 Research
 Open Access
 Published:
Ciphertextpolicy attributebased encryption with hidden sensitive policy from keyword search techniques in smart city
EURASIP Journal on Wireless Communications and Networking volume 2021, Article number: 20 (2021)
Abstract
Countless data generated in Smart city may contain private and sensitive information and should be protected from unauthorized users. The data can be encrypted by Attributebased encryption (CPABE), which allows encrypter to specify access policies in the ciphertext. But, traditional CPABE schemes are limited because of two shortages: the access policy is public i.e., privacy exposed; the decryption time is linear with the complexity of policy, i.e., huge computational overheads. In this work, we introduce a novel method to protect the privacy of CPABE scheme by keyword search (KS) techniques. In detail, we define a new security model called chosen sensitive policy security: two access policies embedded in the ciphertext, one is public and the other is sensitive and hidden. If user's attributes don't satisfy the public policy, he/she cannot get any information (attribute name and its values) of the hidden one. Previous CPABE schemes with hidden policy only work on the “ANDgate” access structure or their ciphertext size or decryption time maybe superpolynomial. Our scheme is more expressive and compact. Since, IoT devices spread all over the smart city, so the computational overhead of encryption and decryption can be shifted to third parties. Therefore, our scheme is more applicable to resourceconstrained users. We prove our scheme to be selective secure under the decisional bilinear DiffieHellman (DBDH) assumption.
Introduction
Smart city is a new concept brought up with the technological revolution providing various digital services for citizens to make their life more convenient among all aspects of daily life including education, health care, traffic transport, job recruitment and so on. From the perspective of technological development, the construction of smart cities requires the realization of comprehensive perception, ubiquitous interconnection, pervasive computing and integrated applications through the Internet of Things, cloud computing and other newgeneration information technology applications represented by mobile technology. From the perspective of social development, smart cities also require the application of tools and methods such as wikis, social networks, Fab Lab, Living Lab and integrated integration methods to facilitate residents’ lives and economic activities. To build a smart city, enormous data will be generated, processed and analysed.
Cloud server is an internetbased paradigm that provides massive data storage and processing services for innumerable enterprises and individuals. Fog nodes [1] are physical components (such as gateways, switches, routers, servers, etc.) or virtual components (such as ED switches, virtual machines, Cloudlet 9, etc.) that are tightly connected with the network and provide computing resources. As shown in Fig. 1, such devices can be found everywhere in the smart city providing more efficient and convenient services.
Generally speaking, data and services on the cloud are open and accessible to anyone, and data owner will lose any control on the data as soon as it uploaded to the cloud. In many distributed applications, it is necessary to enforce a specific access control policy on sensitive data, and only authorized users can access these data.
In this case, Sahai et al. [2] first introduced the concept of attributebased encryption (ABE) achieving both scalable and finegrained access control on ciphertext. ABE schemes are generally divided into two types: ciphertextpolicy ABE (CPABE) [3] and keypolicy ABE (KPABE) [4]. In CPABE, the access policy is embedded in the ciphertext and anyone can decrypt it as long as his/her attributes satisfy the policy.
One problem in traditional CPABE scheme [4, 5] is that the access policy is sent along with a ciphertext to inform end users which attributes satisfy the access policy, therefore the privacy in the policy could be exposed. However, this property is not suitable for many application scenarios, such as medical, industrial and financial fields. For instance, the access policy of an encrypted files of patient's medical record may reveal individual privacy; a company may hire eligible staff with specific qualification (i.e., attributes) which may expose the company's future development strategy.
If it is not known which attributes should be used for decryption, the decryption will be infeasible for authorized users. So, Nishide et al. [6] introduced the notion of partially hidden access policy in CPABE. In their scheme, the attribute is defined by two parts, attribute name and attribute values and only attribute value is concealed in their shceme. Although this method protects the privacy of the policy to some extent, it also has some drawbacks: in some cases, the attribute name still contains sensitive and valuable information, and it's still revealed in the access policy; If the end user has multiple values for each attribute, the decryption time maybe superpolynomial, since he/she has to guess which attribute value is exactly embedded in the ciphertext. Innerproduct predicate encryption (IPE) [7] is another method to protect policy privacy, but it could cause the ciphertext size to be superpolynomial.
Besides attribute values, sometimes, attribute names are also sensitive and should be kept secret. For example: a recruitment sharing in the cloud can only be accessed by specific applicants. The access policy may be defined as {[Gender: male or female] AND [Education: M.D. or PH.D.]} AND {[Probability and statistics: statistics or econometrics] AND [Computer science and technology: data mining or machine learning]}. In this case, the “Probability and statistics: statistics or econometrics” and “Computer science and technology: data mining or machine learning” in the access policy are obviously more sensitive, since it may reveal commercial confidentiality that the company is managing to achieve transformation with the help of IoT.
Another problem in the existing ABE schemes [3,4,5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This property is not suitable for users on their resourceconstrained mobile devices. To reduce the computational overhead of end user, some cryptographic operations with heavy computational load can be outsourced to thirdparty service [8, 9]. In smart cities, countless IoT devices connected to the Internet in every corner of the city can be utilized to provide much more convenient and faster computing resources for resourcelimited end users.
Motivation
In the abovementioned example, data owner could encrypt the data in a different way such that any one obtaining the ciphertext can only learn about the public access policy (i.e., [Gender: male or female] AND [Education: M.D. or PH.D.]), while the sensitive information in the secret policy (i.e., [Probability and statistics: statistics or econometrics] AND [Computer science and technology: data mining or machine learning]) including attribute name and its values should be fully hidden. Figures 2 and 3 graphically show this example.
There seems to be a simple solution to protect the privacy of sensitive policy. Specifically, one can use a classic CPABE to encrypt the sensitive access policy under the public access policy as first part of the ciphertext and use CPABE to encrypt the message under the secretaccesspolicy as the second part. However, in this method, the cloud can’t check whether the end user has sufficient authorities to access the ciphertext, since the ciphertext can only be obtained by authorized end users. Another drawback of this method is that the decryption overhead of the second part ciphertext can’t be outsourced to the cloud.
Contributions
Motivated by the above observation, in this paper, we propose a ciphertextpolicy attributebased encryption with hidden sensitive policy from keyword search techniques in smart city. In our scheme, data owner (employer) publishes an encrypted recruitment for the end user (potential employee) in the cloud. Only authorized end user can access the ciphertext, and the privacy of the sensitive access policy is preserved from unauthorized end users. The contribution of our scheme is shown as follows.

Hidden sensitive policy We embed two access policies in the encrypted data, one is public and the other is secret and hidden. When satisfying both policies, he/she can decrypt the ciphertext. For the privacy of sensitive policy, we propose a new security model i.e., chosen sensitive policy attack (CSPA): if user's attributes don't satisfy the public policy, he/she cannot learn anything of the secret one. Specifically, the end user generates two sets of randomized secret keys, where each component of the one set corresponds to a public attribute name (or value) and each component of the other set corresponds to an attribute index (usergenerated hash value). The end user uploads the two sets to the cloud to check whether he/she has authority to decrypt the ciphertext with double policies. If user satisfies the public policy, the cloud can detect whether the attribute contained in each leaf node of secret policy belongs the user's attributes. This process is essentially a attributebased keyword search (ABKS) mechanism. By keyword search (KS) methods, the cloud cannot learn about which attribute the leaf node in the access tree of secret policy stands for and unauthorized end users also can't obtain the ciphertext or learn about the secret policy. Therefore, our scheme protects the privacy in sensitive access policy of the ciphertext from unauthorized applicants.

Expressive and efficient Our scheme is expressive and efficient. It supports any monotone access structure instead of restricted policy such as ANDgates on multivalues. The size of the ciphertext scales linearly with the complexity of the access policy. End user doesn’t need to test several times, which could be superpolynomial in some previous schemes, before finding the attributes for successful decryption, even if he/she has multiple values for each attribute.

Applicable for resourcelimited end user With the help of thousands of fog nodes in the smart city, the computational overhead of data owner generating the subciphertext of the public access policy can be outsourced, and most computational overhead of decryption is shifted from end user to the cloud, leaving a constant number of operations to decrypt the ciphertext. Therefore, it is more suitable for resourceconstrained end users.
Discussion and result
Discussion
Sahai et al. [2] first introduced the concept of attributebased encryption (ABE), which can be divided into two forms: ciphertextpolicy ABE (CPABE) [4] and keypolicy ABE (KPABE) [3] . Bethencourt et al. [4] proposed the first CPABE scheme, in which the access policy is very expressive and specified by the data owner. From then on, ABE schemes with various functionalities have been widely constructed, e.g., supporting regular languages [10, 11], with unbounded attribute size [10, 12, 13], with constantsize ciphertext [14], with multiauthority [15,16,17], and with adaptive security [18,19,20]. One drawback in traditional CPABE schemes [4, 5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This defect in attribute encryption makes it unsuitable for users with resourceconstrained devices. To reduce the computation cost of end user, Green et al. [9] provided a new methods for efficiently and securely outsourcing decryption of ABE ciphertexts. In their scheme, most of the heavy cryptographic operations of decryption algorithm are outsourced to the cloud, leaving only a small number of operations for the end user. Li et al. [21] also considered to outsource keyissuing and decryption simultaneously for ABE schemes by introducing two cloud service providers. In the wake of 5G and IoT techniques, fog computing [1] is considered to be a new data resource that can provide highquality outsourcing services. In fog computing environment, Zuo et al. [22] proposed a practical CPABE scheme with outsourced decryption, while Zhang et al. [23] support outsourced encryption, outsourced decryption and attribute update.
However, the access policy must be revealed in most of these schemes, since end users need to know how they combine their secret key components for decryption. This may lead to privacy disclosure, so research on the anonymity of access policies is necessary. Nishide et al. [6] first introduced the concept of partially hidden access policy to achieve anonymity, in which the attribute is split into an attribute name and its values, and only the attribute values are hidden. Some other works [24,25,26] improved the efficiency and security of [6], but their policies are all restricted with ANDgates on multivalues as in [6]. Later, Lai et al. [27] proposed an expressive fully secure CPABE scheme with the LSSSbased partially hidden policy in composite order groups. Based on Lai’s scheme, Cui et al. [28] proposed a more efficient one in prime order groups. However, looking for the correct attributes for successful decryption, both [27] and [28] need authorized users to test several times, which cloud be superpolynomial in special cases; for instance, user has many values for each attribute. All the above schemes focus on the partially hidden access policy, while the public attribute names may also lead to the leakage of sensitive information. Some other schemes based on the innerproduct predicate encryption [18, 29] and hidden vector encryption [30] are proposed to protect the policy privacy, but their efficiency is seriously restricted, which means that the size of ciphertext could be superpolynomial.
The keyword search techniques enables the cloud to search over encrypted data without revealing any sensitive information of the keyword. In 2000, Song et al. [31] initially introduced a searchable encryption (SE) technique. Boneh et al. [32] proposed the first public key encryption with keyword search. To achieve both finegrained access control and keyword search simultaneously, attributebased encryption with keyword search [33,34,35,36] was proposed. Among them, [35, 36] are constructed in fog computing environment.
Result
In our scheme, sensitive access policy of encrypted recruitment is fully hidden; expressive policy is supported; the ciphertext size is polynomial; the most computational overhead of decryption is outsourced to the cloud server, leaving a constant number of operations for the end user. We summarize the comparisons of various CPABE schemes with hidden policy in Table 1.
Method
Preliminaries
In this section, we introduce some background knowledge, which includes access structure, access tree, bilinear maps, Diffie–Hellman assumption and its variants.
Access structures
Definition 1
(Access structure [4]) Let \(\{P_{1},P_{2},\ldots ,P_{n}\}\) be a set of parties. A collection \({\mathbb {A}}\subseteq 2^{\{P_{1},P_{2},\ldots ,P_{n}\}}\) is monotone if \(\forall B,C\): if \(B\in {\mathbb {A}}\) and \(B \subseteq C\) then \(C \in {\mathbb {A}}\). An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) \({\mathbb {A}}\) of nonempty subsets of \(\{P_{1},P_{2},\ldots ,P_{n}\}\), i.e., \({\mathbb {A}} \subseteq 2^{\{P_{1},P_{2},\ldots ,P_{n}\}}{\setminus } \{\emptyset \}\). The sets in \({\mathbb {A}}\) are called the authorized sets, and the sets not in \({\mathbb {A}}\) are called the unauthorized sets.
In this paper, attributes take the role of the parties, and we only focus on the monotone access structure \({\mathbb {A}}\), which consists of the authorized sets of attributes. Obviously, attributes can directly reflect a user’s authority.
Definition 2
(Access tree [4]) Let \({\mathcal {T}}\) be a tree representing an access structure. Each nonleaf node of the tree represents a threshold gate, described by its children and a threshold value. If \(num_{x}\) is the number of children of a node x and \(k_{x}\) is its threshold value, then \(0\le k_{x}\le num_{x}\). When \(k_{x}=1\), the threshold gate is an OR gate and when \(k_{x}=num_{x}\), it is an AND gate. Each leaf node x of the tree is described by an attribute and a threshold value \(k_{x}=1\).
We introduce a few functions defined in [4] as follows. parent(x) denotes the parent of the node x in the tree. The access tree \({\mathcal {T}}\) also defines an ordering between the children of every node, that is, the children of a node are numbered from 1 to num. The function index(x) returns such a number associated with the node x, where the index values are uniquely assigned to nodes in the access structure for a given key in an arbitrary manner. Each leaf node x corresponds to an attribute \(a_j\), and this relationship should be revealed in the access tree \({\mathcal {T}}\). To protect the privacy of access policy, we defined the access tree with hidden attributes \(\widehat{{\mathcal {T}}}\).
Definition 3
(Access tree with hidden attributes \(\widehat{{\mathcal {T}}}\)) \(\widehat{{\mathcal {T}}}\) is an access tree with structure the same as normal access trees, except that it doesn’t reveal any information about the correspondence between leaf nodes and attributes. It is very easy to check whether a combination of leaf nodes satisfies the access structure, but the information of attribute in these nodes is hidden. So, it is impossible to find out which attributes are embedded in the access tree just from the structure itself.
For better understanding, assuming that \(x_i,y_i\) are the indexes of leaf nodes and \(a_i\) is the corresponding attribute, the comparison of two kinds of access tree is shown in Figs. 4 and 5. Specifically, the attribute name and its value in the dotted node in Fig. 4 are exposed. However, it is on the contrary in Fig. 5 and only the index of the node is revealed in Fig. 5.
Definition 4
(Satisfying an access tree [4]) Let \({\mathcal {T}}\) be an access tree with root r. Denote by \({\mathcal {T}}_{x}\) the subtree of \({\mathcal {T}}\) rooted at the node x. Hence, \({\mathcal {T}}\) is the same as \({\mathcal {T}}_{r}\). If a set of attributes \(\gamma\) satisfies the access tree \({\mathcal {T}}_{x}\), we denote it as \({\mathcal {T}}_{x}(\gamma )=1\). We compute \({\mathcal {T}}_{x}(\gamma )\) recursively as follows. If x is a nonleaf node, evaluate \({\mathcal {T}}_{x'}(\gamma )=1\) for all children \(x'\) of node x. \({\mathcal {T}}_{x}(\gamma )\) returns 1 if and only if at least \(k_{x}\) children return 1. If x is a leaf node, then \({\mathcal {T}}_{x}(\gamma )\) returns 1 if and only if \({\text {att}}(x)\in \gamma\).
Bilinear map and DBDH assumption
We briefly recall the definitions of the bilinear map and the decisional bilinear Diffie–Hellman (DBDH) assumption. Let \({\mathbb {G}}_{0}\) and \({\mathbb {G}}_{T}\) be two multiplicative cyclic groups of prime order p. Let g be a generator of \({\mathbb {G}}_{0}\) and e be a efficient computable bilinear map, \(e: {\mathbb {G}}_{0}\times {\mathbb {G}}_{0}\rightarrow {\mathbb {G}}_{T}\). The bilinear map e has a few properties: (1) Bilinearity: for all \(u, v\in {\mathbb {G}}_{0}\) and \(a, b \in {\mathbb {Z}}_{p}\), we have \(e(u^{a}, v^{b}) = e(u, v)^{ab}\). (2) Nondegeneracy: \(e(g,g)\ne 1\). We say that \({\mathbb {G}}_{0}\) is a bilinear group if the group operation in \({\mathbb {G}}_{0}\) and the bilinear map \(e: {\mathbb {G}}_{0}\times {\mathbb {G}}_{0}\rightarrow {\mathbb {G}}_{T}\) are both efficiently computable. Notice that the map e is symmetric since \(e(g^{a},g^{b}) = e(g, g)^{ab} = e(g^{b}, g^{a})\).
Given the bilinear map parameter \(({\mathbb {G}}_{0}, {\mathbb {G}}_{T},p,e,g)\) and three random elements \((x,y,z)\in {\mathbb {Z}}_{p}^{3}\), if there is no probabilistic polynomial time (PPT) adversary \({\mathcal {B}}\) can distinguish between the tuple \((g,g^{x},g^{y},g^{z}, e(g,g)^{xyz})\) and the tuple \((g,g^{x},g^{y},g^{z}, \vartheta )\), we say that the DBDH assumption holds, where \(\vartheta\) is randomly selected from \({\mathbb {G}}_{T}\). More specifically, the advantage \(\epsilon\) of \({\mathcal {B}}\) in solving the DBDH problem is defined as
Definition 5
(DBDH) We say that the DBDH assumption holds if no PPT algorithm has a nonnegligible advantage \(\epsilon\) in solving DBDH problem.
System and security model
In this section, we introduce the system description, system model, threat model and security model of our scheme.
System description
As shown in Fig. 6, we consider a ciphertext retrieval scenario in fog computing environment. It consists of five parties: Key Authority Center (\({\mathsf {KAC}}\)), Data Owner (\({\mathsf {DO}}\)), Cloud Server (\({\mathsf {CS}}\)), End User (\({\mathsf {EU}}\)), and Fog Nodes (\({\mathsf {FN}}\)). The specific role of each party is given as follows:

Key Authority Center (\({\mathsf {KAC}}\)): The \({\mathsf {KAC}}\) is a fully trusted third party which is in charge of generating public parameters and secret keys.

Data Owner (\({\mathsf {DO}}\)): The \({\mathsf {DO}}\) defines the access structure to encrypt a ciphertext CT with the help of fog nodes.

Cloud Server (\({\mathsf {CS}}\)): The \({\mathsf {CS}}\) has huge computing power and storage capacity; it can provide computing and storage services to both data owner and end user, especially to help end user partially decrypt the ciphertext.

End User (\({\mathsf {EU}}\)): Resourceconstrained user submits a trapdoor to the \({\mathsf {CS}}\), which will help him/her to partially decrypt the ciphertext.

Fog Nodes (\({\mathsf {FN}}\)): Some computational overheads can be outsourced from the \({\mathsf {DO}}\) to the fog nodes during the encryption process.
System model
Our scheme includes the following six algorithms:

Setup\((1^{\lambda }, \mathcal {L}) \rightarrow (PK,MSK)\) Given security parameter \(\lambda\) and a set of all possible attributes \(\mathcal {L}\), the \({\mathsf {KAC}}\) generates public key PK and master secret key MSK.

KeyGen\((PK,MSK, S) \rightarrow SK\) On input the public key PK, the master secret key MSK and an attribute set S, the \({\mathsf {KAC}}\) generates a secret key SK for the \({\mathsf {EU}}\).

Enc\((PK,{\mathcal {T}}_1,{\mathcal {T}}_2,M)\rightarrow CT\) On input PK, two access policies \({\mathcal {T}}_1,{\mathcal {T}}_2\) and message M, with the help of fog nodes, the \({\mathsf {DO}}\) generates the ciphertext CT, in which \({\mathcal {T}}_1\) is public and \({\mathcal {T}}_2\) is fully hidden.

Trap\(SK \rightarrow Tr\) The \({\mathsf {EU}}\) generates the trapdoor Tr by his own secret key SK and submits Tr to the \({{\mathsf {CS}}}\).

Tran\((CT,Tr)\rightarrow {\widetilde{CT}}\) or \(\perp\): This algorithm contains two steps:

At first, the \({\mathsf {CS}}\) interacts Tr and CT to verify whether the \({\mathsf {EU}}\) has authority to decrypt CT. If \(S\nvDash {\mathcal {T}}_1 \bigvee S\nvDash {\mathcal {T}}_2\), it outputs \(\perp\).

If \(S\models {\mathcal {T}}_1 \bigwedge S\models {\mathcal {T}}_2\), the \({\mathsf {CS}}\) partially decrypts CT and returns the precomputed ciphertext \(\widetilde{CT}\) to the \({\mathsf {EU}}\).


Dec\((\widetilde{CT}, SK)\rightarrow M\): On input \(\widetilde{CT},SK\), the \({\mathsf {EU}}\) decrypts \(\widetilde{CT}\) and outputs M.
Threat model
In this paper, we assume that the \({\mathsf {KAC}}\) is a fully trusted third party, while the \({\mathsf {CS}}\) and \({\mathsf {FN}}\) are honestbutcurious entities, which exactly follow the protocol specifications but also are curious about the sensitive information of ciphertexts and trapdoors. Users are not allowed to collude with \({\mathsf {CS}}\) or \({\mathsf {FN}}\). Nevertheless, malicious users may collude with each other to access some unauthorized ciphertexts.
Security model
Our scheme achieves chosen plaintext security by the following security game between a PPT adversary \({\mathcal {A}}\) and a challenger \({\mathcal {C}}\).

Initialization \({\mathcal {A}}\) chooses and submits two challenge access policies \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\) to its challenger \({\mathcal {C}}\).

Setup \({\mathcal {C}}\) runs Setup algorithm and returns the public key PK to \({\mathcal {A}}\).

\(Phase\; 1\) \({\mathcal {A}}\) adaptively submits any attribute set S to \({\mathcal {C}}\) with the restriction that \((S\nvDash {\mathcal {T}}_1^{*} \bigvee S\nvDash {\mathcal {T}}_2^{*})\). In response, \({\mathcal {C}}\) runs KeyGen algorithm and answers \({\mathcal {A}}\) with the corresponding SK.

Challenge \({\mathcal {A}}\) chooses two equallength challenge messages \((m_{0},m_{1})\) and submits them to \({\mathcal {C}}\). Then \({\mathcal {C}}\) picks a random bit \(\vartheta \in \{0,1\}\), runs Enc algorithm to encrypt \(m_{\vartheta }\) with \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\), and returns the challenge ciphertext \(CT^{*}\) to \({\mathcal {A}}\).

\(Phase\; 2\) This phase is the same as Phase 1.

Guess \({\mathcal {A}}\) outputs a guess bit \(\vartheta '\) of \(\vartheta\). We say that \({\mathcal {A}}\) wins the game if and only if \(\vartheta '=\vartheta\).
The advantage of \({\mathcal {A}}\) to win this security game is defined as \({\text {Adv}}({\mathcal {A}})=\left \Pr [\vartheta '=\vartheta ]\frac{1}{2}\right\).
Definition 6
Our scheme achieves INDCPA security if there exists no PPT adversary winning the above security game with a nonnegligible advantage \(\epsilon\) under the DBDH assumption.
In addition, we define a new security model chosen sensitive policy attack (CSPA) for our scheme by the following security game between \({\mathcal {A}}\) and \({\mathcal {C}}\).

Initialization \({\mathcal {A}}\) chooses and submits a challenge access structure \({\mathcal {T}}_1^{*}\) to its challenger \({\mathcal {C}}\).

Setup \({\mathcal {C}}\) runs Setup algorithm and gives PK to \({\mathcal {A}}\).

\(Phase\;1\) \({\mathcal {A}}\) adaptively submits any attribute set S with the restriction that \(S\nvDash {\mathcal {T}}_1^{*}\). In response, \({\mathcal {C}}\) runs Trap algorithm and responds \({\mathcal {A}}\) with the corresponding trapdoor Tr.

Challenge \({\mathcal {A}}\) submits \(m^*\) and two challenge hidden policies \({\mathcal {T}}_2^{0*}\) and \({\mathcal {T}}_2^{1*}\) with the same structure. Then, \({\mathcal {C}}\) picks a random bit \(\vartheta \in \{0,1\}\) and returns the challenge ciphertext \(CT^{*}\) encrypted with \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{\vartheta *}\).

\(Phase\; 2\) This phase is the same as Phase 1.

Guess \({\mathcal {A}}\) outputs a guess bit \(\vartheta '\) of \(\vartheta\). We say that \({\mathcal {A}}\) wins the game if and only if \(\vartheta '=\vartheta\).
The advantage of \({\mathcal {A}}\) to win this security game is defined as \({\text {Adv}}({\mathcal {A}})=\left \Pr [\vartheta '=\vartheta ]\frac{1}{2}\right\).
Definition 7
Our scheme achieves INDCSPA security if there exists no PPT adversary winning the above security game with a nonnegligible advantage \(\epsilon\) under the DBDH assumption.
Construction of our scheme
In this section, we present the concrete construction of CPABE scheme with hidden sensitive policy.
Without loss of generality, we suppose that there are n possible attributes in total and \(\mathcal {L}=\{a_{1},a_{2},\ldots ,a_{n} \}\) is the set of all possible attributes. Assume \({\mathbb {G}}_{0}, {\mathbb {G}}_{T}\) are multiplicative cyclic groups with prime order p and the generator of \({\mathbb {G}}_{0}\) is g. Let \(\lambda\) be the security parameter which determines the size of groups. Let \(e: {\mathbb {G}}_{0}\times {\mathbb {G}}_{0}\rightarrow {\mathbb {G}}_{T}\) be a bilinear map and \(H:\{0,1\}^{*}\longrightarrow \mathbb {Z}_{p}\) be a hash function which maps any string to a random element of \(\mathbb {Z}_{p}\). We also define the Lagrange coefficient \(\Delta _{i,L}(x)=\prod _{j\in L, j\ne i}\frac{xj}{ij}\), where \(i\in \mathbb {Z}_{p}\) and a set L of elements in \(\mathbb {Z}_{p}\). The details of our scheme are as follows.

Setup\((1^{\lambda }, \mathcal {L})\rightarrow (PK, MSK)\): Given a security parameter \(\lambda\) and all possible attributes \(\mathcal {L}\), the \({\mathsf {KAC}}\) chooses a bilinear group \({\mathbb {G}}_{0}\) with prime order p and generator g. Next, it picks \(\alpha ,\beta \in _R \mathbb {Z}_{p}^{*}\) and \(h \in _R {\mathbb {G}}_{0}\). For each attribute \(a_{j}\in \mathcal {L}\), it selects \(v_{j},v_{j}'\in _R \mathbb {Z}_{p}^{*}\). Finally, it generates the public key PK and master secret key MSK as
$$\begin{aligned} PK= & {} \left\{ \begin{array}{c} {\mathbb {G}}_{0}, g, h, g^{\alpha }, e(g,g)^{\beta },e(g,h)^{\beta },\\ \left\{ g^{v_{j}}, h^{v_{j}},g^{v_{j}'}, h^{v_{j}'},a_j \mid \forall a_{j}\in \mathcal {L} \right\} \end{array} \right\} ; \end{aligned}$$(2)$$\begin{aligned} MSK= & {} \left\{ \alpha , \beta , \left\{ v_{j},v_{j}', a_j\mid \forall a_{j}\in \mathcal {L}\right\} \right\} . \end{aligned}$$(3) 
KeyGen\((MSK, S)\rightarrow SK\): While receiving an attribute set S from the \({\mathsf {EU}}\), the \({\mathsf {KAC}}\) selects \(r, r' \in _R {\mathbb {Z}}_{p}^{*}\) and returns the secret key SK as
$$\begin{aligned} SK=\left\{ \begin{array}{c} g^{\beta +\alpha r}, h^{\beta +\alpha r}, g^{\alpha r}h^{r'},h^{\alpha r+r'}, g^{r'},\\ \{g^{\frac{\alpha r}{v_{j}}},h^{\frac{\alpha r}{v_{j}}},g^{\frac{\alpha r}{v_{j}'}},h^{\frac{\alpha r}{v_{j}'}}, a_j \mid \forall a_{j}\in S\} \end{array}\right\} . \end{aligned}$$(4) 
Enc\((PK,{\mathcal {T}}_1,{\mathcal {T}}_2,M)\rightarrow CT\): The \({\mathsf {DO}}\) chooses \(ck\in _R \mathbb {Z}_{p}^{*}\) as a symmetric encryption key and encrypts message M with ck, \(E_{ck}(M)\), by using symmetric encryption (AES). Then, it encrypts ck with the help of the \({\mathsf {FN}}\) as follows:

1
The \({\mathsf {DO}}\) sends \({\mathcal {T}}_1\) to the \({\mathsf {FN}}\). The \({\mathsf {FN}}\) randomly choose a polynomial \(q_{x}\) for each node x of \({\mathcal {T}}_1\) from the root node \(R_1\) in a topdown manner: for each node x of \({\mathcal {T}}_1\), the degree of \(q_{x}\) is \(d_{x}=k_{x}1\), where \(k_{x}\) is the threshold value of x; beginning with root node \(R_1\), the \({\mathsf {FN}}\) pick \(s_{1}\in _R {\mathbb {Z}}_{p}^{*}\), sets \(q_{R_1}(0)=s_1\) and randomly chooses \(d_{R_1}=k_{R_1}1\) other points of \(q_{R_1}\) to define the polynomial completely; for any other node x, they set \(q_{x}(0)=q_{parent(x)}(index(x))\) and choose \(d_{x}\) other points to define \(q_{x}\) completely. The \({\mathsf {FN}}\) generate the \(CT_1'\) as
$$\begin{aligned} CT_{1}'=\left\{ \begin{array}{c} {\mathcal {T}}_1, g^{s_{1}}, h^{s_{1}}, \{ C_{1}^x=g^{v_{j}q_{x}(0)}, \\ C_{2}^x=h^{v_{j}q_{x}(0)}, x \mid \forall x\in \mathcal {X}_1\} \end{array} \right\} , \end{aligned}$$(5)where \(\mathcal {X}_1\) is a set of attributes corresponding to all leaf nodes in \({\mathcal {T}}_1\) and each \(x\in \mathcal {X}_1\) is corresponding to attribute \(a_j\). Note that \({\mathcal {T}}_1\) is stored in \(CT_1'\) in the form of plaintext, so the privacy of the access policy of \({\mathcal {T}}_1\) is exposed.

2
The \({\mathsf {DO}}\) picks \(s_{2}\in _R {\mathbb {Z}}_{p}^{*}\) and sends \(g^{s_2}\), \(h^{s_2},e(g,h)^{\beta s_2}\) to \({\mathsf {FN}}\) to generate \(CT_{1}\) as
$$\begin{aligned} CT_{1}=\{g^{s_{2}},h^{s_{2}},e(g,h)^{\beta s_2},CT_{1}'\}. \end{aligned}$$(6) 
3
The \({\mathsf {DO}}\) picks \(s_{3},s_{4}\in _R {\mathbb {Z}}_{p}^{*}\) and generates the ciphertext \(CT_2\) corresponding to the \({\mathcal {T}}_2\) in the same way of \(CT_1\). For each node y of \({\mathcal {T}}_2\), \(q_y(0)\) and \(d_y\) are defined exactly the same with above \(q_x(0)\) and \(d_x\); for the root node \(R_2\) of \({\mathcal {T}}_2\), \(q_{R_2}(0)=s_3\). Then,
$$\begin{aligned} CT_{2}=\{g^{s_{4}},h^{s_{4}},CT_{2}'\}, \end{aligned}$$(7)and
$$\begin{aligned} CT'_{2}=\left\{ \begin{array}{c} \widehat{{\mathcal {T}}_2}, g^{s_{3}}, h^{s_{3}}, \{ C_{1}^y=g^{v_{j}'(q_{y}(0)s_2)}, \\ C_{2}^y=h^{v_{j}'(q_{y}(0)s_2)}, C_{3}^y=g^{q_{y}(0)},\\ C_{4}^y=h^{q_{y}(0)}, C_{5}^y=e(g,h)^{\beta q_{y}(0)}, y \mid \forall y\in \mathcal {X}_2 \} \end{array} \right\} , \end{aligned}$$(8)where each leaf node y is corresponding to attribute \(a_j\) and \(\mathcal {X}_2\) is a set of all leaf nodes in \({\mathcal {T}}_2\). Since \(\widehat{{\mathcal {T}}_2}\) is defined the same as \({\mathcal {T}}_2\), except that the attribute name and its value in the \(\widehat{{\mathcal {T}}_2}\) are fully hidden. Therefore, the privacy of \({\mathcal {T}}_2\) can be preserved.

4
The \({\mathsf {DO}}\) computes \(C=ck\cdot e(g,g)^{\beta (s_{2}+s_4)}\) and sends \(E_{ck}(M), C, CT_2\) to \({{\mathsf {FN}}}\), which generate and upload to the final ciphertext CT to the \({{\mathsf {CS}}}\), where
$$\begin{aligned} CT=\left\{ {\mathcal {T}}_1,\widehat{{\mathcal {T}}_2}, E_{ck}(M), C, CT_{1}, CT_{2}\right\} . \end{aligned}$$(9)

1

Trap\((SK)\rightarrow Tr\): The Trap algorithm proceeds as follows. The \({{\mathsf {EU}}}\) chooses \(x',y',z',k\in _R {\mathbb {Z}}_{p}^{*}\) and computes the attribute index \(H_j=H(k\parallel j)\) for each \(a_j \in S\), and generates the following trapdoor Tr with its SK as
$$\begin{aligned} Tr=\left\{ \begin{array}{c} T_0=x'+y',T_1=h^{(\alpha r+ r')(x'+y')+z'},T_2=g^{r'(x'+y')+z'},\\ T_3=g^{(\beta +\alpha r)x'},T_4=h^{(\beta +\alpha r)y'},T_5=g^{\alpha r x'}h^{r'x'},T_6=g^{r'x'}, \\ \{T_{10}^{j}=g^{\frac{\alpha r x'}{v_{j}}},T_{11}^{j}=h^{\frac{\alpha r y'}{v_{j}}}, a_j \mid \forall a_{j}\in S\},\\ \{T_{12}^{H_j}=g^{\frac{\alpha r x'}{v_{j}'}},T_{13}^{H_j}=h^{\frac{\alpha r y'}{v_{j}'}},H_j \mid \forall a_j\in S\} \end{array} \right\} , \end{aligned}$$(10)where the set \(\{T_{12}^{H_j},T_{13}^{H_j},H_j \mid \forall a_j\in S\}\) is sorted by \(H_j\). Due to the hash functions, the corresponding relationship between the tuple \(\{T_{12}^{H_j},T_{13}^{H_j},H_j\}\) and attribute \(a_j\) is preserved. The \({\mathsf {EU}}\) keeps \(x',k\) secret and sends Tr to the \({\mathsf {CS}}\).

Tran\((CT,Tr)\rightarrow \widetilde{CT}\) or \(\perp\): This algorithm conducts the following steps: access verification and ciphertext precomputation.

Access verification Because this process is a recursive procedure, we first define a recursive algorithm \(F_x=F_x(C_1^x,C_2^x,T_{10}^{j},T_{11}^{j},x)\) intaking \((C_1^x, C_2^x, x)\) in \(CT_1\) and \((T_{10}^{j}, T_{11}^{j})\) in Tr, respectively.
For each node of \({\mathcal {T}}_1\), the \({\mathsf {CS}}\) runs a recursive algorithm as follows:

(1)
If x is a leaf node of \({\mathcal {T}}_1\). Let \(a_{j}\) is the corresponding attributes of node x. If \(a_{j} \in S\), the \({\mathsf {CS}}\) computes
$$\begin{aligned} F_x&=e(C_2^x,T_{10}^{j})\cdot e(C_1^x,T_{11}^{j}) \\&=e(h^{v_{j}q_{x}(0)},g^{\frac{\alpha r x' }{v_{j}}})\cdot e(g^{v_{j}q_{x}(0)},h^{\frac{\alpha r y'}{v_{j}}}) \\&=e(g,h)^{\alpha r q_{x}(0)(x'+y')}. \end{aligned}$$(11)If \(a_{j} \not \in S\), set \(F_x=null\).

(2)
If x is a nonleaf node, the recursive algorithm is defined as: for all child nodes z of x, where \(a_{i}\) is the corresponding attributes of node z, the \({\mathsf {CS}}\) computes \(F_z=F_z(C_1^z,C_2^z,T_{10}^{i},T_{11}^{i},z)\) recursively. Let \(S_{x}\) be an arbitrary \(k_{x}\)sized set of child nodes z satisfying \(F_{z}\ne null\). If \(S_{x}\) does not exist, \(F_{x}=null\). Otherwise, the \({\mathsf {CS}}\) calculates
$$\begin{aligned} F_{x}&=\prod _{z\in S_{x}}F_{z}^{\Delta _{i,S_{x}'}(0)} \\&=\prod _{z\in S_{x}}(e(g,h)^{\alpha r (x'+y') q_{parent(z)}(index(z))})^{\Delta _{i,S_{x}'}(0)} \\&=e(g,h)^{\alpha r q_{x}(0)(x'+y')}, \end{aligned}$$(12)where \(i=index(z)\) and \(S_{x}'=\{ index(z)\mid \forall z\in S_{x}\}\).
By calling the above algorithm on the root node \(R_1\) of \({\mathcal {T}}_1\), the \({\mathsf {CS}}\) gets \(F_{R_1}=e(g,h)^{\alpha r s_{1}(x'+y')}\). Then, the \({\mathsf {CS}}\) computes D as
$$\begin{aligned} D&=\frac{ e(T_{1},g^{s_{1}+s_{2}})}{F_{R_1} \cdot e(T_{2},h^{s_{1}+s_{2}})} \\&=\frac{e(h^{(\alpha r+ r')(x'+y')+z'},g^{s_{1}+s_{2}})}{e(g,h)^{\alpha r s_{1}(x'+y')} \cdot e(g^{r'(x'+y')+z'},h^{s_{1}+s_{2}})} \\&=e(g,h)^{\alpha r s_{2}(x'+y')}. \end{aligned}$$(13)Then, for each leaf node \(y\in \widehat{{\mathcal {T}}_2}\), the \({\mathsf {CS}}\) defines
$$\begin{aligned} F_{y,H_j}=e(C_1^y,T_{13}^{H_j})\cdot e(C_2^y,T_{12}^{H_j}), \end{aligned}$$(14)and checks whether there exists an \(H_j\in \{H_j\}_{a_j\in S}\) such that
$$\begin{aligned} {C_5^y}^{T_0} \cdot F_{y,H_j}\cdot D = e(T_3,C_4^y)\cdot e(T_4,C_3^y). \end{aligned}$$(15)If \(S\models {\mathcal {T}}_1\) and there exists an \(H_j\in \{H_j\}_{a_j\in S}\) such that the \(a_j\) is the corresponding attribute of leaf node y, then
$$\begin{aligned}&{C_5^y}^{T_0} \cdot F_{y,j}\cdot D \\&\quad =e(g,h)^{\beta q_y(0)(x'+y')}\cdot e(g^{v_{j}'(q_{y}(0)s_2)},h^{\frac{\alpha r y'}{v_{j}'}})\cdot \\&\qquad e(h^{v_{j}'(q_{y}(0)s_2)},g^{\frac{\alpha r x'}{v_{j}'}})\cdot e(g,h)^{\alpha r s_2 (x'+y')} \\&\quad =e(g,h)^{(\beta + \alpha r) q_{y}(0)(x'+y')} \\&\quad =e(g^{(\beta +\alpha r)x'},h^{q_{y}(0)})\cdot e(h^{(\beta +\alpha r)y'},g^{q_{y}(0)}) \\&\quad =e(T_3,C_4^y)\cdot e(T_4,C_3^y). \end{aligned}$$(16)By running the above functions recursively, the \({\mathsf {CS}}\) can find out whether this \({\mathsf {EU}}\) has the attribute corresponding to each leaf node of \(\widehat{{\mathcal {T}}_2}\) and then check out whether it has the authority to access the ciphertext CT, e.t., \(S \models {\mathcal {T}}_1\) and \(S \models \widehat{{\mathcal {T}}_2}\). If CT is accessible, \({\mathsf {CS}}\) outputs the following Table 2. Otherwise, the algorithm outputs \(\perp\). Assume that the \({\mathsf {EU}}\) has the attributes corresponding to t leaf nodes in \(\widehat{{\mathcal {T}}_2}\).

(1)

Ciphertext precomputation If CT is accessible, i.e., \(S \models {\mathcal {T}}_1\) and \(S \models \widehat{{\mathcal {T}}_2}\), the algorithm is similar to the recursive procedure defined in the above algorithm.
1. \(S \models {\mathcal {T}}_1\). For each node of \({\mathcal {T}}_1\).
(1) If x is a leaf node of \({\mathcal {T}}_1\). If \(a_{j} \in S\), the \({\mathsf {CS}}\) sets \(G_x=G_x(C_1^x,T_{10}^{j},x)\) and computes
$$\begin{aligned} G_x=e(C_1^x,T_{10}^{j})=e(g^{v_{j}q_{x}(0)},g^{\frac{\alpha r x' }{v_{j}}})=e(g,g)^{\alpha r q_{x}(0)x'}. \end{aligned}$$(17)If \(a_{j} \not \in S\), set \(G_x=null\).
(2) If x is a nonleaf node, for all child nodes z of x, the \({\mathsf {CS}}\) computes \(G_z=G_x(C_1^z,T_{10}^{j},z)\) recursively. Let \(S_{x}\) be an arbitrary \(k_{x}\)sized set of child nodes z satisfying \(G_{z}\ne null\). If \(S_{x}\) does not exist, \(G_{x}=null\). Otherwise, the \({\mathsf {CS}}\) calculates
$$\begin{aligned} G_{x}&=\prod _{z\in S_{x}}G_{z}^{\Delta _{i,S_{x}'}(0)} \\&=\prod _{z\in S_{x}}(e(g,g)^{\alpha r x' q_{parent(z)}(index(z))})^{\Delta _{i,S_{x}'}(0)} \\&=e(g,g)^{\alpha r q_{x}(0)x'}, \end{aligned}$$(18)where \(i=index(z)\) and \(S_{x}'=\{ index(z)\mid \forall z\in S_{x}\}\). Then \({\mathsf {CS}}\) gets \(G_{R_1}=e(g,g)^{\alpha r s_{1}x'}\) and computes
$$\begin{aligned} A'&=\frac{G_{R_1}\cdot e(T_6, h^{s_1+s_2})}{e(T_5,g^{s_1+s_2})} \\&=\frac{e(g,g)^{\alpha r s_{1}x'}\cdot e(g^{r'x'},h^{s_1+s_2})}{ e(g^{\alpha r x'}h^{r'x'},g^{s_1+s_2})} \\&=e(g,g)^{\alpha r s_2 x'}. \end{aligned}$$(19)$$\begin{aligned} A&=\frac{e(T_3,g^{s_2})}{A'}=\frac{e(g^{(\beta +\alpha r)x'},g^{s_2})}{e(g,g)^{\alpha r s_2 x'}}=e(g,g)^{\beta s_2 x'}. \end{aligned}$$(20)2. \(S \models \widehat{{\mathcal {T}}_2}\). For each \(y_i\) in Table 2, the \({\mathsf {CS}}\) sets \(G_{y_i}=G_{y_i}(C_1^{y_i},T_{10}^{H_{j_i}},y_i,A)\) and computes
$$\begin{aligned} G_{y_i}&=e(g^{v_{j_i}'(q_{y_i}(0)s_2)},g^{\frac{\alpha r x' }{v_{j_i}'}})\cdot A \\&=e(g,g)^{\alpha r q_{y_i}(0)x'}. \end{aligned}$$(21)Since \(S \models \widehat{{\mathcal {T}}_2}\), for the root node \(R_2\) of \(\widehat{{\mathcal {T}}_2}\), the \({\mathsf {CS}}\) can compute \(G_{R_2}=e(g,g)^{\alpha r s_3 x'}\) in a recursive manner, and then computes
$$\begin{aligned} B&=\frac{e(T_3,g^{s_4})\cdot e(T_5,g^{s_3+s_4})}{G_{R_2}\cdot e(T_6, h^{s_3+s_4})} \\&=\frac{e(g^{(\beta +\alpha r)x'},g^{s_4})\cdot e(g^{(\alpha r x'}h^{r'x'},g^{s_3+s_4})}{e(g,g)^{\alpha r s_{3}x'}\cdot e(g^{r'x'},h^{s_3+s_4})} \\&=e(g,g)^{\beta s_4 x'}. \end{aligned}$$(22)Finally, the \({\mathsf {CS}}\) returns the precomputed ciphertext
$$\begin{aligned} \widetilde{CT}=\{E_{ck}(M),A,B,C=ck\cdot e(g,g)^{\beta (s_{2}+s_4)}\} \end{aligned}$$to the \({\mathsf {EU}}\).


Dec\(((\widetilde{CT}, x')\rightarrow M\): The \({\mathsf {EU}}\) derives the symmetric secret key ck as
$$\begin{aligned} ck=\frac{C}{(AB)^{\frac{1}{x'}}}=\frac{ck\cdot e(g,g)^{\beta (s_2+s_4)}}{e(g,g)^{\frac{\beta (s_2+s_4) x'}{x'}}}, \end{aligned}$$(23)and uses ck to decrypt \(E_ck(M)\) by symmetric decryption.
Remark 1
Different from previous schemes, we let the attribute \(a_j\) (or leaf node x, attribute index \(H_j\)) appear in the component of secret key (or ciphertext, trapdoor) just to make it clearer which attribute (or leaf node, attribute index) the component of secret key (or ciphertext, trapdoor) corresponds to.
Remark 2
Once the \({\mathsf {EU}}\) has access to the ciphertext, the \({\mathsf {CS}}\) will find out that the leaf nodes in the access tree must correspond to some attributes in S. Therefore, we made a small modification to the Trap algorithm, replacing \(\{T_{10}^{j},T_{11}^{j}, a_j \mid \forall a_{j}\in S\}\) with \(\{T_{10}^{j},T_{11}^{j}, a_j \mid \forall a_{j}\in S_1\}\), where \(S_1\subseteq S\). Since the public access policy is revealed in the ciphertext, the end user can decide the attribute set \(S_1\) by their own. In addition, the Trap algorithm can be run offline while the device is charging.
Remark 3
The computational overhead of the \({\mathsf {CS}}\) to run the Access Verification algorithm scales linearly with \(\mid T_1\mid +\mid S\mid \cdot \mid T_2\mid\), supposed that \(\mid S\mid\) is the number of attributes the \({\mathsf {EU}}\) owned and \(\mid T_1\mid ,\mid T_2\mid\) is the number of leaf nodes in the access tree \({\mathcal {T}}_1,\widehat{{\mathcal {T}}_2}\), respectively. Thus, it does not need a superpolynomial time to find out the correct attributes for successful decryption.
Analysis of our scheme
In this section, we provide a formal security analysis of our scheme.
Security analysis
Theorem 1
Supposed that a PPT adversary \({\mathcal {A}}\) can break the INDCPA security of our scheme with a nonnegligible advantage \(\epsilon >0\), then there exists a PPT simulator \({\mathcal {B}}\) that can distinguish a DBDH tuple from a random tuple with an advantage \(\frac{\epsilon }{2}\).
Proof
Given the bilinear map parameter \(({\mathbb {G}}_{0}, {\mathbb {G}}_{T},p,e,g)\). The DBDH challenger \({\mathcal {C}}\) selects \(a',b',c'\in {\mathbb {Z}}_{p}\), \(\theta \in \{0,1\}\), \(\mathcal {R} \in {\mathbb {G}}_{T}\) at random. Let \({\mathcal {Z}}=e(g,g)^{a'b'c'}\), if \(\theta =0\), \(\mathcal {R}\) else. Next, \({\mathcal {C}}\) sends \({\mathcal {B}}\) the tuple \(\langle g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}} \rangle\). Then, \({\mathcal {B}}\) plays the role of challenger in the following security game.

Initialization \({\mathcal {A}}\) submits two challenge access policy \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\) to \({\mathcal {B}}\).

Setup \({\mathcal {B}}\) chooses \(\beta ',x \in {\mathbb {Z}}_{p}\) at random and sets \(h=g^{x}\), \(g^{\alpha }=g^{a'}\), \(e(g,g)^{\beta }=e(g,g)^{\beta '+a'b'}=e(g,g)^{\beta '}e(g^{a'},g^{b'})\), \(e(g,h)^{\beta }=e(g,g)^{\beta x}\). For each attribute \(a_{j}\in \mathcal {L}\), \({\mathcal {B}}\) picks \(s_{j},s_{j}'\in _R Z_p\). If \(a_{j}\in {\mathcal {T}}_1^{*}\), set \(g^{v_{j}}=g^{\frac{a'}{s_{j}}}\), otherwise \(g^{v_{j}}=g^{s_{j}}\); if \(a_{j}\in {\mathcal {T}}_2^{*}\), set \(g^{v_{j}'}=g^{\frac{a'}{s_{j}'}}\), otherwise \(g^{v_{j}'}=g^{s_{j}'}\). The \({\mathcal {B}}\) sets \(h^{v_{j}}=g^{v_{j}x},h^{v_{j}'}=g^{v_{j}'x}\) and sends PK to \({\mathcal {A}}\), where
$$\begin{aligned} PK=\left\{ \begin{array}{c} {\mathbb {G}}_{0},g,h,g^{\alpha }, e(g,g)^{\beta },e(g,h)^{\beta },\\ \{g^{v_{j}}, h^{v_{j}},g^{v_{j}'},h^{v_{j}'},a_j\mid \forall a_{j}\in \mathcal {L}\} \end{array}\right\} . \end{aligned}$$(24) 
\(Phase\;1\) \({\mathcal {A}}\) adaptively submits any attribute set \(S\in \mathcal {L}\) to \({\mathcal {B}}\) with the restriction that \((S\nvDash {\mathcal {T}}_1^{*} \bigvee S\nvDash {\mathcal {T}}_2^{*})\). In response, \({\mathcal {B}}\) picks \(\hat{r},\tilde{r}\in {\mathbb {Z}}_{p}\) at random, computes \(g^{r}=\frac{g^{\hat{r}}}{g^{b'}}=g^{\hat{r}b'}\), \(g^{\beta +\alpha r}=g^{\beta '+a'b'+a'(\hat{r}b')}=g^{\beta '+a'\hat{r}}\), \(h^{\beta +\alpha r}=g^{(\beta '+a'\hat{r})x}=h^{\beta '+a'\hat{r}}\), \(g^{\alpha \hat{r}}h^{\tilde{r}}\), \(h^{\alpha \hat{r}}h^{\tilde{r}}\), \(g^{\tilde{r}}\). For each \(a_{j}\in S\), if \(a_{j}\in {\mathcal {T}}_1^{*}\), \({\mathcal {B}}\) computes \(g^{\frac{\alpha \hat{r}}{v_{j}}}=g^{s_{j}\hat{r}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}}}=h^{s_{j}\hat{r}}\), otherwise \(g^{\frac{\alpha \hat{r}}{v_{j}}}=g^{\frac{a' \hat{r}}{s_{j}}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}}}=h^{\frac{a' \hat{r}}{s_{j}}}\); if \(a_{j}\in {\mathcal {T}}_2^{*}\), \({\mathcal {B}}\) sets \(g^{\frac{\alpha \hat{r}}{v_{j}'}}=g^{s_{j}'\hat{r}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}'}}=h^{s_{j}'\hat{r}}\), otherwise \(g^{\frac{\alpha \hat{r}}{v_{j}'}}=g^{\frac{a' \hat{r}}{s_{j}'}}\), \(h^{\frac{\alpha \hat{r}}{v_{j}'}}=h^{\frac{a' \hat{r}}{s_{j}'}}\).
Afterward, \({\mathcal {B}}\) answers \({\mathcal {A}}\) with the corresponding secret key
$$\begin{aligned} SK=\left\{ \begin{array}{c} g^{\beta '+\alpha \hat{r}}, h^{\beta '+a'\hat{r}}, g^{\alpha \hat{r}}h^{\tilde{r}},h^{\alpha \hat{r}}h^{\tilde{r}}, g^{\tilde{r}},\\ \{g^{\frac{\alpha \hat{r}}{v_{j}}},h^{\frac{\alpha \hat{r}}{v_{j}}},g^{\frac{\alpha \hat{r}}{v_{j}'}},h^{\frac{\alpha \hat{r}}{v_{j}'}}, a_j\mid \forall a_{j}\in S\} \end{array}\right\} . \end{aligned}$$(25) 
Challenge \({\mathcal {A}}\) submits two equallength challenge messages \(\{m_{0},m_{1}\}\) to \({\mathcal {B}}\). Then, \({\mathcal {B}}\) chooses \(s_{1},s_{2} \in _R {\mathbb {Z}}_{p}\) and generates
$$\begin{aligned} CT_{1}'^{*}=\left\{ \begin{array}{c} {\mathcal {T}}_{1}^{*}, g^{s_{1}}, h^{s_{1}}, \{ C_{j,1}=g^{v_{j}q_{x^{*}}(0)},\\ C_{j,2}=h^{v_{j}q_{x^{*}}(0)},x^* \mid \forall x^*\in \mathcal {X}_1^{*}\} \end{array} \right\} , \end{aligned}$$where \(\mathcal {X}_1^{*}\) is a set of attributes corresponding to all leaf nodes in \({\mathcal {T}}_1^{*}\) and each \(x^*\in \mathcal {X}_1^{*}\) is corresponding to attribute \(a_j\). The \({\mathcal {B}}\) sets
$$\begin{aligned} CT_{1}^*=\{g^{s_{2}},h^{s_{2}},e(g,h)^{\beta s_2},CT_{1}'^*\}, \end{aligned}$$(26)and generates \(CT_{2}^*\) in a similar method. \({\mathcal {B}}\) picks \(s_{3} \in _R {\mathbb {Z}}_{p}\) and sets \(g^{s_{4}}=\frac{g^{c'}}{g^{s_2}}\), \(h^{s_{4}}=g^{s_{4}x}\), \(e(g,g)^{\beta (s_{2}+s_{4})}={\mathcal {Z}}\cdot e(g,g)^{\beta 'c'}\). So,
$$\begin{aligned} CT_{2}^*=\{g^{s_{4}},h^{s_{4}},CT_{2}^{'*}\}, \end{aligned}$$(27)where
$$\begin{aligned} CT_{2}^{'*}=\left\{ \begin{array}{c} \widehat{{\mathcal {T}}_2^*}, g^{s_{3}}, h^{s_{3}}, \{ C_{1}^y=g^{v_{j}'(q_{y^*}(0)s_2)}, \\ C_{2}^y=h^{v_{j}'(q_{y^*}(0)s_2)}, C_{3}^y=g^{q_{y^*}(0)},\\ C_{4}^y=h^{q_{y^*}(0)}, C_{5}^y=e(g,h)^{\beta q_{y^*}(0)}, y \mid \forall y\in \mathcal {X}_2 \} \end{array} \right\} . \end{aligned}$$(28)Finally, \({\mathcal {B}}\) randomly picks \(\theta '\in \{0,1\}\), sets \(C^{*}=m_{\theta '}\cdot {\mathcal {Z}}\cdot e(g,g)^{\beta 'c'}\), and returns \({\mathcal {A}}\) the final challenge ciphertext \(CT^{*}=\{{\mathcal {T}}_1^*,\widehat{{\mathcal {T}}_2^*}, C^*, CT_{1}^*, CT_{2}^*\}\).

\(Phase\;2\) This phase is the same as Phase 1.

Guess \({\mathcal {A}}\) outputs a guess bit \(\theta ''\) of \(\theta '\). If \(\theta ''=\theta '\), \({\mathcal {B}}\) guesses \(\theta =0\) which indicates that \({\mathcal {Z}}=e(g,g)^{a'b'c'}\) in the above game. Otherwise, \({\mathcal {B}}\) guesses \(\theta =1\), i.e., \({\mathcal {Z}}=\mathcal {R}\).
If \({\mathcal {Z}}=\mathcal {R}\), then \(CT^{*}\) is random from the view of \({\mathcal {A}}\). Hence, \({\mathcal {B}}'s\) probability to guess \(\theta\) correctly is
Else \({\mathcal {Z}}=e(g,g)^{a'b'c'}\), then \(CT^{*}\) is available and \({\mathcal {A}}'s\) advantage of guessing \(\theta '\) is \(\epsilon\). Therefore, \({\mathcal {B}}'s\) probability to guess \(\theta\) correctly is
In conclusion, \({\mathcal {B}}'s\) advantage to win the above security game is
\(\square\)
Theorem 2
Supposed that a PPT adversary \({\mathcal {A}}\) can break the INDCSPA security of our scheme with a nonnegligible advantage \(\epsilon >0\), then there exists a PPT simulator \({\mathcal {B}}\) that can distinguish a DBDH tuple from a random tuple with an advantage \(\frac{\epsilon }{2}\).
Proof
The proof process of this theorem is similar to that of Theorem 1. The DBDH challenger \({\mathcal {C}}\) sends \({\mathcal {B}}\) the tuple \(\langle g,g^{a'}, g^{b'}, g^{c'}, {\mathcal {Z}} \rangle\), in which \({\mathcal {Z}}=e(g,g)^{a'b'c'}\) or \(\mathcal {R}\). \({\mathcal {A}}\) chooses a challenge access structure \({\mathcal {T}}^{*}\) initially. \({\mathcal {B}}\) returns public key in the same way as in Theorem 1. Then \({\mathcal {A}}\) adaptively submits any attribute set S with the restriction that \(S \nvDash {\mathcal {T}}^{*}\). Since \({\mathcal {B}}\) can generate secret keys as in Theorem 1, it can naturally answer \({\mathcal {A}}\) with the corresponding trapdoor Tr. In the challenge phase, \({\mathcal {A}}\) submits \(m^*\) and two challenge policies \({\mathcal {T}}_0^{*}\) and \({\mathcal {T}}_1^{*}\) with the same structure, i.e., \(\widehat{{\mathcal {T}}_0^{*}}=\widehat{{\mathcal {T}}_1^{*}}\). \({\mathcal {B}}\) randomly picks \(\theta '\in \{0,1\}\), generates \(CT_2^*\) with \({\mathcal {T}}_{\theta '}^*\) and returns the challenge ciphertext \(CT^{*}\). If \({\mathcal {A}}\)’s advantage of guessing \(\theta '\) is \(\epsilon\), then \({\mathcal {B}}\)’s advantage to distinguish a DBDH tuple from a random tuple is \(\frac{\epsilon }{2}\). \(\square\)
Remark 4
In Definition 6, it demonstrates the INDCPA security of our scheme. Since the adversary needs to satisfies both \({\mathcal {T}}_1^{*}\) and \({\mathcal {T}}_2^{*}\) to decrypt the ciphertext, the restriction on the private key inquiry in Theorem 1 is \((S\nvDash {\mathcal {T}}_1^{*} \bigvee S\nvDash {\mathcal {T}}_2^{*})\), otherwise the adversary can break our scheme trivially. While in Definition 7, it is required that the adversary cannot tell the challenge sensitive policy \({\mathcal {T}}_0^{*}\) apart from \({\mathcal {T}}_1^{*}\) if it doesn’t satisfy the public access policy \({\mathcal {T}}^{*}\). So the restriction on the private key inquiry in Theorem 2 is \(S\nvDash {\mathcal {T}}^{*}\), otherwise the adversary can break our scheme trivially.
Complexity analysis
In this section, we compare the computational overhead with some other related schemes with hidden policy from a technical point of view. Some schemes only support ANDgate policies, to represent an expressive policy f, we transmute it to a disjunctive normal form and \(f=f_1\bigvee \cdots \bigvee f_n\) and then represent each \(f_i\) by a conjunctive clause as \(f_i={\text {att}}_{i,1}\bigwedge \cdots \bigwedge {\text {att}}_{i,l}\). Without loss of generality, we suppose each attribute \({\text {att}}_i\) has two values \({\text {att}}_{i,1},{\text {att}}_{i,2}\) and consider such a simple access policy
which means that there are \(2^{n}\) access strategies. Now, we discuss the computational overhead of each scheme in Table 3.
As shown in Table 3, schemes [6, 24, 25] restricted with ANDgates on multivalues give rise to an exponential size of ciphertext for supporting an expressive access policy. Since the attribute value is hidden in [28], for finding the correct attribute value for successful decryption, [28] needs end user to test superpolynomial times. In addition, all the above schemes only protect the privacy attribute value, but expose the information of attribute name. Some other schemes based on the innerproduct predicate encryption [18, 29] that we haven’t discussed in detail here, because transform an innerproduct predicate to an expressive access policy will also cause an exponential size of ciphertext. In our scheme, the size of ciphertext, test time and decryption time are all polynomial. Partial overhead for generating the ciphertext is outsourced to fog nodes and most overhead during test and decryption is outsourced from end user to the cloud.
Conclusion
In this work, we provide a novel method to protect the privacy of sensitive policy in CPABE scheme. With the help of KS techniques,the access policy in our scheme is expressive and compact, and the computational overhead of encryption (half part) and decryption (most part) can be sifted to fog nodes and cloud server respectively. Hence, our scheme is more friendly for resourcelimited mobile devices. The list of abbreviations is shown in Table 4.
References
 1.
F. Bonomi, R.A. Milito, J. Zhu, S. Addepalli, Fog computing and its role in the internet of things, in MCC@SIGCOMM 2012 (2012), pp. 13–16
 2.
A. Sahai, B. Waters, Fuzzy identitybased encryption, in EUROCRYPT 2005 (2005), pp. 457–473
 3.
V. Goyal, O. Pandey, A. Sahai, B. Waters, Attributebased encryption for finegrained access control of encrypted data. CCS 2006, 89–98 (2006)
 4.
J. Bethencourt, A. Sahai, B. Waters, Ciphertextpolicy attributebased encryption, in S&P 2007 (2007), pp. 321–334
 5.
B. Waters, Ciphertextpolicy attributebased encryption: an expressive, efficient, and provably secure realization, in PKC 2011, Lecture Notes in Computer Science, vol. 6571 (Springer, Taormina, 2011), pp. 53–70
 6.
T. Nishide, K. Yoneyama, K. Ohta, Attributebased encryption with partially hidden encryptorspecified access structures, in ACNS 2008. Lecture Notes in Computer Science, vol. 5037, ed. by S.M. Bellovin, R. Gennaro, A.D. Keromytis, M. Yung (Springer, New York, 2008), pp. 111–129
 7.
J. Katz, A. Sahai, B. Waters, Predicate encryption supporting disjunctions, polynomial equations, and inner products, in EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, ed. by N.P. Smart (Springer, Istanbul, 2008), pp. 146–162
 8.
S. Yu, C. Wang, K. Ren, W. Lou, Achieving secure, scalable, and finegrained data access control in cloud computing, in INFOCOM 2010 (IEEE, San Diego, USA, 2010), pp. 534–542
 9.
M. Green, S. Hohenberger, B. Waters, Outsourcing the decryption of ABE ciphertexts, in USENIX 2011 (2011)
 10.
N. Attrapadung, Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more, in EUROCRYPT 2014. Lecture Notes in Computer Science, vol. 8441, ed. by P.Q. Nguyen, E. Oswald (Springer, Copenhagen, 2014), pp. 557–577
 11.
B. Waters, Functional encryption for regular languages, in CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, ed. by R. SafaviNaini, R. Canetti (Springer, Santa Barbara, 2012), pp. 218–235
 12.
A.B. Lewko, B. Waters, Unbounded HIBE and attributebased encryption, in EUROCRYPT 2011. Lecture Notes in Computer Science, vol. 6632, ed. by K.G. Paterson (Springer, Tallinn, 2011), pp. 547–567
 13.
Y. Rouselakis, B. Waters, Practical constructions and new proof methods for large universe attributebased encryption, in CCS 2013, ed. by A. Sadeghi, V.D. Gligor, M. Yung (ACM, Berlin, 2013), pp. 463–474
 14.
N. Attrapadung, B. Libert, E. de Panafieu, Expressive keypolicy attributebased encryption with constantsize ciphertexts, in PKC 2011. Lecture Notes in Computer Science, vol. 6571, ed. by D. Catalano, N. Fazio, R. Gennaro, A. Nicolosi (Springer, Taormina, 2011), pp. 90–108
 15.
M. Chase, Multiauthority attribute based encryption, in TCC 2007. Lecture Notes in Computer Science, vol. 4392, ed. by S.P. Vadhan (Springer, Amsterdam, 2007), pp. 515–534
 16.
M. Chase, S.S.M. Chow, Improving privacy and security in multiauthority attributebased encryption, in CCS 2009, ed. by E. AlShaer, S. Jha, A.D. Keromytis (ACM, Chicago, 2009), pp. 121–130
 17.
A.B. Lewko, B. Waters, Decentralizing attributebased encryption, in EUROCRYPT 2011. Lecture Notes in Computer Science, vol. 6632, ed. by K.G. Paterson (Springer, Tallinn, 2011), pp. 568–588
 18.
A.B. Lewko, T. Okamoto, A. Sahai, K. Takashima, B. Waters, Fully secure functional encryption: attributebased encryption and (hierarchical) inner product encryption, in EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, ed. by H. Gilbert (Springer, Monaco, 2010), pp. 62–91
 19.
T. Okamoto, K. Takashima, Fully secure unbounded innerproduct and attributebased encryption, in ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658, ed. by X. Wang, K. Sako (Springer, Beijing, 2012), pp. 349–366
 20.
A.B. Lewko, B. Waters, New proof methods for attributebased encryption: achieving full security through selective techniques, in CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, ed. by R. SafaviNaini, R. Canetti (Springer, Santa Barbara, 2012), pp. 180–198
 21.
J. Li, X. Chen, J. Li, C. Jia, J. Ma, W. Lou, Finegrained access control system based on outsourced attributebased encryption, in ESORICS 2013. Lecture Notes in Computer Science, vol. 8134, ed. by J. Crampton, S. Jajodia, K. Mayes (Springer, Egham, 2013), pp. 592–609
 22.
C. Zuo, J. Shao, G. Wei, M. Xie, M. Ji, CCAsecure ABE with outsourced decryption for fog computing. Future Gener. Comput. Syst. 78, 730–738 (2018)
 23.
P. Zhang, Z. Chen, J.K. Liu, K. Liang, H. Liu, An efficient access control scheme with outsourcing capability and attribute update for fog computing. Future Gener. Comput. Syst. 78, 753–762 (2018)
 24.
J. Li, K. Ren, B. Zhu, Z. Wan, Privacyaware attributebased encryption with user accountability, in ISC 2009. Lecture Notes in Computer Science, vol. 5735, ed. by P. Samarati, M. Yung, F. Martinelli, C.A. Ardagna (Springer, Pisa, 2009), pp. 347–362
 25.
J. Lai, R.H. Deng, Y. Li, Fully secure cipertextpolicy hiding CPABE, in ISPEC 2011. Lecture Notes in Computer Science, vol. 6672, ed. by F. Bao, J. Weng (Springer, Guangzhou, 2011), pp. 24–39
 26.
Y. Zhang, X. Chen, J. Li, D.S. Wong, H. Li, Anonymous attributebased encryption supporting efficient decryption test, in ASIACCS 2013, ed. by K. Chen, Q. Xie, W. Qiu, N. Li, W. Tzeng (ACM, Hangzhou, 2013), pp. 511–516
 27.
J. Lai, R.H. Deng, Y. Li, Expressive CPABE with partially hidden access structures, in ASIACCS 2012, ed. by H.Y. Youm, Y. Won (ACM, Seoul, 2012), pp. 18–19
 28.
H. Cui, R.H. Deng, G. Wu, J. Lai, An efficient and expressive ciphertextpolicy attributebased encryption scheme with partially hidden access structures, in ProvSec 2016. Lecture Notes in Computer Science, vol. 10005, ed. by L. Chen, J. Han (Springer, New York, 2016), pp. 19–38
 29.
Y. Michalevsky, M. Joye, Decentralized policyhiding ABE with receiver privacy, in ESORICS 2018. Lecture Notes in Computer Science, vol. 11099, ed. by J. López, J. Zhou, M. Soriano (Springer, Barcelona, 2018), pp. 548–567
 30.
F. Khan, H. Li, L. Zhang, J. Shen, An expressive hidden access policy CPABE, in DSC 2017 (IEEE Computer Society, Shenzhen, China, 2017), pp. 178–186
 31.
D.X. Song, D.A. Wagner, A. Perrig, Practical techniques for searches on encrypted data, in 2000 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 14–17 2000 (2000), pp. 44–55
 32.
D. Boneh, G.D. Crescenzo, R. Ostrovsky, G. Persiano, Public key encryption with keyword search, in Proceedings of the Advances in Cryptology—EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004 (2004), pp. 506–522
 33.
Q. Zheng, S. Xu, G. Ateniese, VABKS: verifiable attributebased keyword search over outsourced encrypted data, in 2014 IEEE Conference on Computer Communications, INFOCOM 2014, Toronto, Canada, April 27–May 2, 2014 (2014), pp. 522–530
 34.
W. Sun, S. Yu, W. Lou, Y.T. Hou, H. Li, Protecting your right: verifiable attributebased keyword search with finegrained ownerenforced search authorization in the cloud. IEEE Trans. Parallel Distrib. Syst. 27(4), 1187–1198 (2016)
 35.
Y. Miao, J. Ma, X. Liu, J. Weng, H. Li, H. Li, Lightweight finegrained search over encrypted data in fog computing. IEEE Trans. Serv. Comput. 12(5), 772–785 (2019)
 36.
F. Meng, M.W.L. Cheng, ABDKS: attributebased encryption with dynamic keyword search in fog computing. Front. Comput. Sci. (2020). https://doi.org/10.1007/s1170402094727
Acknowledgements
Not applicable.
Funding
The authors are supported by National Cryptography Development Fund (Grant No. MMJJ20180210) and National Natural Science Foundation of China (Grant Nos. 61832012 and 61672019).
Author information
Affiliations
Contributions
Fei Meng, Leixiao Cheng and Mingqiang Wang are the main authors of the current paper. They contributed to the development of the ideas, design of the study, theory, result analysis, and paper writing. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Meng, F., Cheng, L. & Wang, M. Ciphertextpolicy attributebased encryption with hidden sensitive policy from keyword search techniques in smart city. J Wireless Com Network 2021, 20 (2021). https://doi.org/10.1186/s13638020018752
Received:
Accepted:
Published:
Keywords
 Smart city
 Attributebased encryption
 Hidden sensitive policy
 Keyword search
 Fog nodes