Revocable and Traceable Decentralized ABE for P2P Networks

Abstract

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) technology provides fine-grained access control capabilities for P2P networks. However, its long-term development has been constrained by three major challenges: the trade-off between computational efficiency and functional completeness, decentralized trust security issues, and the problems of attribute revocation and traceability. This paper proposes a decentralized CP-ABE scheme based on multiple authorities (R-T-D-ABE). By leveraging three core techniques, including threshold distributed key generation, versioned attribute revocation, and identity-key binding verification, the scheme efficiently achieves both revocation and accountability while ensuring resistance against collusion attacks and forward/backward security. Security analysis demonstrates that the proposed scheme satisfies IND-CPA security under the Generic Group Model (GGM). Experimental results indicate that it not only guarantees efficient decentralized encryption and decryption but also realizes the dual functions of revocation and accountability, thereby providing a functionally complete and efficient access control solution for P2P networks.

1. Introduction

Peer-to-peer (P2P) networks, leveraging their decentralized nature, have demonstrated significant advantages in a wide range of applications, from blockchain systems [1,2,3] to critical infrastructure domains such as smart grids, distributed energy trading, and vehicular networks [4,5,6]. However, they also introduce new security challenges for access control [7,8]. Traditional access control techniques, which employ static permission assignment models [9], struggle to meet the demand for dynamic permission allocation in P2P networks [7,10]. To address this, researchers have introduced Attribute-Based Encryption (ABE), a concept first proposed by Sahai and Waters in 2005 [11]. Building upon this, Bethencourt et al. proposed Ciphertext-Policy Attribute-Based Encryption (CP-ABE) in 2007 [12]. This scheme allows data owners to directly specify access policies during encryption, enabling more flexible and fine-grained access control, and has been widely adopted to protect shared data security in P2P networks [13,14,15]. Despite its advantages, CP-ABE still faces three interrelated core challenges in the decentralized P2P environment, making it difficult for existing schemes to simultaneously achieve attribute revocation and user traceability under decentralization constraints without incurring efficiency bottlenecks.

First, there exists a difficult-to-reconcile contradiction between computational efficiency and functional completeness in ABE scheme design. Attribute matching in CP-ABE relies on bilinear pairing operations. Most current CP-ABE frameworks, including those based on classic schemes such as BSW CP-ABE [16], FAME CP-ABE [17], and ABGW CP-ABE [18], struggle to fundamentally overcome the efficiency bottleneck of large-scale attribute matching. On one hand, pursuing extreme efficiency often comes at the cost of functionality. For instance, optimizing data structures to improve efficiency may sacrifice policy flexibility [19], or relying on online/offline techniques may introduce centralized components [20]. Notably, even the fastest scheme like FABEO [21] does not consider implementing attribute revocation under a multi-authority setting. On the other hand, complex mechanisms introduced to enhance functionality, such as proxy re-encryption [22] or composite-order bilinear groups [23], significantly increase computational overhead, rendering many schemes impractical for deployment in P2P networks.

Second, the decentralized nature of P2P networks conflicts with the traditional centralized trust model of CP-ABE [24]. Multi-Authority CP-ABE (MA-CP-ABE) aims to address this by allowing multiple independent authorities to manage different attributes, thereby mitigating single points of failure [25,26,27,28]. However, existing approaches still face issues: some fail to completely eliminate centralized architecture [26], while others incur high key generation latency or additional computational and trust overhead due to the use of smart contracts [25], proxy nodes [28], or ring signatures [27].

Finally, the attribute revocation and user traceability functions essential for dynamic member management face a contradiction between privacy and efficiency in P2P networks. Efficient attribute revocation requires effective key and ciphertext update mechanisms to prevent replay attacks, but existing techniques are often limited due to coarse-grained revocation [29], reliance on trusted third parties [30], the need for additional delegated nodes [22], or dependency on specific communication protocols [31]. Simultaneously, user traceability is crucial for deterring attacks, yet existing schemes either suffer from high computational complexity when protecting privacy (e.g., requiring linear search [1]) or compromise decentralization for the sake of efficiency (e.g., relying on blockchain for permission table updates [32]), making it challenging to achieve both [33,34].

To address the aforementioned challenges, this paper proposes a Revocable and Traceable Decentralized ABE scheme (R-T-D-ABE) suitable for P2P networks. The core contribution of this work lies in its successful resolution of the efficiency bottleneck that arises from the simultaneous implementation of attribute revocation and user traceability within the highly dynamic and decentralized context of P2P networks. The main contributions are as follows:

• Design of an efficient decentralized key management mechanism for P2P networks. Utilizing distributed authority signatures and Shamir’s secret sharing technology, we achieve key generation and distribution without central coordination, eliminating single points of failure and enabling efficient encryption and decryption.
• Realization of real-time lightweight attribute revocation. Through version number control and coordination among distributed authorities, lightweight dynamic key updates within the P2P network are ensured, achieving attribute-level fine-grained real-time revocation.
• Proposal of a privacy-preserving and non-repudiable user traceability scheme. By binding user identities to their keys, our scheme enables fast and accurate tracing of key leakage sources without exposing user identities, effectively resolving the conflict between privacy and traceability efficiency.
• Provision of provable security guarantees. Through security proofs, our scheme is demonstrated to achieve IND-CPA security, collusion resistance, forward security, and backward security under the Generic Group Model (GGM).

The remainder of this paper is organized as follows. Section 2 reviews the preliminary knowledge. Section 3 elaborates on the detailed construction of the proposed R-T-D-ABE scheme. Security analysis and proofs are presented in Section 4. Section 5 discusses both theoretical and experimental evaluations. Finally, conclusions and future work are outlined in Section 6.

2. Preliminaries

2.1. Bilinear Maps

Let $\lambda$ be the security parameter, and $G_1$, $G_2$, and $G_T$ be three multiplicative cyclic groups of prime order p. Let $g_1$ and $g_2$ be generators of $G_1$ and $G_2$, respectively. A bilinear map $e:G_1\times G_2\to G_T$ is a function satisfying:

• Bilinearity: $\forall u\in G_1$, $\forall v\in G_2$, $\forall a,b\in Z_p$, we have $e\left(u^a,v^b\right)=e{\left(u,v\right)}^{ab}$.
• Non-degeneracy: $e\left(g_1,g_2\right)\ne 1_{G_T}$.
• Computability: There exists an efficient algorithm to compute $e(u,v)$ within deterministic polynomial time with respect to the security parameter $\lambda$.

2.2. Generic Group Model (GGM)

The Generic Group Model (GGM) [35,36] treats group elements as opaque handles, allowing adversaries to perform group operations only via oracles. Boneh et al. [37] extended it to bilinear groups. In our proof, we analyze security in an extended GGM that incorporates:

• Integration of Random Oracle: The hash function is modeled as a random oracle H.
• Embedding of Scheme-Specific Oracles: The adversary is allowed to access oracles $O_{\mathrm{mpk}}$, $O_{\mathrm{ct}}$, and $O_{\mathrm{sk}}$.
• Extended Adversarial Capabilities: Besides basic group operations, the adversary can also compute pairings through an oracle.

These extensions preserve the core limitation of GGM—that adversaries cannot directly manipulate the algebraic representation of group elements—while enabling the model to accurately reflect the security environment of the actual scheme. In Section 4.5, we prove that the scheme achieves IND-CPA security under the extended GGM by constructing a sequence of indistinguishable games ( ${\mathsf{Game}}_0$, ${\mathsf{Game}}_1$, ${\mathsf{Game}}_2$ ), with an advantage upper bounded by $O\left(Q^2\right)/p$, where Q denotes the number of adversary queries and p is the group order. The proof also demonstrates that the scheme satisfies forward security, backward security, and collusion resistance.

2.3. Monotone Span Programs (MSP)

Let $Arr=\left\{{Arr}_1,{Arr}_2,\dots ,{Arr}_n\right\}$ be an attribute set, and A be a monotone access structure on $Arr$, meaning A is a collection of non-empty subsets of $Arr$ with the monotonicity property: if an authorized attribute set $S\in A$, then any superset $S^{\prime }\supset S$ is also authorized.

In this CP-ABE scheme, the access structure A is described by MSP, defined as follows:

• Matrix Representation: Let $M\in Z_p^{m\times n}$ be a matrix over the finite field $Z_p$, where m is the number of rows and n is the number of columns. The row labeling function $\rho :\left[m\right]\to Arr$ associates the i-th row of matrix M with an attribute in $Arr$, i.e., $\rho \left(i\right)={Arr}_i$.
• Authorization Set Determination: For a user’s attribute set S, let $I_S=\{i\in \left[m\right]:$$\rho \left(i\right)\in S\}$ denote the set of row indices whose associated attributes belong to S. Let $M_S$ be the submatrix of M consisting of all rows where $i\in I_S$. Given a target vector $v=(1,0,\dots ,0)\in Z_p^{1\times n}$, if S is an authorized set ($S\in A$), there exists a weight vector $w\in Z_p^{1\times \left|S\right|}$ such that $w·M=v$ holds; otherwise, S is unauthorized ($S\notin A$).

2.4. FABEO

In 2022, Riepel and Wee proposed a fast attribute-based encryption (ABE) scheme achieving optimal adaptive IND-CPA security, based on asymmetric (Type-III) bilinear groups. The core idea is to allocate most computations to the group ${\mathbb{G}}_1$ and to optimize the number of bilinear pairing operations during decryption. A brief description of the CP-ABE scheme in FABEO is given below.

• Setup: The system master key is $\alpha \stackrel{R}{\leftarrow }{\mathbb{Z}}_p$. Define a hash function $H:\mathcal{U}\cup \left\{0\right\}\to {\mathbb{G}}_1$. Let $H\left(u\right)=g_1^{b\left[u\right]}$ for each attribute $u\in \mathcal{U}$, and $h=H\left(0\right)=g_1^{b^{\prime }}$. The master public key is $\mathsf{mpk}=(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e,g_1,g_2,H,e{(g_1,g_2)}^{\alpha }).$
• KeyGen: For an attribute set $S\subseteq \mathcal{U}$, choose a random $r\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and generate the secret key $\mathsf{sk}=\left({\mathsf{sk}}_1=g_1^{\alpha }·h^r,{\mathsf{sk}}_2={\left\{H{\left(u\right)}^r\right\}}_{u\in S},{\mathsf{sk}}_3=g_2^r\right).$
• Encrypt: To encrypt a message M under an access structure $(\mathbf{M}\in {\mathbb{Z}}_p^{m\times n},\rho :\left[m\right]\to \mathcal{U})$, where $\tau$ denotes the maximum reuse count of attributes in $\mathbf{M}$, choose random vectors $\mathbf{s}=(s_1,\mathbf{v})\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^n$ and ${\mathbf{s}}^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{\tau }$. The ciphertext is constructed as: ${\mathsf{ct}}_0=M·e{(g_1,g_2)}^{\alpha s_1},$ ${\mathsf{ct}}_1=g_2^{s_1},$ ${\mathsf{ct}}_{2,j}=g_2^{s^{\prime }\left[j\right]},$ ${\mathsf{ct}}_{3,i}=h^{{\mathbf{M}}_i{(s_1\parallel \mathbf{v})}^{\top }}·H{\left(\rho \left(i\right)\right)}^{s^{\prime }\left[\rho \left(i\right)\right]},$ and $\mathsf{ct}=\left({\mathsf{ct}}_0,{\mathsf{ct}}_1,{\left\{{\mathsf{ct}}_{2,j}\right\}}_{j\in \left[\tau \right]},{\left\{{\mathsf{ct}}_{3,i}\right\}}_{i\in \left[n_1\right]}\right).$
• Decrypt: If S satisfies $(\mathbf{M},\rho )$, there exists a set of constants ${\left\{{\gamma }_i\right\}}_{i\in I}$ such that ${\sum }_{i\in I}{\gamma }_i{\mathbf{M}}_i=(1,0,\dots ,0)$. Decryption is performed as follows:

  $$e({\mathsf{sk}}_1,{\mathsf{ct}}_1)·{\displaystyle \frac{{\prod }_{j\in \left[\tau \right]}e\left({\prod }_{\begin{array}{c}i\in I\\ \rho \left(i\right)=j\end{array}}{\left({\mathsf{sk}}_{2,\pi \left(i\right)}\right)}^{{\gamma }_i},{\mathsf{ct}}_{2,j}\right)}{e\left({\prod }_{i\in I}{\left({\mathsf{ct}}_{3,i}\right)}^{{\gamma }_i},{\mathsf{sk}}_3\right)}}=e{(g_1,g_2)}^{\alpha s_1}.$$

FABEO incorporates the above CP-ABE scheme into the Pair Encoding Scheme ABE (PES-ABE) proof framework and proves that [21]: any PES-ABE scheme satisfying (1,1)-symbolic security automatically satisfies strong symbolic security. Consequently, under the Generic Group Model (GGM) and the Random Oracle Model (ROM), the scheme achieves optimal adaptive multi-ciphertext IND-CPA security.

2.5. PES-ABE

The Pair Encoding Scheme for Attribute-Based Encryption (PES-ABE) is a framework that modularizes security proofs [38,39], primarily comprising the following deterministic algorithms:

• ${\mathsf{Setup}}_0(\lambda ,\mathcal{X},\mathcal{Y})\to n$: On input the security parameter $\lambda$, the policy space $\mathcal{X}$, and the attribute space $\mathcal{Y}$, this algorithm outputs $n\in \mathbb{N}$, specifying the number of hash attributes in the master secret key, which serves as a global public parameter.
• ${\mathsf{KeyGen}}_0\left(y\right)\to (k^1,k^2)$: Given a user’s attribute set y, it outputs two linear functions $k^1:{\mathbb{Z}}_p^{1+m+mn}\to {\mathbb{Z}}_p^{m_1}$ and $k^2:{\mathbb{Z}}_p^m\to {\mathbb{Z}}_p^{m_2}$, where m is the length of the key’s random vector, $m_1$ denotes the number of ${\mathbb{G}}_1$ elements in the key, and $m_2$ denotes the number of ${\mathbb{G}}_2$ elements.
• ${\mathsf{Enc}}_0\left(x\right)\to (c^1,c^2)$: Given an access structure x (specifically modeled as a Monotone Span Program $(M,\pi )$ in this work), it outputs two linear functions $c^1:{\mathbb{Z}}_p^{wn}\to {\mathbb{Z}}_p^{w_1}$ and $c^2:{\mathbb{Z}}_p^w\to {\mathbb{Z}}_p^{w_2}$, where w is the length of the ciphertext’s random vector, $w_1$ is the number of ${\mathbb{G}}_1$ elements in the ciphertext, and $w_2$ is the number of ${\mathbb{G}}_2$ elements.

In a concrete ABE scheme, these deterministic algorithms are instantiated over bilinear groups, with computations performed in the exponent to generate the corresponding ciphertexts and keys.

It has been explicitly defined and proven within the FABEO scheme that any scheme satisfying symbolic security under the PES-ABE framework also satisfies strong symbolic security. Consequently, such a scheme achieves adaptive, multi-challenge IND-CPA security under both the Generic Group Model (GGM) and the Random Oracle Model (ROM).

Therefore, in our security proof, we first abstract the proposed R-T-D-ABE scheme into the PES-ABE framework and prove that it satisfies symbolic security. Based on the conclusion from FABEO, this is equivalent to satisfying strong symbolic security. Finally, leveraging this strong symbolic security, we prove that our scheme achieves IND-CPA security, collusion resistance, forward security, and backward security in the GGM.

3. R-T-D-ABE

3.1. System Mode

This scheme addresses the requirements for privacy preservation in peer-to-peer (P2P) networks. The proposed R-T-D-ABE scheme aims to achieve fine-grained access control, decentralized trust, dynamic revocation, and leakage traceability. Security is proven in the Generic Group Model (GGM) with the hash function modeled as a Random Oracle (ROM), achieving adaptive IND-CPA security with an optimal security bound.

As illustrated in Figure 1, the proposed architecture comprises four core entities:

• Data Owners (DOs): Entities that encrypt sensitive data and define the access policies.
• Data Users (DUs): Entities that request and access data, with their permissions governed by their attributes.
• Authorization Authority Cluster (AA): A decentralized set of authorities that collectively manage user attributes and are responsible for key generation and updates.
• Cloud Server (CS): A service provider that offers storage and computational resources, hosting the encrypted data.

Its key operational phases detailed as follows:

Distributed Key Generation: Multiple Authorization Authorities (AAs) collaboratively generate the system master key and user private keys using distributed authority signatures and Shamir’s Secret Sharing technique. This process eliminates single points of failure and establishes a foundation for a decentralized trust framework.

Data Encryption and Upload: Data Owners (DOs) define access policies and encrypt sensitive data accordingly, then upload the resulting ciphertext to the Cloud Server (CS) for storage.

Data Download and Decryption: Data Users (DUs) can successfully decrypt and access the encrypted data if and only if their attribute set and key version number satisfy the access policy and version requirements embedded within the ciphertext.

Dynamic Attribute Revocation:

• Upon receiving a revocation request, the Authorization Authority cluster (AA) cooperatively generates key update information.
• Non-revoked users can subsequently use this information to independently update their credentials without any system downtime.

Leakage Traceability: The scheme incorporates unique identity markers into the cryptographic keys, enabling the multiple AAs to precisely trace the source of any private key leakage, thereby providing non-repudiation support for auditing purposes.

In summary, the proposed scheme exhibits three salient features:

• The elimination of single points of failure through a fully decentralized architecture;
• Support for dynamic, attribute-level privilege management;
• Built-in, efficient leakage traceability that enhances system accountability.

3.2. Scheme Construction

The scheme operates over public parameters $pp=(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e,g_1,g_2,H,\theta )$, where p is a large prime, ${\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T$ are cyclic groups of order p with bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, $g_1,g_2$ are generators, $H:\left[\right|\theta |+1]\to {\mathbb{G}}_1$ is a hash function modeled as a random oracle (ROM), and $\theta$ is the attribute universe.

It provides six core algorithms:

• $\mathrm{AASetup}\left(\lambda \right)\to (mpk,msk)$: Distributed system initialization.
• $\mathrm{AAkeyGen}(msk,uid,S)\to sk$: Attribute-based key generate.
• $\mathrm{DOEncrypt}(mpk,(M,\pi ),k)\to ct$: Policy-based encryption.
• $\mathrm{DUDecrypt}(ct,sk,S)\to k/\perp$: Conditional decryption.
• $\mathrm{Revoke}(v_a^{\prime },{\delta }^{\prime })\to Update$: Attribute revocation.
• Trace$(sk,uid)\to \{0,1\}$: Leakage tracing.

3.2.1. System Initialization: $\mathrm{AASetup}\left(\lambda \right)\to (mpk,msk)$

The initial authority AA₀ generates the system parameters using a security parameter $\lambda$:

$$(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e,g_1,g_2,H,e{(g_1,g_2)}^{\alpha })$$

(1)

It then selects random numbers $x_0\leftarrow {\mathbb{Z}}_p$ and $r_0\leftarrow {\mathbb{Z}}_p$, and computes:

$$\begin{array}{cc}\hfill h_0& =g_1^{x_0},\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill h_0^{\prime }& =g_1^{r_0},\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill C_0& =C(h_0,h_0^{\prime })=g_1^{x_0}{g}_1^{r_0}.\hfill \end{array}$$

(4)

Subsequently, AA₀ publishes the initial authority key:

$$AA{K}_0=(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e,g_1,g_2,H,e{(g_1,g_2)}^{\alpha },C_0).$$

(5)

Upon receiving $AA{K}_0$, each of the other authorities AA_i performs an identical operation: it selects random numbers $x_i\leftarrow {\mathbb{Z}}_p$ and $r_i\leftarrow {\mathbb{Z}}_p$, then publishes its commitment:

$$C_i=C(h_i,h_i^{\prime })=g_1^{x_i}{g}_1^{r_i}.$$

(6)

After k authorities have broadcast their commitments, all $C_i$ are revealed. The system verifies the validity of each commitment by checking if the equation $C_i=C(h_i,h_i^{\prime })$ holds. If all checks pass, the protocol proceeds; otherwise, it outputs an error.

Given that all commitments are valid, the authority aggregate public key is computed as:

$$AAPK=\prod _{i=1}^k{h}_i.$$

(7)

The authorities then collaboratively compute the master key $\alpha$ in a decentralized manner using a Joint Shamir RSS scheme:

• Each authority AA_k generates a random secret ${\delta }_k\in {\mathbb{Z}}_p$.
• With randomly chosen coefficients $a_1,a_2,\dots ,a_t\in {\mathbb{Z}}_p$, each AA_k constructs a polynomial of degree t (where t is the threshold for reconstructing $\alpha$):

  $$f_k\left(z\right)={\delta }_k+a_{1}z+a_2{z}^2+\dots +a_t{z}^t.$$

  (8)
• Each AA_i computes and sends the secret share $s{s}_{i,j}=f_i\left(j\right)$ to authority AA_j.
• Each AA_k receives n such shares from other authorities and computes its master secret share:

  $$s{s}_j=\sum _{i=1}^{n}s{s}_{i,j}modq.$$

  (9)
• Finally, the master key $\alpha$ is reconstructed by any set of k authorities using Lagrange interpolation over their shares $s{s}_j$:

  $$\alpha =\sum _{j=1}^{k}s{s}_j{L}_j,\mathrm{where}{L}_j=\prod _{\begin{array}{c}i=1\\ i\ne j\end{array}}^k{\displaystyle \frac{-i}{j-i}}.$$

  (10)

The revocation value $\delta$ is computed similarly through the same protocol.

Let $H:\left[\right|\theta |+1]\to {\mathbb{G}}_1$ be a hash function, where $\theta$ denotes the set of global attributes. The system’s master secret key and public key are then defined as:

$$\begin{array}{cc}\hfill msk& =\alpha ,\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill mpk& =(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e,g_1,g_2,H,e{(g_1,g_2)}^{\alpha }).\hfill \end{array}$$

(12)

3.2.2. Authority-Issued User Keys: $\mathsf{AAkeyGen}(msk,uid)\to \left(sk\right)$

A user submits their $uid$ to j authorities ${\mathsf{AA}}_j$ for attribute registration. Each ${\mathsf{AA}}_j$ generates a partial secret key for the user:

$${\left\{ssk\right\}}_j=g_1^{s{s}_j{L}_j}.$$

(13)

Let $v_a\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$ be a version number. For a user with an attribute set $S\subseteq \theta$ and each attribute $u\in S$, a random number $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$ is selected, and the following components are computed:

$$\begin{array}{cc}\hfill RK& =g_1^{\delta v_a},\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill s{k}_1& =\left(\prod _{j\in t}{g}_1^{s{s}_j{L}_j}\right)·H{\left(\right|\theta |+1)}^r=g_1^{\alpha }·H{\left(\right|\theta |+1)}^r,\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill s{k}_{2,u}& =H{\left(u\right)}^r·R{K}^r,\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill s{k}_3& =g_2^r,\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill s{k}_4& =e\left(g_1^r,g_2^{H(uid\Vert msk)}\right).\hfill \end{array}$$

(18)

The complete secret key for each attribute $u\in S$ is then constructed as:

$$\begin{array}{c}\hfill sk=\left(RK,s{k}_1,{\left\{s{k}_{2,u}\right\}}_{u\in S},s{k}_3,s{k}_4\right).\end{array}$$

(19)

3.2.3. Data Owner Encryption: $\mathrm{DOEncryption}\left(\mathrm{Enc}\left(Message\right),mpk,(M,\pi ),p{p}_u\right)\to ct$

The Data Owner (DO) constructs an access control structure $(M,\pi )$ and conceals the original key k of $\mathsf{Enc}\left(Message\right)$ using the system public key $mpk$ and user public key $p{p}_u$.

Let random numbers be generated as follows: $s_1\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, $v\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, $s_2\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$. Given an access structure $(M,\pi )$ where M is an $n_1\times n_2$ matrix and $i\in \left[n_1\right]$ denotes a row index, the DO collaboratively generates the ciphertext with authorities ${\mathsf{AA}}_j$ corresponding to the attributes in the access policy:

$$\begin{array}{cc}\hfill c{t}_0& =k·e{(g_1^{\alpha },g_2)}^{s_1},\hfill \end{array}$$

(20)

$$\begin{array}{cc}\hfill c{t}_1& =g_2^{s_1},\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill c{t}_{2,j}& =g_2^{s_2\left[j\right]},\hfill \end{array}$$

(22)

$$\begin{array}{cc}\hfill c{t}_{3,i}& =H{\left(\right|\theta |+1)}^{M_i{(s_1\Vert v)}^{\top }}·H{\left(\pi \left(i\right)\right)}^{s_2\left[\rho \left(i\right)\right]}·R{K}^{s_2}.\hfill \end{array}$$

(23)

The complete ciphertext is constructed as:

$$\begin{array}{c}\hfill ct=\left(c{t}_0,c{t}_1,{\left\{c{t}_{2,j}\right\}}_{j\in \tau },{\left\{c{t}_{3,i}\right\}}_{i\in \left[n_1\right]}\right)\end{array}$$

(24)

where:

• In the access control matrix M, $\tau$ represents the maximum allowable number of repetitions for a single attribute.
• The blinding factor is given by $d=e{(g_1,g_2)}^{\alpha s_1}$.

3.2.4. Data User Decryption: $\mathrm{DUDecrypt}\left((M,\pi ),S,ct,sk\right)\to key$

If the data user’s attribute set S is an authorized set under the access control structure $(M,\pi )$, then there exists a set of constants ${\left\{{\gamma }_i\right\}}_{i\in I}$ such that: ${\sum }_{i\in I}{\gamma }_i{M}_i=(1,0,\dots ,0)$.

Furthermore, since the ${\mathsf{AA}}_j$ signatures embedded in the user’s secret key $sk$ coincide with those embedded in the ciphertext $ct$ by the data owner, the following computation can be performed:

$$\begin{array}{cc}\hfill key& =e(s{k}_1,c{t}_1)·{\displaystyle \frac{e\left({\prod }_{i\in I}{\left(s{k}_{2,\pi \left(i\right)}\right)}^{{\gamma }_i},c{t}_{2,j}\right)}{e\left({\prod }_{i\in I}{\left(c{t}_{3,i}\right)}^{{\gamma }_i},s{k}_3\right)}},\hfill \end{array}$$

(25)

$$\begin{array}{cc}\hfill k& ={\displaystyle \frac{c{t}_0}{key}}.\hfill \end{array}$$

(26)

3.2.5. Attribute Revocation: $\mathsf{Revoked}\to \left(\mathsf{Update}\right)$

The revocation protocol executes the following operations periodically:

The Authority (AA) updates the version number $v_a^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, collaboratively generates a new revocation value ${\delta }^{\prime }$.

The AA then publishes Update to non-revoked users and refreshes the following components:

$$\begin{array}{cc}\hfill R{K}^{\prime }& =g_1^{v_a^{\prime }{\delta }^{\prime }},\hfill \end{array}$$

(27)

$$\begin{array}{cc}\hfill \mathsf{Update}& ={\displaystyle \frac{R{K}^{\prime }}{RK}}.\hfill \end{array}$$

(28)

Upon receiving the update, non-revoked users can autonomously update their secret keys:

$$\begin{array}{c}\hfill s{k}_{2,u}^{\prime }=s{k}_{2,u,j}·\mathsf{Update}.\end{array}$$

(29)

Concurrently, the data owner updates the ciphertext using $\mathsf{Update}$:

$$\begin{array}{c}\hfill c{t}_{3,i}^{\prime }=c{t}_{3,i,j}·\mathsf{Update}.\end{array}$$

(30)

3.2.6. Accountability

If a secret key $sk$ is compromised, the Attribute Authority (AA) can initiate a tracing procedure using the component $s{k}_4$.

• Given: User identifier $ui{d}_n$ and version parameter $R{K}_n$.
• Compute:

  $$\begin{array}{c}\hfill \mathrm{UTK}\leftarrow {\displaystyle \frac{e\left(g_1^{H(uid\Vert msk)},s{k}_3\right)}{s{k}_4}}.\end{array}$$

  (31)
• Trace: The AA can pinpoint the accountable user by checking if $\mathrm{UTK}=1$.

4. Security Proofs

4.1. Security Model

We define the security of our revocable attribute-based encryption scheme against chosen-plaintext attacks (R-IND-CPA) via the following security game ${\mathsf{Game}}_{\mathrm{R}-\mathrm{ABE}}^{\mathrm{IND}-\mathrm{CPA}}(\mathcal{A},\lambda )$ between a challenger $\mathcal{C}$ and a probabilistic polynomial-time (PPT) adversary $\mathcal{A}$.

Initialization Phase: 

The challenger $\mathcal{C}$ runs the setup algorithm $\mathrm{AASetup}\left(\lambda \right)\to (mpk,msk)$, where the master secret key $msk$ is distributed among multiple authorities. $\mathcal{C}$ provides the public parameters $mpk$ to the adversary $\mathcal{A}$ and initializes the version number $v_a$ for each attribute along with a revocation list $RL$.

Query Phase 1: 

The adversary $\mathcal{A}$ may adaptively issue a polynomial number of queries to $\mathcal{C}$:

• Private Key Query $O_{sk}$: $\mathcal{A}$ submits an attribute set S and a user identity $uid$. $\mathcal{C}$ runs $\mathsf{AAkeyGen}(msk,uid)\to sk$ and returns the secret key $sk$ to $\mathcal{A}$.
• Revocation Query $O_{rev}\left(attr\right)$: $\mathcal{A}$ specifies an attribute $attr$. $\mathcal{C}$ simulates the attribute authorities to execute the revocation algorithm $\mathsf{Revoked}\to \mathsf{Update}$, updates the ciphertext to version $v_a\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, and sends the update information $\mathsf{Update}$ to $\mathcal{A}$.
• Corrupted Authority Query $O_{corrupt}\left(j\right)$: $\mathcal{A}$ may corrupt up to $t-1$ authorities. $\mathcal{C}$ returns the internal state (including secret shares) of authority ${\mathsf{AA}}_j$ to $\mathcal{A}$.

Challenge Phase: 

$\mathcal{A}$ submits two equal-length messages $m_0$ and $m_1$, along with a challenge access policy $(M^{*},{\pi }^{*})$. None of the attribute sets S queried in Phase 1 can satisfy $(M^{*},{\pi }^{*})$, and for any revoked attribute $attr$ in $(M^{*},{\pi }^{*})$, $\mathcal{A}$ cannot possess a key with version $v_a^{new}$ (the latest version after revocation). $\mathcal{C}$ randomly selects a bit $b\leftarrow \{0,1\}$, runs $\mathsf{DOEncryption}(\mathsf{Enc}\left(m_b\right),mpk,(M^{*},{\pi }^{*}),p{p}_u)\to c{t}^{*}$, and sends the challenge ciphertext $c{t}^{*}$ to $\mathcal{A}$.

Query Phase 2: 

$\mathcal{A}$ may continue to issue a polynomial number of $O_{sk}$, $O_{rev}\left(attr\right)$ and $O_{corrupt}\left(j\right)$: queries as in Phase 1, with the restriction that none of the queried attribute sets S satisfy the challenge policy $(M^{*},{\pi }^{*})$. $\mathcal{C}$ uses the latest attribute version numbers when generating keys.

Guess Phase: 

The adversary $\mathcal{A}$ outputs a guess $b^{\prime }$. The advantage of $\mathcal{A}$ in this game is defined as:

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathcal{A}}^{\mathrm{R}\text{-}\mathrm{IND}\text{-}\mathrm{CPA}}\left(\lambda \right)=\left|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.\end{array}$$

(32)

The scheme is said to be secure if for any PPT adversary $\mathcal{A}$, the advantage ${\mathbf{Adv}}_{\mathcal{A}}^{\mathrm{R}\text{-}\mathrm{IND}\text{-}\mathrm{CPA}}\left(\lambda \right)$ is negligible in the security parameter $\lambda$.

Security Properties: The security game ${\mathsf{Game}}_{\mathrm{R}\text{-}\mathrm{ABE}}^{\mathrm{IND}\text{-}\mathrm{CPA}}$ captures not only IND-CPA security but also the following properties:

• Collusion Resistance: Even if $\mathcal{A}$ obtains multiple private keys from different users and/or corrupts up to $t-1$ authorities, they cannot decrypt a ciphertext if none of the individual key’s attribute sets satisfies the access policy $(M,\pi )$.
• Forward Security: A secret key for an attribute at version $v_a$ cannot decrypt a ciphertext for the same attribute that has been updated to a newer version $v_a^{\prime }$ via a revocation query.
• Backward Security: A ciphertext for an attribute at version $v_a$ cannot be decrypted by a secret key for the same attribute that has been updated to a newer version $v_a^{\prime }$.

4.2. Notations and Encoding Definitions

Following the FABEO scheme, our construction can be defined within the following PES-ABE framework.

• System Parameters:

• Master key: $\alpha \in {\mathbb{Z}}_p$
• Revocation key: $\delta \in {\mathbb{Z}}_p$
• Attribute hash base: $\mathbf{b}=(b_1,\dots ,b_{\left|\theta \right|},b_{\left|\theta \right|+1})$
• Hash function for attributes: $H\left(u\right)=g_1^{b_u}$
• User identity hash: $t_{uid}=H(uid\Vert msk)\in {\mathbb{Z}}_p$
• Master secret key: $msk=(\alpha ,\delta )$

Secret Key Encoding: For version $v_a$ and user attributes $u\in S$, the secret key is encoded as $sk(S,v_a,uid)=(k^1,k^2)$:

$$\begin{array}{cc}\hfill k^1& =\left(\alpha +b_{\left|\theta \right|+1}·r\parallel b_u·r+\delta ·v_{a,u}·r\right),\hfill \end{array}$$

(33)

$$\begin{array}{cc}\hfill k^2& =r.\hfill \end{array}$$

(34)

Here, $v_{a,u}$ denotes the version number of attribute u at key generation. Notably, our scheme introduces an additional verification component $k^T=r·t_{uid}.$

• Ciphertext Encoding: For an access policy $(M,\pi )$, the ciphertext is encoded as $ct(M,\pi ,v_a)=(c^1,c^2)$:

  $$\begin{array}{cc}\hfill c^1& ={\left\{M_i({\mathbf{s}}_1\Vert \mathbf{v})·b_{\left|\theta \right|+1}+s_2\left[\rho \left(i\right)\right]·b_{\pi \left(i\right)}+\delta v_{a,\pi \left(i\right)}·s_2\right\}}_{i\in \left[l\right]},\hfill \end{array}$$

  (35)

  $$\begin{array}{cc}\hfill c^2& =({\mathbf{s}}_1\Vert {\mathbf{s}}_2).\hfill \end{array}$$

  (36)

Here, $v_{a,\pi \left(i\right)}$ denotes the version number of attribute $\pi \left(i\right)$ at encryption time.

• Decryption: When the key version matches the ciphertext version and the attribute set S satisfies the access policy, the decryption process symbolically recovers $\alpha {\mathbf{s}}_1$.

4.3. Symbolic Security

If our PES-ABE encoding is symbolically secure, then the system fails to decrypt correctly when either the user’s attributes do not satisfy the access policy, or the user’s attribute version number does not match the current version number.

We prove by contradiction. Specifically, we need to show that for $(M,\pi )\in \mathcal{X}$ and $S\in \mathcal{Y}$, if $P\left(\right(M,\pi ),S)=0$, then:

$$\begin{array}{c}\hfill \mathrm{span}(\tilde{\alpha }\otimes c_x^2)\cap \mathrm{span}(c_x^1\otimes k_y^2\Vert c_x^2\otimes k_y^1)=\left\{0\right\}.\end{array}$$

(37)

Here, $x=(M,\pi ,v_a^{ct})$ is the label containing the ciphertext version number; $y=(S,v_a^{sk},uid)$ is the label containing the key version number; and $(\tilde{\alpha },\tilde{\delta },\tilde{\mathbf{b}})$ are formal variables.

Assume, for contradiction, that there exists a non-zero vector ${\mathbf{e}}^{*}$ and non-zero coefficient vectors ${\mathbf{e}}_1$, ${\mathbf{e}}_2$ such that:

$$(\tilde{\alpha }\otimes c_x^2)·{\mathbf{e}}^{*\top }=(c_x^1\otimes k_y^2)·{\mathbf{e}}_1^{\top }+(c_x^2\otimes k_y^1)·{\mathbf{e}}_2^{\top }.$$

(38)

If the attribute set S does not satisfy the access structure $(M,\pi )$ yet decryption is possible, there must exist a vector $\mathbf{w}$ such that for all $\pi \left(i\right)\in S$, $\langle \mathbf{w},M_i\rangle =0$ and $\mathbf{w}\left[1\right]=1$.

Let $({\tilde{\mathbf{s}}}_1\Vert \tilde{\mathbf{v}})=\mathbf{w}$. Then, the polynomial in Equation (38) can be transformed into:

$$\begin{array}{cc}\hfill \tilde{\alpha }{\mathbf{e}}_1^{*}+\tilde{\alpha }{\tilde{\mathbf{s}}}_2{\mathbf{e}}_2^{*}=& \sum _{i=1}^l\left[M_i\mathbf{w}·{\tilde{b}}_{\left|\theta \right|+1}\tilde{r}+{\tilde{s}}_2\left[\rho \left(i\right)\right]{\tilde{b}}_{\pi \left(i\right)}\tilde{r}+\tilde{\sigma }{\tilde{v}}_{a,\pi \left(i\right)}{\tilde{s}}_2\tilde{r}\right]{\mathbf{e}}_1^{\top }\hfill \\ \hfill & +(\tilde{\alpha }+{\tilde{b}}_{\left|\theta \right|+1}\tilde{r}){\tilde{\mathbf{s}}}_2{\mathbf{e}}_{2,1}^{\top }+({\tilde{b}}_u\tilde{r}+\tilde{\delta }{\tilde{v}}_{a,u}\tilde{r}){\tilde{\mathbf{s}}}_2{\mathbf{e}}_{2,2}^{\top }.\hfill \end{array}$$

(39)

By comparing coefficients:

• For $\tilde{\alpha }$: The term $\tilde{\alpha }{\mathbf{e}}_1^{*}$ on the left has no corresponding term on the right. Thus, ${\mathbf{e}}_1^{*}=0$.
• For $\tilde{\alpha }{\tilde{\mathbf{s}}}_2$: The term $\tilde{\alpha }{\tilde{\mathbf{s}}}_2{\mathbf{e}}_2^{*}$ on the left must equal $\tilde{\alpha }{\tilde{\mathbf{s}}}_2{\mathbf{e}}_{2,1}^{\top }$ on the right. Hence, ${\mathbf{e}}_2^{*}={\mathbf{e}}_{2,1}^{\top }$.
• For ${\tilde{\mathbf{s}}}_2\tilde{r}$: Since $M_i\mathbf{w}=0$ for $\pi \left(i\right)\in S$, the equation simplifies to:

  $$\begin{array}{cc}\hfill 0=& \sum _{i:\pi \left(i\right)\in S}\left[{\tilde{s}}_2\left[\rho \left(i\right)\right]{\tilde{b}}_{\pi \left(i\right)}+\tilde{\sigma }{\tilde{v}}_{a,\pi \left(i\right)}{\tilde{s}}_2\right]\tilde{r}{\mathbf{e}}_1^{\top }\hfill \\ \hfill & +\sum _{i:\pi \left(i\right)\notin S}\left[M_i\mathbf{w}·{\tilde{b}}_{\left|\theta \right|+1}+{\tilde{s}}_2\left[\rho \left(i\right)\right]{\tilde{b}}_{\pi \left(i\right)}+\tilde{\sigma }{\tilde{v}}_{a,\pi \left(i\right)}{\tilde{s}}_2\right]\tilde{r}{\mathbf{e}}_1^{\top }\hfill \\ \hfill & +{\tilde{b}}_{\left|\theta \right|+1}{\tilde{\mathbf{s}}}_2\tilde{r}{\mathbf{e}}_{2,1}^{\top }\hfill \\ \hfill & +\sum _{u\in S}({\tilde{b}}_u+\tilde{\delta }{\tilde{v}}_{a,u}){\tilde{\mathbf{s}}}_2\tilde{r}{\mathbf{e}}_{2,2}^{\top }.\hfill \end{array}$$

  (40)
  This polynomial can be factored as $0=\left(\mathrm{polynomial}\right)·{\tilde{\mathbf{s}}}_2\tilde{r}$, so all coefficients must be zero. In particular, ${\tilde{b}}_{\left|\theta \right|+1}{\tilde{\mathbf{s}}}_2\tilde{r}{\mathbf{e}}_{2,1}^{\top }=0$ implies ${\mathbf{e}}_{2,1}^{\top }=0$, and thus ${\mathbf{e}}_2^{*}={\mathbf{e}}_{2,1}^{\top }=0$.

This contradicts the assumption that ${\mathbf{e}}^{*}$ is a non-zero vector. Therefore, no such non-zero vectors ${\mathbf{e}}^{*}$, ${\mathbf{e}}_1$, ${\mathbf{e}}_2$ exist when the attribute set does not satisfy the access policy or the key version mismatches the ciphertext version. Our scheme is symbolically secure under the PES-ABE encoding.

According to the proof in FABEO, if a PES-ABE scheme is symbolically secure, then it also satisfies strong symbolic security. This means the security model can be extended to multiple keys, multiple ciphertexts, and dynamic version queries as defined in ${\mathsf{Game}}_{R\text{-}ABE}^{IND\text{-}CPA}$. Consequently, our scheme also achieves strong symbolic security.

4.4. Enhanced Security Analysis

4.4.1. Collusion Resistance Formal Proof

• Multiple Users Collude
  Each user’s secret key contains a unique random value r. Consider two users A and B with $r^{\left(A\right)}\ne r^{\left(B\right)}$.
  If they attempt to combine their keys for decryption, they might use components from both users:

  $$\begin{array}{cc}\hfill key& =e(s{k}_1^{\left(A\right)},c{t}_1)·{\displaystyle \frac{e\left({\prod }_{i\in I}{\left(s{k}_{2,\pi \left(i\right)}^{\left(\mathrm{mix}\right)}\right)}^{{\gamma }_i},c{t}_{2,j}\right)}{e\left({\prod }_{i\in I}c{t}_{3,i}^{{\gamma }_i},s{k}_3^{\left(X\right)}\right)}}\hfill \end{array}$$

  (41)

  $$\begin{array}{cc}\hfill & =e{(g_1,g_2)}^{(\alpha +b_{\left|\theta \right|+1}{r}^{\left(A\right)})s_1}\hfill \end{array}$$

  (42)

  $$\begin{array}{cc}\hfill & ·{\displaystyle \frac{e{(g_1,g_2)}^{\left[{\sum }_{i\in I}{\gamma }_i{b}_{\pi \left(i\right)}{r}^{\left({\mathrm{src}}_i\right)}+\delta v_a{\sum }_{i\in I}{\gamma }_i{r}^{\left({\mathrm{src}}_i\right)}\right]s_2}}{e{(g_1,g_2)}^{{\sum }_{i\in I}{\gamma }_i\left[M_i(s_1{\left|\right|v)}^{\top }{b}_{\left|\theta \right|+1}+s_2\left[\rho \left(i\right)\right]b_{\pi \left(i\right)}+\delta v_a{s}_2\right]r^{\left(X\right)}}}}\hfill \end{array}$$

  (43)

  where ${\mathrm{src}}_i\in \{A,B\}$ indicates which user’s $s{k}_{2,\pi \left(i\right)}$ component is used for each $i\in I$, and $X\in \{A,B\}$ indicates which user’s $s{k}_3$ is used.
  For successful decryption, the $\delta v_a$ terms must cancel:

  $$\begin{array}{c}\hfill \delta v_a\left(\sum _{i\in I}{\gamma }_i{r}^{\left({\mathrm{src}}_i\right)}\right)s_2=\delta v_a\left(\sum _{i\in I}{\gamma }_i{s}_2\right)r^{\left(X\right)}\end{array}$$

  (44)

  This requires ${\sum }_{i\in I}{\gamma }_i{r}^{\left({\mathrm{src}}_i\right)}={\sum }_{i\in I}{\gamma }_i{r}^{\left(X\right)}$, which only holds if all $r^{\left({\mathrm{src}}_i\right)}=r^{\left(X\right)}$, that means all components come from the same user. Similarly, the $b_{\left|\theta \right|+1}$ terms require $r^{\left(A\right)}=r^{\left(X\right)}$.
  Therefore, colluding users cannot combine partial key components to decrypt a ciphertext that none could decrypt individually.
• Authority Collusion
  Consider the scenario where an adversary compromises up to $t-1$ attribute authorities, thereby obtaining their secret shares of the master keys.
  With $\left|\mathcal{M}\right|\le t-1$ compromised authorities, the adversary obtains shares ${\{s{s}_j^{\left(\alpha \right)}=f^{\left(\alpha \right)}\left(j\right)\}}_{j\in \mathcal{M}}$ and ${\{s{s}_j^{\left(\delta \right)}=f^{\left(\delta \right)}\left(j\right)\}}_{j\in \mathcal{M}}$, where $f^{\left(\alpha \right)}\left(z\right)$ and $f^{\left(\delta \right)}\left(z\right)$ are degree-$(t-1)$ polynomials satisfying $f^{\left(\alpha \right)}\left(0\right)=\alpha$ and $f^{\left(\delta \right)}\left(0\right)=\delta$.
  By the fundamental property of Shamir secret sharing, any set of at most $t-1$ shares provides zero information about the secret. Formally, for any candidate values ${\alpha }^{\prime },{\delta }^{\prime }\in {\mathbb{Z}}_p$, the conditional probability equals the prior probability:$Pr[\alpha ={\alpha }^{\prime }\mid {\left\{s{s}_j^{\left(\alpha \right)}\right\}}_{j\in \mathcal{M}}]=Pr[\alpha ={\alpha }^{\prime }]$, $Pr[\delta ={\delta }^{\prime }\mid {\left\{s{s}_j^{\left(\delta \right)}\right\}}_{j\in \mathcal{M}}]=Pr[\delta ={\delta }^{\prime }].$
  Consequently, even with $t-1$ shares, the adversary cannot reconstruct $\alpha$ or $\delta$, compute $g_1^{\alpha }$ or $g_1^{\delta }$, or generate valid key components $s{k}_1=g_1^{\alpha }·H{\left(\right|\theta |+1)}^r$ or $RK=g_1^{\delta v_a}$.
  To demonstrate security rigorously, suppose an adversary $\mathcal{A}$ could break IND-CPA security using only $t-1$ authority shares. We could then construct an algorithm $\mathcal{B}$ that takes $t-1$ shares of an unknown secret s, embeds them into a simulation of our scheme, and uses $\mathcal{A}$’s attack to gain information about s—contradicting the information-theoretic security of Shamir secret sharing. This reduction argument proves that authority collusion cannot compromise the system’s security.

4.4.2. Forward/Backward Security Proof

The version mechanism ensures:

Forward Security: After revocation to $v_a^{\prime }>v_a$, new ciphertexts contain $\tilde{\delta }{v}_a^{\prime }{\tilde{s}}_2$. Old keys have $\tilde{\delta }{v}_a\tilde{r}$. The mismatch term $\tilde{\delta }(v_a^{\prime }-v_a)\tilde{r}{\tilde{s}}_2$ prevents decryption.

Backward Security: Symmetrically, new keys with $\tilde{\delta }{v}_a^{\prime }\tilde{r}$ cannot decrypt old ciphertexts with $\tilde{\delta }{v}_a{\tilde{s}}_2$.

In our symbolic proof, this corresponds to ${\tilde{v}}_{a,\pi \left(i\right)}^{ct}\ne {\tilde{v}}_{a,u}^{sk}$ causing non-cancellation of $\tilde{\delta }$ terms.

4.5. Security Reduction

Under the Generic Group Model (GGM), given a security parameter $\lambda$, we consider an adversary $\mathcal{A}$ that performs at most Q group operations and oracle queries in the security game ${\mathsf{Game}}_{\mathsf{R}-\mathsf{ABE}}^{\mathsf{IND}-\mathsf{CPA}}(\mathcal{A},\lambda )$. If our scheme satisfies strong symbolic security, then the advantage of $\mathcal{A}$ in ${\mathsf{Game}}_{\mathsf{R}\text{-}\mathsf{ABE}}^{\mathsf{IND}\text{-}\mathsf{CPA}}(\mathcal{A},\lambda )$ is negligible:

$${\mathbf{Adv}}_{\mathcal{A}}^{\mathsf{R}\text{-}\mathsf{IND}\text{-}\mathsf{CPA}}\left(\lambda \right)\le {\displaystyle \frac{O\left(Q^2\right)}{p}}.$$

(45)

The security proof proceeds via a sequence of security games.

${\mathsf{Game}}_0$:

The challenger $\mathcal{C}$ and the adversary $\mathcal{A}$ interact according to the real scheme in ${\mathsf{Game}}_{\mathsf{R}\text{-}\mathsf{ABE}}^{\mathsf{IND}\text{-}\mathsf{CPA}}(\mathcal{A},\lambda )$. The challenge ciphertext is computed as $c{t}_0^{*}=m_b·e{(g_1,g_2)}^{\alpha s_1}$.

${\mathsf{Game}}_1$:

This game is identical to ${\mathsf{Game}}_0$, except that during random oracle queries $O_H(uid\Vert msk)$, if $uid$ is queried for the first time, the pair $(uid,t_{uid})$ is recorded and $t_{uid}$ is returned to $\mathcal{A}$, where $t_{uid}\leftarrow {\mathbb{Z}}_p$ is chosen uniformly at random.

${\mathsf{Game}}_2$:

This game is identical to ${\mathsf{Game}}_1$, except that the blinding factor in the challenge ciphertext is replaced. Specifically, $c{t}_0^{*}=m_b·T$, where $T=e{(g_1,g_2)}^t$ and $t\leftarrow {\mathbb{Z}}_p$ is random. Under the GGM and based on the proven strong symbolic security of our scheme, adversary $\mathcal{A}$ cannot distinguish between ${\mathsf{Game}}_1$ and ${\mathsf{Game}}_2$.

Indistinguishability:

• Transition from ${\mathsf{Game}}_0$ to ${\mathsf{Game}}_1$: The difference lies in the use of the random oracle model to ensure the randomness of the hash output. The adversary cannot recover $msk$ from the public parameters to distinguish between $H(uid\Vert msk)$ and the random $t_{uid}$. The advantage loss for $\mathcal{A}$ in this transition is ${\mathbf{Adv}}_{\mathcal{A}}^{\mathsf{ROM}}\left(\lambda \right)$.
• Transition from ${\mathsf{Game}}_1$ to ${\mathsf{Game}}_2$: Here, $\alpha s_1$ is replaced with a random variable t. According to the strong symbolic security, and under the constraints of the security game ${\mathsf{Game}}_{\mathsf{R}\text{-}\mathsf{ABE}}^{\mathsf{IND}\text{-}\mathsf{CPA}}(\mathcal{A},\lambda )$, that here all queried attribute sets do not satisfy the challenge access policy, the polynomial $\alpha s_1$ does not lie in the span of the other polynomials. Therefore, $\mathcal{A}$ cannot distinguish $\alpha s_1$ from a random t. By the standard argument of strong symbolic security within the GGM, the adversary’s advantage in this step is bounded by ${\displaystyle \frac{O\left(Q^2\right)}{p}}$.

In summary, the advantage of the adversary in ${\mathsf{Game}}_{\mathsf{R}\text{-}\mathsf{ABE}}^{\mathsf{IND}\text{-}\mathsf{CPA}}(\mathcal{A},\lambda )$ is:

$${\mathbf{Adv}}_{\mathcal{A}}^{{\mathsf{Game}}_0}\left(\lambda \right)\le {\mathbf{Adv}}_{\mathcal{A}}^{{\mathsf{Game}}_1}\left(\lambda \right)+{\displaystyle \frac{O\left(Q^2\right)}{p}}\le {\mathbf{Adv}}_{\mathcal{A}}^{\mathsf{ROM}}\left(\lambda \right)+{\displaystyle \frac{O\left(Q^2\right)}{p}}.$$

(46)

This completes the proof.

Therefore, our scheme is IND-CPA secure under the GGM, and also achieves forward security, backward security, and collusion resistance.

5. Performance Evaluation

5.1. Theoretical Analysis

As shown in

Table 1. Storage Overhead Comparison.

Scheme	Key Size	Ciphertext Size
FABEO	$(2m+3)G+2G_T$	$(3l+1)G+G_T$
MTA-CPABE	$(m+6)G+(1+m)G_T$	$(4n+3)G+G_T$
TR-AP-CPABE	$(2logN+m)G+l{G}_T$	$(n+1)G+G_T+logTG$
OO-MA-CPABE-CRF	$(m+1)G_1+G_2$	$n{G}_1+2G_2$
Ours	$(m+2)G_1+G_2+G_T$	$l{G}_1+2G_2+G_T$

, we compare the key size and ciphertext size of each scheme, and as shown in

Table 2. Computational Overhead Comparison.

Scheme	Key Generation	Encryption	Decryption
FABEO	${[1\mathrm{M}+(m+2)\mathrm{E}+(m+1)\mathrm{H}]}_{G_1}+{\left[1\mathrm{E}\right]}_{G_2}$	${[l\mathrm{M}+2l\mathrm{E}+(l+1)\mathrm{H}]}_{G_1}+{\left[2\mathrm{E}\right]}_{G_2}$	$3\mathrm{P}+{[2x\mathrm{E}+2(x-1)\mathrm{M}]}_{G_1}+{[\mathrm{M}+\mathrm{D}]}_{G_T}$
MTA-CPABE	${[(d+mK+U+m)\mathrm{M}+(2d+2mK+2U+2)\mathrm{E}]}_G$	${[(2l+1)\mathrm{M}+(3l+t+5)\mathrm{E}]}_G$	${[(3x-1)\mathrm{M}+x\mathrm{E}]}_{G_T}+(3x+2)\mathrm{P}$
TR-AP-CPABE	${[(1+m)\mathrm{M}+(2m+5)\mathrm{E}]}_G$	${[l\mathrm{M}+(4l+c+2)\mathrm{E}]}_G$	${[(x+1)\mathrm{M}+1\mathrm{E}]}_G+{[(3x+2)\mathrm{M}+(x+1)\mathrm{E}]}_{G_T}+(3x+2)\mathrm{P}$
OO-MA-CPABE-CRF	$(3+2m)\mathrm{E}+m\mathrm{M}$	$(2l+1)\mathrm{M}+2l\mathrm{E}$	$\left(3\right|I|+1)\mathrm{P}+3\left|I\right|\mathrm{M}+1\mathrm{E}$
Ours	${\left[(2m+4)\mathrm{E}\right]}_{G_1}+{\left[1\mathrm{E}\right]}_{G_2}+\mathrm{P}+{\left[m\mathrm{M}\right]}_{G_1}$	${\left[2\mathrm{E}\right]}_{G_2}+{[3l\mathrm{E}+2l\mathrm{M}]}_{G_1}$	$3\mathrm{P}+{[2x\mathrm{E}+2(x-1)\mathrm{M}]}_{G_1}+{[\mathrm{M}+\mathrm{D}]}_{G_T}$

Notations: m: Number of attributes in the attribute set; $l,n$: Number of rows and columns in the MSP matrix; x: Total number of attributes used in decryption; d: Height of the user management binary tree; t: Bit-length of version number space; K: Average number of non-revoked user nodes per attribute; U: Total number of non-revoked users; c: $\left|\mathrm{cover}\right(R\left)\right|$ (Number of cover nodes for revocation); $\left|I\right|$: Size of attribute set used in decryption; P: Pairing operation; E: Exponentiation operation; M: Multiplication operation; D: Division operation; H: Hash-to-group operation.

, we compare their computational overhead. Our R-T-D-ABE scheme demonstrates significant theoretical advantages across all key performance metrics.

For key and ciphertext size, our scheme achieves a key size of $(m+2)G_1+G_2+G_T$, which is comparable to the FABEO scheme’s $(2m+3)G+2G_T$. Compared to the structurally simplest OO-MA-CPABE-CRF scheme that does not support revocation, our scheme implements fine-grained attribute revocation by introducing only a minimal number of group elements, achieving an excellent balance between storage efficiency and functional richness. This compactness stems from our design strategy of component embedding rather than module appending. The revocation key $RK$ is integrated into $s{k}_{2,u}$ ($s{k}_{2,u}=H{\left(u\right)}^r·{RK}^r$), avoiding separate storage allocation while adding only one $G_T$ element for traceability ($s{k}_4$).

For key generation, the required overhead is ${\left[(2m+4)\mathrm{E}\right]}_{G_1}+{\left[1\mathrm{E}\right]}_{G_2}+\mathrm{P}+{\left[m\mathrm{M}\right]}_{G_1}$, with complexity growing linearly with the number of attributes, m. The additional pairing operation (‘P’) primarily stems from the construction of the non-interactive traceability component $s{k}_4=e(g_1^r,g_2^{H\left(uid\right|\left|msk\right)})$, which introduces only one $G_T$ element. Despite supporting multi-authority attribute revocation and accountability—a feature that leads to considerable complexity in MTA-CP-ABE and TR-AP-CPABE—our approach maintains a lower key generation overhead. This efficiency makes it particularly suitable for complex P2P network applications characterized by large attribute sets.

For encryption performance, the required overhead is ${\left[2\mathrm{E}\right]}_{G_2}+{[3l\mathrm{E}+2l\mathrm{M}]}_{G_1}$, where complexity scales with the number of rows l in the access policy matrix. A key factor contributing to this performance is that our scheme, similar to FABEO, shifts the bulk of the computational load to the smaller $G_1$ group. Importantly, the revocation component $RK$ is multiplied as a common factor into each $c{t}_{3,i}$, adding only constant $G_1$ multiplication overhead without changing the asymptotic complexity. This strategic choice results in significantly faster encryption compared to other schemes, highlighting a clear advantage in encryption performance.

For decryption efficiency, our scheme requires only $3\mathrm{P}+{[2x\mathrm{E}+2(x-1)\mathrm{M}]}_{G_1}+{[\mathrm{M}+\mathrm{D}]}_{G_T}$ in computational overhead. This is substantially lower than the demanding pairing operations (up to $\left(3\right|I|+1)$ or $(3x+2)$) in other schemes. The minimal 3 pairings result from algebraic cancellation: the $RK$ factors in $s{k}_{2,u}$ and $c{t}_{3,i}$ cancel during pairing, while $s{k}_4$ is excluded from normal decryption. This preserves the efficiency of the core CP-ABE structure despite added functionalities. The exceptional decryption efficiency underscores the suitability of our scheme for resource-constrained devices, such as mobile terminals and IoT nodes.

In summary, our scheme demonstrates well-rounded performance across multiple metrics: key/ciphertext size, key generation, encryption, and decryption overhead. It successfully integrates multi-authority attribute revocation and accountability into P2P networks, achieving an effective equilibrium between functionality, efficiency, and security. Consequently, the proposed scheme offers a practical and efficient solution for P2P applications.

5.2. Experimental Analysis

We conducted a comparative evaluation of our scheme against several schemes, including FABEO, MTA-CP-ABE, OO-MA-CP-ABE, and R-CP-ABE-Key-Tree. All implementations were executed on an ASUS TUF Gaming A15 laptop equipped with an AMD Ryzen 97940H processor and 16 GB RAM, running Windows 11. The experimental code was developed using the Charm-Crypto library 0.5 and Python 3.7. All tests were conducted under worst-case scenarios, as detailed below:

• For Setup, Key Generation, Encryption, and Decryption Tests: We fixed the number of users to 1, varied the number of attributes from 10 to 500 with a step size of 10, and employed the strictest access policy by connecting all attributes using AND gates only.
• For Ciphertext Update and Key Update Tests: We fixed the number of attributes to 3, set the access policy to $(1\wedge 2)\wedge 3$, simulated the revocation of attribute 2, and varied the number of users from 10 to 500 with a step size of 10.
• For Accountability Tests: We simulated the worst-case tracing scenario requiring traversal of the entire user list to identify the malicious user, while varying the number of users from 10 to 500 with a step size of 10.

Setup Time: As shown in Figure 2, the setup time of our R-T-D-ABE scheme exhibits a curvilinear growth pattern. Notably, in small-to-medium systems with fewer than 370 attributes, our scheme outperforms MTA-CP-ABE, demonstrating good practicality. Considering that system initialization is an infrequent operation in real-world applications, and our scheme achieves excellent performance in subsequent high-frequency operations such as key generation, encryption, and decryption, this initialization overhead is entirely acceptable. More importantly, our scheme supports both attribute revocation and accountability through a single initialization, providing significant advantages in practical deployment.

Key Generation Time: As shown in Figure 3, under the worst-case testing conditions (single user, all-AND policy), our scheme demonstrates exceptional performance in key generation. When the number of attributes reaches 500, R-T-D-ABE requires only approximately 0.6 s to complete key generation, significantly outperforming other schemes, and is only slightly slower than the optimal FABEO scheme (0.3 s). It is noteworthy that our scheme additionally supports revocability and traceability, which are features not offered by FABEO, making the achieved key generation efficiency particularly remarkable.

Encryption Time: As shown in Figure 4, under the worst-case all-AND policy, our scheme maintains encryption performance comparable to the optimal scheme, FABEO. With 500 attributes, our scheme requires 0.9 s for encryption, while FABEO requires 0.7 s. Although slightly slower than FABEO, our scheme still significantly outperforms other comparative schemes. The ability to maintain such high encryption efficiency while simultaneously achieving revocation and traceability functionalities fully demonstrates the superiority of our approach.

Decryption Time: As shown in Figure 5, under the worst-case all-AND policy, the decryption performance curve of our scheme almost completely overlaps with that of FABEO, far surpassing other schemes. This excellent performance confirms the high efficiency of our scheme during decryption, making it particularly suitable for P2P networks where nodes often have limited computational resources or require high responsiveness.

Key Update and Ciphertext Update Time: As shown in Figure 6 and Figure 7, we tested attribute revocation by fixing the access policy and simulating revocation events. The results indicate:

• Key Update: Our scheme demonstrates outstanding performance in key update. As shown in Figure 6, even with 500 users, the key update time remains below 0.003 s, significantly outperforming R-CP-ABE-Key-Tree. This near-real-time key update capability makes our scheme particularly suitable for highly dynamic P2P network environments.
• Ciphertext Update: As illustrated in Figure 7, our scheme requires only 1.4 s for ciphertext update with 500 users. Although this is slightly higher than the R-CP-ABE-Key-Tree scheme, it is better than MTA-CP-ABE. Notably, the R-CP-ABE-Key-Tree scheme requires up to 4 s for key update. Therefore, considering the overall revocation efficiency, our scheme exhibits a clear advantage.

Accountability Time: As shown in Figure 8, we simulated the worst-case accountability scenario (requiring traversal of all users to locate the malicious user). Our scheme requires only 0.95 s for tracing even with 500 users. This result indicates that the traceability feature of our scheme does not introduce significant performance overhead in practical deployment, demonstrating highly efficient tracing capability.

6. Conclusions and Future Work

In this paper, we propose a decentralized, revocable, and accountable CP-ABE scheme for P2P networks. By using a threshold-based distributed protocol for master key generation and a user identity binding mechanism, the scheme addresses key challenges in P2P environments: efficiency, centralized trust reliance, and dynamic user management. Theoretical and experimental results show that our scheme retains encryption/decryption performance close to non-revocable schemes while supporting near-real-time key updates and efficient traceability.

Future work will focus on strengthening the formal security proof and extending the scheme to support cross-domain collaboration and dynamic policies in complex P2P scenarios.