Definition 1:

Bilinear Diffie-Hellman problem (BDH problem). Let $\mathbb {G}_{1}$ and $\mathbb {G}_{T}$ be the groups of the same prime order $q$ above. Given $(g, g^{c}, g^{b}, g^{a}) \in \mathbb {G}^{4}$ for some $a,b,c \in \mathbb {Z}_{q}^{*}$ , to compute $e(g, g)^{abc}$ . Where $g$ isn’t the identity element of $\mathbb {G}$ and $e: \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_{\mathrm {T}}$ .

Definition 2:

Twin-decision bilinear Diffie-Hellman problem (t-DBDH problem). Given two distributions \begin{align*} D_{0}=&\{g,g^{a},g^{b},g^{c},g^{u},g^{v},e(g,g)^{abc}, \\&e(g,g)^{auv}: a,b,c,u,v \in \mathbb {Z}_{q}\} \\ D_{1}=&\{g,g^{a},g^{b},g^{c},g^{u},g^{v},e(g,g)^{d}, \\&e(g,g)^{w}: a,b,c,d,u,v,w \in \mathbb {Z}_{q}\}\end{align*} View Source\begin{align*} D_{0}=&\{g,g^{a},g^{b},g^{c},g^{u},g^{v},e(g,g)^{abc}, \\&e(g,g)^{auv}: a,b,c,u,v \in \mathbb {Z}_{q}\} \\ D_{1}=&\{g,g^{a},g^{b},g^{c},g^{u},g^{v},e(g,g)^{d}, \\&e(g,g)^{w}: a,b,c,d,u,v,w \in \mathbb {Z}_{q}\}\end{align*} to decide whether $abc\equiv d ~ \mathrm {mod} ~q$ and $auv\equiv w ~ \mathrm {mod} ~q$ hold or not.

Definition 3:

We call an IBEET scheme to be OW-ID-CCA secure, if for all OW-ID-CCA adversaries, $Adv^{OW-ID-CCA}_{\mathrm {IBEET},\mathcal {A}}(k)$ is negligible in the security parameter $k$ .

1) Recall the Ma’s IBEET Scheme

The construction of their scheme is as follows.

• Setup: On input a security parameter $k$ , it works as follows:

  • Produce some public parameters: two multiplicative groups $\mathbb {G},\mathbb {G}_{\mathrm {T}}$ of prime order $p$ , and an admissible bilinear map $e: \mathbb {G}\times \mathbb {G} \rightarrow \mathbb {G}_{\mathrm {T}}$ with a random generator $g\in \mathbb {G}$ . Randomly select three cryptographic hash functions: $H_{1}:\{0,1\}^{*} \rightarrow \mathbb {G},\,\,H_{2}: \mathbb {G}_{\mathrm {T}}\rightarrow \mathbb {G},\,\,H_{3}:\mathbb {G}_{\mathrm {T}} \rightarrow \{0,1\}^{l_{1}+l_{2}}$ , where $l_{1}$ and $l_{2}$ are length of elements in $\mathbb {G}$ and $\mathbb {Z}_{p}$ , respectively.

  • Select random elements $s',s\in \mathbb {Z}_{p}$ and let $g_{1}=g^{s'}$ and $g_{2}=g^{s}$ . Here let $\mathbb {M} \subset \mathbb {G}$ be the message space and $\mathbb {C} \subset \mathbb {G}^{4} \times \{0,1\}^{l_{1}+l_{2}}$ be the ciphertext space. The public system parameters are $K_{\mathrm {IBEET}}=(p,\mathbb {G},\mathbb {G}_{\mathrm {T}},e,g,g_{1},\,\,g_{2},\,\,H_{1}, H_{2},H_{3})$ . The master key $msk$ is $(s',s) \in \mathbb {Z}_{p}^{2}$ .

• Extract: On input an identity $ID \in \{0,1\}^{*}$ , it works as follows:

  • Firstly calculate $h_{ID}=H_{1}(ID)\in \mathbb {G}$ , and then calculate $sk_{ID}=(h^{s'}_{ID},h^{s}_{ID})$ as the private key, where $(s',s)$ is the master key.

• Trapdoor: On input an identity $ID \in \{0,1\}^{*}$ , it works as follows:

  • Firstly calculate $h_{ID}=H_{1}(ID)\in \mathbb {G}$ , then set the trapdoor $td_{ID}=h^{s'}_{ID}$ , which is the first element of $sk_{ID}$ .

• Enc: On input a message $M \in \mathbb {G}$ and an identity $ID$ , it works as follows:

  • Firstly calculate $h_{ID}=H_{1}(ID)\in \mathbb {G}$ , and randomly pick three elements $r_{1},r_{2},r_{3}\in \mathbb {Z}_{p}$ ;

  • Set the ciphertext to be $C=(C_{1},C_{2},C_{3},C_{4},C_{5})$ , where \begin{align*} C_{1}=&g^{r_{1}},\quad C_{2}=g^{r_{2}},~C_{4}=g^{r_{3}}, \\ C_{3}=&M^{r_{1}}H_{2}(U_{1}^{r_{2}}),\quad C_{5}=(M||r_{1})\oplus H_{3}(U_{2}^{r_{3}}),\end{align*} View Source\begin{align*} C_{1}=&g^{r_{1}},\quad C_{2}=g^{r_{2}},~C_{4}=g^{r_{3}}, \\ C_{3}=&M^{r_{1}}H_{2}(U_{1}^{r_{2}}),\quad C_{5}=(M||r_{1})\oplus H_{3}(U_{2}^{r_{3}}),\end{align*} and where \begin{equation*} U_{1}=e(h_{ID},g_{1})\in \mathbb {G}_{\mathrm {T}},\quad U_{2} = e(h_{ID},g_{2})\in \mathbb {G}_{\mathrm {T}}.\end{equation*} View Source\begin{equation*} U_{1}=e(h_{ID},g_{1})\in \mathbb {G}_{\mathrm {T}},\quad U_{2} = e(h_{ID},g_{2})\in \mathbb {G}_{\mathrm {T}}.\end{equation*}

• Dec($C,sk_{ID}$ ): On input ciphertext $C$ and the private key $sk_{ID}=(h^{s'}_{ID},h^{s}_{ID})$ , where $C=(C_{1},C_{2},C_{3},C_{4},C_{5})\in \mathbb {C}$ is a ciphertext encrypted by using the identity $ID$ , the algorithm firstly calculates \begin{equation*} C_{5} \oplus H_{3}(e(h_{ID}^{s},C_{4}))=M||r_{1},\end{equation*} View Source\begin{equation*} C_{5} \oplus H_{3}(e(h_{ID}^{s},C_{4}))=M||r_{1},\end{equation*} and then it outputs $M$ if the following equalities hold.\begin{equation*} C_{1}=g^{r_{1}},\frac {C_{3}}{M^{r_{1}}}=H_{2}(e(h_{ID}^{s'},C_{2}))\end{equation*} View Source\begin{equation*} C_{1}=g^{r_{1}},\frac {C_{3}}{M^{r_{1}}}=H_{2}(e(h_{ID}^{s'},C_{2}))\end{equation*} Otherwise, it outputs $``\bot ''$ .

• Test($C_{A},td_{ID_{A}},C_{B},td_{ID_{B}}$ ): On input ciphertexts $C_{A},~C_{B}$ and corresponding trapdoors $td_{ID_{A}},~td_{ID_{B}}$ respectively, to determine whether plaintexts $M_{A}$ and $M_{B}$ are equal or not, where \begin{equation*} C_{A}=(C_{A,1},C_{A,2},C_{A,3},C_{A,4},C_{A,5})=\mathrm {Enc}(M_{A},ID_{A})\end{equation*} View Source\begin{equation*} C_{A}=(C_{A,1},C_{A,2},C_{A,3},C_{A,4},C_{A,5})=\mathrm {Enc}(M_{A},ID_{A})\end{equation*} and \begin{equation*} C_{B}=(C_{B,1},C_{B,2},C_{B,3},C_{B,4},C_{A,5})=\mathrm {Enc}(M_{B},ID_{B}),\end{equation*} View Source\begin{equation*} C_{B}=(C_{B,1},C_{B,2},C_{B,3},C_{B,4},C_{A,5})=\mathrm {Enc}(M_{B},ID_{B}),\end{equation*} $td_{ID_{A}}=h^{s'}_{ID_{A}}$ and $td_{ID_{B}}=h^{s'}_{ID_{B}}$ . It firstly computes:\begin{equation*} X_{A}=\frac {C_{A,3}}{H_{2}(e(h^{s'}_{ID_{A}},C_{A,2}))}, \quad X_{B}=\frac {C_{B,3}}{H_{2}(e(h^{s'}_{ID_{B}},C_{B,2}))},\end{equation*} View Source\begin{equation*} X_{A}=\frac {C_{A,3}}{H_{2}(e(h^{s'}_{ID_{A}},C_{A,2}))}, \quad X_{B}=\frac {C_{B,3}}{H_{2}(e(h^{s'}_{ID_{B}},C_{B,2}))},\end{equation*} and then it outputs “1” if the equation \begin{equation*} e(C_{A,1},X_{B})=e(C_{B,1},X_{A})\end{equation*} View Source\begin{equation*} e(C_{A,1},X_{B})=e(C_{B,1},X_{A})\end{equation*} holds; otherwise it outputs “0”.

2) Insecurity of Ma’s Scheme

Next, we will show that the IBEET scheme doesn’t satisfy the above OW-ID-CCA security, which was firstly defined in paper [11]. From the definition of the OW-ID-CCA attack, at any time any adversary can have access to the trapdoor oracle to obtain the trapdoor of any identity including the challenge identity $ID^{*}$ . That is to say, at least the adversary can get $td_{ID^{*}}=h^{s'}_{ID^{*}}$ before guess stage in the attack game. When the adversary knows the challenge identity $ID^{*}$ and the challenge ciphertext $C^{*}=(C_{1}^{*},C_{2}^{*},C_{3}^{*},C_{4}^{*},C_{5}^{*})$ , it conducts as follows.

• When the adversary obtains the challenge $(ID^{*}, C^{*})$ , she/he checks whether the challenge identity $ID^{*}$ is listed in trapdoor queries or not. It can get $td_{ID^{*}}=h^{s'}_{ID^{*}}$ by having access to the trapdoor queries before the guess stage if it is not listed in previous trapdoor queries (A better and easier way to do it is to pick the challenge identity from the list of trapdoor queries in the phase 1. Because the challenge identity is chosen by the adversary.).

• Secondly, the adversary calculates \begin{equation*} V^{*}=\frac {C_{3}^{*}}{H_{2}(e(h_{ID^{*}}^{s'},C_{2}^{*}))},\end{equation*} View Source\begin{equation*} V^{*}=\frac {C_{3}^{*}}{H_{2}(e(h_{ID^{*}}^{s'},C_{2}^{*}))},\end{equation*} and randomly selects $r \in \mathbb {Z}_{p}^{*}$ to set $C_{2}= (C_{2}^{*})^{r}$ . The adversary checks whether $C_{2}$ is a part of a ciphertext having been on the list of decryption queries and encrypted by the identity $ID^{*}$ . If it is on the list of decryption queries, then repeats above step (renew the random number $r$ ); otherwise, the adversary calculates \begin{equation*} C_{3} = V^{*}H_{2}(e(h_{ID^{*}}^{s'},(C_{2}^{*})^{r})).\end{equation*} View Source\begin{equation*} C_{3} = V^{*}H_{2}(e(h_{ID^{*}}^{s'},(C_{2}^{*})^{r})).\end{equation*}

• Thirdly, the adversary modifies the challenge ciphertext $C^{*}$ and continues to perform the chosen ciphertext attack as follows. The adversary firstly sets \begin{align*} C_{1}'=&C_{1}^{*},\quad C_{2}'= C_{2},~C_{3}'=C_{3}, \\ C_{4}'=&C_{4}^{*},\quad C_{5}'=C_{5}^{*},\end{align*} View Source\begin{align*} C_{1}'=&C_{1}^{*},\quad C_{2}'= C_{2},~C_{3}'=C_{3}, \\ C_{4}'=&C_{4}^{*},\quad C_{5}'=C_{5}^{*},\end{align*} and then submits $C'=(C_{1}',C_{2}',C_{3}',C_{4}',C_{5}')\,\,C'=(C_{1}',C_{2}',C_{3}',C_{4}',C_{5}')$ with the identity $ID^{*}$ to the decryption queries as a ciphertext. The challenge responds $M'$ if the “ciphertext” $C'$ is a valid ciphertext; otherwise it responds $``\bot ''$ .

• Finally, the adversary outputs $M^{*}(=M')$ as a plaintext of the challenge ciphertext $C^{*}$ and the challenge identity $ID^{*}$ .

\begin{equation*} C_{2}'= C_{2}= (C_{2}^{*})^{r} \neq C_{2}^{*}.\end{equation*} View Source\begin{equation*} C_{2}'= C_{2}= (C_{2}^{*})^{r} \neq C_{2}^{*}.\end{equation*}

\begin{equation*} C'_{5} \oplus H_{3}(e(h_{ID^{*}}^{s},C'_{4}))=M'||r_{1}'.\end{equation*} View Source\begin{equation*} C'_{5} \oplus H_{3}(e(h_{ID^{*}}^{s},C'_{4}))=M'||r_{1}'.\end{equation*}

\begin{align*} C_{1}'=&g^{r_{1}'}\quad \mathrm {and} \\ \frac {C'_{3}}{M'^{r'_{1}}}=&\frac {\frac {C_{3}^{*}}{H_{2}(e(h_{ID^{*}}^{s'},C_{2}^{*}))}H_{2}(e(h_{ID^{*}}^{s'},(C_{2}^{*})^{r}))}{M'^{r'_{1}}} \\=&H_{2}(e(h_{ID^{*}}^{s'},C'_{2})).\end{align*} View Source\begin{align*} C_{1}'=&g^{r_{1}'}\quad \mathrm {and} \\ \frac {C'_{3}}{M'^{r'_{1}}}=&\frac {\frac {C_{3}^{*}}{H_{2}(e(h_{ID^{*}}^{s'},C_{2}^{*}))}H_{2}(e(h_{ID^{*}}^{s'},(C_{2}^{*})^{r}))}{M'^{r'_{1}}} \\=&H_{2}(e(h_{ID^{*}}^{s'},C'_{2})).\end{align*}

Therefore, the IBEET scheme is not OW-ID-CCA secure.

Definition 4:

The CP-ABEET scheme is selectively IND-CPA secure if the advantage of any polynomial-time adversary is negligible in security parameter $k$ in the above game.

1) Recall the CP-ABEET Scheme

• Setup($1^{k})$ : On input a security parameter $k$ , produce $Param$ and the master key $MSK$ as follows.

  • Generate two bilinear groups $\mathbb {G},\mathbb {G}_{\mathrm {T}}$ with the same prime order $p$ , and generate a random generator $g \in \mathbb {G}$ . A map $e: \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_{\mathrm {T}}$ is a bilinear map.

  • Select two hash functions $H_{1}: \mathbb {G}_{\mathrm {T}} \rightarrow \mathbb {G} \times \mathbb {Z}_{p},\,\,H_{2}: \mathbb {G}_{\mathrm {T}} \rightarrow \mathbb {G}$ .

  • Randomly choose $N$ elements $r_{1}, \cdots, r_{N} \in \mathbb {Z}_{p}$ and calculate $R_{i} = g^{r_{i}}$ for $i= 1$ to $N$ . Where $N$ is the number of system attributes.

  • Randomly choose $\alpha, \alpha ', \gamma _{1}, \gamma _{2}, \gamma _{3} \in \mathbb {Z}_{p}$ and $W_{1},W_{2} \in \mathbb {G}$ and calculate \begin{align*} u_{1}=&e(g,W_{2})^{\alpha \gamma _{1}}e(g,W_{1})^{\alpha \gamma _{1}}, \\ v_{1}=&e(g,W_{2})^{\alpha \gamma _{2}}e(g,W_{1})^{\alpha \gamma _{2}}, \\ u_{2}=&e(g,W_{2})^{\alpha '\gamma _{1}}e(g,W_{1})^{\alpha '\gamma _{1}}, \\ v_{2}=&e(g,W_{2})^{\alpha '\gamma _{3}}e(g,W_{1})^{\alpha '\gamma _{3}}.\end{align*} View Source\begin{align*} u_{1}=&e(g,W_{2})^{\alpha \gamma _{1}}e(g,W_{1})^{\alpha \gamma _{1}}, \\ v_{1}=&e(g,W_{2})^{\alpha \gamma _{2}}e(g,W_{1})^{\alpha \gamma _{2}}, \\ u_{2}=&e(g,W_{2})^{\alpha '\gamma _{1}}e(g,W_{1})^{\alpha '\gamma _{1}}, \\ v_{2}=&e(g,W_{2})^{\alpha '\gamma _{3}}e(g,W_{1})^{\alpha '\gamma _{3}}.\end{align*}

  • Set the public parameter $Param = (\mathbb {G},\,\,\mathbb {G}_{\mathrm {T}},\,\,g,\,\,p,\,\,e,\,\,g^{\alpha },\,\,g^{\alpha '},\,\,W_{1},\,\,W_{2},\,\,u_{1},\,\,u_{2},\,\,v_{1},\,\,v_{2},\,\,R_{1},\,\,\cdots,\,\,R_{N},\,\,H_{1},\,\,H_{2})$ and keep the master key $MSK = (\alpha,~\alpha ',~r_{1},~\cdots,~r_{N},~\gamma _{1},~\gamma _{2},~\gamma _{3})$ secret.

• Enc(M, Param, S, S’): On input a message $M$ , public parameter $Param$ and an access policy $W$ , which contains: $l_{1} \leq L_{1}$ wildcards occur at positions $J = \{\omega _{1},\cdots, \omega _{l_{1}}\},\,\,l_{2} \leq L_{2}$ positive attributes occur at positions $X = \{x_{1},\cdots, x_{l_{2}}\}$ , and $l_{3} \leq L_{3}$ negative attributes occur at positions $Y = \{y_{1},\cdots, y_{l_{3}}\}$ . By means of the Viéte’s formulas, for the wildcard position $\{\omega _{k}\}_{1, \cdots, l_{1}}$ in access structure, compute $a_{\omega _{k}}$ and set $t_{\omega } = \sum _{k=0}^{l_{1}}a_{\omega _{k}}$ . This algorithm creates the cipheretext $CT$ as follows.

  • Randomly pick $z, z_{1}, z_{2}, \in \mathbb {Z}_{p}$ and calculate \begin{align*} C_{0}=&H_{1}(u_{1}^{z_{1}}v_{1}^{z_{2}}) \oplus M\|z,\quad C_{1} = M^{z} H_{2}(u_{2}^{z_{1}}v_{2}^{z_{2}}), \\[-3pt] C_{2}=&g^{\frac {\alpha z_{1}}{t_{\omega }}},\quad C_{3} = g^{\frac {z_{2}}{t_{\omega }}},~C'_{2} = g^{\frac {\alpha ' z_{1}}{t_{\omega }}},~C'_{3} = g^{z}, \\[-3pt] C_{4}=&\left({W_{1} \prod _{i \in X}R_{i}^{\frac {\prod _{k=0}^{l_{1}}(i-\omega _{k})}{t_{\omega }}}}\right)^{z_{1}+z_{2}}, \\[-6pt] C_{5}=&\left({W_{2} \prod _{i \in Y}R_{i}^{\frac {\prod _{k=0}^{l_{1}}(i-\omega _{k})}{t_{\omega }}}}\right)^{z_{1}+z_{2}}.\end{align*} View Source\begin{align*} C_{0}=&H_{1}(u_{1}^{z_{1}}v_{1}^{z_{2}}) \oplus M\|z,\quad C_{1} = M^{z} H_{2}(u_{2}^{z_{1}}v_{2}^{z_{2}}), \\[-3pt] C_{2}=&g^{\frac {\alpha z_{1}}{t_{\omega }}},\quad C_{3} = g^{\frac {z_{2}}{t_{\omega }}},~C'_{2} = g^{\frac {\alpha ' z_{1}}{t_{\omega }}},~C'_{3} = g^{z}, \\[-3pt] C_{4}=&\left({W_{1} \prod _{i \in X}R_{i}^{\frac {\prod _{k=0}^{l_{1}}(i-\omega _{k})}{t_{\omega }}}}\right)^{z_{1}+z_{2}}, \\[-6pt] C_{5}=&\left({W_{2} \prod _{i \in Y}R_{i}^{\frac {\prod _{k=0}^{l_{1}}(i-\omega _{k})}{t_{\omega }}}}\right)^{z_{1}+z_{2}}.\end{align*}

  • Set $CT =(C_{0},C_{1},C_{2},C_{3},C_{4},C_{5},C'_{2},C'_{3},J)$ as the ciphertext.

• KeyGen(Param, MSK, AL): On input the public parameter $Param$ , the master key $MSK$ and a set of attributes $AL$ which contains: $l_{2} (\leq L_{2})$ positive attributes appear at positions $X = \{x'_{1}, \cdots, x'_{l_{2}}\},\,\,l_{3} \leq L_{3}$ negative attributes appear at positions $Y' = (y'_{1}, \cdots, y'_{l_{3}}\}$ . By means of the Viète’s formula, for all positive positions $\{x'_{i}\}_{i \in \{1, \cdots, l_{2}\}}$ and negative positions $\{y'_{i}\}_{i \in \{1, \cdots, l_{3}\}}$ , compute $\{a_{x'_{i}}\},~\{a_{y'_{i}}\}$ and set $t'_{x} = \sum _{k=0}^{l_{2}}a_{x'},\,\,t'_{y} = \sum _{k=0}^{l_{3}}a_{y'}$ . This algorithm produces the decryption secret key SK as follows:

  • Select a random element $s \in \mathbb {Z}_{p}$ , calculate $s_{1} = \gamma _{1} + s,\,\,s_{2} = \gamma _{2} + s,\,\,s_{3} = \gamma _{3} + s$ and generate the decryption secret key as follows.\begin{align*} sk_{1}=&g^{\frac {\alpha s}{t'_{x}}}, \quad sk_{2} = g^{\frac {\alpha s}{t'_{y}}}, ~sk'_{1} = g^{\frac {\alpha ' s}{t'_{x}}}, ~sk'_{2} = g^{\frac {\alpha ' s}{t'_{y}}}, \\[-4pt] sk_{3}=&\{sk_{3,0},sk_{3,1},\cdots, sk_{3,L_{1}}\},\end{align*} View Source\begin{align*} sk_{1}=&g^{\frac {\alpha s}{t'_{x}}}, \quad sk_{2} = g^{\frac {\alpha s}{t'_{y}}}, ~sk'_{1} = g^{\frac {\alpha ' s}{t'_{x}}}, ~sk'_{2} = g^{\frac {\alpha ' s}{t'_{y}}}, \\[-4pt] sk_{3}=&\{sk_{3,0},sk_{3,1},\cdots, sk_{3,L_{1}}\},\end{align*} where $sk_{3,i} = W_{1}^{s_{1}}\prod _{j \in X'}g^{sr_{j}j^{i}},\,\,i$ from 0 to $L_{1}$ ;\begin{equation*} sk'_{3} = \{sk'_{3,0},sk'_{3,1},\cdots, sk'_{3,L_{1}}\},\end{equation*} View Source\begin{equation*} sk'_{3} = \{sk'_{3,0},sk'_{3,1},\cdots, sk'_{3,L_{1}}\},\end{equation*} where $sk'_{3,i} = W_{1}^{\alpha s_{2}}\prod _{j \in X'}g^{\alpha sr_{j}j^{i}},\,\,i$ from 0 to $L_{1}$ ;\begin{equation*} sk''_{3} = \{sk''_{3,0},sk''_{3,1},\cdots, sk''_{3,L_{1}}\},\end{equation*} View Source\begin{equation*} sk''_{3} = \{sk''_{3,0},sk''_{3,1},\cdots, sk''_{3,L_{1}}\},\end{equation*} where $sk''_{3,i} = W_{1}^{\alpha ' s_{3}}\prod _{j \in X'}g^{\alpha ' sr_{j}j^{i}},\,\,i$ from 0 to $L_{1}$ ;\begin{equation*} sk_{4} = \{sk_{4,0},sk_{4,1},\cdots, sk_{4,L_{1}}\},\end{equation*} View Source\begin{equation*} sk_{4} = \{sk_{4,0},sk_{4,1},\cdots, sk_{4,L_{1}}\},\end{equation*} where $sk_{4,i} = W_{2}^{s_{1}}\prod _{j \in Y'}g^{sr_{j}j^{i}},\,\,i$ from 0 to $L_{1}$ ;\begin{equation*} sk'_{4} = \{sk'_{4,0},sk'_{4,1},\cdots, sk'_{4,L_{1}}\},\end{equation*} View Source\begin{equation*} sk'_{4} = \{sk'_{4,0},sk'_{4,1},\cdots, sk'_{4,L_{1}}\},\end{equation*} where $sk'_{4,i} = W_{2}^{\alpha s_{2}}\prod _{j \in Y'}g^{\alpha sr_{j}j^{i}},\,\,i$ from 0 to $L_{1}$ ;\begin{equation*} sk''_{4} = \{sk''_{4,0},sk''_{4,1},\cdots, sk''_{4,L_{1}}\},\end{equation*} View Source\begin{equation*} sk''_{4} = \{sk''_{4,0},sk''_{4,1},\cdots, sk''_{4,L_{1}}\},\end{equation*} where $sk''_{4,i} = W_{2}^{\alpha ' s_{3}}\prod _{j \in Y'}g^{\alpha ' sr_{j}j^{i}},\,\,i$ from 0 to $L_{1}$ . Set $SK = (sk_{1},sk_{2},sk'_{1},sk'_{2},sk_{3},sk'_{3},sk''_{3},sk_{4},sk'_{4},sk''_{4})$ as the decryption key.

• Trapdoor($Param, AL, SK$ ): On input the public parameter $Param$ , a set of attributes $AL$ and the decryption secret key $SK$ , output a trapdoor $TD = $ \begin{equation*} (td_{1}, td_{2},(td_{3,i},td'_{3,i},td_{4,i},td'_{4,i})_{i \in [{0,L_{1}}]}),\end{equation*} View Source\begin{equation*} (td_{1}, td_{2},(td_{3,i},td'_{3,i},td_{4,i},td'_{4,i})_{i \in [{0,L_{1}}]}),\end{equation*} where $td_{1} = sk'_{1},\,\,td_{2}\,\,td_{3,i} = sk_{3,i},\,\,td'_{3,i} = sk''_{3,i},\,\,td_{4,i} = sk_{4,i},\,\,td'_{4,i} = sk''_{4,i}$ , for $i= 0$ to $L_{1}$ .

• Dec($CT,SK, S,S'$ ): On input the ciphertext $CT$ and the decryption secret key $SK$ , compute the plaintext as follows.\begin{align*} V_{1}=&\frac {e\left({\prod _{j=1}^{l_{1}}sk_{3,j}^{a_{\omega _{j}}},C_{2}}\right) e\left({\prod _{j=1}^{l_{1}}(sk'_{3,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk_{1},C_{4})^{t_{x'}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}sk_{4,j}^{a_{\omega _{j}}},C_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk'_{4,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk_{2},C_{5})^{t_{y'}}}, \\ V_{2}=&\frac {e\left({\prod _{j=1}^{l_{1}}sk_{3,j}^{a_{\omega _{j}}},C'_{2}}\right) e\left({\prod _{j=1}^{l_{1}}(sk''_{3,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{1},C_{4})^{t_{x'}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}sk_{4,j}^{a_{\omega _{j}}},C_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk''_{4,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{2},C_{5})^{t_{y'}}}, \\ M\|z=&H_{1}(V_{1})\oplus C_{0}.\end{align*} View Source\begin{align*} V_{1}=&\frac {e\left({\prod _{j=1}^{l_{1}}sk_{3,j}^{a_{\omega _{j}}},C_{2}}\right) e\left({\prod _{j=1}^{l_{1}}(sk'_{3,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk_{1},C_{4})^{t_{x'}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}sk_{4,j}^{a_{\omega _{j}}},C_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk'_{4,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk_{2},C_{5})^{t_{y'}}}, \\ V_{2}=&\frac {e\left({\prod _{j=1}^{l_{1}}sk_{3,j}^{a_{\omega _{j}}},C'_{2}}\right) e\left({\prod _{j=1}^{l_{1}}(sk''_{3,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{1},C_{4})^{t_{x'}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}sk_{4,j}^{a_{\omega _{j}}},C_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk''_{4,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{2},C_{5})^{t_{y'}}}, \\ M\|z=&H_{1}(V_{1})\oplus C_{0}.\end{align*} If $C'_{3}= g^{z}$ and $H_{2}(V_{2}) = \frac {C_{1}}{M^{z}}$ , then output the plaintext $M$ . Here all $a_{k}$ above are coefficients in the unfolding polynomial $\prod _{k=0}^{l_{1}}(i-\omega _{k})$ .

• Test$(CT_{A}, CT_{B}, TD_{A}, TD_{B}, S')$ : On input two ciphertexts $CT_{A},~CT_{B}$ and the corresponding trapdoors $TD_{A},~TD_{B}$ , respectively. This algorithm decides that the planitexts $M_{A}$ and $M_{B}$ are equal or not as follows.

  Compute \begin{align*} Q'_{A}=&\frac {e\left({\prod _{j=1}^{l_{1}}td_{3,j,A}^{a_{\omega _{j},A}},C'_{2,A}}\right)e\left({\prod _{j=1}^{l_{1}}(td'_{3,j,A})^{a_{\omega _{j},A}},C_{3,A}}\right)}{e(td_{1,A},C_{4,A})^{t_{x'_{A}}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}td_{4,j,A}^{a_{\omega _{j},A}},C'_{2,A}}\right)e\left({\prod _{j=1}^{l_{1}}\!(td'_{4,j,A}) ^{a_{\omega _{j},A}},\!C_{3,A}}\right)}{e(td_{2,A},C_{5,A})^{t_{y'_{A}}}}, \\ Q_{A}=&\frac {C_{1,A}}{H_{2}(Q'_{A})}. \\ Q'_{B}=&\frac {e\left({\prod _{j=1}^{l_{1}}td_{3,j,B}^{a_{\omega _{j},B}},C'_{2,B}}\right)e\left({\prod _{j=1}^{l_{1}}(td'_{3,j,B})^{a_{\omega _{j},B}},C_{3,B}}\right)}{e(td_{1,B},C_{4,B})^{t_{x'_{B}}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}td_{4,j,B}^{a_{\omega _{j},B}},C'_{2,B}}\right) e\left({\prod _{j=1}^{l_{1}}\!(td'_{4,j,B})^{a_{\omega _{j},B}},\!C_{3,B}}\right)}{e(td_{2,B},C_{5,B})^{t_{y'_{B}}}}, \\ Q_{B}=&\frac {C_{1,B}}{H_{2}(Q'_{B})}.\end{align*} View Source\begin{align*} Q'_{A}=&\frac {e\left({\prod _{j=1}^{l_{1}}td_{3,j,A}^{a_{\omega _{j},A}},C'_{2,A}}\right)e\left({\prod _{j=1}^{l_{1}}(td'_{3,j,A})^{a_{\omega _{j},A}},C_{3,A}}\right)}{e(td_{1,A},C_{4,A})^{t_{x'_{A}}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}td_{4,j,A}^{a_{\omega _{j},A}},C'_{2,A}}\right)e\left({\prod _{j=1}^{l_{1}}\!(td'_{4,j,A}) ^{a_{\omega _{j},A}},\!C_{3,A}}\right)}{e(td_{2,A},C_{5,A})^{t_{y'_{A}}}}, \\ Q_{A}=&\frac {C_{1,A}}{H_{2}(Q'_{A})}. \\ Q'_{B}=&\frac {e\left({\prod _{j=1}^{l_{1}}td_{3,j,B}^{a_{\omega _{j},B}},C'_{2,B}}\right)e\left({\prod _{j=1}^{l_{1}}(td'_{3,j,B})^{a_{\omega _{j},B}},C_{3,B}}\right)}{e(td_{1,B},C_{4,B})^{t_{x'_{B}}}} \\&\times \frac {e\left({\prod _{j=1}^{l_{1}}td_{4,j,B}^{a_{\omega _{j},B}},C'_{2,B}}\right) e\left({\prod _{j=1}^{l_{1}}\!(td'_{4,j,B})^{a_{\omega _{j},B}},\!C_{3,B}}\right)}{e(td_{2,B},C_{5,B})^{t_{y'_{B}}}}, \\ Q_{B}=&\frac {C_{1,B}}{H_{2}(Q'_{B})}.\end{align*} and if $e(Q_{B},C'_{3,A}) = e(Q_{A},C'_{3,B})$ it outputs 1; Otherwise, it outputs 0.

2) The CP-ABEET Scheme ISN’t Secure for IND-CPA

Now, we analyze the IND-CPA security of the CP-ABEET scheme.

From the definition of $GAME~2$ , we know that any adversary $\mathcal {A}$ selects the challenge messages $M_{0}$ and $M_{1}$ and obtains the challenge ciphertext $CT^{*}$ which is a ciphertext of $M_{0}$ or $M_{1}$ . Next, the adversary $\mathcal {A}$ continues to make trapdoor query get the trapdoor $TD$ of the attribute set $AL$ satisfying the access structure $W$ . This is important to our attack. The adversary uses $TD$ and $CT^{*}$ to compute \begin{align*}&\hspace {-1pc}V= \frac {e\left({\prod _{j=1}^{l_{1}}sk_{3,j}^{a_{\omega _{j}}},C'_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk''_{3,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{1},C_{4})^{t_{x'}}} \\&\qquad \qquad \qquad \quad \times \frac {e\left({\prod _{j=1}^{l_{1}}sk_{4,j}^{a_{\omega _{j}}},C_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk''_{4,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{2},C_{5})^{t_{y'}}},\end{align*} View Source\begin{align*}&\hspace {-1pc}V= \frac {e\left({\prod _{j=1}^{l_{1}}sk_{3,j}^{a_{\omega _{j}}},C'_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk''_{3,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{1},C_{4})^{t_{x'}}} \\&\qquad \qquad \qquad \quad \times \frac {e\left({\prod _{j=1}^{l_{1}}sk_{4,j}^{a_{\omega _{j}}},C_{2}}\right)e\left({\prod _{j=1}^{l_{1}}(sk''_{4,j})^{a_{\omega _{j}}},C_{3}}\right)}{e(sk'_{2},C_{5})^{t_{y'}}},\end{align*} and \begin{equation*} X_{M_{b}} = \frac {C_{1}}{H_{2}(V)}.\end{equation*} View Source\begin{equation*} X_{M_{b}} = \frac {C_{1}}{H_{2}(V)}.\end{equation*} Then, the adversary verifies the following equality.\begin{equation*} e(X_{M_{b}}, g) \stackrel {?}{=} e(M_{0}, C'_{3})\end{equation*} View Source\begin{equation*} e(X_{M_{b}}, g) \stackrel {?}{=} e(M_{0}, C'_{3})\end{equation*} If the equality holds, the adversary outputs $M_{0}$ ; otherwise, it outputs $M_{1}$ .

Obviously, if the challenge ciphertext $CT^{*}$ is a valid ciphertext and the trapdoor $TD$ is valid, then the value of $V$ is correct and such that \begin{equation*} M_{b}^{z} = X_{M_{b}} = \frac {C_{1}}{H_{2}(V)}.\end{equation*} View Source\begin{equation*} M_{b}^{z} = X_{M_{b}} = \frac {C_{1}}{H_{2}(V)}.\end{equation*}

Since \begin{equation*} e(X_{M_{b}}, g) = e(M_{b}^{z}, g) = e(M_{b}, g^{z}),\end{equation*} View Source\begin{equation*} e(X_{M_{b}}, g) = e(M_{b}^{z}, g) = e(M_{b}, g^{z}),\end{equation*} while \begin{equation*} e(M_{0}, C'_{3})= e(M_{0}, g^{z}).\end{equation*} View Source\begin{equation*} e(M_{0}, C'_{3})= e(M_{0}, g^{z}).\end{equation*} Thus, the equality $e(X_{M_{b}}, g) = e(M_{0}, C'_{3})$ holding means $M_{b} = M_{0}$ ; otherwise, it means $M_{b} = M_{1}$ .

Thus, the attack can show that the CP-ABEET scheme isn’t IND-CPA secure.