Sage Journals: Discover world-class research

Abstract

Attribute-based encryption is an efficient and flexible fine-grained access control scheme. However, how to realize the attribute privacy concerns in the access policy and optimize the heavy computing overhead have been not adequately addressed. First, in view of the open-access policies formulated by data owners in the cloud environment and the linear growth of bilinear pairing operations with the number of attributes in the decryption process, a verifiable outsourced attribute-based encryption with partial policy hidden scheme is proposed, in which the attribute name of access policy can be sent while attribute value involving sensitive information can be hidden, so nobody can infer information from the access policy. Second, the bilinear pairing operation and modular power operation are outsourced to the cloud server, then users only need to perform constant exponential operation to decrypt. In addition, the proposed scheme is based on the composite order bilinear group and satisfies full secure under the standard model. Finally, compared with other schemes in term of function and performance, it shows that this scheme is more efficient and suitable for resource-constrained mobile devices in outsourcing environment.

Keywords

Attribute-based encryption partial policy hidden outsourced decryption

Introduction

With the rapid development of cloud computing, it is increasingly favored by all fields of the Internet because of its powerful computing resources and storage performance, thus lead to a new computing pattern: outsourcing computing.¹ Under cloud computing environment, users with limited computing and storage resources can outsource some time-consuming computing to the cloud server in order to reduce the burden. Based on the pay-as-you-go service, users can enjoy various information services provided by the cloud. When the data owner (DO) uploads the encrypted data to the cloud, he also loses actual control of the data. However, the cloud server is not completely trusted, so how to protect the private information in the uploaded data has become a popular research. Because DO encrypts data under access policy, ciphertexts can be decrypted by anyone with a set of attributes that satisfies the access policy. In attribute-based encryption (ABE) schemes, access policy is embedded in ciphertext implicitly and outsourced to cloud service provider (CSP) together with the ciphertext in a cloud environment. Because access policies are publicly available, everyone can access policies that contain private information. For example, in an electronic medical system, a patient authorizes a cardiologist to access encrypted data through the access policy as {Department: Cardiology; Doctor: Alice}. Without decryption, anyone who gains access to the encrypted data and can conclude that the patient might suffer from “heart disease.” If the content of the attribute value in the policy is not visible, that is, the policy is set as {Department: XXX; Doctor: XXX}, then the patient’s privacy can be guaranteed. Thus, the idea that a policy is not uploaded to the cloud with ciphertext is produced by Nishide et al.² and Lai et al.³ Subsequently, Li et al.⁴ proposed an efficient ABE scheme with partial hidden policy. The scheme has less decryption cost, but the public parameters, ciphertext, and attribute information related to the policy are easily obtained by arbitrary malicious users. Therefore, Yin et al.⁵ proposed a more efficient scheme to supplement the deficiency of the scheme proposed by Li et al.⁴ in the standard model. And it was successfully reduced to the Decisional Bilinear Diffie–Hellman (DBDH) assumption.

However, most of the above schemes are based on the construction of prime order group. Cui et al.⁶ proposed a construction based on the composite order group supporting the attribute value hidden, but it only achieves selective security. In the application scenario of the electronic medical system, Zhang et al.⁷ not only implement policy concealment but also render less computing cost and storage overhead during the decryption process. In addition, the scheme is full secure under the standard model. However, the bilinear pairing operation and modular power operation involved in the decryption process are still associated with the number of attributes. To decrease the complicate pairing operation, Zhang et al.⁸ proposed a semi-hiding ABE scheme with a constant pairing operation; however, modular power operation remains linearly related to the number of attributes. To solve communication delay in remote cloud service centers, Xiong et al.⁹ introduced an attribute-based broadcast encryption scheme with partial policy hidden, user revocation, and outsourced decryption in the edge computing environment. The scheme has more practical function, but it was proved to be only selective secure.

In addition to implement partial policy hidden, the proposed scheme transfers the decryption load from user’s local device to the cloud. Therefore, the proposed scheme can easily be executed in resource-constrained devices (like mobile phones or Internet of things (IoT) devices). Because local computing nodes in an IoT environment are limited in computation and energy. For example, the merging of distributed ledger technology and IoT system is also the embodiment of outsourcing application in F Shahid et al.’s¹⁰ scheme. Therefore, to satisfy the typical IoT requirements, the proposed scheme transfers decryption load from local terminal to the cloud.

Our contribution

In order to preserve users’ privacy, the modern ABE schemes offer a “hidden access structure.” These schemes divide the “access structure” into two parts, namely, “attribute name” and “attribute value,” such that, attribute name is publicized and attribute value remains confidential. However, many of the existing ABE schemes are either inefficient or offer just a “selective security.” In almost all of the existing schemes, the decryption cost increases linearly with “number of attributes.” This article proposes a “full secure” ABE scheme with an outsourced decryption. The proposed system model transfers the decryption load from users’ local device to the highly resourceful cloud nodes. The proposed scheme has the characteristics of partial policy hiding and flexible expression. With respect to attribute hiding, the attribute is divided into two parts: attribute name and attribute value. When encrypting the data, the attribute value is only used to compute the ciphertext and not sent to the cloud along with the ciphertext. In addition,

It has a flexible expression in access policy. The proposed scheme employs linear secret sharing scheme (LSSS) to support “AND,”“OR,” and “Threshold” structure.

It offers outsourced decryption, while at the same time, and simultaneously eliminates redundant ciphertext components. In the decryption process, the bilinear pairing operation and modular power operation are outsourced to the CSP which will execute to compute the computation instead of the users. Users only need to verify the calculation results returned by CSP and perform a constant exponential operation to recover the plaintext.

It is proven to be full secure against chosen plaintext attack (CPA). Some of the abovementioned schemes satisfy selective secure by adding the “Init” stage, that is, adversary commits the challenge object in advance; however, selective secure is weaker than full secure. The proposed scheme was proven to be full secure through dual system encryption technology.¹¹

It has advantages in terms of performance and function. From the comparison and experiment, it shows that our scheme is more effective in terms of function, communication cost, and computing cost than the previously established schemes.^3,5,7

Related work

ABE

Sahai and Waters¹² proposed a new public key cryptosystem, ABE, which can be divided into two categories according to the location of the access policy: KP-ABE¹³ and CP-ABE,¹⁴ the policy in the KP-ABE scheme is embedded in the key and the policy in the CP-ABE scheme is contained in the ciphertext. Bethencourt et al.¹⁴ gave the CP-ABE scheme first, but only supported the “AND” gate structure. In order to achieve better ability of policy expression, Waters¹⁵ proposed the CP-ABE based on LSSS under the standard model. Since the policy is embedded in the ciphertext for CP-ABE, it means that the DO can set the policy to determine which attributes can access to the ciphertext, namely, making a fine-grained access control of the data. Compared to KP-ABE, CP-ABE is more widely used than KP-ABE, such as personal health care systems and fine-grained sharing in cloud storage.

Policy hidden

In order to resolve the privacy issue of user attributes in the cloud environment, Nishide et al.² first proposed a CP-ABE scheme that supports the hiding of the access structure. The access structure is set implicitly in the ciphertext, which is not sent along with the ciphertext. Lewko et al.¹⁶ proposed a full secure CP-ABE scheme using the dual system encryption technology under the standard model. In Lai et al.’s³ scheme, the attribute is divided into two parts: attribute name and attribute value. The attribute name can be publicized, while the attribute value is hidden. And Jin et al.¹⁷ established a CP-ABE scheme supporting partial policy hiding. The ABE scheme achieves full secure, but the access structure uses the “AND” gate structure. In order to reduce the bilinear pairwise operation and modular exponentiation involved in decryption process, other specific schemes^3,18–20 have been established. First, it is judged whether the attribute of users is matched with access policy before decryption first, if matched successfully, then the decryption operation is performed. But some of the proposed schemes^18–20 only support “AND” gate structure, and the linear pair operation and modular exponentiation are still linearly related to the number of attributes during decryption process. Moreover, the schemes are proved to be only selective secure. Lai et al.³ adopted more flexible LSSS structure, and the scheme is full secure under the standard model. But the bilinear pairing operations and modular exponentiations involved in the user testing phase and decryption phase increase linearly with the complexity of the policy. Yan et al.²¹ introduced a multi-authority ABE of partial policy hidden with dynamic policy updating. In the above schemes, the policy hiding is only to hide the attribute value, hence it is called semi-hidden policy. Hao et al.²² used the Bloom filter to achieve complete hidden, that is, neither the attribute name nor attribute value is disclosed. In addition to judging whether the attribute information is in the set, the Bloom filter can also remove the mapping function between the matrix and the attribute, making the attribute completely hidden. However, the formal implementation of attribute privacy protection is not provided in the security proof process. In addition, the function of attribute hidden completely can also be realized using the inner product predicate encryption technology.²³ Nevertheless, most of them only support the “AND” gate structure with weak expression ability, which limits in the actual application process.

Outsourced ABE

For the first time, Green et al.²⁴ proposed an outsourced ABE scheme that is secure in random oracle model. The scheme commits the decryption operation to the decryption server provider (DSP), thus the ciphertext is converted into the Elgamal type, and then delivered to users to reduce the computing cost of data user (DU). Li et al.²⁵ presented an offline/online ABE scheme, which reduces the computational overhead during the encryption phase using offline/online technology. Furthermore, “chameleon” hash function is introduced to implement verification before the decryption phase. The scheme is proved to satisfy the adaptive chosen ciphertext attack security, but the bilinear pairing operation involved in decryption process remains a large overhead for the user. Fan et al.²⁶ introduced a verifiable outsource scheme for multi-authorization in cloud-fog computing, which outsources encryption and decryption to fog nodes close to the end user. Relative to the remote CSP, fog nodes can handle data with low latency, which is ideal choice for real-time calculation of data. Zhang et al.²⁷ proposed an access control of full outsourcing scheme for the first time, in which the key generation, encryption, and decryption operations are all handled by the cloud, but it lacks a verification mechanism. Zhao et al.²⁸ proposed a verifiable full outsourcing scheme based on the original scheme.²⁷ The scheme supports verification and optimizes performance such that the computational cost does not increase significantly with the number of attributes or access policy complexity. For the issue of key leakage, Yan et al.²⁹ proposed a traceable CP-ABE scheme in a multi-domain environment.

Organization

The rest of the article is organized as follows. Some background knowledges are provided in section “Preliminaries.” The algorithm definition and security model of outsourced CP-ABE are introduced in section “System architecture and security model.” Our outsourced CP-ABE of supporting partial policy hidden is stated in section “Our construction.” The scheme’s security is analyzed in “Security proof.” The performance comparison is provided in “Performance analysis.” The article is concluded in section “Conclusion.”

Preliminaries

Composite order bilinear group

The scheme of this article is based on the design of composite order bilinear group whose order is the product of four distinct primes. Let $Φ$ be an algorithm that inputs security parameter $1^{λ}$ and outputs a tuple $(p_{1}, p_{2}, p_{3}, p_{4}, G, G_{T}, e)$ , where $p_{1}, p_{2}, p_{3}, and p_{4}$ are the four distinct primes, $G and G_{T}$ are the cycle groups of order $N = p_{1} p_{2} p_{3} p_{4}$ , and $e : G \times G \to G_{T}$ is a map function such that

Bilinear: $\forall g, h \in G, a, b \in Z_{N}, e (g^{a}, h^{b}) = e (g, g)^{ab}$ .

Non-degenerate: if $\exists g \in G$ such that the order of $e (g, g)$ is N in $G_{T}$ .

Assuming that there is an group operation in $G and G_{T}$ and the mapping function e, it is computable in polynomial time in $λ$ . Let $G_{p_{1}}, G_{p_{2}}, G_{p_{3}}, and G_{p_{4}}$ represent the subgroups of G, the subgroups have order $p_{1}, p_{2}, p_{3}, and p_{4}$ , respectively, then $G = G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}} \times G_{p_{4}}$ . If $g_{1} \in G_{p_{1}}$ , $g_{2} \in G_{p_{2}}$ , then $e (g_{1}, g_{2}) = 1$ . If the elements in the mapping function e are elements of different subgroups, the equation still hold; thus, the composite order bilinear group is said to satisfy its orthogonality.

LSSS

The secret sharing scheme on the participant set P is called the LSSS if the following conditions are met.

A vector can be formed by the secret share of each party over $Z_{p}$ .

For the secret sharing scheme $Π$ , there is a matrix M of size $ℓ \times n$ that maps each row of the matrix to an associated participant P. For $i = 1, . . ., ℓ$ , $ρ (i)$ is the party associated with the ith row of M . We first generate a column vector $v = (s, y_{2}, y_{3}, . . ., y_{n})$ , where $s \in Z_{p}$ is a shared secret and $r_{i}$ is randomly selected, $i = 2, . . ., n$ . According to scheme $Π$ , $Mv$ is $ℓ$ secret shares of the shared secret s, which indicates that $λ_{i} = (Mv)_{i}$ held the secret share by the participants $ρ (i)$ .

The LSSS has the characteristics of linear reconstruction. If $S \in A$ is an access authorization set, then there is a constant ${ω_{i} \in Z_{p}}_{i \in I}$ that let $\sum_{i \in I} ω_{i} λ_{i} = s$ hold, where $λ_{i}$ is the effective share of the secret s, $I = {i : ρ (i) \in S}$ .

Complexity assumption

The security of this article is based on the following complexity assumptions, and a detailed description of the complexity assumptions is given.

Assumption 1

Given a group generation algorithm $Φ$ , define the following distribution

\begin{matrix} (N = p_{1} p_{2} p_{3} p_{4}, G, G_{T}, e) \overset{R}{\leftarrow} Φ, g \overset{R}{\leftarrow} G_{p_{1}}, \\ X_{3} \overset{R}{\leftarrow} G_{P_{3}}, X_{4} \overset{R}{\leftarrow} G_{P_{4}}, D = (N, G, G_{T}, e, g, X_{3}, X_{4}), \\ T_{1} \overset{R}{\leftarrow} G_{p_{1}} \times G_{p_{2}}, T_{2} \overset{R}{\leftarrow} G_{p_{1}} \end{matrix}

If the advantage of adversary $A$ satisfies $Adv 1_{Φ, A} (λ) = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] |$ , then this assumption can be broken.

Definition 1

For any probability polynomial time, if $Adv 1_{Φ, A} (λ)$ is a negligible function, then the algorithm meets Assumption 1.

Assumption 2

Given a group generation algorithm $Φ$ , define the following distribution

\begin{matrix} (N = p_{1} p_{2} p_{3} p_{4}, G, G_{T}, e) \overset{R}{\leftarrow} Φ, g X_{1} \overset{R}{\leftarrow} G_{p_{1}}, \\ X_{2}, Y_{2} \overset{R}{\leftarrow} G_{p_{2}}, X_{3}, Y_{3} \overset{R}{\leftarrow} G_{P_{3}}, X_{4} \overset{R}{\leftarrow} G_{p_{4}}, \\ D = (N, G, G_{T}, e, g, X_{1} X_{2}, Y_{2} Y_{3}, X_{3}, X_{4}), \\ T_{1} \overset{R}{\leftarrow} G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}, T_{2} \overset{R}{\leftarrow} G_{p_{1}} \times G_{p_{3}} \end{matrix}

If the advantage of adversary $A$ satisfies $Adv 2_{Φ, A} (λ) = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] |$ , then this assumption can be broken.

Definition 2

For any probability polynomial time, if $Adv 2_{Φ, A} (λ)$ is a negligible function, then the algorithm meets Assumption 2.

Assumption 3

Given a group generation algorithm $Φ$ , define the following distribution

\begin{matrix} (N = p_{1} p_{2} p_{3} p_{4}, G, G_{T}, e) \overset{R}{\leftarrow} Φ, α, s \overset{R}{\leftarrow} Z_{N}, g \overset{R}{\leftarrow} G_{p_{1}}, \\ g_{2}, X_{2}, Y_{2} \overset{R}{\leftarrow} G_{p_{2}}, X_{3} \overset{R}{\leftarrow} G_{p_{3}}, X_{4} \overset{R}{\leftarrow} G_{p_{4}}, \\ D = (N, G, G_{T}, e, g, g_{2}, g^{α} X_{2}, g^{s} Y_{2}, X_{3}, X_{4}), \\ T_{1} = e (g, g)^{α s}, T_{2} \overset{R}{\leftarrow} G_{T} \end{matrix}

If the advantage of adversary $A$ satisfies $Adv 3_{Φ, A} (λ) = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] |$ , then this assumption can be broken.

Definition 3

For any probability polynomial time, if $Adv 3_{Φ, A} (λ)$ is a negligible function, then the algorithm meets Assumption 3.

Assumption 4

Given a group generation algorithm $Φ$ , define the following distribution

\begin{matrix} (N = p_{1} p_{2} p_{3} p_{4}, G, G_{T}, e) \overset{R}{\leftarrow} Φ, t', \\ r' \overset{R}{\leftarrow} Z_{N}, g, h \overset{R}{\leftarrow} G_{p_{1}}, g_{2}, X_{2}, A_{2}, B_{2}, D_{2} \overset{R}{\leftarrow} G_{p_{2}}, \\ X_{3} \overset{R}{\leftarrow} G_{p_{3}}, X_{4}, Z, A_{4}, D_{4} \overset{R}{\leftarrow} G_{p_{4}}, \\ D = (N, G, G_{T}, e, g, g_{2}, g^{t'} B_{2}, h^{t'} Y_{2}, X_{3}, X_{4}, hZ, g^{r'} D_{2} D_{4}), \\ T_{1} = h^{r'} A_{2} A_{4}, T_{2} \overset{R}{\leftarrow} G_{p_{1}} \times G_{p_{2}} \times G_{p_{4}} \end{matrix}

If the advantage of adversary $A$ satisfies $Adv 4_{Φ, A} (λ) = | \Pr [A (D, T_{1}) = 1] - \Pr [A (D, T_{2}) = 1] |$ , then this assumption can be broken.

Definition 4

For any probability polynomial time, if $Adv 4_{Φ, A} (λ)$ is a negligible function, then the algorithm meets Assumption 4.

System architecture and security model

System model

The system model proposed in this article is shown in Figure 1, including DO, storage service provider (SSP), DSP, DU, and attribute authority (AA).

Figure 1.

System model of outsourced ABE.

The DO specifies an access policy and performs an encryption algorithm on the data using the public parameter (PK) generated by AA, which generates a complete ciphertext (CT), and outsources the policy of the hiding of attribute value along with the ciphertext (CT) to the cloud server.

The DU can access the ciphertext file in the cloud server and download the ciphertext from the SSP. Due to the terminal device of limited resources, the module exponent and the bilinear pairing operation involved in the decryption process are performed by the DSP that uses the transformed key (TK) generated by the AA. The DSP generates the transformed ciphertext and sends it to the DU. The DU verifies the computing result returned by the DSP and decrypts it with the secret key (SK) saved by itself and recovers the plaintext.

Algorithm definition

This article assumes that collusion does not occur between servers. AA is a key distribution center and is completely trusted. The algorithm contained in the scheme consists of the following six algorithms.

$Setup (1^{λ}) \to (PK, MSK)$ : Create the public parameter (PK) and the master secret key (MSK) upon inputting security parameter $λ$ .

$KeyGen (PK, MSK, ς) \to S K'$ : The algorithm returns the secret key $S K'$ by inputting the public parameter (PK), the master secret key (MSK), and the attribute set $ς$ .

$Encrypt (PK, m, (M, ρ, ψ)) \to CT$ : Generate a ciphertext (CT) upon receiving public parameter (PK), message m, and access control policy $(M, ρ, ψ)$ as input, where $ψ$ is the set of attribute value that is sent along with CT to CSP.

$KeyGe n_{out} (S K', z) \to (TK, SK)$ : The algorithm outputs the transformed key (TK) for outsourcing decryption and the secret key (SK) of decryption by inputting $S K'$ and selecting a random value $z \in Z_{N}^{*}$ .

$T rans for m_{out} (TK, CT) \to C T'$ : Generate partial decryption ciphertext $C T'$ by inputting the transformed key (TK) and the ciphertext (CT).

$Decrypt (SK, C T') \to m$ : The plaintext m is recovered by inputting the secret key (SK) of user’s local decryption and partially decryption ciphertext $C T'$ .

Security model

We define the security model of this article through the security game between simulator $B$ and adversary A. The game process is as follows:

Setup: Challenger $B$ performs the Setup algorithm and outputs the public parameter (PK) and the master secret key (MSK) to the adversary $A$ .

Phase 1: The adversary $A$ adaptively issues a polynomial bounded key query to the key generation oracle, query as follows:

$O_{KeyGen}$ : The adversary submits the attribute set $ς$ , and the simulator executes the $KeyGe n_{out}$ algorithm to output the secret key $S K_{ς}$ , which will be transmitted to adversary $A$ .

Challenge: Adversary $A$ submits to simulator $B$ two equal length messages $m_{0} and m_{1}$ and two access policies ${A'}_{0} = (M, ρ, ψ_{0})$ and ${A'}_{1} = (M, ρ, ψ_{1})$ with the restriction that none of them can be satisfied by any of the queried attribute sets in phase 1. $B$ flips a random coin $β \in {0, 1}$ and outputs the challenge ciphertext $C T_{β}$ under the access policy $A = (M, ρ, ψ_{β})$ to $A$ .

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ .

Guess: The adversary $A$ outputs the guess value $β' = {0, 1}$ , and if $β' = β$ , then the adversary $A$ wins the game.

Our construction

The verifiable outsourced ABE scheme proposed that supports policy hiding in the cloud environment is based on the scheme of Zhang et al.,⁷ which can realize the attribute hiding in the policy and support the outsourced decryption procession. The scheme is composed of the following seven algorithms, and the detailed description of each algorithm is as follows:

1. Initialization: AA performs group generation algorithm $Φ (1^{λ})$ , receives a security parameter $λ$ as input, outputs $(N, p_{1}, p_{2}, p_{3}, p_{4}, G, G_{T}, e)$ , and sets the attribute universe $U = Z_{N}$ .

2. Setup ( $1^{λ}$ ): AA selects $α, a \in {{}_{R}Z}_{N}$ , $g, h \in {{}_{R}G}_{p_{1}}, X_{3} \in {{}_{R}G}_{p_{3}}, Z, X_{4} \in {{}_{R}G}_{p_{4}}$ , computes $H = h \cdot Z$ , sets two hash functions $H_{1} : {0, 1}^{*} \to Z_{N}$ , $H_{2} : {0, 1}^{*} \to {0, 1}^{λ}$ simultaneously, and finally outputs the system $PK = (N, g, g^{a}, e (g, g)^{α}, H, X_{4}, H_{1}, H_{2})$ and the master secret key $MSK = (α, h, X_{3})$ .

The user attribute set is defined as $ς = (χ_{S}, S)$ , where $χ_{S}$ represents the attribute name index, $χ_{S} \subseteq Z_{N}$ , and $S = {s_{i}}_{i \in χ_{S}}$ represents the attribute value set.

3. KeyGen $(PK, MSK, ς)$ : The algorithm chooses $t \in {{}_{R}Z}_{N}$ and $R, R', R_{i} \in {{}_{R}G}_{p_{3}}$ , where $i \in χ_{S}$ , then returns $S K' = (K' = g^{α} \cdot g^{at} R, L' = g^{t} R', {K_{i}' = (g^{s_{i}} h)^{t} \cdot R_{i}}_{i \in χ_{S}})$ .

4. Encrypt (PK, m, $A$ ): The DO specifies the access policy $A = (M, ρ, Ψ)$ , where $M$ is a matrix of $ℓ \times n$ , and $ρ$ is a function that maps the xth row of the matrix $M_{x}$ to the attribute name index. And $Ψ = (t_{ρ (1)}, t_{ρ (2)}, \dots t_{ρ (ℓ)}) \in Z_{N}^{ℓ}$ is the attribute value set associated with access policy $(M, ρ)$ .

The algorithm selects $r \in G_{T}$ and computes $s = H_{1} (r, m)$ and $F = H_{2} (r)$ . Taking the system public parameter (PK) and message m, the DO can receive $C = r \cdot e (g, g)^{α s}, C' = g^{s}, C^{″} = m \oplus R$ . Then, select a vector $v = (s, v_{1}, v_{2}, \dots v_{n})$ , $r_{x} \in {{}_{R}Z}_{N}, Z_{c, x}, and Z_{d, x} \in {{}_{R}G}_{p_{4}}$ , compute $C_{1, x} = g^{a \cdot M_{x} \cdot v} \cdot (g^{t_{ρ (x)}} H)^{- r_{x}} \cdot Z_{c, x}$ , $D_{1, x} = g^{r_{x}} \cdot Z_{d, x}$ , and finally generate ciphertext $CT = ((M, ρ), C, C', C ″, {C_{1, x}, D_{1, x}}_{1 \leq x \leq ℓ})$ .

5. $KeyGe n_{out} (S K', z)$ : The algorithm inputs $SK' = (K' = g^{α} \cdot g^{at} R, L' = g^{t} R', {K'_{i} = (g^{s_{i}} h)^{t} \cdot R_{i}}_{i \in χ_{S}})$

generated by running the KeyGen algorithm then selects $z \in {{}_{R}Z}_{N}$ to obtain transformed key $TK = (K = K'^{1 / z} = g^{α / z} \cdot g^{at / z} R^{1 / z}, L = L'^{1 / z} = g^{t / z} R'^{1 / z}, {K_{i} = K_{i}'^{1 / z} = (g^{s_{i}} h)^{t / z} \cdot {R_{i}}^{1 / z}}_{i \in χ_{S}})$ and user’s secret key $SK = (z, TK)$ .

6. $Transfor m_{out} (TK, CT)$ : After receiving the transformed key (TK) and the ciphertext (CT), if the attributes set $ς$ satisfies access policy A, there is a subset $χ \in I_{(M, ρ)}$ that satisfies ${ρ (i) | i \in χ} \subseteq χ_{S}$ , where $I_{(M, ρ)} \subseteq {1, 2, \dots, ℓ}$ denotes the subset of ${1, 2, \dots, ℓ}$ that meets $(M, ρ)$ , then there exists a set of constants ${ω_{i}}_{i \in χ}$ such that $\sum_{i \in χ} ω_{i} λ_{i} = s$ holds, $λ_{i}$ is the valid share of the secret s. The procedure of transformed ciphertext $C T_{transform}$ follows the steps below.

\begin{matrix} C T_{transform} = \frac{e (C', K)}{Π_{i \in χ} {(e (C_{1, i}, L) \cdot e (D_{1, i}, K_{ρ (i)}))}^{ω_{i}}} \\ = e (g, g)^{α s / z} \end{matrix}

Finally, gain partial ciphertext $C T' = (C, C^{″}, C T_{transform})$ .

7. $Decrypt (SK, C T') :$ The algorithm is run by DU, which takes $C T' = (C, C^{″}, C T_{transform})$ and SK as input, then computes $r = C / {CT}_{transform}^{z}, m = C \oplus H_{1} (r)$ and $s = H_{1} (r, m)$ . If $C = r \cdot e (g, g)^{α s}$ , $C T_{transform} = e (g, g)^{α s / z}$ , then it indicates that the result returned by the cloud server is correct, and the plaintext m is output finally.

Security proof

Theorem 1

If the Assumptions 1–4 hold, then the proposed scheme based on the defined security model is proved to be full secure and satisfy CPA security.

The security proof of the scheme is similar to the literature,³ that is, the dual system encryption technology is used to prove its security. First, define two semi-functional structures: semi-functional ciphertext and semi-functional key. The normal secret key can decrypt normal ciphertext and semi-functional ciphertext, but the semi-functional secret key cannot decrypt semi-functional ciphertext. And semi-functional key and semi-functional ciphertext are only used in security proof and do not appear in actual systems.

Semi-functional ciphertext: We set the $C T_{normal} = ((M, ρ), C, C', C^{″}, {C_{1, x}, D_{1, x}}_{1 \leq x \leq ℓ})$ as the normal ciphertext and select the generator $g_{2}$ of the subgroup $G_{p_{2}}$ , $c' \in {{}_{R}Z}_{N}$ , $ω' \in {{}_{R}Z}_{N}^{n}$ , and $z_{i} \in {{}_{R}Z}_{N}$ associated with the attribute, $γ_{x} \in {{}_{R}Z}_{N}$ related to the number of matrix rows $M_{x}$ . We can set the semi-functional ciphertext $C T_{semi} = (C, C', {C_{1, x}, D_{1, x}}_{1 \leq x \leq ℓ})$ , where

\begin{matrix} C = r \cdot e (g, g)^{α s}, C' = g^{s} \cdot {g_{2}}^{c'} \\ C_{1, x} = g^{a \cdot M_{x} \cdot v} \cdot (g^{t_{ρ (x)}} H)^{- r_{x}} \cdot Z_{c, x} \cdot {g_{2}}^{M_{x} \cdot ω' + γ_{x} \cdot z_{ρ (x)}} \\ D_{1, x} = g^{r_{x}} \cdot Z_{d, x} \cdot {g_{2}}^{- γ_{x}} \end{matrix}

Semi-functional key: we set $S K_{normal} = (z, PK, K = g^{α / z} \cdot g^{at / z} R, L = g^{t / z} R^{'^{1 / z}}, {K_{i} = (g^{s_{i}} h)^{t / z} \cdot {R_{i}}^{1 / z}}_{i \in χ_{S}})$ and select $d_{1}, d_{2}, {d_{i}}_{i \in χ_{S}} \in {{}_{R}Z}_{N}$ . The semi-functional key may be one of the following three cases:

Semi-functional key of type 1

(\begin{matrix} K_{1} = g^{α / z} \cdot g^{at / z} R \cdot {g_{2}}^{d_{1}}, L = g^{t / z} R^{'^{1 / z}} \cdot {g_{2}}^{d_{2}} \\ {K_{i} = (g^{s_{i}} h)^{t / z} \cdot {R_{i}}^{1 / z} \cdot {g_{2}}^{d_{2} \cdot z_{i}}}_{i \in χ_{S}} \end{matrix})

Semi-functional key of type 2

(\begin{matrix} K_{1} = g^{α / z} \cdot g^{at / z} R \cdot {g_{2}}^{d_{1}}, L = g^{t / z} R^{'^{1 / z}} \\ {K_{i} = (g^{s_{i}} h)^{t / z} \cdot {R_{i}}^{1 / z}}_{i \in χ_{S}} \end{matrix})

Semi-functional key of type 3

(\begin{matrix} K_{1} = g^{α / z} \cdot g^{at / z} R \cdot {g_{2}}^{d_{1}}, L = g^{t / z} R^{'^{1 / z}} \cdot {g_{2}}^{d_{2}} \\ {K_{i} = (g^{s_{i}} h)^{t / z} \cdot {R_{i}}^{1 / z} \cdot {g_{2}}^{d_{i}}}_{i \in χ_{S}} \end{matrix})

The proof of this article’s security is based on the Assumptions 1–4 and is demonstrated through a series of games, now we define the following games:

$Gam e_{0}$ : In the first game, all ciphertext and keys are normal.

$Gam e_{r}$ : As the second game, the challenge ciphertext is semi-functional, and all keys are normal and $Gam e_{r}$ represent $Gam e_{0, 3}$ .

The number of key query between the simulator and adversary is set to q. We define the following game, where $q \in [1, q]$ .

$Gam e_{k, 1}$ : In this game, the challenge ciphertext is semi-functional, the first k − 1 keys are semi-functional of type 3, the kth key is semi-functional of type 1, and the latter keys are normal.

$Gam e_{k, 2}$ : In this game, the challenge ciphertext is semi-functional, the first k − 1 keys are semi-functional of type 3, the kth key is semi-functional of type 2, and the latter keys are normal.

$Gam e_{k, 3}$ : In this game, the challenge ciphertext is semi-functional, the first k keys are semi-functional of type 3 and the latter keys are normal. Note that the challenge ciphertext in the $Gam e_{q, 3}$ is semi-functional, and all keys are semi-functional of type 3.

$Gam e_{F_{0}}$ : In this game, the challenge ciphertext is a semi-functional ciphertext generated by selecting an encrypted message from $m_{0} and m_{1}$ given the adversary, and all keys are semi-functional of type 3.

$Gam e_{F_{1}}$ : The last game is the same as $Gam e_{F_{0}}$ , except that $C_{1, x}$ in the challenge ciphertext is the random elements in the group $G_{p_{1}} \times G_{p_{2}} \times G_{p_{4}}$ . However, the challenge ciphertext in the game is one of the opponents randomly selected in $[ψ_{0}, ψ_{1}]$ , so the advantage of the adversary $A$ is 0.

We can prove that these games are indistinguishable based on Lemmas 1–6. If the Assumptions 1–4 hold, it can be proved that $Gam e_{real}$ and $Gam e_{F 1}$ are indistinguishable, so the adversary does not exist to break this solution with a non-negligible advantage.

Lemma 1

Suppose the algorithm $Φ$ satisfies Assumption 1, then the $Gam e_{real}$ and $Gam e_{0}$ are computationally indistinguishable.

Proof

If there exists an advantage of adversary $A$ such that $| Gam e_{real} Ad v_{A} - Gam e_{0} Ad v_{A} | = ε$ in $Gam e_{real}$ and $Gam e_{0}$ , then we can construct a simulator $B$ to break Assumption 1 with $Adv 1_{Φ, A} (λ) = ε$ . $B$ gets $g, X_{3}, X_{4}, T$ and simulates $Gam e_{real}$ or $Gam e_{0}$ with adversary $A$ .

Phase 1: $B$ has the response of $A$ ’s key request. Since $B$ knows the master secret key $MSK = (α, h, X_{3})$ , it can generate a normal key through the key generation algorithm.

Challenge: Adversary $A$ submits to simulator $B$ two equal length messages $m_{0} and m_{1}$ and two access policies ${A'}_{0} = (M, ρ, ψ_{0})$ and ${A'}_{1} = (M, ρ, ψ_{1})$ with the restriction that none of them can be satisfied by any of the queried attribute sets in phase 1. Let $ψ_{β} = (t_{ρ (1)}, t_{ρ (2)}, \dots, t_{ρ (ℓ)})$ . $B$ flips a random coin $β \in {0, 1}$ and performs the following steps:

1. $B$ creates $\tilde{v} = (1, {\tilde{v}}_{2}, \dots, {\tilde{v}}_{n})$ , where ${\tilde{v}}_{i} \in {{}_{R}Z}_{N}$ and $2 \leq i \leq n$ .

2. $B$ selects ${\tilde{r}}_{x} \in {{}_{R}Z}_{N}, {\hat{s}}_{x} = (a_{0} + t_{ρ (x)})^{- 1}$ , ${\tilde{Z}}_{c, x}, Z_{d, x} \in {{}_{R}G}_{p_{4}}$ , where $1 \leq x \leq ℓ$ .

3. $B$ selects $\tilde{s} \in {{}_{R}Z}_{N}$ , lets $ψ_{β} = (t_{ρ (1)}, t_{ρ (2)}, \dots, t_{ρ (ℓ)})$ and obtains $r_{β}$ associated the $m_{β}$ , then it does the following calculations

\begin{matrix} C = r_{β} \cdot e (g^{α}, T), C' = T, C^{″} = m_{β} \oplus F \\ C_{1, x} = T^{a M_{x} \cdot {\tilde{v}}_{i}} T^{- (a_{0} + t_{ρ (x)}) \tilde{r}} {\tilde{Z}}_{c, x}, D_{1, x} = T^{{\tilde{r}}_{x}} Z_{d, x} \end{matrix}

4. $B$ sets the challenge ciphertext as $C T_{β} = ((M, ρ), C, C', C^{″}, {C_{1, x}, D_{1, x}}_{1 \leq x \leq ℓ})$ and sends it to $A$ . If $T \leftarrow G_{p_{1}} \times G_{p_{2}}$ , let $T = g^{s} g_{2}^{c}$ , then

\begin{matrix} C = r_{β} e (g, g)^{α s}, C' = g^{s} g_{2}^{c} \\ C_{1, x} = T^{a M_{x} \cdot {\tilde{v}}_{i}} T^{- (a_{0} + t_{ρ (x)}) \tilde{r}} {\tilde{Z}}_{c, x} {g_{2}}^{M_{x} \cdot ω + γ_{x} \cdot z_{ρ (x)}} \\ D_{1, x} = T^{{\tilde{r}}_{x}} Z_{d, x} {g_{2}}^{- γ_{x}} \end{matrix}

where

\begin{matrix} v = s \tilde{v}, v_{1} = s, r_{x} = s {\tilde{r}}_{x}, Z_{c, x} = Z^{s {\tilde{r}}_{x}} {\tilde{Z}}_{c, x} \\ z_{ρ (x)} = a_{0} + t_{ρ (x)}, ω = ca \tilde{v}, γ_{x} = - c {\tilde{r}}_{x} \end{matrix}

Hence, this challenge ciphertext is semi-functional and $B$ simulates game $Gam e_{0}$ , if $T \leftarrow G_{p_{1}}$ , then $B$ simulates $Gam e_{real}$ and it is normal ciphertext.

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ . Note that, if $T \leftarrow G_{p_{1}} \times G_{p_{2}}$ , then $B$ simulates $Gam e_{0}$ ; if $T \leftarrow G_{p_{1}}$ , then $B$ simulates $Gam e_{Re al}$ . Finally, $B$ can distinguish T and $Adv 1_{Φ, A} (λ) = ε$ according to the output of $A$ .

Lemma 2

Suppose the algorithm $Φ$ satisfies Assumption 2, then the $G am e_{k - 1, 3}$ and $Gam e_{k, 1}$ are computationally indistinguishable.

Proof

If there exists an advantage of adversary $A$ such that $| Gam e_{k - 1, 3} Ad v_{A} - Gam e_{k, 1} Ad v_{A} | = ε$ in $Gam e_{k - 1, 3}$ and $Gam e_{k, 1}$ , then we can construct a simulator $B$ to break Assumption 2 with $Adv 1_{Φ, A} (λ) = ε$ . $B$ gets $g, X_{1} X_{2}, Y_{2} Y_{3}, X_{3}, X_{4}, and T$ and simulates $Gam e_{k - 1, 3}$ or $Gam e_{k, 1}$ with adversary $A$ .

Setup: $B$ chooses $α, a, a_{0} \in {{}_{R}Z}_{N}$ , and $Z \in {{}_{R}G}_{p_{4}}$ , then sets $Y = e (g, g)^{α}, h = g^{a_{0}}, and H = h \cdot Z$ and sends the system public parameter (PK) to $A$ . $B$ has the response of $A$ ’s key query. Since $B$ knows the master secret key, it can generate a normal key through the key generation algorithm.

Phase 1: $B$ answers the jth secret key query associated with attribute set $ς = (χ_{S}, S)$ . The procedure is as follow:

1. For $j < k$ , $B$ selects $t, \tilde{d}, \tilde{d}' \in {{}_{R}Z}_{N}$ , ${{\tilde{d}}_{i} \in {{}_{R}Z}_{N}}_{i \in χ_{S}}$ and creates a semi-functional key of type 3. The specific steps are as follows

\begin{matrix} K = g^{α} g^{at} (Y_{2} Y_{3})^{\tilde{d}}, L = g^{t} (Y_{2} Y_{3})^{\tilde{d}'} \\ {K_{i} = (g^{s_{i}} h)^{t} (Y_{2} Y_{3})^{{\tilde{d}}_{i}}}_{i \in χ_{S}} \end{matrix}

Note that it is semi-functional of type 3, because the value of $t, \tilde{d}, \tilde{d}' \in {{}_{R}Z}_{N}$ modulo $p_{2}$ is not uncorrelated to the value of the modulo $p_{3}$ .

2. For $j > k$ , because $B$ knows the master secret key $MSK = (α, h, X_{3})$ , it can generate normal key through the key generation algorithm.

3. $B$ responds to the kth secret key query and randomly selects $\tilde{R}, \tilde{R}', {\tilde{R}}_{i} \in {{}_{R}Z}_{p_{3}}$ , where $i \in χ_{S}$ , then computes $K = g^{α} T^{a} \tilde{R}', L = T \tilde{R}', and {K_{i} = T^{a_{0} + s_{i}} {\tilde{R}}_{i}}_{i \in χ_{S}}$ . The procession is as follow:

(a) If $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , let $T = g^{t} {g_{2}}^{d'} \hat{R}$ , then generate semi-functional key of type 1

\begin{matrix} K = g^{α} g^{at} {Rg}_{2}^{d'}, L = g^{t} R' g_{2}^{d'} \\ {K_{i} = (g^{s_{i}} h)^{t} R_{i} g_{2}^{d' z_{i}}}_{i \in χ_{S}} \end{matrix}

where

\begin{matrix} R = {\hat{R}}^{a} \tilde{R}, d = a d', R' = \hat{R} \tilde{R}' \\ R_{i} = {\hat{R}}^{a_{0} + s_{i}} {\tilde{R}}_{i}, z_{i} = a_{0} + s_{i} \end{matrix}

Note that the value of $a, a_{0}, s_{i}$ modulo $p_{2}$ is not uncorrelated to the value of the modulo $p_{3}$ .

(b) If $T \leftarrow G_{p_{1}} \times G_{p_{3}}$ , it is normal key.

Challenge: Adversary $A$ submits to simulator $B$ two equal length messages $m_{0} and m_{1}$ and two access policies ${A'}_{0} = (M, ρ, ψ_{0})$ , ${A'}_{1} = (M, ρ, ψ_{1})$ with the restriction that none of them can be satisfied by any of the queried attribute sets in Phase 1. $B$ flips a random coin $β \in {0, 1}$ and performs the following steps:

1. $B$ creates $\tilde{v} = (1, {\tilde{v}}_{2}, \dots, {\tilde{v}}_{n})$ , where ${\tilde{v}}_{i} \in {{}_{R}Z}_{N}$ , $2 \leq i \leq n$ .

2. $B$ selects ${\tilde{r}}_{x} \in {{}_{R}Z}_{N}, {\hat{s}}_{x} = (a_{0} + t_{ρ (x)})^{- 1}$ , ${\tilde{Z}}_{c, x}, and Z_{d, x} \in {{}_{R}G}_{p_{4}}$ , where $1 \leq x \leq ℓ$ .

3. $B$ selects $\tilde{s} \in {{}_{R}Z}_{N}$ and obtains $r_{β}$ associated the $m_{β}$ , then it does the following calculations

\begin{matrix} C = r_{β} \cdot e (g^{α}, X_{1} X_{2}), C' = X_{1} X_{2}, C ″ = m_{β} \oplus F \\ C_{1, x} = X_{1} {X_{2}}^{a M_{x} \cdot {\tilde{v}}_{i}} X_{1} {X_{2}}^{- (a_{0} + t_{ρ (x)}) \tilde{r}} {\tilde{Z}}_{c, x} \\ D_{1, x} = X_{1} {X_{2}}^{{\tilde{r}}_{x}} Z_{d, x} \end{matrix}

\begin{matrix} C = r_{β} e (g, g)^{α s}, C' = g^{s} g_{2}^{c} \\ C_{1, x} = T^{a M_{x} \cdot {\tilde{v}}_{i}} T^{- (a_{0} + t_{ρ (x)}) \tilde{r}} {\tilde{Z}}_{c, x} {g_{2}}^{M_{x} \cdot ω + γ_{x} \cdot z_{ρ (x)}} \\ D_{1, x} = T^{{\tilde{r}}_{x}} Z_{d, x} {g_{2}}^{- γ_{x}} \end{matrix}

where

\begin{matrix} v = s \tilde{v}, v_{1} = s, r_{x} = s {\tilde{r}}_{x}, Z_{c, x} = Z^{s {\tilde{r}}_{x}} {\tilde{Z}}_{c, x} \\ z_{ρ (x)} = a_{0} + t_{ρ (x)}, ω = ca \tilde{v}, γ_{x} = - c {\tilde{r}}_{x} \end{matrix}

We know this challenge ciphertext is semi-functional and the value of $a, a_{0}, {t_{ρ (x)}}_{1 \leq x \leq ℓ}, \tilde{s}, {{\tilde{v}}_{i}}_{1 \leq x \leq ℓ}, and {{\tilde{r}}_{x}}_{1 \leq x \leq ℓ}$ modulo $p_{1}$ is not uncorrelated to the value of the modulo $p_{2}$ .

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ . Note that, if $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{k, 1}$ ; if $T \leftarrow G_{p_{1}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{k - 1, 3}$ . Finally, $B$ can distinguish T and $Adv 2_{Φ, A} (λ) = ε$ according to the output of $A$ .

Lemma 3

Suppose the algorithm $Φ$ satisfies Assumption 2, then the $Gam e_{k, 1}$ and $Gam e_{k, 2}$ are computationally indistinguishable.

Proof

If there exists an advantage of adversary $A$ such that $| Gam e_{k, 1} Ad v_{A} - Gam e_{k, 2} Ad v_{A} | = ε$ in $Gam e_{k, 1}$ and $Gam e_{k, 2}$ , then we can construct a simulator $B$ to break Assumption 2 with $Adv 2_{Φ, A} (λ) = ε$ . $B$ gets $g, X_{1} X_{2}, Y_{2} Y_{3}, X_{3}, X_{4}, and T$ and simulates $Gam e_{k, 1}$ or $Gam e_{k, 2}$ with adversary $A$ .

Setup: $B$ chooses $α, a, a_{0} \in {{}_{R}Z}_{N}$ , and $Z \in {{}_{R}G}_{p_{4}}$ , then sets $Y = e (g, g)^{α}, h = g^{a_{0}}, and H = h \cdot Z$ and sends the system public parameter (PK) to $A$ . $B$ has the response of $A$ ’s key request. Since B knows the master secret key $MSK = (α, h, X_{3})$ , it can generate a normal key through the key generation algorithm.

Phase 1: $B$ answers the jth secret key query associated with attribute set $ς = (χ_{S}, S)$ . The first k − 1 type 3 semi-functional keys and the kth and the following are constructed as normal keys according to the method of Lemma 2.

Similarly, to answer the kth key request, $B$ additionally selects $τ \in {{}_{R}Z}_{N}$ , and sets $K = g^{α} T^{a} \tilde{R} (Y_{2} Y_{3})^{τ}, L = T \tilde{R}',$ and ${K_{i} = T^{a_{0} + s_{i}} {\tilde{R}}_{i}}_{i \in χ_{S}}$ . The reason of making this change is to add $(Y_{2} Y_{3})^{τ}$ term which randomizes the $G_{p_{2}}$ part of the key component K. If $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , it is semi-functional key of type 1; if $T \leftarrow G_{p_{1}} \times G_{p_{3}}$ , it is semi-functional key of type 2.

Challenge: Same as Lemma 2.

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ . Note that, if $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{k, 1}$ ; if $T \leftarrow G_{p_{1}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{k, 2}$ . Finally, $B$ can distinguish T and $Adv 2_{Φ, A} (λ) = ε$ according to the output of $A$ .

Lemma 4

Suppose the algorithm $Φ$ satisfies Assumption 2, then the $Gam e_{k, 2}$ and $Gam e_{k, 3}$ are computationally indistinguishable.

Proof

If there exists an advantage of adversary $A$ such that $| Gam e_{k, 2} Ad v_{A} - Gam e_{k, 3} Ad v_{A} | = ε$ in $Gam e_{k, 2}$ and $Gam e_{k, 3}$ , then we can construct a simulator $B$ to break Assumption 2 with $Adv 2_{Φ, A} (λ) = ε$ . $B$ gets $g, X_{1} X_{2}, Y_{2} Y_{3}, X_{3}, X_{4}, and T$ and simulates $Gam e_{k, 2}$ or $Gam e_{k, 3}$ with adversary $A$ .

Setup: $B$ chooses $α, a, a_{0} \in {{}_{R}Z}_{N}$ , and $Z \in {{}_{R}G}_{p_{4}}$ , then sets $Y = e (g, g)^{α}, h = g^{a_{0}}, and H = h \cdot Z$ and sends the system public parameter (PK) to $A$ . $B$ has the response of $A$ ’s key request. Since $B$ knows the master secret key $MSK = (α, h, X_{3})$ , it can generate a normal key through the key generation algorithm.

$B$ responds to the kth secret key query and randomly selects $r, τ \in {{}_{R}Z}_{N}, \tilde{R}, \tilde{R}', and {\tilde{R}}_{i} \in {{}_{R}Z}_{p_{3}}$ , where $i \in χ_{S}$ , then computes $K = g^{α} T^{ra} \tilde{R} (Y_{2} Y_{3})^{τ}, L = T^{r} \tilde{R}', {K_{i} = T^{(a_{0} + s_{i}) r} {\tilde{R}}_{i}}_{i \in χ_{S}}$ . The procession is as follow:

(a) If $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , let $T = g^{t'} {g_{2}}^{\tilde{d}} \hat{R}$ , then generate semi-functional key of type 3

K = g^{α} g^{at} {Rg}_{2}^{d}, L = g^{t} R' g_{2}^{d'}, {K_{i} = (g^{s_{i}} h)^{t} R_{i} g_{2}^{d_{i}}}_{i \in χ_{S}}

where

\begin{matrix} t = rt', g_{2}^{d} = g_{2}^{ar \tilde{d}} Y_{2}^{τ}, R = {\hat{R}}^{ar} \tilde{R} Y_{3}^{τ}, \\ d' = r \tilde{d}, R' = {\hat{R}}^{r} \tilde{R}' \\ R_{i} = {\hat{R}}^{(a_{0} + s_{i})} {\tilde{R}}_{i}, d_{i} = r (a_{0} + s_{i}) \tilde{d} \end{matrix}

Note that the value of $τ$ modulo $p_{2}$ is not uncorrelated to its value modulo $p_{3}$ .

(b) If $T \leftarrow G_{p_{1}} \times G_{p_{3}}$ , it is semi-functional key of type 2.

Challenge: Same as Lemma 2.

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ . Note that, if $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{k, 2}$ ; if $T \leftarrow G_{p_{1}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{k, 3}$ . Finally, $B$ can distinguish T and $Adv 2_{Φ, A} (λ) = ε$ according to the output of $A$ .

Lemma 5

Suppose the algorithm $Φ$ satisfies Assumption 3, then the $G am e_{q, 3}$ and $Gam e_{F_{0}}$ are computationally indistinguishable.

Proof

If there exists an advantage of adversary $A$ such that $| Gam e_{q, 3} Ad v_{A} - Gam e_{F 0} Ad v_{A} | = ε$ in $Gam e_{q, 3}$ and $Gam e_{F 0}$ , then we can construct a simulator B to break Assumption 3 with $Adv 3_{Φ, A} (λ) = ε$ . $B$ gets $g, g_{2}, X_{1} X_{2}, Y_{2} Y_{3}, X_{3}, X_{4}, and T$ and simulates $Gam e_{q, 3}$ or $Gam e_{F 0}$ with adversary $A$ .

Phase 1: $B$ answers the secret key query associated with attribute set $ς = (χ_{S}, S)$ and selects $t, \tilde{d}, d' \in {{}_{R}Z}_{N}, {d_{i} \in {{}_{R}Z}_{N}}_{i \in χ_{S}}, \tilde{R}, \tilde{R}', and {\tilde{R}}_{i} \in {{}_{R}G}_{p_{3}}$ . Then, semi-functional key of type 3 is created as follows

\begin{matrix} K = (g^{α} X_{2}) g^{at} {Rg}_{2}^{\tilde{d}} = g^{α} g^{at} {Rg}_{2}^{d} \\ L = g^{t} R' g_{2}^{d'}, {K_{i} = (g^{s_{i}} h)^{t} R_{i} g_{2}^{d_{i}}}_{i \in χ_{S}} \end{matrix}

where $g_{2}^{d} = X_{2} g_{2}^{\tilde{d}}$ .

Challenge: Adversary $A$ submits to simulator $B$ two equal length messages $m_{0} and m_{1}$ and two access policies ${A'}_{0} = (M, ρ, ψ_{0})$ and ${A'}_{1} = (M, ρ, ψ_{1})$ with the restriction that none of them can be satisfied by any of the queried attribute sets in Phase 1. $B$ flips a random coin $β \in {0, 1}$ and performs the following steps:

1. $B$ creates $\tilde{v} = (1, {\tilde{v}}_{2}, \dots, {\tilde{v}}_{n})$ , where ${\tilde{v}}_{i} \in {{}_{R}Z}_{N}$ , $2 \leq i \leq n$ .

2. $B$ selects ${\tilde{r}}_{x} \in {{}_{R}Z}_{N}, {\hat{s}}_{x} = (a_{0} + t_{ρ (x)})^{- 1}$ , ${\tilde{Z}}_{c, x}, and Z_{d, x} \in {{}_{R}G}_{p_{4}}$ , where $1 \leq x \leq ℓ$ .

3. $B$ selects $\tilde{s} \in {{}_{R}Z}_{N}$ , lets $ψ_{β} = (t_{ρ (1)}, t_{ρ (2)}, \dots, t_{ρ (ℓ)})$ , and obtains $r_{β}$ associated the $m_{β}$ , then it does the following calculations

\begin{matrix} C = r_{β} \cdot T, C' = g^{s} Y_{2}, C ″ = m_{β} \oplus F \\ C_{1, x} = (g^{s} Y_{2})^{a M_{x} \cdot {\tilde{v}}_{i}} (g^{s} Y_{2})^{- (a_{0} + t_{ρ (x)}) {\tilde{r}}_{x}} {\tilde{Z}}_{c, x} \\ D_{1, x} = (g^{s} Y_{2})^{{\tilde{r}}_{x}} Z_{d, x} \end{matrix}

4. $B$ sets the challenge ciphertext as $C T_{β} = ((M, ρ), C, C', C ″, {C_{1, x}, D_{1, x}}_{1 \leq x \leq ℓ})$ and sends it to $A$ . If $g^{s} Y_{2} = g^{s} g_{2}^{c}$ , then

\begin{matrix} C = r_{β} e (g, g)^{α s}, C' = g^{s} g_{2}^{c} \\ C_{1, x} = T^{a M_{x} \cdot v} (g^{t_{ρ (x)}} H)^{- r_{x}} {\tilde{Z}}_{c, x} {g_{2}}^{M_{x} \cdot ω + γ_{x} \cdot z_{ρ (x)}} \\ D_{1, x} = (g^{s} Y_{2})^{{\tilde{r}}_{x}} Z_{d, x} = g^{r_{x}} Z_{d, x} {g_{2}}^{- γ_{x}} \end{matrix}

where

\begin{matrix} v = s \tilde{v}, v_{1} = s, r_{x} = s {\tilde{r}}_{x}, Z_{c, x} = Z^{s {\tilde{r}}_{x}} {\tilde{Z}}_{c, x} \\ z_{ρ (x)} = a_{0} + t_{ρ (x)}, ω = ca \tilde{v}, γ_{x} = - c {\tilde{r}}_{x} \end{matrix}

Note that the value of $a, a_{0}, {t_{ρ (x)}}_{1 \leq x \leq ℓ}, \tilde{s}, {{\tilde{v}}_{i}}_{1 \leq x \leq ℓ}, {{\tilde{r}}_{x}}_{1 \leq x \leq ℓ}$ modulo $p_{1}$ is not uncorrelated to its value modulo $p_{2}$ .

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ . Note that, if $T = e (g, g)^{α s}$ , the challenge ciphertext is a semi-functional ciphertext generated by encryption of $m_{β}$ , then $B$ simulates $Gam e_{q, 3}$ . Otherwise it is a semi-functional ciphertext that is encrypted by random messages in $G_{T}$ , then $B$ simulates $Gam e_{F 0}$ . Finally, $B$ can distinguish T and $Adv 3_{Φ, A} (λ) = ε$ according to the output of $A$ .

Lemma 6

Suppose the algorithm $Φ$ satisfies Assumption 4, then the $G am e_{F 0}$ and $Gam e_{F 1}$ are computationally indistinguishable.

Proof

If there exists an advantage of adversary $A$ such that $| Gam e_{F 0} Ad v_{A} - Gam e_{F 1} Ad v_{A} | = ε$ in $Gam e_{F 0}$ and $Gam e_{F 1}$ , then we can construct a simulator $B$ to break Assumption 4 with $Adv 4_{Φ, A} (λ) = ε$ . $B$ gets $g, g_{2}, g^{t'}, B_{2}, h^{t'} Y_{2}, X_{3}, X_{4}, hZ, g^{r'} D_{2} D_{4}, and T$ and simulates $Gam e_{F 0}$ or $Gam e_{F 1}$ with adversary $A$ .

Phase 1: $B$ answers the secret key query associated with attribute set $ς = (χ_{S}, S)$ and selects $\tilde{t} \in {{}_{R}Z}_{N}, R, R', and R_{i} \in {{}_{R}G}_{p_{3}}$ . Then, semi-functional key of type 3 is created as follows

\begin{matrix} K = (g^{α} g^{t'} B_{2}) g^{a \tilde{t}} R, L = (g^{t'} B_{2})^{\tilde{t}} R' \\ {K_{i} = (g^{t'} B_{2})^{s_{i} \tilde{t}} (h^{t'} Y_{2})^{\tilde{t}} R_{i}}_{i \in χ_{S}} \end{matrix}

We observed $K = g^{α} g^{at} {Rg}_{2}^{d}, L = g^{t} R' g_{2}^{d'}, and {K_{i} = (g^{s_{i}} h)^{t} R_{i} g_{2}^{d_{i}}}_{i \in χ_{S}}$ , where $t = t' \tilde{t}, g_{2}^{d} = B_{2}^{at}, g_{2}^{d'} = B_{2}^{\tilde{t}}, and g_{2}^{d_{i}} = B_{2}^{s_{i} \tilde{t}} Y_{2}^{\tilde{t}}$ . Note that the value of $a, \tilde{t}, {s_{i}}_{1 \leq i \leq n}$ modulo $p_{1}$ is not uncorrelated to its value modulo $p_{2}$ .

Challenge: Adversary $A$ submits to simulator $B$ two equal length messages $m_{0} and m_{1}$ and two access policies ${A'}_{0} = (M, ρ, ψ_{0})$ and ${A'}_{1} = (M, ρ, ψ_{1})$ with the restriction that none of them can be satisfied by any of the queried attribute sets in Phase 1. Let $ψ_{β} = (t_{ρ (1)}, t_{ρ (2)}, \dots, t_{ρ (ℓ)})$ . $B$ flips a random coin $β \in {0, 1}$ and performs the following steps:

1. $B$ creates $\tilde{v} = (1, {\tilde{v}}_{2}, \dots, {\tilde{v}}_{n})$ , where ${\tilde{v}}_{i} \in {{}_{R}Z}_{N}$ and $2 \leq i \leq n$ .

2. $B$ selects ${\tilde{r}}_{x} \in {{}_{R}Z}_{N}, {\hat{s}}_{x} = (a_{0} + t_{ρ (x)})^{- 1}$ , ${\tilde{Z}}_{c, x}, and Z_{d, x} \in {{}_{R}G}_{p_{4}}$ , where $1 \leq x \leq ℓ$ .

3. $B$ selects $c \in {{}_{R}Z}_{N}$ , lets $ψ_{β} = (t_{ρ (1)}, t_{ρ (2)}, \dots, t_{ρ (ℓ)})$ , and obtains $r_{β}$ associated the $m_{β}$ , then it does the following calculations

\begin{matrix} C = G_{T}, C' = g^{s} g_{2}^{c}, C ″ = m_{β} \oplus F \\ C_{1, x} = g^{a M_{x} \cdot v} (g^{r'} D_{2} D_{4})^{- {\tilde{r}}_{x} \cdot t_{ρ (x)}} T^{- {\tilde{r}}_{x}} g_{2}^{M_{x} \cdot ω} {\tilde{Z}}_{c, x} \\ D_{1, x} = (g^{r'} D_{2} D_{4})^{{\tilde{r}}_{x}} \end{matrix}

4. $B$ sets the challenge ciphertext as $C T_{β} = ((M, ρ), C, C', C ″, {C_{1, x}, D_{1, x}}_{1 \leq x \leq ℓ})$ and sends it to $A$ . If $T = h^{r'} A_{2} A_{4}$ , and suppose $h = g^{τ_{1}}, D_{2} = g^{γ}, A_{2} = g^{γ τ_{2}}, τ_{1}, τ_{2}, γ \in {{}_{R}Z}_{N}$ , then

\begin{matrix} C \leftarrow G_{T}, C' = g^{s} g_{2}^{c} \\ C_{1, x} = g^{a M_{x} \cdot v} (g^{t_{ρ (x)}} H)^{- r_{x}} {g_{2}}^{M_{x} \cdot ω + γ_{x} \cdot z_{ρ (x)}} Z_{c, x} \\ D_{1, x} = (g^{r'} D_{2} D_{4})^{{\tilde{r}}_{x}} = g^{r_{x}} Z_{d, x} {g_{2}}^{- γ_{x}} \end{matrix}

where

\begin{matrix} r_{x} = r' {\tilde{r}}_{x}, Z_{c, x} = D_{4}^{- {\tilde{r}}_{x} t_{ρ (x)}} A_{4}^{- {\tilde{r}}_{x}} Z^{r' {\tilde{r}}_{x}} {\tilde{Z}}_{c, x} \\ z_{ρ (x)} = τ_{2} + t_{ρ (x)}, γ_{x} = - c {\tilde{r}}_{x}, Z_{d, x} = D_{4}^{{\tilde{r}}_{x}} \end{matrix}

Phase 2: Similar to Phase 1, but adversary $A$ cannot query $B$ for a set of attributes that satisfy the policies $A'_{0} and A'_{1}$ . Note that, if $T = h^{r'} A_{2} A_{4}$ , the challenge ciphertext is a semi-functional ciphertext generated by encryption of $m_{β}$ , then $B$ simulates $Gam e_{F 0}$ . If $T \leftarrow G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , it is a semi-functional ciphertext that is encrypted by random messages in $G_{T}$ , and $C_{1, x}$ is the random element in $G_{p_{1}} \times G_{p_{2}} \times G_{p_{3}}$ , then $B$ simulates $Gam e_{F 1}$ . Finally, $B$ can distinguish T and $Adv 4_{Φ, A} (λ) = ε$ according to the output of $A$ .

Performance analysis

The scheme of this article is compared with that of Lai et al.,³ Yin et al.,⁵ and Zhang et al.⁷ from the perspectives of function and performance. In the scheme comparison process, $G_{p_{i}}$ represents the subgroup of the order $p_{i}$ , and $G_{p_{i} p_{j}}$ represents the subgroup of the order $p_{i} p_{j}$ , N represents the number of attribute universe, $| ℓ |$ represents the number of the matrix M row, $| S |$ represents the number of user attributes, and $| y |$ represents the number of attribute sets that satisfy the policy. We use $Exp$ , $Ex p_{T}$ , and P to denote a module exponential operation in G, a module exponential operation in $G_{T}$ , and a bilinear pair operation, respectively. Because the main computing overhead of this scheme contains linear pairwise operation and modular exponentiation, module multiplication and hash operation can be ignored.

Theoretical analysis

Table 1 mainly compares the functionalities of the schemes. It can be seen that the schemes all implement the policy-hiding function, and they are all proven to be full secure apart from the scheme proposed by Yin et al.⁵ is selective secure under the standard model and this scheme⁵ does not support outsourced decryption operations. However, the schemes of Lai et al.³ and Zhang et al.⁷ are constructed based on the composite order group, which realizes the full security of the scheme, but does not support outsourcing decryption as well. The proposed scheme is based on the composite order group, and it not only realizes policy hidden but also supports outsourced decryption operations, which reduces the user’s computational cost. In addition, it is proved to satisfy full secure under the standard model.

Table 1.

Comparison of performance.

Scheme	Policy hiding	Full secure	Outsource decryption	Group order	Standard model
Lai et al.³	√	√	×	Composite	√
Yin et al.⁵	√	×	×	Prime	√
Zhang et al.⁷	√	√	×	Composite	√
This article	√	√	√	Composite	√

Table 2 mainly shows the comparison of the public key size (PK size), user’s secret key (SK size), and ciphertext size (CT size). Because the scheme proposed by Yin et al.⁵ is based on the prime order group and the rest of the schemes are the composite order group, only the schemes of Lai et al.,³ Zhang et al.,⁷ and this article are analyzed in Table 2. It can be seen from Table 2 that the size of the proposed scheme’ secret key is $| S | + 3$ , while the schemes of Lai et al.³ and Zhang et al.⁷ are both $| S | + 2$ . However, the CT size of the proposed scheme is much shorter by $| ℓ | + 1$ in scheme of Zhang et al.⁷ and $2 | ℓ | + 1$ in scheme of Lai et al.³ and the PK size of the proposed scheme is shorter by N in scheme of Lai et al.³

Table 2.

Comparison of communication overhead.

Scheme	PK size		SK size	CT size
	$G_{p_{i}}$	$G_{T}$	$G_{p_{i} p_{j}}$	$G_{p_{i} p_{j}}$	$G_{T}$
Lai et al.³	N + 4	1	$\| S \| + 2$	$4 \| ℓ \| + 2$	2
Zhang et al.⁷	4	1	$\| S \| + 2$	$3 \| ℓ \| + 2$	2
This article	4	1	$\| S \| + 3$	$2 \| ℓ \| + 1$	1

PK: public parameter; SK: secret key; CT: ciphertext.

Table 3 shows the computational overhead. In the encryption process, the exponent operation involved in this scheme is $(4 | ℓ | + 1) Exp + 1 Ex p_{T}$ , which is much lower than other schemes of Lai et al.³ and Zhang et al.,⁷ but slightly higher than the scheme proposed by Yin et al.⁵ Since the outsourcing decryption operation is not supported in schemes of Lai et al.,³ Zhang et al.,⁷ and Yin et al.,⁵ the decryption process can be separated into two phases: decryption match test and data decryption. It is first judged whether to match the policy in decryption match test period. If matched successfully, then perform the decryption operation. But the linear pair operation and the modular exponentiation operation during the decryption period are performed, which are still linearly increasing with the number of attributes. The scheme transfers the most decryption operation to the cloud server, and the cost of outsourced decryption is still less than other schemes, so the DU in this scheme only needs 1 exponent time to complete the decryption procession, which greatly reduces the user’s computational overhead.

Table 3.

Comparison of computing overhead.

Scheme	DO	Cloud server	DU
	Encryption phase	Outsourced decryption	Decryption test	Decryption phase
Lai et al.³	$(7 \| ℓ \| + 2) Exp + 2 Ex p_{T}$	–	$1 \| y \| Exp + 1 Ex p_{T} + (\| y \| + 2) P$	$\| y \| Exp + \| y \| Ex p_{T} + (\| y \| + 2) P$
Yin et al.⁵	$(\| ℓ \| + 2) Exp + 3 Ex p_{T} + 1 P$	–	$1 Ex p_{T} + 1 P$	$(\| y \| + 2) Ex p_{T} + (\| y \| + 1) P$
Zhang et al.⁷	$(6 \| ℓ \| + 2) Exp + 2 Ex p_{T}$	–	$2 \| y \| Exp + 2 P$	$\| y \| Exp + \| y \| Ex p_{T} + (\| y \| + 2) P$
This article	$(4 \| ℓ \| + 1) Exp + 1 Ex p_{T}$	$\| y \| Ex p_{T} + (2 \| y \| + 1) P$	–	$1 Ex p_{T}$

DO: data owner; DU: data user.

The proposed scheme makes a trade-off between ciphertext size and cost of decryption. More precisely, the scheme accepts unnecessary exercises of decryption process in order to reduce the ciphertext size. However, because decryption is performed by sufficiently powerful cloud nodes; therefore, additional decryption exercises are acceptable. From the analysis above, our scheme not only has the characteristic of outsourcing decryption and policy hidden but also has certain performance advantages.

Experiment analysis

Through the above theoretical analysis, our scheme has more advantages in terms of function and efficiency. In order to more accurately evaluate the actual performance of the scheme, we further analysis computing overhead through experiments, including the encryption time and the decryption time.

Experimental environment: Windows 10, Inter® Core^TM i5-8300H (2.30 GHz), memory 8 GB, the experimental code is based on java pairing-based cryptography library (JPBC-2.0.0), and MyEclipse development environment. In the experiment, the paired structure of type A is used to construct an elliptic curve $y^{2} = x^{3} + x$ on a finite field. The order of the group is r, and the order of the base field is q. Here, we take r = 160 bit, q = 512 bit, where the pairing operation and modular exponent invoked pairing.pairing() and G-1.powZn(), respectively, in the library for testing.

Experimental setup: In the ciphertext-policy ABE scheme, the number of attributes in the access policy affects the encryption and decryption time. In the experiment process, because the high computational overhead is outsourced to the cloud server for calculation, we only test the computing time of the terminal device. In the experiment, we set the number of attributes as 50 and increase by 10 the number of attributes each time, generating five different access policies. By comparing the computing time of the terminal user under different access policies, we tested 10 times for each policy and took an average value as the experimental result.

Figure 2 has two subgraphs (Figure 2(a) and (b)), which represents the execution time of the DO’s encryption and the execution time of the DU’s decryption. In Figure 2(a), we can see that the execution time of the proposed scheme is lower than the computational time of other schemes of Lai et al.³ and Yin et al.,⁵ but slightly higher than the calculation time of the scheme proposed by Yin et al.⁵ In Figure 2(b), during the procedure of user’s decryption, the schemes of Lai et al.,³ Yin et al.,⁵ and Zhang et al.⁷ do not support the outsourced decryption operation. And they involve the computational cost of the bilinear pair operation and the computational cost increasing linearly with the number of attributes. This scheme achieves outsourcing decryption operations and verification operations, so the user only needs to perform constant exponential operation, which greatly reduces the user’s computational overhead.

Figure 2.

Comparison of computing time: (a) encryption time of DO and (b) decryption time of DU.

By comprehensive analysis, the proposed scheme is superior to other schemes in terms of function, communication, and computational burden, so it is effective and feasible in the application of cloud computing.

Conclusion

In order to solve the problem of privacy protection and heavy computing overhead in the cloud outsourcing environment, this article proposes a partial policy-hiding ABE scheme that can verify the result of outsourcing decryption. The privacy of user attributes is realized by dividing attributes into two parts: attribute name and attribute value, attribute name disclosure and attribute value concealment. For the bilinear pairing operation and module power operation, this article will decrypt the operation by outsourcing to the cloud server and verify the outsourced calculation results to ensure the accuracy of the returned calculation results. It is proved that the scheme based on the static assumption problem can achieve full secure under the standard model. Finally, through theoretical and experiment analysis, it shows that our scheme has more advantages than other schemes.

Footnotes

Handling Editor: Iftikhar Ahmad

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was funded by the National Natural Science Foundation of China (Grant No. 61802117), in part by the Research Foundation of Young Core Instructor in Henan province (Grant No. 2018GGJS058), and in part by the Innovative Scientists and Technicians team of Henan Provincial High Education (Grant No. 20IRTSTHN013).

ORCID iD

Guanghui He

References

Zhao

Song

, et al. Towards dependable and trustworthy outsourced computing: a comprehensive survey and tutorial. J Netw Comput Appl 2019; 131: 55–65.

Nishide

Yoneyama

Ohta

. Attribute-based encryption with partially hidden encryptor-specified access structures. In: Proceedings of the international conference on applied cryptography and network security (ACNS), 2009, pp.13–23. Springer, https://link.springer.com/content/pdf/10.1007%2F978-3-540-68914-0_7.pdf

Lai

Deng

. Expressive CP-ABE with partially hidden access structures. In: Proceedings of the 7th ACM symposium on information, computer and communications security (ASIACCS), Seoul, South Korea, 2012, pp.18–19, https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=2648&context=sis_research

Wang

Zhang

, et al. Ciphertext-policy attribute-based encryption with hidden access policy and testing. KSII Trans Internet Inform Syst 2016; 10(7): 3339–3352.

Yin

Zhang

Cui

YL.

Improving security in ciphertext-policy attributed-based encryption with hidden access policy and testing. KSII Trans Internet Inform Syst 2019; 13(5): 2768–2780.

Cui

Deng

Lai

, et al. An efficient and expressive ciphertext-policy attributed-based encryption scheme with partially hidden access structures, revisited. Comput Netw 2018; 133: 157–165.

Zhang

Zheng

Deng

. Security and privacy in smart health: efficient policy-hiding attribute-based access control. IEEE Internet Things J 2018; 5(3): 2130–2145.

Zhang

, et al. Hidden ciphertext policy attribute-based encryption with fast decryption for personal health record system. IEEE Access 2019; 7: 33202–33213.

Xiong

Zhao

Peng

, et al. Partially policy-hidden attribute-based broadcast encryption with secure delegation in edge computing. Future Gener Comput Syst 2019; 97: 453–461.

10.

Shahid

Khan

Jeon

. Post-quantum distributed ledger for internet of things. Comput Electr Eng 2020; 83: 106581.

11.

Waters

. Dual system encryption: realizing fully secure IBE and HIBE under simple assumption. In: Proceedings of the annual international cryptology conference, Santa Barbara, CA, 2009, pp.619–636, https://eprint.iacr.org/2009/385.pdf

12.

Sahai

Waters

. Fuzzy identity-based encryption. In: Proceedings of the annual international conference on the theory and applications of cryptographic techniques (EUROCRYPT), Aarhus, 2005, pp.457–473, https://eprint.iacr.org/2004/086.pdf

13.

Goyal

Pandey

Sahai

, et al. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on computer and communications security, Alexandria, VA, 2006, pp.89–98, https://tjkopena.com/wiki/uploads/Papers/p89-goyal.pdf

14.

Bethencourt

Sahai

Waters

. Ciphertext-policy attribute-based encryption. In: Proceedings of the IEEE symposium on security and privacy, Berkeley, CA, 2007, pp.321–334, https://www.cs.utexas.edu/~bwaters/publications/papers/cp-abe.pdf

15.

Waters

. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Proceedings of the international workshop on public key cryptography, 2011, pp.53–70. Berlin: Springer, https://eprint.iacr.org/2008/290.pdf

16.

Lewko

Okamoto

Sahai

, et al. Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Proceedings of the annual international conference on the theory and applications of cryptographic techniques (EUROCRYPT), 2010, pp.62–91, https://eprint.iacr.org/2010/110.pdf

17.

Jin

Feng

Shen

. Fully secure hidden ciphertext policy attribute-based encryption with short ciphertext size. In: Proceedings of the 6th international conference on communication and network security (ICCNS), Singapore, 2016, pp.91–98, https://dl.acm.org/doi/10.1145/3017971.3017981

18.

Zhang

Chen

, et al. Anonymous attribute-based encryption supporting efficient decryption test. In: Proceedings of the 8th ACM SIGSAC symposium on information, computer and communications security (ASIACCS), Hangzhou, China, 2013, pp.511–516, https://dl.acm.org/doi/10.1145/2484313.2484381

19.

Zhang

Chen

, et al. Anonymous attribute-based proxy re-encryption for access control in cloud computing. Secur Commun Netw 2016; 9(14): 2397–2411.

20.

Zhang

Chen

, et al. Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Inform Sci 2017; 379: 42–61.

21.

Yan

Liu

, et al. Privacy-preserving multi-authority attribute-based encryption with dynamic policy updating in PHR. Comput Sci Inform Syst 2019; 16(3): 831–847.

22.

Hao

Huang

, et al. Fine-grained data access control with attribute-hiding policy for cloud-based IoT. Comput Netw 2019; 153: 1–10.

23.

Katz

Sahai

Waters

. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Proceedings of the annual international conference on the theory and applications of cryptographic techniques (EUROCRYPT), 2008, pp.146–162, https://www.cs.umd.edu/~jkatz/papers/ec08.pdf

24.

Green

Hohenberger

Waters

. Outsourcing the decryption of ABE ciphertexts. In: Proceedings of the 20th USENIX conference on security, San Francisco, CA, 2011, pp.1–16, https://static.usenix.org/events/sec11/tech/full_papers/Green.pdf

25.

Zhang

Chen

, et al. Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 2018; 72: 1–12.

26.

Fan

Wang

, et al. A secure and verifiable outsourced access control scheme in fog-cloud computing. Sensors 2017; 17(7): 1695–1710.

27.

Zhang

. Fine-grained access control system based on fully outsourced attribute-based encryption. J Syst Softw 2017; 125(3): 344–353.

28.

Zhao

Wang

, et al. Fully outsourced attribute-based encryption with verifiability for cloud storage. J Comput Res Develop 2019; 56(2): 442–452.

29.

Yan

, et al. White-box traceable ciphertext-policy attribute-based encryption in multi-domain environment. IEEE Access 2019; 7: 128298–128312.

Outsourced ciphertext-policy attribute-based encryption with partial policy hidden

Abstract

Keywords

Introduction

Our contribution

Related work

ABE

Policy hidden

Outsourced ABE

Organization

Preliminaries

Composite order bilinear group

LSSS

Complexity assumption

Assumption 1

Definition 1

Assumption 2

Definition 2

Assumption 3

Definition 3

Assumption 4

Definition 4

System architecture and security model

System model

Algorithm definition

Security model

Our construction

Security proof

Theorem 1

Lemma 1

Proof

Lemma 2

Proof

Lemma 3

Proof

Lemma 4

Proof

Lemma 5

Proof

Lemma 6

Proof

Performance analysis

Theoretical analysis

Experiment analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References