Traceable Ciphertext-Policy Attribute-Based Encryption with Verifiable Outsourced Decryption in eHealth Cloud

1 School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China 2Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China 3Jiangsu Innovative Coordination Center of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China 4School of Computer Science and Technology, Anhui University, Hefei 230601, China 5School of Computer Science and Technology, Xidian University, Xian 710071, China


Introduction
Electronic health care (eHealth) system is regarded as an outstanding approach to provide well health care service through various emerging technologies, including Internet of Things, cloud computing, mobile computing, and wireless sensor networks.In cloud-assisted eHealth systems, an individual patient integrates his/her personal health information (PHI) collected via various wearable and embedded sensors, stores the PHI in the cloud, and receives real-time and highquality medical treatment.Unfortunately, when the patient enjoys convenient storage services provided by cloud server, the risk of privacy exposure also raises.The sensitive PHI may be exposed to the cloud server which can not be fully trusted.Even worse, the PHI may be widely propagated to unauthorized parties for commerce benefit or other purposes.Thus, the PHI must be encrypted before hosted to the eHealth cloud.Meanwhile, an access policy must be specified to point out who are authorized to access the PHI.
Aiming to realize access control on encrypted message, attribute-based encryption (ABE) [1] was presented to provide an efficient solution to this kind of applications.According to the place where the access policy is embedded, the ABE schemes are divided into two forms, key-policy ABE (KP-ABE) [2] and another type of ABE named ciphertext-policy ABE (CP-ABE) [3].In the former framework, every user's key is labeled with an access policy while the ciphertexts are annotated with chosen sets of attributes.On the contrary, the 2 Wireless Communications and Mobile Computing user's key in CP-ABE is issued according to his/her attributes while the ciphertext is encrypted under an access policy.Since that ABE is a feasible mechanism which preserves the security and privacy of patients' PHI, a series of attribute-based access control systems [4][5][6][7][8] have been proposed, aiming at expressive policies, security, or efficiency.In particular, there remain two significant features to be considered in utilizing ABE technique in eHealth systems.
The first feature is verifiability of outsourced decryption.In most ABE systems [1][2][3][9][10][11][12], the decryption overhead is linear to the scale of involved attributes and expensive for energy-constrained terminals.The decryption outsourcing technique [13] is proposed to reduce the number of exponential operations and bilinear pairing operations on user side by offloading the heavy decryption computation to a third-party server, e.g., the cloud server.The user then recovers the plaintext by executing only one exponential operation over ElGamal-style partial decrypted ciphertext element generated by the third-party server.However, such outsourced scheme can not guarantee the correctness of returned ElGamal-style element.Lai et al. [14] presented the verifiable approach in ABE to check whether the thirdparty server has honestly executed the decryption service.They also bring redundant overhead in both encryption computation and ciphertext size.Qin et al. [15] provided an efficient verifiable ABE scheme which significantly reduces the computation cost in encryption and the decryption overhead for users.
Another considerable feature is traceability.We take CP-ABE as an instance; the private key is generated from some descriptive attributes rather than from a unique identity.Each attribute may be possessed by multiple users.It could be impossible to distinguish who is the original owner of a given private key.Imagine two physicians in eHealth systems, Tomas and Jack.They have the attribute set '{orthopedics department, chief physician}' which is not possessed by any other users.By the key delegate technique [3], both Tomas and Jack can regenerate a private key responding to the set '{orthopedics department, chief physician}' , if there is a third user who can decrypt the ciphertext labeled by access policy '{ 'orthopedics department' AND 'chief physician' }' .Where did the key come from?Tomas or Jack?To solve the problem above, Liu et al. [16] extended an adaptively secure CP-ABE scheme [9] to support 'white-box' traceability, where the malicious user directly leaks his/her private key.Subsequently, Ning et al. [17] constructed a large attribute universe and traceable CP-ABE scheme.On the contrary to the 'small universe' in [3,10,[14][15][16]], the 'large universe' means that the scale of attribute universe is unbounded [18].
However, existing works mostly aimed to support the property of verifiable outsourced decryption or traceability separately.There is no CP-ABE scheme with both verifiable outsourced decryption and white-box traceability in practice: (1) the CP-ABE schemes [16,17] support the traceability well, but the user's decryption cost grow with the attribute number; (2) these CP-ABE schemes [14,15,19,20] provide decryption assistance for users, and the correctness of returned PDC element is guaranteed; however, the traceability property is not addressed.
In this work, we propose a novel verifiable and traceable CP-ABE scheme named VTCP-ABE for eHealth cloud applications.The VTCP-ABE scheme is the first scheme which simultaneously achieves white-box traceability and verifiable outsourced decryption without exposing the physician's identity information.Since we take the 'large universe' scheme [18] as the basis, the attribute universe in our scheme is inherently unbounded.We further extend the VTCP-ABE to support another delegation property.We also provide the formal proof of the selective CPA security, verifiability, and traceability for VTCP-ABE.The comparison and simulation results show that our VTCP-ABE is applicable for practical eHealth cloud applications.In particularly, we make the following contributions: (1) We propose a new VTCP-ABE scheme which simultaneously achieves the properties of verifiable outsourced decryption, white-box traceability, and large universe.An authorized physician can check the correctness of partial decrypted ciphertext (PDC) which is requested from the eHealth CDS.Given a private key, the original owner can be precisely tracked.The attribute universe can be exponentially large and the number of public parameter elements is constant no matter how many attributes are chosen.
(2) We present an efficient approach to prevent the CDS from knowing the fixed identification information of physician during offering decryption service.The original ciphertext and the transmission private key will be preprocessed before being sent to the CDS.This method is acceptable since only two additional exponential operations for each decryption request are added.
(3) We exploit an additional property of delegation for our VTCP-ABE, with which a resource-constrained physician can delegate someone to obtain a PDC element without compromising the privacy of PHI.
Green et al. [13] constructed the first decryption outsourcing ABE, where the most decryption overhead is hosted to a third party.With the returned partial decrypted ciphertext, a user could recover the plaintext message by executing only one exponential operation.Based on the outsourced method [13], Li et al. [7] presented a PHR data sharing scheme for cloud storage applications in the multi-authority settings.In both [7,13], the correctness of returned PDC is not guaranteed.Lai et al. [14] presented an approach to check whether the partial decrypted ciphertext element (transformed ciphertext element) is correctly calculated.Their technique incurred noticeable overhead in both decryption and encryption.Based on key encapsulation mechanism, Lin et al. [19] and Qin et al. [15] separately proposed a fascinating method to support verifiable outsourced decryption in ABE.The difference between [19] and [15] is that, in [19], the hash value of a random group element  is set as the symmetric key to encrypt the original data, then  is encrypted by a ABE scheme to obtain a ABE-type ciphertext, which will be used to generate the verification key.In [15], the original data  is encrypted along with a randomly chosen bit string , while the verification key is set by executing exponential operations in the group by taking the hash values of  and  as exponents.
Liu et al. presented the first adaptively secure and whitebox traceable CP-ABE scheme in [16], where any monotonic LSSS access structure is supported.They further constructed another CP-ABE scheme with black-box traceability in [30].Based on the scheme [31], Ning et al. [17] exploited the whitebox traceability for CP-ABE in large universe settings.From then on, many traceable ABE constructions are proposed in [6,32,33].However, in these traceable schemes [6,16,17,30,32,33], the decryption overhead grows with the scale of attribute set adopted in decryption.
Table 1 compares the characteristics between some related works and our VTCP-ABE.From Table 1, our VTCP-ABE scheme is the only practical scheme to simultaneously support the properties of large universe, verifiable outsourced decryption, white-box traceability, and delegation in CP-ABE.

Linear Secret Sharing Schemes (LSSS)
Definition 1. Linear Secret Sharing Schemes [21,34]: let P denote a set of attributes, and let  be a chosen prime.Let  ∈ Z ×  be a matrix.For all  = 1, . . ., , a function  labels the -th row of  with an attribute (i.e.,  ∈ F([] → P)).A secret sharing scheme Π over the attribute universe P is linear if one has the following: (1) The shares for each attribute make a vector over Z  .
(2) In order to generate the shares of a secret  ∈ Z  , we select the column vector  →  = (,  2 , . . .,   ) ⊤ , where  2 , . . .,   are randomly selected from Z  , then   →  is the shares of  according to Π.The share (  →  )  belongs to the attribute ().
As demonstrated in [34], the linear reconstruction property of LSSS is defined as follows: Suppose (, ) is the access structure T and  is an authorized set.Let  = { : () ∈ } be the index set of rows which are linked with the attributes in .There exist constants {  ∈ Z  } ∈ which satisfy that if {  = (  →  )  } are valid, then we have ∑ ∈     = .

𝜑-Type
Assumption.The security of VTCP-ABE is reduced to a -type assumption [18].Suppose G is a cyclic group and prime  is the group order.Randomly pick  ∈ G and choose , ,  1 ,  2 , . . .,   ∈ Z  .If an adversary A is given the group description (, G, G 1 , ) and Ξ including all of the following terms: It must be hard for A to distinguish the element (, ) The advantage of an algorithm A which solves the above -type problem is Definition 2. We claim that the -type assumption holds if the advantage of all polynomial time adversaries is negligible in the above -type game.

𝜗-Strong Diffie-Hellman Assumption (𝜗-SDH).
The -SDH problem [35,36]: suppose G is a cyclic group.Let prime  be the group order. is randomly selected from G. Given a ( + 1)-tuple (,   ,   2 , . . .,    ), output a pair (,  1/(+) ) ∈ Z  × G.An algorithm A has advantage  in solving -SDH problem if Pr[A(,   ,   2 , . . .,    ) = (, 1/(+) )] ≥ , where the probability is over the random bits consumed by A and the randomness of  ∈ Z  .Definition 3. We claim that the (, , )-SDH assumption holds if the advantage of all -time adversaries is at most  in solving the above -SDH problem.The authority: the authority produces the system parameters and generates private keys for the legal physicians depending on their attributes.It is also in charge of tracing the malicious physicians.

System Architecture and Security Model
The patient: with the help of IOT techniques, the patient integrates and then encrypts his/her PHI under appropriate access policy and further uploads the ciphertext to the eHealth cloud storage server.
The eHealth cloud storage server (CSS): the eHealth CSS provides storage service for the patient.If necessary, the patient can call CSS to delete his/her PHI data.
The eHealth cloud decryption server (CDS): the eHealth CDS provides pre-decryption service of the encrypted PHI and returns the partial decrypted ciphertext to the authorized physician.
The physician: the physician takes responsibility of medical treatment for the patient whose access policy accepts his/her attributes.The physician is also enabled to check the correctness of returned pre-decryption results from the CDS.The malicious physician may leak his private key for economic benefit or some malignant purpose.
We note that the eHealth CSS and CDS are assumed to be semi-trusted as in [22].That is, the CSS and CDS honestly execute the pre-set algorithms.But they attempts to get useful information of the encrypted PHI as much as possible.In addition, the eHealth CDS may want to obtain the identification information of physician.
As one of the important applications in IOT environments, the eHealth cloud system enables the patient to collect his PHI via wearable devices, physiologic sensor nodes and body area networks, etc.Before uploading the PHI to the cloud sever to get real-time health care services, the patient can define expressive access policy of his PHI over descriptive attributes by VTCP-ABE.According to the assigned attributes, the individual physicians have differential flexible access rights.They can provide various (free or paid) health care services by smart devices on condition that their attributes match the access policy of patient's PHI.Our VTCP-ABE also offers the traceability to prevent the key abuse problem and the verifiable outsourced decryption technique to offload most decryption cost to the cloud server and guarantee the returned results.

Definition of VTCP-ABE.
Our VTCP-ABE is comprised by the following seven algorithms.
Setup(, ) → (, ): this algorithm takes in a security parameter  and the system attribute universe .It then outputs the system public parameters  and the master secret key .Besides, it initializes an identity table  = ⌀.
Encrypt (, , T) → (, ).This algorithm takes in a message , , and an access structure T. It then outputs a ciphertext  and a verification key .
KeyGen (, , , ) → (, ).This algorithm takes in , , an identity information  and an attribute set .It then outputs a transmission private key  and a user decryption key .
Pre-Process (, , ) → (, ).This algorithm takes in  and .It then outputs a pre-processed ciphertext  and a pre-processed private key .
Trace (, , , ) →  or ⊤.This algorithm takes in , , , and .It first verifies whether  and  are well-formed.If so, this algorithm outputs the  annotated with  and .Otherwise, it outputs ⊤ implying that  and  are not required to be traced.If  and  can pass a "key sanity check" which means that they can be used in the normal decryption phase, they are called well-formed [16].

CPA Security Model.
Similar to [17,18], the definition of selective security model of VTCP-ABE against chosen plaintext attack (CPA) is given as follows: Init.The adversary A gives the simulator B the challenge access policy T * . Setup Definition 4. We claim that a VTCP-ABE scheme is selectively CPA secure if the advantage is negligible for all PPT adversaries in the above selective security game.

Security Game for Verifiability.
Based on the replayable chosen ciphertext attack (RCCA) security model [13,15], we briefly introduce the verifiability game as follows.
Setup.The challenger B generates (, ) and sends  to the attacker A.
Phase 1. B queries the results from the , , and  oracles as in [15].
Challenge Phase.

The Proposed VTCP-ABE
In this section, we first briefly introduce the techniques of constructing a verifiable and traceable CP-ABE scheme and then give the details of VTCP-ABE construction.

Technical Overview.
To achieve the traceability in [17], each private key is associated with a unique fixed number  so that the key owner cannot re-randomize his own private key to get a completely new key.In the verifiable CP-ABE scheme with outsourced decryption [15], the private key is composed of a transmission key and a user decryption key.The transmission key is sent to a third party to get the partial decryption result and the user decryption key is used to decrypt the partial decryption result and check its correctness.
Our goal is to achieve the efficient user decryption and traceability without compromising the security and privacy.However, if we combine the traceable CP-ABE [17] and the verifiable outsourced decryption approach [15] in a naive way, the fixed identifier number  will be exposed to the eHealth CDS.Even worse, the CDS may use  and the transmission private key to fabricate a key which could pass the check in the traceable algorithm of [17].That is, a legal physician may be framed to be malicious and further revoked from the system.To prevent the CDS from knowing , we process the transmission private key and original ciphertext before submitting them to the eHealth CDS.Meanwhile, we add the user decryption key as input of the traceable algorithm.Finally, we add the property of verifiable outsourced decryption into the traceable CP-ABE scheme [17] at a very low cost on the physician side (one additional element in private key, two additional exponential operations in pre-processing) 4.2.Detailed Construction.We now give the detailed construction of the VTCP-ABE.
Setup.Given a group description  = (, G, G 1 , ), where prime order  is the order of groups (G, G 1 ) and  denotes a map  : G × G → G 1 .The system attribute universe is set as  = Z  .Then randomly pick , , ℏ, , ] ∈ G and ,  ∈ Z  .
After that, this algorithm sets  1 =  1 () and computes a symmetric key  =  3 ().Then it calls  to create a ciphertext   = SE-Encrypt(, ) and the verification key Finally, the ciphertext of PHI data  = (  ,   ) is uploaded to the eHealth CSS as well as .
Pre-Process.The physician can request the PHI ciphertext  = (  ,   ) and  from the eHealth CSS, which will response by the elements  1 ,  2 ,   , and  while the other elements will be sent to the eHealth CDS.

Security Proof
5.1.CPA Security.For simplicity, the security of the presented VTCP-ABE scheme is reduced to that of the traceable scheme [17] which is proved under the -type assumption.We let ∑ − and ∑ − denote the traceable scheme [17] and our VTCP-ABE scheme, respectively.
Proof.Similar to the proof in [15], we define a series of hybrid argument of games as in [37].
Game 0 .Identical to the original security game as defined in Section 3.3.Proof.Suppose that an attacker A can distinguish Game 0 from Game 1 , then we can build a PPT algorithm B to break ∑ − .
Init.The attacker A submits the challenge access policy T * to B. B then sends T * to ∑ − .
B randomly picks  ∈ Z  and sets  = ( K) 1/ =  /(+)   , B implicitly sets  = ( β) 1/ and   = ( β ) According to the analysis in [15] and Lemma 10.Suppose that  is a semantically secure symmetric encryption scheme, then the attacker can not win Game 2 with a non-negligible advantage.
Proof.In Game 2 ,  *  ∈ {0, 1} ℓ  is a truly random symmetric key.An algorithm B can be directly constructed from A to break the semantic security of  * .Therefore, we have Remark that Game 0 is identical to the selective security game for our proposed VTCP-ABE scheme.The advantage is | Pr[ 0 ]−1/2|.Thus, the security of our ∑ − follows.

Verifiability
Theorem 11.Suppose that these two hash functions  1 and  2 are collision-resistant, our proposed VTCP-ABE scheme is privately verifiable.
Proof.Suppose that an attacker A can win the verifiability game, we can employ A to build an algorithm B to break the collision-resistance of  1 and  2 .
Given the challenge hash functions  * 1 and  * 2 , B processes as follows.
B runs Setup to generate  and , except for  *

Wireless Communications and Mobile Computing
A outputs an attribute set  * which satisfies T * and a partially decrypted ciphertext  * =   and   .
If A wins the verifiability game, B will get a message  ∉ { * , ⊥}.Note that the Decrypt algorithm outputs where  1 =  * 1 () and  is recovered from  * and   .
We now analyze the success probability of A by considering the following cases: (1) Thus, B gets a collision of  * 1 .

Traceability
Theorem 12.If the -SDH assumption holds, then our proposed VTCP-ABE scheme is fully traceable on condition that  < , where  is the number of key queries made by the attacker A.
Setup.Key Query.B answers the -th query of (  ,   ) as follows.
If Ψ A does not happen, B randomly picks (  ,   ) ∈ Z  × G as the solution.
As analyzed in [17], B's advantage is non-negligible in solving the -SDH problem.

Performance Comparison
We here compare the performance of the VTCP-ABE scheme with the TCP-ABE scheme [17] and the VCP-ABE scheme [15] in the setting of key encapsulation, where the PHI data is encrypted by a symmetric encryption key  which will be encrypted under an access policy in ABE.
6.1.Numeric Result.Tables 2 and 3 show the numeric comparison between our scheme and other two schemes [15,17].Let , , and  1 be the overhead in executing a bilinear pairing, an exponential operation in G and G 1 , respectively. denotes the system attribute universe.  ,   , and  refer to the set of attributes used in encryption, key generation, and decryption, respectively.Let ℓ  2 be the output length of  2 .
In Table 2, we calculate the computation cost incurred in the following phases: encryption, key generation, predecryption, and user decryption.The user in VCP-ABE and our VTCP-ABE expends constant size computation cost of exponential operation in G 1 .Note that our VTCP-ABE requires two additional exponential operations in the user side since that the ciphertext and transmission key need to be processed before being transmitted to the eHealth CDS.
In Table 3, the length of system public parameter, private key, and ciphertext is calculated by the number of group elements.The VCP-ABE scheme requires more public parameters which are linear with the scale of system attribute universe due to the fact that all the possible attributes need to be listed during the system initialization phase.Compared with the non-outsourced TCP-ABE scheme, our VTCP-ABE requires an additional element as the user decryption key and an output of  2 as the verification key.6.2.Implementation.We implement VCP-ABE scheme [15], TCP-ABE scheme [17], and the proposed VTCP-ABE on a windows 7 platform of an Intel(R) Core(TM) i5-3450 CPU at 3.10 GHz with 8.00 GB Memory.A Type A elliptic curve group is chosen from the JPBC library [38] and the order is a 512-bit prime.We mainly count the computation cost incurred by ABE relevant operations.The computation time of each algorithm is the average of 20 trials.
Figure 2 illustrates the computation cost comparison among VCP-ABE scheme, TCP-ABE scheme, and our proposed VTCP-ABE scheme.
shows the computation time in the initialization phase.In the three schemes, the computation cost is mainly incurred by computing the parameters (, )  and   .
Figures 2(b) and 2(c) show the computation time in the key generation phase and the encryption phase, respectively.It is observed that the key generation cost and encryption overhead in three schemes are linearly with the number of used attributes.More precisely, TCP-ABE and ours require more computation operation than VCP-ABE since that the combination of parameters  and ℏ is employed to indicate an attribute.
Figure 2(d) shows the computation cost in the pre-process phase of our VTCP-ABE.Two exponential and multiplicative operations in group G are required in computing  3 and  3 no matter how many attributes are involved.
Figure 2(e) illustrates the computation cost comparison in the user decryption phase among three schemes.We can find that the user decryption cost in TCP-ABE scheme increases with the number of attributes.Thanks to the efficient outsourced decryption approach, the final decryption costs on the user side in VCP-ABE scheme and ours are significantly lower than that in TCP-ABE and independent of the attribute number.
Figure 2(f) gives the computation cost comparison in tracing the malicious users between TCP-ABE and ours.We can observe that the computation cost in both scheme grows with the number of attributes and our scheme only requires one additional exponential operation in group G 1 .

Delegate Extension
If a physician is in trouble to connect to the eHealth CSS and CDS, he/she can delegate someone to download the PHI ciphertext from the CSS and request the partial decrypted ciphertext from the CDS.However, the access privilege of delegated user has to be restricted.Inspired by [20,39,40], we employ a verifiable random function to limit the access of delegated users to maximum  times and propose a verifiable and traceable CP-ABE scheme with key delegation (VTDCP-ABE).
The Encrypt, KeyGen, Pre-Process, Pre-Decrypt, and Trace algorithms are as well as that in VTCP-ABE.
The -times delegated transmission key is set as   Delegate Pre-Decrypt.The eHealth CDS first initializes a counter  = 0 and a set   = {Γ ,1 } for each delegated user and stores the tuple (,   ) in a delegation list .Once receiving the Pre-Decrypt request from a delegated user, the CDS responds by the following way.
If the above three conditions do not hold, it aborts.Otherwise, it updates  ← +1 and computes the partial decryption ciphertext as Finally, the CDS responds the delegated user by   =    .Then the delegated user gives   and   to the physician.
Decrypt.If the physician interacts with the CSS and CDS directly, this algorithm acts exactly as in the Decrypt algorithm of VTCP-ABE.If the physician asks a delegated user to get the ciphertext and request the outsourced decryption service,  is recovered by  = /(   )  .The verification and PHI decryption operations are identical to that of VTCP-ABE.
Since that the  of physician and  are kept secretly, the delegated user can not obtain any content of the PHI ciphertext except a partial decrypted ciphertext.

Conclusion
In this paper, we have constructed a verifiable and traceable CP-ABE (VTCP-ABE) scheme for eHealth cloud applications, which also achieves the properties of large universe and delegation.With VTCP-ABE, the patient can enforce finegrained access control over his/her PHI in a cryptographical way.Before submitting the encrypted PHI to the eHealth cloud decryption server, a pre-process on the ciphertext and transmission key is employed to preserve the identity privacy of the physician.The correctness of returned ciphertext can be efficiently verified.Moreover, the malicious physician who leaks the private key can be precisely tracked.Besides, we extend the proposed VTCP-ABE to support the delegation property, with which a resource-limited physician can authorize someone else to obtain a partial decrypted ciphertext without exposing the PHI content.The security of VTCP-ABE is proved in the selective model.The extensive experiments illustrate that our VTCP-ABE scheme efficiently achieves verifiability, traceability, and large attribute universe.

3. 1 .
System Description.As shown in Figure1, our VTCP-ABE framework in the eHealth cloud mainly consists of the following components.
Guess.A guesses   for .A's advantage is defined as Pr ) ∉ {,⊥}.A's advantage in this game is defined as  − A. We claim that a VTCP-ABE scheme is verifiable if  − A is negligible for all PPT attackers in the above game.3.5.Security Game for Traceability.The traceability game of our VTCP-ABE is defined as follows.Setup.The challenger B generates (, ) and sends  to the attacker A. It keeps  as a secret key.Key Query.A submits the tuples ( 1 ,  1 ), ( 2 ,  2 ), . . ., (  ,   ) to B, where  refers to the query number that A can make.Key Forgery.A outputs  ⋆ and  ⋆ .A wins if Trace (, ,  ⋆ ,  ⋆ ) ̸ = ⊤ and Trace(, ,  ⋆ ,  ⋆ ) ∉ { 1 ,  2 , . . .,   }.A's advantage is defined as Pr[Trace(, ,  ⋆ ,  Definition 6.We claim that a VTCP-ABE scheme is fully traceable if the advantage is negligible for all PPT attackers in the above game. The attacker A submits an access policy T * and a message  * .B encrypts  * under T * to obtain ( * ,  * ) and sends them to A. Phase 2. A repeats the key queries as in Phase 1. Output.A gives B  * and an attribute set  * which satisfies T * .The attacker A wins the above game if Decrypt ( * ,  * ,  * ⋆ ) ̸ = {⊤} ∪ { 1 ,  2 , . . .,   }].

Table 3 :
The parameter length comparison.