Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant Ciphertext Length

Outsourced decryption ABE system largely reduces the computation cost for users who intend to access the encrypted files stored in cloud. However, the correctness of the transformation ciphertext cannot be guaranteed because the user does not have the original ciphertext. Lai et al. provided an ABE scheme with verifiable outsourced decryption which helps the user to check whether the transformation done by the cloud is correct. In order to improve the computation performance and reduce communication overhead, we propose a new verifiable outsourcing scheme with constant ciphertext length. To be specific, our scheme achieves the following goals. (1) Our scheme is verifiable which ensures that the user efficiently checks whether the transformation is done correctly by the CSP. (2)The size of ciphertext and the number of expensive pairing operations are constant, which do not grow with the complexity of the access structure. (3)The access structure in our scheme is AND gates on multivalued attributes and we prove our scheme is verifiable and it is secure against selectively chosen-plaintext attack in the standard model. (4)We give some performance analysis which indicates that our scheme is adaptable for various limited bandwidth and computation-constrained devices, such as mobile phone.


Introduction
Attribute-based encryption (ABE) derives from identitybased encryption (IBE) introduced in [1].A user's identity in IBE system is indicated by a binary bit string and the corresponding representation in ABE system is extended to an attribute set.The identity represented by an attribute set is not unique so ABE can realize the one-to-many encryption.Traditional IBE schemes can only provide coarse-grained access control.In order to solve this problem, Goyal et al. [2] presented a new scheme in which the fine-grained access control is associated with the user's private keys and ciphertexts are associated with a descriptive attribute set.ABE can be divided into two categories, namely, key-policy attribute-based encryption (KP-ABE) [2][3][4] and ciphertext-policy attributebased encryption (CP-ABE) [5][6][7][8][9][10][11].One of the main defects of current ABE schemes is expensive decryption operation for mobile device with low computing power and limited battery.
To improve efficiency, Green et al. [12] presented an efficient ABE scheme by outsourcing expensive decryption operation to the cloud service provider (CSP).In their scheme, a user uses proxy reencryption method [13,14] to generate a transformation key and sends the transformation key and ABE ciphertext to the CSP.Given the transformation key, the CSP transforms an ABE ciphertext into a simple ciphertext, from which the user recovers plaintext by using less computation overhead.In this process, the CSP does not get any information about original plaintext.Chase [15] extended single authority ABE to propose a multiauthority ABE scheme.However, he only proves that the scheme is secure against the selective ID model.Liu et al. [16] provided a fully secure multiauthority CP-ABE.In order to protect privacy of the user, Han et al. [17] presented a decentralized key-policy attributebased encryption with preserving privacy.Qian et al. [18] provided a decentralized CP-ABE with fully hidden access structure.Furthermore, they [19] proposed a privacy-preserving personal health record using multiauthority ABE with revocation.Several traceable CP-ABE schemes [20][21][22] were constructed to trace the identity of a misbehaving user who leaks its decryption key to others and thus reduces the trust assumptions on both users and attribute authorities.Recently, Li et al. [23] presented flexible and fine-grained attributebased data storage in cloud computing.To protect data privacy, the sensitive data should be encrypted by the data owner prior to outsourcing.As the amount of encrypted files stored in cloud is becoming very huge, searchable encryption scheme over encrypted cloud data is a very challenging issue.To deal with above problem, Li et al. [24,25] proposed a new cryptographic primitive called attribute-based encryption scheme with keyword search function [26][27][28].In the proposed scheme, cloud service provider (CSP) performs partial decryption task delegated by data user without knowing anything about the plaintext.Moreover, the CSP can perform encrypted keyword search without knowing anything about the keywords embedded in trapdoor.In order to protect the privacy for the encryptor and decryptor, Li et al. [29] propose a CP-ABE scheme with hidden access policy and testing.
Our Motivations and Contributions.With the cloud service being more and more popular in modern society, ABE technology has become a promising orientation.It allows users to use flexible access control to access files stored in the cloud server with encrypted form.Though its advantages make it a powerful tool for cloud, one of its main performance challenges is that the complexity of decryption computation is linearly correlated with the access structure.By using the proxy reencryption technology, outsourced decryption ABE system can largely reduce the computation cost for users who intend to access the encrypted files stored in cloud.Given a ciphertext and a transformation key, CSP transforms a ciphertext into a simple ciphertext.The user only needs to spend less computational overhead to recover the plaintext from simple ciphertext.However, the correctness of the transformation ciphertext which the CSP gives to the user cannot be guaranteed because the latter does not have the original ciphertext.It is a security threat that malicious cloud service provider (CSP) may replace the original ciphertext and give the user a transformed ciphertext from another ciphertext which CSP wants the user to decrypt.The user is not aware of the CSP's malicious behavior.Mutual verifiable provable data auditing [30] in public cloud storage is a potential method to solve remote data possession checking.The security property about ABE with outsourcing decryption ensures that the malicious cloud server cannot obtain anything with respect to the encrypted message; nonetheless, the scheme does not ensure the validity of the transformation done by the CSP.In order to solve this problem, Lai et al. [31] put forward an ABE scheme with verifiable outsourcing decryption which guarantees verifiability of the transformation.Recently, Li et al. [32] presented an outsourcing ABE scheme which can check validity of the outsourced computation results.There is no doubt that verifiability brings about great progress to outsourced decryption of ABE.However, the ciphertext length and the amount of expensive pairing computations grow with the number of the attributes, which greatly limits its application in power constrained and bandwidth limited devices.Schemes in [33,34] put forward a good solution to this problem in which the ciphertext length is constant.In this article, we present a novel verifiable outsourced CP-ABE scheme with constant ciphertext length to save the communication cost.The security of our scheme reduces to that of scheme in [33].Similar to the proof in [31], the verifiability of our scheme reduces to the discrete logarithm assumption.
Organization.We organized the rest of the paper as follows.
In Section 2, we review some preliminary knowledge and introduce the CP-ABE model of outsourced decryption.We also give the security definitions used in our paper in this section.In Section 3, we provide a new verifiable outsourced CP-ABE scheme with constant ciphertext length.We prove security and verifiability of our scheme in Section 4. In Section 5, we give some performance comparison with the existing schemes.Finally, we conclude the paper in Section 6.

Preliminaries
We introduce some basic knowledge about bilinear groups, security assumption, access structure, and CP-ABE which our scheme relies on.

Outline of CP-ABE with Outsourced Decryption.
Briefly speaking, a user interacts with the CSP as illustrated in Figure 1.Data owner encrypts message  into ciphertext CT and uploads it to the storage in cloud.A user who is permitted to access the data downloads the ciphertext.Then the user sends the ciphertext and transformation key to the CSP for outsourcing decryption.CSP computes partially decrypted ciphertext CT  and sends it to the user.The user computes the message from the partially decrypted ciphertext and verifies whether the message is the original one.We review the notion of CP-ABE in [31] with outsourced decryption.It is described by the seven algorithms as follows.  (, ,   ,   ).This algorithm takes PK, CT, CT  , and RK  for  as input.It outputs message  or ⊥.

Security Model for CP-ABE with Outsourcing Decryption.
Lai et al. [31] described security properties and verifiability for CP-ABE which supports outsourcing decryption.The traditional concept of security for chosen-ciphertext attack (CCA) is not suitable for the above CP-ABE scheme because it does not permit modifying any bit for the ciphertext.Therefore, they use a relaxation named replayed CCA (RCCA) security [35], which permits alternation for the ciphertext, so that they can change the potential message in a significant way.

Security.
The RCCA security of outsourced decryption CP-ABE is described as a game in both an adversary and a challenger.According to the game in [31], it is described as follows.
Setup.The challenger C performs setup algorithm to get the public parameter PK and master secret key MK.It sends PK to the adversary A and keeps MK secret.
Query Phase 1.The challenger maintains a table Tb and a set  which are initialized empty.The adversary A adaptively issues queries.
(1) Private Key Query for Attribute Set .The challenger runs SK  ← KeyGen(PK, MK, ) and sets  =  ∪ {}.It then sends the private key SK  to the adversary.
(2) Transformation Key Query on Attribute Set .C scans the tuple (, SK  , TK  , RK  ) in table Tb.If such a tuple exists, it returns TK  as the transformation key.Otherwise, it runs SK  ← KeyGen(PK, MK, ) and (TK  , RK  ) ← GenTK out (PK, SK  ) and stores the tuple in table Tb.It then returns the transformation key TK  to the adversary.
Without loss of generality, we suppose that an adversary does not launch transformation key query for attribute set , if a private key query about the same attribute set  has been issued.Since anyone can generate a transformation key of the user utilizing the user's private key and GenTK out algorithm by himself, the assumption is rational.Challenge.A sends  0 and  1 with equal length and an access policy A * to C subject to the restriction that, for all  ∈ , A * cannot be satisfied by .The challenger chooses  ∈ {0, 1} and computes CT * = Encrypt(PK,   , A * ).Then the challenger sends the challenge ciphertext CT * to A.

Query Phase 2.
A proceeds to adaptively launch transformation key, decryption, Decryption out , and private key queries as in phase 1 with the following restrictions: (1) A cannot make private key query which results in attribute set  that satisfies the target access policy A * . (

Construction of Our New Scheme
Our new scheme consists of seven algorithms.
If there exist  and   such that ∑ V , ∈  , = ∑ V , ∈   , , the user with attribute set   is able to decrypt ciphertext related to A, where   ⊭ A,  ⊨ A, and  ̸ =   .We have that the assumption holds with overwhelming probability: where  = ∏  =1   .If we randomly choose  , ∈ Z  as secret key, then our assumption is reasonable.

Security Proof
Note that, in our scheme, a ciphertext consists of three parts: ( 1 ,  2 ,  3 ), (  1 ,   2 ,   3 ), and Ĉ.The first two elements are ciphertexts for message  and random message M, respectively, utilizing the encryption algorithm [33].In essence, the second and the third elements are redundant information.
The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from [33], which has been proven to be selectively CPA-secure.We denote the first four algorithms as Basic CP-ABE.To guarantee the security for our scheme, we firstly prove that if the scheme in [33] is selectively CPA-secure, then Basic CP-ABE scheme is selectively CPA-secure.Theorem 6. Assume that the scheme in [33] is selectively CPAsecure.Then the Basic CP-ABE scheme is also selectively CPAsecure.
Proof.We prove that our Basic CP-ABE scheme is selectively CPA-secure by the following two games. 0 .Game 0 is the originally selective CPA security game. 1 .In Game 1 , the challenger randomly selects Ĉ ∈  1 and generates the remaining parts of the challenge ciphertext CT = (A, Ĉ,  1 ,  2 ,  3 ,   1 ,   2 ,   3 ) as in Game 0 .
This theorem is proven via the following lemmas.Lemma 7 shows that Game 0 and Game 1 are indistinguishable.Lemma 8 shows that the advantage for an adversary in Game 1 is negligible.Thus, we come to a conclusion that the advantage for an adversary in Game 0 is negligible.Theorem 6 is correct from the two lemmas below.Lemma 7. Assume that the scheme in [33] is selectively CPAsecure; Game 0 and Game 1 are computationally indistinguishable.
Proof.If the adversary A is able to distinguish Game 0 and Game 1 at nonnegligible advantage, then we find an algorithm B which attacks the scheme [33] under the selective CPA security model at nonnegligible advantage.
Let C be the challenger for the selective CPA security game in scheme [33].B and the adversary A interact as follows.
Init.A gives A * to B as its challenge access policy.B sends A * to C as its challenge access policy.C sends the public parameters PK  = (,  1 , ℎ, , { , } ∈ [1,𝑛],∈[1,  ] ) of the scheme [33]  Note that if  = , B appropriately simulates Game 0 ; else, B appropriately simulates Game 1 .Therefore, if A is able to distinguish Game 0 and Game 1 at nonnegligible advantage, we are able to find an algorithm B that attacks the scheme [33] in selective CPA security model at nonnegligible advantage.Lemma 8. Assume that the CP-ABE scheme in [33] is selectively CPA-secure; the advantage for the adversary A on Game 1 is negligible.
Proof.If the adversary A has a nonnegligible advantage in Game 1 , then we can find an algorithm B which attacks the scheme [33] at a nonnegligible advantage.
Let C be the challenger with respect to B of the scheme [33].B interacts with A as demonstrated in the following steps.
Setup.B chooses , ,  ∈  Z  and sets  =    1 , V =  Challenge.A submits messages  0 ,  1 with equal size.B sends  0 ,  1 and A * to C. C randomly chooses  ∈ {0, 1}; the message   is encrypted by PK  and A * using the encryption algorithm in [33] and sends the resulting ciphertext CT *  to B. B parses CT *  as CT *  = (A * ,  1 ,  2 ,  3 ).B selects   ∈  Z  , M ∈    , and Ĉ ∈   1 and computes Query Phase 2. A adaptively launches private key query as in phase 1. B answers the queries as in phase 1.

Guess.
A gives a guess   ∈ {0, 1} on B. B returns   as its guess for .Obviously, B has appropriately simulated Game 1 .
If A has a nonnegligible advantage in Game 1 , then B attacks the scheme in [33] at a nonnegligible advantage.Now we have proven that the Basic CP-ABE scheme is selectively CPA-secure.After that we prove that if Basic CP-ABE scheme is selectively CPA-secure, then our new scheme is selectively CPA-secure.Theorem 9. Assume that Basic CP-ABE scheme is selectively CPA-secure.Then our new scheme is selectively CPA-secure.
Proof.If A breaks our new CP-ABE scheme at nonnegligible advantage, then we find an algorithm B which breaks Basic CP-ABE scheme at nonnegligible advantage.We assume that C is the challenger with respect to B for Basic CP-ABE.B interacts with A as demonstrated in the following steps.

Setup. B sends PK to A.
Query Phase 1. B maintains a table Tb and a set  which are initialized as empty.A adaptively launches queries.
(1) Private Key Query on Attribute Set .B obtains the private key SK  by calling the key generation oracle of C with respect to .Then, B lets  =  ∪ {} and sends the private key SK  to A.
(2) Transformation Key Query on Attribute Set .B scans the tuple (, SK  , TK  , RK  ) in table Tb.If such a tuple exists, it sends the transformation key TK  to A. Otherwise, B selects random exponents ,  ∈ Z  .B computes   1 = ℎ  ( )  and   2 =   1 .B stores the tuple (, * , TK  = (,   1 ,   2 ), ) in table Tb and returns TK  to A. Observe that B does not know the actual retrieving key RK  = /.Here, we compute as follows: Challenge.A submits messages  0 ,  1 with same length and challenge access policy A * .B gives  0 ,  1 and A * to C to obtain the challenge ciphertext CT * .B returns CT * to A as its challenge ciphertext.

Query Phase 2.
A adaptively launches private key query as in phase 1, and B answers the queries as in phase 1.

Guess.
A obtains   .B also obtains   .If the guess   for A of our scheme is correct, the guess of B for Basic CP-ABE scheme is correct too.So we can conclude that if A can attack our scheme at nonnegligible advantage, then we will find an algorithm B which attacks Basic CP-ABE scheme under the selective CPA security model at nonnegligible advantage.
Theorem 10.Our CP-ABE scheme is verifiable if the discrete logarithm assumption defined in Section 2.2 holds.
Proof.Suppose that there exists an adversary A that attacks verifiability of our new scheme at nonnegligible advantage.We find an algorithm B that can solve the DL problem at nonnegligible advantage.

Setup
where  ̸ =  * and  * , M * , , M, ,  are obtained by B. Because  is a collision-resistant hash function, ( * ) is not equal to () with overwhelming probability.Thus, B gets  = (( M * ) − ( M))/(() − ( * )), which breaks the DL assumption.It is paradoxical, so our CP-ABE scheme is verifiable  Tables 1-3 show that our scheme is efficient.Table 1 illustrates that the size of private key, ciphertext, and transform key in our scheme is constant.However, the size of private key, ciphertext, and transform key in [11,12,31] depends upon the number of attributes.Therefore, our scheme greatly reduces the communication overhead and is very suitable for bandwidth limited devices.As the operation cost over Z  is much smaller than group and pairing operation, we ignore the computation time over Z  .Compared with the scheme in [11,12,31], the computational overhead for the decryption and transformation operations in our scheme is much smaller.From Table 2, we observe that the computational overhead over group and pairing in [11,12,31] depends on the number of attributes, while it is constant in our scheme.The computational overhead for the outsourcing decryption is constant in above schemes.Table 3 illustrates that only our scheme satisfies all properties.In order to evaluate the efficiency for our scheme, we implement our scheme with java pairing-based cryptography (JPBC) library [36], a port for the pairing-based cryptography (PBC) library in C [37].The elliptic curve parameter we choose is type-A, and the order of group is 160 bits.We run our code on a PC with 64-bit 2.6-GHz Intel Core i5-3320M CPU, with 6 GB RAM, and mobile phone with 4-core 1.8 GHz Processor 2 G memory Android OS 4.4.2,respectively.We also implement the scheme [31] for comparison.Figure 2 compares the times of decryption algorithm spent in our scheme and Lai et al. 's scheme [31].The result shows that our scheme is much more efficient than Lai et al. 's scheme [31] because the time spent in our scheme does not grow with the amount of attributes involved in the access policy.Figure 3 shows the time of the transformation algorithm in PC and mobile phone for two schemes.Similar to the decryption algorithm, the time required by transformation grows linearly with the number of attributes for Lai et al. 's scheme [31],   while it is almost constant for our scheme.Figure 4 shows that the times of the outsourcing decryption algorithm in PC and mobile phone for two schemes are nearly same.Figure 5 shows the ciphertext length in our scheme and Lai et al. 's scheme [31].We can find that the ciphertext length in our scheme is constant, while it will grow with the amount of attributes involved in access policy linearly.So we can conclude that our scheme greatly reduces the communication overhead and is very suitable for bandwidth limited devices.Figure 6 illustrates that the length of partially decrypted ciphertext in two schemes is almost same.

Conclusions
In this article, we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and, moreover, we prove that our scheme is secure and verifiable in standard model.Security in our scheme is reduced to that of scheme in [33] and verifiability is reduced to DL assumption.The computational overhead for the decryption and transformation operations in our scheme is constant, which does not rely on the amount of attributes.In addition, we outsource the expensive operation to the cloud service provider and leave the slight operations to be done on user's device.Therefore, our scheme is very efficient.What is more, the ciphertext length in our scheme does not grow with the number of attributes, which reduces the communication cost greatly.
The proposed scheme has the potential application in various

Figure 1 :
Figure 1: System architecture of our scheme.

𝐺𝑒𝑛𝑇𝐾
(,   ).This algorithm takes PK and SK  as input.It outputs transformation key TK  associated with  and a corresponding retrieving key RK  . (, ,   ).This algorithm takes PK, CT, and TK  as input.It outputs a partially decrypted ciphertext CT  .

( 4 )
Query for Attribute Set  and Ciphertext (,   ).C searches the tuple (, SK  , TK  , RK  ) in table Tb.If such a tuple exists, it runs algorithm  ← Decrypt out (PK, CT, CT  , RK  ) and returns  to C; otherwise, it returns ⊥.
et al. 's scheme in PC Lai et al. 's scheme
, ,   , , ,   ), where  ∈  is randomly selected, the DL problem for (, ,   , ) is to calculate .Assume that  = {att 1 , . . ., att  } is an attribute universe.  = {V ,1 , V ,2 , . . ., V ,  } are some feasible values, where   is the amount of feasible values of att  ∈ .Let This algorithm takes PK, message , and access structure A as input and outputs ciphertext CT. (,   , ).This algorithm takes PK, SK  , and CT as input.It outputs  if SK  associated with  satisfies A.
) A cannot issue any trivial decryption queries.Namely, Decryption out and decryption queries are replied to as phase 1; if the response is either  0 or  1 , then C returns ⊥.Guess.The adversary A gives a guess   ∈ {0, 1} for  and succeeds in the game if   = .An outsourcing decryption CP-ABE scheme is RCCA secure if all probabilistic polynomial-time (PPT) adversaries have at most a negligible advantage of winning in this game.CPA Security.An outsourcing decryption CP-ABE scheme is secure under chosen-plaintext attack (CPA) if A cannot launch decryption queries in the above game.Selective Security.An outsourcing decryption CP-ABE scheme is selective security if we add an initialization phase prior to setup algorithm in above game, where the adversary gives the challenger access structure A * .2.5.2.Verifiability.The verifiability for CP-ABE with outsourced decryption is depicted via a game in both an adversary and a challenger.The game proceeds as follows.Setup.C performs algorithm setup to generate the public parameters PK and master secret key MSK.It returns PK to A and keeps MSK secret.Query Phase 1. C initializes an empty table .A adaptively issues the following queries.(1) Private Key Query for Attribute Set .C runs SK  ← KeyGen(PK, MK, ) and returns the private key SK  to the adversary.(2) Transformation Key Query for Attribute Set .The challenger runs SK  ← KeyGen(PK, MK, ) and (TK  , RK  ) ← GenTK out (PK, SK  ) and stores the entry (, SK  , TK  , RK  ) in table .It then returns the transformation key TK  to the adversary.Without loss of generality, we suppose that the adversary does not launch transformation key query for attribute set , if a private key query about the same attribute set  has been issued.Anyone can generate a transformation key of the user utilizing the user's private key and GenTK out algorithm by himself.(3) Decryption Query for Attribute Set  and a Ciphertext .C runs SK  ← KeyGen(PK, MK, ) and  ← Decrypt(PK, SK  , CT).It sends  to C.   Query for Attribute Set  and Ciphertexts (,   ).C searches the tuple (, SK  , TK  , RK  ) in table .If such a tuple exists, it runs  ← Decrypt out (PK, CT, CT  , RK  ) and returns  to C; otherwise, it returns ⊥.Challenge.A sends challenge message  * and challenge access policy A * to the challenger C. C computes CT * = Encrypt(PK,  * , A * ) and returns CT * to A as its challenge ciphertext.Output.A returns attribute set  * and transformed ciphertext CT *  .We suppose that tuple ( * , SK  * , TK  * , RK  * ) is included in table .Otherwise, the challenger generates the tuple as the reply for transformation key query.A succeeds in the game if Decrypt out (PK, CT * , CT *  , RK  * ) ∉ { * , ⊥}.Definition 5.An outsourcing decryption CP-ABE scheme is verifiable if PPT adversary has at most a negligible advantage in the above game.
| Pr(  = )−1/2| is defined as the advantage for the adversary A in the game.Definition 4.
:   → Z *  is a secure hash function.B sends PK = (,  1 , ℎ, , V, , , { , } ∈[1,],∈[1,  ] , ) to the adversary A. Query Phase 1.A adaptively launches private key query of attribute set   ; B gets the private key SK   via calling key generation oracle of C with respect to   .B sends the private key SK   to A.

Table 1 :
Size of each value.

Table 3 :
Property of each scheme.| 1 |, |  |, and |Z  | denote the bit-length of the elements belonging to  1 ,   , and Z  .  , , and  1 denote the -times computation in the pairing, hash function, and group  1 , respectively. = {att 1 , . . ., att  } denote the attribute universe. 1 and  2 are the amounts of the attributes related to ciphertext and private key, respectively. = ∑  =1   denotes the total number of possible attribute values.