1 Introduction

The resources of the broadcasting channel are protected by allowing only the authorized person to be accessible to these resources [27]. By installing the access control into this channel, the individual has the attributes that will be attested to participate in the system. In addition, the access control is set up not only by the identity’s user but also by the predicate of attributes (age, career, address, etc.). Currently, there are many broadcasting systems that integrate fine-grained access control into the authorization of user-accessible such as mobile pay-TV [35], 5G direct access via satellite [12], and Internet of Thing [24]. The incorporation of access control to the broadcasting systems not only controls the filtered users when using the service but also prevents from an unauthorized attempt to the system.

Among all the existing cryptographic tools, Attribute-Based Broadcast Encryption (ABBE) [22, 36] is well-suitable to construct an efficient mechanism. It creates the complicated access control that enables the broadcasting system. ABBE is a combination of Attribute-Based Encryption (ABE) [4, 6, 11, 16, 21, 28, 32] and Broadcast Encryption (BE) [5, 7, 14]. In the first proposal, the ABBE [22] allows the broadcaster to select groups of users defined by their attributes. This scheme is restricted the access policy for the group of users who satisfy the access policy can decrypt the ciphertext of broadcast encryption scheme. Technically, a user joint to the ABBE system is issued by a secret key \(\textsf {SK}\) associated with a user identity \(\textsf {ID}\) and a set of user’s attributes \(\textsf {L}\). Then the broadcaster who launched the ABBE system creates a ciphertext \(\textsf {CT}\), which is associated with a list \(\textsf {S}\) of the user’s identity and an access policy \(\textsf {W}\). In addition, the access policy \(\textsf {W}\) is expressed by the predicate of the specified attributes. In the end, a user whose \(\textsf {SK}\) can decrypt the ciphertext \(\textsf {CT}\) if and only if the user \(\textsf {ID}\) belongs to the set \(\textsf {S}\) of valid user’s identity, and the user’s attributes \(\textsf {L}\) satisfies access policy \(\textsf {W}\).

Motivation The Pay TV system wants to uphold customer service by offering exclusive prices and benefits. The system selects promising customers to participate in this campaign. However, all the information, including the price, benefits, and customers, cannot be unveiled publicly. Only the authorized person can intercommunicate with the system to obtain this information. For example, the broadcaster encrypts the data associated with the group of \(\textsf {k}\) customers \(\{\textsf {ID}_1, \textsf {ID}_2, \ldots , \textsf {ID}_k\}\), and the access policy as “(Town A \(\textsf {AND}\) Age > 22 \(\textsf {AND}\) No home-phone line) \(\textsf {OR}\) (Town C \(\textsf {AND}\) Registered home-phone line)”. Therefore, the broadcaster needs to protect all the information when public on the channel. Indeed, suppose the access policy is hidden when producing in the ciphertext. In that case, the competitor/the adversary can not extract the customer’s information and learn from Pay TV’s strategy to attract customers. Eventually, the customers who have satisfied the access structure can subscribe to their favorite channels. The existing ABBE schemes [10, 20, 30, 33, 36] have not considered the issue of hidden access policy when generating the ciphertext to deliver in the broadcasting channel.

Contribution In order to anonymize both the information of the group of \(\textsf {ID}\) users and the access structures, this work proposes two Anonymous Key Policy Attribute Based Broadcast Encryption (AKP-ABBE) and Anonymous Ciphertext Policy Attribute Based Broadcast Encryption (ACP-ABBE) schemes. Our proposed schemes can hide the information of the group of \(\textsf {ID}\) users and the access structures when delivering to the broadcasting system. The access structure is expressed by the predicate of positive and negative attributes, which are concatenated by the Boolean gates \((\textsf {AND}, \textsf {OR})\). Formally, both the descriptions of AKP-ABBE and ACP-ABBE are similar to KP-ABBE [2, 30] and CP-ABBE [2, 30]. To strengthen the anonymity, we devise the solution to adapt two schemes KP-ABBE, CP-ABBE with OR/AND Gates with positive, negative attributes by exploiting the “attribute-hiding” Inner Product Encryption (\(\textsf {IPE}\)) [1, 3, 9, 19, 23, 26, 29] to achieve the A-KP-ABBE and A-CP-ABBE. We then enable the generic constructions for AKP-ABBE, ACP-ABBE.

In AKP-ABBE, to generate the ciphertext, we input a set of indices \(\textsf {S}\) and an attribute list \(\textsf {L}\) containing positive, and negative attributes. We create the polynomial \(\mathcal {P}_{\textsf {S}}\) from all the n elements of set \(\textsf {S}\). In order to generate the coefficient of \(\mathcal {P}_{\textsf {S}}\), we apply the Viète theorem [31] to compute all the coefficients \((a_n, a_{n-1}, \ldots , a_1, a_0)\) of polynomial by using the all the elements of set \(\textsf {S}\). Additionally, we aggregate all the attributes in the list \(\textsf {L}\) into one value b, then generate \((b^m, b^{m - 1}, \ldots , 1)\), where m is the total attributes in \(\textsf {L}\). Subsequently, we produce the ciphertext by calling the \(\textsf {IPE}\)’s encryption with the input of \(\textbf{v} = (a_n, a_{n-1}, \ldots , a_1, a_0, b^m, b^{m - 1}, \ldots , 1)\) and message \(\textsf {M}\). In order to generate the secret key, we input a user \(\textsf {ID}\) and the complex access structure \(\textsf {W}= (\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_1} \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_2} \textsf {OR}\ldots \textsf {OR}\underbrace{({{\textbf {AND}}}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_{m}})\). We encodes \(\textsf {ID}\) to integer value \(x_{\textsf {ID}}\), then, generate as \(( x_{\textsf {ID}}^n, x_{\textsf {ID}}^{n-1}, x_{\textsf {ID}}^{n-2}, \ldots , 1)\). Similarly, we create the polynomial \(\mathcal {P}_{\textsf {W}}\) from the set of \((\textsf {W}_1, \textsf {W}_2, \ldots , \textsf {W}_m)\) by Viète theorem, and obtain \((b_m, b_{m-1}, \ldots , b_1, b_0)\). We then produce the secret key by calling the \(\textsf {IPE}\)’s key generation with the input of \(\textbf{x} = (x_{\textsf {ID}}^n, x_{\textsf {ID}}^{n-1}, x_{\textsf {ID}}^{n-2}, \ldots , 1,b_m, b_{m-1}, \ldots , b_1, b_0)\). As a result, if the inner product of \((\textbf{v}, \textbf{x})\) equals zero, the \(\textsf {IPE}\)’s decryption will return the message \(\textsf {M}\). This means that the \(\textsf {ID}\) belongs to set \(\textsf {S}\), and the attribute list \(\textsf {L}\) satisfies the access structure \(\textsf {W}\). Mathematically, \(x_{\textsf {ID}}\) and aggregated b of \(\textsf {L}\) are the roots of polynomial \(\mathcal {P}_{\textsf {S}}\) and \(\mathcal {P}_{\textsf {W}}\), respectively.

On the other hand, ACP-ABBE is a inversion form of AKP-ABBE. A set of indices \(\textsf {S}\) and a complex access structure \(\textsf {W}\) into a vector \(\textbf{v}\), which is used for encryption. The user identity \(\textsf {ID}\) and user’s attributes \(\textsf {L}\) containing positive and negative symbols is transformed into another vector \(\textbf{x}\), which is used in key generation. The decryption is successful if the \(\textsf {ID}\) belongs to set \(\textsf {S}\), and the attribute list \(\textsf {L}\) satisfies the access structure \(\textsf {W}\).

Our proposed schemes utilize the \(\textsf {IPE}\) manner to achieve the hidden access structures. Hence, we apply the security proof of \(\textsf {IPE}\) scheme in [19, 26] to prove that our AKP-ABBE and ACP-ABBE are secure in the standard model. We then compare with ABBE schemes to show our efficiency regarding hidden access structures and anonymity. Moreover, the generic constructions for AKP-ABBE, ACP-ABBE can be applied to many cryptography preliminaries to achieve the anonymous for ABBE schemes.

Related work Several ABBE schemes [2, 18, 22, 30] have been proposed in the literature. In [22], Lubicz and Sirvent proposed a CP-ABBE scheme which allows access policies to be expressed in disjunctive normal form, with the OR function provided by ciphertext concatenation. Attrapadung and Imai [2] proposed two KP-ABBE and two CP-ABBE schemes, which are constructed by algebraically combining some existing BE schemes (namely, the Boneh–Gentry–Waters BE scheme [7] and the Sahai–Waters BE scheme [29]) with some existing ABE schemes (namely, the KP-ABE scheme by Goyal et al. [16] and the CP-ABE scheme by Waters [32]). Junod and Karlov [18] also proposed a CP-ABBE scheme that supports boolean access policies with AND, OR and NOT gates. Junod and Karlov’s scheme achieved direct revocation by simply treating each user’s identity as a unique attribute in the attribute universe. In [30] scheme has proposed CP-ABBE and KP-ABBE scheme, which is constant ciphertext size with AND Gates positive, negative attributes and wildcard. In addition, [10] presented an efficient constant-size private key ciphertext-policy ABBE scheme for disjunctive normal form supporting fast decryption, and [34] proposed an efficient ciphertext-policy attribute-based encryption scheme for partially hidden policy, direct revocation, and verifiable outsourced decryption. However, most of current ABBE schemes do not concern about the anonymous access structures, which are essential when outsourcing the data in the broadcasting system.

Attribute-based encryption (ABE) [4, 6, 11, 16, 21, 28, 32], which was introduced by Sahai and Waters [28] and extensively studied in recent years [6, 16, 21, 32], provides a fine-grained access control of encrypted data. In a Ciphertext Policy Attribute Based Encryption (CP-ABE) system, the secret user key is associated with a set of attributes, and the ciphertext is associated with an access policy. The ciphertext can be decrypted by a secret key if and only if the attributes associated with the secret key satisfy the access policy. A Key Policy ABE (KP-ABE) the system can be defined in a similar way by swapping the positions of the attributes and the access policy. In BE setting, a center is allowed to broadcast a secret to any subset of privileged users out of a universe of size n so that conjunctions of k users not in the privileged set cannot learn the secret. Apart from this, several broadcast encryption schemes were adopted with many interesting problems as [7, 8, 13, 15, 17] with solutions for collusion resistance, trace, and revoke for BE.

1.1 Paper organization

We present the preliminaries and definitions in Sect. 2, which is followed by our generic constructions in Sect. 3 and our analyzing the security proof in Sect. 4. We discuss the extensions in Sect. 5, then give the comparisons in Sect. 6. The paper is concluded in Sect. 7.

2 Preliminaries

2.1 Bilinear map and its related assumptions

Let \({\mathbb {G}}\) and \(\mathbb {G_T}\) be two multiplicative cyclic groups of same prime order p. Let e: \({\mathbb {G}}\) \(\times \) \({\mathbb {G}}\) \(\rightarrow \) \(\mathbb {G_T}\) be a bilinear map with the following properties:

  1. 1.

    Bilinearity: \(e(u^{a},v^{b}) = e(u^{b},v^{a}) = e(u,v)^{ab}.\) for any \(u, v \in {\mathbb {G}}\) and \(a, b \in {\mathbb {Z}}_p\).

  2. 2.

    Non-degeneracy: e(gg) \(\ne 1 \).

Definition 1

The Decisional Bilinear Diffie–Hellman (DBDH) problem in \({\mathbb {G}}\) is defined as follows: given a tuple \((g,g^a,g^b,g^c,T) \in {\mathbb {G}}^{4} \times {\mathbb {G}}_T\), decide whether \(T = e(g,g)^{abc}\) or \(T = e(g,g)^{r}\) where abcr are randomly selected from \({\mathbb {Z}}_p\). An algorithm A has advantage \(\epsilon \) in solving the DBDH problem in \({\mathbb {G}}\) if

$$\begin{aligned} {}^{\textrm{DBDH}}_{A}(k)= & {} {\textrm{Pr}}[A(1^k, g,g^{a}, g^b, g^{c}, Z ) = 1 \Vert Z = e(g,g)^{abc}]\\{} & {} - {\textrm{Pr}}[A(1^k, g,g^{a}, g^b, g^{c}, Z) = 1 \Vert Z = g^r] \le \epsilon . \end{aligned}$$

We say that the DBDH assumptions holds in \({\mathbb {G}}\) if \(\epsilon \) is negligible for any PPT algorithm A.

Definition 2

The Decisional Linear (DLIN) problem in \({\mathbb {G}}\) defined as follows: given a tuple \((g, g^a, g^b, g^{ac}, g^{d},Z)\) \(\in {\mathbb {G}}^5 \times {\mathbb {G}}_T\), decide whether \(T = g^{b(c +d)}\) or Z in random in \({\mathbb {G}}\). An algorithm A has advantage \(\epsilon \) in solving the DLIN problem in \({\mathbb {G}}\) if

$$\begin{aligned} {}^{\textrm{DLIN}}_{A}(k) = {\textrm{Pr}}[A(1^k, g,g^{a}, g^b, g^{ac}, g^d, Z ) = 1\Vert Z = g^{b(c+d)}]\\\quad - {\textrm{Pr}}[A(1^k, g,g^{a}, g^b, g^{ac}, g^d, Z) = 1 \Vert Z = g^r] \le \epsilon \end{aligned}$$

where \(a, b, c, d,r \in _R {\mathbb {Z}}_p\). We say that the DLIN assumptions holds in \({\mathbb {G}}\) if \(\epsilon \) is negligible for any PPT algorithm A.

2.2 Anonymous key-policy attribute based broadcast encryption definition

Let \(\textsf {U}\) denote the set of all user indices and \(\textsf {N}\) as the set of all user attributes. An Anonymous Key-Policy Attribute Based Broadcast Encryption (AKP-ABBE) scheme consists of four algorithms:

  • Setup(\(1^\lambda \)) The setup algorithm takes the security parameter \(1^\lambda \) as input and outputs the public parameters \(\textsf {PK}\), and a master key \(\textsf {MSK}\).

  • Encrypt(\(\textsf {M}, \textsf {S}, \textsf {L}, \textsf {PK}\)) The encryption algorithm takes as input the public parameters \(\textsf {PK}\), a message \(\textsf {M}\), a set of user index \(\textsf {S}\subseteq \textsf {U}\), a set of attributes \(\textsf {L}\subseteq \textsf {N}\), and outputs a ciphertext as \(\textsf {CT}\).

  • KeyGen(\(\textsf {ID}, \textsf {W}, \textsf {MSK}, \textsf {PK}\)) The key generation algorithm takes as input the master key \(\textsf {MSK}\), public parameters \(\textsf {PK}\), a user index \(\textsf {ID}\in \textsf {U}\), an access structure W, and outputs a user secret key \(\textsf {SK}\).

  • Decrypt(\(\textsf {CT}\), \(\textsf {SK}\)) The decryption algorithm takes as input a ciphertext \(\textsf {CT}\), and a private key \(\textsf {SK}\), then it outputs a message M or an error symbol ‘\(\bot \)’.

Security definition for AKP-ABBE We define the Selective IND-CPA security for AKP-ABBE via the following game.

  • Init The adversary commits to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target attribute sets \((\textsf {L}^*_0, \textsf {L}^*_1)\).

  • Setup The challenger runs the Setup algorithm and gives \(\textsf {PK}\) to the adversary.

  • Phase 1 The adversary queries for private keys with pairs of user index and access structure \((\textsf {ID}, \textsf {W})\) following the cases:

    • \((\textsf {L}^*_0 \not \models \textsf {W}\text { and } (\textsf {L}^*_1 \not \models \textsf {W})\) or \((\textsf {ID}\notin \textsf {S}^*_0 \text { and } \textsf {ID}\notin \textsf {S}^*_1)\).

    • \((\textsf {L}^*_0 \models \textsf {W}\text { and } (\textsf {L}^*_1 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\).

    Then the challenger gives the adversary the corresponding secret key \(\textsf {SK}\). Otherwise, it outputs \(\perp \).

  • Challenge The adversary submits the two messages \(\textsf {M}_0,\textsf {M}_1\) to the challenger with respect to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target attribute sets \((\textsf {L}^*_0, \textsf {L}^*_1)\). The challenger flips a random coin \(\beta \) and passes the ciphertext \(\textsf {CT}^* = \textsf {Encrypt}(\textsf {PK}, \textsf {M}_{\beta }, \textsf {L}^*_\beta , \textsf {S}^*_\beta )\) to the adversary.

  • Phase 2 Phase 1 is repeated.

  • Guess The adversary outputs a guess \(\beta ^{\prime }\) of \(\beta \).

Definition 1

We say an AKP-ABBE scheme is selective IND-CPA secure if for any probabilistic polynomial time adversary

$$\begin{aligned} {\textbf {Adv}}^{\hbox {s-ind-cpa}}_{kp}(\lambda ) = |{\textrm{Pr}}[\beta ' = \beta ] - 1/2| \end{aligned}$$

is a negligible function of \(\lambda \).

2.3 Anonymous ciphertext-policy attribute-based broadcast encryption definition

An Anonymous Ciphertext-Policy Attribute-Based Broadcast Encryption (ACP-ABBE) scheme consists of four algorithms:

  • Setup(\(1^\lambda \)): The setup algorithm takes the security parameter \(1^\lambda \) as input and outputs the public parameters \(\textsf {PK}\), and a master key \(\textsf {MSK}\).

  • Encrypt(\(\textsf {M}, \S , \textsf {W}, \textsf {PK}\)): The encryption algorithm takes as input the public parameters \(\textsf {PK}\), a message \(\textsf {M}\), a set of user index \(\textsf {S}\subseteq \textsf {U}\), and an access structure \(\textsf {W}\), then outputs a ciphertext as \(\textsf {CT}\).

  • KeyGen(\(\textsf {ID}, \textsf {L}, \textsf {MSK}, \textsf {PK}\)): The key generation algorithm takes as input the master key \(\textsf {MSK}\), public parameters \(\textsf {PK}\), a user index \(\textsf {ID}\in \textsf {U}\), and a set of attributes \(\textsf {L}\subseteq \textsf {N}\), and outputs a user secret key \(\textsf {SK}\).

  • Decrypt(\(\textsf {CT}\), \(\textsf {SK}\)): The decryption algorithm takes as input a ciphertext \(\textsf {CT}\), and a private key \(\textsf {SK}\), then outputs a message \(\textsf {M}\) or an error symbol ‘\(\bot \)’.

Security definition for ACP-ABBE We define the Selective IND-CPA security for ACP-ABBE via the following game.

  • Init The adversary commits to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target access structures \((\textsf {W}^*_0, \textsf {W}^*_1)\).

  • Setup The challenger runs the Setup algorithm and gives \(\textsf {PK}\) to the adversary.

  • Phase 1 The adversary queries for private keys with pairs of user index and a user attribute list \((\textsf {ID}, \textsf {L})\) following the cases:

  • \((\textsf {L}\not \models \textsf {W}^*_0 \text { and } (\textsf {L}\not \models \textsf {W}^*_1 )\) or \((\textsf {ID}\notin \textsf {S}^*_0 \text { and } \textsf {ID}\notin \textsf {S}^*_1)\).

  • \((\textsf {L}\models \textsf {W}^*_0 \text { and } (\textsf {L}\models \textsf {W}^*_1 )\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\).

  • Challenge The adversary submits messages \(\textsf {M}_0,\textsf {M}_1\) to the challenger with respect to the challenge user indices \((\textsf {S}^*_0, \textsf {S}^*_1)\) and target access structures \((\textsf {W}^*_0, \textsf {W}^*_1)\). The challenger flips a random coin \(\beta \) and passes the ciphertext \(\textsf {CT}^*= \textsf {Encrypt}(\textsf {PK}, \textsf {M}_{\beta }, \textsf {W}^*_\beta , \textsf {S}^*_\beta )\) to the adversary.

  • Phase 2 Phase 1 is repeated.

  • Guess The adversary outputs a guess \(\beta ^{\prime }\) of \(\beta \).

Definition 2

We say a ACP-ABBE scheme is selective IND-CPA secure if for any probabilistic polynomial time adversary

$$\begin{aligned} {\textbf {Adv}}^{\hbox {s-ind-cpa}}_{cp}(\lambda ) = |{\textrm{Pr}}[\beta ' = \beta ] - 1/2| \end{aligned}$$

is a negligible function of \(\lambda \).

2.4 Inner product encryption

Let \(\Sigma \in {\mathbb {Z}}\) be the set of attributes involving vectors \(\textbf{v}\) of dimension n, and \(\mathcal {F}\) be the class of predicates involving inner-products over vectors \( \mathcal {F} = \{f_{\textbf{v}}, \textbf{v} \in \Sigma \} \text { such that } f_{\textbf{v}}(\textbf{x}) = 1 \hbox { iff } <\textbf{v}, \textbf{x}> = 0 \). An inner-product encryption (\(\textsf {IPE}\)) scheme for the class of predicate \(\mathcal {F}\) over the set of attributes consists of four algorithms as follows:

  • IPE.Setup(\(1^\lambda ,n\)) on input a security parameter \(1^{\lambda }\) and the vector length \(n = poly(\lambda )\), the algorithm outputs a public key \(\textsf {PK}\) and a master secret key \(\textsf {MSK}\).

  • IPE.Encrypt(\(\textsf {M},\textsf {PK}, \textbf{v} = (v_1, v_2, \ldots , v_n)\)): on input a message M, the public key PK, and a vector \(\textbf{v} \in \Sigma ^n\), it outputs a ciphertext \(\textsf {CT}\).

  • IPE.KeyGen(\(\textsf {MSK},\textbf{x} = (x_1, x_2, \ldots , x_n)\)): on input the master secret key \(\textsf {MSK}\), a vector \(\textbf{x} \in \Sigma \), the algorithm outputs a secret key \(\textsf {SK}\).

  • IPE.Decrypt(\(\textsf {CT},\textsf {SK}\)): on input a secret key \(\textsf {SK}\) (w.r.t. a vector \(\textbf{x}\)) and a ciphertext \(\textsf {CT}\) (w.r.t. a vector \(\textbf{v}\)), if \(f_{\textbf{v}} (\textbf{x}) = 0\), the algorithm outputs a message \(\textsf {M}\); otherwise, it outputs \(\perp \).

Security model \(\textsf {IPE}\) scheme Following [19], we define the security, i.e., attribute-hiding property, of the IPE scheme. The security is defined by the following game interacted between an attacker \(\mathcal {A}\) and a challenger \(\mathcal {C}\). We assume that \((\Sigma , \mathcal {F})\) are given to both \(\mathcal {A}\) and \(\mathcal {C}\) in advance.

  • Init \(\mathcal {A}\) outputs two vectors \(\textbf{v}, \textbf{x} \in \Sigma \)

  • Setup \(\mathcal {C}\) runs Setup to obtain the public key \(\textsf {PK}\) and master secret key \(\textsf {MSK}\). \(\mathcal {A}\) is given \(\textsf {PK}\).

  • Query Phase 1 \(\mathcal {A}\) adaptively issues private key queries for any vectors \(\mathbf {v_1},\ldots , \mathbf {v_n} \in \Sigma \), subject to the restriction that, \(\forall i,<\mathbf {v_i}, \textbf{x}> = 0\) if and only if \(<\mathbf {v_i}, \textbf{x}> = 0\). \(\mathcal {C}\) responds with \(\textsf {SK}_{\mathbf {v_i}} \leftarrow {\textsf {KeyGen}}(\textsf {SK}, \mathbf {v_i})\).

  • Challenge \(\mathcal {A}\) outputs two messages \(\textsf {M}_0,\textsf {M}_1\) with equal length. If \(\textsf {M}_0 \ne \textsf {M}_1\), then it is required that \(<\textbf{v},\textbf{x}>\ne 0\ne <\textbf{x},\textbf{x}>\) for any \(\textbf{x}\) appeared in Query Phase 1. \(\mathcal {C}\) flips a random coin \(b \in \{0,1\}\). If \(b = 0\), \(\mathcal {C}\) returns \(\textsf {CT}\leftarrow \textsf {Encryption}(\textsf {PK},\textbf{v},\textsf {M}_0)\) to \(\mathcal {A}\); otherwise, if \(b = 1\), \(\mathcal {C}\) returns \(\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PK},\textbf{x},\textsf {M}_1)\) to \(\mathcal {A}\).

  • Query Phase 2 Phase 1 is repeatedly.

  • Guess \( \mathcal {A}\) outputs a guess bit \(b'\) and succeeds if \(b' = b\).

The advantage of \(\mathcal {A}\) in this game is defined as \( Adv_{\mathcal {A}} (\lambda ) = {\textrm{Pr}}[b'= b] - \frac{1}{2}.\)

Definition 3

We say that an \(\textsf {IPE}\) scheme is attribute-hiding if for all polynomial time adversaries \(\mathcal {A}\), we have that \(Adv(\mathcal {A})\) is negligible.

In fact, the challenge ciphertext is given to \(\mathcal {A}\) as: if \(b = 0\) then \(\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PK}, \textbf{v}, \textsf {M}_0)\) and if \(b = 1\) then \(\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PK}, \textbf{x}, \textsf {M}_1)\). As well as similar \(Adv(\mathcal {A})\) to the one above, we say that a \(\textsf {IPE}\) scheme is attribute-hiding if for all polynomial time adversaries \(\mathcal {A}\), we have that \(Adv(\mathcal {A})\) is negligible.

2.5 Polynomial and roots

Consider that a polynomial \(\mathcal {P}\) has degree n is defined as:

$$\begin{aligned} \mathcal {P} = a_nx^n + a_{n-1}x^{n-1} + \ldots + a_1x+ a_0 \end{aligned}$$
(1)
Fig. 1
figure 1

Checking one root of \(\mathcal {P}\)

Full size image

We then extract the coefficients of P to create a vector \(\textbf{v}\) as follows:

$$\begin{aligned} \textbf{v} = (a_n, a_{n-1}, \ldots , a_1, a_0). \end{aligned}$$

In addition, we create the a vector \(\textbf{x}\) by choosing a integer value x randomly as follows:

$$\begin{aligned} \begin{array}{ll} \overrightarrow{x} &{}= \left( \underbrace{x\cdot x \cdots x}_\text {n}, \underbrace{x \cdots x}_\text {n-1}, \ldots , x, 1\right) \\ \end{array} \end{aligned}$$

If \((\textbf{v} \cdot \overrightarrow{x}) = 0\), then we conclude that x is a root of polynomial \(\mathcal {P}\) (Fig. 1).

2.6 Consequence of Viète formula

We apply consequence of the Viète’s formula to reconstruct all the coefficients of \(\mathcal {P}\) in (1) as follows:

$$\begin{aligned} {\left\{ \begin{array}{ll} x_1 + x_2 + \ldots + x_n &{}= \big (-\frac{a_{n-1}}{a_n}\big )\\ (x_1x_2 + x_1x_3 + \ldots + x_1x_n)\\ + (x_2x_3 + x_3x_4 + \ldots +x_2x_n)+ \ldots + x_{n-1}x_n &{}= \big (\frac{a_{n-2}}{a_n}\big )\\ \ldots \\ x_1x_2\ldots x_n &{}= (-1)^{n}\frac{a_0}{a_n} \end{array}\right. } \end{aligned}$$

Generally, we write: \(\sum _{1\le i_1< i_2< \cdots < i_k\le n} x_{i_1}x_{i_2}\cdots x_{i_k}=(-1)^k\frac{a_{n-k}}{a_n}\) for \(k = 1, 2,..., n\).

Apart from Sect. 2.4, we can rewrite the \(\textbf{v}\) as

$$\begin{aligned} \textbf{v} = \Bigg (1, -\frac{a_{n-1}}{a_n}, \ldots , (-1)^{n}\frac{a_1}{a_n}, (-1)^{n}\frac{a_0}{a_n}\Bigg ). \end{aligned}$$

Then we have the \(\textbf{x} = (x^n, x^{n-1}, \ldots , x, 1)\). If \(<\textbf{v} \cdot \overrightarrow{x}> = 0\), then we conclude that x is a root of polynomial \(\mathcal {P}\).

3 Generic constructions

3.1 \(\textsf {AND}/\textsf {OR}\) gates access structure

3.1.1 AND gates positive/negative attributes

Let \(\textsf {U}= \{\textsf {Att}_1,\textsf {Att}_2,...,\textsf {Att}_n\}\) be the universe of the attributes in the system. Each \(\textsf {Att}_i\) is represented by a unique value \(A_i\). When a user joins the system, the user is tagged with an attribute list defined as \(\textsf {S}= \{\textsf {S}_1,\textsf {S}_2,...,\textsf {S}_n\}\) where each symbol \(\textsf {S}_i\) has two possible values: ‘\(+\)’ and ‘−’. Let \(\textsf {W}= \{\textsf {S}'_1,\textsf {S}'_2,...,\textsf {S}'_n\}\) denote an AND-gate access policy where each symbol \(\textsf {S}'_i\) has two possible values: ‘\(+\)’, ‘−’. We use the notation \(\S \models \textsf {W}\) to denote that the attribute list S of a user satisfies \(\textsf {W}\).

We illustrate the \(\textsf {AND}\) gates with positive/negate attribute by the following example. Suppose that \(\textsf {U}= \{\textsf {Att}_1 = \hbox {CS}, \textsf {Att}_2 = \hbox {EE}, \textsf {Att}_3= \hbox {Professor}, \textsf {Att}_4=\hbox {Faculty}, \textsf {Att}_5=\hbox {Student}, \textsf {Att}_6=\hbox {Tutor}\}\). Alice is a student and tutor in the CS department; Bob is a faculty in the EE department; Carol is a faculty holding a joint position in the EE and CS departments. All attribute lists are expressed in Table  1. In addition, the access structure \(\textsf {W}_1\) is designed to allow all the CS students and tutors in only CS departments to access to the system.

Table 1 List of attributes and AND positive/negative attributes policies
Full size table

Observably, only Alice is the student/tutor of CS departments, which is attested to access to the system since the Alice’s attributes satisfy the access structure \(\textsf {W}_1\).

3.1.2 Multiple \(\textsf {OR}/\textsf {AND}\) gates

In this work, we consider the complex access structures, which are expressed the predicate of attributes by both of the \(\textsf {OR}\) and \(\textsf {AND}\) gates.

Suppose that we have an access structures \(\textsf {W}_1\) as follows:

$$\begin{aligned} \textsf {W}_1= & {} (({\textsf {AND}}_{i \in \{1, \ldots ,m\}} A_i) {\textsf {OR}} ({\textsf {AND}}_{i \in \{1, \ldots ,m\}} A_i) {\textsf {OR}} \ldots {\textsf {OR}} ({\textsf {AND}}_{i \in \{1, \ldots ,m\}} A_i) \end{aligned}$$

as the Disjunctive Normal Form (DNF). Utilizing the set of attributes \(\textsf {U}= \{\textsf {Att}_1,\textsf {Att}_2,...,\textsf {Att}_n\}\) in AND  gate access structure, \(\textsf {W}_1\) is expressed as:

$$\begin{aligned} \textsf {W}_1 =(\underbrace{(\textsf {Att}_1 {\textsf { AND }} \textsf {Att}_3))}_{{\textsf {W}11}} {\textsf { OR }} \underbrace{(\textsf {Att}_1 {\textsf { AND }} \textsf {Att}_6 {\textsf { AND }} \textsf {Att}_5)}_{{\textsf {W}12}}), \end{aligned}$$
Table 2 List of attributes and AND then OR  policies
Full size table

Regarding the Table 2, we decouple \(\textsf {W}_1\) into the two access structures \(\textsf {W}_{11}\) and \(\textsf {W}_{12}\). Then if a user has the set of attributes satisfy \(\textsf {W}_{11}\) or \(\textsf {W}_{12}\), the he is valid to decrypt the message.

Next, we consider the Conjunctive Normal Form (CNF) access structures \(\textsf {W}_2\) as follows:

$$\begin{aligned} W_2= & {} ((\textsf {OR}_{i \in \{1, \ldots ,m\}} A_i) \textsf {AND}(\textsf {OR}_{i \in \{1, \ldots ,m\}} A_i) \textsf {AND}\ldots \textsf {AND}_{m - 1} (\textsf {OR}_{i \in \{1, \ldots ,m\}} A_i) ). \end{aligned}$$

In practice, \(W_2\) is expressed by the attributes in set \(\textsf {U}\) as:

$$\begin{aligned} \textsf {W}_2 =((\textsf {Att}_1 {\textsf { OR }} \textsf {Att}_2)) {\textsf { AND }} (\textsf {Att}_3 {\textsf { OR }} \textsf {Att}_4)). \end{aligned}$$

We then transform the \(\textsf {W}_2\) in the other observation:

$$\begin{aligned} \begin{array}{lll} \textsf {W}_2 &{}=&{}(\underbrace{(\textsf {Att}_1 {\textsf { AND }} \textsf {Att}_3)}_{{\textsf {W}_21}} {\textsf { OR }} \underbrace{(\textsf {Att}_1 {\textsf { AND }} \textsf {Att}_4)}_{\textsf {W}22} {\textsf { OR }} \underbrace{(\textsf {Att}_2 {\textsf { AND }} \textsf {Att}_3))}_{\textsf {W}23}\\ {} &{}&{}{\textsf { OR }} \underbrace{(\textsf {Att}_2 {\textsf { AND }} \textsf {Att}_4))}_{\textsf {W}24} \end{array} \end{aligned}$$
Table 3 List of attributes and OR then AND policies
Full size table

Regarding the Table  3, we interpret \(\textsf {W}_2\) into the the set of access structures \((\textsf {W}_{21}, \textsf {W}_{22}, \textsf {W}_{23}, \textsf {W}_{24})\). Then if a user has the set of attributes satisfy \(\textsf {W}_{21}\) or \(\textsf {W}_{22}\) or \(\textsf {W}_{23}\) or \(\textsf {W}_{24}\), then he is valid to decrypt the message. As a result, we realize that when a user joins the system, the user is tagged with an attribute list defined as \(\textsf {S}= \{A_i\}_{i \in \{ 1, m\}}\). We conclude the two statements as follows:

  • \(\textsf {S}\models \textsf {W}_1\), if the set attributes in \(\textsf {S}\) satisfies one of \(\textsf {AND}\) literals in \(\textsf {W}_1\).

  • \(\textsf {S}\models \textsf {W}_2\), if the set attributes in \(\textsf {S}\) satisfies all of OR literals in \(\textsf {W}_2\).

3.2 Original IPE construction

In this section, we represent the original of IPE scheme [25], which is a building block to construct our proposed work later.

Setup(\(1^k, n\)): The setup algorithm first randomly generates \((g, {\mathbb {G}}, {\mathbb {G}}_T,p, e)\) and n is the maximum length of vector. It then chooses randomly \(\gamma _1, \gamma _2, \theta _1, \theta _2, \{u_{1,i}\}_{i = 1}^{n}, t_1, \{t_{1,i}\}_{i = 1}^{n}, \{t_{2,i}\}_{i = 1}^{n}, \{w_{1,i}\}_{i = 1}^{n}, \{z_{1,i}\}_{i = 1}^{n}, \{z_{2,i}\}_{i = 1}^{n}\) in \({\mathbb {Z}}_p\) and \(g_2\) in \({\mathbb {G}}\). Then it selects a random \(\Delta \in {\mathbb {Z}}_p\) and obtains \(\{u_{2,i}\}^{n}_{i = 1}, \{w_{2,i}\}^{n}_{i = 1}, w_2, u_2\) under the condition: \(\Delta = \gamma _1 u_{2,i} - \gamma _2 u_{1,i} \Delta = \theta _1 w_{2,i} - \theta _2 w_{1,i}.\)

For i from 1 to n, it creates:

$$\begin{aligned} \begin{array}{l} U_{1,i} = g^{u_{1,i}}, U_{2,i} = g^{u_{2,i}}, W_{1,i} = g^{w_{1,i}}, W_{2,i} = g^{w_{2,i}}, T_{1,i} = g^{t_{1,i}}, T_{2,i} = g^{t_{2,i}},\\ Z_{1,i} = g^{z_{1,i}}, V_{1} = g^{\gamma _1}, V_{2} = g^{\gamma _2}, X_{1} = g^{\theta _1}, V_{2} = g^{\theta _2}. \end{array} \end{aligned}$$

Next it sets \(g_1 = g^{\Delta }, Y=e(g,g_2)\), and the public key \(\textsf {PK}\) and master key \(\textsf {MSK}\) as

$$\begin{aligned} \begin{array}{rl} \textsf {PK}=&{} (g, {\mathbb {G}}, {\mathbb {G}}_T, p, e, g_1, Y, \{U_{1,i}, U_{2,i}, T_{1,i}, T_{2.i}, W_{1.i}, W_{2,i}, Z_{1,i}, Z_{2,i}\}^{n}_{i = 1}, \{V_i, X_i\}_{i = 1}^{2})\\ \textsf {MSK}=&{} (g_2, \{u_{1,i}, u_{2,i}, t_{1,i}, t_{2,i}, w_{1,i}, w_{2,i}, z_{1,i}, z_{2,i}\}^{n}_{i = 1}, \{v_i, x_i\}_{i = 1}^{2}). \end{array} \end{aligned}$$

Encrypt(\(\textsf {PK}, \textbf{v}, \textsf {M}\)): The encryption algorithm chooses random \(s_1, s_2, \alpha , \beta \in {\mathbb {Z}}_p\) and creates the ciphertext as follows:

$$\begin{aligned}{} & {} C_m = M\cdot Y^{s_2}, C_{A} =g^{s_2}, C_{B} = g_{1}^{s_1},\\{} & {} \begin{array}{rl} \{C_{1,i},C_{2,i}\}=&{}\{U_{1,i}^{s_1}T_{1,i}^{s_2}V_{1}^{v_i \alpha }, U_{2,i}^{s_1}T_{2,i}^{s_2}V_{2}^{v_i \alpha }\},\\ \{C_{3,i}, C_{4,i}\} =&{}\{W_{1,i}^{s_1}Z_{1,i}^{s_2}X_{1}^{v_i \beta }, W_{2,i}^{s_1}Z_{2,i}^{s_2}X_{2}^{v_i \beta }\},\\ \end{array} \end{aligned}$$

where \(\textbf{v} = (v_1, \ldots , v_n)\), then ciphertext CT is set as:

$$\begin{aligned} \begin{array}{lll} \textsf {CT}= & {} (C_m, C_{A}, C_{B}, \{C_{1,i}, C_{2,i}, C_{3,i}, C_{4,i}\}_{i = 1}^{n}. \end{array} \end{aligned}$$

KeyGen(\(\textsf {PK},\textbf{x},\textsf {MSK}\)): The key generation algorithm chooses randomly \(r_{i,1}, r_{i,2}\) for \(i = 1\) to n, and \(f_1, f_ 2, r_1, r_2 \in {\mathbb {Z}}_p\), and then creates the secret key as follows:

$$\begin{aligned} \begin{array}{rll} \{K_{1,i}, K_{2,i}\}=&{}\{g^{-\gamma _2 r_{1,i}}g^{f_1 x_{i} u_{2,i}}, g^{\gamma _1 r_{1,i}}g^{-f_1 x_{i} u_{1,i}}\},\\ \{K_{3,i}, K_{4,i}\}=&{}\{g^{-\theta _2 r_{2,i}}g^{f_2 x_{i} w_{2,i}}, g^{\theta _1 r_{2,i}}g^{-f_2 x_{i} w_{1,i}}\},\\ K_{A}=&{} g_{2}\cdot \prod _{i = 1}^{n} K_{1,i}^{-t_{1,i}} K_{2,i}^{-t_{2,i}} K_{3,i}^{-z_{1,i}}K_{4,i}^{-z_{2,i}},\\ K_{B}=&{} \prod _{i = 1}^{n} g^{-(r_{1,i} + r_{2,i})}. \end{array} \end{aligned}$$

where \(\textbf{x} = (x_1, \ldots , x_n)\), the secret key is set as:

$$\begin{aligned} \begin{array}{lll} \textsf {SK}= & {} ( K_{A}, K_{B},\{K_{1,i}, K_{2,i}, K_{3,i}, K_{4,i}\}_{i=1}^{n}. \end{array} \end{aligned}$$

Decrypt(\(\textsf {SK}, \textsf {CT}\)): The decryption algorithm returns

$$\begin{aligned} \begin{array}{ll} \frac{C_m}{e(C_{A}, K_{A}) \cdot e(C_{B}, K_{B}) \prod _{j = 1}^{4}\prod _{i = 1}^{n}e(C_{j,i},K_{j,i})} = \frac{M}{e(g,g)^{(\sum _{i = 0}^n v_{i} x_{i}) (f_1 \alpha \Delta + f_2 \beta \Delta )}}. \end{array} \end{aligned}$$

Therefore, the message M will be returned iff \((\textbf{v}, \textbf{x})= 0\) meaning the attributes list in user key \(\textsf {SK}\) satisfies the access policy in the ciphertext \(\textsf {CT}\).

Following the description of the above Multiple OR/AND gate access structures and the original IPE construction, we present two Anonymous Key Policy Attribute Based Broadcast Encryption and Anonymous Ciphertext Policy Attribute Based Broadcast Encryption schemes with OR/AND Gate with positive, negative attributes in access structure.

3.3 Generic construction of AKP-ABBE from IPE

In our AKP-ABBE scheme, we only consider two values, positive, negative, of attributes. In order to construct, we desire an (n + m)- dimensional \(\textsf {IPE}\) scheme, where n is the number of set indices, and m is the maximum number of access structures. In this scheme, we present the construction of DNF access structure since the CNF form can converse to the DNF.

Let \(\textsf {U}\) denote the set of all user indices, and \(\textsf {N}\) as the set of all user attributes and given an \(\textsf {IPE}\) scheme with four algorithms: (IPE.Setup, IPE.KeyGen, IPE.Enc, IPE.Dec), we construct an AKP-ABBE scheme with the corresponding four algorithms Setup, KeyGen, Encrypt, Decrypt, which we elaborate as follows:

  • Setup(\(1^k\)): The algorithm chooses a suitable encoding \(\tau _1\) sending each of the n indicies \(\textsf {ID}\in {\mathbb {N}}\) onto an element \(\tau _1(\textsf {ID}) = x_1 \in (\mathbb {Z / \hbox {p}{\mathbb {Z}}})^{*}\), and choose \(t_1, \ldots , t_{2_n}\) randomly in \({\mathbb {Z}}_p\). It runs IPE.Setup( \(1^{k}, n+m\)) with m as the number of attributes to construct to access structure, and outputs public parameters \(\textsf {PK}\) and a master key \(\textsf {MSK}\).

  • Encrypt(\(\textsf {PK}, \textsf {M}, \textsf {S}, \textsf {L}\)): The algorithm inputs a user index set \(\textsf {S}= \{\textsf {ID}_a. \textsf {ID}_b, \textsf {ID}_c,\ldots \textsf {ID}_s\} \subseteq \textsf {U}\), and message \(\textsf {M}\), attribute list \(\textsf {L}\). The algorithm transforms \((\textsf {S}, \textsf {L})\) into \(\textbf{v}\) as:

    The user index set is input as \(\textsf {S}= (\textsf {ID}_a, \textsf {ID}_b, \textsf {ID}_c, \ldots , \textsf {ID}_s) \subseteq \textsf {U}\). We denote \(\Delta \) as the total number elements in set \(\textsf {S}\), then the algorithm applies the Viète’s formula to compute:

    $$\begin{aligned} {\left\{ \begin{array}{ll} \tau _1(\textsf {ID}_a) + \tau _1 (\textsf {ID}_b) + \tau _1(\textsf {ID}_c) +\ldots + \tau _1(\textsf {ID}_s) &{}= a_{\Delta }\\ (\tau _1(\textsf {ID}_a) \tau _1(\textsf {ID}_b) + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_c) + \ldots + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_s )\\ \ldots + \tau _1(\textsf {ID}_{\Delta -1})\tau _1(\textsf {ID}_s) &{}= a_{\Delta - 1}\\ \ldots \\ \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_b)\tau _1(\textsf {ID}_c)\ldots \tau _1(\textsf {ID}_s) &{}= a_0 \end{array}\right. } \end{aligned}$$
    (2)

    The algorithm converts an attribute user list \(\textsf {L}\) by generating:

    $$\begin{aligned} \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_i \hbox { is } + &{}: r'_i= t_i\\ \textsf {Att}_i \text{ is } - &{}: r'_i = t_{2_i}\\ \end{array}\right. } \end{aligned}$$
    (3)

    Then set \(b = \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\), and it computes based on b:

    $$\begin{aligned} {\left\{ \begin{array}{ll} b_m &{}= b^m\\ b_{m-1} &{}= b^{m-1}\\ b_{m-2} &{} = b^{m-2}\\ \ldots \\ b_{0} &{} = 1 \end{array}\right. } \end{aligned}$$

    The \(\textbf{v}\) is produced as

    $$\begin{aligned} \textbf{v} = (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0, b_m, \ldots , 1_m). \end{aligned}$$

    Then it runs \(\textsf {CT}\leftarrow \textsf {IPE.Enc(PK,} \textbf{v}, \textsf {M)}\), and output the ciphertext \(\textsf {CT}\).

  • KeyGen(\(\textsf {MSK}, \textsf {ID}, \textsf {W}= (\textsf {W}_1~\textsf {OR}~\ldots ~\textsf {OR}~ \textsf {W}_{m})\)): Suppose that a user joins the system with the a given user identity \(\textsf {ID}\) and the access structure \(\textsf {W}= (\textsf {W}_1~\textsf {OR}~\ldots ~\textsf {OR}~ \textsf {W}_{m})\), the algorithm inputs \((\textsf {ID}, \textsf {W})\), and transforms them into a vector \(\textbf{z}\) by generating:

    It encodes \(\textsf {ID}\) by \(\tau _1(ID) = x_{\textsf {ID}} \in ({\mathbb {Z}}/p{\mathbb {Z}})^*\). Then, we compute \(x_{\textsf {ID}}\) as the one of the roots of polynomial degree n:

    $$\begin{aligned} {\left\{ \begin{array}{ll} a'_n &{}= x_{\textsf {ID}}^n\\ a'_{n-1} &{}= x_{\textsf {ID}}^{n-1}\\ a'_{n-2} &{} = x_{\textsf {ID}}^{n-2}\\ \ldots \\ a'_0 &{} = 1 \end{array}\right. } \end{aligned}$$
    (4)

    Next, the access structure \(\textsf {W}\) is interpreted as:

    $$\begin{aligned} \textsf {W}= & {} (\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{W_1} \textsf {OR}\underbrace{\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{W_2} \textsf {OR}\ldots \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} A_i)}_{\textsf {W}_{m}} ). \end{aligned}$$

    Then the algorithms computes as follows:

    $$\begin{aligned} \hbox {Each }\textsf {W}_i, \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_j \hbox { is } + &{}: r_{j} =t_i,\\ \textsf {Att}_j \text{ is } - &{}: r_j = t_{2_i}\\ \end{array}\right. }; \end{aligned}$$

    Then set \(\textsf {W}_i = \sum \limits _{\textsf {Att}_j \in \textsf {W}_i} r_j\).

    Next apply the Viète’s formula as (2) to computes the whole access structure \(\textsf {W}\):

    $$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {W}_1 + \textsf {W}_2 + \ldots + \textsf {W}_{m} &{}= b'_{m -1}\\ \textsf {W}_1\textsf {W}_2 + \textsf {W}_1\textsf {W}_3 + \ldots + \textsf {W}_{m-1}\textsf {W}_{m} &{}= b'_{m - 2}\\ \ldots \\ \textsf {W}_1\textsf {W}_2\ldots \textsf {W}_{m} &{}= b'_0 \end{array}\right. } \end{aligned}$$
    (5)

    The \(\textbf{z}\) is produced as

    $$\begin{aligned} \textbf{z} = (a'_n, a'_{n-1}, \ldots , 1_n, 1_{m}, b'_{m - 1}, \ldots , b'_0). \end{aligned}$$

    Then it runs \(\textsf {SK}\leftarrow \textsf {IPE.KeyGen}(\textsf {PK}, \textbf{z}, \textsf {MSK})\), and output the secret key \(\textsf {SK}\).

  • Decrypt(\(\textsf {SK}, \textsf {CT}\)) the algorithms runs IPE.Dec( CT, SK) and outputs the message \(\textsf {M}\) iff \(<\textbf{v}, \textbf{z}> == 0\).

Correctness for the vector \(vec{v} = (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0, b_m, \ldots , 1_m))\) corresponding to the set user indices \(\textsf {S}\) and attribute list \(\textsf {L}\) in the ciphertext \(\textsf {CT}\) and the vector \(\textbf{z} = (a'_n, a'_{n-1}, \ldots , 1_n, 1_{m}, b'_{m - 1}, \ldots , b'_0)\) corresponding to the secret key component \(\textsf {SK}\) in the AKP-ABBE, we have:

$$\begin{aligned} \sum \limits _{i = 0}^{n + m} v_i. x_i= & {} \sum \limits _{i = 0}^{n} v_i. x_i + \sum \limits _{i = n +1}^{n + m} v_i. x_i \\= & {} \sum \limits _{i = 0}^{n} a_i \cdot x_{\textsf {ID}}^i + \sum \limits _{i = n + 1}^{n + m} b_{i - n} \cdot b'_{i - n}\\= & {} (1_0 \cdot x_{\textsf {ID}}^n + a_{\Delta } \cdot x_{\textsf {ID}}^{n-1} + \ldots + a_0 \cdot 1_n) \\{} & {} \quad + \left( \left( \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\right) ^m \cdot 1_{m} + \left( \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\right) ^{m -1} \cdot b'_{m - 1} + \ldots + b'_0\right) \\= & {} \big (x_{\textsf {ID}}^n + [\tau _1(\textsf {ID}_a) +\ldots + \tau _1(\textsf {ID}_s)] \cdot x_{\textsf {ID}}^{n-1} + \ldots + [\tau _1(\textsf {ID}_a)\ldots \tau _1(\textsf {ID}_s)]\big ) \\{} & {} \quad + \Bigg ( \left( \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\right) ^m + \left( \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\right) ^{m -1} \cdot \left[ \sum \limits _{i = 1}^{m}\sum \limits _{\textsf {Att}_j, j = 1 \in \textsf {W}_i}^{m} r_j\right] \\{} & {} + \ldots + \left[ \prod \limits _{i = 1}^{m}\sum \limits _{\textsf {Att}_j, j = 1 \in \textsf {W}_i}^{m} r_j\right] \Bigg ). \end{aligned}$$

If \(\sum \limits _{i = 0}^{n + m} v_i. x_i = 0\), the algorithm return \(\textsf {M}\). This means that the \(\textsf {ID}\) user is belongs to the set of indices \(\textsf {S}\), and the attribute list \(\textsf {L}\) satisfies the user’s access structures \({\mathbb {W}}\). Otherwise, the algorithms return \(\perp \).

Theorem 1

Our AKP-ABBE scheme is secure under the standard assumption if the underlying \(\textsf {IPE}\) is secure under the standard assumption.

3.4 Generic construction of ACP-ABBE from IPE

The ACP-ABBE scheme is a dual form of AKP-ABBE.

3.4.1 Main scheme

Given an \(\textsf {IPE}\) scheme with four algorithms: (IPE.Setup, IPE.KeyGen, IPE.Enc, IPE.Dec), we construct an ACP-AABBE scheme with the corresponding four algorithms: Setup, KeyGen, Encrypt, Decrypt) as follows:

  • Setup(\(1^k\)): The algorithm chooses a suitable encoding \(\tau _1\) sending each of the n indicies \(\textsf {ID}\in {\mathbb {N}}\) onto an element \(\tau _1(\textsf {ID}) = x_1 \in (\mathbb {Z / \hbox {p}{\mathbb {Z}}})^{*}\), and choose \(t_1, \ldots , t_{2_n}\) randomly in \({\mathbb {Z}}_p\). It runs IPE.Setup( \(1^{k}, n+m\)) with m as the number of attributes to construct to access structure, and outputs public parameters \(\textsf {PK}\) and a master key \(\textsf {MSK}\).

  • Encrypt(\(\textsf {PK}, \textsf {M}, \textsf {S}, \textsf {W}= (\textsf {W}_1~ \textsf {OR}\ldots \textsf {OR}~ \textsf {W}_m)\)): The algorithm inputs a user index set \(\textsf {S}= \{\textsf {ID}_a. \textsf {ID}_b, \textsf {ID}_c,\ldots \textsf {ID}_s\} \subseteq \textsf {U}\), and message \(\textsf {M}\), the access structure \(\textsf {W}= (\textsf {W}_1~ \textsf {OR}\ldots \textsf {OR}~ \textsf {W}_m)\).The algorithm transforms \((\textsf {S}, \textsf {W})\) into \(\textbf{v}\) as:

    The user index set is input as \(\textsf {S}= (\textsf {ID}_a, \textsf {ID}_b, \textsf {ID}_c, \ldots , \textsf {ID}_s) \subseteq \textsf {U}\). We denote \(\Delta \) as the total number elements in set \(\textsf {S}\), then the algorithm applies the Viète’s formula to compute:

    $$\begin{aligned} {\left\{ \begin{array}{ll} \tau _1(\textsf {ID}_a) + \tau _1 (\textsf {ID}_b) + \tau _1(\textsf {ID}_c) +\ldots + \tau _1(\textsf {ID}_s) &{}= a_{\Delta }\\ (\tau _1(\textsf {ID}_a) \tau _1(\textsf {ID}_b) + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_c) + \ldots + \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_s )\\ \ldots + \tau _1(\textsf {ID}_{\Delta -1})\tau _1(\textsf {ID}_s) &{}= a_{\Delta - 1}\\ \ldots \\ \tau _1(\textsf {ID}_a)\tau _1(\textsf {ID}_b)\tau _1(\textsf {ID}_c)\ldots \tau _1(\textsf {ID}_s) &{}= a_0 \end{array}\right. } \end{aligned}$$
    (6)

    Next, the access structure \(\textsf {W}\) is interpreted as:

    $$\begin{aligned} \textsf {W}= & {} (\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} \textsf {Att}_i)}_{W_1} \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} \textsf {Att}_i)}_{W_2} \textsf {OR}\ldots \textsf {OR}\underbrace{(\textsf {AND}_{i \in \{1, \ldots ,m\}} \textsf {Att}_i)}_{W_{m}} ). \end{aligned}$$

    Then the algorithms computes as follows:

    $$\begin{aligned} \hbox {Each} \textsf {W}_i, \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_j \hbox { is } + &{}: r_{j} =t_i,\\ \textsf {Att}_j \text{ is } - &{}: r_j = t_{2_i}\\ \end{array}\right. }; \end{aligned}$$

    Then set \(\textsf {W}_i = \sum \limits _{\textsf {Att}_j \in \textsf {W}_i} r_j\).

    Next apply the Viète’s formula as (2) to computes the whole access structure \(\textsf {W}\):

    $$\begin{aligned} {\left\{ \begin{array}{ll} \textsf {W}_1 + \textsf {W}_2 + \ldots + \textsf {W}_{m} &{}= b'_{m -1}\\ \textsf {W}_1\textsf {W}_2 + \textsf {W}_1\textsf {W}_3 + \ldots + \textsf {W}_{m-1}\textsf {W}_{m} &{}= b'_{m - 2}\\ \ldots \\ \textsf {W}_1\textsf {W}_2\ldots \textsf {W}_{m} &{}= b'_0 \end{array}\right. } \end{aligned}$$
    (7)

    Then it produces a vector:

    $$\begin{aligned} \textbf{v} = \big (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0,1_{m}, b'_{m - 1}, \ldots , b'_0\big ) \end{aligned}$$

    Then it runs IPE.Enc(PK, \(\textbf{v}\), M), and output the ciphertext \(\textsf {CT}\).

  • KeyGen(\(\textsf {MSK}, \textsf {ID}, \textsf {L}\)):Suppose that a user joins the system with the a given user identity \(\textsf {ID}\) and his attribute list \(\textsf {L}\), the algorithm inputs \((\textsf {ID}, \textsf {L})\), and transforms them into a vector \(\textbf{z}\) by generating:

    It encodes \(\textsf {ID}\) by \(\tau _1(ID) = x_{\textsf {ID}} \in ({\mathbb {Z}}/p{\mathbb {Z}})^*\). Then, we compute \(x_{\textsf {ID}}\) as the one of the roots of polynomial degree n:

    $$\begin{aligned} {\left\{ \begin{array}{ll} a'_n &{}= x_{\textsf {ID}}^n\\ a'_{n-1} &{}= x_{\textsf {ID}}^{n-1}\\ a'_{n-2} &{} = x_{\textsf {ID}}^{n-2}\\ \ldots \\ a'_0 &{} = 1 \end{array}\right. } \end{aligned}$$
    (8)

    The algorithm converts an attribute user list \(\textsf {L}\) by generating:

    $$\begin{aligned} \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_i \hbox { is } + &{}: r'_i= t_i\\ \textsf {Att}_i \text{ is } - &{}: r'_i = t_{2_i}\\ \end{array}\right. } \end{aligned}$$
    (9)

    Then set \(b = \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\), and it computes based on b:

    $$\begin{aligned} {\left\{ \begin{array}{ll} b_m &{}= b^m\\ b_{m-1} &{}= b^{m-1}\\ b_{m-2} &{} = b^{m-2}\\ \ldots \\ b_{0} &{} = 1 \end{array}\right. } \end{aligned}$$

    We then produce a vector:

    $$\begin{aligned} \textbf{z} = \big (a'_n, a'_{n-1}, \ldots , 1_n, b_m, \ldots , 1_m\big ) \end{aligned}$$

    Then it runs IPE.KeyGen(PK, \(\textbf{z}\), MSK), and output the secret key \(\textsf {SK}\).

  • Decrypt(\(\textsf {CT}, \textsf {SK}\)): the algorithm inputs the ciphertext \(\textsf {CT}\) and the user’s secret key \(\textsf {SK}\), then it runs IPE.Dec( CT, SK) and outputs the message \(\textsf {M}\) iff \(<\textbf{v}, \textbf{z}> == 0\). Otherwise, the algorithms the symbol \(\perp \).

Correctness: for the vector \(\textbf{v} = (1_0, a_{\Delta }, a_{\Delta -1}, \ldots , a_0,1_{m}, b'_{m - 1}, \ldots , b'_0)\) corresponding to the set user indices \(\textsf {S}\) and access structure \(\textsf {W}\) embedded in the ciphertext CT and the vector \(\textbf{z} = (a'_n, a'_{n-1}, \ldots , 1_n, b_m, \ldots , 1_m)\) corresponding to the secret key component \(\textsf {SK}\) in the ACP-AABBE., we have:

$$\begin{aligned} \sum \limits _{i = 0}^{n + m} v_i. x_i= & {} \sum \limits _{i = 0}^{n} v_i. x_i + \sum \limits _{i = n +1}^{n + m} v_i. x_i \\= & {} \sum \limits _{i = 0}^{n} a_i \cdot x_{\textsf {ID}}^i + \sum \limits _{i = n + 1}^{n + m} b'_{i - n} \cdot b_{i - n}\\= & {} \big (1_0 \cdot x_{\textsf {ID}}^n + a_{\Delta } \cdot x_{\textsf {ID}}^{n-1} + \ldots + a_0 \cdot 1_n\big ) \\{} & {} \quad + \left( \left( \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\right) ^m \cdot 1_{m} + \left( \sum \limits _{\textsf {Att}_i \in \textsf {L}} r'_i\right) ^{m -1} \cdot b'_{m - 1} + \ldots + b'_0\right) \end{aligned}$$

If \(\sum \limits _{i = 0}^{n + m} v_i. x_i = 0\), the algorithm return \(\textsf {M}\). This means that the \(\textsf {ID}\) user is belongs to the set of indices \(\textsf {S}\), and the user attribute list \(\textsf {L}\) satisfies the access structures \({\mathbb {W}}\). Otherwise, the algorithms return \(\perp \).

*Constructions of secret keys We assume \(\sum _{att_i \in L}^{} \gamma _1 \ne \sum _{att_i \in L'}^{} \gamma _1 \) in both of AKP-ABBE and ACP-ABBE.

If there exist \(\textsf {L}\) and \(\textsf {L}' (\textsf {L}\ne \textsf {L}')\) such that \(\sum _{\textsf {Att}_i \in \textsf {L}}^{} \gamma _1 = \sum _{\textsf {Att}_i \in \textsf {L}'}^{} \gamma _1 \), a user with attribute list \(\textsf {L}\) can decrypt a ciphertext associated with \(\textsf {W}\), where \(\textsf {L}'\not \models \textsf {W}\) and \( \textsf {L}\models \textsf {W}\).

Hence, the assumption holds with overwhelming probability:

$$\begin{aligned} \frac{p(p-1)(p-(N-1))}{p^n}> \frac{(p-N + 1)^N}{p^N} = \Bigg (1 - \frac{N -1}{p}\Bigg )^N> 1 - \frac{N(N-1)}{p} > 1 - \frac{N^2}{p}, \end{aligned}$$

where p is the prime number which chosen in the first step, \(N = \prod _{i = 1}^{2n} \gamma _i\). If each secret key \(\gamma _i\) is chosen at random from \({\mathbb {Z}}_p\), then our assumption is natural. Then, the advantage of \(\mathcal {A}\) in this game is defined as \({{\textbf {Adv}}}_\mathcal{} \cdot (1 - \frac{N^2}{p})\).

Theorem 2

Our ACP-ABBE scheme is secure under the standard assumption if the underlying \(\textsf {IPE}\) is secure under the standard assumption.

4 Security analysis

Our AKP-ABBE and ACP-ABBE utilize the \(\textsf {IPE}\) manner to achieve the hidden access structures. Indeed the access structure and the user index set are transformed into the vector. In this part, we choose AKP-ABBE to elaborate the security analysis. Hence, in order to prove that our AKP-ABBE scheme is access structure hiding, we apply the indistinguishability, in which the adversary cannot distinguish two vectors \(\textbf{v}\) and \(\textbf{x}\). These two vectors correspond to \((\textsf {S}^*_0, \textsf {L}^*_0)\) and \((\textsf {S}^*_1, \textsf {L}^*_1)\), respectively, which have been used to generate the two ciphertexts \(\textsf {M}_0\) and \(\textsf {M}_1\).

Based on these above games, we apply the security proof of [19] to our Theorems 1 and 2 directly. To prove the AKP-ABBE be secured in the indistinguishable chosen plaintext attack, we consider two cases \(M_0 = \textsf {M}_1\) and \(\textsf {M}_0 \ne \textsf {M}_1\):

  • \(\textsf {M}_0 = \textsf {M}_1\), we only consider the following game sequence from \({\textbf {Game}}_1\) to \({\textbf {Game}}_5\). In this case, we prove the property of attribute hiding.

  • \(\textsf {M}_0 \ne \textsf {M}_1\), we consider the whole proof from \({\textbf {Game}}_0\) to \({\textbf {Game}}_6\).

We then present a description of each game, where the challenge ciphertexts \(\textsf {CT}_1, \ldots , \textsf {CT}_6\) are generated by the IPE’s encryption scheme:

  • \({\textbf {Game}}_0:\) The challenge ciphertext \(\textsf {CT}_0\) is generated under \((\textbf{v}, \textbf{v})\) and \(\textsf {M}_0\).

  • \({\textbf {Game}}_1:\) The challenge ciphertext \(\textsf {CT}_1\) is generated under \((\textbf{v}, \textbf{v})\) and a random message R.

  • \({\textbf {Game}}_2:\) The challenge ciphertext \(\textsf {CT}_2\) is generated under \((\textbf{v}, \textbf{0})\) and a random message R.

  • \({\textbf {Game}}_3:\) The challenge ciphertext \(\textsf {CT}_3\) is generated under \((\textbf{v}, \textbf{x})\) and a random message R.

  • \({\textbf {Game}}_4:\) The challenge ciphertext \(\textsf {CT}_4\) is generated under \((\textbf{0}, \textbf{x})\) and a random message R.

  • \({\textbf {Game}}_5:\) The challenge ciphertext \(\textsf {CT}_5\) is generated under \((\textbf{x}, \textbf{x})\) and a random message R.

  • \({\textbf {Game}}_6:\) The challenge ciphertext \(\textsf {CT}_6\) is generated under \((\textbf{x}, \textbf{x})\) and message \(\textsf {M}_1\).

PROOF Suppose that the adversary commits to the challenge user indices \(\textsf {S}^*_0, = (\textsf {ID}^*_{0a}, \textsf {ID}^*_{0b}, \textsf {ID}^*_{0c},\ldots \textsf {ID}^*_{0\,s})\) and \(\textsf {S}^*_1 = (\textsf {ID}^*_{1a}, \textsf {ID}^*_{1b}, \textsf {ID}^*_{1c},\ldots ,\textsf {ID}^*_{1\,s} ) \subseteq \textsf {U}\), and the target attribute sets \(\textsf {L}^*_0 = (\textsf {Att}^*_{01}, \ldots , \textsf {Att}^*_{0m})\) and \(\textsf {L}^*_1 = (\textsf {Att}^*_{11}, \ldots , \textsf {Att}^*_{1m})\) at the beginning of the game.

The \(\textbf{v}\) is produced of \(\textsf {S}^*_0, = (\textsf {ID}^*_{0a}, \textsf {ID}^*_{0b}, \textsf {ID}^*_{0c},\ldots \textsf {ID}^*_{0\,s})\), and \(\textsf {L}^*_0 = (\textsf {Att}^*_{01}, \ldots , \textsf {Att}^*_{0\,m})\) by using (2), (3) from the original construction.

The \(\textbf{x}\) is produced of \(\textsf {S}^*_1, = (\textsf {ID}^*_{1a}, \textsf {ID}^*_{1b}, \textsf {ID}^*_{1c},\ldots \textsf {ID}^*_{1\,s})\), and \(\textsf {L}^*_1 = (\textsf {Att}^*_{11}, \ldots , \textsf {Att}^*_{1\,m})\) by using (2), (3) from the original construction.

We also note that in the query phase the adversary is issued the \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\). It is also considered that the \(\textsf {SK}\) is related to \(\textbf{y}\), where he \(\textbf{y}\) is produced of the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) by using (4), (5) from the original construction.

We use the above sequence of hybrid games to prove that the adversary cannot win the original security game with the non-negligible security. We begin with game \({\textbf {Game}}_0\).

Indistinguishability between \({\textbf {Game}}_0\) and \({\textbf {Game}}_1\) If the adversary obtain the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) satisfying such that \((\textsf {L}^*_0 \models \textsf {W}\) and \((\textsf {ID}\in \textsf {S}^*_0)\) (meanwhile \(<\textbf{v}, \textbf{y}> = 0\)), then the challenge ciphertext is generated correctly. We consider that the challenge ciphertext is distributed in \({\textbf {Game}}_0\).

On the other hand, if the adversary obtains the secret key \(\textsf {SK}\) with corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) where \((\textsf {L}^*_0 \not \models \textsf {W}\) and \((\textsf {ID}\notin \textsf {S}^*_0)\) (meanwhile \(<\textbf{v}, \textbf{y}> \ne 0\)), then the challenge ciphertext component \(C_m\) of IPE scheme is a random element in \({\mathbb {G}}_T\) regardless of the random choice, while the rest of the challenge ciphertext are generated in an original way. Then we consider that the challenge ciphertext is distributed in \({\textbf {Game}}_1\).

Indistinguishability between \({\textbf {Game}}_1\) and \({\textbf {Game}}_2\)

If the adversary obtains the secret key \(\textsf {SK}\) with corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) where \((\textsf {L}^*_0 \not \models \textsf {W}\) and \((\textsf {ID}\notin \textsf {S}^*_0)\), or \((\textsf {L}^*_0 \models \textsf {W}\) and \((\textsf {ID}\in \textsf {S}^*_0)\) or \((\textsf {L}^*_0 \not \models \textsf {W}\) and \((\textsf {ID}\in \textsf {S}^*_0)\) (meanwhile \(<\textbf{v}, \textbf{y}> \ne 0\)), or \((\textsf {L}^*_0 \models \textsf {W}\) and \((\textsf {ID}\in \textsf {S}^*_0)\) (meanwhile \(<\textbf{v}, \textbf{y}> = 0\)), then the challenge ciphertext is generated correctly. We consider that the challenge ciphertext is distributed in \({\textbf {Game}}_1\).

On the other hand, if the adversary obtains the secret key \(\textsf {SK}\) with corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) by relaxed generation, then the two challenge ciphertext components \(C_{3,i}\) and \(C_{4,i}\) are the random elements in \({\mathbb {G}}\) regardless of the random choice, while the rest of the challenge ciphertext is generated in an original way. Then we consider that the challenge ciphertext is distributed in \({\textbf {Game}}_2\).

Indistinguishability between \({\textbf {Game}}_2\) and \({\textbf {Game}}_3\) If the adversary obtain the secret key \(\textsf {SK}\) corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) satisfying such that \((\textsf {L}^*_0 \models \textsf {W}\text { and } (\textsf {L}^*_1 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\) (meanwhile \(<\textbf{v}, \textbf{y}> = <\textbf{x}, \textbf{y}> = = 0\)), then the challenge ciphertext is generated correctly. We consider that the challenge ciphertext is distributed in \({\textbf {Game}}_2\).

On the other hand, if the adversary did not obtain the secret key \(\textsf {SK}\) with corresponding to the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) satisfying the constrain of \((\textsf {L}^*_0 \models \textsf {W}\text { and } (\textsf {L}^*_1 \models \textsf {W})\) and \((\textsf {ID}\in \textsf {S}^*_0 \text { and } \textsf {ID}\in \textsf {S}^*_1)\) (meanwhile \(<\textbf{v}, \textbf{y}> = <\textbf{x}, \textbf{y}> \ne 0\)), then the two challenge ciphertext components \(C_{3,i}\) and \(C_{4,i}\) are the random elements in \({\mathbb {G}}\) regardless of the random choice, while the rest of the challenge ciphertext are generated in a original way. Then we consider that the challenge ciphertext is distributed in \({\textbf {Game}}_3\).

Due to the symmetric observation, the rest of the proof is similar to the above proofs:

  • the indistinguishability between \({\textbf {Game}}_3\) and \({\textbf {Game}}_4\) can be proved in the same way as for \({\textbf {Game}}_2\) and \({\textbf {Game}}_3\);

  • the indistinguishability between \({\textbf {Game}}_4\) and \({\textbf {Game}}_5\) can be proved in the same way as for \({\textbf {Game}}_1\) and \({\textbf {Game}}_2\);

  • the indistinguishability of \({\textbf {Game}}_5\) and \({\textbf {Game}}_6\) can be proved in the same way as for \({\textbf {Game}}_0\) and \({\textbf {Game}}_1\).

The ACP-ABBE is proved secure under standard assumption by the similar arguments of AKP-ABBE, where \(\textbf{v}\) is produced of \(\textsf {S}^*_0, = (\textsf {ID}^*_{0a}, \textsf {ID}^*_{0b}, \textsf {ID}^*_{0c},\ldots \textsf {ID}^*_{0s})\), and \(\textsf {W}^*_0 = (\textsf {W}^*_{01}, \ldots , \textsf {W}^*_{0\,m})\) by using (4), (5) from the original construction. In addition, the \(\textbf{x}\) is produced of \(\textsf {S}^*_1, = (\textsf {ID}^*_{1a}, \textsf {ID}^*_{1b}, \textsf {ID}^*_{1c},\ldots \textsf {ID}^*_{1\,s})\), and \(\textsf {W}^*_1 = (\textsf {W}^*_{11}, \ldots , \textsf {W}^*_{1\,m})\) by using (6), (7) from the original construction. It is also considered that the \(\textsf {SK}\) is related to \(\textbf{y}\), where he \(\textbf{y}\) is produced of the access structure \(\textsf {W}\) and the user identity \(\textsf {ID}\) by using (8), (9) from the original construction.

Our proposal utilizes the work of [26] as a building block to construct the AKP-ABBE and ACP-ABBE schemes. Inherently, the strategy of our security proof is also argued as [19, 26], in which we directly apply the DBDH and DLIN assumption as [26] to prove our AKP-ABBE and ACP-ABBE be secured in the standard assumption. Therefore, by underlying the secured \(\textsf {IPE}\) of [26] under the standard assumption, we conclude that our AKP-ABBE and ACP-ABBE schemes are secure under the standard assumption.

5 Extensions

We extend how our proposed scheme can also achieve the Anonymous ABBE, which access structure supports \(\textsf {AND}\) Gates with positive, negative, wildcard [means “don’t care” (i.e., both positive and negative attributes are accepted)]:

Firstly, we choose the suitable encoding \(\tau _2\) sending each of the m attributes \(\textsf {Att}\in \textsf {U}\) onto an element \(\tau _2(\textsf {Att}) = x_2 \in (\mathbb {Z / \hbox {p}{\mathbb {Z}}})^{*}\)

$$\begin{aligned} \hbox {If } {\left\{ \begin{array}{ll} \textsf {Att}_i \hbox { is } + &{}: b_{2i - 1} = \tau _2(\textsf {Att}_i), b_{2i} = -1\\ \textsf {Att}_i \text{ is } - &{}: b_{2i - 1} = -\tau _2(\textsf {Att}_i), b_{2i} = -1\\ \textsf {Att}_i \text{ is } * &{}: b_{2i - 1} = 0, b_{2i} = 0\\ \end{array}\right. }; \end{aligned}$$
(10)

then we generate the \(\textbf{v}\) as:

$$\begin{aligned} \textbf{v} = (b_1,, \ldots , b_{m}) \end{aligned}$$

For an attribute user list \(\textsf {L}\), it computes:

$$\begin{aligned} \hbox {If } {\left\{ \begin{array}{ll} att_i \hbox { is } + &{}: b'_{2i - 1} = 1; b'_{2i} = \tau _2(att_i)\\ att_i \text{ is } - &{}: b'_{2i - 1} = 1; b'_{2i} = -\tau _2(att_i)\\ \end{array}\right. }; \end{aligned}$$
(11)

, then we generate the \(\textbf{z}\) as:

$$\begin{aligned} \textbf{v} = (b'_1,, \ldots , b'_{m}) \end{aligned}$$

If \(<\textbf{v}, \textbf{z}> =0\), we conclude that \(\textsf {L}\models \textsf {W}\).

6 Comparisons

In this section, we give a comparison among ABBE schemes in Tables 5 and 4. The schemes are compared in terms of the order of the underlying group, ciphertext size, decryption cost, access structure, and complexity assumption. In the table, N—number of clauses in a policy, M—maximum number of attributes in the given clause, k-number of attributes for a given user, r-number of revoked users, \(k_{max}\)—maximum number of attributes in access structure, n-total of the user’s identity, m—number of universe attributes.

Table 4 Comparisons in AKP-ABBE
Full size table
Table 5 Comparisons in ACP-ABBE
Full size table

As can be seen in Tables 4 and 5, our encryption and decryption are linear depending on the size of the user’s indices and the size of the access structure. In fact, both two proposed schemes implement the IPE’s encryption to produce the ciphertext, and invoke the IPE’s decryption to recover the message. In addition, the cost of IPE scheme relies on the input of vectors. Our access structures are designed with flexibility by employing both AND/OR gates with negative/positive attributes and wildcards. This idea is well-suitable in practice, where the architecture of access control always requires multiple authorizations. In terms of security proof, both KP-ABBE and CP-ABBE can be proved in the standard assumptions, such as DBDH and DLinear assumptions. Specifically, we highlight that our proposed ABBEs can achieve anonymity due to the inherence of attribute hiding from the IPE scheme. Therefore, our ABBE schemes achieve anonymity with multiple access structures.

7 Conclusion

This paper proposes two new constructions of Anonymous Attribute-Based Broadcast Encryption as AKP-ABBE and ACP-ABBE for complex access structure by considering the \(\textsf {OR}/\textsf {AND}\) Gates with positive, and negative attributes. We present our proposed schemes in generic constructions, achieving anonymity. We also proved the security of our schemes be secured in the standard model. One open problem is to construct our AKP/ACP-ABBE schemes that have constant ciphertext and secret key, and we leave it as our future work.