A lightweight verifiable outsourced decryption of attribute-based encryption scheme for blockchain-enabled wireless body area network in fog computing

Abstract

Wireless body area network includes some tiny wearable sensors for monitoring the physiological data of user, which has been a promising method of promoting the quality and efficiency greatly in healthcare. The collected physical signs are aggregated into the medical documents and uploaded to cloud server for utilizing by the remote user. As these files are highly sensitive privacy data, there is a vital challenge that constructs a secure and efficient communication architecture in this application scenario. Based on this standpoint, we present a lightweight verifiability ciphertext-policy attribute-based encryption protocol with outsourced decryption in this article. Specifically, our construction enjoys the following six features: (1) Although the outsourced decryption enables to save the computation overhead of the data user sharply in an attribute-based encryption scheme, the ciphertext is out of control and the correctness cannot be guaranteed by the data owner. The proposal provides the verifiability of ciphertext that ensures the user to check the correctness efficiently. (2) The size of the ciphertext is constant that is not increased with the complexity of attribute and access structure. (3) For Internet of Things devices, it introduces the fog computing into our protocol for the purpose of low latency and relation interactions, which has virtually saved the bandwidth. (4) With the help of blockchain technique, we encapsulate the hash value of public parameter, original and transformed ciphertext and transformed key into a block, so that the tamper-resistance is facilitated against an adversary from inside and outside the system. (5) In the standard model, we prove that it is selectively chosen-plaintext attack-secure and verifiable provided that the computational bilinear Diffie–Hellman assumption holds. (6) It implements this protocol and shows the result of performance measurement, which indicates a significant reduction on communication and computation costs burden on every entity in wireless body area network.

Keywords

Verifiability outsourced decryption attribute-based encryption fog computing blockchain

Introduction

Internet of Things (IoTs) connect physical devices on Internet, including sensor nodes, smart terminals, and other wireless communication equipments.^1–3 As a main application of IoTs, the wireless body area network (WBAN) has attracted a tremendous attention recently.^4–6 WBAN consists of various wearable intelligent sensors on the body, which are connected in the form of wireless communication link. The sensors in WBAN provide the constant health monitoring (for example, the heart beat, the body temperature, the blood pressure, and electrocardiogram), and real-time feedback to the data user (DU) or medical staff. Taking advantages of WBAN, the patient enjoys a promising physical mobility and experiences a high-quality healthcare service at home. In addition, these collected physiological data are uploaded to the cloud platform for being utilized by the DU.

As a distributed computation model over a shared pool, cloud computing provides infrastructure as a service like physical computing resources, data partitioning, storage, and so on.^7–9 In the cloud paradigm, the user just pays for enjoying the corresponding cloud services supported by the cloud service provider (CSP) instead of managing and maintaining the infrastructure, which reduces the local storage overhead and provides the convenient data access service. Uploading the physiological data in WBAN to cloud platform, it realizes the real-time data sharing, the elastic computation resource distribution and the accurate response in time. However, the data owner (DO) loses the capacity of controlling over it physically after being stored on the cloud platform, and the physiological data contains some sensitive privacy. Therefore, it is essential to implement the confidentiality protection with access control against the unauthorized user and curious CSP.

For enjoying the confidentiality and access control in cloud, the attribute-based encryption (ABE) scheme was proposed as a preeminent cryptographic primitive.¹⁰ ABE is an one-to-many encryption mode that the authorized entity is able to decrypt the protected data only if the access structure and attribute attached with private key and ciphertext. Moreover, this scheme is divided into two types, key-policy ABE (KP-ABE) schemes^11–13 and ciphertext-policy ABE (CP-ABE) schemes.^14–17 In the former, the private key is related to designated policies, while the ciphertext is labeled by some attributes. The user decrypts this ciphertext successfully unless these access policies are met by some attributes of such ciphertext, which reflects the permission of this user. On the contrary, in the latter, the ciphertext is associated with access policy, while some attribute sets are embedded into private key. CP-ABE scheme shows some requirements for the decryptor. In the cloud-assisted WBAN, the physiological data are stored on the cloud storage server (CSS), and shared among the authorized DUs. Consequently, it is more practical to adopt CP-ABE scheme to support confidentiality and access control in the cloud-assisted WBAN. Unfortunately, in the CP-ABE scheme, there is a shortcoming that the overhead is expensive due to the complexity of access structure in the phase of decryption, which impedes the application of ABE in IoTs device with limited resource.

For decreasing the computation overhead of decryption burdened on the DU, the concept of outsourced decryption was presented.¹⁸ Concretely, a ciphertext and a transformation key are given to CSS, and it transforms this ciphertext into a partial one, rather that is directly decrypted by the DU. The user only spends a little cost in accessing the plaintext from this partial ciphertext. Nevertheless, the validity of this transformed ciphertext cannot be ensured for an untrusted CSS. Some curious CSS may distort and tamper the transformed ciphertext. Therefore, the verifiability of the transformed ciphertext is necessary for the outsourced decryption ABE.¹⁹

Moreover, the blockchain technique is a desirable method of resisting the data tampering as well.^20,21 Blockchain technology is a backbone of the Bitcoin cryptocurrency,²² which is considered as a peer-to-peer distributed ledger technology to record data. The distinguishing features of this technology are decentralized maintenance, secure transporting and accessing the data as well as anti-tamper and undeniability. Taking blockchain into outsourced decryption ABE protocol, the ciphertext, the partial ciphertext, the transformation key, and other important parameters are encapsulated into a block chronologically, which avoids to be tampered from any entity, including the inside and outside adversary.

At the same time of enjoying the convenience, the cloud-assisted IoTs also suffers from the huge network latency, the massive data, and other various drawbacks.²³ To avoid these drawbacks, one of the preeminent technique measure is fog computing. As shown in Figure 1, fog computing is presented for extending the cloud service to the edge of the IoTs,^24–26 which promotes the resources and services to be closer to the IoTs devices. In the face of the explosion of data in IoTs, fog computing enables to provide small latency and real-time application.

Figure 1.

The underlying structure of fog computing.

Related works

ABE is a popular topic that enjoys the confidentiality and fine-grained access control. However, the weakness of original ABE scheme is that it needs some expensive operations in decryption, and the overhead is related to the complexity of access structure. Green et al.¹⁸ introduced the model of ABE with outsourced computing to reduce the computational cost in decryption, which transformed the decryption operation to CSS and reduced the overhead of the DU significantly. Unfortunately, the correctness of transformed ciphertext in Green et al.¹⁸ cannot be checked. Lai et al.¹⁹ presented a verifiability ABE protocol with outsourced decryption to verify the validity of the transformed ciphertext. To improve the efficiency, Lin et al.²⁷ combined an attribute-based key encapsulation mechanism (KEM), a commitment protocol, and a symmetric key encryption scheme to achieve efficient verifiability. Moreover, they also put forward a unified model for outsourced decryption ABE with verifiability. Qin et al.²⁸ encrypted the data in symmetric encryption, and this symmetric key is encrypted under ABE scheme. By comparing the hash values, this protocol realized the verification of the outsourced ciphertext in correctness. Mao et al.²⁹ designed an improved verifiability ABE protocol with outsourced decryption to cut down the size of ciphertext and computational cost obviously, which committed to such plaintext by means of a random parameter. The scheme in Li et al.³⁰ gave a novel verifiable outsourced decryption of ABE scheme that the size of ciphertext is constant, which not only verified the validity of transformed ciphertext, but also made the overhead be irrelevant to the complexity of access structure. Li et al.³¹ introduced an ABE protocol with fully verifiable oursourced decryption as well, and all the users (including authorized and unauthorized) enabled to check the correctness of transformed ciphertext. Recently, the scheme in Li et al.³² demonstrated an verifiability ABE with outsourced computing in both the encryption and decryption phases. This protocol caused the cost of transformed key generation to be constant and shifted the burden on both the DO and user.

Furthermore, the blockchain technology is also employed to guarantee the validity of the outsourced data. If only encapsulated the vital parameters into a block, any entity (including the authorized user and trusted or curious authority from inside, and the unauthorized user and adversary from outside) could not tamper these data. Guo et al.³³ encapsulated the electronic health records (EHRs) in blockchain to guarantee the validity in the attribute-based cryptography primitive, every patient endorsed a message according to his attribute for avoiding to reveal his or her privacy. For applying in distribution system, the protocol in Guo et al.³⁴ demonstrated a multi-authority ABE for medical data. Taking advantage of the blockchain technique, the integrity of these private data in cloud is protected. Liu et al.³⁵ adopted the CP-ABE to provide strong privacy preservation in data sharing. Moreover, the index of physiological data is stored in the blockchain, which ensured that such sensitive data could not be modified arbitrarily. The schemes^36–39 are all focused on the integrity and correctness of the outsourced data in cloud depending on the blockchain technology.

Although ABE scheme with outsourced decryption reduces the cost significantly, the mass data processing from sensor nodes is still greatly hindering the application of resource-limited IoT devices. Taking cloud-fog architecture into consideration, fog node (FN) is likely to be a proxy that executes partial computation. With the assistance of FN, it will need less calculation cost on the resource-limited IoT device. In the environment of fog computing, Zuo et al.⁴⁰ first presented the chosen-ciphertext attack (CCA)-secure model in ABE with outsourced decryption. Integrating CP-ABE and searchable encryption, Miao et al.⁴¹ proposed an efficient fine-grained ciphertext searching system, which shifted partial computation overhead from the DU to the selected FN. Fan et al.⁴² introduced an access control scheme with multiple authorities for privacy preservation in the fog-assisted IoT architecture, which operated the verifiable outsourced decryption by FN and ensured a real-time application. Considering the computing capacity of the sensor node, Wang et al.⁴³ presented a fine-grained access control with distributed outsourced computing, in which the receiver and sender just executed little calculation with the help of the FN.

Contributions

To this article, for preserving the privacy in WBAN, a lightweight verifiability CP-ABE protocol with outsourced decryption is presented. The contributions of our protocol are listed as following.

By adding verification algorithm in decryption, this scheme enjoys the verifiability of ciphertext to check the correctness by the DU. Moreover, depending on the blockchain technology, it encapsulates the important data into a block chronologically and protects these data from being tampered by inside and outside adversary.

The size of ciphertext is constant that is independent with the complexity of attributed set and access policy. Moreover, FN affords partial computation and storage task that cuts the cost of IoT device equipped by the DO.

Provided that the assumption of computational bilinear Diffie–Hellman (CBDH) holds, we formally prove this proposal is verifiable in the standard model, and selectively chosen-plaintext attack (CPA)-secure.

As for simulation and comparison, we implement our constrution and demonstrate the result of performance measurement, which indicates a significant reduction on the bandwidth of communication and computation for every entity in this protocol.

Organization

The remaining paper is organized as follows. Section “Preliminaries” introduces some basic knowledges and concepts, such as the notions of bilinear map, security assumption and access structure, the definition and security model of verifiability CP-ABE scheme with outsourced decryption in this article. Section “The architecture of system model” describes the detailed characters in our system model. Section “Our construction” presents our concrete CP-ABE scheme with verifiable oursourced decryption for WBAN. Section “Security analysis” proves the security and verifiability of this proposal. Section “Performance evaluation” demonstrates the experimental results on the performance comparison with the related schemes. Finally, Section “Conclusion” states our conclusions of such article.

Preliminaries

In this part, some preliminary knowledges regarding the cryptographic primitives that our scheme depends on are introduced.

Bilinear map

Suppose that $(G, +)$ and $(G_{T}, \times)$ are bilinear cyclic groups with the prime order $p$ . A bilinear map $\hat{e} : G \times G \to G_{T}$ possesses the following three properties:

Bilinearity: ∀ $P, Q \in G$ , $a, b \in Z_{p}^{*}$ , $\hat{e} (aP, bQ) = \hat{e} (P, Q)^{ab}$ holds.

Non-degeneracy: It exists $P, Q \in G$ such that $\hat{e} (P, Q) \neq 1 \in G_{T}$ .

Computability: ∀ $P, Q \in G$ , it exists an efficient algorithm to calculate $\hat{e} (P, Q)$ .

Complexity assumption

Let $G$ be a finite cyclic group with prime order $p$ , and $a, b, c \in Z_{p}^{*}$ be selected uniformly at random. The difficult problem underlying the security of our protocol are shown as below.

Definition 1

CBDH problem

Given a tuple of elements ${A = aP, B = bP, C = cP} \in G^{3}$ , the CBDH problem in $(p, G, G_{T}, \hat{e})$ is to calculate the bilinear pairing $\hat{e} (P, P)^{abc}$ .

The CBDH assumption in $(p, G, G_{T}, \hat{e})$ is that there is no probabilistic polynomial-time (PPT) algorithm $A$ to solve CBDH problem successfully with non-negligible advantage. The advantage of $A$ is defined as

\Pr [A (p, G, G_{T}, \hat{e}, A, B, C) = \hat{e} (g, g)^{abc}]

where this probability is over the randomly chosen tuple of $(p, a, b, c)$ .

Access structure

Definition 2

Access structure

Suppose that ${P_{1}, P_{2}, \dots, P_{n}}$ is a set of parties. There is a monotone collection $A \subseteq 2^{{P_{1}, P_{2}, \dots, P_{n}}}$ , where if $B \in A, B \subseteq C$ , $C \in A$ for any $B$ and $C$ . Moreover, the access structure $A$ (respectively, monotone access structure) is called a collection (respectively, monotone access structure) of non-empty subsets of ${P_{1}, P_{2}, \dots, P_{n}}$ , that is, $A \subseteq 2^{{P_{1}, P_{2}, \dots, P_{n}}} \ {\emptyset}$ . Hence, the set belonging to $A$ is an authorized set. Otherwise, it is unauthorized.

Formal definition of CP-ABE with outsourced decryption

The CP-ABE scheme with outsourced decryption consists of seven algorithms as follows.

$Setup (1^{λ}) \to (PK, MSK)$ : This algorithm inputs security parameter $1^{λ}$ , and then it outputs the public parameters $PK$ and master secret key $MSK$ of this system.

$KeyGen (PK, MSK, Att) \to S K_{Att}$ : This algorithm inputs the public parameters $PK$ , master secret key $MSK$ , and an attribute set $Att$ . Then, returns $S K_{Att}$ as a private key for $Att$ .

$Encrypt (PK, M, A) \to CT$ : This algorithm inputs public parameters $PK$ , a message $M$ and an access policy $A$ , and then it returns the ciphertext $CT$ of $M$ as an answer.

$Decrypt (PK, S K_{Att}, CT) \to M$ : This algorithm inputs the public parameters $PK$ , the private key $S K_{Att}$ for $Att$ and the ciphertext $CT$ , and then it returns $M$ as an answer if $S K_{Att}$ satisfies the access structure $A$ .

$GenT K_{out} (PK, S K_{Att}) \to (T K_{Att}, R K_{Att})$ : This algorithm inputs the public parameters $PK$ and the private key $S K_{Att}$ for attribute set $Att$ , and then it returns a transformation key $T K_{Att}$ and a retrieving key $R K_{Att}$ correspondingly as an answer.

$Transfor m_{out} (PK, CT, T K_{Att}) \to CT'$ : This algorithm inputs the public parameters $PK$ , the ciphertext $CT$ , and the transformation key $T K_{Att}$ for $Att$ , and then it returns a partial ciphertext $CT'$ as an answer.

$Decryp t_{out} (PK, CT, CT', R K_{Att}) \to M$ : This algorithm inputs the public parameters $PK$ , the ciphertext $CT$ , the partial ciphertext $CT'$ , and the retrieving key $R K_{Att}$ , and then returns message $M$ as an answer.

Security model for CP-ABE with outsourced decryption

Confidentiality

As the traditional CCA-secure does not permit any changes on bits of ciphertext, which is not suitable for the above model of CP-ABE with outsourced decryption. Thus, it proposes the selectively CPA-secure model in the following game between a challenge $C$ and an adversary $A$ .

Init: The adversary $A$ submits $A^{*}$ as a challenge access policy.

Setup: The challenger $C$ selects a security parameter $1^{λ}$ for executing Setup, and then it returns the public parameters $PK$ to $A$ and keeps master secret key $MSK$ secretly.

Query Phase 1: Challenger $C$ maintains an empty list $L$ and a set E. Adversary $A$ issues two queries as below.

Private-Key-Extraction: Adversary $A$ queries this oracle on the attribute set $Att$ , and the challenger $C$ executes KeyGen and sets E=E $\cup {Att}$ . It outputs the private key $S K_{Att}$ to $A$ , and it cannot make this query for the private key $S K_{Att}$ that satisfies the challenge access structure $A^{*}$ .

Transformation-Key-Extraction: Adversary $A$ launches this query on attribute set $Att$ . The challenger searches $〈 Att, S K_{Att}, T K_{Att}, R K_{Att} 〉$ from the list $L$ . If such tuple exists, $C$ outputs $T K_{Att}$ to $A$ . Otherwise, the challenger executes KeyGen and GenTK_out, and stores the generated tuple $〈 Att, S K_{Att}, T K_{Att}, R K_{Att} 〉$ in the list $L$ . At last, it returns transformation key $T K_{Att}$ to $A$ . In addition, if it has queried Private-Key-Extraction based on $Att$ , $A$ is forbidden to make queries on Transformation-Key-Extraction for the same set $Att$ .

Challenge: Adversary $A$ submits two messages $M_{0}$ and $M_{1}$ with the same length, and a challenge access policy $A^{*}$ that cannot be satisfied by $Att$ . $C$ randomly selects $b \in {0, 1}$ and calculates $C T^{*} = Encrypt (PK, M_{b}, A^{*})$ . After that, $C$ returns the challenge ciphertext $C T^{*}$ to $A$ .

Query Phase 2: The adversary continues to make the same queries on Private-Key-Extraction and Transformation-Key-Extraction as in Query Phase 1. However, the private key should not meet the challenge access policy $A^{*}$ .

Guess: Adversary $A$ returns its guess $b' \in {0, 1}$ on $b$ . If $b' = b$ , $A$ wins the game.

The advantage of $A$ in this game is defined as

{Adv}_{AB E_{out}, A}^{Con} (1^{λ}) = | \Pr [b' = b] - \frac{1}{2} |

Definition 3

This verifiability CP-ABE protocol with outsourced decryption is selectively CPA-secure if the advantage of all the PPT adversaries is negligible in the above security model.

Verifiability

The verifiability for CP-ABE protocol with outsourced decryption is proposed by the interaction between adversary and challenger in the following.

Init: Adversary $A$ submits $A^{*}$ as a challenge access policy.

Setup: Challenger $C$ operates Setup to generate the public parameters $PK$ and the master secret key $MSK$ . After that, it returns $PK$ to adversary.

Query Phase 1: Adversary queries on Private-Key-Extraction and Transformation-Key-Extraction as in Query Phase 1 of the above security game.

Challenge: Adversary $A$ submits a message $M^{*}$ and a challenge access structure $A^{*}$ to $C$ , it calculates $C T^{*} = Encrypt (PK, M^{*}, A^{*})$ and reponses it to $A$ as a challenge ciphertext.

Query Phase 2: The adversary adaptively launches the query in Query Phase 1.

Output: Adversary $A$ returns attribute set $At t^{*}$ and transformed ciphertext $C T^{*'}$ . We suppose that the tuple $(At t^{*}, S K_{At t^{*}}, T K_{At t^{*}}, R K_{At t^{*}})$ is included in the list $L$ . Otherwise, $C$ generates this tuple by querying on Private-Key-Extraction and Transformation-Key-Extraction. $A$ wins this game if $Decryp t_{out} (PK, C T^{*}, C T^{*'}, R K_{At t^{*}}) \in {M^{*}, ⊥}$ . Moreover, the advantage of $A$ in above model is defined as

\begin{matrix} {Adv}_{AB E_{out}, A}^{Ver} (1^{λ}) \\ = \Pr [Decryp t_{out} (PK, C T^{*}, C T^{*'}, R K_{At t^{*}}) \in {M^{*}, ⊥}] \end{matrix}

Definition 4

Verifiability

This CP-ABE scheme with outsourced decryption is verifiable, if the advantage ${Adv}_{AB E_{out}, A}^{Ver} (1^{λ})$ for all PPT adversaries $A$ is negligible.

The architecture of system model

The architecture of this system consists of the DO (such as patient), the FNs, the CSS, the trusted authority (TA) and the DU (such as doctor and researcher). The relationship between them is described in Figure 2 and elaborated as follows.

Figure 2.

The system model of blockchain-enabled WBAN in fog computing.

DO in this system is considered as a patient, who enjoys the medical monitoring service from CSP. The wearable IoT devices collect the physiological data and medical images of the patient in WBAN, such as electrocardiograph (ECG), physical status video (PSV), blood pressure (BP), and so on. And then, these data are delivered to a collection device by the wireless network. Since the physical data are sensitive privacy information, for the sake of protecting the medical data and realizing fine-grained access control, DO designs an access policy that is used to encrypt the data under the verifiable outsourced decryption CP-ABE scheme with public system parameter $PK$ acquired from TA. After that, the encrypted data is uploaded to the FN via Internet.

FN are located on the edge of network, which has the ability of computing, transmitting, and temporarily storing the medical data. There are three primary missions in our proposal. First, FN is in charge of retransmitting the ciphertext from DO to CSS. Second, after receiving the transformation key $TK$ from DU, FN computes the transformed ciphertext $CT$ and returns it back to DU. Third, FN manages and maintains a blockchain that stores the hash value of a public parameter $PK$ , a transformation key $TK$ , a ciphertext $CT$ , and a transformed ciphertext $CT'$ in every encrypting into a block chronologically. Depending on the purpose of anti-tamper, all the data stored in the blockchain will never be distorted by anyone. Specifically, according to this mode, any variations on this key or ciphertext would change the corresponding hash value in the blockchain, and all the entities in this system will perceive these variations. Consequently, blockchain is beneficial for protecting integrity in a verifiable and permanent method from inside and outside adversary.

CSS owns considerable storage space and calculation capability, which supplies outsourced storage and computation service to the customers. In this system, CSS is responsible for storing the outsourced data from DO in the form of ciphertext, which could be accessed by DU.

TA is a system parameter generator center, whose responsibility is generating the public parameters $PK$ and master secret key, and distributing secret key to the registered DO and DU. Furthermore, it executes Setup and KeyGen algorithms as well.

DU represents the medical staff for diagnosis, the researcher for medical science and the relatives for solicitude, and so on. Each of registered user accepts the attribute secret key relying on its characteristics. If their attributes meet the access policy of DO, DU enables to access his or her medical data. In detail, after receiving the partial encrypted medical file (i.e. the transformed ciphertext $CT'$ ) from FN, DU downloads the ciphertext $CT$ from CSS for verification and decryption by taking advantage of attribute secret key and transformation key pair to achieve the accurate plaintext medical data.

Our construction

In this section, it lists some employed notations in Table 1. Furthermore, it designs seven concrete algorithms that are demonstrated in the following.

$Setup (1^{λ}) \to (PK, MSK)$ : TA takes $1^{λ}$ as input, it selects a bilinear map $\hat{e} : G \times G \to G_{T}$ , where $G$ and $G_{T}$ are additional and multiplicative cyclic groups with prime order $p$ . Let $P$ be a generator of $G$ , TA chooses $α, β \in Z_{p}^{*}$ randomly and calculates $A = \hat{e} (P, P)^{α}, B = β P, B' = (1 / β) P$ . Then, it picks two collision resistance hash functions $H_{1} : {0, 1}^{*} \to Z_{p}^{*}$ and $H_{2} : G_{T} \to {0, 1}^{*}$ . At last, TA returns the public parameters $params = 〈 \hat{e}, G, G_{T}, p, P, A, B, B', B, H_{1}, H_{2} 〉$ and master secret key $MSK = 〈 α, β 〉$ .

$KeyGen (PK, MK, Att) \to S K_{Att}$ : Considering that $Π$ is linear secret sharing scheme (LSSS) for an access policy $A$ ,³⁰ Att is an authorized attribute set and $I = | Att |$ . Then, it obtains shares ${a_{i}}_{i \in I}$ of the secret $γ \in Z_{p}^{*}$ , and $γ = \sum_{i \in I} a_{i} t_{i}$ denotes the party corresponding to shares ${a_{i}}_{i \in I}$ as $at t_{i} \in Att$ , where ${t_{i} \in Z_{p}}_{i \in I}$ is the attribute underlying $at t_{i}$ . For the different Att and Att′, $(γ = \sum_{i \in I} a_{i} t_{i})_{at t_{i} \in Att} \neq (γ' = \sum_{i \in I'} {a_{i}}^{'} {t_{i}}^{'})_{at t'_{i} \in Att'}$ holds. TA computes $K_{1} = ((α + γ) / β) P$ , $K_{2} = γ P$ , and sends $S K_{Att} = 〈 K_{1}, K_{2} 〉$ to DU with attribute Att.

$Encrypt (PK, M, A) \to CT$ : To encrypt $M \in {0, 1}^{*}$ , it first selects $\tilde{M} \in {0, 1}^{*}$ and $s, s' \in Z_{p}^{*}$ . Next, DO computes

\begin{matrix} \hat{C} = H_{1} (M) H_{1} (\tilde{M}) P, C_{1} = M \oplus H_{2} (A^{s}), C_{2} = sB, C_{3} = sP \\ C'_{1} = \tilde{M} \oplus H_{2} (A^{s'}), C'_{2} = s' B, C'_{3} = s' P \end{matrix}

Table 1.

Notions and meanings.

Notions	Meanings
$G$	The additional cyclic group with prime order $p$ .
$G_{T}$	The multiplicative cyclic group with prime order $p$ .
$P$	The generator of $G$ .
$H_{i}$	The collision resistance hash function $i = 1, 2$ .
$PK$	The public parameters of this system.
$MSK$	The master secret key of this system.
Att	The authorized attribute set.
$I$	The number of attribute in Att.
$S K_{Att}$	The private key of user with attribute Att.
$T K_{Att}$	The transformation key of user with attribute Att.
$R K_{Att}$	The retrieving key of user with attribute Att.

After that, it returns the ciphertext

CT = 〈 A, \hat{C}, C_{1}, C_{2}, C_{3}, C'_{1}, C'_{2}, C'_{3} 〉

$Decrypt (PK, S K_{Att}, CT) \to M$ : Input the private key $S K_{Att}$ and ciphertext $CT$ , DU calculates $〈 D, D' 〉$ as follows

\begin{matrix} D = \frac{\hat{e} (C_{2}, K_{1})}{\hat{e} (C_{3}, K_{2})} = \frac{\hat{e} (s β P, ((α + γ) / β) P)}{\hat{e} (sP, γ P)} \\ = \frac{\hat{e} {(P, P)}^{s (α + γ)}}{\hat{e} {(P, P)}^{s γ}} = \hat{e} (P, P)^{s α} \end{matrix}

\begin{matrix} D' = \frac{\hat{e} (C'_{2}, K_{1})}{\hat{e} (C'_{3}, K_{2})} = \frac{\hat{e} (s' β P, ((α + γ) / β) P)}{\hat{e} (s' P, γ P)} \\ = \frac{\hat{e} {(P, P)}^{s' (α + γ)}}{\hat{e} {(P, P)}^{s' γ}} = \hat{e} (P, P)^{s' α} \end{matrix}

Then, it computes $M = C_{1} \oplus H_{2} (D)$ and $\tilde{M} = C'_{1} \oplus H_{2} (D')$ . At last, if $\hat{e} (\hat{C}, P) = \hat{e} (H_{1} (M) B, H_{1} (\tilde{M}) B')$ holds, it outputs the message $M$ . Otherwise, outputs ⊥ and aborts.

$GenT K_{out} (PK, S K_{Att}) \to (T K_{Att}, R K_{Att})$ : This algorithms takes the private key $S K_{Att}$ as input, DU generates its transformation key pair by choosing $t \in Z_{p}^{*}$ randomly and computing $T K_{Att} = 〈 K'_{1} = (1 / t) K_{1}, K'_{2} = (1 / t) K_{2} 〉$ as a pair of transformation key, and $R K_{Att} = t$ as a retrieving key.

$Transfor m_{out} (PK, CT, T K_{Att}) \to CT'$ : Given ciphertext $CT$ and transformation key $T K_{Att}$ , FN computes as belows

\begin{matrix} \frac{\hat{e} (C_{2}, K'_{1})}{\hat{e} (C_{3}, K'_{2})} = \frac{\hat{e} (s β P, ((α + γ) / t β) P)}{\hat{e} (sP, (γ / t) P)} \\ = \frac{\hat{e} {(P, P)}^{(s (α + γ)) / t}}{\hat{e} {(P, P)}^{s γ / t}} = \hat{e} (P, P)^{s α / t} = T \end{matrix}

\begin{matrix} \frac{\hat{e} (C'_{2}, K'_{1})}{\hat{e} (C'_{3}, K'_{2})} = \frac{\hat{e} (s' β P, ((α + γ) / t β) P)}{\hat{e} (s' P, (γ / t) P)} \\ = \frac{\hat{e} {(P, P)}^{((s' (α + γ)) / t)}}{\hat{e} {(P, P)}^{s' γ / t}} = \hat{e} (P, P)^{s' α / t} = T' \end{matrix}

Outputting the transformed ciphertext as

CT' = 〈 \hat{T} = \hat{C}, T, T' 〉 .

$Decryp t_{out} (PK, CT, CT', R K_{Att}) \to M$ : DU downloads the ciphertext $CT$ from CCS and checks whether $\hat{T} = \hat{C}$ . If not, it outputs ⊥ and aborts. Otherwise, computes $M = C_{1} \oplus H_{2} (T^{t})$ and $\tilde{M} = C'_{1} \oplus H_{2} (T'^{t})$ . Then, it verifies $\hat{e} (\hat{T}, P) = \hat{e} (H_{1} (M) B, H_{1} (\tilde{M}) B')$ holds or not. If it is, returns the message $M$ . Otherwise, outputs ⊥ and aborts.

Security analysis

In this part, it proves that this protocol is selectively CPA-secure and verifiable in the standard model.

Theorem 1

Provided that the protocol in Waters¹⁷ is selectively CPA-secure, our proposal is selectively CPA-secure as well.

Proof

This protocol is selectively CPA-secure under the following two games.

$Gam e_{0}$ : It is the original selectively CPA-secure game in CP-ABE protocol.

$Gam e_{1}$ : Challenger picks $\hat{C} \in G$ at random, and keeps the rest of challenge ciphertext to generate $CT = 〈 A, \hat{C}, C_{1}, C_{2}, C_{3}, C'_{1}, C'_{2}, C'_{3} 〉$ as in $Gam e_{0}$ .

The proof of this theorem consists of the following two lemmas. Lemma 1 proves the indistinguishability between $Gam e_{0}$ and $Gam e_{1}$ , while Lemma 2 demonstrates that the advantage of adversary in $Gam e_{1}$ is negligible. Consequently, it concludes that the advantage in $Gam e_{0}$ is also negligible.

Lemma 1

Assume that the scheme in Waters¹⁷ is selectively CPA-secure, $Gam e_{0}$ and $Gam e_{1}$ are computationally indistinguishable.

Proof

Suppose that an adversary $A$ distinguishes $Gam e_{0}$ and $Gam e_{1}$ with non-negligible probability, and an simulator $B$ attacks the scheme¹⁷ under the selective CPA security model with non-negligible advantage.

$C$ is a challenger in the selective CPA security model in Waters.¹⁷ A simulator interacts with $A$ by executing the following algorithms.

Init: The adversary $A$ delivers $A^{*}$ to $B$ as a challenge access structure. Then, the simulator gives this policy to $C$ . The challenger feeds back the public parameters in additional group $PK' = 〈 p, G, G_{T}, \hat{e}, P, aP, \hat{e} (P, P)^{α}, {T_{i} = s_{i} P}_{\forall i} 〉$ of Waters.¹⁷

Setup: $B$ chooses $x, y \in Z_{p}^{*}$ at random and gets $B = xP, B' = yP$ . Moreover, it chooses $H_{1} : {0, 1}^{*} \to Z_{p}^{*}$ and $H_{2} : G_{T} \to {0, 1}^{*}$ as two collision-resistant hash functions. $B$ transmits $PK = 〈 \hat{e}, G, G_{T}, p, P, A, B, B', H_{1}, H_{2} 〉$ to $A$ .

Query Phase 1: The adversary $A$ makes a private key query on attribute set $At t_{i}$ . Simulator queries Private-Key-Extraction with $C$ on $At t_{i}$ , and then accesses the private key $S K_{At t_{i}}$ . At last, $B$ returns the private keys $S K_{At t_{i}}$ to adversary.

Challenge: $A$ submits two challenge plaintexts $M_{0}$ and $M_{1}$ with equal size to the simulator. It picks a value $η \in {0, 1}$ and two message ${\tilde{M}}_{0}, {\tilde{M}}_{1} \in {0, 1}^{*}$ randomly. Then, it sends $〈 {\tilde{M}}_{0}, {\tilde{M}}_{1}, A^{*} 〉$ to the challenger. $C$ selects random $θ \in {0, 1}$ , encrypts the message ${\tilde{M}}_{θ}$ under $PK'$ and $A^{*}$ according to the encryption in Waters.¹⁷ After that, the ciphertext $C T^{*'} = 〈 A^{*}, C'_{1}, C'_{2}, C'_{3} 〉$ is sent to $B$ . The simulator chooses $s \in Z_{p}^{*}$ randomly and computes $\hat{C} = H_{1} (M_{η}) H_{1} ({\tilde{M}}_{η}) P, C_{1} = M_{η} \oplus H_{2} (A^{s}), C_{2} = sB$ and $C_{3} = sP$ . At last, $B$ transmits the challenge ciphertext $C T^{*} = 〈 A^{*}, \hat{C}, C_{1}, C_{2}, C_{3}, C'_{1}, C'_{2}, C'_{3} 〉$ to $A$ .

Query Phase 2: $A$ queries on Private-Key-Extraction adaptively as in Query Phase 1, and $B$ responds it as before.

Guess: $A$ returns its guess $η' \in {0, 1}$ for $B$ , and it outputs $η'$ as its guess for $θ$ .

Provided that $η = θ$ , $B$ has simulated $Gam e_{0}$ appropriately. Otherwise, $B$ has appropriately simulated $Gam e_{1}$ with non-negligible advantage, we design an algorithm $B$ as a simulator who attacks the selectively CPA-secure protocol with non-negligible advantage.

Lemma 2

Provided that the scheme in Waters¹⁷ is selectively CPA-secure, the adversary’s advantage in $Gam e_{1}$ is negligible.

Proof

Suppose that the advantage of $A$ in $Gam e_{1}$ is non-negligible. Besides, there is an algorithm $B$ as a simulator who attacks the protocol ¹⁷ in the selectively CPA-secure model with a non-negligible advantage.

Assume that $C$ is a challenger in selective CPA-security model, $B$ interacts with $A$ by running the algorithms as below.

Init: $A$ transmits a challenge access structure $A^{*}$ to $B$ . Simulator also gives $A^{*}$ to $C$ . The challenger $C$ delivers the public parameters in the additional group $PK' = 〈 p, G, G_{T}, \hat{e}, P, aP, \hat{e} (P, P)^{α}, {T_{i} = s_{i} P}_{\forall i} 〉$ of Waters¹⁷ back to simulator.

Setup: Simulator picks random $x, y \in Z_{p}^{*}$ , computes $B = xP, B' = yP$ , and there are two hash functions $H_{1} : {0, 1}^{*} \to Z_{p}^{*}$ and $H_{2} : G_{T} \to {0, 1}^{*}$ with collision-resistant. After that, $B$ transmits $PK = 〈 \hat{e}, G, G_{T}, p, P, A, B, B', H_{1}, H_{2} 〉$ to adversary.

Query Phase 1: $A$ adaptively issues the private key query on $At t_{i}$ . Simulator receives a private key $S K_{At t_{i}}$ by querying Private-Key-Extraction with $C$ on $At t_{i}$ . Then, the simulator returns the private key $S K_{At t_{i}}$ to adversary.

Challenge: The adversary $A$ submits two equal size messages $M_{0}$ and $M_{1}$ . Simulator sends $〈 M_{0}, M_{1}, A^{*} 〉$ to $C$ . After that, $C$ picks $θ \in {0, 1}$ at random, encrypts $M_{θ}$ under $PK'$ and $A^{*}$ as the encryption in Waters.¹⁷ Then, it gives the result ciphertext $C T^{*'} = 〈 A^{*}, C_{1}, C_{2}, C_{3} 〉$ back to $B$ . The simulator $B$ chooses $s' \in Z_{p}^{*}$ , $\tilde{M} \in {0, 1}^{*}$ and $\hat{C} \in G_{T}$ randomly, and calculates $C'_{1} = \tilde{M} \oplus H_{2} (A^{s'}), C'_{2} = s' B, C'_{3} = s' P$ . At last, $B$ transmits $C T^{*} = 〈 A^{*}, \hat{C}, C_{1}, C_{2}, C_{3}, C'_{1}, C'_{2}, C'_{3} 〉$ to $A$ as a challenge ciphertext.

Query Phase 2: Adversary queries on Private-Key-Extraction adaptively as in Query Phase 1. Simulator responses this query correspondingly.

Guess: Finally, adversary returns a guess $η' \in {0, 1}$ to simulator, it also takes $η'$ as its guess for $θ$ .

Obviously, $B$ has simulated $Gam e_{1}$ appropriately. Provided that the advantage of adversary in $Gam e_{1}$ is non-negligible, $B$ attacks selectively CPA-secure protocol¹⁷ with non-negligible advantage.

In conclusion, these two lemmas show that the first four algorithms in our protocol as basic CP-ABE protocol is selectively CPA-secure. After that, in the following theorem, we will prove that if basic CP-ABE protocol is selectively CPA-secure, the whole protocol is selectively CPA-secure as well.

Theorem 2

Provided that basic CP-ABE protocol is selectively CPA-secure, this protocol with outsourced decryption is selectively CPA-secure as well.

Proof

Suppose that, in the selectively CPA-secure model, the advantage of $A$ is non-negligible. $B$ acts as a simulator to attack the basic CP-ABE scheme with non-negligible advantage.

$C$ is a challenger in the selectively CPA-secure model of basic CP-ABE protocol. Simulator interacts with $A$ according to the algorithms as below.

Init: The adversary $A$ gives $A^{*}$ to $B$ as a challenge access structure. Then, simulator transmits this structure to $C$ . Challenger outputs the public parameters $PK = 〈 \hat{e}, G, G_{T}, p, P, A, B, B', H_{1}, H_{2} 〉$ of basic CP-ABE scheme to $B$ .

Setup: Simulator gives the above parameters $PK$ to $A$ .

Query Phase 1: $B$ maintains an empty list $L$ as well as a set E. $A$ launches the following queries adaptively.

Private-Key-Extraction: Based on the attribute set $Att$ , $B$ queries the key generation oracle to receive the private key $S K_{Att}$ . After that, $B$ sets E=E $\cup {Att}$ and responses a private key $S K_{Att}$ to $A$ .

Transformation-Key-Extraction: Based on the attribute set $Att$ , $B$ searches $〈 Att, S K_{Att}, T K_{Att}, R K_{Att} 〉$ from the list $L$ . And outputting the transformation key $T K_{Att}$ to the adversary $A$ if it exists. Otherwise, $B$ picks $u, v \in Z_{p}^{*}$ , computes $K'_{1} = ((u + v) / β) P, K'_{2} = vP$ , and $B$ stores this tuple $〈 Att, *, T K_{Att} = (Att, K'_{1}, K'_{2}), u 〉$ into $L$ and transmits it to $A$ .

Note that, the simulator $B$ is unable to access the actual retrieving key $R K_{Att} = α / u$ . It computes the following:

\begin{matrix} \frac{\hat{e} (C_{2}, K'_{1})}{\hat{e} (C_{3}, K'_{2})} = \frac{\hat{e} (s β P, (\frac{u + v}{β}) P)}{\hat{e} (sP, vP)} \\ = \frac{\hat{e} {(P, P)}^{s (u + v)}}{\hat{e} {(P, P)}^{sv}} = \hat{e} (P, P)^{su} = T \end{matrix}

\begin{matrix} C_{1} \oplus H_{2} (T^{R K_{Att}}) \\ = M \oplus H_{2} (\hat{e} (P, P)^{s α}) \oplus H_{2} (\hat{e} (P, P)^{su \frac{α}{u}}) = M \end{matrix}

Challenge: Adversary submits two equal size messages $〈 M_{0}, M_{1} 〉$ and $A^{*}$ as a challenge access policy. $B$ transmits the tuple $〈 M_{0}, M_{1}, A^{*} 〉$ to challenger to compute $C T^{*}$ on $M_{η}$ as a challenge ciphertext, where $η \in {0, 1}$ . After that, $B$ returns $C T^{*}$ to $A$ .

Query Phase 2: $A$ makes a private key query adaptively as in Query Phase 1. $B$ returns the answer correspondingly.

Guess: $A$ returns a value $η'$ as its guess on $η$ , and $B$ responses $η'$ as well.

Provided that the guess $η'$ of $A$ in this protocol is correct, the guess in basic CP-ABE scheme is also correct. Therefore, it concludes that if $A$ enables to attack the proposal with non-negligible advantage, in the selectively CPA-secure model, there is a simulator $B$ that attacks basic CP-ABE protocol with non-negligible advantage.

Theorem 3

Provided that CBDH assumption defined in Definition 1 holds, this CP-ABE protocol with outsourced decryption is verifiable.

Proof

Assume that $A$ attacks verifiability of this scheme with non-negligible advantage. In addition, $B$ acts as a simulator that enables to solve CBDH problem with non-negligible advantage.

Setup: Simulator $B$ randomly picks $α, x, y \in Z_{p}^{*}$ , let $H_{1} : {0, 1}^{*} \to Z_{p}^{*}$ and $H_{2} : G_{T} \to {0, 1}^{*}$ be collision-resistant hash functions. After that, simulator defines the public parameters $PK = 〈 \hat{e}, G, G_{T}, p, P, A = \hat{e} (P, P)^{α}, B = xP, B' = yP, H_{1}, H_{2} 〉$ , and master secret key $MSK = α$ . It returns $PK$ to adversary.

Query Phase 1: $A$ makes some queries on $KeyGen (PK, MK, Att)$ , $Transfor m_{out} (PK, CT, T K_{Att})$ , $Decrypt (PK, S K_{Att}, CT)$ and $Decryp t_{out} (PK, CT, CT', R K_{Att})$ algorithms. As simulator possesses master secret key $MSK$ , it is able to response these queries properly.

Challenge: $A$ submits a message $M^{*}$ and a challenge access policy $A^{*}$ to $B$ . The simulator calculates the ciphertext $C T^{*}$ of $M^{*}$ and returns $C T^{*} = 〈 A^{*}, \hat{C}, C_{1}, C_{2}, C_{3}, C'_{1}, C'_{2}, C'_{3} 〉$ to $A$ , where $\hat{C} = H_{1} (M^{*}) H_{1} ({\tilde{M}}^{*}) P$ and ${\tilde{M}}^{*} \in {0, 1}^{*}$ is selected by the simulator at random. Note that, $B$ is forbidden to access the random parameter $s$ .

Query Phase 2: Adversary launches the same query on private key as in Query Phase 1, and simulator responses as before.

Output: $A$ returns an attribute set $At t^{*}$ and the transformed ciphertext $C T^{*'} = 〈 \hat{T} = \hat{C}, T, T' 〉$ . Simulator $B$ computes $C_{1} \oplus H_{2} (T^{t_{At t^{*}}}) = M$ and $C'_{1} \oplus H_{2} (T'^{t_{At t^{*}}}) = \tilde{M}$ , where $t_{At t^{*}}$ is a retrieving key for the attribute set $At t^{*}$ controlled by simulator $B$ .

Furthermore, if $A$ wins the above game, $B$ has ability of computing

\begin{matrix} {[\frac{\hat{e} (C_{2}, K_{1})}{\hat{e} (C_{2}, γ B')}]}^{\frac{1}{α}} = {[\frac{\hat{e} (sxP, (α + γ) yP)}{\hat{e} (sxP, γ yP)}]}^{\frac{1}{α}} \\ = {[\frac{\hat{e} {(P, P)}^{xys (α + γ)}}{\hat{e} {(P, P)}^{xys γ}}]}^{\frac{1}{α}} = \hat{e} (P, P)^{xys} \end{matrix}

where $α$ and $γ$ are controlled by the simulator $B$ . Thus, $B$ solves the CDBH problem, which is paradoxical. Therefore, this CP-ABE protocol with outsourced decryption is verifiable.

Performance evaluation

In this section, it demonstrates the cost evaluation between this protocol and other related schemes^{19,28–31,40} from the aspects of communication and computation overhead.

Communication overhead

Let $| G |$ and $| G_{T} |$ be the element length in the additional cyclic group $G$ and the multiplicative cyclic group $G_{T}$ , respectively. $N$ denotes the number of attribute, and $L_{M}$ denotes the length of message. For scheme in Qin et al.,²⁸ $L_{SE}$ is denoted to the length of a symmetric encryption ciphertext, and $L_{VK}$ is the length of a verification key. Moreover, for protocol in Mao et al.,²⁹ $L_{CM}$ is represented to the length of commit on a message. As shown in Table 2, it compares the communication cost in the phase of KeyGen, Encrypt, GenTK_out, and Transform_out. In the algorithm of KeyGen, the communication overhead between TA and DU is $2 | G |$ . In the algorithm of Encrypt, the communication overhead between DO and CSS in our scheme is $(5 | G | + 2 L_{M})$ . In the phase of transformation key generation, the overhead in communication is also $2 | G |$ . Meanwhile, in the algorithm of Transform_out, the communication overhead between FN and DU is $(| G | + 2 | G_{T} |)$ . To sum up, from this table, we can conclude that the size of the transmitted data with constant length in every phase is the smallest, which indicates a significant advantage of our protocol in communication.

Table 2.

Comparison of communication overhead.

Schemes	KeyGen	Encrypt	GenTK_out	Transform_out
Lai et al.¹⁹	$N + (N + 2) \| G_{T} \|$	$(4 N + 3) \| G \| + 2 \| G_{T} \|$	$N + (N + 2) \| G_{T} \|$	$\| G \| + 4 \| G_{T} \|$
Qin et al.²⁸	$(N + 2) \| G_{T} \|$	$(2 N + 1) \| G \| + \| G_{T} \| + L_{SE} + L_{VK}$	$(N + 2) \| G_{T} \|$	$2 \| G_{T} \| + L_{SE} + L_{VK}$
Mao et al.²⁹	$N + (N + 2) \| G_{T} \|$	$(2 N + 2) \| G \| + L_{M} + L_{CM}$	$N + (N + 2) \| G_{T} \|$	$\| G \| + \| G_{T} \| + L_{M} + L_{CM}$
Li et al.³⁰	$2 \| G_{T} \|$	$5 \| G \| + 2 \| G_{T} \|$	$2 \| G_{T} \|$	$\| G \| + 4 \| G_{T} \|$
Li et al.³¹	$N + (N + 2) \| G_{T} \|$	$(2 N + 3) \| G \| + L_{M}$	$N + (N + 2) \| G_{T} \|$	$2 \| G \| + \| G_{T} \| + L_{M}$
Zuo et al.⁴⁰	$(2 N + 1) \| G_{T} \|$	$(N + 2) \| G_{T} \| + 2 L_{M}$	$(2 N + 1) \| G_{T} \|$	$\| G_{T} \| + 2 L_{M}$
Ours	$2 \| G \|$	$5 \| G \| + 2 L_{M}$	$2 \| G \|$	$\| G \| + 2 \| G_{T} \|$

Computation overhead

We implement our scheme with previous works^30,31,40 depending on pairing-based cryptography (PBC) library,⁴⁴ the operations are executed on the 64-bit Windows 10 operation system, 2.20-GHz Intel Core i5-5200u CPU with 8-GB RAM. Concretely, we select the Type A elliptic curve parameter with the 160-bit order. Figures 3 –7 demonstrate the experimental results in the average time of 100 operations. Specifically, in Figure 3, because of integrating the attribute into $γ$ , it is obvious that the overhead of key generation in this protocol is constant and more efficient than others. We compare the time of encryption spent among these four schemes in Figure 4, which shows that our cost is much less than others for the reason that the overhead in this protocol is not increased with the quantity of attribute embedded in the access policy. Figures 5 and 7 show that the cost of decryption and outsourced decryption, respectively. However, the overhead of our proposal is a little more than Li et al.’s protocol³⁰ for the reason that it needs one more bilinear pairing operations in our verification algorithm. Finally, in Figure 6, it demonstrates that the operation cost of this proposal is equal to the scheme in Li et al.³⁰ in the phase of transformation. Conclusions as a result, this protocol shows a better performance in the phases of KeyGen, Encrypt, Decrypt, Transform_out, and Decrypt_out, respectively.

Figure 3.

The cost of KeyGen algorithm.

Figure 4.

The cost of Encrypt algorithm.

Figure 5.

The cost of Decrypt algorithm.

Figure 6.

The cost of Transform_out algorithm.

Figure 7.

The cost of Decrypt_out algorithm.

Conclusion

In this article, it presents a lightweight verifiable outsourced CP-ABE protocol for the typical WBAN in IoT, which enables a user to verify the correctness of the transformed ciphertext. The security is proven to be selectively CPA-secure, and the verifiability is reduced to CBDH assumption in the standard model. In addition, the complicated decryption operation is outsourced to the FN instead of being laid on the device of DU. As for the communication and computation overhead, they do not depend on the amount of attributes, which reduces the cost of the whole system greatly. Therefore, this scheme has some applications in the limited power devices, such as IoTs. Moreover, our scheme takes advantage of fog computing to provide low latency and real-time interactions, while the blockchain protects the public parameter and ciphertext from being tampered by the inside and outside adversary.

Footnotes

Handling Editor: Zheng Chang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Key R&D Program of China under Grant 2017YFB0802000; the Natural Science Foundation of China under Grants 61802303, 61772418, and 61602378; the Key Research and Development Program of Shaanxi under Grant 2019KW-053; the Innovation Ability Support Program in Shaanxi Province of China under Grant 2017KJXX-47; the Natural Science Basic Research Plan in Shaanxi Province of China under Grants 2019JQ-866, 2018JZ6001, and 2016JM6033; the Research Program of Education Bureau of Shaanxi Province under Grant 19JK0803; the New Star Team of Xi’an University of Posts and Telecommunications under Grant 2016-02; the Fundamental Research Funds for the Central Universities under Grant GK201903005; and Guangxi Cooperative Innovation Center of Cloud Computing and Big Data under Grant YD1903.

ORCID iD

Rui Guo

References

International Telecommunication Union (ITU). Internet of Things global standards initiative, https://www.itu.int/en/ITU-T/gsi/iot/pages/default.aspx

Peng

Niu

, et al. A robust and energy efficient authentication protocol for industrial internet of things. IEEE Internet Things J 2018; 5(3): 1606–1615.

Sun

Lyu

, et al. Towards efficient, secure, and fine-grained access control system in MSNs with flexible revocations. Int J Distrib Sens Netw 2015; 11: 857405.

Latré

Brarm

Moerman

, et al. A survey on wireless body area networks. Wirel Netw 2011; 17(1): 1–18.

Ibrahim

Kumari

, et al. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Comput Netw 2017; 129(2): 429–443.

Huo

, et al. Secure and efficient data communication protocol for wireless body area networks. IEEE Trans Multi-Scale Comput Syst 2016; 2(2): 94–107.

Mell

Grance

. The NIST definition of cloud computing (SP 800-145), 2011, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Zhang

Deng

Zheng

, et al. Efficient and robust certificateless signature for data crowdsensing in cloud-assisted industrial IoT. IEEE Trans Ind Inform 2019; 15: 5099–5108.

Zhang

Deng

Liu

, et al. Outsourcing service fair payment based on blockchain and its applications in cloud computing. IEEE Trans Serv Comput. Epub ahead of print 7 August 2018. DOI: 10.1109/TSC.2018.2864191

10.

Sahai

Waters

Fuzzy identity-based encryption. In: Proceedings of the 24th annual international conference on theory and applications of cryptographic techniques (EUROCRYPT’05), Aarhus, 22–26 May 2005, pp.457–473. Berlin: Springer.

11.

Goyal

Pandey

Sahai

, et al. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on computer and communications security (CCS’06), Alexandria, VA, 30 October–3 November 2006, pp.89–98. New York: ACM.

12.

Ostrovsky

Sahai

Waters

Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM conference on computer and communications security (CCS’07), Alexandria, VA, 28–31 October 2007, pp.195–203. New York: ACM.

13.

Lewko

Waters

Unbounded HIBE and attribute-based encryption. In: Proceedings of the 30th annual international conference on theory and applications of cryptographic techniques (EUROCRYPT’11), Tallinn, 15–19 May 2011, pp.547–567. Berlin: Springer.

14.

Lewko

Okamoto

Sahai

, et al. Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Proceedings of the 29th annual international conference on theory and applications of cryptographic techniques (EUROCRYPT’10), French Riviera, 30 May–3 June 2010, pp.62–91. Berlin: Springer.

15.

Okamoto

Takashima

. Fully secure functional encryption with general relations from the decisional linear assumption. In: Proceedings of the 30th annual conference on advances in cryptology (CRYPTO’10), Santa Barbara, CA, 15–19 August 2010, pp.191–208. Berlin: Springer.

16.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: Proceedings of the 2007 IEEE symposium on security and privacy (SP’07), Berkeley, CA, 20–23 May 2007, pp.321–334. New York: IEEE.

17.

Waters

Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Proceedings of the 14th international conference on practice and theory in public key cryptography conference on public key cryptography (PKC’11), Taormina, 6–9 March 2011, pp.53–70. Berlin: Springer.

18.

Green

Hohenberger

Waters

. Outsourcing the decryption of ABE ciphertexts. In: Proceedings of the 20th USENIX conference on security (SEC’11), San Francisco, CA, 8–12 August 2011, pp.34–34. New York: ACM.

19.

Lai

Deng

Guan

, et al. Attribute-based encryption with verifiable outsourced decryption. IEEE Trans Inf Foren Sec 2013; 8(8): 1343–1354.

20.

Zhang

Deng

Liu

, et al. Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Inform Sciences 2018; 462: 262–277.

21.

Zhang

Wen

. The IoT electric business model: using blockchain technology for the Internet of Things. Peer Peer Netw Appl 2017; 10(4): 983–994.

22.

Nakamoto

. Bitcoin: a peer-to-peer electronic cash system, 2008, https://bitcoin.org/bitcoin.pdf

23.

Puliafito

Mingozzi

Anastasi

. Fog computing for the internet of mobile things: issues and challenges. In: Proceedings of the 2017 IEEE international conference on smart computing (SMARTCOMP’17), Hong Kong, 29–31 May 2017, pp.1–6. New York: IEEE.

24.

Bonomi

Milito

Zhu

, et al. Fog computing and its role in the Internet of Things. In: Proceedings of the first edition of the MCC workshop on mobile cloud computing (MCC’12), Helsinki, 17 August 2012, pp 13–16. New York: ACM.

25.

Roca

Milito

Nemirovsky

, et al. Tackling IoT ultra large scale systems: fog computing in support of hierarchical emergent behaviors. In: Rahmani

Liljeberg

Preden

, et al. (eds) Fog computing in the Internet of Things. Cham: Springer, 2018, pp.33–48.

26.

Dhelim

Ning

, et al. Survey on fog computing: architecture, key technologies, applications and open issues. J Netw Comput Appl 2017; 98: 27–42.

27.

Lin

Zhang

, et al. Revisiting attribute-based encryption with verifiable outsourced decryption. IEEE Trans Inf Foren Sec 2015; 10(10): 2119–2130.

28.

Qin

Deng

Liu

, et al. Attribute-based encryption with efficient verifiable outsourced decryption. IEEE Trans Inf Foren Sec 2015; 10(7): 1384–1393.

29.

Mao

Lai

Mei

, et al. Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption. IEEE Trans Depend Secure 2016; 13(5): 533–546.

30.

Sha

Zhang

, et al. Verifiable outsourced decryption of attribute-based encryption with constant ciphertext length. Secur Commun Netw 2017; 2017(2): 1–11.

31.

Wang

Zhang

, et al. Full verifiability for outsourced decryption in attribute based encryption. IEEE Trans Serv Comput. Epub ahead of print 31 May 2017. DOI: 10.1109/TSC.2017.2710190

32.

Jin

, et al. An efficient ABE scheme with verifiable outsourced encryption and decryption. IEEE Access 2019; 7: 29023–29037.

33.

Guo

Shi

Zhao

, et al. Secure attribute-based signature scheme with multiple authorities for blockchain in electronic health records systems. IEEE Access 2018; 6: 11676–11686.

34.

Guo

Shi

Zheng

, et al. Flexible and efficient blockchain-based ABE scheme with multi-authority for medical on demand in telemedicine system. IEEE Access 2019; 7: 88012–88025.

35.

Liu

, et al. BPDS: a blockchain based privacy-preserving data sharing for electronic medical records. In: Proceedings of the 2018 IEEE global communications conference (Globecom’18), Abu Dhabi, United Arab Emirates, 9–13 December 2018. New York: IEEE.

36.

Oliveira

Reis

LHA

Carrano

, et al. Towards a blockchain-based secure electronic medical record for healthcare applications. In: Proceedings of the ICC 2019-2019 IEEE international conference on communications (ICC’19), Shanghai, China, 20–24 May 2019. New York: IEEE.

37.

Rahman

MDA

Hossain

Loukas

, et al. Blockchain-based mobile edge computing framework for secure therapy applications. IEEE Access 2018; 6: 72469–72478.

38.

Ferrag

Derdour

Mukherjee

, et al. Blockchain technologies for the Internet of Things: research issues and challenges. IEEE Internet Things 2019; 6(2): 2188–2204.

39.

Zhu

Gai

, et al. Controllable and trustworthy blockchain-based cloud data management. Future Gener Comput Syst 2019; 91: 527–535.

40.

Zuo

Shao

Wei

, et al. CCA-secure ABE with outsourced decryption for fog computing. Future Gener Comput Syst 2018; 78: 730–738.

41.

Miao

Liu

, et al. Lightweight fine-grained search over encrypted data in fog computing. IEEE Trans Serv Comput 2019; 12: 772–785.

42.

Fan

Gao

, et al. Efficient and privacy preserving access control scheme for fog-enabled IoT. Future Gener Comput Syst 2019; 99: 134–142.

43.

Wang

, et al. A distributed access control with outsourced computation in fog computing. Secur Commun Netw 2019; 2019: 6782753.

44.

Lynn

. PBC (pairing-based cryptography) library, 2012, http://crypto.stanford.edu/pbc/

Schemes	KeyGen	Encrypt	GenTK_out	Transform_out
Lai et al.¹⁹	$N + (N + 2) \| G_{T} \|$	$(4 N + 3) \| G \| + 2 \| G_{T} \|$	$N + (N + 2) \| G_{T} \|$	$\| G \| + 4 \| G_{T} \|$
Qin et al.²⁸	$(N + 2) \| G_{T} \|$	$(2 N + 1) \| G \| + \| G_{T} \| + L_{SE} + L_{VK}$	$(N + 2) \| G_{T} \|$	$2 \| G_{T} \| + L_{SE} + L_{VK}$
Mao et al.²⁹	$N + (N + 2) \| G_{T} \|$	$(2 N + 2) \| G \| + L_{M} + L_{CM}$	$N + (N + 2) \| G_{T} \|$	$\| G \| + \| G_{T} \| + L_{M} + L_{CM}$
Li et al.³⁰	$2 \| G_{T} \|$	$5 \| G \| + 2 \| G_{T} \|$	$2 \| G_{T} \|$	$\| G \| + 4 \| G_{T} \|$
Li et al.³¹	$N + (N + 2) \| G_{T} \|$	$(2 N + 3) \| G \| + L_{M}$	$N + (N + 2) \| G_{T} \|$	$2 \| G \| + \| G_{T} \| + L_{M}$
Zuo et al.⁴⁰	$(2 N + 1) \| G_{T} \|$	$(N + 2) \| G_{T} \| + 2 L_{M}$	$(2 N + 1) \| G_{T} \|$	$\| G_{T} \| + 2 L_{M}$
Ours	$2 \| G \|$	$5 \| G \| + 2 L_{M}$	$2 \| G \|$	$\| G \| + 2 \| G_{T} \|$