A CP-ABE Scheme Supporting Arithmetic Span Programs

Attribute-based encryption achieves fine-grained access control, especially in a cloud computing environment. In a ciphertext-policy attribute-based encryption (CP-ABE) scheme, the ciphertexts are associated with the access policies, while the secret keys are determined by the attributes. In recent years, people have tried to find more effective access structures to improve the efficiency of encryption systems. This paper presents a ciphertext-policy attribute-based encryption scheme that supports arithmetic span programs. On the composite-order bilinear group, the security of the scheme is proven through a sequence of experiments based on the combination of the composite-order bilinear entropy expansion lemma and the subgroup decision (SD) assumption. The scheme is adaptively secure and has constant-size public parameters.


Introduction
In the cloud computing environment, traditional public-key encryption cannot meet practical needs because it only supports one-to-one sharing of encrypted data. In 2006, Goyal et al. [1] proposed attribute-based encryption (ABE), which can achieve one-to-many encryption, making the sharing of encrypted data more convenient. Besides, the encrypter does not need to know the specific identifying information of the visitors but only needs to use the access structure to complete fine-grained access control over the users' identities, which provides a new idea for data sharing. ABE is divided into two types, depending on whether the ciphertexts or the keys are marked with attributes. For example, in a CP-ABE scheme, keys are marked with attributes and the ciphertexts are linked with access policies. Conversely, in key-policy ABE (KP-ABE), keys are linked with access policies and the ciphertexts are marked with a series of attributes.
In 2006, Goyal et al. [1] came up with a KP-ABE scheme that supports an access tree. The size of the public parameters is linearly related to the size of the attributes, that is, the size is not constant. In 2008, Katz et al. [2] put forward the first KP-ABE scheme based on the inner product on the composite-order bilinear group. It is a selectively secure scheme, and the length of the ciphertext increases linearly with the vector's dimension. In 2010, Herranz et al. [3] proposed a CP-ABE scheme with a constant-size ciphertext, but it only supports threshold access control. In 2011, based on dual pairing vector spaces, Okamoto and Takashima [4] presented a zero inner product encryption scheme and a nonzero inner product encryption scheme which are fully secure under the standard model, in which the ciphertext's length or the key's length can reach a constant. In 2011, Attrapadung et al. [5] first proposed a KP-ABE scheme that supports nonmonotonic access control. The scheme has a constant-size ciphertext, but it can only be proved secure under the selective model. In 2013, Chen et al. [6] gave a general construction method from inner product encryption to ABE and presented an ABE scheme supporting threshold access control based on inner product encryption. This scheme achieves adaptive security with constant-size ciphertext. In 2014, Wee [7] first proposed an ABE scheme supporting arithmetic span programs [8], but did not give a specific scheme (just a framework). In 2015, Attrapadung et al. [9] proposed a general conversion between the ABE scheme supporting arithmetic span programs and the KP-ABE scheme when we do not limit the size of the span programs, but the size of the attributes is limited. This scheme achieves adaptive security with a constant-size ciphertext, but the length of the public parameters is still not constant. In 2017, Chen et al. [10] first proposed a KP-ABE scheme supporting arithmetic span programs via bilinear entropy expansion, and the scheme is adaptively secure with constant-size parameters. Table 1 illustrates the development of ABE with respect to the access structure. Besides, the existing ABE schemes can be converted into schemes supporting the arithmetic span program. Compared with ABE schemes realized through Boolean circuits, the computational complexity and parameter size of a scheme supporting the arithmetic span program are relatively small. Therefore, since the composite-order bilinear group has fewer algorithm components and yields a simpler and clearer description of the algorithms, we naturally think of the following question about ABE: "Can we design a CP-ABE scheme that supports arithmetic span programs on a bilinear group?"

Our Contribution.
Although CP-ABE and KP-ABE have many similarities in structure, even a dual relationship, their application scenarios are very different. In the CP-ABE scheme, because the policy is embedded in the ciphertext, the data owner can set policies to determine which attributes can access the ciphertext. That is, encrypted access control for this data can be refined to the attribute level. The application scenario of CP-ABE is usually encrypted data storage and fine-grained sharing on the public cloud, while the application scenario of KP-ABE is more inclined to paid video websites, log encryption management, and so on. Inspired by [10], we consider designing an adaptively secure CP-ABE scheme. There are some schemes supporting arithmetic span programs [10,11], where [10,11] are KP-ABE schemes. However, considering that the composite-order group has fewer algorithm components and yields a simpler and clearer description of the algorithms, it is meaningful to construct a CP-ABE scheme on composite-order groups. Specifically, to reduce the parameter size, we first give the composite-order bilinear entropy expansion lemma, which contains the specific form of the public parameters, the ciphertext, and the key. In Setup, we use some random numbers as the master secret key and use the master secret key to calculate the master public key. In Enc, we embed the policy into certain components of the ciphertext in combination with the public parameters and the bilinear entropy expansion vector. In KeyGen, we combine the attribute vector, the public parameters, and the bilinear entropy expansion vector to generate the secret key. In Dec, the arithmetic span program is used as the criterion for decryption, and an authorized user can decrypt normally. Finally, based on the SD assumption and the composite-order bilinear entropy expansion lemma, the scheme is proved to have adaptive security.

Organization.
We first list some relevant knowledge in Section 2. Then, we present the formal definition of our scheme in Section 3.1 and propose the adaptive security model in Section 3.2. Specifically, we present our scheme in Section 3.3 and verify its correctness in Section 3.4. Finally, we prove its adaptive security by a series of experiments in Section 3.5.

Preliminaries
Notation. We let $\mathbb{Z}_p$ denote the ring of integers modulo a prime number $p$ and $\mathbb{Z}_p^n$ denote the set of $n$-dimensional vectors over $\mathbb{Z}_p$. $G_N$ and $e$ represent a group of order $N$ and a bilinear map, respectively. We denote by $[n]$ the set $\{1, 2, \ldots, n\}$ and write an $n$-dimensional vector as a bold letter, $\mathbf{x} = (x_1, x_2, \ldots, x_n)$.

Bilinear Maps
Definition 1 (bilinear maps; see [12,13]). Let $G_N$, $H_N$, and $G_T$ be bilinear groups of order $N = p_1 p_2 p_3$, where $p_1$, $p_2$, and $p_3$ are primes. Let $g$ be a generator of $G_N$ and $g_1$, $g_2$, and $g_3$ generators of $G_{p_1}$, $G_{p_2}$, and $G_{p_3}$, respectively. Let $h$ be a generator of $H_N$ and $h_1$, $h_2$, and $h_3$ generators of $H_{p_1}$, $H_{p_2}$, and $H_{p_3}$, respectively. $e: G_N \times H_N \to G_T$ is a bilinear map if it satisfies the following three properties: that the order of $e(g_0, h_0)$ is $N$. Also, the composite-order bilinear map satisfies the orthogonality $e(g_i, h_j) = 1$ for all $i, j \in \{1, 2, 3\}$, $i \neq j$.

Arithmetic Span Program
Definition 2 (arithmetic span program [8]). An arithmetic span program (υ, ρ) is a map ρ: , and a collection of row vectors $\upsilon = (\mathbf{y}_j,$ where $\mathbf{1} := (1, 0, \ldots, 0) \in \mathbb{Z}_p^{l'}$. As in [9], we restrict ρ to be the identity map and $l = n$.

Computational Assumptions
Subgroup decision assumption (see [12,13]). We say that the subgroup decision assumption (denoted by $\mathrm{SD}^{H_N}_{p_2 \to p_2 p_3}$) holds if, for all probabilistic polynomial-time (PPT) adversaries A, the following advantage function is negligible in λ:
where $D := h_1, h_2, h_3, g_1, g_2, g_{23}$, (3) , holds if, for all probabilistic polynomial-time (PPT) adversaries A, the following advantage function is negligible in λ: where

Bilinear Entropy Expansion Lemma.
For any polynomial-time adversary A, the advantage in distinguishing the following two distributions is negligible: sk: where
See the Appendix for details about the proof of this lemma.

Formal Definition of the CP-ABE Scheme Supporting Arithmetic Span Program
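Setup($1^\lambda$, $1^n$): input the security parameters ($1^\lambda$, $1^n$) and output the master public key mpk and the master secret key msk.
Enc(mpk, υ, m): input the access structure $\upsilon = \{(\mathbf{y}_j, \mathbf{z}_j) : j \in [n],\ \mathbf{y}_j, \mathbf{z}_j \in \mathbb{Z}_p^{l'}\}$ and the plaintext $m$, and output the ciphertext $ct_\upsilon$.
KeyGen(mpk, msk, x): input the vector $\mathbf{x} \in \mathbb{Z}_p^n$ and output the secret key $sk_{\mathbf{x}}$.
Dec(mpk, $sk_{\mathbf{x}}$, $ct_\upsilon$): input $sk_{\mathbf{x}}$ and $ct_\upsilon$ and output $m$ if $\mathbf{x}$ and υ satisfy $\sum_{j=1}^{l} \omega_j (\mathbf{y}_j + x_j \mathbf{z}_j) = \mathbf{1}$.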
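The decryption condition above is a linear-algebra test: Dec succeeds exactly when the vector (1, 0, ..., 0) lies in the span of the rows y_j + x_j z_j. The following added example (not code from the paper) finds the coefficients ω_j by Gaussian elimination over Z_p; the toy prime 101, the two-row policy, and the function names `solve_omega` and `check` are assumptions made for illustration.

```python
# Added illustration: arithmetic span program (ASP) acceptance over Z_p.
# Toy prime and policy are constructed; a real scheme uses cryptographic sizes.
P = 101

def solve_omega(ys, zs, x, p=P):
    """Find omega with sum_j omega_j*(y_j + x_j*z_j) = (1,0,...,0) mod p.

    Returns a list of n coefficients, or None when the target vector is not
    in the span (x does not satisfy the policy, so Dec must fail).
    """
    n, lp = len(ys), len(ys[0])
    # v_j = y_j + x_j * z_j, one row per attribute position j.
    v = [[(ys[j][k] + x[j] * zs[j][k]) % p for k in range(lp)] for j in range(n)]
    # Linear system V^T * omega = e_1: lp equations in n unknowns (augmented).
    a = [[v[j][k] for j in range(n)] + [int(k == 0)] for k in range(lp)]
    pivots, row = [], 0
    for col in range(n):
        pr = next((r for r in range(row, lp) if a[r][col]), None)
        if pr is None:
            continue  # no pivot in this column: free variable, left at 0
        a[row], a[pr] = a[pr], a[row]
        inv = pow(a[row][col], -1, p)  # modular inverse (Python 3.8+)
        a[row] = [c * inv % p for c in a[row]]
        for r in range(lp):
            if r != row and a[r][col]:
                f = a[r][col]
                a[r] = [(c - f * d) % p for c, d in zip(a[r], a[row])]
        pivots.append(col)
        row += 1
    if any(a[r][n] for r in range(row, lp)):
        return None  # inconsistent system: (1,0,...,0) is outside the span
    omega = [0] * n
    for r, col in enumerate(pivots):
        omega[col] = a[r][n]
    return omega

def check(ys, zs, x, omega, p=P):
    """Recompute sum_j omega_j*(y_j + x_j*z_j) and compare with (1,0,...,0)."""
    lp = len(ys[0])
    acc = [sum(w * (y[k] + xj * z[k]) for w, y, z, xj in zip(omega, ys, zs, x)) % p
           for k in range(lp)]
    return acc == [1] + [0] * (lp - 1)

# Constructed policy with n = 2, l' = 2: v_1 = (1, x_1), v_2 = (0, x_2 - 3).
# (1, 0) is in the span exactly when x_1 = 0 or x_2 != 3.
YS = [(1, 0), (0, P - 3)]
ZS = [(0, 1), (0, 1)]

if __name__ == "__main__":
    for x in [(0, 3), (5, 7), (5, 3)]:
        w = solve_omega(YS, ZS, x)
        print(x, w, w is not None and check(YS, ZS, x, w))
```

The vector (5, 3) is the rejecting case: v_2 collapses to the zero vector and v_1 = (1, 5) alone cannot reach (1, 0), so no ω exists.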

Adaptive Security Model for CP-ABE Schemes Supporting Arithmetic Span Programs.
We present an adaptive security model of the CP-ABE scheme that supports the arithmetic span program through a game between the challenger B and the adversary A.
Setup: challenger B runs the initialization algorithm and sends mpk to adversary A.
Stage 1: adversary A chooses $\mathbf{x}'$ to perform multiple secret key queries. Challenger B runs KeyGen and sends the secret key to adversary A.
Challenge: adversary A sends two equal-length plaintexts ($m_0$ and $m_1$) and the challenge access structure $\upsilon^* = \{(\mathbf{y}_j, \mathbf{z}_j) : j \in [n],\ \mathbf{y}_j, \mathbf{z}_j \in \mathbb{Z}_p^{l'}\}$ to challenger B (any query vector $\mathbf{x}'$ and the challenge access structure $\upsilon^* =$ Then, challenger B sends the challenge ciphertext $ct_{\upsilon^*}$ to adversary A.
Stage 2: same as Stage 1.
Guess: adversary A outputs the guess $b'$ about $b$.
We say adversary A wins this game iff $b' = b$, and the advantage of adversary A is Adv
The encryption scheme is adaptively secure if the advantage of winning the above game is negligible for all PPT adversaries.

Our Construction
Setup($1^\lambda$, $1^n$): input the security parameter λ and the number of attributes $n$, and select $\mathbb{G} := (N = p_1 p_2 p_3, G_N, H_N, e) \leftarrow \mathcal{G}(1^\lambda)$. Pick random generators $g_1$, $h_1$, and $h_{123}$ of $G_{p_1}$, $H_{p_1}$, and $H_N$, respectively. Sample $w, w_0, w_1, w', w_0', w_1', \alpha, u_0 \leftarrow_R \mathbb{Z}_N$ and output the master public key and the master secret key
KeyGen(mpk, msk, x): input the master secret key msk and vector
Dec(mpk, $sk_{\mathbf{x}}$, $ct_\upsilon$): input secret key $sk_{\mathbf{x}}$ and ciphertext

Correctness. For all
Security and Communication Networks

Security.
The proof of security relies on a series of games that cannot be distinguished. We first define the ciphertext and secret key distributions that are needed in the proof.

Ciphertext Distributions
Standard ciphertext: generated by the encryption algorithm:
Entropy expansion ciphertext: the difference between it and the standard ciphertext is given as follows:

Secret Key Distributions
Standard secret key: it is generated by the secret key generation algorithm:
Entropy expansion secret key: compared to the standard secret key, we make a copy of in $H_{p_3}$:
Pseudostandard secret key: compared to the entropy expansion secret key, we make a copy of in $H_{p_3}$:
Pseudosemi-functional secret key: compared to the pseudostandard secret key, we sample $\alpha \leftarrow H_{p_3}$:
Semifunctional secret key: compared to the pseudosemi-functional secret key, we remove :

Games
Assume that an adversary A makes at most $Q$ secret key queries. Let the advantage of A in $\mathrm{Game}_{xx}$ be denoted by $\mathrm{Adv}_{xx}(\lambda)$. In the following, we describe the games in detail; a comparison of the games is given in Table 2.

Proof. Challenger $B_0$ obtains the following distribution: sk: $B_0$ needs to distinguish whether it is the left distribution or the right one in the bilinear entropy expansion lemma. Challenger $B_0$ simulates the secret key generation algorithm and picks $r_j \leftarrow_R \mathbb{Z}_N$ for all $j \in [n]$. Output
Challenge: adversary A sends two equal-length plaintexts ($m_0$ and $m_1$) and the challenge access structure $\upsilon^* = \{(\mathbf{y}_j, \mathbf{z}_j) : j \in [n],\ \mathbf{y}_j, \mathbf{z}_j \in \mathbb{Z}_p^{l'}\}$ to challenger $B_0$ (any query vector $\mathbf{x}'$ in Phase 1 and the challenge access and outputs the challenge ciphertext: $ct_{\upsilon^*}$:
Table 2
given $g_1, g_{23}, h_1, h_2, h_3$
Challenger $B_1$ samples $u_j, v_j, u_j', v_j'$, and α for all $j \in [n]$ and obtains $T, T_j, T_j'$ with $g_1$, $g_2$, and $h_1$. Then, $B_1$ needs to
Challenge: adversary A sends two equal-length plaintexts ($m_0$ and $m_1$) and the challenge access structure $\upsilon^* = \{(\mathbf{y}_j, \mathbf{z}_j) : j \in [n],\ \mathbf{y}_j, \mathbf{z}_j \in \mathbb{Z}_p^{l'}\}$ to challenger $B_1$ (any query vector $\mathbf{x}'$ in Phase 1 and the challenge access structure $\upsilon^*$ do not satisfy $\sum_{j=1}^{n} \omega_j (\mathbf{y}_j + x_j' \cdot \mathbf{z}_j) = \mathbf{1}$). Challenger $B_1$ picks $b \in \{0, 1\}$ and $\mathbf{u} \leftarrow_R \mathbb{Z}_N^{l'-1}$ and outputs the challenge ciphertext:
and $\mathrm{Game}_{i,2}$ outputs
Adversary A observes that the only difference between $\mathrm{Game}_{i,1}$ and $\mathrm{Game}_{i,2}$ is the $i$-th secret key query in $K_0$. Firstly, $h_3^{\alpha} h_1^{u_0 r}$ and $h_1^{u_0 r}$ have the same distribution due to the random numbers α and $r$. Secondly, the output of the decryption algorithm in $\mathrm{Game}_{i,1}$ and $\mathrm{Game}_{i,2}$ is the same because $e(g_1^s, h_3^{\alpha}) = 1$. Therefore, the adversary A cannot distinguish these two secret keys.
Challenge: $\mathrm{Game}_{i,1}$ and $\mathrm{Game}_{i,2}$ have the same distribution because their outputs are entropy expansion challenge ciphertexts.
From the above analysis, we have
There exists a challenger $B_3$ who can solve SD
Proof. Same as Lemma 3, challenger $B_3$ samples $u_j, v_j, u_j', v_j', \alpha$ for all $j \in [n]$ and obtains $T, T_j, T_j'$ with $g_1$, $g_2$, and $h_1$. Then, $B_3$ needs to distinguish whether $T, T_j, T_j'$ is the left distribution or the right one. And challenger $B_3$ outputs
The output is a pseudo-semifunctional secret key if $B_3$ obtains the left distribution, which is . The output is an entropy semifunctional secret key if $B_3$ obtains the right
Therefore, $\mathrm{Game}_{i,2}$ and $\mathrm{Game}_{i,3}$ cannot be distinguished due to $\mathrm{SD}^{H_N}_{p_2 \to p_2 p_3}$. □
Lemma 6 ($\mathrm{Game}_i \equiv \mathrm{Game}_{i-1,3}$). This follows directly from Table 2 (in fact, they have the same secret key and challenge ciphertext).
Proof. Challenger $B_4$ samples $u_j, v_j, u_j', v_j'$ for all $j \in [n]$. The difference between these two games is the challenge ciphertext. In $\mathrm{Game}_{Q+1}$, the challenge ciphertext is obtained from $m$, while the challenge ciphertext in $\mathrm{Game}_{\mathrm{Final}}$ is obtained from a random message. Let us prove that the two games are indistinguishable. Pick random generators $h_{123}$ and $h_3$ of $H_N$ and $H_{p_3}$, respectively. Select $\alpha, \alpha \leftarrow_R \mathbb{Z}_N$ and define $h_{123}^{\alpha} := h_{123}^{\alpha} / h_3^{\alpha}$. We simulate $\mathrm{Game}_{Q+1}$ as follows:
Setup: pick a random generator $h_{123}$ of $H_N$. Sample $w, w_0, w_1, w', w_0', w_1', \alpha, u_0 \leftarrow_R \mathbb{Z}_N$ and output
We can remove $h_3^{\alpha}$ because $e(g_1, h_3^{\alpha}) = 1$.
Stage 1: adversary A queries the secret key corresponding to $\mathbf{x}' = (x_1', \ldots, x_n')$. Challenger $B_4$ simulates the secret key generation algorithm and picks $r, r_j, r_j' \leftarrow_R \mathbb{Z}_N$ for all $j \in [n]$. Output
Challenge: adversary A sends two equal-length plaintexts ($m_0$ and $m_1$) and the challenge access structure $\upsilon^* = \{(\mathbf{y}_j, \mathbf{z}_j) : j \in [n],\ \mathbf{y}_j, \mathbf{z}_j \in \mathbb{Z}_p^{l'}\}$ to challenger $B_4$ (any query vector $\mathbf{x}'$ in Phase 1 and the challenge access structure $\upsilon^*$ do not satisfy $\sum_{j=1}^{n} \omega_j (\mathbf{y}_j + x_j' \cdot \mathbf{z}_j) = \mathbf{1}$). Challenger $B_4$ picks $b \in \{0, 1\}$ and $\mathbf{u} \leftarrow_R \mathbb{Z}_N^{l'-1}$, and outputs the challenge ciphertext:
Guess: adversary A outputs the guess $b'$ about $b$.
We have $e(g_1^s g_2^s, h_3)^{-\alpha}$ in the entropy expansion challenge ciphertext. The distribution of $e(g_1^s g_2^s, h_3)^{-\alpha}$ in $G_T$ is uniform due to the random number α; that is, the ciphertext that encrypts a random message and the ciphertext that encrypts $m$ have the same distribution. Therefore, adversary A cannot distinguish these two entropy expansion ciphertexts.
The indistinguishability between $\mathrm{Game}_i$ and $\mathrm{Game}_{i+1}$ is due to
By Lemmas 3 to 6, we know
Obviously, we have $\mathrm{Adv}_{\mathrm{Final}}(\lambda) = 0$. In summary, the advantage of the adversary A in $\mathrm{Game}_0$ is
$$\mathrm{Adv}_0(\lambda) \le (2Q + 1)\varepsilon. \tag{42}$$
That is, our scheme is adaptively secure under the entropy expansion lemma and the subgroup decision assumption. □

Performance Analysis
At last, we show the difference between our scheme and the existing schemes that support arithmetic span programs in Table 3 (where "T" represents the operation time of the bilinear mapping). Compared with [11], the size of the public parameters of our scheme is smaller (from O(n) to O(1)) and adaptive security is achieved. Compared with [10], our scheme chooses CP-ABE, which is suitable for more flexible application scenarios, and is based on the SD assumption to prove its adaptive security.

Conclusion
In this paper, we present a ciphertext-policy attribute-based encryption scheme that supports arithmetic span programs on composite-order bilinear groups. Firstly, we prove our entropy expansion lemma with a sequence of games and seven lemmas. Secondly, we prove that our scheme is adaptively secure provided that the entropy expansion lemma and the subgroup decision assumption hold.

Proof for the Bilinear Entropy Expansion Lemma
We first list the proof framework through a series of indistinguishable distributions: sk: $K_1 = h_{123}^{r}$,
Proof. The proof is similar to Lemma 3 in [10], and we first modify the game sequence in Lemma 3. , given $g_1, g_2, h_{13}$, where $v_j, v_j' \leftarrow_R \mathbb{Z}_N$, and set $u_j = v_j + j w_1$, $u_j' = v_j' + j w_1'$.
$\mathrm{Game}_i$ ($i = 1, 2, \ldots, n + 1$): modify ct as follows: ct: It is easy to see that $\mathrm{Game}_{0'} \approx \mathrm{Game}_1$. Then, we will prove that $\mathrm{Game}_i \approx \mathrm{Game}_{i+1}$ through the following game sequence.
$\mathrm{Game}_{i,1}$: modify $ct_i$ as follows: