A new verifiable outsourced ciphertext-policy attribute based encryption for big data privacy and access control in cloud

Abstract

The foremost security concerns for big data in the cloud are privacy and access control. Ciphertext-policy attribute based encryption (CP-ABE) is an effective cryptographic solution for above concerns, but the existing CP-ABE schemes are not suitable for big data in the cloud as they require huge computation time for encryption and decryption process. In this paper, we propose a new verifiable outsourced CP-ABE for big data privacy and access control in the cloud. Our scheme reduces the computational overhead of encryption and decryption by outsourcing the heavy computations to the proxy server. Our scheme also verifies the correctness of the data along with the outsourcing computations. Further, our scheme limits the data access for a set of users instead of providing an infinite number of times data access, which is essentially required for commercial applications. In security analysis, we prove that our scheme is secure against chosen plain-text attack, collusion and proxy attacks. Performance analysis proves that our scheme is efficient.

1 Introduction

Due to the increased use of internet technology and digitization, the data has become a significant factor for the organizational growth. This lead to the advent of a new paradigm called the big data. The main characteristics of big data are volume, which refers to the huge size of data, the variety which refers to the data that may be structured, unstructured, or semi-structured and veracity which refers to the data that is generated in a rapid manner, so data could be collected and processed rapidly (Khan et al. 2014). The traditional database system like RDBMS do not support to storage and processing of big data due to huge volume and variety. So, the organizations require more investments in buying huge computing infrastructures, scalable storages, networking, distributed databases, platforms, frameworks and softwares, etc., but the cloud computing provides all the required facilities as pay-per-use model. It also reduces the infrastructure maintenance, software update, and management costs at local premises (Voorsluys et al. 2011). Hence, the cloud is an effective platform to store and process the big data.

Although cloud provides lots of benefits, the organizations are not moving big data to the cloud because of the security and privacy challenges (Takabi et al. 2010; Gupta et al. 2016) in the cloud. The foremost important security issues are disclosing of sensitive data to unauthorized users by the cloud and unauthorized users data access. Hence, an encryption is required to protect the sensitive information and also giving access rights only to authorized users for accessing the data.

CP-ABE scheme is a promising solution for data privacy along with fine-grained access control in cloud environment. In CP-ABE, the data owner encrypts the data with defined access structure or policy and stores it into the cloud. The data users can access the data only if their attributes satisfy the access structure in the cipher-text. Many CP-ABE schemes are in the literature (Bethencourt et al. 2007; Cheung and Newport 2007; Waters 2011; Deng et al. 2014; Zhang et al. 2016, 2017b; Jiang et al. 2017; Li et al. 2017b, 2018a, b), but directly applying these schemes for big data privacy and access control in cloud is a computationally intensive task because they suffered with huge encryption and decryption computation costs due to cipher-text size and requirement of exorbitant pairing operations respectively.

In order to reduce the computational overhead, the heavy encryption and decryption computations are outsourced to the cloud server (Ma et al. 2013; Xiang and Tang 2015; Ye et al. 2018) or to the proxy server (Kumar et al. 2018). Many outsourced CP-ABE schemes were proposed. Green et al. (2011) proposed CP-ABE scheme with outsourced decryption and Zhang et al. (2017a) proposed CP-ABE scheme with outsourced encryption and decryption computations, but these scheme have not checked the correctness of outsourced computations. Verifiable outsourced decryption in CP-ABE schemes were proposed (Qin et al. 2015; Lin et al. 2015; Mao et al. 2016; Li et al. 2017a; Wang et al. 2017b), but these schemes suffered with encryption computational overhead. Later, CP-ABE with verifiable outsourced encryption and decryption schemes were proposed (Ma et al. 2015; Wang et al. 2017a; Li et al. 2018c), but again these schemes are also not suitable for big data due to huge communication and computation overhead.

Moreover, all of the above schemes provide access control in an all or none fashion, that is the authorized users can access the data at any number of times, or no access is given to unauthorized users. Any commercial application such as accessing course tutorial samples, software trial download, application user interface experience, audio and video access, etc. may require restricted data access permission, such as two times access or three times access, etc. Hence, it is required to design a verifiable outsourced CP-ABE scheme that requires less communication and computation overhead along with a flexible access control (limited data access for the set of users) for big data.

In this paper, we propose a new verifiable outsourced CP-ABE (NVO-CP-ABE) for big data privacy and access control in the cloud with the following salient features.

1. 1.

   In our scheme, all the inflated computations of encryption and decryption are outsourced to a proxy server to reduce the computation overhead.

2. 2.

   Our scheme also reduces the data user’s storage overhead by storing user’s secret key in the proxy server without compromising the security.

3. 3.

   Our scheme verifies the correctness of the encrypted message and also verifies the correctness of outsourced encryption and decryption computations.

4. 4.

   Our scheme provides an option to restrict the set of authorized user’s data access with fixed number of times instead of unlimited access which makes it convenient to use this scheme in the commercial applications.

5. 5.

   Our scheme is secure against chosen plain-text attack (CPA), user collusion attack, proxy malfunction attack, and proxy-user collusion attack.

6. 6.

   Our scheme achieves better efficiency when compared to other existing outsourced CP-ABE schemes in the literature.

The rest of the paper is structured as follows. Section 2 gives the related work in the literature. In Sect. 3, we introduce the mathematical preliminaries, definitions and security model associated with NVO-CP-ABE scheme. The NVO-CP-ABE model is discussed in Sect. 4. Section 5 describes the NVO-CP-ABE construction in detail. Sections 6 and  7 explains the security and performance analysis respectively, and the work ends with a conclusion in Sect. 8.

2 Related works

Attribute based encryption was introduced by Sahai and Waters (2005). There are two variations in attribute based encryption such as key-policy attribute based encryption (KP-ABE) and CP-ABE. Goyal et al. (2006) first introduced KP-ABE with an access tree as access structure. In KP-ABE, the data is encrypted with set of descriptive attributes and the user can decrypt the data only if the access structure of the user secret key satisfies the set of attributes in the cipher-text. Bethencourt et al. (2007) first introduced CP-ABE scheme with tree access structure. When compared to KP-ABE, the CP-ABE is more appropriate to provide access control because the data owner has the control over the data. CP-ABE schemes with different access structures were proposed. CP-ABE scheme with AND access structure was proposed by Cheung and Newport (2007), Linear Secret Sharing Scheme (LSSS) matrix access structure was proposed by Waters (2011), Ordered Binary Decision Diagram (OBDD) access structure was proposed by Li et al. (2017b). Generally, CP-ABE schemes suffered with huge encryption and decryption computational overhead.

Outsourcing heavy encryption and decryption computation tasks to the cloud server or to the proxy server is one of the efficient solution to reduce the computational overhead. De and Ruj (2015) proposed the decentralized access control in the cloud with fast encryption and outsourced decryption, but there was no mechanism to verify the correctness of the outsourced decryption computations in this scheme. Zhang et al. (2017a) proposed fully outsourced attribute based encryption scheme in which major computation task such as key generation, encryption and decryption are outsourced to the cloud server. Though the partial computations of different algorithms are based on untrusted cloud sever, there is no mechanism to verify whether the cloud server computed correct results or not. Moreover, they generated the cipher-text from two outsourcing intermediate cipher-text, even though this improves the hardness of security, but it lacks its efficiency in computation and communication.

Qin et al. (2015) proposed symmetric key encryption based verifiable outsourced decryption CP-ABE scheme in which the hash function is used to verify the message correctness and decryption computation correctness. Lin et al. (2015) proposed the verifiable outsourced decryption for both key-policy and cipher-text policy context. Mao et al. (2016) proposed the generic verifiable outsourced decryption CP-ABE construction in which they proved the security in both chosen plain-text attack and chosen cipher-text attack. Li et al. (2017a) proposed a fully verifiable outsourced decryption for CP-ABE scheme, but this scheme suffered with heavy computation overhead because of some extra random message added to generate cipher-text to map with the unauthorized users. Wang et al. (2017b) proposed multi-authority based verifiable outsourced decryption for cloud access control. In all of the above schemes, the authorized data user can access the data any number of times, but some commercial applications require limited data access. Ning et al. (2018) proposed auditable outsourced attribute based encryption with sigma-time access for authorized users in cloud computing. This scheme only verifies the outsourced computation, but not the correctness of message.

All the above outsourced decryption schemes focus only on reducing data users higher decryption overhead with verification, but does not focus on data owners higher encryption computational overhead. Ma et al. (2015) proposed CP-ABE for access control in the cloud which supports verifiable and exculpable outsourcing encryption and decryption computation. Xiong and Sun (2017) proved Ma et al. (2015) scheme failing to provide the verifiable property for outsourced encryption, and concluded that outsourcing encryption with verification is a challenging open issue. Wang et al. (2017a) proposed the CP-ABE with outsourced and verifiable computation for key generation, encryption and decryption. However, this scheme suffered with large cipher-text size and could not verify the correctness of outsourced decryption. Li et al. (2018c) proposed the fuzzy encryption with efficient verifiable outsourced attribute based encryption in which the heavy computation task of encryption and decryption is outsourced to cloud. In this scheme, the authors verified the correctness of the message and outsourced computation using a hash function. All the above outsourced CP-ABE schemes are not specially designed for big data in the cloud.

3 Preliminaries

Here, we give all the mathematical preliminaries, definitions and security model associated with NVO-CP-ABE scheme. More precisely, the bilinear pairing, Decisional Bilinear Diffie–Hellman assumption, Shamir secret sharing, access structure, CP-ABE framework, and security model are presented.

3.1 Bilinear pairing

Definition 1

A bilinear mapping function over additive cyclic group \(G_{s}\) and multiplicative cyclic group \(G_{t}\) of prime order p is defined as \(G_{s} \times G_{s} \rightarrow G_{t}\), which satisfies the below properties.

1. 1.

   Bilinearity For \(\mathfrak {g} \in G_{s}, a,b \in Z_{p}\), \(\varrho (\mathfrak {g}^a,\mathfrak {g}^b)\) = \(\varrho (\mathfrak {g},\mathfrak {g})^{ab}\) where \(\mathfrak {g}\) be the generator of group \(G_{s}\).

2. 2.

   Non-degeneracy \(\varrho (\mathfrak {g},\mathfrak {g}) \ne 1\)

3. 3.

   Computability There exists an efficient algorithm to compute \(\varrho (\mathfrak {g},\mathfrak {g})\).

3.2 Decisional bilinear Diffie–Hellman (DBDH) assumption

Definition 2

Let \(G_{s}\) and \(G_{t}\) are group of prime order p. Let \(\mathfrak {g}\) be the generator of group \(G_{s}\) and a, b, c \(\in Z_{p}\). We define the DBDH problem as follows: For the given input \(\mathfrak {g}\), \(\mathfrak {g}^a\), \(\mathfrak {g}^b\), \(\mathfrak {g}^c \in G_{s}\), the adversary must distinguish a valid tuple \(\varrho (\mathfrak {g},\mathfrak {g})^{abc} \in G_{t}\) from the random element \(R \in G_{t}\). An algorithm \(\mathfrak {B}\) that outputs \(\sigma \in \{0, 1\}\) has advantage \(\epsilon\) in solving the DBDH problem in \(G_{s}\) if:

$$\begin{aligned} |Pr[\mathfrak {B}(\mathfrak {g}, \mathfrak {g}^a, \mathfrak {g}^b, \mathfrak {g}^c, \varrho (\mathfrak {g},\mathfrak {g})^{abc} = 0]&- \\ \quad Pr[\mathfrak {B}(\mathfrak {g}, \mathfrak {g}^a, \mathfrak {g}^b, \mathfrak {g}^c, R = 0]| \ge \epsilon .&\end{aligned}$$

Definition 3

The DBDH assumption holds if no probabilistic polynomial time algorithm has a non-negligible advantage in solving DBDH problem.

3.3 Shamir secret sharing

Shamir secret sharing (Shamir 1979) is a cryptographic technique designed by Adi Shamir, which helps us to protect the secret value. The basic idea of this technique is to divide the secret into different pieces and give it to N-number of participants. Out of N-number of participants, K-number of participants combine together to reconstruct the secret. The secret share generation steps are as follows.

1. 1.

   Choose the secret value S.

2. 2.

   Choose K−1 random coefficients and generate the polynomial f of K − 1 degree. Let \(f(x) = S + f_{1}x^1 + \cdots + f_{K-1}x^{K-1}\), where f(0) = S.

3. 3.

   Compute and give the shares f(x) to parties where x = 1 to N

The share reconstruction is possible only if K-participants combine their shares to obtain the secret using the Lagrange interpolation formula. The formula is as follows.

$$\begin{aligned} f(x)& = \sum _{j=1}^{k} f_{j}(x) \\ f_{j}(x) &=\, y_{j} \times \prod _{i=1, i \ne j}^k \frac{x - x_{i}}{x_{j} - x_{i}} \end{aligned}$$

In CP-ABE, the participants role is taken by the attributes. In our scheme, we use Shamir secret sharing technique for providing access control.

3.4 Access structure

Definition 4

Let \({P_{1},P_{2},\ldots ,P_{n}}\) be a set of parties. A collection \(\mathbb {A} \subseteq 2^{P_{1},P_{2},\ldots ,P_{n}}\) is monotone if \(\forall B,C\) : if \(B \in \mathbb {A}\) and \(B \subseteq C\), then \(C \in \mathbb {A}\). An access structure (monotone access structure) is a collection (monotone collection) \(\mathbb {A}\) of non-empty subsets of \({P_{1},P_{2},\ldots ,P_{n}}\), that is \(\mathbb {A} \subseteq 2^{P_{1},P_{2},\ldots ,P_{n}} \backslash \{\phi \}\). The sets in \(\mathbb {A}\) are called the authorized sets, and the sets that are not in \(\mathbb {A}\) are called the unauthorized sets.

In CP-ABE context, the role of the parties is taken by the attributes. Thus, the access structure \(\mathbb {A}\) will contain the authorized sets of attributes.

3.4.1 Access tree

We employ the access tree as an access structure in the proposed work which consists of a set of nodes in which all the attributes are stored in leaf-nodes and the threshold gates (AND, OR) are stored in the non-leaf nodes. All the child nodes are assigned an integer number serially starting from 1 to \(cn_{x}\). Let \(cn_{x}\) be the number of children for the node x. Let \(t_{x}\) be the threshold value of the node x. The threshold value should be between 1 and \(cn_{x}\). For OR gate, it is one and for AND gate it is \(cn_{x}\). We define few functions which helps us to facilitate working with access tree. The parent(x) function gives the parent node of the node x. The index(x) function returns the integer number assigned to the node x and att(x) function gives us the attribute name of the node x.

Definition 5

Satisfying an access tree Let T be an access tree with root r. \(T_{x}\) denotes the subtree of T rooted at the node x. Hence T is the same as \(T_{r}\). If a set of attributes \(\delta\) satisfies the access tree \(T_{x}\), then it denotes \(T_{x}(\delta )\) = 1. We compute \(T_{x}(\delta )\) recursively as follows. If x is a non-leaf node, evaluate \(T_{x}^{'}(\delta )\) for all children \(x^{'}\) of node x. \(T_{x}(\delta )\) returns 1 if and only if at least \(t_{x}\) children return 1. If x is a leaf node, then \(T_{x}(\delta )\) returns 1 if and only if att(x) \(\in \delta\).

3.5 CP-ABE framework

The CP-ABE framework consists of four algorithms such as Setup, Encrypt, KeyGen and Decrypt.

• Setup This algorithm takes the security parameter d as input and outputs the public key PK and master secret key MSK.

• Encrypt This algorithm takes the public key PK, the message M and the access structure \(\tau\) as inputs and outputs the ciphertext C.

• KeyGen The set of user attributes \(\delta\), the master secret key MSK are the inputs for this algorithm and it outputs the user secret key S.

• Decrypt This algorithm returns message M or \(\perp\). It returns M if the user attributes satisfies the access structure otherwise it returns \(\perp\). It takes the input of public key PK, ciphertext C and user secret key S.

3.6 Security model

In security model, we define the following security game between challenger and adversary to prove the security of our scheme against chosen plain-text attack. This game captures the indistinguishability of messages and the collusion-resistance of user secret keys. There are six steps involved in the game as listed below:

Initializing game The adversary sends the challenge access structure to the challenger and requests for public key.

Setup phase The challenger generates the public key, master secret key using SystemSetup algorithm and sends the public key to the adversary.

Query phase 1 The adversary sends the set of attributes to the challenger and requests for the secret key. The challenger generates the secret key and sends the same to the adversary.

Challenge The adversary sends two equal size messages \(M_{0}\) and \(M_{1}\) to the challenger and requests for the cipher-text. The challenger receives both the messages and encrypts one message based on the random bit value \(\sigma \in \{0, 1\}\).The challenger then returns the cipher-text to adversary.

Query phase 2 The adversary may request the different queries similar to the query phase 1 and the challenger also responses back for the queries to adversary as same like in query phase 1.

Guess The adversary submits the guess \(\sigma '\) for \(\sigma\) whether it is 0 or 1. The adversary wins the game if the guess \(\sigma '\) is equal to \(\sigma\). The probabilistic advantage of adversary winning the game is Pr [\(\sigma\) = \(\sigma '\)] − \(\frac{1}{2}\).

Definition 6

The proposed NVO-CP-ABE scheme is said to be secure against CPA if no probabilistic polynomial time adversaries have non-negligible advantage in the above game.

4 NVO-CP-ABE system model

In this section, we present the NVO-CP-ABE system model, framework, security threats, and objectives of the proposed work.

4.1 System model

The proposed NVO-CP-ABE system consists of six entities such as cloud server, proxy server, trusted authority, data owner, data users, and third party auditor as shown in Fig. 1.

Fig. 1

Architecture of our NVO-CP-ABE scheme

Cloud server (CS) The cloud server has a large volume of storage capacity, and provides the storage as the service to the data owner to store the data and gives the data access to the proxy server. The CS is untrusted in our scheme.

Proxy server (PS) The semi-trusted proxy server performs the outsourced encryption and outsourced decryption computations for data owner and data users respectively. PS stores the user secret key and it also verifies the user data access limit before performing the outsourced decryption computations.

Trusted authority (TA) The trusted authority performs the following tasks (1) generates the public parameter such as public key and master secret key (2) registers the new user, that is generates user id and assigns the number of permissible data access (3) generates the user global secret key and user secret key.

Data owner (DO) The fully trusted data owner defines the access structure and generates the part of cipher-text. After generating the cipher-text, DO uploads the cipher-text into the CS.

Data users (DU) The data users can decrypt the data only if their attributes satisfies the access structure and data access limit is within the permissible access limit. The data users are untrusted in our scheme.

Third party auditor (TPA) The fully trusted TPA verifies the correctness of the message, outsourced encryption and decryption computations.

In our system model, TA initially generates the public key, master secret key and sends the public key to data owner to encrypt the message. After getting the public key, DO defines the access structure, and requests the intermediate cipher-text (outsource the heavy encryption computations) to PS. Once PS has generated the intermediate cipher-text, it sends to DO. DO sends the intermediate cipher-text to TPA for outsourced computation verification, and simultaneously, DO computes the other part of the cipher-text. If TPA sends the success response, then DO assembles the cipher-text and uploads the data in to the cloud. In order to preserve the data privacy, DO encrypts the data before storing it into the cloud.

Whenever, the DU wants to access the data, DU requests partially decrypted cipher-text from PS. PS first checks the corresponding user data access limit, if it is within the limit then it computes partially decrypted cipher-text and sends to the DU. After receiving the partially decrypted cipher-text, DU verifies the correctness of outsourced decryption and encrypted data with the help of TPA. TPA returns the exact key to DU if the encrypted data is not modified, outsourced decryption computations are correct, and the user attributes satisfies the access structure in the cipher-text. Finally, DU decrypts the data successfully.

4.2 Framework

The different algorithms involved in the NVO-CP-ABE scheme are defined as follows:

SystemSetup(d) \(\rightarrow\)(PK, MSK): TA executes this algorithm, and it takes the security parameter d as input and produces the public key (PK) and master secret key (MSK) as an output.

UserSetup(UL)\(\rightarrow\)(UID, UL): TA executes this algorithm with the input of user list and it outputs the UID and UL.

Encrypt_Preproc(\(\tau\)) \(\rightarrow\) (s_v, \(sh\_v_{x}):\) DO executes this algorithm. It takes the access tree (\(\tau\)) as input and it outputs the secret value (\({s\_v}\)) and share value (\(sh\_v_{x}\)) of all the attributes in the access tree.

Encrypt_outsource (\(PK, {s\_v},sh\_v_{x},\tau )\rightarrow ICT:\) The proxy server executes this algorithm. It takes the input of public key (PK), secret value (s_v), share value of each attributes in the access tree (\(sh\_v_{x}\)), access tree (\(\tau\)) and it returns the intermediate cipher-text (ICT).

Encrypt_owner(\(\tau\), PK, M, ICT) \(\rightarrow\) C: The DO performs this algorithm. It takes the input of an access tree (\(\tau\)), public key (PK), message (M), an intermediate cipher-text (ICT) and it returns the cipher-text (C).

Verify_outsource_enc(\(sh\_v_{x}\), PK, ICT) \(\rightarrow\) flag (1 or 0): The TPA verifies whether the intermediate cipher-text (ICT) is correct or not by using the share value of each attributes (\(sh\_v_{x}\)), public key (PK) and intermediate cipher-text (ICT) as inputs. If the outsourced computation is correct, then it returns the flag = 1, otherwise flag = 0.

KeyGeneration(UID, MSK, UL, \(\delta\)) \(\rightarrow\)(S, UGSK) or \(\perp\): First, TA checks if the user is a registered user or not. If registered user, then TA generates user global secret key (UGSK) and the secret key (S) for the given input of user id (UID), master secret key (MSK), user list (UL), set of user’s attributes (\(\delta\)). It returns S and UGSK for registered users otherwise it returns \(\perp\).

Decrypt_outsource(UL, C, S) \(\rightarrow\)(PDCT,\(E_{key}(M)\), CT3, VK) or \(\perp\): The proxy server executes this algorithm using user list (UL), cipher-text (C), user secret key (S) and produces the output which consist of partially decrypted cipher-text (PDCT), encrypted data (\(E_{Key}(M)\)), cipher-text component (CT3), and verification key (VK) or it returns \(\perp\) when the user data access limit exceeds.

Verify_outsource_dec(PDCT,\(E_{key}(M)\), CT3, VK, UGSK)\(\rightarrow\)Key or 0: This algorithm is executed by the TPA with the input of partial decrypted cipher-text (PCT), cipher-text parameter (CT3), encrypted message (\(E_{key}(M)\)), verification key (VK), and user global secret key (UGSK). It returns decryption Key or 0.

Decryption_user(flag)\(\rightarrow\) (M or \(\perp\)): The data user executes this algorithm. It takes the input of outsourced decryption verification flag and outputs the message M or \(\perp\).

4.3 Security threats

Here, we define the threats that breaches the security of our NVO-CP-ABE scheme.

1. 1.

   Chosen plain-text attack The adversary trying to reveal entire or part of the data by getting cipher-text for his/her arbitrary plain-text.

2. 2.

   User collusion attack The two unauthorized data users combine their secret key component and try to access the data.

3. 3.

   Proxy server attack The proxy server could skip or not perform computation properly during outsourced encryption and decryption that causes the entire scheme to fail, and also tries to access the plain text using the cipher-text and stored user secret key.

4. 4.

   Proxy server and unauthorized user collusion attack The unauthorized users can combine with proxy server and try to access the plain-text.

4.4 Objectives

The main purpose of the proposed scheme is to develop a new verifiable outsourced CP-ABE scheme for big data access control in the cloud with the following objectives.

Privacy Protect the personal or sensitive data from unauthorized users in the cloud.

Access control Allow only authorized users to access the data.

Limited data access Our scheme is flexible to allow the authorized users to access the data at any number of times or restrict the data access with fixed number of times, which improves the usability of this scheme in commercial applications.

Security Provide the security against chosen plain-text attack, user collusion attack, proxy malfunction attack, and proxy-user collusion attack.

Efficiency Reduce the computation overhead of encryption and decryption process by outsourcing heavy computations to the proxy server and also improve the efficiency of the outsourced encryption and decryption computation algorithms by designing short cipher-text and less number of pairing operations required.

Correctness Verify the correctness of the message and the outsourced encryption and decryption computations.

5 Construction of NVO-CP-ABE scheme

In this section, we present the algorithmic construction of our NVO-CP-ABE scheme. NVO-CP-ABE scheme consists of four different phases such as setup, data encryption, key generation, and data decryption. The detailed algorithmic construction of these phases is explained below.

5.1 Setup phase

The main purpose of this phase is to generate the public parameters and the user registration. This phase consists of two algorithms such as SystemSetup, and UserSetup.

5.1.1 SystemSetup

SystemSetup algorithm is used to generate the public parameters. Let U be the universal attribute set. Let UL be the user list in the system. Let \(G_{s}\) be additive cyclic group of prime order p and \(G_{t}\) be the multiplicative cyclic group of prime order p. Let \(\mathfrak {g}\) be the generator of group \(G_{s}\). Let \(\varrho : G_{s} \times G_{s} \rightarrow G_{t}\), which denotes the bilinear map. Now, TA generates the public key and master secret key with the following steps.

1. 1.

   Initialize UL = \(\perp\)

2. 2.

   Select random value \(\alpha\) from \(Z_{p}\).

3. 3.

   Choose random value ’\(t_{j}\)’ for each attributes in U from \(Z_{p}\), and compute \(T_{j} = \mathfrak {g}^{t_{j}}\), j = 1 to n; n is number of attributes in U.

4. 4.

   Compute Y = \(\varrho (\mathfrak {g},\mathfrak {g})^\alpha\)

5. 5.

   Return PK = (\(\mathfrak g\), Y, \(T_{j}\): j=1, 2, ..., n), MSK = (\(\alpha\), (t1, t2, t3, ..., tn ))

5.1.2 UserSetup

Whenever the user joins the system, UserSetup algorithm is used to register the users and set the permissible number of data access for the users.

1. 1.

   Generates unique identification number (UID) from \(Z_{p}\)

2. 2.

   Assign the maximum number of data access limit to acccnt. If the user is permitted to access any number of times without limit then assign acccnt = \(-1\)

3. 3.

   Add UID and acccnt in UL

4. 4.

   Return UID and UL

At the end, the TA sends the UID to the user.

5.2 Data encryption phase

In this phase, we explain how the cipher-text is generated and uploaded into the cloud. There are four algorithms involved in this encryption phase such as Encrypt_Preproc, Encrypt_outsource, Encrypt_owner, and Verify_outsource_enc.

5.2.1 Encrypt_Preproc

The purpose of this algorithm is to find the secret share value for each attributes in the access tree which is used to provide the access control. The data owner first defines the access structure (\(\tau\)) and gives it as the input to this algorithm. It returns \(s\_v\), \(sh\_v_{x}\) as output. The steps involved in the algorithm are as follows:

1. 1.

   Choose a random number s_v from \(Z_{p}\)

2. 2.

   Lets r0 be the root node of access tree and \(r_{x}\) be the threshold value of the node x. Perform the following steps for each node of the access tree starting from the root node. if x = r0 then

   1. (a)

      Polynomial \(q_{r0}\) is chosen randomly with the degree \(r_{r0}-1\) and \(q_{r0}(0) = s\_v\)

   2. (b)

      The secret s_v is divided into a number of shares according to the number of child nodes available for root node r0. Find out the shares \(s\_v_{y}\) for each child node using secret sharing scheme \(s\_v_{y} = q_{r0}(index(y))\), y denotes the child node attributes of r0.

   else

   1. (a)

      Polynomial \(q_{x}\) with the degree \(r_{x}-1\) is chosen randomly for every child node.

   2. (b)

      Check if x is a leaf node or not, if found to be a leaf node then compute \(q_{x}(0)\) as \(q_{x}(0) = s\_v_{x} = q_{parents(x)}(index(x))\).

   3. (c)

      For all non leaf nodes x, again \(s\_v_{x}\) is further divided into shares \(s\_v_{y}\) using secret sharing scheme and assign it to each child node. \(s\_v_{y} = q_{x}(index(y))\).

3. 3.

   Let LN denotes all the available leaf nodes in the access tree and for each leaf node x in LN, \(sh\_v_{x} = s\_v_{x}\)

4. 4.

   Return (s_v, \(\forall x \in LN: sh\_v_{x}\))

The DO sends s_v and \(\forall x \in LN: sh\_v_{x}\) to proxy server to compute the intermediate cipher-text.

5.2.2 Encrypt_outsource

After receiving the share values and PK from DO, the PS generates the part of cipher-text with the following steps.

1. 1.

   Compute CT1 = \(\mathfrak {g}^{s\_v}\)

2. 2.

   Let LN denote all the available leaf nodes in the access tree, and for each leaf node j in LN, Compute \(CT_{j} = T_{j}^{sh\_v_{j}} = \mathfrak g^{t_{j}{q_{j}(0)}}\)

3. 3.

   Returns ICT = (CT1, \(\forall j \in LN:CT_{j}\))

Then proxy server sends the intermediate cipher-text ICT to the data owner.

5.2.3 Encrypt_owner

Once receiving the intermediate cipher-text ICT from proxy, the data owner sends the request to TPA for checking the correctness of proxy computations. Simultaneously, DO generates part of cipher-text and verification key (VK) for the message and decryption outsourcing computations using the collusion-resistance hash function. The following are the steps involved in generating the complete cipher-text.

1. 1.

   Choose random number t \(\in Z_{p}\)

2. 2.

   Compute CT2 = \(\mathfrak g^t\)

3. 3.

   Choose random number key\(\in Z_{p}\)

4. 4.

   Compute CT3 = \((key).Y^t\) = key.\(\varrho (\mathfrak {g},\mathfrak {g})^{\alpha t}\)

5. 5.

   Encrypt the data using symmetric key encryption algorithm \(E_{key}(M)\)

6. 6.

   Compute VK = H(Key, \(E_{key}(M)\)), where H is the collusion-resistance hash function.

7. 7.

   Return C = (\(\tau , E_{key}(M)\), CT1, \(\forall j \in LN: CT_{j}\), CT2, CT3, VK)

After generating cipher-text and receiving the TPA verification flag, the DO uploads the C into the cloud server if the TPA returns flag = 1.

5.2.4 Verify_outsource_enc

Once receiving the verification request from DO, TPA verifies the correctness of proxy computations. If proxy outsourced encryption is correct, then it returns flag = 1, otherwise it returns the flag = 0. This algorithm takes the input \(sh\_v_{x}\), PK, ICT and performs the following verification step.

\(\varrho (\mathfrak g, CT_{j})\) = \(\varrho (\mathfrak g^{sh\_v_{j}}, T_{j})\)\(\forall j \in LN\)

\(\varrho (\mathfrak g, \mathfrak g^{t_{j}.q_{j}(0)})\) = \(\varrho (\mathfrak g^{ q_{j}(0)},\mathfrak g^{t_{j}})\)\(\forall j \in LN\)

\(\varrho (\mathfrak g, \mathfrak g) ^{t_{j}.q_{j}(0)}\) = \(\varrho (\mathfrak g,\mathfrak g)^{t_{j}.q_{j}(0)}\)\(\forall j \in LN\)

5.3 User key generation phase

In this phase, the TA generates user secret key and user global secret key for all registered users of the system using KeyGeneration algorithm.

KeyGeneration The trusted authority generates the S and UGSK for every user as follows with the inputs of UID, MSK, UL, and the set of user’s attributes \(\delta\).

1. 1.

   If UID \(\in\) UL, then performs the following otherwise return S = \(\perp\)

2. 2.

   Choose random number k from \(Z_{p}\) and assigns UGSK = k

3. 3.

   Choose random number \(\gamma\)\(\in\)\(Z_{p}\).

4. 4.

   Compute SK1 = \(\mathfrak {g}^{(\alpha +\gamma )UGSK}\)

5. 5.

   Compute SK2 = \(\mathfrak {g}^\gamma\)

6. 6.

   For each attribute \(a_{j}\) in \(\delta\), compute \(SK_{j}\) = \(\mathfrak {g}^{\frac{\gamma }{t_{j}}}\)

7. 7.

   Return S = (SK1, SK2, \(SK_{j}\)), UGSK

After generating the secret key, TA sends the UGSK to the user and stores the secret key (S) in the proxy server. Even though the user secret key is stored in the proxy server, the PS is not able to decrypt the data because without UGSK it is not possible to decrypt the data successfully.

5.4 Data decryption phase

In this phase, we explain how the DU decrypts the data from cipher-text. This decryption phase consists of three algorithms such as Decyprt_outsource, Verify_outsource_dec, Decrypt_user.

5.4.1 Decrypt_outsource

Whenever the user wants to access the data, the user sends the request to the proxy server for partial decrypted cipher-text. The proxy receives the cipher-text and UL from CS and first verifies whether the user data access limit is exceeded or not. If the limit is not exceeded then it computes and sends the PDCT to the user using secret key (S) which is available with PS itself.

First it reads the acccnt value from UL. If acccnt = \(-1\) or acccnt > 0 then it proceeds the following steps to compute PDCT or else it returns \(\perp\), that means the user data access limit is exceeded.

1. 1.

   acccnt = acccnt − 1 and update the acccnt value in the UL.

2. 2.

   Let’s us find out the secret share value of all the nodes in the access tree. For each leaf nodes \(x \in LN\), LN denotes the available leaf nodes in the access tree. Let \(a_{j}\) be the attribute related with leaf node x. If \(a_{j} \notin \delta\), then it returns \(\perp\), otherwise computes \(SV_{x}\).

   $$\begin{aligned} SV_{x}&= \varrho (SK_{j},CT_{j}) = \varrho (\mathfrak g^{\frac{\gamma }{t_{j}}},\mathfrak g^{q_{x}(0) t_{j}}) \nonumber \\&= \varrho (\mathfrak g, \mathfrak g)^{\frac{\gamma }{t_{j}} q_{x}(0) t_{j}} = \varrho (\mathfrak g, \mathfrak g)^{\gamma q_{x}(0)}&\end{aligned}$$
3. 3.

   Perform this step from top to bottom in the access tree. For each non-leaf nodes in the access tree, compute the share values using Lagrange interpolation formula. Let \(\rho\) denote the all the child nodes of non-leaf node x and \(\delta _{x}\) be the attributes of \(\rho\). If all child nodes share value of node x is \(\perp\), then \(SV_{x} = \, \perp\), otherwise compute \(SV_{x}\). Let i = index(\(\rho\)) and \(\delta ^{'}_{x})\) = index(\(\rho\)):\(\rho\)\(\in\)\(\delta _{x}\)

   $$\begin{aligned} SV_{x}= & {} \prod _{\rho \in \delta _{x}} (SV_{\rho })^{\triangle _{i,\delta ^{'}_{x}}(0)} \nonumber \\= & {} \prod _{\rho \in \delta _{x}} (\varrho (\mathfrak g, \mathfrak g)^{\gamma q_{\rho }(0)}) ^{\triangle _{i,\delta ^{'}_{x}}(0)} \nonumber \\= & {} \prod _{\rho \in \delta _{x}} (\varrho (\mathfrak g, \mathfrak g)^{\gamma q_{parent(\rho )}(index(\rho ))}) ^{\triangle _{i,\delta ^{'}_{x}}(0)} \nonumber \\= & {} \prod _{\rho \in \delta _{x}} \varrho (\mathfrak g, \mathfrak \ g)^{\gamma q_{\rho }(i) \triangle _{i,\delta ^{'}_{x}}(0)} \nonumber \\= \, & \varrho (\mathfrak g, \mathfrak g)^{\gamma q_{x}(0)} \end{aligned}$$
4. 4.

   Let A = \(SV_{r0} = \varrho (\mathfrak g, \mathfrak g)^{\gamma q_{r0}(0)} = \varrho (\mathfrak g, \mathfrak g)^{\gamma s}\)

5. 5.

   Compute B;

   $$\begin{aligned}&B = \varrho (SK2,CT1) = \varrho (\mathfrak g ^\gamma , \mathfrak g ^s) = \varrho (\mathfrak g, \mathfrak g)^{\gamma s}&\end{aligned}$$
6. 6.

   Compute C;

   $$\begin{aligned} C= & {} \, \varrho (SK1,CT2) = \, \varrho (\mathfrak g ^{(\alpha +\gamma )UGSK}, \mathfrak g ^t) \nonumber \\= & {} \, \varrho (\mathfrak g, \mathfrak g)^{(\alpha +\gamma )UGSK.t} \nonumber \\= & {} \, \varrho (\mathfrak g, \mathfrak g)^{\alpha t UGSK} . \varrho (\mathfrak g, \mathfrak g)^{\gamma t UGSK} \end{aligned}$$
7. 7.

   Compute D;

   $$\begin{aligned}&D = \varrho (SK2,CT2) = \varrho (\mathfrak g ^\gamma , \mathfrak g ^t) = \varrho (\mathfrak g, \mathfrak g)^{\gamma t}&\end{aligned}$$
8. 8.

   Compute PDCT1

   $$PDCT1 = \frac{A}{B} \times D = \frac{{\varrho ({\mathfrak{g}},{\mathfrak{g}})^{{\gamma s}} }}{{\varrho ({\mathfrak{g}},{\mathfrak{g}})^{{\gamma s}} }} \times \varrho ({\mathfrak{g}},{\mathfrak{g}})^{{\gamma t}} = \varrho ({\mathfrak{g}},{\mathfrak{g}})^{{\gamma t}}$$
9. 9.

   Returns PDCT = (PDCT1, PDCT2=C), CT3, VK, \(E_{\textit{k}ey}(M).\)

5.4.2 Verify_outsource_dec

Once the DU receives PDCT from PS, the DU sends the PDCT, CT3, VK, \(E_{key}(M)\), UGSK as input to TPA for verifying the correctness of the message and proxy computations. The TPA checks the correctness using the Verify_outsource_dec algorithm, and it returns decryption Key if the message and outsource computations are correct, otherwise it returns 0 to the DU. If it returns 0, it denotes any one of the following (1) the encrypted message or data may be altered (2) outsourced decryption computation by PS is wrong (3) the DU’s attributes are not satisfying the access structure in the cipher-text i.e. unauthorized user.The following are the verification steps:

1. 1.

   Compute Key

   $$\begin{aligned} \textit{Key}&= CT3 / ((PDCT2) ^{1/UGSK}/PDCT1) \\&= CT3 / \frac{(\varrho (\mathfrak g, \mathfrak g)^{\alpha t UGSK}.\varrho (\mathfrak g, \mathfrak g)^{\gamma t UGSK})^{1/UGSK}}{\varrho (\mathfrak g, \mathfrak g)^{\gamma t}} \\&= \textit{key}.\varrho (\mathfrak {g},\mathfrak {g})^{\alpha t} / \varrho (\mathfrak g, \mathfrak g)^{\alpha t}&\end{aligned}$$
2. 2.

   Compute the hash value VK1 = H(Key, \(E_{key}(M)\))

3. 3.

   If VK = VK1, then returns Key, otherwise returns 0.

5.4.3 Decrypt_user

After getting the verification status from TPA, the DU performs the following:

1. 1.

   if TPA returns Key, then

   1. (a)

      perform symmetric decryption \(D_{key}(E_{key}(M))\)

   2. (b)

      return M

2. 2.

   if TPA returns 0, then return \(\perp\)

In case, Decrypt_outsource algorithm returns \(\perp\), then Decrypt_user algorithm returns \(\perp\), which means the data access limit of the user is exceeded.

6 Security analysis

In security analysis, we prove that NVO-CP-ABE scheme is secure against the attacks that mentioned in the Sect. 4.3.

Theorem 1

NVO-CP-ABE scheme is selectively secure against CPA. The polynomial-time adversary (\(\mathcal {A}\)) cannot selectively break our NVO-CP-ABE scheme in the security game mentioned in the Sect.  3.6 if DBDH assumption holds.

Proof

In the proof, we have reduced security of the chosen plain-text attack into the DBDH assumption. It implies that if DBDH problem is solved, then the adversary can breach this scheme successfully. Construct the simulator (\(\chi\)) which performs the challenger (\(\varsigma\)) task. If \(\mathcal {A}\) wins this selectively CPA secure game with a non-negligible advantage \(\epsilon\), then \(\chi\) can solve the DBDH assumptions in \(\frac{\epsilon }{2}\). The challenger creates a basic setup to play the game. Let \(G_{s}\) be additive cyclic group of prime order p and \(G_{t}\) be the multiplicative cyclic group of prime order p. Let \(\mathfrak {g}\) be the generator of \(G_{s}\). The bilinear mapping function defined as \(\varrho : G_{s} \times G_{s} \rightarrow G_{t}\) and pick a, b, c \(\in Z_{p}\) as random values. The \(\varsigma\) tosses the coin \(\sigma \in\) {0, 1} and defines \(\mathfrak {Z} = \varrho (\mathfrak {g},\mathfrak {g})^{abc}\) when \(\sigma\) = 0, otherwise defines \(\mathfrak {Z} = \mathfrak {R}\), and let \(\mathfrak {R}\) be the random value from \(G_{t}\). Now the \(\varsigma\) gives the basic setup to the simulator and the responsibility to play the game. The challenge given to the simulator is \((\mathfrak {g}, A, B, C, \mathfrak {Z}) = (\mathfrak {g}, \mathfrak {g}^a, \mathfrak {g}^b, \mathfrak {g}^c, \mathfrak {Z})\). Now the challenger for adversary is simulator, the simulator starts playing the game with the adversary.

Initializing game The \(\mathcal {A}\) selects the defy access structure \(\tau ^*\) and gives the same to \(\chi\).

Setup phase In this phase, the simulator generates public parameters such as public key and master secret key and sends the PK to \(\mathcal {A}\). For generating PK, the simulator randomly chooses \(\kappa \in Z_{p}\) and let \(\alpha = ab+\kappa\). Then, it computes \(Y =\varrho (\mathfrak {g},\mathfrak {g})^{{\alpha}} =\varrho (\mathfrak {g},\mathfrak {g})^{{\mathfrak {ab}}+\kappa } =\varrho (\mathfrak {g},\mathfrak {g})^{\mathfrak {ab}}.\varrho (\mathfrak {g},\mathfrak {g})^{ {\kappa }}\).

Next it computes \(T_{j}\), by choosing a random number \(t_{j} \in Z_{p}\) for all attributes \(a_{j}\) in U.

$$\begin{aligned} T_{j} = {\left\{ \begin{array}{ll} \mathfrak {g}^{b/t_{j}} = B^{1/t_{j}}, \quad {\text {if}} \, a_{j} \notin \tau ^* \\ \mathfrak {g}^{t_{j}}, \quad {\text {if}} \, a_{j} \in \tau ^* \end{array}\right. } \end{aligned}$$

Now the simulator sends the PK= (\(\mathfrak {g}\), Y, \(T_{j}\): j=1, 2, ..., n) similar to the original scheme to the adversary.

Query phase 1 In this phase, the adversary requests the simulator for the secret key for set of attributes \(\delta ^{*} = \{a_{j} | a_{j} \in U\}\) with the constraint \(a_{j} \notin \tau ^*\). First, select a random number and compute the as same as in the KeyGeneration algorithm. Choose the random number \(\gamma ' \in Z_{p}\) and compute the secret key as per the algorithm.

Compute \(SK1^{*}= \mathfrak {g}^{(\kappa +\gamma 'b)UGSK} = \mathfrak {g}^{(\alpha - ab+\gamma 'b)UGSK} = \mathfrak {g}^{(\alpha +\gamma 'b-ab)UGSK} = \mathfrak {g}^{(\alpha +(\gamma 'b-ab))UGSK}.\) Thus \(\gamma\) = \(\gamma 'b-ab\).

Compute \(SK2^{*}= \mathfrak {g}^{\gamma } = \mathfrak {g}^{\gamma 'b-ab}\)

Compute \(SK_{j}^{*}= \mathfrak {g}^{\frac{\gamma}{t_{j}}} = \mathfrak {g}^{\frac{\gamma 'b-ab \times t_{j}}{b}} = \mathfrak {g}^{\frac{(\gamma '-a)b \times t_{j}}{b}} = \mathfrak {g}^{\gamma ' t_{j}-a t_{j}} = A^{-t_{j}}.\mathfrak {g}^{\gamma ' t_{j}}\).

After generating the secret key \(S^{*}=(SK1^{*}, SK2^{*}, SK_{j}^{*})\), UGSK, the simulator sends it to \(\mathcal {A}.\)

Challenge Adversary submits two identical size messages \(M_{0}\) and \(M_{1}\) to the simulator. The \(\chi\) tosses a binary coin (\(\sigma\)), and encrypts the message based on the value \(\sigma\). First, execute the Encrypt_Preproc algorithm to compute the secret share values for each attributes in the access tree and get the ICT = (CT1, \(\forall j \in LN:CT_{j}\)) value by executing the Encrypt_outsource algorithm. The cipher-text is computed as below. Choose a random number \(c \in Z_{p}\). Choose a random symmetric encryption key, \(key \in Z_{p}\) and encrypt the data using the key \(E_{key}(M_{\sigma })\).

\(CT2^{*} = \mathfrak {g}^ c\)

\(CT3^{*}=key.\varrho (\mathfrak {g},\mathfrak {g})^{\alpha .c}\)=\(key. \varrho (\mathfrak {g},\mathfrak {g})^{(ab+\kappa ).c}\) = \(key. \varrho (\mathfrak {g},\mathfrak {g})^{abc}.\)\(\varrho (\mathfrak {g},\mathfrak {g})^{\kappa .c}\)= \(key. \mathfrak {Z}. \varrho (\mathfrak {g},\mathfrak {g})^{\kappa .c}\).

Send the challenge cipher-text \(C^{*}\)=(\(\tau ^*\), \(E_{key}(M_{\sigma })\), \(CT1^*\), \(CT2^*\), \(CT3^*\), \(\forall j \in LN: {CT_{j}}^{*})\) to the adversary.

Query phase 2 Adversary may ask the secret key repeatedly same as in query phase 1 with same constraints. The simulator also does the same as in query phase 1 whenever there is a request from adversary.

Guess Adversary submits the guess \(\sigma ' \in \{0, 1\}\) to the simulator for \(\sigma\). If \(\sigma =\sigma '\) then simulator outputs that \(\sigma\) = 0, so \(\mathfrak {Z} = \varrho (\mathfrak {g},\mathfrak {g})^{abc}\) which is a well-founded cipher-text. Hence, the advantage of adversary is \(Pr [\sigma = \sigma ' | \mathfrak {Z} = \varrho (\mathfrak {g},\mathfrak {g})^{abc}] = \frac{1}{2} + \epsilon\), otherwise the simulator outputs that \(\sigma = 1\), so \(\mathfrak {Z} = \mathfrak {R}\), which is mapped to random. So the disadvantage of the adversary which is not to get information is \(Pr [\sigma \ne \sigma '| \mathfrak {Z} = \mathfrak {R}] = \frac{1}{2}\).

Henceforth, on the whole advantage of the simulator to solve the DBDH assumption is \(\frac{1}{2} (Pr [\sigma = \sigma ' | \sigma = 0] + \frac{1}{2} Pr [\sigma \ne \sigma ' | \sigma = 1]) - \frac{1}{2}= \frac{\epsilon }{2}\), thus NVO-CP-ABE scheme is secure against chosen plain-text attack.

Theorem 2

NVO-CP-ABE scheme is free from user collusion attack.

Proof

In our scheme, the secret key S = (SK1, SK2, \(SK_{j}\)) is stored in the proxy server and the USGK alone is given to the DU. Whenever the user wants to access the data, the user first sends the request to PS for PDCT. The PS computes PDCT using C = (\(\tau , E_{key}(M)\), CT1, CT2, CT3, \(\forall j \in LN: CT_{j}\)), S and sends it to the DU. That means, the user won’t have a chance to hold or store their secret key, so it is not possible to share the secret key component with other users. Thus NVO-CP-ABE scheme is free from user collusion attack.

Theorem 3

NVO-CP-ABE scheme is secure against proxy malfunction and attack.

Proof

In our scheme, the semi-trusted proxy server is involved in three major tasks such as performing partial encryption task, partial decryption task and storing the user secret key on behalf of data users. Following are the three possible malfunctions and attacks that might be caused by a PS.

Case 1 Malfunction during partial encryption computation: While executing Encrypt_outsource algorithm by the PS, the PS may give the intermediate cipher-text to DO without computing all the steps. If that happens, then, it is not possible to reconstruct the exact secret value during decryption even for the authorized users, which means no one can access the data. To secure the system and to identify the malfunction of PS, DO verifies whether PS computed intermediate cipher-text ICT = (CT1, \(\forall j \in LN:CT_{j}\)) is correct or not with the help of TPA using Verify_outsource_enc algorithm. Thus, our scheme NVO-CP-ABE is secure from malfunction of PS during outsourcing encryption computation.

Case 2 Malfunction during partial decryption computation: While executing Decrypt_outsource algorithm by the PS, the PS may avoid or skip some pairing computations and gives the incorrect partially decrypted cipher-text to DU. This affects the smooth functioning of the system by restricting the data access even for the authorized users. To secure the system and to find out the malfunction of PS, DU verifies whether PS computed PDCT=(PDCT1, PDCT2) is correct or not with the help of TPA using Verify_outsource_dec algorithm. If Verify_outsource_dec algorithm returns the value zero means that PS has performed some malfunction. Thus our scheme NVO-CP-ABE is secure from malfunction of PS during outsourcing decryption computation.

Case 3 Proxy attack - PS tries to access the data: The entire user secret key is stored in PS, so PS may try to decrypt with the help of stored user’s secret key. But PS is not able to decrypt the cipher-text because it requires UGSK, but UGSK is only available with the user. Even if PS is trying to obtain plain-text without UGSK, PS will not exactly get \(\varrho (\mathfrak {g},\mathfrak {g})^{\alpha t}\) value. Without \(\varrho (\mathfrak {g},\mathfrak {g})^{\alpha t}\), it unable to obtain the key. Thus our scheme is secure against proxy server attack.

Theorem 4

NVO-CP-ABE scheme is secure against proxy and unauthorized user collusion attack.

Proof

In our scheme, the secret key and UGSK is generated for every registered user. The secret key is stored in the proxy server and UGSK is given to the user. Suppose, if the unauthorized user tries to collude with proxy server to access the data, then proxy server may give the authorized user’s partially decrypted cipher-text to unauthorized user. Eventhough the unauthorized user gets the PDCT of authorized users still it is not possible for it to access the data because the decryption requires Key. The exact Key can be obtained only when the UGSK is bound within the PDCT and UGSK of the user is same. But in this case, PDCT binds with authorized user UGSK which is not same as the unauthorized user UGSK, so unauthorized users is not able to obtain the exact Key. Thus our scheme NVO-CP-ABE is secure against proxy and unauthorized user collusion attack.

Theorem 5

NVO-CP-ABE scheme is to ensure the message correctness property.

Proof

In our scheme, the DO generates the verification key VK = H(Key, \(E_{key}(M)\)) using collusion resistance function to verify the correctness of the message and outsourced decryption computations. The DU verifies the correctness of the message and proxy computed decryption with the help of TPA. The TPA finds the hash value VK1= H(Key, \(E_{key}(M)\)) for the obtained key and encrypted message received from proxy server. If the computed hash value (VK1) is same as VK, then we conclude that the message is not modified and the proxy computation is also correct, otherwise we assume that the message is modified or proxy computation is wrong. Thus our scheme ensures the message correctness.

7 Performance analysis

In performance analysis, we evaluate the performance of NVO-CP-ABE scheme theoretically as well as experimentally. The different notations used in performance analysis are listed in Table 1.

Table 1 Notations used in performance analysis

7.1 Theoretical analysis

In theoretical analysis, we compare NVO-CP-ABE scheme with other existing schemes with respect to features, storage overheads, communication overheads, and computation overheads.

7.1.1 Feature analysis

In feature analysis, we compare the functionality of different outsourced CP-ABE schemes (Lin et al. 2015; Mao et al. 2016; Ning et al. 2018; Wang et al. 2017a) in the literature with NVO-CP-ABE scheme and it is tabulated in Table 2. We can see that Lin et al. (2015) and Mao et al. (2016) schemes outsources only the decryption computations and verifies the outsourced decryption computations. In addition, Ning et al. (2018) scheme achieves limited data access. Wang et al. (2017a) scheme achieves verifiable outsourced encryption and decryption, but this scheme is not verifying the correctness of the outsourced decryption computations and is not supporting the limited access. Our scheme achieves the verifiable outsourced encryption and decryption along with the limited data access for a set of users altogether.

Table 2 Features comparison

7.1.2 Storage overhead

Here, we consider the storage overheads of data owner and data user only. The storage overhead of DO and DU depends on the size of the public key and secret key respectively, because the data owner needs a public key for generating cipher-text and the data users needs a secret key for decrypting the cipher-text. The Table 3 gives the comparative study of storage required for DO and DU of NVO-CP-ABE scheme with existing schemes.

It is clearly noted from Table 3 that the storage overhead of DU in our scheme is highly reduced than other schemes, because the user global secret key is only stored with DU and the secret key is stored with PS. The storage overhead of the DO is also relatively better than all schemes expect Ning et al. (2018), but Ning et al. (2018) scheme suffers with DU’s high storage overhead and high DO’s computation overhead.

Table 3 Storage overhead comparison

7.1.3 Communication overhead

Table 4 compares the communication overhead of our scheme and other existing schemes. The major communication overhead happens when uploading cipher-text into the cloud, sending secret key for outsourced computations and receiving the cipher-text as an input to the decryption function. Table 4 shows that the communication overhead of our scheme between DO and CS is less than other schemes because of short cipher-text. In addition, the communication cost of our scheme between DU and PS is highly reduced because there is no secret key communication between DU and PS in our scheme.

Table 4 Communication overhead comparison

7.1.4 Computation overhead

In the computation overhead analysis, we compute the number of pairing and exponentiation operations required for owner encryption, outsourced encryption and decryption, user decryption are tabulated in Table 5. As shown in Table 5, during encryption phase, the DO in our scheme requires only 2 exponentiation operations which is less than Lin et al. (2015), Mao et al. (2016), Ning et al. (2018) and Wang et al. (2017a) schemes and the computation cost of outsourced encryption is \((n_{\tau }+1)t_{e}\) which is better than Wang et al. (2017a) scheme because our scheme requires less number of exponentiation operations. During the decryption phase, no exponentiation and pairing operations are required for DU in our scheme and the computation cost of outsourced decryption is \((n_{\delta }+3)t_{p}+n_{nl}t_{e}\) which is less than Lin et al. (2015), Mao et al. (2016), Ning et al. (2018) and Wang et al. (2017a) schemes because our scheme require less number of pairing operations. Thus, NVO-CP-ABE scheme need less computation time when compared to other schemes.

Table 5 Computation overhead comparison

7.2 Experimental analysis

Fig. 2

Secret key size comparison

Fig. 3

Cipher-text size comparison

In experimental analysis, we compare the efficiency of our scheme with Wang et al. (2017a) scheme. We implement both schemes using JetBrains PyCharm tool with charm framework (Akinyele et al. 2013). We use 512-bit base field SS512 elliptic curve from pairing based charm crypto-0.42 library and executed on an Intel core i7 processor @ 2.50 GHz, 16 GB RAM running on a windows 8 operating system and python 3.2. The results are obtained from an average of ten executions for each algorithm. The experimental results for secret key size, cipher-text size, computation time of owner encryption, proxy performed encryption and decryption, and user decryption are obtained and plotted as graphs. Figure 2 shows the growth of secret key size against number of user attributes, and Fig. 3 shows the relation between cipher-text size with respect to the number of attributes in the access policy. From Figs. 2 and 3, it is clearly observed that NVO-CP-ABE scheme has short secret key and short cipher-text than Wang et al. (2017a) scheme, which implies that NVO-CP-ABE scheme requires less communication overhead. Figure 4 shows the computation time of owner encryption against a number of attributes in the access policy. Figure 5 demonstrates the computation time of outsourced encryption against a number of attributes in access policy. Figures 4 and 5 clearly shows that computation cost of encryption phase is less than Wang et al. (2017a) scheme because of cipher-text size. The computation time of user decryption against number of user attributes is illustrated in Fig. 6. Figure 7 shows the computation time of outsourced decryption against number of user attributes. From Figs. 6 and 7, it is noted that our scheme requires less decryption phase cost than Wang et al. (2017a) scheme because of less number of pairing operations required. Thus our scheme requires less computation time in all algorithms than Wang et al. (2017a) scheme.

Fig. 4

Encryption computation time by data owner

Fig. 5

Encryption computation time by proxy

Fig. 6

Decryption computation time by data user

Fig. 7

Decryption computation time by proxy

8 Conclusion

Aiming to provide privacy and flexible access control for big data in cloud, we propose NVO-CP-ABE scheme. The NVO-CP-ABE scheme improves the computational efficiency of CP-ABE scheme for big data by outsourcing encryption and decryption computations to the proxy server. In addition, NVO-CP-ABE scheme checks the correctness of the encrypted message along with outsourced computations and supports limited data access for a set of users. The NVO-CP-ABE scheme is proved secure against CPA in the standard model, user collusion attack, and proxy attack. Theoretical analysis and experimental results show that the NVO-CP-ABE scheme is efficient in all aspects than existing schemes. Hence, NVO-CP-ABE scheme is more appropriate for big data privacy and access control in the cloud. In our future work, we will extent this work with revocation to provide the effective access control.