Short CCA-Secure Attribute-Based Encryption

Article history: Received: 16 November, 2017 Accepted: 16 January, 2018 Online: 31 January, 2018


Introduction
Access control is one of the fundamental processes and requirements in cybersecurity. Attribute-based encryption (ABE), invented by Sahai and Waters [1], treats attributes as authorized credentials and makes it possible to realize, by encryption, access control that is functionally close to role-based access control (RBAC).
In key-policy ABE (KP-ABE), introduced in the subsequent work of Goyal, Pandey, Sahai and Waters [2], a secret key is associated with an access policy over attributes, while a ciphertext is associated with a set of attributes. In a dual manner, in ciphertext-policy ABE (CP-ABE) [2,3,4], a ciphertext is associated with an access policy over attributes, while a secret key is associated with a set of attributes. In a KP-ABE or CP-ABE scheme, a secret key works to decrypt a ciphertext if and only if the associated set of attributes satisfies the associated access policy. The remarkable feature of ABE is attribute privacy; that is, in decryption, no information about the access policy and the identity of the secret key owner in the case of KP-ABE (or the attributes and the identity of the secret key owner in the case of CP-ABE) leaks except the fact that the set of attributes satisfies the access policy. Since these proposals, ABE has been studied with the aim of attaining properties such as indistinguishability against chosen-plaintext attacks (IND-CPA) in the standard model [4] and adaptive security against the adversary's choice of a target access policy [5].
In this paper, we address the problem of constructing a shorter ABE scheme that attains indistinguishability against chosen-ciphertext attacks (IND-CCA) in the standard model. Here CCA means that an adversary can collect decryption results of ciphertexts of its choice during its attack. Note that "provable security" of a cryptographic primitive is now a must when we employ the primitive in a system, where it means that an appropriately defined security notion is polynomially reduced to the hardness of a computational problem. Moreover, CCA security is preferable to attain for an encryption scheme because it is one of the theoretically strongest security notions, and hence the scheme can be used widely.
To capture the idea of our approach, let us recall the case of identity-based encryption (IBE). The CHK transformation of Canetti, Halevi and Katz [7] is a generic tool for obtaining an IND-CCA secure IBE scheme. It transforms any hierarchical IBE (HIBE) scheme that is selective-ID IND-CPA secure [8] into an IBE scheme that is adaptive-ID IND-CCA secure [8]. A point of the CHK transformation is that it introduces a dummy identity vk that is a verification key of a one-time signature. Then a ciphertext is attached with vk and a signature σ, which is generated each time one executes encryption. In contrast, the direct chosen-ciphertext security technique for IBE of Boyen, Mei and Waters [9] is an individual modification for obtaining an IND-CCA secure IBE scheme. It converts a HIBE scheme that is adaptive-ID IND-CPA secure into an IBE scheme that is adaptive-ID IND-CCA secure. Though the technique needs to treat each scheme individually, the obtained scheme attains better performance than that obtained by the generic tool (the CHK transformation). Let us turn to the case of ABE. The transformation in [10] is a generic tool for obtaining an IND-CCA secure ABE scheme. It transforms any ABE scheme (with the delegatability or the verifiability [10]) that is IND-CPA secure into an ABE scheme that is IND-CCA secure. A point of their transformation is, similar to the case of IBE, that it introduces a dummy attribute vk that is a verification key of a one-time signature. Then a ciphertext is attached with vk and a signature σ. Notice here that a discussion of direct chosen-ciphertext security modification for ABE (in the standard model) is a missing piece. One reason seems to be the obstacle that a Diffie-Hellman tuple to be verified is in the target group of a bilinear map. In that situation, the bilinear map appears to be of no use.

Our Contribution
A contribution is that we fill in the missing piece; we demonstrate direct chosen-ciphertext security modification in the case of the Waters CP-ABE scheme [4] and the KP-ABE scheme of Ostrovsky, Sahai and Waters [11]. To overcome the above obstacle, we employ the technique of the Twin Diffie-Hellman Trapdoor Test of Cash, Kiltz and Shoup [12]. In addition, we also utilize the algebraic trick of Boneh and Boyen [13] and Kiltz [14] to answer the adversary's decryption queries.

Related Works
Waters [4] pointed out that IND-CCA security would be attained by the CHK transformation. Gorantla, Boyd and Nieto [15] constructed an IND-CCA secure CP-ABKEM in the random oracle model. In [10] the authors proposed a generic transformation of an IND-CPA secure ABE scheme into an IND-CCA secure ABE scheme. Their transformation is considered to be an ABE version of the CHK transformation, and it is versatile. In particular, it can be applied to non-pairing-based schemes.
The Waters CP-ABE [4] can be captured as a CP-ABKEM: the blinding factor can be considered as a random one-time key. This Waters CP-ABKEM is IND-CPA secure because the Waters CP-ABE is proved to be IND-CPA secure. For theoretical simplicity, we demonstrate an individual conversion of the Waters CP-ABKEM into a CP-ABKEM which is IND-CCA secure. Then we provide a CP-ABE scheme which is IND-CCA secure. As for KP-ABE, we demonstrate an individual conversion of KP-ABKEM of Ostrovsky, Sahai and Waters [11], which is IND-CPA secure, into a KP-ABKEM which is IND-CCA secure. Then we provide a KP-ABE scheme which is IND-CCA secure.
Finally, we note that there is remarkable work on CP-ABE schemes and KP-ABE schemes with constant-size ciphertexts [16,17]. Our direct chosen-ciphertext security modification does not yield constant-size ciphertexts but is a different approach, aimed at easier implementation in engineering.

Organization of the Paper
In Section 2, we survey the concepts, definitions and techniques needed. In Section 3, we revisit the concept, the algorithm and the security of the twin Diffie-Hellman technique. In Section 4, we construct a CCA-secure CP-ABKEM from the Waters CPA-secure CP-ABKEM [4], and provide a security proof. Also, we describe the encryption version, a CCA-secure CP-ABE. In Section 5, we construct a CCA-secure KP-ABKEM from the Ostrovsky-Sahai-Waters CPA-secure KP-ABKEM [11], and provide a security proof. Also, we describe the encryption version, a CCA-secure KP-ABE. In Section 6, we compare the efficiency of our CP-ABE and KP-ABE schemes with the original schemes, and also with the schemes obtained by applying the generic transformation [10] to the original schemes. In Section 7, we conclude our work.

Preliminaries
The security parameter is denoted λ. A prime of bit length λ is denoted p. A multiplicative cyclic group of order p is denoted G. The ring of the exponent domain of G, which consists of the integers from 0 to p − 1 with operations modulo p, is denoted $\mathbb{Z}_p$.

Bilinear Map
We remark first that our description in the subsequent sections is in the setting of a symmetric bilinear map for simplicity, but we can employ an asymmetric bilinear map instead for better efficiency, as is noted in Section 6. Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order p. Let g be a generator of $G$ and e be a bilinear map, $e : G \times G \to G_T$. The bilinear map e has the following properties:
1. Bilinearity: for all $u, v \in G$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degeneracy: $e(g, g) \neq \mathrm{id}_{G_T}$ (the identity element of the group $G_T$).
Parameters of a bilinear map are generated by a probabilistic polynomial time (PPT) algorithm Grp on input λ: $(p, G, G_T, g, e) \leftarrow \mathrm{Grp}(\lambda)$.
Hereafter we assume that the group operations in $G$ and $G_T$ and the bilinear map $e : G \times G \to G_T$ are computable in polynomial time in λ.

Access Structure
Let $U = \{\chi_1, \ldots, \chi_u\}$ be a set of attributes, or simply set $U = \{1, \ldots, u\}$ by numbering. An access structure, which corresponds to an access policy, is defined as a collection $A$ of non-empty subsets of $U$; that is, $A \subset 2^U \setminus \{\emptyset\}$. An access structure $A$ is called monotone if for any $B \in A$ and $B \subset C$, $C \in A$ holds. The sets in $A$ are called authorized sets, and the sets not in $A$ are called unauthorized sets. We will consider in this paper only monotone access structures.

Linear Secret-Sharing Scheme
We only describe a linear secret-sharing scheme (LSSS) in our context of attribute-based schemes. A secret-sharing scheme $\Pi$ over the attribute universe $U$ is called linear over $\mathbb{Z}_p$ if:
1. The shares for each attribute form a vector over $\mathbb{Z}_p$.
2. There exists a matrix $M$ of size $l \times n$, called the share-generating matrix for $\Pi$, and a function $\rho$ which maps each row index $i$ of $M$ to an attribute in $U = \{1, \ldots, u\}$: $\rho : \{1, \ldots, l\} \to U$.
To make shares, we first choose a random vector $v = (s, y_2, \ldots, y_n) \in \mathbb{Z}_p^n$, where $s$ is the secret to be shared. For $i = 1$ to $l$, we calculate each share $\lambda_i = v \cdot M_i$, where $M_i$ denotes the $i$-th row vector of $M$ and $\cdot$ denotes the formal inner product. The LSSS $\Pi = (M, \rho)$ defines an access structure $A$ through $\rho$.
Suppose that an attribute set $S$ satisfies $A$ ($S \in A$) and let $I_S = \rho^{-1}(S) \subset \{1, \ldots, l\}$. Then, let $\{\omega_i \in \mathbb{Z}_p ; i \in I_S\}$ be a set of constants (linear reconstruction constants) such that if $\{\lambda_i \in \mathbb{Z}_p ; i \in I_S\}$ are valid shares of a secret $s$ according to $M$, then $\sum_{i \in I_S} \omega_i \lambda_i = s$. It is known that these constants $\{\omega_i\}_{i \in I_S}$ can be found in time polynomial in $l$, the row size of the share-generating matrix $M$. If $S$ does not satisfy $A$ ($S \notin A$), then no such constants $\{\omega_i\}_{i \in I_S}$ exist.
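The share generation and the search for linear reconstruction constants described above can be run end to end. The following is an added example, not code from the paper: the modulus, the policy "1 AND (2 OR 3)", its matrix and all function names are constructed for illustration, and row indices are 0-based where the text uses 1 to l.

```python
import secrets

P = 2**61 - 1  # toy prime standing in for the group order p (constructed value)

def make_shares(M, s, p=P):
    """Shares lambda_i = v . M_i for a random vector v = (s, y_2, ..., y_n)."""
    v = [s % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]

def _solve(aug, ncols, p):
    """Gauss-Jordan elimination mod p on an augmented matrix.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    rows = [[x % p for x in r] for r in aug]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((k for k in range(r, len(rows)) if rows[k][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [x * inv % p for x in rows[r]]
        for k in range(len(rows)):
            if k != r and rows[k][c]:
                f = rows[k][c]
                rows[k] = [(x - f * y) % p for x, y in zip(rows[k], rows[r])]
        pivots.append((r, c))
        r += 1
        if r == len(rows):
            break
    if any(row[-1] for row in rows[r:]):
        return None  # (1, 0, ..., 0) is not in the span of the selected rows
    sol = [0] * ncols
    for ri, ci in pivots:
        sol[ci] = rows[ri][-1]
    return sol

def reconstruction_constants(M, rho, S, p=P):
    """Find omega_i, i in I_S = rho^{-1}(S), with sum_i omega_i * M_i = (1,0,...,0).
    Then sum_i omega_i * lambda_i = v . (1,0,...,0) = s. None means S is unauthorized."""
    I_S = [i for i in range(len(M)) if rho[i] in S]
    n = len(M[0])
    # One linear equation per column j of M; unknowns are the omega_i.
    aug = [[M[i][j] for i in I_S] + [1 if j == 0 else 0] for j in range(n)]
    w = _solve(aug, len(I_S), p)
    return None if w is None else dict(zip(I_S, w))

def reconstruct(shares, omega, p=P):
    """Recombine the shares of the rows in omega into the secret."""
    return sum(w * shares[i] for i, w in omega.items()) % p

# Constructed policy "1 AND (2 OR 3)": rows of M are labelled by rho.
M = [[1, 1], [0, -1], [0, -1]]
RHO = [1, 2, 3]

if __name__ == "__main__":
    secret = 123456789
    shares = make_shares(M, secret)
    for S in ({1, 2}, {1, 3}, {2, 3}, {1}):
        w = reconstruction_constants(M, RHO, S)
        print(sorted(S), "unauthorized" if w is None else reconstruct(shares, w))
```
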

Attribute-Based Key Encapsulation Mechanism
Ciphertext-policy attribute-based key encapsulation mechanism (CP-ABKEM). A CP-ABKEM consists of four PPT algorithms (Setup, Encap, KeyGen, Decap).
Setup(λ, U). A setup algorithm Setup takes as input the security parameter λ and the attribute universe $U = \{1, \ldots, u\}$. It returns a public key PK and a master secret key MSK.
Encap(PK, A). An encapsulation algorithm Encap takes as input the public key PK and an access structure A. It returns a random string κ and its encapsulation ψ. Note that A is contained in ψ.
KeyGen(PK, MSK, S). A key generation algorithm KeyGen takes as input the public key PK, the master secret key MSK and an attribute set S. It returns a secret key $SK_S$ corresponding to S. Note that S is contained in $SK_S$.
Decap(PK, $SK_S$, ψ). A decapsulation algorithm Decap takes as input the public key PK, an encapsulation (we also call it a ciphertext according to context) ψ and a secret key $SK_S$. It first checks whether $S \in A$, where S and A are contained in $SK_S$ and ψ, respectively. If the check result is False, it puts κ = ⊥. It returns a decapsulation result κ.
Chosen-Ciphertext Attack on CP-ABKEM. According to previous works (for example, see [15]), the chosen-ciphertext attack on a CP-ABKEM is formally defined as the indistinguishability game (IND-CCA game). In this paper, we consider the selective game on a target access structure (IND-sel-CCA game); that is, the adversary A declares a target access structure $A^*$ before A receives a public key PK, which is defined as the following experiment.
In the above experiment, two kinds of queries are issued by A. One is key-extraction queries. Indicating an attribute set $S_i$, A queries its key-extraction oracle KeyGen(PK, MSK, ·) for the secret key $SK_{S_i}$. Here we do not require any input attribute sets $S_{i_1}$ and $S_{i_2}$ to be distinct. Another is decapsulation queries. Indicating a pair $(S_j, \psi_j)$ of an attribute set and an encapsulation, A queries its decapsulation oracle $\mathrm{Decap}(PK, SK_{\cdot}, \cdot)$ for the decapsulation result $\kappa_j$. Here an access structure $A_j$, which is used to generate an encapsulation $\psi_j$, is implicitly included in $\psi_j$. In the case that $S \notin A$, $\kappa_j = \bot$ is replied to A. Both kinds of queries are at most $q_k$ and $q_d$ times in total, respectively, which are polynomial in λ.
The access structure $A^*$ declared by A is called a target access structure. Two restrictions are imposed on A concerning $A^*$. In key-extraction queries, each attribute set $S_i$ must satisfy $S_i \notin A^*$. In decapsulation queries, each pair $(S_j, \psi_j)$ must satisfy $S_j \notin A^* \lor \psi_j \neq \psi^*$.
The advantage of the adversary A over CP-ABKEM in the IND-CCA game is defined as the following probability: . CP-ABKEM is called selectively secure against chosen-ciphertext attacks if, for any PPT adversary A and for any attribute universe U, $\mathrm{Adv}^{\text{ind-sel-cca}}_{A,\text{CP-ABKEM}}(\lambda, U)$ is negligible in λ. Here we must distinguish two cases: the case that U is small (i.e. $|U| = u$ is bounded by a polynomial of λ) and the case that U is large (i.e. u is not necessarily bounded by a polynomial of λ). We assume the small case in this paper.
In the indistinguishability game against chosen-plaintext attacks (IND-CPA game), the adversary A issues no decapsulation query (that is, $q_d = 0$).

Ciphertext-Policy Attribute-Based Encryption Scheme (CP-ABE)
In the case of the encryption version (i.e. CP-ABE), Encap(PK, A) and Decap(PK, $SK_S$, ψ) are replaced by PPT algorithms Encrypt(PK, A, m) and Decrypt(PK, $SK_S$, CT), respectively, where m and CT mean a message and a ciphertext, respectively.
The IND-CCA game for CP-ABE is defined in the same way as for CP-ABKEM above, except for the following difference. In Challenge phase, the adversary A submits two equal-length messages (plaintexts) $m_0$ and $m_1$. Then the challenger flips a coin $b \in \{0, 1\}$ and gives an encryption result CT of $m_b$ to A. In Guess phase, the adversary

Key-Policy Attribute-Based Key Encapsulation Mechanism (KP-ABKEM) and Encryption Scheme (KP-ABE).
The key-policy case is defined analogously to the ciphertext-policy case. We state only the syntax and the security experiment of the key-policy ABKEM.
Setup(λ, U). A setup algorithm Setup takes as input the security parameter λ and the attribute universe $U = \{1, \ldots, u\}$. It returns a public key PK and a master secret key MSK.
Encap(PK, S). An encapsulation algorithm Encap takes as input the public key PK and an attribute set S. It returns a random string κ and its encapsulation ψ. Note that S is contained in ψ.
KeyGen(PK, MSK, A). A key generation algorithm KeyGen takes as input the public key PK, the master secret key MSK and an access structure A. It returns a secret key $SK_A$ corresponding to A. Note that A is contained in $SK_A$.
Decap(PK, $SK_A$, ψ). A decapsulation algorithm Decap takes as input the public key PK, an encapsulation (we also call it a ciphertext according to context) ψ and a secret key $SK_A$. It first checks whether $S \in A$. If the check result is False, it puts κ = ⊥. It returns a decapsulation result κ.
Chosen-Ciphertext Attack on KP-ABKEM. The selective game on a target attribute set (IND-sel-CCA game) is defined by the following experiment.

Target Collision Resistant Hash Functions
Target collision resistant (TCR) hash functions [18] are treated as a family. Let us denote a function family as $\mathrm{Hfam}(\lambda) = \{H_\mu\}_{\mu \in \mathrm{HKey}(\lambda)}$. Here $\mathrm{HKey}(\lambda)$ is a hash key space, $\mu \in \mathrm{HKey}(\lambda)$ is a hash key and $H_\mu$ is a func-
Given a PPT algorithm CF, a collision finder, we consider the following experiment (the target collision resistance game).
then return Win else return Lose.
Then we define CF 's advantage over Hfam in the game of target collision resistance as follows.

The Twin Diffie-Hellman Technique Revisited
is called a twin Diffie-Hellman tuple if the tuple is written as $(g, g^{x_1}, g^{x_2}, g^y, g^{x_1 y}, g^{x_2 y})$ for some elements $x_1, x_2, y$ in $\mathbb{Z}_p$. In other words, a 6-tuple $(g, X_1, X_2, Y, Z_1, Z_2)$ is a twin Diffie-Hellman tuple (twin DH tuple, for short) if $Y = g^y$ and $Z_1 = X_1^y$ and $Z_2 = X_2^y$. The following lemma of Cash, Kiltz and Shoup will be used in the security proof to decide whether a tuple is a twin DH tuple or not.
Lemma 1 ("Trapdoor Test" [12]) Let $X_1, r, s$ be mutually independent random variables, where $X_1$ takes values in G, and each of r, s is uniformly distributed over $\mathbb{Z}_p$. Define the random variable $X_2 = X_1^{-r} g^s$. Suppose that $\hat{Y}, \hat{Z}_1, \hat{Z}_2$ are random variables taking values in G, each of which is defined independently of r. Then the probability that the truth value of $\hat{Z}_1^r \hat{Z}_2 = \hat{Y}^s$ does not agree with the truth value of (g,
Note that Lemma 1 is a statistical property. In particular, Lemma 1 holds without any number-theoretic assumption. To be precise, we consider the following experiment of an algorithm Cheat with unbounded computational power (not limited to PPT), where Cheat, given a triple $(g, X_1, X_2)$, tries to complete a 6-tuple $(g, X_1, X_2, \hat{Y}, \hat{Z}_1, \hat{Z}_2)$ which passes the "Trapdoor Test" but which is not a twin DH tuple.
is NOT a twin DH tuple, then return Win else return Lose.
Let us define the advantage of Cheat over G as follows.
Adv twinDH-test Now we are ready to complement Lemma 1.
Lemma 2 (Complement for "Trapdoor Test" [12]) For any algorithm Cheat with unbounded computational power, Adv twinDH-test For a proof of Lemma 2, see Appendix A.
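The statistical nature of the Trapdoor Test can be checked exhaustively in a small group. The following is an added example, not code from the paper: it assumes a toy order-p subgroup of the integers modulo a safe prime as a stand-in for the prime-order group, with constructed exponents, and it enumerates every trapdoor (r, s) consistent with a fixed public $X_2$ to count how many accept a given tuple. A twin DH tuple is accepted by all p trapdoors, and a tuple that is not a twin DH tuple by at most one, which is the 1/p error bound of the Trapdoor Test in [12].

```python
# Toy group (constructed): Q = 2P + 1 with P and Q prime; G = 4 generates the
# order-P subgroup of Z_Q^*. All names below are illustrative.
Q, P, G = 2039, 1019, 4

def exp(base, e):
    """base^e in the order-P subgroup (exponents live in Z_P)."""
    return pow(base, e % P, Q)

def make_X2(X1, r, s):
    """X2 = X1^{-r} g^s, where (r, s) is the trapdoor kept by the tester."""
    return exp(X1, -r) * exp(G, s) % Q

def trapdoor_test(Y, Z1, Z2, r, s):
    """The check Z1^r * Z2 == Y^s, which needs only the trapdoor (r, s)."""
    return exp(Z1, r) * Z2 % Q == exp(Y, s)

def is_twin_dh(x1, x2, Y, Z1, Z2):
    """Ground truth, computable here only because the toy exponents are known."""
    return Z1 == exp(Y, x1) and Z2 == exp(Y, x2)

def accepting_trapdoors(x1, x2, Y, Z1, Z2):
    """Count the r in Z_P for which the test accepts (Y, Z1, Z2).
    For fixed X1 = g^x1 and X2 = g^x2, each r fixes s = x2 + r*x1, so the
    P pairs (r, s) are exactly the trapdoors an observer of X2 cannot tell apart."""
    X1, X2 = exp(G, x1), exp(G, x2)
    hits = 0
    for r in range(P):
        s = (x2 + r * x1) % P
        assert make_X2(X1, r, s) == X2  # every r yields the same public X2
        hits += trapdoor_test(Y, Z1, Z2, r, s)
    return hits

def demo():
    """Return accept counts for a twin DH tuple and two tuples that are not."""
    x1, x2, y = 123, 456, 789            # constructed exponents
    Y = exp(G, y)
    Z1, Z2 = exp(Y, x1), exp(Y, x2)      # honest twin DH values
    good = accepting_trapdoors(x1, x2, Y, Z1, Z2)
    bad_z1 = accepting_trapdoors(x1, x2, Y, Z1 * G % Q, Z2)  # Z1 off by a factor g
    bad_z2 = accepting_trapdoors(x1, x2, Y, Z1, Z2 * G % Q)  # Z2 off by a factor g
    return good, bad_z1, bad_z2

if __name__ == "__main__":
    print(demo())
```
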

Securing the Waters CP-ABKEM against Chosen-Ciphertext Attacks
In this section, we describe our direct chosen-ciphertext security technique by applying it to the Waters CP-ABE [4].
Overview of Our Modification. The Waters CP-ABE is proved to be secure in the IND-sel-CPA game [4]. We convert it into a scheme that is secure in the IND-sel-CCA game by employing the Twin Diffie-Hellman technique of Cash, Kiltz and Shoup [12] and the algebraic trick of Boneh and Boyen [13] and Kiltz [14]. In encryption, a ciphertext comes to contain two additional elements $(d_1, d_2)$, which function in decryption as a "check sum" to verify that a tuple is indeed a twin DH tuple.
In the security proof, the Twin Diffie-Hellman Trapdoor Test performs this function instead. It is noteworthy that we are unable to use the bilinear map for this purpose because the tuple to be verified is in the target group. In addition, the algebraic trick makes it possible to answer the adversary's decryption queries. Note also that both techniques become compatible by introducing random variables.
Key Encapsulation and Encryption. The Waters CP-ABE can be captured as a CP-ABKEM: the blinding factor of the form $e(g, g)^{\alpha s}$ in the Waters CP-ABE can be considered as a random one-time key. So we call it the Waters CP-ABKEM hereafter and denote it as CP-ABKEM$_{\text{cpa}}$. Likewise, we distinguish parameters and algorithms of CP-ABKEM$_{\text{cpa}}$ by the index cpa. For theoretical simplicity, we first develop a KEM CP-ABKEM.

Our Construction
Our CP-ABKEM consists of the following four PPT algorithms (Setup, Encap, KeyGen, Decap). Roughly speaking, the Waters original scheme CP-ABKEM$_{\text{cpa}}$ (the first scheme in [4]) corresponds to the case $k = 1$ below, excluding the "check sum" $(d_1, d_2)$.
KeyGen(MSK, PK, S). The key generation algorithm KeyGen takes as input the master secret key MSK, the public key PK and a set S of attributes. KeyGen first chooses a random $t_k \in \mathbb{Z}_p$, $k = 1, \ldots, 4$. It generates the secret key $SK_S$ as follows.
Decap(PK, ψ, $SK_S$). The decapsulation algorithm Decap takes as input the public key PK, an encapsulation ψ for an access structure $A = (M, \rho)$ and a private key $SK_S$ for an attribute set S. It first checks whether $S \in A$. If the result is False, put κ = ⊥. Otherwise, let $I_S = \rho^{-1}(S) \subset \{1, \ldots, l\}$ and let $\{\omega_i \in \mathbb{Z}_p ; i \in I_S\}$ be a set of linear reconstruction constants. Then, the decapsulation κ is computed as follows.

Security and Proof
Theorem 1 If the Waters CP-ABKEM$_{\text{cpa}}$ [4] is selectively secure against chosen-plaintext attacks and an employed hash function family Hfam has target collision resistance, then our CP-ABKEM is selectively secure against chosen-ciphertext attacks. More precisely, for any given PPT adversary A that attacks CP-ABKEM in the IND-sel-CCA game where decapsulation queries are at most $q_d$ times, and for any small attribute universe U, there exist a PPT adversary B that attacks CP-ABKEM$_{\text{cpa}}$ in the IND-sel-CPA game and a PPT target collision finder CF on Hfam that satisfy the following tight reduction.
Proof. Given any adversary A that attacks our scheme CP-ABKEM in the IND-sel-CCA game, we construct an adversary B that attacks the Waters scheme CP-ABKEM$_{\text{cpa}}$ in the IND-sel-CPA game as follows.
Commit to a Target Access Structure. B is given (λ, U) as inputs, where λ is the security parameter and $U = \{1, \ldots, u\}$ is the attribute universe. B invokes A on input (λ, U) and gets a target access structure $A^* = (M^*, \rho^*)$ from A, where $M^*$ is of size $l^* \times n^*$. B uses $A^*$ as its own target access structure and outputs $A^*$.
Set up. In return for outputting $A^*$, B receives the public key $PK_{\text{cpa}}$ for CP-ABKEM$_{\text{cpa}}$, which consists of the following components: $PK_{\text{cpa}} = (g, g^a, h_1, \ldots, h_u, e(g, g)^{\alpha})$.
To set up a public key PK for CP-ABKEM, B herein needs a challenge instance: B queries its challenger and gets a challenge instance $(\kappa, \psi^*_{\text{cpa}})$. It consists of the following components. $\kappa = e(g, g)^{\alpha s^*}$ OR a random one-time key $\kappa \in \mathrm{KeySp}(\lambda)$, . . , l * )). Then B makes the rest of the parameters of PK as follows.
Then B inputs PK into A. Note that PK determines the corresponding MSK uniquely.
Phase 1. B answers two types of A's queries as follows.
(1) Key-Extraction Queries. In the case that A issues a key-extraction query for an attribute set $S \subset U$, B has to simulate A's challenger. To do so, B issues key-extraction queries to B's challenger for S repeatedly up to four times. As replies, B gets four secret keys of the Waters CP-ABKEM$_{\text{cpa}}$ for a single attribute set S: $SK_{\text{cpa},S,k} = (K_{\text{cpa},k}, L_{\text{cpa},k}, (K_{\text{cpa},k,x} ; x \in S))$, $k = 1, \ldots, 4$.
We remark that, according to the randomness in the key-generation algorithm of the Waters CP-ABKEM$_{\text{cpa}}$, all four secret keys $SK_{\text{cpa},S,1}, \ldots, SK_{\text{cpa},S,4}$ are random and mutually independent. To reply with a secret key $SK_S$ of our CP-ABKEM to A, B converts the four secret keys as follows.
(2) Decapsulation Queries. In the case that A issues a decapsulation query for (S, ψ), where $S \subset U$ is an attribute set and $\psi = (\psi_{\text{cpa}}, d_1, d_2)$ is an encapsulation concerning A, B has to simulate A's challenger. To do so, B computes the decapsulation result κ as follows.
If $S \notin A$ then put κ = ⊥,
Challenge. In the case that A queries its challenger for a challenge instance, B makes a challenge instance as follows.
Guess. In the case that A returns A's guess b, B returns b itself as B's guess.
In the above construction of B, B can perfectly simulate the real view of A until the case Abort happens, except for a negligible case, and hence the algorithm A works as designed. To see the perfect simulation with a negligible exceptional case, it suffices to prove the following seven claims.

Claim 1 The reply SK . . . , 4) for a key-extraction query of A is a perfect simulation.
Proof. We must consider the implicit relations (1). For the index 2, we have implicitly set the randomness $t_2 = t_{\text{cpa},2}(-\gamma_1)$ and we get:
Proof. This claim can be proved by a short calculation. See Appendix C.

Claim 4 Consider the following event which we name as
In the i-th TwinDH-Test, the following condition holds: is NOT a twin DH tuple.
Then, for at most $q_d$ decapsulation queries of A, the probability that at least one $\mathrm{Overlook}_i$ occurs is negligible in λ. More precisely, the following inequality holds:
Proof. To apply Lemma 2, we construct an algorithm $\mathrm{Cheat}_{\lambda,U}$ with unbounded computational power, which takes as input $(e(g, g), e(g, g)^{\alpha_1}, e(g, g)^{\alpha_2})$ and returns $(\hat{Y}, \hat{Z}_1, \hat{Z}_2)$, employing the adversary A as a subroutine. Fig. 1 shows the construction. First, note that the view of A in $\mathrm{Cheat}_{\lambda,U}$ is the same as the real view of A and hence the algorithm A works as designed.
Second, note that the return $(\hat{Y}, \hat{Z}_1, \hat{Z}_2)$ of $\mathrm{Cheat}_{\lambda,U}$ is randomized in TABLE. Hence:
Third, applying Lemma 2 to $\mathrm{Cheat}_{\lambda,U}$, we get:
Combining (3) and (4), we have:
Claim 5 The probability that $\mathrm{Overlook}_i$ never occurs in TwinDH-Test for every i and Abort occurs is negligible in λ. More precisely, the following inequality holds:
Proof. This claim is proved by constructing a collision finder CF on Hfam. See Appendix D.

Claim 6 The reply κ to A as an answer for a decapsulation query is correct.
Proof. These two claims are proved by a direct calculation. See Appendices E and F, respectively.
Evaluation of the Advantage of B. Now we are ready to evaluate the advantage of B in the IND-sel-CPA game. That A wins in the IND-sel-CCA game means that $(\kappa, \psi^* = (\psi^*_{\text{cpa}}, d_1^*, d_2^*))$ is correctly guessed. This is equivalent to $(\kappa, \psi^*_{\text{cpa}})$ being correctly guessed because $\psi^*_{\text{cpa}}$ uniquely determines the consistent blinding factor $\kappa^* = e(g, g)^{\alpha s^*}$. This means that B wins in the IND-sel-CPA game.

Encryption Scheme from KEM
It is straightforward to construct our encryption scheme CP-ABE from CP-ABKEM. The IND-sel-CCA security of CP-ABE is proved based on the IND-sel-CPA security of the Waters KEM CP-ABKEM$_{\text{cpa}}$.
Setup(λ, U). The same as Setup of CP-ABKEM.
Encrypt(PK, A, m). The same as Encap of CP-ABKEM except that Encrypt multiplies m by the blinding factor κ in the group $G_T$. Encrypt returns $CT = (C = m\kappa, \psi = (\psi_{\text{cpa}}, d_1, d_2))$.
KeyGen(MSK, PK, S). The same as KeyGen of CP-ABKEM.
Decrypt(PK, CT, $SK_S$). The same as Decap of CP-ABKEM except that Decrypt divides C by the decapsulated blinding factor κ. Decrypt returns the result m.

Security and Proof
Theorem 2 If the Waters CP-ABKEM$_{\text{cpa}}$ [4] is selectively secure against chosen-plaintext attacks and an employed hash function family Hfam has target collision resistance, then our CP-ABE is selectively secure against chosen-ciphertext attacks. More precisely, for any given PPT adversary A that attacks CP-ABE in the IND-sel-CCA game where decryption queries are at most $q_d$ times, and for any small attribute universe U, there exist a PPT adversary B that attacks CP-ABKEM$_{\text{cpa}}$ in the IND-sel-CPA game and a PPT target collision finder CF on Hfam that satisfy the following inequality.
Proof. Given any adversary A that attacks our scheme CP-ABE in the IND-sel-CCA game, we construct an adversary B that attacks the Waters KEM CP-ABKEM$_{\text{cpa}}$ in the IND-sel-CPA game as follows.
Commit to a Target Access Structure. The same as that of CP-ABKEM.
Set up. In return for outputting $A^*$, B receives the public key $PK_{\text{cpa}}$ for CP-ABKEM$_{\text{cpa}}$. To set up a public key PK for CP-ABE, B herein needs a challenge instance: B queries its challenger and gets a challenge instance $(\kappa, \psi^*_{\text{cpa}})$. The rest of the procedure is the same as that of CP-ABKEM, and B inputs PK into A.
Phase 1. The same as that of CP-ABKEM except that B replies with a decrypted message m to A for a decryption query.
Challenge. In the case that A submits two plaintexts $(m_0^*, m_1^*)$ of equal length, B makes a challenge ciphertext $CT^*$ as follows and feeds $CT^*$ to A. ).
Phase 2. The same as in Phase 1.
Guess. In the case that A returns A's guess b, B returns b as B's guess.
Evaluation of the Advantage of B. A standard argument deduces a loss of tightness by a factor of 1/2. That is;

Securing the Ostrovsky-Sahai-Waters KP-ABKEM against Chosen-Ciphertext Attacks
In this section, we describe our direct chosen-ciphertext security modification by applying it to the Ostrovsky-Sahai-Waters KP-ABE [11].
Overview of Our Modification. The Ostrovsky-Sahai-Waters KP-ABE is proved to be secure in the IND-sel-CPA game [11]. We convert it into a scheme that is secure in the IND-sel-CCA game by employing the Twin Diffie-Hellman technique of Cash, Kiltz and Shoup [12] and the algebraic trick of Boneh and Boyen [13] and Kiltz [14].
In encryption, a ciphertext comes to contain two additional elements $(d_1, d_2)$, which function in decryption as a "check sum" to verify that a tuple is indeed a twin DH tuple.
In the security proof, the Twin Diffie-Hellman Trapdoor Test performs this function instead. It is noteworthy that we are unable to use the bilinear map for this purpose because the tuple to be verified is in the target group. In addition, the algebraic trick makes it possible to answer the adversary's decryption queries. Note also that both techniques become compatible by introducing random variables.
Key Encapsulation and Encryption. The Ostrovsky-Sahai-Waters KP-ABE can be captured as a KP-ABKEM: the blinding factor of the form $e(g, g)^{a \alpha s}$ in the Ostrovsky-Sahai-Waters KP-ABE can be considered as a random one-time key. So we call it the Ostrovsky-Sahai-Waters KP-ABKEM hereafter and denote it as KP-ABKEM$_{\text{cpa}}$. Likewise, we distinguish parameters and algorithms of KP-ABKEM$_{\text{cpa}}$ by the index cpa. For theoretical simplicity, we first develop a KEM KP-ABKEM.

Our Construction
Our KP-ABKEM consists of the following four PPT algorithms (Setup, Encap, KeyGen, Decap). Roughly speaking, the Ostrovsky-Sahai-Waters original scheme KP-ABKEM$_{\text{cpa}}$ (the first scheme in [11]) corresponds to the case $k = 1$ below, excluding the "check sum" $(d_1, d_2)$.
Setup(λ, U). Setup takes as input the security parameter λ and the attribute universe $U = \{1, \ldots, u\}$. It runs Grp(λ) to get $(p, G, G_T, g, e)$, where $G$ and $G_T$ are cyclic groups of order p, $e : G \times G \to G_T$ is a bilinear map and g is a generator of $G$. These become public parameters. Then Setup chooses u random group elements $h_1, \ldots, h_u \in G$ that are associated with the u attributes. In addition, it chooses random exponents $\alpha_k \in \mathbb{Z}_p$, $k = 1, \ldots, 4$, $a \in \mathbb{Z}_p$ and a hash key $\eta \in \mathrm{HKey}(\lambda)$. The public key is published as $PK = (g, g^a, h_1, \ldots, h_u, e(g, g)^{a\alpha_1}, \ldots, e(g, g)^{a\alpha_4}, \eta)$. The authority sets $MSK = (\alpha_1, \ldots, \alpha_4)$ as the master secret key.
Encap(PK, S). The encapsulation algorithm Encap takes as input the public key PK and a set S of attributes. Encap first chooses a random value $s \in \mathbb{Z}_p$ that is the encryption randomness. Then, a pair of a random one-time key and its encapsulation (κ, ψ) is computed as follows.
Put $C = g^s$; for $x \in S$: $C_x = h_x^s$; $\psi_{\text{cpa}} = (S, C, (C_x ; x \in S))$, $\tau \leftarrow H_\eta(\psi_{\text{cpa}})$;
random values $y_{k,2}, \ldots, y_{k,n} \in \mathbb{Z}_p$ and forms a vector $v_k = (\alpha_k, y_{k,2}, \ldots, y_{k,n})$. Then, for $i = 1$ to $l$, it calculates $\lambda_{k,i} = v_k \cdot M_i$, where $M_i$ denotes the i-th row vector of M, and it chooses random values $r_{k,i} \in \mathbb{Z}_p$. KeyGen generates the secret key $SK_A$ as follows.
Decap(PK, ψ, $SK_A$). The decapsulation algorithm Decap takes as input the public key PK, an encapsulation ψ for an attribute set S and a private key $SK_A$ for an access structure $A = (M, \rho)$. It first checks whether $S \in A$. If the result is False, put κ = ⊥. Otherwise, let $I_S = \rho^{-1}(S) \subset \{1, \ldots, l\}$ and let $\{\omega_i \in \mathbb{Z}_p ; i \in I_S\}$ be a set of linear reconstruction constants. Then, the decapsulation κ is computed as follows.

Security and Proof
Theorem 3 If the Ostrovsky-Sahai-Waters KP-ABKEM$_{\text{cpa}}$ [11] is selectively secure against chosen-plaintext attacks and an employed hash function family Hfam has target collision resistance, then our KP-ABKEM is selectively secure against chosen-ciphertext attacks. More precisely, for any given PPT adversary A that attacks KP-ABKEM in the IND-sel-CCA game where decapsulation queries are at most $q_d$ times, and for any small attribute universe U, there exist a PPT adversary B that attacks KP-ABKEM$_{\text{cpa}}$ in the IND-sel-CPA game and a PPT target collision finder CF on Hfam that satisfy the following tight reduction.
Proof. We will omit the description of the proof because the proof goes analogously to the case of CP-ABKEM in Section 4.2.  d 1 , d 2 )).
The same as Decap of KP-ABKEM except that Decrypt divides C by the decapsulated blinding factor κ. Decrypt returns the result m.

Security and Proof
Theorem 4 If the Ostrovsky-Sahai-Waters KP-ABKEM$_{\text{cpa}}$ [11] is selectively secure against chosen-plaintext attacks and an employed hash function family Hfam has target collision resistance, then our KP-ABE is selectively secure against chosen-ciphertext attacks. More precisely, for any given PPT adversary A that attacks KP-ABE in the IND-sel-CCA game where decryption queries are at most $q_d$ times, and for any small attribute universe U, there exist a PPT adversary B that attacks KP-ABKEM$_{\text{cpa}}$ in the IND-sel-CPA game and a PPT target collision finder CF on Hfam that satisfy the following inequality.
Proof. We will omit the description of the proof because the proof goes in the same way as the case of CP-ABE in Section 4.4.

Efficiency Discussion
First of all, we remark that our individual modification to attain CCA security is applicable when a Diffie-Hellman tuple to be verified is in the target group of a bilinear map $e : G \times G \to G_T$. In particular, it is applicable even when an original CPA-secure scheme is based on an asymmetric pairing [19], $e : G_1 \times G_2 \to G_T$. For example, the Type 3 version [19] of the Waters CP-ABE scheme [4] can be found in [20]. Detailed discussions and results on real implementations are found for the case of CPA-secure ABE schemes [21,20]. We note here that the efficiency comparison below makes it possible to estimate the implementation results of CCA-secure ABE schemes obtained via our modification. We compare the efficiency of our CP-ABE with the original Waters CP-ABE$_{\text{cpa}}$, and our KP-ABE with the original Ostrovsky-Sahai-Waters KP-ABE$_{\text{cpa}}$. We also compare the efficiency of our schemes with the CCA-secure CP-ABE and KP-ABE schemes obtained by the generic transformation in [10]. Here the generic transformation [10] is considered in the case of a small attribute universe, the delegation type [10] and the Lamport one-time signature [22]. Table 1 shows this comparison. Note that a hash function is applied to generate a message digest of bit-length λ before signing by a secret key of the one-time signature. Note also that, for simplicity, we evaluate the lengths and the amounts of computation below in the case that an access structure A is "all-AND" and an attribute map ρ is injective (i.e. "single-use", as opposed to "multi-use").
Table 1: Efficiency comparison of IND-sel-CCA secure ABEs ([10] and ours) with the original IND-sel-CPA secure ABEs [4,11].
Scheme L(PK) L($SK_S$) L(CT) C(Enc) C(Dec)
Generic transform [10], CP-ABE $+4\lambda^2$ (G) $+4\lambda^2$ (G) $+3\lambda^2$ (bit) $+2\lambda^2$
Our individual modification results in expansion of the length of a secret key and the amount of decryption computation by a factor of four, while the length of a public key, the length of a ciphertext and the amount of encryption computation are almost the same as those of the original CPA-secure schemes. In the case that the size of an attribute set is up to (2/3 of) the square of the security parameter λ, the amounts of decryption computation of our CP-ABE and KP-ABE are smaller than those of the CP-ABE and KP-ABE obtained by the generic transformation [10], respectively.

Conclusion
We demonstrated direct chosen-ciphertext security modification for ABE in the standard model in the case of the Waters scheme (CP-ABKEM cpa , CP-ABE cpa ) and the Ostrovsky-Sahai-Waters scheme (KP-ABKEM cpa , KP-ABE cpa ). We utilized the Twin Diffie-Hellman Trapdoor Test of Cash, Kiltz and Shoup and the algebraic trick of Boneh and Boyen [13] and Kiltz [14]. Our modification worked for the setting that the Diffie-Hellman tuple to be verified in decryption was in the target group of the bilinear map. We compared the efficiency of our CCA-secure ABE schemes with the original CPA-secure ABE schemes and with the CCA-secure ABE schemes obtained by the versatile generic transformation.