1. Introduction
Public cloud storage enables users to store their huge data in a professional storage service platform at a relatively cheap cost. Additionally, the service can be handy and flexible to satisfy the changing needs of customers. Meanwhile, a user can access the data anywhere as long as he is connected to the Internet. In a public cloud, the security issues are always critical. Research [1,2,3,4,5,6,7] on confidentiality, integrity, availability, auditability and so on has been proposed to address various security problems. However, if a cloud service provider (CSP) is suspicious, the security problems could become much more complicated. Unlike in a distributed system such as a P2P grid, whose trust model is usually constructed specially for that setting, in a traditional centralized cloud storage system users have to trust the cloud service provider (CSP) completely, because the data stored in the cloud is completely under the control of the CSP. But in fact, the CSP is usually a semi-trusted party (honest but curious), and sometimes even a suspicious party. This adds security concerns about data leaking and abuse, and it becomes the major obstacle for users who try to move their data to a public cloud.
Distinct from normal cloud storage, Kamara and Lauter [5] proposed a new architecture referred to as cryptographic cloud storage (CCS). In a CCS system, the data owners (DO) instead of the CSP are in charge of the management of data security. The CSP only provides the storage service in CCS, because the CSP should usually be considered a semi-trusted party.
Among the operations of security management, access control is a critical function which offers data availability (such as data sharing). To enforce data access control, before uploading data to the cloud, a DO encrypts the data and ensures that only the authorized users can decrypt it. In [5], CP-ABE schemes are suggested for realizing this access control.
Unlike traditional public key encryption, which performs one-to-one encryption, attribute-based encryption (ABE) [8] is a powerful tool to fulfill the requirement of one-to-many encryption. As a variant of ABE, the concept of CP-ABE was clarified by Goyal et al. [9], and Bethencourt et al. [10] proposed the first CP-ABE scheme which realized expressive and fine-grained access control over encrypted data. In a CP-ABE system, a set of attributes S is allocated to each user, and a DO can specify the access policy of a data item by encrypting the data with a corresponding access structure. Then only a data user whose attribute set S satisfies the access policy can decrypt the ciphertext. For example, Alice wants to share a message with all accountants in the company and the IT engineers of the New York branch. In a CP-ABE system, Alice can encrypt the message under the policy “accountant OR (IT engineer AND New York branch)”, then publish the encrypted message to the cloud. All users can download the message, but only a user who possesses the attribute {accountant} or the attributes {IT engineer, New York branch} can recover the message, because their attribute sets satisfy the access control policy. Obviously, CP-ABE can provide role-based, fine-grained, and expressive access control based on this special encryption method; moreover, the management of access control is transferred from the CSP to the data owners. The data stored in a public CCS can be shared securely, even if the CSP may be suspicious. Thus, CP-ABE is regarded as an ideal technique for access control, especially in the case of cryptographic cloud storage and similar scenarios.
However, to implement a CP-ABE scheme in CCS, there is still an important security issue in CP-ABE that needs to be solved, that is, how to effectively identify a malicious user who illegally shares his access privilege with others. Suppose that a content service provider rents cryptographic cloud storage to provide its service, and allocates a private key for the attribute set Sa = {Los Angeles area, San Francisco area, e-book, video} to Alice, while Bob is assigned a key for the attribute set Sb = {San Francisco area, e-book, video}. In most CP-ABE systems, both of them are capable of generating a decryption key corresponding to the attribute set {San Francisco area, e-book} for others. Meanwhile, it is difficult to identify whether it is Alice or Bob who performed the key sharing. Moreover, Alice or Bob can also build a decryption device/black-box with his/her key embedded in it, and provide a decryption service to others. As a result, if it is not possible to identify who has performed the illegal privilege sharing, then a malicious user could make profits or even compete with the content service provider.
Because the access policies are role-based and the users’ privileges are embodied in the attribute keys, this is a common problem for CP-ABE systems. In general, the problem involves two factors: (1) leaking private keys to unauthorized users, and (2) constructing a decryption device/black-box to share privileges with others. To address the problem, a CP-ABE system needs to support traceability. Corresponding to the description above, Liu et al. [11] clarified the concept of traceability and pointed out that there are two levels of traceability. Level one is referred to as white-box traceability. This means that, given a well-formed decryption key, the tracing algorithm can identify the key owner. It implies the ability to trace a new key which is created from the malicious user’s original key. Level two is referred to as black-box traceability. This means the tracing algorithm can identify the builder of a decryption black-box/device, even if the decryption algorithm and the decryption key are unknown to the tracing algorithm. Obviously, tracing a black-box is much more difficult. However, black-box traceability implies white-box traceability, thus black-box traceability usually makes more sense for security.
Since Liu et al. presented the first black-box traceable CP-ABE scheme in [11], several general black-box traceable schemes [12,13,14,15] have been proposed. However, the computation of the schemes in [11,12,13,14] could be costly, especially for the tracing algorithm, which needs to run the encryption for times (N denotes the number of users in the system) to trace a black-box. Hence, it is almost impossible to apply these schemes in a system of medium size (e.g., N is more than 1000) or larger. In addition, because the ciphertext size or public key size is sub-linear or linear in N, these schemes are also unscalable. This means they are very difficult to implement in practice. A practical black-box traceable construction, which is scalable and whose tracing algorithm runs in time, is presented in [15]. To the best of our knowledge, it is the most efficient black-box traceable scheme. However, instead of the standard model, a generic group model [16], which is an artificial model based on the assumption that the adversary has to access an oracle to perform any group operation, is applied to prove the security of the scheme. This is considered a major security limitation of the scheme.
Our contribution. On the basis of the analysis above, we believe it is necessary to realize black-box traceability in CCS. But we can see that most black-box traceable CP-ABE schemes are impractical due to costly computation, the absence of scalability, or the inefficiency of the tracing method. Although the scheme of [15] is the first to provide a practical black-box traceable CP-ABE scheme, it is not that secure because its security proof is based on the generic group model instead of a standard model. Motivated by seeking a practical and secure CP-ABE scheme for the efficient implementation of access control in CCS, we design a new black-box traceable scheme. The following features make the scheme truly practical for the CCS system.
High practicability: To solve the problem of unacceptable computation cost, and to make the scheme practical for most CCS systems, our scheme is constructed on prime order bilinear groups instead of composite order bilinear groups. This sharply cuts down the computation cost of group operations in the CP-ABE system. Unlike most prior black-box traceable schemes, our scheme is scalable and significantly more efficient. More importantly, in our construction, the cost of the tracing algorithm is or even . Therefore, the scheme could be very practical in a variety of applications.
Provable security: The scheme is proved secure under a selective standard model while achieving a high efficiency similar to the scheme of [15].
2. Related Work
Based on the works of the ABE system, Goyal proposed two variants of ABE: Key-policy ABE (KP-ABE) and CP-ABE. In a KP-ABE system, the message is encrypted under an attribute set, and an access formula over attributes is assigned to the user’s private key. On the contrary, in a CP-ABE system, an attribute set is assigned to a user’s private key, and a message is encrypted under an access formula over attributes. In both systems, the user can decrypt the message when the attribute set satisfies the access formula. Bethencourt, Sahai, and Waters (BSW) [10] proposed the first expressive CP-ABE scheme. The BSW scheme is highly efficient in computation and its access policy can be fine-grained and expressive. But the BSW system has the limitation that it is not proved secure in a standard model. To make up for this deficiency, in subsequent works, various CP-ABE schemes were proposed [17,18,19,20,21,22,23,24,25,26,27,28,29,30]. Most of these schemes manage to achieve provable security in a standard model, and some of the works also improve performance or provide extra security features such as access structure hiding, user revocation, or multi-authority.
However, as mentioned in the previous section, the lack of traceability could be a great obstacle to the utilization of CP-ABE schemes. To support traceability and prevent the abuse of private keys, Jin Li et al. [31] proposed an accountable CP-ABE scheme. In the key generation of this scheme, some user-specific information is embedded in the user’s private keys, hence a malicious user can be identified from the leaked key. However, in their scheme, to trace a malicious user, his original private key must be obtained. Thus, a malicious user can choose to construct a decryption black-box with his private key hidden in it, and sell it to others. So it is not full traceability. Liu et al. [11] clarified the concept of traceability and categorized it into two kinds: white-box and black-box traceability. Actually, accountable CP-ABE schemes can be classified as white-box traceable schemes, as can the schemes of [6,32,33,34,35,36]. White-box traceability is not full traceability, because the decryption black-box is still untraceable in these systems.
To solve the issue, Liu firstly presented a black-box traceable CP-ABE scheme in [11]. Their construction is inspired by the work of Boneh and Waters [37], which is a traceable broadcast encryption scheme. Furthermore, Liu et al. [11,12] classified decryption black-boxes into key-like black-boxes and policy-specific black-boxes. A key-like decryption black-box is associated with an attribute set, and it can decrypt a ciphertext if the access policy of the ciphertext can be satisfied by that attribute set. A decryption black-box is referred to as policy-specific if it is associated with an access policy, and it can decrypt ciphertexts with that access policy. A key-like black-box has a stronger decryption ability than a policy-specific black-box, but tracing a policy-specific black-box is more difficult. Liu et al. proved that if a policy-specific black-box is traceable in a CP-ABE scheme, the key-like black-box must also be traceable. Therefore, the work of [12] focused on how to trace a policy-specific black-box. As the first two black-box traceable schemes, these schemes are constructed on composite order groups, which makes group operations very costly. Besides that, the ciphertext length and the public key size are sub-linear in the number of system users, so the system is unscalable. To improve the ciphertext efficiency, Ning et al. [13] presented a scheme with a short ciphertext whose size is linear in the size of the access policy rather than the number of system users. Their scheme also has traceability against policy-specific black-boxes.
However, the computation costs of the black-box traceable schemes mentioned above are expensive, because all of them are constructed on composite order bilinear groups, which results in great losses in computation efficiency and makes them impractical in many settings. Thus, Liu et al. [38] proposed a new black-box traceable scheme based on prime order groups. After that, to provide full security and achieve better efficiency, Liu et al. [14] presented another scheme on prime order groups by making use of dual pairing vector spaces (DPVS), as developed by Lewko [39]. But the tracing algorithm of all these schemes could be costly, because the encryption has to be performed for times in tracing (N denotes the number of users). Since the costs of encryption and decryption are both relatively heavy, tracing a black-box may be impractical in a system of medium or larger size. In addition, all these schemes are unscalable, because the sizes of the public key and the ciphertext are sub-linear in N.
Hence, a lightweight black-box traceable scheme which is scalable is proposed in [15], and it is practical in a large system because the overhead of the tracing algorithm is . The work of [15] is derived from the construction of the BSW scheme and achieves a similar efficiency. However, the scheme has the same security limitation as the BSW scheme, that is, it is only proved secure in the generic group model. Thus, its security is considered weak because the security proof is not based on standard complexity assumptions.
Therefore, we are motivated to design a novel black-box traceable scheme which is proved secure in a standard model while keeping the advantages of [15]. In fact, we adopt a relatively simple construction based on prime order groups, so as to largely lower the cost of group operations. At the same time, we design a highly efficient tracing mechanism, by using which we can trace a malicious user in or time. In our construction, the ciphertext size, the public key length, and the private key length are all independent of the number of users, which makes the scheme scalable. Meanwhile, we design a subtle construction to realize security under the decisional q-parallel Bilinear Diffie-Hellman Exponent assumption (decisional q-parallel BDHE) [30]. To the best of our knowledge, the work of this paper is the first practical black-box traceable CP-ABE scheme that is provably secure in a standard model. It overcomes the deficiencies of prior black-box traceable schemes, and enables the secure implementation of access control in CCS.
4. Our Construction
Here, we present the concrete construction of our system. We also present a performance analysis and compare our scheme with the recent works. From the analysis, we show that our scheme is valuable for practical application in CCS due to the efficient computation and the scalability of the system.
4.1. Concrete Construction
In our construction, we make use of the LSSS access matrix as our access structure. Note that the notation denotes, for example, the set .
Setup. Taking as inputs the attribute universe
U and the security parameter
(
determines the size of
p), this algorithm chooses a bilinear group generator to produce
. Then, the algorithm randomly chooses exponents
and the group elements
. It publishes the public parameter as:
and secretly keeps the master key
.
KeyGen. This algorithm generates a private key
according to the user’s attribute set
S by applying the master key
. It selects the exponents
at random. Then, it computes and outputs the key
:
and records
in a list
.
Encrypt.
Encrypt algorithm encrypts a message
M under
by using the public parameter
.
A is an
LSSS matrix according to the access policy, and each row
of
A can be mapped to an attribute
. This algorithm chooses the elements of vector
at random. Then, for each row
of
A, it randomly chooses
and calculates
. Finally, it outputs ciphertext
as
Decrypt. The algorithm decrypts a ciphertext
, that contains the access structure
, with the private key
and the public parameter
. If the access policy of
can be satisfied by an attribute set
(
S is the attribute set associated with
), the algorithm computes the constants
such that
, then computes
The algorithm continues to compute to finish the decryption. If the attribute set according to cannot satisfy , it outputs ⊥.
4.2. Traceability
When tracing a decryption black-box, we need to send the black-box a tracing ciphertext and analyze the decryption result to identify the keys embedded in the black-box, then expose the owner of the keys. We now describe our Encrypt algorithm, which is used to generate the tracing ciphertext, as follows:
Encrypt. The algorithm encrypts a message
M under
by using the public parameter
. This algorithm takes almost the same steps as algorithm
Encrypt. The only difference is that it chooses two random elements
s and
in
, and forms the sharing vector as
to calculate
. Then, it computes the ciphertext
as
and the
is
.
In a tracing ciphertext
,
are the shares of
rather than
s. So following this way, a black-box
can be tracked. Firstly, we choose an access structure
that can be satisfied by
of
, and select a message
at random. Secondly, we run algorithm
Encrypt, and send
to
while keeping the
. If
correctly performs the decryption algorithm
Decrypt as
and returns
, we can compute
. For every
in
, we compute
and compare it to
W, until they are equal. Then, we have this
as the identity of the decryption key of
. Therefore, if during the key generation the users’
are recorded corresponding to their private keys, we can expose the builder of
.
Note that in order to make sure that is always a valid message, we assume that group is the message space. So cannot distinguish between the normal ciphertext and the tracing ciphertext by determining whether is valid or not.
Efficient tracing. We can trace a black-box efficiently by setting the parameter rather than randomly choosing . In this case, is always set to 1. Thus, for the search in , we can directly compare W to , and make the search quite efficient.
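The Encrypt and Decrypt steps of Section 4.1 and the tracing ciphertext of Section 4.2 both rest on the LSSS layer: the encryptor picks a sharing vector whose first entry is the secret, computes one share per matrix row, and a decryptor whose attribute set satisfies the policy finds constants that recombine those shares into the first entry of that vector. The Python below is an added example, not the paper's code. It builds an LSSS matrix for the introduction's policy “accountant OR (IT engineer AND New York branch)” using the Lewko-Waters formula-to-matrix labelling (an assumption of this example; the paper's own LSSS definition in Section 3 is not on this page), shares a secret over a constructed prime modulus standing in for the group order p, and recovers the secret only for authorized attribute sets. The `tracing_shares` function isolates the one property the tracing ciphertext relies on: the reconstruction procedure returns whatever sits in the first slot of the sharing vector, so shares of a tracing value are processed exactly like shares of s. Group elements, pairings, and the real key and ciphertext components are deliberately left out.

```python
"""LSSS secret sharing as used by CP-ABE Encrypt/Decrypt (added example, not the paper's code)."""
import secrets

# Constructed modulus standing in for the prime order p of the bilinear group.
P = (1 << 127) - 1

# The Boolean policy from the paper's introduction, written as nested tuples.
POLICY = ("OR", "accountant", ("AND", "IT engineer", "New York branch"))


def policy_to_lsss(policy):
    """Convert a Boolean formula into an LSSS matrix A (rows over Z_p) and the
    row-to-attribute map rho, using the Lewko-Waters labelling (assumed here).
    A set of rows is authorized iff it can combine to the target (1, 0, ..., 0)."""
    rows = []
    counter = [1]  # current vector length; grows by one per AND gate

    def walk(node, vec):
        if isinstance(node, str):
            rows.append((vec, node))
            return
        gate, left, right = node
        if gate == "OR":
            walk(left, vec)
            walk(right, vec)
        elif gate == "AND":
            c = counter[0]
            counter[0] = c + 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError("unknown gate %r" % gate)

    walk(policy, [1])
    width = counter[0]
    A = [[x % P for x in vec] + [0] * (width - len(vec)) for vec, _ in rows]
    rho = [attr for _, attr in rows]
    return A, rho


def share(A, secret):
    """Encrypt step: v = (s, r_2, ..., r_n) with random r_j; share_i = A_i . v mod p."""
    n = len(A[0])
    v = [secret % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % P for row in A]


def solve_mod_p(M, ncols):
    """Gauss-Jordan elimination over Z_p on an augmented matrix (last column is the
    right-hand side). Returns one solution with free variables set to 0, or None
    if the system is inconsistent."""
    M = [row[:] for row in M]
    pivots = []
    r = 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], P - 2, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    for row in M:
        if not any(row[:ncols]) and row[ncols]:
            return None  # 0 = nonzero: the target vector is not in the row span
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = M[i][ncols]
    return sol


def reconstruction_constants(A, rho, attrs):
    """Decrypt step: over the rows whose attribute lies in attrs, find omega with
    sum_i omega_i * A_i = (1, 0, ..., 0). Returns {row: omega} or None when attrs
    does not satisfy the policy."""
    rows = [i for i, a in enumerate(rho) if a in attrs]
    if not rows:
        return None
    n = len(A[0])
    # n equations (one per column of A), one unknown per selected row.
    system = [[A[i][j] for i in rows] + [1 if j == 0 else 0] for j in range(n)]
    omega = solve_mod_p(system, len(rows))
    return None if omega is None else dict(zip(rows, omega))


def reconstruct(shares, omega):
    """sum_i omega_i * share_i equals the first entry of the sharing vector."""
    return sum(w * shares[i] for i, w in omega.items()) % P


def decrypt_secret(A, rho, shares, attrs):
    """Decryptor-side step: None for an unauthorized set, else the recovered value."""
    omega = reconstruction_constants(A, rho, attrs)
    return None if omega is None else reconstruct(shares, omega)


def tracing_shares(A, trace_value):
    """Tracing ciphertext at the LSSS level: the first slot of the sharing vector holds
    the tracing value instead of s. The shares are formed identically, so a decryptor
    (or black-box) running the normal procedure recovers the tracing value unaware."""
    return share(A, trace_value)


if __name__ == "__main__":
    A, rho = policy_to_lsss(POLICY)
    s = secrets.randbelow(P)
    shares = share(A, s)
    print("matrix rows:", list(zip(rho, A)))
    print("accountant recovers s:", decrypt_secret(A, rho, shares, {"accountant"}) == s)
    print("IT engineer alone:", decrypt_secret(A, rho, shares, {"IT engineer"}))
    t = secrets.randbelow(P)
    print("tracing value recovered:", decrypt_secret(A, rho, tracing_shares(A, t), {"accountant"}) == t)
```

For this policy the matrix has two columns: the row for accountant is (1, 0), the AND gate splits into (1, 1) for IT engineer and (0, -1) for New York branch, so the second pair cancels the random second coordinate only when both rows are present. An unauthorized set yields an inconsistent linear system, which is exactly the LSSS property the Decrypt algorithm and the proof of Theorem 1 rely on.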
4.3. Performance Analysis
4.3.1. Theoretical Analysis of Performance
In general, we can measure the normal performance of a CP-ABE system in terms of the computation costs of decryption and encryption, scalability, private key size, ciphertext size and so on. In Table 1, we provide a brief performance comparison of some related works.
In Table 1, m denotes the size of the access policy (the number of LSSS matrix rows), N is the number of system users, is the size of the attribute set involved in decryption, and is the size of the user’s attribute set. The encryption costs are measured by the number of exponentiations performed, and the decryption costs are measured by the number of pairing computations performed.
Computation efficiency. In fact, our scheme is much simpler than most prior black-box traceable schemes, especially the schemes of [11,12,13] which are constructed on composite order bilinear groups. In general, the order n of a composite order elliptic curve group must be at least 1024 bits, in order to make sure n is infeasible to factor. Meanwhile, a prime order elliptic curve group whose size is 160 bits can provide an equivalent level of security [41]. Thus, the group operations on composite order bilinear groups, especially pairing and exponentiation computations, are very costly. For example, the cost of a Tate pairing operation on a 1024-bit composite order elliptic curve is about 50 times the cost of the same pairing operation on a prime order curve with comparable security [42]. Hence, we construct our system based on prime order bilinear groups. Although the scheme of [14] is also constructed on prime order bilinear groups, it is clear in Table 1 that its computation cost is much higher than that of our scheme.
Scalability. In most prior black-box traceable CP-ABE schemes, the public key size, ciphertext length, or private key length depends on N, so the schemes are not scalable: the whole system has to be reset when a new user joins. This makes these schemes impractical in many applications. By contrast, our construction is scalable, because the size of the public key, the ciphertext length, and the private key length are all independent of N.
Tracing efficiency. As mentioned in Section 2, when there are relatively many users in a system, tracing could be very costly in most black-box traceable CP-ABE systems. To trace a black-box in [11,12,13,14], we need to perform the tracing step for times, and each time we have to run the encryption algorithm for times, where and is the security parameter. In our system, one just needs to perform the algorithm Encrypt once to trace a black-box, and Encrypt has the same cost as the normal encryption algorithm Encrypt. In addition, in our scheme one has to search the to find the malicious user, but it is a light operation and the cost is at most . Actually, by making use of efficient tracing, the searching cost is almost negligible in contrast to the encryption. In this case, if the cost is measured in terms of heavy operations such as exponentiations and pairing computations, the cost of tracing is .
Security. In Table 2, we also provide a brief security comparison with some related works. We can see in Table 2 that all the schemes are CPA secure or selectively CPA secure. But, different from [15], our scheme is based on a complexity assumption, thus it has security comparable to the schemes in [11,14,30]. In addition, by comparing the performance, it is obvious that the scheme of [15] and the scheme of this paper are the only two practical black-box traceable schemes that can be implemented in CCS. However, the scheme of [15] is only proved secure in a generic group model, while this work is proved secure in a standard model under a non-interactive assumption. Thus, this scheme is more suitable for the implementation of access control in CCS.
4.3.2. Performance Measurements
Obviously, the system performance of CP-ABE mainly depends on the encryption and decryption algorithms; thus, we implement our system in experiments and present the measurement results of the two algorithms. So far the scheme of Qiao et al. [15] is the most efficient black-box traceable CP-ABE scheme, thus we compare the measurement results of our work with the implementation of [15].
In the experiments, the access structure is set as a single AND gate. In the decryption tests, this guarantees uniformity and avoids the different outcomes caused by different decryption keys. We use an elliptic curve group whose element representations are 512 bits long and whose order is 160 bits long. The schemes are implemented using the Java Pairing Based Cryptography (JPBC) library [43]. We run all the experiments on the same PC, the CPU of which is an Intel Core i7-3520M.
As shown in Table 1, the performance of the encryption of [15] should be better than the encryption of this work. Actually, as shown in Figure 1, the encryption algorithm of this work is more efficient than that of [15]. This is because there are more hash operations that need to be performed in the encryption of [15]. Note that m denotes the number of attributes (the size of the access structure). By testing, we find that the average cost of a hash operation into group is 26 milliseconds, while the average cost of an exponentiation in group is 11 milliseconds. Therefore, although there are more exponentiation operations in this work, we achieve better performance than [15] for the encryption algorithm.
It is easy to see in Figure 2 that the decryption algorithm of [15] achieves better performance than that of this paper, because there are more pairing operations in the decryption algorithm of this work. The measurement results coincide with the theoretical analysis in Table 1.
In summary, the performance of this work is comparable to [15], and the security is improved because this work is provably secure in a standard model rather than a generic group model.
5. Security Proof
The proof of Theorem 1 shows that our CP-ABE scheme is selective CPA secure, and the proof of Theorem 2 shows that our system is compulsory traceable.
Theorem 1. Under the decisional q-parallel BDHE assumption, a polynomial time adversary can never selectively break our scheme with a challenge matrix A of size , where .
Proof of Theorem 1. We assume that an adversary can break our CP-ABE scheme with non-negligible advantage in the selective security game. We show that this adversary can be used to construct a simulator , which can be used to break the decisional q-parallel BDHE assumption with non-negligible probability. This leads to a contradiction if the decisional q-parallel BDHE assumption holds, which completes the proof.
Suppose that a decisional q-parallel BDHE challenge is given to the simulator.
Init. The adversary chooses an LSSS access structure with matrix A of size , where , and gives it to the simulator.
Setup. The simulator chooses exponents
at random, and set
, that means we have
. For each
,
X denotes the set
(
i is the index of the row in
A), and the simulator computes
and
as:
Note that if
, then
. It publishes the public parameter as:
Phase 1. For each private key query, the simulator responds to the query as follows. Suppose the adversary
gives the simulator a key query for an attribute set
S that does not satisfy the access structure
, and let the set
. Then, the simulator chooses
at random, and continues to find a vector
, such that
and
for all
. This vector must exist, due to the property of LSSS which is discussed in
Section 3. Then the simulator implicitly sets
by letting
Thus, for each
, the simulator randomly chooses
and computes:
J denotes the set . Note that all the terms of the form , which cannot be simulated, are canceled because .
Challenge. gives the simulator two messages
. The simulator flips a random coin
, and computes
To generate the rest of ciphertext, the simulator randomly chooses
and
. It implicitly constructs the secret sharing vector
and implicitly sets
. For each row
of
A, let the set
. Thus, the simulator produces the ciphertext as
and gives the whole ciphertext to
.
Phase 2. queries the simulator for private keys, and the response of simulator is the same as that in Phase 1.
Guess. outputs a guess
. When
the simulator outputs 0 to indicate that
, otherwise the output is 1. When
, the simulation is perfect, hence, we have
If
E is a random element
R of
,
b will be independent from
’s view. In this case, we have
. Thus,
can break the decisional
q-parallel BDHE assumption with a non-negligible advantage:
This completes the proof. ☐
By using the generic group model, we show that this scheme is compulsory traceable if the adversary acts generically on the groups.
The generic bilinear group model [
10]. Suppose that there are two random encodings
of group
, which are injective maps
, where
. Let the group
and
. We give oracles for the computation of the group operation on
and bilinear map
.
is referred to as the generic bilinear group.
Theorem 2. Let be defined as the generic bilinear group model. Suppose that the adversary receives no more than q group elements from its queries to the oracles and its interaction with the challenger. Then, in the security game of compulsory traceability, the advantage of is .
Proof of Theorem 2. This theorem indicates that if the group order p is large enough, has a negligible advantage in playing the security game for compulsory traceability. We proceed with the proof by introducing some notation. For encodings , we let , and denotes , and denotes .
At Setup time, the simulator randomly chooses exponents
. It publishes the public parameter as:
and keeps the master key
.
In Phase 1, for the
k’th private decryption key query according to the attribute set
, the simulator randomly chooses
. Then, it computes and outputs a private key:
as the response.
In a Challenge,
gives the simulator an access structure
with matrix
A of size
, and the simulator performs as follows. It firstly chooses a message
and an element
both at random. Then, it flips a coin
. When
the simulator sets
, otherwise it randomly chooses
. Next, the simulator constructs the vector
, where
are randomly chosen. For each row
of
A, it continues to choose
at random, and calculates
. Finally, the simulator outputs ciphertext
as
The simulator gives the ciphertext to .
In Phase 2, queries the simulator for private keys, and the response of simulator is the same as that in Phase 1. Note that there exists at least one set which satisfies the access structure .
Now, we continue the proof with the restrictions that (1) the order of
and
are
p, and (2)
can only apply the values it receives from the oracles or the simulator to make queries. Therefore, an oracle query must be a rational function
f of the variables
. To make it clear, all possible component terms of a query into
are enumerated in
Table 3. Thus, we can obtain any component term of a query into
by multiplying two of the types in
Table 3. In addition,
can also add the terms 1,
and
to a query into group
. In general,
can make queries into
that are the arbitrary linear combinations of those terms mentioned above.
In the next part of the proof, we can see that cannot determine whether or not because in this simulation his view is identically distributed to what his view could have been when the simulator sets .
Now, let us assume that the simulator sets in the challenge. It is obvious that in this case ’s view will differ only if he can construct two queries f and into group such that but . Therefore, we should have that , for some polynomial . It implies that can make a pair of queries, and , such that both of them contain the same polynomial . Next, we will show that it is impossible for to create such a pair of queries in the game.
Let the nonempty set
. Using a key
, where
,
can perform the computation:
by querying the oracle. Thus,
can get the query polynomial as the form of
, for some constants
and some set
. Obviously,
is the only polynomial form which
can create to satisfy the form of
. So
must be the polynomial
. It means that
has to be able to create the query such that
. To create a query containing
,
has to pair
with
, and there is no other way for
. Then,
can get the term
. However, none of the terms, that
has access to, can cancel the term
. So,
cannot create such a pair of queries
and
, as well as
f and
.
Therefore, unless there happens to be an “unexpected collision”,
’s view will be identically distributed to his view in the case of
. An unexpected collision means that two distinct functions
evaluate to the same value. At this point due to the random values of variables, the values of
f and
may coincide, that is
.
is a non-zero polynomial, thus, the probability of
is at most
[
16]. In this game,
can receive no more than
q elements. Hence, the probability that such a collision happens is
by a union bound. Thus, the advantage of an adversary in playing the compulsory traceability security game is
, and this completes the proof.
In fact, following the same way, we can prove that an adversary also cannot determine whether or not , therefore, the efficient tracing is also compulsory traceable. ☐