1 Introduction

In 2005, Sahai and Waters (2005) first introduced the concept of attribute-based encryption (ABE). It is an extension of identity-based encryption in which the “identity” of users are dependent upon their attributes (e.g., Shandong Normal University, male, teacher). In such a system, the decryption is correct only if the set of attributes of the user key matches the access policy of the ciphertext. Then, Goyal et al. (2006) give the formal definition of ABE system, and divide this concept into two types: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, ciphertexts are associated with access policies and keys are associated with sets of attributes, while in KP-ABE, keys are associated with access policies and ciphertexts are associated with sets of attributes.

In 2007, the first CP-ABE scheme was proposed in the random oracle model by Bethencourt et al. (2007). Then Cheung and Newport (2007) proposed an “AND-gate” CP-ABE scheme without random oracle (the access policies only support “AND-gate”). In 2008, Waters (2008) proposed the first expressive CP-ABE using linear secret-sharing schemes (LSSS) as access policies and proved security in the selective model. Until 2010, Lewko proposed the first fully secure ABE schemes in Lewko et al. (2010), using the dual-system encryption method. In the current ABE systems, access policies are typically expressed by LSSS, which makes keys and ciphertexts have rich structure.

1.1 Motivation and contribution

The main challenge in employing ABE systems in the real network environment is that the complex functionality of ABE may cause an enormous computational cost. This large expense may impact several networking applications, especially for mobile networks.

In this paper, we aim to minimize the local computation for CP-ABE and introduce a new method to construct the outsourced CP-ABE. Our outsourced CP-ABE includes four types of service providers for outsourcing tasks, i.e., outsourcing key generation server provider (OKGSP), outsourcing encryption server provider (OESP), outsourcing decryption server provider (ODSP) and outsourcing verification server provider (OVSP). To improve the computational efficiency, KGC can outsource part of the calculation tasks of key generation to OKGSP, encryptor can outsource part of the calculation tasks of encryption to OESP and decryptor can outsource part of the calculation tasks of decryption to ODSP. In addition, all entities can verify the correctness of the outsourcing calculation by calling the outsourcing verification server provider. It is useful for mobile devices to save local resources. Then, we proposed a specific outsourced CP-ABE scheme and proved its security in the standard model. In our new outsourced CP-ABE scheme, the local computation of each stage is constant, and users can verify the correctness of the outsourcing results efficiently. Finally, we introduced how to deploy our outsourced CP-ABE scheme in cloud computing environment and introduced a specific application in secure cloud storage system.

1.2 Related work

To reduce the local computation cost, the natural idea is to deliver most of computational tasks outside. In actual fact, theoretical computer science community has paid attention to the problem that how to outsource different kinds of expensive computations securely (Atallah et al. 2001; Atallah and Li 2005; Benjamin and Atallah 2008; Chen et al. 2012). Recently, Chen et al. presented efficient algorithms for secure outsourcing of modular exponentiations (Chen et al. 2014), linear equations (Chen et al. 2015a) and bilinear pairings (Chen et al. 2015b). However, we note that though kinds of expensive computations can be securely outsourced, they are difficult to be used directly to construct the provably secure outsourced CP-ABE.

To reduce the local load of ABE, Green et al. (2011) provided a novel method for outsourcing the decryption of ABE, while Li et al. (2012) presented a novel ABE scheme, which could outsource both encrypting computation and decrypting computation to MapReduce cloud securely. Then, Lai et al. (2013) proposed a verifiable outsourced ABE scheme, which allows to verify the correctness of decryption. Their scheme appends additional information with the ciphertexts and uses this information for verification. In 2014, Li et al. (2014) presented a new outsourced ABE scheme, which allows to outsource key generating computation and enables checkability on returned results from cloud. Recently, Wang et al. (2015) proposed an adaptively secure outsourced CP-ABE scheme in the standard model; however, they only considered the outsourcing needs of the decryption and did not verify the outsourcing results.

Furthermore, because of the flexibility of ABE, it is more and more widely used in various network environments, such as cloud computing (Zhangjie et al. 2015b; Ren et al. 2015; Zhangjie et al. 2015a), social networking (Shen et al. 2015a), web of things (Shen et al. 2015b; He et al. 2015, 2016b), access control system (He et al. 2016a), authentication system (Huang et al. 2014, 2015), and so on.

1.3 Organization

We introduce the preliminaries in Sect. 2 and provide the relevant definitions for outsourced ABE in Sect. 3. In Sect. 4 and Sect. 5, we construct a specific outsourced CP-ABE scheme and give the security proof, respectively. Then, we introduce how to deploy our outsourced CP-ABE scheme in cloud computing environment in Sect. 6. Finally, we give the conclusion in Sect. 7.

2 Preliminaries

2.1 Composite order bilinear group

The concept of composite order bilinear group was first introduced by Boneh et al. (2005).

\(\mathcal {G}(\lambda )\rightarrow (N,{G},{G}_T,e)\): \(\mathcal {G}\) is a group generation algorithm. It takes a security parameter \(\lambda \) as input and outputs a description of bilinear cyclic group with order N, where \(N = \prod _1^np_i\) is a product of n distinct primes, and \(e:{{{G}}^{2}}\rightarrow {{{G}}_{T}}\) is map such that:

  • (Bilinear) \(\forall g,h\in {G}\), \(a,b\in {{Z}_{N}}\), \(e({{g}^{a}},{{h}^{b}})=e{{(g,h)}^{ab}}\).

  • (Non-degenerate) \(\exists g\in {G}\) such that e(gg) has order N in \({{{G}}_{T}}\).

  • (Computable) The group operations in G and \({{{G}}_{T}}\) and the map e are computable in polynomial time with respect to \(\lambda \).

  • (Orthogonal) If \(f_i\in {{G}_{{{p}_{i}}}}\) and \(f_j\in {{G}_{{{p}_{j}}}}\) for \(i\ne j\), then \(e(f_i, f_j)\) is the identity element in \({{G}_{T}}\).

In this paper, we set \(n=3\), i.e., \(N=p_1p_2p_3\). For any non-empty set \(Z\subseteq \{1, 2, 3\}\), there is a corresponding subgroup of G of order \(\prod _{i\in Z}p_i\). Let \(G_Z\) denote this subgroup.

2.2 Complexity assumption

Assumption 1

Lewko and Waters (2012) Let \(Z_0\), \(Z_1\), \(Z_2\),..., \(Z_k\) denote a collection of non-empty subsets of \(\{1, 2, 3\}\) where each \(Z_i\) for \(i\ge 2\) satisfies either \(Z_0\bigcap Z_i\ne \varnothing \ne Z_1\bigcap Z_i\) or \(Z_0\bigcap Z_i=\varnothing =Z_1\bigcap Z_i\). We define the following distribution:

$$\begin{aligned}&{} \mathbf G :=(N={{p}_{1}}{{p}_{2}}{{p}_{3}},G,{{G}_{T}},e)\overset{R}{\leftarrow }\mathcal {G},\\&{{g}_{Z_2}}\overset{R}{\leftarrow }{{G}_{{Z_2}}},\ldots , {{g}_{Z_k}}\overset{R}{\leftarrow }{{G}_{{Z_k}}},\\&D:=(\mathbf G ,{{g}_{Z_2}},\ldots ,{{g}_{Z_k}}),\\&T_0\overset{R}{\leftarrow }{{G}_{Z_0}}, T_1\overset{R}{\leftarrow }{{G}_{Z_1}} \end{aligned}$$

Fixing the collection of sets \(Z_0\),..., \(Z_k\), the advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined to be:

$$\begin{aligned} {\hbox {Adv}}^{1}_{\mathcal {G}\mathsf {,}\mathcal {A}}(\lambda ):=|Pr [\mathcal {A}(D,{{T}_{0}})=1]-Pr [\mathcal {A}(D,{{T}_{1}})=1]|. \end{aligned}$$

If \({\hbox {Adv}}^{1}_{\mathcal {G}\mathsf {,}\mathcal {A}}(\lambda )\) is a negligible function, we say that \(\mathcal {G}\) satisfies Assumption 1.

Assumption 2

Lewko and Waters (2010), Lewko et al. (2010), Lewko and Waters (2012) We define the following distribution:

$$\begin{aligned}&{} \mathbf G :=(N={{p}_{1}}{{p}_{2}}{{p}_{3}},G,{{G}_{T}},e)\overset{R}{\leftarrow }\mathcal {G},\\&{{g}_{1}}\overset{R}{\leftarrow }{{G}_{{{p}_{1}}}}, {{g}_{2},{X}_{2},{Y}_{2}}\overset{R}{\leftarrow }{{G}_{{{p}_{2}}}}, {{g}_{3}}\overset{R}{\leftarrow }{{G}_{{{p}_{3}}}},\\&\alpha , s\overset{R}{\leftarrow } \mathbb {Z}_N\\&D:=(\mathbf G ,{{g}_{1}},{{g}_{2}},{{g}_{3}},g_1^{\alpha }X_2, g_1^sY_2),\\&T_0=e(g_1,g_1)^{\alpha s}, T_1\overset{R}{\leftarrow }{{G}_{T}} \end{aligned}$$

The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined to be:

$$\begin{aligned} {\hbox {Adv}}^{2}_{\mathcal {G}\mathsf {,}\mathcal {A}}(\lambda ):=|Pr [\mathcal {A}(D,{{T}_{0}})=1]-Pr [\mathcal {A}(D,{{T}_{1}})=1]|. \end{aligned}$$

If \({\hbox {Adv}}^{2}_{\mathcal {G}\mathsf {,}\mathcal {A}}(\lambda )\) is a negligible function, we say that \(\mathcal {G}\) satisfies Assumption 2.

3 Definition of outsourced ABE

3.1 Algorithms

In an outsourced ABE system, there are seven types of entities, namely key generation center (KGC), encryptor, decryptor, outsourcing key generation server provider (OKGSP), outsourcing encryption service provider (OESP), outsourcing decryption service provider (ODSP), outsourcing decryption service provider (ODSP), and outsourcing verification service provider (OVSP). They interact as in Fig. 1 and run the following seven algorithms:

Fig. 1
figure 1

Outsourced ABE System

Full size image

  • Setup \((\lambda , \mathcal {U})\rightarrow \) PP, MSK The setup algorithm takes security parameter \(\lambda \) and attribute universe \(\mathcal {U}\) as input and outputs public parameters PP and master secret key MSK. PP may be widely distributed, while MSK is known only to key generation center (KGC).

  • Outsourcing-KeyGen-PreProc(PP, MSK) \(\rightarrow \) MSK \(_O\), MSK \(_L\) The outsourcing key generation preprocessing algorithm is run by key generation center (KGC); it takes the public parameters PP and the master secret key MSK as input. It outputs an outsourcing master secret key MSK \(_O\) and a local master secret key MSK \(_L\). Then, it delegates the MSK \(_O\) to its outsourcing key generation server provider (OKGSP) and keeps MSK \(_L\) locally.

  • Outsourcing-KeyGen(PP, MSK \(_O\), \(I_{key})\rightarrow \) IK \(_{I_{key}}\) The outsourcing key generation algorithm is run by outsourcing key generation service provider (OKGSP); it takes the PP, MSK \(_O\), and an attribute set (resp. access structure) \(I_{key}\) as input. It outputs an intermediate key IK \(_{I_{key}}\) and sends IK \(_{I_{key}}\) to KGC.

  • KeyGen(PP, MSK \(_L\), IK \(_{I_{key}})\rightarrow \) SK \(_{I_{key}}\) The key generation algorithm is run by key generation center (KGC); it takes the public parameters PP, the local master secret key MSK \(_L\), the intermediate key IK \(_{I_{key}}\) as input, and outputs a user secret key SK \(_{I_{key}}\) for attribute set (resp. access structure) \(I_{key}\).

  • Outsourcing-Encryption-PreProc(PP) \(\rightarrow \) EP \(_O\), EP \(_L\) The outsourcing encryption preprocessing algorithm is run by encryptor; it takes as input the public parameters PP and outputs an outsourcing encryption parameters EP \(_O\) and a local encryption parameters EP \(_L\). The encryptor keeps EP \(_L\) locally and delegates the EP \(_O\) to its outsourcing encryption service provider (OESP).

  • Outsourcing-Encryption(PP, EP \(_O, I_{enc})\rightarrow \) IC \(_{I_{enc}}\) The outsourcing encryption algorithm is run by OESP; it takes as input the public parameters PP, the outsourcing encryption parameters EP \(_O\), and an access structure (resp. attribute set) \(I_{enc}\). It outputs an intermediate ciphertext IC \(_{I_{enc}}\).

  • Encryption(PP, EP \(_L\), IC \(_{I_{enc}}, m)\rightarrow \) CT \(_{I_{enc}}\) The encryption algorithm is run by encryptor; it takes as input the public parameters PP, the local encryption parameters EP \(_L\), the intermediate ciphertext IC \(_{I_{enc}}\) and a message m. It outputs the ciphertext CT \(_{I_{enc}}\).

  • Outsourcing-Decryption-PreProc(SK) \(\rightarrow \) (SK \(_O\), SK \(_L\)) The outsourcing decryption preprocessing algorithm is run by decryptor; it takes its secret key SK as input and outputs an outsourcing secret key SK \(_O\) and a local secret key SK \(_L\). The decryption user keeps SK \(_L\) locally and delegates the SK \(_O\) to its outsourcing decryption service provider (ODSP).

  • Outsourcing-Decryption(SK \(_O\), CT)\(\rightarrow CT'\) The outsourcing decryption algorithm is run by ODSP; it takes as input an outsourcing secret key SK \(_O\) for attribute set (resp. access structure) \(I_{key}\) and a ciphertext CT that was encrypted under access structure (resp. attribute set) \(I_{enc}\). It outputs the partially decrypted ciphertext \(CT'\) if \(f(I_{enc},I_{key})=1\) and the error symbol \(\bot \) otherwise.

  • Decryption(\(CT'\), SK \(_L\))\(\rightarrow \) m The decryption algorithm is run by decryptor; it takes SK \(_L\) for \(I_{key}\) and \(CT'\) for \(I_{enc}\) as input. It outputs the original message m if \(f(I_{enc},I_{key})=1\) and the error symbol \(\bot \) otherwise.

  • Outsourcing-Verification The outsourcing verification algorithm is run by outsourcing verification service provider (OVSP) and provides verification services to confirm whether the outsourcing is correct. It contains two sub-algorithms:

    • Outsourcing-KeyGen-Verification(PP, MSK \(_O\), IK \(_{I_{key}}\)) \(\rightarrow \) \(b\in \{0,1\}\) It takes the public parameters PP, an outsourcing master secret key MSK \(_O\) and a intermediate key IK \(_{I_{key}}\) as input. It outputs 1 if IK \(_{I_{key}}\) is correctly calculated by OKGSP using MSK \(_O\) and 0 otherwise.

    • Outsourcing-Encryption-Verification(PP, EP \(_O\), IC \(_{I_{enc}}\)) \(\rightarrow \) \(b\in \{0,1\}\) It takes the public parameters PP, an outsourcing encryption parameters EP \(_O\) and a intermediate ciphertext IC \(_{I_{enc}}\) as input. It outputs 1 if IC \(_{I_{enc}}\) is correctly calculated by OESP using EP \(_O\) and 0 otherwise.

    Note, in decryption phase, the outsourcing verification service is not used, because the decryptor can verify the correctness of the outsourcing calculation by the plaintext m easily.

3.2 Security model

The security experiment OABE-Exp\(_{\mathcal {A},\Pi }(\lambda , \mathcal {U})\) for outsourced ABE scheme \(\Pi \), adversary \(\mathcal {A}\), parameter \(\lambda \) and attribute universe \(\mathcal {U}\) is defined as follow:

Initial The challenger runs the setup algorithm to obtain PP and MSK. Then, it runs the Outsourcing-KeyGen-PreProc algorithm on (PP, MSK) to obtain MSK \(_O\) and MSK \(_L\). It gives PP and MSK \(_O\) to the adversary.

Note: In real-world situations, we allow the adversary to corrupt OKGSP, so that the adversary can obtain the MSK \(_O\) in this experiment.

Phase 1 The challenger sets two integer counters \(\zeta , \xi = 0\), two empty tables \(\mathcal {T}_1\), \(\mathcal {T}_2\), and an empty set \(\mathcal {D}\). The adversary can make the following queries repeatedly:

  • Create(\(I_{key}\)) The challenger sets \(\zeta := \zeta + 1\). It runs Outsourcing-KeyGen algorithm on \(I_{key}\) to obtain IK \(_{I_{key}}\), runs KeyGen algorithm on IK \(_{I_{key}}\) to obtain SK \(_{I_{key}}\) and runs Outsourcing-Decryption-PreProc algorithm on SK \(_{I_{key}}\) to obtain SK \(_{I_{key},O}\) and SK \(_{I_{key},L}\). Then, it stores in table \(\mathcal {T}_1\) the entry (\(\zeta \), \(I_{key}\), IK \(_{I_{key}}\), SK \(_{I_{key}}\), SK \(_{I_{key},O}\), SK \(_{I_{key},L}\)), and gives (\(\zeta \), \(I_{key}\), IK \(_{I_{key}}\), SK \(_{I_{key},O}\)) to adversary. Note: In real-world situations, we allow the adversary to corrupt OKGSP and ODSP, so that the adversary can obtain the IK \(_{I_{key}}\) and SK \(_{I_{key},O}\) in this experiment.

  • Corrupt(i) If the ith entry exists in table \(\mathcal {T}_1\), the challenger gets the entry (i, \(I_{key}\), IK \(_{I_{key}}\), SK \(_{I_{key}}\), SK \(_{I_{key},O}\), SK \(_{I_{key},L}\)), sets \(\mathcal {D} := \mathcal {D} \cup \{I_{key}\}\) and returns the key set (i, SK \(_{I_{key}}\), SK \(_{I_{key},L}\)) to the adversary, else it returns \(\bot \).

  • Outsourcing-Encryption(\(I_{enc}\)) The challenger sets \(\xi := \xi + 1\). It runs Outsourcing-Encryption-PreProc algorithm to obtain EP \(_O\) and EP \(_L\) and runs Outsourcing-Encryption algorithm on (EP \(_O\), \(I_{enc}\)) to obtain IC \(_{I_{enc}}\). Then, it stores in table \(\mathcal {T}_2\) the entry (\(\xi \), \(I_{enc}\), EP \(_O\), EP \(_L\), IC \(_{I_{enc}}\)) and gives (\(\xi \), \(I_{enc}\), EP \(_O\), \(IC_{I_{enc}}\)) to adversary. Note: In real-world situations, we allow the adversary to corrupt OESP, so that the adversary can obtain the EP \(_O\) and IC in this experiment.

Challenge The adversary provides two messages \(m^*_0\) and \(m^*_1\) with equal length, an index j of \(\mathcal {T}_2\). If there exists a \(j^{th}\) entry (j, \(I^*_{enc}\), EP \(_O\), EP \(_L\), \(IC_{I^*_{enc}}\)) in table \(\mathcal {T}_2\), and for all \(I_{key} \in \mathcal {D}\), \(f(I_{enc}^*, I_{key})\ne 1\), the challenger chooses a random bit b and encrypts the message \(m^*_b\) under (\(I_{enc}^*\), EP \(_L\), IC \(_{I^*_{enc}}\)). The ciphertext CT \(^*\) is returned to the adversary. Otherwise, it returns \(\bot \).

Phase 2 Just like Phase 1, except that the adversary cannot obtain the suitable keys for the challenge ciphertext. That is, the adversary cannot issue any Corrupt queries that would added \(I_{key}\) which satisfies \(f(I_{enc}^*, I_{key})= 1\) to \(\mathcal {D}\).

Guess The adversary outputs a guess \(b'\) of b. The output of the experiment is 1 if and only if \(b = b'\).

Definition 1

An outsourced ABE scheme is secure if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), there exists a negligible function negl such that:

$$\begin{aligned} \text {Pr}[\text {OABE-Exp}_{\mathcal {A},\Pi }(\lambda , \mathcal {U})=1]\le \frac{1}{2}+negl(\lambda ). \end{aligned}$$

4 Outsourced CP-ABE scheme

4.1 Construction

In this section, we proposed a specific outsourced CP-ABE scheme. In our construction, we will use linear secret-sharing schemes (LSSS) to express the access structure. This technology is proposed by Beimel (1996) and widely used in ABE scheme, such as Waters (2011), Lewko and Waters (2012) etc. The proposed scheme consists of the following 12 algorithms:

Setup \((\lambda , \mathcal {U})\rightarrow \) PP, MSK The setup algorithm chooses a bilinear group G of order \(N=p_1p_2p_3\) (3 distinct primes). We let \(G_{p_i}\) denote the subgroup of order \(p_i\) in G. It then chooses random exponents \(\alpha , a, \kappa \in \mathbb {Z}_N\), a random group element \(g_1\in G_{p_1}\) and a random group element \(g_3\in G_{p_1}\). For each attribute \(i\in \mathcal {U}\), it chooses a random value \(h_i\in \mathbb {Z}_N\). In addition, we assume that the maximum number of rows of the matrix in any LSSS access structure is bounded by L. The public parameters PP contain \(\{N, g=g_1, g^a, g^\kappa , e(g, g)^\alpha , \{H_i=g^{h_i}\}_{i\in \mathcal {U}}, g_3, L\}\). The master secret key MSK additionally contains \(\alpha \).

Outsourcing-KeyGen-PreProc(PPMSK) \(\rightarrow \) MSK \(_O\), MSK \(_L\) The outsourcing key generation preprocessing algorithm is run by KGC. It chooses \(\alpha _0\in \mathbb {Z}_N\) randomly, and outputs

$$\begin{aligned} {MSK}_O=g^{\alpha _0}, {MSK}_L=g^{\alpha -\alpha _0}. \end{aligned}$$

Outsourcing-KeyGen(PP, MSK \(_O, S\subseteq \mathcal {U})\rightarrow \) IK \(_S\) Here S is an attribute set. The outsourcing key generation algorithm is run by OKGSP. It chooses random exponents \(t\in \mathbb {Z}_N\), random elements R, \(R'\), \(R''\), \(\{R_i\}_{i\in S}\) \(\in G_{p_3}\), and calculates

$$\begin{aligned}&K_O=g^{\alpha _0}g^{at}R, K_O'=g^tR',\\&\{K'_{O,i}=H_i^tR_i\}_{i\in S}. \end{aligned}$$

Then, it outputs \(IK_S=(S, K_O, K_O', \{K_{O,i}\}_{i\in S})\).

Outsourcing-KeyGen-Verification(PP, MSK \(_O\), IK \(_{S})\rightarrow b\in \{0,1\}\) The outsourcing key generation verification algorithm is run by OVSP, when OVSP received a verification request from the KGC. It verifies the following equation:

$$\begin{aligned}&e(K_O,g)\mathop {=}\limits ^{?}e({MSK}_O,g)e(K_O',g^a);\\&e(K_O',H_i)\mathop {=}\limits ^{?}e(K'_{O,i},g) \ \ \ \ \forall i\in S. \end{aligned}$$

It outputs \(b=1\) if all of the above equations are satisfied, and \(b=0\) otherwise.

KeyGen(PP, MSK \(_L\), IK \(_S)\rightarrow \) SK \(_S\) The key generation algorithm is run by KGC. It chooses \(u\in \mathbb {Z}_N\) and \(\tilde{R}\), \(\tilde{R}'\), \(\tilde{R}''\), \(\{\tilde{R}_i\}_{i\in S}\) \(\in G_{p_3}\) randomly, and calculates

$$\begin{aligned}&K=g^{\alpha -\alpha _0}K_Og^{\kappa \cdot u}\tilde{R}, K'=K_O'\tilde{R}', K''=g^u\tilde{R}'',\\&\{K_{i}=K_{O,i}\tilde{R}_i\}_{i\in S}. \end{aligned}$$

Then, it outputs SK \(_S=(S, K, K', K'', \{K_{i}\}_{i\in S})\).

Outsourcing-Encryption-PreProc(PP)\(\rightarrow \) EP \(_O\), EP \(_L\) The outsourcing encryption preprocessing algorithm is run by encryptor. For \(\forall j\in [1,L]\), it chooses random exponent \(\lambda _j'\in \mathbb {Z}_N\), and calculates ep \(_j=(g^a)^{\lambda _j'}\).

Then, it outputs EP \(_O=\{ep_j\}_{j\in [1,L]}\), EP \(_L=\{\lambda _j'\}_{j\in [1,L]}\).

Table 1 Comparison of local computation
Full size table

Outsourcing-Encryption(PP, EP \(_O, \mathbb {A}=(\mathbf {M},\rho ))\rightarrow \) IC Here \((\mathbf {M},\rho )\) is an access structure, where \(\mathbf {M}\) is an \(l\times n\) matrix, and \(\rho \) is a function, associates rows of \(\mathbf {M}\) to attributes. The outsourcing encryption algorithm is run by OESP. For \(\forall j\in [1,l]\), it chooses random exponent \(r_j\in \mathbb {Z}_N\), and calculates

$$\begin{aligned} {IC}_{j,1}=(g^a)^{\lambda _j'}H_{\rho (j)}^{-r_j}, {IC}_{j,2}=g^{r_j}. \end{aligned}$$

Then, it outputs IC \(=((\mathbf {M},\rho ), \{{IC}_{j,1}, {IC}_{j,2}\}_{j\in [1,l]})\).

Outsourcing-Encryption-Verification(PP, EP \(_O\), IC) \(\rightarrow \) \(b'\in \{0,1\}\) The outsourcing encryption verification algorithm is run by OVSP, when OVSP received a verification request from the encryptor. It verifies the following equation:

$$\begin{aligned} e(IC_{j,1},g)e(IC_{j,2}, H_{\rho (j)})\mathop {=}\limits ^{?}e({ep}_j,g) \ \ \ \ \forall j\in [1,l]. \end{aligned}$$

It outputs \(b'=1\) if all of the above equations are satisfied, and \(b'=0\) otherwise.

Encryption(PP, m, EP \(_L\), IC)\(\rightarrow \) CT The encryption algorithm chooses random exponents \(x, s, v_2,\ldots , v_n\in \mathbb {Z}_N\), and sets \(\mathbf v\mathbf =(s, v_2,\ldots , v_n)\), then calculates

$$\begin{aligned}&(\lambda _1,\ldots , \lambda _l)=\mathbf {M}\cdot \mathbf v\mathbf ,\\&C_0=m\cdot e(g,g)^{\alpha \cdot s}, C_1=g^s, C_2=(g^{\kappa })^s,\\&\{C_{j,1}=(g^a)^xIC_{j,1},C_{j,2}=IC_{j,2}, \\&\quad C_{j,3}=\lambda _j-\lambda '_j-x\}_{j\in [1,l]}. \end{aligned}$$

It outputs

$$\begin{aligned} {CT}=((\mathbf {M},\rho ), C_0, C_1, C_2, \{C_{j,1}, C_{j,2}, C_{j,3}\}_{j\in [1,l]}). \end{aligned}$$

Outsourcing-Decryption-PreProc(SK) \(\rightarrow \) (SK \(_O\), SK \(_L\)) The outsourcing decryption preprocessing algorithm chooses random exponent \(\alpha _U\in \mathbb {Z}_N\) and calculates \(\bar{K}=K\cdot g^{\alpha _U}\). Then, it outputs

$$\begin{aligned} {SK}_L=g^{\alpha _U}, SK_O=(S, \bar{K}, K', K'', \{K_{i}\}_{i\in S}). \end{aligned}$$

Outsourcing-Decryption(SK \(_O\), CT)\(\rightarrow CT'\) If S does not satisfy the access structure \((\mathbf {M},\rho )\), then the algorithm issues an error message. Otherwise, it computes constants \(\omega _j\in \mathbb {Z}_N\) such that \(\Sigma _{\rho (j)\in S}\omega _j \cdot \mathbf {M}_j=(1,0,\ldots ,0)\), where \(\mathbf {M}_j\) is the jth row of \(\mathbf {M}\). Then it calculates and outputs

$$\begin{aligned} {\begin{matrix} {CT}'&{}={\frac{e(C_1, \bar{K})e(C_2, K'')^{-1}}{\prod _{\rho (j)\in S}(e(C_{j,1},K')e(g^{a\cdot C_{j,3}},K')e(C_{j,2},K_{\rho (j)}))^{\omega _j}}}\\ &{}=e(g,g)^{(\alpha +\alpha _U)\cdot s} \end{matrix}} \end{aligned}$$

Decryption(\(CT'\), SK \(_L\))\(\rightarrow \) m The decryption algorithm calculates and outputs

$$\begin{aligned} m=\frac{C_0\cdot e(C_1, {SK}_L)}{CT'}. \end{aligned}$$

4.2 Comparison

In Table 1, we give the comparison of local computation, where E expresses exponentiation and P expresses pairing. The local computation of our scheme is constant at every stage.

5 Security

In this section, we use the dual-system encryption technique (Waters 2009; Lewko et al. 2010; Lewko and Waters 2012) to prove the adaptive security of our scheme.

At the beginning, we will introduce the definitions of semi-functional keys and semi-functional ciphertexts:

Semi-functional keys Based on the normal key (K, \(K'\), \(K''\), \(\{K_i\}_{i\in S}\)), we choose random elements \(W,W''\in G_{p_2}\), the semi-functional key is defined as:

$$\begin{aligned} SK^{semi}=(S,KW,K',K''W'',\{K_i\}_{i\in S}). \end{aligned}$$

The outsourcing secret key SK \(_O^{semi}\) is semi-functional, if it is created using a semi-functional key SK \(^{semi}\).

Semi-functional ciphertexts Based on the normal ciphertext \(((\mathbf {M},\rho ),C_0, C, C',\{C_{j,1},C_{j,2},C_{j,3}\}_{j\in [1,l]})\), we randomly choose \(a', \kappa ', s'\in \mathbb {Z}_N\), \(\mathbf {w}\in \mathbb {Z}^n_N\), \(\eta '_{\rho (j)},\gamma '_j\in \mathbb {Z}_N\) for each \(j\in [l]\), where \(s'\) is the first entry of vector \(\mathbf {w}\). The semi-functional ciphertext CT \(^{semi}\) is defined as:

$$\begin{aligned} ((\mathbf {M},\rho ),C_0, Cg_2^{s'}, C'g_2^{s'\kappa '}, \{C_{j,1}g_2^{a'\mathbf {M}_j\cdot \mathbf {w}},C_{j,2},C_{j,3}\}_{j\in [1,l]}). \end{aligned}$$

Then, we will employ the hybrid argument method. The security game Game \(_{real}\) is defined in Sect. 3.2. We suppose that the attacker would make Q create key queries. For \(k\in [0,Q]\), the kth game Game \(_k\) is defined as follow.

Game \(_k\) In this game, the intermediate ciphertext and ciphertext are semi-functional, as are the first k keys in \(\mathcal {T}_1\), and the other keys are normal.

In this hybrid argument, Game \(_{real}\) will be translated to Game \(_0\), then to Game \(_1\), next to Game \(_2\),..., finally to Game \(_Q\). Then, Game \(_Q\) will be translated to Game \(_{final}\), in which the ciphertext is a semi-functional encryption of a random message. That is to say, any attacker has no advantage in this game.

Lemma 1

Under Assumption 1, no PPT attacker has non-negligible advantage in distinguishing Game \(_{real}\) and Game \(_0\).

Proof

Suppose there is a PPT attacker \(\mathcal {A}\), who has non-negligible advantage in distinguishing Game \(_{real}\) and Game \(_0\). We can construct a PPT algorithm \(\mathcal {B}\) to break Assumption 1. We set \(Z_0 := \{1\}\), \(Z_1 := \{1,2\}\), \(Z_2 := \{1\}\), \(Z_3 := \{3\}\), and give \(g_1\), \(g_3\), T to \(\mathcal {B}\), where \(g_1\in G_{p_1}\), \(g_3\in G_{p_3}\), T is either a random element of \(G_{p_1}\) or a random element of \(G_{p_1p_2}\).

Initial We assume that the maximum number of rows of the matrix in any LSSS access structure is bounded by L. \(\mathcal {B}\) chooses \(\alpha , \alpha _0, a, \kappa , \{h_i\}_{i\in \mathcal {U}}\in \mathbb {Z}_N\) randomly, and sets PP = \((N,g=g_1,g^a=g_1^a,g^{\kappa }=g_1^{\kappa },e(g,g)^{\alpha }=e(g_1,g_1)^{\alpha },\{H_i=g_1^{h_i}\}_{i\in \mathcal {U}}, g_3, L)\), MSK \(_O=g^{\alpha _0}\). PP and MSK \(_O\) are given to \(\mathcal {A}\). Note, \(\mathcal {B}\) has the MSK \(=\alpha \) and MSK \(_L=g^{\alpha -\alpha _0}\).

Phase 1&2 \(\mathcal {B}\) sets two integer counters \(\zeta , \xi = 0\), two empty tables \(\mathcal {T}_1\), \(\mathcal {T}_2\), and an empty set \(\mathcal {D}\). \(\mathcal {A}\) can make the following queries to \(\mathcal {B}\) repeatedly:

  • Create (S) \(\mathcal {B}\) can response \(\mathcal {A}\)’s query on attribute set S by running Outsourcing-KeyGen, KeyGen and Outsourcing-Decryption-PreProc algorithms, because it has MSK, MSK \(_O\) and MSK \(_L\).

  • Corrupt (k) When \(\mathcal {A}\) make a corrupt query on index k, \(\mathcal {B}\) sets \(\mathcal {D}=\mathcal {D}\cup \{S_k\}\), and gives (SK \(_{S_k,L}\), SK \(_{S_k})\) to \(\mathcal {A}\), if exists a kth entry (k, \(S_k\), IK \(_{S_k}\), SK \(_{S_k}\), SK \(_{S_k,O}\), SK \(_{S_k,L}\)) in table \(\mathcal {T}_1\), and outputs \(\bot \) otherwise.

  • Outsourcing-Encryption (\(\mathbb {A}\)) \(\mathcal {B}\) can response this query by running Outsourcing-Encryption-PreProc and Outsourcing-Encryption algorithm.

Challenge \(\mathcal {A}\) submits two messages \(m^*_0\), \(m^*_1\) with equal length, and an index j of \(\mathcal {T}_2\). If there exists a \(j^{th}\) entry (j, \(\mathbb {A}^*=(\mathbf {M}^*,\rho ^*)\), \(EP_O=\{(g^a)^{\lambda _j'}\}_{j\in [1,L]}\), \(EP_L=\{\lambda _j'\}_{j\in [1,L]}\), \(\{(g^a)^{\lambda _j'}H_{\rho ^*(j)}^{-r_j}, g^{r_j}\}_{j\in [1,l]}\)) in table \(\mathcal {T}_2\), and for all \(S \in \mathcal {D}\), \(S\notin \mathbb {A}^*\), \(\mathcal {B}\) chooses \(b\in \{0,1\}\) randomly, and encrypts \(m_b\) as follows. It chooses vector \(\tilde{\mathbf {v}}\in \mathbb {Z}_N^n\) randomly, except the first entry is 1, and computes the ciphertext as:

$$\begin{aligned}&C_0=m_be(g_1,T)^{\alpha },\quad C=T,C'=T^{\kappa },\\&C_{j,1}=T^{a\mathbf {M}^*_j\cdot \tilde{\mathbf {v}}}(g^a)^{\lambda _j'}H_{\rho ^*(j)}^{-r_j},C_{j,2}=g^{r_j},C_{j,3}=-\lambda _j'\ \ \forall j. \end{aligned}$$

Note, \(\mathcal {B}\) implicitly sets \(g^s\) equal to the \(G_{p_1}\) part of T, and \(\mathbf {v} = s\tilde{\mathbf {v}}\). If \(T\in G_{p_1}\), the ciphertext is normal, and \(\mathcal {B}\) simulates \(Game_{real}\) with \(\mathcal {A}\) properly. If \(T\in G_{p_1p_2}\), the ciphertext is semi-functional, \(\mathcal {B}\) simulates \(Game_0\) with \(\mathcal {A}\) properly. Therefore, if \(\mathcal {A}\) has non-negligible advantage in distinguishing Game \(_{real}\) and Game \(_0\), \(\mathcal {B}\) can use this advantage to break Assumption 1. \(\Box \)

Lemma 2

Under Assumption 1, no PPT attacker has non-negligible advantage in distinguishing Game \(_{k-1}\) and Game \(_k\).

Proof

Suppose there is a PPT attacker \(\mathcal {A}\), who has non-negligible advantage in distinguishing \(Game_{k-1}\) and \(Game_k\) for some \(k\in [1,Q]\). We can construct a PPT algorithm \(\mathcal {B}\) to break Assumption 1. We set \(Z_0 := \{1,3\}\), \(Z_1 := \{1,2,3\}\), \(Z_2 := \{1\}g\), \(Z_3 := \{3\}\), \(Z_4 := \{1,2\}\), \(Z_5 := \{2,3\}\), and give \(g_1\), \(g_3\), \(X_1X_2\), \(Y_2Y_3\), T to \(\mathcal {B}\) as input, where \(g_1, X_1\in G_{p_1}\), \(X_2,Y_2\in G_{p_2}\), \(g_3,Y_3\in G_{p_3}\), and T is either a random element of \(G_{p_1p_2}\) or a random element of \(G_{p_1p_2p_3}\).

Initial We assume that the maximum number of rows of the matrix in any LSSS access structure is bounded by L. \(\mathcal {B}\) chooses \(\alpha , \alpha _0, a, \kappa , \{h_i\}_{i\in \mathcal {U}}\in \mathbb {Z}_N\) randomly, and sets PP = \((N,g=g_1,g^a=g_1^a,g^{\kappa }=g_1^{\kappa },e(g,g)^{\alpha }=e(g_1,g_1)^{\alpha },\{H_i=g_1^{h_i}\}_{i\in \mathcal {U}}, g_3, L)\), MSK \(_O=g^{\alpha _0}\). PP and MSK \(_O\) are given to \(\mathcal {A}\). Note, \(\mathcal {B}\) has the MSK \(=\alpha \) and MSK \(_L=g^{\alpha -\alpha _0}\).

Phase 1&2 \(\mathcal {B}\) sets two integer counters \(\zeta , \xi = 0\), two empty tables \(\mathcal {T}_1\), \(\mathcal {T}_2\), and an empty set \(\mathcal {D}\). \(\mathcal {A}\) can make the following queries to \(\mathcal {B}\) repeatedly:

  • Create (S) For the first \(k-1\) queries, \(\mathcal {B}\) uses the Outsourcing-KeyGen and KeyGen algorithms to generate a normal key SK \(_S=\{K, K', K'', \{K_i\}_{i\in S}\}\), and chooses \(\tau , \tau '\in \mathbb {Z}_N\) randomly. The semi-functional is formed as:

    $$\begin{aligned} {SK}_S^{semi}=(K(Y_2Y_3)^{\tau }, K', K''(Y_2Y_3)^{\tau '},\{K_i\}_{i\in S}) \end{aligned}$$

    Then, it uses the Outsourcing-Decryption-PreProc algorithm on \(SK_S^{semi}\) to obtain corresponding outsourcing secret key. Note, SK \(_S^{semi}\) is distributed properly, as \(Y_2^{\tau }\) and \(Y_2^{\tau '}\) are distributed as uniformly random elements of \(G_{p_2}\).

  • Corrupt (k) When \(\mathcal {A}\) make a corrupt query on index k, \(\mathcal {B}\) sets \(\mathcal {D}=\mathcal {D}\cup \{S_k\}\), and gives (SK \(_{S_k,L}\), SK \(_{S_k})\) to \(\mathcal {A}\), if exists a kth entry (k, \(S_k\), IK \(_{S_k}\), SK \(_{S_k}\), SK \(_{S_k,O}\), SK \(_{S_k,L}\)) in table \(\mathcal {T}_1\), and outputs \(\bot \) otherwise.

  • Outsourcing-Encryption (\(\mathbb {A}\)) \(\mathcal {B}\) can response this query by running Outsourcing-Encryption-PreProc and Outsourcing-Encryption algorithm.

Challenge \(\mathcal {A}\) submits two messages \(m^*_0\), \(m^*_1\) with equal length, an index j of \(\mathcal {T}_2\). If there exists a jth entry (j, \(\mathbb {A}^*=(\mathbf {M}^*,\rho ^*)\), EP \(_O=\{(g^a)^{\lambda _j'}\}_{j\in [1,L]}\), EP \(_L=\{\lambda _j'\}_{j\in [1,L]}\), \(\{(g^a)^{\lambda _j'}H_{\rho ^*(j)}^{-r_j}, g^{r_j}\}_{j\in [1,l]}\)) in table \(\mathcal {T}_2\), and for all \(S \in \mathcal {D}\), \(S\notin \mathbb {A}^*\), \(\mathcal {B}\) chooses \(b\in \{0,1\}\) randomly, and encrypts \(m_b\) as follows. It chooses a random vector \(\tilde{v}\in \mathbb {Z}_N^n\), in which the first entry is 1. This means that \(g^s=X_1\) and \(\mathbf {v}=s\tilde{\mathbf {v}}\). It computes the ciphertext as:

$$\begin{aligned}&C_0=M_be(g_1,X_1X_2)^{\alpha },\quad C=X_1X_2,\quad C'=(X_1X_2)^{\kappa },\\&C_{j,1}=(X_1X_2)^{a\mathbf {M}^*_j\cdot \tilde{\mathbf {v}}}(g^a)^{\lambda _j'}H_{\rho ^*(j)}^{-r_j},\\&C_{j,2}=g^{r_j}, C_{j,3}=-\lambda _j'\ \ j\in [1,l]. \end{aligned}$$

Note, this means that \(g_2^{s'}=X_2\), \(\kappa '=\kappa \) modulo \(p_2\), and \(a'=a\) modulo \(p_2\). The semi-functional ciphertexts are properly distributed.

For the kth create key query on S, \(\mathcal {B}\) chooses \(t\in \mathbb {Z}_N\), and \(R, R', R'', \{R_i\} \in G_{p_3}\) randomly. It sets:

$$\begin{aligned}&K=(g_1^{\alpha +at}T^\kappa )R,\\&K' =g^{t}R',K''={TR}'', \{K_i=H_i^{t}R_i\}_{i\in S}. \end{aligned}$$

If \(T\in G_{p_1p_3}\), K is a normal key. If \(T\in G_{p_1p_2p_3}\), K is a semi-functional key. Thus, when \(T\in G_{p_1p_3}\), \(\mathcal {B}\) simulates Game \(_{k-1}\), and when \(T\in G_{p_1p_2p_3}\), B simulates Game \(_k\). Therefore, if \(\mathcal {A}\) has non-negligible advantage in distinguishing Game \(_{k-1}\) and Game \(_k\), \(\mathcal {B}\) can use this advantage to break Assumption 1. \(\Box \)

Lemma 3

Under Assumption 2, no PPT attacker has non-negligible advantage in distinguishing Game \(_Q\) and Game \(_{final}\).

Proof

Suppose there is a PPT attacker \(\mathcal {A}\), who has non-negligible advantage in distinguishing \(Game_Q\) and \(Game_{final}\). We can construct a PPT algorithm \(\mathcal {B}\) to break Assumption 2. We give \(g_1\), \(g_2\), \(g_3\), \(g_1^{\alpha }X_2\), \(g_1^sY_2\), T to \(\mathcal {B}\) as input, where T is either \(e(g_1, g_1)^{\alpha s}\) or a random element of \(G_T\).

Initial We assume that the maximum number of rows of the matrix in any LSSS access structure is bounded by L. \(\mathcal {B}\) chooses \(\alpha , \alpha _0, a, \kappa , \{h_i\}\in \mathbb {Z}_N\) randomly, sets \(PP=(N, g=g_1, g^a=g_1^a, g^{\kappa }=g_1^{\kappa }\), \(e(g,g)^{\alpha }=e(g_1,g_1)^{\alpha }\), \(\{H_i=g_1^{h_i}\}_{i\in \mathcal {U}}, L)\), and sets \(MSK_O=g^{\alpha _0}\). It gives PP and \(MSK_O\) to \(\mathcal {A}\). Note, \(\mathcal {B}\) knows MSK \(=\alpha \) and MSK \(_L=g^{\alpha -\alpha _0}\).

Phase 1&2 \(\mathcal {B}\) sets two integer counters \(\zeta , \xi = 0\), two empty tables \(\mathcal {T}_1\), \(\mathcal {T}_2\), and an empty set \(\mathcal {D}\). \(\mathcal {A}\) can make the following queries to \(\mathcal {B}\) repeatedly:

  • Create (S) \(\mathcal {B}\) chooses \(t,u,\gamma ,\gamma '\in \mathbb {Z}_N\), and R, \(R'\), \(R''\), \(\{R_i\}_{i\in S}\) \(\in G_{p_3}\) randomly, and formed SK \(_S^{semi}\) as:

    $$\begin{aligned}&K=(g_1^{\alpha }X_2)g_1^{(at+\kappa u)}Rg_2^{\gamma },K'=g_1^tR', K''=g_1^uR''g_2^{\gamma '},\\&\{K_i=H_i^tR_i\}_{i\in S} \end{aligned}$$

    Then, it uses the Outsourcing-Decryption-PreProc algorithm on SK \(_S^{semi}\) to obtain corresponding outsourcing secret key.

  • Corrupt (k) When \(\mathcal {A}\) make a corrupt query on index k, \(\mathcal {B}\) sets \(\mathcal {D}=\mathcal {D}\cup \{S_k\}\), and gives (SK \(_{S_k,L}\), SK \(_{S_k})\) to \(\mathcal {A}\), if exists a kth entry (k, \(S_k\), IK \(_{S_k}\), SK \(_{S_k}\), SK \(_{S_k,O}\), SK \(_{S_k,L}\)) in table \(\mathcal {T}_1\), and outputs \(\bot \) otherwise.

  • Outsourcing-Encryption (\(\mathbb {A}\)) \(\mathcal {B}\) can response this query by running Outsourcing-Encryption-PreProc and Outsourcing-Encryption algorithm.

Challenge \(\mathcal {A}\) submits two messages \(m^*_0\), \(m^*_1\) with equal length, an index j of \(\mathcal {T}_2\). If there exists a jth entry (j, \(\mathbb {A}^*=(\mathbf {M}^*,\rho ^*)\), EP \(_O=\{(g^a)^{\lambda _j'}\}_{j\in [1,L]}\), EP \(_L=\{\lambda _j'\}_{j\in [1,L]}\), \(\{(g^a)^{\lambda _j'}H_{\rho ^*(j)}^{-r_j}, g^{r_j}\}_{j\in [1,l]}\)) in table \(\mathcal {T}_2\), and for all \(S \in \mathcal {D}\), \(S\notin \mathbb {A}^*\), \(\mathcal {B}\) chooses \(b\in \{0,1\}\) randomly, and encrypts \(m_b\) as follows. It chooses a random vector \(\tilde{v}\in \mathbb {Z}_N^n\), in which the first entry is 1. This means that \(v = s\tilde{\mathbf {v}}\). It produces the ciphertext as:

$$\begin{aligned}&C_0=m_bT,\quad C=g_1^sY_2,\quad C'=(g_1^sY_2)^{\kappa },\\&C_{j,1}=(g_1^sY_2)^{a\mathbf {M}^*_j\cdot \tilde{\mathbf {v}}}(g^a)^{\lambda _j'}H_{\rho ^*(j)}^{-r_j},\\&C_{j,2}= g^{r_j}, C_{j,3}=-\lambda _j'\ \ \forall j. \end{aligned}$$

If \(T = e(g_1,g_1)^{\alpha s}\), this is a semi-functional ciphertext of \(m_b\), and \(\mathcal {B}\) simulates \(Game_Q\). If T is a random element of \(G_T\), this is a semi-functional ciphertext of a random message, and \(\mathcal {B}\) simulates Game \(_{final}\). Therefore, if \(\mathcal {A}\) has non-negligible advantage in distinguishing Game \(_{Q}\) and Game \(_{final}\), \(\mathcal {B}\) can use this advantage to break Assumption 2. \(\square \)

Theorem 1

Under Assumptions 1 and  2, the outsourced CP-ABE scheme is secure.

If Assumptions 1 and  2 hold, Lemmas 1– 3 show that Game \(_{real}\) is indistinguishable from Game \(_{final}\), in which b is hidden from \(\mathcal {A}\). Terefore, \(\mathcal {A}\) have no advantage to break Game \(_{real}\).

6 Outsourced CP-ABE in cloud computing environment

In this section, we introduce how to deploy our outsourced CP-ABE scheme in cloud computing environment and introduce a specific application for secure cloud storage system.

6.1 Deployment

There are three phases in the running of the outsourced CP-ABE scheme, i.e., key generation phase, encryption phase and decryption phase.

  • Key generation phase In this phase, KGC issues private keys to users. To calculate the private key effectively, KGC calls the outsourcing key generation service, which is provided by OKGSP-cloud, to share calculation tasks. After receiving the outsourcing results, KGC calls the outsourcing verification service, which is provided by OVSP\(_\text {KG}\)-cloud, to verify the correctness of the calculation. The details are as follows (Fig. 2):

Fig. 2
figure 2

Key generation phase

Full size image
  1. 1.

    KGC runs the Outsourcing-KeyGen-PreProc algorithm to obtain (MSK \(_O\), MSK \(_L\)) and delegates the MSK \(_O\) to OKGSP-cloud, which provide the outsourcing key generation service.

  2. 2.

    After KGC receives a key generation request from some user on attributes set S, it submits this request to OKGSP-cloud.

  3. 3.

    According to the request on attribute set S from KGC, OKGSP-cloud runs Outsourcing-KeyGen to obtain an intermediate key IK \(_S\), and returns the IK \(_S\) to KGC.

  4. 4.

    After receiving IK \(_S\) from OKGSP-cloud, KGC submits (MSK \(_O\), IK \(_S\)) to OVSP\(_\text {KG}\)-cloud to verify the correctness of outsourcing calculation.

  5. 5.

    The OVSP\(_\text {KG}\)-cloud runs Outsourcing-KeyGen-Verification algorithm on (MSK \(_O\), IK \(_S\)) and returns a boolean value to KGC.

  6. 6.

    If IK \(_S\) is correct, KGC runs KeyGen algorithm on (MSK \(_L\), IK \(_S)\) and returns the secret key SK \(_S\) to user.

  • Encryption phase In encryption phase, the encryptor calls the outsourcing encryption service, which is provided by OESP-cloud, to share calculation tasks. After receiving the outsourcing results, encryptor calls the outsourcing verification service, which is provided by OVSP\(_\text {E}\)-cloud, to verify the correctness of the calculation. The details are as follows (Fig. 3):

Fig. 3
figure 3

Encryption phase

Full size image
  1. 1.

    The encryptor runs Outsourcing-Encryption-PreProc algorithm to obtain (EP \(_O\), EP \(_L\)) and delegates the EP \(_O\) to OESP-cloud, which provide the outsourcing encryption service.

  2. 2.

    When encryptor needs to encrypt a message on some access structure \(\mathbb {A}\), it submits \(\mathbb {A}\) to OESP-cloud.

  3. 3.

    OESP-cloud runs Outsourcing-Encryption to obtain an intermediate ciphertext IC and returns the IC to the encryptor.

  4. 4.

    After receiving IC from OESP-cloud, the encryptor submits (EP \(_O\), IC) to OVSP\(_\text {E}\)-cloud to verify the correctness of outsourcing calculation.

  5. 5.

    The OVSP\(_\text {E}\)-cloud runs Outsourcing-Encryption-Verification algorithm on (EP \(_O\), IC) and returns a boolean value to the encryptor.

  6. 6.

    If IC is correct, the encryptor runs Encryption algorithm on (EP \(_L\), IC) and sends the ciphertexts CT to the decryptor.

Fig. 4
figure 4

Decryption phase

Full size image

  • Decryption phase In decryption phase, the decryptor calls the outsourcing decryption service, which is provided by ODSP-cloud, to share calculation tasks. After receiving the outsourcing results, decryptor calls the outsourcing verification service, which is provided by OVSP\(_\text {D}\)-cloud, to verify the correctness of the calculation. The details are as follows (Fig. 4):

  1. 1.

    The decryptor runs Outsourcing-Decryption-PreProc algorithm to obtain (SK \(_O\), SK \(_L\)) and delegates the SK \(_O\) to ODSP-cloud, which provide the outsourcing encryption service.

  2. 2.

    When decryptor needs to decrypt a ciphertext CT, it submits CT to ODSP-cloud.

  3. 3.

    OESP-cloud runs Outsourcing-Decryption to obtain a partially decrypted ciphertext \({CT}'\) and returns the \({CT}'\) to the decryptor.

  4. 4.

    The decryptor runs Decryption algorithm on (SK \(_L\), \(CT'\)) to obtain plaintext m.

6.2 Application in secure cloud storage system

In this section, we constructed a new data access control scheme for cloud storage systems using our outsourced CP-ABE scheme. Figure 5 shows the architecture of secure cloud storage system, which consists of the following system entities:

Fig. 5
figure 5

Secure cloud storage system

Full size image

  • KGC Its task is to authenticate the user’s attributes and to issue corresponding keys for users.

  • Data owner Data owner can share the data in the cloud storage server for specific users.

  • Cloud storage server It is a semi-trusted server. It can provide storage space for data owners and allow legitimate users to access data.

  • User In this system, each user has a set of attribute keys corresponding to their attributes and can access the cloud storage services.

Running of the data access control scheme for cloud storage contains three phases, i.e., key generation phase, encryption phase and decryption phase. They are as described in Sect. 6.1, except that, at the end of encryption phase, data owner stores the ciphertext on the storage cloud.

7 Conclusion

In this paper, we introduced the verifiable outsourced CP-ABE system. In this system, KGC, encryptor and decryptor, are able to outsource their computing tasks to the corresponding service providers, respectively, to improve the computational efficiency, and they are also able to verify the correctness of outsourcing calculation efficiently by using the corresponding outsourcing verification services. Then, we proposed a specific outsourced CP-ABE scheme and prove its adaptive security in the standard model. Finally, we introduced how to deploy our outsourced CP-ABE scheme in cloud computing environment and introduced a specific application for secure cloud storage system.