Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2017, Article ID 3596205, 11 pages
https://doi.org/10.1155/2017/3596205
Research Article

Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant Ciphertext Length

1College of Computer and Information, Hohai University, Nanjing 211000, China
2School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117, China
3School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044, China

Correspondence should be addressed to Jiguo Li; moc.361@8861gjl

Received 28 June 2016; Accepted 1 September 2016; Published 10 January 2017

Academic Editor: Ángel Martín Del Rey

Copyright © 2017 Jiguo Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Outsourced decryption ABE system largely reduces the computation cost for users who intend to access the encrypted files stored in cloud. However, the correctness of the transformation ciphertext cannot be guaranteed because the user does not have the original ciphertext. Lai et al. provided an ABE scheme with verifiable outsourced decryption which helps the user to check whether the transformation done by the cloud is correct. In order to improve the computation performance and reduce communication overhead, we propose a new verifiable outsourcing scheme with constant ciphertext length. To be specific, our scheme achieves the following goals. Our scheme is verifiable which ensures that the user efficiently checks whether the transformation is done correctly by the CSP. The size of ciphertext and the number of expensive pairing operations are constant, which do not grow with the complexity of the access structure. The access structure in our scheme is AND gates on multivalued attributes and we prove our scheme is verifiable and it is secure against selectively chosen-plaintext attack in the standard model. We give some performance analysis which indicates that our scheme is adaptable for various limited bandwidth and computation-constrained devices, such as mobile phone.

1. Introduction

Attribute-based encryption (ABE) derives from identity-based encryption (IBE) introduced in [1]. A user’s identity in IBE system is indicated by a binary bit string and the corresponding representation in ABE system is extended to an attribute set. The identity represented by an attribute set is not unique so ABE can realize the one-to-many encryption. Traditional IBE schemes can only provide coarse-grained access control. In order to solve this problem, Goyal et al. [2] presented a new scheme in which the fine-grained access control is associated with the user’s private keys and ciphertexts are associated with a descriptive attribute set. ABE can be divided into two categories, namely, key-policy attribute-based encryption (KP-ABE) [24] and ciphertext-policy attribute-based encryption (CP-ABE) [511]. One of the main defects of current ABE schemes is expensive decryption operation for mobile device with low computing power and limited battery. To improve efficiency, Green et al. [12] presented an efficient ABE scheme by outsourcing expensive decryption operation to the cloud service provider (CSP). In their scheme, a user uses proxy reencryption method [13, 14] to generate a transformation key and sends the transformation key and ABE ciphertext to the CSP. Given the transformation key, the CSP transforms an ABE ciphertext into a simple ciphertext, from which the user recovers plaintext by using less computation overhead. In this process, the CSP does not get any information about original plaintext. Chase [15] extended single authority ABE to propose a multiauthority ABE scheme. However, he only proves that the scheme is secure against the selective ID model. Liu et al. [16] provided a fully secure multiauthority CP-ABE. In order to protect privacy of the user, Han et al. [17] presented a decentralized key-policy attribute-based encryption with preserving privacy. Qian et al. [18] provided a decentralized CP-ABE with fully hidden access structure. Furthermore, they [19] proposed a privacy-preserving personal health record using multiauthority ABE with revocation. Several traceable CP-ABE schemes [2022] were constructed to trace the identity of a misbehaving user who leaks its decryption key to others and thus reduces the trust assumptions on both users and attribute authorities. Recently, Li et al. [23] presented flexible and fine-grained attribute-based data storage in cloud computing. To protect data privacy, the sensitive data should be encrypted by the data owner prior to outsourcing. As the amount of encrypted files stored in cloud is becoming very huge, searchable encryption scheme over encrypted cloud data is a very challenging issue. To deal with above problem, Li et al. [24, 25] proposed a new cryptographic primitive called attribute-based encryption scheme with keyword search function [2628]. In the proposed scheme, cloud service provider (CSP) performs partial decryption task delegated by data user without knowing anything about the plaintext. Moreover, the CSP can perform encrypted keyword search without knowing anything about the keywords embedded in trapdoor. In order to protect the privacy for the encryptor and decryptor, Li et al. [29] propose a CP-ABE scheme with hidden access policy and testing.

Our Motivations and Contributions. With the cloud service being more and more popular in modern society, ABE technology has become a promising orientation. It allows users to use flexible access control to access files stored in the cloud server with encrypted form. Though its advantages make it a powerful tool for cloud, one of its main performance challenges is that the complexity of decryption computation is linearly correlated with the access structure. By using the proxy reencryption technology, outsourced decryption ABE system can largely reduce the computation cost for users who intend to access the encrypted files stored in cloud. Given a ciphertext and a transformation key, CSP transforms a ciphertext into a simple ciphertext. The user only needs to spend less computational overhead to recover the plaintext from simple ciphertext. However, the correctness of the transformation ciphertext which the CSP gives to the user cannot be guaranteed because the latter does not have the original ciphertext. It is a security threat that malicious cloud service provider (CSP) may replace the original ciphertext and give the user a transformed ciphertext from another ciphertext which CSP wants the user to decrypt. The user is not aware of the CSP’s malicious behavior. Mutual verifiable provable data auditing [30] in public cloud storage is a potential method to solve remote data possession checking. The security property about ABE with outsourcing decryption ensures that the malicious cloud server cannot obtain anything with respect to the encrypted message; nonetheless, the scheme does not ensure the validity of the transformation done by the CSP. In order to solve this problem, Lai et al. [31] put forward an ABE scheme with verifiable outsourcing decryption which guarantees verifiability of the transformation. Recently, Li et al. [32] presented an outsourcing ABE scheme which can check validity of the outsourced computation results. There is no doubt that verifiability brings about great progress to outsourced decryption of ABE. However, the ciphertext length and the amount of expensive pairing computations grow with the number of the attributes, which greatly limits its application in power constrained and bandwidth limited devices. Schemes in [33, 34] put forward a good solution to this problem in which the ciphertext length is constant. In this article, we present a novel verifiable outsourced CP-ABE scheme with constant ciphertext length to save the communication cost. The security of our scheme reduces to that of scheme in [33]. Similar to the proof in [31], the verifiability of our scheme reduces to the discrete logarithm assumption.

Organization. We organized the rest of the paper as follows. In Section 2, we review some preliminary knowledge and introduce the CP-ABE model of outsourced decryption. We also give the security definitions used in our paper in this section. In Section 3, we provide a new verifiable outsourced CP-ABE scheme with constant ciphertext length. We prove security and verifiability of our scheme in Section 4. In Section 5, we give some performance comparison with the existing schemes. Finally, we conclude the paper in Section 6.

2. Preliminaries

We introduce some basic knowledge about bilinear groups, security assumption, access structure, and CP-ABE which our scheme relies on.

2.1. Bilinear Pairing

Definition 1 (bilinear map). and are multiplicative cyclic groups with prime order . Suppose is a generator in . is bilinear map if it satisfies the following properties: (1)Bilinearity: for all , , where are selected randomly.(2)Nondegeneracy: there exists such that .(3)Computability: for all , there is an efficient algorithm to compute .

2.2. Security Assumption

Definition 2 (discrete logarithm (DL) assumption [31]). Let be a prime-order bilinear group system. Given , where is randomly selected, the DL problem for is to calculate . The DL assumption in is that no probabilistic polynomial-time (PPT) algorithm solves the DL problem at nonnegligible advantage. The advantage for is defined as .

2.3. Access Structure

Access structure is being referred to in [33]; we utilize AND gates with respect to multivalued attributes as follows.

Definition 3. Assume that is an attribute universe. are some feasible values, where is the amount of feasible values of . Let , let be an attribute set for a user, and ; let be an access structure. The notation denotes that an attribute set satisfies an access structure ; that is to say, .

2.4. Outline of CP-ABE with Outsourced Decryption

Briefly speaking, a user interacts with the CSP as illustrated in Figure 1. Data owner encrypts message into ciphertext and uploads it to the storage in cloud. A user who is permitted to access the data downloads the ciphertext. Then the user sends the ciphertext and transformation key to the CSP for outsourcing decryption. CSP computes partially decrypted ciphertext and sends it to the user. The user computes the message from the partially decrypted ciphertext and verifies whether the message is the original one.

Figure 1: System architecture of our scheme.

We review the notion of CP-ABE in [31] with outsourced decryption. It is described by the seven algorithms as follows.

. This algorithm takes the security parameter and attribute universe as input. It outputs public parameter and master secret key .

. This algorithm takes , , and attribute set as input. It outputs private key related to .

. This algorithm takes , message , and access structure as input and outputs ciphertext .

. This algorithm takes , , and as input. It outputs if associated with satisfies .

. This algorithm takes and as input. It outputs transformation key associated with and a corresponding retrieving key .

. This algorithm takes , , and as input. It outputs a partially decrypted ciphertext .

. This algorithm takes , , , and for as input. It outputs message or .

2.5. Security Model for CP-ABE with Outsourcing Decryption

Lai et al. [31] described security properties and verifiability for CP-ABE which supports outsourcing decryption. The traditional concept of security for chosen-ciphertext attack (CCA) is not suitable for the above CP-ABE scheme because it does not permit modifying any bit for the ciphertext. Therefore, they use a relaxation named replayed CCA (RCCA) security [35], which permits alternation for the ciphertext, so that they can change the potential message in a significant way.

2.5.1. Security

The RCCA security of outsourced decryption CP-ABE is described as a game in both an adversary and a challenger. According to the game in [31], it is described as follows.

Setup. The challenger performs setup algorithm to get the public parameter and master secret key . It sends to the adversary and keeps secret.

Query Phase 1. The challenger maintains a table Tb and a set which are initialized empty. The adversary adaptively issues queries.

(1) Private Key Query for Attribute Set . The challenger runs and sets . It then sends the private key to the adversary.

(2) Transformation Key Query on Attribute Set . scans the tuple in table Tb. If such a tuple exists, it returns as the transformation key. Otherwise, it runs and and stores the tuple in table Tb. It then returns the transformation key to the adversary.

Without loss of generality, we suppose that an adversary does not launch transformation key query for attribute set , if a private key query about the same attribute set has been issued. Since anyone can generate a transformation key of the user utilizing the user’s private key and algorithm by himself, the assumption is rational.

(3) Decryption Query for Attribute Set and Ciphertext . runs and . It sends to the adversary.

(4) Query for Attribute Set and Ciphertext . searches the tuple in table Tb. If such a tuple exists, it runs algorithm and returns to ; otherwise, it returns .

Challenge. sends and with equal length and an access policy to subject to the restriction that, for all , cannot be satisfied by . The challenger chooses and computes . Then the challenger sends the challenge ciphertext to .

Query Phase 2. proceeds to adaptively launch transformation key, decryption, , and private key queries as in phase 1 with the following restrictions:(1) cannot make private key query which results in attribute set that satisfies the target access policy .(2) cannot issue any trivial decryption queries. Namely, and decryption queries are replied to as phase 1; if the response is either or , then returns .

Guess. The adversary gives a guess for and succeeds in the game if .

is defined as the advantage for the adversary in the game.

Definition 4. An outsourcing decryption CP-ABE scheme is RCCA secure if all probabilistic polynomial-time (PPT) adversaries have at most a negligible advantage of winning in this game.

CPA Security. An outsourcing decryption CP-ABE scheme is secure under chosen-plaintext attack (CPA) if cannot launch decryption queries in the above game.

Selective Security. An outsourcing decryption CP-ABE scheme is selective security if we add an initialization phase prior to setup algorithm in above game, where the adversary gives the challenger access structure .

2.5.2. Verifiability

The verifiability for CP-ABE with outsourced decryption is depicted via a game in both an adversary and a challenger. The game proceeds as follows.

Setup. performs algorithm setup to generate the public parameters and master secret key . It returns to and keeps secret.

Query Phase 1. initializes an empty table . adaptively issues the following queries.

(1) Private Key Query for Attribute Set . runs and returns the private key to the adversary.

(2) Transformation Key Query for Attribute Set . The challenger runs and and stores the entry in table . It then returns the transformation key to the adversary.

Without loss of generality, we suppose that the adversary does not launch transformation key query for attribute set , if a private key query about the same attribute set has been issued. Anyone can generate a transformation key of the user utilizing the user’s private key and algorithm by himself.

(3) Decryption Query for Attribute Set and a Ciphertext . runs and . It sends to .

(4) Query for Attribute Set and Ciphertexts . searches the tuple in table . If such a tuple exists, it runs and returns to ; otherwise, it returns .

Challenge. sends challenge message and challenge access policy to the challenger . computes and returns to as its challenge ciphertext.

Query Phase 2. proceeds to adaptively launch transformation key, decryption, , and private key queries as in phase 1.

Output. returns attribute set and transformed ciphertext . We suppose that tuple is included in table . Otherwise, the challenger generates the tuple as the reply for transformation key query. succeeds in the game if .

Definition 5. An outsourcing decryption CP-ABE scheme is verifiable if PPT adversary has at most a negligible advantage in the above game.

3. Construction of Our New Scheme

Our new scheme consists of seven algorithms.

. A trusted authority (TA) picks two bilinear groups of prime-order , , , , and . is a hash function. TA computes ; . It generates as public parameters and as master secret key. Note that, , is assumed.

. TA selects , computes and , and sends to a user associated with attribute set .

. An encryptor randomly selects ; . He calculates , , , , and . The sender generates .

. A decryptor calculates as follows:

If, it outputs the message ; otherwise, it outputs .

. A user generates his transformation key pair as follows. He chooses and computes the transformation key as , where and . The retrieving key is . Note that, with overwhelming probability, has multiplicative inverse.

. Given ciphertext and transformation key , the CSP computes as follows: and it outputs the transformed ciphertext as .

. A user checks whether the transformed ciphertext or or ; if the equations do not hold, he outputs . Otherwise, he computes and . If , he outputs the message ; otherwise, he outputs .

Note that according to assumption. If there exist and such that , the user with attribute set is able to decrypt ciphertext related to , where , , and . We have that the assumption holds with overwhelming probability:where . If we randomly choose as secret key, then our assumption is reasonable.

4. Security Proof

Note that, in our scheme, a ciphertext consists of three parts: , , and . The first two elements are ciphertexts for message and random message , respectively, utilizing the encryption algorithm [33]. In essence, the second and the third elements are redundant information. The redundant information is mainly used to design a CP-ABE scheme with verifiable outsourcing decryption from [33], which has been proven to be selectively CPA-secure. We denote the first four algorithms as Basic CP-ABE. To guarantee the security for our scheme, we firstly prove that if the scheme in [33] is selectively CPA-secure, then Basic CP-ABE scheme is selectively CPA-secure.

Theorem 6. Assume that the scheme in [33] is selectively CPA-secure. Then the Basic CP-ABE scheme is also selectively CPA-secure.

Proof. We prove that our Basic CP-ABE scheme is selectively CPA-secure by the following two games.
. is the originally selective CPA security game.
. In , the challenger randomly selects and generates the remaining parts of the challenge ciphertext as in .

This theorem is proven via the following lemmas. Lemma 7 shows that and are indistinguishable. Lemma 8 shows that the advantage for an adversary in is negligible. Thus, we come to a conclusion that the advantage for an adversary in is negligible. Theorem 6 is correct from the two lemmas below.

Lemma 7. Assume that the scheme in [33] is selectively CPA-secure; and are computationally indistinguishable.

Proof. If the adversary is able to distinguish and at nonnegligible advantage, then we find an algorithm which attacks the scheme [33] under the selective CPA security model at nonnegligible advantage.
Let be the challenger for the selective CPA security game in scheme [33]. and the adversary interact as follows.
Init. gives to as its challenge access policy. sends to as its challenge access policy. sends the public parameters of the scheme [33] to .
Setup. selects and computes , , and . also selects hash function . sends to the adversary .
Query Phase 1. adaptively launches private key query on attribute set ; then gets the private key via calling key generation oracle of with respect to . returns the private key to .
Challenge. sends two equal size messages to as the challenge plaintext. selects a random bit and random messages . sends and to . randomly selects ; the message is encrypted by and using the encryption algorithm in [32] and sends the resulting ciphertext to . denotes as . selects and computes , , , and and sends to as its challenge ciphertext.
Query Phase 2. adaptively launches private key query as in phase 1. answers the queries as in phase 1.
Guess. gives a guess of . outputs as a guess of .
Note that if , appropriately simulates ; else, appropriately simulates . Therefore, if is able to distinguish and at nonnegligible advantage, we are able to find an algorithm that attacks the scheme [33] in selective CPA security model at nonnegligible advantage.

Lemma 8. Assume that the CP-ABE scheme in [33] is selectively CPA-secure; the advantage for the adversary on is negligible.

Proof. If the adversary has a nonnegligible advantage in , then we can find an algorithm which attacks the scheme [33] at a nonnegligible advantage.
Let be the challenger with respect to of the scheme [33]. interacts with as demonstrated in the following steps.
Init. submits challenge access policy to . gives to as its challenge access policy. returns of scheme [25] to as public parameters.
Setup. chooses and sets , , and . is a secure hash function. sends to the adversary .
Query Phase 1. adaptively launches private key query of attribute set ; gets the private key via calling key generation oracle of with respect to . sends the private key to .
Challenge. submits messages with equal size. sends and to . randomly chooses ; the message is encrypted by and using the encryption algorithm in [33] and sends the resulting ciphertext to . parses as . selects , , and and computes , , and . sends to as its challenge ciphertext.
Query Phase 2. adaptively launches private key query as in phase 1. answers the queries as in phase 1.
Guess. gives a guess on . returns as its guess for . Obviously, has appropriately simulated . If has a nonnegligible advantage in , then attacks the scheme in [33] at a nonnegligible advantage.
Now we have proven that the Basic CP-ABE scheme is selectively CPA-secure. After that we prove that if Basic CP-ABE scheme is selectively CPA-secure, then our new scheme is selectively CPA-secure.

Theorem 9. Assume that Basic CP-ABE scheme is selectively CPA-secure. Then our new scheme is selectively CPA-secure.

Proof. If breaks our new CP-ABE scheme at nonnegligible advantage, then we find an algorithm which breaks Basic CP-ABE scheme at nonnegligible advantage. We assume that is the challenger with respect to for Basic CP-ABE. interacts with as demonstrated in the following steps.
Init. sends its challenge access policy . gives challenge access policy to and obtains the public parameters for Basic CP-ABE.
Setup. sends to .
Query Phase 1. maintains a table Tb and a set which are initialized as empty. adaptively launches queries.
(1) Private Key Query on Attribute Set . obtains the private key by calling the key generation oracle of with respect to . Then, lets and sends the private key to .
(2) Transformation Key Query on Attribute Set . scans the tuple in table Tb. If such a tuple exists, it sends the transformation key to . Otherwise, selects random exponents . computes and . stores the tuple in table Tb and returns to . Observe that does not know the actual retrieving key . Here, we compute as follows: Challenge. submits messages with same length and challenge access policy . gives and to to obtain the challenge ciphertext . returns to as its challenge ciphertext.
Query Phase 2. adaptively launches private key query as in phase 1, and answers the queries as in phase 1.
Guess. obtains . also obtains .
If the guess for of our scheme is correct, the guess of for Basic CP-ABE scheme is correct too. So we can conclude that if can attack our scheme at nonnegligible advantage, then we will find an algorithm which attacks Basic CP-ABE scheme under the selective CPA security model at nonnegligible advantage.

Theorem 10. Our CP-ABE scheme is verifiable if the discrete logarithm assumption defined in Section 2.2 holds.

Proof. Suppose that there exists an adversary that attacks verifiability of our new scheme at nonnegligible advantage. We find an algorithm that can solve the DL problem at nonnegligible advantage.
Setup. chooses , , and . is a secure hash function. is the public parameter. The master secret key is . returns to .
Query Phase 1. adaptively launches transformation key, private key, decryption, and queries. As knows , it can answer the queries properly.
Challenge. gives and challenge access policy to . computes the ciphertext of using the encryption algorithm in [33] and returns to , where and is chosen by randomly.
Query Phase 2. adaptively launches private key queries as in phase 1. answers queries as in phase 1.
Output. returns attribute set and transformed ciphertext .
computes and , where is the retrieving key for attribute set . If wins the above game, then can obtainwhere and are obtained by . Because is a collision-resistant hash function, is not equal to with overwhelming probability. Thus, gets , which breaks the DL assumption. It is paradoxical, so our CP-ABE scheme is verifiable

5. Performance Comparison

, , , , , , and represent the length of public key, master key, private key, ciphertext, transform key, retrieving key, and transformed ciphertext without the access policy, respectively. Additionally, Encrypt, Decrypt, Transform, and represent the computational costs of the algorithms’ encryption, decryption, transformation, and outsourcing decryption, respectively. , , and denote the bit-length of the elements belonging to , , and . , , and denote the -times computation in the pairing, hash function, and group , respectively. denote the attribute universe. and are the amounts of the attributes related to ciphertext and private key, respectively. denotes the total number of possible attribute values.

Tables 13 show that our scheme is efficient. Table 1 illustrates that the size of private key, ciphertext, and transform key in our scheme is constant. However, the size of private key, ciphertext, and transform key in [11, 12, 31] depends upon the number of attributes. Therefore, our scheme greatly reduces the communication overhead and is very suitable for bandwidth limited devices. As the operation cost over is much smaller than group and pairing operation, we ignore the computation time over . Compared with the scheme in [11, 12, 31], the computational overhead for the decryption and transformation operations in our scheme is much smaller. From Table 2, we observe that the computational overhead over group and pairing in [11, 12, 31] depends on the number of attributes, while it is constant in our scheme. The computational overhead for the outsourcing decryption is constant in above schemes. Table 3 illustrates that only our scheme satisfies all properties.

Table 1: Size of each value.
Table 2: Computational times.
Table 3: Property of each scheme.

In order to evaluate the efficiency for our scheme, we implement our scheme with java pairing-based cryptography (JPBC) library [36], a port for the pairing-based cryptography (PBC) library in C [37]. The elliptic curve parameter we choose is type-A, and the order of group is 160 bits. We run our code on a PC with 64-bit 2.6-GHz Intel Core i5-3320M CPU, with 6 GB RAM, and mobile phone with 4-core 1.8 GHz Processor 2 G memory Android OS 4.4.2, respectively. We also implement the scheme [31] for comparison. Figure 2 compares the times of decryption algorithm spent in our scheme and Lai et al.’s scheme [31]. The result shows that our scheme is much more efficient than Lai et al.’s scheme [31] because the time spent in our scheme does not grow with the amount of attributes involved in the access policy. Figure 3 shows the time of the transformation algorithm in PC and mobile phone for two schemes. Similar to the decryption algorithm, the time required by transformation grows linearly with the number of attributes for Lai et al.’s scheme [31], while it is almost constant for our scheme. Figure 4 shows that the times of the outsourcing decryption algorithm in PC and mobile phone for two schemes are nearly same. Figure 5 shows the ciphertext length in our scheme and Lai et al.’s scheme [31]. We can find that the ciphertext length in our scheme is constant, while it will grow with the amount of attributes involved in access policy linearly. So we can conclude that our scheme greatly reduces the communication overhead and is very suitable for bandwidth limited devices. Figure 6 illustrates that the length of partially decrypted ciphertext in two schemes is almost same.

Figure 2: Decryption time.
Figure 3: Transformation time.
Figure 4: Outsourcing decryption time.
Figure 5: Ciphertext length.
Figure 6: Partial decryption ciphertext length.

6. Conclusions

In this article, we propose a new verifiable outsourced CP-ABE scheme with constant ciphertext length and, moreover, we prove that our scheme is secure and verifiable in standard model. Security in our scheme is reduced to that of scheme in [33] and verifiability is reduced to DL assumption. The computational overhead for the decryption and transformation operations in our scheme is constant, which does not rely on the amount of attributes. In addition, we outsource the expensive operation to the cloud service provider and leave the slight operations to be done on user’s device. Therefore, our scheme is very efficient. What is more, the ciphertext length in our scheme does not grow with the number of attributes, which reduces the communication cost greatly. The proposed scheme has the potential application in various lower power devices with limited computational power, such as mobile phone.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (61272542, 61472083, 61202450, 61402110, and 61672207), Jiangsu Provincial Natural Science Foundation of China (BK20161511), the Priority Academic Program Development of Jiangsu Higher Education Institutions, the Fundamental Research Funds for the Central Universities (2016B10114), Jiangsu Collaborative Innovation Center on Atmospheric Environment and Equipment Technology, and the Project of Scientific Research Innovation for College Graduate Student of Jiangsu Province (KYZZ15_0151).

References

  1. D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in Proceedings of the 21st Annual International Cryptology Conference (CRYPTO '01), Santa Barbara, Calif, USA, August 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001. View at Publisher · View at Google Scholar
  2. V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, ACM, November 2006. View at Publisher · View at Google Scholar · View at Scopus
  3. J. Li, C. Jia, J. Li, and X. Chen, “Outsourcing encryption of attribute-based encryption with MapReduce,” in Information and Communications Security, T. W. Chim and T. H. Yuen, Eds., vol. 7618 of Lecture Notes in Computer Science, pp. 191–201, Springer, Berlin, Germany, 2012. View at Publisher · View at Google Scholar
  4. A. Lewko and B. Waters, “Unbounded HIBE and attribute-based encryption,” in Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '11), Tallinn, Estonia, May 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 547–567, Springer, Berlin, Germany, 2011. View at Publisher · View at Google Scholar
  5. J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 321–334, May 2007. View at Publisher · View at Google Scholar · View at Scopus
  6. B. D. Qin, R. H. Deng, S. L. Liu, and S. Q. Ma, “Attribute-based encryption with efficient verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1384–1393, 2015. View at Publisher · View at Google Scholar · View at Scopus
  7. H. Deng, Q. Wu, B. Qin et al., “Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts,” Information Sciences, vol. 275, pp. 370–384, 2014. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  8. R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 195–203, ACM, Alexandria, Va, USA, November 2007. View at Publisher · View at Google Scholar · View at Scopus
  9. T. Okamoto and K. Takashima, “Fully secure functional encryption with general relations from the decisional linear assumption,” in Advances in Cryptology—CRYPTO 2010, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 191–208, Springer, Berlin, Germany, 2010. View at Publisher · View at Google Scholar
  10. L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 456–465, November 2007. View at Publisher · View at Google Scholar · View at Scopus
  11. J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grained access control system based on outsourced attribute-based encryption,” in Computer Security—ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 592–609, Springer, Berlin, Germany, 2013. View at Publisher · View at Google Scholar
  12. M. Green, S. Hohenberger, and B. Waters, “Outsourcing the decryption of ABE ciphertexts,” in Proceedings of the 20th USENIX Conference on Security (SEC '11), p. 34, 2011.
  13. G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006. View at Publisher · View at Google Scholar · View at Scopus
  14. M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic proxy cryptography,” in Advances in Cryptology—EUROCRYPT'98, K. Nyberg, Ed., vol. 1403 of Lecture Notes in Computer Science, pp. 127–144, Springer, Berlin, Germany, 1998. View at Publisher · View at Google Scholar
  15. M. Chase, “Multi-authority attribute based encryption,” in Proceedings of the 4th Theory of Cryptography Conference (TCC '07), Amsterdam, The Netherlands, February 2007, Lecture Notes in Computer Science, pp. 515–534, Springer, Berlin, Germany, 2007. View at Google Scholar
  16. Z. Liu, Z. Cao, Q. Huang, D. S. Wong, and T. H. Yuen, “Fully secure multi-authority ciphertext-policy attribute-based encryption without random oracles,” in Computer Security—ESORICS 2011: 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12–14,2011. Proceedings, vol. 6879 of Lecture Notes in Computer Science, pp. 278–297, Springer, Berlin, Germany, 2011. View at Publisher · View at Google Scholar
  17. J. G. Han, W. Susilo, Y. Mu, and J. Yan, “Privacy-preserving decentralized key-policy attribute-based encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 11, pp. 2150–2162, 2012. View at Publisher · View at Google Scholar · View at Scopus
  18. H. L. Qian, J. G. Li, and Y. C. Zhang, “Privacy-preserving decentralized ciphertext-policy attribute-based encryption with fully hidden access structure,” in Proceedings of the 15th International Conference on Information and Communications Security (ICICS '13), vol. 8233 of Lecture Notes in Computer Science LNCS, pp. 363–372, Springer, Berlin, Germany, 2013.
  19. H. L. Qian, J. G. Li, Y. C. Zhang, and J. G. Han, “Privacy-preserving personal health record using multi-authority attribute-based encryption with revocation,” International Journal of Information Security, vol. 14, no. 6, pp. 487–497, 2015. View at Publisher · View at Google Scholar · View at Scopus
  20. Z. Liu, Z. F. Cao, and D. S. Wong, “Blackbox traceable CP-ABE: how to catch people leaking their keys by selling decryption devices on eBay,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 475–486, Berlin, Germany, November 2013. View at Publisher · View at Google Scholar · View at Scopus
  21. Z. Liu, Z. F. Cao, and D. S. Wong, “White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 76–88, 2013. View at Publisher · View at Google Scholar · View at Scopus
  22. J. T. Ning, Z. F. Cao, X. L. Dong, L. F. Wei, and X. D. Lin, “Large universe ciphertext-policy attribute-based encryption with white-box traceability,” in Computer Security—ESORICS 2014: 19th European Symposium on Research in Computer Security, Wroclaw, Poland, September 7–11, 2014. Proceedings, Part II, vol. 8713 of Lecture Notes in Computer Science, pp. 55–72, Springer, Berlin, Germany, 2014. View at Publisher · View at Google Scholar
  23. J. G. Li, W. Yao, Y. C. Zhang, H. L. Qian, and J. G. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,” IEEE Transactions on Services Computing, 2016. View at Publisher · View at Google Scholar
  24. J. G. Li, X. N. Lin, Y. C. Zhang, and J. G. Han, “KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage,” IEEE Transactions on Services Computing, 2016. View at Publisher · View at Google Scholar
  25. J. G. Li, Y. R. Shi, and Y. C. Zhang, “Searchable ciphertext-policy attribute-based encryption with revocation in cloud storage,” International Journal of Communication Systems, 2015. View at Publisher · View at Google Scholar
  26. Z. J. Fu, X. M. Sun, Q. Liu, L. Zhou, and J. G. Shu, “Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing,” IEICE Transactions on Communications, vol. 98, no. 1, pp. 190–200, 2015. View at Publisher · View at Google Scholar · View at Scopus
  27. Z. H. Xia, X. H. Wang, X. M. Sun, and Q. Wang, “A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 2, pp. 340–352, 2015. View at Google Scholar
  28. Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, “Enabling personalized search over encrypted outsourced data with efficiency improvement,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 9, pp. 2546–2559, 2016. View at Publisher · View at Google Scholar
  29. J. G. Li, H. P. Wang, Y. C. Zhang, and J. Shen, “Ciphertext-policy attribute-based encryption with hidden access policy and testing,” KSII Transactions on Internet and Information Systems, vol. 10, no. 8, pp. 3339–3352, 2016. View at Publisher · View at Google Scholar
  30. Y.-J. Ren, J. Shen, J. Wang, J. Han, and S.-Y. Lee, “Mutual verifiable provable data auditing in public cloud storage,” Journal of Internet Technology, vol. 16, no. 2, pp. 317–323, 2015. View at Publisher · View at Google Scholar · View at Scopus
  31. J.-Z. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 8, pp. 1343–1354, 2013. View at Publisher · View at Google Scholar · View at Scopus
  32. J. Li, X. Y. Huang, J. W. Li, X. F. Chen, and Y. Xiang, “Securely outsourcing attribute-based encryption with checkability,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2201–2210, 2014. View at Publisher · View at Google Scholar · View at Scopus
  33. K. Emura, A. Miyaji, A. Nomura, K. Omote, and M. Soshi, “A Ciphertext-policy attribute-based encryption scheme with constant ciphertext length,” in Information Security Practice and Experience: 5th International Conference, ISPEC 2009 Xi'an, China, April 13–15, 2009 Proceedings, vol. 5451 of Lecture Notes in Computer Science, pp. 13–23, Springer, Berlin, Germany, 2009. View at Publisher · View at Google Scholar
  34. J. Herranz, F. Laguillaumie, and C. Rafols, “Constant size ciphertexts in threshold attribute-based encryption,” in Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography (PKC '10), Paris, France, May 2010, vol. 6056 of Lecture Notes in Computer Science, pp. 19–34, Springer, Berlin, Germany, 2010. View at Google Scholar
  35. R. Canetti, H. Krawczyk, and J. B. Nielsen, “Relaxing chosen-ciphertext security,” in Proceedings of the 23rd Annual International Cryptology Conference (CRYPTO '03), Santa Barbara, Calif, USA, August 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 565–582, Springer, Berlin, Germany, 2003. View at Google Scholar
  36. A. D. Caro, “Java pairing-based cryptography library,” 2012, http://libeccio.dia.unisa.it/projects/jpbc/.
  37. B. Lynn, PBC (Pairing-Based Cryptography) Library, 2012, http://crypto.stanford.edu/pbc/.