The original construction reported in Section 5 of [ 3 ] (henceforth CP-WATERS-KEM) makes use of a bilinear group, defined as follows:

Let and be two multiplicative cyclic groups of prime order . Let be a generator of and be a bilinear map: : × → . The bilinear map has the following properties: 1. Bilinearity: for all , ∈ and , ∈ , we have (, ) = (, ) = (, ). 2. Non-degeneracy: (, ) ̸= 1.

If the group operation in and the bilinear map are both eficiently computable, is said a bilinear group.

Here, we consider CP-WATERS-KEM in its small universe construction, however, an extension to the large universe construction (reported in Appendix A of [ 3 ]) is straightforward.

We implement a revocation scheme preventing decryption of ciphertext created after the key has been revoked. Note that this is not a general revocation scheme for ABE. Rather, it is a “forward revocation”, where only ciphertext generated after the actual revocation happens becomes hard to decrypt if the key has been revoked. To implement this kind of revocation, the original CP-WATERS-KEM scheme is slightly altered and combined with the cryptographic accumulator based on bilinear mappings described by Camenisch in [ 4 ].

The accumulator makes use of a set of indexes {} kept by the Authority and assigned to each released secret key. In the setup phase, the Authority initially creates an accumulator 0 = 1 and two public initially empty sets: = {} and = {}, where is the set of all indexes that will be ever added to the accumulator (but may have been subsequently removed). The sequence , . . . , , +2, . . . , 2 (but not +1) is made public by the Authority (e.g., as part of ). Appendix D of [ 4 ] suggests a possible technique to reduce the size of this sequence. The mathematical definition of the accumulator is the following: = ∏︁ +1+− = ∑︀̸= +1+− ∑︁ +1+− = +1 + ∑︁ +1+− ⇔ ∈ ∈ .

Where ∈ is a generator of the group of prime order , and is picked at random from

The schema is adapted from [ 2 ]. A revocable functional credentials scheme for an attribute universe Ω and a family of policies Φ consists of the following probabilistic algorithms: 1. MSK, MPK ← CKGen(1 ): The key generation algorithm takes input the security parameter ∈ N and outputs a key pair (MSK, MPK) of an issuer (master key pair). 2. credi, MPK′ ← GrantCred(MSK, Si): The grant credential algorithm takes input the master secret key MSK and a non-empty set of attributes Si ⊂ Ω and outputs a credential credi with i ∈ N for the corresponding set of attributes. It also outputs an updated master public key MPK′. 3. b ← < ShowCred(MPK, credi, f), VrfyCred(MPK, f) >: ShowCred takes input the master public key MPK, a credential credi, and a policy f ∈ Φ ; VrfyCred inputs the master public key MPK and a policy f. At the end, VrfyCred outputs either 0 or 1. 4. MPK′ ← Revoke(MPK, MSK, credi): takes input the master public key MPK, the master secret key MSK, and a credential credi ∈ GrantCred and outputs an update master public key MPK′. credi is said a "revoked credential". A non-revoked credentials is said a "valid credential".

By definition, for all ∈ N, for all (MSK, MPK) ∈ CKGen(1 ) for all S ⊂ Ω, for all cred ∈ GrantCred, for all f ∈ Φ such that f(S) = 1, a functional credentials scheme • is said correct if, assumed cred is valid (i.e., cred ̸∈ Revoke) it holds that

Pr[1 ← < ShowCred(MPK, cred, f), VrfyCred(MPK, f) >] = 1 • is said unforgeable if, chosen an arbitrary policy f, any adversary having access to all system issued credentials credi ∈ GrantCred but the ones satisfying the policy (i.e, f(credi) ̸= 1) and to all revoked credentials credj ∈ Revoke, has a negligible probability to succeed in the credential verification process. • is said anonymous if, arbitrarily chosen a policy f and two provers P0 and P1 owing non-revoked credentials credi, credj ̸∈ Revoke, both satisfying or not the policy (i.e., f(credi) = f(credj)), any adversary cannot distinguish between them.

Note that we leave out one optional feature described in the original paper (policy hiding).

To support revocable functional credentials as above defined, CP-WATERS-KEM is modified as follows: 1. (MPK, MSK) ← Setup(1 ): The algorithm outputs the master secret key and the master public key , and publishes the .

• The algorithm chooses a group of prime order and generator , random group elements ℎ1, ℎ2, . . . , ℎ (where is the maximum number of system attributes) and a bilinear pairing such that : × → . In addition, it chooses random exponents , , , ∈ . • The algorithm initially creates an accumulator 0 = 1, and two initially empty public sets: = {} and = {}, where is the set of all indexes that will be ever added to the accumulator (but may have been subsequently removed). • The public key is , , ℎ1, ℎ2, . . . , ℎ, , and

( , ) (, +1)

The master secret key is , , , , . • The sequence , . . . , , +2, . . . , 2 (but not +1) is made public by the

Authority. 2. (MPK′, SKi = (Ki, Li, ∀x∈S Ki,x, witi)) ← KeyGen(MPK, MSK, S): Key generation happens by taking as input the master keys ( , ) and a set of attributes that describe the key. The output is a randomized secret key. The Authority associates an index to each new generated secret decryption key .

• The algorithm includes in the set and : = ∪ {}, = ∪ {} and updates the accumulator : • The algorithm updates the terms in the master public key using the accumulator: and ( , ) (, +1), while the master secret key remains the same. • Chosen a random ∈ , the algorithm computes the secret decryption key component as as follows: = ++ , = and, for each ∈ , , = ℎ. • Also, the algorithm releases a new key component (the witness): = ∏︁ +1+− = ∑︀̸= +1+− . 3. MPK′ ← KeyRemove(PK, MSK, i): A similar step is also executed when the Authority needs to revoke a key . In this case, the algorithm simply removes from the set , recomputes the accumulator value and, consequently, the terms in the master public key using it: and ( , ) (, +1 ) as above (the master secret key remains the same).

With the addition or removal of elements to the accumulator, previously released witnesses become stale and any Client who has previously received a witness shall update it.

Therefore, the following step is introduced into the schema: 4. wit′i ← UpdateWitness(MPK, Vold, V, witi): The algorithm takes as input the old witness and updates it to match the new master public key and the current set of authorized indices . The new witness is locally computed using the following equation: ′ ←

∏︀ ∏︀ ∈/ +1+− ∈/ +1+− Note that the Client does not know +1 , hence, this algorithm fails when the condition ∈ ∩ is not verified, i.e. a Client cannot update its if is not (no more) in as a result of a revocation. In this case the update operation returns ′ = ⊥. 5. (C = (C′, C′′, ∀k∈[1,... l] Ck), ) ← Encrypt(MPK, Ml× m, ): The algorithm takes as input an access structure (, ) and the public key . is an × matrix, while is an injective function associating each row of to an attribute (i.e., = () ∈ ); note that in this construct one attribute is associated with at most one row. The output is a random secret and the ciphertext.

• Chosen a random vector ⃗ = (, 2, . . . , ) in and being the -th row of , the algorithm computes = · . • Together with a with description of (, ), the algorithm makes public the ciphertext:

ℎ− , ′′ = = ( ∏︁ +1− ) ′ = , = ∈ • Finally, the algorithm computes the random secret

= [( , ) (, +1 )] and keeps it private. 6. ← Decrypt(SKi, C): Dually, the decryption takes as input the ciphertext and the secret key . The output is the shared secret if and only if the set of attributes satisfies the access structure, or ⊥ otherwise.

• For each such that ∈ (i.e., consider only attributes in ), compute such that ∑︀ = (there could diferent sets of {} satisfying this equation) • Compute the random secret:

(′′, ) = ∏︀ [(, )(′, , )] (′, ) = [( , ) (, +1 )]

To understand why decryption works, consider the solution equation, and note the numerator is (′′, ) = (, ) ∑︀∈ +1+− ( ++ ) = (, ) ( , ) ( , )(, )∑︀∈ +1+−

As in the original CP-ABKEM decryption algorithm, the second factor ( , ) cancels out with the first part of the denominator: ∏︁[(, )(′, )] = ∏︁ ([ ℎ− , )(, ℎ )] = ∏︁ ( , ) = ( , )

Regarding the third factor (, )∑︀∈ +1+− we note that, if and only if the index is contained in the current accumulator (i.e., ∈ ), we have: (, )∑︀∈ +1+− = (, +1+∑︀̸= +1+− ) = (, +1 )(, ) [( , ) (, +1 )]

Partially cancelling out with the factor (, ) in the denominator. Therefore, the result of the computation is

To prove security, we use a security game based on the one presented in Section 5 of [ 3 ]. The adversary chooses to be challenged on an encryption to an access structure * , and can ask arbitrarily times for any private key that does not satisfy * . However, the original model is extended by letting the adversary query for private keys that satisfy the access structure, with the restriction that any of those keys shall be revoked before the challenge: • Setup. The challenger runs Setup algorithm and gives the public parameters, PK to the adversary. • Phase 1. The adversary makes repeated private keys corresponding to sets of attributes

S1, . . . , Sq′ (with 1 < ′ < ). • Revocation Using the keyremove algorithm in the schema, any key may (or not) be revoked. Phase 1 and Revocation may be arbitrarily interleaved. • Challenge. The adversary submits two equal length messages M0 and M1. In addition the adversary gives a challenge access structure A* such that none of the sets S1, . . . , Sq′ from Phase 1 satisfies the access structure, or such that any of those keys corresponding to sets satisfying the access structure has been revoked. The challenger flips a random coin , and encrypts M under A* . The ciphertext CT* is given to the adversary. • Phase 2. Phase 1 is repeated with the restriction that none of sets of attributes Sq′+1, . . . , Sq satisfies the access structure corresponding to the challenge. Revocation may also occur in this phase.

• Guess. The adversary outputs a guess ′ of .

The advantage of the adversary in the above game is = Pr[ ′ = ] − 21 and, by definition, the scheme is secure if all polynomial time adversaries have at most a negligible advantage. We use a selective proof, therefore the above game is augmented by an initial step Init in which the adversary commits to the challenge access structure * and to the final set of credentials that will eventually appear in the accumulator * .

Our security proof works under the General Difie-Hellman Exponent Problem introduced by Boneh, Boyen and Goh in [ 6 ]. Using this hardness assumption, in a longer version of this paper [ 7 ] we prove that chosen an access structure * , no polynomial time adversary can (selectively) break our system, provided all keys satisfying * have been revoked before the challenge.

Note that the presented security model supports only chosen-plaintext attacks. The model is extended to handle chosen-ciphertext attacks by allowing for decryption queries in Phase 1 and Phase 2. To achieve chosen-ciphertext security we use the Fujisaki-Okamoto transformation reported in subsection 3.1 and 3.2. As this transformation exactly applies as in the original paper, we let the reader refer to [ 5 ] for the security proof.

We use the above CP-ABE schema to implement the revocable functional credential schema in section 2.2(the protocol is also adapted from [ 8 ]): 1. CP-ABE Setup(1 ) algorithm takes place in order to generate the key pair ( , ). 2. The grant credential algorithm is implemented through the MPK′, SKi ← KeyGen(MPK, MSK, S) algorithm which releases credentials = corresponding to a non-empty set of attributes . It also outputs an updated master public key ′. 3. To check credential, chosen an access policy (i.e., a matrix × , and a function ), a verifier generates and encrypts a random secret through the CP-ABE Encrypt(MPK, Ml× m, ); and sends the resulting ciphertext to the prover. Using a credential ′, the prover executes ′ ← Decrypt(SK′, C) and sent back the result to the verifier. The verifier output 1 if = ′ and 0 otherwise. 4. Revocation of credential is implemented through the KeyRemove(PK, MSK, i) algorithm, which updates the master public key to ′.

Note that since each challenge encapsulates a randomly generated secret token, the protocol is natively immune to replay attacks.

The CCA-secure encryption algorithm is specified by the following steps: • The decrypting party (prover) shall choose a random number and send it to the encrypting party. • Received , the encrypting party (verifier) chooses an access structure and a secret and concatenates them to form the string |||| • The encrypting party runs the encryption algorithm of the original CP-WATERS-KEM or of the modified schema with revocation to get a random secret and the ciphertext. The seed |||| is used as a source of randomness for the encryption algorithm with u ← PRG(H′(rc||Kc||AP), ), where PRG is a pseudo random generator, is the length of the returned random bit string ( ∈ {0, 1}) and ′ is a collision-resistant hash function. – The random secret is (, ) for CP-WATERS-KEM or (( , ) (, +1 )) for the modified CP-WATERS-KEM. The encrypting party keeps it private and uses in the next step.

– The encrypting party releases the ABKEM ciphertext . • The encrypting party uses random secret above for XORing the concatenation || – Transform || into bytes (octects). – Using the pseudo random generator , get for CP-WATERS-KEM or r ←

PRG(H(e(g, g) s), ) r ←

PRG(H([e(accV, g) e(gb, g n+1 )]s), ) for the modified CP-WATERS-KEM, with being a collision-resistant hash function. – Finally, compute = ⊕ (||)

The CCA-secure decryption algorithm is specified by the following steps: • Run decryption of the original CP-WATERS-KEM or of the modified schema to decrypt the ciphertext and obtain the shared secret:

(, ) or for the modified schema. • Use that shared secret to generate randomness (( , ) (, +1 )) r ← r ← • Use generated randomness for XORing the ciphertext and retrieve and : ⊕ = (||) • Verify matches the random number chosen at beginning. • Run again the CCA-secure Encryption using |||| as a source of randomness and verify the result is equal to the received ciphertext .

Theorem. A polynomial time adversary, acting as a Verifier, cannot distinguish between any two provers with diferent CP-WATERS-KEM (plus Accumulator) keys, if their (non revoked) keys both satisfy (or not satisfy) the same access structure they are tested against.

Proof. We start considering the following security game (adapted from [ 2 ]): 1. The Setup(1 ) algorithm of CP-WATERS-KEM or the modified schema takes place. The public key is given to the adversary. 2. Any Prover receives distinct secret keys embedding some attributes. 3. The adversary is allowed to submit queries in the form (|||| ) to an oracle O1 which produces a random output if this is the first time the input has been queried on. Otherwise, it gives back the previous response. In addition, the oracle computes the ciphertext using the CCA-secure encryption algorithm and records the couple ((|||| ), (, )) in a table. This oracle operation runs throughout the whole game. 4. The adversary, acting as a Verifier , arbitrarily chooses an access structure * and two Provers 0 and 1, such that their corresponding keys either both satisfy, or both not satisfy the chosen access structure. 5. Depending on an internal coin toss , a second oracle O2 impersonates the prover in the verification algorithm. 6. Verifier computes a CCA-secure ciphertext and sends it to O2. 7. O2 responds with the decrypted ciphertext or with ⊥. 8. The aforementioned steps (except the Setup) are repeated adaptively for any polynomial number of times on arbitrarily chosen access structure and arbitrarily chosen pairs of provers. 9. The adversary tries a guess ′ and wins the game if == ′ (i.e., she is able to guess which Prover has responded).

Modify the game as follows: at step 7, when given a ciphertext , oracle O1 checks if appears in the random oracle table. If so, it outputs the corresponding = (||) value in the table; otherwise, it outputs ⊥ and rejects.

The diference between the original game and the modified one is negligible, as in the original game the oracle may decrypt even in case of a forged ciphertext (i.e., a ciphertext not computed using the CCA-secure encryption algorithm). However, since O1 was not queries on (|||| ), the probability that this event happens is bounded by the probability of apriori guessing a ciphertext output by an encryption for a given message without knowing the randomness used to encrypt.

Now, the following observations apply to this modified game: • If the Verifier produces a genuine ciphertext C following the CCA-secure Encryption algorithm, she gets a correct decryption if the attributes embedded in the secret key satisfy the chosen access structure * , i.e. * () = 1. Thus, the presented schema satisfies by definition the correctness property. • Viceversa, if the attributes embedded in the secret key do not satisfy the chosen access structure * , i.e. * () = 0, the ciphertext wouldn’t decrypt at all except for a negligible probability . Thus, the presented schema satisfies by definition the unforgeability property.

Furthermore, we observe that: • The access structure * associated to the ciphertext is always known to the challenger (given as input after being chosen by the adversary) • Because a pseudo random generator is used, the ciphertext is deterministically computed from the public key and the access structure * • The ciphertext is uniformly distributed on the ciphertext space, because computed using the uniformly distributed randomness in step 3.

Under the conditions above, suppose to modify the previous game replacing prover ’s behaviour as follows: • if key embeds attributes satisfying the access structure * , then message is returned; • otherwise ⊥ is returned.

That is, no longer evaluates the decryption using the key rather it (deterministically) returns or ⊥ depending on the internal bit * (). Since * (0) = * (1) (both keys satisfy or not satisfy the access structure), in the latter schema the random coin of the oracle remains hidden in the information-theoretic sense. This implies that the advantage of any adversary is 1/2 in distinguish between 0 and 1. As the introduced modifications do not alter the advantage except for at most a negligible probability, the advantage of any adversary in the original game is negligibly close to 1/2. □