#### Abstract

The invention of the Ciphertext-Policy Attribute-Based Encryption scheme opened a new perspective for realizing attribute-based access control systems without being forced to trust the storage service provider, which is the case in traditional systems where data are sent to the storage service provider in clear and the storage service provider is the party that controls the access to these data. In the Ciphertext-Policy Attribute-Based Encryption model, the data owner encrypts data using an attribute-based access structure before sending them to the storage service, and only users with authorized sets of attributes can successfully decrypt the generated ciphertext. However, Ciphertext-Policy Attribute-Based Encryption schemes employ expensive operations (i.e., bilinear pairings and modular exponentiations) and generate long ciphertexts and secret keys, which makes them hard to implement in real-life applications especially for resource-constrained devices. In this paper, we propose two Ciphertext-Policy Attribute-Based Encryption Key Encapsulation Mechanisms that can be provided as services in the cloud, minimizing the user’s encryption and decryption costs without exposing any sensitive information to the public cloud provider. In the first scheme, the ABE Service Provider is considered fully untrusted. On the other hand, the second scheme requires the ABE Service Provider to be semi-trusted (Honest-but-Curious) and does not collude with illegitimate users. Both schemes are proved to be selectively CPA-secure in the random oracle. The theoretical and experimental performance results show that both our first and second schemes are more efficient than the reviewed outsourced CP-ABE schemes in terms of user-side computation, communication, and storage costs.

#### 1. Introduction

In the past, businesses were suffering from the overheads of dealing with their IT infrastructure installation and management. Nowadays, they can easily minimize these costs by externalizing their activities to one of the existing cloud solutions and paying only the amount of resources they consumed. This new paradigm is beneficial for both users and cloud providers, and this is what makes cloud services continue to attract more enterprises and individual users, helping them to start or improve their businesses easily. Cloud Storage is one of the services offered by cloud providers to help companies and individuals store, manage, and share data efficiently. Nevertheless, when outsourcing data, data owners are also outsourcing the control over their data. Therefore, this creates data security and confidentiality challenges against a third party who comprised the cloud server to steal data or even against a curious cloud provider [1]. Hence, data owners should encrypt data before outsourcing them to make sure that only authorized users can decrypt and gain access to the data.

Cryptosystems in traditional public cryptography are one-to-one ciphers, meaning that the data owner should retrieve the public key of all the authorized users and encrypt a copy of his data for each user with the corresponding public key. For example, if a data owner wants to share a document with 100 users, he must create 100 copies of the document, retrieve 100 public keys, and encrypt each copy with the public key of the corresponding user. Thus, this solution is not practical since it produces huge computation, storage, and communication overheads.

In 2005, Sahai and Waters [2] proposed a Fuzzy Identity-Based Encryption (FIBE) scheme with a new model that is not based on users’ public keys or identities (as in Identity-Based Encryption schemes), but instead, their model is using attributes to encrypt data and to generate secret keys. In this model, a Trusted Authority (TA) generates users’ secret keys based on their sets of attributes, and data owners specify a set of attributes and a threshold (which is the minimum number of attributes in the encryption set of attributes that should exist in the user’s set of attributes) and encrypt data using this set of attributes and threshold. Only users with a number of attributes existing in the encryption set of attributes that is greater than the threshold will be able to decrypt the ciphertext using their secret keys.

Later on, two main variants of FIBE were proposed. Goyal et al. proposed the Key-Policy Attribute-Based Encryption (KP-ABE) scheme [3] where the data owner encrypts data with a set of attributes and users’ secret keys are generated based on an access policy that is associated with them. Bethencourt et al. presented the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme [4] where the data owner encrypts data with an access policy and users’ secret keys are generated based on their sets of attributes.

The computation overhead in ABE schemes is the most challenging part that makes them hard to be adopted in real-life applications. This is due to the number of expensive modular exponentiations and pairing operations that increases linearly with the size of the access policy.

Many contributions were proposed to optimize this computation overhead. Some of these contributions used different techniques to minimize the number of these operations in the encryption and decryption phases [5, 6] or to split them into two phases: in the first phase, most of the expensive operations are performed offline before knowing the message, and the second phase rapidly assembles the ciphertext [7, 8]. Others replaced the expensive modular exponentiations and pairing operations with the lightweight elliptic curve additions and point-scalar multiplications [9–11]. However, these solutions are still hard to be implemented in the applications where devices are resource-constrained such as the Internet of Things (IoT) and Wireless Sensor Networks (WSN). Computation outsourcing is another direction that achieved better results. In this solution, a big part of the encryption and decryption computation is outsourced to the cloud without revealing any sensitive information to the cloud providers that can help them reveal the plaintexts.

##### 1.1. Our Contribution

Based on [4], we propose two CP-ABE with Outsourced Encryption and Decryption (CP-ABE-OED) Key Encapsulation Mechanisms (KEM) where the public ABE Service Provider performs all the encryption and decryption expensive operations leaving only one modular exponentiation and simple multiplications to be executed by the user when encrypting or decrypting data. The first scheme is suitable for the applications that consider the cloud service provider untrusted. On the other hand, the second scheme requires that the ABE Service Provider is a semi-trusted party that cannot collude with unauthorized users. Both schemes achieve provable CPA-security selectively in the random oracle.

##### 1.2. Organization

The rest of our paper will be organized as follows. In Section 2, we will discuss the related work. Next, we define the preliminaries in Section 3. Later on, we present our 1^{st} and 2^{nd} CP-ABE-OED KEMs and their security analysis in Section 4. Section 5 is dedicated to showing and analysing the performance results. Finally, we conclude our paper in Section 6.

#### 2. Related Work

In 2011, Green et al. [12] proposed the first outsourced CP-ABE scheme, which is selectively CPA-secure. They outsourced a big part of the expensive decryption operations in Waters’s large universe construction [13] to a decryption proxy (e.g., Cloud Server), leaving only one modular exponentiation to be executed by the user. In the registration phase, the Trusted Authority () generates a public transformation key and a secret decryption key for each user. To decrypt a ciphertext , the user sends his to the decryption proxy which transforms to a short ElGamal-style [14] ciphertext. Then, using the decryption key , the user decrypts the transformed ciphertext. To decrypt an ABE ciphertext containing 100 attributes, it takes nearly 30 seconds of sustained computation on a 412 MHz ARM-based iPhone 3G with 128 MB of RAM using the original CP-ABE scheme [13], while it requires only 60 milliseconds using Green et al.‘s scheme [12]. Besides, thousands of lines of code, dedicated to determining how a key satisfies the access policy, were removed from the user’s side. For instance, in libfenc [15], about 3000 lines are dedicated to access policy handling, excluding dependencies. An improved scheme is also provided in [12] that is selectively secure in the Replayable Chosen-Ciphertext Attack (RCCA) security model using Fujisaki and Okamoto techniques [16].

Afterward, many contributions added the notion of verifiability (i.e., the ability to verify the correctness of the transformation performed by a proxy) to the mechanism of decryption outsourcing [17–21]. In 2016, Mao et al. [21] proposed a generic construction that transforms any (selectively) CPA-secure ABE scheme with outsourced decryption (e.g., Green et al. [12]) into a (selectively) CPA-secure ABE scheme with verifiable outsourced decryption. In contrast with [17] that separately encrypts an extra random message (which is used to commit to the true message), [21] is encrypting the true message and a random message together. It then commits the random value to the message using a commitment scheme that satisfies the hiding and binding properties (at least computationally). In the decryption phase, the user receives the partially decrypted ciphertext from the decryption proxy and the commitment from the storage server and runs the revealing algorithm of the commitment scheme to verify the correctness of the transformation. The authors showed that the instantiation of this construction in the standard model using Green et al.‘s small-universe, backward-compatible, and selectively CPA-secure CP-ABE scheme with outsourced decryption [12] and Pedersen Commitment [22] as the underlying commitment scheme is more efficient than Lai et al.‘s scheme [17]. They also proposed a second generic construction to transform any (selectively) CPA-secure ABE scheme with outsourced decryption, that has ciphertext verifiability (i.e., the possibility to verify whether a normal ciphertext will be recovered into the same plaintext under two different decryption keys with two specific attributes) or delegatability (i.e., the capability to use a key to derive another inferior key), into a (selectively) RCCA-secure ABE scheme with verifiable outsourced decryption. They claimed that this is the first RCCA-secure construction that does not rely on a random oracle. In this construction, they combined a secure encapsulation scheme, a strong one-time message authentication code, and a secure commitment scheme.

Obviously, the previous schemes are not suitable for IoT applications where lightweight devices encrypt data and not only decrypt them (e.g., Wireless Sensor Networks) because the encryption cost produced in these schemes is still high. Accordingly, outsourcing the encryption operations in addition to the decryption operations became a new direction [23–27].

Based on [4], Zhou et al. proposed a CP-ABE scheme with outsourced encryption and decryption [23]. They outsourced a big part of the encryption operations by subdividing the access policy into two parts: (data owner’s access tree) and (Encryption Service Provider’s access tree) such that . The data owner generates a random number and a random 1-degree polynomial , where , and and computes and . Then, he generates the ciphertext components and for his sub-tree in the same way as CP-ABE [4] using as the shared key and sends to the Encryption Service Provider (ESP). Similarly, ESP computes the ciphertext components and for using as the shared key. The final ciphertext is . The decryption outsourcing is achieved using almost the same key-blinding technique of Green et al. [12]. However, an untrusted ESP can reveal the encrypted data by colluding with unauthorized users with sets of attributes that satisfy . Therefore, this solution is suitable only for applications where the ESP is at least semi-trusted.

In 2014, Asim et al. [25] proposed a new CP-ABE scheme where they outsourced a part of the encryption operations to a semi-trusted proxy A and they outsourced the decryption phase to a semi-trusted proxy B following the same technique employed in [12]. Using an encryption secret key generated by the Trusted Authority, the proxy A computes and uses it as the access policy root’s secret to generate the access policy’s leaf nodes’ components . Afterward, it multiplies each leaf node’s component with the corresponding attribute component in the partially encrypted ciphertext received from the host. The authors claim that their construction is secure in the generic group model under the assumption that proxy A and proxy B will not collude with unauthorized users and will not collude with each other. However, unauthorized users with at least one attribute () that exists in the access policy can reveal the plaintext using the partially encrypted ciphertext and the ciphertext generated by proxy A . For each leaf node of the access policy, the attacker retrieves from and from and computes . Then, he executes PolicyGeneration function backward to retrieve and computes . Finally, the attacker reveals the plaintext . In addition, their scheme is not correct (i.e., given an of a set of attributes that satisfies the access policy , ). In the PolicyGeneration phase, they used (instead of ) as the shared key to get the shares . However, in the decryption phase they used the polynomial interpolation on , which will result in a value that is different than and, as a result, the decryption output will be different than *M*.

Subsequently, Zhang et al. [26] presented a fully outsourced CP-ABE scheme that, for the first time, achieves outsourced key generation, encryption, and decryption simultaneously. In their system, two Key Generation Service Providers (KGSP1, KGSP2) help TA to generate Intermediate Secret Keys (ISKs), and two Encryption Service Providers (ESP1, ESP2) help users to generate Intermediate Ciphertexts (ITs). Decryption outsourcing is achieved using the same key blinding used in Green et al.‘s scheme [12]. The extra communication costs that had arisen from outsourced key generation and encryption are offline, meaning that TA and users can communicate with the cloud servers in their spare time. The system is proved to be secure under the assumption that two KGSPs (ESPs) do not collude with each other, so the final combined ISK (IT) should be information-theoretically hidden from two servers. It is selectively CPA-secure against corrupt users colluding with KGSP1, ESP1, and SSP and corrupt users colluding with KGSP2, ESP2, and SSP who can obtain the conversion key at Decryption Service Provider.

Other contributions proposed outsourced CP-ABE schemes using trusted parties such as fog nodes [28] or a trusted private cloud provider [29].

#### 3. Preliminaries

##### 3.1. Bilinear Maps [4]

Let and be two multiplicative cyclic groups of prime order . Let be a generator of and be a bilinear map, , that has the following properties:(i)Bilinearity: for all and , we have (ii)Non-degeneracy:

We say is a bilinear group if the group operation in and the bilinear map are both efficiently computable.

##### 3.2. Access Structure [30]

Let be a set of parties. A collection is monotone if . An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) of non-empty subsets of ; i.e., . The sets in are called the authorized sets, and the sets not in are called the unauthorized sets.

In our context, we will use a monotone access structure where the attributes play the role of the parties, which means that the access structure will contain the authorized sets of attributes.

##### 3.3. Linear Secret Sharing Scheme (LSSS) [13]

A secret-sharing scheme over a set of parties is called linear (over ) if the following is satisfied:(i)The shares for each party form a vector over .(ii)There exists a matrix with rows and columns called the share-generating matrix for . For all , the ’th row of , we let the function define the party labeling row as . When we consider the column vector , where is the secret to be shared, and are randomly chosen; then is the vector of shares of the secret according to . The share belongs to party .

It is shown in [30] that every linear secret sharing-scheme according to the above definition also enjoys the linear reconstruction property, defined as follows: suppose that is an LSSS for the access structure . Let be any authorized set, and let be defined as . Then, there exist constants such that, if are valid shares of any secret according to , then .

Furthermore, it is shown in [30] that these constants can be found in time polynomial in the size of the share-generating matrix *M*.

We note that we use the convention that vector is the “target” vector for any linear secret sharing scheme. For any satisfying set of rows in , we will have that the target vector is in the span of . For any unauthorized set of rows I, the target vector is not in the span of the rows of the set I. Moreover, there will exist a column vector such that and for all .

Using standard techniques [30], one can convert any monotonic Boolean formula into an LSSS representation. An access tree of nodes will result in an LSSS matrix of rows. We refer the reader to the appendix of [31] for a discussion of how to perform this conversion.

##### 3.4. CPA-Security Game

(i)*Setup*. The challenger runs the Setup algorithm and gives the public parameters PK to the adversary.(ii)*Phase 1*. When the adversary queries the decryption key and the transformation key on , the challenger passes on to the key generation oracle to get the corresponding decryption key and transformation key and then returns the result to .(iii)*Challenge*. The adversary submits the access structure (which is not satisfied by any of the sets of attributes passed in phase 1) to be challenged on and requests the challenge . The challenger flips a random coin . If , it returns to , where the first element in is a random . If , it returns to , where the first element in is a well-constructed .(iv)*Phase 2*. Phase 1 is repeated with the restriction that the adversary cannot obtain a decryption key for a set of attributes that satisfies .(v)*Guess*. The adversary outputs 0 if is random and 1 if is a well-constructed key.

#### 4. Our Proposed Constructions

##### 4.1. The 1^{st} Proposed CP-ABE-OED Key Encapsulation Mechanism

In this scheme, the ABE Service Provider is considered to be an untrusted party.

###### 4.1.1. The Construction

(1) *Setup Phase*. In this phase, we execute the function that takes as input a security parameter , which determines the size of the groups. chooses a bilinear group of prime order with a generator and a bilinear map .

It also defines a hash function mapping each attribute (described as a binary string) to a random group element, and a hash function .

Afterward, it generates two random numbers . Then, it secretly stores the master key and publishes the public parameters:

(2) *Registration and Key Generation Phase*. In Figure 1, Alice and Bob represent two users. Bob plays the role of the data owner and Alice plays the role of the data receiver. In the registration phase, both Alice and Bob behave in the same way.

First, the Trusted Authority (TA) registers Alice and Bob and associates a set of attributes to each of them ( for Alice and for Bob) and executes

is defined as follows:(i)First, it generates the encryption key where is picked randomly in , and the decryption key where is a random number in .(ii)Afterward, it computes the user’s parameters as follows: .(iii)It also computes the Transformation Key (). First, it chooses a random number and for each it picks randomly. Then, it computes .(iv)Finally, it outputs .

TA sends securely to the user and sends publically to the ABE Service Provider.

(3) *Encryption Phase*. As shown in Figure 2, the encryption phase consists of two steps. In the first step, Bob uses its encryption key and an LSSS access structure and calls the function

is defined as follows:(i)First, it generates a random column vector to share the encryption exponent .(ii)For each , it computes where is the th row of .(iii)Then, it generates(iv)Finally, it outputs .

Afterward, Bob sends to the ABE Service Provider.

In the second step, the ABE Service Provider executes the function after receiving .

performs the following instructions:(i)For each, it computes(ii)Then, it outputs .

Finally, the ABE Service Provider sends to the Cloud Storage Provider (CSP).

(4) *Decryption Phase*. First, as shown in Figure 3, Alice requests the transformed ciphertext from the ABE Service Provider. The ABE Service Provider receives from the CSP and executes the function

is defined as follows:(i)If Alice’s set of attributes does not satisfy the access structure, then it outputs . Otherwise, let and such that .(ii)Then, it computes(iii)Finally, it outputs generated as follows:

The ABE Service Provider sends to Alice.

After receiving , Alice decrypts it using its decryption key by calling the function

executes the following instructions:(i)It computes(ii)Then, it outputs the .

###### 4.1.2. Security Analysis

Before starting our security proof, we will create a modified version of Bethencourt et al.‘s CP-ABE scheme [4] and prove that it achieves the same security level of the original scheme in the random oracle. Then, we will prove that our 1^{st} CP-ABE-OED KEM is selectively CPA-secure in the random oracle if the modified version of Bethencourt et al.‘s scheme is selectively CPA-secure in the random oracle. Thus, our 1^{st} CP-ABE-OED KEM is selectively CPA-secure in the random oracle if Bethencourt et al.‘s scheme is selectively CPA-secure in the random oracle.

We create the modified Bethencourt et al.‘s scheme by modifying the encryption phase as follows:(i)Instead of using Shamir’s Secret Sharing Scheme to build the access policy, we use the LSSS access structure in the same way as in our scheme and generate the shares .(ii)We choose a random number and compute for each row of : (the hash function must be defined in the public parameters).(iii)The generated ciphertext will be defined as follows:

It is obvious that the modified Bethencourt et al.‘s scheme achieves the same security level as the original scheme in the random oracle. That is because if we consider random, then is random and the attacker cannot compute from without knowing . Therefore, an attacker cannot distinguish between the distributions and , where is a random number.

Now, we prove the following theorem:

Theorem 1. *Our 1 ^{st} CP-ABE-OED KEM is selectively CPA-secure in the random oracle if the modified Bethencourt et al. scheme is selectively CPA-secure in the random oracle.*

Suppose that we have an adversary with non-negligible advantage in the selective CPA-security game against our construction. We show how to build a simulator that can attack the modified Bethencourt et al. scheme in the selective CPA-security model with advantage .

(1) *Init*. The adversary gives the challenge access structure to the simulator . sends to the challenger.

(2) *Setup*. The simulator obtains the public parameters from the challenger:

The random oracles and are programmed by the challenger.

Then, sends the public parametersto the adversary

(3) *Phase I*. The adversary sends request queries of sets of attributes that do not satisfy the challenge access structure to . The simulator calls the challenger’s key generation oracle on to obtain the key

The simulator chooses a random value and sets the decryption key as and the transformation key as

(4) *Challenge*. The simulator sends two distinct random messages and to the challenger. The challenger flips a coin and creates

Then, the challenger sends to the simulator.

Later on, the simulator computeswhere and are random numbers.

Then, creates as follows:

Finally, the simulator flips a coin and computes and then sends , , and to the adversary.

(5) *Phase 2*. The simulator continues to answer queries as in Phase 1.

(6) *Guess*. The adversary will eventually output a guess of . The adversary outputs 0 to guess that is random, and outputs 1 to guess that . The simulator outputs if ; otherwise it outputs . Thus, if the adversary wins the selective CPA-security game with a non-negligible advantage, then can break the security of the modified Bethencourt et al.‘s scheme with the same advantage.

##### 4.2. The 2^{nd} Proposed CP-ABE-OED Key Encapsulation Mechanism

###### 4.2.1. The Construction

In this scheme, we consider the ABE Service Provider semi-trusted, which means that it cannot collude with illegitimate users to reveal the plaintext.

We will only describe the modified methods that are different from the previous scheme.(1)(i)First, it generates the encryption key where is picked randomly in , and the decryption key where is a random number in .(ii)Afterward, it computes the user’s parameters as follows: (iii)It also computes the Transformation Key (). First, it chooses a random number and for each it picks randomly. Then, it computes .(iv)Finally, it outputs .(2)(i)It picks a random number and computes(ii)Then, it outputs .(3)(i)First, it chooses a random column vector .(ii)For each , it computes where is the th row of .(iii)Then, for each, it computes(iv)Then, it outputs . The decryption phase will perform in the same way as in the previous scheme; however, we will describe it here to show the correctness of our scheme.(4).(i)If Alice’s set of attributes does not satisfy the access structure, then it outputs . Otherwise, let and such that .(ii)Then, it computes(iii)Finally, it outputs generated as follows:(5)(i)It computes(ii)Then, it outputs the .

###### 4.2.2. Security Analysis

In this security proof, we will consider two types of adversaries:(i)Type-1 adversary: which refers to illegitimate users trying to break our scheme(ii)Type-2 adversary: which refers to a curious ABE cloud provider trying to reveal sensitive information

For the Type-1 adversary, our scheme is viewed as Bethencourt et al.‘s scheme [4] with outsourced decryption.

Now, we prove the following theorem:

Theorem 2. *Our 2 ^{nd} CP-ABE-OED KEM is selectively CPA-secure in the random oracle against Type-1 adversaries if Bethencourt et al.‘s scheme [4] is selectively CPA-secure in the random oracle.*

Suppose we have an adversary with non-negligible advantage in the selective CPA-security game against our construction. We show how to build a simulator that can attack Bethencourt et al.‘s scheme [4] in the selective CPA-security model with advantage .

(1) *Init*. The adversary gives the challenge access structure to the simulator . sends the challenge access structure to the challenger.

(2) *Setup*. The simulator obtains Bethencourt et al.‘s [4] public parameters

and forwards them to the adversary .

(3) *Phase I*. The adversary sends request queries of sets of attributes that do not satisfy the challenge access structure to . The simulator calls Bethencourt et al.‘s [4] key generation oracle on to obtain the key

The simulator chooses a random value and sets the decryption key as and the transformation key as

(4) *Challenge*. The simulator sends two distinct random messages and to the challenger. The challenger flips a coin and creates

Then, the challenger sends to the simulator.

Later on, the simulator computeswhere are random numbers.

Later on, the simulator constructs as follows:

Finally, the simulator flips a coin and computes , then sends , , and to the adversary.

(5). *Phase 2*. The simulator continues to answer queries as in Phase 1.

(6). *Guess*. The adversary will eventually output a guess of . The adversary outputs 0 to guess that is random, and outputs 1 to guess that. The simulator outputs if ; otherwise it outputs . Thus, if the adversary wins the selective CPA-security game with a non-negligible advantage, then can break the security of Bethencourt et al.‘s scheme with the same advantage.

The Type-2 adversary is not allowed to collude with unauthorized users. Thus, he can request only the transformation keys and not the decryption keys from the key generation oracle.

Now, we prove the following theorem:

Theorem 3. *Our 2 ^{nd} CP-ABE-OED KEM is selectively CPA-secure in the random oracle against Type-2 adversaries if our 2^{nd} CP-ABE-OED KEM is selectively CPA-secure in the random oracle against Type-1 adversaries.*

It is obvious that Type-2 adversary cannot distinguish between two pre-ciphertexts and whereand where is a random number.

That is because is random since is random, and the adversary cannot retrieve without knowing . Thus, Type-2 adversary has no advantage over Type-1 adversary since the only additional information () he has compared to the Type-1 adversary is not useful. Hence, Theorem 3 is proved.

#### 5. Performance Results and Analysis

##### 5.1. Theoretical Results and Analysis

In this section, we theoretically compare the user’s computation, communication, and storage costs between our two schemes and the following schemes:(i)The CPA-secure construction of [12].(ii)The CPA-secure construction of [21] based on [12] using Pedersen Commitment as a commitment scheme.(iii)Zhou et al.‘s scheme [23].(iv)Zhang et al.‘s scheme [26].(v)Li et al.‘s scheme [27].

We normalized all the schemes based on the following rules:(i)The transformation key is created by TA and not the user.(ii)We will consider all the schemes as Key Encapsulation Mechanisms (KEMs), meaning that we neglect the part where the message is encrypted (e.g., ) and leave only the parts responsible for sharing the key .(iii)We consider that each user has the ability to encrypt and decrypt.(iv)We ignored the access structure and the set of attributes when computing the size of the ciphertexts and the keys since they are common elements between all the schemes.

In Table 1, we define the notations used in this section.

In Table 2, we compare the number of operations executed in each phase (registration phase, encryption phase, and decryption phase) between our proposed schemes and the reviewed schemes.

Obviously, the user is not involved in the computations of the registration phase in all the schemes.

In [12, 21], the user-side encryption cost is very expensive, because the encryption in these schemes is not outsourced. Based on the results in Table 3, which were computed using a Type A curve of the JPBC Library [32] on a Windows 8.1 Core i7 2 GHz PC with 8 GB of RAM, we have the following:(i)(ii)(iii)(iv)

We mention that the hashes were computed using the Element.setFromHash() method based on SHA-256.

If we convert the encryption costs of the reviewed schemes, we get the following:(i) for our 1^{st} CP-ABE-OED KEM(ii) for our 2^{nd} CP-ABE-OED KEM(iii) for [23](iv) for [26](v) for [27]

We observe that, for access policies smaller than 425 leaf nodes, the user-side encryption in [27] is more efficient than [23].

If , which is the smallest value can take, the user-side encryption in [26] will be more efficient than [27] (respectively, [23]) for access policies with less than 200 leaf nodes (respectively, 270 leaf nodes). If , [27] (respectively, [23]) will achieve better efficiency than [26] for all the access policies bigger than 30 leaf nodes (respectively, 50 leaf nodes). Overall, we can say that [26] is more efficient than [23, 27] for small access policies; however, [23, 27] are more efficient for large access policies.

Our 1^{st} CP-ABE-OED KEM achieves a higher user-side encryption efficiency than [26] for all the access policy sizes. It also achieves higher efficiency than [23] for access policies with less than 500 leaf nodes, and higher efficiency than [27] for access policies with less than 630 leaf nodes.

Obviously, our 2^{nd} CP-ABE-OED KEM is more efficient than all the schemes for all the access policy sizes.

The decryption phase costs are almost the same (one modular exponentiation) in all the schemes since they all use the same key blinding technique used in [12]. In [21], the user performs 2 more modular exponentiations to reveal the commitment.

Table 4 shows the communication costs generated in the registration phase, the encryption phase, and the decryption phase between our proposed schemes and the reviewed schemes. In [12, 21, 23, 26], TA sends and to the user in the registration phase, which costs elements in and elements in for [26], elements in and one element in for [23], and elements in and one element for [12, 21]. In [27], TA sends the encryption transformation key and to the user, which costs two elements and elements in . However, in our proposed schemes, only two elements in ( and ) are communicated between TA and the user. The reason is that in our proposed schemes is transferred by TA directly to the ABE Service Provider.

In the encryption phase, the user in [26] receives two Intermediate Ciphertexts from the ABE Service Provider offline, each of them containing elements in and elements in , and sends the ciphertext to CSP, which costs elements in and elements in . This makes [26] the most expensive scheme for the users in terms of communication cost produced in the encryption phase. In [12, 21], the user communicates to CSP; this costs elements in for [12] and an additional element in for [21] generated by the commitment element . The user in [27] sends the partially encrypted ciphertext and the outsourcing parameters to the ABE service provider. This costs elements in and elements in , which makes [27] slightly more efficient than [12, 21]. In our 1^{st} CP-ABE-OED KEM, the user sends to the ABE Service Provider, which costs him one element and elements in . In [23], the user sends that costs only elements in and one element in to the ABE Service Provider. In our 2^{nd} CP-ABE-OED KEM, the transfer of to the ABE Service Provider costs only one element and one element, which makes it the most efficient scheme in terms of user’s communication cost in the encryption phase.

In the decryption phase, the user receives the transformed ciphertext from the ABE Service Provider in all the schemes, which costs two elements in [23] and only one element in the other schemes. In addition, the user should first communicate his to the ABE Service Provider, which costs elements in and elements in for [26], elements in for [23], and elements in for [12, 21, 27]. In [21], the user also receives the commitment from CSP, which costs one element. In our proposed schemes, the user does not need to send or receive anything from CSP or the ABE Service Provider except ; is already sent by TA to the ABE Service Provider in the Registration Phase. Thus, our proposed schemes are the most efficient schemes in terms of user’s communication cost produced in the decryption phase.

Table 5 compares the user’s storage cost for each scheme. In general, [26] is the scheme that requires the biggest user-side storage space to store , , and two Intermediate Ciphertextx (). The user in [27] stores elements in and one element for the encryption transformation key , and one element for the decryption key . Thus, for large universe applications, [27] is considered the most storage space consuming scheme for users. In [12, 21, 23], the user stores and . costs one element in all the schemes and costs elements in for [23] and elements in for [12, 21]. In our proposed schemes, the user stores the encryption key and the decryption key ; each of them costs only one element. Therefore, our proposed schemes are the most lightweight schemes in terms of user-side storage.

##### 5.2. Experimental Results and Analysis

In this section, we will experimentally compare the running times of the user-side encryption and decryption of our 1^{st} outsourced CP-ABE scheme (CP-ABE-OED1), our 2^{nd} outsourced CP-ABE scheme (CP-ABE-OED2), the original CP-ABE scheme [4], ZHCP-ABE [23], and LiCP-ABE [27]. The implementations of the studied schemes were developed in Java using the JPBC Library [32] and the hashes were computed using method of the *Element* class based on *SHA-256*.

We run 200 experiments for each on a Windows 8.1 Core i7 2 GHz PC with 8 GB of RAM where the access policy is defined as follows and the user’s set of attributes is . This approach simulates the worst-case scenario where the decryption phase depends on all the access policy’s components. For each , we repeat the experiment 10 times and calculate the average running time in milliseconds to smooth any experimental variability.

In Figure 4, the *x*-axis represents the size of the access policy and the *y*-axis represents the of the user-side encryption running time in milliseconds.

The experimental results confirmed our theoretical results. Besides, the theoretical results showed that CP-ABE-OED1 is more efficient than ZHCP-ABE [23] (respectively, LiCP-ABE [27]) for access policies with less than 500 leaf nodes (respectively, for access policies with less than 630 leaf nodes). However, the experimental results showed that CP-ABE-OED1 is more efficient than ZHCP-ABE [23] and LiCP-ABE [27] for all the access policy sizes up to 1000.

We observe that the difference in running time between CP-ABE-OED1 and CP-ABE-OED2 is linearly increasing with a relatively small slope, and this is due to the number of multiplications and hashing operations performed in CP-ABE-OED1 that is linear to the size of the access policy.

In Figure 5, the *x*-axis represents the size of the user’s set of attributes and the *y*-axis represents the of the user-side decryption running time in milliseconds.

As expected, the running times of the user-side decryption in all the studied outsourced CP-ABE schemes are constant and equivalent; that is because they all used the same decryption outsourcing technique firstly proposed by [12]. The user needs only about 2 ms (since according to Figure 5) to decrypt a ciphertext regardless the size of the access policy or the length of her set of attributes.

#### 6. Conclusion

In this paper, we proposed two efficient CP-ABE Key Encapsulation Mechanisms that can be provided as services in the cloud, minimizing the user-side computation, communication, and storage costs. The first scheme is suitable for applications where the ABE Service Provider is untrusted, whereas the second scheme, which is more efficient, requires the ABE Service Provider to be at least semi-trusted. Both schemes are proved to be selectively CPA-secure in the random oracle. However, our systems support only one TA that is responsible for the registration of all the users. Hence, our systems will face a bottleneck problem if TA does not use a very powerful device or if the registration requests are very frequent. Therefore, in the future, it will be interesting to extend our schemes to use a multi-authority architecture to handle this problem. Converting our schemes to support a multi-authority architecture might also improve the security of the systems by preventing the key-escrow problem produced when attackers compromise the TA’s master key. In a multi-authority approach, compromising some authorities’ master keys by attackers will not break the system.

#### Data Availability

No data were used to support this study.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported by the National Center for Scientific and Technical Research (CNRST) (scholarship number: 4UIZ2017).