
1 Introduction

Users store sensitive data (personal files, health records, e-mails and so on) in the cloud, but the loyalty of the cloud server cannot be guaranteed, so such data is generally stored in encrypted form and access control is enforced by the encryption itself. Traditional cryptographic algorithms make flexible sharing among many users difficult. Attribute-based encryption (ABE) solves this problem well and is an important technical means for secure data sharing in cloud computing.

With the popularity of mobile devices and the rapid development of 5G networks, the mobile cloud computing model has been recognized and appreciated by more and more people. Mobile Cloud Computing (MCC) combines cloud computing, mobile computing and wireless networks to bring rich computational resources to mobile users, network operators and cloud computing providers [1]. Combining mobile networks with cloud computing gives users the greatest possible freedom and greatly expands the application scope of cloud computing: users are no longer limited by time and place and can more conveniently enjoy cloud-based computing, storage and software services. Well-known domestic and foreign enterprises have successively launched mobile cloud computing services, such as Ali’s “Apsara Mobile” (2017), Apple’s “MobileMe” and Microsoft’s “Live Mesh”.

The typical ABE scheme cannot be applied directly to mobile cloud applications, mainly because of efficiency. Most proposed schemes are based on bilinear maps; bilinear pairings and group exponentiations are expensive, and the amount of computation in the encryption and decryption phases grows with the size of the attribute set or of the access structure. Secondly, in real application scenarios different authorities manage different attributes of a user, so extending ABE from a single authority to multiple authorities increases both the computational and the management complexity. In addition, to strengthen security, schemes that only achieved selective security have been reworked with composite-order bilinear groups and dual system encryption so that adaptive security can be proved; but a group operation in a composite-order group is one to two orders of magnitude slower than the same operation in a prime-order group, which does not meet practical requirements. Research on flexible and practical attribute-based encryption that improves both security and performance therefore has important application value for secure data sharing in the mobile cloud environment.

In this paper we adopt a decentralized multi-authority architecture. To exploit the semi-trusted cloud server, both encryption and decryption are split into two phases: the cloud server takes part in partial encryption, partial decryption and revocation, which reduces the computational overhead of the user. Attributes are mapped one-to-one to group elements by a hash function, so any string can be added to the system as an attribute, which matches real application scenarios. Finally, the scheme is proved statically secure in the random oracle model and is suitable for secure data sharing in the mobile cloud environment.

2 Related Work

In 2005, Sahai and Waters [5] extended the concept of IBE and proposed attribute-based encryption for the first time. Goyal et al. [6] then defined two forms of ABE according to where the access policy is placed: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). CP-ABE is the better fit for secure data sharing in the cloud, because the data owner defines the access policy at the moment the plaintext is encrypted; the scheme proposed in this paper is therefore a CP-ABE scheme.

Cheung et al. [7] proposed a CP-ABE scheme based on an AND-gate access structure, and Goyal et al. [8] a CP-ABE scheme based on an access tree. Waters [9] published a CP-ABE scheme based on linear secret sharing scheme (LSSS) access structures, achieving stronger expressiveness and higher efficiency. The root of the ABE efficiency problem, however, is that in pairing-based constructions the complex functionality is realized with modular exponentiations and bilinear pairings, so it is hard to make a breakthrough in computational efficiency through the construction alone. Scholars therefore turned to outsourcing the heavy computation to parties with strong computing power. Early research on outsourced computation concentrated on a single type of computation; in 2011 Green et al. [10] introduced outsourcing into ABE, greatly relieving the decryption burden of end users and opening a new possibility for attribute-based encryption in mobile cloud computing.

Since mobile cloud computing was proposed in 2010, attribute-based secure data sharing has received much attention, but attribute-based encryption schemes designed for the mobile cloud environment are still few. In 2014, Hohenberger et al. [11] introduced a method of reducing the cost of encryption in ABE by pre-computation and proposed an online/offline ABE scheme. Because it reduces the online computing overhead of users effectively, it is well suited to data sharing in cloud computing with the low-end user devices typical of the mobile cloud.

In real environments attributes are not managed by a single authority, so multi-authority attribute-based encryption (MA-ABE) has been studied in depth, focusing on how to reduce the threat posed by a corrupted central authority and how to let the authorities operate independently of one another. In 2011, Lewko and Waters [12] proposed an MA-ABE scheme that needs no central authority (CA) and in which the authorities need not even know of each other, realizing decentralizing attribute-based encryption (DABE). In 2015, Vijay et al. [13] proposed a CP-ABE scheme with attribute revocation for the mobile cloud environment; it recognizes that a single-authority ABE scheme cannot handle users whose attributes are managed by several authorities, and supports multiple attribute authorities working simultaneously. In 2016, Li et al. [14] proposed a lightweight data sharing scheme for the mobile cloud environment which changes the access-tree structure so that most of the computation is handed to an external proxy server, and which also realizes revocation. In 2017, Lyu et al. [15] adopted an anonymous key issuing protocol for privacy protection, in addition to online/offline technology and outsourced decryption. Zhao et al. [16] proposed a mobile cloud CP-ABE scheme with verifiable outsourced computation, where verification uses two kinds of hash functions; De [17] proposed a scheme for fast encryption and decryption in the mobile cloud environment that decentralizes the attributes; and Li et al. [18] proposed a multi-authority CP-ABE scheme without a CA for the mobile cloud environment that uses two-factor authentication to authenticate users anonymously.

In terms of security, in 2010 Lewko et al. [19] improved the CP-ABE construction with composite-order bilinear groups and dual system encryption, raising the security level from selective security (where the adversary commits to the attacked attribute set in advance) to adaptive security, but at a heavy cost in performance. In 2015, Rouselakis and Waters [20] proposed a static security model suited to the multi-authority setting, which matches data sharing among multiple authorities better and has gained considerable recognition.

Summarizing the above work, adaptive-security designs (in composite-order or prime-order groups) sacrifice performance to some extent and are not suitable for data sharing in the mobile cloud environment. Since in CP-ABE the user’s attributes are bound to the decryption key and are issued in a fragmented way by different authorities, each attribute should be authorized separately by the authority that manages it (in a single-authority scenario, by contrast, the private key is requested independently and as a whole). This paper applies the static security model of Rouselakis and Waters to the multi-authority setting. To offset the computational complexity introduced by multiple authorities, the encryption phase uses pre-computation and the decryption phase is partially outsourced, which makes the scheme better suited to mobile devices and gives users a better application experience.

3 Preliminaries

This section introduces the basic knowledge and the data sharing model underlying the proposed attribute-based encryption scheme for the mobile cloud environment, and gives the complexity assumption and the security model on which the scheme rests.

A. Linear Secret Sharing Schemes (LSSS)

Let \( p \) be a prime and \( U \) the attribute universe.

A secret-sharing scheme \( \Pi \) with domain of secrets \( \mathbb{Z}_p \) realizing access structures on \( U \) is linear over \( \mathbb{Z}_p \) if

(1) The shares for each party form a vector over \( \mathbb{Z}_p \).

(2) There exists an \( \ell \times n \) matrix \( A \), called the share-generating matrix for \( \Pi \), whose \( i \)-th row (\( i = 1, \ldots, \ell \)) is labeled by a party \( \rho(i) \). For a column vector \( \varvec{v} = (s, y_2, \ldots, y_n) \in \mathbb{Z}_p^n \), where \( s \in \mathbb{Z}_p \) is the secret to be shared and \( y_2, \ldots, y_n \in \mathbb{Z}_p \) are chosen at random, \( A\varvec{v} \) is the vector of \( \ell \) shares of the secret \( s \) according to \( \Pi \); the \( i \)-th share \( (A\varvec{v})_i \) belongs to party \( \rho(i) \).

It is shown in [21] that every linear secret-sharing scheme according to the above definition also enjoys the linear reconstruction property, defined as follows. Suppose that \( \Pi \) is an LSSS for the access structure \( \mathbb{A} \). Let \( S \in \mathbb{A} \) be any authorized set and let \( I = \{ i : \rho(i) \in S \} \subseteq \{1, 2, \ldots, \ell\} \). Then there exist constants \( \{\omega_i \in \mathbb{Z}_p\}_{i \in I} \) such that, if \( \{\lambda_i\} \) are valid shares of any secret \( s \) according to \( \Pi \), then \( \sum_{i \in I} \omega_i \lambda_i = s \). These constants can be found in time polynomial in the size of \( A \). For unauthorized sets no such constants exist.
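The definition above, worked through in code. This is an added example and not part of the paper: it assumes the standard Lewko-Waters conversion of a boolean formula into an LSSS matrix, and a constructed three-attribute policy. It builds the share-generating matrix \( A \) with its labelling \( \rho \), computes the shares \( A\varvec{v} \), and finds the reconstruction constants (called \( \omega_i \) above, \( c_x \) in Sect. 4) by Gauss-Jordan elimination over \( \mathbb{Z}_p \), returning None when the attribute set is unauthorized.

```python
import random

# Added example, not from the paper: build the share-generating matrix A of an LSSS for a
# boolean formula (Lewko-Waters conversion), share a secret s in Z_p as lambda = A v, and
# recover s from an authorized set by solving sum_{i in I} c_i A_i = (1, 0, ..., 0) mod p.
P = 2**127 - 1                 # a prime standing in for the group order p
rng = random.SystemRandom()


def lsss_matrix(policy):
    """policy is an attribute string or ('AND'|'OR', left, right).
    Returns (rows, labels): rows is the l x n matrix A, labels[i] is rho(i)."""
    rows, labels, counter = [], [], [1]     # counter = current vector length c

    def visit(node, vec):
        if isinstance(node, str):           # leaf: this attribute's row is vec
            rows.append(vec)
            labels.append(node)
            return
        op, left, right = node
        if op == "OR":                      # OR: both children inherit vec
            visit(left, vec)
            visit(right, vec)
        elif op == "AND":                   # AND: children get vec|1 and 0..0|-1, then c += 1
            c = counter[0]
            left_vec = vec + [0] * (c - len(vec)) + [1]
            right_vec = [0] * c + [-1]
            counter[0] += 1
            visit(left, left_vec)
            visit(right, right_vec)
        else:
            raise ValueError(f"unknown gate {op!r}")

    visit(policy, [1])
    n = counter[0]
    return [r + [0] * (n - len(r)) for r in rows], labels


def solve_mod_p(M, t):
    """Solve M x = t over Z_P by Gauss-Jordan elimination; one solution, or None if none exists."""
    m, k = len(M), len(M[0])
    aug = [[v % P for v in row] + [t[i] % P] for i, row in enumerate(M)]
    pivots, r = [], 0
    for col in range(k):
        if r == m:
            break
        piv = next((i for i in range(r, m) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [v * inv % P for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % P for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(aug[i][k] for i in range(r, m)):  # a row 0 = nonzero: inconsistent system
        return None
    x = [0] * k                               # free variables fixed to 0
    for i, col in enumerate(pivots):
        x[col] = aug[i][k]
    return x


def share(A, s):
    """Shares lambda = A v with v = (s, y_2, ..., y_n), the y_i uniform in Z_P."""
    v = [s % P] + [rng.randrange(P) for _ in range(len(A[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in A]


def reconstruction_coeffs(A, labels, attrs):
    """{i: c_i} over the rows I labelled by attrs with sum c_i A_i = (1,0,...,0), or None
    if attrs is unauthorized (the linear system has no solution)."""
    I = [i for i, lab in enumerate(labels) if lab in attrs]
    if not I:
        return None
    n = len(A[0])
    M = [[A[i][j] for i in I] for j in range(n)]   # transpose of A_I, n x |I|
    c = solve_mod_p(M, [1] + [0] * (n - 1))
    return None if c is None else dict(zip(I, c))


def reconstruct(A, labels, shares, attrs):
    """sum_{i in I} c_i lambda_i mod P, or None for an unauthorized set."""
    coeffs = reconstruction_coeffs(A, labels, attrs)
    if coeffs is None:
        return None
    return sum(c * shares[i] for i, c in coeffs.items()) % P


if __name__ == "__main__":
    policy = ("OR", "doctor", ("AND", "nurse", "ward-3"))   # constructed sample policy
    A, labels = lsss_matrix(policy)                         # A = [[1,0],[1,1],[0,-1]]
    s = rng.randrange(P)
    shares = share(A, s)
    print(reconstruct(A, labels, shares, {"doctor"}) == s)           # True
    print(reconstruct(A, labels, shares, {"nurse", "ward-3"}) == s)  # True
    print(reconstruct(A, labels, shares, {"nurse"}))                 # None
```

The unauthorized case is detected exactly as the definition says: the target vector \( (1, 0, \ldots, 0) \) is not in the span of the rows labelled by the attribute set, so the linear system has no solution. In Sect. 4 the cloud server performs this same computation to obtain the constants \( c_x \) for a user’s attribute set \( S \).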

B. Complexity Assumption

For our security proof we use a q-type assumption on prime-order bilinear groups. It is a slightly modified version of the q-Decisional Parallel Bilinear Diffie-Hellman Exponent assumption of [20], which we call q-DPBDHE2 for short. The assumption is defined as follows:

Choose a bilinear group \( G \) of prime order \( p \) according to the security parameter \( \kappa \), with generator \( g \) and a non-degenerate bilinear map \( e: G \times G \to G_T \). Pick \( a, s, b_1, b_2, \ldots, b_q \in \mathbb{Z}_p^* \) uniformly at random and let

$$ D = \left( \begin{array}{l} p,\ g,\ G,\ e,\ g^{s},\ \{ g^{a^{i}} \}_{i \in [2q],\, i \ne q+1},\ \{ g^{b_{j} a^{i}} \}_{(i,j) \in [2q,\,q],\, i \ne q+1}, \\ \{ g^{s/b_{i}} \}_{i \in [q]},\ \{ g^{s a^{i} b_{j}/b_{j'}} \}_{(i,j,j') \in [q+1,\,q,\,q],\, j \ne j'} \end{array} \right) $$
(1)

The assumption states that, given \( D \), no polynomial-time distinguisher can distinguish \( e(g,g)^{s a^{q+1}} \) from a uniformly random element \( R \in G_T \) with more than negligible advantage.

C. Security Model

(1) Static security model. The static security model is a game between a challenger and an attacker. It differs from the adaptive model in that the attacker must specify its attack targets and all of its queries immediately after receiving the public parameters, send them to the challenger at once, and cannot change them afterwards. As in the adaptive model, the attacker may request users’ private keys many times and may also obtain partially decrypted ciphertexts stored in the cloud, that is, it may request outsourced decryption keys and use them to partially decrypt ciphertexts. In addition, we allow the attacker to corrupt some authorities and to generate their public keys itself. Besides resisting an attack by the cloud server, the model therefore also captures collusion among several legitimate users through the private-key queries. The game proceeds in the following stages; the notation is listed in Table 1.

Table 1. List of symbols

Global Setup: The challenger runs the global setup algorithm of the scheme and sends the public parameters \( \mathrm{GP} \) to the attacker.

Attacker’s Queries: The attacker first selects a subset \( C \subseteq V \) of the authorities to corrupt, generates their public keys \( \{\mathrm{PK}_\beta\}_{\beta \in C} \) itself and sends them to the challenger. It then queries:

  • The public and private keys of \( m \) authorized users \( \{\mathrm{GID}_i\}_{i=1}^{m} \).

  • The public keys of some non-corrupt authorities \( N \subseteq V \).

  • The outsourced decryption keys of \( n \) users \( \{S_i, \mathrm{GID}_i\}_{i=1}^{n} \), where \( S_i \subseteq U \) is the attribute set of user \( i \). We require \( T(S_i) \cap C = \varnothing \), i.e. all queried attributes are managed by uncorrupted authorities, and \( n > m \), so that the attacker may ask for the outsourced decryption keys not only of the \( m \) users whose private keys it holds but also of other users.

  • Two messages \( m_0, m_1 \) of equal length and a challenge access structure \( (A,\rho) \) encoded in a suitable form. We require that for every \( i \) (\( 1 \le i \le n \)) the set \( S_i \cup S_C \) is unauthorized for \( (A,\rho) \), where \( S_C \) denotes the attributes managed by the corrupted authorities \( C \).

Challenger’s Replies: The challenger flips a random coin \( b \in \{0,1\} \) and replies with:

  • The secret keys of the users \( \{\mathrm{GID}_i\}_{i=1}^{m} \): \( \{\mathrm{userPK}_{\mathrm{GID}_i}, \mathrm{key}\}_{i=1}^{m} \)

  • The public keys of the authorities \( N \subseteq V \): \( \{\mathrm{PK}_\beta\}_{\beta \in N} \)

  • The secret keys of the cloud service provider: \( \{\mathrm{SK}_{\mathrm{Out}}\}_{i=1}^{n} \)

  • The challenge ciphertext \( \mathrm{CT}^* \), an encryption of \( m_b \) under \( (A,\rho) \)

Guess: The attacker outputs a guess \( b^{{\prime }} \in \{ 0,1\} \).

Definition 1.

We say that an attacker statically breaks the scheme if it has a non-negligible advantage in correctly guessing the bit \( b \) in the above security game.

When the game omits the first class of queries (users’ private keys), the model reduces to security against the cloud server alone.

(2) Revocation security model. We also propose a security model for revocation that captures collusion among several revoked users, regardless of whether their attributes satisfy the access policy; the adversary may therefore request the private keys of several revoked users. We assume that revoked users do not collude with the cloud server or with the authorities, so the adversary may neither request the cloud server’s keys corresponding to revoked users nor corrupt any authority. At the same time, to let the adversary obtain partially decrypted ciphertexts of unrevoked users, the model allows it to access the cloud server’s keys corresponding to unrevoked users. The game between the adversary and the challenger is otherwise the same as in the static security model; in the query phase the adversary asks the challenger for:

    • The public and private keys of some revoked users \( \{\mathrm{GID}_i\}_{i=1}^{m} \).

    • The public keys of some non-corrupt authorities \( N \subseteq V \).

    • The outsourced decryption keys of the unrevoked users \( \{S_i, \mathrm{GID}_i\}_{i=m+1}^{n} \).

    • Two messages \( m_0, m_1 \) of equal length and a challenge access structure \( (A,\rho) \) encoded in a suitable form, for which the challenger returns the challenge ciphertext.

Definition 2.

We say that the scheme is securely revocable if no attacker has a non-negligible advantage in correctly guessing the bit \( b \) in the above security game.

D. Data Sharing Model

The data sharing model in the mobile cloud environment contains four entities: the data owner (DO), the cloud service provider (CSP), the data user, i.e. the mobile user (DU), and the attribute authorities (AA). The data owner DO draws up an access structure according to its security policy, encrypts the data under that access structure and uploads the result, a ciphertext bound to the access policy, to the cloud. Any user may freely download ciphertext files from the cloud service, but a user DU can decrypt one only if its attributes satisfy the ciphertext’s access policy. The attribute authority AA generates the cloud server’s private key according to the user’s permissions, while the user DU generates its own private key; the user can decrypt only after the cloud server has partially decrypted the original ciphertext with its own key. To revoke a user, the cloud server simply deletes that user’s cloud-side private key. The sharing framework is shown in Fig. 1.

Fig. 1. Data sharing model in MCC

The cloud service provider CSP is assumed to be honest-but-curious: it has powerful storage and computing capacity but is used only to store ciphertexts, partially decrypt them and assist revocation, and must not be able to learn anything about the data or the keys. A DU need not worry much about its own hardware and software: devices of different configurations can access the CSP to obtain the resources they are authorized for.

The DO and DU here are mainly users of low-end devices such as mobile phones and in-vehicle systems, but may also use high-end devices such as PCs.

4 Our Scheme

Taking practical application requirements and research on cloud data sharing mechanisms into account, we use a function \( T \) mapping each attribute \( i \in U \) to the authority \( \beta \in V \) that manages it. Hence there is a surjection \( \delta \) from the rows \( x \) of the share-generating matrix to the authorities, \( \delta(x) = T(\rho(x)) = \beta \). In addition, we introduce a pre-computation step before encryption, and divide attribute-based secure sharing in the mobile cloud into four parts: initialization, user registration, data encryption and data access. Our scheme is constructed as follows:

A. Initialization

\( \mathrm{GlobalSetup}(\lambda) \to \mathrm{GP} \). The global setup algorithm takes as input the security parameter \( \lambda \) and chooses a suitable bilinear group \( G \) of prime order \( p \) with generator \( g \). It also chooses a function \( H \) mapping global identifiers \( \mathrm{GID} \) to elements of \( G \), and a function \( F \) mapping strings, interpreted as attributes, to elements of \( G \). Both functions are modeled as random oracles in the security proof. Finally, it defines \( U \), \( V \) and \( T \). The global parameters are \( \mathrm{GP} = \{p, G, g, H, F, U, V, T\} \). \( \mathrm{GP} \) is an implicit input of all remaining algorithms and, for conciseness, is not mentioned again below.

\( \mathrm{AuthoritySetup}(\mathrm{GID}_\beta) \to \{\mathrm{PK}_\beta, \mathrm{SK}_\beta\} \). Each authority \( \beta \in V \) runs the setup algorithm independently: on input \( \mathrm{GID}_\beta \) it chooses two random exponents \( \alpha_\beta, y_\beta \in \mathbb{Z}_p^* \), publishes \( \mathrm{PK}_\beta = \{e(g,g)^{\alpha_\beta}, g^{y_\beta}\} \) as its public key and keeps \( \mathrm{SK}_\beta = \{\alpha_\beta, y_\beta\} \) as its secret key.

B. User Registration

When a new user joins the system, it requests private keys from the attribute authorities. For each attribute in the user’s attribute set \( S \), the authority responsible for that attribute runs the \( \mathrm{KeyGen}_{\mathrm{Out}} \) algorithm.

\( \mathrm{KeyGen}_{\mathrm{user}}(\mathrm{GID}_i) \to \{\mathrm{userPK}_i, \mathrm{key}\} \). This algorithm runs on the mobile device; it is the user’s part of the key generation of the classic scheme. On input \( \mathrm{GID}_i \) it chooses a random \( z \in \mathbb{Z}_p^* \), computes the user’s public key \( \mathrm{userPK}_{\mathrm{GID}_i} = \{g^{z}, H(\mathrm{GID}_i)^{z}\} \) and publishes it, and keeps \( \mathrm{key} = 1/z \) as the user’s private key. The relevant authorities then run the key generation algorithm for the outsourced decryption server of the cloud service provider CSP:

$$ {\text{KeyGen}}_{\text{Out}} ( {\text{GID}}_{i} ,{\text{userPK}}_{i} ,S,\{ {\text{SK}}_{j} \} ) \to {\text{SK}}_{\text{Out}} $$

For user \( \mathrm{GID}_i \), the algorithm takes as input \( \mathrm{userPK}_i \), the attribute set \( S \) and the secret keys \( \{\mathrm{SK}_\beta\} \) of the relevant authorities (those \( \beta \) with \( T(i) = \beta \) for some \( i \in S \)), outputs the outsourced decryption key for user \( \mathrm{GID}_i \), and thereby adds the user to the attribute-based data sharing system.

For every \( i \in S \) with \( T(i) = \beta \), authority \( \beta \) chooses a random \( t_i \in \mathbb{Z}_p^* \) and computes \( K_{i,1} = g^{z\alpha_i} H(\mathrm{GID})^{z y_i} F(i)^{t_i} \) and \( K_{i,2} = g^{t_i} \), where \( (\alpha_i, y_i) \) is shorthand for \( \mathrm{SK}_\beta \) of the authority \( \beta = T(i) \) and \( g^{z} \), \( H(\mathrm{GID})^{z} \) are taken from \( \mathrm{userPK}_i \). It outputs the key \( \mathrm{SK}_S = \{S, K_{i,1}, K_{i,2}\}_{i \in S} \). The user keeps \( \mathrm{key} = 1/z \) secret, computes \( K'_{i,1} = K_{i,1}^{1/z} \) and \( K'_{i,2} = K_{i,2}^{1/z} \), and outputs the cloud server decryption key \( \mathrm{SK}_{\mathrm{Out}} = \{S, K'_{i,1}, K'_{i,2}\}_{i \in S} \); the pair \( \{\mathrm{GID}, \mathrm{SK}_{\mathrm{Out}}\} \) is added to the cloud server’s key list \( \mathrm{Klist} \).

C. Data Encryption

When the mobile device is idle, it runs \( \mathrm{Pre}_{\mathrm{Enc}}(\{\mathrm{PK}_\beta\}) \to \mathrm{IC} \). The input is the set of public keys of the authorities relevant to the user-defined access policies; the output is an intermediate ciphertext \( \mathrm{IC} \) that may be uploaded to the cloud storage server. Before the formal encryption, the device pre-computes, for each attribute \( i \in U \), the following values that the encryption will use: it chooses random \( \lambda'_i, \omega'_i, r_i \in \mathbb{Z}_p^* \) and computes \( \mathrm{IC}_{i,1} = e(g,g)^{\lambda'_i} e(g,g)^{\alpha_i r_i} \), \( \mathrm{IC}_{i,2} = g^{-r_i} \), \( \mathrm{IC}_{i,3} = g^{y_i r_i} g^{\omega'_i} \), \( \mathrm{IC}_{i,4} = F(i)^{r_i} \), where \( e(g,g)^{\alpha_i} \) and \( g^{y_i} \) are taken from \( \mathrm{PK}_{T(i)} \). The encryptor may upload the intermediate ciphertext \( \mathrm{IC} = \{\mathrm{IC}_{i,1}, \mathrm{IC}_{i,2}, \mathrm{IC}_{i,3}, \mathrm{IC}_{i,4}\}_{i \in U} \) to the CSP’s outsourced storage to save the storage resources of the device.

The temporary key \( {\text{TK}} = \{ \lambda_{i}^{{\prime }} ,\omega_{i}^{{\prime }} \}_{i \in U} \) is stored locally.

When a mobile user needs to share secret data, it runs \( \mathrm{Encrypt}(\mathrm{IC}, \mathrm{TK}, M, (A,\rho)) \to \mathrm{CT} \). (The algorithm can also skip the pre-computation and encrypt the plaintext directly.) On input the message, the access policy, the intermediate ciphertext and the temporary key, it chooses random \( s, y_2, \ldots, y_n, z_2, \ldots, z_n \in \mathbb{Z}_p^* \), sets \( \varvec{v} = (s, y_2, \ldots, y_n)^T \) and \( \varvec{w} = (0, z_2, \ldots, z_n)^T \), and computes \( \lambda_x = (A\varvec{v})_x \) and \( \omega_x = (A\varvec{w})_x \) for all \( x \in [\ell] \). Since \( \delta(x) = T(\rho(x)) = \beta \), each row \( x \in [\ell] \) is mapped to an authority \( \beta \).

It then computes the ciphertext \( C_0 = M e(g,g)^{s} \) and, for each row \( x \in [\ell] \), \( C_{x,j} = \mathrm{IC}_{\rho(x),j} \) for \( j \in \{1,2,3,4\} \), \( C_{x,5} = \lambda_x - \lambda'_{\rho(x)} \) and \( C_{x,6} = \omega_x - \omega'_{\rho(x)} \), and outputs \( \mathrm{CT} = ((A,\rho), C_0, \{C_{x,j}\}_{x \in [\ell],\, 1 \le j \le 6}) \). If no pre-computation was done, the data owner performs the same operations at the time of encryption. This design draws on the online/offline idea, making use of the device’s idle time and of cloud storage to supply partial results to the formal encryption phase and thereby relieve the encryption load to a certain extent. As in online/offline ABE, each \( \mathrm{IC}_i \) together with its temporary key must be used for a single encryption and then discarded: the corrections \( C_{x,5}, C_{x,6} \) are sent in the clear, so reusing the same \( \lambda'_i, \omega'_i, r_i \) in two ciphertexts reveals the difference of the corresponding shares. For the same reason the construction, which indexes \( \mathrm{IC} \) by attribute, assumes that an attribute labels at most one row of \( A \).

D. Data Access

When the DU requests a ciphertext from the CSP, the CSP first partially decrypts it, and the mobile terminal then completes the decryption with its private key.

When the cloud server receives an access request, it first identifies the terminal by its \( \mathrm{userPK}_{\mathrm{GID}} \) and finds the corresponding cloud server decryption key \( \mathrm{SK}_{\mathrm{Out}} = \{S, K'_{i,1}, K'_{i,2}\}_{i \in S} \) in the key list \( \mathrm{Klist} \). It then runs \( \mathrm{Out}_{\mathrm{Dec}}(\mathrm{SK}_{\mathrm{Out}}, \mathrm{userPK}_i, \mathrm{CT}) \to \mathrm{CT}' \) to partially decrypt. If the attribute set \( S \) in the outsourced decryption key does not satisfy the access policy \( (A,\rho) \) of the ciphertext, decryption fails. Otherwise, with \( I = \{x : \rho(x) \in S\} \subseteq \{1, 2, \ldots, \ell\} \), the decryption server computes constants \( \{c_x \in \mathbb{Z}_p\} \) satisfying \( \sum_{x \in I} c_x A_x = (1, 0, \ldots, 0) \) and sends the partially decrypted ciphertext \( \mathrm{CT}' = (C_0, C_{\mathrm{part}1}, C_{\mathrm{part}2}) \) to the DU, where

$$ C_{\mathrm{part}1} = \prod_{x \in I} \left\{ C_{x,1} \cdot e(g,g)^{C_{x,5}} \, e(K'_{\rho(x),1}, C_{x,2}) \, e(K'_{\rho(x),2}, C_{x,4}) \right\}^{c_x} $$
(2)
$$ C_{\mathrm{part}2} = \prod_{x \in I} \left\{ e\big(H(\mathrm{GID})^{z}, C_{x,3} \cdot g^{C_{x,6}}\big) \right\}^{c_x} $$
(3)

After receiving the partially decrypted ciphertext from the cloud server, the end user runs \( \mathrm{Decrypt}(\mathrm{CT}', \mathrm{key}) \) with its retained private key \( \mathrm{key} = 1/z \) to complete the remaining decryption: it computes \( C_{\mathrm{part}1} \cdot C_{\mathrm{part}2}^{1/z} = e(g,g)^{s} \) and returns \( M = \dfrac{C_0}{C_{\mathrm{part}1} \cdot C_{\mathrm{part}2}^{1/z}} \).

\( \mathrm{Revoke}(\mathrm{GID}, \mathrm{Klist}) \). To revoke a user, the cloud server takes the user identity and the key list, finds and deletes the entry \( \{\mathrm{GID}, \mathrm{SK}_{\mathrm{Out}}\} \), and updates the list: \( \mathrm{Klist} = \mathrm{Klist} \setminus \{\mathrm{GID}, \mathrm{SK}_{\mathrm{Out}}\} \).

5 Analysis

A. Correctness

  1. (1)

    Outsourcing decryption process: when the attribute set \( S \) satisfies the access policy \( (A,\rho ) \), \( I = \{ x:\rho (x) \in S\} \subseteq \{ 1,2, \ldots ,\ell \} \), there is the constant \( \{ c_{x} \in {\mathbf{\mathbb{Z}}}_{p} \} \) satisfies \( \sum\limits_{x \in I} {\lambda_{x} } c_{x} = s \) and \( \sum\limits_{x \in I} {\omega_{x} } c_{x} = 0 \). The following results are as follows:

    $$ \begin{aligned} & C_{{{\text{part}}1}} \\ & = \prod\limits_{x \in I} {\{ C_{x,1} \cdot e(g,g)^{{C_{x,5} }} e(K_{\delta (x),1}^{{\prime }} ,C_{x,2} )e(K_{\delta (x),2}^{{\prime }} ,C_{x,4} )\}^{{c_{x} }} } \\ & = \prod\limits_{x \in I} {\begin{array}{*{20}l} {\{ {\text{e}}(g,g)^{{\lambda '_{\rho (x)} }} {\text{e}}(g,g)^{{\alpha_{\rho (x)} r_{\rho (x)} }} e(g,g)^{{(\lambda_{x} - \lambda '_{\rho (x)} )}} e((g^{{z\alpha_{\rho (x)} }} H({\text{GID}})^{{zy_{\rho (x)} }} F(\rho (x))^{{t_{\rho (x)} }} )^{{{1 \mathord{\left/ {\vphantom {1 z}} \right. \kern-0pt} z}}} ,} \hfill \\ {g^{{ - r_{\rho (x)} }} )e((g^{{t_{\rho (x)} }} )^{{{1 \mathord{\left/ {\vphantom {1 z}} \right. \kern-0pt} z}}} ,F(\rho (x))^{{r_{\rho (x)} }} )\}^{{c_{x} }} } \hfill \\ \end{array} } \\ & = \prod\limits_{x \in I} {\begin{array}{*{20}l} {\{ e(g,g)^{{\alpha_{\rho (x)} r_{\rho (x)} }} e(g,g)^{{\lambda_{x} }} e((g,g)^{{ - \alpha_{\rho (x)} r_{\rho (x)} }} {\text{e}}(H({\text{GID}}),} \hfill \\ {g)^{{ - y_{\rho (x)} r_{\rho (x)} }} e(F(\rho (x)),g)^{{{{ - r_{\rho (x)} t_{\rho (x)} } \mathord{\left/ {\vphantom {{ - r_{\rho (x)} t_{\rho (x)} } z}} \right. \kern-0pt} z}}} e((g,F(\rho (x)))^{{{{r_{\rho (x)} t_{\rho (x)} } \mathord{\left/ {\vphantom {{r_{\rho (x)} t_{\rho (x)} } z}} \right. \kern-0pt} z}}} \}^{{c_{x} }} } \hfill \\ \end{array} } \\ & = \prod\limits_{x \in I} {\{ e(g,g)^{{\lambda_{x} }} {\text{e}}(H({\text{GID}}),g)^{{ - y_{\rho (x)} r_{\rho (x)} }} \}^{{c_{x} }} } \\ & = e(g,g)^{{\sum\limits_{x \in I} {\lambda_{x} c_{x} } }} e(H({\text{GID}}),g)^{{ - \sum\limits_{x \in I} {y_{\rho (x)} r_{\rho (x)} c_{x} } }} \\ & = e(g,g)^{s} e(H({\text{GID}}),g)^{{ - \sum\limits_{x \in I} {y_{\rho (x)} r_{\rho (x)} c_{x} } }} \\ \end{aligned} $$
    (4)
    $$ \begin{aligned} & C_{part2} \\ & = \prod\limits_{x \in I} {\{ e(H({\text{GID}})^{z} ,C_{x,3} \cdot g^{{C_{x,6} }} )\}^{{c_{x} }} } \\ & = \prod\limits_{x \in I} {\{ e(H({\text{GID}})^{z} ,g^{{y_{\rho (x)} r_{\rho (x)} }} g^{{\omega '_{\rho (x)} }} \cdot g^{{(\omega_{x} - \omega '_{\rho (x)} )}} )\}^{{c_{x} }} } \\ & = \prod\limits_{x \in I} \{ e(H({\text{GID}})^{z} ,g^{{y_{\rho (x)} r_{\rho (x)} }} g^{{\omega_{x} }} )\}^{{c_{x} }} \\ & = \prod\limits_{x \in I} \{ e(H({\text{GID}}),g)^{{z \cdot y_{\rho (x)} r_{\rho (x)} }} e(H({\text{GID}}),g)^{{z \cdot \omega_{x} }} \}^{{c_{x} }} \\ & = e(H({\text{GID}}),g)^{{z\sum\limits_{x \in I} {y_{\rho (x)} r_{\rho (x)} c_{x} } }} e(H({\text{GID}}),g)^{{z\sum\limits_{x \in I} {\omega_{x} c_{x} } }} \\ & = e(H({\text{GID}}),g)^{{z\sum\limits_{x \in I} {y_{\rho (x)} r_{\rho (x)} c_{x} } }} \\ \end{aligned} $$
    (5)
  (2) The mobile device completes the final decryption:

    $$ \begin{aligned}
    C_{\text{part}1} \cdot C_{\text{part}2}^{1/z}
    &= \bigl\{ e(g,g)^{s}\, e(H(\text{GID}),g)^{-\sum_{x \in I} y_{\rho(x)} r_{\rho(x)} c_x} \bigr\}
       \bigl( e(H(\text{GID}),g)^{z \sum_{x \in I} y_{\rho(x)} r_{\rho(x)} c_x} \bigr)^{1/z}
     = e(g,g)^{s}, \\
    \frac{C_{0}}{C_{\text{part}1} \cdot C_{\text{part}2}^{1/z}}
    &= \frac{M\, e(g,g)^{s}}{e(g,g)^{s}} = M
    \end{aligned} $$
    (6)
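The last steps of (4), (5) and (6) rest on the LSSS reconstruction coefficients \( c_x \) satisfying \( \sum_{x \in I} \lambda_x c_x = s \) and \( \sum_{x \in I} \omega_x c_x = 0 \). The following Python is an added example, not code from the paper: it computes those coefficients over \( \mathbb{Z}_p \) for a constructed toy policy matrix and checks both identities, including the unauthorized case where no coefficients exist; the modulus, the policy matrix and the function names are assumptions.

```python
# Added example (not from the paper): LSSS sharing/reconstruction over Z_p, the
# step behind sum(lambda_x c_x) = s and sum(omega_x c_x) = 0 in Eqs. (4)-(6).
import random

p = 2**61 - 1  # constructed prime standing in for the bilinear group order
# Constructed toy policy "(A AND B) OR C": one row per attribute A, B, C.
POLICY = [[1, 1], [0, -1], [1, 0]]


def reconstruction_coeffs(rows):
    """Solve sum_x c_x * A_x = (1, 0, ..., 0) over Z_p by Gauss-Jordan elimination.
    Returns [c_x], or None when the rows A_x (x in I) cannot reach the target
    vector, i.e. I is an unauthorized set."""
    n, k = len(rows), len(rows[0])
    # k equations (one per matrix column) in the n unknowns c_x, augmented with e_1.
    aug = [[rows[x][j] % p for x in range(n)] + [int(j == 0)] for j in range(k)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, k) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(k):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(not any(row[:n]) and row[n] for row in aug):
        return None  # inconsistent: e_1 is not in the span of the chosen rows
    c = [0] * n  # free unknowns are set to 0
    for i, col in enumerate(pivots):
        c[col] = aug[i][n]
    return c


def share(A, s):
    """lambda_x = A_x . v with v = (s, v2, ...); omega_x = A_x . w with w = (0, w2, ...)."""
    v = [s] + [random.randrange(p) for _ in A[0][1:]]
    w = [0] + [random.randrange(p) for _ in A[0][1:]]
    dot = lambda row, vec: sum(a * b for a, b in zip(row, vec)) % p
    return [dot(row, v) for row in A], [dot(row, w) for row in A]


def decrypt_exponents(A, s, I):
    """Exponents the cloud's products in (4)/(5) collapse to: (s, 0) if I is authorized."""
    lam, om = share(A, s)
    c = reconstruction_coeffs([A[x] for x in I])
    if c is None:
        return None
    return (sum(ci * lam[x] for ci, x in zip(c, I)) % p,
            sum(ci * om[x] for ci, x in zip(c, I)) % p)
```

The first component is the exponent of \( e(g,g) \) left after the cancellations in (4) and the second is the exponent that vanishes in (5); the blinding term in \( H(\text{GID}) \) is removed separately by the \( 1/z \) step in (6).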

B. Security

  (1) Static Security

Lemma 1.

Assume that the Rouselakis-Waters (RW) scheme [20] is statically secure. Then the decentralized multi-authority CP-ABE scheme for mobile cloud computing is also statically secure.

Proof.

Assume that a probabilistic polynomial-time attacker breaks this scheme with non-negligible advantage. We show that a probabilistic polynomial-time algorithm \( \Phi \) can then be constructed that breaks the RW scheme.

Global Setup: \( \Phi \) runs the Global Setup algorithm and sends the public parameters \( {\text{GP}} \) to the attacker.

Attacker’s Queries: The attacker first selects a subset \( C \) (\( C \subseteq V \)) of the authorities \( V \) to corrupt, generates their public keys \( \{ {\text{PK}}_{\beta } \}_{\beta \in C} \) and sends them to \( \Phi \), and then queries \( \Phi \) as follows:

  • Select \( m \) authorized users \( \{ {\text{GID}}_{i} \}_{i = 1}^{m} \) and query their public and private keys.

  • Select some uncorrupted authorities \( N \) (\( N \subseteq V \)) and query their public keys.

  • Select \( n \) users \( \{ S_{i} ,{\text{GID}}_{i} \}_{i = 1}^{n} \) and query their outsourced decryption keys, where \( S_{i} \subseteq U \) is the attribute set of user \( i \). The requirement \( T(S_{i} ) \cap C = \varnothing \) means that the attributes held by these users are issued by uncorrupted authorities. The requirement \( n > m \) means that the attacker may query outsourced decryption keys not only for the \( m \) authorized users but also for other users.

  • Two messages \( m_{0} ,m_{1} \) of equal length and a challenge access structure \( (A,\rho ) \) encoded in a suitable form. We require that for every \( i \) (\( 1 \le i \le n \)) the set \( S_{i} \cup S_{C} \) is unauthorized for the access structure \( (A,\rho ) \).

Challenger’s Replies: \( \Phi \) sends \( \{ {\text{PK}}_{\beta } \}_{\beta \in C} \) to the challenger and queries, in the RW scheme, the public keys of the authorities \( N \subseteq V \), the private keys corresponding to \( \{ S_{i} ,{\text{GID}}_{i} \}_{i = 1}^{m} \) and the challenge ciphertext. The challenger returns \( \{ {\text{SK}}_{{S_{i} ,{\text{GID}}_{i} }} = (g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} F(j)^{{t_{j} }} ,g^{{t_{j} }} )_{{j \in S_{i} }} \}_{i = 1}^{m} \), the public keys \( \{ {\text{PK}}_{\beta } \}_{\beta \in N} \) of the authorities \( N \subseteq V \) and the challenge ciphertext \( {\text{CT*}} \). \( \Phi \) first computes the users’ private keys in this scheme: for \( 1 \le i \le m \), it chooses a random element \( z \in \mathbb{Z}_{p}^{*} \) and computes \( {\text{userPK}}_{{{\text{GID}}_{i} }} = \{ g^{z} ,H({\text{GID}}_{i} )^{z} \} \) and \( {\text{key}}_{{{\text{GID}}_{i} }} = \{ 1/z \}_{i} \). It then derives the corresponding outsourced decryption keys for \( \{ S_{i} ,{\text{GID}}_{i} \}_{i = 1}^{n} \) as follows:

  • for \( 1 \le i \le m \), \( j \in S_{i} \),

    $$ K_{{j,1,{\text{GID}}_{i} }} = (g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} F(j)^{{t_{j} }} )^{{z_{i} }} = g^{{\alpha_{\beta } z_{i} }} H({\text{GID}}_{i} )^{{y_{\beta } z_{i} }} F(j)^{{t_{j} z_{i} }} $$
    (7)
    $$ K_{{j,2,{\text{GID}}_{i} }} = (F(j)^{{t_{j} }} )^{{z_{i} }} = F(j)^{{t_{j} z_{i} }} $$
    (8)

    Set

    $$ {\text{SK}}_{{\text{Out}},{\text{GID}}_{i}} = \{ S_{i} , K_{j,1,{\text{GID}}_{i}} , K_{j,2,{\text{GID}}_{i}} \}_{j \in S_{i}} $$
    (9)
  • for \( m < i \le n \) and \( j \in S_{i} \), choose random elements \( g_{j} \in G \) and \( k_{j} \in \mathbb{Z}_{p}^{*} \), compute \( K_{{j,1,{\text{GID}}_{i} }} = g_{j} F(j)^{{k_{j} }} \) and \( K_{{j,2,{\text{GID}}_{i} }} = F(j)^{{k_{j} }} \), and set \( {\text{SK}}_{{\text{Out}},{\text{GID}}_{i}} = \{ S_{i} , K_{j,1,{\text{GID}}_{i}} , K_{j,2,{\text{GID}}_{i}} \}_{j \in S_{i}} \). Notice that \( g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} \) is an element of \( G \), and \( G \) is a cyclic group, so there is an unknown element \( z_{i} \in \mathbb{Z}_{p}^{*} \) such that \( g_{j} = (g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} )^{{z_{i} }} = g^{{\alpha_{\beta } z_{i} }} H({\text{GID}}_{i} )^{{y_{\beta } z_{i} }} \). Hence \( K_{{j,1,{\text{GID}}_{i} }} = g_{j} F(j)^{{k_{j} }} = g^{{\alpha_{\beta } z_{i} }} H({\text{GID}}_{i} )^{{y_{\beta } z_{i} }} F(j)^{{k_{j} }} \) and \( K_{{j,2,{\text{GID}}_{i} }} = F(j)^{{k_{j} }} \) are distributed like a uniformly random outsourced decryption key.

  • \( \Phi \) sends the above results to the attacker.

Guess: The attacker outputs a guess \( b^{{\prime }} \in \{ 0,1\} \), and \( \Phi \) outputs the same guess.

From the attacker’s view, the above distribution is indistinguishable from the real one. Therefore, if the attacker can break this scheme with non-negligible advantage, it can also break the RW scheme with non-negligible advantage.

Lemma 2.

If the q-DPBDHE2 assumption holds, the RW scheme is statically secure in the random oracle model.

Proof:

A detailed proof is given in [20]; for reasons of space it is not repeated here.

Theorem 1.

Assuming that the q-DPBDHE2 assumption holds, the scheme in this paper is statically secure in the random oracle model.

Proof:

Follows directly from Lemmas 1 and 2.

  (2) Revocable Security Proof

The idea of this section is similar to that of Lemma 1. First, the following lemma is proved.

Lemma 3.

Assume that the Rouselakis-Waters (RW) scheme [20] is statically secure. Then the decentralized multi-authority CP-ABE scheme proposed in this paper supports user revocation.

Proof:

Suppose that, for the proposed scheme, there is a polynomial-time adversary A that wins the revocation game of Sect. 3 with advantage \( \varepsilon \). Then a simulator B can be constructed that breaks the RW scheme with advantage \( \varepsilon \). Let C be the challenger that interacts with B in the RW scheme.

As in the static security proof, challenger C sends the public parameters GP of the RW scheme to simulator B, and B forwards GP to adversary A as the public parameters of this scheme.

Adversary A queries B for the public keys of the uncorrupted authorities, the public/private key pairs of some users, the corresponding cloud server private keys and the challenge ciphertext.

Challenger’s Replies: Simulator B queries the public keys of the uncorrupted authorities and the challenge ciphertext in the RW scheme. C returns them to B, and B then performs the following operations.

  • for \( 1 \le i \le m \) and \( j \in S_{i} \),

    $$ K_{{j,1,{\text{GID}}_{i} }} = (g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} F(j)^{{t_{j} }} )^{{z_{i} }} = g^{{\alpha_{\beta } z_{i} }} H({\text{GID}}_{i} )^{{y_{\beta } z_{i} }} F(j)^{{t_{j} z_{i} }} $$
    (10)
    $$ K_{{j,2,{\text{GID}}_{i} }} = (F(j)^{{t_{j} }} )^{{z_{i} }} = F(j)^{{t_{j} z_{i} }} $$
    (11)

    set

    $$ {\text{SK}}_{{\text{Out}},{\text{GID}}_{i}} = \{ S_{i} , K_{j,1,{\text{GID}}_{i}} , K_{j,2,{\text{GID}}_{i}} \}_{j \in S_{i}} $$
    (12)
  • for \( 1 \le i \le m \), choose a random element \( z \in \mathbb{Z}_{p}^{*} \) and compute \( {\text{userPK}}_{{{\text{GID}}_{i} }} = \{ g^{z} ,H({\text{GID}}_{i} )^{z} \} \) and \( {\text{key}}_{{{\text{GID}}_{i} }} = \{ 1/z \}_{i} \).

  • for \( m < i \le n \) and \( j \in S_{i} \), choose random elements \( g_{j} \in G \) and \( k_{j} \in \mathbb{Z}_{p}^{*} \), compute

    \( K_{{j,1,{\text{GID}}_{i} }} = g_{j} F(j)^{{k_{j} }} \), \( K_{{j,2,{\text{GID}}_{i} }} = F(j)^{{k_{j} }} \), and set

    $$ {\text{SK}}_{{\text{Out}},{\text{GID}}_{i}} = \{ S_{i} , K_{j,1,{\text{GID}}_{i}} , K_{j,2,{\text{GID}}_{i}} \}_{j \in S_{i}} . $$
    (13)

    Notice that \( g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} \) is an element of \( G \), and \( G \) is a cyclic group, so there is an unknown element \( z_{i} \in \mathbb{Z}_{p}^{*} \) such that

    $$ g_{j} = (g^{{\alpha_{\beta } }} H({\text{GID}}_{i} )^{{y_{\beta } }} )^{{z_{i} }} = g^{{\alpha_{\beta } z_{i} }} H({\text{GID}}_{i} )^{{y_{\beta } z_{i} }} . $$
    (14)

    So \( K_{{j,1,{\text{GID}}_{i} }} = g_{j} F(j)^{{k_{j} }} = g^{{\alpha_{\beta } z_{i} }} H({\text{GID}}_{i} )^{{y_{\beta } z_{i} }} F(j)^{{k_{j} }} \) and \( K_{{j,2,{\text{GID}}_{i} }} = F(j)^{{k_{j} }} \) are distributed like a uniformly random outsourced decryption key.

  • B sends the above results to A.

Guess: A outputs a guess \( b^{{\prime }} \in \{ 0,1\} \), and B outputs the same guess.

Theorem 2.

Assuming that the q-DPBDHE2 assumption holds, the scheme in this paper supports user revocation in the random oracle model.

Proof: Follows directly from Lemmas 2 and 3.

C. Performance Comparison Analysis

This section compares and analyzes the performance of the proposed scheme against related schemes; Table 2 shows the comparison results for each scheme. We mainly carried out a functional analysis and comparison with the attribute-based encryption schemes currently proposed for mobile cloud environments.

Table 2. Performance comparison of the scheme proposed in this paper and attribute-based encryption schemes proposed for the mobile cloud environment

Except for scheme [16], which uses a single authority, all the compared schemes are multi-authority. The comparison shows that researchers choose prime-order bilinear groups to construct their schemes, because the same group operation is 1–2 orders of magnitude faster in a prime-order group than in a composite-order group, which is better suited to the mobile cloud environment.

Since the biggest difference between a mobile cloud environment and an ordinary cloud environment is the performance of the user’s terminal device, most schemes adopt techniques at the encryption and decryption stages that move the computation the user terminal would otherwise perform to a third party, so that encrypted files can be stored securely in the cloud. Schemes [13, 14] both require a central authority to certify identities; this does not prevent the central authority from corrupting the entire encryption process, and the central authority must interact with every attribute authority to exchange information, a communication cost that cannot be ignored either. Schemes [15, 17, 18] are similar to the scheme proposed in this paper, but our scheme is statically secure, which is stronger than the chosen-plaintext security of those schemes.

Our scheme borrows the mapping idea of [22] and uses a function \( F:U \to G \) to map the attribute space into the group \( G \). Scheme [22] was proposed for the ordinary cloud computing environment and does not consider precomputation; Table 3 gives the performance comparison of our scheme and the scheme of [22]. The advantage of this mapping is that the number of attributes in the system is not limited: any string can later be mapped into \( G \) and used as a new attribute. That is, our scheme supports a large attribute universe, and there is no need to fix the number of attributes when the system is set up. In addition, the scheme maps the user identifier \( GID \) into \( G \) through the function \( H \), so that users and authorities, each holding a unique identifier, achieve complete decentralization, which resists collusion attacks between users and authorities.

Table 3. Performance comparison of our scheme and [22]

In addition, the scheme in this paper also outperforms the multi-authority schemes proposed for the ordinary cloud environment in terms of user-side cost, and is better suited to users with low-end, poorly configured devices.

6 Conclusion

At present, research on secure data sharing mechanisms for the mobile cloud is still at an initial stage, and there is as yet no secure, effective and thorough trusted-deletion scheme.

The scheme proposed in this paper adopts attribute-based encryption and uses pre-computation and outsourced decryption, which effectively reduces the computational overhead of the client; it supports a large attribute universe and user revocation and requires no central authority, which better matches practical application requirements. Finally, the security of the scheme is proved in the random oracle model. Compared with related schemes, our method effectively reduces the overhead on mobile devices and is suitable for secure data sharing in mobile cloud environments.