A Fully Secure KP-ABE Scheme on Prime-Order Bilinear Groups through Selective Techniques

Key-policy attribute-based encryption (KP-ABE) is the cryptographic primitive which enables fine-grained access control while still providing end-to-end encryption. Although traditional encryption schemes can provide end-to-end encryption, users have to either share the same decryption keys or the data have to be stored in multiple instances which are encrypted with different keys. Both of these options are undesirable. However, KP-ABE can provide less key overhead compared to the traditional encryption schemes. While there are a lot of KP-ABE schemes, none of them simultaneously supports multiuse of attributes, adaptive security, monotone span programs, and static security assumption. Hence, we propose a fully secure KP-ABE scheme for monotone span programs in prime-order group. This scheme uses selective security proof techniques to obtain the requisite ingredients for full security proof. This strengthens the correlation between selective and full security models and enables the transition of the best qualities in selective security models to fully secure systems. The security proof is based on decisional linear assumption and three-party Diffie–Hellman assumption.


Introduction
Attribute-based encryption (ABE) is a public key cryptosystem which yields fine-grained access control over ciphertext. Succinctly put, the ABE system allows ciphertext and key to be linked to a set of attributes such that the decryption of a particular ciphertext is feasible only if the set of attributes of a user's secret key satisfies the attributes of the ciphertext. In a key-policy ABE (KP-ABE) construction, for instance, a message is encrypted over an attribute set such as "profession: nurse, sex: female, and institution: hospital A," and keys are generated over an access policy like "profession: nurse ∧ sex: female." The decryption of a given ciphertext is feasible only if the attributes satisfy the access policy. A ciphertext-policy ABE (CP-ABE) construction is the dual of the KP-ABE scheme, with the ciphertext and key attached to the access policy and attributes, respectively [1][2][3].
ABE is a useful cryptographic primitive when data are outsourced to untrusted repositories such as third-party cloud servers. ABE provides an efficient mechanism to share the outsourced data with multiple users based on the users' roles or attributes. While traditional encryption methods can provide end-to-end encryption, users have to either share the same decryption keys or the data have to be stored in multiple instances which are encrypted with different keys. Both of these options are inappropriate. However, ABE can provide less key overhead compared to traditional encryption methods. ABE offers fine-grained access control while still providing end-to-end encryption. In the public repository, a malicious user can obtain stored encrypted data which do not match the secret key for his/her attributes; however, the user cannot access the content of the data without keys that can decrypt it.
Suppose that a patient encrypts his or her personal health data with the attributes {Hospital A, Hospital B, doctor, nurse} and the access control policy is {{Hospital A} and {nurse or doctor}} or {{Hospital B} and {nurse or doctor}}. With this access policy, any nurse or doctor in one of the hospitals satisfies the access policy requirement and can access the encrypted data.
This example is visualized in Figure 1.
However, in this scenario, the challenge is that the attributes "nurse" and "doctor" have been used in the access policy multiple times. An ABE scheme with a single-use restriction on attributes requires that an attribute appear only once in the access structure [3]. One way to overcome this single-use restriction is to fix, in advance, multiple attributes for each use of an attribute, such as nurse-1, doctor-1, nurse-2, doctor-2, and so on. However, there are two problems with this solution. The first is that the maximum number of similar attributes appearing in the access policy must be determined at the setup stage. Hence, the access policies supported by the scheme become restricted. The second is that, in KP-ABE, for example, this solution blows up the size of the ciphertext relative to the maximum number of times an attribute is reused, which reduces performance. Conversely, in a KP-ABE construction that supports multiple use of attributes, policies are not constrained and any combination of attributes can be rendered arbitrarily to create a policy. So, in this KP-ABE construction, the size of the ciphertext becomes policy-independent and compact. The expressiveness of the access policy ensures a rich structure of keys and ciphertexts in an ABE construction [3]. The more expressive an ABE scheme is, the more space is required for the potential access policies and attributes.
This raises substantial obstacles when proving the security of ABE schemes, since the standard notion of security should impose collusion resistance. Thus, a coalition of unqualified users must not be able to aggregate their secret keys to decrypt a ciphertext that none of them is approved to decrypt. Therefore, the security proof must consider an adversary who is capable of collecting different keys, not only the private key formally assigned to him/her. This necessitates security reductions that strike a balance between two conflicting objectives: the simulator should be sufficiently strong to provide an adversary with the numerous keys he/she requests adaptively; however, the simulator should also lack vital information about the strategies of the adversary which enables him/her to achieve success. Thus, the procedures of the adversary should be hidden from the simulator. The foremost security proofs in the standard model for ABE constructions in [4,5] adopt a strategy, known as "partitioning," to reconcile these two objectives. The partitioning proof strategy was formerly employed in the settings of identity-based encryption (IBE) [6][7][8][9][10].
With the partitioning proof, the simulator configures the system in such a way that every possible private key is in one of two spaces: keys which the simulator has the ability to create and keys which she/he cannot [3]. In order to guarantee that the keys that the adversary queries are within the set of keys that the simulator can produce, the previous works [4,5,11] resorted to a weaker security model referred to as "selective security." Unfortunately, under this model, the adversary must announce the access structure to be attacked before being given the public parameters of the system. This does not seem to be a suitable security notion in practice for the high security requirements of real-world applications. As an intermediate step, this concept of selective security is quite useful, but it is unsuitable as an ultimate goal. In the settings of IBE, the drawback of selective security was eliminated by giving the simulator the ability to "guess" a partition and terminate whenever the adversary exceeds its limit [10]. Nevertheless, if this approach is used in ABE schemes, it will lead to an exponential loss of security because the ABE scheme has a highly expressive access policy, which makes it difficult to identify a partition that is consistent with the partial power ordering of each key. Moreover, CP-ABE's selective security is still a challenge, and the state-of-the-art approach in [5] introduced a "q-type" assumption into the fully secure ABE constructions. The q-type assumption in [5] resulted from the need to encode small public parameters with a potentially large access policy. However, since this assumption is extremely complex to understand and also vulnerable to the Cheon attack [12], it leads us to seek a KP-ABE construction which is proven fully secure under simple static assumptions such as the three-party Diffie-Hellman assumption and the decisional linear assumption.
Dual system encryption was introduced by Waters [1] to solve the constraints imposed by the partitioning model. In a dual system encryption proof, the simulator is always configured to produce every key and the challenge ciphertext the adversary requests. The principal idea of the technique is that there are two categories of keys and ciphertexts, namely, "normal" and "semifunctional," which the simulator can produce [1]. A ciphertext can be decrypted with a key when both the key and the ciphertext are not semifunctional. The combination of a ciphertext and a key that are both semifunctional triggers failed decryption because, in the semifunctional space, the hidden objects are not cancelled. The semifunctional keys and ciphertexts are used in the hybrid proof while the normal keys and ciphertexts are used in the actual system. In the hybrid proof, the adversary is given either a normal or a semifunctional ciphertext, and the secret keys that are progressively given to him/her are converted to semifunctional ones, one after the other, until the simulator only issues semifunctional keys in the security game. At this point, it becomes easy to prove the security. The critical step in the hybrid proof is when a key becomes semifunctional. At this stage, depending on the proposition that the key (now semifunctional) cannot correctly decrypt the challenge ciphertext, we show that the adversary cannot recognize the subtle change in the key. However, since the simulator does not need a partition, she/he cannot be restricted from generating a key and testing the workability of the key by himself/herself via decrypting a semifunctional ciphertext with the key.
This challenge in the dual encryption proof was resolved in [13] by guaranteeing that the simulator generates only a key that can decrypt a semifunctional ciphertext, so that decryption is not hindered from the perspective of the simulator irrespective of whether the semifunctional object exists or not. This type of key formed by the simulator is known as a "nominal semifunctional key." Conversely, from the perspective of the adversary, who is restricted from requesting a qualified key, the decryption of the "semifunctional ciphertext" with the "nominal semifunctional key" is hindered. The correlated factor within the nominal semifunctional key and the semifunctional ciphertext which guarantees successful decryption is information-theoretically concealed from the adversary [13]. This presented the first proof of full security in the standard model. Our dual encryption system is constructed over semifunctional and normal spaces. The semifunctional components of ciphertexts and keys are much like the normal components of the actual system except that they are decoupled from the public parameters. This gives us the chance to obtain related parameters in the semifunctional space to create relevant variables during the course of the simulation rather than having all the parameters fixed in the setup phase. The semifunctional space can supply fresh parameters to the simulator for a key isolation mechanism; this implies that every semifunctional key should have a unique distribution through the use of fresh parameters in the semifunctional space. When the simulator first issues a secret key, the challenge access policy is known before the semifunctional parameters are defined. Based on the known access policy, the simulator can embed a difficulty in the secret key from the semifunctional space and later annul this difficulty in the ciphertext.
On the other hand, if a ciphertext is issued first, then the attribute set of the challenge ciphertext is known before the semifunctional parameters are specified. Based on the known attributes, the simulator can also embed a difficulty in the ciphertext from the semifunctional space and later annul this difficulty in the key. The difficulty consists of random variables chosen in the semifunctional space whose attachment to either the secret key or the ciphertext renders decryption invalid unless those variables are cancelled out. The difficulty which is embedded in either the key or the ciphertext requires a complete set of the key's components to cancel it out. However, based on the restriction that the adversary cannot obtain the complete components of a secret key, this difficulty is computationally unknown to him/her. Therefore, the two selective ways of embedding difficulties to prevent correct decryption of a ciphertext can be combined to attain full security in the standard model.

Our Contribution.
We present a KP-ABE scheme in the prime-order setting that supports monotone span programs for access policies. The construction achieves full security through selective techniques. Our scheme is based on simple security assumptions, namely the three-party Diffie-Hellman assumption and the decisional linear assumption. In summary, our KP-ABE scheme simultaneously achieves the following results: (1) It enables arbitrary usage of attributes in the access policy.

Related Works
ABE, which evolved from IBE, was initially designed by Shamir [14] and then constructed in [6,15]. Horwitz and Lynn [16] expanded this idea to hierarchical identity-based encryption (HIBE), which was first constructed by Gentry and Silverberg [17]. In the standard model, some earlier ABE constructions [8][9][10][18] were proven to be selectively secure. Also, an ABE construction has been proven to be secure in the generic group model [19]. Dual encryption proof techniques were further explored in [20,21], applied to attain leakage resilience in [22][23][24], and applied directly to computational assumptions in [25]. Lewko and Waters [3] developed a new methodology to prove full security by integrating selective techniques used to prove selective security for KP-ABE and CP-ABE constructions. However, they used a "q-type assumption" in the security proof, which is susceptible to attack [12]. From the studies in [12], it can be inferred that as "q" grows larger, the "q-type" assumption becomes stronger and the scheme which requires it becomes vulnerable, particularly if "q" scales in a predictable way. Recently, Tomida et al. [26] and Kowalczyk et al. [27] proposed ABE schemes that address the problem of the one-use restriction of attributes in the access policy. The schemes were built on a piecewise guessing framework developed in [28], and they proved adaptive security of the ABE constructions with some polynomial security losses. Nonetheless, these schemes do not directly support span programs (linear secret sharing scheme matrices) to express policies. Song et al. [29] proposed attribute-based encryption which enables users to request their attribute private keys without revealing their attributes to the key generator. Even though this scheme ensures the privacy of users' attributes, it is not fully secure and it does not ensure multiuse of attributes. Recently, Khan et al. [30] proposed efficient attribute-based encryption with repeated attribute optimization.
The authors employed the "RAO" algorithm to remove repeated redundant attribute shares in encryption operations to reduce ciphertext size and computational cost. However, the limitation of this scheme is that the security is proven in the selective model. Also, the scheme is not proven secure against chosen ciphertext attacks but rather against chosen plaintext attacks under the generic bilinear group model. Hence, the scheme does not achieve full security. Table 1 shows the comparison of our scheme with other KP-ABE schemes which satisfy the full security (adaptive security) notion. Note that adaptive security just refers to an adversary who does not execute all the queries at once (batch queries), but rather adapts her/his queries based on previous results (see Definition 10). The last row describes our scheme in Section 4. From Table 1, it can be seen that the JL [26] scheme possesses most of the needed properties of an ABE construction. However, this scheme inherits the problem of polynomial security losses from the "piecewise guessing framework" that was used for its construction. Also, the security of schemes JL [26] and LK [27] was proven in the random oracle model. Therefore, from the authors' point of view, there is no scheme that simultaneously achieves the properties listed in Section 1.1 and that is still able to retain the efficiency of selective security in the standard model.

Organization.
In Section 3, we revise the important concepts on KP-ABE systems in prime-order bilinear groups, along with formal definitions of the complexity assumptions. In Section 4, we provide the construction of our scheme and demonstrate its correctness. Section 5 shows security proof of the scheme. In Section 6, we provide implementation and evaluation of the proposed scheme and other related schemes. Finally, in Section 7, we conclude the work.

Preliminaries
Definition 1 (access structure) [33]. Let $P = \{\rho_1, \rho_2, \ldots, \rho_n\}$ be a set of parties. A collection $A \subseteq 2^P$ is monotone if $B \in A$ and $B \subseteq C$ imply that $C \in A$. An access structure (respectively, monotone access structure) is a collection of nonempty subsets of $P$. The sets in $A$ are authorized sets, and the sets not in $A$ are nonauthorized sets.
Definition 2 (linear secret sharing scheme). A linear secret sharing scheme is made of two algorithms, share and reconstruct. To distribute a secret $s \in \mathbb{Z}_p$ among $n$ parties, the share algorithm sets $r_1 = s$, randomly selects $(r_1, r_2, \ldots, r_t) \in \mathbb{Z}_p^t$, and computes $\rho(i) = \sum_{k=1}^{t} r_k i_k$ for all $1 \le i \le n$. The shadows or shares $\rho(i) = \lambda_i$ are distributed to $n$ distinct parties. Since the secret is the constant term $s = r_1 = \rho(1)$, the reconstruct algorithm recovers the secret from any $t$ shares $\lambda_i$, for the attribute set $S \models A$ and $I = \{i \mid \rho(i) \in S\}$, by computing the linear function of the shares as $\sum_{i \in I} \omega_i \lambda_i = s$, where each constant $\omega_i = \prod_{j \in I, j \neq i} (i/(j-1))$ can be obtained efficiently in polynomial time.
Definition 3 (monotone span program (msp)) [34]. An msp is a linear algebraic model for computing monotone functions. Let $Z$ be a field and $w_1, \ldots, w_n$ be variables. An msp is a tuple $\Delta = (M, \rho)$ where $M \in Z^{t \times n}$ is a matrix and $\rho: \{1, 2, \ldots, t\} \to \{w_1, \ldots, w_n\}$ is a labelling function. The msp $\Delta$ actualizes the monotone access structure $A \subset 2^P$ where $B \in A$ if and only if n is spanned by the rows of the matrix $M$ whose labels belong to $B$. The size of $\Delta$ is $t$, the number of rows in $M$. With regard to secret sharing, the size of the msp is the total number of shares that are given to all parties in $P$.
Definition 4 (bilinear groups). A group generating algorithm G takes a secret parameter $\lambda$ and returns a description of a group G ⟶ $(p, G, G_T, g, e)$, where $p$ is a prime number, $G$ and $G_T$ are cyclic groups of order $p$, $g \in G$ is a generator, and $e: G^2 \to G_T$ is a bilinear map, which has two properties: (1) Bilinearity: $\forall g, h \in G$, $z, y \in \mathbb{Z}_p$, $e(g^z, h^y) = e(g, h)^{zy}$. (2) Nondegeneracy: for generators $g$ and $h$, $e(g, h) \neq 1$.

Security and Communication Networks
Definition 5 (the decisional linear (DLIN) assumption). With a given group generating algorithm G, we define the following distribution: (1) The advantage an algorithm A has in breaking this assumption is We declare that the DLIN assumption is satisfied by G, if for any probabilistic polynomial time (PPT) algorithm A, $\mathrm{Adv}^{dL}_{G,A}(\lambda)$ is negligible.
Definition 6 (the three-party Diffie-Hellman (TPDH) assumption). With a given group generating algorithm G, we define the following distribution: The advantage an algorithm A has in breaking this assumption is We declare that the TPDH assumption is satisfied by G, if for any probabilistic polynomial time (PPT) algorithm A,
Definition 7 (dual pairing vector spaces). We follow the definition of double vector pairing spaces in [35,36]. For $\vec{u} = (u_1, \ldots, u_n) \in \mathbb{Z}_p^n$ and $g \in G$, we write $g^{\vec{u}}$ to represent the $n$-tuple of elements of $G$: We can execute scalar product and exponentiation in the exponent. For any $a \in \mathbb{Z}_p$ and u We define a bilinear map $e_n$ to represent the product of the componentwise pairings: Here, the dot product is executed modulo $p$. We select two random sets of vectors: of $\mathbb{Z}_p^n$ subject to the following constraints: (1) The basis B with the family b Therefore, the two vectors are perpendicular to each other. As a consequence, their dot product yields zero.
Here, it can be seen that we have abused the terminology "orthonormal," since δ is not constrained to 1.
Note that the random selection of $(B, B^*)$ from the sets that satisfy the requirements of dual orthonormality can be done by selecting a set of $n$ vectors (i.e., b uniformly at random from $\mathbb{Z}_p^n$. Then, each vector of $B^*$ is determined from the orthonormality constraint such that, with high probability, the vectors $(B, B^*)$ are linearly independent.
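The following Python sketch is an added example, not code from the paper. It shares and reconstructs a secret with a span program for the hospital policy from the introduction, where "nurse" and "doctor" each label two rows (multi-use), and it samples a dual orthonormal pair $(B, B^*)$ as described in the note above. The matrix `M`, the labelling `RHO`, the toy modulus `P` and all function names are assumptions made for this illustration.

```python
import secrets

P = 2**61 - 1  # toy prime modulus (assumption); the scheme works modulo the group order p

def solve_mod_p(A, b, p=P):
    """Return one x with A x = b (mod p), or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    aug = [[v % p for v in A[r]] + [b[r] % p] for r in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue                              # no pivot here: free variable
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)               # modular inverse (Python 3.8+)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(row[-1] for row in aug[r:]):           # a row reading 0 = nonzero
        return None
    x = [0] * cols                                # free variables set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][-1]
    return x

# One valid span program (constructed for this example) for
# (Hospital A AND (nurse OR doctor)) OR (Hospital B AND (nurse OR doctor)).
# RHO is not injective: "nurse" and "doctor" are each used twice.
M = [[1, 1, 0], [0, -1, 0], [0, -1, 0], [1, 0, 1], [0, 0, -1], [0, 0, -1]]
RHO = ["Hospital A", "nurse", "doctor", "Hospital B", "nurse", "doctor"]

def share(secret, p=P):
    """lambda_i = M_i . v, where v = (secret, random, ..., random)."""
    v = [secret % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]

def reconstruct(shares, attrs, p=P):
    """Recover the secret from the rows labelled by attrs, or None if unauthorized."""
    I = [i for i, label in enumerate(RHO) if label in attrs]
    if not I:
        return None
    target = [1] + [0] * (len(M[0]) - 1)
    # Find w with sum_i w_i * M_i = (1, 0, ..., 0): the unknowns are the w_i,
    # so the coefficient matrix is the transpose of the selected rows.
    A = [[M[i][c] for i in I] for c in range(len(M[0]))]
    w = solve_mod_p(A, target, p)
    if w is None:
        return None                               # target is not in the span
    return sum(wi * shares[i] for wi, i in zip(w, I)) % p

def dual_bases(n, delta, p=P):
    """Sample B uniformly, then derive B* so that b_i . b*_j = delta if i == j else 0."""
    while True:
        B = [[secrets.randbelow(p) for _ in range(n)] for _ in range(n)]
        # Solving B x = e_j gives x with b_i . x = [i == j]; a singular B fails for some j.
        cols = [solve_mod_p(B, [int(i == j) for i in range(n)], p) for j in range(n)]
        if all(c is not None for c in cols):
            return B, [[delta * x % p for x in c] for c in cols]

def dot(u, v, p=P):
    return sum(a * b for a, b in zip(u, v)) % p
```

An attribute set that misses either a hospital or a role cannot combine its rows into $(1, 0, 0)$, so `reconstruct` returns `None` for it regardless of the share values.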
Definition 8 (the subspace assumption). With a given group generating algorithm G, we define the subspace assumption as

We assert that for any PPT algorithm A which returns a value in $\{0, 1\}$, is negligible in the security parameter $\lambda$. The subspace assumption is the application of the DLIN assumption with vectors. The proof of this assumption can be found on pages 37-38 of [3].
(4) Dec(pp, ct, $sk_A$) ⟶ msg: it takes public parameters pp, ciphertext ct, and secret key sk and returns a message msg or ⊥.
3.1. Correctness. A KP-ABE construction is correct if it meets the following requirement. With a given ciphertext and a secret key, if the ciphertext's attribute set matches the key's access structure, then for any msg ∈ Msg, we have
Definition 10 (KP-ABE full security model). The security definition for fully secure KP-ABE is based on an indistinguishability game against a PPT chosen-plaintext attacker. The game between the challenger C and adversary A proceeds as follows:
(1) Setup: the challenger C executes $\text{Setup}(1^\lambda, U) \to (pp, msk)$ and submits pp to adversary A.
(2) Phase 1: A adaptively queries C for the secret keys corresponding to a set of access structures
(3) Challenge: A sends two messages $msg_0^*, msg_1^*$ of equal size together with the set of attributes $S^*$ to C. Then, C tosses a binary coin $b$, executes $ct^* \leftarrow \text{Enc}(pp, msg_b^*, S^*)$, and gives $ct^*$ to A on the condition that $S^*$ does not satisfy any of the access structures queried in phase 1.
(4) Phase 2: A adaptively queries C for the secret keys corresponding to the set of access structures $A_{Q_1+1}, \ldots, A_Q$ with the condition that none of these satisfy $S^*$. Each time, it obtains $sk_A \leftarrow \text{KeyGen}(pp, msk, A_k)$ from C.
(5) At the end, A returns $b^*$ as a guess for $b$, and the adversary A is a winner if $b = b^*$. The advantage of A for this indistinguishability game is defined as
Definition 11. A KP-ABE construction is fully secure if any PPT algorithm A has negligible advantage in the above security game.
Note that with the selective security game, the adversary must announce A before viewing the pp. Henceforth, the term semifunctional will be denoted as SF.

Prime-Order KP-ABE Construction
We use the dual framework of data encryption proof technique in prime-order settings, where orthogonal subspaces within the exponents perform the role of both normal and SF components. Since SF vectors are never published, they can serve as "hidden parameters" which create new randomness even with a fixed size of public parameters. We provide a fresh pair of vectors for each attribute to produce enough randomness to ensure an information-theoretic transition from a nominal SF key (one with SF components but still capable of correctly decrypting an SF ciphertext) to a real SF one (a key which is incapable of decrypting an SF ciphertext). Again, we denote the attribute universe $[U] = \{1, 2, \ldots, U\}$ as the complete number of attributes within the system. The scheme is constructed as follows: i,j are the basis vectors of $(B_j, B_j^*)$ for each $j$ from 0 to $U$. The setup algorithm also picks a quadruple of random exponents $\alpha_1, \alpha_2, r_1, r_2 \xleftarrow{\$} \mathbb{Z}_p$ and another quadruple of ran- Additionally, the master secret key msk is
(2) KeyGen(pp, msk, $A = (M, \rho)$) ⟶ $sk_A$: the algorithm gets the public key pp, a master key msk, and access structure $A = (M, \rho)$, and the algorithm picks randomly $(z_1, z_2, \ldots, z_t), (r_1, r_2, \ldots, r_t) \in \mathbb{Z}_p^t$. Then, set $z_1 = \alpha_1$, $r_1 = \alpha_2$ and compute the shares $\lambda_i = \sum_{k=1}^{t} z_k i_k$ and $\omega_i = \sum_{k=1}^{t} r_k i_k$ for all $1 \le i \le n$, where $(i_1, i_2, \ldots, i_t)$ is the vector of $M_i \in M$ which corresponds to the $i$-th row of $M$. It then picks randomly $a_1, a_2 \in \mathbb{Z}_p$ and outputs
(3) Enc(msg, S, pp) ⟶ ct: the algorithm gets the message msg, attribute set $S$, and public parameter pp, picks randomly $s_1, s_2 \leftarrow \mathbb{Z}_p$, and outputs
(4) Dec(ct, $sk_A$) ⟶ msg: let $S^*$ correspond to the set of attributes associated to ciphertext ct and $M$ be the policy matrix. If $S^*$ satisfies $A$, the decryption algorithm computes $\alpha_1 = \sum_{i \in S^*} \lambda_i \sigma_i$ and where each constant $\sigma_i = \prod_{j \in S^*, i \neq j} (i/(j-1))$ can be obtained efficiently in polynomial time. It then computes Then, the message is retrieved as

Security Proof
Theorem 1. Under the DLIN assumption and TPDH assumption defined in Section 3, our KP-ABE construction is fully secure (i.e., see Definition 11).
The security proof for our construction depends on a hybrid argument over a series of games. We will define the set of keys and ciphertexts that will be used in the games. To commence the security game, first the challenger gen- as the related parameters that will be used in the security proof.

SF Ciphertext.
To create this ciphertext for a set of attributes $S$, firstly, we execute the normal encryption algorithm in equation (15). The ciphertext is made up of the following components: $C_0$, $C_{1,i}\ \forall i \in S$, $C_2$. Then, we pick random values $(B, B^*) \xleftarrow{\$} \text{Dual}(\mathbb{Z}_p^3, \delta)$, $s_3 \in \mathbb{Z}_p$ and multiply $C_{1,i}$ by $g^{s_3 \vec{b}_{5,i}}$. Also, we multiply $C_2$ by $g^{s_3 \vec{b}_6}$. The other component of the ciphertext stays unaltered as shown below.

SF Keys.
To generate these keys for an msp $(M, \rho)$, we first execute the normal key generation algorithm in equation (14) to get a normal key made up of the following components of $K_{1,i} \in \rho(i)$, $K_2$. We then pick random secret values $a_3, \alpha_3 \in \mathbb{Z}_p$ and a random vector $v = (r_1, \ldots, r_t) \in \mathbb{Z}_p^t$ and set the index $r_1 = \alpha_3$. We produce shares for the secret as $\Phi_i = M_i \cdot v^T$, where $M_i$ is the row vector in $M$ with the label $\rho(i)$. The SF key is output as Recall that we do not put a partition on a simulator with a nominal SF key. Therefore, the nominal SF key correlates correctly with the SF ciphertext to allow decryption, regardless of the presence or absence of SF components. This happens because the share of the secret $\alpha_3$ in the SF space is zero.

Ephemeral SF Keys.
These keys are indistinguishable from nominal keys, with the exception that the SF components attached to either $K_{1,i}$ or $K_2$ are now randomized (which prevents accurate SF ciphertext decryption). Concretely, to create an ephemeral SF key for the access matrix $M$, we first execute the normal key generation algorithm in equation (15) to get a normal key made up of the following components of $K_{1,i} \in \rho(i)$, $K_2$. We then pick random secret values $a_3, a_4, a_5, \alpha_3 \in \mathbb{Z}_p$ and a random vector $v = (r_1, \ldots, r_t) \in \mathbb{Z}_p^t$ and set the index $r_1 = \alpha_3$. Note that the value of the secret $\alpha_3$ in the SF space is zero. We produce shares for the secret as $\Phi_i = M_i \cdot v^T$, where $M_i$ is the row vector in $M$ with the label $\rho(i)$. The SF key is output as

Proof Structure.
The hybrid proof is executed over a series of games. Denoting $Q$ as the total number of keys requested by the adversary, we define the series of games as follows: $\text{Game}_{\text{real}}$ is the real security game as in Section 3 (see Definition 10). In $\text{Game}_k$, the ciphertext submitted to the adversary is SF, as are the first $k$ keys. The rest of the keys are normal. $\text{Game}_k^N$ is similar to $\text{Game}_k$, except that the $k$-th key delivered to the adversary is a nominal SF key. The first $k-1$ keys are SF, whereas the rest of the keys are normal. $\text{Game}_k^T$ is similar to $\text{Game}_k$, except that the $k$-th key delivered to the adversary is an ephemeral SF key. The first $k-1$ keys are SF, whereas the rest of the keys are normal. $\text{Game}_{\text{final}}$ is analogous to $\text{Game}_Q$, except that the SF ciphertext delivered to the adversary is an encryption of a random message. The layout of our hybrid argument will be as follows. Firstly, we move from $\text{Game}_{\text{real}}$ to $\text{Game}_0$, then to $\text{Game}_1$, next to $\text{Game}_2$, and so on. Eventually, we get to $\text{Game}_Q$, where all of the keys and the ciphertext delivered to the adversary are SF. Then, we move to $\text{Game}_{\text{final}}$, and this completes our security proof since any adversary in the final game has negligible advantage. The transitions from $\text{Game}_{\text{real}}$ to $\text{Game}_0$ and from $\text{Game}_Q$ to $\text{Game}_{\text{final}}$ are not complicated and can be done with the help of the computational assumptions. However, the transition from $\text{Game}_{k-1}$ to $\text{Game}_k$ is a bit complicated and requires other steps. For these steps, we will consider making the transition between two phases. Phase 1 is when the adversary requests a challenge ciphertext after obtaining the secret key. In phase 2, the adversary requests a secret key after obtaining the challenge ciphertext. Therefore, in order to get from $\text{Game}_{k-1}$ to $\text{Game}_k$, we will transition first from $\text{Game}_{k-1}$ to $\text{Game}_k^N$, then to $\text{Game}_k^T$, and finally to $\text{Game}_k$. We let $Q_1$ represent the number of queries in phase 1, and we will tackle this transition independently for $k \le Q_1$ and $k \ge Q_1$.
The security proofs for phase 1 queries and phase 2 queries are similar to the selective security proofs in the KP-ABE setting and the CP-ABE setting, respectively.

Lemma 1. Under the subspace assumption, no PPT adversary can achieve a non-negligible advantage in distinguishing $\text{Game}_{\text{real}}$ and $\text{Game}_0$.
Proof: Suppose a PPT algorithm A achieves a non-negligible advantage in distinguishing $\text{Game}_{\text{real}}$ from $\text{Game}_0$; then we will construct a PPT algorithm C to break the subspace assumption. We will set the parameters $n_i = 3$, $m = U + 2$, $k_i = 1$ for two values of $i$ and $n_i = 6$, $k_i = 2$ for the remaining values of $i$ in the subspace assumption. To correctly align the assumption notation with our scheme notation, we hereby designate the bases of the assumption as $(B, B^*), (B_0, B_0^*) \in \text{Dual}(\mathbb{Z}_p^3, \delta)$ and $(B_1, B_1^*), \ldots, (B_U, B_U^*) \in \text{Dual}(\mathbb{Z}_p^6, \delta)$. We will exclude the $\mu_3$ term because it is not applicable here. The procedure for simulating $\text{Game}_{\text{real}}$ and $\text{Game}_0$ is described as follows: , e 6 (g d where $\alpha_3$ is the secret; (8.7) let $K_2 = T_2$; (8.8) for $i = 1$ to $Q_1$; To simulate either $\text{Game}_{\text{real}}$ or $\text{Game}_0$, algorithm C sets the bases for the construction as We assert that these are well distributed because $(D^*, D)$, $(D_0^*, D_0)$, etc., are chosen randomly up to sharing the same value $\delta$. Implicitly, C selects $\alpha_1, \alpha_2 \in \mathbb{Z}_p$ and sets $\alpha_1 = \eta\alpha_1$, $\alpha_2 = \beta\alpha_2$. Then, C produces In line 1, the subspace assumption adversary C is given the public parameters of the system and its challenge $\Gamma$. In line 8, A requests its private keys, to which C replies correctly. In line 10, A sends two messages $msg_0^*, msg_1^*$ of the same length with the attribute set $S^*$ to C and requests the challenge ciphertext. In response, C outputs the correct ciphertext tuple $(C_0, C_{1,i}, C_2)\ \forall i \in S^*$ to A with the restriction that the attribute set $S^*$ does not satisfy the access structure, which is enforced by the guard. In line 17, A requests the private key $(K_{1,i}, K_2)\ \forall i \in A_1$ for the second time. C outputs the correct private key to A with the restriction that the access structure $A_1$ does not satisfy the attribute set $S^*$ of the previously queried ciphertext. Eventually, C outputs A's guess as its own guess.
By analysing this game, when the $\tau_3$ terms are absent in the private key, then C correctly simulates $\text{Game}_{\text{real}}$. In this instance, $\Gamma_0$ is used in generating the private key. When the $\tau_3$ terms are present, then C correctly simulates $\text{Game}_0$. In this case, $\Gamma_1$ is used in generating the private key. Therefore, C can capitalize on algorithm A's non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against the subspace assumption.

Lemma 2.
Under the subspace assumption, no PPT adversary can have a non-negligible advantage in distinguishing between $\mathrm{Game}_{k-1}$ and $\mathrm{Game}_k^N$ for any $k$ from 1 to $Q$.
Proof: Suppose a PPT algorithm A achieves a non-negligible advantage in distinguishing $\mathrm{Game}_{k-1}$ from $\mathrm{Game}_k^N$; then we will construct a PPT algorithm C to break the subspace assumption. We will set the parameters $n_i = 3$, $m = U + 2$, $k_i = 1$ for two values of $i$ and $n_i = 6$, $k_i = 2$ for the remaining values of $i$ in the subspace assumption. To correctly align the assumption notation with our scheme notation, we hereby designate the bases of the assumption as $(B, B^*)$, . We will exclude the $\mu_3$ term because it is not applicable here. The procedure for simulating $\mathrm{Game}_{k-1}$ and $\mathrm{Game}_k^N$ is described as follows:

, en(g d (13) let $s_1 \leftarrow \mu_1$, $s_2 \leftarrow \mu_2$, $s_3 \leftarrow \mu_3$;

To simulate either $\mathrm{Game}_{k-1}$ or $\mathrm{Game}_k^N$, algorithm C sets the bases for the construction as

We assert that these are well distributed because $(D^*, D)$, $(D_0^*, D_0)$, etc., are chosen randomly up to sharing the same value $\delta$. Implicitly, C selects $\alpha_1, \alpha_2 \in \mathbb{Z}_p$ and sets $\alpha_1 = \eta\alpha_1$, $\alpha_2 = \beta\alpha_2$. Then, C produces

In line 1, the subspace assumption adversary C is given the public parameters of the system and its challenge $\Gamma$, $U$. In line 8, A requests its private keys, to which C replies correctly. In line 10, A sends two messages $\mathrm{msg}_0^*, \mathrm{msg}_1^*$ of the same length with the attribute $S^*$ to C and requests the challenge ciphertext. In response, C outputs the correct ciphertext tuple $(C_0, C_{1,i}, C_2)\ \forall i \in S^*$ to A with the restriction that the attribute $S^*$ does not satisfy the access structure $A_1$, which is enforced by the guard. In line 18, A requests the private key $(K_{1,i}, K_2)\ \forall i \in A_1$ for the second time. C outputs the correct private key to A with the restriction that the access structure $A_1$ does not satisfy the attribute set $S^*$ of the previously queried ciphertext. Eventually, C outputs A's guess as its own guess.

By analysing this game, when the extra components $\mu_3\vec{b}_{5,i}$ and $\mu_3\vec{b}_6$ on $C_{1,i}$ and $C_2$, respectively, are present, the ciphertext is an SF ciphertext (i.e., $\Gamma^* = \Gamma_1^*$); otherwise, it is a normal ciphertext (i.e., $\Gamma^* = \Gamma_0^*$). Hence, C can simulate both normal and SF ciphertexts. When the $\tau_3$ terms are absent in the private key, C correctly simulates $\mathrm{Game}_{k-1}$. In this instance, $\Gamma_0$ is used in generating the private key. When the $\tau_3$ terms are present, C correctly simulates $\mathrm{Game}_k^N$. In this case, $\Gamma_1$ is used in generating the private key. Therefore, C can capitalize on algorithm A's non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against the subspace assumption.

Lemma 3.
Under the TPDH assumption, no PPT adversary can have a non-negligible advantage in distinguishing between $\mathrm{Game}_k^N$ and $\mathrm{Game}_k^T$ for any $k$ from 1 to $Q_1$ (note that these are phase 1 queries).
Proof: Suppose a PPT algorithm A achieves a non-negligible advantage in distinguishing $\mathrm{Game}_k^N$ from $\mathrm{Game}_k^T$; then we will construct a PPT algorithm C to break the TPDH assumption. C gets $g, g^x, g^y, g^z, T$, where $T$ is either $g^{xyz}$ or a random element of $G$. Algorithm C simulates either Game

The procedure for simulating $\mathrm{Game}_k^N$ and $\mathrm{Game}_k^T$ is described as follows:

, $\Gamma) \leftarrow C$; (2) $b \leftarrow \{0, 1\}$; (3.4) let $g, g^x, g^y, T$; , $e(g, g)^{\alpha_1}, e(g, g)^{\alpha_2}\}$; (6) Output pp ⟶ A;

To simulate either $\mathrm{Game}_k^N$ or $\mathrm{Game}_k^T$, algorithm C sets the bases for the construction as

We assert that these are well distributed because $(B^*, B)$, $(B_0^*, B_0)$, etc., are chosen randomly up to sharing the same value $\delta$.
The SF components b can supply fresh parameters to randomize the ciphertext and the private key, respectively. In line 1, the TPDH assumption adversary C is given the public parameters of the system and its challenge $T$. In line 7, A requests its private keys, to which C replies correctly. In line 9, A sends two messages $\mathrm{msg}_0^*, \mathrm{msg}_1^*$ of the same length with the attribute $S^*$ to C and requests the challenge ciphertext. In response, C outputs the correct ciphertext tuple $(C_0, C_{1,i}, C_2)\ \forall i \in S^*$ to A with the restriction that the attribute $S^*$ does not satisfy the access structure $A_1$, which is enforced by the guard. Eventually, C outputs A's guess as its own guess.

By analysing this game, if $T = g^{xyz}$, then the power vector becomes 5,i as needed for the nominal SF key. Alternatively, this power vector is distributed as random multiples of $\vec{b}^*_{5,i}$, which is required for an ephemeral SF key. Hence, when $T = g^{xyz}$, C has successfully simulated $\mathrm{Game}_k^N$, and if $T$ is a random group element, C has successfully simulated $\mathrm{Game}_k^T$. Therefore, C can capitalize on A's non-negligible advantage in distinguishing between these two games to obtain a non-negligible advantage against the TPDH assumption.

Lemma 4.
Under the TPDH assumption, no PPT adversary can have a non-negligible advantage in distinguishing between $\mathrm{Game}_k^N$ and $\mathrm{Game}_k^T$ for any $k > Q_1$ (note that these are phase 2 queries).
Proof: Suppose a PPT algorithm A achieves a non-negligible advantage in distinguishing Game k 1 and $\mathrm{Game}_k^N$ for some $k$ such that $Q_1 < k \le Q$. We will construct a PPT algorithm C to break the TPDH assumption. C gets $g, g^x, g^y, g^z, T$, where $T$ is either $g^{xyz}$ or a random element of $B^*$. C will simulate either $\mathrm{Game}_k^N$ or $\mathrm{Game}_k^T$ with algorithm A based on $T$. C picks a random dual orthonormal bases dimensions, all with the same value $\delta$. The procedure for simulating $\mathrm{Game}_k^N$ and $\mathrm{Game}_k^T$ is described as follows:

(3.4) $C \leftarrow g, g^x, g^y, g^z, T$; (3.5) let $g, g^x, g^y, T$; with; where $\alpha_2$ is the secret, where $\alpha_3$ is the secret, $A_1 \equiv M_1$; (15.10) guide($S^* \not\models A_1$);

To simulate either $\mathrm{Game}_k^N$ or $\mathrm{Game}_k^T$, algorithm C sets the bases for the construction as

⇀ 1 , where $\alpha_1$ is the secret, (9) } (10) $(C_0, C_{1,i}, C_2) \leftarrow A(\mathrm{msg}_0^*, \mathrm{msg}_1^*, S^*)$ with;

To simulate either $\mathrm{Game}_Q$ or $\mathrm{Game}_{\mathrm{final}}$, algorithm C sets the bases for the construction as

We assert that these are well distributed because $(B^*, B)$, $(B_0^*, B_0)$, etc., are chosen randomly up to sharing the same value $\delta$. Implicitly, C selects $\alpha_1, \alpha_2 \in \mathbb{Z}_p$ and sets $\alpha_1 = \eta\tau_1$, $\alpha_2 = \beta\tau_2$. Then, C produces

In line 1, the subspace assumption adversary C is given the public parameters of the system and its challenge $\Gamma$. In line 8, A requests its private keys, to which C replies correctly. In line 10, A sends two messages $\mathrm{msg}_0^*, \mathrm{msg}_1^*$ of the same length with the attribute $S^*$ to C and requests the challenge ciphertext. In response, C outputs the correct ciphertext tuple $(C_0, C_{1,i}, C_2)\ \forall i \in S^*$ to A with the restriction that the attribute set $S^*$ does not satisfy the access structure, which is enforced by the guard. Eventually, C outputs A's guess as its own guess.

By analysing this game, if the exponent of $T_{1,i}$ is equal to $c_1^* \tau_1 \eta d$ and hence we have a well-distributed SF encryption of $\mathrm{msg}_b^*$, as required in $\mathrm{Game}_Q$.
In this instance, $\Gamma_0$ and $\Gamma_0^*$ are used in generating the challenge ciphertext. If instead the power of 3,i , then we have $\prod_{i=1}^{n} e_6(U_{1,i}, T_{1,i}) = e(g, g)^{(\alpha_1 s_1 + \alpha_2 s_2 + \alpha_3 s_3)\delta}$.
As long as the $\tau_3$ term remains hidden in the SF ciphertext, it provides the blinding factor required for encryption of a random message in $\mathrm{Game}_{\mathrm{final}}$. Consequently, C can capitalize on A's non-negligible advantage in distinguishing between these games to attain a non-negligible advantage against the subspace assumption.

Implementation and Evaluation
We implemented the automated proofs of our KP-ABE scheme in AutoG&P [37]. In all cases, the proof is discovered semiautomatically, with some lines of code involving manual hand-tuning steps.
The implementation was executed on an Intel i7 personal laptop with a 2.2 GHz CPU and 8 GB RAM running macOS High Sierra 10.13.6. The proof-generation time for all the hybrid games of our scheme (i.e., $\mathrm{Game}_{\mathrm{real}} \to \mathrm{Game}_0$,

Additionally, we use the Python cryptographic library charm-crypto 0.43 [38] to implement our KP-ABE scheme and the ABE scheme by Lewko and Waters [3] (Lw), which are the only schemes that support the dual vector subspace assumption and thus whose functionalities are close to our scheme among the known ABE schemes. We used the SS512 elliptic curve with a 512-bit base field and the SHA-3 hash function. We set the number of attributes to 10 and increase it by 10 attributes each time. The benchmarks of the experiments are shown in Figures 2-4.
As can be inferred from Figures 2 and 4, the computation cost of the key generation and encryption algorithms increases with the number of attributes. Our scheme has less computation overhead than the Lw scheme. This is because our scheme performs fewer exponentiations of group elements. Our scheme also has a lower decryption computation cost, which can be inferred from Figure 4. This results from the smaller number of pairing operations in decryption as compared with the Lw scheme.

Theoretical Comparison.
We provide theoretical comparisons with some KP-ABE schemes, which are shown in Tables 2-5. To enable comparison with the JL [26] scheme, which uses an asymmetric elliptic curve, we adopted the approach in [39] to convert Lw [3], GSW [31], and our scheme from the symmetric setting to the asymmetric setting without having to compute isomorphisms between the source groups. We use the "MNT159" asymmetric curve with a 159-bit base field from the charm-crypto Python library. Table 6 gives the cost of the computation operations. The parameters are set as follows:
(i) $m$: the number of attributes.
(ii) $d$: the maximum of multiple use of attributes.
(iii) $n'$: the number of distinct labels ($n' \le n$).
(iv) $n, n_t, n_f$: the number of inputs and non-negated and negated inputs to a policy, respectively ($n = n_t + n_f$).
(v) $I, I_t, I_f$: the number of attributes and non-negated and negated attributes in decryption, respectively ($I = I_t + I_f$).
(vi) $n_1$: the number of rows of a matrix for span programs.
As can be deduced from Tables 2-4, GSW is the most efficient scheme. However, it does not support the multiuse and adaptive security properties. Although JL supports multiuse of attributes in the access policy, the computation cost of key generation increases with multiuse of attributes by the factor of $d$. However, since our scheme and Lw use the selective technique in generation of either the ciphertext or the key, the scheme performance is not affected by the multiuse of attributes. In terms of computation cost of decryption, the number of pairing operations and exponentiations increases with the factor of $d$ in the JL scheme when attributes are reused multiple times. However, our scheme and the Lw scheme are not affected by multiuse of attributes. The computation cost only increases when there is an increment in the size of attributes. From Table 6, we can infer that GSW has the smallest key and ciphertext sizes. However, it does not support multiuse of attributes. Although JL supports multiuse of attributes, the size of the ciphertext increases by the factor of $d$. While the key and ciphertext sizes of Lw and our scheme are not affected by multiuse of attributes, our scheme has smaller key and ciphertext sizes than the Lw scheme.

[Table fragment, layout lost: [3] 4(6n_1) + 4(3) - - - | JL [26] 15n_t + 18n_f 12n′ 3d - | GSW [31] n_1 - - - | - - 4(6m) + 4(3) - | JL [26] 12m 12m 3 - | GSW [31] - - m - | - - - I]
We omit the multiplication cost in the groups ($G_1$, $G_2$, $G_T$) as they are insignificant when comparing with exponentiation and pairing.

Conclusions
In the prime-order bilinear groups, we have introduced a KP-ABE scheme which is fully secure and supports arbitrary usage of attributes in the access policy. This scheme attains full security under the DLIN assumption and the three-party assumption. This work removes the high security loss that is involved in the reuse of attributes and enables the nonrestricted use of attributes. Our key point is inspired by the idea that the information-theoretical steps of the former dual system proof give the adversary excessive ground as if the computational arguments would be enough. So, we revived the earlier selective proof techniques within the framework of dual system encryption to gain enough ground to achieve a full security proof.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.