An efficient outsourced attribute-based encryption scheme in the device-to-device mobile network

Abstract

Device-to-device communication is considered as one of the hopeful technologies for proximal communication, which plays a vital role in the wireless systems and 5G cellular networks. The outsourced attribute-based encryption scheme is convinced to be very suitable for secure device-to-device communication since it allows not only fine-grained sharing of encrypted data but also achieves high efficiency in the decryption of general attribute-based encryption schemes. However, almost all existing outsourced attribute-based encryption schemes can hardly be applied directly in the device-to-device communication because many heavy computation operations, such as pairing and modular exponentiations, cannot be taken on the mobile devices in the device-to-device network. In this article, we propose a concept of outsourcing threshold decryption for attribute-based encryption and design a new efficient outsourcing threshold decryption scheme for ciphertext-policy attribute-based encryption. In our definition of outsourcing threshold decryption, the decryption, which is a computationally expensive operation, is outsourced to multiple semi-trusted and lightweight computing devices determined by an access structure and can be jointly taken by these devices. Our scheme supports proxy re-encryption which enables the decryption delegation. Finally, security and efficiency analyses of our proposed method indicate that our proposal guarantees strong security against chosen plaintext attacks and requires less outsourced computation and communication cost than the existing outsourced attribute-based encryption schemes.

Keywords

Attribute-based encryption device-to-device mobile network outsourced decryption proxy re-encryption

Introduction

As one of the next-generation wireless communication systems, Long Term Evolution-Advanced (LTE-A) supports mobile content forwarding,¹ and the device-to-device (D2D) technology is proposed as an indispensable component of 5G cellular networks to meet the growing demand for downloading required contents from the local area network.^2–4 D2D communication is the underlay of the cellular network to enhance spectrum efficiency and enable a lot of devices to link directly, which helps discover geographically dense devices and allows direct communication among these neighboring devices at low power through reuse of spectrum resources. In general, the D2D technology enables two adjacent users to connect directly in the physical layer. Devices gain energy from reproducible energy sources in the energy layer, and users build social networks representing solid relationships and social structures in the social layer. Thus, it is highly essential for LTE-A to exploit the D2D technology, since it can reduce power consumption, effectually offload traffic and increase spectral efficiency,^3,5 on account of the potential reuse gain and physical proximity. In recent years, the D2D technologies have been studied by more and more scholars, and the scope of application is becoming more and more extensive, such as the healthcare system^6,7 and fog computing.⁸ Many performance problems in the healthcare systems have been studied in the study by.^9,10

However, for mobile applications in the D2D communication where users employ devices with^11,12 limited computing power, and short battery lifetime,¹¹ almost all existing public key encryption schemes cannot be applied directly due to the heavy computations required by the attribute-based encryption (ABE) schemes, such as pairing computations and modular exponentiations. An ABE scheme ensures confidentiality of sharing data for cloud services,^13,14 which is not necessary for the data owner to store the public key(s) of data receiver(s). For example, data is encrypted with given attributes and access policies, so that it can only be decrypted and shown by the receiver whose decryption key satisfies the specific attributes and access policies. Almost all existing ABE schemes involve pairing computations or modular exponentiations, and their computational complexity increases linearly with the amount of attributes, respectively, access policy size. It means that the ABE scheme is representatively computationally intensive, which is acceptable for common desktop computers but not for restricted computational resources portable devices. To solve this problem, Green et al.¹⁵ proposed the outsourcing ABE scheme first, which introduced a semi-trusted server to reduce the ciphertext decryption computational complexity on portable devices. After that, more and more outsourcing decryption of ABE schemes were introduced.^16–18 However, the outsourcing decryption of ABE schemes still cannot be directly applied to the D2D network, since these ABE schemes are based on the assumption that a server has enough computation power to deal with the heavy computations, such as pairing and modular exponentiations, and thus it is usually designed for outsourcing to a cloud server. For the D2D mobile network, as shown in Figure 1, in relay-coverage or out-of-coverage situation, the devices may not be able to build connections to cloud server.¹⁹ The users may prefer to outsource their computation tasks to other D2D mobile devices with which the connections are built by some social ties, as they do not want to upload or download much data to or from the Internet. Therefore, we have to consider how to make the ABE scheme adapted to this situation in the D2D mobile network. In the case of the lower right corner of Figure 1, the user can complete the decryption through other D2D devices to reduce the data communication of the mobile phone.

Figure 1.

D2D communication application scenarios.

Our contributions

In this article, we give the concept of outsourcing threshold decryption (OTD) for ABE and its security model and propose a new efficient OTD scheme for ciphertext-policy ABE. In our definition, an access structure in a linear secret-sharing scheme (LSSS) is used as a threshold for outsourcing decryption. It allows the devices to outsource the computationally expensive decryption to multiple devices, the decryption keys of which satisfy the access structure, and the numerous devices jointly take the computational task of decryption, which relieves the problem of devices’ restriction and satisfies the outsourcing requirements in the D2D mobile network where devices are semi-trusted, and their computational capability is limited. Our proposed scheme supports proxy re-encryption, which enables the decryption rights delegation, and it is useful for a mobile user to relieve encryption computation pressure. The formal security and efficiency analyses for our ABE scheme in the D2D mobile network are also present, indicating that our proposal achieves the strong security against chosen plaintext attacks (CPAs) and requires less outsourced computation and communication cost than the existing outsourced attribute-based encryption (OABE) schemes.

Organization of the article

The rest of the article is organized as follows. Section “Related work” briefly describes some related works. Some preliminaries are introduced in section “Preliminaries.” The definition and security model are given in section “Definition and security model for OTD of CP-ABE.” Our scheme construction is described in section “OTD of CP-ABE scheme.” The formal security and efficiency analyses of our scheme are present in section “Security and efficiency analysis.” Finally, the conclusion is drawn in section “Conclusion.”

Related work

In 2005, Sahai and Waters¹³ proposed the concept of fuzzy identity-based encryption (IBE). In their scheme, they use attribute sets to replace identities for IBE schemes. It is the first ABE scheme. ABE can provide fine-grained access control in the cloud environment.²⁰ Then, more and more efficient and flexible ABE constructions have been proposed. Goyal et al.²⁰ classified ABE schemes into two variants, ciphertext-policy attribute-based encyption (CP-ABE) and key-policy attribute-based encryption (KP-ABE). In CP-ABE, the ciphertext will specify an access policy and each user’s private key is related to a set of attributes. On the contrary, in a KP-ABE scheme, each user’s key is related to an access structure, and ciphertext is related to attribute sets. The difference between KP-ABE and CP-ABE is that which component decides the access policy for the ABE scheme. Goyal et al.²⁰ proposed the first KP-ABE scheme, which supports the monotonic access structures. Furthermore, Ostrovsky et al.²¹ proposed an improved KP-ABE construction, which realizes non-monotone structures’ expression. In other words, their scheme supports more flexible access policies. In general, for the KP-ABE scheme, the access policy is determined when the system generates the user’s decryption key, which makes the encryption algorithm more difficult for a data owner. The encrypter needs to compare receivers’ access policies to those of all other users to select an appropriate attribute set for the ciphertext. Then, the first CP-ABE scheme is proposed by Bethencourt et al.,²² which is more flexible than KP-ABE. But their scheme has an obvious drawback that it is proved to be secure only under the generic group model. This drawback is overcome by another CP-ABE scheme proposed by Cheung and Newport,²³ whose security is proved under the standard model. Furthermore, based on the number theoretic assumption, Goyal et al.²⁴ also proposed another CP-ABE scheme for more advanced access structures.

To outsource a large proportion of decryption computation, a new paradigm of outsourcing decryption was proposed by Green et al.¹⁵ Similar to the idea of proxy re-encryption,^25,26 it allows a proxy to convert an encryption message $M$ under Alice’s public key into an encryption of the same message $M$ under Bob’s public key without the proxy knowing anything about the message $M$ . A method of outsourcing the decryption computation is to delegate pairing computations on ABE ciphertext to a more powerful device, such as the pairing computation delegation proposed by Chevallier-Mames et al.²⁷ Furthermore, Chung et al.²⁸ and Gennaro et al.,²⁹ respectively, proposed the verifiable computation schemes, which are based on the fully homomorphic encryption. Then, the verifiable outsourced decryption ABE schemes were proposed by Lai et al.¹⁷ and Lin et al.³⁰ Besides, based on the outsourced encryption of the ABE scheme proposed by Li et al.^31,32 also proposed an outsourced decryption and key generating ABE scheme.

Threshold decryption is particularly useful when the centralization of the power to decrypt is a concern, as pointed by Baek and Zheng.³³ An identity-based threshold decryption scheme, which allowed a set of users with valid decryption shares to decrypt the corresponding ciphertext, was constructed by Baek and Zheng.³³ For the ABE, the threshold decryption scheme was proposed by Herranz et al.,³⁴ where users are authorized to decrypt their data as they hold at least $t$ attributes among a certain universe of attributes, for a certain threshold $t$ chosen by the sender. However, to our best knowledge, no corresponding ABE schemes where threshold decryption can be outsourced to multiple users have been put forward yet.

Preliminaries

Bilinear groups

Let $G$ be a cyclic additive group of prime order $p$ , $G_{T}$ be a cyclic multiplicative group of the same prime order $p$ and $g$ be a generator of $G$ . A bilinear pairing is a map $e : G \times G \to G_{T}$ if it has the following properties:

Bilinearity: for all $u, v \in G$ and $a, b \in Z_{p}^{*}$ , we have $e (u^{a}, v^{b}) = e (u, v)^{ab}$ .

Non-degeneracy: $e (g, g) \neq 1$ .

Computable: for all $u, v \in G$ , the $e (u, v)$ can be computed efficiently.

The Decisional Bilinear Diffie–Hellman (DBDH) assumption based on the studies by Sahai and Waters¹³ and Boneh and Boyen³⁵ is defined as follows.

DBDH assumption

The decisional BDH assumption is that no probabilistic polynomial time algorithm $B$ can distinguish the tuple $(A = g^{a}, B = g^{b}, C = g^{c}, e (g, g)^{abc})$ from the tuple $(A = g^{a}, B = g^{b}, C = g^{c}, e (g, g)^{z})$ with more than a negligible advantage. (The complexity class of decision problems for which answers can be checked by an algorithm whose run time is polynomial in the size of the input. Note that this does not require or imply that an answer can be found quickly, only that any claimed solution can be verified quickly. “No probabilistic polynomial time” is the class that a Nondeterministic Turing machine accepts in Polynomial time.)

LSSS

A secret-sharing scheme $Π$ over a set of parties $P$ is called linear (over $Z_{p}$ ) if

The shares of the parties form a vector over $Z_{p}$ .

There exists a matrix $M$ with $l$ rows and $n$ columns called the share-generating matrix for $Π$ . There exists a function $ρ$ , which maps each row of the matrix to an associated party. That is for $i = 1, 2, \dots, l$ , the value $ρ (i)$ is the party associated with row $i$ . In the column vector $v = (s, r_{2}, \dots, r_{n})$ , $s \in Z_{p}$ is the secret to be shared, and $r_{2}, \dots, r_{n} \in Z_{p}$ are randomly chosen. $Mv$ is the vector of $l$ shares of the secret s according to $Π$ . The share $(Mv)_{i}$ belongs to party $ρ (i)$ .

It is shown in the study by Beimel³⁶ that every LSSS according to the aforementioned definition enjoys the linear reconstruction property, defined as follows.

Suppose that $Π$ is an LSSS for the access structure $A$ . Let $S \in A$ be any authorized set, and let $I \subset {1, 2, \dots, l}$ be defined as $I = {i : ρ (i) \in S}$ . Then, there exist constants ${ω_{i} \in Z_{p}}_{i \in I}$ such that, if ${λ_{i}}$ are valid shares of any secret $s$ according to $Π$ , then $Σ_{i \in I} ω_{i} λ_{i} = s$ . As shown in the study by Beimel,³⁶ these constants ${ω_{i}}$ can be found in polynomial time in the size of the share-generating matrix $M$ .

Access structures can also be described in terms of monotonic boolean formulas. Using standard techniques, one can convert any monotonic Boolean formula into an LSSS representation. We can represent the Boolean formula as an access tree. An access tree of $l$ nodes will result in an LSSS matrix of $l$ rows.

Definition and security model for OTD of CP-ABE

The symbols used in the following definitions are listed in Table 1. An OTD of the CP-ABE scheme generally consists of the following eight algorithms:

$Setup (λ, U) \to (PK, MK)$ . The setup algorithm takes the security parameter $λ$ and the number of attributes as input and output public parameters $PK$ and master key $MK$ . The authority keeps the $MK$ as its secret.

$Encrypt (PK, M, A) \to (CT)$ . The encryption algorithm takes the public parameters $PK$ , a message $M$ , and an access structure $A$ as input, and outputs the ciphertext $CT$ .

$KeyGen (MK, S, GID) \to (SK)$ . The key generation algorithm takes the master key $MK$ , a set of attributes $S$ that describe the key and the global identifier $GID$ as input, and outputs a private key $SK$ .

$OutKeyGen (SK) \to (RK, OutK)$ . The outsourced key generation algorithm takes the private key $SK$ as input and outputs a retrieve key $RK$ and an outsourced key $OutK$ .

$TransKeyGen (MK, S_{2}) \to (TK)$ . It first calls the $KeyGen$ algorithm, and then calls the $Encrypt$ algorithm to encrypt $d_{1}, d_{2}$ under the attributes set $S_{2}$ , and finally outputs the transform key $TK$ .

$ReEnc (TK, CT) \to (C T_{2})$ . This algorithm takes as input the $TK$ and $CT$ that is associated with $A$ . Finally, it outputs the updated ciphertext $C T_{2}$ .

$Decrypt (CT, SK, C T_{2}, S K_{2}) \to (M)$ . The decrypt algorithm takes in the updated ciphertext $C T_{2}$ , the private key $SK$ . It outputs the plaintext $M$ if decryption succeeds, and a rejected symbol ⊥ otherwise.

$OutDecrypt (RK, OutK, CT) \to (M)$ . The $OutDecrypt$ algorithm takes as input a retrieve key $RK$ , an outsourced key $OutK$ and ciphertext $CT$ . It outputs the message $M$ if $S \in A$ and a rejected symbol ⊥ otherwise. $A$ is usually the access structure for an LSSS, which is a threshold.

We now define the security model for OTD of ciphertext-policy ABE on the basis of the studies by Green et al.¹⁵ and Goyal et al.,²⁰ which can achieve the security against CPA. It allows an adversary to query for any private keys $SK$ as long as the queried keys cannot be used to decrypt the challenge ciphertext. The formal security model is given as the following game.

Init. The adversary $A$ declares the challenge set of attributes $S^{*}$ at the outset of the game. Then, he commits to the challenger ciphertext policy $A^{*}$ .

Setup. The challenger takes in a security parameter $λ$ and executes the $Setup$ algorithm. It gives the system public parameters $PK$ to the adversary $A$ .

Phase 1. The adversary $A$ can repeatedly make any of the following queries:

$Extract (S_{1}^{*})$ . The adversary $A$ can issue polynomially private key queries $q_{1}, \dots, q_{m}$ corresponding to $S_{1}^{*}$ . $S$ responds by executing $KeyGen$ algorithms to produce the private key $S K_{S_{1}^{*}}$ . $S$ sends $S K_{S_{1}^{*}}$ to $A$ .

$TKExtract (S K_{S_{1}^{*}}, A^{*})$ . The adversary $A$ can submit $S K_{S_{1}^{*}}$ and access structure $A^{*}$ for a $TK$ query, the challenger gives the adversary the transform key $T K_{S_{1}^{*}}$ .

Challenge. Once $A$ decides that $Phase 1$ is over, it outputs an set of attributes $S^{*}$ on which it wants to be challenged. $A$ did not query a private key for $S^{*}$ in $Phase 1$ . The adversary $A$ submits two equal-length messages $M_{0}, M_{1}$ . The simulator $S$ flips a random coin $b \in {0, 1}$ , computes the challenge ciphertext $C T^{*} = Encrypt$ $(PK, M, A)$ and $ReEnc (TK, CT)$ to gain $C T_{2}$ and returns to $A$ .

Phase 2. Phase 1 is repeated for additional $S_{1}^{*}$ satisfying $S^{*} ⊈ S_{1}^{*}$ .

Guess. The adversary $A$ outputs a guess $b' \in {0, 1}$ of $b$ and wins the game if $b' = b$ .

Table 1.

Symbols and description.

Symbol	Description
$λ$	Security parameters
$U$	Number of attributes
$H$	Hash function
$PK$	Public parameters
$MK$	Master security key
$M$	Message
$TK$	Transform key
$N$	Number of D2D available
$(M, ρ)$	LSSS access structure
$CT$	Cipher text
$S$	An attribute set
$GID$	Global identifier
$SK$	Private key
$RK$	Retrieve key
$OutK$	Outsourced key

D2D: device-to-device; LSSS: linear secret-sharing scheme

Define adversary $A$ ’s advantage in attacking the aforementioned game is

Ad v_{A} (λ) = | \Pr [b = b'] - \frac{1}{2} |

Definition

An ABE scheme is indistinguishability under chosen plaintext attack (IND-CPA) secure if for any polynomial time adversary $A$ , the function $Ad v_{A} (λ)$ is negligible.

OTD of the CP-ABE scheme

In this section, we first describe our proposed CP-ABE scheme, and the framework is shown in Figure 2. Then the correctness analysis is given.

Figure 2.

Framework of outsourcing threshold decryption of the CP-ABE scheme.

The construction

Setup. The system parameters are generated as follows. The algorithm takes as input the security parameter $λ$ and the number of attributes in the system. The authority will choose a bilinear group $G$ of prime order $p$ . The generator of the $G$ is $g$ and $U$ random group elements $h_{1}, \dots, h_{U} \in G$ that are associated with the $U$ attributes in the system. Define a cryptographic hash function $H$ . Furthermore, it randomly chooses values $a, α, β, γ \in Z_{p}$ and $h \in G$ . The public parameters $PK$ and master secret key $MK$ are

\begin{matrix} PK = e {(g, g)}^{α}, g^{a}, H, g, g^{β}, g^{γ}, h, h_{1}, \dots, h_{U} \\ MK = α, β, γ \end{matrix}

Encrypt. The encryption algorithm takes as input the public parameters $PK$ , a message $M$ to encrypt, and an LSSS access structure $(M, ρ)$ . The function $ρ$ associates rows of $M$ to attributes. Let $M$ be a $l \times n$ matrix. The algorithm first chooses a random vector $v = (s, y_{2}, \dots, y_{n}) \in Z_{p}^{n}$ . These values will be used to share the encryption exponent $s$ . For $i = 1$ to $l$ , it calculates $λ_{i} = v \cdot M_{i}$ , where $M_{i}$ is the vector corresponding to the ith row of $M$ . In addition, the algorithm chooses random $r_{1}, \dots, r_{l} \in Z_{p}$ . The ciphertext is published as $CT$ along with a description of $(M, ρ)$

\begin{matrix} CT = {C = Me {(g, g)}^{α s}, C' = g^{s}, C ″ = g^{β s}, \\ C ″' = g^{γ s}, (C_{1} = g^{a λ_{1}} h_{ρ (1)}^{- r_{1}}, D_{1} = g^{r_{1}}), . . ., \\ (C_{l} = g^{a λ_{l}} h_{ρ (l)}^{- r_{l}}, D_{l} = g^{r_{l}})} \end{matrix}

KeyGen. The authority takes as input the master key $MK$ , a set of attributes $S_{1}$ that describe the key and user’s global identifier $GID = u$ . It randomly chooses $t \in Z_{p}^{*}$ and computes the private key $SK$ as

K = g^{α} g^{at} h^{u β}, L_{1} = g^{t}, L_{2} = h^{γ}, K_{x} = h_{x}^{t}, \forall x \in S_{1}

OutKeyGen. To create a outsourced key for the private key $SK$ . The user chooses a random value $z \in Z_{p}^{*}$ and gets the retrieve key $RK = z$ . The outsourced key $OutK$ are published as

\begin{matrix} K' = g^{α / z} g^{at / z} h^{u β / z}, {L'}_{1} = g^{t / z}, {L'}_{2} = h^{γ / z} \\ {L'}_{3} = h^{u / z}, {K'}_{x} = h_{x}^{t / z}, \forall x \in S_{1} \end{matrix}

TransKeyGen. The authority calls the $KeyGen$ algorithm, then chooses random $t', d_{1}, d_{2} \in Z_{p}$ , and compute $H (d_{1}), H (d_{2})$ . Then, it encrypts $d_{1}, d_{2}$ with the access structure $A_{2}$ using the $Encrypt (PK, (d_{1}, d_{2}), A_{2})$ algorithm. It outputs the $TK$ as

\begin{matrix} T = g^{α} g^{at'} h^{H (d_{1}) H (d_{2})}, T' = g^{t'}, T_{x} = h_{x}^{t'}, \forall x \in S_{1} \\ T ″ = E n_{A_{2}} (d_{1}, d_{2}) \end{matrix}

ReEnc. This algorithm takes as input the $TK$ and $CT$ that is associated with $A$ . Suppose that $S_{1}$ satisfies the access structure $(M_{1}, ρ_{1})$ and let $I_{1} \subset {1, 2, \dots, l_{1}}$ be defined as $I_{1} = {i : ρ_{1} (i) \in S_{1}}$ . Then, let ${ω_{i} \in Z_{p}}_{i \in I_{1}}$ be a set of constants such that if $λ_{i}$ is a valid share of any secret $s$ according to $M_{1}$ , then $Σ_{i \in I_{1}} ω_{i} λ_{i} = s$ . It outputs the updated ciphertext $C T_{2}$ as follows

\begin{matrix} {C'}_{1} = Me {(g, g)}^{α s}, {C'}_{3} = E n_{A_{2}} (d_{1}, d_{2}), {C'}_{4} = g^{s} \\ {C'}_{2} = \frac{e (C', T)}{Π_{i \in I} {(e (C_{i}, T') e (D_{i}, T_{ρ (i)}))}^{ω_{i}}} \\ = e {(g, g)}^{α s} e {(g, h)}^{sH (d_{1}) H (d_{2})} \end{matrix}

Decrypt. The recipient can decrypt the ciphertext if his key’s attributes satisfy the access structure associated with the ciphertext. To decrypt $CT$ using the private key $SK$ , the recipient first checks whether the equation $e (L_{2}, C'^{u}) = e (h^{u}, C ″')$ holds. If it cannot pass the verification, which means that the key comes from a malicious authority, the recipient will stop the process, which can avoid the waste of network resource due to invalid secret keys. Next, the recipient computes

\frac{e (C', K)}{e (h^{u}, C ″) Π_{i \in I} {(e (C_{i}, L_{1}) e (D_{i}, K_{ρ (i)}))}^{ω_{i}}} = e {(g, g)}^{α s}

Then, the message $M$ can be got by computing $C / e (g, g)^{α s}$ .

To decrypt the $C T_{2}$ using the private key $S K_{2}$ , the recipient gets $(d_{1}, d_{2})$ . Next, the recipient computes

\frac{{C'}_{1}}{({C'}_{2} / e (π) ({C'}_{4}, h^{H (d_{1}) H (d_{2})}))} = M

OutDecrypt. The algorithm takes as input a outsourced key $OutK$ for a set $S$ , a ciphertext $CT$ for access structure $(M, ρ)$ and the retrieve key $RK$ . Suppose that $S$ satisfies the access structure $(M, ρ)$ and let $I \subset {0, 1, 2, \dots, l, l + 1, \dots, 2 l}$ be defined as $I = {i : ρ (i) \in S}$ , where $ρ (l + i) = ρ (i)$ and $ρ (0) = ρ (1)$ . Then, let ${ω_{i} \in Z_{p}}_{i \in I}$ be a set of constants such that if $λ_{i}$ is a valid share of any secret $s$ according to $M$ , then $Σ_{i \in I} ω_{i} λ_{i} = s$ . If $N$ D2D devices are available at this time

\begin{array}{l} O u t K_{N} = {K^{'}, {L^{'}}_{1}, L_{2}^{'}, L_{3}^{'}, K_{x}^{'}, \forall x \in {ρ (2 N ⌊ \frac{l}{N} ⌋), \dots, \\ ρ (2 (N - 1) ⌊ \frac{l}{N} ⌋)}}, N \subset {1, 2, \dots, N} \end{array}

Then, each device computes $(e (C_{i}, L'_{1}) e (D_{i}, K'_{ρ (i)}))^{ω_{i}}$ and returns the results into a table $V$ . The algorithm first verifies whether the results are equal to $l + i$ and $i$ . If it cannott pass the verification, which means that either device computes incorrect results, the algorithm recomputes the equation by the other device and traces to the devices computing incorrect results. Next, the algorithm computes

\frac{e (C', K')}{e ({L'}_{3}, C ″) Π_{i \subset {1, 2, . . ., l}} {(e (C_{i}, {L'}_{1}) e (D_{i}, {K'}_{ρ (i)}))}^{ω_{i}}} = e (g, g)^{α s / z}

Then, the recipient can get message $M$ through computing $C / (e (g, g)^{α s / z})^{RK}$ by himself or herself.

The pseudocode of the algorithm is shown in Algorithms 1 –3.

Algorithm 1. Authority
Input: $λ, U$ $Setup (λ, U) \to (PK, MK)$ return $PK$ to all users ———————- Input S, GID $KeyGen (MK, S, GID) \to SK$ return $SK$ to user 2

Algorithm 2. User 1
Input: $PK, M, A$ $Encrypt (PK, M, A) \to CT$ return $CT$

Algorithm 3. User 2
Input: $SK$ $OutkeyGen (SK) \to (RK, OutK)$ return $OutK$ to all mobile devices ———————- $OutDecrypt (RK, OutK, CT) \to M$

Correctness

We present the correctness analysis for the aforementioned scheme. Since

\begin{matrix} D = e (C', K) = e {(g, g)}^{α s} e {(g, g)}^{ats} e {(g, h)}^{u β s} \\ E = e (h^{u}, C ″) Π_{i \in I} {(e (C_{i}, L_{1}) e (D_{i}, K_{ρ (i)}))}^{ω_{i}} \\ = e {(g, h)}^{u β s} Π_{i \in I} {(e (g^{a λ_{i}} h_{ρ (i)}^{- r_{i}}, g^{t}) e (g^{r_{i}}, h_{ρ (i)}^{t}))}^{ω_{i}} \end{matrix}

we have

\frac{C}{D / E} = \frac{Me {(g, g)}^{α s}}{\frac{e {(g, g)}^{α s} e {(g, g)}^{ats} e {(g, g)}^{u β s}}{e {(g, g)}^{u β s} Π_{i \in I} e {(g, g)}^{at λ_{i} ω_{i}}}} = M

Security and efficiency analysis

In this section, we prove that our proposed CP-ABE method has strong security against the CPA. It allows an adversary to query for any private keys $SK$ as long as the queried keys cannot be used to decrypt the challenge ciphertext. Efficiency comparison between our scheme and other methods is provided.

Theorem

If there is an adversary $A$ against our proposed CP-ABE system with non-negligible advantage, then there exists a simulator $S$ that can break the DBDH assumption with non-negligible advantage.

Proof

Suppose there exists a probabilistic polynomial time adversary $A$ , who plays the security game as described in section “Definition and security model for OTD of CP-ABE” and succeeds with non-negligible probability.

Init. Given a DBDH tuple ${g, g^{a}, g^{b}, g^{c}}$ . The simulator $S$ starts the game. The adversary $A$ gives the challenge policy $A^{*}$ to $S$ .

Setup. We first let the challenger run the $Setup (λ)$ of groups $G$ and set a problem instance $g, H, g^{a}, g^{b}, g^{c}, T$ where $a, b, c \in Z_{p}^{*}$ and $g^{a}, g^{b}, g^{c}, g^{ab}, g^{bc}, g^{ac}, g^{abc} \in G$ . $T$ is either $e (g, g)^{abc}$ or a random group element in $G_{T}$ . $S$ chooses random $θ, ϕ, φ, ψ \in Z_{p}^{*}$ and computes: $T^{θ}$ , $g^{ϕ}$ , $g^{φ}$ and $g^{ψ}$ . $S$ sends $(T^{θ}, g^{ϕ}, g^{φ}, g^{ψ})$ to $A$ .

Phase 1. The adversary $A$ issues polynomially private key queries $q_{1}, . . ., q_{m}$ corresponding to $S_{m}$ .

For $A$ queries $S_{m} \subseteq S_{A}$

The simulator $S$ takes $r_{1}, r_{2}, r_{3}, r_{4}$ as some known randomization value. For TKExtract $(S K_{S_{1}^{*}}, A^{*})$ , the authority randomly chooses a $r_{1}$ from $Z_{p}$ . The key components are $K = g^{θ} g^{ϕ r_{1}} h^{u φ}, L_{1} = g^{r_{1}}, L_{2} = h^{ψ}, K_{x} = h_{x}^{r_{1}}, \forall x \in S_{1}^{*}$ . For $Extract (S_{1}^{*})$ , the authority randomly chooses $r_{2}, r_{3}, r_{4}$ from $Z_{p}$ . The transform key components are $T = g^{θ} g^{ϕ r_{2}} h^{H (r_{3}) H (r_{4})}, T^{'} = g^{r_{2}},$ $T_{x} = h_{x}^{r_{2}}, \forall x \in S_{1}^{*},$ and $T ″ = E n_{A^{*}} (r_{3}, r_{4})$ .

For $A$ queries $S_{m} ⊈ S_{A}$

The simulator $S$ takes $r_{1}, r_{2}, r_{3}, r_{4}$ as $a^{v}$ plus some unknown randomization value. For $Extract (S_{1}^{*})$ , the authority randomly chooses a $η_{1}$ from $Z_{p}$ , then computes $r_{1} = a + η_{1}$ . The key components are $K = g^{θ} g^{ϕ (a + η_{1})} h^{u φ},$ $L_{1} = g^{a + η_{1}}, L_{2} = h^{ψ}, L_{2} = h^{ψ}, K_{x} = h_{x}^{a + η_{1}}, \forall x \in S_{1}^{*}$ . For $TKExtract (S K_{S_{1}^{*}}, A^{*})$ , the authority randomly chooses $η_{2}, η_{3}, η_{4}$ from $Z_{p}$ , then sets $r_{2} = a + η_{2}, r_{3} = a^{η_{3}}, r_{4} = a^{η_{4}}$ . The transform key components are $T = g^{θ} g^{ϕ (a + η_{2})}$ , $h^{H (a^{η_{3}}) H (a^{η_{4}})},$ $T^{'} = g^{a + η_{2}}, T_{x} = h_{x}^{a + η_{2}}, \forall x \in S_{1}^{*}, T^{″} =$ $E n_{A^{*}} (a^{η_{3}}, a^{η_{4}})$ .

Challenge. $A$ decides that $Phase 1$ is over. The adversary $A$ submits two equal-length messages $M_{0}, M_{1}$ . The simulator $S$ flips a random coin $b \in {0, 1}$ and creates the challenge ciphertext as $C T = (M_{b} T^{θ s}, g^{φ s}, g^{γ s}, g^{s}, C_{1} = g^{ϕ λ_{1}} h_{ρ (1)}^{- r_{1}}, D_{1} = g^{r_{1}}), \dots, (C_{l} = g^{ϕ λ_{l}} h_{ρ (l)}^{- r_{l}}, D_{l} = g^{r_{l}})$ . If $T = e (g, g)^{abc}$ , this is an encryption of $M_{1}$ , else if $T$ is a random group element in $G_{T}$ , it is an encryption of $M_{0}$ .

Phase 2. The Phase 1 is repeated, the adversary $A$ queries for additional $S_{i}$ under the restriction that $S_{i}$ cannot satisfy $A^{*}$ .

Guess. The adversary $A$ will eventually output a guess $M'$ of $M$ . The simulator $S$ guesses $T = e (g, g)^{abc}$ is a tuple if $M' = M_{1}$ and outputs $1$ , otherwise $T$ is a random group element in $G_{T}$ and outputs $0$ .

When $T$ is a tuple, the simulator $S$ runs a perfect simulation. We have $\Pr [S (\vec{r}, T = e (g, g)^{abc}) = 1] = (1 / 2) + Ad v_{A}$ . When $T$ is a random group element in $G_{T}$ , the adversary $A$ cannot gain any information of $M_{b}$ . We have $\Pr [S (\vec{r}, T = R) = 1] = 1 / 2$ . The simulator $S$ can execute the DBDH game with non-negligible advantage.

If the adversary $A$ has a non-negligible advantage to break the scheme, simulator $S$ will have a non-negligible advantage to break the DBDH assumption.

The security comparison is shown in Table 2. Our proposed scheme can guarantee the selective CPA security. Compared with other schemes, the security of our scheme is enough to satisfy the requirements in the D2D mobile network.

Table 2.

The security comparison of outsourced CP-ABE schemes.

Scheme	Assumption	Model	Security
Green et al.¹⁵	$q - BDHE$	Random Oracle	RCCA
Lai et al.¹⁷	$DL$	Standard	Selective CPA
Qin et al.¹⁸	$q - BDHE$	Standard	Selective CPA
Ours	$DBDH$	Random Oracle	Selective CPA

CP-ABE: ciphertext-policy attribute-based encyption; RCCA: replayable chosen ciphertext attack; CPA: chosen plaintext attacks.

Now, we make an efficiency analysis for our outsourcing to multiple devices decryption of the CP-ABE scheme in terms of the performance with other three outsourced ABE schemes.^15,17,18 $e$ denotes the time to compute a pairing, $n$ the number of D2D validation devices, $E_{G}$ the time of an exponentiation operation in $G$ , and $E_{G_{T}}$ the time of an exponentiation operation in $G_{T}$ . $l$ refers to an LSSS access structure with an $l \times n$ matrix. We analyze our CP-ABE system efficiency and cost in the D2D mobile network.

We implement our scheme using the libfenc library.³⁷ All dominant group operations use the PBC library,³⁸ which is written natively in C. A 201-bit MNT elliptic curve(Miyaji, Nakabayashi and Takano introduced the first method to construct families of prime-order elliptic curves with small embedding degrees, namely (k = 3, 4), and 6. These curves is so-called MNT curves.) and the corresponding asymmetric elliptic curve (EC) group are chosen from the Stanford Pairing-Based Crypto library.^38,39 Our code implementations are executed on two dedicated hardware platforms: an Intel i5-4590 CPU (3.30 GHz quad-core processor) with 3380 MB of RAM, running 64-bit Ubuntu Server 16.04, and a Huawei Nexus 6P with Qualcomm Octa-core (4 × 1.55 GHz Cortex-A53 and 4 × 2.0 GHz Cortex-A57) and 3 GB of RAM running Android 6.0.

Computation. We make a functionality comparison of outsourced CP-ABE schemes, and the result is shown in Table 3. Our scheme can make use of distributed mobile resources to decrypt the ciphertext. We make a comparison of time cost of the outsourced computation for a device, including the recipient and the verification computation shown in Table 4. The experiment results are shown in Figure 3. The average time of a single modular exponentiation operation is 5 ms, and the time of one bilinear pairings operation is 32.5 ms in our experiment environment. As shown in Figure 4, the computation cost of recipient is about 32.5 ms in our scheme,^15,18 while the cost of Lai et al.¹⁷ reaches about 75 ms. From a perspective of light computation requirement for every device, our scheme can realize this target in the D2D mobile network. In other words, the outsourced computation of our CP-ABE system for a single device is light, which means that our CP-ABE system can be used in many devices with low computation ability, such as sensors or mobile phones. For a recipient, most of the decryption computation can be done by other devices in the D2D mobile network and just little computation is taken. Furthermore, our CP-ABE scheme provides verification and traceability.

Ciphertext Size. We make a comparison of the outsourced ciphertext size, the local ciphertext size and the proxy re-encryption with some related works in Table 5. The experiment results in the PC environment are shown in Figure 5. Our scheme’s communication cost and local ciphertext storage overhead are $(2 + 4 l) | G |$ and $| G_{T} |$ . For a lightweight device’s local storage overhead, the scheme is at a low cost. Besides, the complexity of ciphertext policy has an important influence on the decryption time and the ciphertext size. We design ciphertext policies in the form of ( $A_{1}, A_{2}, \dots, A_{n}$ ) (i.e. the worst situation over the policy), where each $A_{i}$ is an attribute. This method ensures that all ciphertext components are involved in the decryption computation. We design 100 distinct policies in this form, increasing from 1 to 100. The statistics data on decryption time and ciphertext size are presented in Figure 6. We show the size of standard ABE ciphertext, the time of generating an outsourcing key, the standard ABE decryption time and the time of transforming the ABE ciphertext in the mobile environment in Figure 6. As expected, outsourcing substantially reduces the computation time required for devices with limited computing resources to recover the plaintext. Our scheme can be used in the D2D network. The D2D mobile network enables devices to communicate directly with each other without the involvement of fixed networking infrastructures; our scheme’s communication cost is so low that it can be applied in practice. Meanwhile, we should adequately design the complexity of ciphertext policy to improve the energy efficiency of mobile devices. Optimizing the experiments and testing for more kinds of mobile terminals with different computing power will be carried out in our future work.

Table 3.

The functionality comparison of outsourced CP-ABE schemes.

Scheme	Verification	Outsourcing decryption	Distributed computing resources	Discretionary access control
Green et al.¹⁵	–	√	–	√
Lai et al.¹⁷	√	√	–	√
Qin et al.¹⁸	√	√	–	√
This study	√	√	√	√

CP-ABE: ciphertext-policy attribute-based encyption.

Table 4.

The efficiency comparison of outsourced CP-ABE schemes.

Scheme	Out.Comp.Cost	Rec.Comp.Cost
Green et al.¹⁵	$\leq (2 + l) e + 2 l E_{G}$	$E_{G_{T}}$
Lai et al.¹⁷	$\leq (4 + 2 l) e + (2 + 4 l) E_{G}$	$2 E_{G_{T}} + 2 E_{G}$
Qin et al.¹⁸	$\leq (2 + l) e + 2 l E_{G}$	$E_{G_{T}}$
This work	$\leq 2 ⌊ l / n ⌋ (2 e + E_{G_{T}})$	$E_{G_{T}}$

CP-ABE: ciphertext-policy attribute-based encyption.

Figure 3.

The comparison of Out.Comp.Cost.

Figure 4.

The comparison of recipient computation cost. The vertical coordinate represents time cost of bilinear pairing operations and modular exponentiation operations for recipients.

Table 5.

The ciphertext size comparison of outsourced CP-ABE schemes.

Scheme	Out.Ciphertext.Cost	Local.Ciphertext.Cost	Re-encryption
Green et al.¹⁵	$(1 + 2 l) \| G \|$	$\| G_{T} \|$	–
Lai et al.¹⁷	$(3 + 4 l) \| G \|$	$2 \| G_{T} \| + G$	–
Qin et al.¹⁸	$(1 + 2 l) \| G \| + l_{H}$	$\| G_{T} \| + l_{H}$	–
This study	$(2 + 4 l) \| G \|$	$\| G_{T} \|$	√

CP-ABE: ciphertext-policy attribute-based encyption.

Figure 5.

The comparison of Local.Ciphertext.Cost.

Figure 6.

Performance of our scheme in the D2D network.

Conclusion

In this article, we propose an OTD for a ciphertext policy ABE scheme to relieve the problem of device restriction and particular outsourcing requirements in the D2D settings. This scheme can outsource the expensive decryption computation to multiple devices in the D2D mobile network. The security and efficiency analyses show that our proposal is more secure and efficient compared with other existing research works. Following are the limitations of our proposed scheme. First, some additional information for decryption occupies some storage space, which will burden mobile devices with a low storage ability. Second, the total power consumption of all involved mobile devices is increased. Our future research will focus on computation efficiency improvement and power consumption reduction.

Footnotes

Handling Editor: Pascal Lorenz

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD

Huawei Wang

References

Sesia

Toufik

Baker

. LTE, The UMTS long term evolution: from theory to practice. Hoboken, NJ: Wiley, 2009.

Doppler

Rinne

Wijting

et al . Device-to-device communication as an underlay to LTE-advanced networks. IEEE Commun Mag 2009; 47(12): 42–49.

Fodor

Dahlman

Mildh

et al . Design aspects of network assisted device-to-device communications. IEEE Commun Mag 2012; 50(3): 170–177.

Lei

Zhong

Lin

et al . Operator controlled device-to-device communications in LTE-advanced networks. IEEE Wirel Commun 2012; 19(3): 96–104.

Kwon

Kim

Hahn

et al . Secure authentication using ciphertext policy attribute-based encryption in mobile multi-hop networks. Multimed Tool Appl 2017; 76(19): 19507–19521.

Sodhro

Luo

Sangaiah

et al . Mobile edge computing based QoS optimization in medical healthcare applications. Int J Inform Manage 2019; 45: 308–318.

Sodhro

Pirbhulal

Qaraqe

et al . Power control algorithms for media transmission in remote healthcare systems. IEEE Access 2018; 6: 42384–42393.

Sodhro

Pirbhulal

Sangaiah

et al . 5G-based transmission power control mechanism in fog computing for internet of things devices. Sustainability 2018; 10(4): 1258.

Sodhro

Malokani

Sodhro

et al . An adaptive QoS computation for medical data processing in intelligent healthcare applications. Neur Comput Appl 2019; 30: 1–12.

10.

Sodhro

Pirbhulal

Sodhro

et al . A joint transmission and duty-cycle power control approach for smart healthcare system. IEEE Sens J 2018; 99: 1.

11.

Sodhro

Shah

. Energy-efficient adaptive transmission power control for wireless body area networks. IET Commun 2016; 10(1): 81–90.

12.

Sodhro

Pirbhulal

de Albuquerque

. Artificial intelligence driven mechanism for edge computing based industrial applications. IEEE T Ind Inform 2019; 15: 4235–4243.

13.

Sahai

Waters

. Fuzzy identity-based encryption. Theor Appl Cryptogr Techn 2005; 2004: 457–473.

14.

Waters

. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. Publ Key Cryptogr 2011; 2008: 53–70.

15.

Green

Hohenberger

Waters

. Outsourcing the decryption of ABE ciphertexts. In: SEC’11 Proceedings of the 20th USENIX conference on security, 2011, pp.34–34, https://www.usenix.org/legacy/event/sec11/tech/full_papers/Green.pdf

16.

Chen

et al . Fine-grained access control system based on outsourced attribute-based encryption. In: Proceedings of the European symposium on research in computer security, 2013, pp.592–609, https://link.springer.com/content/pdf/10.1007%2F978-3-642-40203-6_33.pdf

17.

Lai

Deng

Guan

et al . Attribute-based encryption with verifiable outsourced decryption. IEEE T Inform Foren Sec 2013; 8(8): 1343–1354.

18.

Qin

Deng

Liu

et al . Attribute-based encryption with efficient verifiable outsourced decryption. IEEE T Inform Foren Sec 2015; 10(7): 1384–1393.

19.

Wang

Yan

Security in D2D communications: a review. In: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1, 2015, pp.1199–1204, https://www.researchgate.net/publication/308806942_Security_in_D2D_Communications_A_Review

20.

Goyal

Pandey

Sahai

et al . Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on computer and communications security, 2006, pp.89–98, https://eprint.iacr.org/2006/309.pdf

21.

Ostrovsky

Sahai

Waters

Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM conference on computer and communications security, 2007, pp.195–203, https://eprint.iacr.org/2007/323.pdf

22.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: Proceedings of the 2007 IEEE symposium on security and privacy (SP’07), 2007, pp.321–334, https://www.cs.utexas.edu/∼bwaters/publications/papers/cp-abe.pdf

23.

Cheung

Newport

CC.

Provably secure ciphertext policy ABE. In: Proceedings of the 14th ACM conference on computer and communications security, 2007, pp.456–465, https://eprint.iacr.org/2007/183.pdf

24.

Goyal

Jain

Pandey

et al . Bounded ciphertext policy attribute based encryption. In: ICALP’08 Proceedings of the 35th international colloquium on automata, languages and programming, part II, 2008, pp.579–591, http://www.cs.jhu.edu/∼abhishek/papers/bcpabe.pdf

25.

Ateniese

Green

et al . Improved proxy re-encryption schemes with applications to secure distributed storage. ACM T Inform Syst Sec 2006; 9(1): 1–30.

26.

Blaze

Bleumer

Strauss

. Divertible protocols and atomic proxy cryptography. Theor Appl Cryptogr Techn 1998; 1403: 127–144.

27.

Chevallier-Mames

Coron

McCullagh

et al . Secure delegation of elliptic-curve pairing. In: Proceedings of the smart card research and advanced application conference, vol. 6035, 2010, pp.24–35, https://eprint.iacr.org/2005/150.pdf

28.

Chung

Kalai

Vadhan

. Improved delegation of computation using fully homomorphic encryption. In: Proceedings of the international cryptology conference, 2010, pp.483–501, https://eprint.iacr.org/2010/241.pdf

29.

Gennaro

Gentry

Parno

Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Proceedings of the international cryptology conference, 2010, pp.465–482, https://eprint.iacr.org/2009/547.pdf

30.

Lin

Zhang

et al . Revisiting attribute-based encryption with verifiable outsourced decryption. IEEE T Inform Foren Sec 2015; 10(10): 2119–2130.

31.

Jia

et al . Outsourcing encryption of attribute-based encryption with mapreduce. In: ICICS’12 Proceedings of the 14th international conference on information and communications security, 2012, pp.191–201, https://jingwei87.github.io/publication/icics12.pdf

32.

Huang

et al . Securely outsourcing attribute-based encryption with checkability. IEEE T Parall Distrib Syst 2014; 25(8): 2201–2210.

33.

Baek

Zheng

. Identity-based threshold decryption. Publ Key Cryptogr 2004; 2003: 262–276.

34.

Herranz

Laguillaumie

Rafols

Constant size ciphertexts in threshold attribute-based encryption. In: PKC’10 Proceedings of the 13th international conference on practice and theory in public key cryptography, vol. 6056, 2010, pp.19–34, https://link.springer.com/content/pdf/10.1007%2F978-3-642-13013-7_2.pdf

35.

Boneh

Boyen

. Efficient selective-ID secure identity-based encryption without random oracles. Theor Appl Cryptogr Techn 2004; 2004: 223–238.

36.

Beimel

. Secure schemes for secret sharing and key distribution, PhD Thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.

37.

Green

Akinyele

Rushanan

. Libfenc: the functional encryption library[Online], 2012, http://code.google.com/p/libfenc.

38.

Lynn

. The Stanford pairing based crypto library, http://crypto.stanford.edu/pbc (accessed May 7, 2014).

39.

Rouselakis

Waters

. Efficient statically-secure large-universe multi-authority attribute-based encryption. Financ Cryptogr 2015; 8975: 315–332.