User Privacy Protection Scheme Based on Verifiable Outsourcing Attribute-Based Encryption


Introduction
In the era of big data, large amounts of data are rapidly generated from different sources (e.g., smartphones, sensors, and social networks). Traditional computer systems have been unable to store and process these data. The emerging cloud storage technology has been extensively utilized due to its advantages of low cost, large capacity, transparent access, and ability to provide services at any time [1,2]. With the continuous development of cloud storage technology and mobile terminals, users can store their data in the cloud and rely on cloud servers to share data with other users. However, when data are outsourced to a cloud server, users lose physical control over their data, and the cloud service provider cannot be fully trusted. To solve the data security problem of cloud server users, Lai et al. [3] proposed a verifiable outsourcing decryption scheme, which can effectively verify the correctness of cloud computing results by establishing validation labels. As access policies are appended in plaintext to ciphertext, access policies may reveal user privacy. For example, if Alice encrypts her data to an ophthalmologist, then the attributes that an access policy may contain are ophthalmologists and doctors.
Although the data cannot be decrypted, a person that views the data may speculate that Alice has an eye disease, which violates Alice's privacy. To enable end users to effectively control their data access, sensitive data privacy protection mechanisms must be established for cloud storage. According to the literature, the existing cloud storage model has some shortcomings regarding encrypting and decrypting attributes based on outsourcing. The model has low computational efficiency and reliability and cannot adapt to large-scale user access. In this context, this paper proposes an efficient and verifiable fully outsourced CP-ABE scheme. This scheme can simultaneously realize the outsourcing of key generation, encryption, and decryption, verify the correctness of outsourcing calculation results, and build a secure and efficient cloud storage access control model.

Related Work
Traditional access control is based on trusted servers. To satisfy the requirements of cloud storage services, a cryptographic mechanism that is based on traditional access control is necessary. Attribute-based encryption (ABE) is a promising technology that can not only guarantee the security of data storage but also realize flexible access permission settings [4,5]. Currently, two classical algorithms exist for the attribute-based cryptosystem. The first algorithm is an attribute encryption algorithm that is based on ciphertext policy ABE (CP-ABE), which embeds the access strategy into the ciphertext, while the user's private key binds a set of attributes to represent the user's identity [6,7]. Wang et al. [8] adopted the method [9] and extended most attribute encryption schemes based on a bilinear pairing operation to outsourced attribute encryption schemes. Lai et al. [10] considered the security verification of outsourcing decryption based on [9] and proposed an ABE scheme that supports verifiable outsourcing decryption and proves the security of the scheme with the standard model; however, the efficiency of the scheme is low. Subsequently, Lin et al. [11] systematically solved the security verification problem of outsourcing decryption; the efficiency of the proposed scheme was nearly half higher than that of [10]. In addition, Li et al. [12] used the MapReduce method to implement ABE-encrypted outsourcing computing. This scheme supports a tree access strategy and has a rich expressive ability but does not consider outsourcing decrypted computing. Fan et al. [13] proposed an ABE scheme that supports private key generation and decryption outsourcing, which employs two key generation service providers to help attribute authorization agencies complete the work of private key generation. Li et al. [14] proposed a verifiable outsourced multiauthorization access control scheme, which outsources most of the encryption and decryption tasks to fog nodes to reduce the user's computing burden. The scheme can verify the correctness of the outsourced computing results. Li et al. [15] proposed a new verifiable outsourcing decryption ABE scheme. In this scheme, the length of the ciphertext is not related to the complexity of the access policy. However, the scheme only supports the outsourcing of decryption computing, and the expression ability of the access policy is limited. None of these schemes can be completely outsourced, that is, private key generation, encryption, and decryption computing are simultaneously outsourced to third parties. Although Zhang et al. [15] proposed a completely outsourced CP-ABE scheme, which outsources key generation, encryption, and decryption to cloud service providers and completes the security certification of the scheme, the scheme could not verify the correctness of the outsourced calculation results. Ma et al. proposed a new construction of attribute-based encryption (ABE) which can outsource the complicated encryption task to an Encryption Service Provider (ESP) in a verifiable manner [16]. Hu et al. showed that Ma et al.'s proposal fails to provide the verifiability property for outsourced encryption [17]. However, verifiability is very important for cloud storage system applications.
Due to the shortcomings of existing research, this paper proposes a verifiable complete outsourcing CP-ABE scheme. The scheme can realize the outsourcing of key generation, encryption, and decryption and verify the correctness of the outsourcing calculation results. Specifically, attribute authorization agencies employ two non-colluding cloud service providers to generate an intermediate private key. The attribute authorization authority can complete the work of private key generation by simple calculation according to $ISK_x$. This paper introduces the default attribute $\xi$ to reconstruct the access policy to complete the encryption outsourcing work. Using the private key SK, reconstruct the transform key TK and retrieve the key RK. The cloud service providers complete part of the decryption of the ciphertext via TK. In addition, two hash functions are used to verify the correctness of the outsourcing calculation results. This scheme can effectively reduce the computational burden of attribute authorization agencies and users. Based on the decision-making q-Bilinear Diffie-Hellman Exponent (q-BDHE) hypothesis, this paper proves the indistinguishable security of the proposed scheme under chosen-plaintext attacks in the random oracle model and provides the verifiability proof of the proposed scheme. The theoretical analysis and experimental verification show that the proposed scheme has advantages of functionality and efficiency and is more suitable for practical application.

Research Model
The system model of the scheme proposed in this paper is shown in Figure 1. These components provide private key generation services, data encryption services, data decryption services, and data storage services. During the process of service, however, the components cannot know the user's private key and data plaintext.
In this scheme, the data owner (DO) can use a mobile computing terminal to encrypt plaintext information and store it in the cloud. The data user (DU) can use mobile computing terminals to download ciphertext information from the cloud and decrypt it; mobile computing terminals can withstand this computing load. This paper assumes that the Attribute Authority (AA) is a fully trusted key distribution agency. Cloud service providers are honest but curious, that is, cloud service providers honestly follow the proper steps but, due to curiosity, will pry into the privacy of data during the course of their work [15]. The two KG-CSPs cannot collude with each other to share data; thus, the ISK obtained remains hidden from the two KG-CSPs.

Bilinear Group.
A bilinear group is an important key technology in the cryptosystem. Let $\psi$ be a group generation algorithm that takes the security parameter $\lambda$ as input and outputs $(p, G, G_T, e)$, where $p$ is a prime determined by the security parameter $\lambda$ and $G$ and $G_T$ are cyclic groups of prime order $p$. The bilinear mapping $e: G \times G \to G_T$ satisfies the following properties:
(1) Bilinear: $\forall u, v \in G$ and $a, b \in Z_p$, $e(u^a, v^b) = e(u, v)^{ab}$
(2) Non-degeneracy: $g \in G$ exists such that the order of $e(g, g)$ in $G_T$ is $p$
(3) Computability: for $\forall u, v \in G$, $e(u, v)$ can be effectively calculated

Linear Secret Sharing Scheme.
The linear secret sharing scheme (LSSS) is defined as follows: if a secret sharing scheme $\Pi$ on the participant set p satisfies the following two conditions, then the scheme is referred to as a linear secret sharing scheme on $Z_p$.
(1) The secret share of each entity constitutes a vector on $Z_p$. Consider the vector $v = (s, y_2, \ldots, y_n)$, where $s \in Z_p$ is the shared secret, $y_2, \ldots, y_n \in Z_p$ are randomly selected values that are used to hide $s$, and $Mv$ is a vector that consists of $l$ secret shares. $\lambda_i = (Mv)_i$ represents the secret share of participant $\rho(i)$.
The LSSS scheme has a linear reconstruction property. Assume that $\Pi$ is a linear secret sharing of access policy $A$. Let $S \in A$ be an access authorization set, and define $I = \{i : \rho(i) \in S\}$. If $\{\lambda_i\}$ are the effective shares of secret $s$, then a set of constants $\{w_i \in Z_p\}_{i \in I}$ can be established in polynomial time such that the equation $\sum_{i \in I} w_i \lambda_i = s$ holds.
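The share generation and linear reconstruction defined above, as an added example (not code from the paper): shares $\lambda_i = (Mv)_i$ over a prime field and the constants $w_i$ found by Gaussian elimination from $M$ and $I$ alone. The policy (doctor AND ophthalmologist) OR auditor, its matrix, the modulus and all function names are assumptions constructed for illustration.

```python
import secrets

# Assumption: a fixed prime stands in for the group order p of the scheme.
P = 2**127 - 1

# Constructed policy (doctor AND ophthalmologist) OR auditor.
# Row i of M belongs to attribute RHO[i]; the target vector is (1, 0).
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["doctor", "ophthalmologist", "auditor"]


def share(secret, M, p=P):
    """lambda_i = (M v)_i with v = (s, y_2, ..., y_n), y_j random in Z_p."""
    n = len(M[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]


def recon_coeffs(M, rho, attrs, p=P):
    """Find w_i (i in I) with sum_i w_i * M_i = (1, 0, ..., 0), else None.

    Only M, rho and the attribute set are needed, never the shares.
    """
    I = [i for i, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    # Augmented system: one equation per column of M, one unknown per row in I.
    A = [[M[i][c] % p for i in I] + [int(c == 0)] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(I)):
        piv = next((k for k in range(r, n) if A[k][col]), None)
        if piv is None:
            continue                      # free variable, left at 0
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][col], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for k in range(n):
            if k != r and A[k][col]:
                f = A[k][col]
                A[k] = [(x - f * y) % p for x, y in zip(A[k], A[r])]
        pivots.append(col)
        r += 1
    if any(A[k][-1] for k in range(r, n)):
        return None                       # (1,0,...,0) not in the span: not authorized
    w = {i: 0 for i in I}
    for row_idx, col in enumerate(pivots):
        w[I[col]] = A[row_idx][-1]
    return w


def reconstruct(shares, w, p=P):
    """s = sum_{i in I} w_i * lambda_i mod p."""
    return sum(w_i * shares[i] for i, w_i in w.items()) % p


def demo():
    """Map each constructed attribute set to True (recovers s) or None (no w exists)."""
    s = secrets.randbelow(P)
    shares = share(s, M)
    results = {}
    for attrs in ({"doctor", "ophthalmologist"}, {"auditor"}, {"doctor"}, set()):
        w = recon_coeffs(M, RHO, attrs)
        results[frozenset(attrs)] = None if w is None else reconstruct(shares, w) == s
    return results


if __name__ == "__main__":
    for attrs, ok in demo().items():
        print(sorted(attrs), "->", "recovers s" if ok else "not authorized")
```
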

Decision-Making q-BDHE Hypothesis.
Let $G$ denote a bilinear group whose order is the prime $p$, and let $g$ and $h$ be two independent generators of group $G$. Choose the random value $\alpha \in Z_p^*$, and define $y_{g,\alpha,l} = (g_1, g_2, \ldots, g_l, g_{l+2}, \ldots, g_{2l}) \in G^{2l-1}$, where $g_i = g^{(\alpha^i)}$. The algorithm B outputs the value $z \in \{0, 1\}$ as its guess. If $|\Pr[B(g, h, y_{g,\alpha,l}, e(g_{l+1}, h)) = 0] - \Pr[B(g, h, y_{g,\alpha,l}, Z) = 0]| \geq \varepsilon$, then B is said to have the advantage $\varepsilon$ in solving the decision-making q-BDHE problem for groups $G$ and $G_T$. If no polynomial-time algorithm exists that solves the decision-making q-BDHE problem with an advantage that cannot be disregarded, then we conclude that the decision-making q-BDHE hypothesis is valid in groups $G$ and $G_T$.

Hybrid Access Policy.
This paper proposes a verifiable full outsourcing CP-ABE scheme based on Waters' CP-ABE scheme [18]. In this scheme, the user's private key is associated with the attribute set $S$, and the ciphertext is associated with the access policy $(M, \rho)$. To ensure the confidentiality of data in the process of encrypting outsourcing, this paper establishes the hybrid access policy $Str = (M, \rho) \wedge \{\xi\}$, where "$\wedge$" represents the "AND" gate, $(M, \rho)$ represents the original access policy, and $\xi$ represents the default attribute. For any given access policy $T$, the hybrid access policy $Str = (M, \rho) \wedge \{\xi\}$ in this paper is constructed by introducing the default attribute $\xi$ into the original access policy $(M, \rho)$ using the "AND" gate. By this ingenious construction, the original access policy can be arbitrary. In the process of encryption, the data owner completes the $\xi$ encryption, and E-CSP completes the $(M, \rho)$ encryption without leaking plaintext information.

Encryption Scheme.
The data security access control scheme in this article is as follows:
(1) Setup($1^\lambda$): the algorithm chooses the bilinear group $G$, whose order is the prime $p$; $g$ is the generator of group $G$, and $h_\xi, h_1, \ldots, h_U \in G$ are random group elements. In addition, the exponents $\alpha, \beta \in Z_p$ are randomly selected and $g_1 = g^\beta$. Select the hash
The system master private key $MSK = \langle g^{a} \rangle$ and the system public key $PK = \langle G, g, g_1$
(2) KeyGen$_{init}$(PK, N): the algorithm randomly chooses the exponent $r'$ and calculates $D' = g^{\beta r'}$ and $L' = g^{r'}$.
The algorithm takes PK, $(M, \rho)$, and $EK_{E-CSP}$ as input parameters. $M$ is an $l \times n$ matrix. Function $\rho$ is a projective function that maps every row of $M$ to an attribute. The algorithm randomly chooses the vector $v = (s_1, y_2, \ldots, y_n) \in Z_p^n$, which is used to share the encryption exponent $s_1$. For $i = 1$ to $l$,
If $\{\lambda_i\}$ are effective shares of secret $s_1$, then the set of constants $\{w_i \in Z_p\}_{i \in I}$ can be found in polynomial time; thus, $\sum_{i \in I} w_i \lambda_i = s_1$. We note that several different ways to choose $w_i$ may exist to satisfy this formula. In addition, the decryption algorithm only needs to know $M$ and $I$ to determine these constants. DU sends TK to D-CSP. D-CSP is calculated according to the following formula:
We can calculate and obtain $T = e(g, g)^{\alpha s \delta}$. The output is the converted ciphertext $TC = \langle C, C'', T \rangle$. D-CSP sends the converted ciphertext TC to DU. In this paper, the author assumes that $x = 1$, and then, A attempts to decrypt the ciphertext of other normal users.
Chosen plaintext attack security game. The Chosen Plaintext Attack (CPA) security game for the scheme proposed in this paper is described as follows:
(1) System initialization: the access strategy $(M^*, \rho^*)$ that adversary A will challenge is transmitted to simulator B
(2) System establishment: B executes the Setup algorithm and sends PK to adversary A
Query phase 1: simulator B initializes the empty table $T_0$, the empty set $E$, and the integer $j = 0$. Adversary A can repeat any of the following queries on attribute set $S$.
Guessing stage: adversary A outputs the value $b' \in \{0, 1\}$ as a guess of $b$. If $b' = b$, we consider that adversary A won the game. The advantage of adversary A in the game is defined as follows:
Definition 1. If no polynomial-time adversary can attack the security model with an advantage that cannot be disregarded, then the proposed scheme is chosen-plaintext secure.
Verifiability game: verifiability ensures correct execution during the transformation phase. The verifiability of the proposed scheme is described by the game between simulator B and adversary A. The specific process is detailed as follows:
System establishment: simulator B executes the Setup algorithm, sends PK to adversary A, and retains the master private key MSK.
Definition 2. If no polynomial-time adversary can attack the security model with an advantage that cannot be disregarded, then the scheme proposed in this paper is verifiable.
, $y_{g,\alpha,l}$, and $Z$), where $Z$ is a random element or $e(g_{l+1}, h)$ and $y_{g,\alpha,l} = (g_1, g_2, \ldots, g_l, g_{l+2}, \ldots, g_{2l}$

Proof of Safety
System initialization: adversary A chooses the access strategy $T^* = (M^*, \rho^*)$, which needs to be challenged, and sends it to simulator B.
Establish system: B calculates $PK = \langle G, g, g_1 = g^a, e(g, g)^a, h_1, \ldots, h_U, h_\xi \rangle$ in the same way as challenger C in [18], and then, simulator B sends the public key PK to adversary A.
Query phase 1: B initializes the empty tables $T_0$, $T_1$, and $T_2$, the empty set $E$, and the integer $j = 0$. Adversary A can repeat any of the following queries on the set of attributes.
Simulator B sends $CT^* = \langle C, C'', C'_\xi, C_\xi, C', \{C_i\}_{i \in [1,l]}$
Query phase 2: similar to query phase 1, adversary A continues to submit a list of attributes to B.
Guessing stage: adversary A outputs the value $b' \in \{0, 1\}$ as a guess of $b$. If $b' = b$, B outputs 0, which indicates the guess $Z = e(g_{n+1}, h)$. Otherwise, B outputs 1, which indicates the guess that $Z$ is a random element in group $G_T$. When $Z = e(g_{n+1}, h)$, simulator B can provide an effective simulation. Accordingly, we conclude that $\Pr[B(g, h, y_{g,\alpha,l}, e(g_{l+1}, h)) = 0] = 1/2 + Adv_A$. When $Z$ is a random element in $G_T$, $m_b$ is completely random for A. Accordingly, we conclude that $\Pr[B(g, h, y_{g,\alpha,l}, Z) = 0] = 1/2$. Therefore, B has an advantage that cannot be disregarded in attacking the decision-making q-BDHE hypothesis. The proof is complete.
Challenge phase: adversary A submits the challenge plaintext $m^*$ and access strategy $(M^*, \rho^*)$. Simulator B calculates the ciphertext $CT_{R^*} = \langle C, C', C_i, C'_\xi, C_\xi \rangle$ of the random value $R^* \in M$ and then calculates $t^* = H_2^*(R^*)$, $C''^* = m^* \oplus t^*$, and

Proof of Verifiability
Retain $VK^*_m$ and $(R^*, C''^*)$. Query phase 2: B responds to the queries of adversary A in the way of query phase 1, but adversary A cannot query an attribute set $S$ that satisfies the access policy $(M^*, \rho^*)$.

Security and Communication Networks
will break the ability of H * 2 to resist a collusion attack.
Based on this analysis, the security proof of Theorem 2 is completed. The proof is complete.
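The user-side check that verifiability relies on, as an added example that is not the paper's construction: ElGamal in a toy prime-order group stands in for the pairing-based CP-ABE while keeping the roles of TK, RK = δ, TC = ⟨C, C'', T⟩, R and t = H2(R). The tag formula VK = H1(R ‖ C''), the group parameters and every function name are assumptions; the 16-byte message is a constructed stand-in for an encapsulated 128-bit symmetric key.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this example and NOT secure:
# safe prime P = 2Q + 1; G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4


def _enc(x):
    return x.to_bytes(2, "big")


def H1(R, c2):
    """Tag hash. Assumption: VK = H1(R || C'')."""
    return hashlib.sha256(b"H1" + _enc(R) + c2).digest()


def H2(R, n):
    """Mask hash: t = H2(R), stretched to n bytes."""
    return hashlib.shake_256(b"H2" + _enc(R)).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)          # uniform in [1, Q-1]


def keygen():
    x = rand_exp()
    return x, pow(G, x, P)                       # SK = x, public h = g^x


def encrypt(h, m):
    s, R = rand_exp(), pow(G, rand_exp(), P)     # R: random group element
    c2 = xor(m, H2(R, len(m)))                   # C'' = m XOR t
    return {"C": R * pow(h, s, P) % P, "C1": pow(G, s, P),   # C1 = g^s
            "C2": c2, "VK": H1(R, c2)}


def transform_keys(x):
    delta = rand_exp()
    return x * delta % Q, delta                  # TK = x*delta, RK = delta


def csp_transform(ct, TK):
    """Run by the D-CSP: T = (g^s)^TK = h^(s*delta). It never sees x or R."""
    return {"C": ct["C"], "C2": ct["C2"], "T": pow(ct["C1"], TK, P)}


def user_decrypt(tc, RK, VK):
    """One exponentiation for the user, then the hash check on (R, C'').

    VK is read from the stored ciphertext, not from the D-CSP's reply.
    """
    hs = pow(tc["T"], pow(RK, -1, Q), P)         # T^(1/delta) = h^s
    R = tc["C"] * pow(hs, -1, P) % P
    if not hmac.compare_digest(H1(R, tc["C2"]), VK):
        return None                              # transformation result rejected
    return xor(tc["C2"], H2(R, len(tc["C2"])))


def demo(m=b"128-bit sym key!"):
    """Return the user's output for an honest reply and two altered replies."""
    x, h = keygen()
    ct = encrypt(h, m)
    TK, RK = transform_keys(x)
    honest = csp_transform(ct, TK)
    bad_T = dict(honest, T=honest["T"] * G % P)               # incorrect T
    bad_C2 = dict(honest, C2=xor(honest["C2"], b"\x01" * len(m)))
    return [user_decrypt(t, RK, ct["VK"]) for t in (honest, bad_T, bad_C2)]


if __name__ == "__main__":
    print(demo())
```
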

5.1. Theoretical Analysis.
To evaluate the computational efficiency of the scheme proposed in this paper, the computational overhead in the stages of private key generation, encryption, and decryption is theoretically analysed. The computational efficiency of this scheme is compared with that of the ABE schemes in [8, 13-15, 18]. In the comparison, $|U|$ represents the number of all attributes in the system, $|S|$ denotes the number of attributes of DU, $s$ represents a set of attributes that satisfies the decryption requirements, and $l$ represents the number of rows in matrix $M$ in LSSS. In addition, $E_G$ and $E_{GT}$ represent modular exponential operations in $G$ and $G_T$, respectively. $P$ represents bilinear pairing operations. For a fair comparison, [13] is assumed to have only one AA. Table 1 shows the efficiency comparison of each scheme. Wang et al. [8] used offline or online technology in the encryption phase. To facilitate the comparison, other outsourcing technologies are compared.
The comparison of calculation efficiency of each scheme is shown in Table 1. The work by Waters [18] is a CP-ABE-based scheme, which is also a solution without outsourcing. In [18], attribute authorization agencies, data users, and data owners need to compute a large number of pairing and exponential operations. The author's scheme proposed in this paper is based on [18]. The scheme achieves a verifiable and complete outsourcing function. This scheme can reduce the computational burden of AA, DO, and DU and considerably ease the computational burden of computing resource-constrained terminals. Li et al. [14] only support outsourced decryption calculation and can verify the correctness of the calculation results. Although the work [14] does not support the outsourcing computing function of key generation and encryption, it achieves a constant length of ciphertext and requires less computation in the key generation and encryption stages. The disadvantage is that [14] only supports the "AND" gate access strategy and has limited expressive ability. Wang et al. [8] support offline/online encryption and decryption outsourcing, but the scheme does not support validation of the correctness of outsourcing decryption, and AA requires a large number of exponential operations. Kai et al. [13] support encryption and decryption outsourcing and verify the correctness of the calculation results, but their AA requires numerous exponential operations. Rui et al. [15] and the author's scheme realize the outsourcing functions of key generation, encryption, and decryption. However, Rui et al. [15] do not support verifiability and cannot guarantee the correctness of the calculation results. The comprehensive analysis shows that only the author's scheme achieves the outsourcing computing functions of key generation, encryption, and decryption, reduces the computing load of the terminal, and supports verifiability. Outsourcing computing is important for mobile devices with limited electricity and computing resources. Therefore, the author's scheme is effective and practical.

Experimental Analysis.
The theoretical analysis shows that the author's scheme has advantages of function and efficiency. To further evaluate the actual performance of the author's scheme, the author tested the computational time of [15] and the author's scheme in terms of private key generation, data encryption, and data decryption in the following experimental environment. The experimental environment configuration is shown in Table 2.
In the CP-ABE scheme, access complexity affects the time of encryption and decryption. To illustrate this point, this paper uses an access strategy of the form ($S_1$ AND $S_2$ AND ... $S_n$) to simulate the most complex situation, where each $S_i$ is an attribute. This method ensures that all ciphertext components are involved in the decryption computation. In this form, each increment is 10, from 10 to 100, which produces 10 different access strategies. For each access strategy, 20 experiments are repeated, each experiment is completely independent, and the average is considered the experimental result.
Attribute-based encryption usually cooperates with symmetric encryption to encrypt plaintext data, that is, the plaintext is encrypted with the symmetric key, and the symmetric key is then encapsulated with attribute-based encryption. Therefore, to obtain benchmark results, a 128-bit symmetric key is encapsulated based on the previously mentioned access strategy.
The experimental results are shown in Figure 2. Figure 2 has three subgraphs. Each subgraph compares the execution time of the author's scheme and Rui et al.'s [15] scheme. Figure 2(a) shows that KG-CSP undertakes most of the key generation, and the time of key generation linearly increases with the number of attributes. Attribute authorization agencies only need to undertake a small amount of computation to complete the key generation. In the foregoing section, the author analyses that the calculation amount of AA is 0. The author disregards multiplication and hash operations as they are secondary factors. Figure 2(b) shows that E-CSP undertakes most of the encryption work, and the encryption time linearly increases with the complexity of the access policy. The data owner only requires a constant amount of computation to complete the encryption work. Figure 2(c) shows that D-CSP undertakes most of the decryption work, and the ciphertext conversion time linearly increases with the complexity of the access strategy. User decryption only requires constant computation to complete the decryption work, which is unrelated to the complexity of the access policy. Figure 2 shows that the key generation time, encryption time, and decryption time increase with the complexity of the attribute sets or access policies. By comparing the two schemes, the computing cost of the author's scheme in the

Table 1: Comparative analysis of computational efficiency.
Schemes: Reference [18], Reference [8], Reference [14], Reference [15], Reference [13], Author's scheme

and DU in [15] require less computation than the author's scheme. However, this gap is very small and does not change with the number of attributes or the complexity of the access policies. The computation of the author's scheme in the cloud is less than that in [15], and the difference becomes more distinct with an increase in the number of attributes or the complexity of the access strategy, which helps AA and enables users to rent less cloud computing resources and reduce costs. The local computational complexity of the author's scheme is slightly higher than that of [15]. However, this gap is very small and does not change with an increase in the number of attributes or the complexity of the access strategy. In addition, the author's scheme supports the verifiability of decryption outsourcing, which is not available in [15].

Concluding Remarks
To improve the efficiency of the CP-ABE scheme, the author proposes a verifiable full outsourcing scheme. The scheme can simultaneously realize the outsourcing function of key generation, encryption, and decryption calculation and verify the correctness of the outsourcing calculation results. This scheme can effectively alleviate the computational burden of attribute authorization agencies, data owners, and data users; the advantages are more distinct for cloud storage systems with a large number of users and for users with limited resources. With the random oracle model, the indistinguishable security of the author's scheme against a plaintext attack and the verifiability of the author's scheme are proved. The theoretical analysis and experimental verification show that the author's scheme has advantages of functionality and efficiency and is more suitable for practical application [19-24].

Data Availability
The data used to support the findings of the study are included within the article.

Conflicts of Interest
The author declares that there are no conflicts of interest regarding the publication.