDH challenger \({\mathcal {C}}\) selects \(a',b',c'\in {\mathbb {Z}}_{p}\), \(\theta \in \{0,1\}\), \(\mathcal {R} \in {\mathbb {G}}_{T}\) at random. Let \({\mathcal {Z}}=e(g,g)^{a'b'c'}\), if \(\theta =0\), \(\mathcal {R}\) else. Next, \({\mathcal {C}}\) sends \({\mathcal {B}}\) the tuple \(\langle g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}} \rangle\). Then, \({\mathcal {B}}\) plays the role of challenger in the following security game.

  • Initialization \({\mathcal {A}}\) submits two challenge access policy \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\) to \({\mathcal {B}}\).

  • Setup \({\mathcal {B}}\) chooses \(\beta ',x \in {\mathbb {Z}}_{p}\) at random and sets \(h=g^{x}\), \(g^{\alpha }=g^{a'}\), \(e(g,g)^{\beta }=e(g,g)^{\beta '+a'b'}=e(g,g)^{\beta '}e(g^{a'},g^{b'})\), \(e(g,h)^{\beta }=e(g,g)^{\beta x}\). For each attribute \(a_{j}\in \mathcal {L}\), \({\mathcal {B}}\) picks \(s_{j},s_{j}'\in _R Z_p\). If \(a_{j}\in {\mathcal {T}}_1^{*}\), set \(g^{v_{j}}=g^{\frac{a'}{s_{j}}}\), otherwise \(g^{v_{j}}=g^{s_{j}}\); if \(a_{j}\in {\mathcal {T}}_2^{*}\), set \(g^{v_{j}'}=g^{\frac{a'}{s_{j}'}}\), otherwise \(g^{v_{j}'}=g^{s_{j}'}\). The \({\mathcal {B}}\) sets \(h^{v_{j}}=g^{v_{j}x},h^{v_{j}'}=g^{v_{j}'x}\) and sends PK to \({\mathcal {A}}\), where

    $$\begin{aligned} PK=\left\{ \begin{array}{c} {\mathbb {G}}_{0},g,h,g^{\alpha }, e(g,g)^{\beta },e(g,h)^{\beta },\\ \{g^{v_{j}}, h^{v_{j}},g^{v_{j}'},h^{v_{j}'},a_j\mid \forall a_{j}\in \mathcal {L}\} \end{array}\right\} . \end{aligned}$$
    (24)

  • \(Phase\;1\) \({\mathcal {A}}\) adaptively submits any attribute set \(S\in \mathcal {L}\) to \({\mathcal {B}}\) with the restriction that \((S\nvDash {\mathcal {T}}_1^{*} \bigvee S\nvDash {\mathcal {T}}_2^{*})\). In response, \({\mathcal {B}}\) picks \(\hat{r},\tilde{r}\in {\mathbb {Z}}_{p}\) at random, computes \(g^{r}=\frac{g^{\hat{r}}}{g^{b'}}=g^{\hat{r}-b'}\), \(g^{\beta +\alpha r}=g^{\beta '+a'b'+a'(\hat{r}-b')}=g^{\beta '+a'\hat{r}}\), \(h^{\beta +\alpha r}=g^{(\beta '+a'\hat{r})x}=h^{\beta '+a'\hat{r}}\), \(g^{\alpha \hat{r}}h^{\tilde{r}}\), \(h^{\alpha \hat{r}}h^{\tilde{r}}\), \(g^{\tilde{r}}\). For each \(a_{j}\in S\), if \(a_{j}\in {\mathcal {T}}_1^{*}\), \({\mathcal {B}}\) computes \(g^{\frac{\alpha \hat{r}}{v_{j}}}=g^{s_{j}\hat{r}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}}}=h^{s_{j}\hat{r}}\), otherwise \(g^{\frac{\alpha \hat{r}}{v_{j}}}=g^{\frac{a' \hat{r}}{s_{j}}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}}}=h^{\frac{a' \hat{r}}{s_{j}}}\); if \(a_{j}\in {\mathcal {T}}_2^{*}\), \({\mathcal {B}}\) sets \(g^{\frac{\alpha \hat{r}}{v_{j}'}}=g^{s_{j}'\hat{r}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}'}}=h^{s_{j}'\hat{r}}\), otherwise \(g^{\frac{\alpha \hat{r}}{v_{j}'}}=g^{\frac{a' \hat{r}}{s_{j}'}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}'}}=h^{\frac{a' \hat{r}}{s_{j}'}}\).

    Afterward, \({\mathcal {B}}\) answers \({\mathcal {A}}\) with the corresponding secret key

    $$\begin{aligned} SK=\left\{ \begin{array}{c} g^{\beta '+\alpha \hat{r}}, h^{\beta '+a'\hat{r}}, g^{\alpha \hat{r}}h^{\tilde{r}},h^{\alpha \hat{r}}h^{\tilde{r}}, g^{\tilde{r}},\\ \{g^{\frac{\alpha \hat{r}}{v_{j}}},h^{\frac{\alpha \hat{r}}{v_{j}}},g^{\frac{\alpha \hat{r}}{v_{j}'}},h^{\frac{\alpha \hat{r}}{v_{j}'}}, a_j\mid \forall a_{j}\in S\} \end{array}\right\} . \end{aligned}$$
    (25)

  • Challenge \({\mathcal {A}}\) submits two equal-length challenge messages \(\{m_{0},m_{1}\}\) to \({\mathcal {B}}\). Then, \({\mathcal {B}}\) chooses \(s_{1},s_{2} \in _R {\mathbb {Z}}_{p}\) and generates

    $$\begin{aligned} CT_{1}'^{*}=\left\{ \begin{array}{c} {\mathcal {T}}_{1}^{*}, g^{s_{1}}, h^{s_{1}}, \{ C_{j,1}=g^{v_{j}q_{x^{*}}(0)},\\ C_{j,2}=h^{v_{j}q_{x^{*}}(0)},x^* \mid \forall x^*\in \mathcal {X}_1^{*}\} \end{array} \right\} , \end{aligned}$$

    where \(\mathcal {X}_1^{*}\) is a set of attributes corresponding to all leaf nodes in \({\mathcal {T}}_1^{*}\) and each \(x^*\in \mathcal {X}_1^{*}\) is corresponding to attribute \(a_j\). The \({\mathcal {B}}\) sets

    $$\begin{aligned} CT_{1}^*=\{g^{s_{2}},h^{s_{2}},e(g,h)^{\beta s_2},CT_{1}'^*\}, \end{aligned}$$
    (26)

    and generates \(CT_{2}^*\) in a similar method. \({\mathcal {B}}\) picks \(s_{3} \in _R {\mathbb {Z}}_{p}\) and sets \(g^{s_{4}}=\frac{g^{c'}}{g^{s_2}}\), \(h^{s_{4}}=g^{s_{4}x}\), \(e(g,g)^{\beta (s_{2}+s_{4})}={\mathcal {Z}}\cdot e(g,g)^{\beta 'c'}\). So,

    $$\begin{aligned} CT_{2}^*=\{g^{s_{4}},h^{s_{4}},CT_{2}^{'*}\}, \end{aligned}$$
    (27)

    where

    $$\begin{aligned} CT_{2}^{'*}=\left\{ \begin{array}{c} \widehat{{\mathcal {T}}_2^*}, g^{s_{3}}, h^{s_{3}}, \{ C_{1}^y=g^{v_{j}'(q_{y^*}(0)-s_2)}, \\ C_{2}^y=h^{v_{j}'(q_{y^*}(0)-s_2)}, C_{3}^y=g^{q_{y^*}(0)},\\ C_{4}^y=h^{q_{y^*}(0)}, C_{5}^y=e(g,h)^{\beta q_{y^*}(0)}, y \mid \forall y\in \mathcal {X}_2 \} \end{array} \right\} . \end{aligned}$$
    (28)

    Finally, \({\mathcal {B}}\) randomly picks \(\theta '\in \{0,1\}\), sets \(C^{*}=m_{\theta '}\cdot {\mathcal {Z}}\cdot e(g,g)^{\beta 'c'}\), and returns \({\mathcal {A}}\) the final challenge ciphertext \(CT^{*}=\{{\mathcal {T}}_1^*,\widehat{{\mathcal {T}}_2^*}, C^*, CT_{1}^*, CT_{2}^*\}\).

  • \(Phase\;2\) This phase is the same as Phase 1.

  • Guess \({\mathcal {A}}\) outputs a guess bit \(\theta ''\) of \(\theta '\). If \(\theta ''=\theta '\), \({\mathcal {B}}\) guesses \(\theta =0\) which indicates that \({\mathcal {Z}}=e(g,g)^{a'b'c'}\) in the above game. Otherwise, \({\mathcal {B}}\) guesses \(\theta =1\), i.e., \({\mathcal {Z}}=\mathcal {R}\).

If \({\mathcal {Z}}=\mathcal {R}\), then \(CT^{*}\) is random from the view of \({\mathcal {A}}\). Hence, \({\mathcal {B}}'s\) probability to guess \(\theta\) correctly is

$$\begin{aligned} \Pr \left[ {\mathcal {B}}\left( g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}}=\mathcal {R}\right) =1\right] =\frac{1}{2}. \end{aligned}$$
(29)

Else \({\mathcal {Z}}=e(g,g)^{a'b'c'}\), then \(CT^{*}\) is available and \({\mathcal {A}}'s\) advantage of guessing \(\theta '\) is \(\epsilon\). Therefore, \({\mathcal {B}}'s\) probability to guess \(\theta\) correctly is

$$\begin{aligned} \Pr \left[ {\mathcal {B}}\left( g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}}=e(g,g)^{a'b'c'}\right) =0\right] =\frac{1}{2}+\epsilon . \end{aligned}$$
(30)

In conclusion, \({\mathcal {B}}'s\) advantage to win the above security game is

$$\begin{aligned} {\text {Adv}}({\mathcal {B}})&=\frac{1}{2}\left( \Pr \left[ {\mathcal {B}}\left( g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}}=e(g,g)^{a'b'c'}\right) =0\right] \right. \\&\quad \left. +\Pr \left[ {\mathcal {B}}\left( g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}}=\mathcal {R}\right) =1\right] \right) -\frac{1}{2} =\frac{1}{2}\epsilon . \end{aligned}$$
(31)

\(\square\)

Theorem 2

Supposed that a PPT adversary \({\mathcal {A}}\) can break the IND-CSPA security of our scheme with a non-negligible advantage \(\epsilon >0\), then there exists a PPT simulator \({\mathcal {B}}\) that can distinguish a DBDH tuple from a random tuple with an advantage \(\frac{\epsilon }{2}\).

Proof

The proof process of this theorem is similar to that of Theorem 1. The DBDH challenger \({\mathcal {C}}\) sends \({\mathcal {B}}\) the tuple \(\langle g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}} \rangle\), in which \({\mathcal {Z}}=e(g,g)^{a'b'c'}\) or \(\mathcal {R}\). \({\mathcal {A}}\) chooses a challenge access structure \({\mathcal {T}}^{*}\) initially. \({\mathcal {B}}\) returns public key in the same way as in Theorem 1. Then \({\mathcal {A}}\) adaptively submits any attribute set S with the restriction that \(S \nvDash {\mathcal {T}}^{*}\). Since \({\mathcal {B}}\) can generate secret keys as in Theorem 1, it can naturally answer \({\mathcal {A}}\) with the corresponding trapdoor Tr. In the challenge phase, \({\mathcal {A}}\) submits \(m^*\) and two challenge policies \({\mathcal {T}}_0^{*}\) and \({\mathcal {T}}_1^{*}\) with the same structure, i.e., \(\widehat{{\mathcal {T}}_0^{*}}=\widehat{{\mathcal {T}}_1^{*}}\). \({\mathcal {B}}\) randomly picks \(\theta '\in \{0,1\}\), generates \(CT_2^*\) with \({\mathcal {T}}_{\theta '}^*\) and returns the challenge ciphertext \(CT^{*}\). If \({\mathcal {A}}\)’s advantage of guessing \(\theta '\) is \(\epsilon\), then \({\mathcal {B}}\)’s advantage to distinguish a DBDH tuple from a random tuple is \(\frac{\epsilon }{2}\). \(\square\)

Remark 4

In Definition  6, it demonstrates the IND-CPA security of our scheme. Since the adversary needs to satisfies both \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\) to decrypt the ciphertext, the restriction on the private key inquiry in Theorem  1 is \((S\nvDash {\mathcal {T}}_1^{*} \bigvee S\nvDash {\mathcal {T}}_2^{*})\), otherwise the adversary can break our scheme trivially. While in Definition  7, it is required that the adversary cannot tell the challenge sensitive policy \({\mathcal {T}}_0^{*}\) apart from \({\mathcal {T}}_1^{*}\) if it doesn’t satisfy the public access policy \({\mathcal {T}}^{*}\). So the restriction on the private key inquiry in Theorem  2 is \(S\nvDash {\mathcal {T}}^{*}\), otherwise the adversary can break our scheme trivially.

3.4.2 Complexity analysis

In this section, we compare the computational overhead with some other related schemes with hidden policy from a technical point of view. Some schemes only support AND-gate policies, to represent an expressive policy f, we transmute it to a disjunctive normal form and \(f=f_1\bigvee \cdots \bigvee f_n\) and then represent each \(f_i\) by a conjunctive clause as \(f_i={\text {att}}_{i,1}\bigwedge \cdots \bigwedge {\text {att}}_{i,l}\). Without loss of generality, we suppose each attribute \({\text {att}}_i\) has two values \({\text {att}}_{i,1},{\text {att}}_{i,2}\) and consider such a simple access policy

$$\begin{aligned} f=({\text {att}}_{1,1}\bigvee {\text {att}}_{1,2})\bigwedge ({\text {att}}_{2,1}\bigvee {\text {att}}_{2,2})\ldots \bigwedge ({\text {att}}_{n,1}\bigvee {\text {att}}_{n,2}), \end{aligned}$$

which means that there are \(2^{n}\) access strategies. Now, we discuss the computational overhead of each scheme in Table 3.

Table 3 Computational overhead among various schemes
Full size table

As shown in Table 3, schemes [6, 24, 25] restricted with AND-gates on multi-values give rise to an exponential size of ciphertext for supporting an expressive access policy. Since the attribute value is hidden in [28], for finding the correct attribute value for successful decryption, [28] needs end user to test super-polynomial times. In addition, all the above schemes only protect the privacy attribute value, but expose the information of attribute name. Some other schemes based on the inner-product predicate encryption [18, 29] that we haven’t discussed in detail here, because transform an inner-product predicate to an expressive access policy will also cause an exponential size of ciphertext. In our scheme, the size of ciphertext, test time and decryption time are all polynomial. Partial overhead for generating the ciphertext is outsourced to fog nodes and most overhead during test and decryption is outsourced from end user to the cloud.

4 Conclusion

In this work, we provide a novel method to protect the privacy of sensitive policy in CP-ABE scheme. With the help of KS techniques,the access policy in our scheme is expressive and compact, and the computational overhead of encryption (half part) and decryption (most part) can be sifted to fog nodes and cloud server respectively. Hence, our scheme is more friendly for resource-limited mobile devices. The list of abbreviations is shown in Table 4.

Table 4 List of abbreviations
Full size table