1 Introduction

In 2005, Sahai and Waters (2005) constructed a fuzzy identity-based encryption (FIBE) scheme which is generally called attribute-based encryption (ABE) scheme now. Their original intention was to add error-tolerance into the identity-based encryption (IBE) scheme. Now, it is mainly used to realize the access control in the one-to-many system. Up to now, ABE schemes have been categorized into ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). For the former type (Bethencourt et al. 2007), the access structure is related to the ciphertext and the attributes are bound up with the private key. While in the later type (Goyal et al. 2006), the attribute is related to the ciphertext and the access structure is bound up with the private key.

ABE schemes have great value in practical applications, such as access control (Pooja et al. 2017; Huang et al. 2013), cloud computing (Shankar and Singh 2018; Havisha et al. 2017), keywords search (Wang et al. 2013), social networking (Yang et al. 2017; Li et al. 2017), Internet of Things (Li et al. 2018c, b) and so on. However, the considerable overhead of encryption and decryption is becoming the critical problem that impedes its development. Fortunately, as the development of cloud computing, outsourcing the computation to the cloud server becomes realistic.

The first ABE scheme with outsourcing property was put forward by Green et al. (2011). In their scheme, receivers are able to outsource most of their decryption operations to the cloud server without leaking the corresponding plaintext. Then, using similar method, many related schemes were proposed (Lai et al. 2013; Li et al. 2014; Zhang et al. 2017; Lin et al. 2015; Liao et al. 2018). Besides outsourcing the decryption, some scholars also realized the outsourcing of encryption (Li et al. 2012; Wang et al. 2017). Li et al. (2012) constructed a CP-ABE scheme with encryption outsourcing. In their scheme, sender just needs to do some simple operations to get partial ciphertext. Then, the cloud server will do most of the encryption operations to get the other part of ciphertext by using an outsourced encryption key. However, their scheme still needs the user to do a great amount of exponentiation operations which are related to the attributes. Wang et al. (2017) put forward a verifiable outsourced ABE scheme which realizes the encryption, decryption and key generation outsourcing. But in their scheme, the large ciphertext size will cause large waste in bandwidth.

Based on Green et al.’s scheme (Green et al. 2011), Li et al. (2018a) presented a replayable chosen ciphertext attack (RCCA) secure ABE scheme which drastically reduces the user’s computation by outsourcing both the encryption and decryption to the cloud server. In their scheme, they adopt Green et al.’s method to outsource the decryption and try a new method to outsource the encryption. Assuredly, if their scheme is secure, their scheme will have great value in practical application. However, we find that their scheme is not secure even under CPA attack which is the basic security requirement of ABE scheme, though the author defined that their scheme satisfied RCCA security. We will show that the adversary could guess the right coin \(b\in \{0,1\}\) when the adversary only knows the challenge messages \(m_0, m_1\) and the challenge ciphertext \(C_b\) in the indistinguishable game.

1.1 Contributions

In this paper, we will improve the security of Li et al.’s scheme (Li et al. 2018a). Our main contributions can be described as follows.

  • We claim that Li et al.’s scheme (Li et al. 2018a) is not secure under CPA attack which is the basic security requirement of ABE scheme. Then, we show that a CPA adversary is able to break their scheme with probability 1.

  • We improve Li et al.’s scheme such that the improved scheme is CCA2 secure in the random oracle model. We give the details of security proof which is omitted in Li et al.’s scheme.

  • The comparison shows that the improvement just adds one element to the ciphertext and does not add extra calculative burden.

1.2 Organization

The major contents and structure are arranged below. We will recall some basic concepts in Sect. 2. After that, we introduce Li et al.’s outsourced ABE scheme and illustrate why their scheme is not secure under CPA attack in Sect. 3. Our improved scheme and its analysis are provided in Sect. 4. Finally, in Sect. 5, we conclude this paper.

2 Preliminaries

In this section, we will introduce some basic concepts which will be used in this paper.

2.1 Bilinear map

Boneh and Franklin (2001) introduced the bilinear map in detail. We will give a brief review about it. Pick two multiplicative cyclic groups \(G_1\) and \(G_2\), which satisfy the bilinear map \(e:G_1\times G_1\rightarrow G_2\), with prime order p. Let g be a random generator of \(G_1\). The bilinear map e must have the following properties:

  • Bilinear The equation \(e(g^a,g^b)=e(g,g)^{ab}\) holds for any \(a,b\in \mathbb {Z}_p\) and \(g\in G_1\).

  • Non-degenerate If \(g\ne 1_{G_1}\), we have \(e(g,g)\ne 1_{G_2}\), where \(1_{G_1}\) and \(1_{G_2}\) represent identity element of \(G_1\) and \(G_2\), respectively.

  • Computability For any \(g\in G_1\), e(gg) can be computed efficiently by some algorithms.

2.2 Access structure

Definition 1

(Access Structure) For all BC, if \(B\in \mathbb {A}\) and \(B\subseteq C\), we have \(C\in \mathbb {A}\), where \(\{P_1,P_2,\ldots , P_n\}\) are a series of participants. A collection \(\mathbb {A}\subseteq 2^{\{P_1,P_2,\ldots , P_n\}}\) is monotone, if it satisfies the above condition. The access structure is a non-empty set \(\mathbb {A}\subseteq 2^{\{P_1,P_2,\ldots , P_n\}}\backslash \{\emptyset \}\). We define a set as an authorized set if it is in \(\mathbb {A}\). Otherwise, it is an unauthorized set.

2.3 Linear secret-sharing scheme

Beimel (1996) gave a definition about the linear secret-sharing scheme (LSSS). The definition is described as follows.

Definition 2

(LinearSecret-SharingScheme) For a series of parties \(\mathcal {P}\), we define \(\varPi \) as a linear secret-sharing scheme, if it satisfies the following conditions:

  • All the parties’ shares comprise a vector over \(\mathbb {Z}_p\).

  • For \(\varPi \), there is a \(l\times n\) matrix A called share-generating matrix. A function \(\rho \) maps each row of A to a party. Let \(\mathbf {v} =(s, r_2, r_3,\ldots ,r_l)^T\) be a column vector, where \(r_2\), \(r_3\),\(\ldots \), \(r_l\) are randomly chosen from \(\mathbb {Z}_p\) and \(s\in \mathbb {Z}_p\) is the sharing secret. Then, the l shares of secret s are \(A\mathbf {v}\). For each party \(\rho (i)\), the share is \(\lambda _i = A_i\mathbf {v}\).

The linear secret-sharing scheme satisfies the following linear reconstruction feature. If \(\varPi \) is a LSSS scheme for access structure \(\mathbb {A} = (A,\rho )\) and \(S\in \mathbb {A}\) is an authorized set. Let \(I=\{i:\rho (i)\in S\}\) be a subset of \(\{1,2,\ldots ,l\}\). There exist constants \(\{ \omega _i \in \mathbb {Z}_p\}_{i\in I}\) enabling \(\omega A=(1,0,\ldots ,0)\). That is to say, we can recover the shared secret as \(\sum _{i\in I} \omega _i \lambda _i=s\) if \(\{\lambda _i\}\) are the valid shares of s.

2.4 Decisional q-bilinear Diffie–Hellman exponent assumption

We adopt the definition of the decisional q-bilinear Diffie–Hellman exponent (q-BDHE) problem from Waters (2011). Choose a random cyclic group \(G_1\) with prime order p. Pick two random elements \(a, s\in \mathbb {Z}_p\) and a random generator g of \(G_1\). The challenger is given \(Y=(g, g^a, g^{a^2}, \ldots , g^{a^q}, g^{a^{q+2}}, \ldots , g^{a^{2q}}, g^s)\) and \(T\in G_2\). The challenger must decide if the T is randomly chosen from \(G_2\) or \(T=e(g,g)^{a^{q+1}s}\in G_2\).

We define that a probabilistic polynomial time (PPT) algorithm can solve the decisional q-BDHE problem with advantage \(\varepsilon \) if:

$$\begin{aligned} \begin{aligned} \mathrm{Adv}_\mathcal {B}^{q-\mathrm{BDHE}}&=Pr[B(Y , T = e(g,g)^{a^{q+1}s}) = 0]\\&-Pr[B(Y , T = R) = 0]\\&\ge \varepsilon . \end{aligned} \end{aligned}$$

Definition 3

We define that the decisional q-BDHE assumption holds if there does not exist a PPT algorithm that can solve the decisional q-BDHE problem with non-negligible advantage.

2.5 System model

Our system model still follows Li et al.’s outsourced ABE model (Li et al. 2018a).

  • Setup(kU) The key generation center takes as input a security parameter k and the universal attribute set U. Then, it generates the system parameter Param and the master key MK.

  • KeyGen(ParamMKS) The key generation center takes as input the system parameter Param, the master key MK and a set \(S\subseteq U\) of attributes. It outputs the private key SK and the decryption transformation key DTK.

  • ETKGen(UParam) The user takes the universal attributes U and the system parameter Param as input, then generates a encryption transformation key ETK.

  • Encrypt The encryption algorithm is performed by two parties: the local user and the cloud server.

    • \(Local(Param, m, ETK, \mathbb {A})\) With the input of the system parameter Param, the plaintext m, the access structure \(\mathbb {A}\) and the encryption transformation key ETK, the user generates the partial ciphertext UC and the outsourcing parameter OP.

    • \(Cloud\)\((OP)\) The cloud server outputs the total ciphertext C with the input of the outsourcing parameter OP.

  • Transform(CDTK) With the input of the decryption transformation key DTK and the ciphertext C, the cloud server generates the transformed ciphertext CT.

  • Decrypt(SKCT) The user takes as input the private key SK and the transformed ciphertext CT. Then, it does some simple decryption operations to get the plaintext.

2.6 Security model

In this subsection, we will introduce two security models: (selectively) chosen plaintext attack (CPA) security model and (selectively) adaptive chosen ciphertext attack (CCA2) security model. Both in these two models, the adversary \(\mathcal {A}\) and the challenger \(\mathcal {B}\) will play an indistinguishable game.

2.6.1 CPA security model

  • Init The challenger \(\mathcal {B}\) is given the decisional q-BDHE challenge parameters. The adversary \(\mathcal {A}\) provides \(\mathcal {B}\) with a challenge access structure \(\mathbb {A}^*=(A^*, \rho ^*)\).

  • Setup\(\mathcal {B}\) runs the setup algorithm and sends the system parameter Param to the adversary.

  • Phase I The challenger answers the adversary’s queries for the private key SK and the decryption outsourced key DTK for the set S which does not satisfy the access structure \((A^*, \rho ^*)\).

  • Challenge\(\mathcal {A}\) chooses two messages \(m_0, m_1\) of the same length and sends them to the challenger \(\mathcal {B}\). Then \(\mathcal {B}\) chooses \(b\in \{0, 1\}\) randomly and encrypts \(m_b\) under \((A^*, \rho ^*)\). The ciphertext \(C_b\) is returned to \(\mathcal {A}\).

  • Phase II This stage is the same as Phase I.

  • Guess\(\mathcal {A}\) outputs its guess \(b'\in \{0,1\}\) for b.

The advantage for \(\mathcal {A}\) to win the game can be defined as:

$$\begin{aligned} \mathrm{Adv}_{\mathcal {A}}^\mathrm{CPA}=\left| Pr[b=b']-\frac{1}{2}\right| . \end{aligned}$$

2.6.2 CCA2 security model

  • Init and Setup These two algorithms are the same as they are in the CPA security model, respectively.

  • Phase I\(\mathcal {B}\) builds a blank table \(\mathcal {T}\) and answers the adversary’s repeated queries as follows:

    • Create(S) For the attribute set S, it runs the algorithm KeyGen to compute the decryption transformation key DTK and the private key SK. Finally, it stores the tuple (S, SK, DTK) into the table \(\mathcal {T}\) and sends the DTK to the adversary \(\mathcal {A}\).

    • Corrupt(S) If there is a tuple (SSKDTK) in the table \(\mathcal {T}\), \(\mathcal {B}\) will return SK to \(\mathcal {A}\) . Otherwise, it returns \(\bot \).

    • Decrypt(SC) For the adversary’s decryption queries, the challenger firstly searches the table \(\mathcal {T}\) to obtain the tuple (S, SK, DTK). If the tuple does not exist, it returns \(\bot \). Otherwise, it decrypts the ciphertext C by running the Decrypt algorithm and returns the corresponding plaintext to \(\mathcal {A}\).

  • Challenge\(\mathcal {A}\) sends two challenge messages \(m_0\), \(m_1\) of the same length to \(\mathcal {B}\). Then, \(\mathcal {B}\) flips a coin to get b and encrypts \(m_b\in \{m_0, m_1\}\) into the challenge ciphertext \(C_b\). After that, it sends \(C_b\) to \(\mathcal {A}\). In this stage, the outsourcing parameter \(OP^*\) for the challenge message can be accessed by the adversary.

  • Phase II For the adversary’s query, the challenger repeats Phase I, but refuses to decrypt \(C_b\).

  • Guess\(\mathcal {A}\) outputs its guess \(b'\) for b.

The advantage for \(\mathcal {A}\) to win the game can be defined as:

$$\begin{aligned} \mathrm{Adv}_{\mathcal {A}}^\mathrm{CCA2}=\left| Pr[b=b']-\frac{1}{2}\right| . \end{aligned}$$

3 Li et al.’s scheme

We firstly recall Li et al.’s scheme (Li et al. 2018a) before analyzing it.

3.1 Construction of their scheme

Their scheme contains six phases: Setup, KeyGen, ETKGen, Encrypt, Transform, Decrypt. The details are described as follows:

  • Setup(kU) The key generation center takes as input a secure parameter k and the universal set \(U=\{1, 2,\ldots , u\}\) of attributes. It generates two multiplicative cyclic groups \(G_1, G_2\) of prime order p, where \(G_1\) and \(G_2\) satisfy the bilinear map \(e:G_1\times G_1\rightarrow G_2\), and a hash function \(H:G_1^3 \rightarrow \mathbb {Z}_p\). Then, it picks a generator g of \(G_1\), \(\alpha , a\in \mathbb {Z}_p^*\) and \( h_1, h_2,\) ..., \(h_u\in G_1\) randomly, where \(h_1,h_2,\ldots ,h_u\) are related to the attributes. Finally, it publishes the system parameter:

    $$\begin{aligned} Param=(G_1, G_2, g, e(g, g)^\alpha , g^a, h_1, h_2,\ldots , h_u, H) \end{aligned}$$

    and keeps the master key \(MK=(\alpha ,a)\) secretly.

  • KeyGen(ParamMKS) With the input of the system parameter Param, the master key MK and a set \(S \subseteq U\) of attributes, the key generation center randomly chooses \(t, z\in \mathbb {Z}_p^*\) and computes \(K=g^\alpha g^{a t}\), \(K_0=g^t\), \(K_x=h_x^t\) for all \(x\in S\). Finally, it publishes the decryption transformation key \(DTK=(K^z, K_0^z,\)\(\{K_x^z\}_{x\in S})\) and computes the private key \(SK= z^{-1}\)(mod p).

  • ETKGen(UParam) Each user takes the universal attribute set U and the system parameter Param as input and picks a random element \(\gamma \in \mathbb {Z}_p\). Then, it outputs the encryption transformation key \(ETK=(\gamma , \{h_x^\gamma \})\), where \(x\in U\). Unlike the DTK, the ETK should be kept secretly.

  • Encrypt In this phase, the encryption results come from two parties: the local user and the cloud server.

    • Local(\(Param, m, ETK, \mathbb {A}\)): The user takes as input the system parameter Param, the plaintext \(m\in G_2\), the encryption transformation key ETK and an access structure \(\mathbb {A}=(A, \rho )\), where A is a \(l \times n\) matrix and the function \(\rho \) maps each row of matrix A to an attribute. Then, it randomly picks elements \(d, s\in \mathbb {Z}_p\) and a vector \(\mathbf {v} = (s, r_2,\dots , r_n)^T\in \mathbb {Z}_p^n\). After that, it computes the shares \(\{\lambda _i= A_i\cdot \mathbf {v}\}_{i\in \{1,\ldots ,l\}}\) of the secret s, where \(A_i\) denotes the i-th row of A. Finally, the user outputs the partial ciphertext:

      $$\begin{aligned} UC=\big (C_1=m\cdot e(g, g)^{\alpha s}, C_2=g^s, C_3=g^{sr}\big ), \end{aligned}$$

      where \(r=H(C_1, C_2, m)\). Meanwhile, the user generates the outsourcing parameter:

      $$\begin{aligned} OP=\big (\lambda _i- d, -sr-\gamma , g^{a d}\cdot h_{\rho (i)}^\gamma \big ), \end{aligned}$$

      where \(i=1,2,\dots ,l\). Then, it sends OP to the cloud server.

    • Cloud(OP): After getting the outsourcing parameter OP, the cloud server computes the other part of the ciphertext \({\{{\overline{C}}_i\}_{i\in \{1,2,\ldots ,l\}}}\), where

      $$\begin{aligned} {\overline{C}}_i = (g^a)^{\lambda _i - d}\cdot g^{a d}\cdot h_{\rho (i)}^\gamma \cdot h_{\rho (i)}^{-sr-\gamma } = g^{a \lambda _i}\cdot h_{\rho (i)}^{-sr}. \end{aligned}$$

      Finally, the full ciphertext C is composed as:

      $$\begin{aligned} C= \Big (C_1, C_2, C_3, \{{\overline{C}}_i\}_{i\in \{1,2,\ldots ,l\}}\Big ). \end{aligned}$$

  • Transform(CDTK) With the input of the ciphertext C for \(\mathbb {A}\) and DTK for an attribute set S, the cloud server defines a set \(I=\{i:\rho (i)\in S\}\). It then is able to compute \(\{\omega _i\in \mathbb {Z}_p\}_{i\in I}\) such that \(\sum _{i\in I}\omega _i\lambda _i=s\) if S satisfies \(\mathbb {A}\). Finally, it computes the transformation ciphertext:

    $$\begin{aligned} \begin{aligned} CT&=\frac{e(K^z, C_2)}{\prod _{i\in I} \big (e(K_0^z, {\overline{C}}_i)\cdot e(K_{\rho (i)}^z, C_3)\big )^{\omega _i}}\\&= e(g, g)^{\alpha sz}. \end{aligned} \end{aligned}$$

  • Decrypt(SKCT) The user uses the private key SK and the transformation ciphertext CT to compute:

    $$\begin{aligned} m=\frac{C_1}{CT^{SK}} \end{aligned}$$

    and if the result satisfies the equation:

    $$\begin{aligned} C_3=C_2^{H_1(C_1, C_2, m)}, \end{aligned}$$

    it returns the message m.

3.2 Analysis of their scheme

We now prove that the above scheme is insecure under CPA attack.

From the definition of the CPA security model, after querying and receiving some private keys, the adversary \(\mathcal {A}\) chooses two challenge messages \(m_0, m_1\) of the same length and sends them to the challenger. The challenger encrypts the message \(m_b\), where \(b\in \{0, 1\}\), then it returns the ciphertext \(C_b=(C_1, C_2, C_3, \{{\overline{C}}_i\})\) to the adversary. After receiving the challenge ciphertext \(C_b\), the adversary \(\mathcal {A}\) chooses a message from \(\{m_0\), \(m_1\}\). Suppose \(\mathcal {A}\) chooses \(m_0\). Then \(\mathcal {A}\) computes \(r'=H(C_1\), \(C_2, m_0)\) and \(C_3'=C_2^{r'}\). If \(C_3=C_3'\) holds, the adversary can determine that \(b=0\). Otherwise, it determines that \(b=1\). By this way, the adversary knows whether \(m_b\) is \(m_0\) or \(m_1\) with probability 1. That is to say, the scheme cannot satisfy the CPA security. As we know, if a scheme cannot satisfy CPA security, it cannot also satisfy RCCA security.

4 The improved scheme

Focusing on the security of Li et al.’s scheme(Li et al. 2018a), we propose the following CCA2 secure scheme.

4.1 Construction

  • Setup(kU) This phase is similar to the above scheme, except that our scheme picks two secure hash functions \(H_1: G_2\times G_1\times G_2\times \mathbb {Z}_p\rightarrow \mathbb {Z}_p\) and \(H_2: G_2\rightarrow \mathbb {Z}_p\). So, the system parameter is: \(Param=\)

    $$\begin{aligned} (G_1, G_2, g, e(g, g)^\alpha , g^a, h_1, h_2,\ldots , h_u, H_1,H_2) \end{aligned}$$

    and the master key is: \(MK=\alpha \).

  • KeyGen(ParamMKS) This phase is similar to the KeyGen phase in Li et al.’s scheme. The key generation center also chooses a random element \(z\in \mathbb {Z}_p^*\), and it computes the private key \(SK= z\) and the decryption transformation key \(DTK=\big (K^{1/z}, K_0^{1/z},\)\(\{K_x^{1/z}\}_{x\in S}\big )\).

  • ETKGen(UParam) This phase is the same as the ETKGen phase in the above scheme.

  • Encrypt This phase is interactively implemented by the cloud server and the local user.

    • Local\((Param, m, ETK, \mathbb {A})\) The input parameters are the same as the above scheme, and the message m belongs to \(\mathbb {Z}_p\). The user randomly picks elements \(W\in G_2\), \(d, s, r_2, r_3\),..., \(r_n\in \mathbb {Z}_p\) and constructs vector \(\mathbf {v} = (s, r_2,\ldots , r_n)^T\in \mathbb {Z}_p^n\). After that, it computes the shares \(\{\lambda _i= A_i\cdot \mathbf {v}\}_{i\in \{1,2,\ldots ,l\}}\) of the secret s. Finally, it outputs the user’s ciphertext: \(UC=(C_1\), \(C_2, C_3, C_4)\), where

      $$\begin{aligned} C_1= & {} W\cdot e(g,g)^{\alpha s},\\ C_2= & {} g^s,\\ C_3= & {} g^{sr},\\ C_4= & {} H_2(W)\oplus m, \end{aligned}$$

      and \(r=H_1(C_1, C_2, m, W)\). At the same time, it computes the blinding factors \((g^a)^{d}\cdot h_{\rho (i)}^\gamma \), \(-\frac{s}{r}-\gamma \) and \(\frac{\lambda _i}{r} - d\) for all \(i=1,2,\ldots ,l\) and sends the outsourcing parameter

      $$\begin{aligned} OP=\big (r, \frac{\lambda _i}{r}- d, -\frac{s}{r}-\gamma , g^{a d}\cdot h_{\rho (i)}^\gamma \big ) \end{aligned}$$

      to the cloud server.

    • \(Cloud\)\((OP)\) After receiving the outsourcing parameter OP, the cloud server can compute the other part of the ciphertext \(\{{\overline{C}}_i\}_{i\in \{1,2,\ldots ,l\}}\), where

      $$\begin{aligned} \begin{aligned} {\overline{C}}_i&= \Big ((g^a)^{\frac{\lambda _i }{r}- d}\cdot g^{a d}\cdot h_{\rho (i)}^\gamma \cdot h_{\rho (i)}^{-\frac{s}{r}-\gamma }\Big )^r\\&= g^{a \lambda _i}\cdot h_{\rho (i)}^{-s}. \end{aligned} \end{aligned}$$

      Finally, the full ciphertext is composed as:

      $$\begin{aligned} C = \Big (C_1, C_2, C_3, C_4, \{{\overline{C}}_i\}_{i\in \{1,\ldots ,l\}}\Big ). \end{aligned}$$

  • Transform(CDTK) This phase is also similar to the above scheme, but \(C_3\) in their equation is replaced by \(C_2\). That is to say the method to compute CT is:

    $$\begin{aligned} \begin{aligned} CT&=\frac{e(K^{1/z}, C_2)}{\prod _{i\in I} \big (e(K_0^{1/z}, {\overline{C}}_i)\cdot e(K_{\rho (i)}^{1/z}, C_2)\big )^{\omega _i}}\\&= e(g, g)^{{\alpha s}/z}. \end{aligned} \end{aligned}$$

  • Decrypt(SKCT) After receiving the transformed ciphertext CT, the user computes:

    $$\begin{aligned} W=\frac{C_1}{CT^{SK}}. \end{aligned}$$

    Then, it computes: \(m=H_2(W)\oplus C_4\). If the result satisfies the equation \(C_3=C_2^{H_1(C_1, C_2, m, W)}\), it returns the plaintext m.

4.2 Security analysis

We now prove that our improved scheme is CCA2 secure in the random oracle model.

Theorem

Suppose \(\mathcal {A}\) is a CCA2 attacker who can attack our improved scheme with advantage \(\varepsilon \). Then, there will be a challenger \(\mathcal {B}\) that has the same advantage to solve the decisional q-BDHE problem.

  • Init The challenger \(\mathcal {B}\) is given the decisional q-BDHE challenge parameters YT. The adversary \(\mathcal {A}\) provides a challenge access structure \(\mathbb {A}^*=(A^*, \rho ^*)\) to B, where \(A^*\) is a \(l^*\times n^*\) matrix and \(n^*\le q\). The challenger’s goal is to determine whether T is \(e(g,g)^{a^{q+1}s}\in G_2\) or is chosen from \(G_2\) randomly.

  • Setup The challenger \(\mathcal {B}\) picks \(\alpha ' \in \mathbb {Z}_p\) randomly and implicitly sets \(\alpha = \alpha ' + a^{q+1}\). In this phase, the challenger does not know the value of \(\alpha \) exactly, but it can compute: \(e(g,g)^\alpha = e(g^a, g^{a^q})e(g,g)^{\alpha '}\). And for each \(x\in U\), it randomly chooses \(z_x \in \mathbb {Z}_p\). If for one particular i, the equation \(\rho ^*(i)=x\) holds, then the challenger sets \(h_x = g^{z_x}\cdot g^{aA_{i,1}^*}\cdot g^{a^2A_{i,2}^*}\ldots g^{a^{n^*}A_{i,n^*}^*}\). Otherwise, it sets \(h_x = g^{z_x}\).

  • Phase I\(\mathcal {B}\) firstly initializes three blank tables \(\mathcal {T}_0\), \(\mathcal {T}_1\) and \(\mathcal {T}_2\). The following steps are the challenger’s answers to the adversary’s queries.

    • \(\textit{H}_1(C_1, C_2, m, W)\)\(\mathcal {B}\) searches the table \(\mathcal {T}_1\) to find if there exists a tuple \((C_1, C_2,\)mWr). If not, it picks a random element \(r\in \mathbb {Z}_p\) which is different from all the values of r in the table \(\mathcal {T}_1\). Then, it stores the tuple (\(C_1, C_2, m, W, r\)) into the table \(\mathcal {T}_1\) and returns r. Otherwise, it returns the corresponding r directly.

    • \(\textit{H}_2(W)\)\(\mathcal {B}\) searches the table \(\mathcal {T}_2\) to find if there exists a tuple \((W, \omega )\). If not, it picks a random element \(\omega \in \mathbb {Z}_p\) which is different from all the values of \(\omega \) in the table \(\mathcal {T}_2\). Then, it stores the tuple (\(W, \omega \)) into the table \(\mathcal {T}_2\) and returns \(\omega \). Otherwise, it returns the corresponding \(\omega \) directly.

    • Create(S) Because \(\mathcal {A}\) cannot ask for the private key of the attributes set S which satisfies the challenge structure \(\mathbb {A}^*\). So for the attribute set S which does not satisfy \(\mathbb {A}^*\), \(\mathcal {B}\) computes the private key as follows.

      According to the construction of the access structure, the challenger can find a vector \(\mathbf {w} = (w_1,w_2\), \(\ldots \), \(w_{n^*})^T\in \mathbb {Z}_p^{n^*}\), where \(w_1=-1\) such that \(A_i^*\cdot \mathbf {w}= 0\) for all i where \(\rho ^*(i) \in S\). Then, it randomly chooses \(r\in \mathbb {Z}_p\) and defines t as:

      $$\begin{aligned} t = r+w_1a^q+w_2a^{q-1} + \cdots +w_{n^*}a^{q-n^*+1}. \end{aligned}$$

      After that, for the set S of attributes, it computes:

      $$\begin{aligned} K_0= & {} g^r\prod _{i=1,\ldots ,n^*}(g^{a^{q+1-i}})^{w_i} = g^t,\\ K= & {} g^{\alpha '}g^{ar}\prod _{i=2,\ldots n^*}(g^{a^{q+2-i}})^{w_i} = g^\alpha g^{at}. \end{aligned}$$

      If there exist a i such that the equation \(\rho ^*(i)=x\) holds, the challenger creates \(K_x = \)

      $$\begin{aligned} \begin{aligned}&K_0^{z_x}\prod _{j=1,\ldots ,n^*}\big (g^{a^j\cdot r} \prod _{\begin{array}{c} k=1,\ldots ,n^*\\ k\ne j \end{array}}(g^{a^{q+1+j-k}})^{w_k}\big )^{A_{i,j}^*} \\&\quad =h_x^t. \end{aligned} \end{aligned}$$

      Otherwise, it computes \(K_x=K_0^{z_x}=h_x^t\). It randomly picks \(z\in \mathbb {Z}_p\) as the private key and computes the decryption transformation key: DTK= \((K^{1/z}\), \(K_0^{1/z}\), \({K_x}^{1/z})\). After that, it stores the tuple (S, SKDTK) into the table \(\mathcal {T}_0\) and sends DTK to \(\mathcal {A}\).

    • Corrupt(S) Suppose the adversary does not query the private key for a set S, where S satisfies \(\mathbb {A}^*\). The challenger firstly searches the table \(\mathcal {T}_0\) to get the tuple (S, SK, DTK). If the tuple does not exist, it returns \(\bot \). Otherwise, it returns SK.

    • Decrypt(SC) For the adversary’s decryption queries, the challenger performs the following steps.

      • It searches the table \(\mathcal {T}_1\) to get the tuples \((C_1\), \(C_2, m_i, W_i, r_i)\). If there is not such a tuple it returns \(\bot \).

      • Otherwise, for each i, it compares \(C_3\) with \(C_2^{r_i}\). If there is an i such that \(C_3=C_2^{r_i}\), it stamps the tuple \((C_1, C_2, m_i, W_i, r_i)\). We note that the i is unique because the challenger always chooses different r for \(H_1(C_1\), \(C_2, m, W)\).

      • Then, it searches the table \(\mathcal {T}_2\) to get the tuple \((W_i, \omega _i)\). If \(m_i=\omega _i\oplus C_4\), it returns \(m_i\). Otherwise, it returns \(\bot \).

  • Challenge In this phase, we will introduce how to generate the challenge ciphertext. The adversary \(\mathcal {A}\) sends two messages \(m_0, m_1\) of the same length to the challenger \(\mathcal {B}\). Then, \(\mathcal {B}\) flips a coin b and encrypts \(m_b\in \{m_0, m_1\}\). It chooses \(W\in G_2\) and \(r, \omega \in \mathbb {Z}_p\) randomly. The partial ciphertext is \(C_b=(C_1^*\), \(C_2^*, C_3^*, C_4^*)\), where

    $$\begin{aligned} \begin{aligned} C_1^*&= WTe(g^{\alpha '}, g^s), \\ C_2^*&= g^s, \\ C_3^*&= g^{sr}, \\ C_4^*&= \omega \oplus m_b. \end{aligned} \end{aligned}$$

    The challenger picks \(y_2, y_3,\ldots , y_{n^*}\in \mathbb {Z}_p\) randomly and computes:

    $$\begin{aligned} \mathbf {v} = (s, sa+y_2, sa^2+y_3,\ldots ,sa^{n^*-1}+y_{n^*})^T. \end{aligned}$$

    Then, it picks \(y, r_1, r_2,\ldots ,r_{l^*}\in \mathbb {Z}_p\) and sets \(\gamma = -\frac{s}{r}-y\), \(d_i = \frac{\lambda _i}{r}-r_i\). That is to say, \(y= -\frac{s}{r} -\gamma \) and \(r_i =\frac{\lambda _i}{r}-d_i\). For all \(i\in \{1,\ldots ,l^*\}\), it can compute:

    $$\begin{aligned} \begin{aligned} (g^a)^{d_i}\cdot h_{\rho (i)}^\gamma&=(g^a)^{\frac{\lambda _i}{r}-r_i}\cdot h_{\rho (i)}^{-\frac{s}{r}-y}\\&= (g^a)^{\frac{\lambda _i}{r}}\cdot h_{\rho (i)}^{-\frac{s}{r}}\cdot g^{-a{r_i}}\cdot h_{\rho (i)}^{-y}\\&= \Big (\big (\prod _{j=1,\ldots ,n^*}(g^a)^{A_{i,j}^*y_j}\big )\big (g^s\big )^{-z_{\rho ^*(i)}}\Big )^{\frac{1}{r}}\cdot \\&\qquad g^{-ar_i}\cdot h^{-y}. \end{aligned} \end{aligned}$$

    After that it publishes the outsourcing parameter:

    $$\begin{aligned} OP^*=\big (r, \{r_i\}, y, \{(g^a)^{d_i}\cdot h_{\rho (i)}^\gamma \}\big ) \end{aligned}$$

    and computes:

    $$\begin{aligned} \begin{aligned} \{{\overline{C}}_i^*&= \Big ((g^a)^{r_i}(g^a)^{d_i}\cdot h_{\rho (i)}^\gamma \cdot h_{\rho (i)}^y\Big )^{{r}}\\&= g^{a \lambda _i}\cdot h_{\rho (i)}^{-s}\}_{i\in \{1,\ldots ,l^*\}}. \end{aligned} \end{aligned}$$

    Finally, the challenger returns the ciphertext:

    $$\begin{aligned} C_b = \big (C_1^*, C_2^*, C_3^*, C_4^*, \{{\overline{C}}_i^*\}_{i\in \{1,\ldots ,l^*\}}\big ). \end{aligned}$$

  • Phase II This phase is similar to phase I, but \(\mathcal {A}\) cannot query for decrypting the challenge ciphertext \(C_b\).

  • Guess The adversary \(\mathcal {A}\) gives its guess \(b'\) for b. The challenger determines that T is the tuple \(e(g,g)^{a^{q+1}s}\) if \(b'=b\). Otherwise, it guesses that T is chosen randomly from \(G_2\).

Table 1 Performance comparison
Full size table

If T is the tuple \(e(g,g)^{a^{q+1}s}\), the challenger provides the adversary with a perfect attack environment. So the probability for the challenger to win the challenge is:

$$\begin{aligned} Pr[\mathcal {B}(Y, T = e(g,g)^{a^{q+1}s}) = 1] = \frac{1}{2} +\varepsilon . \end{aligned}$$

If T is randomly chosen from \(G_2\), the message \(m_b\) is hidden from the adversary completely. And the advantage for the challenger to win the game is:

$$\begin{aligned} Pr[\mathcal {B}(Y , T = R) = 1] = \frac{1}{2}. \end{aligned}$$

Accordingly, the challenger has non-negligible advantage \( \varepsilon \) to solve the decisional q-BDHE problem, because:

$$\begin{aligned} \begin{aligned} Adv_\mathcal {B}^{q-BDHE}&=Pr[B(Y , T = e(g,g)^{a^{q+1}s}) = 1]\\&-Pr[B(Y , T = R) = 1]\\&=\varepsilon . \end{aligned} \end{aligned}$$

4.3 Performance

Now, we will analyze the performance of our improved scheme. We first compare the communication cost, the computation cost, the checkability and the security among our scheme and other outsourced ABE schemes (Green et al. 2011; Lin et al. 2015; Qin et al. 2015; Wang et al. 2017; Li et al. 2018a). Because we mainly change the encryption stage of Li et al.’s scheme, the computation and communication cost will be simplified to encryption time and ciphertext size, respectively. In Green et al.’s scheme, we choose their CP-ABE scheme which satisfies RCCA security. For the encryption time, we only compare the exponentiation time which is the main operation. The details are shown in Table 1, where \(l, l_1, l_2, t_1, t_2\) denote the number of rows of matrix A, the element length of \(G_1\), the element length of \(G_2\), the exponentiation time over \(G_1\) and the exponentiation time over \(G_2\), respectively. Comparing with Li et al.’s scheme, to achieve CCA2 security, we just add one element to the ciphertext and the encryption time is the same, which means we do not increase the complexity of the ciphertext and computational burden.

In order to make the comparison more concrete, we compute the specific value of the user’s encryption time according to Liao et al.’s experimental result (Liao et al. 2017) in Table 1 of their paper. The author implemented their protocol using PBC library on a computer of Windows XP operating system with Intel Core i5-3210M (2.50 GHz) and 4 GB RAM. We provide the details for \(l=10\) in Table 2. Besides the computations in Table 1, the computation results in Table 2 also include the multiplication over \(G_1\) and \(G_2\). We find that, among these schemes, our scheme and Li et al.’s scheme perform better. Compared with Li et al.’s scheme, our scheme will not add extra computational burden while increasing security.

Table 2 The user’s encryption time comparison
Full size table

5 Conclusion

In our work, we firstly reviewed Li et al.’s scheme and proved that their scheme is insecure under CPA attack. After that, we proposed an improved scheme which is CCA2 secure in the random oracle model. Finally, by comparing with other schemes, our improved scheme did not add extra computational burden to the user while improving security.