
1 Introduction

Cloud computing has been widely adopted in various application domains owing to its specific advantages, which enable cloud users to store their data and perform various computations on the data without incurring a high cost. It has even become the “lifeline” of many institutes and organizations. With the advent of the Internet of Things, enormous amounts of data are produced and outsourced to the cloud for storage and analysis. Data analysis helps to gain insights into related entities in the physical world, which can provide tremendous value for various applications in multifarious domains, e.g., medical [1], cybersecurity education [2], and business [3]. However, the cloud may not be fully trusted by cloud users since it may reveal or disclose the data outsourced by the cloud users or the processed results of these data, which may seriously undermine user privacy. For example, to train the future generation or employees with cybersecurity skills, customized cybersecurity exercises will be more suitable if more related information is collected and analyzed. But they may be reluctant to offer too much data (such as work culture and associated threats) due to privacy concerns. Therefore, it is of great significance to protect sensitive data and data processing results from being leaked to any unauthorized parties. A standard solution is to encrypt the data before uploading. However, data encryption introduces several challenges as described below.

First, encryption seriously restricts the computations and analysis that can be performed over the outsourced data in the cloud. With traditional encryption algorithms (such as AES), it is impossible for the cloud to process the encrypted data directly. Some existing efforts adopted partially homomorphic encryption (PHE) to solve the problem, but they are limited only to multiplication and addition operations on encrypted data [4, 5], which are not sufficient to satisfy user demands in many applications. More operations, such as comparison and equality test, are required in practical applications [6, 7]. This calls for further study on privacy-preserving computations. The basic operations can be widely applied to realize complex and useful applications, e.g., privacy-preserving classifications in machine learning [8], trust evaluation in Internet of Things [9], and medical analysis in e-health [10]. Obviously, the more basic computations are available over encrypted data, the better complete and complex functions and algorithms can be supported. To realize arbitrary computations over ciphertext, schemes based on fully homomorphic encryption (FHE) were designed [11,12,13]; however, most FHE-based schemes suffer from huge computation overhead and high storage cost, which make them impractical for real-world deployment and wide usage.

Second, secure multi-user access control over processed results also needs to be supported [14]. Both existing PHE and FHE are single-user systems, which inherently lack support for multi-user access to the processing results of encrypted data. The scheme based on PHE in [15] supports distribution of addition operation results through an interactive protocol between two servers, but the protocol must be executed for each data request, thus is inefficient. Attribute-based encryption (ABE) is an effective tool to support fine-grained access control and multi-user access and has been applied in many application scenarios [16,17,18]. However, to our knowledge, there is no effort in the literature on fine-grained access control over the results of encrypted data computation. Previous work [19] aims to solve this problem by combining homomorphic encryption and proxy re-encryption, but it only supports one requester access at one time. In case multiple users want to access the same result, it needs to execute the designed scheme for each requester, which obviously incurs high communication and computation costs.

In this chapter, we propose a novel system in order to overcome the challenges as described above. It supports multiple basic computations over encrypted data and realizes flexible access control over the processing results by employing PHE and ABE, which can be easily extended and implemented to cybersecurity education. We present a family of protocols to efficiently realize several basic computations over encrypted data. Then, we extend the system with maximum, minimum, and division computations over integers. We propose to combine the ciphertext of ABE with homomorphism to realize a fine-grained access control of the processing results.

2 Related Work

With the development of cloud computing, cybersecurity education becomes critical because traditional cybersecurity cannot guarantee the security of organizations due to the sophisticated networks, while it also becomes flexible by taking advantage of educational testbeds and frameworks. Cloud users (such as students and engineers) can benefit greatly from cybersecurity education and get trained with enough technical skills. However, the risk of revealing personal data makes it urgent to enhance data security and user privacy.

2.1 Secure Data Processing Based on SMC

Secure multi-party computation (SMC) enables computations over multi-user outsourced data without revealing each input. It lays a technical foundation for many problems, such as database query, intrusion detection, and data mining with privacy preservation [9]. Several schemes [20, 21] based on the popular SMC construction Sharemind [22] were proposed to achieve various secure computations. But the product of N pieces of data needs about 3N multiplications of 32-bit numbers under the cooperation of three involved servers in Sharemind, which obviously cannot adapt to big data processing.

2.2 Secure Data Processing Based on Homomorphic Encryption

FHE schemes [11,12,13] are designed to realize arbitrary computations over encrypted data. Due to their high computation overhead, some extended schemes [23, 24] are proposed to improve efficiency. However, their computation and storage costs are still not satisfactory for practical applications [25, 26]. PHE can only support limited computations, but it is more efficient and practical than FHE and has been widely used in various applications. Some schemes [4, 5] can only support addition and multiplication over a limited number of data inputs. In [4], decryption requires solving the problem of discrete logarithm, which seriously restricts the length and the number of data inputs. The multi-party computation framework proposed in [5] achieves addition and multiplication by following the idea of secret sharing. Similar to the SMC-based scheme in [21], it is unable to support the multiplication of a large number of data inputs. Liu et al. [6] proposed a framework for efficient outsourced data calculations with privacy preservation.

2.3 Secure Data Access Control

Cloud storage enables cloud users to upload their data to the cloud for storage and further sharing. However, it leads to a new problem that the cloud users lose full control over their data. Proxy re-encryption can also be adopted to manage data sharing in cloud [27, 28]. But it cannot support fine-grained access control on homomorphic computation result. Role-based access control (RBAC) can provide partial flexibility based on one level policy, which ensures that only the user with specified role can access the data. But, these constructions [29, 30] based on RBAC cannot support flexible access policies with various attribute structures.

ABE [31, 32] has been widely applied in cloud storage management for achieving fine-grained access control [33,34,35]. Furthermore, trust-based schemes [16,17,18] simplify the attributes involved in ABE and take into consideration only trust levels. These schemes highly reduce the computation cost. But only one entity is in charge of the access control, which means that this entity obviously knows the results.

2.4 Secure Division Based on Arithmetic Transformations

Katzenbeisser et al. [36] chose a tuple \( \left({\rho}_x,{\sigma}_x,{\tau}_x\right) \) to represent a value \( x\in {D}_l \), which belongs to a certain interval \( {D}_l=\left[-l;+l\right] \) with \( l>0 \), where \( {\rho}_x=1 \), \( {\sigma}_x \) encodes the sign of the value x and \( {\tau}_x \) indicates the absolute value of x. The division result can be computed by basic operations on corresponding element through function \( \mathrm{LDIV}\left(\left[\overline{x}\right],\left[\overline{y}\right]\right)=\left(\left[{\rho}_x\right],\left[{\sigma}_x\right]\left[{\sigma}_x\right],\left[{\tau}_x\right]{\left[{\tau}_y\right]}^{-1}\left[{\tau}_{C^2}\right]\right) \). Though the representation of numbers can support secure computations on non-integers, its division result is an approximation with bounded relative error, and encoding increases the overhead of data preprocessing.

To overcome this issue and get an accurate result, Dahl et al. [37] performed a Taylor expansion on the reciprocal of a denominator to transform the division computation over encrypted data into multiplication and addition over encrypted data. The implementation of several sub-protocols brings high computational overhead. Also, the frequent interactions bring high communication overhead.

Veugen [38] presented three protocols based on a client-server model where the client has encrypted data [x] and the server has the corresponding decryption key K. In order to improve the precision of data analysis, Catrina and Saxena [39] attempted to approximately get a division result over two floating point numbers by applying the Goldschmidt method [40]. But this scheme cannot support division computations over encrypted input data. To overcome this issue, Ugwuoke et al. [41] proposed a division protocol to support encrypted floating point numbers based on homomorphic encryption. However, both of the above schemes use fixed rounds of iterative computations to guarantee a fixed precision of results, which results in high computational overhead.

2.5 Secure Division Based on Secure Bit Decomposition Protocol (SBD)

The modulo value operation limits the length of the data in division computation. In order to protect the confidentiality of both the divisor and the dividend, some studies use the secure bit decomposition protocol [42] to realize secure division [6, 20]. After data providers upload their encrypted data, the cloud first decomposes the encrypted data into a binary string and then executes division to get a quotient and a remainder by operating secure bit shifts. But the bit decomposition protocol is generally very complicated and thus hard to deploy.

2.6 Cybersecurity Education

With the development of cloud computing, the information systems of organizations or schools become large-scale and complicated, which makes it difficult to deploy defensive mechanisms and leaves them exposed to undetected cyber-attacks [43]. Cybersecurity education aims to train IT-related employees or the future generation with technical skills. To customize specified cybersecurity exercises and enhance entities’ security knowledge [44], a lot of data (such as work environment and threats) should be provided, which may breach privacy.

However, currently most research [45,46,47] focuses on the design and implementation of frameworks for cybersecurity exercises and testbeds. The STEAM framework [46] inserts the Arts into cybersecurity education, while the EDU Range framework [45] eliminates the dependence on virtual machine or private cloud replaced by public cloud-based framework. Frank et al. [47] introduced life cycle into testbed design. Abir et al. [48] pointed out that universities and industries lack communication about training courses and curriculum, with the result that students do not gain the adequate knowledge required by the specific workplace. To solve this issue, cooperative education was designed to enhance the involvement of students and industry and enrich their work skills [49]. Rakesh et al. [50] discussed the significance of security analytics and shared their educational experiences. But all of the work above ignores the privacy issues and does not provide a secure and privacy-preserving way to share data and customize courses.

3 System Model

Our proposed system mainly comprises five types of entities as shown in Fig. 1:

Fig. 1: A system model

Data service provider (DSP) is served by the cloud, which stores user data, provides some computation service, and controls user access.

Computation party (CP) performs partial computations and controls access. It can be any party (a company or a university) that wants to train its employees or students with cybersecurity skills. There may exist multiple CPs for different applications. Herein, we simplify our design by considering only one CP in this chapter.

Data providers (DPs) are the data collectors or producers that encrypt data and store them in the DSP.

Data requesters (DRs) are the data consumers that acquire the result of data processing in a specific context.

Authority is fully trusted and is responsible for system parameter generation and ABE key issuance.

4 Preliminaries

For a better understanding of the scheme designs, please refer to previous work [51,52,53] for the detailed notation tables.

4.1 Additive Homomorphic Encryption

Paillier’s cryptosystem [54] is one of the most important additive homomorphic encryption schemes. Suppose we have N pieces of data encrypted under the same key pk, which can be presented as \( {\left[{m}_i\right]}_{pk} \) (i = 1, 2, …, N). Additive homomorphic encryption satisfies the equation \( {D}_{sk}\left({\prod}_{i=1}^N{\left[{m}_i\right]}_{pk}\right)={\sum}_{i=1}^N{m}_i \), where \( {D}_{sk}() \) is the homomorphic decryption algorithm with secret key sk.

4.2 Key-Policy Attribute-Based Encryption (KP-ABE)

In KP-ABE, ciphertexts are generated based on some descriptive attributes, while decryption keys are associated with policies. For more details about KP-ABE, refer to [32]. Notably, ciphertext-policy attribute-based encryption (CP-ABE) [31] can also be applied to implement our scheme.

4.3 Homomorphic Re-Encryption Scheme (HRES)

We revise the scheme [55] (named EDD) and design the HRES to provide two-level decryption and achieve secure data processing. The complete version of HRES is introduced in work [19].

4.4 Data Processing Procedure

Step 1 (System Setup @ All Entities): Authority calls the algorithms KeyGen and \( {Setup}^{ABE}\left(\lambda, U\right) \) to complete the setup of HRES and ABE.

Step 2 (Data Upload @ DPs): DPs encrypt their personal data before uploading it to the DSP. It directly calls EncTK to encrypt data \( {m}_i \) (unless otherwise specified, \( \left|{m}_i\right|<\mathcal{L}(n)/4 \)):

$$ \left[{m}_i\right]=\left({T}_i,{T}_i^{\prime}\right)=\left\{\left(1+{m}_i\ast n\right)\ast {PK}^{r_i},{g}^{r_i}\right\}\mathit{\operatorname{mod}}\ {n}^2 $$

Step 3 (Data Preparation @ DSP): Upon receiving the data from DPs, the DSP needs to do some analyses over the encrypted data. It provides a data packet and ABE ciphertext for access control to the CP. In addition, the DSP chooses a random partial key \( {ck}_1 \) for access control, which will be used in Step 5.

Step 4 (Data Process @ CP): Upon receiving the preprocessing results from DSP, CP chooses another random partial key \( {ck}_2 \) to obtain the preprocessing result \( {\left[\hat{m}\right]}_{pk_{ck_2}} \) or \( {\left[\hat{f}\right]}_{pk_{ck_2}} \). Regarding access control, CP encrypts \( {ck}_2 \) using ABE to get \( {CK}_2^{\prime }={Enc}^{ABE}\left({ck}_2,\gamma, {PK}^{\prime}\right) \) and forwards it to DSP.

Step 5 (Additional Process @ DSP): The DSP needs to remove the mask from ciphertext \( {\left[\hat{m}\right]}_{pk_{ck_2}} \) or \( {\left[\hat{f}\right]}_{pk_{ck_2}} \) to obtain processed ciphertext \( {\left[m\right]}_{pk_{ck}} \) or \( {\left[f\right]}_{pk_{ck}} \), where \( {pk}_{ck}={g}^{ck} \) and \( ck={ck}_1{ck}_2 \).

Regarding access control, the DSP encrypts \( {ck}_1 \) using ABE under the same policy to get \( {CK}_1^{\prime } \) and further gets \( {CK}^{\prime } \) through the homomorphism of ABE: \( {CK}^{\prime }={CK}_1^{\prime}\ast {CK}_2^{\prime }={Enc}^{ABE}\left({ck}_1\ast {ck}_2,\gamma, {PK}^{\prime}\right) \). Finally, the DSP keeps \( {\left[m\right]}_{pk_{ck}} \) or \( {\left[f\right]}_{pk_{ck}} \) and \( {CK}^{\prime } \) for user access.

Step 6 (Data Access @ DR): If the DR satisfies the access policy, Authority issues a secret key SK to the DR. Hence, the DR can decrypt \( {CK}^{\prime } \) to get ck and further obtain m or f.

5 Detailed Data Processing

System setup and data collection are the same as those in part 4. Thus, we do not introduce the details in this part; we mainly focus on the steps from 3 to 6 in each basic operation.

5.1 Addition

This function aims to obtain the sum of all raw data, \( m={\sum}_{i=1}^N{m}_i \), which can be accomplished by multiplying all ciphertexts. Note that the number of the data in Addition affects the length of the provided data. If we want to get the sum result of N pieces of data, it should guarantee that \( {m}_i<n/N \).

Step 3 (Data Preparation @ DSP): Due to additive homomorphism, the DSP can directly multiply encrypted data one by one as follows: \( \left[m\right]=\left(T,{T}^{\prime}\right)={\prod}_{i=1}^N\left[{m}_i\right]=\left({\prod}_{i=1}^N{T}_i,{\prod}_{i=1}^N{T_i}^{\prime}\right) \). To realize group access control, it chooses a random number \( {r}_1 \) and the first partial key \( {ck}_1 \) and then computes as follows:

  1. Compute \( {c}_1={ck_1}^{-1}\ \operatorname{mod}\ {n}^2 \).

  2. Mask ciphertext: \( \left[{c}_1\left(m+{r}_1\right)\right]=\left(\overset{\sim }{T},\overset{\sim }{T^{\prime }}\right)=\left\{{\left(T\left(1+{r}_1\ast n\right)\right)}^{c_1},{\left({T}^{\prime}\right)}^{c_1}\right\} \).

  3. Call PDec1 to partially decrypt it: \( {\left[{c}_1\left(m+{r}_1\right)\right]}_{pk_{CP}}=\left(\hat{T},\hat{T^{\prime }}\right)=\left\{\overset{\sim }{T},{\left(\overset{\sim }{T^{\prime }}\right)}^a\right\} \).

Then DSP sends \( {\left[{c}_1\left(m+{r}_1\right)\right]}_{pk_{CP}} \) to the CP.

Step 4 (Data Process @ CP): The CP calls the algorithm PDec2 with \( {sk}_{CP} \) to decrypt the encrypted data and obtain \( {c}_1\left(m+{r}_1\right) \). Then the CP chooses the second partial key \( {ck}_2 \) and a random number r to encrypt data as follows, \( {\left[{c}_1\left(m+{r}_1\right)\right]}_{pk_{ck_2}}=\left\{\left(1+{c}_1\left(m+{r}_1\right)n\right){g}^{ck_2\ast r},{g}^r\right\} \), where \( {pk}_{ck_2}={g}^{ck_2} \). The CP encrypts \( {ck}_2 \) to obtain \( {CK}_2^{\prime } \) and then forwards \( {\left[\hat{m}\right]}_{pk_{ck}} \) and \( {CK}_2^{\prime } \) back to the DSP.

Step 5 (Additional Process @ DSP): The DSP computes to obtain the final processed data with \( {ck}_1 \) and \( {r}_1 \), \( {\left[m\right]}_{pk_{ck}}=\left({\overline{T}}^{ck_1}\left(1-{r}_1n\right),{\overline{T}}^{\prime}\right)=\left\{\left(1+m\ast n\right){g}^{ck_1\ast {ck}_2\ast r},{g}^r\right\} \), where \( {pk}_{ck}={g}^{ck_1\ast {ck}_2} \) and \( ck={ck}_1{ck}_2 \). It encrypts \( {ck}_1 \) using ABE and gets \( {CK}^{\prime }={CK}_1^{\prime}\ast {CK}_2^{\prime }={Enc}^{ABE}\left({ck}_1\ast {ck}_2,\gamma, {PK}^{\prime}\right) \).

5.2 Subtraction

This function aims to obtain the subtraction of some data \( \left(m{=}{\sum}_{i=1}^W{m}_i{-}{\sum}_{i=W+1}^N{m}_i\right) \) with encrypted data \( \left[{m}_i\right] \) (i = 1, …, N). It can be accomplished by negating the subtracted terms (by raising to the power of (n − 1)) and then following the procedure of Addition.

Step 3 (Data Preparation @ DSP): The DSP first computes \( \left[{\sum}_{i=1}^W{m}_i\right]={\prod}_{i=1}^W\left[{m}_i\right] \) and \( \left[{\sum}_{i=W+1}^N{m}_i\right]{=}{\prod}_{i=W+1}^N\left[{m}_i\right] \). It further calculates \( \left[-{\sum}_{i=W+1}^N{m}_i\right] ={\left(\left[{\sum}_{i=W+1}^N{m}_i\right]\right)}^{n-1} \) and multiplies them to obtain: \( \left[m\right]{=} \left[\left({\sum}_{i=1}^W{m}_i{-}{\sum}_{i=W+1}^N{m}_i\right)\right]=\left[{\sum}_{i=1}^W{m}_i\right]\ast \left[-{\sum}_{i=W+1}^N{m}_i\right] \). Then the subsequent process is the same as that in Addition. Due to length and simplicity reasons, we skip its details.

5.3 Multiplication

This function aims to obtain the product of all raw data (\( m={\prod}_{i=1}^N{m}_i \)). For ease of presentation, we describe the details with two pieces of data (\( \left[{m}_1\right],\left[{m}_2\right] \)). Note that if we need to get the product of N pieces of data, it must be guaranteed that \( \mathcal{L}\left({m}_i\right)<\mathcal{L}(n)/(2N) \).

Step 3 (Data Preparation @ DSP): First, the DSP chooses a random partial key \( {ck}_1 \) and a random number \( {c}_1 \) and sets another one as \( {c}_2={\left({ck}_1{c}_1\right)}^{-1}\ \operatorname{mod}\ n \).

To conceal each raw data from the CP, the DSP does one exponentiation and one decryption with its own secret key by calling PDec1:

  1. \( \left[{c}_1\ast {m}_1\right]=\left\{{T_1}^{c_1},{\left({T}_1^{\prime}\right)}^{c_1}\right\} \); \( {\left[{c}_1\ast {m}_1\right]}_{pk_{CP}}=\left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left\{{T_1}^{c_1},{\left({T}_1^{\prime}\right)}^{c_1\ast a}\right\} \).

  2. \( \left[{c}_2\ast {m}_2\right]=\left\{{T_2}^{c_2},{\left({T}_2^{\prime}\right)}^{c_2}\right\} \); \( {\left[{c}_2\ast {m}_2\right]}_{pk_{CP}}=\left({T_2}^{(1)},{T_2^{\prime}}^{(1)}\right)=\left\{{T_2}^{c_2},{\left({T}_2^{\prime}\right)}^{c_2\ast a}\right\} \).

The data packet sent to the CP is {\( {\left[{c}_1\ast {m}_1\right]}_{pk_{CP}},{\left[{c}_2\ast {m}_2\right]}_{pk_{CP}} \)}.

Step 4 (Data Process @ CP): Upon receiving the data packet from the DSP, the CP uses the algorithm PDec2 to decrypt the data: \( {c}_1\ast {m}_1={T_1}^{(1)}/{\left({T_1^{\prime}}^{(1)}\right)}^b \), \( {c}_2\ast {m}_2={T_2}^{(1)}/{\left({T_2^{\prime}}^{(1)}\right)}^b \).

It then chooses \( {ck}_2 \) and a random number r and encrypts \( {c}_1\ast {m}_1\ast {c}_2\ast {m}_2 \) and \( {ck}_2 \) as follows:

\( {\left[\hat{m}\right]}_{pk_{ck_2}}={\left[{c}_1{c}_2m\right]}_{pk_{ck_2}}=\left\{\left(1+{c}_1{m}_1{c}_2{m}_2\ast n\right){g}^{ck_2\ast r},{g}^r\right\} \); \( {CK}_2^{\prime }={Enc}^{ABE}\left({ck}_2,\gamma, {PK}^{\prime}\right) \).

Finally, the CP forwards \( {\left[\hat{m}\right]}_{pk_{ck_2}} \) and \( {CK}_2^{\prime } \) to the DSP.

Step 5 (Additional Process @ DSP): The DSP further processes the data packet with \( {ck}_1 \) and gets ciphertext as follows: \( {\left[m\right]}_{pk_{ck}}=\left\{{\overline{T}}^{ck_1},{\overline{T}}^{\prime}\right\} \); \( {CK}^{\prime }={CK}_2^{\prime}\ast {Enc}^{ABE}\left({ck}_1,\gamma, {PK}^{\prime}\right) \).

5.4 Sign Acquisition

We assume that \( \mathcal{L}(m)<\mathcal{L}(n)/4 \) and BIG is the largest raw data of m. Then the raw data is in the scope [−BIG, BIG]. Sign Acquisition can be achieved by masking the original ciphertext with random numbers of limited length and then checking the length of the masked data to further determine the real length of original data. Here, the DR targets to obtain the final sign indicator f from \( \left[{m}_1\right] \).

Step 3 (Data Preparation @ DSP): The DSP chooses three random numbers R (\( \mathcal{L}(R)<\mathcal{L}(n)/4 \)), \( {c}_1 \), and \( {ck}_1 \). It first encrypts “1” and then computes as follows:

  1. \( \left[1\right]=\left\{\left(1+n\right)\ast {PK}^r,{g}^r\right\} \); \( \left[2\ast {m}_1+1\right]=\left(T,{T}^{\prime}\right)={\left[{m}_1\right]}^2\ast \left[1\right] \).

  2. Then it flips a coin s. If s = −1, it computes:

    $$ \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left\{{T}^{n-R}, {\left({T}^{\prime}\right)}^{a\ast \left(n-R\right)}\right\}=\left[-R\ast \left(2\ast {m}_1+1\right)\right] $$

    Otherwise, if (s = 1), it calls PDec1 and computes:

    $$ \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left\{{T}^R,{\left({T}^{\prime}\right)}^{a\ast R}\right\}=\left[R\ast \left(2\ast {m}_1+1\right)\right] $$

  3. The DSP computes \( {c}_2={\left({ck}_1\right)}^{-1}\ \operatorname{mod}\ n \) and \( {s}^{\prime }={c}_1\ast {c}_2\ast s\ \operatorname{mod}\ n \).

The data packet sent to the CP is \( \left\{\left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right),{s}^{\prime}\right\} \).

Step 4 (Data Process @ CP): Upon receiving the data packet from the DSP, the CP decrypts \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right) \) with PDec2 to obtain raw data \( {m}^{\prime }=R\ast \left(2\ast {m}_1+1\right)\ \operatorname{mod}\ n \) if s = 1 or \( {m}^{\prime }=-R\ast \left(2\ast {m}_1+1\right)\ \operatorname{mod}\ n \) if s = −1. The CP compares \( \mathcal{L}\left({m}^{\prime}\right) \) with \( \mathcal{L}(n)/2 \). If \( \mathcal{L}\left({m}^{\prime}\right)<\mathcal{L}(n)/2 \), it sets u = 1; otherwise, u = −1.

The CP chooses a random number r and a second partial key \( {ck}_2 \) and further computes as follows: \( {\left[\hat{f}\right]}_{pk_{ck_2}}=\left(\overline{T},{\overline{T}}^{\prime}\right)=\left\{\left(1+{s}^{\prime }u\ast n\right){g}^{ck_2\ast r},{g}^r\right\} \). Encrypt \( {ck}_2 \) using ABE: \( {CK}_2^{\prime }={Enc}^{ABE}\left({ck}_2,\gamma, {PK}^{\prime}\right) \).

Finally, the CP forwards \( {\left[\hat{f}\right]}_{pk_{ck_2}} \) to DSP.

Step 5 (Additional Process @ DSP): The DSP further processes the data packet as follows:

Compute \( {c}_3={c_1}^{-1}\ \operatorname{mod}\ n \); \( {\left[f\right]}_{pk_{ck}}=\left\{{\overline{T}}^{ck_1\ast {c}_3},{\left({\overline{T}}^{\prime}\right)}^{c_3}\right\} \); \( {CK}^{\prime }={Enc}^{ABE}\left({ck}_1,\gamma, {PK}^{\prime}\right)\ast {CK}_2^{\prime } \).

Step 6 (Data Access @ DR): The DR satisfying the access policy in ABE can decrypt \( {CK}^{\prime } \) to obtain ck and further decrypts \( {\left[f\right]}_{pk_{ck}} \) to obtain f. Note: if f = 1, \( {m}_1\ge 0 \); otherwise, \( {m}_1<0 \).
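The Addition and Subtraction flow (Sects. 5.1 and 5.2) and the Sign Acquisition flow above can be traced end to end with the following toy run, which is an added example and not code from the chapter. It assumes \( PK={g}^{a\ast b} \) with a held by the DSP and b by the CP (inferred from the PDec1 and PDec2 formulas), uses small constructed primes and a stand-in g, and hands ck to the DR directly instead of wrapping it with ABE.

```python
"""Toy run of Addition/Subtraction (5.1, 5.2) and Sign Acquisition (5.4). Not secure."""
import secrets
from math import gcd

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
QUARTER = N.bit_length() // 4          # L(n)/4, the bound on |m| and R

def rand_unit(bound=N):
    """Random integer in [2, bound) that is invertible mod n (and so mod n^2)."""
    while True:
        x = 2 + secrets.randbelow(bound - 2)
        if gcd(x, N) == 1:
            return x

G = pow(rand_unit(N2), 2, N2)          # stand-in for g; the page does not give KeyGen
A, B = rand_unit(), rand_unit()        # a: DSP key share, b: CP key share
PK = pow(G, A * B, N2)                 # assumption: PK = g^(a*b), inferred from PDec1/PDec2

def enc(m, pk=PK):
    """[m] = {(1 + m*n) * pk^r, g^r} mod n^2."""
    r = rand_unit()
    return ((1 + m * N) * pow(pk, r, N2) % N2, pow(G, r, N2))

def ct_mul(x, y):                      # [m1] * [m2] = [m1 + m2]
    return (x[0] * y[0] % N2, x[1] * y[1] % N2)

def ct_pow(c, k):                      # [m]^k = [k * m]
    return (pow(c[0], k, N2), pow(c[1], k, N2))

def pdec1(c):                          # DSP removes its share: (T, T'^a)
    return (c[0], pow(c[1], A, N2))

def dec_with(c, key):
    """m = (T / T'^key - 1) / n; PDec2 is dec_with(c, B)."""
    return (c[0] * pow(c[1], -key, N2) % N2 - 1) // N

def signed(x):                         # map [0, n) back to a signed value
    return x - N if x > N // 2 else x

def addition(plus, minus=()):
    """Steps 3-5 of Addition; ciphertexts in `minus` are negated as in Subtraction."""
    # Step 3 @ DSP: aggregate, mask with r1, blind with c1 = ck1^-1, strip share a.
    total = (1, 1)
    for c in plus:
        total = ct_mul(total, c)
    for c in minus:
        total = ct_mul(total, ct_pow(c, N - 1))
    ck1, r1 = rand_unit(), secrets.randbelow(N)
    c1 = pow(ck1, -1, N2)
    to_cp = pdec1(ct_pow(ct_mul(total, (1 + r1 * N, 1)), c1))
    # Step 4 @ CP: sees only c1*(m + r1) mod n, re-encrypts under pk_ck2 = g^ck2.
    cp_view = dec_with(to_cp, B)
    ck2 = rand_unit()
    hat = enc(cp_view, pow(G, ck2, N2))
    # Step 5 @ DSP: raise to ck1 and remove r1; the result decrypts under ck1*ck2.
    final = (pow(hat[0], ck1, N2) * (1 - r1 * N) % N2, hat[1])
    return final, ck1 * ck2, cp_view

def sign_acquisition(ct):
    """Steps 3-5 of Sign Acquisition; returns ([f]_pk_ck, ck)."""
    # Step 3 @ DSP: build [2*m1 + 1], scale by +/-R according to the coin s.
    R = 1 + secrets.randbelow(2 ** (QUARTER - 1) - 1)
    c1, ck1 = rand_unit(), rand_unit()
    t = ct_mul(ct_pow(ct, 2), enc(1))
    s = secrets.choice((1, -1))
    to_cp = pdec1(ct_pow(t, R if s == 1 else N - R))
    s_prime = c1 * pow(ck1, -1, N) * s % N
    # Step 4 @ CP: a short m' means the blinded value was non-negative.
    m_prime = dec_with(to_cp, B)
    u = 1 if m_prime.bit_length() < N.bit_length() // 2 else -1
    ck2 = rand_unit()
    f_hat = enc(s_prime * u, pow(G, ck2, N2))
    # Step 5 @ DSP: c3 = c1^-1 unblinds s'; exponent ck1 cancels c2.
    c3 = pow(c1, -1, N)
    return (pow(f_hat[0], ck1 * c3, N2), pow(f_hat[1], c3, N2)), ck1 * ck2

if __name__ == "__main__":
    ct, ck, cp_view = addition([enc(m) for m in (5, 17, 20)])
    print("CP saw", cp_view, "-> DR decrypts", signed(dec_with(ct, ck)))
    for m in (12345, -98765):
        f_ct, ck = sign_acquisition(enc(m))
        print(m, "sign indicator f =", signed(dec_with(f_ct, ck)))
```

The value the CP decrypts in Step 4 is blinded by \( {c}_1 \) and \( {r}_1 \) (or by R and the coin s), so the test inputs are only recovered by a party holding \( ck={ck}_1{ck}_2 \).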

5.5 Absolute

We assume that \( \mathcal{L}(m)<\mathcal{L}(n)/4 \) and that BIG is the largest raw data of m. Then the raw data is in the scope [−BIG, BIG]. Here, given ciphertext \( \left[{m}_1\right] \), DR wants to get the absolute value \( \mid {m}_1\mid \).

Step 3 (Data Preparation @ DSP): The DSP chooses three random numbers R where \( \mathcal{L}(R)<\mathcal{L}(n)/4 \), \( {c}_1 \), and \( {c}_2 \) and chooses the first partial key \( {ck}_1 \). It first encrypts “1” and computes as follows:

  1. \( \left[1\right]=\left\{\left(1+n\right)\ast {PK}^r,{g}^r\right\} \); \( \left[2\ast {m}_1+1\right]=\left(T,{T}^{\prime}\right)={\left[{m}_1\right]}^2\ast \left[1\right] \).

  2. Then it flips a coin s. If s = −1, \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left[-R\ast \left(2\ast {m}_1+1\right)\right] \).

    Otherwise, it calls PDec1 and computes \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left[R\ast \left(2\ast {m}_1+1\right)\right] \).

  3. Compute \( \left[{c}_1{m}_1\right]={\left[{m}_1\right]}^{c_1} \), and call PDec1 to obtain \( {\left[{c}_1{m}_1\right]}_{pk_{CP}} \).

  4. The DSP sets \( {c}_3={\left({ck}_1\right)}^{-1}\ \operatorname{mod}\ n \) and \( {s}^{\prime }={c}_2\ast {c}_3\ast s\ \operatorname{mod}\ n \).

The data packet sent to the CP is {\( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right),{s}^{\prime },{\left[{c}_1{m}_1\right]}_{pk_{CP}} \)}.

Step 4 (Data Process @ CP): Upon receiving the data packet from DSP, the CP decrypts \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right) \) and \( {\left[{c}_1{m}_1\right]}_{pk_{CP}} \) with PDec2 to obtain raw data: \( {m}^{\prime }={\left(-1\right)}^{s+1}\ast R\ast \left(2\ast {m}_1+1\right)\ \operatorname{mod}\ n \) and \( {c}_1{m}_1 \), respectively. CP compares \( \mathcal{L}\left({m}^{\prime}\right) \) with \( \mathcal{L}(n)/2 \). If \( \mathcal{L}\left({m}^{\prime}\right)<\mathcal{L}(n)/2 \), it sets u = 1; otherwise, u = −1. Then CP chooses r and the second partial key \( {ck}_2 \) and further computes as follows: \( {\left[{c}_1{m}_1{s}^{\prime }u\right]}_{pk_{ck_2}}=\left(\overline{T},{\overline{T}}^{\prime}\right) \). Encrypt \( {ck}_2 \) with ABE: \( {CK}_2^{\prime }={Enc}^{ABE}\left({ck}_2,\gamma, {PK}^{\prime}\right) \). Finally, the CP forwards \( {\left[{c}_1{m}_1{s}^{\prime }u\right]}_{pk_{ck_2}} \) and \( {CK}_2^{\prime } \) to DSP.

Step 5 (Additional Process @ DSP): The DSP further processes the data packet as follows:

  1. Set \( {c}_4={\left({c}_1\right)}^{-1}\ \operatorname{mod}\ n \) and \( {c}_5={\left({c}_2\right)}^{-1}\ \operatorname{mod}\ n \).

    $$ {\left[ su\ast {m}_1\right]}_{pk_{ck}}=\left\{{\overline{T}}^{ck_1\ast {c}_4\ast {c}_5},{{\overline{T}}^{\prime}}^{c_4\ast {c}_5}\right\};{CK}^{\prime }={Enc}^{ABE}\left({ck}_1,\gamma, {PK}^{\prime}\right)\ast {CK}_2^{\prime } $$

Step 6 (Data Access @ DR): The DR that satisfies the access policy in ABE can decrypt \( {CK}^{\prime } \) to obtain ck. The DSP sends the data packet \( {\left[ su\ast {m}_1\right]}_{pk_{ck}} \) to the DR in a secure way. Then the DR can decrypt it to obtain \( su\ast {m}_1 \). Note: if \( {m}_1\ge 0 \), su = 1; otherwise, su = −1. Hence, \( su\ast m \) is the absolute value of data m.

5.6 Comparison

Comparison can be simply accomplished by checking the sign of the difference value of two data by calling Sign Acquisition. For ease of presentation, \( {m}_1-{m}_2 \) is denoted as \( {m}_{1-2} \).

\( \left[{m}_1\right]=\left({T}_1,{T_1}^{\prime}\right)=\left\{\left(1+{m}_1\ast n\right)\ast {PK}^{r_1},{g}^{r_1}\right\};\left[{m}_2\right]=\left({T}_2,{T_2}^{\prime}\right)=\left\{\left(1+{m}_2\ast n\right)\ast {PK}^{r_2},{g}^{r_2}\right\} \)

Step 3 (Data Preparation @ DSP): DSP first computes to get the subtraction of encrypted data:

$$ \left(T,{T}^{\prime}\right)=\left\{{T}_1\ast {\left({T}_2\right)}^{n-1},{T_1}^{\prime}\ast {\left({T}_2\prime \right)}^{n-1}\right\}=\left[\left({m}_1-{m}_2\right)\right]. $$

The following steps are the same as those in Sign Acquisition and are skipped because of the chapter length limit. Through the cooperation of the DSP and the CP, the DR finally gets the sign of \( {m}_{1-2}={m}_1-{m}_2 \) and can thus obtain the comparison result. If \( {m}_{1-2}\ge 0 \), \( {m}_1\ge {m}_2 \); otherwise, \( {m}_1<{m}_2 \).

5.7 Equality Test

Equality test needs to check the signs of both the difference and the negated difference of the two original data by calling Comparison twice. DR wants to know whether \( {m}_1 \) is equal to \( {m}_2 \) or not from encrypted data (\( \left[{m}_1\right],\left[{m}_2\right] \)). The DSP and CP directly interact with each other in two parallel computations of Comparison.

They compare \( {m}_1 \) and \( {m}_2 \) in two forms: 1) \( {m}_{1-2}={m}_1-{m}_2 \) and 2) \( {m}_{2-1}={m}_2-{m}_1 \). Through the operations in Comparison, DSP can get two results \( {\left[{f}_1\right]}_{pk_{ck}} \) and \( {\left[{f}_2\right]}_{pk_{ck}} \), respectively. Then the DSP can obtain \( {\left[f\right]}_{pk_{ck}}={\left[{f}_1+{f}_2\right]}_{pk_{ck}}={\left[{f}_1\right]}_{pk_{ck}}\ast {\left[{f}_2\right]}_{pk_{ck}} \). Finally, a DR that satisfies the access policy in ABE can decrypt \( {CK}^{\prime } \) to obtain ck. DSP sends the data packet \( {\left[f\right]}_{pk_{ck}} \) to the DR in a secure way. Then the DR can further decrypt \( {\left[f\right]}_{pk_{ck}} \) to obtain f. Note: if f = 2, \( {m}_1={m}_2 \); otherwise, \( {m}_1\ne {m}_2 \).

5.8 Maximum and Minimum

5.8.1 Two-to-One (T2O)

This scheme aims to obtain the max and min values from two encrypted data for a data requester.

Step 3 (@ DSP): First, the DSP randomly selects some numbers \( {R}_1 \), \( {R}_2 \), and \( {R}_3 \) where \( \mathcal{L}\left({R}_1\right)<\mathcal{L}(n)/4 \) and then executes the following operations: here, \( {m}_{-}={m}_1-{m}_2 \) and \( {m}_{+}={m}_1+{m}_2 \).

  1. \( \left[1\right]=\left\{\left(1+n\right)\ast {PK}^r,{g}^r\right\} \); \( \left[{m}_{-}\right]=\left[{m}_1-{m}_2\right]=\left[{m}_1\right]\ast {\left[{m}_2\right]}^{n-1} \)

  2. \( \left[{R}_2\ast {m}_{+}+{R}_3\right]={\left(\left[{m}_1+{m}_2\right]\right)}^{R_2}\ast \left[{R}_3\right] \); \( \left[{R}_2{m}_{-}\right]=\left({T}_{-},{T}_{-}^{\prime}\right)={\left[{m}_1-{m}_2\right]}^{R_2} \)

    $$ \left[2\ast {m}_{-}+1\right]=\left(T,{T}^{\prime}\right)=\left\{\left(1+\left(2\ast {m}_{-}+1\right)\ast n\right)\ast {PK}^{r^{\prime }+2\ast {r}_1},{g}^{r^{\prime }+2\ast {r}_1}\right\} $$

Then it flips a coin s. If s = −1, then compute \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left\{{T}^{n-{R}_1},{\left({T}^{\prime}\right)}^{a\ast \left(n-{R}_1\right)}\right\}={\left[-{R}_1\ast \left(2\ast {m}_{-}+1\right)\right]}_{pk_{CP}} \) and \( \left({T}_2,{T}_2^{\prime}\right)={\left[-{R}_2{m}_{-}\right]}_{pk_{CP}}=\left\{{T_{-}}^{n-{R}_1},{\left({T}_{-}^{\prime}\right)}^{a\ast \left(n-{R}_1\right)}\right\} \). Otherwise, if (s = 1), it calls PDec1 and computes \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right)=\left\{{T}^{R_1},{\left({T}^{\prime}\right)}^{a\ast {R}_1}\right\}={\left[{R}_1\ast \left(2\ast {m}_{-}+1\right)\right]}_{pk_{CP}} \) and \( \left({T}_2,{T}_2^{\prime}\right)={\left[{R}_2{m}_{-}\right]}_{pk_{CP}}=\left\{{T}_{-},{\left({T}_{-}^{\prime}\right)}^a\right\} \). It further calls PDec1 on \( \left[{R}_2\ast {m}_{+}+{R}_3\right] \) to get \( {\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{CP}} \). Finally, it forwards to the CP the data packet {\( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right),{\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{CP}},\left({T}_2,{T}_2^{\prime}\right) \)}.

Step 4 (@ CP): CP further processes the data packet from the DSP. It first decrypts \( \left({T_1}^{(1)},{T_1^{\prime}}^{(1)}\right) \) and \( \left({T}_2,{T}_2^{\prime}\right) \) with PDec2 to obtain raw data \( \hat{m}={R}_1\ast \left(2\ast {m}_{-}+1\right)\ \operatorname{mod}\ n \), \( \hat{m_{-}}=\left({R}_2{m}_{-}\right)\ \operatorname{mod}\ n \) if s = 1 or \( \hat{m}=-{R}_1\ast \left(2\ast {m}_{-}+1\right)\ \operatorname{mod}\ n \), \( \hat{m_{-}}=\left(-{R}_2{m}_{-}\right)\ \operatorname{mod}\ n \) if s = −1.

Then CP needs to compare \( \mathcal{L}\left(\hat{m}\right) \) with \( \mathcal{L}(n)/2 \). If \( \mathcal{L}\left(\hat{m}\right)<\mathcal{L}(n)/2 \), it sets u = 1; otherwise, u =  − 1. The CP further encrypts the raw data \( u\ast \hat{m_{-}} \) with the public key of the targeted DR as \( {\left[u\ast \hat{m_{-}}\right]}_{pk_{DR}}=\left(\overline{T},{\overline{T}}^{\prime}\right)=\left\{\left(1+u\hat{m_{-}}\ast n\right){pk_{DR}}^r,{g}^r\right\} \).

The CP also decrypts \( {\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{CP}} \) and then encrypts it with \( pk_{DR} \) to get \( {\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{DR}} \). Finally, the CP forwards the data packet to DSP: \( \left\{{\left[u\ast \hat{m_{-}}\right]}_{pk_{DR}},{\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{DR}}\right\} \).

Step 5 (@ DSP): The DSP first removes the mask \( R_3 \) by computing \( {\left[{R}_2{m}_{+}\right]}_{pk_{DR}}={\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{DR}}\ast {\left[-{R}_3\right]}_{pk_{DR}} \). Then it can get the max and min with \( r={\left(2{R}_2\right)}^{-1} \bmod n \):

\( {\left[\max \right]}_{pk_{DR}}={\left({\left[u\ast \hat{m_{-}}\right]}_{pk_{DR}}\ast {\left[{R}_2{m}_{+}\right]}_{pk_{DR}}\right)}^r \); \( {\left[\min \right]}_{pk_{DR}}={\left({{\left[u\ast \hat{m_{-}}\right]}_{pk_{DR}}}^{n-1}\ast {\left[{R}_2{m}_{+}\right]}_{pk_{DR}}\right)}^r \).

Step 6 (@ DR): The DR with the corresponding secret key can decrypt the ciphertext (\( {\left[\mathit{\max}\right]}_{pk_{DR}} \) and \( {\left[\mathit{\min}\right]}_{pk_{DR}} \)) to obtain the maximum and minimum values.
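
Why Step 5 yields the maximum and minimum, written out as an added derivation (not part of the original chapter) with the symbols above, where \( m_{+}=m_1+m_2 \) and \( m_{-}=m_1-m_2 \), and assuming the masked values do not wrap modulo n. For s = 1, the CP sets u = 1 exactly when \( 2\ast m_{-}+1>0 \), and \( \hat{m_{-}}=R_2 m_{-} \); for s = −1 both \( \hat{m} \) and \( \hat{m_{-}} \) change sign, so u changes sign with them. In both cases:

$$ u\ast \hat{m_{-}}={R}_2\left|{m}_{-}\right| \bmod n $$

$$ \left[u\ast \hat{m_{-}}\right]\ast \left[{R}_2{m}_{+}\right]=\left[{R}_2\left({m}_{+}+\left|{m}_{-}\right|\right)\right]=\left[2{R}_2\ast \max \left({m}_1,{m}_2\right)\right] $$

$$ {\left[u\ast \hat{m_{-}}\right]}^{n-1}\ast \left[{R}_2{m}_{+}\right]=\left[{R}_2\left({m}_{+}-\left|{m}_{-}\right|\right)\right]=\left[2{R}_2\ast \min \left({m}_1,{m}_2\right)\right] $$

Raising each ciphertext to \( r={\left(2{R}_2\right)}^{-1} \bmod n \) removes the factor \( 2R_2 \) and leaves \( {\left[\max \right]}_{pk_{DR}} \) and \( {\left[\min \right]}_{pk_{DR}} \).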

5.8.2 Multiple-to-One (M2O)

Given, for example, n ciphertexts \( \left(\left[{m}_1\right],\left[{m}_2\right],\cdots, \left[{m}_i\right],\cdots, \left[{m}_n\right]\right) \), this scheme can get the maximum and minimum results \( {\left[\max \right]}_{pk_{DR}} \) and \( {\left[\min \right]}_{pk_{DR}} \) for the targeted data requester DR. Note that the T2O can provide the maximum and minimum values from ciphertexts \( \left[{m}_1\right] \) and \( \left[{m}_2\right] \) for DR. If we use the PK to replace the public key of DR (\( pk_{DR} \)) in T2O, we can get the ciphertexts [max] and [min] through parallel processing. Herein, we take maximum computation as an example, which has the same procedure as minimum computation.

In order to get the final maximum from more than two ciphertexts, we need to execute several rounds of the T2O scheme. The computation follows a tree structure. It divides the data into many groups and each group has two pieces of data. Then T2O is executed over every group with PK to get the ciphertext [max]. This continues layer by layer until only the last two pieces of data remain in the last layer, where DSP and CP execute T2O with \( pk_{DR} \) to get the final ciphertext \( {\left[\max \right]}_{pk_{DR}} \).

5.8.3 Two-to-Multiple (T2M)

Given two ciphertexts \( \left[{m}_1\right] \) and \( \left[{m}_2\right] \), this scheme can provide the sorting results \( {\left[\max \right]}_{pk_{ck}} \) and \( {\left[\min \right]}_{pk_{ck}} \), which are the ciphertexts of the max and min results under the public key \( pk_{ck} \).

Step 3 (@ DSP): DSP randomly selects four numbers \( R_1, R_2, R_3, ck_1 \) that satisfy \( R_1=R_2\ast ck_1 \bmod n^2 \) and \( \mathcal{L}\left({R}_1\right)<\mathcal{L}(n)/4 \), and then preprocesses the data from DPs as follows:

  1.

    \( [1]=\left\{(1+n)\ast {PK}^{r},{g}^{r}\right\} \); \( \left[{m}_{-}\right]=\left[{m}_1-{m}_2\right]=\left[{m}_1\right]\ast {\left[{m}_2\right]}^{n-1} \)

  2.

    \( \left[{R}_2{m}_{+}+{R}_3\right]={\left[{m}_1+{m}_2\right]}^{R_2}\ast \left[{R}_3\right] \);\( \left[{R}_2{m}_{-}\right]=\left({T}_{-},{T}_{-}^{\prime}\right)={\left[{m}_1-{m}_2\right]}^{R_2} \)

    $$ \left[2\ast {m}_{-}+1\right]=\left(T,{T}^{\prime}\right)=\left\{\left(1+\left(2\ast {m}_{-}+1\right)\ast n\right)\ast {PK}^{r^{\prime }+2\ast {r}_1},{g}^{r^{\prime }+2\ast {r}_1}\right\} $$

The DSP calls PDec1 to decrypt \( \left[{R}_2\ast {m}_{+}+{R}_3\right] \) to get \( {\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{CP}} \). Then, it further flips a coin s. If s = −1, it computes \( \left({T_1}^{(1)},{T_1}^{\prime (1)}\right)=\left\{{T}^{n-{R}_1},{\left({T}^{\prime}\right)}^{a\ast \left(n-{R}_1\right)}\right\}={\left[-{R}_1\ast \left(2\ast {m}_{-}+1\right)\right]}_{pk_{CP}} \) and \( \left({T}_2,{T}_2^{\prime}\right)={\left[-{R}_2{m}_{-}\right]}_{pk_{CP}}=\left\{{T_{-}}^{n-{R}_1},{\left({T}_{-}^{\prime}\right)}^{a\ast \left(n-{R}_1\right)}\right\} \). Otherwise (s = 1), it directly calls PDec1 to compute \( \left({T_1}^{(1)},{T_1}^{\prime (1)}\right)=\left\{{T}^{R_1},{\left({T}^{\prime}\right)}^{a\ast {R}_1}\right\}={\left[{R}_1\ast \left(2\ast {m}_{-}+1\right)\right]}_{pk_{CP}} \) and \( \left({T}_2,{T}_2^{\prime}\right)={\left[{R}_2{m}_{-}\right]}_{pk_{CP}}=\left\{{T}_{-},{\left({T}_{-}^{\prime}\right)}^a\right\} \). Then it sends CP the data packet \( \left\{\left({T_1}^{(1)},{T_1}^{\prime (1)}\right),\left({T}_2,{T}_2^{\prime}\right),{\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{CP}}\right\} \).

Step 4 (@ CP): The CP calls PDec2 to decrypt \( \left({T_1}^{(1)},{T_1}^{\prime (1)}\right) \) and \( \left({T}_2,{T}_2^{\prime}\right) \) from DSP to obtain raw data \( {m}^{\prime}={R}_1\ast \left(2\ast {m}_{-}+1\right) \bmod n \), \( \hat{m_{-}}=\left({R}_2{m}_{-}\right) \bmod n \) if s = 1, or \( {m}^{\prime}=-{R}_1\ast \left(2\ast {m}_{-}+1\right) \bmod n \), \( \hat{m_{-}}=\left(-{R}_2{m}_{-}\right) \bmod n \) if s = −1.

The CP checks the sign of m by comparing \( \mathcal{L}\left({m}^{\prime}\right) \) with \( \mathcal{L}(n)/2 \). If \( \mathcal{L}\left({m}^{\prime}\right)<\mathcal{L}(n)/2 \), it sets u = 1; otherwise, u = −1. It further encrypts the raw data \( u\ast \hat{m_{-}} \) with a randomly chosen key pair \( \left({ck}_2,{pk}_{ck_2}={g}^{ck_2}\right) \): \( {\left[u\ast \hat{m_{-}}\right]}_{pk_{ck_2}}=\left(\overline{T},{\overline{T}}^{\prime}\right)=\left\{\left(1+u\hat{m_{-}}\ast n\right){g}^{ck_2\ast r},{g}^r\right\} \).

The CP decrypts \( {\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{CP}} \) to get \( {R}_2\ast {m}_{+}+{R}_3 \) and re-encrypts it as \( {\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{ck_2}} \). Moreover, it needs to encrypt \( ck_2 \) with ABE to get \( {CK}_1^{\prime }={Enc}^{ABE}\left({ck}_2,\gamma, {PK}^{\prime}\right) \). Finally, the CP forwards the data packet to DSP: \( \left\{{\left[u\ast \hat{m_{-}}\right]}_{pk_{ck_2}},{\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{ck_2}},{CK}_1^{\prime}\right\} \).

Step 5 (@ DSP): First, the DSP sets \( \left\{T,{T}^{\prime}\right\}={\left[{R}_2\ast {m}_{+}+{R}_3\right]}_{pk_{ck_2}} \) and then computes \( {\left[{R}_2\ast {m}_{+}\right]}_{pk_{ck_2}}=\left\{T\ast \left(1-{R}_3\ast n\right),{T}^{\prime}\right\} \). The DSP computes \( r={\left(2{R}_1\right)}^{-1} \bmod n \) and finally obtains the encrypted max and min: \( {\left[\max \right]}_{pk_{ck}}={\left({\left({\left[u\ast \hat{m_{-}}\right]}_{pk_{ck_2}}\ast {\left[{R}_2\ast {m}_{+}\right]}_{pk_{ck_2}}\right)}^{1,{ck}_1}\right)}^r \); \( {\left[\min \right]}_{pk_{ck}}={\left({\left({\left({\left[u\ast \hat{m_{-}}\right]}_{pk_{ck_2}}\right)}^{n-1}\ast {\left[{R}_2\ast {m}_{+}\right]}_{pk_{ck_2}}\right)}^{1,{ck}_1}\right)}^r \).

The DSP calls \( {HE}^{ABE} \) to obtain \( CK={CK}_1^{\prime}\ast {Enc}^{ABE}\left({ck}_2,\gamma, {PK}^{\prime}\right)={Enc}^{ABE}\left({ck}_1\ast {ck}_2,\gamma, {PK}^{\prime}\right) \).

Step 6 (@ DR): The DR can access the computation results if it satisfies the access policy.

5.8.4 Multiple-to-Multiple (M2M)

DSP and CP invoke the T2M rather than the T2O to obtain the final result \( {\left[{\max}_{\left\lfloor lb(n)\right\rfloor, 1}\right]}_{pk_{ck}} \). Owing to the chapter length limitation, we skip the details of the above process.

5.9 Division

Scheme 1

Scheme 1 can provide the ciphertext of division result \( {\left[\left\lfloor {m}_1/{m}_2\right\rfloor \right]}_{pk_{DR}} \) as shown in Fig. 2.

Fig. 2 The procedure of division computation for a targeted data requester

Step 3 (Data Preparation @ DSP): DSP first chooses two random numbers \( r_1, r_2 \), where \( \mathcal{L}\left({r}_i\right)<\mathcal{L}(n)/4 \). Then, it processes the data to conceal the raw data from CP, as described below:

  1.

    \( \left[{m}_1{r}_1\right]=\left\{{T_1}^{r_1},{\left({T}_1^{\prime}\right)}^{r_1}\right\}={\left[{m}_1\right]}^{r_1} \), \( \left[{m}_2{r}_1\right]=\left\{{T_2}^{r_1},{\left({T}_2^{\prime}\right)}^{r_1}\right\}={\left[{m}_2\right]}^{r_1} \).

  2.

    \( \left[{m}_2{r}_1{r}_2\right]={\left[{m}_2{r}_1\right]}^{r_2}={\left[{m}_2\right]}^{r_1{r}_2}=\left\{{T_2}^{r_1{r}_2},{\left({T}_2^{\prime}\right)}^{r_1{r}_2}\right\} \); \( \left[{m}_1{r}_1+{m}_2{r}_1{r}_2\right]=\left[{m}_1{r}_1\right]\ast \left[{m}_2{r}_1{r}_2\right] \).

  3.

    \( {\left[{m}_2{r}_1\right]}_{pk_{CP}}=\left\{{T_2}^{r_1},{\left({T}_2^{\prime}\right)}^{r_1\ast {sk}_{DSP}}\right\}=\left\{\left(1+{r}_1\ast {m}_2\ast n\right){PK}^{r\ast {r}_1},{g}^{r\ast a\ast {r}_1}\right\} \).

$$ {\left[{m}_1{r}_1+{m}_2{r}_1{r}_2\right]}_{pk_{CP}}={\left\{{T_1}^{r_1}{T_2}^{r_1{r}_2},{\left({T}_2^{\prime}\right)}^{r_1}{\left({T}_2^{\prime}\right)}^{r_1{r}_2}\right\}}^a. $$

Next, DSP sends the data packet \( \left({\left[{m}_2{r}_1\right]}_{pk_{CP}},{\left[{m}_1{r}_1+{m}_2{r}_1{r}_2\right]}_{pk_{CP}}\right) \) to CP.

Step 4 (Data Process @ CP): Upon receiving the data packet from DSP, CP calls PDec2 to decrypt the packet. Then, CP performs division operations on plaintexts and encrypts the computational result with \( pk_{DR} \).

  1.

    \( {m}_2{r}_1={T_2}^{r_1}/{\left({\left({T}_2^{\prime}\right)}^{r_1\ast a}\right)}^b \bmod n \); \( {m}_1{r}_1+{m}_2{r}_1{r}_2={T_1}^{r_1}{T_2}^{r_1{r}_2}/{\left({\left({T}_2^{\prime}\right)}^{r_1}{\left({T}_2^{\prime}\right)}^{r_1{r}_2}\right)}^{a\ast b} \bmod n \).

  2.

    \( \left({m}_1{r}_1+{m}_2{r}_1{r}_2\right)/{m}_2{r}_1=\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2 \); \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{DR}}=\left\{\left(1+\left(\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right)\ast n\right){pk}_{DR}^r,{g}^r\right\} \).

The data sent to DSP is the ciphertext \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{DR}} \). We use \( \left\lfloor \frac{m_1}{m_2}\right\rfloor \) to represent the quotient.

Step 5 (Additional Process @ DSP): DSP encrypts the random number \( r_2 \) as \( {\left[{r}_2\right]}_{pk_{DR}} \) and computes \( {\left({\left[{r}_2\right]}_{pk_{DR}}\right)}^{n-1} \). Then, DSP removes the mask from the ciphertext as below.

$$ {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{DR}}\ast {\left({\left[{r}_2\right]}_{pk_{DR}}\right)}^{n-1}={\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{DR}}\ast \left({\left[-{r}_2\right]}_{pk_{DR}}\right)={\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{DR}}. $$

Step 6 (Data Access @ DR): Upon receiving the final ciphertext from DSP, the targeted DR can call \( Dec\left({\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{DR}},{sk}_{DR}\right) \) to get the final quotient of the division.

5.9.1 Scheme 2

We design Scheme 2 to enable flexible access control over computational results as shown in Fig. 3.

Fig. 3 The procedure of division computation with flexible access control

Step 3 (Data Preparation @ DSP): DSP chooses two random numbers \( r_1 \) and \( r_2 \), where \( \mathcal{L}\left({r}_i\right)<\mathcal{L}(n)/4 \), and preprocesses data to mask raw data as follows, which is the same as Scheme 1.

  1.

    \( \left[{m}_1{r}_1\right]=\left\{{T_1}^{r_1},{\left({T}_1^{\prime}\right)}^{r_1}\right\}={\left[{m}_1\right]}^{r_1} \), \( \left[{m}_2{r}_1\right]=\left\{{T_2}^{r_1},{\left({T}_2^{\prime}\right)}^{r_1}\right\}={\left[{m}_2\right]}^{r_1} \).

  2.

    \( \left[{m}_2{r}_1{r}_2\right]={\left[{m}_2\right]}^{r_1{r}_2}=\left\{{T_2}^{r_1{r}_2},{\left({T}_2^{\prime}\right)}^{r_1{r}_2}\right\} \); \( \left[{m}_1{r}_1+{m}_2{r}_1{r}_2\right]=\left[{m}_1{r}_1\right]\ast \left[{m}_2{r}_1{r}_2\right] \).

  3.

    \( {\left[{m}_2{r}_1\right]}_{pk_{CP}}=\left\{{T_2}^{r_1},{\left({T}_2^{\prime}\right)}^{r_1\ast {sk}_{DSP}}\right\}=\left\{\left(1+{r}_1\ast {m}_2\ast n\right){PK}^{r\ast {r}_1},{g}^{r\ast a\ast {r}_1}\right\} \).

$$ {\left[{m}_1{r}_1+{m}_2{r}_1{r}_2\right]}_{PK_{CP}}={\left\{{T_1}^{r_1}{T_2}^{r_1{r}_2},{\left({T}_2^{\prime}\right)}^{r_1}{\left({T}_2^{\prime}\right)}^{r_1{r}_2}\right\}}^a. $$

Similarly, DSP sends the data packet \( \left({\left[{m}_2{r}_1\right]}_{pk_{CP}},{\left[{m}_1{r}_1+{m}_2{r}_1{r}_2\right]}_{pk_{CP}}\right) \) to CP.

Step 4 (Data Process @ CP): CP calls \( PDec2\left(\ast, {sk}_{CP}\right) \) to decrypt the data received from DSP to get \( {m}_2{r}_1 \) and \( {m}_1{r}_1+{m}_2{r}_1{r}_2 \), then performs division operations on plaintexts with perturbations, and encrypts the computational result by calling \( Enc\left(\ast, {pk}_{CP}\right) \).

  1.

    \( \left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2=\left({m}_1{r}_1+{m}_2{r}_1{r}_2\right)/{m}_2{r}_1 \), where \( \left\lfloor \frac{m_1}{m_2}\right\rfloor \) is the quotient and the remainder is ignored.

  2.

    CP sends the data \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{CP}}=\left\{\left(1+\left(\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right)\ast n\right){pk}_{CP}^r,{g}^r\right\} \) to DSP.

Step 5 (Data Reprocess @ DSP): DSP chooses a partial key \( ck_1 \) and sets a random number as \( c_1={\left({ck}_1\right)}^{-1} \bmod n \). DSP removes the mask from the ciphertext and performs the following computations:

\( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{CP}}\ast {\left({\left[{r}_2\right]}_{pk_{CP}}\right)}^{n-1}={\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}} \); \( {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}}={\left({\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}}\right)}^{c_1}=\left\{\tilde{T},{\tilde{T}}^{\prime}\right\} \)

The data sent to CP is \( {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}} \).

Step 6 (Data Reprocess @ CP): CP first calls \( PDec2\left(\ast, {sk}_{CP}\right) \) to decrypt the received data. Then, it chooses a partial key \( ck_2 \) to generate a key pair \( \left({ck}_2,{pk}_{ck_2}={g}^{ck_2}\right) \) and calls \( Enc\left(\ast, {pk}_{ck_2}\right) \) to encrypt the data: \( {c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor =\tilde{T}/{\left({\tilde{T}}^{\prime}\right)}^b \bmod n \); \( {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck_2}}=\left\{\left(1+\left({c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right)\ast n\right){pk}_{ck_2}^r,{g}^r\right\}=\left\{\overline{T},{\overline{T}}^{\prime}\right\} \).

In addition, CP calls \( {Enc}^{ABE} \) to encrypt \( ck_2 \): \( {CK}_2={Enc}^{ABE}\left({ck}_2,\mathcal{T},{PK}^{\prime}\right) \). Furthermore, the ABE key \( CK_2 \) is sent to DSP along with the ciphertext \( {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck_2}} \).

Step 7 (Additional Process @ DSP): DSP operates partial modular computation on received ciphertext with its partial key ck 1 and performs ABE algorithms to obtain encrypted access keys.

$$ {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck}}={\left({\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck_2}}\right)}^{1,{ck}_1}=\left\{{\overline{T}}^{ck_1},{\overline{T}}^{\prime}\right\}=\left\{\left(1+{ck}_1{c}_1\ast \left\lfloor \frac{m_1}{m_2}\right\rfloor n\right){g}^{ck_1\ast {ck}_2r},{g}^r\right\}=\left\{\left(1+\left\lfloor \frac{m_1}{m_2}\right\rfloor \ast n\right){g}^{ck\ast r},{g}^r\right\}, $$

where \( {pk}_{ck}={\left({pk}_{ck_2}\right)}^{ck_1}={\left({pk}_{ck_1}\right)}^{ck_2} \).

  1.

    Calling \( {Enc}^{ABE} \) to encrypt \( ck_1 \): \( {CK}_1={Enc}^{ABE}\left({ck}_2,\mathcal{T},{PK}^{\prime}\right) \).

  2.

    ABE homomorphic computation: \( CK={CK}_1\ast {CK}_2={Enc}^{ABE}\left({ck}_1\ast {ck}_2,\mathcal{T},{PK}^{\prime}\right) \).

Finally, DSP keeps \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck}} \) and CK for user access.

Step 8 (Data Access @ DRs): Upon receiving the computational results and CK from DSP, the DRs who satisfy the access policy can obtain a secret key SK from the authority. Thus, the DRs can decrypt CK to get ck by calling \( {Dec}^{ABE} \) and get the final quotient by calling \( Dec\left({\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck}}, ck\right) \).

5.10 Division and Rest

5.10.1 Scheme 3

To support accurate division computation, we design Scheme 3 to further calculate remainder based on Scheme 1. We omit the same first three steps as in Scheme 1 and introduce the additional part as below.

Step 4 (Data Process @ CP): Upon receiving the data packet from DSP, CP first calls \( PDec2\left(\ast, {sk}_{CP}\right) \) to obtain the masked plaintexts and performs the following computations:

\( \left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2=\left({m}_1{r}_1+{m}_2{r}_1{r}_2\right)/{m}_2{r}_1 \);\( R{r}_1=\left({m}_1{r}_1+{m}_2{r}_1{r}_2\right)-{m}_2{r}_1\ast \left(\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right) \).

Then, CP calls \( Enc\left(\ast, {pk}_{DR}\right) \) to encrypt the above computational results as \( \left\{{\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{DR}},{\left[R{r}_1\right]}_{pk_{DR}}\right\} \) and sends the data packet to DSP.

Step 5 (Data Additional Process @ DSP): DSP removes the mask from received ciphertext to get encrypted quotient and remainder as follows:

\( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{DR}}={\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{DR}}\ast {\left({\left[{r}_2\right]}_{pk_{DR}}\right)}^{n-1};{\left[R\right]}_{pk_{DR}}={\left({\left[R{r}_1\right]}_{pk_{DR}}\right)}^{{r_1}^{-1}} \).

Step 6 (Data Access @ DR): Upon receiving the computational results from DSP, the targeted DR can decrypt the two ciphertexts \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{DR}} \) and \( {\left[R\right]}_{pk_{DR}} \) to get the final quotient and remainder by calling \( Dec\left(\ast, {sk}_{DR}\right) \).
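
Scheme 3 run end to end on toy parameters, as an added example that is not the chapter's own code. The primes, the generator choice and all function names (`enc`, `dec`, `pdec1`, `run_scheme3`) are assumptions; the last call passes a mask that violates \( \mathcal{L}\left({r}_i\right)<\mathcal{L}(n)/4 \) to show the masked sum wrapping modulo n and the DR recovering a wrong quotient.

```python
import math
import secrets

# Constructed toy parameters (assumptions): two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
MASK_BOUND = 1 << (N.bit_length() // 4 - 1)   # enforces L(r_i) < L(n)/4


def rand_unit():
    """Random element of Z*_{n^2}."""
    while True:
        x = secrets.randbelow(N2 - 2) + 2
        if math.gcd(x, N) == 1:
            return x


G = pow(rand_unit(), 2, N2)   # toy generator choice, not the chapter's KeyGen


def enc(m, pk):
    """[m]_pk = {(1 + m*n) * pk^r, g^r} mod n^2."""
    r = secrets.randbelow(N - 1) + 1
    return ((1 + (m % N) * N) * pow(pk, r, N2) % N2, pow(G, r, N2))


def dec(ct, sk):
    """m = L(T / (T')^sk mod n^2), with L(x) = (x - 1) / n."""
    t, t_prime = ct
    x = t * pow(pow(t_prime, sk, N2), -1, N2) % N2
    return (x - 1) // N


def mul(c1, c2):
    """[m1] * [m2] = [m1 + m2]."""
    return (c1[0] * c2[0] % N2, c1[1] * c2[1] % N2)


def power(ct, k):
    """[m]^k = [k * m]."""
    return (pow(ct[0], k, N2), pow(ct[1], k, N2))


def pdec1(ct, a):
    """DSP's partial decryption: [m]_PK -> [m]_pk_CP = {T, (T')^a}."""
    return (ct[0], pow(ct[1], a, N2))


def run_scheme3(m1, m2, r1=None, r2=None):
    """Return (quotient, remainder) as the DR recovers them."""
    a, b, sk_dr = (secrets.randbelow(N - 1) + 1 for _ in range(3))
    pk_joint, pk_dr = pow(G, a * b, N2), pow(G, sk_dr, N2)
    r1 = r1 or secrets.randbelow(MASK_BOUND - 1) + 1
    r2 = r2 or secrets.randbelow(MASK_BOUND - 1) + 1

    # DPs upload [m1], [m2] under the joint key PK = g^(a*b).
    c1, c2 = enc(m1, pk_joint), enc(m2, pk_joint)

    # Step 3 @ DSP: mask, then partially decrypt for the CP.
    c_m2r1 = power(c2, r1)
    c_sum = mul(power(c1, r1), power(c_m2r1, r2))
    packet = (pdec1(c_m2r1, a), pdec1(c_sum, a))

    # Step 4 @ CP: PDec2 is dec() with b; divide the masked plaintexts.
    x, y = dec(packet[0], b), dec(packet[1], b)
    if x == 0:
        raise ValueError("masked divisor is zero")
    q_masked = y // x                 # floor(m1/m2) + r2
    rem_masked = y - x * q_masked     # R * r1
    reply = (enc(q_masked, pk_dr), enc(rem_masked, pk_dr))

    # Step 5 @ DSP: strip r2 additively and r1 multiplicatively.
    c_q = mul(reply[0], power(enc(r2, pk_dr), N - 1))
    c_r = power(reply[1], pow(r1, -1, N))

    # Step 6 @ DR: decrypt with sk_DR.
    return dec(c_q, sk_dr), dec(c_r, sk_dr)


if __name__ == "__main__":
    print(run_scheme3(1000, 7))                    # masks within the bound
    print(run_scheme3(1000, 7, r1=1, r2=1 << 91))  # oversized mask wraps mod n
```
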

5.10.2 Scheme 4

Similarly, Scheme 4 is proposed by adding the computations of remainder based on Scheme 2. We introduce its details below by omitting the same first three steps as in Scheme 2.

Step 4 (Data Process @ CP): Upon receiving the data packet from DSP, CP first calls \( PDec2\left(\ast, {sk}_{CP}\right) \) to obtain two messages \( {m}_2{r}_1 \) and \( {m}_1{r}_1+{m}_2{r}_1{r}_2 \). Then, it performs basic computations to get \( \left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2 \) and \( R{r}_1 \). Furthermore, CP calls \( Enc\left(\ast, {pk}_{CP}\right) \) to encrypt the computational result and sends the encrypted data packet \( \left\{{\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{CP}},{\left[R{r}_1\right]}_{pk_{CP}}\right\} \) to DSP.

Step 5 (Data Reprocess @ DSP): DSP first chooses a partial key \( ck_1 \) and sets a random number as \( c_1={\left({ck}_1\right)}^{-1} \bmod n \). Then, it removes the mask from the received ciphertext and conceals the data by performing the following computations:

  1.

    \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor +{r}_2\right]}_{pk_{CP}}\ast {\left({\left[{r}_2\right]}_{pk_{CP}}\right)}^{n-1}={\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}} \);\( {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}}={\left({\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}}\right)}^{c_1} \).

  2.

    \( {\left({\left[R{r}_1\right]}_{pk_{CP}}\right)}^{{r_1}^{-1}}={\left[R\right]}_{pk_{CP}} \);\( {\left[{c}_1R\right]}_{pk_{CP}}={\left({\left[R\right]}_{pk_{CP}}\right)}^{c_1}=\left\{\hat{T},{\hat{T}}^{\prime}\right\} \).

Next, the data packet {\( {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}},{\left[{c}_1R\right]}_{pk_{CP}} \)} is sent to CP.

Step 6 (Data Reprocess @ CP): With the received data packet, CP first performs \( PDec2\left(\ast, {sk}_{CP}\right) \) on the encrypted data. Then, it chooses a partial key \( ck_2 \) to generate a key pair \( \left({ck}_2,{pk}_{ck_2}={g}^{ck_2}\right) \) and calls \( Enc\left(\ast, {pk}_{ck_2}\right) \) to encrypt the masked data. Detailed processes are described below:

$$ {\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{CP}}\overset{\boldsymbol{PDec}\mathbf{2}\left(\ast, {sk}_{CP}\right)}{\to }{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \overset{Enc\left(\ast, {pk}_{ck_2}\right)}{\to }{\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck_2}}. $$
$$ {\left[{c}_1R\right]}_{pk_{CP}}\overset{\boldsymbol{PDec}\mathbf{2}\left(\ast, \kern0.75em {sk}_{CP}\right)}{\to }{c}_1R\overset{Enc\left(\ast, {pk}_{ck_2}\right)}{\to }{\left[{c}_1R\right]}_{pk_{ck_2}}. $$

In addition, CP calls the ABE encryption algorithm to encrypt \( ck_2 \): \( {CK}_2={Enc}^{ABE}\left({ck}_2,\mathcal{T},{PK}^{\prime}\right) \).

The data packet \( \left\{{\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck_2}},{\left[{c}_1R\right]}_{pk_{ck_2}},{CK}_2\right\} \) is sent to DSP.

Step 7 (Additional Process @ DSP): Upon receiving the data packet, DSP performs the following operations:

  1.

    \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck}}={\left({\left[{c}_1\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck_2}}\right)}^{1,{ck}_1} \); \( {\left[R\right]}_{pk_{ck}}={\left({\left[{c}_1R\right]}_{pk_{ck_2}}\right)}^{1,{ck}_1} \).

  2.

    Using \( {Enc}^{ABE} \) to encrypt \( ck_1 \): \( {CK}_1={Enc}^{ABE}\left({ck}_2,\mathcal{T},{PK}^{\prime}\right) \).

  3.

    Homomorphism of ABE: \( CK={CK}_1\ast {CK}_2={Enc}^{ABE}\left({ck}_1\ast {ck}_2,\mathcal{T},{PK}^{\prime}\right) \).

DSP keeps the encrypted data packet \( \left\{{\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck}},{\left[R\right]}_{pk_{ck}}\right\} \) and ABE key CK for user access.

Step 8 (Data Access @ DR): The DRs that satisfy the access policy can obtain a secret key SK from the authority, which can be used to get ck by calling \( {Dec}^{ABE}\left(PK, SK, CK\right) \). Then DRs decrypt the received ciphertexts \( {\left[\left\lfloor \frac{m_1}{m_2}\right\rfloor \right]}_{pk_{ck}} \) and \( {\left[R\right]}_{pk_{ck}} \) obtained from DSP to get the quotient and remainder.

6 Applications in Cybersecurity Education

Privacy-preserving data processing with ABE guarantees data security and user privacy. In the field of cybersecurity education, privacy-sensitive data are generated and issued, e.g., course feedback, survey inputs, security-related data for intrusion/malware detection provided by different parties for course exercises, multi-party sensitive data processing, etc. By analyzing these data in a privacy-preserving way, we can judge teaching performance, support further course improvement, offer essential course practice to allow students to deeply understand cybersecurity theories and technologies, etc. Herein, our schemes offer an efficient and privacy-preserving measure to conduct data analysis, which provides a good practice for students to understand homomorphic encryption and its usage. Some concrete examples are listed below:

6.1 Privacy-Preserving Data Analysis

Feedback and opinions from all students and faculty are essential to improve course quality. Our schemes can be adopted for data collection and dispel privacy concerns. They can be used in the following two scenarios:

Teaching Performance Evaluation: Our schemes can collect, process, and analyze the student ratings in a privacy-preserving way, especially in online courses. With our schemes, students are encouraged to provide their feedback or survey inputs honestly. Furthermore, the students can select preferred courses by comparing different course evaluation results and personal study expectation.

Preparing and Rating Examination Questions: The design goal of flexible data sharing and access control in our schemes would be a key point for remote cooperation among experts or teachers.

Teachers can prepare examination questions cooperatively in a privacy-preserving and flexible way. Our schemes can protect the content of examination papers and enable the teachers to get the feedback of other teachers to assess the rationality of papers. Moreover, they can also be applied to exchange the statistics of examination results from students and complete remote rating through cooperation. This kind of online cooperation can greatly improve education efficiency.

6.2 Cybersecurity Experimental Platform

Apart from the above, our schemes can be integrated to build up an experimental platform for cybersecurity education. It will help students gain a deep insight into privacy and security of outsourced data processing.

Cybersecurity Course Exercises: Our schemes offer a good experimental platform to conduct cybersecurity experiments with regard to secure data analytics for flexible and fine-grained access control over the processing results. For example, a number of students can collect sensitive security-related data from different sources and perform secure processing on those data at an untrusted party, and then different students get the processing results without knowing other inputs. For another example, students can provide their own mobile phone apps’ usage data to process in a secure way with our schemes in order to know the trust and popularity of the apps without disclosing their personal app usage information. Through these experimental exercises, the students can get deep insight on encrypted data processing and flexible access control over processing results.

7 Conclusion

With the development and wide deployment of information systems, cybersecurity education has become popular and significant. To obtain customized courses, some private information is provided, which may erode privacy. In this chapter, we proposed an efficient and secure system to achieve privacy-preserving data processing with ABE-based flexible access control. It can support several operations and achieve fine-grained access control without the need for fully trusted cloud servers, and it can be deployed in a cybersecurity education framework. We also illustrated a number of applications of our system for the purpose of cybersecurity education.