Security and Communication Networks

Special Issue

Security, Trust and Privacy for Cloud, Fog and Internet of Things


Research Article | Open Access

Volume 2021 |Article ID 6676862 | https://doi.org/10.1155/2021/6676862

Zhishuo Zhang, Wei Zhang, Zhiguang Qin, "Fully Constant-Size CP-ABE with Privacy-Preserving Outsourced Decryption for Lightweight Devices in Cloud-Assisted IoT", Security and Communication Networks, vol. 2021, Article ID 6676862, 16 pages, 2021. https://doi.org/10.1155/2021/6676862

Fully Constant-Size CP-ABE with Privacy-Preserving Outsourced Decryption for Lightweight Devices in Cloud-Assisted IoT

Academic Editor: Chien-Ming Chen
Received: 01 Dec 2020
Revised: 27 Dec 2020
Accepted: 20 Apr 2021
Published: 05 May 2021

Abstract

In recent years, ciphertext-policy attribute-based encryption (CP-ABE) has been recognized as a solution to the challenges of information privacy and data confidentiality in cloud-assisted Internet of Things (IoT). Since the devices in cloud-assisted IoT are generally resource-constrained, lightweight CP-ABE is better suited to them, and constructing a lightweight CP-ABE scheme for cloud-assisted IoT that achieves fine-grained access control while ensuring privacy and confidentiality is a prominent challenge. In this paper, we propose a constant-size CP-ABE scheme with outsourced decryption for cloud-assisted IoT. In our scheme, both the ciphertexts and the users' attribute-based private keys are of constant size, which alleviates the transmission overhead and reduces the storage space occupied. Our outsourced decryption algorithm is privacy-preserving: the proxy server learns nothing about the access policy of the ciphertext or the attribute set of the user while performing the online partial decryption, so no privacy leaks to the proxy server. We rigorously prove that our scheme is selectively indistinguishable under chosen-ciphertext attack (IND-CCA) in the random oracle model (ROM). Finally, by evaluating and implementing our scheme alongside other CP-ABE schemes, we observe that it is more suitable and applicable for cloud-assisted IoT.

1. Introduction

IoT has been recognized as a new paradigm in the network and information area in recent years [1, 2]. By means of the widespread deployment of spatially distributed devices such as sensors, radio-frequency identification (RFID) tags, wireless devices, and smartphones, IoT gains sensing and actuation capabilities and makes existing information systems intelligent. Although IoT gives a new dimension to the Internet and envisions a future in which digital and physical entities can be linked anywhere [3–5], security is still a critical obstacle to the widespread adoption of cloud-assisted IoT. To address the security and privacy problems of the IoT environment, many works design authentication protocols [6] and signature schemes [7] for the Industrial Internet of Things (IIoT) [8, 9], the Internet of Vehicles (IoV) [10, 11], and RFID networks [12]. But how to design a one-to-many, fine-grained access control encryption mechanism for cloud-assisted IoT is still an open issue.

In cloud-assisted IoT, both the data owners and the users use smart IoT devices. In a traditional cloud-assisted IoT system, data owners transmit data to the cloud server over the transmission medium and users download the data from the cloud storage. A hacker can easily access and steal data stored in cleartext on the cloud storage. Therefore, an encryption mechanism should be deployed in the cloud-assisted IoT architecture to ensure data confidentiality and prevent unauthorized access to the data [13, 14]. Figure 1 compares the traditional cloud-assisted IoT system with the encryption-based cloud-assisted IoT system.

ABE [15] is a relatively new cryptographic primitive, widely studied in recent years, which supports one-to-many encryption and refines access control to the attribute level, so ABE has been regarded as a powerful encryption mechanism for cloud-assisted IoT. In particular, CP-ABE [16–18], a type of ABE, lets the data owner attach an access formula over a set of attributes to each ciphertext; a user can decrypt the ciphertext only if his/her attribute set satisfies the access policy. Thus, in CP-ABE the data owner precisely controls access to his/her data, which makes CP-ABE a more applicable encryption tool for cloud-based systems. Nevertheless, the devices in cloud-assisted IoT are generally resource-constrained (e.g., limited battery life, storage, and computing capability), and traditional CP-ABE is too complex to be fit for purpose. In typical CP-ABE schemes such as [16–18], the ciphertext length grows linearly with the number of attributes in the access policy, and the size of the user's attribute-based private key grows linearly with the size of the user's attribute set. Furthermore, as the access structure becomes more complex, the user's decryption time grows, which not only increases the power consumption of the user's portable device but also makes the system less usable. To make CP-ABE applicable to lightweight devices in cloud-assisted IoT, in this paper we propose a lightweight CP-ABE scheme with both constant-size ciphertexts and constant-size private keys, together with a privacy-preserving outsourced decryption algorithm that relieves users of their computing burden.
The privacy-preserving outsourced decryption algorithm protects the privacy of users and data owners from the proxy server: during the online partial decryption phase, the proxy server learns nothing about the access policy associated with the ciphertext or the attribute set of the user, so no privacy leaks to the proxy server. To rigorously prove that our scheme is selectively IND-CCA secure in the ROM, we reduce its security to the n-aMSE-DDH problem [19–21].

1.1. Related Works

Lately, researchers have improved CP-ABE along two lines to make pure CP-ABE schemes applicable to resource-constrained devices in the IoT environment. One is to construct lightweight CP-ABE to mitigate the transmission overhead of the system. The other is to outsource the decryption phase to a proxy server to relieve the computing burden of users on IoT devices.

1.1.1. Constant-Size CP-ABE

The works [20, 22] construct constant-size ciphertext CP-ABE schemes that use a "Threshold policy" as their access structure. The scheme in [21] improves on [20] to obtain a constant-size ciphertext CP-ABE scheme based on a "Threshold policy" without dummy attributes. Emura et al. [23] build a fully constant-size CP-ABE scheme with both constant-size ciphertexts and private keys, but the access structure in [23] is the less expressive "Strict AND-gate Policy," and the works [24, 25], which use [23] as their base construction, also rely on the "Strict AND-gate Policy." To trade off the expressiveness of the access structure against the scale of the scheme, Yang et al. [26], Doshi and Jinwala [27], and Han et al. [28] use the "AND-gate Policy with Wildcards" as their access structure to build CP-ABE schemes with constant-size ciphertexts. To further lighten CP-ABE schemes and reduce transmission pressure, the schemes [19, 29] use the "Tolerant AND-gate Policy based on Bits String" as their access structure, which encodes an access structure as a bit string.

1.1.2. Outsourced Decryption

Green et al. first proposed the cryptographic primitive of CP-ABE with outsourced decryption in [30]. In their scheme, however, a malicious proxy server could return a wrong transformed ciphertext to the user by running the outsourced transformation algorithm dishonestly, so [30] does not strictly guarantee the correctness of the transformed ciphertext sent to users. To fix this flaw, Lai et al. [31] add a verification function to [30], but their scheme adds redundant components to the original ciphertext, making the ciphertext twice the length of the original. To improve the efficiency of [31], Lin et al. [32], Qin et al. [33], and Mao et al. [34] each designed a CP-ABE scheme with outsourced decryption and efficient verification of the decryption result. All of the schemes [30–34] are based on [17]. Recently, Ning et al. [35] proposed an auditable time outsourced CP-ABE scheme based on [18], which achieves higher security and resists various attacks such as key-leakage attacks. Other schemes [36–38] combine different properties with outsourced decryption to make them more suitable for IoT devices. However, in all of the above outsourced CP-ABE schemes the user must expose his/her attribute set to the proxy server to run the partial decryption, which leads to a disclosure of privacy.

2. Preliminaries

2.1. AND-gate Access Structures
2.1.1. Strict AND-gate Policy

Let be the set of the attribute names. And is the possible values set of the name . is the attribute set of a user, where is an element in . The is a strict AND-gate policy where is an element in . Iff for all , holds, we call satisfies the policy . The scheme in [23] uses the “Strict AND-gate Policy” as its access structure.

2.1.2. AND-Gate Policy with Wildcards

Let be the set of the attribute names. And is the possible values set of the name . is the attribute set of a user where is an element in . The is an AND-gate policy with wildcards where is an element in or the wildcard . is the set of indices in which ; that is, . Iff for all , holds, we call satisfies the policy . The schemes in [26, 27] use the “AND-gate Policy with Wildcards” as their access structure.

2.1.3. Tolerant AND-Gate Policy Based on Bits String

Let be the attribute universe. is an n-bit string used to denote a user’s attribute set where . If , it means that the user has the attribute and if , it means that the user does not have the attribute . And is the policy n-bit string. If , it means that the access policy needs the attribute and if , it means that the access policy does not care about attribute . is the set of indices in which ; that is, . denotes the size of . Iff for all , holds, we call the attributes set satisfies the access policy . For instance, suppose and two attribute sets as and . The access policy is . So, we can observe that can satisfy and cannot meet . The schemes in [19, 39] use the “Tolerant AND-gate Policy based on Bits String” as their access structure.

From the descriptions of the three types of AND-gate access structures, we can see that the "AND-gate Policy with Wildcards" and the "Tolerant AND-gate Policy based on Bits String" are more flexible and expressive than the "Strict AND-gate Policy." Furthermore, encoding an access structure as a bit string compresses the size of the access structure, which also mitigates the communication burden. Our scheme uses the "Tolerant AND-gate Policy based on Bits String" as its access structure.
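The three satisfaction predicates of Section 2.1, as an added example in Python (this is not code from the paper or from any of the cited schemes). The attribute names, values and sample sets are constructed here for illustration; the identifiers S, P and I_P are assumed names for a user's bit string, the policy bit string and the set of indices the policy requires, following the paper's description.

```python
# Added example: the Strict AND-gate, AND-gate-with-wildcards and bit-string
# tolerant AND-gate access structures of Section 2.1. Not the paper's own code.
from typing import Dict, List, Sequence, Set

WILDCARD = "*"


def satisfies_strict(user_attrs: Dict[str, str], policy: Dict[str, str]) -> bool:
    """Strict AND-gate policy (2.1.1): every attribute name in the policy must be
    present in the user's set with exactly the value the policy names."""
    return all(user_attrs.get(name) == value for name, value in policy.items())


def satisfies_wildcard(user_attrs: Dict[str, str], policy: Dict[str, str]) -> bool:
    """AND-gate policy with wildcards (2.1.2): positions holding the wildcard are
    ignored; every other position must match exactly."""
    return all(
        user_attrs.get(name) == value
        for name, value in policy.items()
        if value != WILDCARD
    )


def encode_bits(universe: Sequence[str], chosen: Set[str]) -> str:
    """n-bit string over the attribute universe: bit i is 1 iff attribute i is in
    `chosen`. The same encoding serves for a user's set S and for a policy P."""
    unknown = chosen - set(universe)
    if unknown:
        raise ValueError(f"attributes not in universe: {sorted(unknown)}")
    return "".join("1" if attr in chosen else "0" for attr in universe)


def required_indices(policy_bits: str) -> List[int]:
    """I_P = {i : P_i = 1}, the attributes the policy needs (P_i = 0 means don't care)."""
    return [i for i, bit in enumerate(policy_bits) if bit == "1"]


def satisfies_bitstring(user_bits: str, policy_bits: str) -> bool:
    """Tolerant AND-gate policy based on a bit string (2.1.3):
    S satisfies P iff S_i = 1 for every i in I_P."""
    if len(user_bits) != len(policy_bits):
        raise ValueError("user and policy bit strings must cover the same universe")
    return all(user_bits[i] == "1" for i in required_indices(policy_bits))


def satisfies_bitstring_fast(user_bits: str, policy_bits: str) -> bool:
    """The same predicate as one word operation: (S AND P) == P."""
    s, p = int(user_bits, 2), int(policy_bits, 2)
    return (s & p) == p


# Constructed sample data (not from the paper): a universe of six attributes.
UNIVERSE = ["doctor", "nurse", "cardiology", "oncology", "night_shift", "senior"]
USER_1 = {"doctor", "cardiology", "senior"}        # attribute set S1
USER_2 = {"nurse", "cardiology", "night_shift"}    # attribute set S2
POLICY = {"doctor", "cardiology"}                  # P: needs both, ignores the rest


def demo() -> Dict[str, object]:
    """Encode the constructed sets and evaluate the policy against both users."""
    s1 = encode_bits(UNIVERSE, USER_1)
    s2 = encode_bits(UNIVERSE, USER_2)
    p = encode_bits(UNIVERSE, POLICY)
    return {
        "S1": s1,
        "S2": s2,
        "P": p,
        "I_P": required_indices(p),
        "S1_ok": satisfies_bitstring(s1, p),
        "S2_ok": satisfies_bitstring(s2, p),
        # Transmission cost of the policy: n bits, regardless of |I_P|.
        "policy_bytes": (len(p) + 7) // 8,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The wildcard and bit-string forms accept the same user sets; the bit-string form is what keeps the transmitted policy at n bits, since the don't-care positions cost nothing beyond their zero bit. A length check on the two strings matters in practice: a policy and a key issued under different attribute universes would otherwise be compared bit-for-bit against each other silently.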

2.2. Bilinear Pairings

are two elliptic groups and is a multiplicative group. is a generator of and is a generator of . are all of prime order . is called a bilinear pairing if
(i) For any and , we have .
(ii) If is a generator of and is a generator of , then is a generator of .
(iii) Group operations in and are both efficiently computable.
If and are the same group, that is, , we call the symmetric bilinear pairing.

And, the terms are called the bilinear pairing terms.

2.3. n-aMSE-DDH Problem [1921]

Let be the bilinear pairing terms. Let and be two coprime polynomials in . Choose where “” means “randomly choose from.” Give to any probabilistic polynomial-time (PPT) adversary. Then, no adversary has the nonnegligible advantage to distinguish or , where is a random element in . And

3. Our Constant-Size CP-ABE Scheme with Privacy-Preserving Outsourced Decryption

3.1. System Architecture

The framework of the cloud-assisted IoT system that uses our scheme is shown in Figure 2. Six entities are involved in our system, as follows.

3.1.1. Attribute Authority (AA)

AA is in charge of initializing the system and generating the private keys for users.

3.1.2. Cloud Storage

The cloud storage stores the ciphertexts for data owners (DOs).

3.1.3. Data Owners (DOs)

DOs encrypt the data to ciphertexts and upload the ciphertexts to the cloud.

3.1.4. Users

The users download the ciphertexts from the cloud storage and then retrieve the plaintext by the decryption algorithm. There are two types of users: users with PCs and users with smart IoT devices.
(i) Users with PCs: these users retrieve the plaintext by running the local decryption phase.
(ii) Users with IoT devices: users with smartphones or smart tablets retrieve the data by performing the privacy-preserving outsourced decryption phase.

3.1.5. Proxy Server

Proxy servers take charge of running the online partial decryption algorithm for the users with smart IoT devices. Note that the proxy servers cannot know anything about the user’s attributes and the access policy associated with the ciphertext during running the partial decryption.

3.2. Algorithm Definitions

The workflow of our cloud-assisted IoT system used in our scheme is shown in Figure 3. There are four algorithms in our scheme described as below.

3.2.1. Setup

AA initializes the system by executing the Setup algorithm to output the public parameters and the master private key of the system. AA keeps the master private key secret and publishes the public parameters to all entities in the system.

3.2.2. AttrKeyGen

A user forms his attribute set as a bit string then sends his/her bit string-based attribute set to the AA; AA runs the AttrKeyGen algorithm to generate the constant-size attribute-based private key for the user. Then, the user will preserve the attribute-based key privately. If the user’s attribute set can meet the access policy associated with the ciphertext, he/she can use his/her private key to decrypt the ciphertext.

3.2.3. Encrypt

A DO customizes a bit string formed attribute-based access policy for the data; then, by the Encrypt algorithm, the DO encrypts the data under the customized access policy to a ciphertext, which is constant size. Then, the DO uploads the ciphertext with the bit string formed access policy onto the cloud storage.

3.2.4. Decrypt

A user downloads the ciphertext with the access policy from the cloud storage. If the user’s attribute set meets the access policy, then he/she can retrieve the data by running the Decrypt algorithm. And, the Decrypt algorithm has two modes. One mode is local decryption. The local decryption means all the computations are running on the user’s local device, and this mode is suitable for the users with PCs. If the user is using the smart IoT devices, then the user can choose the other decryption mode called privacy-preserving outsourced decryption to securely and privately outsource some complex computations to the proxy server. This will reduce the decryption time of the user and save the battery power of the user’s smart IoT device. Note that the proxy servers cannot know anything about the user’s attributes and the access policy associated with the ciphertext during partially decrypting the ciphertext.

3.3. Security Model

We define a selectively IND-CCA security game for our scheme between an adversary and a challenger as follows.
(i) Initialization. sends a bit string-based AND-gate challenge access structure to .
(ii) Setup. runs the Setup algorithm to generate the master private key and public parameters . Then, sends to .
(iii) Key Query 1. queries a list of bit strings to for private keys. Note that none of the queried bit strings may satisfy the challenge access structure .
(iv) Decryption Query 1. queries for the decryption of ciphertexts .
(v) Challenge. sends two messages and to for the challenge. and sends back to .
(vi) Key Query 2. Same as Key Query 1. Note that the key queries in this phase also cannot satisfy the access structure .
(vii) Decryption Query 2. Same as Decryption Query 1. Note that the decryption queries cannot be on the challenge messages and .
(viii) Guess. outputs a guess .

. wins the confidentiality game if is nonnegligible.

3.4. Scheme Construction
3.4.1. Setup

AA performs the Setup phase to initialize the system by the following steps.
(i) AA generates a bilinear pairing from the security parameter . is a generator of and is a generator of . Then, AA chooses four one-way collision-resistant hash functions , , .
(ii) AA defines the attribute universe of the system, . Then, AA and computes .
(iii) Finally, AA keeps the master private key () secret and publishes the public parameters () as

3.4.2. AttrKeyGen

A user forms his/her attribute set as a bit string where and then sends to the AA via a secure channel. AA then generates the attribute-based private key for the user by the following steps.
(i) AA generates a polynomial of degree at most in from the bit string . Then, AA computes .
(ii) AA and computes with the condition , that is, .
(iii) Finally, AA computes the attribute-based private key for the user and sends to the user via a secure channel.

3.4.3. Encrypt

DO performs the following steps to encrypt the data .
(i) DO customizes an AND-gate access structure based on a bit string as where for the data . is the set of indices in which , that is, . denotes the size of . Notice that . Then, DO generates a polynomial in from the access bit string . Let be the coefficient of in .
(ii) DO and computes .
(iii) Finally, DO computes the ciphertext for the data as and sends to the cloud storage.

3.4.4. Decryption

The user downloads the ciphertext from the cloud storage. If the user's attribute set meets the access policy associated with the ciphertext, the user can decrypt the ciphertext in one of two ways: local decryption or privacy-preserving outsourced decryption. A user with a PC can run the local decryption algorithm to obtain the data. A user with an IoT device such as a smartphone can use the privacy-preserving outsourced decryption to obtain the data without bearing the computing burden. Notice that if and only if meets , the user can generate a polynomial of degree at most in where is the coefficient of , and it is clear that . is the coefficient vector of in .

Local decryption: the user runs the local decryption by the following steps:

Then, the user computes and verifies . If the equation holds, this indicates the user decrypts the ciphertext successfully .

Privacy-preserving outsourced decryption: the user and computes the blinded coefficient vector in and the blinded private key as

Then, the user sends to the proxy server. The proxy server cannot learn anything about or from the blinded coefficient vector and the blinded private key . The proxy server uses to compute

Then, proxy server sends back to the user. The user uses to compute

Then, the user computes and verifies . If the equation holds, this indicates the user decrypts the ciphertext successfully .

3.5. Security Analysis

Theorem. If the n-aMSE-DDH problem holds, then our scheme is selectively IND-CCA-secure.

Proof. Suppose there is a PPT adversary who can break the security of our scheme with a nonnegligible advantage . Then, we can construct a PPT simulator algorithm which is able to solve the n-aMSE-DDH problem with the nonnegligible advantage by interacting with in the following manner where is the order of group and is the number of the queries to the oracle .

3.5.1. Initialization

Note that there are attributes in the scheme. submits the challenge access bit string where to . . is the size of . and sets is a polynomial in and is a polynomial in .

sends and to the n-aMSE-DDH problem and receives the problem instance from the n-aMSE-DDH problem. is the challenge term, and or where is a random element in . And where is a generator of and is a generator of , and mod p.

3.5.2. Setup

and implicitly sets master private key as

The public parameters are computed as

Finally, sends to .

3.5.3. Hash Queries

can access the hash oracles , and maintains the hash lists to record the queries and responses, respectively. If a query has a previous response recorded in the hash lists, responds with the recorded result. Otherwise, performs as follows.
(i) Oracle . Let the input of be in . If the input of is , sets as the output. The term is recorded in .
(ii) Oracle . Let the input of be . responds with a random . The term is recorded in .
(iii) Oracle . Let the query to be . responds with a random . The term is recorded in .
(iv) Oracle . Let the query to be . responds with a random . The term is recorded in .

3.5.4. Key Query 1

sends an attribute bit string where to for one key query. Note that cannot meet the challenge policy . sets are the terms in and are the terms in . can be computed by the part of terms in and . And if does not fulfill the challenge access structure , the degree of the polynomial is nonzero.

and implicitly sets by computing

Implicitly set

computes as

We denote

Let be the coefficient of in . is a polynomial of degree at most in .

can be computed by the terms in as

So, can be computed as

Finally, sends to .

3.5.5. Decryption Query 1

For any decryption query on , if there exists in the hash lists such that the ciphertext is generated using , sets as the output of the decryption query to . Otherwise, outputs . No query will be aborted, since every valid encryption needs the response of the hash oracle , and that response contains the random number used in the encryption.

3.5.6. Challenge

sends two messages and to for challenge. implicitly defines by setting

Then, randomly chooses and computes

Finally, sends to .

3.5.7. Key Query 2

It is the same as Key Query 1. Notice that all key queries in this phase also cannot satisfy the access structure .

3.5.8. Decryption Query 2

It is the same as Decryption Query 1. And notice that the decryption queries cannot be the challenge messages and .

3.5.9. Guess

Eventually, gives the guess of to the simulator .

If , the simulator outputs 0 and guesses ; otherwise, outputs 1 and guesses .

If the n-aMSE-DDH problem sends to the simulator , the adversary plays the real security game exactly as in our actual scheme. By our supposition, the adversary selectively breaks our actual scheme. So,

If the n-aMSE-DDH problem sends to , all the bits of are hidden because . So,

The only error event is that , but it is queried to oracle. This occurs with probability at most where is the order of group and is the number of the queries to the oracle . So,

So, the simulator can solve the n-aMSE-DDH problem in PPT.

4. Evaluation and Implementation

4.1. Properties Evaluation

In this section, we compare our scheme with related CP-ABE schemes in terms of the properties in Table 1. From Table 1, only our scheme provides "constant-size ciphertext," "constant-size private key," and "privacy-preserving outsourced decryption" simultaneously. The schemes in [23, 24] also have constant-size ciphertexts and constant-size private keys, but their access structure, the "Strict AND-gate Policy," is less expressive and too strict, so these schemes cannot achieve fine-grained access control. The work [25], based on [23], also uses the less expressive "Strict AND-gate Policy," so the data owner in [25] cannot customize a flexible access policy for his/her ciphertext either. The works [20–22] apply the Threshold policy, so they cannot realize precise and flexible attribute-based access control.


Table 1: Property comparison (✓ marks properties the text above or Section 1.1 attributes to the scheme; cells the page does not state are left blank).

Scheme | Access structure | Constant-size ciphertext | Constant-size private key | Outsourced decryption | Security | Bilinear group
[23] | Strict AND-gate Policy | ✓ | ✓ | | Selectively IND-CPA secure | Prime order
[20] | Threshold | ✓ | | | Selectively IND-CPA secure | Prime order
[21] | Threshold | ✓ | | | Selectively IND-CPA secure | Prime order
[16] | Access tree | | | | Selectively IND-CPA secure | Prime order
[17] | Linear secret sharing schemes (LSSS) [40] | | | | Selectively IND-CPA secure | Prime order
[18] | LSSS | | | | Selectively IND-CPA secure | Prime order
[41] | LSSS | | | | Fully (adaptively) IND-CPA secure | Composite order
[26] | AND-gate policy with wildcards | ✓ | | | Selectively IND-CPA secure | Prime order
[27] | AND-gate policy with wildcards | ✓ | | | Fully (adaptively) IND-CPA secure | Composite order
[19] | Tolerant AND-gate policy based on bits string | ✓ | | | Selectively IND-CCA secure | Prime order
[31] | LSSS | | | ✓ (not privacy-preserving) | Selectively IND-CPA secure | Prime order
[34] | LSSS | | | ✓ (not privacy-preserving) | Selectively IND-CPA secure | Prime order
[33] | LSSS | | | ✓ (not privacy-preserving) | Selectively IND-CPA secure | Prime order
[29] | Tolerant AND-gate policy based on bits string | ✓ | | | Selectively IND-CPA secure | Prime order
[25] | Strict AND-gate policy | | | | Selectively IND-CPA secure | Prime order
[22] | Threshold | ✓ | | | Selectively IND-CCA2 secure | Prime order
[24] | Strict AND-gate policy | ✓ | ✓ | | Selectively IND-CPA secure | Prime order
[28] | AND-gate policy with wildcards | ✓ | | | Selectively IND-CPA secure | Prime order
Ours | Tolerant AND-gate policy based on bits string | ✓ | ✓ | ✓ (privacy-preserving) | Selectively IND-CCA secure | Prime order

4.2. Theoretical Analysis and Simulation Experiments

In this section, we choose some representative schemes [19–21, 23, 26, 29, 34] from Table 1 as well as our scheme for theoretical analysis of transmission load and computational complexity. To make the theoretical comparison clearer, we adopt the symmetric bilinear pairing for all compared schemes. The notations used in the theoretical analysis are defined in Table 2. The transmission load is evaluated in Table 3. From Table 3, in our scheme, no matter how many attributes a user has and how complex an access policy is, the length of the user's private key is only and the size of the ciphertext is only . Table 4 compares the computational complexity of the five algorithms AttrKeyGen, Encrypt, Blind KeyGen (by user), Online Decryption (by proxy server), and Offline Decryption (by user).


NotationsMeaning

//Size of element in the group //. mod p is a symmetric bilinear pairing.
Time for a group exponential operation in (3.351 ms).
Time for a group exponential operation in (0.538 ms).
Time for a symmetric bilinear pairing mod p (5.325 ms).
The number of rows of the LSSS matrix.
The number of the attributes in system.
The number of the attributes in the user’s attribute set.
The bit string-based AND-gate access policy , where .
The size of .
The size of the set . is one subset of , that is, ; all the attributes in can satisfy the LSSS access policy.
The threshold of the threshold policy.
The number of the attributes in the threshold policy.


SchemePrivate key lengthCiphertext length

[20]
[21]
[23]
[24]
[26]
[34]
[19]
[29]
Ours


SchemeAttrKeyGenEncryptOnline decryption (by proxy server)Blind KeyGen (by user)/offline decryption (by user)

[20]/
[21]/
[23]