Efficient Ciphertext-Policy Attribute-Based Encryption Constructions with Outsourced Encryption and Decryption

-e invention of the Ciphertext-Policy Attribute-Based Encryption scheme opened a new perspective for realizing attribute-based access control systems without being forced to trust the storage service provider, which is the case in traditional systems where data are sent to the storage service provider in clear and the storage service provider is the party that controls the access to these data. In the Ciphertext-Policy Attribute-Based Encryption model, the data owner encrypts data using an attribute-based access structure before sending them to the storage service, and only users with authorized sets of attributes can successfully decrypt the generated ciphertext. However, Ciphertext-Policy Attribute-Based Encryption schemes employ expensive operations (i.e., bilinear pairings and modular exponentiations) and generate long ciphertexts and secret keys, which makes them hard to implement in real-life applications especially for resource-constrained devices. In this paper, we propose two Ciphertext-Policy Attribute-Based Encryption Key Encapsulation Mechanisms that can be provided as services in the cloud, minimizing the user’s encryption and decryption costs without exposing any sensitive information to the public cloud provider. In the first scheme, the ABE Service Provider is considered fully untrusted. On the other hand, the second scheme requires the ABE Service Provider to be semi-trusted (Honest-but-Curious) and does not collude with illegitimate users. Both schemes are proved to be selectively CPA-secure in the random oracle. -e theoretical and experimental performance results show that both our first and second schemes are more efficient than the reviewed outsourced CP-ABE schemes in terms of user-side computation, communication, and storage costs.


Introduction
In the past, businesses were suffering from the overheads of dealing with their IT infrastructure installation and management. Nowadays, they can easily minimize these costs by externalizing their activities to one of the existing cloud solutions and paying only the amount of resources they consumed. is new paradigm is beneficial for both users and cloud providers, and this is what makes cloud services continue to attract more enterprises and individual users, helping them to start or improve their businesses easily. Cloud Storage is one of the services offered by cloud providers to help companies and individuals store, manage, and share data efficiently. Nevertheless, when outsourcing data, data owners are also outsourcing the control over their data. erefore, this creates data security and confidentiality challenges against a third party who comprised the cloud server to steal data or even against a curious cloud provider [1]. Hence, data owners should encrypt data before outsourcing them to make sure that only authorized users can decrypt and gain access to the data.
Cryptosystems in traditional public cryptography are one-to-one ciphers, meaning that the data owner should retrieve the public key of all the authorized users and encrypt a copy of his data for each user with the corresponding public key. For example, if a data owner wants to share a document with 100 users, he must create 100 copies of the document, retrieve 100 public keys, and encrypt each copy with the public key of the corresponding user. us, this solution is not practical since it produces huge computation, storage, and communication overheads.
In 2005, Sahai and Waters [2] proposed a Fuzzy Identity-Based Encryption (FIBE) scheme with a new model that is not based on users' public keys or identities (as in Identity-Based Encryption schemes), but instead, their model is using attributes to encrypt data and to generate secret keys. In this model, a Trusted Authority (TA) generates users' secret keys based on their sets of attributes, and data owners specify a set of attributes and a threshold (which is the minimum number of attributes in the encryption set of attributes that should exist in the user's set of attributes) and encrypt data using this set of attributes and threshold. Only users with a number of attributes existing in the encryption set of attributes that is greater than the threshold will be able to decrypt the ciphertext using their secret keys.
Later on, two main variants of FIBE were proposed. Goyal et al. proposed the Key-Policy Attribute-Based Encryption (KP-ABE) scheme [3] where the data owner encrypts data with a set of attributes and users' secret keys are generated based on an access policy that is associated with them. Bethencourt et al. presented the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme [4] where the data owner encrypts data with an access policy and users' secret keys are generated based on their sets of attributes. e computation overhead in ABE schemes is the most challenging part that makes them hard to be adopted in reallife applications.
is is due to the number of expensive modular exponentiations and pairing operations that increases linearly with the size of the access policy.
Many contributions were proposed to optimize this computation overhead. Some of these contributions used different techniques to minimize the number of these operations in the encryption and decryption phases [5,6] or to split them into two phases: in the first phase, most of the expensive operations are performed offline before knowing the message, and the second phase rapidly assembles the ciphertext [7,8]. Others replaced the expensive modular exponentiations and pairing operations with the lightweight elliptic curve additions and point-scalar multiplications [9][10][11]. However, these solutions are still hard to be implemented in the applications where devices are resourceconstrained such as the Internet of ings (IoT) and Wireless Sensor Networks (WSN). Computation outsourcing is another direction that achieved better results. In this solution, a big part of the encryption and decryption computation is outsourced to the cloud without revealing any sensitive information to the cloud providers that can help them reveal the plaintexts.

Our Contribution.
Based on [4], we propose two CP-ABE with Outsourced Encryption and Decryption (CP-ABE-OED) Key Encapsulation Mechanisms (KEM) where the public ABE Service Provider performs all the encryption and decryption expensive operations leaving only one modular exponentiation and simple multiplications to be executed by the user when encrypting or decrypting data. e first scheme is suitable for the applications that consider the cloud service provider untrusted. On the other hand, the second scheme requires that the ABE Service Provider is a semi-trusted party that cannot collude with unauthorized users. Both schemes achieve provable CPA-security selectively in the random oracle.

Organization.
e rest of our paper will be organized as follows. In Section 2, we will discuss the related work. Next, we define the preliminaries in Section 3. Later on, we present our 1 st and 2 nd CP-ABE-OED KEMs and their security analysis in Section 4. Section 5 is dedicated to showing and analysing the performance results. Finally, we conclude our paper in Section 6.

Related Work
In 2011, Green et al. [12] proposed the first outsourced CP-ABE scheme, which is selectively CPA-secure. ey outsourced a big part of the expensive decryption operations in Waters's large universe construction [13] to a decryption proxy (e.g., Cloud Server), leaving only one modular exponentiation to be executed by the user. In the registration phase, the Trusted Authority (TA) generates a public transformation key TK and a secret decryption key z for each user. To decrypt a ciphertext CT, the user sends his TK to the decryption proxy which transforms CT to a short ElGamal-style [14] ciphertext. en, using the decryption key z, the user decrypts the transformed ciphertext. To decrypt an ABE ciphertext containing 100 attributes, it takes nearly 30 seconds of sustained computation on a 412 MHz ARM-based iPhone 3G with 128 MB of RAM using the original CP-ABE scheme [13], while it requires only 60 milliseconds using Green et al.'s scheme [12]. Besides, thousands of lines of code, dedicated to determining how a key satisfies the access policy, were removed from the user's side. For instance, in libfenc [15], about 3000 lines are dedicated to access policy handling, excluding dependencies. An improved scheme is also provided in [12] that is selectively secure in the Replayable Chosen-Ciphertext Attack (RCCA) security model using Fujisaki and Okamoto techniques [16].
Afterward, many contributions added the notion of verifiability (i.e., the ability to verify the correctness of the transformation performed by a proxy) to the mechanism of decryption outsourcing [17][18][19][20][21]. In 2016, Mao et al. [21] proposed a generic construction that transforms any (selectively) CPA-secure ABE scheme with outsourced decryption (e.g., Green et al. [12]) into a (selectively) CPAsecure ABE scheme with verifiable outsourced decryption. In contrast with [17] that separately encrypts an extra random message (which is used to commit to the true message), [21] is encrypting the true message and a random message together. It then commits the random value to the message using a commitment scheme that satisfies the hiding and binding properties (at least computationally). In the decryption phase, the user receives the partially decrypted ciphertext from the decryption proxy and the commitment from the storage server and runs the revealing algorithm of the commitment scheme to verify the correctness of the transformation. e authors showed that the instantiation of this construction in the standard model using Green et al.'s small-universe, backward-compatible, and selectively CPA-secure CP-ABE scheme with outsourced decryption [12] and Pedersen Commitment [22] as the underlying commitment scheme is more efficient than Lai et al.'s scheme [17]. ey also proposed a second generic construction to transform any (selectively) CPA-secure ABE scheme with outsourced decryption, that has ciphertext verifiability (i.e., the possibility to verify whether a normal ciphertext will be recovered into the same plaintext under two different decryption keys with two specific attributes) or delegatability (i.e., the capability to use a key to derive another inferior key), into a (selectively) RCCA-secure ABE scheme with verifiable outsourced decryption. ey claimed that this is the first RCCA-secure construction that does not rely on a random oracle. In this construction, they combined a secure encapsulation scheme, a strong one-time message authentication code, and a secure commitment scheme.
Obviously, the previous schemes are not suitable for IoT applications where lightweight devices encrypt data and not only decrypt them (e.g., Wireless Sensor Networks) because the encryption cost produced in these schemes is still high. Accordingly, outsourcing the encryption operations in addition to the decryption operations became a new direction [23][24][25][26][27].
Based on [4], Zhou et al. proposed a CP-ABE scheme with outsourced encryption and decryption [23]. ey outsourced a big part of the encryption operations by subdividing the access policy T into two parts: T DO (data owner's access tree) and T ESP (Encryption Service Provider's access tree) such that T � T ESP AND T DO . e data owner generates a random number s ∈ Z p and a random 1-degree polynomial q R (x), where q R (0) � s, q R (1) � s 1 and q R (2) � s 2 and computes C � M.e(g, g) α.s and C � g β.s . en, he generates the ciphertext components C y and C y ′ for his subtree T DO in the same way as CP-ABE [4] using s 2 as the shared key and sends C, C, C y , C y ′ y∈Y DO , T DO , T ESP , s 1 to the Encryption Service Provider (ESP). Similarly, ESP computes the ciphertext components C y and C y ′ for T ESP using s 1 as the shared key. e final ciphertext is cryption outsourcing is achieved using almost the same keyblinding technique of Green et al. [12]. However, an untrusted ESP can reveal the encrypted data by colluding with unauthorized users with sets of attributes that satisfy T DO . erefore, this solution is suitable only for applications where the ESP is at least semi-trusted.
In 2014, Asim et al. [25] proposed a new CP-ABE scheme where they outsourced a part of the encryption operations to a semi-trusted proxy A and they outsourced the decryption phase to a semi-trusted proxy B following the same technique employed in [12]. Using an encryption secret key generated by the Trusted Authority, the proxy A computes g s and uses it as the access policy root's secret to generate the access policy's leaf nodes' components g s j . Afterward, it multiplies each leaf node's component with the corresponding attribute component C j � H 1 (a j ) − s in the partially encrypted ciphertext received from the host. e authors claim that their construction is secure in the generic group model under the assumption that proxy A and proxy B will not collude with unauthorized users and will not collude with each other. However, unauthorized users with at least one attribute (a x ) that exists in the access policy can reveal the plaintext using the partially encrypted ciphertext CT and the ciphertext generated by proxy A (CT). For each leaf node j of the access policy, the attacker retrieves C j � H 1 (a j ) − s from CT and C j � g s j · H 1 (a j ) − s from CT and computes g s j � C j /C j . en, he executes PolicyGeneration function backward to retrieve g s and computes x )) z . Finally, the attacker reveals the plaintext M � C ⊕ H 2 (A s ). In addition, their scheme is not correct (i.e., given an SK of a set of attributes S that satisfies the access policy τ, Dec(Enc(M, τ), SK) ≠ M). In the PolicyGeneration phase, they used g s (instead of s ) as the shared key to get the shares g s j . However, in the decryption phase they used the polynomial interpolation on s j , which will result in a value that is different than g s and, as a result, the decryption output will be different than M.
Subsequently, Zhang et al. [26] presented a fully outsourced CP-ABE scheme that, for the first time, achieves outsourced key generation, encryption, and decryption simultaneously. In their system, two Key Generation Service Providers (KGSP1, KGSP2) help TA to generate Intermediate Secret Keys (ISKs), and two Encryption Service Providers (ESP1, ESP2) help users to generate Intermediate Ciphertexts (ITs). Decryption outsourcing is achieved using the same key blinding used in Green et al.'s scheme [12]. e extra communication costs that had arisen from outsourced key generation and encryption are offline, meaning that TA and users can communicate with the cloud servers in their spare time.
e system is proved to be secure under the assumption that two KGSPs (ESPs) do not collude with each other, so the final combined ISK (IT) should be informationtheoretically hidden from two servers. It is selectively CPAsecure against corrupt users colluding with KGSP1, ESP1, and SSP and corrupt users colluding with KGSP2, ESP2, and SSP who can obtain the conversion key at Decryption Service Provider.
Other contributions proposed outsourced CP-ABE schemes using trusted parties such as fog nodes [28] or a trusted private cloud provider [29]. [4]. Let G and G T be two multiplicative cyclic groups of prime order p. Let g be a generator of G and e be a bilinear map, e : G × G ⟶ G T , that has the following properties:

Security and Communication Networks 3
We say G is a bilinear group if the group operation in G and the bilinear map e : G × G ⟶ G T are both efficiently computable. [30]. Let P 1 , P 2 , . . . , P n be a set of

Access Structure
An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of P 1 , P 2 , . . . , P n ; i.e., A ⊆ 2 P 1 ,P 2 , ..., P n { }∖ ∅ { } . e sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets.
In our context, we will use a monotone access structure where the attributes play the role of the parties, which means that the access structure A will contain the authorized sets of attributes. [13]. A secretsharing scheme Π over a set of parties P is called linear (over Z p ) if the following is satisfied:

Linear Secret Sharing Scheme (LSSS)
(i) e shares for each party form a vector over Z p .
(ii) ere exists a matrix M with l rows and n columns called the share-generating matrix for Π. For all i � 1, . . . , l, the i'th row of M, we let the function ρ define the party labeling row i as ρ(i). When we consider the column vector v � (s, r 2 , . . . , r n ), where s ∈ Z p is the secret to be shared, and r 2 , . . . , r n ∈ Z p are randomly chosen; then M.v is the vector of l shares of the secret s according to Π. e share (M.v) i belongs to party ρ(i).
It is shown in [30] that every linear secret sharingscheme according to the above definition also enjoys the linear reconstruction property, defined as follows: suppose that Π is an LSSS for the access structure A. Let S ∈ A be any authorized set, and let I ⊂ 1, . . . , l { } be defined as en, there exist constants w i ∈ Z p i∈I such that, if λ i are valid shares of any secret s according to Π, then i∈I w i .λ i � s.
Furthermore, it is shown in [30] that these constants w i can be found in time polynomial in the size of the sharegenerating matrix M.
We note that we use the convention that vector (1, 0, 0, . . . , 0) is the "target" vector for any linear secret sharing scheme. For any satisfying set of rows I in M, we will have that the target vector is in the span of I. For any unauthorized set of rows I, the target vector is not in the span of the rows of the set I. Moreover, there will exist a column vector w such that (1, 0, 0 . . . , 0) · w � −1 and M i · w � 0 for all i ∈ I.
Using standard techniques [30], one can convert any monotonic Boolean formula into an LSSS representation. An access tree of l nodes will result in an LSSS matrix of l rows. We refer the reader to the appendix of [31] for a discussion of how to perform this conversion.

CPA-Security Game
(i) Setup. e challenger runs the Setup algorithm and gives the public parameters PK to the adversary. (ii) Phase 1. When the adversary A queries the decryption key and the transformation key on S, the challenger passes S on to the key generation oracle to get the corresponding decryption key and transformation key and then returns the result to A.
e adversary A submits the access structure (M * , ρ * ) (which is not satisfied by any of the sets of attributes S passed in phase 1) to be challenged on and requests the challenge Key * . e challenger flips a random coin b ∈ 0, 1 where the first element in CT * is a well-constructed Key * . (iv) Phase 2. Phase 1 is repeated with the restriction that the adversary cannot obtain a decryption key for a set of attributes that satisfies (M * , ρ * ). (v) Guess. e adversary outputs 0 if Key * is random and 1 if Key * is a well-constructed key.

e 1 st Proposed CP-ABE-OED Key Encapsulation
Mechanism. In this scheme, the ABE Service Provider is considered to be an untrusted party.

e Construction.
(1) Setup Phase. In this phase, we execute the function setup(λ) that takes as input a security parameter λ, which determines the size of the groups. setup(λ) chooses a bilinear group G of prime order p with a generator g and a bilinear map e : G × G ⟶ G T .
It also defines a hash function H 1 : 0, 1 { } * ⟶ G mapping each attribute (described as a binary string) to a random group element, and a hash function Afterward, it generates two random numbers α, β ∈ Z p . en, it secretly stores the master key MK � g α , β and publishes the public parameters: (2) Registration and Key Generation Phase. In Figure 1, Alice and Bob represent two users. Bob plays the role of the data owner and Alice plays the role of the data receiver. In the registration phase, both Alice and Bob behave in the same way.
First, the Trusted Authority (TA) registers Alice and Bob and associates a set of attributes to each of them (S A for Alice and S B for Bob) and executes KeyGen(U, MK, S i ).
KeyGen(U, MK, S i ) is defined as follows: (i) First, it generates the encryption key EK i � s i where s i is picked randomly in Z p , and the decryption key (ii) Afterward, it computes the user's parameters as (iii) It also computes the Transformation Key (TK i ).
First, it chooses a random number r i ∈ Z p and for each j ∈ S i it picks r i,j ∈ Z p randomly. en, it computes TA sends (EK i , DK i ) securely to the user i and sends (UP i , TK i ) publically to the ABE Service Provider.
(3) Encryption Phase. As shown in Figure 2, the encryption phase consists of two steps. In the first step, Bob uses its encryption key EK B and an l × n LSSS access structure (M, ρ) and calls the function Encrypt(PK, EK B , (M, ρ)).
Afterward, Bob sends preCT to the ABE Service Provider.
In the second step, the ABE Service Provider executes the function OutEncrypt(PK, UP B , preCT) after receiving preCT.
OutEncrypt(PK, UP B , preCT) performs the following instructions: OutDecrypt(PK, CT, TK A ) is defined as follows: (i) If Alice's set of attributes S A does not satisfy the access structure, then it outputs ⊥. Otherwise, let I � i : ρ(i) ∈ S A and w i ∈ Z p i∈I such that (iii) Finally, it outputs transCT generated as follows: transCT e ABE Service Provider sends transCT to Alice. After receiving transCT, Alice decrypts it using its decryption key DK A by calling the function Decrypt(PK, transCT, DK A ).
Decrypt(PK, transCT, DK A ) executes the following instructions: (ii) en, it outputs the Key. (iii) e generated ciphertext will be defined as follows: It is obvious that the modified Bethencourt et al.'s scheme achieves the same security level as the original scheme in the random oracle. at is because if we consider H 2 (ρ(i)||s B ) random, then R i is random and the attacker cannot compute λ i from R i without knowing H 2 (ρ(i)||s B ). erefore, an attacker cannot distinguish between the dis- Now, we prove the following theorem: Suppose that we have an adversary A with non-negligible advantage ε in the selective CPA-security game against our construction. We show how to build a simulator B that can attack the modified Bethencourt et al. scheme in the selective CPA-security model with advantage ε.
(2) Setup. e simulator B obtains the public parameters from the challenger: e random oracles H 1 (·) and H 2 (·) are programmed by the challenger. en, B sends the public parameters PK � G, g, e(·, ·), H 1 (·), H 2 (·), h � g β′ , e(g, g) α′ , (9) to the adversary A (3) Phase I. e adversary sends request queries of sets of attributes S that do not satisfy the challenge access structure (M * , ρ * ) to B. e simulator B calls the challenger's key generation oracle on S to obtain the key Security and Communication Networks 7 e simulator chooses a random value z ∈ Z p and sets the decryption key as DK � z and the transformation key as (4) Challenge. e simulator sends two distinct random messages m 0 and m 1 to the challenger. e challenger flips a coin π ∈ 0, 1 { } and creates ∀i � 1, . . . , l : en, the challenger sends CT ' to the simulator. Later on, the simulator computes where t u ∈ Z p and x u ∈ G are random numbers. en, B creates CT * as follows: Finally, the simulator flips a coin b ∈ 0, 1 { } and computes Key * � C ' /m b and then sends CT * , UP * , and Key * to the adversary.
(5) Phase 2. e simulator continues to answer queries as in Phase 1.
(6) Guess. e adversary will eventually output a guess b ′ of b. e adversary outputs 0 to guess that Key * is random, and outputs 1 to guess that Key * � e(g, g) α′s′ .
e simulator outputs b if b ′ � 1; otherwise it outputs b. us, if the adversary wins the selective CPA-security game with a non-negligible advantage, then B can break the security of the modified Bethencourt et al.'s scheme with the same advantage.

e Construction.
In this scheme, we consider the ABE Service Provider semi-trusted, which means that it cannot collude with illegitimate users to reveal the plaintext.
We will only describe the modified methods that are different from the previous scheme.
(1) KeyGen(U, MK, S i ) (i) First, it generates the encryption key EK i � s i where s i is picked randomly in Z p , and the decryption key DK i � z i where z i is a random number in Z p . (ii) Afterward, it computes the user's parameters as (iii) It also computes the Transformation Key (TK i ).
First, it chooses a random number r i ∈ Z p and for each j ∈ S i it picks r i,j ∈ Z p randomly.
e decryption phase will perform in the same way as in the previous scheme; however, we will describe it here to show the correctness of our scheme.
(i) If Alice's set of attributes S A does not satisfy the access structure, then it outputs ⊥. Otherwise, let I � i : ρ(i) ∈ S A and w i ∈ Z p i∈I such that i∈I w i .M i � (1, 0, 0, . . . , 0).

(ii) en, it computes
(iii) Finally, it outputs transCT generated as follows: (ii) en, it outputs the Key.

Security Analysis.
In this security proof, we will consider two types of adversaries: (i) Type-1 adversary: which refers to illegitimate users trying to break our scheme (ii) Type-2 adversary: which refers to a curious ABE cloud provider trying to reveal sensitive information For the Type-1 adversary, our scheme is viewed as Bethencourt et al.'s scheme [4] with outsourced decryption. Now, we prove the following theorem: [4] is selectively CPA-secure in the random oracle.

Theorem 2. Our 2 nd CP-ABE-OED KEM is selectively CPAsecure in the random oracle against Type-1 adversaries if Bethencourt et al.'s scheme
Suppose we have an adversary A with non-negligible advantage ε in the selective CPA-security game against our construction. We show how to build a simulator B that can attack Bethencourt et al.'s scheme [4] in the selective CPAsecurity model with advantage ε.
(1) Init. e adversary gives the challenge access structure (M * , ρ * ) to the simulator B. B sends the challenge access structure to the challenger.
e simulator chooses a random value z ∈ Z p and sets the decryption key as DK � z and the transformation key as (4) Challenge. e simulator sends two distinct random messages m 0 and m 1 to the challenger. e challenger flips a coin π ∈ 0, 1 { } and creates ∀i � 1, . . . , l : Security and Communication Networks en, the challenger sends CT ' to the simulator. Later on, the simulator computes where t u ∈ Z p are random numbers. Later on, the simulator constructs CT * as follows: ∀i � 1, . . . , l : Finally, the simulator flips a coin b ∈ 0, 1 { } and computes Key * � C ′ /m b , then sends CT * , UP * , and Key * to the adversary.
(5). Phase 2. e simulator continues to answer queries as in Phase 1. (6). Guess. e adversary will eventually output a guess b ′ of b. e adversary outputs 0 to guess that Key * is random, and outputs 1 to guess thatKey * � e(g, g) α′s′ . e simulator outputs b if b ′ � 1; otherwise it outputs b. us, if the adversary wins the selective CPA-security game with a nonnegligible advantage, then B can break the security of Bethencourt et al.'s scheme with the same advantage.
e Type-2 adversary is not allowed to collude with unauthorized users. us, he can request only the transformation keys and not the decryption keys from the key generation oracle. Now, we prove the following theorem: Theorem 3. Our 2 nd CP-ABE-OED KEM is selectively CPAsecure in the random oracle against Type-2 adversaries if our 2 nd CP-ABE-OED KEM is selectively CPA-secure in the random oracle against Type-1 adversaries.
It is obvious that Type-2 adversary cannot distinguish between two pre-ciphertexts preCT * 0 and preCT * 1 where and where R ∈ Z p is a random number.
at is because C pre * is random since s B is random, and the adversary cannot retrieve s without knowing s B . us, Type-2 adversary has no advantage over Type-1 adversary since the only additional information (C pre * � s B · s) he has compared to the Type-1 adversary is not useful. Hence, eorem 3 is proved.

eoretical Results and Analysis.
In this section, we theoretically compare the user's computation, communication, and storage costs between our two schemes and the following schemes: (i) e CPA-secure construction of [12].
We normalized all the schemes based on the following rules: (i) e transformation key is created by TA and not the user. (ii) We will consider all the schemes as Key Encapsulation Mechanisms (KEMs), meaning that we neglect the part where the message m is encrypted (e.g., C � m · e(g, g) α.s ) and leave only the parts responsible for sharing the key e(g, g) α.s .   (iii) We consider that each user has the ability to encrypt and decrypt.
(iv) We ignored the access structure A and the set of attributes S when computing the size of the ciphertexts and the keys since they are common elements between all the schemes.
In Table 1, we define the notations used in this section.
In Table 2, we compare the number of operations executed in each phase (registration phase, encryption phase, and decryption phase) between our proposed schemes and the reviewed schemes.
Obviously, the user is not involved in the computations of the registration phase in all the schemes.
In [12,21], the user-side encryption cost is very expensive, because the encryption in these schemes is not outsourced. Based on the results in Table 3, which were computed using a Type A curve of the JPBC Library [32] on a Windows 8.1 Core i7 2 GHz PC with 8 GB of RAM, we have the following: We mention that the hashes were computed using the Element.setFromHash() method based on SHA-256.
If we convert the encryption costs of the reviewed schemes, we get the following: We observe that, for access policies smaller than 425 leaf nodes, the user-side encryption in [27] is more efficient than [23].
If N l � l, which is the smallest value N l can take, the user-side encryption in [26] will be more efficient than [27] (respectively, [23]) for access policies with less than 200 leaf nodes (respectively, 270 leaf nodes). If N l � 5.l, [27] (respectively, [23]) will achieve better efficiency than [26] for all the access policies bigger than 30 leaf nodes (respectively, 50 leaf nodes). Overall, we can say that [26] is more efficient than [23,27] for small access policies; however, [23,27] are more efficient for large access policies.
Our 1 st CP-ABE-OED KEM achieves a higher user-side encryption efficiency than [26] for all the access policy sizes. It also achieves higher efficiency than [23] for access policies with less than 500 leaf nodes, and higher efficiency than [27] for access policies with less than 630 leaf nodes.
Obviously, our 2 nd CP-ABE-OED KEM is more efficient than all the schemes for all the access policy sizes. e decryption phase costs are almost the same (one modular exponentiation) in all the schemes since they all use the same key blinding technique used in [12]. In [21], the user performs 2 more modular exponentiations to reveal the commitment. Table 4 shows the communication costs generated in the registration phase, the encryption phase, and the decryption phase between our proposed schemes and the reviewed schemes. In [12,21,23,26], TA sends TK and DK to the user in the registration phase, which costs (2 + 2.|S|) elements in G and (2 + |S|) elements in Z p for [26], (1 + 2.|S|) elements in G and one element in Z p for [23], and (2 + |S|) elements in G and one Z p element for [12,21]. In [27], TA sends the encryption transformation key ETK and DK to the user, which costs two Z p elements and |U| elements in G. However, in our proposed schemes, only two elements in Z p (EK and DK) are communicated between TA and the user. e reason is that TK in our proposed schemes is transferred by TA directly to the ABE Service Provider.
In the encryption phase, the user in [26] receives two Intermediate Ciphertexts (ITs) from the ABE Service Provider offline, each of them containing (1 + 3.N l ) elements in G and (1 + 3.N l ) elements in Z p , and sends the ciphertext CT to CSP, which costs (1 + 3.l) elements in G and 2.l elements in Z p . is makes [26] the most expensive scheme for the users in terms of communication cost produced in the encryption phase. In [12,21], the user communicates CT to CSP; this costs (1 + 2.l) elements in G for [12] and an additional element in G for [21] generated by the commitment element cm. e user in [27] sends the partially encrypted ciphertext preCT and the outsourcing parameters to the ABE service provider. is costs (2 + l) elements in G and (l + 1) elements in Z p , which makes [27] slightly more efficient than [12,21]. In our 1 st CP-ABE-OED KEM, the user sends preCT to the ABE Service Provider, which costs him one G element and l elements in Z p . In [23], the user sends preCT that costs only 3 elements in G and one element in Z p to the ABE Service Provider. In our 2 nd CP-ABE-OED KEM, the transfer of preCT to the ABE Service Provider costs only one G element and one Z p element, which makes it the most efficient scheme in terms of user's communication cost in the encryption phase.
In the decryption phase, the user receives the transformed ciphertext transCT from the ABE Service Provider in all the schemes, which costs two G T elements in [23] and    [26], (1 + 2.|S|) elements in G for [23], and (2 + |S|) elements in G for [12,21,27]. In [21], the user also receives the commitment from CSP, which costs one G element. In our proposed schemes, the user does not need to send or receive anything from CSP or the ABE Service Provider except transCT; TK is already sent by TA to the ABE Service Provider in the Registration Phase. us, our proposed schemes are the most efficient schemes in terms of user's communication cost produced in the decryption phase. Table 5 compares the user's storage cost for each scheme. In general, [26] is the scheme that requires the biggest userside storage space to store TK, DK, and two Intermediate Ciphertextx (ITs). e user in [27] stores |U| elements in G and one Z p element for the encryption transformation key ETK, and one Z p element for the decryption key DK. us, for large universe applications, [27] is considered the most storage space consuming scheme for users. In [12,21,23], the user stores TK and DK. DK costs one Z p element in all  65  95  125  155  185  215  245  275  305  335  365  395  425  455  485  515  545  575  605  635  665  695  725  755  785  815  845  875  905  935  965  995 Minimum number of satisfied attributes the schemes and TK costs (1 + 2.|S|) elements in G for [23] and (2 + |S|) elements in G for [12,21]. In our proposed schemes, the user stores the encryption key EK and the decryption key DK; each of them costs only one Z p element. erefore, our proposed schemes are the most lightweight schemes in terms of user-side storage.

Experimental Results and Analysis.
In this section, we will experimentally compare the running times of the userside encryption and decryption of our 1 st outsourced CP-ABE scheme (CP-ABE-OED1), our 2 nd outsourced CP-ABE scheme (CP-ABE-OED2), the original CP-ABE scheme [4], ZHCP-ABE [23], and LiCP-ABE [27]. e implementations of the studied schemes were developed in Java using the JPBC Library [32] and the hashes were computed using setFromHash method of the Element class based on SHA-256.
We run 200 experiments for each N � 5, 10, 15, { 20, 25, . . . , 1000} on a Windows 8.1 Core i7 2 GHz PC with 8 GB of RAM where the access policy is defined as follows (A 1 AND A 2 AND A 3 . . . AND A N ) and the user's set of attributes is A 1 , A 2 , A 3 , . . . , A N . is approach simulates the worst-case scenario where the decryption phase depends on all the access policy's components. For each N, we repeat the experiment 10 times and calculate the average running time in milliseconds to smooth any experimental variability.
In Figure 4, the x-axis represents the size of the access policy and the y-axis represents the Log 10 of the user-side encryption running time in milliseconds. e experimental results confirmed our theoretical results. Besides, the theoretical results showed that CP-ABE-OED1 is more efficient than ZHCP-ABE [23] (respectively, LiCP-ABE [27]) for access policies with less than 500 leaf nodes (respectively, for access policies with less than 630 leaf nodes). However, the experimental results showed that CP-ABE-OED1 is more efficient than ZHCP-ABE [23] and LiCP-ABE [27] for all the access policy sizes up to 1000.
We observe that the difference in running time between CP-ABE-OED1 and CP-ABE-OED2 is linearly increasing with a relatively small slope, and this is due to the number of multiplications and hashing operations performed in CP-ABE-OED1 that is linear to the size of the access policy.
In Figure 5, the x-axis represents the size of the user's set of attributes and the y-axis represents the Log 2 of the userside decryption running time in milliseconds.
As expected, the running times of the user-side decryption in all the studied outsourced CP-ABE schemes are constant and equivalent; that is because they all used the same decryption outsourcing technique firstly proposed by [12].
e user needs only about 2 ms (since Log 2 (t) � 1 according to Figure 5) to decrypt a ciphertext regardless the size of the access policy or the length of her set of attributes.

Conclusion
In this paper, we proposed two efficient CP-ABE Key Encapsulation Mechanisms that can be provided as services in the cloud, minimizing the user-side computation, communication, and storage costs. e first scheme is suitable for applications where the ABE Service Provider is untrusted, whereas the second scheme, which is more efficient, requires the ABE Service Provider to be at least semitrusted. Both schemes are proved to be selectively CPAsecure in the random oracle. However, our systems support only one TA that is responsible for the registration of all the users. Hence, our systems will face a bottleneck problem if TA does not use a very powerful device or if the registration requests are very frequent. erefore, in the future, it will be interesting to extend our schemes to use a multi-authority architecture to handle this problem. Converting our schemes to support a multi-authority architecture might also improve the security of the systems by preventing the key-escrow problem produced when attackers compromise the TA's master key. In a multi-authority approach, compromising some authorities' master keys by attackers will not break the system.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.