Contents Introduction
The use oriented IT services to users is offered by cloud computing. Two of the outstanding advantages are the large storage space and the strong computing power for cloud computing. Nowadays, with the development of cloud computing persons gradually have gotten accustomed to store their pictures, contacts or some other files to the cloud servers. Meanwhile, strong computing power is also utilized by persons or companies. For the convenience of people’s daily life, many novel applications are proposed in cloud computing.
On the one hand, cloud users/terminals can save their cost via outsourcing their data storage or computation to the cloud servers, while the cloud users/terminals are only viewed as “devices” of input and output. On the other hand, a user’s data are out of control by herself/himself, how to protect the users’ privacy is a key issue in academia and industry. Thus a sequence of security issues is considered, such as remotely auditing [1], [2], outsourcing computation [3], outsourcing verification [4] and keyword searching [5]. Although various cryptographic skills and methods were put forward, attribute-based encryption (ABE) [6], a fine-grained and flexible scheme for access structure becomes one of the most hot notions to be researched in cloud computing.
ABE put forward by Sahai and Waters [6], was taken into account an extended version of notion of identity-based encryption (IBE). It is efficient to perform one-to-many encryption model but other than broadcast encryption. Lately, according to the access control policy deploying, ABE schemes were categorized two distinct types, key-policy ABE (KP-ABE) [7] and ciphertext-policy ABE (CP-ABE) [8]. However, one main barrier is that the decryption cost of these ABE schemes is very high. Because the user’s decryption cost and the ciphertext’s length linearly grow with the access policy’s complexity. It has become a critical obstacle for various applications in cloud computing, such as the applications on wireless sensor, smart phone.
In order to reduce the computation cost of ABE’s decryption algorithm and use powerful computational capability of the cloud server or some proxies, Green et al. [9] presented the notion of ABE with outsourced decryption (ABE-OD), which was called GHW method. A user need spend a small cost decrypting a ciphertext via a cloud server completes a large number of computation in their scheme. That is to say, the cloud server first outputs a transformed ciphertext by computing a delegated transformation key and the original ciphertext, and next the user can obtain the corresponding plaintext via computing “decryption” algorithm. While for security consideration, the ABE-OD scheme at the outsourcing process couldn’t leak any information about the plaintext. However, there are two other issues they didn’t solve in their ABE-OD scheme. One is that there is no mechanism to ensure the transformed ciphertext’s correctness. The other is that the authority needs to firstly generate user’s private key and then generate user’s transformation key (the private key cannot be used any longer), which causes the scheme isn’t fine-grained for user and increments the overhead of the authority.
To solve these problems, Lai et al. [10] used the GHW method to construct an ABE-OD scheme called verifiable outsourced decryption of ABE (ABE-VOD), which can verify the transformed ciphertext’s correctness by a proxy or the cloud server. A random message and a plaintext are encrypted and meanwhile generated a commitment by the data owner in their ABE-VOD scheme. While the data receiver can make use of her/his private key to create a retrieving key and a transformation key which is utilized to produce a transformed ciphertext. In their decryption algorithm or outsourced decryption algorithm, the commitment is to make use of checking the generated transformed ciphertext’s correctness. When the attributes set meets the ciphertext’s access structure, the user is able to verify the transformed ciphertext’s correctness. The model of their ABE-OD is described in FIGURE 1. Subsequently, relying on distinct scenarios or different correctness-checking methods, several ABE-VOD schemes were presented [11]–[29], while all these schemes used the GHW skill to design the outsourced decryption. Although Qin et al. [30] and Zhao and Wang [21] also put forward ABE-VOD schemes, they required the authority to produce the transformation key. Xu et al. [31] constructed an ABE-VOD scheme from multilinear map [32] that is secure based on
Arbitrary usage of cloud computing can lead to uneconomical energy consumption in data storage, processing and communication. Hence, green cloud computing solutions aim not only to save energy but also reduce operational costs and carbon footprints on the environment [34].
While green computing is the atmosphere conscientious and recyclable utility of resources [35]. The green cloud networks can reduce their energy requirements by adapting their performance when it deploys, manages and provides the services [36].
A. Motivation
It is the key technique for implementing the green cloud computing to reuse the resource and reduce the total energy consumption on the condition of guaranteeing the quality of service for performing the same task.
We analyze the outsourced decryption model proposed by Lai et al. [10] in the FIGURE 1. Every user generates her/his transformation key and retrieving key. When a user 
\begin{equation*} TCT_{1} \not = TCT_{2}.\end{equation*}
Although we suppose that the cloud server has much strongly computation power, it seems that the existing outsourced decryption manner wastes the computing resource of the cloud server which is required to help the users to repeatedly convert the same ciphertext into the transformed ciphertexts which correspond the same plaintext respectively. Thus, an ideal solution is that the cloud server can repeatedly use the transformed ciphertext of a ciphertex
To our best knowledge, all existing ABE-OD schemes solved the problem of reducing the computation cost of the users and preventing the cloud server from cheating for every outsourced decryption. No scheme solves the problem of efficiently reduceing the total computation cost of the cloud server besides the users at the same time.
Thus, the goal of our work is to find an efficient outsourced decryption method of ABE scheme to reduce the cloud server’s computation cost besides reducing the computation cost of users.
B. Contribution
In this article, we propose a new approach to outsource the decryption of the ABE scheme. Compared with the GHW method, our method is much more efficient for the cloud server besides reducing the computation cost of decryption of users if many users require the outsourced decryption services for the same ciphertext. Because the cloud server only computes the transformed ciphertext once for each ciphertext and many users satisfying the common access policy. To the best of our knowledge, there is no other scheme researching efficiency of the computation cost of the cloud server and users at the same time. Our approach has some advantages as follows.
For the cloud server, our method only needs to compute the transformed ciphertext once for any ciphertext and an access policy. That is to say, when the cloud server find that checks the transformation keys are used and the transformed ciphertext of the ciphertext has been generated (from the record having done), it returns the same transformed ciphertext.
For any user, our method doesn’t require the additional computation cost to produce the transformation key and additional storage space to store the user’s transformation key, besides storing the user’s private key.
C. Organization
The rest sections are organized below. Some basic notions are recalled in section 2. Then in section 3 we propose our construction. We analyze our construction’s performance and security in section 4 and 5, respectively. In section 6 we utilize our method to design a RCCA-secure construction and analyze its security. Finally, we concludes our paper in last section.
Preliminaries
Firstly we recall some notions, the ABE-OD model and its security model.
A. Notation
In order to clearly understand our paper, the abbreviations used in the paper are given in TABLE 1.
B. Bilinear Map
The order of two multiplicative groups
Bilinear: For any elements
$u,v\in \mathbb {Z}_{p}^{*},\,\,e(g^{u},g^{v})=e(g,g)^{uv}$ Non-degenerate:
$e(g,g)\neq 1_{\mathbb {G}_{2}}$ $1_{\mathbb {G}_{2}}$ $1_{\mathbb {G}_{1}}$ $\mathbb {G}_{2}$ $\mathbb {G}_{1}$ Computable: For every element
$g'',g' \in \mathbb {G}_{1},~e(g'',g')$
Defintion 1.
$e(g,g)^{\eta \theta \vartheta }$ $g,g^{\eta },g^{\theta },g^{\vartheta } \in \mathbb {G}_{1}$ $\eta,~\theta,~\vartheta \in \mathbb {Z}_{p}^{*}$
For any PPT algorithm \begin{equation*} \mathrm {Pr}[\mathcal {A}(g,g^{\eta },g^{\theta },g^{\vartheta })=e(g,g)^{\eta \theta \vartheta }: g,g^{\eta },g^{\theta },g^{\vartheta }\in \mathbb {G}_{1}].\end{equation*}
C. Linear Secret Sharing Schemes
The linear secret sharing scheme (LSSS)
Each party’s secret shares form a vector in
$\mathbb {Z}_{p}$ $A$ $n$ $l$ $\rho:~i \rightarrow \rho (i)$ $\rho (i)$ $i$ $A_{i}$ $A$ $i$ $\vec {v}_{i}=(s, \nu _{2},\ldots, \nu _{n})^{T},\,\,s, \nu _{2}, \ldots, \nu _{n} \in \mathbb {Z}_{p}$ $s \in \mathbb {Z}_{p}$ $(A\vec {v})_{i}$ $\rho (i).~A\vec {v}$ $l$ $s$ $\Pi $ Let
$\mathbb {A}$ $\Pi $ $S$ $\mathbb {A}$ $I = \{i:\rho (i) \in S\}$ $[l] = \{1,2, \ldots, l\}$ $\{(A\vec {v})_{i}\}_{i \in I}$ $s$ $\Pi $ $\{o_{i} \in \mathbb {Z}_{p}\}_{i \in I}$ $\sum \limits _{i\in I}o_{i}(A\vec {v})_{i} = s$
D. System Model
Since the model of ABE-OD Scheme [9] required that the authority generates the transformation key, it doesn’t include Decrypt algorithm and GenTK
Setup
$(1^{\tau }, U)$ $msk$ $PK$ $1^{\tau }$ $U$ KeyGen
$(msk, PK, S)$ $SK$ $S$ Encrypt
$(PK,M,\mathbb {A})$ $CT$ $\mathbb {A}$ Decrypt
$(SK, CT)$ $SK$ $S$ $\mathbb {A}$ GenTK
$_{out}(PK,SK)$ $TK$ $RK$ Transform
$_{out}(TK,CT)$ $TCT$ Decrypt
$_{out}(CT,TCT,RK)$ $S$ $\mathbb {A}$ $CT,~TCT$ $RK$ $'\perp '$
E. Security Model
Firstly, we recall the definition of chosen plaintext attack (CPA) for ABE-OD in [15]. We take into account the selectively CPA security model for ABE-OD via the interactive game between
Init.
$\mathcal {A}$ $\mathbb {A}^{*}$ Setup.
$\mathcal {C}$ $PK$ $\mathcal {A}$ $\mathcal {C}$ $msk$ Phase 1. The challenger
$\mathcal {C}$ $T$ $D$ $\mathcal {A}$ $Private~key$ $\mathcal {A}$ $S$ $D.~\mathcal {C}$ $S$ $\mathbb {A}^{*}$ $Transformation~key$ $\mathcal {A}$ $S,~\mathcal {C}$ $T$
Challenge. In this phase,
$\mathcal {C}$ $c\in \{0,1\}$ $M_{0}$ $M_{1}$ $\mathcal {A}$ \begin{equation*} CT^{*} = Encrypt(PK, M_{c}, \mathbb {A}^{*}).\end{equation*} View Source\begin{equation*} CT^{*} = Encrypt(PK, M_{c}, \mathbb {A}^{*}).\end{equation*}
$\mathcal {C}$ $CT^{*}$ Phase 2.
$\mathcal {A}$ Guess.
$\mathcal {A}$ $c'\in \{0,1\}$ $c$
\begin{equation*} |\frac {1}{2}-\mathrm {Pr}[c=c']|,\end{equation*}
Definition 3:
An ABE-OD scheme is selectively CPA-secure if the above advantage is negligible in
Next, we recall the definition of the RCCA-secure of the ABE-OD. Compared with the CPA-secure, the RCCA adversary
Phase 1.
$Decrypt$ $\mathcal {A}$ $S$ $CT$ $\mathcal {C}$ $M$ Phase 2.
$Decrypt$ $\mathcal {A}$ $\mathcal {C}$ $M_{0}$ $M_{1}$
\begin{equation*} |\frac {1}{2}-\mathrm {Pr}[c=c']|,\end{equation*}
Definition 4.
An ABE-OD scheme is selectively RCCA-secure if the above advantage is negligible in
Our CPA-Secure Construction
We design an ABE-OD scheme which is based on the construction of Waters [40] below.
Setup
$(1^{\tau },U)$ $1^{\tau }$ $U$ $\{at_{1}, \cdots, at_{l} \}$ $e$ $\mathbb {G}_{1},\mathbb {G}_{2}$ $\mathbb {G}_{1},~\mathbb {G}_{2}$ $p$ $g \not = 1_{\mathbb {G}_{1}}$ $\mathbb {G}_{1}$ $a, \alpha \in \mathbb {Z}_{p}^{*}$ $l$ $T_{1},~\cdots,~T_{l}$ $\mathbb {G}_{1}$ \begin{equation*} y = g^{a}, Y = e(g,g)^{\alpha }.\end{equation*} View Source\begin{equation*} y = g^{a}, Y = e(g,g)^{\alpha }.\end{equation*}
$PK$ $(\mathbb {G}_{1},~g,~y,~Y,~\mathbb {G}_{2},~T_{1}, \cdots, T_{l})$ $msk = \alpha $ KeyGen
$(msk, PK, S)$ $\lambda \in \mathbb {Z}_{p}^{*}$ \begin{equation*} \{K_{i}=T_{i}^{\lambda }\}_{at_{i} \in S}, K = y^{\lambda }g^{\alpha }, K_{0} = g^{\lambda }.\end{equation*} View Source\begin{equation*} \{K_{i}=T_{i}^{\lambda }\}_{at_{i} \in S}, K = y^{\lambda }g^{\alpha }, K_{0} = g^{\lambda }.\end{equation*}
$SK_{S} =$ \begin{equation*} (S, \{K_{i}: at_{i} \in S\}, K, K_{0})\end{equation*} View Source\begin{equation*} (S, \{K_{i}: at_{i} \in S\}, K, K_{0})\end{equation*}
Encrypt
$(M,\mathbb {A})$ $M\in \mathbb {G}_{2}$ $\mathbb {A}$ $(A,\rho)$ $l \times n$ $A$ $\rho $ $\lambda _{i} \in \mathbb {Z}_{p}^{*}$ $\vec {v} =$ \begin{equation*} (\nu, \nu _{2}, \cdots, \nu _{n}) \in \mathbb {Z}_{p}^{n},\end{equation*} View Source\begin{equation*} (\nu, \nu _{2}, \cdots, \nu _{n}) \in \mathbb {Z}_{p}^{n},\end{equation*}
$\nu $ \begin{align*} C_{0}=&g^{\nu }, C_{M} = Y^{\nu } M,\\ (D_{1}=&g^{\lambda _{1}}, C_{1} = T_{\rho (1)}^{-\lambda _{1}}g^{aA_{1} \cdot \vec {v}}),\\&\cdots, (D_{l} = g^{\lambda _{l}}, C_{l} = T_{\rho (l)}^{-\lambda _{l}}g^{aA_{l} \cdot \vec {v}}).\end{align*} View Source\begin{align*} C_{0}=&g^{\nu }, C_{M} = Y^{\nu } M,\\ (D_{1}=&g^{\lambda _{1}}, C_{1} = T_{\rho (1)}^{-\lambda _{1}}g^{aA_{1} \cdot \vec {v}}),\\&\cdots, (D_{l} = g^{\lambda _{l}}, C_{l} = T_{\rho (l)}^{-\lambda _{l}}g^{aA_{l} \cdot \vec {v}}).\end{align*}
$CT = (C_{0}, C_{M}, (D_{1}, C_{1}), \cdots, (D_{l}, C_{l}))$ Decrypt
$(SK,S,CT)$ $CT$ $SK,~S$ $(\mathbb {A}, CT)$ When
$S$ $\mathbb {A}$ $o_{i} \in \mathbb {Z}_{p}^{*}$ $i \in I$ $\Sigma _{i\in I}o_{i}A_{i} = (1,0,\cdots,0)$ \begin{equation*} M' = \frac {C_{M}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*} View Source\begin{equation*} M' = \frac {C_{M}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*}
GenTK
$_{out}(SK)$ $SK $ $(K, K_{0}, \{K_{i}: at_{i} \in S\})$ $(K_{0},~\{K_{i}: at_{i} \in S\})$ $TK$ $K$ $RK$ Transform
$_{out}(TK,CT)$ $CT$ $TK$ \begin{equation*} TCT = \prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}},\end{equation*} View Source\begin{equation*} TCT = \prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}},\end{equation*}
$e(g,g)^{a \nu \lambda }$ Decrypt
$_{out}(CT, TCT,RK)$ $CT$ $TCT$ $RK$ \begin{equation*} M' = \frac {C_{M}TCT}{e(C_{0},K)}.\end{equation*} View Source\begin{equation*} M' = \frac {C_{M}TCT}{e(C_{0},K)}.\end{equation*}
Note: Compared the GHW method to generate the transformation key, our approach does neither store the transformation key (if compute the transformation key offline), nor increase the overhead of outsourcing decryption (if compute the transformation key online). It is obvious for the correctness of our scheme, we omit it.
Performance Analysis
The main goal of our method is to reduce the total overhead of the cloud server for outsourced decryption of ABE scheme besides decreasing the user’s overhead of the decryption of ABE scheme when many users submit the outsourced decryption service to the cloud server. Although Green et al. [9] and Li et al. [15] used the same outsourcing method to outsource the decryption, the entities to generate the transformation key were different and subsequent works were used these two methods, respectively. We compare their methods with ours in TABLE 2.
For every ciphertext, the cloud server for the GHW method [9], [15] needs to compute
Then, we analyze the difference between these two methods for users further in TABLE 2. For our method, every user needs to store the private key of an attributes set satisfying the access policy, eg.
The last column represents the entity who generates the transformation key. For flexibility, we take into account the model proposed by Li et al. [15]. For the GHW model, our approach is also useful to reduce the total overhead of the cloud server being outsourced decryption for all users and the cost generating the transformation key.
Thus, compared with the existing schemes, our approach can reduce the total overhead for the cloud server when
Security Analysis
Intuitively, our scheme is as secure as the scheme proposed by Waters [40]. For Waters’s scheme, any adversary can select an element \begin{equation*} TK'_{S}=(K'_{0} = g^{\lambda '}, \{K_{i}' = T_{i}^{\lambda '}\}_{at_{i} \in S}).\end{equation*}
$Fact~1$ $TK_{S}$ $TK'_{S}$ $Fact~2$ $TK'_{S}$ $K' = g^{\alpha }y^{\lambda '}$ $K'$ $\lambda '$ $(K', TK'_{S})$ $S$
Lemma:
Let the Waters’s CP-ABE scheme [40] be selectively CPA-secure. The scheme is also selectively CPA-secure even if
For our scheme, any untrusted cloud server is able to obtain the transformation key from
Theorem 1:
Our construction is selectively CPA-secure if the Waters’s CP-ABE scheme [40] is selectively CPA-secure.
Our RCCA-Secure Construction
Here, we extend our scheme to the stronger selectively RCCA-secure construction. We get this result by also using the technique proposed by Fujisaki and Okamoto [41]. The construction similar to [9] is described below.
Setup
$(1^{\tau },U)$ \begin{align*}&H_{2}: \{0,1\}^{*} \rightarrow \{0,1\}^{k},\\&H_{1}: \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}^{*}.\end{align*} View Source\begin{align*}&H_{2}: \{0,1\}^{*} \rightarrow \{0,1\}^{k},\\&H_{1}: \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}^{*}.\end{align*}
KeyGen
$(msk, PK, S)$ Encrypt
$(M,\mathbb {A})$ $M\in \{0,1\}^{k}$ $\mathbb {A}$ $(A,\rho)$ $R$ $\mathbb {G}_{2}$ \begin{equation*} \nu = H_{1}(R,M)\in \mathbb {Z}_{p}^{*}~\mathrm {and}~r = H_{2}(R) \in \{0,1\}^{k}.\end{equation*} View Source\begin{equation*} \nu = H_{1}(R,M)\in \mathbb {Z}_{p}^{*}~\mathrm {and}~r = H_{2}(R) \in \{0,1\}^{k}.\end{equation*}
$\nu $ $(D_{1},C_{1}), \ldots, (D_{l}, C_{l})$ $\nu $ $\vec {v}$ \begin{equation*}C_{0} = g^{\nu }, C_{R} = Y^{\nu } R, C_{M} = r \oplus M,\end{equation*} View Source\begin{equation*}C_{0} = g^{\nu }, C_{R} = Y^{\nu } R, C_{M} = r \oplus M,\end{equation*}
$CT = (C_{0}, C_{M}, C_{R}, (D_{1},C_{1}), \ldots, (D_{l}, C_{l}))$ $(SK,S,CT)$ $SK$ $S$ $(\mathbb {A}, CT)$ \begin{equation*} R' = \frac {C_{R}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*} View Source\begin{equation*} R' = \frac {C_{R}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*}
$M' = H_{2}(R') \oplus C_{M}$ \begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*} View Source\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*}
$M'$ $\perp $ GenTK
$_{out}(SK)$ Transform
$_{out}(TK,CT)$ Decrypt
$_{out}(CT, TCT,RK)$ $CT$ $TCT$ $RK$ \begin{equation*} R' = \frac {C_{R} \cdot TCT}{e(C_{0},K)}.\end{equation*} View Source\begin{equation*} R' = \frac {C_{R} \cdot TCT}{e(C_{0},K)}.\end{equation*}
\begin{equation*} M' = H_{2}(R') \oplus C_{M},\end{equation*} View Source\begin{equation*} M' = H_{2}(R') \oplus C_{M},\end{equation*}
\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*} View Source\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*}
$M'$ $\perp $
Theorem 2:
In the random oracle model our construction above is selectively RCCA-secure if the Waters’s CP-ABE scheme [40] is selectively CPA-secure.
Obviously, the efficiency of the RCCA-secure construction put forward by Green et al. [9] and it of our RCCA-secure construction are similar to them in section IV.
Our method cannot only be used to construct the KP-ABE-OD scheme which is analogous to describe the GHW KP-ABE-OD scheme [9], but also can be used to construct the ABE-VOD schemes [10]–[13]. Here, we omit these concrete constructions.
Conclusion
The resource is reused and on the condition of guaranteeing the quality of service the total energy consumption is reduced for performing the same task are key features in the green cloud computing. In this paper, we considered the outsourced decryption of ABE scheme in the green cloud computing. In order to reduce the total overhead of the cloud server when many users satisfying the access policy require their outsourced decryptions for the same ciphertext, we put forward a new and secure method used in the ABE-OD schemes. Our approach can reduce the overhead of both users and the cloud server. That is to say, the cloud server’s overhead only needs constant computation cost for all outsourced decryptions of the same ciphertext besides reducing the user’s computation cost. Finally, we extended our approach to a RCCA-secure ABE-OD scheme.