Searchable Attribute-Based Proxy Re-encryption: Keyword Privacy, Verifiable Expressive Search, and Outsourced Decryption

  • Original Research
  • Published in: SN Computer Science

Abstract

In this paper, we address the open problem posed by Ge et al. in 2020, which was to design a new attribute-based proxy re-encryption with keyword search scheme (ABPRE-KS) that enables more expressive keyword search. ABPRE-KS exhibits promising potential in facilitating data searching and sharing through the implementation of a one-to-many access control mechanism. However, existing ABPRE-KS schemes support a single-keyword search framework, resulting in low search efficiency and a poor user search experience. Also, maintaining keyword privacy and protecting the outsourced ciphertexts and tokens from keyword guessing attacks (KGAs) are quite challenging in the ABPRE-KS framework. To overcome these issues, we propose an attribute-based proxy re-encryption scheme with Boolean keyword search (ABPRE-BKS) in the large attribute universe framework. Our scheme not only offers an efficient Boolean keyword search framework but also enables constant decryption cost on the data user’s side. The data user needs to perform only a constant number of computations to recover both the original and the re-encrypted ciphertext. We define ABPRE-BKS and its security models, and we prove that our scheme achieves ciphertext indistinguishability against adaptive chosen ciphertext attack, ciphertext and token indistinguishability against chosen keyword attack, and non-interactive verifiability. The efficiency of our proposed construction is demonstrated through a comparison of its functionalities and performance with existing schemes of this kind.

Data Availability Statement

Not applicable.

Notes

  1. The definition is available in [27]

References

  1. Sahai A, Waters B. Fuzzy identity-based encryption. In: Annual international conference on the theory and applications of cryptographic techniques, 2005. Springer. pp. 457–73.

  2. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on computer and communications security, 2006. pp. 89–98.

  3. Hohenberger S, Waters B. Attribute-based encryption with fast decryption. In: International workshop on public key cryptography, 2013. Springer. pp. 162–79.

  4. Waters B. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: International workshop on public key cryptography, 2011. Springer. pp. 53–70.

  5. Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. In: 2007 IEEE symposium on security and privacy (SP’07), 2007. IEEE. pp. 321–34.

  6. Chen N, Li J, Zhang Y, Guo Y. Efficient cp-abe scheme with shared decryption in cloud storage. IEEE Trans Comput. 2020;71(1):175–84.

  7. Green M, Hohenberger S, Waters B. Outsourcing the decryption of ABE ciphertexts. In: 20th USENIX security symposium (USENIX Security 11). 2011.

  8. Lai J, Deng RH, Guan C, Weng J. Attribute-based encryption with verifiable outsourced decryption. IEEE Trans Inf Forensics Secur. 2013;8(8):1343–54.

  9. Liang K, Susilo W. Searchable attribute-based mechanism with efficient data sharing for secure cloud storage. IEEE Trans Inf Forensics Secur. 2015;10(9):1981–92.

  10. Ge C, Susilo W, Liu Z, Xia J, Szalachowski P, Fang L. Secure keyword search and data sharing mechanism for cloud computing. IEEE Trans Depend Secure Comput. 2020;18(6):2787–800.

  11. Hong H, Liu X, Sun Z. A fine-grained attribute based data retrieval with proxy re-encryption scheme for data outsourcing systems. Mob Netw Appl. 2021;1–6.

  12. Zheng Q, Xu S, Ateniese G. Vabks: Verifiable attribute-based keyword search over outsourced encrypted data. In: IEEE INFOCOM 2014-IEEE conference on computer communications, 2014. IEEE. pp. 522–30.

  13. Sun W, Yu S, Lou W, Hou YT, Li H. Protecting your right: verifiable attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud. IEEE Trans Parallel Distrib Syst. 2014;27(4):1187–98.

  14. Yang Y, Liu X, Deng RH, Li Y. Lightweight sharable and traceable secure mobile health system. IEEE Trans Depend Secure Comput. 2017;17(1):78–91.

  15. Wang H, Dong X, Cao Z. Multi-value-independent ciphertext-policy attribute based encryption with fast keyword search. IEEE Trans Serv Comput. 2017;13(6):1142–51.

  16. Zhang Y, Zhu T, Guo R, Xu S, Cui H, Cao J. Multi-keyword searchable and verifiable attribute-based encryption over cloud data. IEEE Trans Cloud Comput. 2021.

  17. Cui H, Wan Z, Deng RH, Wang G, Li Y. Efficient and expressive keyword search over encrypted data in cloud. IEEE Trans Depend Secure Comput. 2016;15(3):409–22.

  18. He K, Guo J, Weng J, Weng J, Liu JK, Yi X. Attribute-based hybrid boolean keyword search over outsourced encrypted data. IEEE Trans Depend Secure Comput. 2018;17(6):1207–17.

  19. Xu P, Tang S, Xu P, Wu Q, Hu H, Susilo W. Practical multi-keyword and boolean search over encrypted e-mail in cloud server. IEEE Trans Serv Comput. 2019;14(6):1877–89.

  20. Yao J, Xu L. Online/offline attribute-based boolean keyword search for internet of things. Comput J. 2022.

  21. Wang H, Li Y, Susilo W, Duong DH, Luo F. A fast and flexible attribute-based searchable encryption scheme supporting multi-search mechanism in cloud computing. Comput Stand Interfaces. 2022;82:103635.

  22. Chen Z, Zhang F, Zhang P, Zhao H. Multi-user boolean searchable encryption supporting fast ranking in mobile clouds. Comput Commun. 2020;164:100–13.

  23. Mambo M, Okamoto E. Proxy cryptosystems: Delegation of the power to decrypt ciphertexts. IEICE Trans Fundam Electron Commun Comput Sci. 1997;80(1):54–63.

  24. Liang X, Cao Z, Lin H, Shao J. Attribute based proxy re-encryption with delegating capabilities. In: Proceedings of the 4th international symposium on information, computer, and communications security, 2009. pp. 276–86.

  25. Luo S, Hu J, Chen Z. Ciphertext policy attribute-based proxy re-encryption. In: Information and communications security: 12th international conference, ICICS 2010, Barcelona, Spain, December 15–17, 2010. Proceedings 12, 2010. pp. 401–15.

  26. Liang K, Au MH, Susilo W, Wong DS, Yang G, Yu Y. An adaptively cca-secure ciphertext-policy attribute-based proxy re-encryption for cloud data sharing. In: Information security practice and experience: 10th international conference, ISPEC 2014, Fuzhou, China, May 5–8, 2014. Proceedings 10, 2014. Springer. pp. 448–61.

  27. Liang K, Fang L, Susilo W, Wong DS. A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertext security. In: 2013 5th international conference on intelligent networking and collaborative systems, 2013. IEEE. pp. 552–9.

  28. Ge C, Susilo W, Fang L, Wang J, Shi Y. A cca-secure key-policy attribute-based proxy re-encryption in the adaptive corruption model for dropbox data sharing system. Des Codes Cryptogr. 2018;86:2587–603.

  29. Ge C, Susilo W, Wang J, Huang Z, Fang L, Ren Y. A key-policy attribute-based proxy re-encryption without random oracles. Comput J. 2016;59(7):970–82.

  30. Ge C, Susilo W, Baek J, Liu Z, Xia J, Fang L. A verifiable and fair attribute-based proxy re-encryption scheme for data sharing in clouds. IEEE Trans Depend Secure Comput. 2021;19(5):2907–19.

  31. Ge C, Susilo W, Liu Z, Baek J, Luo X, Fang L. Attribute-based proxy re-encryption with direct revocation mechanism for data sharing in clouds. IEEE Trans Depend Secure Comput. 2023.

  32. Shao J, Cao Z, Liang X, Lin H. Proxy re-encryption with keyword search. Inf Sci. 2010;180(13):2576–87.

  33. Yau W-C, Phan RC-W, Heng S-H, Goi B-M. Proxy re-encryption with keyword search: new definitions and algorithms. In: Security technology, disaster recovery and business continuity: international conferences, SecTech and DRBC 2010, held as part of the future generation information technology conference, FGIT 2010, Jeju Island, Korea, December 13–15, 2010. Proceedings. 2010. Springer. pp. 149–60.

  34. Fang L, Susilo W, Ge C, Wang J. Chosen-ciphertext secure anonymous conditional proxy re-encryption with keyword search. Theor Comput Sci. 2012;462:39–58.

  35. Wang XA, Huang X, Yang X, Liu L, Wu X. Further observation on proxy re-encryption with keyword search. J Syst Softw. 2012;85(3):643–54.

  36. Shi Y, Liu J, Han Z, Zheng Q, Zhang R, Qiu S. Attribute-based proxy re-encryption with keyword search. PloS One. 2014;9(12):116325.

Funding

Not applicable.

Author information

Contributions

Sourav Bera: methodology, validation, and writing—original draft preparation.

Y. Sreenivasa Rao: formal analysis, investigation, conceptualization, supervision, and writing—review and editing.

Corresponding author

Correspondence to Y. Sreenivasa Rao.

Ethics declarations

Conflict of Interest

On behalf of all authors, the corresponding author states that they have no competing interests.

Research Involving Human and/or Animals

Not applicable.

Informed Consent

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Security and Privacy 2020” guest edited by Pantelimon Stanica, Odelu Vanga, and Sumit Kumar Debnath.

Appendices

A: Proof of Theorem 3

Proof

Suppose a PPT Type-1 adversary \({\mathcal {A}}\) breaks \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Or}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can solve the DBDH problem by interacting with \({\mathcal {A}}\) as given in \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Or}\text{- }\textsf {Type}\text{- }\textsf {1}\) game. Given the DBDH problem instance \((\Delta , A=g^a, B=g^b, C=g^c,Z)\), the task for \({\mathcal {B}}\) is to determine whether \(Z=e(g,g)^{abc}\) or Z is a random element of \({\mathbb {G}}_T\).

  • \(sk_{list}\): It stores tuples of the form \((\textit{S}, sk_{\textit{S}})\).

  • \(rk_{list}\): It stores tuples of the form \((\textit{S},{\varGamma }_e',{W'},rk,flag)\) where \(flag \in \{1, 0\}\). Here, \(flag = 1\) indicates that rk is a valid re-encryption key, and \(flag = 0\) indicates that rk is randomly chosen.

Init. \({\mathcal {A}}\) sends a challenge attribute \(y^\star \in {\mathcal {U}}\) to \({\mathcal {B}}\).

Setup. \({\mathcal {B}}\) generates the system public parameters as follows. It picks \(\alpha ' {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\) and implicitly sets \(\alpha =\alpha '+ab\). It computes

$$\begin{aligned} Y=e(g,g)^{\alpha '}\cdot e(A,B). \end{aligned}$$

It also chooses \(\breve{\beta } {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\) and implicitly sets \(\beta =\breve{\beta }+b\). It computes \(X=g^{\breve{\beta }}\cdot B\). Next, \({\mathcal {B}}\) samples \(z_1,z_2,z_3,z_4,z_5,z_6,z_7,z_8,z_9,z_8',z_9'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), sets \(g_i=g^{z_i}\) for all \(i= 1, 2, 3, 4, 5,6\), and computes

$$\begin{aligned} g_7=g^{z_7}A,g_8=g^{z_8}A^{z_8'},g_9=g^{z_9}A^{z_9'}. \end{aligned}$$

It chooses ten collision-resistant hash functions \(H_1:\{0, 1\}^{2\lambda }\rightarrow {\mathbb {Z}}_{p}^{*}, H_2: {\mathbb {G}}_T \rightarrow \{0, 1\}^{2\lambda }\), \(H_3: \{0, 1\}^{*}\rightarrow {\mathbb {G}}, H_4: {\mathbb {G}}_T \rightarrow {\mathbb {Z}}_{p}^{*}, H_5:\{0, 1\}^{*}\rightarrow \{0, 1\}^{\ell _{H_5}}, H_6: {\mathbb {G}}_T \rightarrow {\mathbb {Z}}_{p}^{*}, H_7:\{0, 1\}^{*}\rightarrow {\mathbb {Z}}_{p}^{*},\) \(H_8: \{0, 1\}^{*}\rightarrow {\mathbb {G}},H_9:\{0, 1\}^{\lambda }\rightarrow {\mathbb {Z}}_{p}^{*},H_{10}: {\mathbb {G}}_T \rightarrow {\mathbb {Z}}_{p}^{*}\), in which \(H_3\) is calculated as follows.

\(H_3^\textit{list}:\) Let \(y \in {\mathcal {U}}\) be an attribute with \(y\ne y^\star\). When \({\mathcal {A}}\) queries \(H_3\) for \(H_3(y)\), if \((y,v_y,g^{v_y})\) exists in \(H_3^\textit{list}\), \({\mathcal {B}}\) returns \(g^{v_y}\). Otherwise, it chooses \(v_y{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), returns \(g^{v_y}\), and adds \((y,v_y,g^{v_y})\) to \(H_3^\textit{list}\). If \(y= y^\star\), it chooses \(v_{y^\star }{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), returns \(g^{v_{y^\star }}C\), and adds \((y^\star ,v_{y^\star },g^{v_{y^\star }}C)\) to \(H_3^\textit{list}\).

\({\mathcal {B}}\) sets \(\textit{mpk}=( \Delta ,X, Y, \{g_i\}_{i=1}^{9}, \textit{M}, \{H_{i}\}_{i=1}^{10})\).

Next, \({\mathcal {B}}\) chooses \(\gamma ^\prime ,\beta ^{\prime }, b_{1}, b_{2}, b_{3}, b_{4}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), computes \(h_{1}= g^{b_{1}}, h_{2}= g^{b_{2}}, h_{3}= g^{b_{3}}, h_{4}= g^{b_{4}}\), \(h_{T}=e(g, g_{6})^{\gamma ^\prime }\), \({\hat{X}}=X^{\beta ^{\prime }}\) and sets \(\textit{tpk}=( h_T, h_{1}, h_{2}, h_{3}, h_{4})\), \(\textit{tsk}=( \gamma ^\prime ,\{ b_{i}\}_{i=1}^4)\), \(\textit{cpk}= {\hat{X}}\) and \(\textit{csk}=\beta ^{\prime }\).

\({\mathcal {B}}\) sends \(\textit{PP}=(\textit{mpk},\textit{tpk},\textit{cpk})\) and \(\textit{csk}\) to \({\mathcal {A}}\).

Phase I. \({\mathcal {A}}\) issues the following series of queries.

  • \({\mathcal {O}}_{\textit{sk}}(\textit{S})\): Here, \(y^\star \not \in \textit{S}\). \({\mathcal {B}}\) searches \(sk_{list}\). If \((\textit{S},\textit{sk}_{\textit{S}})\) already exists, returns \(\textit{sk}_{\textit{S}}\). Otherwise, it chooses \(\breve{r}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\) and implicitly sets \(r=\breve{r}-a\). Compute

    $$\begin{aligned} K_1=g^{\alpha '}g^{\breve{\beta }\breve{r}} A^{-\breve{\beta }} B^{\breve{r}}, K_2=g^{\breve{r}}A^{-1},K_y=g^{v_y\breve{r}}A^{-v_y},~\forall y \in \textit{S} \end{aligned}$$

    \({\mathcal {B}}\) adds \((\textit{S}, sk_{\textit{S}})\) to \(sk_{list}\).

  • \({\mathcal {O}}_{\textit{rk}}(\textit{S},{W'},{\varGamma }_{e}')\): \({\mathcal {B}}\) searches \(rk_{list}\). If \((\textit{S},{\varGamma }_e',{W'},rk,*)\) exists, it returns rk. Otherwise, it does the following.

    • If \(y^\star \in \textit{S}\), but there is no tuple \((\textit{S}',\textit{sk}_{\textit{S}'})\) in \(sk_{list}\), where \(\textit{S}'\models \varGamma _e'\), \({\mathcal {B}}\) selects each value of rk at random and adds \((\textit{S},{\varGamma }_e',{W'},rk,0)\) to \(rk_{list}\).

    • Otherwise, if \(y^\star \not \in \textit{S}\), \({\mathcal {B}}\) queries \({\mathcal {O}}_{\textit{sk}}(\textit{S})\) and generates rk using the obtained \(\textit{sk}_{\textit{S}}\). It adds \((\textit{S},\textit{sk}_{\textit{S}})\) and \((\textit{S},{\varGamma }_e',{W'},rk,1)\) to \(sk_{list}\) and \(rk_{list}\), respectively.

  • \({\mathcal {O}}_{\textit{re}}(\textit{CT},\textit{S},{W'},{\varGamma }_{e}')\): If Eqs. (1),(2), and (3) do not hold simultaneously or \(y^\star \in \textit{S}\) and \(({S'},\textit{sk}_{{S'}})\) in \(sk_{list}\) with \(\textit{S}'\models {\varGamma }_e'\), output \(\bot\). Else, if there exists a tuple \((\textit{S},{\varGamma }_e',{W'},rk,*)\) in \(rk_{list}\), re-encrypt \(\textit{CT}\) with rk. Else, \({\mathcal {B}}\) issues \({\mathcal {O}}_{\textit{rk}}(\textit{S},{W'},{\varGamma }_{e}')\) to get rk, where \(\textit{S}\not \models {\varGamma }_{e}'\). Next, \({\mathcal {B}}\) re-encrypts \(\textit{CT}\) with rk. The final result will be given to \({\mathcal {A}}\).

  • \({\mathcal {O}}_{\textit{token}}({\varGamma }_{t},\textit{S}):\) \({\mathcal {B}}\) performs the following cases.

    • If \(y^\star \in \textit{S}\), \({\mathcal {B}}\) chooses \(\xi ,\xi ',d,d^{\prime }, d^{\prime \prime },\ddot{r},\breve{q}_{i}, \breve{q}_{i}'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), and implicitly sets \(\phi _{1}=\alpha d^{\prime \prime }/(dd'),\phi _{2}=\alpha /d,\phi _{3}=\alpha d^{\prime \prime }/d\). After this, \({\mathcal {B}}\) computes the token

      \(\textit{tok}=( {\varGamma }_{t}^\circ ,\Pi _{1}, \Pi _{2},\{{\Pi }_{i1},{\Pi }_{i2},{\Pi }_{i3},{U}_{i1},{U}_{i2},{U}_{i3},{U}_{i4}\}_{i \in [\ell _{t}]},D_1,D_2,\{D_y\}_{y\in \textit{S}})\) corresponding to the keyword policy \({\varGamma }_{t}=({\mathcal {K}}_{t},\psi _{t}^\circ ,\{w_{\psi _{t}^{\circ }(i)}\}_{i \in [\ell _t]})\) as follows. Set \(\ddot{r}=r/\phi _{2}\)

      $$\begin{aligned} D_1= g^d X^{\ddot{r}+ d^{\prime \prime }},D_2=g^{\ddot{r}},D_y= {\left\{ \begin{array}{ll} g^{v_y \ddot{r}}, &{} \text {if}~ y\ne y^\star \\ (g^{v_{y^\star }} C)^{\ddot{r}}, &{} \text {if}~ y= y^\star \end{array}\right. } \end{aligned}$$

      \(\Pi _{1}=g^\xi ,\textsf{pp}=e(\Pi _1,{\hat{X}})^{\xi '}\), \(\mathbf {\eta }=\big ( \gamma ' H_{10}(\textsf{pp}),y_{2},y_{3}, \ldots , y_{\ell _{t}}\big )\), where \(y_{2},y_{3}, \ldots , y_{\ell _{t}}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_p^*\), and \(\zeta _{i}={\mathcal {K}}_{t}^{(i)}\cdot \mathbf {\eta }\), for all \(i\in [\ell _t]\).

      Also, set \(\mathbf {\eta }'=\big ( \phi _{3}/\phi _{1}=d',y_{2}',y_{3}', \ldots , y_{\ell _{t}}'\big )\), where \(y_{2}',y_{3}', \ldots , y_{\ell _{t}}'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_p^*\), and \(\nu _{i}={\mathcal {K}}_{t}^{(i)}\cdot \mathbf {\eta }'\), for all \(i\in [\ell _t]\).

      Now, \({\mathcal {B}}\) calculates the rest of the token components as shown in construction and sends the token \(\textit{tok}\) to \({\mathcal {A}}\). Note that, in this case, \({\mathcal {B}}\) does not know \(\textit{sk}_{\textit{tr}}=(\phi _{1},\phi _{2})\); however, the simulation of \(\textit{tok}\) is similar to the original construction. It can be seen from Remark 1.

    • If \(y^\star \not \in \textit{S}\), it computes \(\textit{sk}_{\textit{S}}\leftarrow {\mathcal {O}}_{\textit{sk}}(\textit{S})\). Then, it returns \((\textit{tok},\textit{sk}_{\textit{tr}})\leftarrow \textsf {TokenGen}(\textit{PP},{\varGamma }_{t}, \textit{tsk}, \textit{sk}_{\textit{S}})\) to \({\mathcal {A}}\).

  • \({\mathcal {O}}_{\textit{search}}({\varGamma }_{t},\textit{S},\textit{CT}):\) On input a ciphertext \(\textit{CT}\), a Boolean keyword formula \({\varGamma }_{t},\) and an attribute set \(\textit{S}\), it outputs the search result \(1/0\leftarrow \textsf {Search}(\textit{PP},\textit{CT}, \textit{csk},\textit{tok})\), where \(\textit{tok}\leftarrow {\mathcal {O}}_{\textit{token}}({\varGamma }_{t},\textit{S})\).

  • \({\mathcal {O}}_{\textit{decrypt}}({\varGamma }_{t},\textit{S},\textit{CT}):\) \({\mathcal {B}}\) responds as follows.

    (i) Suppose \(\textit{CT}\) is an original ciphertext. If Eqs. (1), (2), and (3) do not hold simultaneously or \(\textit{S}\not \models {\varGamma }_{e}\) or \({\mathcal {O}}_{\textit{search}}({\varGamma }_{t},\textit{S},\textit{CT})\rightarrow 0\), return \(\bot\). Else, \({\mathcal {B}}\) does the following.

      • If \(y^{\star }\in \textit{S},\) \({\mathcal {B}}\) does not have the knowledge of the transformed secret key \(\textit{sk}_{\textit{tr}}\) according to the simulation of \({\mathcal {O}}_{\textit{token}}({\varGamma }_{t},\textit{S})\), and hence, it proceeds in the following way. It calculates

        $$\begin{aligned} \Omega =e(\breve{B}, g^{\alpha '})\cdot e\Big ({\bar{C}}(\breve{B})^{-(\rho z_7+\epsilon z_8+z_9)}, B^{(\rho +z_8'\epsilon +z_9')^{-1}}\Big )=Y^s \end{aligned}$$

        and \(\delta =H_4(\Omega ).\) Note that \(\rho +z_8'\epsilon +z_9'=0\) happens with probability at most 1/p, and hence, \(\rho +z_8'\epsilon +z_9'\ne 0\), since p is a very large prime number. Next, \({\mathcal {B}}\) checks whether \(H_5(\delta ||C_0){\mathop {=}\limits ^{ ?}} \textsf{tag}\). If this is not true, it returns \(\bot\). Otherwise, it computes \(m||\gamma =C_0\oplus H_2(\Omega )\), and returns m to \({\mathcal {A}}\) if \(\breve{B}=g^{H_{1}(m||\gamma )}\) and \(C_{2}=g_{1}^{H_{1}(m||\gamma )}\).

      • If \(y^{\star }\notin \textit{S},\) \({\mathcal {B}}\) knows \(\textit{sk}_{\textit{tr}}\). Hence, it computes the transformed ciphertext \(\textit{CT}_{tr}\leftarrow {\textsf {Transform}}(\textit{PP}, \textit{CT}_m, \textit{tok})\) and returns to \({\mathcal {A}}\) the output of the algorithm \({\textsf {Verify}\text{- }\,\textsf {and}\text{- } \textsf {Decrypt}}(\textit{PP}, \textit{CT}_{tr}, \textit{sk}_{\textit{tr}}).\)

    (ii) Suppose \(\textit{CT}\) is a re-encrypted ciphertext. If Eqs. (5) and (6) do not hold simultaneously or \(\textit{S}\not \models {\varGamma }_{e}'\) or \({\mathcal {O}}_{\textit{search}}({\varGamma }_{t},\textit{S},\textit{CT})\rightarrow 0\), return \(\bot\). Otherwise, \({\mathcal {B}}\) does the following.

      • If \(y^{\star }\in \textit{S},\) \({\mathcal {B}}\) does not have the knowledge of the transformed secret key \(\textit{sk}_{\textit{tr}}\) according to the simulation of \({\mathcal {O}}_{\textit{token}}({\varGamma }_{t},\textit{S})\), and hence, it calculates

        $$\begin{aligned}\Omega '=e(\breve{D}, g^{\alpha '})\cdot e\Big ({\bar{C}}'(\breve{D})^{-(\rho ' z_7+\epsilon ' z_8+z_9)}, B^{(\rho '+z_8'\epsilon ' +z_9')^{-1}}\Big )=Y^{s'}\end{aligned}$$

        and \(\delta '=H_4(\Omega ').\) Note that \(\rho '+z_8'\epsilon '+z_9'=0\) happens with probability at most 1/p, and hence, \(\rho '+z_8'\epsilon '+z_9'\ne 0\), since p is a very large prime number. Next, \({\mathcal {B}}\) checks whether \(H_5(\delta '||C_0'){\mathop {=}\limits ^{ ?}} \textsf{tag1}\). If this is not true, it returns \(\bot\). Otherwise, it computes \(\phi ||\gamma _1=C_0'\oplus H_2(\Omega ')\) and obtains \(\phi\) if \(\breve{D}=g^{H_{1}(\phi ||\gamma _1)}\). Next, \({\mathcal {B}}\) computes \(m||\gamma =C_0\oplus H_2(T^{1/H_9(\phi )})\) and returns m to \({\mathcal {A}}\) if \(\breve{B}=g^{H_{1}(m||\gamma )}\) and \(C_{2}=g_{1}^{H_{1}(m||\gamma )}\).

      • If \(y^{\star }\notin \textit{S},\) \({\mathcal {B}}\) knows \(\textit{sk}_{\textit{tr}}\). Hence, it computes the transformed ciphertext \(\textit{CT}_{tr}\leftarrow {\textsf {Transform}}(\textit{PP}, \textit{CT}_m, \textit{tok})\) and returns to \({\mathcal {A}}\) the output of the algorithm \({\textsf {Verify}\text{- }\,\textsf {and}\text{- } \textsf {Decrypt}}(\textit{PP}, \textit{CT}_{tr}, \textit{sk}_{\textit{tr}}).\)
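
Two consistency checks on the Phase I simulation, added here as a worked derivation that is not part of the original proof. The first uses only the implicit settings \(\alpha =\alpha '+ab\), \(\beta =\breve{\beta }+b\), \(r=\breve{r}-a\) from Setup and \({\mathcal {O}}_{\textit{sk}}\). The second assumes, because the construction is not reproduced on this page, that an original ciphertext carries \(\breve{B}=g^{s}\) and \({\bar{C}}=(g_7^{\rho }g_8^{\epsilon }g_9)^{s}\), a form inferred from the stated result \(\Omega =Y^{s}\) and from the shape of \({\bar{C}}^\star\) in the Challenge phase.

(a) Simulated secret key. Expanding the exponent of \(g^{\alpha }X^{r}\):

$$\begin{aligned} \alpha +\beta r&=\alpha '+ab+(\breve{\beta }+b)(\breve{r}-a)\\&=\alpha '+\breve{\beta }\breve{r}-a\breve{\beta }+b\breve{r}, \end{aligned}$$

so the unknown term \(ab\) cancels and

$$\begin{aligned} K_1&=g^{\alpha '}g^{\breve{\beta }\breve{r}}A^{-\breve{\beta }}B^{\breve{r}}=g^{\alpha }X^{r},\\ K_2&=g^{\breve{r}}A^{-1}=g^{r},\\ K_y&=g^{v_y\breve{r}}A^{-v_y}=\big (g^{v_y}\big )^{r}=H_3(y)^{r},\quad y\ne y^\star . \end{aligned}$$

For \(y=y^\star\) the same computation would give \((g^{v_{y^\star }}C)^{\breve{r}-a}\), which contains \(g^{-ac}\); \({\mathcal {B}}\) cannot form this from \(A, B, C\), which is why \({\mathcal {O}}_{\textit{sk}}\) is answered only when \(y^\star \not \in \textit{S}\).

(b) Decryption without \(\textit{sk}_{\textit{tr}}\). Write \(t=\rho +z_8'\epsilon +z_9'\). From \(g_7=g^{z_7}A\), \(g_8=g^{z_8}A^{z_8'}\), \(g_9=g^{z_9}A^{z_9'}\):

$$\begin{aligned} g_7^{\rho }g_8^{\epsilon }g_9&=g^{\rho z_7+\epsilon z_8+z_9}A^{t},\\ {\bar{C}}(\breve{B})^{-(\rho z_7+\epsilon z_8+z_9)}&=A^{st},\\ \Omega &=e(g^{s},g^{\alpha '})\cdot e\big (A^{st},B^{t^{-1}}\big )=e(g,g)^{s\alpha '}\cdot e(g,g)^{abs}=Y^{s}. \end{aligned}$$

The inverse \(t^{-1}\) exists exactly when \(t\ne 0\), which is the condition the proof bounds by probability \(1/p\).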

Challenge. \({\mathcal {A}}\) selects two equal length messages \(\textit{m}_0^\star\) and \(\textit{m}_1^\star\), a challenge encryption policy \({\varGamma }_e^\star =B_{1}^\star \vee B_{2}^\star \vee \ldots \vee B_{n}^\star ,\) and a challenge keyword set \(\textit{W}^\star\), and sends to \({\mathcal {B}}\). Now, \({\mathcal {B}}\) selects a bit \(i {\mathop {\longleftarrow }\limits ^{\textrm{u}}} \{0,1\}\), outputs \(\textit{CT}^\star \leftarrow \textsf {Encrypt}(\textit{PP},\textit{m}_i^\star ,{\varGamma }_e^\star \wedge y^\star ,\textit{W}^\star )\), where \({\varGamma }_e^\star \wedge y^\star =(B_{1}^\star \cup \{y^\star \})\vee (B_{2}^\star \cup \{y^\star \}) \vee \cdots \vee (B_{n}^\star \cup \{y^\star \}),\) in the following way.

  • Pick \(\gamma ^\star \in \{0,1\}^\lambda\) and implicitly define \(H_1(\textit{m}_i^\star ||\gamma ^\star )=c\).

  • Select \(\delta ^{\prime },\delta ^{\prime \prime } {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), and set \(\sigma ^\prime =g^{\delta ^\prime },\sigma ^{\prime \prime } =X^{\delta ^{\prime \prime }}\).

  • Implicitly define \(s_i=\breve{s}_i-b\), for all \(i\in [n]\) and compute

    $$\begin{aligned} C_0^\star &=(\textit{m}_i^\star ||\gamma ^\star ) \oplus H_2\big (Z\cdot e(g^{\alpha '},C)\big ),\\ C_1^\star &=C^{H_{6}(e(\sigma ^\prime ,{\hat{X}})^{\delta ^{\prime \prime }})},\quad C_2^\star =C^{z_1},\\ C_{1,i}^\star &=C^{\breve{\beta }}g^{v_{y^\star }\breve{s}_i}B^{-v_{y^\star }}C^{\breve{s}_i}\prod \limits _{\begin{array}{c} y\in B_{i}^\star \\ y\ne y^\star \end{array}} \big (g^{v_y \breve{s}_i}B^{-v_y}\big ),\\ C_{2,i}^\star &=g^{\breve{s}_i}B^{-1},\\ \delta ^\star &=H_4\big (Z\cdot e(g^{\alpha '},C)\big ),\quad \textsf {tag}^\star =H_{5}(\delta ^\star ||C_{0}^\star ). \end{aligned}$$

    Note that \(C_{1,i}^\star\) is corresponding to \(B_{i}^\star \cup \{y^\star \}\) in the encryption policy \({\varGamma }_e^\star \wedge y^\star\). Set \(\textit{ct}_{e}^\star =({\varGamma }_e^\star \wedge y^\star ,\sigma ^\prime ,\sigma ^{\prime \prime },C_{0}^\star ,C_{1}^\star ,C_{2}^\star ,\{ C_{1,i}^\star ,C_{2,i}^\star \}_{i\in [n]})\).

  • Choose \(\mu _{{\mathcal {W}}},\tau _{{\mathcal {W}}1},\tau _{{\mathcal {W}}2}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \([{\mathcal {W}}:w^\star ] \in \textit{W}^{\star }\), where \(\textit{W}^{\star \circ }=\{{\mathcal {W}}\}\) and compute

    $$\begin{aligned} I_{{\mathcal {W}}1}^\star &=h_{1}^{\mu _{{\mathcal {W}}}-\tau _{{\mathcal {W}}1}},\quad I_{{\mathcal {W}}2}^\star =h_{2}^{\tau _{{\mathcal {W}}1}},\\ I_{{\mathcal {W}}3}^\star &=h_{3}^{\mu _{{\mathcal {W}}}-\tau _{{\mathcal {W}}2}},\quad I_{{\mathcal {W}}4}^\star =h_{4}^{\tau _{{\mathcal {W}}2}},\\ I_{{\mathcal {W}}5}^\star &=(g_{2}^{w^\star }g_{3})^{\mu _{{\mathcal {W}}}}C^{-z_4},\\ I_{{\mathcal {W}}6}^\star &=(g_{2}^{w^\star }g_{3})^{\mu _{{\mathcal {W}}}}C^{-z_5},\quad k_{T}^\star =e(C,g_6)^{\gamma '}. \end{aligned}$$

    Set \(\textit{ct}_{k}^\star =(W^{\star \circ },k_{T}^\star ,\{I_{{\mathcal {W}}1}^\star ,I_{{\mathcal {W}}2}^\star ,I_{{\mathcal {W}}3}^\star ,I_{{\mathcal {W}}4}^\star ,I_{{\mathcal {W}}5}^\star ,I_{{\mathcal {W}}6}^\star \}_{{\mathcal {W}}\in W^{\star \circ }})\).

  • Choose \(\varepsilon ^\star = \frac{-\varrho ^\star -z_9'}{z_8'}\) and compute \({\bar{C}}^\star =C^{(z_7 \varrho ^\star +z_8\varepsilon ^\star +z_9)}\), where \(\varrho ^\star =H_{7}(\textit{ct}_{e}^\star ||\textit{ct}_{k}^\star ||\textsf {tag}^\star )\). Finally, output the challenge original ciphertext \(\textit{CT}^\star =(\textit{ct}_{e}^\star ,\textit{ct}_{k}^\star ,\textsf {tag}^\star ,{\bar{C}}^\star ,\varepsilon ^\star )\).
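
Why these challenge components form a valid encryption under randomness \(c\) when \(Z=e(g,g)^{abc}\), as an added derivation that is not part of the original proof. It uses \(\alpha =\alpha '+ab\), \(X=g^{\breve{\beta }}B\), \(s_i=\breve{s}_i-b\) and the \(H_3\) programming from Setup, and it assumes, since the construction is not shown on this page, that an honest ciphertext has \(C_{1,i}=X^{s}\prod _{y}H_3(y)^{s_i}\) and \(C_{2,i}=g^{s_i}\) with the product taken over the attributes of the \(i\)-th clause.

The mask in \(C_0^\star\) and the input of \(H_4\) equal \(Y^{c}\):

$$\begin{aligned} Y^{c}=e(g,g)^{(\alpha '+ab)c}=e(g,g)^{abc}\cdot e(g^{\alpha '},C)=Z\cdot e(g^{\alpha '},C). \end{aligned}$$

For the policy components, with \(s=c\):

$$\begin{aligned} X^{c}&=C^{\breve{\beta }}\,g^{bc},\\ H_3(y^\star )^{s_i}&=(g^{v_{y^\star }}C)^{\breve{s}_i-b}=g^{v_{y^\star }\breve{s}_i}B^{-v_{y^\star }}C^{\breve{s}_i}\,g^{-bc},\\ H_3(y)^{s_i}&=g^{v_y\breve{s}_i}B^{-v_y},\quad y\ne y^\star ,\\ X^{c}\prod _{y\in B_i^\star \cup \{y^\star \}}H_3(y)^{s_i}&=C^{\breve{\beta }}g^{v_{y^\star }\breve{s}_i}B^{-v_{y^\star }}C^{\breve{s}_i}\prod _{\begin{array}{c} y\in B_{i}^\star \\ y\ne y^\star \end{array}}\big (g^{v_y\breve{s}_i}B^{-v_y}\big )=C_{1,i}^\star ,\\ g^{s_i}&=g^{\breve{s}_i}B^{-1}=C_{2,i}^\star . \end{aligned}$$

The factor \(g^{bc}\), which \({\mathcal {B}}\) cannot compute, appears once in \(X^{c}\) and once inverted in \(H_3(y^\star )^{s_i}\), so it cancels only because \(y^\star\) is present in every clause of \({\varGamma }_e^\star \wedge y^\star\). Likewise, the choice of \(\varepsilon ^\star\) makes \(\varrho ^\star +z_8'\varepsilon ^\star +z_9'=0\), which removes the \(A^{c}\) term from \((g_7^{\varrho ^\star }g_8^{\varepsilon ^\star }g_9)^{c}\) and leaves \({\bar{C}}^\star =C^{(z_7\varrho ^\star +z_8\varepsilon ^\star +z_9)}\).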

Phase II. Other than the restrictions in the \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Or}\text{- }\textsf {Type}\text{- }\textsf {1}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Guess. \({\mathcal {A}}\) outputs a guess \(i'\in \{0,1\}.\) If \(i'=i\), \({\mathcal {A}}\) wins.

If \(Z=e(g,g)^{abc}\), the challenge ciphertext \(\textit{CT}^\star\) is valid. However, if \(Z {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}_T\), the challenge ciphertext \(\textit{CT}^\star\) is independent of the bit i in the view of \({\mathcal {A}}\). Hence, if \({\mathcal {A}}\) has a non-negligible advantage in winning the game, \({\mathcal {B}}\) can solve the DBDH problem with non-negligible advantage. \(\square\)

B: Proof of Theorem 4

Proof

Suppose a PPT Type-2 adversary \({\mathcal {A}}\) breaks \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Or}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can solve the DBDH problem by interacting with \({\mathcal {A}}\) as given in \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Or}\text{- }\textsf {Type}\text{- }\textsf {2}\) game. Given the DBDH problem instance \((\Delta , A=g^a, B=g^b, C=g^c,Z)\), the task for \({\mathcal {B}}\) is to determine whether \(Z=e(g,g)^{abc}\) or Z is a random element of \({\mathbb {G}}_T\).

Setup. \({\mathcal {B}}\) generates the system public parameters as follows. It picks \(\alpha ,\beta {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\) and sets \(Y=e(g,g)^{\alpha },X=g^{\beta }\). Next, \({\mathcal {B}}\) samples \(\{g_i\}_{i=1}^9{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}\), and chooses ten collision-resistant hash functions \(\{H_i\}_{i=1}^{10}\) same as given in construction, in which \(H_6\) is calculated as follows.

\(H_6^\textit{list}:\) \({\mathcal {A}}\) queries \(H_6\) with \(g^s\). If \(\big (C_1=g^{sH_{6}(e(\sigma ^\prime ,{\hat{X}})^{\delta ^{\prime \prime }})},g^s, H_{6}(e(\sigma ^\prime ,{\hat{X}})^{\delta ^{\prime \prime }})\big )\) exists in \(H_6^\textit{list}\), returns \(C_1\). Otherwise, it picks \(\delta ^{\prime },\delta ^{\prime \prime }{\mathop {\longleftarrow }\limits ^{\textrm{u}}}{\mathbb {Z}}_{p}^{*}\), computes \(\sigma ^\prime =g^{\delta ^{\prime }},C_1=g^{sH_{6}(e(\sigma ^\prime ,{\hat{X}})^{\delta ^{\prime \prime }})}\) and returns \(C_1\). Next, it adds the tuple \(\big (g^s, H_{6}(e(\sigma ^\prime ,{\hat{X}})^{\delta ^{\prime \prime }}),C_1\big )\) to \(H_6^\textit{list}\).

\({\mathcal {B}}\) sets \(\textit{mpk}=( \Delta ,X, Y, \{g_i\}_{i=1}^{9}, \textit{M}, \{H_{i}\}_{i=1}^{10})\) and \(\textit{msk}=g^{\alpha }\).

Next, \({\mathcal {B}}\) chooses \(\gamma ^\prime , b_{1}, b_{2}, b_{3}, b_{4}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), computes \(h_{1}= g^{b_{1}}, h_{2}= g^{b_{2}}, h_{3}= g^{b_{3}}, h_{4}= g^{b_{4}}\), \(h_{T}=e(g, g_{6})^{\gamma ^\prime }\), and sets \(\textit{tpk}=( h_T, h_{1}, h_{2}, h_{3}, h_{4})\), \(\textit{tsk}=( \gamma ^\prime ,\{ b_{i}\}_{i=1}^4)\). It implicitly sets \(\textit{csk}=a\) and \(\textit{cpk}=A^{\beta }\).

\({\mathcal {B}}\) sends \(\textit{PP}=(\textit{mpk},\textit{tpk},\textit{cpk})\) to \({\mathcal {A}}\).

Phase I. \({\mathcal {A}}\) queries for the oracles \({\mathcal {O}}_{\textit{sk}}, {\mathcal {O}}_{\textit{rk}},{\mathcal {O}}_{\textit{re}},\mathcal {O}^{\prime}_{\textit{token}}, \mathcal {O}^{\prime}_{\textit{search}}\) and \({\mathcal {O}}_{\textit{decrypt}}.\) Since \({\mathcal {B}}\) knows \(\textit{msk}\) and \(\textit{tsk}\), it runs suitable algorithms to answer \({\mathcal {A}}\)’s queries to \({\mathcal {O}}_{\textit{sk}}, {\mathcal {O}}_{\textit{rk}},{\mathcal {O}}_{\textit{re}},\mathcal {O}^{\prime}_{\textit{token}}\) and \({\mathcal {O}}_{\textit{decrypt}}.\)

  • \(\mathcal {O}^{\prime}_{\textit{search}}({\varGamma }_t, \textit{S},\textit{CT})\): Suppose \(\textit{CT}\) is an original (resp. re-encrypted) ciphertext. If the entry corresponding to \(C_1\) (resp. \(C_1'\)) is not found in \(H_6\) list, \({\mathcal {B}}\) returns \(\bot\). Else, it obtains \(\textit{tok}\leftarrow \mathcal {O}^{\prime}_{\textit{token}}({\varGamma }_t, \textit{S})\) and returns \(1/0\leftarrow \textsf {Search}(\textit{PP},\textit{CT}, \star ,\textit{tok})\) to \({\mathcal {A}}\).

Challenge. \({\mathcal {A}}\) selects two equal length messages \(\textit{m}_0^\star\) and \(\textit{m}_1^\star\), a challenge encryption policy \({\varGamma }_e^\star =B_{1}^\star \vee B_{2}^\star \vee \ldots \vee B_{n}^\star\) and a challenge keyword set \(\textit{W}^\star\), and sends them to \({\mathcal {B}}\). Now, \({\mathcal {B}}\) selects a bit \(i {\mathop {\longleftarrow }\limits ^{\textrm{u}}} \{0,1\}\), returns \(\textit{CT}^\star\) in the following way.

Pick \(\gamma ^\star \in \{0,1\}^\lambda\) and compute \(H_1(\textit{m}_i^\star ||\gamma ^\star )=s\). Choose \(s_i{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(i \in [n]\) and also pick \(\varepsilon ,\mu _{{\mathcal {W}}},\tau _{{\mathcal {W}}1},\tau _{{\mathcal {W}}2}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(~{\mathcal {W}} \in \textit{W}^{\circ }\). Compute

$$\begin{aligned} {\sigma '}^\star =B,{\sigma ^{\prime \prime }}^\star =C^\beta , C_1^\star =g^{sH_6(Z^\beta )}. \end{aligned}$$

The other components of \(\textit{CT}^\star\) can be computed similar to the construction. Finally, the challenge ciphertext \(\textit{CT}^\star\) is sent to \({\mathcal {A}}\).

Phase II. Other than the restrictions in the \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Or}\text{- }\textsf {Type}\text{- }\textsf {2}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Guess. \({\mathcal {A}}\) outputs a guess \(i'\in \{0,1\}.\) If \(i'=i\), \({\mathcal {A}}\) wins.

If \(Z=e(g,g)^{abc}\), the ciphertext \(\textit{CT}^\star\) is valid. However, if \(Z {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}_T\), the challenge ciphertext \(\textit{CT}^\star\) is independent of the bit \(i\) in the view of \({\mathcal {A}}\). Hence, if \({\mathcal {A}}\) has a non-negligible advantage in winning the game, \({\mathcal {B}}\) can solve the DBDH problem with non-negligible advantage. \(\square\)

C: Proof of Theorem 5

Proof

Suppose a PPT Type-1 adversary \({\mathcal {A}}\) breaks \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Re}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can solve the DBDH problem by interacting with \({\mathcal {A}}\) as given in \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Re}\text{- }\textsf {Type}\text{- }\textsf {1}\) game. Given the DBDH problem tuple \((\Delta , A=g^a, B=g^b, C=g^c,Z)\), \({\mathcal {B}}\) has to determine whether \(Z=e(g,g)^{abc}\) or Z is a random element of \({\mathbb {G}}_T\).

Init, Setup, and Phase I are similar to that of Theorem 3.

Challenge. \({\mathcal {A}}\) sends to \({\mathcal {B}}\) two equal length messages \(\textit{m}_0^\star\) and \(\textit{m}_1^\star\), a challenge encryption policy \({\varGamma }_e^\star\), and a challenge keyword set \(\textit{W}^\star\). Now, \({\mathcal {B}}\) selects \(i {\mathop {\longleftarrow }\limits ^{\textrm{u}}} \{0,1\}\), computes a re-encrypted challenge ciphertext \(\textit{CT}^\star \leftarrow \textsf {Re}\text{- }\textsf {Encrypt}\big (\textit{PP,csk}, \textsf {Encrypt}(\textit{PP},\textit{m}_i^\star ,{\varGamma }_e,\textit{W}),\textit{rk}^\star \big )\), where \(\textit{rk}^\star \leftarrow \textsf {Re}\text{- }\textsf {KeyGen}(\textit{PP},\textit{sk}_{\textit{S}},{\varGamma }_e^\star \wedge y^\star ,\textit{W}^\star ),\textit{S}\models {\varGamma }_e,\) \({\varGamma }_e^\star \wedge y^\star =(B_{1}^\star \cup \{y^\star \})\vee (B_{2}^\star \cup \{y^\star \}) \vee \cdots \vee (B_{n}^\star \cup \{y^\star \}),\) in the following way.

  • Pick \(\gamma ^\star ,\phi ^\star ,\gamma _1^\star \in \{0,1\}^\lambda\) and set \(H_1(\textit{m}_i^\star ||\gamma ^\star )=s\).

  • Select \(\delta '^{\star },\delta ''^{\star } {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\) and set \(\sigma '^\star =g^{\delta '^{\star }},\sigma ''^{\star } =X^{\delta ''^{\star }}\).

  • Compute

    $$\begin{aligned}{} & {} C_0^\star =(\textit{m}_i^\star ||\gamma ^\star ) \oplus H_2\big (e(g,g)^{\alpha 's} e(A,B)^s\big ),\\{} & {} \quad C_1^\star =g^{sH_{6}(e(\sigma '^\star ,{\hat{X}})^{\delta ''^{\star }})}, \\{} & {} C_2^\star =g_1^{s}, T^\star =e(g,g)^{\alpha 'sH_9(\phi ^\star )} e(A,B)^{sH_9(\phi ^\star )}. \end{aligned}$$
  • Implicitly define \(H_1(\phi ^\star ||\gamma _1^\star )=c\).

  • Select \(\delta _1^{\star },\delta _2^{\star } {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), and set \(\sigma _1^\star =g^{\delta _1^{\star }},\sigma _2^{\star } =X^{\delta _2^{\star }}\).

  • Implicitly define \(s_i'=\breve{s}_i'-b\), for all \(i\in [n]\) and compute

    $$\begin{aligned}{} & {} {C_0'}^\star =(\phi ^\star ||\gamma _1^\star ) \oplus H_2\big (Z\cdot e(g^{\alpha '},C)\big ),\\{} & {} \quad {C_1'}^\star =C^{H_{6}\big (e(\sigma _1^\star ,{\hat{X}})^{\delta _2^{\star }}\big )},\\{} & {} C_{1,i}^{\prime \star }=C^{\breve{\beta }}g^{v_{y^\star }\breve{s}_i'}B^{-v_{y^\star }}C^{\breve{s}_i'}\prod \limits _{\begin{array}{c} y\in B_{i}^\star \\ y\ne y^\star \end{array}} \big (g^{v_y \breve{s}_i'}B^{-v_y}\big ),\\{} & {} \quad C_{2,i}^{\prime \star }=g^{\breve{s}_i'}B^{-1},\\{} & {} {\delta '}^\star =H_4\big (Z\cdot e(g^{\alpha '},C)\big ),\textsf {tag}_1^\star =H_{5}\big ({\delta '}^\star ||{C_{0}'}^\star \big ). \end{aligned}$$

    Note that \(C_{1,i}^{\prime \star }\) is corresponding to \(B_{i}^\star \cup \{y^\star \}\) in the encryption policy \({\varGamma }_e^\star \wedge y^\star\). Set \({\textit{ct}_{e}'}^\star =({\varGamma }_e^\star \wedge y^\star ,\sigma _1^\star ,\sigma _2^\star ,{C_{0}'}^\star ,{C_{1}'}^\star ,\{ C_{1,i}^{\prime \star },C_{2,i}^{\prime \star }\}_{i\in [n]})\).

  • Choose \({\mu }_{{\mathcal {W}}}',\tau _{{\mathcal {W}}1}',\tau _{{\mathcal {W}}2}'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \([{\mathcal {W}}:{w}^{\star }] \in \textit{W}^{\star }\), where \(\textit{W}^{\star \circ }=\{{\mathcal {W}}\}\), and compute

    $$\begin{aligned}{} & {} I_{{\mathcal {W}}1}^{\prime \star }=h_{1}^{\mu _{{\mathcal {W}}}'-\tau _{{\mathcal {W}}1}'}, I_{{\mathcal {W}}2}^{\prime \star }=h_{2}^{\tau _{{\mathcal {W}}1}'},\\{} & {} \quad I_{{\mathcal {W}}3}^{\prime \star }=h_{3}^{\mu _{{\mathcal {W}}}'-\tau _{{\mathcal {W}}2}'}, I_{{\mathcal {W}}4}^{\prime \star }=h_{4}^{\tau _{{\mathcal {W}}2}'}, \\{} & {} I_{{\mathcal {W}}5}^{\prime \star }=(g_{2}^{w^\star }g_{3})^{\mu _{{\mathcal {W}}}'}C^{-z_4},\\{} & {} \quad I_{{\mathcal {W}}6}^{\prime \star }=(g_{2}^{w^\star }g_{3})^{\mu _{{\mathcal {W}}}'}C^{-z_5}, k_{T}^{\prime \star }=e(C,g_6)^{\gamma '}. \end{aligned}$$

    Set \(\textit{ct}_{k}^{\prime \star }=(W^{\star \circ },k_{T}^{\prime \star },\{I_{{\mathcal {W}}1}^{\prime \star },I_{{\mathcal {W}}2}^{\prime \star },I_{{\mathcal {W}}3}^{\prime \star },I_{{\mathcal {W}}4}^{\prime \star },I_{{\mathcal {W}}5}^{\prime \star },I_{{\mathcal {W}}6}^{\prime \star }\}_{{\mathcal {W}}\in W^{\star \circ }})\).

  • Choose \(\varepsilon ^{\prime \star } = \frac{-\varrho ^{\prime \star }-z_9'}{z_8'}\) and compute \({\bar{C}}^{\prime \star }=C^{(z_7 \varrho ^{\prime \star }+z_8\varepsilon ^{\prime \star }+z_9)}\), where \(\varrho ^{\prime \star }=H_{7}(\textit{ct}_{e}^{\prime \star }||\textit{ct}_{k}^{\prime \star }||\textsf {tag}_1^{\star }||\textit{S})\). Set \(rk_3^\star =(\textit{ct}_{e}^{\prime \star },\textit{ct}_{k}^{\prime \star },\textsf {tag}_1^{\star },{\bar{C}}^{\prime \star },\varepsilon ^{\prime \star })\).

    Finally, output the challenge re-encrypted ciphertext \(\textit{CT}^\star =(\textit{S},C_0^\star ,C_1^\star ,C_2^\star ,T^\star ,rk_3^\star )\).

Phase II. Other than the restrictions in the \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Re}\text{- }\textsf {Type}\text{- }\textsf {1}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Guess. \({\mathcal {A}}\) outputs a guess \(i'\in \{0,1\}.\) If \(i'=i\), \({\mathcal {A}}\) wins.

If \(Z=e(g,g)^{abc}\), the ciphertext is valid. However, if \(Z {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}_T\), the challenge ciphertext \(\textit{CT}^\star\) is independent of the bit \(i\) in the view of \({\mathcal {A}}\). Hence, if \({\mathcal {A}}\) has a non-negligible advantage in winning the game, \({\mathcal {B}}\) can solve the DBDH problem with non-negligible advantage. \(\square\)

D: Proof of Theorem 6

Proof

Suppose a PPT Type-2 adversary \({\mathcal {A}}\) breaks the \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Re}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can solve the DBDH problem by interacting with \({\mathcal {A}}\) as given in \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Re}\text{- }\textsf {Type}\text{- }\textsf {2}\) game. Given the DBDH problem tuple \((\Delta , A=g^a, B=g^b, C=g^c,Z)\), \({\mathcal {B}}\) has to determine whether \(Z=e(g,g)^{abc}\) or Z is a random element of \({\mathbb {G}}_T\).

Setup. The simulation of this phase is similar to that of Theorem 4.

Phase I. \({\mathcal {B}}\) responds to \({\mathcal {A}}\)’s queries as follows.

  • \(\mathcal {O}^{\prime}_{\textit{search}}({\varGamma }_t, \textit{S},\textit{CT})\): Here, \(\textit{CT}\) is a re-encrypted ciphertext. If the entry corresponding to \(C_1'\) is not available in \(H_6^\textit{list}\), output \(\bot\). Otherwise, \({\mathcal {B}}\) gets \(\textit{tok}\leftarrow \mathcal {O}^{\prime}_{\textit{token}}({\varGamma }_t, \textit{S})\) and returns \(1/0\leftarrow \textsf {Search}(\textit{PP},\textit{CT}, \star ,\textit{tok})\) to \({\mathcal {A}}\).

The simulation of the other oracles is the same as that of Theorem 4.

Challenge. After Phase I is over, \({\mathcal {A}}\) selects two equal length messages \(\textit{m}_0^\star\) and \(\textit{m}_1^\star\), a challenge encryption policy \({\varGamma }_e^\star\) and a challenge keyword set \(\textit{W}^\star\) and sends them to \({\mathcal {B}}\). Now, \({\mathcal {B}}\) picks \(i {\mathop {\longleftarrow }\limits ^{\textrm{u}}} \{0,1\}\) and returns the challenge ciphertext \(\textit{CT}^\star\) in the following way.

Pick \(\phi ^\star ,\gamma _1^\star \in \{0,1\}^\lambda\) and compute \(H_1(\phi ^\star ||\gamma _1^\star )=s'\). Choose \(s_i'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(i \in [n]\) and also pick \(\varepsilon ',\mu _{{\mathcal {W}}}',\tau _{{\mathcal {W}}1}',\tau _{{\mathcal {W}}2}'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(~{\mathcal {W}}\in \textit{W}^{\star \circ }\). Compute the components of \(rk_3^\star\) as given below.

$$\begin{aligned} \sigma _1^\star =B,\sigma _2^\star =C^\beta , C_1^{\prime \star }=g^{s'H_6(Z^\beta )}. \end{aligned}$$

The other components of the challenge re-encrypted ciphertext \(\textit{CT}^\star\) can be computed as given in the construction.

Phase II. Other than the restrictions in the \(\textsf {IND}\text{- }\textsf {CCA2}\text{- }\textsf {Re}\text{- }\textsf {Type}\text{- }\textsf {2}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Guess. \({\mathcal {A}}\) outputs a guess \(i'\in \{0,1\}.\) If \(i'=i\), \({\mathcal {A}}\) wins.

If \(Z=e(g,g)^{abc}\), the ciphertext \(\textit{CT}^\star\) is valid. And, if \(Z {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}_T\), \(\textit{CT}^\star\) is independent of the bit \(i\) in the view of \({\mathcal {A}}\). Hence, if \({\mathcal {A}}\) has a non-negligible advantage in winning the game, \({\mathcal {B}}\) can solve the DBDH problem with non-negligible advantage. \(\square\)

E: Proof of Theorem 7

Proof

Suppose a PPT adversary \({\mathcal {A}}\) without having the cloud secret key \(\textit{csk}\) breaks the \(\textsf {IND}\text{- }\textsf {CKA}_{\textsf {ct}}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can solve the DBDH problem by interacting with \({\mathcal {A}}\) as given in \(\textsf {IND}\text{- }\textsf {CKA}_{\textsf {ct}}\) game. Given the DBDH problem instance \((\Delta , A=g^a, B=g^b, C=g^c,Z)\), the task for \({\mathcal {B}}\) is to determine whether \(Z=e(g,g)^{abc}\) or Z is random.

Setup. Same as described in Theorem 4.

Phase I. \({\mathcal {A}}\) queries for the oracles \({\mathcal {O}}_{\textit{sk}}', {\mathcal {O}}_{\textit{rk}}^{\prime },{\mathcal {O}}_{\textit{token}}^{\prime \prime },{\mathcal {O}}_{\textit{search}}'\) and \({\mathcal {O}}_{\textit{decrypt}}\). Since \({\mathcal {B}}\) has \(\textit{msk}\) and \(\textit{tsk}\), it runs suitable algorithms to answer \({\mathcal {A}}\)’s queries.

Challenge. \({\mathcal {A}}\) sends to \({\mathcal {B}}\) two equal size keyword sets \(\textit{W}_0^\star\) and \(\textit{W}_1^\star\) (where either \(\textit{W}_0^\star \models {\varGamma }_{t} \wedge \textit{W}_1^\star \models {\varGamma }_{t}\) or \(\textit{W}_0^\star \not \models {\varGamma }_{t} \wedge \textit{W}_1^\star \not \models {\varGamma }_{t}\) for all \({\varGamma }_t\) submitted to \(\mathcal {O''}_{\textit{token}},\mathcal {O}^{\prime}_{\textit{search}},{\mathcal {O}}_{\textit{decrypt}}\) in Phase I), a challenge message \(\textit{m}^\star\) and a challenge encryption policy \({\varGamma }_e^\star\). Now, \({\mathcal {B}}\) selects a bit \(i {\mathop {\longleftarrow }\limits ^{\textrm{u}}} \{0,1\}\), outputs an original ciphertext \(\textit{CT}^\star \leftarrow \textsf {Encrypt}(\textit{PP},\textit{m}^\star ,{\varGamma }_e^\star ,\textit{W}_i^\star )\), or a re-encrypted ciphertext \(\textit{CT}^\star \leftarrow \textsf {Re}\text{- }\textsf {Encrypt}\big (\textit{PP,csk}, \textsf {Encrypt}(\textit{PP},\textit{m}^\star ,{\varGamma }_e,\textit{W}),\textit{rk}^\star \big )\), where \(\textit{rk}^\star \leftarrow \textsf {Re}\text{- }\textsf {KeyGen}(\textit{PP},\textit{sk}_{\textit{S}},{\varGamma }_e^\star ,\textit{W}_i^\star ),\textit{S}\models {\varGamma }_e\), in the following way.

  • If \(\textit{CT}^\star\) is an original ciphertext, pick \(\gamma ^\star \in \{0,1\}^\lambda\) and compute \(H_1(\textit{m}^\star ||\gamma ^\star )=s\). Choose \(s_i{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(i \in [n]\) and also pick \(\varepsilon ,\mu _{{\mathcal {W}}},\tau _{{\mathcal {W}}1},\tau _{{\mathcal {W}}2}{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\) for all \(~{\mathcal {W}} \in \textit{W}^{\circ }\). Compute

    $$\begin{aligned} {\sigma '}^\star =B,{\sigma ^{\prime \prime }}^\star =C^\beta , C_1^\star =g^{sH_6(Z^\beta )}. \end{aligned}$$

    The other components of the challenge original ciphertext \(\textit{CT}^\star\) can be computed as given in the construction.

  • If \(\textit{CT}^\star\) is a re-encrypted ciphertext, pick \(\phi ^\star ,\gamma _1^\star \in \{0,1\}^\lambda\) and calculate \(H_1(\phi ^\star ||\gamma _1^\star )=s'\). Choose \(s_i'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(i \in [n]\) and also pick \(\varepsilon ',\mu _{{\mathcal {W}}}',\tau _{{\mathcal {W}}1}',\tau _{{\mathcal {W}}2}'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), for all \(~{\mathcal {W}} \in \textit{W}_i^{\star \circ }\). Compute the components of \(rk_3^\star\) as given below

    $$\begin{aligned} \sigma _1^\star =B,\sigma _2^\star =C^\beta , C_1^{\prime \star }=g^{s'H_6(Z^\beta )}. \end{aligned}$$

    The other components of the challenge re-encrypted ciphertext \(\textit{CT}^\star =(\textit{S},C_0,C_1,C_2,T,rk_3^\star )\) can be computed as given in the construction.

Finally, the challenge ciphertext \(\textit{CT}^\star\) is sent to \({\mathcal {A}}\).

Phase II. Other than the restrictions in the \(\textsf {IND}\text{- }\textsf {CKA}_{\textsf {ct}}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Guess. \({\mathcal {A}}\) outputs a guess \(i'\in \{0,1\}.\) If \(i'=i\), \({\mathcal {A}}\) wins.

If \(Z=e(g,g)^{abc}\), the ciphertext is valid. However, if \(Z {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}_T\), the challenge ciphertext \(\textit{CT}^\star\) is independent of the bit \(i\) in the view of \({\mathcal {A}}\). Hence, if \({\mathcal {A}}\) has a non-negligible advantage in winning the game, \({\mathcal {B}}\) can solve the DBDH problem with non-negligible advantage. \(\square\)

F: Proof of Theorem 8

Proof

Suppose a PPT adversary \({\mathcal {A}}\) without having the cloud secret key \(\textit{csk}\) breaks \(\textsf {IND}\text{- }\textsf {CKA}_{\textsf {tok}}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can solve the DBDH problem by interacting with \({\mathcal {A}}\) as given in \(\textsf {IND}\text{- }\textsf {CKA}_{\textsf {tok}}\) game. Given the DBDH problem instance \((\Delta , A=g^a, B=g^b, C=g^c,Z)\), the task for \({\mathcal {B}}\) is to determine whether \(Z=e(g,g)^{abc}\) or Z is random.

Setup. Same as explained in Theorem 4.

Phase I. \({\mathcal {A}}\) queries for the oracles \({\mathcal {O}}_{\textit{sk}}', {\mathcal {O}}_{\textit{rk}}^{\prime },{\mathcal {O}}_{\textit{token}}^{\prime \prime },{\mathcal {O}}_{\textit{search}}'\) and \({\mathcal {O}}_{\textit{decrypt}}\). Since \({\mathcal {B}}\) has access to \(\textit{msk}\) and \(\textit{tsk}\), it runs suitable algorithms to answer \({\mathcal {A}}\)’s queries.

Challenge. \({\mathcal {A}}\) selects two equal size Boolean keyword formulas \({\varGamma }_{t(0)}^\star\) and \({\varGamma }_{t(1)}^\star\) (where either \(\textit{W} \models {\varGamma }_{t(0)}^\star \wedge \textit{W} \models {\varGamma }_{t(1)}^\star\) or \(\textit{W} \not \models {\varGamma }_{t(0)}^\star \wedge \textit{W} \not \models {\varGamma }_{t(1)}^\star\) for all \(\textit{W}\) submitted to \(\mathcal {O}^{\prime}_{\textit{rk}}\) and for all \(\textit{W}\) attached in \(\textit{CT}\), which is input to \(\mathcal {O}^{\prime}_{\textit{search}}\) and \({\mathcal {O}}_{\textit{decrypt}}\) in Phase I), a challenge attribute set \(\textit{S}^\star\), and sends them to \({\mathcal {B}}\). Now, \({\mathcal {B}}\) selects a bit \(i {\mathop {\longleftarrow }\limits ^{\textrm{u}}} \{0,1\}\), outputs \((\textit{tok}^\star ,\textit{sk}_{\textit{tr}}^\star )\leftarrow \textsf {TokenGen}(\textit{PP},{\varGamma }_{t(i)}^\star , \textit{tsk}, \textit{sk}_{\textit{S}^\star })\) in the following way.

Let \({\varGamma }_{t(i)}^{\star }=({\mathcal {K}}_{t(i)},\rho _{t(i)}^\circ ,\{w_{\rho _{t(i)}^{\circ }}\}_{i \in \ell _t})\). Choose \(\mathbf {\eta }=\big ( \gamma ' H_{10}(\textsf{pp}),y_{2},y_{3}, \ldots , y_{\ell _{t}}\big )\), where \(\textsf{pp}\) is computed below and \(y_{2},y_{3}, \ldots , y_{\ell _{t}}\in {\mathbb {Z}}_p^*\). Compute \(\zeta _{j}={\mathcal {K}}_{t(i)}^{(j)}\cdot \mathbf {\eta }\), for all \(j\in [\ell _t]\). Also, choose \(\phi _{1},\phi _{2},\phi _{3},\breve{q}_{j},\breve{q}_{j}'{\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {Z}}_{p}^{*}\), set \(\mathbf {\eta }'=\big ( \phi _{3}/\phi _{1},y_{2}',y_{3}', \ldots , y_{\ell _{t}}'\big )\), where \(y_{2}',y_{3}', \ldots , y_{\ell _{t}}'\in {\mathbb {Z}}_p^*\) and compute \(\nu _{j}={\mathcal {K}}_{t(i)}^{(j)}\cdot \mathbf {\eta }'\), for all \(j\in [\ell _t]\). Compute the following token components:

$$\begin{aligned}{} & {} \Pi _{1}= B, \Pi _{2}= C^{\beta },\textsf{pp}=Z^{\beta }, {\Pi }_{j1}=g_{6}^{\zeta _{j}}\cdot g_{4}^{b_{1}b_{2}\breve{q}_{j}+b_{3}b_{4}\breve{q}_{j}'},\\{} & {} {\Pi }_{j2}=X^{\nu _{j}} \cdot g_{5}^{b_{1}b_{2}\breve{q}_{j}+b_{3}b_{4}\breve{q}_{j}'},\\{} & {} \quad {\Pi }_{j3}=H_8(\textsf{pp} ||{\varGamma }^{\star \circ }_{t(i)} ||{\mathcal {K}}_{t(i)}^{(j)})\cdot g^{b_{1}b_{2}\breve{q}_{j}+b_{3}b_{4}\breve{q}_{j}'},\\{} & {} U_{j1}=(g_{2}^{w_{\rho _{t(i)}^{\circ }(j)}}g_{3})^{-\breve{q}_{j}b_{1}}, U_{j2}=(g_{2}^{w_{\rho _{t(i)}^{\circ }(j)}}g_{3})^{-\breve{q}_{j}b_{2}}, \\{} & {} U_{j3}=(g_{2}^{w_{\rho _{t(i)}^{\circ }(j)}}g_{3})^{-\breve{q}_{j}'b_{3}}, U_{j4}=(g_{2}^{w_{\rho _{t(i)}^{\circ }(j)}}g_{3})^{-\breve{q}_{j}'b_{4}}. \end{aligned}$$

Set \(\textit{sk}_{\textit{tr}}^\star =(\phi _{1},\phi _{2})\). The other components of token \(\textit{tok}^\star =( {\varGamma }_{t(i)}^{\star \circ },\Pi _{1}, \Pi _{2},\{{\Pi }_{j1},{\Pi }_{j2},{\Pi }_{j3},{U}_{j1},{U}_{j2},{U}_{j3},{U}_{j4}\}_{j \in [\ell _{t}]},D_1,D_2,\{D_y\}_{y\in \textit{S}^\star })\) can be computed as given in the construction. Finally, \(\textit{tok}^\star\) and \(\textit{sk}_{\textit{tr}}^\star\) are sent to \({\mathcal {A}}\).

Phase II. Other than the restrictions in the \(\textsf {IND}\text{- }\textsf {CKA}_{\textsf {tok}}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Guess. \({\mathcal {A}}\) outputs a guess \(i'\in \{0,1\}.\) If \(i'=i\), \({\mathcal {A}}\) wins.

If \(Z=e(g,g)^{abc}\), the token \(\textit{tok}^\star\) is valid. However, if \(Z {\mathop {\longleftarrow }\limits ^{\textrm{u}}} {\mathbb {G}}_T\), the challenge token \(\textit{tok}^\star\) is independent of the bit \(i\) in the view of \({\mathcal {A}}\). Hence, if \({\mathcal {A}}\) has a non-negligible advantage in winning the game, \({\mathcal {B}}\) can solve the DBDH problem with non-negligible advantage. \(\square\)

G: Proof of Theorem 9

Proof

Suppose a PPT adversary \({\mathcal {A}}\) having the cloud secret key \(\textit{csk}\) breaks the \(\textsf {Verifiability}\) security with non-negligible advantage, then a challenger \({\mathcal {B}}\) can find a collision for the hash function \(H_4\) or \(H_5\) by interacting with \({\mathcal {A}}\) as given in \(\textsf {Verifiability}\) game.

Setup. \({\mathcal {B}}\) computes \((\textit{mpk,msk})\leftarrow \textsf {PKG.Setup}(1^{\lambda }, \textit{U})\), \((\textit{tpk,tsk})\leftarrow \textsf {TGC.Setup}(1^{\lambda }, \textit{U})\), \((\textit{cpk,csk})\leftarrow \textsf {PCS.Setup}(1^{\lambda }, \textit{U})\), and sends \((\textit{PP,csk})\) to \({\mathcal {A}}\), where \(\textit{PP}=(\textit{mpk,cpk,tpk})\).

Phase I. \({\mathcal {A}}\) queries the oracles \({\mathcal {O}}_{\textit{sk}}', {\mathcal {O}}_{\textit{rk}}^{\prime \prime },{\mathcal {O}}_{\textit{token}}^{\prime \prime \prime },{\mathcal {O}}_{\textit{search}}^{\prime \prime }\), \({\mathcal {O}}_{\textit{transform}}\) and \({\mathcal {O}}_{\textit{decrypt}}\). Since \({\mathcal {B}}\) has \(\textit{msk,csk}\) and \(\textit{tsk}\), it runs appropriate algorithms to answer \({\mathcal {A}}\)’s queries.

Challenge. \({\mathcal {A}}\) selects a message \(\textit{m}^\star\), an encryption policy \({\varGamma }_e^\star\) and a keyword set \(\textit{W}^\star\), and sends the same to \({\mathcal {B}}\). Now, \({\mathcal {B}}\) outputs an original ciphertext \(\textit{CT}^\star \leftarrow \textsf {Encrypt}(\textit{PP},\textit{m}^\star ,{\varGamma }_e^{\star },\textit{W}^\star )\), or a re-encrypted ciphertext \(\textit{CT}^\star \leftarrow \textsf {Re}\text{- }\textsf {Encrypt}\big (\textit{PP,csk}, \textsf {Encrypt}(\textit{PP},\textit{m}^\star ,{\varGamma }_e,\textit{W}),\textit{rk}^\star \big )\), where \(\textit{rk}^\star \leftarrow \textsf {Re}\text{- }\textsf {KeyGen}(\textit{PP},\textit{sk}_{\textit{S}},{\varGamma }_e^\star ,\textit{W}^\star ),\textit{S}\models {\varGamma }_e,\) and sends \(\textit{CT}^\star\) to \({\mathcal {A}}\). Here, \(\textit{CT}^\star =(\textit{ct}_{e}^\star ,\textit{ct}_{k}^\star ,\textsf {tag}^\star ,{\bar{C}}^\star ,\varepsilon ^\star )\) or \(\textit{CT}^\star =(\textit{S},C_0^\star ,C_1^\star ,C_2^\star ,T^\star ,rk_{3}^\star )\).

Phase II. Other than the restrictions in the \(\textsf {Verifiability}\) game, \({\mathcal {A}}\) queries as it does in Phase I.

Output. \({\mathcal {A}}\) outputs a keyword policy \({\varGamma }_t^\star\), an attribute set \(\textit{S}^\star\) and a transformed original ciphertext \(\textit{CT}_{tr}^\star =(\textit{R}_{1}, \textit{R}_{2},C_{0},\breve{B},C_{2},\textsf{tag}^\star )\) or a transformed re-encrypted ciphertext \(\textit{CT}_{tr}^\star =(\textit{Y}_{1}, \textit{Y}_{2},C_{0},C_{0}',\breve{B},\breve{D},C_{2}, T,\textsf{tag1}^\star )\).

If \(\textit{CT}_{tr}^\star\) is a transformed original ciphertext, as described in the Verifiability game, \({\mathcal {B}}\) has the entry \(( \varGamma _t^{\star }, \textit{S}^{\star }, \textit{tok}^\star , \textit{sk}_{\textit{tr}}^\star )\), where \(\textit{sk}_{\textit{tr}}^\star =(\phi _{1}^\star ,\phi _{2}^\star )\). If \({\mathcal {A}}\) breaks the verifiability of our scheme, \({\mathcal {B}}\) can recover a message \(m\leftarrow {\textsf {Verify}\text{- }\textsf {and}\text{- }\textsf {Decrypt}}(\textsf {PP},\textit{CT}_{tr}^{\star }, \textit{sk}_{\textit{tr}}^\star ),\) where \(m\notin \{m^{\star }, \bot \}\), as follows.

(i) Compute \(\Omega =R_1^{-\phi _1^{\star }}\cdot R_2^{\phi _2^{\star }}\); (ii) observe \(H_5(H_4(\Omega )||C_0)= \textsf{tag}^{\star }\), and (iii) obtain \(m||\gamma =C_0 \oplus H_2(\Omega ).\)

If \(\Omega ^{\star }\) is the respective component of \(\Omega\) used in the generation of \(\textit{CT}^{\star }\), then there are two possibilities \(\Omega \ne \Omega ^{\star }\) or \(\Omega = \Omega ^{\star }\).

From (ii), we have that \(H_5(H_4(\Omega )||C_0)= \textsf{tag}^{\star }=H_5(H_4(\Omega ^{\star })||C_0^{\star })\).

If \(\Omega \ne \Omega ^{\star }\), then \(H_4(\Omega )\ne H_4(\Omega ^{\star })\); otherwise, the pair \((\Omega , \Omega ^{\star })\) forms a collision for \(H_4\). Hence, \(H_4(\Omega )||C_0\ne H_4(\Omega ^{\star })||C_0^{\star }\). This shows that the pair \((H_4(\Omega )||C_0, H_4(\Omega ^{\star })||C_0^{\star })\) forms a collision for \(H_5\).

Suppose \(\Omega = \Omega ^{\star }\). Then, \(C_0 \oplus H_2(\Omega )=(m||\gamma )\ne (m^\star ||\gamma ^\star )=C_0^\star \oplus H_2(\Omega ^\star )\), and hence, \(C_0\ne C_0^{\star }\). Therefore, the pair \((H_4(\Omega )||C_0, H_4(\Omega )||C_0^{\star })\) forms a collision for \(H_5\).

In both cases, \({\mathcal {B}}\) finds a collision for \(H_5.\) Since \(H_5\) is a collision-resistant hash function, \({\mathcal {A}}\) cannot win the verifiability game with non-negligible advantage, and hence, our scheme is verifiable.

Note that if \(\textit{CT}_{tr}^\star\) is a transformed re-encrypted ciphertext, in a similar way, we can prove that our scheme is verifiable. \(\square\)
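The collision extraction in the proof of Theorem 9, written out as an added example that is not part of the paper. It assumes domain-separated SHAKE-256 as a stand-in for \(H_2, H_4, H_5\) and a byte string as the encoding of \(\Omega \in {\mathbb {G}}_T\); all function names are hypothetical, and \(H_5\) can be truncated to 16 bits so that a passing forgery exists and \({\mathcal {B}}\)'s extraction step can be run on it.

```python
import hashlib
from itertools import count

LAM = 16  # byte length of m and of gamma (stand-in for the security parameter)

def _h(label, data, n):
    # Domain-separated SHAKE-256: an assumed stand-in for the paper's hash functions.
    return hashlib.shake_256(label + b"|" + data).digest(n)

def H2(omega):            # masks m || gamma
    return _h(b"H2", omega, 2 * LAM)

def H4(omega):            # commits to Omega inside the tag
    return _h(b"H4", omega, 32)

def make_H5(nbytes):      # nbytes=32: full strength; nbytes=2: deliberately weak
    return lambda x: _h(b"H5", x, nbytes)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(m, gamma, omega, H5):
    """Honest C_0 and tag: C_0 = (m||gamma) xor H2(Omega), tag = H5(H4(Omega)||C_0)."""
    c0 = xor(m + gamma, H2(omega))
    return c0, H5(H4(omega) + c0)

def verify_and_decrypt(omega, c0, tag, H5):
    """Steps (ii) and (iii) of the proof; returns m, or None for the reject symbol."""
    if H5(H4(omega) + c0) != tag:
        return None
    return xor(c0, H2(omega))[:LAM]

def forge(omega_s, c0_s, tag, H5, vary_omega):
    """Search for (Omega, C_0) that passes the tag check and decrypts to m != m*."""
    m_s = xor(c0_s, H2(omega_s))[:LAM]
    for i in count():
        cand = i.to_bytes(2 * LAM, "little")
        omega, c0 = (cand, c0_s) if vary_omega else (omega_s, cand)
        m = verify_and_decrypt(omega, c0, tag, H5)
        if m is not None and m != m_s:
            return omega, c0

def extract_collision(honest, forged, H5):
    """What B does with a winning output: return a colliding pair for H4 or H5."""
    (omega_s, c0_s), (omega, c0) = honest, forged
    if omega != omega_s and H4(omega) == H4(omega_s):
        return "H4", omega, omega_s
    x, x_s = H4(omega) + c0, H4(omega_s) + c0_s
    if x == x_s or H5(x) != H5(x_s):
        raise ValueError("not a successful forgery")
    return "H5", x, x_s

# Constructed sample values (not from the paper).
OMEGA_STAR = b"constructed-GT-element-encoding!"
M_STAR, GAMMA_STAR = b"sixteen byte msg", b"\x07" * LAM

if __name__ == "__main__":
    weak = make_H5(2)
    c0_s, tag = seal(M_STAR, GAMMA_STAR, OMEGA_STAR, weak)
    for vary in (False, True):          # Omega = Omega*, then Omega != Omega*
        forged = forge(OMEGA_STAR, c0_s, tag, weak, vary)
        kind, x, x_s = extract_collision((OMEGA_STAR, c0_s), forged, weak)
        print(vary, kind, x != x_s, weak(x) == weak(x_s))
```

With the 32-byte \(H_5\) the same tampered inputs are rejected, which is the situation the theorem describes; the 16-bit variant only exists to make the two cases of the proof observable.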


Cite this article

Bera, S., Rao, Y.S. Searchable Attribute-Based Proxy Re-encryption: Keyword Privacy, Verifiable Expressive Search, and Outsourced Decryption. SN COMPUT. SCI. 5, 479 (2024). https://doi.org/10.1007/s42979-024-02646-2
