Research Article | Open Access

Kai Zhang, Yanping Li, Yun Song, Laifeng Lu, Tao Zhang, Qi Jiang, "A Traceable and Revocable Multiauthority Attribute-Based Encryption Scheme with Fast Access", *Security and Communication Networks*, vol. 2020, Article ID 6661243, 14 pages, 2020. https://doi.org/10.1155/2020/6661243

# A Traceable and Revocable Multiauthority Attribute-Based Encryption Scheme with Fast Access

**Academic Editor:** Athanasios V. Vasilakos

#### Abstract

Multiauthority ciphertext-policy attribute-based encryption (MA-CP-ABE) is a promising technique for secure data sharing in cloud storage. As multiple users with the same attributes have the same decryption privilege in MA-CP-ABE, the identity of the decryption key owner cannot be accurately traced from an exposed decryption key. This leads to the key abuse problem; for example, malicious users may sell their decryption keys to others. In this paper, we first present a traceable MA-CP-ABE scheme supporting fast access and malicious users’ accountability. Then, we prove that the proposed scheme is adaptively secure under the symmetric external Diffie–Hellman assumption and fully traceable under the -Strong Diffie–Hellman assumption. Finally, we design a traceable and revocable MA-CP-ABE system for secure and efficient cloud storage from the proposed scheme. When a malicious user leaks his decryption key, our proposed system can not only confirm his identity but also revoke his decryption privilege. Extensive efficiency analysis results indicate that our system requires only a constant number of pairing operations for ciphertext data access.

#### 1. Introduction

In recent years, the rise of the Internet of things [1] has promoted the application and development of sensor technology [2–4]. As an important sensing paradigm, mobile crowdsensing [5] has been widely used in various industries due to its large coverage area and low deployment cost. One of the most significant services for mobile crowdsensing is cloud storage [6], which supports large-scale data sharing. In cloud storage, individuals or organizations often need to share sensitive data with the users whose attributes satisfy a specific policy. For example, a patient wants to share his medical data with nurses and doctors in neurosurgery, but he does not know the identities of the nurses and doctors. Security is a very important issue [7, 8] in the Internet, and a potential solution for achieving data security is to encrypt the sensitive data before sharing it through the cloud. Unfortunately, traditional public key encryption [9] requires the data owner to know the receiver’s exact identity, so it is not suitable for the above scenario.

To address this issue, ciphertext-policy attribute-based encryption (CP-ABE) [10, 11] was introduced as an expansion of the traditional public key encryption. In CP-ABE, the user’s secret key is associated with his attributes, and the ciphertext is associated with an access policy, which is defined in the form of Boolean formula over a set of attributes; the user can decrypt the ciphertext only when his attributes satisfy the access policy. By using CP-ABE in the above example, the patient can encrypt the medical data with the access policy (“Doctor” AND “Neurosurgery”) OR (“Nurse” AND “Neurosurgery”) and upload the ciphertext to the cloud; then, only nurses and doctors in neurosurgery can access the medical data.

In the typical CP-ABE system, a single central authority should manage all attributes and generate all users’ decryption keys. However, many scenarios require multiple authorities to manage different attribute domains. For instance, a patient wants to share his medical document with the users with the attribute “Doctor” that is issued by a hospital and attribute “Researcher” that is issued by a medical research institute. To solve this problem, Chase [12] introduced the multiauthority attribute-based encryption (MA-ABE), in which different authorities manage different attribute sets and each authority issues secret keys only for the attributes it manages. However, before MA-ABE can be applied in practice, the following issues need to be solved.

The standard MA-ABE suffers from the decryption key abuse problem. In multiauthority ciphertext-policy attribute-based encryption (MA-CP-ABE), the decryption privilege is only based on the user’s attributes and the ciphertext does not contain the user’s identity information. Hence, a ciphertext can be decrypted by multiple users with the same attributes. For example, Alice and Bob have the attributes {“Researcher,” “Neurosurgery”}; then, both of them can decrypt the ciphertext associated with the access policy (“Doctor” AND “Neurosurgery”) OR (“Researcher” AND “Neurosurgery”). In the MA-CP-ABE system, if a malicious user who has the same attributes as others sells his decryption key on the Internet, how can the malicious user be identified?

Another major issue in MA-ABE is malicious user revocation. In the MA-CP-ABE system, the decryption keys may be compromised and the corresponding malicious users should be removed from the system. Hence, a user revocation mechanism should be designed for the MA-CP-ABE system. User revocation mechanisms are divided into direct revocation and indirect revocation. In direct revocation, the data owner encrypts the data by a specified revocation list, and the revoked users in this list cannot decrypt the corresponding ciphertext. Unfortunately, the direct revocation mechanism requires each data owner to keep a revocation user identity list and breaks the user anonymity in the ABE system. In indirect revocation, the authorities help the nonrevoked users to update their decryption keys periodically, so the revoked users cannot decrypt the new ciphertexts. In this paper, we focus on the indirect user revocation issue in the MA-CP-ABE system.

One efficiency drawback for MA-ABE is the significant cost of data access. In the MA-CP-ABE system, the number of resource-consuming pairing operations required to decrypt a ciphertext grows linearly with the number of attributes used for decryption, which makes the data access too expensive. This drawback hinders the large-scale application of the MA-CP-ABE system in lightweight devices. For example, consider a medical cloud system based on MA-CP-ABE in which patients encrypt the data and upload the ciphertexts to the cloud, and a doctor may need to access the medical data in real time from a smartphone. Due to the expensive access cost, the traditional MA-CP-ABE system is obviously unsuitable in this scenario.

##### 1.1. Our Contributions

Seeking to address the above issues, we first give the formal definition and security model for the traceable MA-CP-ABE (T-MA-CP-ABE) scheme and propose a concrete construction of T-MA-CP-ABE on prime order bilinear groups. Then, we prove the construction is adaptively secure under the symmetric external Diffie–Hellman assumption and fully traceable under the -Strong Diffie–Hellman assumption in the random oracle model. Based on the T-MA-CP-ABE construction, we further present a traceable and revocable MA-CP-ABE (TR-MA-CP-ABE) system for secure cloud storage. To the best of our knowledge, this is the first practical MA-ABE system that simultaneously supports traceability, revocation, and fast access. The major features of our TR-MA-CP-ABE system are outlined as follows:

(1) Multiauthority. There exists a central authority (CA) and multiple attribute authorities in our TR-MA-CP-ABE system. Each attribute authority (AA) is responsible for generating the user secret keys for the attributes under its control, and CA is responsible for tracing and revoking the malicious users. Unlike prior MA-ABE schemes, neither CA nor AA can independently generate user decryption keys in our system, even for just one attribute. In addition, the access policies can be expressed as any monotone access structures, which makes our system more practical.

(2) Traceability. Our TR-MA-CP-ABE system supports white-box traceability (traceability can be divided into white-box traceability and black-box traceability. White-box traceability can catch the malicious user who leaks his decryption keys to others, while black-box traceability can catch the malicious user who leaks a decryption black-box). In our system, CA generates tracing information and user secret keys for the identity. If a malicious user leaks his decryption key to others, then CA can trace the malicious user identity from the corresponding decryption key. By adopting a full signature technique, our system does not require any identity table for tracing, which significantly reduces the storage overhead for CA.

(3) Revocation. Our TR-MA-CP-ABE system supports indirect user revocation. If a malicious user was caught by CA, then CA adds his identity into a revocation list, and AAs only periodically update the attribute-based secret keys for the users whose identities do not belong to the revocation list. Hence, the malicious users cannot obtain the new decryption keys and access the new ciphertext data created in the current time period.

(4) Fast access. In our TR-MA-CP-ABE system, the number of pairings needed to decrypt a ciphertext is only 6, rather than increasing linearly with the number of attributes used during decryption. Furthermore, our decryption operation is run on prime order bilinear groups, which makes access speed significantly faster. The efficiency comparison shows that the data access in our system is more efficient than that in other related works.

Table 1 compares the specific features of our TR-MA-CP-ABE system with the existing ABE schemes [13–16] that achieve multiauthority and traceability simultaneously.

Table 1 notes: AS represents adaptively secure, MAS represents supporting any monotone access structures, ZST represents zero storage cost for tracing, POG represents constructed in prime order groups, FA represents constant pairing operations for data access, and R represents revocation.

^{2} The scheme [13] achieves selectively secure and the scheme [16] only achieves statically secure.

^{3} In [13], their scheme only supports “AND gates with wildcard.”

^{4} In [14], the number of identity tables for tracing is equal to the number of central authorities in the scheme.

^{5} In [13–16], the number of pairing operations for decryption grows linearly with the number of attributes used for decryption.

##### 1.2. Related Works

Chase [12] introduced the notion of MA-ABE and gave the first concrete construction of MA-ABE. As CA is assumed to be able to decrypt every ciphertext in [12], Chase and Chow [17] proposed a MA-ABE scheme without any CA, which was limited to expressing a strict “AND” policy over a predetermined set of authorities. Later, Lewko and Waters [18] presented an adaptively secure MA-ABE scheme where a policy could be expressed as any monotonic Boolean formula. Based on [18], Cui and Deng [19] presented a revocable MA-ABE that achieves attribute revocation. Zhang et al. [20] presented a shorter MA-ABE where a ciphertext can be decrypted with a constant number of pairing operations. Wang et al. [21] constructed a MA-ABE scheme from the LWE assumption. More recently, Xiong et al. [22] presented a revocable MA-ABE with outsourced decryption. However, these schemes did not consider the trace problem.

Hinek et al. [23] proposed the first traceable CP-ABE, but their scheme only supports “AND gates with wildcard.” To improve the expression ability, Liu et al. [24] presented the first traceable CP-ABE that supports monotonic access structures. Later, Wang et al. [25] presented a traceable CP-ABE that can catch the malicious user who leaks a black-box decryption equipment. Ning et al. [26] presented a traceable and revocable CP-ABE that supports both accountable authority and public auditing. Liu and Wong [27] proposed a traceable and revocable CP-ABE for large universe. Xu [28] constructed a traceable CP-ABE with short decryption key. Recently, Han et al. [29] presented a traceable and revocable CP-ABE with hidden policy. Unfortunately, the above schemes can only apply to the single-authority setting.

To address the key abuse problem in MA-ABE, Li et al. [13] presented a traceable MA-CP-ABE with limited access policy and security. Later, Zhou et al. [14] proposed a revocable and traceable MA-CP-ABE that achieves high expressiveness and full security. However, there exist multiple CAs in their scheme, and each CA needs to maintain a tracing identity table. Yu et al. [15] constructed a traceable MA-CP-ABE without any identity table and proved it is adaptively secure in composite order groups. Recently, Zhang et al. [16] presented a more efficient traceable MA-CP-ABE in prime order groups. Unfortunately, their scheme only achieves static security and does not support user revocation. In addition, the common efficiency drawback of these schemes is that the number of pairing operations required to decrypt a ciphertext increases linearly with the number of attributes satisfying the access policy, which presents significant challenges for the users who access data by mobile devices.

##### 1.3. Organization

Section 2 introduces the relevant preliminaries, which includes the access structure, bilinear group, and complexity assumptions. Section 3 gives the system architecture, algorithm definition, and security model of TR-MA-CP-ABE. Section 4 presents the detailed constructions and formal security analysis of T-MA-CP-ABE scheme. Section 5 designs a TR-MA-CP-ABE system and compares its efficiency with other related works. Section 6 concludes the whole paper.

#### 2. Preliminaries

##### 2.1. Notations

For convenience, we define some notations that will be used in this paper. For a finite set S, we denote by , the fact that is chosen uniformly at random from . Let be a set , where is a prime. Let and denote the set of all -dimensional vectors and matrices ( rows and columns) in , respectively. We denote a matrix by a bold letter. For a matrix , let be the transposition of , and be the ^{th} (the ^{th} row and ^{th} column) element of . For group , , and matrix , we use to denote the matrix, in which its ^{th} element is . For matrix , we denote . For , we denote . For two vectors , we denote the inner product of and by . We can also denote the above inner product notation for row and column vectors as follows.

Note that and .

##### 2.2. Access Structures

*Definition 1 (Access structure [30]).* Let be the attributes universe. An access structure is a collection of nonempty subsets of , i.e., . If for , we have ; then, we say is monotone. The sets in are called authorized sets, while the sets not in are called unauthorized sets.

*Definition 2 (Linear secret-sharing schemes (LSSS) [30]).* A secret-sharing scheme over the attributes universe is called linear over if

(1) The shares for each attribute form a vector over 

(2) There exists a matrix and function satisfy the following: let the column vector , where is the secret to be shared, and ; then, is equal to the vector of shares of the secret according to . The share belongs to attribute .

Let be an LSSS for the access structure and be the access policy for . According to [30], LSSS enjoys the linear reconstruction as follows. Let be an authorized set, and let . Then, there exist constants such that , where is the row of matrix .
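Definition 2's sharing and linear reconstruction, worked for the introduction's policy (“Doctor” AND “Neurosurgery”) OR (“Nurse” AND “Neurosurgery”); this is an added example, not code from the paper. It goes beyond that one policy by converting any AND/OR formula into a share matrix with a standard formula-to-matrix conversion. The modulus `P`, all function names, and the symbols named in the comments are assumptions.

```python
import secrets

# Constructed prime modulus standing in for the prime group order of Section 2.3.
P = 2**127 - 1

# The introduction's example policy as a nested (op, left, right) tuple.
POLICY = ("OR", ("AND", "Doctor", "Neurosurgery"),
                ("AND", "Nurse", "Neurosurgery"))


def policy_to_lsss(policy):
    """Return (matrix, rho): one share row per leaf, rho[i] = attribute of row i."""
    rows, rho, width = [], [], 1
    stack = [(policy, [1])]            # the root carries the vector (1)
    while stack:
        node, vec = stack.pop()
        if isinstance(node, str):      # leaf: emit a row labelled by its attribute
            rows.append(vec)
            rho.append(node)
            continue
        op, left, right = node
        if op == "OR":                 # either child alone inherits the parent's vector
            stack += [(right, vec), (left, vec)]
        elif op == "AND":              # children split the parent across a fresh column
            padded = vec + [0] * (width - len(vec))
            stack += [(right, [0] * width + [-1]), (left, padded + [1])]
            width += 1
        else:
            raise ValueError(f"unsupported gate: {op!r}")
    matrix = [[x % P for x in r + [0] * (width - len(r))] for r in rows]
    return matrix, rho


def share(secret, matrix):
    """Shares are matrix * v with v = (secret, random, ..., random) (assumed notation)."""
    v = [secret % P] + [secrets.randbelow(P) for _ in range(len(matrix[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in matrix]


def reconstruction_constants(matrix, rho, attrs):
    """Solve sum_i w_i * row_i = (1, 0, ..., 0) over the rows whose attribute is held.

    Returns {row index: w_i}, or None when the attribute set is unauthorized."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n = len(matrix[0])
    # One equation per matrix column; the last entry is the target vector's entry.
    aug = [[matrix[i][c] for i in idx] + [1 if c == 0 else 0] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(idx)):        # Gauss-Jordan elimination mod P
        pr = next((k for k in range(r, n) if aug[k][col]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % P for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):  # 0 = nonzero: target not in the row span
        return None
    return {idx[col]: aug[k][-1] for k, col in enumerate(pivots)}


def reconstruct(shares, matrix, rho, attrs):
    """Recover the secret from the held shares, or None if attrs is unauthorized."""
    omega = reconstruction_constants(matrix, rho, attrs)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % P


if __name__ == "__main__":
    M, rho = policy_to_lsss(POLICY)
    shares = share(42, M)              # 42 is a constructed sample secret
    for attrs in ({"Nurse", "Neurosurgery"}, {"Doctor", "Nurse"}):
        print(sorted(attrs), "->", reconstruct(shares, M, rho, attrs))
```

The `None` result for {“Doctor”, “Nurse”} is the unauthorized-set case: no combination of the held rows reaches the target vector, so the held shares reveal nothing about the secret.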

##### 2.3. Bilinear Groups and Assumptions

Let be an asymmetric bilinear group generator that takes as input a security parameter and outputs a tuple , where , and are the cyclic groups of prime order , (respectively, ) is a generator of (respectively, ), and is an efficiently computable bilinear map such that

(1) Bilinear: 

(2) Nondegenerate:

For , we denote .

*Definition 3 (SXDH, Symmetric External Diffie–Hellman assumption [31]).* The adversary ’s advantage in SXDH assumption is defined as where , , , , . We say the SXDH assumption holds if for all polynomial time algorithm adversaries and both , is negligible in .

*Definition 4 (-SDH, -Strong Diffie–Hellman assumption [32]).* The adversary ’s advantage in -SDH assumption is defined as where , , and . We say the -SDH assumption holds if for all polynomial time algorithm adversaries , is negligible in .

Note that compared with the -SDH assumption in [32], and have exchanged places here. However, this will not affect the security of full signature scheme [32], that is, strong existential unforgeability under an adaptive chosen message attack based on -SDH assumption because we will also exchange the places of and in the full signature scheme. The modified full signature scheme (BB scheme) is briefly described as follows:

(i) Setup . Run to obtain . Pick , set the public key , and secret key .

(ii) Sign . Given a message and , pick , compute , and set the signature as 

(iii) Verify . If , it outputs 1 meaning that the signature is valid. Otherwise, it outputs 0 meaning that the signature is invalid.

#### 3. Problem Formulation

In this section, we first describe the system architecture of our TR-MA-CP-ABE. Then, we give the formal algorithm definition and security model for T-MA-CP-ABE and TR-MA-CP-ABE scheme.

##### 3.1. System Architecture

As shown in Figure 1, our TR-MA-CP-ABE system comprises the following entities: a cloud server (CS), a central authority (CA), multiple attribute authorities (AAs), data owners (DOs), and data users (DUs). The role of each party is described as follows:

More specifically, CA generates its own public/secret key pair, publishes the CA public key, and uses the CA secret key to generate the identity keys for all DUs. Each AA generates its own public/secret key pair, publishes the AA public key, and generates the user keys corresponding to the attributes that are managed by it. Then, DU uses the identity key and attribute keys to generate his own decryption key. Next, DO encrypts the data by the public keys and an access policy and uploads the ciphertext to CS. Finally, the nonrevoked users can decrypt the ciphertext when their attributes satisfy the access policy, and other users cannot access the data. In our system, when a malicious user sells his decryption key, CA first identifies him by a tracing algorithm and then revokes him by adding his identity to a revocation list. Since AA will not update the attribute keys for the users whose identities are in the revocation list, the malicious users cannot update their decryption keys and access new ciphertext data.

In our system, DOs are fully trusted entities who honestly execute the encryption algorithm. CS, CA, and AAs are all honest but curious: they correctly execute the algorithms in the system, but try to learn any sensitive information about the data. Our system does not allow CS to modify or delete the stored ciphertext, but allows several corrupt AAs to make an attack on the unauthorized ciphertext whose policy cannot be satisfied by the corrupt attributes. Note that the decryption key is generated by the combination of identity key and attribute keys, so neither CA nor AA can independently construct the complete decryption key in our system. DUs are untrusted entities that may not only try to access the unauthorized data but also sell their decryption keys on the Internet. To formally describe the above system and attacks, Section 3.2 defines the TR-MA-CP-ABE algorithms, and Section 3.3 presents an adaptive security model against an adversary who tries to learn any information about the unauthorized data and a traceable security model against a malicious data user who leaks his decryption key.

##### 3.2. Algorithm Definition

A T-MA-CP-ABE scheme consists of eight algorithms:

(i) Global Setup . On input a security parameter , it outputs the global parameters for the system

(ii) CA Setup . CA runs this algorithm with the global parameters as input, and outputs its public/secret key pair 

(iii) AA Setup . Each attribute authority runs this algorithm with the global parameters and its attributes set as input and outputs its public/secret key pair 

(iv) CA KeyGen . On input an identity , the CA secret key and the global parameters , the CA key generation algorithm outputs the user’s CA key 

(v) AA KeyGen . On input an identity , the global parameters , a set of attributes , a user’s CA key , and the set of AA secret keys for the relevant AAs, the AA key generation algorithm outputs the user’s decryption key 

(vi) Encrypt . On input the global parameters , the CA public key , the set of AA public keys for the relevant AAs, a message , and an access policy , the encryption algorithm outputs a ciphertext 

(vii) Decrypt . On input the global parameters , a decryption key for an attributes set , and a ciphertext for an access policy , the decryption algorithm returns either the message when the attributes set satisfies the access policy or the error symbol meaning that decryption fails

(viii) Trace . On input the global parameters , the CA public key , the AA public keys , and a decryption key , the tracing algorithm returns either an identity when passes the key sanity check, or the symbol meaning that does not need to be traced. The key sanity check is a deterministic algorithm to determine whether needs to be traced

Our TR-MA-CP-ABE scheme is almost the same as the T-MA-CP-ABE scheme, except for modifying CA Setup by adding a revocation list, Encrypt and Decrypt by adding a time period, and replacing AA KeyGen by AA KeyGen and KeyUpdate and Trace by Trace and Revoke. The above modified and replaced algorithms in TR-MA-CP-ABE scheme are described as follows.

(ix) CA Setup . CA runs the CA setup algorithm with the global parameters as input to generate its public/secret key pair . In addition, CA initializes an empty revocation identity list .

(x) AA KeyGen and KeyUpdate . It takes as input an identity , the global parameters , a set of attributes , a time period , a user’s CA key , a revocation list , and the set of AA secret keys for the relevant AAs. If , it outputs . Otherwise, it outputs the user’s decryption key .

(xi) Encrypt . It takes as input the global parameters , the CA public key , the set of AA public keys for the relevant authorities, an access policy , a message , and a time period . It outputs a ciphertext .

(xii) Decrypt . It takes as input the global parameters , a decryption key for an attributes set for a time period , and a ciphertext for an access policy for a time period . If and satisfies , it outputs the message . Otherwise, it outputs the error symbol .

(xiii) Trace and Revoke . It takes as input the global parameters , the CA public key , the AA public keys , and a decryption key . If passes the key sanity check, it returns an identity and adds it to the revocation list . Otherwise, it returns the symbol .

##### 3.3. Security Model

We now describe the adaptive security model for T-MA-CP-ABE scheme. In our security model, an AA can manage multiple attributes, while each attribute can only be controlled by one AA. Let be the attribute authority universe and be the attribute universe. The adaptive security game between a challenger and an adversary is defined as follows.

(i) Setup. The challenger runs the global setup and CA setup algorithms and then gives and to the adversary. The adversary specifies a set of corrupt AAs . For noncorrupt AAs in , the challenger runs the AA setup algorithm and provides the AA public keys to the adversary.

(ii) Phase 1. The adversary can repeatedly make two types of key queries as follows:

(1) CA key query. The adversary sends a user’s identity to the challenger. The challenger returns the corresponding private key to the adversary.

(2) AA key query. The adversary sends a pair to the challenger, where is an identity, and is a set of attributes belonging to noncorrupt AAs. The challenger returns the corresponding decryption key to the adversary. Note that the user’s AA private key is part of his decryption key in our scheme, so the challenger gives the user’s AA private key to the adversary in this query.

(iii) Challenge. The adversary submits two messages and an access policy , where satisfies the following constraint. Let denote the attributes controlled by corrupt AAs, and denotes the attributes in which the adversary has queried for identity . For each , we require that does not satisfy . The challenger chooses a random coin and returns ciphertext to the adversary.

(iv) Phase 2. The adversary can make the key queries as Phase 1, with the restriction of as described above

(v) Guess. The adversary submits a guess and wins if . The advantage of an adversary in this game is defined as .

*Definition 5.* A T-MA-CP-ABE scheme is adaptively (or fully) secure if for any probabilistic polynomial time adversary, its advantage is negligible in .

A T-MA-CP-ABE scheme is called selectively secure if the adversary submits the access policy before the Setup phase. A T-MA-CP-ABE scheme is called statically secure if the adversary submits all queries immediately after seeing the global parameters. Our construction will be proved adaptively secure, without the above restrictions.

Traceability of the T-MA-CP-ABE is described by a game as follows:

(i) Setup. The challenger runs the global setup, CA setup, and AA setup algorithms and then gives , , and to the adversary

(ii) Key query. The adversary makes the following queries:

(1) CA key query. The adversary sends to the challenger, where is an identity. The challenger returns the corresponding private keys .

(2) AA key query. The adversary sends to the challenger, where is an attributes set. The challenger returns the corresponding decryption keys .

(iii) Key forgery. The adversary submits a decryption key and wins if .

The advantage of an adversary in this game is defined as

*Definition 6.* A T-MA-CP-ABE scheme is fully traceable if for any probabilistic polynomial time adversary, its advantage is negligible in .

In our TR-MA-CP-ABE scheme, the AA key generation algorithm is the same as the AA key update algorithm. Hence, the security model of our TR-MA-CP-ABE scheme is the same as that of our T-MA-CP-ABE scheme.

#### 4. Our T-MA-CP-ABE Scheme

In this section, we present a T-MA-CP-ABE scheme in an asymmetric bilinear group and prove it is adaptively secure and fully traceable in the random oracle model.

##### 4.1. Construction

Inspired by [18, 20], we adopt a hash function to map user identities to the elements in group . Unlike [18, 20], we use a CA to personalize the identity key for each user and the AAs to generate the corresponding attribute keys, so our construction can achieve multiple authorities and the AAs cannot get the user decryption key. Furthermore, we employ a full signature scheme [32] to realize traceability. More specifically, the CA injects the signature of the user identity into the user identity key and traces the user by his decryption key. We now present our T-MA-CP-ABE construction based on [18, 20], in which each attribute authority manages an attributes set .

(i) Global Setup . The algorithm first runs to obtain . , and are the cyclic groups of prime order , is a generator of , is a generator of , and is a bilinear map. It then samples and sets and . It chooses a hash function and publishes as the global parameters.

(ii) CA Setup . CA picks and computes , . Then, CA publishes the public key and sets as its secret key.

(iii) AA Setup . For each attribute , picks and computes , and . Then, publishes the public key and sets as its secret key.

(iv) CA KeyGen . For a user’s identity , CA picks and sets . Then, CA sends the private key to the user whose identity is .

(v) AA KeyGen . A user submits his identity and attributes set and to the relevant authorities . For each attribute , computes and sends the private key to the corresponding user. When the user receives , he sets as his decryption key.

(vi) Encrypt . On input a message and an access policy . is a matrix, and maps its rows to attributes. It first picks . For each , it computes , , where is the row of . The ciphertext is computed as 

Decrypt . On input a ciphertext for a policy and a decryption key for an attributes set . Let . If does not satisfy , it outputs . Otherwise, it chooses constants such that and computes Finally, the message can be recovered as 

(vii) Trace . If the decryption key is not in the form of , it outputs . Otherwise, it runs a key sanity check on as follows: , , s.t. and If passes the above check, it outputs the identity . Otherwise, it outputs .

(viii) Correctness If the attributes set satisfies the policy , we have that . Then, Therefore, Note that , so there exists an unknown vector such that . Then, we have Hence, .

##### 4.2. Security Analysis

In this section, we first prove that our T-MA-CP-ABE scheme is adaptively secure based on the SXDH assumption by a reduction to the underlying scheme in [20]. More specifically, we assume an adversary breaks our T-MA-CP-ABE scheme in the random oracle model with advantage ; then, we build a simulator that breaks the scheme [20] in the random oracle model with advantage . Then, we prove our T-MA-CP-ABE scheme is fully traceable based on the -SDH assumption by a reduction to a signature scheme [32]. More specifically, we assume an adversary breaks our T-MA-CP-ABE scheme in the traceability game; then, we build a simulator that breaks the signature scheme [32] under an adaptive chosen message attack.

###### 4.2.1. Adaptive Security

Note that there are two typos in the scheme [20] (which prevent the encryption and decryption algorithms from being completely executed) that should be corrected: should be corrected as , and should be corrected as . We denote the scheme [20] with as the ZCGM1 scheme, which has been proved adaptively secure in [20].

Lemma 1 (see [20]). *If the SXDH assumption holds, then the ZCGM1 scheme is adaptively secure in the random oracle model.*

Lemma 2. *Assuming that the ZCGM1 scheme [20] is adaptively secure, then our T-MA-CP-ABE scheme is adaptively secure.*

*Proof.* Let denote the challenger corresponding to in the adaptive security game of ZCGM1 scheme.

(i) Setup. When receives the global parameters from , it picks and computes , and . Then, stores and sends and to . Next, submits a corrupt AAs set to , and submits to to request the AA public keys for noncorrupt AAs. When obtains AA public keys from , it sends to .

(ii) Phase 1. initializes an empty table and answers the CA key and AA key queries as follows:

(1) CA key query. When submits an identity to to request the corresponding CA key, first searches the entry in table . If such entry exists, returns to . Otherwise, picks and computes . Then, sends to and stores it in .

(2) AA key query. When submits a pair to to request the corresponding decryption key, first searches the entry in table . If such entry exists, can obtain from table . Otherwise, picks , computes , and stores in table . Then, calls the ZCGM1 AA key generation oracle on to obtain the private key . For each , computes . Finally, sets the corresponding decryption key as and sends it to .

(iii) Challenge. The adversary submits two messages and an access policy , where satisfies the following constraint. Let denote the attributes controlled by corrupt AAs, and denotes the attributes in which the adversary has queried for identity . For each , we require that does not satisfy . The challenger sends , and to to obtain the ZCGM1 challenge ciphertext . Then, computes and sends to .

(iv) Phase 2. The adversary makes the key queries as Phase 1, but with the restriction of as described above. responds the queries in the same way as Phase 1.

(v) Guess. When outputs a guess , then outputs .

Since perfectly simulates the ZCGM1 security game for , the advantage of breaks the ZCGM1 scheme equals to the advantage of breaks our scheme.

Theorem 1. *If the SXDH assumption holds, then our T-MA-CP-ABE scheme is adaptively secure.*

*Proof.* This proof follows directly from Lemmas 1 and 2.

###### 4.2.2. Traceability

Now, we prove our T-MA-CP-ABE scheme is fully traceable by a reduction to BB scheme [32], which is strongly existentially unforgeable.

Lemma 3 (See [32]). *If the -SDH assumption holds, then the BB scheme is strongly existentially unforgeable under an adaptive chosen message attack.*

Lemma 4. *Assuming that the BB scheme [32] is strongly existentially unforgeable under an adaptive chosen message attack, then our T-MA-CP-ABE scheme is fully traceable in the random oracle model.*

*Proof.* Let be a prime order bilinear group, and be the public key of BB scheme. Let be the attributes set managed by attribute authority , and be the challenger corresponding to in the BB security game.

(i) Setup. When receives public key from , it first samples , sets , , and . Then, computes , , and sets . For each attribute , picks , computes and , and sets . Finally, sends global parameters , CA public key , and AA public keys to . stores and controls the random oracle .

(ii) Key query. In this phase, queries the CA keys corresponding to and AA keys corresponding to . initializes two empty tables and answers ’s queries as follows:

(1) Random oracle hash query. When submits an identity to to request the corresponding random oracle hash value , first searches the entry in . If such entry exists, returns . Otherwise, picks , sends to , and stores in .

(2) CA key query. When submits an identity to to request the corresponding CA key , first searches the entry in . If such entry exists, returns to . Otherwise, submits to to request the corresponding signature. When receives signature from , searches the entry in . If no such entry exists, picks and stores in . Next, obtains from table and sets as the corresponding CA private key. Finally, sends to and stores it in .

(3) AA key query. When submits a pair to to request the corresponding decryption key , first searches CA key in . If no such entry exists, generates CA key as in (2) and stores it in . For each , computes . Finally, sends the corresponding decryption key to .

(iii) Key forgery. returns a decryption key