Practical Direct Chosen Ciphertext Secure Key-Policy Attribute-Based Encryption with Public Ciphertext Test

We propose a direct Key-Policy Attribute-Based Encryption (KP-ABE) scheme with semantic security against adaptively chosen ciphertext attacks (CCA2) in the standard model. Compared with its counterpart with security against chosen-plaintext attacks (CPA), the cost of our scheme is only a Chameleon hash. In contrast to the Boyen-Mei-Waters shrink approach from CPA-secure (l + 1)-Hierarchical Identity Based Encryption ((l + 1)-HIBE) to CCA2-secure l-HIBE, our approach only adds one on-the-fly dummy attribute. Further, our approach only requires that the underlying ABE is selectively secure and allows public ciphertext test. A major obstacle for the security proof in this scenario is that the simulator cannot prepare the challenge ciphertext associated with the on-the-fly dummy attribute due to the selective security constraint. We circumvent this obstacle with a Chameleon hash. Technically, unlike existing use of Chameleon hash in (online/offline) signature applications, our work shows Chameleon hash can also have unique applications in encryption schemes.