2011 Seventh International Conference on Computational Intelligence and Security
Attribute-based Signcryption with Ciphertext-policy and Claim-predicate Mechanism

Changji Wang, Jiasen Huang
School of Information Science and Technology, Guangdong Province Information Security Key Laboratory, Sun Yat-sen University, Guangzhou 510275, China
Email: [email protected]

Abstract—We propose a new notion called attribute-based signcryption with ciphertext-policy and claim-predicate mechanism (CP2-ABSC), which is inspired by the recent developments in attribute-based encryption and attribute-based signature. In this notion, a signcrypting party, who possesses a set of attributes from the authority, can sign a message with a claim-predicate that is satisfied by his attributes, and encrypt it with an access policy stating what kind of receivers will be able to decrypt the message. As in ciphertext-policy attribute-based encryption (CP-ABE), a user will only be able to decrypt a signcrypted message if that user's attributes satisfy the access policy associated with the signcrypted message. As in attribute-based signature with claim-predicate mechanism (CP-ABS), an unsigncrypting party can verify the authenticity of the signcrypted message against the claim-predicate over the signcrypting party's attributes. We give the formal definition and security model of CP2-ABSC, and propose a CP2-ABSC construction from pairings which is more efficient than the combination of CP-ABE and CP-ABS that provides the same functionality of authenticated encryption. The proposed CP2-ABSC scheme is proved to be secure in the generic group model and random oracle model.
978-0-7695-4584-4/11 $26.00 © 2011 IEEE DOI 10.1109/CIS.2011.204

I. INTRODUCTION

Attribute-based encryption (ABE) was first introduced by Sahai and Waters under the name fuzzy identity-based encryption [1]. The original goal of ABE was to provide an error-tolerant identity-based encryption (IBE) scheme that uses biometric identities. ABE can be viewed as a generalization of IBE which allows security functionalities to be provided based on "attributes" of users rather than their individual identities. ABE provides an access control mechanism over encrypted data using access policies and ascribed attributes among private keys and ciphertexts. A major application of ABE is fine-grained cryptographic access control of data. There are two types of ABE, depending on whether the access policies are associated with private keys or with ciphertexts.

- In key-policy ABE (KP-ABE), attribute sets are used to annotate the ciphertexts, and access policies over these attributes are associated with users' private keys. An example application of KP-ABE is a Pay-TV system with package policy. Goyal et al. [2] provided a KP-ABE construction that allows keys to be expressed by any monotonic formula over encrypted data.
- In ciphertext-policy ABE (CP-ABE), the ciphertext is associated with the access policy and the encrypting party determines the policy under which the data can be decrypted, while the private key is associated with a set of attributes. An example application of CP-ABE is a secure mailing list system with access policy. The first CP-ABE scheme that allows any monotone access structure, with a security proof in the generic bilinear group model, was proposed by Bethencourt et al. [3]. Cheung et al. [4] presented a CCA-secure CP-ABE construction under the decisional Bilinear Diffie-Hellman assumption, but it supports only AND gates in the access structure. Recently, Waters [5] proposed the first fully expressive CP-ABE in the standard model.

The notion of attribute-based signature (ABS) was first introduced by Guo and Zeng [6]. It extends identity-based signature by allowing the identity of a signer to be a set of descriptive attributes rather than a single string representing the signer's identity. Under this notion, a signature attests not to the identity of the individual who signed a message, but to a claim regarding the attributes the underlying signer possesses. ABS has natural applications in many systems where users' capabilities depend on possibly complex combinations of attributes, such as anonymous authentication, simple trust negotiations and attribute-based messaging systems. Guo and Zeng proposed the first ABS scheme, without a strict security proof. Tan et al. [7] showed that Guo and Zeng's ABS scheme is vulnerable to a partial key replacement attack. Shahandashti and Safavi-Naini [8] presented a threshold ABS scheme and discussed its application to anonymous credential systems. Recently, Maji et al. [9] formally gave the syntax and security definitions of ABS, and proposed an ABS construction which was proved secure in the generic group model.

Signcryption was originally proposed by Zheng [10]. It is a primitive that simultaneously performs the functions of both digital signature and encryption in a single logical step, with computation and communication overheads lower than those of the traditional sign-then-encrypt approach. Since the introduction of the primitive, many signcryption schemes in certificate-based public key settings and identity-based settings have been proposed [11]. Attribute-based cryptography has generated much interest in recent years; however, research on signcryption in attribute-based settings has received little attention. Recently, Gagné et al. [12] proposed a threshold attribute-based signcryption scheme with the restriction that the access structure of the encryptor needs to be fixed in the setup phase. Emura et al. [13] then proposed the concept of dynamic attribute-based signcryption, where the access structures of the encryptor can be updated flexibly without re-issuing users' secret keys.

In this paper, we introduce a new signcryption notion called attribute-based signcryption with ciphertext-policy and claim-predicate mechanism (CP2-ABSC). In CP2-ABSC, a user's private key is associated with an arbitrary number of attributes expressed as strings. As in CP-ABE, a user will only be able to decrypt a signcrypted message if that user's attributes satisfy the access policy specified by the sender. As in CP-ABS, a receiver can verify the authenticity of the signcrypted message against the claim-predicate over the sender's attributes. We give the formal definitions and the security model of CP2-ABSC, and propose a CP2-ABSC construction from pairings which is more efficient than the combination of CP-ABE and CP-ABS that provides the same functionality of authenticated encryption. The proposed CP2-ABSC scheme is proved to be secure in the generic group model and random oracle model.

The rest of the paper is organized as follows. Some preliminaries are introduced in Section 2, and the syntax and security definitions of CP2-ABSC are given in Section 3. A CP2-ABSC construction from bilinear pairings is presented in Section 4, and the efficiency and security analysis of the proposed CP2-ABSC scheme are given in Section 5. Finally, we draw conclusions in Section 6.

II. PRELIMINARIES

We first introduce some notation. If $S$ is a set, $x \in_R S$ denotes the operation of picking an element $x$ uniformly at random from $S$. We define the Lagrange coefficient

$$\Delta_{i,S}(x) \stackrel{\text{def}}{=} \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j}$$

for $i \in \mathbb{Z}_p$ and a set $S$ of elements in $\mathbb{Z}_p$.

A. Bilinear Group System and Complexity Assumptions

Definition 1 (Bilinear Map Groups). Let $G_1$, $G_2$ and $G_T$ be three cyclic groups of prime order $p$, and let $P$ be a generator of $G_1$ and $Q$ be a generator of $G_2$. We say that $(G_1, G_2, G_T)$ are bilinear map groups if there exists a bilinear map $e : G_1 \times G_2 \to G_T$ satisfying the following properties:
- Bilinearity: For all $(S, T) \in G_1 \times G_2$ and $a, b \in_R \mathbb{Z}$, $e([a]S, [b]T) = e(S, T)^{ab}$.
- Non-degeneracy: $e(P, Q) \neq 1$.
- Computability: $\forall (S, T) \in G_1 \times G_2$, $e(S, T)$ is efficiently computable.
- There exists an efficient, publicly computable homomorphism $\psi$ from $G_2$ to $G_1$ such that $\psi(Q) = P$, but there exists no efficiently computable homomorphism from $G_1$ to $G_2$.

We call $\Pi = (p, G_1, G_2, G_T, e, \psi)$ a bilinear group system.

Definition 2 (q-DHI Assumption). Consider a prime order group $G_1$ with generator $P$. The q-DHI assumption holds in $G_1$ if, given a $(q+1)$-tuple $(P, [\gamma]P, [\gamma^2]P, \ldots, [\gamma^q]P)$ for $\gamma \in_R \mathbb{Z}_p^*$, it is computationally infeasible to compute $[1/\gamma]P$.

B. Access Structure and Access Tree

Definition 3 (Access Structure). Let $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\mathcal{P}}$ is monotone if for all $B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A} \subseteq 2^{\mathcal{P}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets. In our context, the role of the parties is taken by the attributes. Thus, the access structure $\mathbb{A}$ will contain the authorized sets of attributes.

Definition 4 (Access Tree). Let $\mathcal{T}$ be a tree with root $R$ representing an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. Let $num_x$ and $k_x$ be the number of children and the threshold value of a node $x$, respectively. When $k_x = 1$, the threshold gate is an OR gate, and when $k_x = num_x$, it is an AND gate. Each leaf node $x$ of the tree is described by an attribute and a threshold value $k_x = 1$. We denote the parent of the node $x$ in the tree by $parent(x)$. The function $att(x)$ is defined only if $x$ is a leaf node and denotes the attribute associated with the leaf node $x$ in the tree. The access tree $\mathcal{T}$ also defines an ordering between the children of every node, that is, the children of a node $x$ are numbered from 1 to $num_x$. The function $index(x)$ returns the number associated with the node $x$.

Definition 5 (Satisfying an Access Tree). Let $\mathcal{T}$ be an access tree with root $R$. Denote by $\mathcal{T}_x$ the subtree of $\mathcal{T}$ rooted at the node $x$. If a set of attributes $\rho$ satisfies the access tree $\mathcal{T}_x$, we denote it as $\mathcal{T}_x(\rho) = 1$. We compute $\mathcal{T}_x(\rho)$ recursively as follows. If $x$ is a non-leaf node, evaluate $\mathcal{T}_z(\rho)$ for all children $z$ of node $x$; $\mathcal{T}_x(\rho)$ returns 1 if and only if at least $k_x$ children of $x$ return 1. If $x$ is a leaf node, then $\mathcal{T}_x(\rho) = 1$ if and only if $att(x) \in \rho$.

We define an algorithm $\mathsf{Disperse}(\mathcal{T}, t)$ that takes as input an access policy tree $\mathcal{T}$ and a secret $t$, and returns a set of secret shares $\{\Delta_{\mathcal{T}}(x)\}$, one for each leaf node $x$ of $\mathcal{T}$. The algorithm is described as follows.
- Choose a polynomial $q_x(\cdot)$ for each non-leaf node $x$ in the tree $\mathcal{T}$. These polynomials are chosen in a top-down manner, starting from the root node $R$.
- For each node $x$ in the tree, set the degree $d_x$ of the polynomial $q_x(\cdot)$ to be one less than the threshold value $k_x$ of that node, i.e., $d_x = k_x - 1$.
- Starting with the root node $R$, set $q_R(0) = t$, and choose $d_R$ other points of the polynomial $q_R(\cdot)$ randomly to define it completely. For any other node $x$, set $q_x(0) = q_{parent(x)}(index(x))$ and choose $d_x$ other points randomly to completely define $q_x(\cdot)$.
- At last, for each leaf node $x$ in the tree, set $\Delta_{\mathcal{T}}(x) \stackrel{\text{def}}{=} \Delta_t(x) = q_{parent(x)}(index(x))$.

We also define an algorithm $\mathsf{Aggregate}(\mathcal{T}, \{S_x\})$ that takes as input an access policy tree $\mathcal{T}$ and a set of secret shares corresponding to some leaf nodes of $\mathcal{T}$, $\{S_x = e(G, h)^{r \cdot \Delta_t(x)}\}$, and returns $e(G, h)^{r \cdot t}$ or failure. The algorithm is described as follows.
- Set the state of every node $x$ in the tree $\mathcal{T}$ to be undecided.
- For each node $x$ in the tree, if its secret share is in $\{S_x\}$, then set its state to be satisfied and its corresponding secret share to be $S_x$. Otherwise, set its state to be unsatisfied.
- In a bottom-up manner, for each undecided node $x$, if there exists a set $Sat_x = \{z : z \text{ is a child of } x \wedge \text{the state of } z \text{ is satisfied}\}$ with $|Sat_x| = k_x$, let $B_x \stackrel{\text{def}}{=} \{index(z) : z \in Sat_x\}$ and $i = index(z)$, and compute

$$S_x = \prod_{z \in Sat_x} S_z^{\Delta_{i,B_x}(0)} = \prod_{z \in Sat_x} \left(e(G, h)^{r \cdot q_z(0)}\right)^{\Delta_{i,B_x}(0)} = \prod_{z \in Sat_x} e(G, h)^{r \cdot q_x(i) \cdot \Delta_{i,B_x}(0)} = e(G, h)^{r \cdot q_x(0)},$$

  then set the state of $x$ to be satisfied. Otherwise, set the state of $x$ to be unsatisfied.
- For the root $R$, if its state is satisfied, then the algorithm returns $S_R = e(G, h)^{r \cdot t}$. Otherwise return failure.

III. DEFINITIONS AND SECURITY MODEL OF CP2-ABSC

Let $\mathcal{A} = \{attr_1, \ldots, attr_l\}$ be the universe of possible attributes, where each $attr_i$ denotes an attribute and $n$ is the total number of attributes. Let $\mathcal{R}$ be a finite set of roles, where each role is a subset of attributes, i.e., $\rho \in \mathcal{R}$ and $\rho \subset \mathcal{A}$. Each member has a role in $\mathcal{R}$ and can obtain a private key corresponding to its role. Let $\mathcal{P}$ be a finite set of policies, where each policy can be expressed as a logical function on attributes, $f_\pi(X)$ for any $\pi \in \mathcal{P}$ and $X \subset \mathcal{A}$. Roughly speaking, a message can be encrypted or signed to any policy $\pi$ in $\mathcal{P}$. We allow for an arbitrary predicate called $open$ on the set $\mathcal{P} \times \mathcal{R}$ that specifies which roles in $\mathcal{R}$ can open which policies in $\mathcal{P}$. In the encryption case, a key corresponding to the role $\rho$ can decrypt a ciphertext encrypted under the access policy $\pi$ if and only if the role $\rho$ opens the policy $\pi$, i.e., $open(\pi, \rho) = f_\pi(\rho)$ is TRUE. This kind of encryption is called CP-ABE. In the signature case, everyone can likewise use the access policy (claim-predicate) $\pi$ to verify a signature produced with a key associated with the role $\rho$ if and only if the role $\rho$ opens the policy $\pi$, i.e., $open(\pi, \rho)$ is TRUE. This kind of message authentication differs from that offered by traditional digital signatures in that it supports claims of the form: "a single user, whose attributes satisfy the predicate, endorsed this message."

Definition 6. A CP2-ABSC scheme consists of the following four polynomial-time algorithms.
- Setup: The probabilistic setup algorithm is run by the trusted attribute authority (TAA), which takes as input a security parameter $1^\lambda$. It generates the master key $msk$ and system parameters $mpk$. Note that $mpk$ is made public, while $msk$ is known only to the TAA.
- Key Generation: The probabilistic key generation algorithm is an interaction between a user with a subset of attributes and the TAA. The user proves to the TAA that he holds a subset of attributes. After verifying that this is actually the case, the TAA uses the master secret key $msk$ to generate a private key (which depends on the subset of attributes), and gives it to the user. It is often thought best to use separate key pairs for encrypting and signing, so we provide two kinds of key generation algorithm as follows.
  – sExtract: Given a set of signing attributes $\rho_s$, system parameters $mpk$ and the master key $msk$ as input, the algorithm outputs the private key $sk_{s,\rho_s}$.
  – uExtract: Given a set of encrypting attributes $\rho_u$, system parameters $mpk$ and the master key $msk$ as input, the algorithm outputs the private key $sk_{u,\rho_u}$.
- Signcrypt: The probabilistic signcrypt algorithm is run by a signcrypting party. It takes the system parameters $mpk$, a message $m$, the signcrypting party's private key $sk_{s,\rho_s}$, a claim-predicate $\pi_s$ and a ciphertext-policy $\pi_u$ as input, and outputs a signcrypted message $\delta = \mathsf{Signcrypt}(mpk, sk_{s,\rho_s}, \pi_s, \pi_u, m)$.
- UnSigncrypt: The deterministic unsigncryption algorithm is run by a receiver. It takes the system parameters $mpk$, a signcrypted message $\delta$, the signcrypting party's claim-predicate $\pi_s$, the ciphertext-policy $\pi_u$ and the receiver's private key $sk_{u,\rho_u}$ as input, and outputs either a message $m = \mathsf{UnSigncrypt}(mpk, sk_{u,\rho_u}, \pi_s, \pi_u, \delta)$ or a reject symbol $\bot$.

For consistency, it is required that if $\delta = \mathsf{Signcrypt}(mpk, sk_{s,\rho_s}, \pi_s, \pi_u, m)$, then the output of $\mathsf{UnSigncrypt}(mpk, sk_{u,\rho_u}, \pi_u, \pi_s, \delta)$ is $m$.

A. Security Model for CP2-ABSC

The notion of security with respect to message confidentiality is indistinguishability of encryptions under adaptive chosen plaintext attack. For CP2-ABSC, this notion is captured by the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ who provides the environment for the attack.
- Setup: The challenger $\mathcal{C}$ runs the Setup algorithm on input a security parameter $\lambda$, gives the public parameters $mpk$ to $\mathcal{A}$ and keeps the master key $msk$ secret.
- Phase 1: The adversary $\mathcal{A}$ makes the following queries adaptively.
  – sExtract: $\mathcal{A}$ queries a signing attribute set $\rho_s^i$; the challenger $\mathcal{C}$ answers by running the algorithm $\mathsf{sExtract}(mpk, msk, \rho_s^i)$.
  – uExtract: $\mathcal{A}$ queries an encrypting attribute set $\rho_u^i$; the challenger $\mathcal{C}$ answers by running the algorithm $\mathsf{uExtract}(mpk, msk, \rho_u^i)$.
  – Signcrypt: $\mathcal{A}$ queries a signing attribute set $\rho_s^i$ with claim-predicate $\pi_s^i$, a ciphertext-policy $\pi_u^i$ and a message $m$; the oracle returns an encryption under ciphertext-policy $\pi_u^i$ of the message $m$ signed in the name of the sender with attributes $\rho_s^i$ satisfying the claim-predicate $\pi_s^i$.
- Challenge: At the end of Phase 1, $\mathcal{A}$ submits two distinct messages $m_0$ and $m_1$ of equal length, an attribute set $\rho_s^*$ with claim-predicate $\pi_s^*$, and a ciphertext-policy $\pi_u^*$ to the challenger. $\mathcal{A}$ must have made no uExtract query in Phase 1 on attribute sets which satisfy the ciphertext-policy $\pi_u^*$. $\mathcal{C}$ first picks $b \in_R \{0, 1\}$, then runs $\mathsf{sExtract}(mpk, msk, \rho_s^*)$ and $\mathsf{Signcrypt}(mpk, sk_{s,\rho_s^*}, \pi_s^*, \pi_u^*, m_b) \to \zeta_b^*$. Finally, it sends the target signcrypted message $\zeta_b^*$ to $\mathcal{A}$.
- Phase 2: In this phase, $\mathcal{A}$ asks a polynomially bounded number of the above queries, with the natural restriction that he cannot make uExtract queries on attribute sets which satisfy the ciphertext-policy $\pi_u^*$.
- Guess: Eventually, $\mathcal{A}$ outputs a bit $b'$ and wins the game if $b = b'$.

Note that the security model described above deals with insider security, since the adversary is assumed to have access to the private key of the signcrypting party of a signcrypted message. This means that confidentiality is preserved even if a signcrypting party's private key is compromised. We refer to such an adversary $\mathcal{A}$ as an ABSC-IND-CPA adversary. $\mathcal{A}$'s advantage is defined as $Adv(\mathcal{A}) = |2 \Pr[b = b'] - 1|$. The probability is taken over the random bits used by the challenger and the adversary.

Definition 7. A CP2-ABSC scheme is said to be ABSC-IND-CPA secure if no polynomially bounded adversary $\mathcal{A}$ has a non-negligible advantage of winning the above game.

The notion of security with respect to authenticity is existential unforgeability against adaptively chosen message attacks. For CP2-ABSC, this notion is captured by the following game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.
- Setup: Same as in the above ABSC-IND-CPA game.
- Find: The adversary $\mathcal{A}$ queries the following oracles:
  – sExtract: $\mathcal{A}$ queries a signing attribute set $\rho_s^i$; the challenger $\mathcal{C}$ answers by running the algorithm $\mathsf{sExtract}(mpk, msk, \rho_s^i)$.
  – uExtract: $\mathcal{A}$ queries an encrypting attribute set $\rho_u^i$; the challenger $\mathcal{C}$ answers by running the algorithm $\mathsf{uExtract}(mpk, msk, \rho_u^i)$.
  – Signcrypt: $\mathcal{A}$ queries a signing attribute set $\rho_s^i$ with claim-predicate $\pi_s^i$, a ciphertext-policy $\pi_u^i$ and a message $m$; the oracle returns an encryption under ciphertext-policy $\pi_u^i$ of the message $m$ signed in the name of the sender with attributes $\rho_s^i$ satisfying the claim-predicate $\pi_s^i$.
  – Unsigncrypt: $\mathcal{A}$ queries a signcrypted message $\delta^i$, a claim-predicate $\pi_s^i$, a ciphertext-policy $\pi_u^i$ and an encrypting attribute set $\rho_u^i$; the oracle returns either a message $m$ or a reject symbol $\bot$.
- Forgery: Finally, $\mathcal{A}$ produces a new triple $(\delta^*, \pi_s^*, \pi_u^*)$ that was not obtained from the Signcrypt oracle during the find stage and for which the private key of an attribute set that satisfies the claim-predicate $\pi_s^*$ was not extracted. $\mathcal{A}$ wins the game if the result of $\mathsf{UnSigncrypt}(mpk, sk_{u,\rho_u^*}, \pi_u^*, \pi_s^*, \delta^*)$ is not $\bot$, where $sk_{u,\rho_u^*}$ is the private key of an attribute set $\rho_u^*$ that satisfies the ciphertext-policy $\pi_u^*$.

Note that this definition allows the adversary access to the secret key of the receiver of the forgery, which guarantees insider security.

Definition 8. A CP2-ABSC scheme is said to be existentially unforgeable against adaptive chosen message attack (ABSC-EUF-CMA secure) if no polynomially bounded adversary $\mathcal{A}$ has a non-negligible advantage of winning the above game.

IV. A CP2-ABSC CONSTRUCTION

The scheme is described as follows.
- Setup: The TAA performs as follows.
  – Define the attribute space $\mathcal{A}$.
  – Generate a bilinear group system $\Pi = (p, G_1, G_2, G_T, e, \psi)$ with two generators $G$ and $h$ of $G_1$ and $G_2$, respectively.
  – Choose two collision-resistant hash functions $H_0 : \{0, 1\}^* \to G_2$ and $H_1 : \{0, 1\}^* \to \mathbb{Z}_p^*$.
  – Choose $\alpha, \beta \in_R \mathbb{Z}_p^*$, and set $g = [\beta]G$, $\zeta = e(G, h)^\alpha$. The master secret key is $msk = \{\alpha, \beta, G\}$; the public system parameters are $mpk = \{\Pi, \mathcal{A}, g, h, \zeta, H_0, H_1\}$.
- sExtract: On receiving the key generation request of a user with signing attribute set $\rho_s \subset \mathcal{A}$, the TAA performs as follows.
  – Choose $r_s \in_R \mathbb{Z}_p^*$ and set $D_s = [(\alpha + r_s)/\beta]h$.
  – Choose $r_{s,i} \in_R \mathbb{Z}_p^*$ for each $attr_i \in \rho_s$, and set $D_{s,i} = [r_s]G + [r_{s,i}]\psi(H_0(attr_i))$ and $D'_{s,i} = [r_{s,i}]\psi(h)$.
  The private key corresponding to the signing attribute set $\rho_s$ is $sk_s = (D_s, \{D_{s,i}, D'_{s,i}\}_{attr_i \in \rho_s})$.
- uExtract: On receiving the key generation request of a user with encrypting attribute set $\rho_u \subset \mathcal{A}$, the TAA performs as follows.
  – Choose $r_u \in_R \mathbb{Z}_p^*$ and set $D_u = [(\alpha + r_u)/\beta]h$.
  – Choose $r_{u,i} \in_R \mathbb{Z}_p^*$ for each $attr_i \in \rho_u$, and set $D_{u,i} = [r_u]G + [r_{u,i}]\psi(H_0(attr_i))$ and $D'_{u,i} = [r_{u,i}]\psi(h)$.
  The private key corresponding to the encrypting attribute set $\rho_u$ is $sk_u = (D_u, \{D_{u,i}, D'_{u,i}\}_{attr_i \in \rho_u})$.
- Signcrypt: The signcrypting party with attribute set $\rho_s$ performs as follows.
  – Convert the claim-predicate $\pi_s$ and the ciphertext-policy $\pi_u$ to their corresponding access policy trees $\mathcal{T}_s$ and $\mathcal{T}_u$.
  – Choose $t \in_R \mathbb{Z}_p^*$, and run $\mathsf{Disperse}(\mathcal{T}_u, t)$ and $\mathsf{Disperse}(\mathcal{T}_s, t)$ to get two share sets $\{\Delta^u_t(x)\}$ and $\{\Delta^s_t(x)\}$, respectively.
  – Compute $C_1 = [t]g$, $C_2 = M \oplus \zeta^t$, $B_{u,\omega} = [\Delta^u_t(\omega)]h$ and $B'_{u,\omega} = [\Delta^u_t(\omega)]H_0(att(\omega))$ for $\omega \in \Omega_u \stackrel{\text{def}}{=} \{\omega : \omega \text{ is a leaf node of } \mathcal{T}_u\}$.
  – Choose $k \in_R \mathbb{Z}_p^*$, and compute $V = e(C_1, h)^k$, $c = H_1(M, V, \mathcal{T}_s, \mathcal{T}_u)$, $T = [k]h + [c]D_s$, $B_{s,\omega} = [\Delta^s_t(\omega)]D_{s,i}$ and $B'_{s,\omega} = [\Delta^s_t(\omega)]D'_{s,i}$ for $\omega \in \Omega_s \stackrel{\text{def}}{=} \{\omega : \omega \text{ is a leaf node of } \mathcal{T}_s \wedge att(\omega) = attr_i \in \rho_s\}$.
  – Output the signcrypted message as

$$\delta = (\mathcal{T}_u, C_1, C_2, \{B_{u,\omega}, B'_{u,\omega}\}_{\omega \in \Omega_u}, \mathcal{T}_s, c, T, \{B_{s,\omega}, B'_{s,\omega}\}_{\omega \in \Omega_s}).$$

- UnSigncrypt: On receiving the signcrypted message $\delta$, the receiver recovers the message and verifies the signature as follows.
  – If the node $x$ is a leaf node of $\mathcal{T}_u$ and $att(x) = attr_k \in \rho_u$, compute

$$S^u_x = \frac{e(D_{u,k}, B_{u,x})}{e(D'_{u,k}, B'_{u,x})} = e(G, h)^{r_u \cdot \Delta^u_t(x)}.$$

  After getting all $S^u_x$ for the leaf nodes $x$ of $\mathcal{T}_u$, invoke the algorithm $\mathsf{Aggregate}(\mathcal{T}_u, \{S^u_x\})$ to get $S^u_R = e(G, h)^{r_u \cdot t}$.
  – Similarly, if the node $x$ is a leaf node of $\mathcal{T}_s$ and $B_{s,x} \in \delta$, compute

$$S^s_x = \frac{e(B_{s,x}, h)}{e(B'_{s,x}, H_0(att(x)))} = e(G, h)^{r_s \cdot \Delta^s_t(x)}.$$

  After getting all $S^s_x$ for the leaf nodes $x$ of $\mathcal{T}_s$ with $B_{s,x} \in \delta$, invoke the algorithm $\mathsf{Aggregate}(\mathcal{T}_s, \{S^s_x\})$ to get $S^s_R = e(G, h)^{r_s \cdot t}$.
  – Then, compute

$$Y = \frac{e(C_1, D_u)}{S^u_R}, \qquad M = C_2 \oplus Y, \qquad V = \frac{e(C_1, T)}{(Y \cdot S^s_R)^c}.$$

  – Finally, check whether $c \stackrel{?}{=} H_1(M, V, \mathcal{T}_s, \mathcal{T}_u)$. If so, output $M$. Otherwise output $\bot$.

V. EFFICIENCY AND SECURITY ANALYSIS

Table I compares the efficiency of the proposed CP2-ABSC scheme against the combination of ABE and ABS that provides the same functionality of authenticated encryption. We denote by $M$, $E$ and $B$ a point multiplication in $G_1$ or $G_2$ such as $[s]g$, an exponentiation in $G_T$, and a bilinear pairing operation, respectively, and by $|mpk|$ the size of the public parameters and $|\delta|$ the size of the signcrypted message.

TABLE I. EFFICIENCY COMPARISON

| Schemes | $|mpk|$ | $|\delta|$ | Signcrypt Cost | Unsigncrypt Cost |
|---|---|---|---|---|
| CP-ABE + PE-ABS | $2(|G_1| + |G_2| + |G_T|)$ | $(2n+4)|G_1| + (2n+2)|G_2| + |G_T| + 3|\mathbb{Z}_p^*|$ | $(4+4n)M + 3E + B$ | $3M + (4 + 2n \log n)E + (4n+4)B$ |
| CP2-ABSC | $|G_1| + |G_2| + |G_T|$ | $(2n+1)|G_1| + 2n|G_2| + 2|G_T| + |\mathbb{Z}_p^*|$ | $(3+4n)M + 2E + B$ | $(1 + 2n \log n)E + (4n+1)B$ |

Theorem 1. The proposed CP2-ABSC scheme satisfies the standard consistency constraint.

Theorem 2. The proposed CP2-ABSC scheme is ABSC-IND-CPA secure in the generic group model.

Theorem 3. The proposed CP2-ABSC scheme is ABSC-EUF-CMA secure under the q-DHI assumption in the random oracle model.

Due to space limitations, we will give the proofs in the extended version.

VI. CONCLUSIONS

In this paper, we introduce a new concept called ciphertext-policy and claim-predicate attribute-based signcryption. The formal definitions and security model of CP2-ABSC are given, and a CP2-ABSC construction based on bilinear pairings is presented.

ACKNOWLEDGMENT

This research is funded by the National Natural Science Foundation of China (Grant No. 60503005 and No. 61173189).

REFERENCES

[1] A. Sahai and B. Waters: Fuzzy Identity Based Encryption. In EUROCRYPT 2005, LNCS 3494, Springer-Verlag, 2005, pp. 457–473.
[2] V. Goyal, O. Pandey, A. Sahai and B. Waters: Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data. In ACM Conference on Computer and Communications Security, 2006, pp. 89–98.
[3] J. Bethencourt, A. Sahai and B. Waters: Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security & Privacy, 2007, pp. 321–334.
[4] L. Cheung and C. Newport: Provably Secure Ciphertext Policy ABE. In ACM Conference on Computer and Communications Security, 2007, pp. 456–465.
[5] B. Waters: Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization. In PKC 2011, LNCS 6571, Springer-Verlag, 2011, pp. 53–70.
[6] S.Q. Guo and Y.P. Zeng: Attribute-based signature scheme. In International Conference on Information Security and Assurance, 2008, pp. 509–511.
[7] S.Y. Tan, S.H. Heng, and B.M. Goi: On the Security of an Attribute-Based Signature Scheme. In UNESST 2009, Communications in Computer and Information Science 62, 2009, pp. 161–168.
[8] S.F. Shahandashti and R. Safavi-Naini: Threshold attribute-based signatures and their application to anonymous credential systems. In AFRICACRYPT 2009, pp. 198–216.
[9] H. Maji, M. Prabhakaran and M. Rosulek: Attribute based signatures. In CT-RSA 2011, LNCS 6558, Springer-Verlag, 2011, pp. 376–392.
[10] Y. Zheng: Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption). In CRYPTO 1997, LNCS 1294, Springer-Verlag, 1997, pp. 165–179.
[11] A. W. Dent and Y. L. Zheng: Practical Signcryption. Series: Information Security and Cryptography, Springer, 2010, ISBN: 9783540894094.
[12] M. Gagné, S. Narayan and R. Safavi-Naini: Threshold Attribute-Based Signcryption. In Security and Cryptography for Networks, LNCS 6280, Springer-Verlag, 2010, pp. 154–171.
[13] K. Emura, A. Miyaji and M.S. Rahman: Toward Dynamic Attribute-Based Signcryption (Poster). In ACISP 2011, LNCS 6812, Springer-Verlag, 2011, pp. 439–443.
[14] H. X. Wang, Y. Zhu, R. Q. Feng, et al.: Attribute-based signature with policy-and-endorsement mechanism. Journal of Computer Science and Technology, Vol. 25, No. 6, 2010, pp. 1293–1304.
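The Disperse and Aggregate algorithms of Section II, together with the access-tree satisfaction test of Definition 5, are the mechanism by which Signcrypt spreads the secret $t$ over the leaves of $\mathcal{T}_u$ and $\mathcal{T}_s$ and by which UnSigncrypt recovers $e(G, h)^{r \cdot t}$ from the leaves it can open. The following Python program is an added worked example, not code from the paper or its authors. It implements the top-down polynomial sharing and the bottom-up Lagrange interpolation in the exponent, but replaces the pairing group by a toy prime-order subgroup of $\mathbb{Z}_q^*$ (the parameters P, Q and G, the sample access tree and the attribute sets are all constructed for this example), so the value a receiver reconstructs is $g^{rt} \bmod q$ in place of $e(G, h)^{r \cdot t}$.

```python
import secrets

# Constructed toy parameters (not the paper's pairing groups): Q = 2P + 1 is a
# safe prime, so G = 4 generates the subgroup of prime order P in Z_Q^*.
# Shares live in Z_P (the exponent); blinded shares stand in for the GT values
# e(G, h)^{r * Delta_t(x)} that the paper's Aggregate operates on.
P = 1019
Q = 2039
G = 4

# Access tree encoding (constructed for this example):
#   gate: ('gate', k, [child, ...])   k-of-n threshold, children ordered 1..n
#   leaf: ('attr', 'name')            threshold 1, carries one attribute
# A node is identified by the tuple of child indices on the path from the root.


def lagrange_at_zero(i, S, p=P):
    """Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j) / (i - j)  mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def leaves(tree):
    """Map leaf path -> attribute name (the paper's att(x))."""
    out = {}

    def walk(node, path):
        if node[0] == 'attr':
            out[path] = node[1]
        else:
            for idx, child in enumerate(node[2], start=1):
                walk(child, path + (idx,))
    walk(tree, ())
    return out


def satisfies(tree, attrs):
    """Definition 5: T_x(rho) = 1 iff at least k_x children of x are satisfied."""
    if tree[0] == 'attr':
        return tree[1] in attrs
    _, k, children = tree
    return sum(satisfies(c, attrs) for c in children) >= k


def disperse(tree, t, p=P):
    """Disperse(T, t): top-down Shamir sharing; returns {leaf path: Delta_t(x)}."""
    shares = {}

    def walk(node, secret, path):
        if node[0] == 'attr':
            shares[path] = secret
            return
        _, k, children = node
        # q_x has degree d_x = k_x - 1 with q_x(0) = secret; other coefficients random
        coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
        for idx, child in enumerate(children, start=1):
            val = 0                     # q_x(index(child)) by Horner's rule
            for c in reversed(coeffs):
                val = (val * idx + c) % p
            walk(child, val, path + (idx,))
    walk(tree, t % p, ())
    return shares


def blind(shares, r, g=G, q=Q, p=P):
    """Stand-in for the GT shares: S_x = g^{r * Delta_t(x)} mod q."""
    return {path: pow(g, r * s % p, q) for path, s in shares.items()}


def aggregate(tree, blinded, q=Q, p=P):
    """Aggregate(T, {S_x}): bottom-up Lagrange interpolation in the exponent.
    Returns g^{r t} mod q, or None when the root cannot be satisfied."""
    def walk(node, path):
        if node[0] == 'attr':
            return blinded.get(path)    # None marks an unsatisfied leaf
        _, k, children = node
        sat = []                        # (index(z), S_z) of satisfied children
        for idx, child in enumerate(children, start=1):
            v = walk(child, path + (idx,))
            if v is not None:
                sat.append((idx, v))
            if len(sat) == k:           # the paper combines exactly k_x children
                break
        if len(sat) < k:
            return None
        B = [idx for idx, _ in sat]
        acc = 1
        for idx, v in sat:              # prod S_z^{Delta_{i,B}(0)} = g^{r q_x(0)}
            acc = acc * pow(v, lagrange_at_zero(idx, B, p), q) % q
        return acc
    return walk(tree, ())


def demo(attrs, t=777, r=123):
    """Share t over a constructed 2-of-3 tree, blind with r, reconstruct with attrs.
    Returns (tree satisfied?, aggregated value or None, expected g^{r t})."""
    tree = ('gate', 2, [('attr', 'doctor'),
                        ('attr', 'nurse'),
                        ('gate', 2, [('attr', 'cardiology'), ('attr', 'senior')])])
    blinded = blind(disperse(tree, t), r)
    # A receiver can only form S_x for leaves whose attribute it holds.
    available = {path: blinded[path] for path, a in leaves(tree).items() if a in attrs}
    return satisfies(tree, attrs), aggregate(tree, available), pow(G, r * t % P, Q)


if __name__ == '__main__':
    print(demo({'nurse', 'cardiology', 'senior'}))   # satisfied: value == g^{rt}
    print(demo({'nurse', 'cardiology'}))             # unsatisfied: None
```

Running it shows the two outcomes UnSigncrypt depends on: with attributes that satisfy the tree, the aggregated value equals $g^{rt}$ exactly, although every polynomial coefficient was freshly random; with an attribute set that leaves the AND gate short of one child, Aggregate returns None and nothing about $t$ is learned, since a single share of a degree-one polynomial is uniformly distributed. The Lagrange coefficients are indexed by the children's positions in the tree, which is why a share set can only be recombined along the tree that produced it.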