An efficient and secure attribute based signcryption scheme with LSSS access structure

Abstract

Attribute based encryption (ABE) and attribute based signature (ABS) provide flexible access control with authentication for data sharing between users, but realizing both functions will bring about too much computation burden. In this paper, we combine the advantages of CP-ABE with ABS and propose a ciphertext policy attribute based signcryption scheme. In our scheme, only legal receivers can decrypt the ciphertext and verify the signature signed by data owner. Furthermore, we use linear secret sharing scheme instead of tree structure to avoid the frequent calls of recursive algorithm. By security and performance analysis, we prove that our scheme is secure as well as gains higher efficiency.

Background

The notion of attribute based encryption (ABE) was first proposed by Sahai and Waters (2005). Since then, many typical ABE (Goyal et al. 2006; Waters 2011; Lewko et al. 2010; Goyal et al. 2008; Tian and Peng 2014) schemes have been proposed. In ABE, user’s access privileges are described by a set of attributes instead of a single identity string. A user can get access to the ciphertext only if his attributes satisfy with the policy which is set by the data owner. Due to its capability of providing fine-grained and flexible access control, ABE appears to be a promising tool for data encryption and data sharing between users. Attribute based signature (ABS) has been developed as a primitive to solve the data authentication problem of ABE, which was first introduced (Guo and Zeng 2008) in 2008. In ABS mechanisms (Maji et al. 2011), a signer can sign a message with the private key component corresponds with the attributes he processes. The signature can be verified to a certain set of attributes or an attribute access structure of which the data owner claims.

The notion of signcryption (Zheng 1997; Lim and Lee 1998; Tan 2008; Selvi et al. 2008) can be introduced to attribute based cryptography to present attribute based signcryption schemes. Signcryption (Paulo et al. 2005; Li and Khan 2012) is a single logical step to complete the function of both signature and encryption at the same time, thus it achieves better efficiency then the traditional sign-then-encryption method. However, research on attribute based signcryption has not been received much attention from academia. Wang and Huang (2011) proposed a signcryption scheme from pairings. Their scheme provides the same functions of encryption and authentication and is proved to be more efficient than the simply combination of “CP-ABE + CP-ABS”. Hu and Zhang (2013) proposed a fuzzy attribute based signcryption and apply it in the BAN (Body area network). Their scheme is a novel security mechanism and achieves outstand performance. However, the proposed (Wang and Huang 2011; Hu and Zhang 2013) schemes are based on the tree structure (Bethencourt et al. 2007) and threshold structure, which need frequent calls of recursive algorithm for the purpose of recovering the secret encryption component. Thus this will bring about external computation overhead.

To better improve the efficiency of attribute based signcryption scheme, in this paper, we propose an improved ciphertext policy attribute based signcryption scheme. We use LSSS structure (Beimel 1996) instead of access tree structure to avoid the frequent calls of recursive algorithm. By security and performance analysis, we prove that our scheme is secure as well as achieves higher efficiency.

Preliminaries

Bilinear pairings

Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$. Let g be a generator of $G_1$. A bilinear pairing $\widehat{e}$: $G_1\times G_1\to G_2$, $G_2$ has these features:

Bilinearity: for $a,b\in Z_q$, we have $\widehat{e}\left(g^a,g^b\right)=\widehat{e}{\left(g,g\right)}^{ab}$.

Non-degeneracy: for any $g\in G_1$, $\widehat{e}\left(g,g\right)\ne 1$.

Computability: the value of $\widehat{e}\left(u,v\right)$ can be computed for any $u,v\in G_1$.

Hardness assumption

Discrete logarithm assumption (DL)

Given $P,Q\in G_1,$ no probabilistic polynomial-time (PPT) algorithm can find an integer $n\in Z_q^{\ast }$ such that $Q=P^n$ with non-negligible probability.

Decision bilinear Diffie–Hellman problem (DBDH)

For $a,b,c,z\in Z_q^{\ast }$, given $\{g,g^a,g^b,g^c,z\}$, no probabilistic polynomial-time (PPT) algorithm can distinguish the following tuples $\left\{A=g^a,B=g^b,C=g^c,\widehat{e}{\left(g,g\right)}^{abc}\right\}$ and $\left\{A=g^a,B=g^b,C=g^c,\widehat{e}{\left(g,g\right)}^z\right\}$ with non-negligible probability.

Our model and assumptions

Formulized definitions of our scheme

Our scheme consists of the following algorithms:

Setup On input security parameter, it returns the system public parameter $PK$ and master key $MK$. $PK$ is shared by users while $MK$ is kept private by the private key generator.

$PrivateKeygeneration$ On input the system public key $PK$, the master key $MK$, and an attribute set $\left\{A_i\right\}$, private key generator (PKG) outputs $D_i$ as the user’s attribute private key. To distinguish the role of signers and receivers, in this paper, we define the private key of signer as $D_s$ while the private key of receiver as $D_r$.

$Signcrypt$ This algorithm is run by a signer which takes the systems public parameter $PK$, a plaintext $M$, signer’s private key $D_s$ and an access structure as input. Then it outputs the ciphertext $CT\left\{U,V,E\right\}$.

$De\text{-}signcrypt$ This algorithm is run by the receiver. The algorithm takes as input the ciphertext $CT\left\{U,V,E\right\}$ and the receiver’s private key $D_r$, it outputs either the plaintext $M$ or the reject symbol $\perp .$

Security model

Definition 1

Our scheme has the essential confidentiality under chosen plaintext attack in selected model if no $Adversary$ has non-negligible advantage in the challenge game.

$Setup\text{:}Adversary$ claims a challenging attribute set $\mathit{\gamma }$. $Challenger$ runs setup algorithm to obtain $PK$. It sends $PK$ to $Adversary.$

$Adversary$ may make the following queries to $Challenger$.

$Privatekeygenerationquery\text{:}Adversary$ can request the private key of an attribute set (expect for the challenging attribute set).

$Challenge\text{:}Adversary$ chooses two plaintexts $M_0$ and $M_1$. $Challenger$ chooses $\mathit{\mu }\in \left\{0,1\right\}$ randomly and calculates $C^{\ast }=Signcrypt\left\{PK,M_{\mathit{\mu }},D_s\right\}$. Then $Challenger$ sends the result back to $Adversary$.

$Adversary$ cannot ask $Challenger$ for $Privatekeygeneration$ query for the challenging attribute set $\mathit{\gamma }$.

$Adversary$ outputs a value ${\mathit{\mu }}^{\ast }$ as a conjecture of $\mathit{\mu }$. If ${\mathit{\mu }}^{\ast }=\mathit{\mu }$ then $Adversary$ wins the game.

Denote $\left|Pr\left[{\mathit{\mu }}^{\ast }=\mathit{\mu }\right]-\frac{1}{2}\right|$ to be the advantage of $Adversary$.

Definition 2

Our scheme has the existential unforgeability under chosen message attack in the selective model if no $Adversary$ has non-negligible advantage in the challenge game.

$Setup\text{:}Adversary$ claims a challenging attribute set $\mathit{\gamma }$. $Challenger$ takes a security parameter and runs setup procedure to obtain the system parameters. It sends the $PK$ to $Adversary$.

$Privatekeygenerationquery\text{:}Adversary$ can request the private key of an attribute set (expect for the challenging attribute set).

$Signcryptquery\text{:}Adversary$ chooses an attribute set $\left\{A_i\right\}$, an access structure, a plaintext M. $Challenger$ calculates $D_s$ and runs the signcrypt procedure to calculate the ciphertext $CT=Signcrypt\left\{PK,M,D_i,\mathit{\gamma }\right\}$. After then, $Challenger$ sends $CT$ to $Adversary$.

$Challenge$: $Adversary$ computes a 3-tuple $C{T}^{\ast }\left\{U,V,E\right\},$ while $C{T}^{\ast }\left\{U,V,E\right\}$ was not from a $igncrypt$$query$.

$Challenger$ de-signcrypts the ciphertext by running the $De\text{-}signcrypt\{PK,C{T}^{\ast },D_r$ }.

$Adversary$ wins the game if the output of $De\text{-}signcrypt$ is not $\perp$.

Denote $Adv\left(A\right)=\left|Pr\left[Result=M\right]\right|$ to be the advantage of $Adversary$.

Our contributions to attribute based signcryption scheme

Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$, while g is the generator of $G_1$. Let $\widehat{e}:G_1\times G_1\to G_2$ be a bilinear pairing. Define 2 functions: $H_1,H_2.$ The function $H_1$ associates attributes to rows of access $Matrix$ (the number of rows $\in Z_p^{\ast }$). $H_2:{\left\{0,1\right\}}^n\to Z_p^{\ast }$.

$Setup$ PKG randomly chooses ${\mathit{\alpha }}_i\in Z_p^{\ast }$ for each attribute $i$ in the system. Besides, PKG chooses another secret number $\mathit{\alpha }\in Z_p^{\ast }.$ The system outputs the system master keys $\left\{g^{\mathit{\alpha }},{\mathit{\alpha }}_i\right\}$, public parameters $\left\{\widehat{e}{\left(g,g\right)}^{\mathit{\alpha }},\widehat{e}{\left(g,g\right)}^{{\mathit{\alpha }}_i{H}_1\left(i\right)},H_1,H_2,G_1,G_2,p,g\right\}$.

$Privatekeygeneration$ For signer’s attribute set $\left\{A_j\right\}$, PKG chooses $u\in Z_p^{\ast }$ and calculates its private key $\left\{D_{s,1},D_{s,2},D_{s,3}\right\}=\left\{g^{u+{\mathit{\alpha }}_j{H}_1\left(j\right)},g^{\mathit{\alpha }+u},\widehat{e}{\left(g,g\right)}^u\right\}$. Likewisely, for receiver’s attribute set $\left\{A_i\right\}$ PKG chooses $h\in Z_p^{\ast }$ calculates its private key $\left\{D_{r,1},D_{r,2},D_{r,3}\right\}=\left\{g^{{\mathit{\alpha }}_i{H}_1\left(i\right)+h},g^{\mathit{\alpha }+h},\widehat{e}{\left(g,g\right)}^h\right\}.$ PKG transfers the private key to each user through secure channels.

$Signcrypt$ Signer firstly picks $x\in Z_p^{\ast }$ and a LSSS access structure $Matrix,$ then chooses random vector $\overrightarrow{v}=\left(x,v{r}_1,v{r}_2,\dots ,v{r}_n\right)\in Z_p^n.$ Let ${\mathit{\lambda }}_i=\overrightarrow{v}·Matri{x}_i$. ($Matri{x}_i$ stands for the $i\text{th}$ row of the corresponding $Matrix$). Finally, singer randomly picks $r_i\in Z_p^{\ast }$ and calculates the signcryption information:

$$U=\left\{\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}{\mathit{\alpha }}_j{H}_1\left(j\right)·x}\right\}$$

$$t=H_2(U||M)$$

$$V:\left\{v_1=\prod _{j\in S}{D}_{s,1}^{x+t},v_2=\prod _{j\in S}{D}_{s,3}^{x+t}\right\}$$

$$E:\left\{C_0=M\widehat{e}{\left(g,g\right)}^{\mathit{\alpha }x},C_1=g^x,C_{2,i}=\widehat{e}{\left(g,g\right)}^{-{\mathit{\alpha }}_i{H}_1\left(j\right)·{\mathit{\lambda }}_i},C_{3,i}=g^{{\mathit{\lambda }}_i}\right\}$$ 1

Signer sends $CT=\left\{U,V,E\right\}$ to the receiver.

$De\text{-}signcrypt$ Let ${\left\{\mathit{\omega }\in Z_p\right\}}_{i\in l}$ be a set of constants such that if $\{{\mathit{\lambda }}_i\}$ are valid shares of secret $x$ according to $Matrix$, then ${\sum }_{i\in l}{\mathit{\omega }}_i{\mathit{\lambda }}_i=x$. Receiver calculates $M^{\ast }$ as follows:

$$M^{\ast }=\frac{C_0}{{\prod }_{i\in l}{\left(\widehat{e}\left(C_3\right.,D_{r,1})·C_{2,i}\right)}^{{\mathit{\omega }}_i}·\widehat{e}\left(C_1\right.,D_{r,2})}$$ 2

Then, receiver verifies if

$$\widehat{e}\left(v_1,g\right)=U·v_2·\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}{\mathit{\alpha }}_j{H}_1\left(j\right)·t}$$ 3

If Eq. (3) holds then the algorithm outputs plaintext $M$ with the signature. If not, it outputs reject “$\perp$”.

Correctness proof:

(a) Decryption:

$$\begin{array}{cc}\hfill M^{\ast }& =\frac{C_0}{{\prod }_{i\in l}{\left(\widehat{e}\left(C_{3,i}\right.,D_{r,1})·C_{2,i}\right)}^{{\mathit{\omega }}_i}·\widehat{e}\left(C_1\right.,D_{r,2})}=\frac{C_0·\widehat{e}\left(C_1\right.,D_{r,2}{)}^{-1}}{{\prod }_{i\in l}{\left(\widehat{e}\left(g^{{\mathit{\lambda }}_i},g^{{\mathit{\alpha }}_i{H}_1\left(i\right)+u}\right)\widehat{e}{\left(g,g\right)}^{-{\mathit{\alpha }}_i{H}_1\left(j\right)·{\mathit{\lambda }}_i}\right)}^{{\mathit{\omega }}_i}}\hfill \\ \hfill & =\frac{C_0·\widehat{e}\left(C_1\right.,D_{r,2}{)}^{-1}}{{\prod }_{i\in l}{\left(\widehat{e}{\left(g,g\right)}^{u{\mathit{\lambda }}_i}\right)}^{{\mathit{\omega }}_i}}\hfill \\ \hfill & =\frac{M\widehat{e}{\left(g,g\right)}^{\mathit{\alpha }x}·\widehat{e}{\left(g,g\right)}^{ux}}{\widehat{e}{\left(g,g\right)}^{\mathit{\alpha }x}·\widehat{e}{\left(g,g\right)}^{u{\sum }_{i\in l}{\mathit{\lambda }}_i{\mathit{\omega }}_i}}\hfill \\ \hfill & =M\hfill \\ \hfill \end{array}$$ 4

(b) Signature verification:

$$\begin{array}{cc}\hfill t& =H_2(U||M)\hfill \\ \hfill \widehat{e}\left(v_1,g\right)& =\widehat{e}\left(g^{{\sum }_{j\in S}\left({\mathit{\alpha }}_j{H}_1\left(j\right)+u\right)·\left(x+t\right)},g\right)\hfill \\ \hfill & =\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}{\mathit{\alpha }}_j{H}_1\left(j\right)·\left(x+t\right)}·\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}u\left(x+t\right)}\hfill \\ \hfill & =\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}{\mathit{\alpha }}_j{H}_1\left(j\right)·x}·\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}{\mathit{\alpha }}_j{H}_1\left(j\right)·t}·\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}u\left(x+t\right)}\hfill \\ \hfill & =U·v_2·\widehat{e}{\left(g,g\right)}^{{\sum }_{j\in S}{\mathit{\alpha }}_j{H}_1\left(j\right)·t}\hfill \\ \hfill \end{array}$$ 5

Security and efficiency analysis

Confidentiality

Theorem 1 If$Adversary$ can break our scheme under chosen plaintext attack in the selective model, then a simulator can solve the DBDH problem.

Proof In the challenge game, if there exists an $Adversary$ which has advantage $\mathit{\epsilon }$ in attacking our scheme, there exists a simulator solving the DBDH problem with an advantage of $\mathit{\epsilon }/2$.

The simulator is constructed as follows:

Phase 1 $Setup\text{:}Adversary$ claims a challenging attribute set $\mathit{\gamma }$. $Challenger$ defines a set of attributes $\left\{A_i\right\}.$ Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$,while g is the generator of $G_1$. Let $\widehat{e}:G_1\times G_1\to G_2$ be a bilinear pairing. Define 2 functions $:H_1$ associates attributes to rows of access $Matrix$, $H_2:{\left\{0,1\right\}}^{\ast }\to Z_p^{\ast }.$

$Challenger$ randomly chooses $\mathit{\mu }\in \left\{0,1\right\}$, $a,b,c\in Z_p^{\ast }$.

$$\text{Let}\left\{\begin{array}{c}\left(A,B,C,Z\right)=\left(g^a,g^b,g^c,\widehat{e}{\left(g,g\right)}^{abc}\right)if\mathit{\mu }=0\hfill \\ \left(A,B,C,Z\right)=\left(g^a,g^b,g^c,\widehat{e}{\left(g,g\right)}^z\right)if\mathit{\mu }=1\hfill \end{array}\right.$$

The aim of simulator is to output a value ${\mathit{\mu }}^{\ast }$ as a conjecture of $\mathit{\mu }.$

The simulator simulates the role of $Challenger$ and runs $Adversary$’s algorithm as subprogram.

Phase 2 $Queries$:

$Adversary$ asks for private key for attributes $A_i$. Simulator picks $u,y,a_i\in Z_p^{\ast }$ and makes the following settings:

$$\left\{D_{r,1},D_{r,2},D_{r,3}\right\}=\left\{\begin{array}{c}{g}^{u+{\mathit{\alpha }}_i{H}_1\left(i\right)},g^{ab+u},\widehat{e}{\left(g,g\right)}^u,if{A}_i\in \mathit{\gamma }\\ g^{u+{\mathit{\alpha }}_i{H}_1\left(i\right)},g^{y+u},\widehat{e}{\left(g,g\right)}^u,if{A}_i\notin \mathit{\gamma }\end{array}\right.$$ 6

The queries like Phase 2 can be asked by $Adversary$ for a bounded times.

Phase 3 $Challenge$:

$Adversary$ picks plaintext $M_0$, $M_1$ and a challenging LSSS containing attribute set $\mathit{\gamma }$.

Simulator chooses $\mathit{\mu }\in \left\{0,1\right\}$ and calculates $C{T}_{\mathit{\mu }}=Signcrypt\left\{PK,M_{\mathit{\mu }},D_s\right\}$.

Simulator sends $C{T}_{\mathit{\sigma }}$ to $Adversary$.

$$C{T}_{\mathit{\mu }}:\left\{C_0=M\widehat{e}{\left(g,g\right)}^{abx},C_1=g^x,C_{2,i}=\widehat{e}{\left(g,g\right)}^{-{\mathit{\alpha }}_i{H}_1\left(j\right)·{\mathit{\lambda }}_i},C_{3,i}=g^{{\mathit{\lambda }}_i}\right\}$$

Let $x=c$, accoding to the previous setting in the $Setup$ phase:

$$C{T}_{\mathit{\mu }}=\left\{\begin{array}{c}M\widehat{e}{\left(g,g\right)}^{abc},if\mathit{\mu }=0\hfill \\ M\widehat{e}{\left(g,g\right)}^z,if\mathit{\mu }=1\hfill \end{array}\right.$$ 7

$Adversary$ outputs a value ${\mathit{\mu }}^{\ast }$ as a guess of $\mathit{\mu }.$ If ${\mathit{\mu }}^{\ast }=\mathit{\mu }$$Adversary$ wins the game.

Then we will discuss simulator’s advantage in distinguishing the following two tuples $\left\{A=g^a,B=g^b,C=g^c,\widehat{e}{\left(g,g\right)}^{abc}\right\}$ and $\left\{A=g^a,B=g^b,C=g^c,\widehat{e}{\left(g,g\right)}^z\right\}$.

When $\mathit{\mu }=1$, $E$ is a illegal ciphertext and $Adversary$ cannot acquire useful information of $\mathit{\sigma }.$

$$Pr\left({\mathit{\mu }}^{\ast }\ne \mathit{\mu }|\mathit{\mu }=1\right)=\frac{1}{2}$$ 8

Since when ${\mathit{\mu }}^{\ast }\ne \mathit{\mu }$, the simulator outputs $\mathit{\mu }=1$, so:

$$Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=1\right)=\frac{1}{2}$$ 9

When $\mathit{\mu }=0$, $E$ is a legal ciphertext. According to the assumption, $Adversary$ has an advantage $\mathit{\epsilon }.$

$$Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=1\right)=\frac{1}{2}+\mathit{\epsilon }$$ 10

Since when ${\mathit{\mu }}^{\ast }=\mathit{\mu }$ the simulator outputs $\mathit{\mu }=1$, so

$$Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=0\right)=\frac{1}{2}+\mathit{\epsilon }$$ 11

As is mentioned above, the advantage of simulator is

$$\begin{array}{cc}& \frac{1}{2}Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=0\right)+\frac{1}{2}Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=1\right)-\frac{1}{2}\hfill \\ \hfill & =\frac{1}{2}\left(\frac{1}{2}+\mathit{\epsilon }\right)+\frac{1}{2}\times \frac{1}{2}-\frac{1}{2}\hfill \\ \hfill & =\frac{\mathit{\epsilon }}{2}\hfill \\ \hfill \end{array}$$ 12

Unforgeability

Theorem 2 If an$Adversary$ can break our scheme chosen message attack in the selective model, then it can be constructed that a simulator with a non- negligible advantage solves the DBDH problem.

Proof In the challenge game, if there exists an $Adversary$ which has advantage $\mathit{\epsilon }$ in forging a legal ciphertext, there exists a simulator which can solve the DBDH problem with an advantage of $\mathit{\epsilon }/2$.

Phase 1 $Setup\text{:}$

$Adversary$ claims a challenging attribute set $\mathit{\gamma }$. $Challenger$ defines a set of attributes $\left\{A_i\right\}$; Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$, while g is the generator of $G_1$. Let $\widehat{e}:G_1\times G_1\to G_2$ be a bilinear pairing. Define 2 functions: $H_1$ associates attributes to rows of access $Matrix,H_2:{\left\{0,1\right\}}^{\ast }\to Z_p^{\ast }.$

$Challenger$ randomly chooses $b\in \left\{0,1\right\}$, $a,b,c\in Z_p^{\ast }$.

$$\text{Let}\left\{\begin{array}{c}\left(A,B,C,Z\right)=\left(g^a,g^b,g^c,\widehat{e}{\left(g,g\right)}^{abc}\right)if\mathit{\mu }=0\\ \left(A,B,C,Z\right)=\left(g^a,g^b,g^c,\widehat{e}{\left(g,g\right)}^z\right)if\mathit{\mu }=1\end{array}\right.$$

The aim of simulator is to output a value ${\mathit{\mu }}^{\ast }$ as a conjecture of $\mathit{\mu }$.

Phase 2 $Queries\text{:}$

$Privatekeygenerationquery\text{:}Adversary$ chooses a set of attributes $\left\{A_j\right\}$, a plaintext $M$ and a LSSS. Simulator picks $u,y,a_i,b_i,y_i\in Z_p^{\ast }$ and makes the following settings:

$$\left\{D_{s,1},D_{s,2},D_{s,3}\right\}=\left\{\begin{array}{c}{g}^{u+{\mathit{\alpha }}_i{b}_i{H}_1\left(i\right)},g^{ab+u},\widehat{e}{\left(g,g\right)}^u,if{A}_j\in \mathit{\gamma }\hfill \\ g^{u+y_i{H}_1\left(i\right)},g^{y+u},\widehat{e}{\left(g,g\right)}^u,if{A}_j\notin \mathit{\gamma }\hfill \end{array}\right.$$ 13

$Signcrypt$$query$: $Adversary$ picks a message $M$ for signcrypt query. Simulator runs algorithm $Signcrypt\left\{M,D_s,PK\right\}$ and returns the result $CT=\{U,V,E\}$ to $Adversary.$

The queries like Phase 2 can be asked by $Adversary$ for a bounded times.

Phase 3 $Challenge\text{:}$

$Adversary$ outputs a ciphertext $C{T}^{\ast }\{U^{\ast },V^{\ast },E^{\ast }\}$. $Adversary$ makes the forges the illegal ciphertext as the following process:

$$U^{\ast }=\left\{\begin{array}{c}\widehat{e}{\left(g,g\right)}^{a_i{b}_i{H}_1\left(j\right)·x},A_j\in \mathit{\gamma }\hfill \\ \widehat{e}{\left(g,g\right)}^{y_i{H}_1\left(i\right)·x},A_j\notin \mathit{\gamma }\hfill \end{array}\right.$$

$$t=H_2\left(U^{\ast }||M\right)$$

$$V=\left\{v_1^{\ast },v_2^{\ast }\right\}=\left\{\begin{array}{c}{g}^{{\left({\mathit{\alpha }}_j{b}_j{H}_1\left(j\right)+u\right)}^{\ast }·\left(x+t\right)},\widehat{e}{\left(g,g\right)}^{u·\left(x+t\right)},A_j\in \mathit{\gamma }\hfill \\ g^{{\left(y_j{H}_1\left(j\right)+u\right)}^{\ast }·\left(x+t\right)},\widehat{e}{\left(g,g\right)}^{u·\left(x+t\right)},A_j\notin \mathit{\gamma }\hfill \end{array}\right.$$

$$E^{\ast }\text{:}\left\{C_0=M\widehat{e}{\left(g,g\right)}^{abx},C_1=g^x,C_{2,i}=\widehat{e}{\left(g,g\right)}^{-{\mathit{\alpha }}_i{H}_1\left(j\right)·{\mathit{\lambda }}_i},C_{3,i}=g^{{\mathit{\lambda }}_i}\right\}$$ 14

Simulator verifies the ciphertext $C{T}^{\ast }\left\{U^{\ast },V^{\ast },E^{\ast }\right\}$. Simulator firstly calculates the legal private key of receivers’ attribute set $\left\{A_i\right\}$:

$$\{D_{s,1},D_{s,2}\}=\left\{\begin{array}{c}\left\{g^{a_j{b}_j{H}_1\left(j\right)+u},g^{ab+u},A_j\in \mathit{\gamma }\right\}\hfill \\ \left\{g^{y_j{H}_1\left(j\right)+u},g^{y+u},A_j\notin \mathit{\gamma }\right\}\hfill \end{array}\right.$$ 15

Then decrypts and verifies:

$$M^{\ast }=\frac{C_0}{{\prod }_{i\in l}{\left(\widehat{e}\left(C_3\right.,D_{r,1})·C_{2,i}\right)}^{{\mathit{\omega }}_i}·\widehat{e}\left(C_1\right.,D_{r,2})},$$

$$t=H_2\left(U||M\right)$$

$$\begin{array}{cc}\hfill \widehat{e}\left(v_1^{\ast },g\right)& =\left\{\begin{array}{c}\widehat{e}\left(g^{(a_j{b}_j{H}_1\left(j\right)+u)\left(x+t\right)},g\right),A_j\in \mathit{\gamma }\\ \widehat{e}\left(g^{(y_j{H}_1\left(j\right)+u)\left(x+t\right)},g\right),A_j\notin \mathit{\gamma }\end{array}\right.\hfill \\ \hfill & =\left\{\begin{array}{c}\widehat{e}{\left(g,g\right)}^{{\mathit{\alpha }}_j{b}_j{H}_1\left(j\right)·x}·\widehat{e}{\left(g,g\right)}^{{\mathit{\alpha }}_j{b}_j{H}_1\left(j\right)·t}·\widehat{e}{\left(g,g\right)}^{u\left(x+t\right)},A_j\in \mathit{\gamma }\hfill \\ \widehat{e}{\left(g,g\right)}^{y_j{H}_1\left(j\right)·x}·\widehat{e}{\left(g,g\right)}^{y_j{H}_1\left(j\right)·t}·\widehat{e}{\left(g,g\right)}^{u\left(x+t\right)},A_j\notin \mathit{\gamma }\hfill \end{array}\right.\hfill \\ \hfill \end{array}$$ 16

Let $f=\widehat{e}{\left(g,g\right)}^{{\mathit{\alpha }}_j{b}_j{H}_1\left(j\right)·t+u\left(x+t\right)},g^{H_1\left(j\right)·x}=g^c$, according to the previous setting in the $Setup$ phase:

$$\widehat{e}\left(v_1^{\ast },g\right)=\left\{\begin{array}{c}f·v_2^{\ast }·\widehat{e}{\left(g,g\right)}^{abc},ifu=0\hfill \\ f·v_2^{\ast }·\widehat{e}{\left(g,g\right)}^z,ifu=1\hfill \end{array}\right.$$ 17

When $\mathit{\mu }=1$, $\widehat{e}\left(v_1^{\ast },g\right)$ is a random number and $Adversary$ fails to forge a legal ciphertext.

$$Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=1\right)=\frac{1}{2}$$ 18

When $\mathit{\mu }=0$, $E$ is a legal ciphertext and $Adversary$ successfully forges the ciphertext. According to the assumption, $Adversary$ has an advantage $\mathit{\epsilon }.$

$$Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=0\right)=\frac{1}{2}+\mathit{\epsilon }$$ 19

As is mentioned above, the advantage of simulator is

$$\begin{array}{cc}& \frac{1}{2}Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=0\right)+\frac{1}{2}Pr\left({\mathit{\mu }}^{\ast }=\mathit{\mu }|\mathit{\mu }=1\right)-\frac{1}{2}\hfill \\ \hfill & =\frac{1}{2}\left(\frac{1}{2}+\mathit{\epsilon }\right)+\frac{1}{2}\times \frac{1}{2}-\frac{1}{2}\hfill \\ \hfill & =\frac{\mathit{\epsilon }}{2}\hfill \\ \hfill \end{array}$$ 20

Efficiency analysis

In this paper, we compare the proposed scheme with Wang’s and Hu’s schemes with respect to the computation cost and access control method. Due to the fact that the computation cost of add operation and multiply operation is much smaller than that of exponential operation and bilinear pairing operation, consequently, we mainly compare the number of exponential operation and bilinear pairing operation in different schemes. We denote “Exp” and “Pair” by exponential operation and bilinear pairings. Detailed results are listed in Table 1.

Table 1.

Performance comparison

Schemes	Access control method	Signcryption computation cost	De-signcryption computation cost
Wang and Huang (2011)	Access tree	2 Exp + 1Pair	(1 + 2nlog n)Exp + (4n + 1)Pair
Hu and Zhang (2013)	Threshold	(2n + 5) Exp	2n Exp + (3n + 2)Pair
Our scheme	LSSS matrix	(5n + 2) Exp	(n + 1) Exp + (2n + 1)Pair

From Table 1, we can figure out that the number of exponential operation in the signcryption in our CP-ABSC is more than those in Wang and Huang (2011) and Hu and Zhang (2013), however, the number of bilinear pairing operation in the de-signcryption is decreased greatly. Since the computation burden of bilinear pairing operation is heavier than that of exponential operation, the total computation cost has been reduced in our scheme. What’s more, our CP-ABSC adopts LSSS to realize data access control, which differs from the access structures in Wang and Huang (2011 and Hu and Zhang (2013). The LSSS access structure not only avoids the frequent calls of recursive algorithm used in access tree structure model, but also provides more flexible control management and increases the overall efficiency of the cryptosystem.

Conclusion

In this paper, we propose an optimized attribute based signcryption scheme. By security analysis, we prove that it meets the security demands of confidentiality, unforgeability and non-repudiation. Besides, by introducing LSSS structure to implement the access control function, the flexibility and efficiency of the whole attributed based signcryption system has been improved.

Our future work should focus on the attribute revocation and key refreshing in the attribute based encryption. Since users with the same set of attributes share the same private key, once a single user’s private key has been leaked, a group of users’ privacy and privilege will be damaged. Consequently, protecting users’ privacy and refreshing private keys at a lower cost when private key leakage happens is a problem urgently to be solved and should be taken into our future research direction.