verifiable outsourced decryption of attribute-based...

12
Research Article Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant Ciphertext Length Jiguo Li, 1 Fengjie Sha, 1 Yichen Zhang, 1 Xinyi Huang, 2 and Jian Shen 3 1 College of Computer and Information, Hohai University, Nanjing 211000, China 2 School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117, China 3 School of Computer and Soſtware, Nanjing University of Information Science and Technology, Nanjing 210044, China Correspondence should be addressed to Jiguo Li; [email protected] Received 28 June 2016; Accepted 1 September 2016; Published 10 January 2017 Academic Editor: ´ Angel Mart´ ın Del Rey Copyright © 2017 Jiguo Li et al. is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Outsourced decryption ABE system largely reduces the computation cost for users who intend to access the encrypted files stored in cloud. However, the correctness of the transformation ciphertext cannot be guaranteed because the user does not have the original ciphertext. Lai et al. provided an ABE scheme with verifiable outsourced decryption which helps the user to check whether the transformation done by the cloud is correct. In order to improve the computation performance and reduce communication overhead, we propose a new verifiable outsourcing scheme with constant ciphertext length. To be specific, our scheme achieves the following goals. (1) Our scheme is verifiable which ensures that the user efficiently checks whether the transformation is done correctly by the CSP. (2) e size of ciphertext and the number of expensive pairing operations are constant, which do not grow with the complexity of the access structure. (3) e access structure in our scheme is AND gates on multivalued attributes and we prove our scheme is verifiable and it is secure against selectively chosen-plaintext attack in the standard model. (4) We give some performance analysis which indicates that our scheme is adaptable for various limited bandwidth and computation-constrained devices, such as mobile phone. 1. Introduction Attribute-based encryption (ABE) derives from identity- based encryption (IBE) introduced in [1]. A user’s identity in IBE system is indicated by a binary bit string and the cor- responding representation in ABE system is extended to an attribute set. e identity represented by an attribute set is not unique so ABE can realize the one-to-many encryption. Tra- ditional IBE schemes can only provide coarse-grained access control. In order to solve this problem, Goyal et al. [2] pre- sented a new scheme in which the fine-grained access control is associated with the user’s private keys and ciphertexts are associated with a descriptive attribute set. ABE can be divided into two categories, namely, key-policy attribute-based encryption (KP-ABE) [2–4] and ciphertext-policy attribute- based encryption (CP-ABE) [5–11]. One of the main defects of current ABE schemes is expensive decryption operation for mobile device with low computing power and limited battery. To improve efficiency, Green et al. [12] presented an efficient ABE scheme by outsourcing expensive decryption operation to the cloud service provider (CSP). In their scheme, a user uses proxy reencryption method [13, 14] to generate a trans- formation key and sends the transformation key and ABE ciphertext to the CSP. Given the transformation key, the CSP transforms an ABE ciphertext into a simple ciphertext, from which the user recovers plaintext by using less computation overhead. In this process, the CSP does not get any infor- mation about original plaintext. Chase [15] extended single authority ABE to propose a multiauthority ABE scheme. However, he only proves that the scheme is secure against the selective ID model. Liu et al. [16] provided a fully secure mul- tiauthority CP-ABE. In order to protect privacy of the user, Han et al. [17] presented a decentralized key-policy attribute- based encryption with preserving privacy. Qian et al. [18] pro- vided a decentralized CP-ABE with fully hidden access struc- ture. Furthermore, they [19] proposed a privacy-preserving Hindawi Security and Communication Networks Volume 2017, Article ID 3596205, 11 pages https://doi.org/10.1155/2017/3596205

Upload: others

Post on 21-Jun-2020

39 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

Research ArticleVerifiable Outsourced Decryption of Attribute-Based Encryptionwith Constant Ciphertext Length

Jiguo Li1 Fengjie Sha1 Yichen Zhang1 Xinyi Huang2 and Jian Shen3

1College of Computer and Information Hohai University Nanjing 211000 China2School of Mathematics and Computer Science Fujian Normal University Fuzhou 350117 China3School of Computer and Software Nanjing University of Information Science and Technology Nanjing 210044 China

Correspondence should be addressed to Jiguo Li ljg1688163com

Received 28 June 2016 Accepted 1 September 2016 Published 10 January 2017

Academic Editor Angel Martın Del Rey

Copyright copy 2017 Jiguo Li et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Outsourced decryption ABE system largely reduces the computation cost for users who intend to access the encrypted files storedin cloud However the correctness of the transformation ciphertext cannot be guaranteed because the user does not have theoriginal ciphertext Lai et al provided an ABE scheme with verifiable outsourced decryption which helps the user to check whetherthe transformation done by the cloud is correct In order to improve the computation performance and reduce communicationoverhead we propose a new verifiable outsourcing scheme with constant ciphertext length To be specific our scheme achievesthe following goals (1) Our scheme is verifiable which ensures that the user efficiently checks whether the transformation is donecorrectly by the CSP (2)The size of ciphertext and the number of expensive pairing operations are constant which do not growwith the complexity of the access structure (3)The access structure in our scheme is AND gates on multivalued attributes and weprove our scheme is verifiable and it is secure against selectively chosen-plaintext attack in the standard model (4)We give someperformance analysis which indicates that our scheme is adaptable for various limited bandwidth and computation-constraineddevices such as mobile phone

1 Introduction

Attribute-based encryption (ABE) derives from identity-based encryption (IBE) introduced in [1] A userrsquos identityin IBE system is indicated by a binary bit string and the cor-responding representation in ABE system is extended to anattribute setThe identity represented by an attribute set is notunique so ABE can realize the one-to-many encryption Tra-ditional IBE schemes can only provide coarse-grained accesscontrol In order to solve this problem Goyal et al [2] pre-sented a new scheme in which the fine-grained access controlis associated with the userrsquos private keys and ciphertexts areassociatedwith a descriptive attribute set ABE can be dividedinto two categories namely key-policy attribute-basedencryption (KP-ABE) [2ndash4] and ciphertext-policy attribute-based encryption (CP-ABE) [5ndash11] One of the main defectsof currentABE schemes is expensive decryption operation formobile device with low computing power and limited battery

To improve efficiency Green et al [12] presented an efficientABE scheme by outsourcing expensive decryption operationto the cloud service provider (CSP) In their scheme a useruses proxy reencryption method [13 14] to generate a trans-formation key and sends the transformation key and ABEciphertext to the CSP Given the transformation key the CSPtransforms an ABE ciphertext into a simple ciphertext fromwhich the user recovers plaintext by using less computationoverhead In this process the CSP does not get any infor-mation about original plaintext Chase [15] extended singleauthority ABE to propose a multiauthority ABE schemeHowever he only proves that the scheme is secure against theselective IDmodel Liu et al [16] provided a fully secure mul-tiauthority CP-ABE In order to protect privacy of the userHan et al [17] presented a decentralized key-policy attribute-based encryptionwith preserving privacyQian et al [18] pro-vided a decentralized CP-ABE with fully hidden access struc-ture Furthermore they [19] proposed a privacy-preserving

HindawiSecurity and Communication NetworksVolume 2017 Article ID 3596205 11 pageshttpsdoiorg10115520173596205

2 Security and Communication Networks

personal health record using multiauthority ABE with revo-cation Several traceable CP-ABE schemes [20ndash22] wereconstructed to trace the identity of a misbehaving user wholeaks its decryption key to others and thus reduces the trustassumptions on both users and attribute authorities RecentlyLi et al [23] presented flexible and fine-grained attribute-based data storage in cloud computing To protect dataprivacy the sensitive data should be encrypted by the dataowner prior to outsourcing As the amount of encrypted filesstored in cloud is becoming very huge searchable encryptionscheme over encrypted cloud data is a very challenging issueTo deal with above problem Li et al [24 25] proposed a newcryptographic primitive called attribute-based encryptionscheme with keyword search function [26ndash28] In the pro-posed scheme cloud service provider (CSP) performs partialdecryption task delegated by data user without knowinganything about the plaintext Moreover the CSP can performencrypted keyword search without knowing anything aboutthe keywords embedded in trapdoor In order to protect theprivacy for the encryptor and decryptor Li et al [29] proposea CP-ABE scheme with hidden access policy and testing

Our Motivations and Contributions With the cloud servicebeing more and more popular in modern society ABEtechnology has become a promising orientation It allowsusers to use flexible access control to access files stored inthe cloud server with encrypted formThough its advantagesmake it a powerful tool for cloud one of itsmain performancechallenges is that the complexity of decryption computationis linearly correlated with the access structure By using theproxy reencryption technology outsourced decryption ABEsystem can largely reduce the computation cost for users whointend to access the encrypted files stored in cloud Givena ciphertext and a transformation key CSP transforms aciphertext into a simple ciphertext The user only needs tospend less computational overhead to recover the plaintextfrom simple ciphertextHowever the correctness of the trans-formation ciphertext which the CSP gives to the user cannotbe guaranteed because the latter does not have the originalciphertext It is a security threat that malicious cloud serviceprovider (CSP) may replace the original ciphertext and givethe user a transformed ciphertext from another ciphertextwhich CSP wants the user to decryptThe user is not aware ofthe CSPrsquos malicious behavior Mutual verifiable provable dataauditing [30] in public cloud storage is a potential method tosolve remote data possession checkingThe security propertyabout ABE with outsourcing decryption ensures that themalicious cloud server cannot obtain anything with respectto the encrypted message nonetheless the scheme does notensure the validity of the transformation done by the CSPIn order to solve this problem Lai et al [31] put forward anABE scheme with verifiable outsourcing decryption whichguarantees verifiability of the transformation Recently Li etal [32] presented an outsourcing ABE scheme which cancheck validity of the outsourced computation results Thereis no doubt that verifiability brings about great progressto outsourced decryption of ABE However the ciphertextlength and the amount of expensive pairing computationsgrow with the number of the attributes which greatly limits

its application in power constrained and bandwidth limiteddevices Schemes in [33 34] put forward a good solutionto this problem in which the ciphertext length is constantIn this article we present a novel verifiable outsourced CP-ABE scheme with constant ciphertext length to save thecommunication cost The security of our scheme reducesto that of scheme in [33] Similar to the proof in [31] theverifiability of our scheme reduces to the discrete logarithmassumption

Organization We organized the rest of the paper as followsIn Section 2 we review some preliminary knowledge andintroduce the CP-ABE model of outsourced decryption Wealso give the security definitions used in our paper in thissection In Section 3 we provide a new verifiable outsourcedCP-ABE scheme with constant ciphertext length We provesecurity and verifiability of our scheme in Section 4 InSection 5 we give some performance comparison with theexisting schemes Finally we conclude the paper in Section 6

2 Preliminaries

We introduce some basic knowledge about bilinear groupssecurity assumption access structure andCP-ABEwhich ourscheme relies on

21 Bilinear Pairing

Definition 1 (bilinear map) 1198661 and 119866119879 are multiplicativecyclic groups with prime order 119901 Suppose 119892 is a generatorin 1198661 119890 1198661 times 1198661 rarr 119866119879 is bilinear map if it satisfies thefollowing properties

(1) Bilinearity for all 119906 V isin 1198661 119890(119906119886 V119887) = 119890(119906 V)119886119887where 119886 119887 isin Z119901 are selected randomly

(2) Nondegeneracy there exists 119906 V isin 1198661 such that119890(119906 V) = 1(3) Computability for all 119906 V isin 1198661 there is an efficient

algorithm to compute 119890(119906 V)22 Security Assumption

Definition 2 (discrete logarithm (DL) assumption [31]) Let(119901 119866 119866119879 119890) be a prime-order bilinear group system Given(119901 119866 119866119879 119890 119892 119892119909) where 119892 isin 119866 is randomly selected the DLproblem for (119901 119866 119866119879 119890) is to calculate 119909 The DL assump-tion in (119901 119866 119866119879 119890) is that no probabilistic polynomial-time (PPT) algorithm A solves the DL problem at non-negligible advantage The advantage for A is defined asPr[A(119901 119866 119866119879 119890 119892 119892119909) = 119909]23 Access Structure Access structure is being referred toin [33] we utilize AND gates with respect to multivaluedattributes as follows

Definition 3 Assume that 119880 = att1 att119899 is an attributeuniverse 119881119894 = V1198941 V1198942 V119894119899119894 are some feasible valueswhere 119899119894 is the amount of feasible values of att119894 isin 119880 Let

Security and Communication Networks 3

Compute and verify

Compute partially decrypted

User

ciphertext CT

CT

Out

sour

ce (C

T T

K)

Downloa

d CT

Upload

searc

h index

for T

KSearch TK for index

TK of the userCloud service providerStorage

Upl

oad

CT

Cloud

Data owner

Encrypt

M CT

Figure 1 System architecture of our scheme

119878 = [1198781 1198782 119878119899] let 119878119894 isin 119881119894 be an attribute set for a userand A = [A1A2 A119899] let A119894 isin 119881119894 be an access structureThe notation 119878 ⊨ A denotes that an attribute set 119878 satisfies anaccess structure A that is to say 119878119894 = A119894 (119894 = 1 2 119899)

24 Outline of CP-ABE with Outsourced Decryption Brieflyspeaking a user interacts with the CSP as illustrated inFigure 1 Data owner encrypts message119872 into ciphertext CTand uploads it to the storage in cloud A user who is permittedto access the data downloads the ciphertext Then the usersends the ciphertext and transformation key to the CSP foroutsourcing decryption CSP computes partially decryptedciphertext CT1015840 and sends it to the userThe user computes themessage from the partially decrypted ciphertext and verifieswhether the message is the original one

We review the notion of CP-ABE in [31] with outsourceddecryption It is described by the seven algorithms as follows

119878119890119905119906119901(120582 119880) This algorithm takes the security parameter 120582and attribute universe119880 as input It outputs public parameterPK and master secret key MK

119870119890119910119866119890119899(119875119870119872119870 119878) This algorithm takes PK MK andattribute set 119878 as input It outputs private key SK119878 related to119878119864119899119888119903119910119901119905(119875119870119872A) This algorithm takes PK message 119872and access structure A as input and outputs ciphertext CT

119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879)This algorithm takes PK SK119878 andCTas input It outputs119872 if SK119878 associated with 119878 satisfies A

119866119890119899119879119870119900119906119905(119875119870 119878119870119878) This algorithm takes PK and SK119878 asinput It outputs transformation key TK119878 associated with 119878and a corresponding retrieving key RK119878

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) This algorithm takes PK CTand TK119878 as input It outputs a partially decrypted ciphertextCT1015840

119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) This algorithm takes PK CTCT1015840 and RK119878 for 119878 as input It outputs message119872 or perp25 Security Model for CP-ABE with Outsourcing DecryptionLai et al [31] described security properties and verifiabilityfor CP-ABE which supports outsourcing decryption Thetraditional concept of security for chosen-ciphertext attack(CCA) is not suitable for the above CP-ABE scheme becauseit does not permitmodifying any bit for the ciphertextThere-fore they use a relaxation named replayed CCA (RCCA)security [35] which permits alternation for the ciphertextso that they can change the potential message in a significantway

251 Security The RCCA security of outsourced decryptionCP-ABE is described as a game in both an adversary and achallenger According to the game in [31] it is described asfollows

Setup The challenger C performs setup algorithm to get thepublic parameter PK and master secret key MK It sends PKto the adversaryA and keeps MK secret

4 Security and Communication Networks

Query Phase 1 The challenger maintains a table Tb and a set119863 which are initialized empty The adversary A adaptivelyissues queries

(1) Private Key Query for Attribute Set 119878 The challenger runsSK119878 larr KeyGen(PKMK 119878) and sets 119863 = 119863 cup 119878 It thensends the private key SK119878 to the adversary

(2) Transformation Key Query on Attribute Set 119878 C scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tupleexists it returns TK119878 as the transformation key Otherwiseit runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the tuple in table Tb It thenreturns the transformation key TK119878 to the adversary

Without loss of generality we suppose that an adversarydoes not launch transformation key query for attribute set 119878if a private key query about the same attribute set 119878 has beenissued Since anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself the assumption is rational

(3) Decryption Query for Attribute Set 119878 and Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 to the adversary

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Cipher-text (119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable Tb If such a tuple exists it runs algorithm 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends 1198720 and 1198721 with equal length and anaccess policy Alowast to C subject to the restriction that for all119878 isin 119863 Alowast cannot be satisfied by 119878 The challenger chooses119887 isin 0 1 and computes CTlowast = Encrypt(PK119872119887Alowast) Thenthe challenger sends the challenge ciphertext CTlowast toA

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1 with the following restrictions

(1) A cannot make private key query which results inattribute set 119878 that satisfies the target access policyAlowast

(2) A cannot issue any trivial decryption queriesNamely Decryptionout and decryption queries arereplied to as phase 1 if the response is either 1198720 or1198721 thenC returns perp

Guess The adversary A gives a guess 1198871015840 isin 0 1 for 119887 andsucceeds in the game if 1198871015840 = 119887|Pr(1198871015840 = 119887)minus12| is defined as the advantage for the adver-saryA in the game

Definition 4 An outsourcing decryption CP-ABE schemeis RCCA secure if all probabilistic polynomial-time (PPT)adversaries have at most a negligible advantage of winningin this game

CPA Security An outsourcing decryption CP-ABE schemeis secure under chosen-plaintext attack (CPA) if A cannotlaunch decryption queries in the above game

Selective Security An outsourcing decryption CP-ABEscheme is selective security if we add an initialization phaseprior to setup algorithm in above game where the adversarygives the challenger access structure Alowast

252 Verifiability The verifiability for CP-ABE with out-sourced decryption is depicted via a game in both anadversary and a challenger The game proceeds as follows

Setup C performs algorithm setup to generate the publicparameters PK and master secret key MSK It returns PK toA and keeps MSK secret

Query Phase 1 C initializes an empty table 119879 A adaptivelyissues the following queries

(1) Private Key Query for Attribute Set 119878 C runs SK119878 larrKeyGen(PKMK 119878) and returns the private key SK119878 to theadversary

(2) Transformation Key Query for Attribute Set 119878 The chal-lenger runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the entry (119878 SK119878TK119878RK119878) intable 119879 It then returns the transformation key TK119878 to theadversary

Without loss of generality we suppose that the adversarydoes not launch transformation key query for attribute set119878 if a private key query about the same attribute set 119878 hasbeen issued Anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself

(3) Decryption Query for Attribute Set 119878 and a Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 toC

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Ciphertexts(119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable 119879 If such a tuple exists it runs 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends challenge message 119872lowast and challengeaccess policy Alowast to the challenger C C computes CTlowast =Encrypt(PK119872lowastAlowast) and returns CTlowast to A as its challengeciphertext

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1

Output A returns attribute set 119878lowast and transformed cipher-text CTlowast1015840 We suppose that tuple (119878lowast SK119878lowast TK119878lowast RK119878lowast) isincluded in table 119879 Otherwise the challenger generates thetuple as the reply for transformation key query A succeedsin the game if Decryptout(PKCTlowastCTlowast1015840RK119878lowast) notin 119872lowast perp

Security and Communication Networks 5

Definition 5 An outsourcing decryption CP-ABE scheme isverifiable if PPT adversary has at most a negligible advantagein the above game

3 Construction of Our New Scheme

Our new scheme consists of seven algorithms

119878119890119905119906119901(1119896) A trusted authority (TA) picks two bilinear groups(1198661 119866119879) of prime-order 119901 1198921 isin 1198661 ℎ 119906 V 119889 isin 1198661119910 isin119877Z119901 and 119905119894119895 isin119877Z119901 (119894 isin [1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a hash function TA computes 119884 = 119890(1198921 ℎ)119910119879119894119895 = 1198921199051198941198951 (119894 isin [1 119899] 119895 isin [1 119899119894]) It generates PK =(119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) as public parametersand MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) as master secret key Notethat forall119878 1198781015840 (119878 = 1198781015840) sumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 is assumed

119870119890119910119866119890119899(119875119870119872119878119870 119878) TA selects 119903 isin119877Z119901 computes 1198701 =ℎ119910(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 1198702 = 1198921199031 and sends SK119878 = (1198701 1198702) to auser associated with attribute set 119878119864119899119888119903119910119901119905(119875119870119872A) An encryptor randomly selects119904 1199041015840 isin119877Z119901 isin 119866119879 He calculates = 119906119867(119872)V119867()1198891198621 = 119872 sdot 119884119904 1198622 = 1198921199041 1198623 = (prodV119894119895isinA119879119894119895)119904 11986210158401 = sdot 1198841199041015840 and 11986210158402 = 11989211990410158401 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 The sender generatesCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403)119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879) A decryptor calculates as follows

1198621 sdot 119890 (1198623 1198702)119890 (1198622 1198701) = 119872 sdot 119890 (1198921 ℎ)119904119910 119890 ((119892sumV119894119895isinA119905119894119895

1 )119904 1198921199031)119890(1198921199041 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= 119872 sdot 119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

= 11987211986210158401 sdot 119890 (11986210158403 1198702)119890 (11986210158402 1198701)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890((119892sumV119894119895isinA

119905119894119895

1 )1199041015840 1198921199031)119890(11989211990410158401 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isin119878119905119894119895

=

(1)

If = 119906119867(119872)V119867()119889 it outputs the message 119872 other-wise it outputs perp119866119890119899119879119870119900119906119905(119875119870 119878119870119878) A user generates his transformationkey pair as follows He chooses 119911 isin119877Z119901 and computes thetransformation key as TK119878 = (11987010158401 11987010158402) where 11987010158401 = 11987011199111 and

11987010158402 = 11987011199112 The retrieving key is RK119878 = 119911 Note that withoverwhelming probability 119911 has multiplicative inverse

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) Given ciphertext CT and trans-formation key TK119878 the CSP computes as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890(1198921199041 ℎ119910119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903119911)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031199111 )

= 119890 (1198921 ℎ)119904119910119911 119890 (1198921 1198921)119904119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119910119911 = 1198791015840119890 (11986210158402 11987010158401)119890 (11986210158403 11987010158402) =

119890(11989211990410158401 ℎ119910119911 (119892sumV119894119895isin119878119905119894119895

1 )119903119911)119890((prodV119894119895isinA119879119894119895)119904

1015840 1198921199031199111 )

= 119890 (1198921 ℎ)1199041015840119910119911 119890 (1198921 1198921)1199041015840119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)1199041015840119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)1199041015840119910119911 = 11987910158401015840

(2)

and it outputs the transformed ciphertext as CT1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) A user checks whether thetransformed ciphertext = or 1198791 = 1198621 or 11987910158401 = 11986210158401 if theequations do not hold he outputsperp Otherwise he computes119872 = 11986211198791015840119911 and = 1198621015840111987910158401015840119911 If = 119906119867(119872)V119867()119889 heoutputs the message119872 otherwise he outputs perp

Note thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 according to assumptionIf there exist 119878 and 1198781015840 such thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 the userwith attribute set 1198781015840 is able to decrypt ciphertext related toAwhere 1198781015840 ⊭ A 119878 ⊨ A and 119878 = 1198781015840We have that the assumptionholds with overwhelming probability

119901 (119901 minus 1) sdot sdot sdot (119901 minus (119873 minus 1))119901119873 gt (119901 minus (119873 minus 1))119873

119901119873= (1 minus 119873 minus 1119901 )119873 gt 1 minus 119873 (119873 minus 1)119901 gt 1 minus 1198732119901

(3)

where119873 = prod119899119894=1119899119894 If we randomly choose 119905119894119895 isin Z119901 as secret

key then our assumption is reasonable

4 Security Proof

Note that in our scheme a ciphertext consists of three parts(1198621 1198622 1198623) (11986210158401 11986210158402 11986210158403) and The first two elements areciphertexts for message119872 and random message respec-tively utilizing the encryption algorithm [33] In essence thesecond and the third elements are redundant information

6 Security and Communication Networks

The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from[33] which has been proven to be selectively CPA-secureWe denote the first four algorithms as Basic CP-ABE Toguarantee the security for our scheme we firstly prove that ifthe scheme in [33] is selectively CPA-secure then Basic CP-ABE scheme is selectively CPA-secure

Theorem6 Assume that the scheme in [33] is selectively CPA-secure Then the Basic CP-ABE scheme is also selectively CPA-secure

Proof We prove that our Basic CP-ABE scheme is selectivelyCPA-secure by the following two games

1198661198861198981198900 Game0 is the originally selective CPA security game

1198661198861198981198901 In Game1 the challenger randomly selects isin 1198661and generates the remaining parts of the challenge ciphertextCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) as in Game0

This theorem is proven via the following lemmasLemma7 shows thatGame0 andGame1 are indistinguishableLemma 8 shows that the advantage for an adversary inGame1 is negligible Thus we come to a conclusion that theadvantage for an adversary in Game0 is negligibleTheorem 6is correct from the two lemmas below

Lemma 7 Assume that the scheme in [33] is selectively CPA-secure Game0 and Game1 are computationally indistinguish-able

Proof If the adversary A is able to distinguish Game0 andGame1 at nonnegligible advantage then we find an algorithmB which attacks the scheme [33] under the selective CPAsecurity model at nonnegligible advantage

Let C be the challenger for the selective CPA securitygame in scheme [33] B and the adversary A interact asfollows

InitA gives Alowast toB as its challenge access policyB sendsAlowast to C as its challenge access policy C sends the publicparameters PK1015840 = (119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of the scheme[33] toB

Setup B selects 119909 119910 119911 isin119877Z119901 and computes 119906 = 1198921199091 V = 1198921199101 and 119889 = 1198921199111 B also selects hash function 119867 119866119879 rarr Zlowast119901B sends PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to theadversaryA

Query Phase 1 A adaptively launches private key query onattribute set 119878119894 then B gets the private key SK119878119894 via callingkey generation oracle of C with respect to 119878119894 B returns theprivate key SK119878119894 toA

Challenge A sends two equal size messages11987201198721 to B asthe challenge plaintextB selects a random bit 120573 and randommessages 0 1 isin 119866119879B sends 0 1 isin 119866119879 andAlowast toCC randomly selects 120574 isin 0 1 the message 120574 is encrypted

by PK1015840 and Alowast using the encryption algorithm in [32] andsends the resulting ciphertext CTlowast1015840 toBB denotes CTlowast1015840 asCTlowast1015840 = (Alowast 11986210158401 11986210158402 11986210158403)B selects 119904 isin119877Z119901 and computes =119906119867(119872120573)V119867(120573)1198891198621 = 119872120573 sdot1198841199041198622 = 1198921199041 and1198623 = (prodV119894119895isinA119879119894119895)119904and sends CTlowast = (Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) to A as itschallenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 of B B outputs 1205731015840 as aguess of 120574

Note that if120573 = 120574B appropriately simulates Game0 elseB appropriately simulates Game1 Therefore if A is able todistinguishGame0 andGame1 at nonnegligible advantage weare able to find an algorithmB that attacks the scheme [33] inselective CPA securitymodel at nonnegligible advantage

Lemma 8 Assume that the CP-ABE scheme in [33] is selec-tively CPA-secure the advantage for the adversaryA onGame1is negligible

Proof If the adversary A has a nonnegligible advantage inGame1 then we can find an algorithm B which attacks thescheme [33] at a nonnegligible advantage

Let C be the challenger with respect to B of the scheme[33] B interacts with A as demonstrated in the followingsteps

Init A submits challenge access policy Alowast to B B givesAlowast to C as its challenge access policy C returns PK1015840 =(119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of scheme [25] to B as publicparameters

Setup B chooses 119909 119910 119911 isin119877Z119901 and sets 119906 = 1198921199091 V = 1198921199101 and119889 = 1198921199111 119867 119866119879 rarr Zlowast119901 is a secure hash function B sendsPK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to the adversaryA

Query Phase 1 A adaptively launches private key query ofattribute set 119878119894 B gets the private key SK119878119894 via calling keygeneration oracle ofCwith respect to 119878119894B sends the privatekey SK119878119894 toA

Challenge A submits messages 11987201198721 with equal size Bsends11987201198721 and Alowast to C C randomly chooses 120574 isin 0 1themessage119872120574 is encrypted by PK

1015840 andAlowast using the encryp-tion algorithm in [33] and sends the resulting ciphertext CTlowast1015840to B B parses CTlowast1015840 as CTlowast1015840 = (Alowast 1198621 1198622 1198623) B selects1199041015840 isin119877Z119901 isin119877119866119879 and isin1198771198661 and computes 11986210158401 = sdot1198841199041015840 11986210158402 = 11989211990410158401 and 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 B sends CTlowast =(Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) toA as its challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 on B B returns 1205731015840 as itsguess for 120574 ObviouslyB has appropriately simulatedGame1

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 2: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

2 Security and Communication Networks

personal health record using multiauthority ABE with revo-cation Several traceable CP-ABE schemes [20ndash22] wereconstructed to trace the identity of a misbehaving user wholeaks its decryption key to others and thus reduces the trustassumptions on both users and attribute authorities RecentlyLi et al [23] presented flexible and fine-grained attribute-based data storage in cloud computing To protect dataprivacy the sensitive data should be encrypted by the dataowner prior to outsourcing As the amount of encrypted filesstored in cloud is becoming very huge searchable encryptionscheme over encrypted cloud data is a very challenging issueTo deal with above problem Li et al [24 25] proposed a newcryptographic primitive called attribute-based encryptionscheme with keyword search function [26ndash28] In the pro-posed scheme cloud service provider (CSP) performs partialdecryption task delegated by data user without knowinganything about the plaintext Moreover the CSP can performencrypted keyword search without knowing anything aboutthe keywords embedded in trapdoor In order to protect theprivacy for the encryptor and decryptor Li et al [29] proposea CP-ABE scheme with hidden access policy and testing

Our Motivations and Contributions With the cloud servicebeing more and more popular in modern society ABEtechnology has become a promising orientation It allowsusers to use flexible access control to access files stored inthe cloud server with encrypted formThough its advantagesmake it a powerful tool for cloud one of itsmain performancechallenges is that the complexity of decryption computationis linearly correlated with the access structure By using theproxy reencryption technology outsourced decryption ABEsystem can largely reduce the computation cost for users whointend to access the encrypted files stored in cloud Givena ciphertext and a transformation key CSP transforms aciphertext into a simple ciphertext The user only needs tospend less computational overhead to recover the plaintextfrom simple ciphertextHowever the correctness of the trans-formation ciphertext which the CSP gives to the user cannotbe guaranteed because the latter does not have the originalciphertext It is a security threat that malicious cloud serviceprovider (CSP) may replace the original ciphertext and givethe user a transformed ciphertext from another ciphertextwhich CSP wants the user to decryptThe user is not aware ofthe CSPrsquos malicious behavior Mutual verifiable provable dataauditing [30] in public cloud storage is a potential method tosolve remote data possession checkingThe security propertyabout ABE with outsourcing decryption ensures that themalicious cloud server cannot obtain anything with respectto the encrypted message nonetheless the scheme does notensure the validity of the transformation done by the CSPIn order to solve this problem Lai et al [31] put forward anABE scheme with verifiable outsourcing decryption whichguarantees verifiability of the transformation Recently Li etal [32] presented an outsourcing ABE scheme which cancheck validity of the outsourced computation results Thereis no doubt that verifiability brings about great progressto outsourced decryption of ABE However the ciphertextlength and the amount of expensive pairing computationsgrow with the number of the attributes which greatly limits

its application in power constrained and bandwidth limiteddevices Schemes in [33 34] put forward a good solutionto this problem in which the ciphertext length is constantIn this article we present a novel verifiable outsourced CP-ABE scheme with constant ciphertext length to save thecommunication cost The security of our scheme reducesto that of scheme in [33] Similar to the proof in [31] theverifiability of our scheme reduces to the discrete logarithmassumption

Organization We organized the rest of the paper as followsIn Section 2 we review some preliminary knowledge andintroduce the CP-ABE model of outsourced decryption Wealso give the security definitions used in our paper in thissection In Section 3 we provide a new verifiable outsourcedCP-ABE scheme with constant ciphertext length We provesecurity and verifiability of our scheme in Section 4 InSection 5 we give some performance comparison with theexisting schemes Finally we conclude the paper in Section 6

2 Preliminaries

We introduce some basic knowledge about bilinear groupssecurity assumption access structure andCP-ABEwhich ourscheme relies on

21 Bilinear Pairing

Definition 1 (bilinear map) 1198661 and 119866119879 are multiplicativecyclic groups with prime order 119901 Suppose 119892 is a generatorin 1198661 119890 1198661 times 1198661 rarr 119866119879 is bilinear map if it satisfies thefollowing properties

(1) Bilinearity for all 119906 V isin 1198661 119890(119906119886 V119887) = 119890(119906 V)119886119887where 119886 119887 isin Z119901 are selected randomly

(2) Nondegeneracy there exists 119906 V isin 1198661 such that119890(119906 V) = 1(3) Computability for all 119906 V isin 1198661 there is an efficient

algorithm to compute 119890(119906 V)22 Security Assumption

Definition 2 (discrete logarithm (DL) assumption [31]) Let(119901 119866 119866119879 119890) be a prime-order bilinear group system Given(119901 119866 119866119879 119890 119892 119892119909) where 119892 isin 119866 is randomly selected the DLproblem for (119901 119866 119866119879 119890) is to calculate 119909 The DL assump-tion in (119901 119866 119866119879 119890) is that no probabilistic polynomial-time (PPT) algorithm A solves the DL problem at non-negligible advantage The advantage for A is defined asPr[A(119901 119866 119866119879 119890 119892 119892119909) = 119909]23 Access Structure Access structure is being referred toin [33] we utilize AND gates with respect to multivaluedattributes as follows

Definition 3 Assume that 119880 = att1 att119899 is an attributeuniverse 119881119894 = V1198941 V1198942 V119894119899119894 are some feasible valueswhere 119899119894 is the amount of feasible values of att119894 isin 119880 Let

Security and Communication Networks 3

Compute and verify

Compute partially decrypted

User

ciphertext CT

CT

Out

sour

ce (C

T T

K)

Downloa

d CT

Upload

searc

h index

for T

KSearch TK for index

TK of the userCloud service providerStorage

Upl

oad

CT

Cloud

Data owner

Encrypt

M CT

Figure 1 System architecture of our scheme

119878 = [1198781 1198782 119878119899] let 119878119894 isin 119881119894 be an attribute set for a userand A = [A1A2 A119899] let A119894 isin 119881119894 be an access structureThe notation 119878 ⊨ A denotes that an attribute set 119878 satisfies anaccess structure A that is to say 119878119894 = A119894 (119894 = 1 2 119899)

24 Outline of CP-ABE with Outsourced Decryption Brieflyspeaking a user interacts with the CSP as illustrated inFigure 1 Data owner encrypts message119872 into ciphertext CTand uploads it to the storage in cloud A user who is permittedto access the data downloads the ciphertext Then the usersends the ciphertext and transformation key to the CSP foroutsourcing decryption CSP computes partially decryptedciphertext CT1015840 and sends it to the userThe user computes themessage from the partially decrypted ciphertext and verifieswhether the message is the original one

We review the notion of CP-ABE in [31] with outsourceddecryption It is described by the seven algorithms as follows

119878119890119905119906119901(120582 119880) This algorithm takes the security parameter 120582and attribute universe119880 as input It outputs public parameterPK and master secret key MK

119870119890119910119866119890119899(119875119870119872119870 119878) This algorithm takes PK MK andattribute set 119878 as input It outputs private key SK119878 related to119878119864119899119888119903119910119901119905(119875119870119872A) This algorithm takes PK message 119872and access structure A as input and outputs ciphertext CT

119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879)This algorithm takes PK SK119878 andCTas input It outputs119872 if SK119878 associated with 119878 satisfies A

119866119890119899119879119870119900119906119905(119875119870 119878119870119878) This algorithm takes PK and SK119878 asinput It outputs transformation key TK119878 associated with 119878and a corresponding retrieving key RK119878

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) This algorithm takes PK CTand TK119878 as input It outputs a partially decrypted ciphertextCT1015840

119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) This algorithm takes PK CTCT1015840 and RK119878 for 119878 as input It outputs message119872 or perp25 Security Model for CP-ABE with Outsourcing DecryptionLai et al [31] described security properties and verifiabilityfor CP-ABE which supports outsourcing decryption Thetraditional concept of security for chosen-ciphertext attack(CCA) is not suitable for the above CP-ABE scheme becauseit does not permitmodifying any bit for the ciphertextThere-fore they use a relaxation named replayed CCA (RCCA)security [35] which permits alternation for the ciphertextso that they can change the potential message in a significantway

251 Security The RCCA security of outsourced decryptionCP-ABE is described as a game in both an adversary and achallenger According to the game in [31] it is described asfollows

Setup The challenger C performs setup algorithm to get thepublic parameter PK and master secret key MK It sends PKto the adversaryA and keeps MK secret

4 Security and Communication Networks

Query Phase 1 The challenger maintains a table Tb and a set119863 which are initialized empty The adversary A adaptivelyissues queries

(1) Private Key Query for Attribute Set 119878 The challenger runsSK119878 larr KeyGen(PKMK 119878) and sets 119863 = 119863 cup 119878 It thensends the private key SK119878 to the adversary

(2) Transformation Key Query on Attribute Set 119878 C scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tupleexists it returns TK119878 as the transformation key Otherwiseit runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the tuple in table Tb It thenreturns the transformation key TK119878 to the adversary

Without loss of generality we suppose that an adversarydoes not launch transformation key query for attribute set 119878if a private key query about the same attribute set 119878 has beenissued Since anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself the assumption is rational

(3) Decryption Query for Attribute Set 119878 and Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 to the adversary

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Cipher-text (119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable Tb If such a tuple exists it runs algorithm 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends 1198720 and 1198721 with equal length and anaccess policy Alowast to C subject to the restriction that for all119878 isin 119863 Alowast cannot be satisfied by 119878 The challenger chooses119887 isin 0 1 and computes CTlowast = Encrypt(PK119872119887Alowast) Thenthe challenger sends the challenge ciphertext CTlowast toA

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1 with the following restrictions

(1) A cannot make private key query which results inattribute set 119878 that satisfies the target access policyAlowast

(2) A cannot issue any trivial decryption queriesNamely Decryptionout and decryption queries arereplied to as phase 1 if the response is either 1198720 or1198721 thenC returns perp

Guess The adversary A gives a guess 1198871015840 isin 0 1 for 119887 andsucceeds in the game if 1198871015840 = 119887|Pr(1198871015840 = 119887)minus12| is defined as the advantage for the adver-saryA in the game

Definition 4 An outsourcing decryption CP-ABE schemeis RCCA secure if all probabilistic polynomial-time (PPT)adversaries have at most a negligible advantage of winningin this game

CPA Security An outsourcing decryption CP-ABE schemeis secure under chosen-plaintext attack (CPA) if A cannotlaunch decryption queries in the above game

Selective Security An outsourcing decryption CP-ABEscheme is selective security if we add an initialization phaseprior to setup algorithm in above game where the adversarygives the challenger access structure Alowast

252 Verifiability The verifiability for CP-ABE with out-sourced decryption is depicted via a game in both anadversary and a challenger The game proceeds as follows

Setup C performs algorithm setup to generate the publicparameters PK and master secret key MSK It returns PK toA and keeps MSK secret

Query Phase 1 C initializes an empty table 119879 A adaptivelyissues the following queries

(1) Private Key Query for Attribute Set 119878 C runs SK119878 larrKeyGen(PKMK 119878) and returns the private key SK119878 to theadversary

(2) Transformation Key Query for Attribute Set 119878 The chal-lenger runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the entry (119878 SK119878TK119878RK119878) intable 119879 It then returns the transformation key TK119878 to theadversary

Without loss of generality we suppose that the adversarydoes not launch transformation key query for attribute set119878 if a private key query about the same attribute set 119878 hasbeen issued Anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself

(3) Decryption Query for Attribute Set 119878 and a Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 toC

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Ciphertexts(119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable 119879 If such a tuple exists it runs 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends challenge message 119872lowast and challengeaccess policy Alowast to the challenger C C computes CTlowast =Encrypt(PK119872lowastAlowast) and returns CTlowast to A as its challengeciphertext

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1

Output A returns attribute set 119878lowast and transformed cipher-text CTlowast1015840 We suppose that tuple (119878lowast SK119878lowast TK119878lowast RK119878lowast) isincluded in table 119879 Otherwise the challenger generates thetuple as the reply for transformation key query A succeedsin the game if Decryptout(PKCTlowastCTlowast1015840RK119878lowast) notin 119872lowast perp

Security and Communication Networks 5

Definition 5 An outsourcing decryption CP-ABE scheme isverifiable if PPT adversary has at most a negligible advantagein the above game

3 Construction of Our New Scheme

Our new scheme consists of seven algorithms

119878119890119905119906119901(1119896) A trusted authority (TA) picks two bilinear groups(1198661 119866119879) of prime-order 119901 1198921 isin 1198661 ℎ 119906 V 119889 isin 1198661119910 isin119877Z119901 and 119905119894119895 isin119877Z119901 (119894 isin [1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a hash function TA computes 119884 = 119890(1198921 ℎ)119910119879119894119895 = 1198921199051198941198951 (119894 isin [1 119899] 119895 isin [1 119899119894]) It generates PK =(119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) as public parametersand MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) as master secret key Notethat forall119878 1198781015840 (119878 = 1198781015840) sumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 is assumed

119870119890119910119866119890119899(119875119870119872119878119870 119878) TA selects 119903 isin119877Z119901 computes 1198701 =ℎ119910(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 1198702 = 1198921199031 and sends SK119878 = (1198701 1198702) to auser associated with attribute set 119878119864119899119888119903119910119901119905(119875119870119872A) An encryptor randomly selects119904 1199041015840 isin119877Z119901 isin 119866119879 He calculates = 119906119867(119872)V119867()1198891198621 = 119872 sdot 119884119904 1198622 = 1198921199041 1198623 = (prodV119894119895isinA119879119894119895)119904 11986210158401 = sdot 1198841199041015840 and 11986210158402 = 11989211990410158401 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 The sender generatesCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403)119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879) A decryptor calculates as follows

1198621 sdot 119890 (1198623 1198702)119890 (1198622 1198701) = 119872 sdot 119890 (1198921 ℎ)119904119910 119890 ((119892sumV119894119895isinA119905119894119895

1 )119904 1198921199031)119890(1198921199041 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= 119872 sdot 119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

= 11987211986210158401 sdot 119890 (11986210158403 1198702)119890 (11986210158402 1198701)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890((119892sumV119894119895isinA

119905119894119895

1 )1199041015840 1198921199031)119890(11989211990410158401 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isin119878119905119894119895

=

(1)

If = 119906119867(119872)V119867()119889 it outputs the message 119872 other-wise it outputs perp119866119890119899119879119870119900119906119905(119875119870 119878119870119878) A user generates his transformationkey pair as follows He chooses 119911 isin119877Z119901 and computes thetransformation key as TK119878 = (11987010158401 11987010158402) where 11987010158401 = 11987011199111 and

11987010158402 = 11987011199112 The retrieving key is RK119878 = 119911 Note that withoverwhelming probability 119911 has multiplicative inverse

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) Given ciphertext CT and trans-formation key TK119878 the CSP computes as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890(1198921199041 ℎ119910119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903119911)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031199111 )

= 119890 (1198921 ℎ)119904119910119911 119890 (1198921 1198921)119904119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119910119911 = 1198791015840119890 (11986210158402 11987010158401)119890 (11986210158403 11987010158402) =

119890(11989211990410158401 ℎ119910119911 (119892sumV119894119895isin119878119905119894119895

1 )119903119911)119890((prodV119894119895isinA119879119894119895)119904

1015840 1198921199031199111 )

= 119890 (1198921 ℎ)1199041015840119910119911 119890 (1198921 1198921)1199041015840119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)1199041015840119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)1199041015840119910119911 = 11987910158401015840

(2)

and it outputs the transformed ciphertext as CT1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) A user checks whether thetransformed ciphertext = or 1198791 = 1198621 or 11987910158401 = 11986210158401 if theequations do not hold he outputsperp Otherwise he computes119872 = 11986211198791015840119911 and = 1198621015840111987910158401015840119911 If = 119906119867(119872)V119867()119889 heoutputs the message119872 otherwise he outputs perp

Note thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 according to assumptionIf there exist 119878 and 1198781015840 such thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 the userwith attribute set 1198781015840 is able to decrypt ciphertext related toAwhere 1198781015840 ⊭ A 119878 ⊨ A and 119878 = 1198781015840We have that the assumptionholds with overwhelming probability

119901 (119901 minus 1) sdot sdot sdot (119901 minus (119873 minus 1))119901119873 gt (119901 minus (119873 minus 1))119873

119901119873= (1 minus 119873 minus 1119901 )119873 gt 1 minus 119873 (119873 minus 1)119901 gt 1 minus 1198732119901

(3)

where119873 = prod119899119894=1119899119894 If we randomly choose 119905119894119895 isin Z119901 as secret

key then our assumption is reasonable

4 Security Proof

Note that in our scheme a ciphertext consists of three parts(1198621 1198622 1198623) (11986210158401 11986210158402 11986210158403) and The first two elements areciphertexts for message119872 and random message respec-tively utilizing the encryption algorithm [33] In essence thesecond and the third elements are redundant information

6 Security and Communication Networks

The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from[33] which has been proven to be selectively CPA-secureWe denote the first four algorithms as Basic CP-ABE Toguarantee the security for our scheme we firstly prove that ifthe scheme in [33] is selectively CPA-secure then Basic CP-ABE scheme is selectively CPA-secure

Theorem6 Assume that the scheme in [33] is selectively CPA-secure Then the Basic CP-ABE scheme is also selectively CPA-secure

Proof We prove that our Basic CP-ABE scheme is selectivelyCPA-secure by the following two games

1198661198861198981198900 Game0 is the originally selective CPA security game

1198661198861198981198901 In Game1 the challenger randomly selects isin 1198661and generates the remaining parts of the challenge ciphertextCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) as in Game0

This theorem is proven via the following lemmasLemma7 shows thatGame0 andGame1 are indistinguishableLemma 8 shows that the advantage for an adversary inGame1 is negligible Thus we come to a conclusion that theadvantage for an adversary in Game0 is negligibleTheorem 6is correct from the two lemmas below

Lemma 7 Assume that the scheme in [33] is selectively CPA-secure Game0 and Game1 are computationally indistinguish-able

Proof If the adversary A is able to distinguish Game0 andGame1 at nonnegligible advantage then we find an algorithmB which attacks the scheme [33] under the selective CPAsecurity model at nonnegligible advantage

Let C be the challenger for the selective CPA securitygame in scheme [33] B and the adversary A interact asfollows

InitA gives Alowast toB as its challenge access policyB sendsAlowast to C as its challenge access policy C sends the publicparameters PK1015840 = (119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of the scheme[33] toB

Setup B selects 119909 119910 119911 isin119877Z119901 and computes 119906 = 1198921199091 V = 1198921199101 and 119889 = 1198921199111 B also selects hash function 119867 119866119879 rarr Zlowast119901B sends PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to theadversaryA

Query Phase 1 A adaptively launches private key query onattribute set 119878119894 then B gets the private key SK119878119894 via callingkey generation oracle of C with respect to 119878119894 B returns theprivate key SK119878119894 toA

Challenge A sends two equal size messages11987201198721 to B asthe challenge plaintextB selects a random bit 120573 and randommessages 0 1 isin 119866119879B sends 0 1 isin 119866119879 andAlowast toCC randomly selects 120574 isin 0 1 the message 120574 is encrypted

by PK1015840 and Alowast using the encryption algorithm in [32] andsends the resulting ciphertext CTlowast1015840 toBB denotes CTlowast1015840 asCTlowast1015840 = (Alowast 11986210158401 11986210158402 11986210158403)B selects 119904 isin119877Z119901 and computes =119906119867(119872120573)V119867(120573)1198891198621 = 119872120573 sdot1198841199041198622 = 1198921199041 and1198623 = (prodV119894119895isinA119879119894119895)119904and sends CTlowast = (Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) to A as itschallenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 of B B outputs 1205731015840 as aguess of 120574

Note that if120573 = 120574B appropriately simulates Game0 elseB appropriately simulates Game1 Therefore if A is able todistinguishGame0 andGame1 at nonnegligible advantage weare able to find an algorithmB that attacks the scheme [33] inselective CPA securitymodel at nonnegligible advantage

Lemma 8 Assume that the CP-ABE scheme in [33] is selec-tively CPA-secure the advantage for the adversaryA onGame1is negligible

Proof If the adversary A has a nonnegligible advantage inGame1 then we can find an algorithm B which attacks thescheme [33] at a nonnegligible advantage

Let C be the challenger with respect to B of the scheme[33] B interacts with A as demonstrated in the followingsteps

Init A submits challenge access policy Alowast to B B givesAlowast to C as its challenge access policy C returns PK1015840 =(119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of scheme [25] to B as publicparameters

Setup B chooses 119909 119910 119911 isin119877Z119901 and sets 119906 = 1198921199091 V = 1198921199101 and119889 = 1198921199111 119867 119866119879 rarr Zlowast119901 is a secure hash function B sendsPK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to the adversaryA

Query Phase 1 A adaptively launches private key query ofattribute set 119878119894 B gets the private key SK119878119894 via calling keygeneration oracle ofCwith respect to 119878119894B sends the privatekey SK119878119894 toA

Challenge A submits messages 11987201198721 with equal size Bsends11987201198721 and Alowast to C C randomly chooses 120574 isin 0 1themessage119872120574 is encrypted by PK

1015840 andAlowast using the encryp-tion algorithm in [33] and sends the resulting ciphertext CTlowast1015840to B B parses CTlowast1015840 as CTlowast1015840 = (Alowast 1198621 1198622 1198623) B selects1199041015840 isin119877Z119901 isin119877119866119879 and isin1198771198661 and computes 11986210158401 = sdot1198841199041015840 11986210158402 = 11989211990410158401 and 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 B sends CTlowast =(Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) toA as its challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 on B B returns 1205731015840 as itsguess for 120574 ObviouslyB has appropriately simulatedGame1

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 3: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

Security and Communication Networks 3

Compute and verify

Compute partially decrypted

User

ciphertext CT

CT

Out

sour

ce (C

T T

K)

Downloa

d CT

Upload

searc

h index

for T

KSearch TK for index

TK of the userCloud service providerStorage

Upl

oad

CT

Cloud

Data owner

Encrypt

M CT

Figure 1 System architecture of our scheme

119878 = [1198781 1198782 119878119899] let 119878119894 isin 119881119894 be an attribute set for a userand A = [A1A2 A119899] let A119894 isin 119881119894 be an access structureThe notation 119878 ⊨ A denotes that an attribute set 119878 satisfies anaccess structure A that is to say 119878119894 = A119894 (119894 = 1 2 119899)

24 Outline of CP-ABE with Outsourced Decryption Brieflyspeaking a user interacts with the CSP as illustrated inFigure 1 Data owner encrypts message119872 into ciphertext CTand uploads it to the storage in cloud A user who is permittedto access the data downloads the ciphertext Then the usersends the ciphertext and transformation key to the CSP foroutsourcing decryption CSP computes partially decryptedciphertext CT1015840 and sends it to the userThe user computes themessage from the partially decrypted ciphertext and verifieswhether the message is the original one

We review the notion of CP-ABE in [31] with outsourceddecryption It is described by the seven algorithms as follows

119878119890119905119906119901(120582 119880) This algorithm takes the security parameter 120582and attribute universe119880 as input It outputs public parameterPK and master secret key MK

119870119890119910119866119890119899(119875119870119872119870 119878) This algorithm takes PK MK andattribute set 119878 as input It outputs private key SK119878 related to119878119864119899119888119903119910119901119905(119875119870119872A) This algorithm takes PK message 119872and access structure A as input and outputs ciphertext CT

119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879)This algorithm takes PK SK119878 andCTas input It outputs119872 if SK119878 associated with 119878 satisfies A

119866119890119899119879119870119900119906119905(119875119870 119878119870119878) This algorithm takes PK and SK119878 asinput It outputs transformation key TK119878 associated with 119878and a corresponding retrieving key RK119878

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) This algorithm takes PK CTand TK119878 as input It outputs a partially decrypted ciphertextCT1015840

119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) This algorithm takes PK CTCT1015840 and RK119878 for 119878 as input It outputs message119872 or perp25 Security Model for CP-ABE with Outsourcing DecryptionLai et al [31] described security properties and verifiabilityfor CP-ABE which supports outsourcing decryption Thetraditional concept of security for chosen-ciphertext attack(CCA) is not suitable for the above CP-ABE scheme becauseit does not permitmodifying any bit for the ciphertextThere-fore they use a relaxation named replayed CCA (RCCA)security [35] which permits alternation for the ciphertextso that they can change the potential message in a significantway

251 Security The RCCA security of outsourced decryptionCP-ABE is described as a game in both an adversary and achallenger According to the game in [31] it is described asfollows

Setup The challenger C performs setup algorithm to get thepublic parameter PK and master secret key MK It sends PKto the adversaryA and keeps MK secret

4 Security and Communication Networks

Query Phase 1 The challenger maintains a table Tb and a set119863 which are initialized empty The adversary A adaptivelyissues queries

(1) Private Key Query for Attribute Set 119878 The challenger runsSK119878 larr KeyGen(PKMK 119878) and sets 119863 = 119863 cup 119878 It thensends the private key SK119878 to the adversary

(2) Transformation Key Query on Attribute Set 119878 C scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tupleexists it returns TK119878 as the transformation key Otherwiseit runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the tuple in table Tb It thenreturns the transformation key TK119878 to the adversary

Without loss of generality we suppose that an adversarydoes not launch transformation key query for attribute set 119878if a private key query about the same attribute set 119878 has beenissued Since anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself the assumption is rational

(3) Decryption Query for Attribute Set 119878 and Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 to the adversary

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Cipher-text (119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable Tb If such a tuple exists it runs algorithm 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends 1198720 and 1198721 with equal length and anaccess policy Alowast to C subject to the restriction that for all119878 isin 119863 Alowast cannot be satisfied by 119878 The challenger chooses119887 isin 0 1 and computes CTlowast = Encrypt(PK119872119887Alowast) Thenthe challenger sends the challenge ciphertext CTlowast toA

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1 with the following restrictions

(1) A cannot make private key query which results inattribute set 119878 that satisfies the target access policyAlowast

(2) A cannot issue any trivial decryption queriesNamely Decryptionout and decryption queries arereplied to as phase 1 if the response is either 1198720 or1198721 thenC returns perp

Guess The adversary A gives a guess 1198871015840 isin 0 1 for 119887 andsucceeds in the game if 1198871015840 = 119887|Pr(1198871015840 = 119887)minus12| is defined as the advantage for the adver-saryA in the game

Definition 4 An outsourcing decryption CP-ABE schemeis RCCA secure if all probabilistic polynomial-time (PPT)adversaries have at most a negligible advantage of winningin this game

CPA Security An outsourcing decryption CP-ABE schemeis secure under chosen-plaintext attack (CPA) if A cannotlaunch decryption queries in the above game

Selective Security An outsourcing decryption CP-ABEscheme is selective security if we add an initialization phaseprior to setup algorithm in above game where the adversarygives the challenger access structure Alowast

252 Verifiability The verifiability for CP-ABE with out-sourced decryption is depicted via a game in both anadversary and a challenger The game proceeds as follows

Setup C performs algorithm setup to generate the publicparameters PK and master secret key MSK It returns PK toA and keeps MSK secret

Query Phase 1 C initializes an empty table 119879 A adaptivelyissues the following queries

(1) Private Key Query for Attribute Set 119878 C runs SK119878 larrKeyGen(PKMK 119878) and returns the private key SK119878 to theadversary

(2) Transformation Key Query for Attribute Set 119878 The chal-lenger runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the entry (119878 SK119878TK119878RK119878) intable 119879 It then returns the transformation key TK119878 to theadversary

Without loss of generality we suppose that the adversarydoes not launch transformation key query for attribute set119878 if a private key query about the same attribute set 119878 hasbeen issued Anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself

(3) Decryption Query for Attribute Set 119878 and a Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 toC

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Ciphertexts(119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable 119879 If such a tuple exists it runs 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends challenge message 119872lowast and challengeaccess policy Alowast to the challenger C C computes CTlowast =Encrypt(PK119872lowastAlowast) and returns CTlowast to A as its challengeciphertext

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1

Output A returns attribute set 119878lowast and transformed cipher-text CTlowast1015840 We suppose that tuple (119878lowast SK119878lowast TK119878lowast RK119878lowast) isincluded in table 119879 Otherwise the challenger generates thetuple as the reply for transformation key query A succeedsin the game if Decryptout(PKCTlowastCTlowast1015840RK119878lowast) notin 119872lowast perp

Security and Communication Networks 5

Definition 5 An outsourcing decryption CP-ABE scheme isverifiable if PPT adversary has at most a negligible advantagein the above game

3 Construction of Our New Scheme

Our new scheme consists of seven algorithms

119878119890119905119906119901(1119896) A trusted authority (TA) picks two bilinear groups(1198661 119866119879) of prime-order 119901 1198921 isin 1198661 ℎ 119906 V 119889 isin 1198661119910 isin119877Z119901 and 119905119894119895 isin119877Z119901 (119894 isin [1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a hash function TA computes 119884 = 119890(1198921 ℎ)119910119879119894119895 = 1198921199051198941198951 (119894 isin [1 119899] 119895 isin [1 119899119894]) It generates PK =(119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) as public parametersand MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) as master secret key Notethat forall119878 1198781015840 (119878 = 1198781015840) sumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 is assumed

119870119890119910119866119890119899(119875119870119872119878119870 119878) TA selects 119903 isin119877Z119901 computes 1198701 =ℎ119910(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 1198702 = 1198921199031 and sends SK119878 = (1198701 1198702) to auser associated with attribute set 119878119864119899119888119903119910119901119905(119875119870119872A) An encryptor randomly selects119904 1199041015840 isin119877Z119901 isin 119866119879 He calculates = 119906119867(119872)V119867()1198891198621 = 119872 sdot 119884119904 1198622 = 1198921199041 1198623 = (prodV119894119895isinA119879119894119895)119904 11986210158401 = sdot 1198841199041015840 and 11986210158402 = 11989211990410158401 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 The sender generatesCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403)119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879) A decryptor calculates as follows

1198621 sdot 119890 (1198623 1198702)119890 (1198622 1198701) = 119872 sdot 119890 (1198921 ℎ)119904119910 119890 ((119892sumV119894119895isinA119905119894119895

1 )119904 1198921199031)119890(1198921199041 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= 119872 sdot 119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

= 11987211986210158401 sdot 119890 (11986210158403 1198702)119890 (11986210158402 1198701)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890((119892sumV119894119895isinA

119905119894119895

1 )1199041015840 1198921199031)119890(11989211990410158401 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isin119878119905119894119895

=

(1)

If = 119906119867(119872)V119867()119889 it outputs the message 119872 other-wise it outputs perp119866119890119899119879119870119900119906119905(119875119870 119878119870119878) A user generates his transformationkey pair as follows He chooses 119911 isin119877Z119901 and computes thetransformation key as TK119878 = (11987010158401 11987010158402) where 11987010158401 = 11987011199111 and

11987010158402 = 11987011199112 The retrieving key is RK119878 = 119911 Note that withoverwhelming probability 119911 has multiplicative inverse

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) Given ciphertext CT and trans-formation key TK119878 the CSP computes as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890(1198921199041 ℎ119910119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903119911)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031199111 )

= 119890 (1198921 ℎ)119904119910119911 119890 (1198921 1198921)119904119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119910119911 = 1198791015840119890 (11986210158402 11987010158401)119890 (11986210158403 11987010158402) =

119890(11989211990410158401 ℎ119910119911 (119892sumV119894119895isin119878119905119894119895

1 )119903119911)119890((prodV119894119895isinA119879119894119895)119904

1015840 1198921199031199111 )

= 119890 (1198921 ℎ)1199041015840119910119911 119890 (1198921 1198921)1199041015840119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)1199041015840119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)1199041015840119910119911 = 11987910158401015840

(2)

and it outputs the transformed ciphertext as CT1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) A user checks whether thetransformed ciphertext = or 1198791 = 1198621 or 11987910158401 = 11986210158401 if theequations do not hold he outputsperp Otherwise he computes119872 = 11986211198791015840119911 and = 1198621015840111987910158401015840119911 If = 119906119867(119872)V119867()119889 heoutputs the message119872 otherwise he outputs perp

Note thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 according to assumptionIf there exist 119878 and 1198781015840 such thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 the userwith attribute set 1198781015840 is able to decrypt ciphertext related toAwhere 1198781015840 ⊭ A 119878 ⊨ A and 119878 = 1198781015840We have that the assumptionholds with overwhelming probability

119901 (119901 minus 1) sdot sdot sdot (119901 minus (119873 minus 1))119901119873 gt (119901 minus (119873 minus 1))119873

119901119873= (1 minus 119873 minus 1119901 )119873 gt 1 minus 119873 (119873 minus 1)119901 gt 1 minus 1198732119901

(3)

where119873 = prod119899119894=1119899119894 If we randomly choose 119905119894119895 isin Z119901 as secret

key then our assumption is reasonable

4 Security Proof

Note that in our scheme a ciphertext consists of three parts(1198621 1198622 1198623) (11986210158401 11986210158402 11986210158403) and The first two elements areciphertexts for message119872 and random message respec-tively utilizing the encryption algorithm [33] In essence thesecond and the third elements are redundant information

6 Security and Communication Networks

The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from[33] which has been proven to be selectively CPA-secureWe denote the first four algorithms as Basic CP-ABE Toguarantee the security for our scheme we firstly prove that ifthe scheme in [33] is selectively CPA-secure then Basic CP-ABE scheme is selectively CPA-secure

Theorem6 Assume that the scheme in [33] is selectively CPA-secure Then the Basic CP-ABE scheme is also selectively CPA-secure

Proof We prove that our Basic CP-ABE scheme is selectivelyCPA-secure by the following two games

1198661198861198981198900 Game0 is the originally selective CPA security game

1198661198861198981198901 In Game1 the challenger randomly selects isin 1198661and generates the remaining parts of the challenge ciphertextCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) as in Game0

This theorem is proven via the following lemmasLemma7 shows thatGame0 andGame1 are indistinguishableLemma 8 shows that the advantage for an adversary inGame1 is negligible Thus we come to a conclusion that theadvantage for an adversary in Game0 is negligibleTheorem 6is correct from the two lemmas below

Lemma 7 Assume that the scheme in [33] is selectively CPA-secure Game0 and Game1 are computationally indistinguish-able

Proof If the adversary A is able to distinguish Game0 andGame1 at nonnegligible advantage then we find an algorithmB which attacks the scheme [33] under the selective CPAsecurity model at nonnegligible advantage

Let C be the challenger for the selective CPA securitygame in scheme [33] B and the adversary A interact asfollows

InitA gives Alowast toB as its challenge access policyB sendsAlowast to C as its challenge access policy C sends the publicparameters PK1015840 = (119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of the scheme[33] toB

Setup B selects 119909 119910 119911 isin119877Z119901 and computes 119906 = 1198921199091 V = 1198921199101 and 119889 = 1198921199111 B also selects hash function 119867 119866119879 rarr Zlowast119901B sends PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to theadversaryA

Query Phase 1 A adaptively launches private key query onattribute set 119878119894 then B gets the private key SK119878119894 via callingkey generation oracle of C with respect to 119878119894 B returns theprivate key SK119878119894 toA

Challenge A sends two equal size messages11987201198721 to B asthe challenge plaintextB selects a random bit 120573 and randommessages 0 1 isin 119866119879B sends 0 1 isin 119866119879 andAlowast toCC randomly selects 120574 isin 0 1 the message 120574 is encrypted

by PK1015840 and Alowast using the encryption algorithm in [32] andsends the resulting ciphertext CTlowast1015840 toBB denotes CTlowast1015840 asCTlowast1015840 = (Alowast 11986210158401 11986210158402 11986210158403)B selects 119904 isin119877Z119901 and computes =119906119867(119872120573)V119867(120573)1198891198621 = 119872120573 sdot1198841199041198622 = 1198921199041 and1198623 = (prodV119894119895isinA119879119894119895)119904and sends CTlowast = (Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) to A as itschallenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 of B B outputs 1205731015840 as aguess of 120574

Note that if120573 = 120574B appropriately simulates Game0 elseB appropriately simulates Game1 Therefore if A is able todistinguishGame0 andGame1 at nonnegligible advantage weare able to find an algorithmB that attacks the scheme [33] inselective CPA securitymodel at nonnegligible advantage

Lemma 8 Assume that the CP-ABE scheme in [33] is selec-tively CPA-secure the advantage for the adversaryA onGame1is negligible

Proof If the adversary A has a nonnegligible advantage inGame1 then we can find an algorithm B which attacks thescheme [33] at a nonnegligible advantage

Let C be the challenger with respect to B of the scheme[33] B interacts with A as demonstrated in the followingsteps

Init A submits challenge access policy Alowast to B B givesAlowast to C as its challenge access policy C returns PK1015840 =(119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of scheme [25] to B as publicparameters

Setup B chooses 119909 119910 119911 isin119877Z119901 and sets 119906 = 1198921199091 V = 1198921199101 and119889 = 1198921199111 119867 119866119879 rarr Zlowast119901 is a secure hash function B sendsPK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to the adversaryA

Query Phase 1 A adaptively launches private key query ofattribute set 119878119894 B gets the private key SK119878119894 via calling keygeneration oracle ofCwith respect to 119878119894B sends the privatekey SK119878119894 toA

Challenge A submits messages 11987201198721 with equal size Bsends11987201198721 and Alowast to C C randomly chooses 120574 isin 0 1themessage119872120574 is encrypted by PK

1015840 andAlowast using the encryp-tion algorithm in [33] and sends the resulting ciphertext CTlowast1015840to B B parses CTlowast1015840 as CTlowast1015840 = (Alowast 1198621 1198622 1198623) B selects1199041015840 isin119877Z119901 isin119877119866119879 and isin1198771198661 and computes 11986210158401 = sdot1198841199041015840 11986210158402 = 11989211990410158401 and 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 B sends CTlowast =(Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) toA as its challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 on B B returns 1205731015840 as itsguess for 120574 ObviouslyB has appropriately simulatedGame1

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 4: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

4 Security and Communication Networks

Query Phase 1 The challenger maintains a table Tb and a set119863 which are initialized empty The adversary A adaptivelyissues queries

(1) Private Key Query for Attribute Set 119878 The challenger runsSK119878 larr KeyGen(PKMK 119878) and sets 119863 = 119863 cup 119878 It thensends the private key SK119878 to the adversary

(2) Transformation Key Query on Attribute Set 119878 C scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tupleexists it returns TK119878 as the transformation key Otherwiseit runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the tuple in table Tb It thenreturns the transformation key TK119878 to the adversary

Without loss of generality we suppose that an adversarydoes not launch transformation key query for attribute set 119878if a private key query about the same attribute set 119878 has beenissued Since anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself the assumption is rational

(3) Decryption Query for Attribute Set 119878 and Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 to the adversary

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Cipher-text (119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable Tb If such a tuple exists it runs algorithm 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends 1198720 and 1198721 with equal length and anaccess policy Alowast to C subject to the restriction that for all119878 isin 119863 Alowast cannot be satisfied by 119878 The challenger chooses119887 isin 0 1 and computes CTlowast = Encrypt(PK119872119887Alowast) Thenthe challenger sends the challenge ciphertext CTlowast toA

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1 with the following restrictions

(1) A cannot make private key query which results inattribute set 119878 that satisfies the target access policyAlowast

(2) A cannot issue any trivial decryption queriesNamely Decryptionout and decryption queries arereplied to as phase 1 if the response is either 1198720 or1198721 thenC returns perp

Guess The adversary A gives a guess 1198871015840 isin 0 1 for 119887 andsucceeds in the game if 1198871015840 = 119887|Pr(1198871015840 = 119887)minus12| is defined as the advantage for the adver-saryA in the game

Definition 4 An outsourcing decryption CP-ABE schemeis RCCA secure if all probabilistic polynomial-time (PPT)adversaries have at most a negligible advantage of winningin this game

CPA Security An outsourcing decryption CP-ABE schemeis secure under chosen-plaintext attack (CPA) if A cannotlaunch decryption queries in the above game

Selective Security An outsourcing decryption CP-ABEscheme is selective security if we add an initialization phaseprior to setup algorithm in above game where the adversarygives the challenger access structure Alowast

252 Verifiability The verifiability for CP-ABE with out-sourced decryption is depicted via a game in both anadversary and a challenger The game proceeds as follows

Setup C performs algorithm setup to generate the publicparameters PK and master secret key MSK It returns PK toA and keeps MSK secret

Query Phase 1 C initializes an empty table 119879 A adaptivelyissues the following queries

(1) Private Key Query for Attribute Set 119878 C runs SK119878 larrKeyGen(PKMK 119878) and returns the private key SK119878 to theadversary

(2) Transformation Key Query for Attribute Set 119878 The chal-lenger runs SK119878 larr KeyGen(PKMK 119878) and (TK119878RK119878) larrGenTKout(PK SK119878) and stores the entry (119878 SK119878TK119878RK119878) intable 119879 It then returns the transformation key TK119878 to theadversary

Without loss of generality we suppose that the adversarydoes not launch transformation key query for attribute set119878 if a private key query about the same attribute set 119878 hasbeen issued Anyone can generate a transformation key of theuser utilizing the userrsquos private key and GenTKout algorithmby himself

(3) Decryption Query for Attribute Set 119878 and a Ciphertext119862119879 C runs SK119878 larr KeyGen(PKMK 119878) and 119872 larrDecrypt(PK SK119878CT) It sends119872 toC

(4) 119863119890119888119903119910119901119905119894119900119899119900119906119905 Query for Attribute Set 119878 and Ciphertexts(119862119879 1198621198791015840) C searches the tuple (119878 SK119878TK119878RK119878) intable 119879 If such a tuple exists it runs 119872 larrDecryptout(PKCTCT1015840RK119878) and returns 119872 to C other-wise it returns perpChallenge A sends challenge message 119872lowast and challengeaccess policy Alowast to the challenger C C computes CTlowast =Encrypt(PK119872lowastAlowast) and returns CTlowast to A as its challengeciphertext

Query Phase 2A proceeds to adaptively launch transforma-tion key decryption Decryptionout and private key queriesas in phase 1

Output A returns attribute set 119878lowast and transformed cipher-text CTlowast1015840 We suppose that tuple (119878lowast SK119878lowast TK119878lowast RK119878lowast) isincluded in table 119879 Otherwise the challenger generates thetuple as the reply for transformation key query A succeedsin the game if Decryptout(PKCTlowastCTlowast1015840RK119878lowast) notin 119872lowast perp

Security and Communication Networks 5

Definition 5 An outsourcing decryption CP-ABE scheme isverifiable if PPT adversary has at most a negligible advantagein the above game

3 Construction of Our New Scheme

Our new scheme consists of seven algorithms

119878119890119905119906119901(1119896) A trusted authority (TA) picks two bilinear groups(1198661 119866119879) of prime-order 119901 1198921 isin 1198661 ℎ 119906 V 119889 isin 1198661119910 isin119877Z119901 and 119905119894119895 isin119877Z119901 (119894 isin [1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a hash function TA computes 119884 = 119890(1198921 ℎ)119910119879119894119895 = 1198921199051198941198951 (119894 isin [1 119899] 119895 isin [1 119899119894]) It generates PK =(119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) as public parametersand MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) as master secret key Notethat forall119878 1198781015840 (119878 = 1198781015840) sumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 is assumed

119870119890119910119866119890119899(119875119870119872119878119870 119878) TA selects 119903 isin119877Z119901 computes 1198701 =ℎ119910(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 1198702 = 1198921199031 and sends SK119878 = (1198701 1198702) to auser associated with attribute set 119878119864119899119888119903119910119901119905(119875119870119872A) An encryptor randomly selects119904 1199041015840 isin119877Z119901 isin 119866119879 He calculates = 119906119867(119872)V119867()1198891198621 = 119872 sdot 119884119904 1198622 = 1198921199041 1198623 = (prodV119894119895isinA119879119894119895)119904 11986210158401 = sdot 1198841199041015840 and 11986210158402 = 11989211990410158401 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 The sender generatesCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403)119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879) A decryptor calculates as follows

1198621 sdot 119890 (1198623 1198702)119890 (1198622 1198701) = 119872 sdot 119890 (1198921 ℎ)119904119910 119890 ((119892sumV119894119895isinA119905119894119895

1 )119904 1198921199031)119890(1198921199041 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= 119872 sdot 119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

= 11987211986210158401 sdot 119890 (11986210158403 1198702)119890 (11986210158402 1198701)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890((119892sumV119894119895isinA

119905119894119895

1 )1199041015840 1198921199031)119890(11989211990410158401 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isin119878119905119894119895

=

(1)

If = 119906119867(119872)V119867()119889 it outputs the message 119872 other-wise it outputs perp119866119890119899119879119870119900119906119905(119875119870 119878119870119878) A user generates his transformationkey pair as follows He chooses 119911 isin119877Z119901 and computes thetransformation key as TK119878 = (11987010158401 11987010158402) where 11987010158401 = 11987011199111 and

11987010158402 = 11987011199112 The retrieving key is RK119878 = 119911 Note that withoverwhelming probability 119911 has multiplicative inverse

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) Given ciphertext CT and trans-formation key TK119878 the CSP computes as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890(1198921199041 ℎ119910119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903119911)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031199111 )

= 119890 (1198921 ℎ)119904119910119911 119890 (1198921 1198921)119904119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119910119911 = 1198791015840119890 (11986210158402 11987010158401)119890 (11986210158403 11987010158402) =

119890(11989211990410158401 ℎ119910119911 (119892sumV119894119895isin119878119905119894119895

1 )119903119911)119890((prodV119894119895isinA119879119894119895)119904

1015840 1198921199031199111 )

= 119890 (1198921 ℎ)1199041015840119910119911 119890 (1198921 1198921)1199041015840119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)1199041015840119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)1199041015840119910119911 = 11987910158401015840

(2)

and it outputs the transformed ciphertext as CT1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) A user checks whether thetransformed ciphertext = or 1198791 = 1198621 or 11987910158401 = 11986210158401 if theequations do not hold he outputsperp Otherwise he computes119872 = 11986211198791015840119911 and = 1198621015840111987910158401015840119911 If = 119906119867(119872)V119867()119889 heoutputs the message119872 otherwise he outputs perp

Note thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 according to assumptionIf there exist 119878 and 1198781015840 such thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 the userwith attribute set 1198781015840 is able to decrypt ciphertext related toAwhere 1198781015840 ⊭ A 119878 ⊨ A and 119878 = 1198781015840We have that the assumptionholds with overwhelming probability

119901 (119901 minus 1) sdot sdot sdot (119901 minus (119873 minus 1))119901119873 gt (119901 minus (119873 minus 1))119873

119901119873= (1 minus 119873 minus 1119901 )119873 gt 1 minus 119873 (119873 minus 1)119901 gt 1 minus 1198732119901

(3)

where119873 = prod119899119894=1119899119894 If we randomly choose 119905119894119895 isin Z119901 as secret

key then our assumption is reasonable

4 Security Proof

Note that in our scheme a ciphertext consists of three parts(1198621 1198622 1198623) (11986210158401 11986210158402 11986210158403) and The first two elements areciphertexts for message119872 and random message respec-tively utilizing the encryption algorithm [33] In essence thesecond and the third elements are redundant information

6 Security and Communication Networks

The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from[33] which has been proven to be selectively CPA-secureWe denote the first four algorithms as Basic CP-ABE Toguarantee the security for our scheme we firstly prove that ifthe scheme in [33] is selectively CPA-secure then Basic CP-ABE scheme is selectively CPA-secure

Theorem6 Assume that the scheme in [33] is selectively CPA-secure Then the Basic CP-ABE scheme is also selectively CPA-secure

Proof We prove that our Basic CP-ABE scheme is selectivelyCPA-secure by the following two games

1198661198861198981198900 Game0 is the originally selective CPA security game

1198661198861198981198901 In Game1 the challenger randomly selects isin 1198661and generates the remaining parts of the challenge ciphertextCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) as in Game0

This theorem is proven via the following lemmasLemma7 shows thatGame0 andGame1 are indistinguishableLemma 8 shows that the advantage for an adversary inGame1 is negligible Thus we come to a conclusion that theadvantage for an adversary in Game0 is negligibleTheorem 6is correct from the two lemmas below

Lemma 7 Assume that the scheme in [33] is selectively CPA-secure Game0 and Game1 are computationally indistinguish-able

Proof If the adversary A is able to distinguish Game0 andGame1 at nonnegligible advantage then we find an algorithmB which attacks the scheme [33] under the selective CPAsecurity model at nonnegligible advantage

Let C be the challenger for the selective CPA securitygame in scheme [33] B and the adversary A interact asfollows

InitA gives Alowast toB as its challenge access policyB sendsAlowast to C as its challenge access policy C sends the publicparameters PK1015840 = (119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of the scheme[33] toB

Setup B selects 119909 119910 119911 isin119877Z119901 and computes 119906 = 1198921199091 V = 1198921199101 and 119889 = 1198921199111 B also selects hash function 119867 119866119879 rarr Zlowast119901B sends PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to theadversaryA

Query Phase 1 A adaptively launches private key query onattribute set 119878119894 then B gets the private key SK119878119894 via callingkey generation oracle of C with respect to 119878119894 B returns theprivate key SK119878119894 toA

Challenge A sends two equal size messages11987201198721 to B asthe challenge plaintextB selects a random bit 120573 and randommessages 0 1 isin 119866119879B sends 0 1 isin 119866119879 andAlowast toCC randomly selects 120574 isin 0 1 the message 120574 is encrypted

by PK1015840 and Alowast using the encryption algorithm in [32] andsends the resulting ciphertext CTlowast1015840 toBB denotes CTlowast1015840 asCTlowast1015840 = (Alowast 11986210158401 11986210158402 11986210158403)B selects 119904 isin119877Z119901 and computes =119906119867(119872120573)V119867(120573)1198891198621 = 119872120573 sdot1198841199041198622 = 1198921199041 and1198623 = (prodV119894119895isinA119879119894119895)119904and sends CTlowast = (Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) to A as itschallenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 of B B outputs 1205731015840 as aguess of 120574

Note that if120573 = 120574B appropriately simulates Game0 elseB appropriately simulates Game1 Therefore if A is able todistinguishGame0 andGame1 at nonnegligible advantage weare able to find an algorithmB that attacks the scheme [33] inselective CPA securitymodel at nonnegligible advantage

Lemma 8 Assume that the CP-ABE scheme in [33] is selec-tively CPA-secure the advantage for the adversaryA onGame1is negligible

Proof If the adversary A has a nonnegligible advantage inGame1 then we can find an algorithm B which attacks thescheme [33] at a nonnegligible advantage

Let C be the challenger with respect to B of the scheme[33] B interacts with A as demonstrated in the followingsteps

Init A submits challenge access policy Alowast to B B givesAlowast to C as its challenge access policy C returns PK1015840 =(119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of scheme [25] to B as publicparameters

Setup B chooses 119909 119910 119911 isin119877Z119901 and sets 119906 = 1198921199091 V = 1198921199101 and119889 = 1198921199111 119867 119866119879 rarr Zlowast119901 is a secure hash function B sendsPK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to the adversaryA

Query Phase 1 A adaptively launches private key query ofattribute set 119878119894 B gets the private key SK119878119894 via calling keygeneration oracle ofCwith respect to 119878119894B sends the privatekey SK119878119894 toA

Challenge A submits messages 11987201198721 with equal size Bsends11987201198721 and Alowast to C C randomly chooses 120574 isin 0 1themessage119872120574 is encrypted by PK

1015840 andAlowast using the encryp-tion algorithm in [33] and sends the resulting ciphertext CTlowast1015840to B B parses CTlowast1015840 as CTlowast1015840 = (Alowast 1198621 1198622 1198623) B selects1199041015840 isin119877Z119901 isin119877119866119879 and isin1198771198661 and computes 11986210158401 = sdot1198841199041015840 11986210158402 = 11989211990410158401 and 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 B sends CTlowast =(Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) toA as its challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 on B B returns 1205731015840 as itsguess for 120574 ObviouslyB has appropriately simulatedGame1

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 5: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

Security and Communication Networks 5

Definition 5 An outsourcing decryption CP-ABE scheme isverifiable if PPT adversary has at most a negligible advantagein the above game

3 Construction of Our New Scheme

Our new scheme consists of seven algorithms

119878119890119905119906119901(1119896) A trusted authority (TA) picks two bilinear groups(1198661 119866119879) of prime-order 119901 1198921 isin 1198661 ℎ 119906 V 119889 isin 1198661119910 isin119877Z119901 and 119905119894119895 isin119877Z119901 (119894 isin [1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a hash function TA computes 119884 = 119890(1198921 ℎ)119910119879119894119895 = 1198921199051198941198951 (119894 isin [1 119899] 119895 isin [1 119899119894]) It generates PK =(119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) as public parametersand MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) as master secret key Notethat forall119878 1198781015840 (119878 = 1198781015840) sumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 is assumed

119870119890119910119866119890119899(119875119870119872119878119870 119878) TA selects 119903 isin119877Z119901 computes 1198701 =ℎ119910(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 1198702 = 1198921199031 and sends SK119878 = (1198701 1198702) to auser associated with attribute set 119878119864119899119888119903119910119901119905(119875119870119872A) An encryptor randomly selects119904 1199041015840 isin119877Z119901 isin 119866119879 He calculates = 119906119867(119872)V119867()1198891198621 = 119872 sdot 119884119904 1198622 = 1198921199041 1198623 = (prodV119894119895isinA119879119894119895)119904 11986210158401 = sdot 1198841199041015840 and 11986210158402 = 11989211990410158401 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 The sender generatesCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403)119863119890119888119903119910119901119905(119875119870 119878119870119878 119862119879) A decryptor calculates as follows

1198621 sdot 119890 (1198623 1198702)119890 (1198622 1198701) = 119872 sdot 119890 (1198921 ℎ)119904119910 119890 ((119892sumV119894119895isinA119905119894119895

1 )119904 1198921199031)119890(1198921199041 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= 119872 sdot 119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)119904119910 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

= 11987211986210158401 sdot 119890 (11986210158403 1198702)119890 (11986210158402 1198701)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890((119892sumV119894119895isinA

119905119894119895

1 )1199041015840 1198921199031)119890(11989211990410158401 ℎ119910 (119892sumV119894119895isin119878

119905119894119895

1 )119903)

= sdot 119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isinA119905119894119895

119890 (1198921 ℎ)1199041015840119910 119890 (1198921 1198921)1199041015840119903sumV119894119895isin119878119905119894119895

=

(1)

If = 119906119867(119872)V119867()119889 it outputs the message 119872 other-wise it outputs perp119866119890119899119879119870119900119906119905(119875119870 119878119870119878) A user generates his transformationkey pair as follows He chooses 119911 isin119877Z119901 and computes thetransformation key as TK119878 = (11987010158401 11987010158402) where 11987010158401 = 11987011199111 and

11987010158402 = 11987011199112 The retrieving key is RK119878 = 119911 Note that withoverwhelming probability 119911 has multiplicative inverse

119879119903119886119899119904119891119900119903119898119900119906119905(119875119870 119862119879 119879119870119878) Given ciphertext CT and trans-formation key TK119878 the CSP computes as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890(1198921199041 ℎ119910119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903119911)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031199111 )

= 119890 (1198921 ℎ)119904119910119911 119890 (1198921 1198921)119904119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119910119911 = 1198791015840119890 (11986210158402 11987010158401)119890 (11986210158403 11987010158402) =

119890(11989211990410158401 ℎ119910119911 (119892sumV119894119895isin119878119905119894119895

1 )119903119911)119890((prodV119894119895isinA119879119894119895)119904

1015840 1198921199031199111 )

= 119890 (1198921 ℎ)1199041015840119910119911 119890 (1198921 1198921)1199041015840119903119911sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)1199041015840119903119911sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)1199041015840119910119911 = 11987910158401015840

(2)

and it outputs the transformed ciphertext as CT1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)119863119890119888119903119910119901119905119900119906119905(119875119870 119862119879 1198621198791015840 119877119870119878) A user checks whether thetransformed ciphertext = or 1198791 = 1198621 or 11987910158401 = 11986210158401 if theequations do not hold he outputsperp Otherwise he computes119872 = 11986211198791015840119911 and = 1198621015840111987910158401015840119911 If = 119906119867(119872)V119867()119889 heoutputs the message119872 otherwise he outputs perp

Note thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 according to assumptionIf there exist 119878 and 1198781015840 such thatsumV119894119895isin119878 119905119894119895 = sumV119894119895isin1198781015840 119905119894119895 the userwith attribute set 1198781015840 is able to decrypt ciphertext related toAwhere 1198781015840 ⊭ A 119878 ⊨ A and 119878 = 1198781015840We have that the assumptionholds with overwhelming probability

119901 (119901 minus 1) sdot sdot sdot (119901 minus (119873 minus 1))119901119873 gt (119901 minus (119873 minus 1))119873

119901119873= (1 minus 119873 minus 1119901 )119873 gt 1 minus 119873 (119873 minus 1)119901 gt 1 minus 1198732119901

(3)

where119873 = prod119899119894=1119899119894 If we randomly choose 119905119894119895 isin Z119901 as secret

key then our assumption is reasonable

4 Security Proof

Note that in our scheme a ciphertext consists of three parts(1198621 1198622 1198623) (11986210158401 11986210158402 11986210158403) and The first two elements areciphertexts for message119872 and random message respec-tively utilizing the encryption algorithm [33] In essence thesecond and the third elements are redundant information

6 Security and Communication Networks

The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from[33] which has been proven to be selectively CPA-secureWe denote the first four algorithms as Basic CP-ABE Toguarantee the security for our scheme we firstly prove that ifthe scheme in [33] is selectively CPA-secure then Basic CP-ABE scheme is selectively CPA-secure

Theorem6 Assume that the scheme in [33] is selectively CPA-secure Then the Basic CP-ABE scheme is also selectively CPA-secure

Proof We prove that our Basic CP-ABE scheme is selectivelyCPA-secure by the following two games

1198661198861198981198900 Game0 is the originally selective CPA security game

1198661198861198981198901 In Game1 the challenger randomly selects isin 1198661and generates the remaining parts of the challenge ciphertextCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) as in Game0

This theorem is proven via the following lemmasLemma7 shows thatGame0 andGame1 are indistinguishableLemma 8 shows that the advantage for an adversary inGame1 is negligible Thus we come to a conclusion that theadvantage for an adversary in Game0 is negligibleTheorem 6is correct from the two lemmas below

Lemma 7 Assume that the scheme in [33] is selectively CPA-secure Game0 and Game1 are computationally indistinguish-able

Proof If the adversary A is able to distinguish Game0 andGame1 at nonnegligible advantage then we find an algorithmB which attacks the scheme [33] under the selective CPAsecurity model at nonnegligible advantage

Let C be the challenger for the selective CPA securitygame in scheme [33] B and the adversary A interact asfollows

InitA gives Alowast toB as its challenge access policyB sendsAlowast to C as its challenge access policy C sends the publicparameters PK1015840 = (119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of the scheme[33] toB

Setup B selects 119909 119910 119911 isin119877Z119901 and computes 119906 = 1198921199091 V = 1198921199101 and 119889 = 1198921199111 B also selects hash function 119867 119866119879 rarr Zlowast119901B sends PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to theadversaryA

Query Phase 1 A adaptively launches private key query onattribute set 119878119894 then B gets the private key SK119878119894 via callingkey generation oracle of C with respect to 119878119894 B returns theprivate key SK119878119894 toA

Challenge A sends two equal size messages11987201198721 to B asthe challenge plaintextB selects a random bit 120573 and randommessages 0 1 isin 119866119879B sends 0 1 isin 119866119879 andAlowast toCC randomly selects 120574 isin 0 1 the message 120574 is encrypted

by PK1015840 and Alowast using the encryption algorithm in [32] andsends the resulting ciphertext CTlowast1015840 toBB denotes CTlowast1015840 asCTlowast1015840 = (Alowast 11986210158401 11986210158402 11986210158403)B selects 119904 isin119877Z119901 and computes =119906119867(119872120573)V119867(120573)1198891198621 = 119872120573 sdot1198841199041198622 = 1198921199041 and1198623 = (prodV119894119895isinA119879119894119895)119904and sends CTlowast = (Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) to A as itschallenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 of B B outputs 1205731015840 as aguess of 120574

Note that if120573 = 120574B appropriately simulates Game0 elseB appropriately simulates Game1 Therefore if A is able todistinguishGame0 andGame1 at nonnegligible advantage weare able to find an algorithmB that attacks the scheme [33] inselective CPA securitymodel at nonnegligible advantage

Lemma 8 Assume that the CP-ABE scheme in [33] is selec-tively CPA-secure the advantage for the adversaryA onGame1is negligible

Proof If the adversary A has a nonnegligible advantage inGame1 then we can find an algorithm B which attacks thescheme [33] at a nonnegligible advantage

Let C be the challenger with respect to B of the scheme[33] B interacts with A as demonstrated in the followingsteps

Init A submits challenge access policy Alowast to B B givesAlowast to C as its challenge access policy C returns PK1015840 =(119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of scheme [25] to B as publicparameters

Setup B chooses 119909 119910 119911 isin119877Z119901 and sets 119906 = 1198921199091 V = 1198921199101 and119889 = 1198921199111 119867 119866119879 rarr Zlowast119901 is a secure hash function B sendsPK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to the adversaryA

Query Phase 1 A adaptively launches private key query ofattribute set 119878119894 B gets the private key SK119878119894 via calling keygeneration oracle ofCwith respect to 119878119894B sends the privatekey SK119878119894 toA

Challenge A submits messages 11987201198721 with equal size Bsends11987201198721 and Alowast to C C randomly chooses 120574 isin 0 1themessage119872120574 is encrypted by PK

1015840 andAlowast using the encryp-tion algorithm in [33] and sends the resulting ciphertext CTlowast1015840to B B parses CTlowast1015840 as CTlowast1015840 = (Alowast 1198621 1198622 1198623) B selects1199041015840 isin119877Z119901 isin119877119866119879 and isin1198771198661 and computes 11986210158401 = sdot1198841199041015840 11986210158402 = 11989211990410158401 and 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 B sends CTlowast =(Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) toA as its challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 on B B returns 1205731015840 as itsguess for 120574 ObviouslyB has appropriately simulatedGame1

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 6: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

6 Security and Communication Networks

The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from[33] which has been proven to be selectively CPA-secureWe denote the first four algorithms as Basic CP-ABE Toguarantee the security for our scheme we firstly prove that ifthe scheme in [33] is selectively CPA-secure then Basic CP-ABE scheme is selectively CPA-secure

Theorem6 Assume that the scheme in [33] is selectively CPA-secure Then the Basic CP-ABE scheme is also selectively CPA-secure

Proof We prove that our Basic CP-ABE scheme is selectivelyCPA-secure by the following two games

1198661198861198981198900 Game0 is the originally selective CPA security game

1198661198861198981198901 In Game1 the challenger randomly selects isin 1198661and generates the remaining parts of the challenge ciphertextCT = (A 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) as in Game0

This theorem is proven via the following lemmasLemma7 shows thatGame0 andGame1 are indistinguishableLemma 8 shows that the advantage for an adversary inGame1 is negligible Thus we come to a conclusion that theadvantage for an adversary in Game0 is negligibleTheorem 6is correct from the two lemmas below

Lemma 7 Assume that the scheme in [33] is selectively CPA-secure Game0 and Game1 are computationally indistinguish-able

Proof If the adversary A is able to distinguish Game0 andGame1 at nonnegligible advantage then we find an algorithmB which attacks the scheme [33] under the selective CPAsecurity model at nonnegligible advantage

Let C be the challenger for the selective CPA securitygame in scheme [33] B and the adversary A interact asfollows

InitA gives Alowast toB as its challenge access policyB sendsAlowast to C as its challenge access policy C sends the publicparameters PK1015840 = (119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of the scheme[33] toB

Setup B selects 119909 119910 119911 isin119877Z119901 and computes 119906 = 1198921199091 V = 1198921199101 and 119889 = 1198921199111 B also selects hash function 119867 119866119879 rarr Zlowast119901B sends PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to theadversaryA

Query Phase 1 A adaptively launches private key query onattribute set 119878119894 then B gets the private key SK119878119894 via callingkey generation oracle of C with respect to 119878119894 B returns theprivate key SK119878119894 toA

Challenge A sends two equal size messages11987201198721 to B asthe challenge plaintextB selects a random bit 120573 and randommessages 0 1 isin 119866119879B sends 0 1 isin 119866119879 andAlowast toCC randomly selects 120574 isin 0 1 the message 120574 is encrypted

by PK1015840 and Alowast using the encryption algorithm in [32] andsends the resulting ciphertext CTlowast1015840 toBB denotes CTlowast1015840 asCTlowast1015840 = (Alowast 11986210158401 11986210158402 11986210158403)B selects 119904 isin119877Z119901 and computes =119906119867(119872120573)V119867(120573)1198891198621 = 119872120573 sdot1198841199041198622 = 1198921199041 and1198623 = (prodV119894119895isinA119879119894119895)119904and sends CTlowast = (Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) to A as itschallenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 of B B outputs 1205731015840 as aguess of 120574

Note that if120573 = 120574B appropriately simulates Game0 elseB appropriately simulates Game1 Therefore if A is able todistinguishGame0 andGame1 at nonnegligible advantage weare able to find an algorithmB that attacks the scheme [33] inselective CPA securitymodel at nonnegligible advantage

Lemma 8 Assume that the CP-ABE scheme in [33] is selec-tively CPA-secure the advantage for the adversaryA onGame1is negligible

Proof If the adversary A has a nonnegligible advantage inGame1 then we can find an algorithm B which attacks thescheme [33] at a nonnegligible advantage

Let C be the challenger with respect to B of the scheme[33] B interacts with A as demonstrated in the followingsteps

Init A submits challenge access policy Alowast to B B givesAlowast to C as its challenge access policy C returns PK1015840 =(119890 1198921 ℎ 119884 119879119894119895119894isin[1119899]119895isin[1119899119894]) of scheme [25] to B as publicparameters

Setup B chooses 119909 119910 119911 isin119877Z119901 and sets 119906 = 1198921199091 V = 1198921199101 and119889 = 1198921199111 119867 119866119879 rarr Zlowast119901 is a secure hash function B sendsPK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) to the adversaryA

Query Phase 1 A adaptively launches private key query ofattribute set 119878119894 B gets the private key SK119878119894 via calling keygeneration oracle ofCwith respect to 119878119894B sends the privatekey SK119878119894 toA

Challenge A submits messages 11987201198721 with equal size Bsends11987201198721 and Alowast to C C randomly chooses 120574 isin 0 1themessage119872120574 is encrypted by PK

1015840 andAlowast using the encryp-tion algorithm in [33] and sends the resulting ciphertext CTlowast1015840to B B parses CTlowast1015840 as CTlowast1015840 = (Alowast 1198621 1198622 1198623) B selects1199041015840 isin119877Z119901 isin119877119866119879 and isin1198771198661 and computes 11986210158401 = sdot1198841199041015840 11986210158402 = 11989211990410158401 and 11986210158403 = (prodV119894119895isinA119879119894119895)1199041015840 B sends CTlowast =(Alowast 1198621 1198622 1198623 11986210158401 11986210158402 11986210158403) toA as its challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1B answers the queries as in phase 1

Guess A gives a guess 1205731015840 isin 0 1 on B B returns 1205731015840 as itsguess for 120574 ObviouslyB has appropriately simulatedGame1

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 7: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

Security and Communication Networks 7

IfA has a nonnegligible advantage in Game1 thenB attacksthe scheme in [33] at a nonnegligible advantage

Now we have proven that the Basic CP-ABE scheme isselectively CPA-secure After that we prove that if Basic CP-ABE scheme is selectively CPA-secure then our new schemeis selectively CPA-secure

Theorem 9 Assume that Basic CP-ABE scheme is selectivelyCPA-secure Then our new scheme is selectively CPA-secure

Proof IfA breaks our new CP-ABE scheme at nonnegligibleadvantage then we find an algorithm B which breaks BasicCP-ABE scheme at nonnegligible advantage We assume thatC is the challenger with respect to B for Basic CP-ABE Binteracts withA as demonstrated in the following steps

Init A sends B its challenge access policy Alowast B giveschallenge access policy Alowast to C and obtains the publicparameters PK = (119890 1198921 ℎ 119906 V 119889 119884 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) forBasic CP-ABE

SetupB sends PK toA

Query Phase 1Bmaintains a table Tb and a set119863 which areinitialized as emptyA adaptively launches queries

(1) Private Key Query on Attribute Set 119878B obtains the privatekey SK119878 by calling the key generation oracle ofCwith respectto 119878 ThenB lets119863 = 119863 cup 119878 and sends the private key SK119878toA

(2) Transformation Key Query on Attribute Set 119878 B scansthe tuple (119878 SK119878TK119878RK119878) in table Tb If such a tuple existsit sends the transformation key TK119878 to A Otherwise Bselects random exponents 119911 119903 isin Z119901 B computes 11987010158401 =ℎ119911(119892sumV119894119895isin119878

119905119894119895

1 )119903 and 11987010158402 = 1198921199031 B stores the tuple (119878 lowastTK119878 =(119878 11987010158401 11987010158402) 119911) in table Tb and returns TK119878 toA Observe thatB does not know the actual retrieving key RK119878 = 119910119911 Herewe compute as follows

119890 (1198622 11987010158401)119890 (1198623 11987010158402) =119890 (1198921199041 ℎ119911 (119892sumV119894119895isin119878

119905119894119895

1 )119903)119890 ((prodV119894119895isinA119879119894119895)119904 1198921199031)

= 119890 (1198921 ℎ)119904119911 119890 (1198921 1198921)119904119903sumV119894119895isin119878119905119894119895

119890 (1198921 1198921)119904119903sumV119894119895isinA119905119894119895

= 119890 (1198921 ℎ)119904119911 = 119879101584011986211198791015840RK119878 = 119872 sdot 119890 (1198921 ℎ)119910119904

119890 (1198921 ℎ)119904119911sdot119910119911 = 119872

(4)

ChallengeA submits messages11987201198721 with same length andchallenge access policy Alowast B gives11987201198721 and Alowast to C toobtain the challenge ciphertext CTlowastB returns CTlowast toA asits challenge ciphertext

Query Phase 2A adaptively launches private key query as inphase 1 andB answers the queries as in phase 1

GuessA obtains 1205831015840B also obtains 1205831015840If the guess 1205831015840 for A of our scheme is correct the guess

of B for Basic CP-ABE scheme is correct too So we canconclude that if A can attack our scheme at nonnegligibleadvantage then we will find an algorithm B which attacksBasic CP-ABE scheme under the selective CPA securitymodel at nonnegligible advantage

Theorem 10 Our CP-ABE scheme is verifiable if the discretelogarithm assumption defined in Section 22 holds

Proof Suppose that there exists an adversary A that attacksverifiability of our new scheme at nonnegligible advantageWe find an algorithm B that can solve the DL problem atnonnegligible advantage

SetupB chooses 119909 119910119898 119897 isin119877Z119901 ℎ isin1198771198661 and 119905119894119895 isin119877Z119901 (119894 isin[1 119899] 119895 isin [1 119899119894]) 119867 119866119879 rarr Zlowast119901 is a secure hashfunction PK = (119890 1198921 ℎ 119906 = 1198921199091 V = 1198921198981 119889 = 1198921198971 119884 =119890(1198921 ℎ)119910 119879119894119895119894isin[1119899]119895isin[1119899119894] 119867) is the public parameter Themaster secret key is MK = (119910 119905119894119895119894isin[1119899]119895isin[1119899119894]) B returnsPK toA

Query Phase 1 A adaptively launches transformation keyprivate key decryption and Decryptionout queries As Bknows MK it can answer the queries properly

ChallengeA gives119872lowast and challenge access policy Alowast toBB computes the ciphertext CTlowast of119872lowast using the encryptionalgorithm in [33] and returns CTlowast = (Alowast 1198621 1198622 119862311986210158401 11986210158402 11986210158403) to A where = 119906119867(119872lowast)V119867(lowast)119889 and lowast isin 119866119879is chosen byB randomly

Query Phase 2 A adaptively launches private key queries asin phase 1B answers queries as in phase 1

OutputA returns attribute set 119878lowast and transformed ciphertextCTlowast1015840 = ( = 1198791 = 1198621 11987910158401 = 11986210158401 1198791015840 11987910158401015840)

B computes 11987911198791015840119911119878lowast = 119872 and 1198791015840111987910158401015840119911119878lowast = where 119911119878lowastis the retrieving key for attribute set 119878lowast If A wins the abovegame thenB can obtain

119892119909119867(119872lowast)+119898119867(lowast)+1198971 = 119906119867(119872lowast)V119867(lowast)119889 = = = 119906119867(119872)V119867()119889 = 119892119909119867(119872)+119898119867()+1198971 (5)

where119872 = 119872lowast and119872lowast lowast119872 119898 119897 are obtained byBBecause119867 is a collision-resistant hash function119867(119872lowast) is notequal to119867(119872) with overwhelming probability ThusB gets119909 = 119898(119867(lowast)minus119867())(119867(119872)minus119867(119872lowast)) which breaks theDL assumption It is paradoxical so our CP-ABE scheme isverifiable

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 8: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

8 Security and Communication Networks

Table 1 Size of each value

PK MK SK CT TK RK CT1015840

LCL 13 [11] (119899 + 4) 100381610038161003816100381611986611003816100381610038161003816 |Z119901| None (1198731 + 2) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 21198732 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 2 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816LDG 13 [31] (5 + 119899) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 (2 + 1198732)|1198661| (41198731 + 3) 100381610038161003816100381611986611003816100381610038161003816 + 2 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 100381610038161003816100381611986611003816100381610038161003816 + 4|119866119879|GHW 11 [12] 2 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 None (21198731 + 1) 100381610038161003816100381611986611003816100381610038161003816 + 10038161003816100381610038161198661198791003816100381610038161003816 (2 + 1198732) 100381610038161003816100381611986611003816100381610038161003816 10038161003816100381610038161003816Z11990110038161003816100381610038161003816 2 10038161003816100381610038161198661198791003816100381610038161003816Our scheme (119873 + 5)|1198661| + |119866119879| (119873 + 1)|Z119901| 2|1198661| 5|1198661| + 2|119866119879| 2|1198661| |Z119901| |1198661| + 4|119866119879|

Table 2 Computational times

Encrypt Decrypt Transform DecryptoutLCL 13 [11] 119862119890 + 2119866119879 + (3 + 21198731)1198661 None 2(1198732 minus 1)119862119890 + 21198732119866119879 2119862119890 + 3119866119879LDG 13 [31] 2119867 + (10 + 81198731)1198661 + 4119866119879 4(1198732 minus 1)119862119890 + 41198732119866119879 (41198732 minus 2)119866119879 + (41198732 minus 2)119862119890 4119866119879GHW 11 [12] (41198731 + 1)1198661 + 3119866119879 + 1198731119867 None (31198732 minus 1)1198661 + (1198732 + 1)119866119879 + (1198732 + 2)119862119890 2119866119879Our scheme 2119867 + (21198731 + 6)1198661 + 4119866119879 4119862119890 + 4119866119879 4119862119890 + 2119866119879 4119866119879

Table 3 Property of each scheme

Outsourcing Verifiability Constant ciphertext lengthLCL 13 [11] Yes No NoLDG 13 [31] Yes Yes NoGHW 11 [12] Yes No NoOur scheme Yes Yes Yes

5 Performance Comparison

PK MK SK CT TK RK and CT1015840 represent the lengthof public key master key private key ciphertext transformkey retrieving key and transformed ciphertext without theaccess policy respectively Additionally Encrypt DecryptTransform and Decryptout represent the computational costsof the algorithmsrsquo encryption decryption transformationand outsourcing decryption respectively |1198661| |119866119879| and |Z119901|denote the bit-length of the elements belonging to 1198661 119866119879and Z119901 119896119862119890 119896119867 and 1198961198661 denote the 119896-times computationin the pairing hash function and group1198661 respectively119880 =att1 att119899 denote the attribute universe 1198731 and 1198732 arethe amounts of the attributes related to ciphertext and privatekey respectively 119873 = sum119899119894=1 119899119894 denotes the total number ofpossible attribute values

Tables 1ndash3 show that our scheme is efficient Table 1 illus-trates that the size of private key ciphertext and transformkey in our scheme is constant However the size of privatekey ciphertext and transform key in [11 12 31] dependsupon the number of attributesTherefore our scheme greatlyreduces the communication overhead and is very suitable forbandwidth limited devices As the operation cost over Z119901 ismuch smaller than group and pairing operation we ignorethe computation time overZ119901 Compared with the scheme in[11 12 31] the computational overhead for the decryption andtransformation operations in our scheme is much smallerFrom Table 2 we observe that the computational overheadover group and pairing in [11 12 31] depends on thenumber of attributes while it is constant in our scheme Thecomputational overhead for the outsourcing decryption isconstant in above schemes Table 3 illustrates that only ourscheme satisfies all properties

Dec

rypt

ion

time (

s)

minus20

0

20

40

60

80

100

120

140

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos schemeLai et alrsquos scheme

Figure 2 Decryption time

In order to evaluate the efficiency for our scheme weimplement our scheme with java pairing-based cryptography(JPBC) library [36] a port for the pairing-based cryptography(PBC) library in C [37] The elliptic curve parameter wechoose is type-A and the order of group is 160 bits We runour code on a PC with 64-bit 26-GHz Intel Core i5-3320MCPU with 6GBRAM andmobile phonewith 4-core 18 GHzProcessor 2G memory Android OS 442 respectively Wealso implement the scheme [31] for comparison Figure 2compares the times of decryption algorithm spent in ourscheme and Lai et alrsquos scheme [31] The result shows that ourscheme is much more efficient than Lai et alrsquos scheme [31]because the time spent in our scheme does not grow with theamount of attributes involved in the access policy Figure 3shows the time of the transformation algorithm in PC andmobile phone for two schemes Similar to the decryptionalgorithm the time required by transformation grows linearlywith the number of attributes for Lai et alrsquos scheme [31]

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 9: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

Security and Communication Networks 9

minus50

0

50

100

150

200

250

Tran

sform

atio

n tim

e (s)

Our scheme in PCOur scheme in mobile phone

in mobile phone

20 40 60 80 1000

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 3 Transformation time

Our scheme in PCOur scheme in mobile phone

in mobile phone

00

05

10

15

20

Out

sour

cing

dec

rypt

ion

time (

s)

0 40 60 80 10020

Attribute number

Lai et alrsquos scheme in PCLai et alrsquos scheme

Figure 4 Outsourcing decryption time

while it is almost constant for our scheme Figure 4 showsthat the times of the outsourcing decryption algorithm inPC and mobile phone for two schemes are nearly sameFigure 5 shows the ciphertext length in our scheme and Laiet alrsquos scheme [31] We can find that the ciphertext length inour scheme is constant while it will grow with the amountof attributes involved in access policy linearly So we canconclude that our scheme greatly reduces the communicationoverhead and is very suitable for bandwidth limited devicesFigure 6 illustrates that the length of partially decryptedciphertext in two schemes is almost same

Ciphertext of our schemeCiphertext of Lai et alrsquos scheme

8040 6020 1000

Attribute number

0

10

20

30

40

50

60

Leng

th (k

b)

Figure 5 Ciphertext length

80 1006020 400

Attribute number

Partial decryption ciphertext length of our schemePartial decryption ciphertext length of Lai et alrsquos scheme

00

02

04

06

08

10

12

14

Leng

th (k

b)

Figure 6 Partial decryption ciphertext length

6 Conclusions

In this article we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and moreoverwe prove that our scheme is secure and verifiable in standardmodel Security in our scheme is reduced to that of scheme in[33] and verifiability is reduced to DL assumption The com-putational overhead for the decryption and transformationoperations in our scheme is constant which does not relyon the amount of attributes In addition we outsource theexpensive operation to the cloud service provider and leavethe slight operations to be done on userrsquos device Thereforeour scheme is very efficient What is more the ciphertextlength in our scheme does not grow with the number ofattributes which reduces the communication cost greatlyThe proposed scheme has the potential application in various

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 10: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

10 Security and Communication Networks

lower power devices with limited computational power suchas mobile phone

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This research is supported by the National Natural Sci-ence Foundation of China (61272542 61472083 6120245061402110 and 61672207) Jiangsu Provincial Natural ScienceFoundation of China (BK20161511) the Priority AcademicProgram Development of Jiangsu Higher Education Institu-tions the Fundamental Research Funds for the Central Uni-versities (2016B10114) Jiangsu Collaborative Innovation Cen-ter on Atmospheric Environment and Equipment Technol-ogy and the Project of Scientific Research Innovation for Col-lege Graduate Student of Jiangsu Province (KYZZ15 0151)

References

[1] D Boneh and M Franklin ldquoIdentity-based encryption fromthe weil pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference (CRYPTO rsquo01) Santa Barbara CalifUSA August 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer Berlin Germany 2001

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 ACMNovember 2006

[3] J Li C Jia J Li and X Chen ldquoOutsourcing encryption ofattribute-based encryption with MapReducerdquo in Informationand Communications Security T W Chim and T H YuenEds vol 7618 of Lecture Notes in Computer Science pp 191ndash201Springer Berlin Germany 2012

[4] A Lewko and B Waters ldquoUnbounded HIBE and attribute-based encryptionrdquo in Proceedings of the 30th Annual Interna-tional Conference on the Theory and Applications of Crypto-graphic Techniques (EUROCRYPT rsquo11) Tallinn Estonia May2011 vol 6632 of Lecture Notes in Computer Science pp 547ndash567 Springer Berlin Germany 2011

[5] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[6] B D Qin R H Deng S L Liu and S Q Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

[7] H Deng Q Wu B Qin et al ldquoCiphertext-policy hierarchicalattribute-based encryption with short ciphertextsrdquo InformationSciences vol 275 pp 370ndash384 2014

[8] R Ostrovsky A Sahai and B Waters ldquoAttribute-based encryp-tion with non-monotonic access structuresrdquo in Proceedings ofthe 14th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo07) pp 195ndash203 ACM Alexandria Va USANovember 2007

[9] TOkamoto andK Takashima ldquoFully secure functional encryp-tion with general relations from the decisional linear assump-tionrdquo in Advances in CryptologymdashCRYPTO 2010 T Rabin Ed

vol 6223 of Lecture Notes in Computer Science pp 191ndash208Springer Berlin Germany 2010

[10] L Cheung and C Newport ldquoProvably secure ciphertext policyABErdquo in Proceedings of the 14th ACM Conference on Computerand Communications Security (CCS rsquo07) pp 456ndash465 Novem-ber 2007

[11] J Li X Chen J Li C Jia J Ma and W Lou ldquoFine-grainedaccess control system based on outsourced attribute-basedencryptionrdquo in Computer SecuritymdashESORICS 2013 J Cramp-ton S Jajodia and K Mayes Eds vol 8134 of Lecture Notesin Computer Science pp 592ndash609 Springer Berlin Germany2013

[12] M Green S Hohenberger and B Waters ldquoOutsourcing thedecryption of ABE ciphertextsrdquo in Proceedings of the 20thUSENIX Conference on Security (SEC rsquo11) p 34 2011

[13] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquoACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[14] M Blaze G Bleumer and M Strauss ldquoDivertible protocolsand atomic proxy cryptographyrdquo in Advances in CryptologymdashEUROCRYPTrsquo98 K Nyberg Ed vol 1403 of Lecture Notes inComputer Science pp 127ndash144 Springer Berlin Germany 1998

[15] M Chase ldquoMulti-authority attribute based encryptionrdquo in Pro-ceedings of the 4thTheory of Cryptography Conference (TCC rsquo07)Amsterdam The Netherlands February 2007 Lecture Notesin Computer Science pp 515ndash534 Springer Berlin Germany2007

[16] Z Liu Z Cao Q Huang D S Wong and T H YuenldquoFully secure multi-authority ciphertext-policy attribute-basedencryption without random oraclesrdquo in Computer SecuritymdashESORICS 2011 16th European Symposium on Research in Com-puter Security Leuven Belgium September 12ndash142011 Proceed-ings vol 6879 ofLectureNotes in Computer Science pp 278ndash297Springer Berlin Germany 2011

[17] J G Han W Susilo Y Mu and J Yan ldquoPrivacy-preservingdecentralized key-policy attribute-based encryptionrdquo IEEETransactions on Parallel and Distributed Systems vol 23 no 11pp 2150ndash2162 2012

[18] H L Qian J G Li and Y C Zhang ldquoPrivacy-preserving decen-tralized ciphertext-policy attribute-based encryption with fullyhidden access structurerdquo in Proceedings of the 15th Interna-tional Conference on Information and Communications Security(ICICS rsquo13) vol 8233 of Lecture Notes in Computer ScienceLNCS pp 363ndash372 Springer Berlin Germany 2013

[19] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[20] Z Liu Z F Cao and D S Wong ldquoBlackbox traceable CP-ABEhow to catch people leaking their keys by selling decryptiondevices on eBayrdquo in Proceedings of the ACM SIGSAC Conferenceon Computer and Communications Security (CCS rsquo13) pp 475ndash486 Berlin Germany November 2013

[21] Z Liu Z F Cao and D S Wong ldquoWhite-box traceableciphertext-policy attribute-based encryption supporting anymonotone access structuresrdquo IEEE Transactions on InformationForensics and Security vol 8 no 1 pp 76ndash88 2013

[22] J T Ning Z F Cao X L Dong L F Wei and X D LinldquoLarge universe ciphertext-policy attribute-based encryptionwith white-box traceabilityrdquo in Computer SecuritymdashESORICS2014 19th European Symposium on Research in Computer

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 11: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

Security and Communication Networks 11

Security Wroclaw Poland September 7ndash11 2014 ProceedingsPart II vol 8713 of Lecture Notes in Computer Science pp 55ndash72Springer Berlin Germany 2014

[23] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing 2016

[24] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing 2016

[25] J G Li Y R Shi and Y C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems 2015

[26] Z J Fu X M Sun Q Liu L Zhou and J G Shu ldquoAchievingefficient cloud search services multi-keyword ranked searchover encrypted cloud data supporting parallel computingrdquoIEICE Transactions on Communications vol 98 no 1 pp 190ndash200 2015

[27] Z H Xia X H Wang X M Sun and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2015

[28] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[29] J G Li H P Wang Y C Zhang and J Shen ldquoCiphertext-policy attribute-based encryptionwith hidden access policy andtestingrdquo KSII Transactions on Internet and Information Systemsvol 10 no 8 pp 3339ndash3352 2016

[30] Y-J Ren J Shen J Wang J Han and S-Y Lee ldquoMutualverifiable provable data auditing in public cloud storagerdquoJournal of Internet Technology vol 16 no 2 pp 317ndash323 2015

[31] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013

[32] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[33] K Emura A Miyaji A Nomura K Omote and M SoshildquoA Ciphertext-policy attribute-based encryption scheme withconstant ciphertext lengthrdquo in Information Security Practiceand Experience 5th International Conference ISPEC 2009 XirsquoanChina April 13ndash15 2009 Proceedings vol 5451 of Lecture Notesin Computer Science pp 13ndash23 Springer Berlin Germany2009

[34] JHerranz F Laguillaumie andC Rafols ldquoConstant size cipher-texts in threshold attribute-based encryptionrdquo in Proceedingsof the 13th International Conference on Practice and Theory inPublic Key Cryptography (PKC rsquo10) Paris France May 2010 vol6056 of Lecture Notes in Computer Science pp 19ndash34 SpringerBerlin Germany 2010

[35] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the 23rd Annual Inter-national Cryptology Conference (CRYPTO rsquo03) Santa BarbaraCalif USA August 2003 vol 2729 of Lecture Notes in ComputerScience pp 565ndash582 Springer Berlin Germany 2003

[36] A D Caro ldquoJava pairing-based cryptography libraryrdquo 2012httplibecciodiaunisaitprojectsjpbc

[37] B Lynn PBC (Pairing-Based Cryptography) Library 2012httpcryptostanfordedupbc

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

Page 12: Verifiable Outsourced Decryption of Attribute-Based ...downloads.hindawi.com/journals/scn/2017/3596205.pdf · Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of