IBE2ABE

0.1 Complexity Assumptions
Let $\mathbb{G}$ and $\mathbb{G}_T$ be cyclic groups of prime order $p$ with a bilinear mapping $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$, $g \in \mathbb{G}$, $s, a, b, \{b_j\}_{j\in[1,q]} \in \mathbb{Z}_p^*$, $q \in \mathbb{N}$.

Decisional Diffie-Hellman (DDH) assumption. Given $\vec{Y} = \{g, g^{a}, g^{b}\}$, $D = e(g, g)^{ab}$, $R \in_R \mathbb{G}_T$, the advantage of distinguishing distributions $(\vec{Y}, D)$ and $(\vec{Y}, R)$ is negligible for any PPT adversary $\mathcal{A}$. That is,

$$Adv_{\mathcal{A}} = |\Pr[\mathcal{A}(\vec{Y}, D) = 1] - \Pr[\mathcal{A}(\vec{Y}, R) = 1]| \le \eta,$$

where $\eta$ is negligible.

Decisional Bilinear Diffie-Hellman Exponent (DBDHE) Assumption. Given $\vec{Y} = \{g, g^{s}, \{g^{a^{i}}\}_{i\in[1,2q], i\neq q+1}\}$, $D = e(g, g)^{a^{q+1}s}$, $R \in_R \mathbb{G}_T$, the advantage of distinguishing distributions $(\vec{Y}, D)$ and $(\vec{Y}, R)$ is negligible for any PPT adversary $\mathcal{A}$.

0.2 Linear Secret Sharing Scheme


Let $U = \{x_1, ..., x_n\}$ be an attribute universe. A set $\mathbb{A}$ of non-empty subsets of $U$ is an access policy. A set $A \in \mathbb{A}$ is an authorised set, $B \notin \mathbb{A}$ is an unauthorised set.

A linear secret sharing scheme (LSSS) represents a monotonic access policy $\mathbb{A}$ as a matrix $M_{l\times n}$ with a function $\rho$ that maps the $i$-th row $M_i$ of $M_{l\times n}$ to an attribute $\rho(i) \in U$, which has the following properties.

• For any $A \in \mathbb{A}$, there exists $\{\omega_i\}_{i\in I}$ such that $\sum_{i\in I} \omega_i M_i = (1, 0, ..., 0)$, where $I = \{i : \rho(i) \in A\}$.

• For any $B \notin \mathbb{A}$, there exists $\vec{\theta} = (\theta_1 = -1, \theta_2, \theta_3, ..., \theta_n)$ such that $\vec{\theta} \cdot M_i = 0$ for all $i : \rho(i) \in B$.

The access policy $\mathbb{A}$ with the matrix $(M, \rho)$ is denoted as $\mathbb{A}(M, \rho)$. Using $\mathbb{A}(M, \rho)$, we can share and reconstruct secrets as follows.

• Sharing: Inputs the secret $s$ and an access policy $\mathbb{A}(M, \rho)$, chooses $y_2, y_3, ..., y_n$, sets $\vec{v} = (s, y_2, y_3, ..., y_n)$, computes and outputs the share set $\{\lambda_i : \lambda_i = \vec{v} \cdot M_i\}_{i\in[1,n]}$.

• Reconstruction: Inputs the access policy $\mathbb{A}(M, \rho)$ and an authorized set $A \in \mathbb{A}$ with its share set $\{\lambda_i\}_{i\in I=\{i:\rho(i)\in A\}}$, finds $\{\omega_i\}_{i\in I}$ such that $\sum_{i\in I} \omega_i M_i = (1, 0, ..., 0)$, computes and outputs the secret $s = \sum_{i\in I} \omega_i \lambda_i$.
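
The sharing and reconstruction steps above, as an added example that is not part of the original document. The policy matrix for (A AND B) OR C, the prime `P` standing in for the group order, and all function names are constructed for illustration; rows are 0-indexed.

```python
import secrets

P = 2**127 - 1  # constructed stand-in for the prime group order p

# Constructed LSSS policy (A AND B) OR C: row i of M is labelled RHO[i].
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]

def share(s, M):
    """Sharing: v = (s, y2, ..., yn), lambda_i = v . M_i mod P."""
    v = [s % P] + [secrets.randbelow(P - 1) + 1 for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(v, row)) % P for row in M]

def solve_omega(M, rho, attrs):
    """Find omega with sum_{i in I} omega_i * M_i = (1,0,...,0), or None."""
    I = [i for i, x in enumerate(rho) if x in attrs]
    n = len(M[0])
    # Augmented system over Z_P: one equation per column j of M.
    A = [[M[i][j] % P for i in I] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for c in range(len(I)):
        pr = next((k for k in range(r, n) if A[k][c]), None)
        if pr is None:
            continue
        A[r], A[pr] = A[pr], A[r]
        inv = pow(A[r][c], -1, P)
        A[r] = [a * inv % P for a in A[r]]
        for k in range(n):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(a - f * b) % P for a, b in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in A[r:]):
        return None  # target not in the row span: unauthorised set
    omega = {i: 0 for i in I}
    for row, c in zip(A, pivots):
        omega[I[c]] = row[-1]
    return omega

def reconstruct(shares, omega):
    """Reconstruction: s = sum_{i in I} omega_i * lambda_i mod P."""
    return sum(w * shares[i] for i, w in omega.items()) % P
```
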

0.3 Proof
The improved scheme is IND-CPA secure under the DBDHE assumption.
Assuming $\mathcal{A}$ can win the IND-CPA game with an advantage of $\varepsilon$, we construct $\mathcal{B}$ to solve the DBDHE problem.

• Initialization: $\mathcal{A}$ chooses a challenge access policy $\mathbb{A}^*(M^*_{l^*\times n^*}, \rho^*)$ and sends it to $\mathcal{B}$.

• Setup: Receiving a DBDHE instance $(\vec{Y}, T)$.

– Chooses $\alpha', b \in_R \mathbb{Z}_p^*$ and sets

$$g_1 = g^{a}, \quad g_2 = g^{b}, \quad Y = e(g, g)^{\alpha'} e(g^{a}, g^{a^{q}}) = e(g, g)^{\alpha},$$

where implicitly sets $\alpha = \alpha' + a^{q+1}$.

– For each $x \in U$, chooses $\gamma_x \in_R \mathbb{Z}_p^*$. If there exists an $i$ such that $\rho^*(i) = x$, computes

$$h_x = g^{\gamma_x} \prod_{j\in[1,n^*]} (g^{a^{j}})^{m^*_{i,j}},$$

where $m^*_{i,j}$ is the $i$-row and $j$-column element of matrix $M^*$. Otherwise, computes $h_x = g^{\gamma_x}$.

– For each $x \in U$, chooses $\beta_x \in_R \mathbb{Z}_p^*$, computes $z_x = g^{\beta_x}$.

– Chooses the parameters $\lambda$, $l_{kabf}$, and $k + 1$ hash functions $H_0$ and $\mathcal{H} = \{H_1, H_2, ..., H_k\}$ for the keyed attribute Bloom filter.

– Chooses a secure hash function $H : \mathbb{G}_T \to \mathbb{Z}_p^*$.

– Sends the public parameters $PP = (g, g_1, g_2, Y, \{h_x, z_x\}_{x\in U}, \lambda, l_{kabf}, H_0, \mathcal{H}, H)$ to $\mathcal{A}$.

• Attribute-key query 1: $\mathcal{A}$ queries the private key on an attribute set $S$. If $S \in \mathbb{A}^*$, returns $\perp$. Otherwise, $\mathcal{B}$ finds $\vec{\theta} = (\theta_1 = -1, \theta_2, ..., \theta_{n^*})$ such that $\vec{\theta} \cdot M^*_i = \sum_{j\in[1,n^*]} \theta_j m^*_{i,j} = 0$ for all $i : \rho^*(i) \in S$, where $m^*_{i,j}$ is the $i$-row and $j$-column element of matrix $M^*$.

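Chooses $t' \in_R \mathbb{Z}_p^*$ and computes

$$\begin{aligned}
k_1 &= \Big[g^{\alpha'} (g^{a})^{t'} \prod_{j\in[2,n^*]} (g^{a^{q-j+2}})^{\theta_j}\Big]^{b^{-1}} \\
&= \Big[g^{\alpha'} g^{a^{q+1}} (g^{a^{q+1}})^{-1} (g_1)^{t'} \prod_{j\in[2,n^*]} (g_1^{a^{q-j+1}})^{\theta_j}\Big]^{b^{-1}} \\
&= \Big[g^{\alpha} (g^{a})^{t'} \prod_{j\in[1,n^*]} (g_1^{a^{q-j+1}})^{\theta_j}\Big]^{b^{-1}} \\
&= g^{\alpha b^{-1}} g_1^{t b^{-1}}, \\
k_2 &= g^{t'} \prod_{j\in[1,n^*]} (g^{a^{q-j+1}})^{\theta_j} = g^{t},
\end{aligned}$$

where implicitly sets $t = t' + \sum_{j\in[1,n^*]} (\theta_j a^{q-j+1})$.

If there exists an $i$ such that $\rho^*(i) = x$, computes

$$\begin{aligned}
k_x &= k_2^{\gamma_x} \prod_{j\in[1,n^*]} \Big[g^{a^{j} t'} \prod_{k\in[1,n^*], k\neq j} (g^{a^{q-k+j+1}})^{\theta_k}\Big]^{m^*_{i,j}} \\
&= \Big[g^{t'} \prod_{j\in[1,n^*]} (g^{a^{q-j+1}})^{\theta_j}\Big]^{\gamma_x} \Big(\prod_{j\in[1,n^*]} (g^{a^{j}})^{m^*_{i,j}}\Big)^{t'} \Big[\prod_{j\in[1,n^*]} (g^{a^{j}})^{m^*_{i,j}}\Big]^{\sum_{k\in[1,n^*]} \theta_k a^{q-k+1}} (g^{a^{q+1}/b_i})^{\sum_{j\in[1,n^*]} \theta_j m^*_{i,j}} \\
&= \Big[g^{\gamma_x} \prod_{j\in[1,n^*]} (g^{a^{j}})^{m^*_{i,j}}\Big]^{t'} \Big[g^{\gamma_x} \prod_{j\in[1,n^*]} (g^{a^{j}})^{m^*_{i,j}}\Big]^{\sum_{j\in[1,n^*]} \theta_j a^{q-j+1}} \\
&= h_x^{t'} h_x^{\sum_{j\in[1,n^*]} \theta_j a^{q-j+1}} \\
&= h_x^{t}.
\end{aligned}$$

Otherwise, $k_x = k_2^{\gamma_x} = h_x^{t}$.

Returns the private key

$$SK_S = (k_1, k_2, \{k_x, \beta_x\}_{x\in S}).$$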

• Challenge: $\mathcal{A}$ submits $K_0, K_1 \in \mathbb{G}_T$ to $\mathcal{B}$. $\mathcal{B}$ chooses $\beta \in_R \{0, 1\}$, encrypts $K_\beta$ as follows.

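– Chooses $\tilde{s}, s_2, s_3, ..., s_{n^*} \in_R \mathbb{Z}_p^*$, computes

$$\begin{aligned}
C^* &= K_\beta\, T\, e(g^{s}, g^{\alpha'}), \\
c^* &= g^{bs}, \\
c'^* &= g^{s} g^{\tilde{s}} = g^{s+\tilde{s}} = g^{s'}, \\
c_i^* &= h_{\rho^*(i)}^{-\tilde{s}}\, g^{-s\gamma_{\rho^*(i)}} \prod_{j\in[2,n^*]} g^{a m^*_{i,j} s_j} \\
&= h_{\rho^*(i)}^{-\tilde{s}}\, g^{-s\gamma_{\rho^*(i)}}\, g^{a \sum_{j\in[2,n^*]} m^*_{i,j} s_j}\, g^{\sum_{j\in[1,n^*]} s a^{j} m^*_{i,j}}\, g^{-\sum_{j\in[1,n^*]} s a^{j} m^*_{i,j}} \\
&= h_{\rho^*(i)}^{-\tilde{s}}\, g^{a\lambda_i} \Big[g^{\gamma_{\rho^*(i)}} \prod_{j\in[1,n^*]} (g^{a^{j}})^{m^*_{i,j}}\Big]^{-s} \\
&= g_1^{\lambda_i} h_{\rho^*(i)}^{-s} h_{\rho^*(i)}^{-\tilde{s}} \\
&= g_1^{\lambda_i} h_{\rho^*(i)}^{-s'}, \quad i \in [1, l^*],
\end{aligned}$$

where implicitly sets $\vec{v} = (s, s_2 + sa, s_3 + sa^{2}, ..., s_{n^*} + sa^{n^*-1})^{T}$, $(\lambda_1, \lambda_2, ..., \lambda_{l^*})^{T} = M^* \cdot \vec{v}$, and $s' = s + \tilde{s}$.

– Computes the commitment of message

$$com^* = g^{H(K_\beta)} h^{H(T e(g^{s}, g^{\alpha'}))}.$$

– Runs the KABFBuild algorithm on access policy $\mathbb{A}^*(M^*_{l^*\times n^*}, \rho^*)$ and gets the corresponding keyed attribute Bloom filter $KABF_{\mathbb{A}^*}$.

– Returns the challenge ciphertext

$$KEC^* = (C^*, c^*, c'^*, \{c_i^*\}_{i\in[1,l^*]}, com^*, M^*_{l^*\times n^*}, KABF_{\mathbb{A}^*}).$$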

• Attribute-key query 2: Same as Attribute-key query 1.

• Guess: $\mathcal{A}$ outputs his guess $\beta'$. If $\beta' = \beta$, $\mathcal{B}$ outputs 1; otherwise 0.

Advantage analysis. The formula derivation attached to the above simulation indicates that the simulation is perfect.

• When $T = e(g, g)^{a^{q+1}s} = D$, the challenge ciphertext $KEC^*$ is a valid ciphertext for $K_\beta$. In this case, $\mathcal{A}$ can carry out effective attacks, and then

$$\Pr[\mathcal{B}(\vec{Y}, D) = 1] = \Pr[\beta = \beta' \mid T = D] = \frac{1}{2} \pm \varepsilon.$$

• When $T = R \neq e(g, g)^{a^{q+1}s}$, the challenge ciphertext $KEC^*$ is a correct ciphertext for random message $\tilde{K} = C^* \cdot Y^{-s}$, independent of $\beta$. In this case, $\mathcal{A}$ is unable to launch any meaningful attacks, and we have

$$\Pr[\mathcal{B}(\vec{Y}, R) = 1] = \Pr[\beta = \beta' \mid T = R] = \frac{1}{2}.$$

So, the advantage of $\mathcal{B}$ in solving the BDHE problem is

$$Adv_{\mathcal{B}} = |\Pr[\mathcal{B}(\vec{Y}, D) = 1] - \Pr[\mathcal{B}(\vec{Y}, R) = 1]| = \frac{1}{2} \pm \varepsilon - \frac{1}{2} = \varepsilon.$$