Revocable Key-Aggregate Cryptosystem for Data Sharing in Cloud

Qingqing Gan, Xiaoming Wang, and

With the rapid development of network and storage technology, cloud storage has become a new service mode, and data sharing and user revocation are important functions in cloud storage. Therefore, according to the characteristics of cloud storage, a revocable key-aggregate encryption scheme is put forward based on the subset-cover framework. The proposed scheme not only has the key-aggregate property, which greatly simplifies the user's key management, but also can revoke user access permissions, realizing flexible and effective access control. When user revocation occurs, it allows the cloud server to update the ciphertext so that revoked users cannot access the new ciphertext, while nonrevoked users do not need to update their private keys. In addition, a verification mechanism is provided in the proposed scheme, which can verify the updated ciphertext and ensure that the user revocation is performed correctly. Compared with the existing schemes, this scheme can not only reduce the cost of key management and storage, but also realize user revocation and achieve user access control efficiently. Finally, the proposed scheme can be proved to be selective chosen-plaintext secure in the standard model.


Introduction
With the continuous development of cloud computing technology, a new kind of data storage model called cloud storage has attracted great attention. Derived from cloud computing, cloud storage can provide online storage space through the network [1]. With the advantages of low cost, ease of use, and high scalability, it can meet the needs of mass data storage and provide a data sharing service, and it has become an important area in data storage technology. After requesting the storage service from cloud service providers, enterprises or individuals store a large amount of data on the cloud server, greatly reducing the burden on the local hardware infrastructure and saving local storage overhead. What is more, its data sharing function is regarded as very important for the multiuser cloud computing environment. When data owners outsource their data to the server and want to share these data with other users, they can adopt techniques to delegate permission to these users. In this way, the legitimate users can access the corresponding data from the cloud server so as to achieve data sharing. However, while cloud storage brings great convenience for users dealing with large-scale data, it also brings new security issues and challenges [2]. Because the cloud server is not completely trusted, enterprises or individuals will lose absolute control over the data outsourced to the cloud, which raises worries about data security and privacy protection. So, to address questions such as how to use an encryption scheme to ensure cloud security, how to protect data privacy, how to realize effective data sharing, and how to reduce the user key management cost as much as possible, the key-aggregate cryptosystem was brought forward. In such a cryptosystem, a user's private keys can be aggregated into a single key, and with only this single key the user can decrypt the corresponding multiple encrypted files, which simplifies the user's key management. It also grants different decryption access to different users and can be applied flexibly to data sharing in the cloud. Meanwhile, since user access changes dynamically and frequently in the cloud environment, how to realize user access control and revocation becomes a vital problem to be solved. For example, when an employee leaves his company, he will no longer have permission to access the company's internal data. So, in order to meet the dynamic change of user access, it is necessary to consider the problem of user revocation.
Therefore, according to the characteristics of cloud storage, the research and establishment of an efficient and secure revocable key-aggregate encryption scheme is very necessary and urgent, which has important theoretical significance and application value.
1.1. Contribution. In order to solve the key management problems and realize dynamic access control during data sharing more effectively, this paper focuses on the study of the revocable key-aggregate cryptosystem in cloud. Its main contributions are the following:
(1) According to the characteristics of the key-aggregate cryptosystem and the needs for user revocation, this paper first makes a formal definition of the revocable key-aggregate cryptosystem.
(2) Combining the subset-cover framework, this paper puts forward an efficient revocable key-aggregate encryption scheme based on multilinear maps, realizing the user's access control and revocation. Our construction not only has the characteristics of key aggregation, which simplifies the user's key management effectively, but also can delegate different decryption permissions to different users and achieve revocation of user access rights, realizing flexible access control effectively.
(3) Compared with the existing schemes, this paper analyzes the related performance of the proposed scheme. It indicates that our scheme not only keeps the users' secret key and the ciphertext at constant size, but also reduces the length of system parameters to (log ), where  is the maximum number of files in the system, thus saving the cost of storage and transmission efficiently. By updating the ciphertext via the cloud servers, the proposed scheme realizes user permission revocation while legitimate users do not need to update their private keys. What is more, it provides a verification mechanism to ensure that user revocation is executed correctly.
(4) Lastly, security analysis shows that the proposed scheme is proved to be selective chosen-plaintext secure based on the Generalized DHDHE assumption in the standard model. In addition, we discuss a solution to extend our basic scheme to handle the rapidly growing number of files in the cloud environment.

Related Works.
In recent years, it has become a crucial problem to realize secure and effective data sharing, as well as reducing the key management costs in the cloud environment. How to reduce the number of keys that users have to save, thus simplifying the key management problems effectively, has been a hot research topic. Existing research results on reducing the cost of key management can mainly be divided into four kinds: hierarchical key management schemes, key compression schemes based on symmetric encryption, identity-based key compression schemes, and other related solutions.
In cloud storage, the hierarchical key management scheme generally utilizes a tree structure, where the key of each nonleaf node can generate the keys of its child nodes. Users only need to save the corresponding ancestor nodes, effectively simplifying the key management. This technology was first proposed by Akl and Taylor [7] and later has been applied to the cloud environment with the rise of cloud computing [8,9]. For example, Ateniese et al. [10] put forward a predefined hierarchical key management scheme based on the logical key tree. However, the main drawback of the hierarchical key management scheme was that it could achieve effective key compression only under certain conditions. This was because a node key can only access the subtree of the node; if authorized files were from different branches, this in turn would increase the number of users' private keys. So its key compression was limited; only when sharing all the documents from the same branch in the tree could it achieve effective compression of the private key.
In order to solve the issue that a large number of keys needs to be transported in the broadcast encryption scenario, Benaloh et al. [11] proposed a key compression scheme based on symmetric encryption. Its basic method is to split the entire ciphertext space into finite sets and generate a constant-size key corresponding to each of these sets, so as to realize the effect of key compression. Other schemes such as [12,13] were also symmetric encryption schemes trying to reduce the key size. Since these schemes were set in the environment of symmetric encryption, which requires sharing a symmetric key through a secure channel, their application scenarios were greatly limited in the cloud environment.
After Shamir [14] proposed the concept of identity-based encryption (IBE) and Boneh and Franklin [15] put forward the first practical IBE scheme using bilinear pairings, research on identity-based key compression schemes followed. Guo et al. [16] presented a multi-identity single key decryption scheme and proved its security in the random oracle model. In their scheme, when a user adopted different identities as the public key in different scenarios, for example, when the user had more than one email address, the user only needed to store one private key to decrypt multiple encrypted messages from different companies, remarkably cutting down the cost of user key management. Then [17,18] made improvements on the efficiency and achieved adaptive chosen-ciphertext security in the standard model. But in these schemes, key compression was restricted, which required all the keys from different identity divisions, and the length of ciphertext and public parameters were linearly related to the maximum number of keys that can be aggregated, which increased the overhead of storage and transmission. Sahai and Waters [19] proposed a fuzzy identity-based encryption (FIBE) scheme to take users' biometric information as their identities, so that a user's identity was no longer a single one but was made up of several attributes. It allowed a private key to decrypt multiple ciphertexts and was proved to be secure in the standard model. However, this scheme required the ciphertext to be encrypted by an identity that met certain conditions, so it could not achieve flexible key compression.
Other relevant solutions include attribute-based encryption (ABE) and proxy reencryption (PRE). Waters [20] presented an ABE scheme in which the private key was associated with the strategy, the ciphertext was associated with attributes, and decryption was possible when the strategy matched the attributes. In their scheme, however, the length of the private key was linearly related to the leaf nodes in the strategy access tree. Li et al. [21] applied ABE to share keys among group users, but the main concern was to resist collusion attacks, rather than key compression. Canetti and Hohenberger [22] put forward a PRE scheme using the idea of transformation to turn the original ciphertext into the ciphertext encrypted by the user's public key. However, such technology is essentially aimed at transferring the secure key storage to the cloud proxy server. In addition, a key management scheme based on secret sharing was proposed in [23], but it was suitable for wireless sensor networks.
Recently, Chu et al. [24] first put forward the concept of the key-aggregate cryptosystem (KAC) and constructed the first key-aggregate encryption scheme applied flexibly to data sharing in the cloud environment. The scheme was set in a public key cryptosystem and it could aggregate users' private keys into a single one, so that users only stored this aggregated key to decrypt multiple files. Most importantly, its aggregation could be achieved without conditions and kept the length of the ciphertext constant. However, the length of system parameters in their scheme was linearly related to the maximum number of files, and it did not provide a specific security proof. Soon afterwards, the idea of the key-aggregate cryptosystem was adopted in [25-28], such as Dang et al. [27] who applied the key-aggregate cryptosystem in the wireless sensor network and proposed a fine-grained sharing scheme for the encrypted sensor data. Sikhar et al. [3] proposed a dynamic key-aggregate encryption scheme to realize user revocation. But one of its limitations was that once user revocation occurred, all legitimate users needed to update their private keys, which brought an expensive overhead of key update.

Organization.
The rest of the paper is organized as follows: Section 2 introduces some related knowledge, including multilinear maps, complexity assumption, and subset-cover framework. In Section 3 we discuss the definition, the security model, and system model of the revocable key-aggregate cryptosystem. Section 4 details our new construction and Section 5 shows the evaluation of our proposed scheme, containing performance analysis and the security analysis. Then in Section 6, we have some discussions and present an extension for our basic scheme. Finally, we conclude this paper and look forward to the future work in Section 7.

Preliminaries
In this section we describe some basic primitives and concepts that are used in our scheme.

Multilinear Maps.
Multilinear maps were first put forward by Boneh and Silverberg [29], and their research and application have since become more and more widespread. Multilinear maps mainly consist of the following two algorithms:
(1) Setup (): the Setup algorithm outputs an -linear map, which contains  groups  = ( 1 ,  2 , . . .,   ) with prime order  and generators   ∈   .
In the asymmetric multilinear maps [30], group is divided by a vector and the map operations make The definition shows the following:
(1) Setup (n): the Setup algorithm takes a positive integer vector n ∈   as input and outputs an n-linear map, which contains a set of groups { k } with prime order , and generators  k ∈  k , while v are nonnegative integer vectors meeting k ≤ n. Assume e  be the vector with 1 at the position  and 0 at all other positions. Then { e  } are the source groups,  n is defined as the target group, and the rest of the groups are intermediate groups.
( Similarly, we leave out the subscripts to be written as  and also generalize  with multiple inputs as (ℎ (1) , ℎ (2) , . . ., ℎ () ) = (ℎ (1) , (ℎ (2) , . . ., ℎ () )).

Complexity Assumption.
We introduce a new complexity assumption named Generalized DHDHE.This new assumption is the variant version of the well-known Decisional -Hybrid Diffie-Hellman Exponent (DHDHE) proposed by Boneh et al. [30].
For a polynomial-time adversary , its advantages to Generalized DHDHE problem are defined as . (1)

[Figure 1 legend: Revoked user; Cover(R); ST(R)]

From here we can see that this new assumption is the generalization of DHDHE assumption. Specifically, if we multiply  1 and  2 , Generalized DHDHE assumption can be reduced to DHDHE assumption in [30].
Definition 2. We say the Generalized DHDHE assumption holds if, for any polynomial-time adversary ,  has a negligible advantage in solving the Generalized DHDHE problem.

Subset-Cover Framework.
Naor et al. [4] first proposed the subset-cover framework and applied it to the broadcast encryption scheme, realizing the dynamic authorization of the user. The subset-cover framework includes the complete subtree (CS) method and the subset difference (SD) method. This paper mainly introduces the CS method, shown as follows.
Let  be a full binary tree with depth . Thus the number of leaf nodes in the tree is (2  − 1), representing (2  − 1) users. First, for each user , we define a path set denoted by path(), containing all the nodes on the way from the root node to the leaf node. When given a user revocation set , let   1 ,   2 , . . .,    be the complete subtrees in  rooted at the nodes of outdegree one in Steiner Tree ST(), and   1 ,   2 , . . .,    are not in the ST(). We say that   1 ,   2 , . . .,    cover all the nonrevoked nodes in , denoted by cover(). Take the example in Figure 1. Given the full binary tree  with eight leaf nodes, we get the user sets  = { 8 ,  9 , . . .,  15 }. Then the path set for each user can be obtained as path( 8 ) = { 1 ,  2 ,  4 ,  8 }, path( 12 ) = { 1 ,  3 ,  6 ,  12 }, and so on. Suppose the user revocation set  = { 8 ,  10 }; then ST() is shown in the dotted box in Figure 1, so that cover() = { 3 ,  9 ,  11 } including all the nonrevoked users.
When constructing the scheme based on the subset-cover framework, the path set is embedded in the private key, while the cover set is related to the ciphertext. If and only if path() ∩ cover() ≠ , the user  can take the next step to the decryption. In the CS method as shown in Figure 1, only legitimate users, such as  9 ,  12 , meet the conditions. For a revoked user , since path() ∩ cover() = , he is unable to complete the decryption, as  8 in Figure 1.
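The complete subtree bookkeeping described above, as an added example that is not code from the paper: it assumes heap numbering of the tree (root 1, children 2v and 2v+1), which matches the node numbers in the Figure 1 example, and all function names are hypothetical. It covers only path(), ST() and cover(), not the multilinear-map cryptography, and shows why a second revocation changes the cover but not any user's path set.

```python
"""Complete subtree (CS) method on a heap-numbered full binary tree.

Assumption (not stated in the paper): node 1 is the root and node v has
children 2v and 2v+1, so num_users leaves are numbered num_users..2*num_users-1.
"""


def leaves(num_users):
    """Leaf node numbers; num_users must be a power of two."""
    if num_users < 1 or num_users & (num_users - 1):
        raise ValueError("num_users must be a power of two")
    return range(num_users, 2 * num_users)


def path(leaf):
    """Nodes from the root down to `leaf`: the set tied to the user's private key."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes[::-1]


def steiner_tree(revoked):
    """ST(R): union of the root-to-leaf paths of all revoked leaves."""
    nodes = set()
    for leaf in revoked:
        nodes.update(path(leaf))
    return nodes


def cover(revoked, num_users):
    """cover(R): roots of the maximal subtrees that contain no revoked leaf."""
    revoked = set(revoked)
    if not revoked <= set(leaves(num_users)):
        raise ValueError("revoked set must contain leaf node numbers only")
    if not revoked:
        return {1}  # nobody revoked: the whole tree is one subtree
    st = steiner_tree(revoked)
    result = set()
    for node in st:
        if node >= num_users:
            continue  # leaves have no children
        for child in (2 * node, 2 * node + 1):
            if child not in st:
                result.add(child)  # sibling subtree hanging off ST(R)
    return result


def matching_node(uid, revoked, num_users):
    """Node in path(uid) ∩ cover(R), or None when uid is revoked.

    In the CS method the intersection holds exactly one node for a
    nonrevoked user and is empty for a revoked one.
    """
    common = set(path(uid)) & cover(revoked, num_users)
    if not common:
        return None
    (node,) = common
    return node


if __name__ == "__main__":
    N = 8                      # eight users, leaves 8..15 as in Figure 1
    first = {8, 10}            # revocation set from the paper's example
    second = {8, 10, 12}       # constructed follow-up revocation
    for label, revoked in (("R = {8, 10}", first), ("R = {8, 10, 12}", second)):
        print(label, "cover =", sorted(cover(revoked, N)))
        for uid in leaves(N):
            print("  user", uid, "path", path(uid),
                  "->", matching_node(uid, revoked, N))
```

User 13 matches node 3 under the first revocation set and node 13 under the second while path(13) stays the same, which is the property that lets nonrevoked users keep their private keys when only the ciphertext side is updated.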

Revocable Key-Aggregate Cryptosystem
Since the delegated users in cloud have the feature of dynamic change, revocable key-aggregate cryptosystem is essential for consummating the user revocation function in KAC.

Definition.
Revocable key-aggregate cryptosystem (RKAC) is an extension of KAC such that a user can be revoked if his credential is expired. A revocable key-aggregate encryption scheme consists of seven polynomial-time algorithms as Setup, KeyGen, Encrypt, Extract, Update, Decrypt, and Verify, which are defined as follows:
(1) Setup(1  , ): the Setup algorithm takes as input a security parameter 1  and the maximum number of files . It outputs public parameters params.
(2) KeyGen(params): the key generation algorithm takes as input public parameters params.It generates a public key PK and a master secret key msk.
(  Phase 1.  adaptively requests a series of queries. These queries are processed as follows: (i)  

When the data owner Alice wants to share multiple files  1 ,  2 , . . .,   with others through the cloud server utilizing the revocable key-aggregate encryption scheme, Alice first runs the Setup algorithm to get the system parameters params. Then Alice executes KeyGen(params) to get a random public/master secret key-pair (PK, msk) and keeps msk secret. After that, Alice and anyone who cooperates with Alice can run the encryption algorithm Encrypt(PK, , , , params) and upload the encrypted files to the cloud server. Once Alice hopes to share several of these files with user Bob, Alice will run the algorithm Extract(msk, uid, , params) to generate a private key SK for Bob according to the authorized files' indices and the user's identity. Since SK is of fixed size, it is easy for Alice to pass SK to Bob through a safe channel with small communication cost. Whenever Alice wants to revoke users, Alice will send the user revocation list  to the CSP. Then the CSP calls the algorithm Update(PK, , , params) to update the corresponding ciphertext. If and only if Bob has not been revoked, Bob downloads the updated ciphertext from the cloud server and runs the algorithm Decrypt(, SK, , , , params) with the use of the private key to obtain the plaintext. And if the user has been revoked, such as David in Figure 2, he will not be able to decrypt the updated ciphertext, thus withdrawing David's permission to the files. Finally, by invoking the algorithm Verify(,   , params), Alice can achieve the verification of the updated ciphertext, to ensure that the user revocation is effectively implemented.

Main Construction
Our main construction of the revocable key-aggregate encryption scheme is based on multilinear maps and realizes data sharing and user revocation in cloud storage securely and efficiently.

Basic Idea.
In KAC, the aggregation of file indices is embedded in the user's private key so that authorized users store the aggregate key to realize access to multiple files. However, user access in the system changes dynamically, requiring KAC to support user revocation. Therefore, in order to construct a revocable key-aggregate encryption scheme, two main challenges remain to be solved. One is how to construct an efficient scheme with the key-aggregate function; the other is how to revoke users securely while not affecting the legitimate users' access to files.
For the first challenge, we are inspired by Boneh et al.'s broadcast encryption [30]. Based on this scheme, we try to construct a key-aggregate scheme that keeps the users' secret key and the ciphertext at constant size. With the multilinear maps, it can reduce the length of system parameters to (log ), thus saving the cost of storage and transmission efficiently.
For the second challenge, our inspiration comes from Shi et al.'s [6] revocable key-policy ABE scheme. The scheme not only realizes direct user revocation, but also achieves the function of ciphertext delegation by a third-party server. What is more, it provides a verification mechanism to ensure the correctness of the ciphertext delegation, which has been of great significance. However, in their scheme, the user private key is related to the access structure and path set in the subset-cover framework. Besides that, Shi et al.'s [6] scheme is only proved to be secure under the random oracle model. So we try to combine Naor et al.'s [4] subset-cover framework with our scheme for user revocation. In addition, we improve the complete subtree method of the subset-cover framework in [4] to aggregate the path set for each user as a private key, so as to realize the user's key aggregation and simplify the key management effectively.
Therefore, this paper proposes a revocable key-aggregate encryption scheme and proves its security in the standard model. The main idea of the scheme lies in constructing the ciphertext and the private key. The ciphertext of the new scheme includes not only the file index, but also the user revocation set, realizing direct user revocation. At the same time, the private key is correspondingly divided into two parts. One is the aggregation of the file index set, and the other is the aggregation of the path set for each user, so as to realize the user's key aggregation effectively. Through the above method, only the legitimate users have access to the appropriate file, realizing the file access control function in the system effectively. This new scheme achieves the ciphertext updating through the cloud servers to save the computational overhead of the data owner; when user revocation occurs, a nonrevoked user does not need to update his private key, greatly reducing the expensive cost of key update and the burden on the key delegation authority; because the cloud server is not completely trusted, we provide a verification mechanism for the scheme, so that the data owner can validate the updated ciphertext to make sure the user revocation is carried out correctly.

Scheme Design.
Let Setup  be the Setup algorithm for a multilinear map, where outputs group with order , respectively. Let  be a full binary tree with depth  (1 ≤  ≤ ), where the leaf stands for user. Number all the nodes in  from one to (2  − 1); then our scheme consists of the following algorithms:
(1) Setup(1  , ): take as input the length  of index.
Let {0, 1}  \ {0  } be the index space.Therefore the maximum number of files in the system is  = 2  − 1.
Let n be the all-ones vector with length ( + 1).
(5) Update(PK, , , params): for user revocation set , compute cover() according to the CS method in subset-cover framework. For  ∈ cover(), compute . Finally get the updated ciphertext as follows:
(6) Decrypt(, SK, , , , params): when user receives the ciphertext  with the index , if either the index  ∉  or the user's identity uid ∈ , then return ⊥.
Otherwise, for  = path(uid) ∩ cover(), decryption can be done as follows:
For correctness, we can see that (5)

Evaluation
In this section, we evaluate the proposed scheme in two aspects, performance analysis and security analysis.
5.1. Performance Analysis. Performance analysis mainly includes the cost of computation, storage, and communication by comparison with several related schemes. In computation, since our scheme is based on asymmetric multilinear maps,  =   (2  ) 2n in the ciphertext is system parameter, and the value of  n ,    n and   can be calculated in advance. Therefore, multilinear mapping operation in the process of encryption does not exist, which reduces the computational cost greatly. Decryption cost is linearly related to user's authorized file index set and path set in the complete subtree. In terms of storage and communication cost, this paper will compare the new scheme with [3-6], including the length of system public parameters, the length of private key, length of ciphertext, revocation manners and costs, and whether it is able to verify the correctness of revocation, as shown in Table 1.
Note that the length of ciphertext refers to the length of original ciphertext when no user has been revoked, and the revocation cost refers to the computational cost when the user revocation occurs.  stands for the maximum number of encrypted files in the system,  denotes the number of revocation users,  represents the number of legitimate users, ℓ is number for leaf node in the access tree corresponding to the user's private key, and  is on behalf of the number of attributes.
As can be seen from Table 1, the proposed scheme not only keeps the length for user's private key as (1), but also keeps the length of the ciphertext as (1), which is as well as [3,5] and better than [4,6]. But the length of system parameters in [3,5] is (), while that in the proposed scheme is (log ). Revocation manners contain direct and indirect revocation. Direct revocation refers that the revocation list is directly embedded in the ciphertext, so that revoked users cannot decrypt any more, such as our scheme and [4,6]; indirect revocation refers that the authorized agency or data owner distributes the updated keys for the nonrevoked users so as to realize the user revocation, such as [3,5]. As for the revocation cost, because the indirect revocation needs to distribute updated keys to all legitimate users, computational cost for revocation is (), while the revocation cost in our scheme and [4,6] is mainly focused on the ciphertext update as ( log ). In addition, our scheme and [6] also provide verification mechanism, allowing the data owner and any trusted third-party auditor to verify the updated ciphertext, so as to ensure effective implementation of revocation, which is better than [3-5]. Above all, the proposed scheme is superior to [3-6], with less cost of storage and communication, and has ciphertext verifiability function.; it also means that assumption is difficult.

Security
By the following theorem, we prove the security of the proposed scheme.

Theorem 5. If the Generalized DHDHE problem is hard to solve, then the proposed revocable key-aggregate encryption scheme is selective IND-CPA security.
Proof. Assume there exists a polynomial-time adversary  who can break the selective IND-CPA security of the revocable key-aggregate encryption scheme; then a challenger Chal can use the adversary's ability to construct an algorithm  to solve the Generalized DHDHE problem. It is contradictory to our assumption that Generalized DHDHE problem is difficult to solve, thus proving the proposed scheme is selective IND-CPA security. Suppose, in an asymmetric multilinear maps group system,  is given an instance of the Generalized DHDHE problem (params  , {  } ∈{0,1,...,} ,  1 ,  2 , ) as follows:
(1) params  ← Setup  (2n), where n is the all-ones vector of length ( + 1).
Algorithm  decides whether  =   (2  ) 2n ; if it holds, it outputs 1 or else outputs 0. Algorithm  proceeds the following game with the adversary .
Init. Algorithm  initializes a full binary tree  of depth  (1 ≤  ≤ ), and all the nodes in  are numbered from 1 to (2  − 1).  submits an index  * ,  * that  will challenge.
Setup. Algorithm  performs the following operations: (i) Step 1: it chooses a random ∈    and sets V =  n  /  * , of which   * can be calculated by  ℓ .
Therefore,  =  −   * . Since  is randomly selected in   , it is independent of . Then, according to the principle of subset-cover framework, cover( * ) can be obtained from  * . For any  *  ∈ cover( * ), it chooses a random   ∈   and sets  =  n   /  *  , of which Ζ  *  can be calculated by  ℓ . Therefore,  =   −   *  . As   is randomly selected in Ζ  , it is independent of . The public key is set as PK = (, V); note that algorithm  does not know the master secret key (, ).
Phase 1. A is allowed to query for private keys in this stage. For set  in condition that  * ∉ , B computes the index aggregate key   = ∏ ∈ Z  2  − /∏ ∈ Z 2  −+ * . For user identity uid ∈  * , it satisfies the condition that path(uid) ∩ cover( * ) = . So for  *  ∈ cover( * ), it is bound to meet  *  ∉ path(uid). From the full binary tree , user path is denoted as path(uid) =

the revocable key-aggregate cryptosystem and proposes a revocable key-aggregate encryption scheme combined with the subset-cover framework in cloud environment, realizing the key aggregation and user access control effectively. By updating ciphertext via the cloud servers, the proposed scheme realizes the user permissions revocation while legitimate users do not need to update their private keys. What is more, it provides a verification mechanism to ensure user revocation is executed correctly. Performance analysis shows that, compared with the existing schemes, the proposed scheme reduces the cost of storage and transmission and realizes the user access control effectively. Security analysis shows that the proposed scheme proved to be selective CPA security based on Generalized DHDHE assumption in the standard model. Besides, an extended scheme is proposed to adapt for the cloud scenario, where the number of files is extremely large and growing rapidly.
This paper also has the limitation that it only considers constructing a CPA secure scheme. Since there are a lot of solutions to transfer a scheme from CPA security to CCA security [31], how to construct an efficient CCA secure key-aggregate encryption scheme will be a concern. And the total number of users is predefined in our revocable scheme, which is not conducive to flexible extension of the system. Therefore, how to design a key-aggregate encryption scheme that unites revocation and extensibility will be the future work. In addition, trying to use the theory to solve some security problems in the practical application environment, such as how to apply the idea of revocable key-aggregate cryptosystem in the privacy-preserving of data aggregation and realize the data integrity verification, will be one of the future research directions.

Definition 4. If, for any polynomial-time  and adversary  through  queries in the above game without the decryption query, its advantage for RKAC scheme Adv RKAC  ≤ , one said this RKAC scheme is selective (, , )-IND-CPA security.

3.3. System Model. Applying the RKAC in a cloud environment, the model is shown in Figure 2. It consists of three entities: cloud service provider (CSP), the data owner (DO), and user.

(7) Verify(,   , PK, params): to verify whether the cloud server has executed the revocation correctly and honestly, the equation (  ,  4 ) ? = ( 5 ,  n ) can be used and it returns 0 or 1. For data owner, in order to verify whether the updated ciphertext   3 is right or not, he can use the equation (  3 / 3 ,  n ) ? = (,  4 ). If returning 1, it means right or else means wrong.
(3) Encrypt(PK, , , params): the encryption algorithm takes as input public key PK, an index  denoting the file, a message , and public parameters params. It outputs a ciphertext .
(4) Extract(msk, uid, , params): the Extract algorithm takes as input the master secret key msk and a set S of indices corresponding to different files, user identity uid, and public parameters params. It outputs users' private key SK.
(5) Update(PK, , , params): the update algorithm takes as input the public key PK, the user revocation set , a ciphertext , and public parameters params. It outputs an updated ciphertext   .
(6) Decrypt(, SK, , , , params): the decryption algorithm takes as input a ciphertext , user private key SK, the set , an index  denoting the ciphertext , the user revocation set , and public parameters params. If ( ∈ ) ∧ (uid ∉ ), it outputs the result  or else outputs ⊥.
(7) Verify(,   , PK, params): the Verify algorithm takes as input a ciphertext , an updated ciphertext   , public key PK, and public parameters params. If the cloud server has executed the revocation honestly and updated the ciphertext correctly, it outputs 1 or else outputs 0.

Init.  initially submits a challenge file index  * and a revoked identity set  * .
Setup. Chal generates public parameters params and (PK, msk) by running Setup(1  , ) and KeyGen(params). It keeps msk secretly to itself and gives params and PK to .
Step 1 (extraction query): for any file index set ( * ∉ ) and identity uid(uid ∈  * ), Chal invokes the Extract algorithm Extract(msk, uid, , params) and sends the generated private key SK = (  ,  uid ) to .
(ii) Step 2 (decryption query): for any ciphertext   , file index set ( * ∉ ), and identity uid(uid ∈  * ), the challenger Chal executes the decryption algorithm Decrypt(  , SK, , , , params) and sends the obtained plaintext to .
Challenge. Once the adversary  decides to end Phase 1, it submits two challenge messages  0 ,  1 ∈  with equal length. Chal flips a random coin  ∈ {0, 1} and sets  = Encrypt(PK,  * ,   , params),  * = Update(,  * ) and then gives the challenge ciphertext  * to .
Phase 2.  continues to request a series of adaptive queries, but with the restrictions that it cannot perform the decryption query to  * . The challenger Chal adopts the same method as in Phase 1 to answer the queries.
If, for any polynomial-time  and adversary  through  queries in the above game, its advantage for RKAC scheme Adv RKAC  ≤ , one said this RKAC scheme is selective (, , )-IND-CCA security.

Run Setup  (2n) to obtain the public parameters params  for a multilinear map of target group  2n . Select a random  ∈   , and set  ℓ =  (2 ℓ )

Table 1: Comparison with related schemes.

Analysis. Our scheme is based on Generalized DHDHE assumption and is proved to be adaptive IND-CPA security under the standard model. First we analyze Generalized DHDHE assumption. Let  ℓ =   (2 ℓ )  − 1],   =    n can be directly calculated. And given  =   (2  +1) e  , when  ∈ [2  + 1, 2 +1 ],  can be computed out. However, from   ,  1 , and  2 , it is difficult to compute  =  (2  )2n . The reason is that only the random  is related to  1 and  2 . In order to obtain , we first need to multiply  1 and  2 , and let the multiplication results do the match operation with   (2  ) . Since n is a ( + 1)-dimensional vector composed of 1, any  ℓ cannot match with itself, which means that we can only compute   (2  )    ) for  ℓ ∈ {0, 1} and Χ 0 ℓ =  e ℓ . Notice that the index of the given   =   (2  +1) However, for all the subsets of L ⊆ [0,  − 1], there are ∑ ℓ∈ 2 ℓ < 2  . Therefore it is unable to calculate  (2  ) n from  ℓ n , it should meet   = 0 in (Χ