1. Introduction
Cloud computing has gained widespread support and adoption as an emerging service model that provides users with powerful computing and storage, among other capabilities. It brings many benefits for geographically dispersed users to share data and significantly reduces the cost of local storage management and maintenance. For mobile devices with limited computing resources (e.g., cell phones), enterprises or individuals can outsource intensively and complexly computing operations to a cloud service provider, thereby increasing local computing efficiency. However, although cloud service providers (CSP) bring convenience to users, they also bring a series of security issues and challenges [1-3].
When an enterprise or individual stores its data (especially sensitive data) directly in the cloud in plaintext, it loses direct control over his data. To ensure the privacy and security of outsourcing sensitive data, the most common method to ensure data confidentiality is currently to encrypt the outsourced data and then upload the ciphertext to the cloud service provider so that the cloud service provider is unable to access and obtain any valuable information from the outsourced data [4]. However, the sharing of encrypted data also poses some difficulties among users. When an enterprise or an individual wants to share the encrypted data or files with other users, the users cannot decrypt these encrypted data directly after downloading the ciphertext. Shamir et al. [5] first proposed identity-based encryption (IBE) scheme in 1984 which can securely implement the function of access control, where IBE is a cryptosystem which allows a user to generate its public key using some unique information about the identity of the user (e.g. a user's name). In this case, a sender can access to the public parameters of the system to encrypt a message using the text-value of the receiver's name as a key, and the receiver can obtain its decryption key from a central authority. Therefore, users can use this scheme to encrypt data, which can not only ensure the security of data but also realize the data sharing with other users.
However, most of the identity-based encryption schemes are constructed based on elliptic curve bilinear groups, which involve more bilinear pairing and power operations, resulting in less efficient decryption algorithms. When users execute the decryption algorithm, the computation of decryption grows linearly with the number of users. To this end, this paper proposes an outsourcing decryption scheme of verifiable transformed ciphertext (VTC-OD). The main contributions of this paper are listed below.
1) Considering that users of mobile devices with insufficient computing power need to consume huge computing overhead in performing the decryption, and that cloud service providers have strong computing power, users can perform partial decryption operations at the cloud service provider side with the powerful computing power and obtain the partial decrypted ciphertext, who only need to do a simple decryption operation to get the plaintext.
2) Since cloud service providers are not fully trustworthy, they may not perform the outsourced decryption request required by the users due to "laziness" to save computing resources or for some benefit, and try to falsify the outsourced decryption result resulting in the users not getting the correct and valid plaintext. Therefore, it is especially important to verify the correctness of the outsourced decryption operation and decrypted ciphertext.
3) Theoretical and experimental analyses are performed. We implement a system prototype and analyze the experimental evaluation, which shows the efficiency of our algorithm.
The rest of this paper is organized as follows. Section 2 summarizes the related work in this paper. Section 3 describes the cloud data sharing system model and presents the current problems. Section 4 proposes an outsourcing decryption scheme of verifiable transformed ciphertext. Section 5 analyzes the security and rationality of this algorithm. Section 6 illustrates the performance of the proposed algorithm in theoretical analysis and experimental simulation. Finally, Section 7 concludes the work and suggests future directions.
2. Related Work
To ensure the security of data and solve the problem that users of mobile devices with insufficient computing power need to consume huge computational overhead and long decryption time to perform decryption, this paper focuses on outsourcing decryption.
Many research scholars have proposed large amounts of outsourcing decryption schemes [6-27]. In 2011, Green et al. [6] introduced the first outsourced decryption in attribute-based encryption systems by outsourcing the complex decryption operations to CSP, and the basic idea of this scheme is to blind the user's private key, and then outsource the large number of power and bilinear pairing operations involved in the decryption process to CSP for performing, thus effectively reducing the computational overhead of decryption. Subsequently, attribute-based encryption (ABE) schemes supporting outsourced encryption were proposed in the literature [14-15], where ABE is a cryptosystem which enables fine grained access control of encrypted data using authorization policies. In this case, the secret key of a user and the ciphertext is dependent upon attributes (e.g. its email address, or the kind of subscription it has), and the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext. Since CSP are usually semi-trustworthy, to verify the correctness of the outsourced decryption results returned by CSP, Lai et al. [7] formally introduced the concept of verifiability and proposed an ABE scheme for verifiable outsourced decryption in 2013. After this, verifiable outsourced decryption algorithms were further investigated in the literature [8-10], where Ma and Zhang et al. [8] proposed verifiable and exempt attribute encryption, Lin and Zhang et al. [9] revisited the relationship between attribute-based encryption and verifiable outsourced decryption, and Zhang and Chen et al. [10] proposed a fog computing with outsourcing capability and access control scheme for attribute updating.
Moreover, the identity-based encryption has also been extended to the cryptosystem of proxy re-encryption (PRE) for allowing third parties (proxies) to alter a ciphertext which has been encrypted for one party and then it may be decrypted by another. Green et al. [28] proposed identity-based proxy re-encryption (IB-PRE), which uses the user's unique identity information as the public key, and is characterized by unidirectionality, non-transmissibility, and non-interactivity. Subsequently, many identity-based proxy re-encryption schemes have been proposed [29-31], which combine proxy re-encryption and identity-based encryption, and are more convenient in practical application scenarios. Ge et al. [29] proposed the revocable identity-based proxy re-encryption (RIB-BPRE) scheme, which dynamically shares the encrypted data by updating re-encryption keys and generating re-encrypted ciphertexts. Xu et al. [30] proposed the conditional identity-based broadcast proxy re-encryption (CIBPRE) scheme, which combines the ideas of conditional control and broadcasting, the re-encryption keys and ciphertexts have constant size. Kim et al. [31] proposed a broadcast proxy re-encryption (BPRE) scheme, which combines broadcast encryption and proxy re-encryption, is used for the redistribution of data uploaded on the cloud to multiple users.
However, these works do not address the authorization period of outsourced decryption, which can result in outsourced decryption ciphertexts that have passed the authorization period remaining valid. Therefore, it needs to develop a secure and verifiable outsourced decryption scheme based on the authorization period.
3. System Model and Problem Description
3.1 System Model
In the cloud storage, encrypted data sharing system model is shown in Fig. 1 and consists of four main entities: content provider (CP), users, key generation center (KGC), and cloud service provider (CSP).
Fig. 1. System model
1) Cloud service provider: CSP is to provide CP with a storage service for storing outsourced data or files and a computing service for transforming stored data. That is, the CSP can transform the data stored by the CP from IBE ciphertext to identity-based broadcast encryption (IBBE) ciphertext and then send it to the user for accessing the ciphertext.
2) Content provider: to protect data privacy, the CP can process the data using the IBE encryption mechanism and then outsource the encrypted data to the CSP. If the CP wishes to share the data with the users, an authorization token is generated and sent to the CSP.
3) Users: users access the data through CSP, get the encrypted data, and decrypt the ciphertext with their private keys.
4) Key generation center: KGC is a trusted participant responsible for responding to registration requests, and generates system parameters and private keys.
The encrypted data sharing model in the cloud storage consists of six main polynomial time algorithms, i.e., Setup, Keygen, Encrypt, Authorize, Transform, Decrypt, which are composed of the following process.
1) Setup (1𝜆, 𝑚) → (𝑚𝑠𝑘, 𝑝𝑝). This algorithm is executed by KGC. It inputs the security parameters 1𝜆 and 𝑚, outputs system parameters 𝑝𝑝 and the master key msk, where 𝑚 denotes the maximum number of authorized users. The system parameters are public and the master key is kept secret by KGC.
2) Register (𝑝𝑝, 𝑚𝑠𝑘, ID) → 𝑠𝑘ID. This algorithm is executed by KGC. It inputs the system parameters 𝑝𝑝, the master key 𝑚𝑠𝑘, user identity ID ∈ {0, 1}∗, and outputs the user's private key 𝑠𝑘ID which is sent to the user over a secure channel.
3) Encrypt (𝑝𝑝, 𝑀, ID) → CTID. This algorithm is executed by CP. It inputs the system parameters 𝑝𝑝, the plaintext 𝑀, CP’s identity ID, and outputs a ciphertext CTID in IBE format which is uploaded to CSP.
4) Authorize(𝑝𝑝, 𝑠𝑘ID, 𝑆) → TKID→𝑆. This algorithm is executed by CP. It inputs the system parameters 𝑝𝑝, the private key of CP 𝑠𝑘IDcp, the set of authorized users 𝑆 = {IDi}ni=1, and outputs authorization token TKID→𝑆 that is sent to CSP over a secure channel.
5) Transform (𝑝𝑝, TKID→𝑆, CTID) → CT𝑆. This algorithm is executed by CSP. It inputs the system parameters 𝑝𝑝, the authorization token TKID→𝑆, and a ciphertext CTID in IBE format, and outputs a transformed ciphertext CT𝑆 in IBBE format.
6) Decrypt (𝑝𝑝, 𝑠𝑘ID′ , CTID/CT𝑆 ) → (𝑀/⊥). This algorithm is executed by the user. It inputs the system parameters 𝑝𝑝, the private key 𝑠𝑘ID′ and a ciphertext CTID or CT𝑆. For the ciphertext CTID, if ID′ = ID, CP executes the algorithm and outputs a plaintext message 𝑀, otherwise outputs error flag ⊥. For ciphertext CT𝑆, if ID ∈ 𝑆, users execute the algorithm and output a plaintext message 𝑀, otherwise output error flag ⊥.
3.2 Threat Model
Definition 1. Authorization period. The authorization period is the period between the start time and the end time when the users are authorized. Users are granted access to data in the shared system within the limits of the authorization period (e.g., the data service period purchased by the user). During the authorization period assigned by the system, users can access and decrypt the shared data in the system. Once the authorization period expires, users will no longer be able to access and decrypt the shared data, especially the data that was accessed and decrypted during the authorization period.
This paper assumes that CP and KGC are reliable, while users and CSP are semi-trustworthy, i.e., they will follow data sharing protocols "in good faith", but there may be some malicious behavior. Therefore,the following attacks are considered:
1) Unauthorized ciphertext decryption attack. Unauthorized users and semi-trusted CSP may try to decrypt part of the decrypted ciphertext transformed by the CSP without the private key by means of spoofing, eavesdropping, brute force cracking, etc.
2) Forgery attack. To charge users more and save computational resources, a semi-trusted CSP may directly return randomly decrypted packets that look similar to the real ones (e.g., strings of the same length) without performing the packet decryption.
3) Repudiation attack. Even if the CSP returns the correct result, the user may make a false statement to accuse the CSP of returning an incorrect outsourced decrypted ciphertext in order to avoid paying for resource consumption.
3.3 Problem Description and Design Objective
As analyzed in the above threat model, the new problems facing outsourced data sharing in this paper are as follows: 1) When decryption is performed by mobile devices, the decryption time is too long due to its limited computing power; 2) A semi-trusted CSP may not perform the outsourced decryption as requested by the user, but directly return a forged decryption result to the user in order to make more profit; 3) The user falsely claims that the CSP has returned the wrong decryption result for its benefit when the CSP returns the correct decryption result.
Based on the above problems, the design objectives of the proposed algorithm are as follows: 1) Shortening the decryption time of ciphertext; 2) Privacy-protected outsourced decryption; 3) Verifiability of outsourcing decryption.
3.4 Security Model
The security model guarantees that unauthorized attackers and malicious CSP cannot obtain any valuable information from the ciphertext. The traditional security definition for resisting adaptable selective ciphertext attack (CCA) [32] is to disallow changing any bits of the ciphertext, which is contrary to the ciphertext compression property of outsourced decryption. Therefore, it adopts the replayable chosen-ciphertext attack (RCCA) security, which allows the modification of a given legitimate ciphertext but not the underlying plaintext information.
Definition 2. RCCA security. A scheme is RCCA safe if the attacker 𝒜 can win the following game in probabilistic polynomial time by a negligible advantage AdvRCCAOur, 𝒜.
In this paper, a game between the challenger 𝒞 and the attacker 𝒜 is designed, and the game proceeds as follows.
1) Setup phase. The challenger 𝒞 runs the algorithm Setup(1𝜆, 𝑚) to generate the system parameters 𝑝𝑝 and the master key 𝑚𝑠𝑘, and sends 𝑝𝑝 to the attacker 𝒜.
2) Query phase 1. The challenger 𝒞 first initializes an empty table 𝑇 and an empty data set 𝐷. The attacker 𝒜 can repeat the following queries to the challenger 𝒞.
①Private key query 𝒬SK(IDi): the attacker 𝒜 submits the identity IDi to the challenger 𝒞 for private key query, if IDi ≠ IDcp* , the challenger 𝒞 runs the algorithm KeyGen (𝑝𝑝, 𝑚𝑠𝑘, IDi, [tIDi ,t′IDi ]) to generate the private key SKIDi and sends it to 𝒜.
②Authorization key query \(\begin{align}\mathcal{Q}_{\widetilde{S K}}\end{align}\) (IDi): 𝒜 makes a mobile user's authorization key query to the challenger 𝒞. The challenger 𝒞 first searches the information corresponding to the identity IDi in table 𝑇. If it finds the tuple (IDi, SKIDi, \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) ), it returns the authorization key \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) to the attacker 𝒜. Otherwise, the challenger 𝒞 runs KeyGen() to obtain the private key SKIDi corresponding to the identity IDi , runs AuthKeyGen(SKIDi, [tIDi, t′IDi ]) → \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) for the mobile user, adds the table 𝑇 into the tuple (IDi, SKIDi , \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) ), and finally the challenger 𝒞 sends (\(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) ) to 𝒜. It assumes that an attacker will not issue an authorization key query for the same identity IDi if it has already issued a private key query for the same identity. Since anyone can obtain a license key \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) by running the mobile user's license key generation algorithm using that user's private key, the assumptions are reasonable.
③User's final decryption query 𝒬Dec(IDi): 𝒜 submits (IDi, CTS|𝜔, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) to 𝒞 for the user's final decryption query. 𝒞 first searches for the tuple (IDi, SKIDi, \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) , \(\begin{align}\widetilde{\tau}\end{align}\) , \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CTF) in table 𝑇. If it finds the corresponding tuple about the identity IDi tuple, the decryption algorithm UsersDec(𝑝𝑝, SKIDi , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\) \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CTF) is executed and the decryption result is returned to 𝒜. If the corresponding tuple is not found, the challenger 𝒞 outputs ⊥.
3) Challenge phase. The attacker 𝒜 submits two challenge plaintexts (𝑀0, 𝑀1) to the challenger 𝒞. The challenger 𝒞 runs KeyEncrypt (𝑝𝑝, IDcp, 𝑀𝑏, 𝜔) to generate the challenge ciphertext CT*cp|𝜔 and sends CT*cp|𝜔 to the attacker 𝒜, where 𝑏 is chosen randomly at {0,1}.
4) Query phase 2. After receiving the challenge ciphertext, 𝒜 continues to initiate the private key query, the authorization key query, and the user's final decryption query as in query phase 1. The restriction of this phase query is that 𝒜 has never queried the private key of IDcp*and cannot be any 𝑆 at the same time querying 𝒬Dec(IDi) and 𝒬sk(IDi). That is if the decryption result of 𝒜 in the final decryption query is 𝑀0 or 𝑀1, then 𝒞 outputs ⊥ to 𝒜.
5) Guessing phase. The attacker 𝒜 outputs a guess value 𝑏′ ∈ {0,1}. If 𝑏′ = 𝑏, then the attacker 𝒜 wins. The advantage of the attacker 𝒜 win in the game is defined as
\(\begin{align}A d v_{\text {Our },{ }_{\mathcal{A}}}^{R C C A}=\left|\operatorname{Pr}\left[b^{\prime}=b\right]-\frac{1}{2}\right|\end{align}\).
4. Design of VTC-OD Scheme
4.1 Scheme Overview
Mobile cloud computing is a very attractive service paradigm in which data computation and storage are moved from mobile devices to the cloud. Mobile users with insufficient computing power can hardly afford the huge overhead of decryption computation due to the processor performance and battery capacity so that they outsource all decryption computation to CSP. However CSP may return incorrect decryption results to save computing resources. Since most current IBE encryption schemes are constructed based on elliptic curve or bilinear groups, more bilinear pairing and power operations are involved in the algorithm. Among them, in the phase of data decryption, the computation volume of authorized users performing decryption operations grows linearly with the number of authorized users |𝑆|. Since the computational outsourcing can effectively reduce the computational load of the mobile device, it is applied to improve the real-time computing efficiency. In addition, this paper mainly studies from the user's perspective since the user is only involved in the decryption phase. Therefore, the decryption outsourcing solution for cloud data sharing becomes an urgent need. Thus, an outsourcing decryption of verifiable transformed ciphertext scheme is proposed to alleviate the time-consuming problem of decryption in mobile devices, which mainly consists of four algorithms, i.e., AuthKeyGen, ProxyDec, Verify, UsersDec, as shown in Fig. 2.
Fig. 2. Outsourcing decryption of verifiable transformed ciphertext
1) AuthKeyGen(SKIDi ,[tIDi, t'IDi]) → \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) . User inputs the private key SKIDi , the start time tIDi of the authorized private key , and the end time t'IDi of the authorized private key, and it outputs the authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k_1}}\end{align}\) , \(\begin{align}{\widetilde{s k_2}}\end{align}\) 𝜎IDi , 𝑇𝑖).
2) ProxyDec(CTs|𝜔, \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) ) → \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\). CSP inputs the transformed ciphertext CTs|𝜔 = ( 𝐶′1, 𝐶′2, 𝐶′3, 𝐶′4, 𝐶′5, 𝐶′6) and the user's authorized private key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k_1}}\end{align}\), \(\begin{align}{\widetilde{s k_2}}\end{align}\) 𝜎IDi , 𝑇𝑖), and it outputs the partially decrypted ciphertext of the transformed ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\)= (\(\begin{align}{\widetilde{s k_1}}\end{align}\), \(\begin{align}{\widetilde{s k_2}}\end{align}\) 𝜎IDi , 𝑇𝑖).
3) Verify(𝑝𝑝, pk𝜎, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) → (1/0). User inputs the system public parameter 𝑝𝑝, the signed public key pk𝜎 of the CSP and the partially decrypted ciphertext returned by the CSP \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), and outputs 1 correctly and 0 otherwise.
4) UsersDec (𝑝𝑝, SKIDi, \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CTF) → (𝐹/⊥). The authorized users inputs the system parameters 𝑝𝑝, the user's private key SKIDi, the decryption parameters \(\begin{align}\widetilde{p k}\end{align}\) and \(\begin{align}\widetilde{\tau}\end{align}\) returned by the CSP, the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , the data ciphertext CTF, and outputs the plaintext message 𝐹 or the error flag ⊥.
To facilitate the description of the proposed algorithm, the definition of the symbols used in this paper is given in Table 1.
Table 1. Symbol definition
4.2 Generation of authorized keys
Since the existing IBE schemes whose decryption requires complex power and bilinear pairing operations, it takes a lot of time for mobile users with limited computing power to decrypt, and users who have expired the authorization period can still decrypt outsourced decrypted ciphertexts on CSP that have been accessed during the authorization period. The basic idea is that the mobile user outsources most of his complex decryption computation operations to the CSP without revealing his private key and data privacy. Therefore, the user sends the generated authorization key to the CSP by running the authorized key generation algorithm AuthKeyGen to blind the private key in order not to reveal the private key.
AuthKeyGen(SKIDi, [tIDi, t'IDi]) → \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) . The process is executed by the user. It is based on the private key SKIDi entered by the user, the start time of the authorized private key tIDi and the end time of the authorized private key t'IDi, and outputs authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k}}_{1}\end{align}\) , \(\begin{align}{\widetilde{s k}}_{2}\end{align}\) , 𝜎𝐼𝐷𝑖 , 𝑇𝑖). The specific calculation procedure is as follows:
First, the user generates the authorized key using his private key. The algorithm randomly selects a random number 𝜃 ∈ ℤ∗𝑞 and makes \(\begin{align}{\widetilde{p k}}\end{align}\) = 𝜃, and performs a mask operation on the user's private key SKIDi = (𝑠𝑘1, 𝑠𝑘2, 𝜎𝐼𝐷𝑖) to generate the authorized key. The authorized key is calculated by
\(\begin{align}{\widetilde{SK}_{ID_l}}=\left\{\begin{array}{l}\widetilde{s k_1}=s k_{1}=g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}} ; \\ \widetilde{s k_2}=s k_{2}{ }^{\widetilde{p k}}=\left(y_{\left\{t_{I D_{i}},\right.}, t_{I D_{i}}^{\prime}\right\}^{r_{i} \cdot \widetilde{p k}}=h^{r_{i} \cdot \widetilde{p k} \cdot a^{t_{I D_{i}}} b^{z-t_{I D_{i}}^{\prime}}};\\ \sigma_{I D_{i}}=g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}} ;\\ \\ T_{i}=\left[t_{I D_{i}}, t_{I D_{i}}^{\prime}\right].\end{array}\right.\end{align}\) (1)
Second, the user initiates an authorization decryption operation request to the CSP. The user sends the authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) output by the algorithm to the CSP.
Finally, after the CSP accepts the request, the user sends the authorized key to the CSP and stores the decryption parameters \(\begin{align}{\widetilde{p k}}\end{align}\) locally.
4.3 Partial decryption of transformed ciphertext
CSP can provide outsourcing decryption service for the user because of its powerful computing power. When CSP receives the authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) of the user’s decryption request, he gets the current time 𝑡𝑥 and then runs the partial decryption algorithm ProxyDec to perform partial decryption of transformed ciphertext for the user and sends the partially decrypted ciphertext to the user.
ProxyDec(CTs|𝜔, \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) ) → \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) . The process is performed by CSP. It inputs the transformed ciphertext CTs|𝜔 = (𝐶′1, 𝐶′2, 𝐶′3, 𝐶′4, 𝐶′5, 𝐶′6) , the user's authorized private key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k}}_{1}\end{align}\) , \(\begin{align}{\widetilde{s k}}_{2}\end{align}\) , 𝜎𝐼𝐷𝑖 , 𝑇𝑖), and outputs partial decryption of the transformed ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) = (\(\begin{align}{\widetilde{D K}}_{ID_l}\end{align}\) , 𝜑). The specific calculation procedure is as follows:
First, the CSP determines whether the end time of the authorized user 𝑇𝑖 = [tIDi, t'IDi] has been forged or tampered with based on t'IDi in the user's authorized private key. The verification formula is
\(\begin{align}e\left(g^{H_{1}\left(t_{I D_{i}}^{\prime}\right)} \cdot g^{\beta}, g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}}\right) \stackrel{?}{=} e(g, g)\end{align}\). (2)
If Formula (2) does not hold, CSP returns the error flag ⊥ and marks the identity of this authorized user as a revoked user. Otherwise, the CSP marks the authorized user as revoked based on \(\begin{align}\widetilde{s k_{2}}=\left(y_{\left\{t_{I D_{i}},\right.}, t_{I D_{i}}^{\prime}\right)^{r_{i} \cdot \widetilde{p k}}=h^{r_{i}} \cdot \widetilde{p k} \cdot a^{t_{I D_{i}} \cdot b^{z-t_{I D_{i}}}}\end{align}\), which further determines whether the authorization period of this user has expired or not. Applying Formula (1), if the multidimensional range derivative function is not computable to output the error flag ⊥, it indicates that 𝑡𝑥 ≤ tIDi or tx ≥ t'IDi , i.e., the authorization period of the user's private key has expired. In this case, the CSP terminates the partial decryption operation. If the multidimensional range derivation function is computable, it indicates that tIDi ≤ 𝑡𝑥 and t'IDi ≥ 𝑡𝑥 , i.e., the authorization period of the user's private key has not expired. The multidimensional range derivation function is specifically computed by
\(\begin{align}F_{x}=F_{t_{I D_{i}} \leq t_{x}, t_{I D_{i}}^{\prime}}^{\prime} \geq t_{x}\left(y_{\left\{t_{I D_{i}},\right.} t_{I D_{i}}^{\prime}\right\}^{r_{i} \cdot \widetilde{p k}}=\left(y_{\left\{t_{x}, t_{x}\right\}}\right)^{r_{i} \cdot \widetilde{p k}}\end{align}\) . (3)
After calculating the 𝐹𝑥, it is combined with formulas (4)-(6) to calculate
\(\begin{align}\varphi=\frac{C_{5}^{\prime}}{F_{x}}=\frac{h^{r_{j} \cdot a^{t_{c}} \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \widetilde{p k} \cdot a^{t_{x}} \cdot b^{z-t_{x}}}}\end{align}\). (4)
From formula (4), it shows that the calculation of 𝜑 is different from the calculation of 𝜀 in the decryption step. The decryption operation was previously considered to be performed by the user on his local machine. However, considering the limited computing power of the users of mobile devices, some decryption operations on the user side need to be handed over to the CSP. The decryption operations are performed on the user's local machine.
Second, CSP calculates 𝑠𝑘1 = \(\begin{align}g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}\end{align}\) based on the user's authorization key by
\(\begin{align}\tilde{B}=\left(e\left(C_{1}^{\prime}, h^{\rho_{i, S}(\alpha)}\right) \cdot e\left(s k_{1}, C_{2}^{\prime}\right)\right)^{\frac{1}{\Pi_{j=1, j \neq i}^{S} H_{1}\left(I D_{j}\right)}}\end{align}\) (5)
where 𝜌𝑖,𝑆(𝛼) = \(\begin{align}\frac{1}{\alpha} \cdot\left(\prod_{j=1, j \neq i}^{s}\left(\alpha+H_{1}\left(I D_{j}\right)\right)-\prod_{j=1, j \neq i}^{s} H_{1}\left(I D_{j}\right)\right)\end{align}\) . Substituting 𝐶′1 = 𝑔1−𝑟′ and 𝐶′2 = ℎ𝑟′⋅𝜫𝒏𝒋=𝟏 (𝛼+𝐻1(IDj)) into formula (5), it uses polynomial interpolation to calculate
\(\begin{align}\tilde{B}=\left(e\left(g^{\alpha \cdot\left(-r^{\prime}\right)}, h^{\rho_{i, S}(\alpha)}\right) \cdot e\left(g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}, h^{r^{\prime} \cdot \Pi_{j=1}^{n}\left(\alpha+H_{1}\left(I D_{j}\right)\right)}\right)\right)^{\frac{1}{\Pi_{j=1, j \neq i}^{S} H_{1}\left(I D_{j}\right)}}=e(g, h)^{r^{\prime}}\end{align}\) (6)
After obtaining \(\begin{align}\tilde{B}\end{align}\) , it substitutes \(\tilde{B}\) into 𝐶′3 = 𝐻2(𝑒(𝑔, ℎ)𝑟′ ) ∙ ℎ𝑠 , and yields 𝐶′3 = 𝐻2(𝑒(𝑔, ℎ)𝑟′ ) ∙ ℎ𝑠. From ℎ𝑠 it can be calculated by
\(\begin{align}\widetilde{D K_{I D_{l}}}=\frac{C_{6}^{\prime}}{e\left(h^{s}, C_{4}^{\prime}\right)}\end{align}\) (7)
Substituting 𝐶′4 = (𝑢 ∙ 𝜇𝜔) 𝑟⋅(𝛼+𝐻1(IDcp)) and 𝐶′6 = 𝑀 ⋅ 𝑒 (𝑔, ℎ𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐 ) 𝑟𝑗 ∙ 𝑒( ℎ𝑟∙𝑠, (𝑢 ∙ 𝜇𝜔)(𝛼+𝐻1((IDcp))) into formula (7), it has
\(\begin{align}\widetilde{D K_{I D_{l}}}=\frac{C_{6}^{\prime}}{e\left(h^{s}, C_{4}^{\prime}\right)}=M \cdot e\left(g, h^{a^{t_{c} \cdot b^{z-t_{c}}}}\right)^{r_{j}}\end{align}\) (8)
After computing \(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\), CSP applies the evidence generation algorithm Prove(𝑝𝑝, 𝑠𝑘𝜎, 𝑥) for the verifiable random function, and randomly selects a random number 𝛿 ∈ ℤ∗𝑞 such that 𝑥 = \(\begin{align}\delta \| \widetilde{D K_{I D_{l}}}\end{align}\) . Let the signature key pair of CSP be (pk𝜎, 𝑠𝑘𝜎) = (𝛾, 𝑔𝛾2) . Applying verifiable random functions (VRF) [33-34], the VRF evidence generation algorithm outputs 𝑃 = (𝑥, 𝑦, π), where 𝑦 = \(\begin{align}\mathrm{e}\left(g_{2}, g_{2}\right)^{\frac{1}{H_{1}(x)+\gamma}}\end{align}\) is the VRF function value, π = \(\begin{align}g_2{\frac{1}{H_{1}(x)+\gamma}}\\\end{align}\) is the evidence.
Applying formulas (4) and (8) and 𝑃, CSP calculates the partially decrypted ciphertext by
\(\begin{align}\widetilde{C T_{S \mid \omega}}=\left(\widetilde{D K_{I D_{l}}}, \varphi, x, y, \pi\right)\end{align}\) (9)
Finally, the CSP sends the partial decryption result of the computed transformed ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) to the user.
4.4 Verification of partial decryption of transformed ciphertext
Although CSP can provide users with powerful decryption outsourcing computing services, CSP may not execute the outsourced decryption requests initiated by users, and try to falsify the outsourced decryption results to return to users. Therefore, the user needs to verify the correctness of the decrypted ciphertext sent by the CSP before performing the decryption operation. When the user obtains the partially decrypted ciphertext returned by the CSP \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), he uses the signed public key pk𝜎 of the CSP to verify the correctness of the partially decrypted ciphertext.
Verify(𝑝𝑝, pk𝜎, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) → (1/0). The process is performed by the user. It inputs the system public parameter 𝑝𝑝, the signed public key pk𝜎 of the CSP and the partially decrypted ciphertext returned by the CSP \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) = (\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) , 𝜑, 𝑥, 𝑦, π), and outputs 1 which means the partially decrypted ciphertext is correct, and outputs 0 which means CSP returns the wrong outsourced decryption result. The specific calculation process is as follows:
First, when the user obtains the partially decrypted ciphertext returned by the CSP, he applies the CSP's public key pk𝜎 to initiate a verification request on the partially decrypted ciphertext returned by the CSP.
Second, the user runs the decryption verification algorithm Verify(𝑝𝑝, pk𝜎, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) of the transformed ciphertext to judge the result returned by CSP, and the verification formula is
\(\begin{align}\left\{\begin{array}{l}y \stackrel{?}{=} e\left(g_{2}, \pi\right) \\ e\left(g_{2}{ }^{H_{1}(x)} \cdot p k_{\sigma}, \pi\right) \stackrel{?}{=} e\left(g_{2}, g_{2}\right) .\end{array}\right.\end{align}\) (10)
If formula (10) does not hold, the algorithm outputs 0 and the user terminates the decryption operation. If the algorithm outputs 1, it indicates that the partially decrypted ciphertext returned by the CSP is correct, i.e., the verifiability of the outsourced decryption is achieved.
Finally, if the user gets an output value of 1 from the verification algorithm, the final decryption algorithm can be executed.
4.5 Final decryption of transformed ciphertext
After the user receives the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) from the CSP, he downloads \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) and the data ciphertext CTF to the local area, and decrypts the data. The user does it with the assistance of the CSP to connect to the network and get the timestamp 𝑡𝑦 of the decryption request from the CSP, then runs the final decryption algorithm UsersDec(𝑝𝑝, SKIDi , \(\begin{align}\widetilde{pk}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\) , \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CTF) for the transformation ciphertext. Eventually, the transformed ciphertext is decrypted to obtain the plaintext.
1) Getting timestamp
First, the CSP makes a judgment according to formula (1). If the multidimensional range derivative function is not computable to output the error flag ⊥, it indicates that the time 𝑡𝑦 of the user's decryption request is not within the user's authorized time range [𝑡𝑥, 𝑡′𝐼𝐷𝑖 ], and the algorithm terminates the decryption operation. If the multidimensional range derivation function is computable, it indicates that the time 𝑡𝑦 of the user's decryption request is within the user's authorized time range [𝑡𝑥, 𝑡′𝐼𝐷𝑖], i.e., the authorization period of the user's private key has not expired. Its calculation formula is
\(\begin{align}F_{y}=F_{t_{x} \leq t_{y}, t_{I D_{i}}^{\prime} \geq t_{y}} F_{x}=h^{\widetilde{p k} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}\end{align}\). (11)
Next, after deriving 𝐹𝑦 according to formulas (5)-(11), it is combined with formula (3) to calculate
\(\begin{align}\tilde{\varphi}=\frac{F_{x}}{F_{y}}=\frac{h^{r_{i}} \cdot \tilde{p k} \cdot a^{t_{x}} \cdot b^{z-t_{x}}}{h^{\widetilde{p k} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}}\end{align}\). (12)
Finally, the CSP returns the time-dependent parameter \(\begin{align}\tilde{\tau}=\left(t_{y}, \tilde{\varphi}\right)\end{align}\) to this user.
2) Final decryption of the transformed ciphertext
The final decryption algorithmUsersDec is run to obtain the plaintext when the user gets the time-related parameter \(\begin{align}\widetilde{\tau}\end{align}\) of the decryption request from the CSP.
UsersDec(𝑝𝑝, SKIDi , \(\begin{align}\widetilde{pk}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CTF) → (𝐹/⊥) . The authorized users execute the algorithm. It inputs the system parameters 𝑝𝑝, the user's private key SKIDi , the decryption parameters \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) and 𝜏̃ returned by the CSP, the partially decrypted ciphertext \(\begin{align}\widetilde{p k}\end{align}\) and the data ciphertext CTF, and outputs the plaintext 𝐹 or the error flag ⊥. The specific computation process is as follows:
First, the algorithm calculates the timestamps 𝑡𝑦 and 𝑠𝑘2 = ℎ𝑟𝑖∙𝑎𝑡𝐼𝐷𝑖∙𝑏 𝑧−𝑡′𝐼𝐷𝑖 for the user’s decryption request by
\(\begin{align}\widetilde{F_{y}}=F_{t_{I D_{i}} \leq t_{y}, t_{I D_{i}}^{\prime} \geq t_{y}}\left(y_{\left\{t_{I D_{i}}, t_{\left.I D_{i}\right\}}^{\prime}\right\}}\right)^{r_{i}}=h^{r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}=\left(y_{\left\{t_{y}, t_{y}\right\}}\right)^{r_{i}}\end{align}\) (13)
Second, from formulas (5)-(13) and 𝜏̃, 𝜑 returned by CSP, the user's \(\begin{align}\widetilde{p k}\end{align}\) = 𝜃 can be calculated by
\(\begin{align}\widetilde{A=} \varphi \cdot \widetilde{F_{y}}{ }^{\widetilde{p_{k}}} \cdot \tilde{\varphi}=h^{r_{j} \cdot a^{t_{c} \cdot} \cdot b^{z-t_{c}}}\end{align}\). (14)
From formula (14), the construction of \(\begin{align}\widetilde{A}\end{align}\) nsures that only legitimate users within the authorization period can eventually decrypt the transformed ciphertext, and malicious CSP or illegal users cannot access and decrypt it.
Finally, applying \(\begin{align}\widetilde{p k}\end{align}\) = 𝜃, CTF, \(\begin{align}\widetilde{A}\end{align}\) and \(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\), it can obtain the plaintext by
\(\begin{align}\frac{C T_{F}}{\widetilde{D K_{I D_{l}}} \cdot \mathrm{e}(g, \tilde{A})^{-1}}=\frac{F \cdot M}{M \cdot e\left(g, h^{a^{t} c \cdot b^{z-t_{c}}}\right)^{r_{j}} \cdot e\left(g, h^{r_{j} \cdot a^{t^{c}} \cdot b^{z-t_{c}}}\right)^{-1}}=F\end{align}\).
The algorithm finally returns the output plaintext 𝐹 to this user.
5. Security analysis
5.1 Correctness of ciphertext
Ciphertext correctness means that when a user sends the authorization key \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) to the CSP, CSP correctly executes the partial decryption algorithm of the transformed ciphertext and correctly generates the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) so that the user who has not been exceeded the authorization period can correctly decrypt the ciphertext and obtain the original plaintext with his private key.
Lemma 2. Given the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) correctly executed by the CSP, any authorized user within the authorization period, i.e., ID𝑖 ∈ 𝑆 and 𝜔 = 𝜔′ , can use the private key SKIDi provided by KGC and 𝜏̃ returned by CSP to perform the final decryption of the transformed ciphertext and obtain the originally shared plaintext 𝐹.
Proof: for the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) which is correctly transformed by the CSP, any user under the condition that ID𝑖 ∈ 𝑆 and 𝜔 = 𝜔′ can perform the decryption algorithm by entering his private key SKIDi and 𝜏̃ returned by the CSP.
First, the algorithm uses 𝑠𝑘2 in the private key to compute
Second, applying \(\begin{align}\widetilde{F_{y}}, \widetilde{\varphi}=\frac{h^{r_{i}} \cdot \widetilde{p_{k}} \cdot a^{t_{x}} \cdot b^{z-t_{x}}}{h^{\widetilde{p k} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}}\end{align}\) and \(\begin{align}\varphi=\frac{h^{r_{j} \cdot a^{t^{c}} \cdot \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \theta \cdot a^{t_{x} \cdot b^{z-t_{x}}}}}\end{align}\), it has
\(\begin{align}\tilde{A}=\varphi \cdot \widetilde{F}_{y}{ }^{\widetilde{p k}} \cdot \tilde{\varphi}=\frac{h^{r_{j} \cdot a^{t_{c}} \cdot b^{z-t_{c}}}}{h^{r_{i}} \widetilde{p_{k} \cdot} \cdot a^{t_{x} \cdot b^{z-t_{X}}}} \cdot h^{{\widetilde{p k}} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}} \cdot \frac{h^{r_{i}} \cdot \widetilde{p k} \cdot a^{t_{x} \cdot b^{z-t_{x}}}}{h^{\widetilde{p k}} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}} = h^{{r_{j}} \cdot a^{t_{c} \cdot b^{z-t_{c}}}}\end{align}\)
Finally, the plaintext 𝐹 can be obtained applying \(\begin{align}\widetilde{p k}\end{align}\) = 𝜃, CTF, \(\begin{align}\widetilde{A}\end{align}\) and \(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) by
\(\begin{align}Left=\frac{C T_{F}}{\widetilde{D K_{I D_{l}}} \cdot \mathrm{e}(g, \tilde{A})^{-1}} = \frac {F \cdot M} {M \cdot e\left(g, h^{a^{t_{c}} \cdot b^{z-t_{c}}}\right)^{r_{j}} \cdot e\left(g, h^{r_{j} \cdot a^{t^{t}} \cdot b^{z-t_{c}}}\right)^{-1}} =Right\end{align}\)
So when IDi ∈ 𝑆, it has UserDec(𝑝𝑝, SKIDi , \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\) , \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CTF) = 𝐹.
From the above proof process, it is obvious that the partially decrypted ciphertext which is correctly transformed by the CSP can be decrypted by the authorized unexpired user with the private key to obtain the original plaintext.
5.2 Proof of security
5.2.1 Resisting unauthorized ciphertext decryption attacks
Unauthorized ciphertext decryption attack refers to the possibility that unauthorized users and semi-trusted CSP may try to decrypt partially decrypted ciphertexts without private keys by means of spoofing, eavesdropping, brute force cracking, etc.
Assume that the attacker 𝒜 can breach the proposed scheme in this paper with a negligible advantage AdvRCCAOur, 𝒜 in probabilistic polynomial time. It can construct an algorithm ℬ simulating the interaction between the challenger 𝒞 and the attacker 𝒜. The specific RCCA secure instance is described as follows.
1) Setup phase: given the system security parameter 𝜆 and the maximum number of receivers 𝑚 allowed in encryption. It first runs the algorithm Setup(1𝜆, 𝑚) to obtain the group-related parameters (𝑞, 𝔾, 𝔾𝑇, 𝑒), where 𝔾 and 𝔾𝑇 are multiplicative cyclic groups of order prime 𝑞, 𝑒: 𝔾 × 𝔾 → 𝔾𝑇 is a bilinear map, and 𝑔 and ℎ are two generating elements of the group 𝔾. Then it chooses the two hash functions 𝐻1: {0, 1}∗ → ℤ∗𝑞 and 𝐻2: 𝔾𝑇 → 𝔾, several random numbers (𝛼, 𝛽, 𝛾, 𝑣) ∈ ℤ∗𝑞 , computes 𝑢 ∙ 𝜇 = ℎ𝛾,(𝑢 ∙ 𝜇)𝛼 = ℎ𝛼𝛾, pksign = 𝑔𝛽, and sets the maximum number 𝑚 = 𝑛 of data users allowed to access the same data. Finally, the algorithm outputs the master key 𝑚𝑠𝑘 = 𝛼 and the system public parameters 𝑝𝑝 = (𝑞, 𝔾, 𝔾𝑇, 𝑒(𝑔, ℎ), 𝑔1, pksign, 𝑢, 𝑢𝛼, ℎ, ℎ𝛼, ℎ𝛼2 , … , ℎ𝛼𝑛 , 𝐻1, 𝐻2).
2) Query phase 1: The attacker 𝒜 can repeat the following query to the challenger 𝒞.
①Private key query 𝒬SK(IDi): the attacker 𝒜 initiates a private key query request. First,𝒜 sends ℬ the identity IDi that asks for the. If IDi = ID*, ℬ returns the invalid flag ⊥; otherwise, ℬ queries the identity IDi in table 𝑇 to process as follows. If (IDi, SKIDi) exists, then ℬ returns the private key SKIDi and its corresponding authorization period [tIDi, t'IDi] to the attacker 𝒜. Otherwise, ℬ applies the identity and authorization period [tIDi, t'IDi] of the attacker 𝒜 to compute SKIDi = (𝑠𝑘1 = \(\begin{align}g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}\end{align}\) , 𝑠𝑘2= ℎ𝑟𝑖∙𝑎𝑡𝐼𝐷𝑖∙𝑏𝑧−𝑡′𝐼𝐷𝑖 , 𝜎𝐼𝐷𝑖 = \(\begin{align}g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}}\end{align}\) and return it to the attacker 𝒜, while recording (IDi, 𝑤𝑖, SKIDi) in Table 𝑇1.
②Authorization key query: The attacker 𝒜 makes a user authorization key query to the challenger 𝒞. The challenger 𝒞 first searches the information corresponding to the identity IDi in table 𝑇. If it finds the tuple (IDi, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\), \(\begin{align}\widetilde{p k}\end{align}\) ), then it directly returns the authorization key \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) to the attacker𝒜. Otherwise, the challenger 𝒞 runs the private key generation algorithm to obtain the private key SKIDi corresponding to the identity IDi, and then runs the user authorization key generation algorithm AuthKeyGen(SKIDi, [tIDi, t'IDi]) to compute \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) = (𝑠𝑘1 = \(\begin{align}g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}\end{align}\) , \(\begin{align}\widetilde{s k_{2}} = sk_2^{\widetilde{p k}} = h^{{r_{i}} \widetilde{p k} \cdot a^{t_{I D}} i \cdot b^{z-t_{I D_{i}}^{\prime}}}\end{align}\) , \(\begin{align}\sigma_{I D_{i}}=g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}}\end{align}\), Ti = [tIDi, t'IDi]) and add the tuple (IDi, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) , \(\begin{align}\widetilde{p k}\end{align}\)) to the table 𝑇. Finally, 𝒞 sends (\(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\), \(\begin{align}\widetilde{p k}\end{align}\)) to 𝒜.
③Partial decryption query 𝒬CSP(IDi): the attacker 𝒜 submits the authorization key and ciphertext CTS|𝜔 corresponding to the identity IDi to the challenger 𝒞 for decryption query. The challenger 𝒞 first runs the private key generation algorithm to generate the private key \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) corresponding to the identity IDi . Then it executes the decryption algorithm ProxyDec(CTS|𝜔, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) ) to compute the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) = (\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) = 𝑀 ⋅ 𝑒(𝑔, ℎ𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐 )𝑟𝑗 , \(\begin{align}\varphi=\frac{h^{r_{j} \cdot a^{t_{c}} \cdot \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \widetilde{p^{\prime}} \cdot a^{t^{t}} x \cdot b^{z-t_{x}}}}\end{align}\), and finally returns \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) to the attacker 𝒜.
④Final decryption query 𝒬Dec(IDi): the attacker 𝒜 submits (IDi, CTS|𝜔, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) to the challenger 𝒞 for the final decryption query of the authorized user. The challenger 𝒞 first searches for the tuple (IDi, SKIDi , \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CTF)in table 𝑇. If it finds the corresponding tuple about identity IDi , it executes the authorized user decryption algorithm UserDec(𝑝𝑝, SKIDi , \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CTF) to compute \(\begin{align}\widetilde{F_{y}}\end{align}\)= (𝑦{𝑡𝑦,𝑡𝑦})𝑟𝑖 and \(\begin{align}\widetilde{A}\end{align}\) = ℎ𝑟𝑗⋅𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐 and returns the decryption result to the attacker 𝒜. If the corresponding tuple is not found, the challenger 𝒞 outputs ⊥.
3) Challenge phase. The attacker 𝒜 submits two challenge plaintexts (𝑀0, 𝑀1) to the challenger 𝒞 .The challenger 𝒞 first runs KeyEncrypt(𝑝𝑝, 𝐼𝐷cp, 𝑀𝑏, 𝜔) to generate the original ciphertext CT*cp|𝜔 , where 𝑏 is chosen randomly at {0,1}, then runs Trans(𝑝𝑝, 𝑇𝑘cp→𝑆|𝜔, CTcp|𝜔, 𝑡𝑐) to convert the ciphertext CT*cp|𝜔 to CT*S|𝜔 using the authorization token 𝑇𝑘cp→𝑆|𝜔 , and finally runs ProxyDec(CTS|𝜔, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) ) to compute a partially transformed decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\)= (\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) = 𝑀 ⋅ 𝑒(𝑔, ℎ𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐 )𝑟𝑗, \(\begin{align}\varphi=\frac{h^{r_{j} \cdot a^{t^{c}} \cdot \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \theta \cdot a^{t_{x} \cdot b^{z-t_{x}}}}}\end{align}\) and send it to the attacker𝒜 as a challenge.
4) Query phase 2. In addition to the restrictions described in the RCCA game, the attacker 𝒜 continues with the queries in query phase 1.
5) Guessing phase. The attacker 𝒜 outputs a guess 𝑏′ ∈ {0,1}, and if 𝑏′ = 𝑏, then the attacker 𝒜 wins.
Probabilistic analysis: if the attacker 𝒜 can break the security of RCCA in the above RCCA security game with negligible probability \(\begin{align}\left|\operatorname{Pr}\left[b^{\prime}=b\right]-\frac{1}{2}\right|\end{align}\) of the VTC-OD scheme, the security of RCCA can be breached. But the above probability depends on the random number 𝑏′ used by the attacker 𝒜 and the challenger 𝒞, and the probability of the random number 𝑏′ is \(\begin{align}\frac{1}{2}\end{align}\) and non-negligible, so the security of RCCA cannot be breached, i.e., it can resist unauthorized access attacks.
5.2.2 Resisting forgery and repudiation attacks
The forgery attack means that a semi-trusted CSP may return a random outsourced decryption message without actually performing the outsourced decryption. The repudiation attack means that even if the CSP returns the correct result, the user makes a false statement to accuse the CSP of returning an incorrect outsourced decryption result to evade outsourcing decryption fee.
Referring to the verifiable random function VRF has the binding property, the value 𝑦𝑦 of the VRF function in the verification auxiliary message 𝑝 returned by the CSP can be used to achieve verifiability of the outsourced decryption. In the process of CSP executing the partial decryption, the CSP uses the signed private key sk𝜎 to compute the VRF evidence 𝜋 on the combination 𝛿||\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) . If the CSP incorrectly performs the outsourced decryption, it sends an incorrectly transformed outsourced decryption ciphertext to the authorized user, i.e., \(\begin{align}{\widetilde{C T_{S \mid \omega}}}^{*}\end{align}\) ≠ \(\begin{align}{\widetilde{C T_{S \mid \omega}}}\end{align}\) . In this case, the authentication algorithm of the VRF results in that formula (9) does not hold, i.e., 𝑦 ≠ e(𝑔2, π) and e(𝑔2𝐻1(𝑥) ∙ pk𝜎, π) ≠ e(𝑔2, 𝑔2), and the authorized user will recover a different combination from the outsourced decrypted ciphertext, i.e.𝛿∗||\(\begin{align}\widetilde{D K_{I D_{l}}}^{*}\end{align}\) ≠ 𝛿||\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) . Because, the VRF binding ensures that for different inputs 𝑥, the VRF function value 𝑦 is different. Therefore, 𝑦 does not match 𝑥 and the outsourced decryption is incorrect.
If the authorized user accuses the CSP of returning an incorrect outsourced decryption ciphertext, he needs to forge an evidence π. Similarly, the CSP executes the verification algorithm of the VRF function. If it outputs 0, formula (9) does not hold, i.e., 𝑦 ≠ e(𝑔2, π) and e(𝑔2 𝐻1(𝑥) ∙ pk𝜎, π) ≠ e(𝑔2, 𝑔2), and the authorized user lies. Therefore, the algorithm can resist the forgery attack of CSP and the repudiation attack of authorized users.
6. Performance analysis
6.1 Theoretical analysis
In this section, Table 2 gives a comparison of the computational overhead of decryption between the scheme VTC-OD in this paper and the attribute-based outsourced decryption scheme FA-ABE [3] and the revocable identity-based broadcast proxy re-encryption scheme RIB-BPRE [29]. Both the proposed scheme and the compared schemes dynamically share encrypted data by updating the re-encrypted key and generating a re-encrypted ciphertext, and both of the above compared schemes are representative of their respective fields. The exponential operations and bilinear pairing calculations are mainly considered in the computational overhead. The hash function is omitted here since it is much smaller than the operation of bilinear pairing and exponential in the group. In the table, |𝑺| denotes the total number of authorized user identity sets 𝑺, |𝑰| denotes the number of attributes that satisfy the access policy, 𝒕𝒆 denotes the time spent to perform one exponential operation, and 𝒕𝒑 denotes the time spent to perform one bilinear pairing operation.
Table 2. Comparison of the computational overhead
As can be seen from Table 2, the proposed scheme needs to perform the exponential operation in group 𝔾 twice in the user authorization key generation phase. In the partial decryption phase of CSP, the computation overhead of scheme FA-ABE grows linearly with the number of attributes of the access policy, and the computation overhead of RIB-BPRE is 0 because it does not implement outsourced decryption, and the computation overhead of VTC-OD grows linearly with the authorized users |S|. In the verification phase, VTC-OD performs one more bilinear pairing operation than FA-ABE, and the overhead of RIB-BPRE is 0 because the verifiability is not implemented. In the final user decryption phase, the cost of RIB-BPRE is linearly related to the authorized users |𝑺|, and VTC-OD performs one less exponential operation than FA-ABE, and its computational overhead is slightly smaller.
6.2 Experimental analysis
To further compare the performance of the proposed algorithm, we choose the experimental environment of CSP with AliCloud shared standard (1 core 2G) ECS and universal (4 core 16G) ECS, operating system Ubuntu 20.04 64-bit, and the experimental environment of user with Xiaomi Mi MIX2 cell phone (Snapdragon 835). The elliptic curve chosen for the experiment is Type A(y^2=x^3+x), so q is a 160-bit prime, 𝔾 element has a size of 256 bits. JPBC library is used in the experiments to implement the proposed and compared schemes. Run 20 times for each experimental to obtain the average execution time as the final experimental data, set the maximum of the authorized users 𝑚 = 100, and vary |S| from 20 to 100. Considering that this paper focuses on outsourcing decryption, only the decryption algorithms are compared here to analyze the performance experimentally.
1) Computational overhead on the user side
The computational overhead at the user side refers to the execution time of the three-step operations of the mobile user to perform the authorized key generation, the partial transformed ciphertext decryption verification, and the final transformed ciphertext decryption.
The execution time of authorization key generation AuthKeyGen(. ) is shown in Fig. 3. The overhead of both RIB-BPRE and FA-ABE is 0 since they do not execute this operation. The overhead of VTC-OD is greater and independent of the number of authorized users |S| since the mobile user blinds his private key in this stage, and he is independent of the other users. The execution time of the partial decryption verification Verify(. ) is shown in Fig. 4. The computational overhead of RIB-BPRE is 0 since it does not perform the verification process on the transformed ciphertext of CSP. The computational overhead of VTC-OD is slightly larger than that of FA-ABE since VTC-OD performs one more bilinear pairing operation when verifying the partially decrypted ciphertext returned by CSP.
Fig. 3. Time of the authorization key generation
Fig. 4. Time of partial decryption verification
The execution time of the final decryption UsersDec(.) is shown in Fig. 5. The cost of VTC-OD is independent of the number of authorized users and is less than that of FA-ABE, since it performs one less exponential operation when users perform the final decryption of the transformed ciphertext. Moreover, the overhead of VTC-OD is also lower than that of RIB-BPRE, since VTC-OD outsources the mobile user’s complex bilinear pairing operations and exponential operations to the CSP so that the mobile user only performs a small part of the decryption computation, which greatly reduces the computation overhead of the mobile user.
Fig. 5. Time of the final decryption
2) Computational overhead on the CSP side
The computation overhead of the CSP is the time that the CSP calculates the decryption timestamp parameter or performs the partial decryption of the transformed ciphertext based on the decryption request from the mobile user. For the transformation ciphertext partial decryption ProxyDec(. ), CSPs with different performance execute the experiments, and the results are shown in Fig. 6 (a) and (b), respectively.
Fig. 6. Partial decryption time of transformed ciphertext
When using a 1-core 2G ECS, it can be seen in Fig. 6 (a) that the computation overhead of FA-ABE is much larger than that of RIB-BPRE and VTC-OD, since the computation overhead of CSP for FA-ABE is positively related to the number of attributes of access policy when computing both exponential and bilinear pairing operations. However, the computation overhead of CSP for VTC-OD is slightly larger than that of RIB-BPRE, since VTC-OD outsources part of the user’s decryption to CSP for calculation, and performs more operations than RIB-BPRE. In addition, the computation overhead of FA-ABE grows rapidly with the number of attributes of the access policy. Also, the overhead of RIB-BPRE and VTC-OD grows linearly with the number of authorized users, but its growth is slow.
By comparing Fig. 6 (a) and (b), it can be seen that when using a 4-core 16G ECS, the execution time of CSP for FA-ABE, RIB-BPRE and VTC-OD is approximately 30ms, 10ms, and 41ms lower than that of using a 1-core 2G ECS, respectively. The reason is that CSP equipped with better performance has faster computation speed and shorter outsourced decryption time.
3) Total computational overhead of decryption
The total computation overhead of decryption refers to the sum of the time consumed by the user and the CSP in the decryption, and contains four algorithms: the generation algorithm of the authorized key, the partial decryption algorithm of the transformed ciphertext, the verification algorithm of the partial decryption of the transformed ciphertext, and the final decryption of the transformed ciphertext. Thus, CSPs with different performance execute the experiments, and the results are shown in Fig. 7 (a) and (b), respectively.
Fig. 7. Total computational time of decryption
When using a 1-core 2G ECS, it can be seen in Fig. 7 (a) that the total computation time of VTC-OD is smaller than that of RIB-BPRE since the user of VTC-OD outsources the complex bilinear pairing and power operations to the computationally powerful CSP, which reduces the user’s computation overhead and makes the total decryption overhead slightly smaller. In addition, the total computation time of FA-ABE grows linearly and rapidly with the number of attributes, but that of RIB-BPRE and VTC-OD grows slowly with the number of authorized users and remains the same. The reason is that although both FA-ABE and VTC-OD implement outsourced decryption, the computation overhead at the CSP side for FA-ABE increases significantly with the number of attributes.
By comparing Fig. 7 (a) and (b), it can be seen that when using a 4-core 16G ECS, the execution time of CSP for FA-ABE, RIB-BPRE and VTC-OD is about 30ms, 8ms and 28ms less than that of using a 1-core 2G ECS, and the total decryption time of VTC-OD is the smallest. Thus, it can be concluded that VTC-OD reduces the decryption time of mobile devices with limited computing power, since the CSP with better performance has more computational power and performs outsourced decryption faster.
In summary, the proposed algorithm achieves both the outsourced decryption function and the verifiable function of the mobile user for the partially decrypted ciphertext returned by the CSP. Moreover, the proposed algorithm can decrypt the ciphertext without revealing it to the CSP. Also, it can be seen that the decryption computation overhead at the mobile user side is reduced by outsourcing the complex decryption computation to the CSP.
7. Conclusion
To address the problem that mobile devices with limited computational power take too long to decrypt the shared ciphertext, an outsourcing decryption scheme of verifiable transformed ciphertext is proposed to reduce the computational overhead of the user's decryption. In this scheme, users with limited computing power can generate the authorized key by executing the authorized key generation algorithm, and then initiate the outsourced decryption request of the transformed ciphertext to the CSP and outsource the large number of bilinear and exponential operations involved in the decryption process to the CSP. CSP performs the partial decryption of the transformed ciphertext and sends the partially decrypted ciphertext to the user for decryption, and at the same time, the verifiable random function is used to prevent the semi-trusted CSP from returning the random outsourced decrypted ciphertext directly without performing the outsourced decryption to achieve the verifiability of the outsourced decryption. In the future, we will add a comparison of the amount of computation reduced by partial decryption.
References
- Jingwei Li, Chunfu Jia, Jin Li, and Xiaofeng Chen, "Outsourcing encryption of attribute-based encryption with mapreduce," in Proc. of International Conference on Information and Communications Security, pp. 191-201, October 29-31, 2012.
- Zhibin Zhou, and Dijiang Huang, "Efficient and secure data storage operations for mobile cloud computing," in Proc. of 2012 8th international conference on network and service management (cnsm) and 2012 workshop on systems virtualiztion management (svm), pp. 37-45, October 22-26 2012.
- Ti Wang, Hui Ma, Yongbin Zhou, Rui Zhang, and Zishuai Song, "Fully accountable data sharing for pay-as-you-go cloud scenes," IEEE Transactions on Dependable and Secure Computing, vol.18, no.4, pp. 2005-2016, 1 July-Aug. 2021. https://doi.org/10.1109/TDSC.2019.2947579
- Chunpeng Ge, Willy Susilo, Joonsang Baek, Zhe Liu, Jinyue Xia, and Liming Fang, "A Verifiable and Fair Attribute-Based Proxy Re-Encryption Scheme for Data Sharing in Clouds," IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 5, pp. 2907-2919, 1 Sept.-Oct. 2022. https://doi.org/10.1109/TDSC.2021.3076580
- Shamir Adi, "Identity-based cryptosystems and signature schemes," Advances in Cryptology: Proceedings of CRYPTO 84 4, pp. 47-53, 1985.
- Green Matthew, Susan Hohenberger, and Brent Waters, "Outsourcing the Decryption of ABE Ciphertexts," in Proc. of 20th USENIX Security Symposium, August 10-12, 2011.
- Junzuo Lai, Robert H. Deng, Chaowen Guan, and Jian Weng, "Attribute-Based Encryption with Verifiable Outsourced Decryption," IEEE Transactions on Information Forensics and Security, vol. 8, no. 8, pp. 1343-1354, Aug. 2013. https://doi.org/10.1109/TIFS.2013.2271848
- Hui Ma, Rui Zhang, Zhiguo Wan, Yao Lu, and Suqing Lin, "Verifiable and Exculpable Outsourced Attribute-Based Encryption for Access Control in Cloud Computing," IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 6, pp. 679-692, Nov.-Dec. 2017. https://doi.org/10.1109/TDSC.2015.2499755
- Suqing Lin, Rui Zhang, Hui Ma, and Mingsheng Wang, "Revisiting Attribute-Based Encryption with Verifiable Outsourced Decryption," IEEE Transactions on Information Forensics and Security, vol. 10, no. 10, pp. 2119-2130, Oct. 2015. https://doi.org/10.1109/TIFS.2015.2449264
- Peng Zhang, Zehong Chen, Joseph K. Liu, Kaitai Liang, and Hongwei Liu, "An efficient access control scheme with outsourcing capability and attribute update for fog computing," Future Generation Computer Systems, vol.78, no. 2, pp. 753-762, January, 2018. https://doi.org/10.1016/j.future.2016.12.015
- Zechao Liu, Zoe L. Jiang, Xuan Wang, and S.M. Yiu, "Practical attribute-based encryption: Outsourcing decryption, attribute revocation and policy updating," Journal of Network and Computer Applications, vol.108, pp. 112-123, 15 April 2018. https://doi.org/10.1016/j.jnca.2018.01.016
- Chaosheng Feng, Keping Yu, Moayad Aloqaily, Mamoun Alazab, Zhihan Lv, and Shahid Mumtaz, "Attribute-Based Encryption with Parallel Outsourced Decryption for Edge Intelligent IoV," IEEE Transactions on Vehicular Technology, vol. 69, no. 11, pp. 13784-13795, Nov. 2020. https://doi.org/10.1109/TVT.2020.3027568
- Jiguo Li, Yao Wang, Yichen Zhang, and Jinguang Han, "Full Verifiability for Outsourced Decryption in Attribute Based Encryption," IEEE Transactions on Services Computing, vol. 13, no. 3, pp. 478-487, 1 May-June 2020. https://doi.org/10.1109/TSC.2017.2710190
- Zhiyuan Zhao, Jianhua Wang, Kaiyong Xu, and Songhui Guo, "Fully Outsourced Attribute-Based Encryption with Verifiability for Cloud Storage," Journal of Computer Research and Development, vol. 56, no. 2, pp. 442-452, February, 2019.
- Qi Li, Hongbo Zhu, Zuobin Ying, and Tao Zhang, "Traceable Ciphertext-Policy Attribute-Based Encryption with Verifiable Outsourced Decryption in eHealth Cloud," Wireless Communications and Mobile Computing, Jun, 2018.
- Yongjian Liao, Ganglin Zhang, and Hongjie Chen, "Cost-Efficient Outsourced Decryption of Attribute-Based Encryption Schemes for Both Users and Cloud Server in Green Cloud Computing," IEEE Access, vol. 8, pp. 20862-20869, 2020. https://doi.org/10.1109/ACCESS.2020.2969223
- Huaqun Wang, Debiao He, and Jinguang Han, "VOD-ADAC: Anonymous Distributed Fine-Grained Access Control Protocol with Verifiable Outsourced Decryption in Public Cloud," IEEE Transactions on Services Computing, vol. 13, no. 3, pp. 572-583, 1 May-June 2020. https://doi.org/10.1109/TSC.2017.2687459
- Jiguo Li, Fengjie Sha, Yichen Zhang, Xinyi Huang, and Jian Shen, "Verifiable Outsourced Decryption of Attribute-Based Encryption with Constant Ciphertext Length," Security and Communication Networks, Jan, 2017.
- Hong Zhong, Jie Cui, Wenlong Zhu, and Yan Xu, "Efficient and Verifiable Muti-authority Attribute-Based Encryption Scheme," Journal of Software, vol.29, no.7, pp.2006-2017, 2018.
- Zheng, Hui, Jun Shao, Guiyi Wei, Li Hu, Bianjing Pan, Kai Liu, and Xiaohang Mao, "Attribute-based encryption with publicly verifiable outsourced decryption," in Proc. of International Conference on Network and System Security, pp. 552-566, December, 2019.
- Cui Hui, Zhiguo Wan, Xinlei Wei, Surya Nepal, and Xun Yi, "Pay as You Decrypt: Decryption Outsourcing for Functional Encryption Using Blockchain," IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3227-3238, 2020. https://doi.org/10.1109/TIFS.2020.2973864
- Zhishuo Zhang, Wei Zhang, and Zhiguang Qin, "Fully constant-size CP-ABE with privacy-preserving outsourced decryption for lightweight devices in cloud-assisted IoT," Security and Communication Networks, 2021.
- Zechao Liu, Zoe L. Jiang, Xuan Wang, Xinyi Huang, Siu-Ming Yiu, and Kunihiko Sadakane, "Offline/online attribute-based encryption with verifiable outsourced decryption," Concurrency and Computation: Practice and Experience, vol.29, no.7, 2017.
- Jing Li, Zhitao Guan, Xiaojiang Du, Zijian Zhang, and Jun Wu, "An efficient encryption scheme with verifiable outsourced decryption in mobile cloud computing," in Proc. of 2017 IEEE International Conference on Communications (ICC), pp. 1-6, May, 2017.
- Yaqian Kang, and Zhenhua Liu, "A Fully Secure Verifiable and Outsourced Decryption Ranked Searchable Encryption Scheme Supporting Synonym Query," in Proc. of 2017 IEEE Second International Conference on Data Science in Cyberspace (DSC), pp. 223-231, Jun, 2017.
- Zhidan Li, Wenmin Li, Zhengping Jin, Hua Zhang, and Qiaoyan Wen, "An Efficient ABE Scheme with Verifiable Outsourced Encryption and Decryption," IEEE Access, vol. 7, pp. 29023-29037, 2019. https://doi.org/10.1109/ACCESS.2018.2890565
- Zhijie Wang, Dijiang Huang, Yan Zhu, Bing Li, and Chun-Jen Chung, "Efficient Attribute-Based Comparable Data Access Control," IEEE Transactions on Computers, vol. 64, no. 12, pp. 3430-3443, 1 Dec. 2015. https://doi.org/10.1109/TC.2015.2401033
- Matthew Green and Giuseppe Ateniese, "Identity-based proxy re-encryption," in Proc. of International conference on Applied Cryptography and Network Security, pp. 288-306, June 5-8, 2007.
- Chunpeng Ge,Zhe Liu,Jinyue Xia,Liming Fang, "Revocable identity-based broadcast proxy re-encryption for data sharing in clouds," IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 3, pp. 1214-1226, 2021. https://doi.org/10.1109/TDSC.2019.2899300
- Peng Xu, Jiao Tengfei, Qianhong Wu, Wei Wang, Hai Jin, "Conditional identity-based broadcast proxy re-encryption and its application to cloud email, " IEEE Transactions on Computers, vol. 65, no.1, pp. 66-79, 2016. https://doi.org/10.1109/TC.2015.2417544
- Won-Bin Kim, Su-Hyun Kim, Daehee Seo, and Im-Yeong Lee, "Broadcast proxy reencryption based on certificateless public key cryptography for secure data sharing," Wireless Communications and Mobile Computing, vol. 2021, pp. 1-16, 2021.
- Boneh Dan, and Xavier Boyen, "Efficient selective-ID secure identity-based encryption without random oracles," in Proc. of International conference on the theory and applications of cryptographic techniques, pp. 223-238, 2004.
- Micali Silvio, Michael Rabin, and Salil Vadhan, "Verifiable random functions," in Proc. of 40th Annual Symposium on Foundations of Computer Science, pp. 120-130, October, 1999.
- Bitansky Nir, "Verifiable random functions from non-interactive witness-indistinguishable proofs," Journal of Cryptology, vol. 33, no. 2, pp. 459-493, 2020. https://doi.org/10.1007/s00145-019-09331-1