1 Introduction

With the emergence of cloud computing [1], the information industry is developing rapidly. Cloud computing provides users with massive storage services and powerful computing services, which contributes remarkably to the economy [2,3,4,5]. However, the security issues associated with cloud computing have become increasingly prominent [6]. Kaufman [7] pointed out that the security of cloud services was not only one of the biggest challenges it faced, but also a problem that should be solved as soon as possible.

If users store their sensitive data on the cloud server in plaintext, the cloud may copy or even tamper with the information without the users being aware of such unauthorized behavior, which may cause immeasurable loss; the cloud therefore cannot be trusted unconditionally. To prevent malicious leakage of, and illegal access to, sensitive data, users can outsource their data in encrypted form.

The traditional encryption and decryption model of cloud computing cannot achieve fine-grained access control on the results of cloud computation. In practice, not everyone should be able to obtain the final results. In 1984 Shamir [8] proposed Identity-Based Encryption (IBE), in which a user’s public key is derived from a unique identifier related to his/her identity, so servers no longer need to query the user’s public key certificate. Attribute-Based Encryption (ABE), proposed by Sahai and Waters [9], is seen as a generalization of IBE. In an ABE system, the user’s key and the ciphertexts are associated with attributes, and only when the attributes satisfy the access policy can the user decrypt correctly, which achieves fine-grained access control on the ciphertexts. Due to these good characteristics, ABE has attracted great attention from cryptographers. A large amount of research on ABE has emerged in recent years [10,11,12,13], and it has also been widely applied in cloud computing security algorithms [14,15,16], becoming an important tool for data protection in cloud computing.

In this paper, based on the classic somewhat homomorphic encryption scheme BGN [17] and adopting the method of [13], which we call outsourcing the decryption of CP-ABE ciphertexts, we propose a BGN-type scheme for outsourcing the decryption of CP-ABE ciphertexts. In our scheme, partial decryption of ciphertexts is outsourced to the cloud, which greatly reduces the computing overhead of users. The user’s private key is associated with his/her attributes, the access control policy is embedded into the ciphertexts, and only users whose attributes satisfy the access policy can decrypt the ciphertexts. Meanwhile, our scheme can perform arbitrary additions and one multiplication on ciphertexts.

In Sect. 2, we give the preliminary knowledge for this paper. We present our outsourcing construction and analyze the homomorphic properties of the scheme in Sect. 3. In Sects. 4 and 5, its security and performance analysis are described respectively. Section 6 concludes the paper.

2 Preliminaries

2.1 Bilinear Map

Let \( {\mathbb{G}} \) and \( {\mathbb{G}}_{\text{T}} \) be two multiplicative cyclic groups of prime order p. Let g be a generator of \( {\mathbb{G}} \) and \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{\text{T}} \) be a bilinear map with the following properties:

1. Bilinearity: for all \( u,k \in {\mathbb{G}} \) and \( a,b \in Z_{p} \), \( e\left( {u^{a} ,k^{b} } \right) = e\left( {u,k} \right)^{ab} \).

2. Non-degeneracy: \( e\left( {g,g} \right) \ne 1 \).

3. Computability: the bilinear map \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{\text{T}} \) can be computed in polynomial time.

2.2 Access Structures

Definition 1

(Access Structure [18]). Let \( \left\{ {P_{1} ,P_{2} , \cdots ,P_{n} } \right\} \) be a set of participants and let \( P = 2^{{\left\{ {P_{1} ,P_{2} , \cdots ,P_{n} } \right\}}} \). An access structure \( \Gamma \) is a non-empty subset of \( \left\{ {P_{1} ,P_{2} , \cdots ,P_{n} } \right\} \). We define its monotone property as follows: if \( A \in\Gamma \) and \( A\, \subseteq \,B \), then \( B \in\Gamma \). We call the sets in \( \Gamma \) the authorized sets, and the sets not in \( \Gamma \) the unauthorized sets.

2.3 Linear Secret Sharing Schemes

Definition 2

(Linear Secret-Sharing Schemes (LSSS) [18]). A secret-sharing scheme \( \Pi \) over a set of participants P is called linear (over \( Z_{p} \)) if

1. The shares of the participants form a vector over \( Z_{p} \).

2. There exists an \( l \times n \) matrix M called the share-generating matrix for \( \Pi \). We define a function \( \rho \) that maps every row of the share-generating matrix to a related participant, i.e., for \( i = 1,2, \cdots ,l \), the value \( \rho (i) \) is the participant associated with row i. We build a column vector \( \varvec{v} = \left( {s,y_{2} , \cdots ,y_{n} } \right) \), in which \( y_{2} , \cdots ,y_{n} \in Z_{p} \) are chosen randomly and \( s \in Z_{p} \) is the secret to be shared; then \( M\varvec{v} \) is the vector of l shares of the secret s according to \( \Pi \). The share \( \left( {M\varvec{v}} \right)_{i} \) belongs to participant \( \rho (i) \).

Definition 3

(Linear Reconstruction [18]). Each linear secret-sharing scheme has the linear reconstruction property: suppose that \( \Pi \) is an LSSS for the access structure \( \Gamma \). Let \( S \in\Gamma \) be an authorized set, and let \( I \subseteq \left\{ {1,2, \ldots ,l} \right\} \) with \( I = \left\{ {i:\rho (i) \in S} \right\} \). Then, if \( \left\{ {\lambda_{i} } \right\} \) are valid shares of any secret s according to \( \Pi \), there must exist constants \( \left\{ {w_{i} \in Z_{p} } \right\}_{i \in I} \) such that .
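The share-generating matrix of Definition 2 and the reconstruction constants \( w_{i} \) of Definition 3, as an added worked example in Python that is not part of the original paper. The policy, the matrix M, the labelling \( \rho \) and the prime p are all constructed here for illustration: M encodes the access structure (A AND B) OR C, share() computes \( M\varvec{v} \), and reconstruct() derives \( \left\{ {w_{i} } \right\}_{i \in I} \) by solving \( \sum\nolimits_{i \in I} {w_{i} M_{i} } = (1,0, \cdots ,0) \) over \( Z_{p} \), returning None when the rows of an unauthorized set do not span the target vector.

```python
import secrets

# Constructed toy prime for Z_p arithmetic (assumption: not a parameter from the paper).
P = 2**61 - 1

# Constructed LSSS for the policy (A AND B) OR C; row i of M is labelled by rho[i].
# With v = (s, y): A receives s + y, B receives -y, C receives s.
M_DEMO = [[1, 1], [0, -1], [1, 0]]
RHO_DEMO = ["A", "B", "C"]


def share(M, s, p=P):
    """Shares Mv for secret s, with v = (s, y_2, ..., y_n) and the y_j uniform in Z_p."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(Mi[j] * v[j] for j in range(n)) % p for Mi in M]


def reconstruction_constants(M, rows, p=P):
    """Constants {w_i}_{i in rows} with sum_i w_i * M_i = (1, 0, ..., 0) over Z_p,
    or None if the selected rows do not span the target vector (unauthorized set).
    Solves the n-by-k system M_I^T w = e_1 by Gauss-Jordan elimination mod p."""
    n, k = len(M[0]), len(rows)
    A = [[M[r][j] % p for r in rows] + [1 if j == 0 else 0] for j in range(n)]
    pivot_cols, rank = [], 0
    for col in range(k):
        piv = next((i for i in range(rank, n) if A[i][col]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][col], -1, p)
        A[rank] = [x * inv % p for x in A[rank]]
        for i in range(n):
            if i != rank and A[i][col]:
                f = A[i][col]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[rank])]
        pivot_cols.append(col)
        rank += 1
        if rank == n:
            break
    if any(A[i][k] for i in range(rank, n)):  # a row "0 = nonzero": e_1 is not in the span
        return None
    w = [0] * k  # free variables are set to 0
    for i, col in enumerate(pivot_cols):
        w[col] = A[i][k]
    return w


def reconstruct(M, rho, shares, S, p=P):
    """Linear reconstruction (Definition 3): sum_{i in I} w_i * lambda_i = s for authorized S."""
    I = [i for i in range(len(M)) if rho[i] in S]
    w = reconstruction_constants(M, I, p)
    if w is None:
        return None
    return sum(wi * shares[i] for wi, i in zip(w, I)) % p


if __name__ == "__main__":
    shares = share(M_DEMO, 42)
    for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(S), reconstruct(M_DEMO, RHO_DEMO, shares, S))
```

The same membership test (do the rows labelled by S span the target vector?) is what the Transform algorithm of Sect. 3 performs before either outputting \( \bot \) or using the constants \( \omega_{i} \); the elimination works for any share-generating matrix, not only the two-column one constructed here.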

2.4 BGN Scheme

The BGN scheme [17] is a classic somewhat homomorphic encryption scheme proposed by Boneh, Goh and Nissim; it supports arbitrary homomorphic additions and one homomorphic multiplication. As is well known, BGN was the first somewhat homomorphic encryption scheme after the concept of homomorphic encryption was proposed in [19], and in 2010 Gentry [20] implemented BGN on lattices. The scheme is described as follows:

KeyGen\( (\tau ) \): Given a security parameter \( \tau \in Z^{ + } \), run \( {\mathcal{G}}(\tau ) \) to obtain a tuple \( \left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \). Let \( n = q_{1} q_{2} \). Pick two generators \( k,u\xleftarrow{R}{\mathbb{G}} \) randomly and set \( h = u^{{q_{2} }} \). Then h is a random generator of the subgroup of \( {\mathbb{G}} \) of order \( q_{1} \). The public key is \( PK = \left( {n,{\mathbb{G}},{\mathbb{G}}_{1} ,e,k,h} \right) \) and the private key is \( SK = q_{1} \).

Encrypt\( \left( {PK,M} \right) \): The message space is \( m \in \left\{ {0,1, \cdots ,T} \right\} \) with \( T < q_{2} \). To encrypt a message m under the public key \( PK \), pick a random \( r\xleftarrow{R}\left\{ {0,1, \cdots ,n - 1} \right\} \) and compute \( C = k^{m} h^{r} \in {\mathbb{G}} \). Output C as the ciphertext.

Decrypt\( (SK,C) \): We use the private key \( SK = q_{1} \) to decrypt a ciphertext C, observe that \( C^{{q_{1} }} = \left( {k^{m} h^{r} } \right)^{{q_{1} }} = \left( {k^{{q_{1} }} } \right)^{m} \). To obtain m, we compute the discrete log of \( C^{{q_{1} }} \) base \( k^{{q_{1} }} \). Since \( 0 \le m \le T \) this takes expected time \( O\left( {\sqrt T } \right) \) using Pollard’s lambda [21] method.

Homomorphic properties: The BGN scheme is clearly additively homomorphic:

$$ C = C_{1} C_{2} h^{r} = k^{{m_{1} }} h^{{r_{1} }} \cdot k^{{m_{2} }} h^{{r_{2} }} \cdot h^{r} = k^{{m_{1} + m_{2} }} h^{{r_{1} + r_{2} + r}} \in {\mathbb{G}} $$

Multiplicatively homomorphic: Let \( k_{1} = e(k,k) \) and \( h_{1} = e(k,h) \), then \( k_{1} \) is of order n and \( h_{1} \) is of order \( q_{1} \). There is some (unknown) \( \beta \in Z \) such that \( h = k^{{\beta q_{2} }} \). We have:

$$ \begin{aligned} C & = e\left( {C_{1} ,C_{2} } \right)h_{1}^{r} \\ & = e\left( {k^{{m_{1} }} h^{{r_{1} }} ,k^{{m_{2} }} h^{{r_{2} }} } \right)h_{1}^{r} \\ & = k_{1}^{{m_{1} m_{2} }} h_{1}^{{m_{1} r_{2} + m_{2} r_{1} + \beta q_{2} r_{1} r_{2} + r}} \\ & = k_{1}^{{m_{1} m_{2} }} h_{1}^{{\tilde{r}}} \in {\mathbb{G}}_{1} \\ \end{aligned} $$

where \( \tilde{r} = m_{1} r_{2} + m_{2} r_{1} + \beta q_{2} r_{1} r_{2} + r \) is distributed uniformly in \( Z_{n} \). Since the new ciphertext lies in \( {\mathbb{G}}_{ 1} \) and there is no efficient bilinear map \( e:{\mathbb{G}}_{1} \times {\mathbb{G}}_{1} \to {\mathbb{G}} \), the scheme can perform only one multiplication on ciphertexts.
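The KeyGen, Encrypt, Decrypt and additive-homomorphism steps of the BGN scheme above, as an added toy example in Python that is not part of the original paper. It assumes tiny constructed primes \( q_{1} = 101 \), \( q_{2} = 103 \) and models \( {\mathbb{G}} \) as the order-n subgroup of \( Z_{p}^{ * } \) for a prime p with \( n \mid p - 1 \), which is enough to show why \( C^{{q_{1} }} = \left( {k^{{q_{1} }} } \right)^{m} \) and why the bound \( T < q_{2} \) is needed; the pairing-based single multiplication needs a bilinear map and is not modelled. Baby-step giant-step replaces Pollard’s lambda for the final discrete log.

```python
import math
import secrets

# Constructed toy parameters (assumption: nothing here is a real BGN instance).
# Real instances use two large primes; 101 and 103 only keep the demo instant.
Q1, Q2 = 101, 103
T = 100  # message bound; the paper requires T < q2 so that k^{q1}, of order q2, separates messages


def _is_prime(x):
    """Trial division; adequate for the tiny moduli used in this demo."""
    if x < 2:
        return False
    return all(x % d for d in range(2, math.isqrt(x) + 1))


def keygen():
    """Toy KeyGen: G is the order-n subgroup of Z_p^* where p = c*n + 1 is prime."""
    n = Q1 * Q2
    c = 2
    while not _is_prime(c * n + 1):
        c += 1
    p = c * n + 1

    def random_element_of_order_n():
        while True:
            a = pow(secrets.randbelow(p - 2) + 2, c, p)  # a^n = 1, so ord(a) divides n
            if pow(a, Q1, p) != 1 and pow(a, Q2, p) != 1:  # rule out the proper divisors
                return a

    k = random_element_of_order_n()
    u = random_element_of_order_n()
    h = pow(u, Q2, p)  # h = u^{q2} generates the subgroup of order q1
    return (n, p, k, h), Q1  # PK = (n, G, k, h) with G given by p; SK = q1


def encrypt(pk, m):
    """C = k^m h^r with r uniform in {0, ..., n-1}."""
    n, p, k, h = pk
    if not 0 <= m <= T:
        raise ValueError("message outside {0, ..., T}")
    r = secrets.randbelow(n)
    return pow(k, m, p) * pow(h, r, p) % p


def add(pk, c1, c2):
    """Additive homomorphism: C1 * C2 * h^r encrypts m1 + m2 under fresh randomness."""
    n, p, k, h = pk
    return c1 * c2 * pow(h, secrets.randbelow(n), p) % p


def _dlog(base, target, p, bound):
    """Baby-step giant-step: the m in [0, bound] with base^m = target (mod p), else None.
    Same O(sqrt T) cost as the Pollard lambda method the paper cites, but deterministic."""
    s = math.isqrt(bound) + 1
    baby = {}
    cur = 1
    for j in range(s):
        baby.setdefault(cur, j)
        cur = cur * base % p
    giant = pow(base, -s, p)  # base^{-s}
    gamma = target
    for i in range(s + 1):
        if gamma in baby:
            m = i * s + baby[gamma]
            return m if m <= bound else None
        gamma = gamma * giant % p
    return None


def decrypt(pk, sk, c):
    """C^{q1} = (k^{q1})^m because h^{q1} = 1; m is recovered by a small discrete log."""
    n, p, k, h = pk
    return _dlog(pow(k, sk, p), pow(c, sk, p), p, T)


if __name__ == "__main__":
    pk, sk = keygen()
    c1, c2 = encrypt(pk, 37), encrypt(pk, 58)
    print(decrypt(pk, sk, c1), decrypt(pk, sk, add(pk, c1, c2)))  # 37 95
```

Raising a ciphertext to \( q_{1} \) kills the \( h^{r} \) blinding factor precisely because h lies in the order-\( q_{1} \) subgroup; the same exponentiation is what the private key \( q_{1} \) gives the decryptor and what the subgroup decision problem of Sect. 4.1 denies to anyone who does not know the factorization of n.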

2.5 Outsourcing the Decryption of ABE Ciphertexts Model

Outsourcing the decryption of attribute-based encryption ciphertexts was proposed by Green, Hohenberger and Waters [13]. The difference from traditional attribute-based encryption is that a transformation algorithm is added to the scheme, in which partial decryption is outsourced to the cloud, and clients only perform a small computation on the data returned by the cloud. This method, called outsourcing, makes full use of the powerful computing ability of the cloud, which greatly improves the decryption efficiency of clients. The traditional attribute-based encryption model and the outsourced-decryption model are shown in Figs. 1 and 2 respectively:

Fig. 1. Traditional ABE model

Fig. 2. Outsourcing the decryption of ABE ciphertexts model

In the traditional attribute-based encryption model, shown in Fig. 1, the clients must download all ABE ciphertexts in order to decrypt. Obviously the storage and computation overhead is too expensive. To overcome this shortcoming, the outsourcing model shown in Fig. 2 is designed. The decryption of ABE ciphertexts is outsourced to the cloud, which sends partially decrypted ciphertexts back; the clients only need to download a small amount of data and perform some simple operations, so the storage and computation overhead of the procedure is remarkably reduced.

3 Our Construction

In this part, we construct a BGN-type scheme for outsourcing the decryption of CP-ABE ciphertexts. Combining the BGN scheme with the idea of outsourcing the decryption of attribute-based ciphertexts, we present a construction that realizes access control on the results of cloud outsourcing. Our scheme consists of the following five algorithms:

Setup\( (\lambda ,U) \): The setup algorithm takes as input a security parameter \( \lambda \) and a universe description \( U = \{ 0,1\}^{*} \). It runs \( {\mathcal{G}}(\lambda ) \) to obtain a tuple \( \left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \), where \( {\mathbb{G}},{\mathbb{G}}_{1} \) are two groups of order \( n = q_{1} q_{2} \) and \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{1} \) is a bilinear map. It picks two generators \( k,u\xleftarrow{R}{\mathbb{G}} \) randomly and sets \( h = u^{{q_{2} }} \); then h is a random generator of the subgroup of \( {\mathbb{G}} \) of order \( q_{1} \). It then chooses two groups \( {\mathbb{G}}^{{\prime }} ,{\mathbb{G}}_{\text{T}}^{{\prime }} \) of prime order p, a hash function F that maps \( \{ 0,1\}^{*} \) to \( {\mathbb{G}}^{{\prime }} \), and a hash function \( H \) that maps \( {\mathbb{G}}_{\text{T}}^{{\prime }} \) to \( \left( {0,1} \right) \). Let g be a generator of \( {\mathbb{G}}^{{\prime }} \) and \( e^{{\prime }} :{\mathbb{G}}^{{\prime }} \times {\mathbb{G}}^{{\prime }} \to {\mathbb{G}}_{\text{T}}^{{\prime }} \) be a bilinear map. Furthermore, it chooses exponents \( \alpha ,a \in Z_{p} \) randomly. The algorithm sets \( {\text{MSK}} = \left( {g^{\alpha } ,PK} \right) \) as the master secret key, and the public parameters are \( {\text{PK}} = \left( {n,g,k,h,e,e^{{\prime }} \left( {g,g} \right)^{\alpha } ,g^{a} ,F,H,{\mathbb{G}},{\mathbb{G}}_{1} } \right) \).

Encrypt\( \left( {PK,m,\left( {M,\rho } \right)} \right) \): The encryption algorithm takes as input the public parameters \( PK \) and a message m to encrypt. In addition, it takes as input an LSSS access structure \( \left( {M,\rho } \right) \), where the function \( \rho \) associates rows of M with attributes. Let M be an \( l \times n \) matrix. The algorithm first chooses a random vector , in which s is the secret to be shared. For \( i = 1,2, \cdots ,\,l \), it computes \( \lambda_{i} = M_{i} \cdot \varvec{v} \), where \( M_{i} \) is the vector corresponding to the i-th row of M. In addition, the algorithm chooses random \( R,\,r_{1} \text{,}\, \cdots \text{,}\,r_{l} \in Z_{p} \). Output the ciphertext \( CT = \)

$$ \begin{aligned} & c = k^{{mH\left( {e^{\prime}\left( {g,g} \right)^{\alpha s} } \right)}} h^{R} ,C^{{\prime }} = g^{s} \\ & \left( {C_{1} = g^{{a\lambda_{1} }} \cdot F\left( {\rho \left( 1 \right)} \right)^{{ - r_{1} }} ,D_{1} = g^{{r_{1} }} } \right) \\ & \cdots \cdots \\ & \left( {C_{l} = g^{{a\lambda_{l} }} \cdot F\left( {\rho \left( l \right)} \right)^{{ - r_{l} }} ,D_{l} = g^{{r_{l} }} } \right) \\ \end{aligned} $$

KeyGen\( ({\text{MSK,}}\,S ) \): The key generation algorithm takes as input \( {\text{MSK}} \) and an attribute set S, chooses \( t^{{\prime }} \in Z_{p} \) randomly, and obtains \( SK^{{\prime }} = \left( {PK,K^{{\prime }} = g^{\alpha } g^{{at^{{\prime }} }} ,L^{{\prime }} = g^{{t^{{\prime }}}} ,\left\{ {K_{x}^{{\prime }} = F(x)^{{t^{{\prime }} }} } \right\}_{x \in S} } \right) \). It chooses a random value \( z \in Z_{p} \), lets \( t = t^{{\prime }} /z \), and then publishes the transformation key \( {\text{TK}} \) as:

$$ PK,K = K^{{{\prime 1/}z}} = g^{\alpha /z} g^{at} ,L = L^{{{\prime 1/}z}} = g^{{t}} ,\left\{ {K_{x} } \right\}_{x \in S} = \left\{ {K_{x}^{{{\prime 1/}z}} } \right\}_{x \in S} $$

and the private key is \( SK = \left( {q_{1} ,z,{\text{TK}}} \right) \).

Transform\( \left( {{\text{TK,}}\,{\text{CT}}} \right) \): The transformation algorithm takes as input a transformation key \( {\text{TK}}\,{ = }\,\left( {{\text{PK,}}\,{\text{K,}}\,{\text{L,}}\,\left\{ {K_{x} } \right\}_{x \in S} } \right) \) for a set S and a ciphertext \( {\text{CT}} = \left( {c,C^{{\prime }} ,C_{1} , \cdots ,C_{l} } \right) \) for access structure ( M , ρ). If S does not satisfy the access structure, it outputs \( \bot \). Suppose that S satisfies the access structure and let \( I \subset \left\{ {1,2, \cdots ,l} \right\} \) be defined as \( I = \left\{ {i:\rho (i) \in S} \right\} \). Then, let \( \left\{ {\omega_{i} \in Z_{p} } \right\}_{i \in I} \) be a set of constants such that if \( \left\{ {\lambda_{i} } \right\} \) are valid shares of any secret s according to M , then \( \sum\nolimits_{i \in I} {\omega_{i} \lambda_{i} = s} \). The transformation algorithm calculates:

$$ \begin{aligned} Q & = e^{{\prime }} \left( {C^{{\prime }} ,K} \right)/\left( {e^{{\prime }} \left( {\prod\limits_{i \in I} {C_{i}^{{w_{i} }} ,L} } \right) \cdot \prod\limits_{i \in I} {e^{{\prime }} \left( {D_{i}^{{w_{i} }} ,K_{\rho (i)} } \right)} } \right) \\ & = e^{{\prime }} \left( {g,g} \right)^{s\alpha /z} e^{{\prime }} \left( {g,g} \right)^{sat} /\left( {\left( {\prod\limits_{i \in I} {e^{{\prime }} (g,g)^{{ta\lambda_{i} w_{i} }} } } \right)} \right) \\ & = e^{{\prime }} (g,g)^{s\alpha /z} \\ \end{aligned} $$

It outputs the partially decrypted ciphertext \( {\text{CT}}^{{\prime }} = (c,Q) \).

Decrypt\( (SK,{\text{CT}}) \): The decryption algorithm takes as input a private key \( SK = \left( {q_{1} ,z,{\text{TK}}} \right) \) and a ciphertext \( {\text{CT}} \). If the ciphertext is not partially decrypted, the algorithm first executes the transformation algorithm; if that output is \( \bot \), this algorithm outputs \( \bot \) as well. Otherwise, it uses \( \left( {z,Q} \right) \) to obtain \( e^{{\prime }} (g,g)^{s\alpha } = Q^{z} \), and then decrypts c using the partial private key \( q_{1} \): observe that \( c^{{q_{1} }} = \left( {k^{{mH\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{R} } \right)^{{q_{1} }} = \left( {k^{{H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)q_{1} }} } \right)^{m} \), so using Pollard’s lambda method we compute the discrete log of \( c^{{q_{1} }} \) base \( k^{{H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)q_{1} }} \) to recover m.

Our outsourcing construction is based on the BGN scheme, so it satisfies the properties of arbitrary additions and one multiplication.

1. Additively Homomorphic: For two ciphertexts \( c_{1} = k^{{m_{1} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{1} }} \in {\mathbb{G}} \) and \( c_{2} = k^{{m_{2} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{2} }} \in {\mathbb{G}} \), we have:

$$ \begin{aligned} c^{{\prime }} & = c_{1} c_{2} h^{R} \\ & = \left( {k^{{m_{1} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{1} }} } \right) \cdot \left( {k^{{m_{2} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{2} }} } \right)h^{R} \\ & = k^{{\left( {m_{1} + m_{2} } \right)H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{1} + R_{2} + R}} \in {\mathbb{G}} \\ \end{aligned} $$

A legitimate decryptor whose attributes satisfy the access policy can obtain the value of \( e^{{\prime }} (g,g)^{s\alpha } \) and then decrypt the ciphertext with the decryption algorithm.

2. Multiplicatively Homomorphic: Let \( k_{1} = e(k,k) \) and \( h_{1} = e(k,h) \), then \( k_{1} \) is of order n and \( h_{1} \) is of order \( q_{1} \). There is some (unknown) \( \beta \in Z \) such that \( h = k^{{\beta q_{2} }} \). We have:

$$ \begin{aligned} c^{{\prime }} & = e\left( {c_{1} ,c_{2} } \right)h_{1}^{R} \\ & = e\left( {k^{{m_{1} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{1} }} ,k^{{m_{2} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{{R_{2} }} } \right)h_{1}^{R} \\ & = k_{1}^{{m_{1} m_{2} H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)^{2} }} h_{1}^{{R + \left( {R_{1} m_{2} + R_{2} m_{1} } \right)H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right) + \beta q_{2} R_{1} R_{2} }} \in {\mathbb{G}}_{1} \\ \end{aligned} $$

In the same way, legitimate users can work out \( m_{1} m_{2} \). Since there is no efficient bilinear map \( e:{\mathbb{G}}_{1} \times {\mathbb{G}}_{1} \to {\mathbb{G}} \), the scheme can perform only one multiplication on ciphertexts.

4 Security

4.1 The Subgroup Decision Problem

We define an algorithm \( {\mathcal{G}} \) such that given a parameter \( \tau \in Z^{ + } \), it outputs a tuple \( \left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \) in which \( {\mathbb{G}},{\mathbb{G}}_{1} \) are groups of order \( n = q_{1} q_{2} \) and \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{1} \) is a bilinear map. On input \( \tau \), the algorithm \( {\mathcal{G}} \) will work as follows:

1. Generate two random \( \tau \)-bit primes \( q_{1} ,q_{2} \) and set \( n = q_{1} q_{2} \in Z \).

2. Generate a bilinear group \( {\mathbb{G}} \) of order n as defined above, and let g be a generator of \( {\mathbb{G}} \) and \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{1} \) be the bilinear map.

3. Output \( \left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \).

Obviously the group action in \( {\mathbb{G}},{\mathbb{G}}_{1} \) and the bilinear map are computable in polynomial time in \( \tau \). Let \( \tau \in Z^{ + } \) and let \( \left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \) be a tuple produced by \( {\mathcal{G}}(\tau ) \) where \( n = q_{1} q_{2} \). Consider the following problem: given \( \left( {n,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \) and an element \( x \in {\mathbb{G}} \), output ‘1’ if the order of x is \( q_{1} \) and output ‘0’ otherwise; i.e., decide if an element x is in a subgroup of \( {\mathbb{G}} \), without knowing the factorization of n. We call it the subgroup decision problem and define the advantage of \( {\mathcal{A}} \) in solving the subgroup decision problem \( SD{\text{-}}Adv_{{\mathcal{A}}} (\tau ) \) as:

$$ \begin{aligned} SD{\text{-}}Adv_{{\mathcal{A}}} \left( \tau \right) = \Big| & \Pr \left[ {{\mathcal{A}}\left( {n,{\mathbb{G}},{\mathbb{G}}_{1} ,e,x} \right) = 1:\left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \leftarrow {\mathcal{G}}\left( \tau \right),\;n = q_{1} q_{2} ,\;x \leftarrow {\mathbb{G}}} \right] \\ & - \Pr \left[ {{\mathcal{A}}\left( {n,{\mathbb{G}},{\mathbb{G}}_{1} ,e,x^{{q_{2} }} } \right) = 1:\left( {q_{1} ,q_{2} ,{\mathbb{G}},{\mathbb{G}}_{1} ,e} \right) \leftarrow {\mathcal{G}}\left( \tau \right),\;n = q_{1} q_{2} ,\;x \leftarrow {\mathbb{G}}} \right] \Big| \end{aligned} $$

Definition 4

We say that \( {\mathcal{G}} \) satisfies the subgroup decision assumption if \( SD{\text{-}}Adv_{{\mathcal{A}}} (\tau ) \) is a negligible function in \( \tau \) for any polynomial time algorithm \( {\mathcal{A}} \).

Theorem 1

Our scheme is semantically secure assuming \( {\mathcal{G}} \) satisfies the subgroup decision assumption.

4.2 Proof

Suppose that a polynomial time algorithm \( {\mathcal{B}} \) breaks the semantic security of the system with advantage \( \varepsilon (\tau ) \). Then there exists an algorithm \( {\mathcal{A}} \) that breaks the subgroup decision assumption with the same advantage. The detailed proof proceeds as follows:

1. Algorithm \( {\mathcal{A}} \) chooses a generator \( g \in {\mathbb{G}} \) randomly and sends the public key \( \left( {n,{\mathbb{G}},{\mathbb{G}}_{1} ,e,g,x} \right) \) to algorithm \( {\mathcal{B}} \).

2. Algorithm \( {\mathcal{B}} \) outputs two messages \( m_{0} ,m_{1} \in \left\{ {0,1, \cdots ,T} \right\} \) to algorithm \( {\mathcal{A}} \), and algorithm \( {\mathcal{A}} \) responds with the ciphertext \( C = g^{{m_{b} }} x^{r} \in {\mathbb{G}} \) for a random \( b\xleftarrow{R}\left\{ {0,1} \right\} \) and random \( r\xleftarrow{R}\left\{ {0,1, \cdots ,n - 1} \right\} \) to algorithm \( {\mathcal{B}} \).

3. Algorithm \( {\mathcal{B}} \) outputs \( b^{{\prime }} \in \left\{ {0,1} \right\} \) as its guess for b. If \( b = b^{{\prime }} \), algorithm \( {\mathcal{A}} \) outputs 1 (i.e., x is uniformly distributed in a subgroup of \( {\mathbb{G}} \)); otherwise \( {\mathcal{A}} \) outputs 0 (i.e., x is uniformly distributed in \( {\mathbb{G}} \)).

It is apparent that when x is uniformly distributed in \( {\mathbb{G}} \), the challenge ciphertext C is uniform in \( {\mathbb{G}} \) and independent of b. Thus, in this case \( \Pr \left[ {b = b^{{\prime }} } \right] = 1/2 \). On the other hand, when x is uniformly distributed in the \( q_{1} \)-subgroup of \( {\mathbb{G}} \), the public key and challenge C given to \( {\mathcal{B}} \) are as in a real semantic security game. In this case, \( \Pr \left[ {b = b^{{\prime }} } \right] > 1/2 + \varepsilon (\tau ) \) by the definition of \( {\mathcal{B}} \). It now follows that \( {\mathcal{A}} \) satisfies \( SD{\text{-}}Adv_{{\mathcal{A}}} (\tau ) > \varepsilon (\tau ) \), and hence \( {\mathcal{A}} \) breaks the subgroup decision assumption with advantage \( \varepsilon (\tau ) \), as required.

Therefore, we have proved the semantic security of the scheme under the subgroup decision assumption. Moreover, it is clear that leakage of the attributes does not affect the security of the system: even if an attacker obtained the attributes and the random parameter z, i.e., could compute the value of \( e^{{\prime }} (g,g)^{s\alpha } \), he would still fail to compute \( c^{{q_{1} }} = \left( {k^{{mH\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)}} h^{R} } \right)^{{q_{1} }} = \left( {k^{{H\left( {e^{{\prime }} \left( {g,g} \right)^{\alpha s} } \right)q_{1} }} } \right)^{m} \) and recover m without \( q_{1} \). On the other hand, if the attacker obtained nothing but \( q_{1} \) while his attributes did not satisfy the access policy, i.e., he could not compute \( e^{{\prime }} (g,g)^{s\alpha } \), he could not decrypt the ciphertexts either. To sum up, only legitimate users can recover m in our scheme.

5 Performance Analysis

Green et al. [13] presented the idea of outsourcing the decryption of attribute-based encryption ciphertexts, and Boneh et al. [17] proposed a classic somewhat homomorphic encryption scheme. In this section, we compare our scheme with [13, 17] in the following aspects: whether homomorphic operations are supported, the effect of attribute leakage on security, the ciphertext size and the decryption operations. The results are shown in Tables 1 and 2.

Table 1. Comparison with Green scheme
Table 2. Comparison with BGN scheme

From Table 1, it is clear that, compared with [13], our scheme supports homomorphic operations on ciphertexts outsourced to the cloud. Moreover, the security is not directly determined by the attributes, which means that malicious users cannot carry out collusion attacks; the security of our system is based on the subgroup decision assumption.

In Table 2, \( O_{P} \) stands for the time to compute the hash function \( H \). Compared with the BGN scheme, although the decryption overhead increases, the ciphertext length is the same. On the other hand, the BGN scheme provides no fine-grained access control, whereas ours restricts who can obtain the results of homomorphic encryption by employing ABE.

6 Summary

In this article, we bring the idea of outsourcing the decryption of ABE ciphertexts into the BGN scheme, and propose a BGN-type scheme for outsourcing the decryption of CP-ABE ciphertexts, which is suitable for the cloud environment. By using attribute-based encryption, we solve the problem of access control on cloud computing results, and the users’ decryption overhead is reduced remarkably, because outsourcing improves the users’ decryption efficiency. Future work is to explore the combination of outsourcing the decryption of ABE ciphertexts with fully homomorphic encryption, and to construct a more efficient and practical outsourcing scheme for fully homomorphic encryption in the cloud.