1 Introduction

The notion of attribute-based encryption (ABE) was stemmed from fuzzy identity-based encryption (FIBE) proposed by Sahai and Waters (2005). The ABE schemes focus on the access control mechanisms. Formally, ABE schemes are divided into two catagories: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In the KP-ABE schemes (Goyal et al. 2006; Ostrovsky et al. 2007; Lewko et al. 2010; Ma et al. 2016), the ciphertexts are associated with a set of attributes and the secret key for controlling decryption is related to the access structure. While in the CP-ABE schemes (Bethencourt et al. 2007; Bobba et al. 2009; Goyal et al. 2008; Ibraimi et al. 2009; Waters 2011), the ciphertext are associated with the access tree and the key of user is affiliated to the set of attributes.

ABE schemes enable efficient public key-based fine-grained sharing, but the practicability of ABE schemes is still restricted by high complexities of encryption and decryption. Specifically, the encryption and decryption algorithms need \({{\mathcal {O}}}(n)\) exponentiations, where n is the number of attributes in the access structure. These problems can be coherently addressed by outsourcing the computations to the cloud. Cloud computation gained overgrown popularity during current epoch (He et al. 2015; Li et al. 2016; Liu et al. 2016; Xhafa et al. 2014). To reduce the computation cost, outsourcing concept is incorporated into ABE schemes, where the core idea is to delegate the majority of the computation to the cloud server. Green et al. (2011) proposed the first practical outsourced ABE scheme that outsources the decryption process of Waters’ CP-ABE. In Green’s work, the ciphertext can be translated into a (constant-size) ELGamal ciphertext, and the scheme can be proved to be secure against replayable chosen ciphertext attacks. After that, Zhou and Huang (2012) proposed a privacy preserving CP-ABE scheme, which allows the user to outsource both encryption and decryption to cloud service providers. Based on Zhou’s ABE, Li et al. (2012) defined the notion of outsourcing encryption of ABE and improved Zhou’s ABE scheme both in security and performance with MapReduce. Lai et al. (2013) put forward an ABE scheme with verifiable outsourced decryption. Lai improved the security of Green’s scheme and achieved the first verifiable outsourced ABE scheme. In 2014, a more practical outsourcing ABE scheme was presented, which provides outsourced key generation and decryption algorithms (Li et al. 2014). Meanwhile, the presented system (Li et al. 2014) supports checkability of the outsourcing computation results. In 2015, an efficiently verifiable ABE scheme with outsourced decryption was presented (Qin et al. 2015), in which the message is encrypted by a symmetric cryptosystem for improving the scheme’s security. In the same year, Lin et al. (2015) presented a verifiable outsourcing decryption algorithm with a relatively small bandwidth. Mao et al. (2015) presented generic outsourced decryption constructions of CPA- and RCCA-secure ABE systems with checkability. Recently, Wang et al. (2016) designed a verifiable outsourcing encryption algorithm for the CP-ABE. The number of exponentiations in the encryption is reduced to a constant. However, the outsourcing method increases the ciphertext size.

The aforementioned outsourcing methods can enhance the efficiency of ABE schemes. However, most of them still need \({{\mathcal {O}}}(n)\) exponentiations for the encryption algorithms, or some of them provide an efficient outsourcing encryption at the cost of the bandwidth. Therefore, to reduce \({\mathcal {O}}(n)\) encryption exponentiations to \({\mathcal {O}}(1)\) with a small storage cost is a meaningful challenge. Thus, our aim is to provide a new outsourcing mechanism with efficient outsourcing ABE encryption and reduced bandwidth.

1.1 Contributions

In this paper, we propose an efficient outsourcing method for ABE encryption without increasing the ciphertext size. In the proposed scheme, the user computes an encryption transformation key (ETK) for the given attributes. Then, the encryption exponents are blinded by the ETK and the number of the exponential operations in the encryption can be reduced to a constant. Meanwhile, it is required that any useful information cannot be revealed to the cloud servers and the validity of messages and outsourcing results are correct. Moreover, a collision-resistance hash function is introduced to guarantee the correctness of the scheme, where the message and some ciphertext components are hashed to generate a verification component of the ciphertext. Our scheme achieves the verifiable outsourcing encryption and decryption. Furthermore, it is efficient for both the outsourcing encryption and the verification. Finally, the experiments are carried out to illustrate the efficiency of the outsourced scheme.

1.2 Organization

The rest of this paper is organized as follows. Section 2 reviews some basic definitions. In Sect. 3, our outsourced ABE scheme is proposed and the security analysis is discussed. Section 4 presents the efficiency analysis and the experimental results. Section 5 includes the concluding thoughts.

2 Preliminaries

In this section, we review some basic concepts of ABE schemes.

2.1 Bilinear maps

The background of bilinear maps will be given (Waters 2011). Let G and \(G_{T}\) be two groups of prime order p. Suppose that g is one generater of group G and \(e(\cdot ,\cdot )\) is a bilinear map that e: \(G \times G\rightarrow G_{T}\). The bilinear map e has the following properties:

  • Bilinearity \(e(g^{a}_{1},g^{b}_{2})=e(g_{1},g_{2})^{ab}\) for all \(g_{1},g_{2}\in G\) and \(a,b\in Z_{p}\);

  • Non-degeneracy \(e(g,g)\ne 1_{G_{T}}\) unless \(g=1_{G}\).

  • Computability There is an efficient algorithm to compute \(e(g_{1},g_{2})\) for \(\forall g_{1},g_{2}\in G\).

2.2 Linear secret sharing scheme

Definition 1

(Access structure) Let \({\mathcal {P}}=\{P_{1},P_{2},\ldots ,P_{n}\}\) be a set of participants in a secret sharing scheme. An access structure (Beimel 1996), usually denoted by \(\varGamma \), is a collection of all authorized subsets of \({\mathcal {P}}\), where an authorized subset is a set, in which the participants can recover the shared secret. \(\varGamma \) satisfies the monotone ascending property that \(A\in \varGamma \) and \(A\subseteq B\), then \(B\in \varGamma \). Hence, it is enough to consider the minimum access structure (indicated by \(\varGamma _{\min }\)).

Definition 2

(Linear secret sharing scheme) A linear secret sharing scheme (Beimel 1996) involves a set of participants \({\mathcal {P}}\), an access structure and a monotone Boolean function \(\phi \) that satisfies \(\phi (A)=1\) if and only if \(A\in \varGamma \). Let \(F_{p}\) is a finite field and M be a \(l\times n\) matrix, where the i’th row \(M_{i}\) is associated with party \(P_{i}\). Hence, the access structure \(\varGamma \) can be denoted by \(\varGamma (M,\phi )\). Suppose that the secret is s, then select a vector \(\mathbf {v}=(s,v_{2},\ldots ,v_{n})\in F_{p}\) and compute \(\lambda _{i}=\mathbf {v}M_{i}\) for \(i=1,\ldots ,l\) as share of \(P_{i}\). Meanwhile, there exist \(\{\omega _{i}\in F_{p}\}_{i\in I}\) such that \(\sum _{i\in I}\omega _{i}M_{i}=(1,0,\ldots ,0)\). Then, the parties of A can recover the secret by \(\sum _{i\in I}\omega _{i}\lambda _{i}=s\).

2.3 Outsourced ABE model

The proposed model is an extension of Green’s outsourced ABE model (Green et al. 2011). Besides, to realize an outsourcing encryption and the checkability, we introduce three novel steps for creating ETK, outsourcing encryption and ciphertext verification. Let \(\varGamma \) be an access structure. The outsourcing ABE model consists of the following six algorithms:

  • Setup The authority center takes the security parameter \(\lambda \) and a system attributes set U as input, then outputs the public key \(\textit{PK}\) and the master secret key \(\textit{MSK}\).

  • Key generation The authority center inputs the master secret key \(\textit{MSK}\) and a set \(S\subseteq U\) of attributes. Then, it returns a private key \(\textit{SK}\) and a decryption transformation key \(\textit{DTK}\).

  • ETK generation The user takes the set S of attributes and then computes its encryption transformation key \(\textit{ETK}\).

  • Encryption The encryption algorithm is divided into the following two stages:

    • Partial ciphertext generation: The user takes the public key \(\textit{PK}\), a message m and an access structure \(\varGamma =(M,\phi )\) as input, where the function \(\phi \) associates rows of matrix M to the attributes. Then, it outputs partial ciphertext \(C_{1}\) such that \(f(\textit{PK},C_{1},m)=1\), where the output of function f is 0 or 1.Footnote 1

    • Outsourcing parameter generation: The user inputs \(\textit{PK},\textit{ETK}\) and computes the outsourcing parameters \(\textit{OP}\).

    • Outsourcing: The cloud server takes the outsourcing parameters as input and then outputs the rest part of the ciphertext \(C_{2}\) based on the access structure. That is, the ciphertext is \(C=(C_{1},C_{2})\).

  • Transformation The cloud server takes as input the DTK and ciphertext C, then returns the transformation ciphertext \(C_{T}\) if S satisfies the access structure \(\varGamma \).

  • Decryption The user takes as input the transformation ciphertext \(C_{T}\) and decryption key \(\textit{SK}\), then returns the message m if \(f(\textit{PK},C_{1},m)=1\). Otherwise, it outputs \(\bot \).

Note that, the \(\textit{ETK}\) is kept secret by the user, while the \(\textit{DTK}\) is published by the authority center. The outsourcing step in the aforementioned model is used to outsource the encryption computation and it is performed by the user and cloud servers. At the same time, the transformation step is executed by the cloud servers, and it is actually an outsourced decryption algorithm. Furthermore, the ETK is used to blind the random value in the encryption. The interactive process in the construction can be depicted by Fig. 1.

Fig. 1
figure 1

Interaction between the users and cloud server

Full size image

2.4 Security model

For a modern cryptosystem, the security model is necessary to be built for achieving a provable secure scheme (Green et al. 2011; He et al. 2016a, b; Waters 2011). Green et al. (2011) proved that their proposed outsourced ABE scheme is secure against replayable chosen ciphertext attacks (RCCA-secure). We now recall the RCCA security model involving a simulator \(\mathcal {S}\) and an adversary \(\mathcal {A}\). In addition, based on the description in Sect.2.3, the simulator allows the adversary to get the challenged outsourcing parameter \(\textit{OP}\) in the challenge phase.

  • Setup The simulator executes the setup algorithm and sends the public key PK to the adversary.

  • Phase 1 The simulator builds an empty table T and an empty set D. The adversary makes repeated queries as below.

    • Create (S) The simulator runs the key generation algorithm for a set S of attributes to compute (\(\textit{SK},\textit{DTK}\)) and adds them into Table T as \((j,S,\textit{SK},\textit{DTK})\). Then, it sends \(\textit{DTK}\) to the adversary.

    • Corrupt (i) If ith entry is in table T, then the simulator adds S into Table D. It returns \(\textit{SK}\) to the adversary. Otherwise, it outputs \(\bot \).

    • Decrypt \((i,\textit{CT})\) If ith entry is in table T, then the simulator returns the adversary a message for \(\textit{CT}\) by using the entry \((i,S,\textit{SK},\textit{DTK})\). Otherwise, it outputs \(\bot \).

  • Challenge The adversary \(\mathcal {A}\) submits two equal-length messages \(m_{0},m_{1}\). Meanwhile, \(\mathcal {A}\) selects an access structure \(\varGamma ^{*}\) such that the set S doesn’t satisfy the access formula \(\varGamma ^{*}\). Then, the simulator filps a coin b and sends the challenge ciphertext \(\textit{CT}^{*}\) to the adversary. Meanwhile, the adversary has access to the outsourcing parameter \(\textit{OP}^{*}\) for the challenged message.

  • Phase 2 Phase 1 is repeated with the following query restrictions:

    • A corrupt query for \(S'\in \varGamma ^{*}\);

    • Decryption queries for the ciphertexts of both \(m_{0},m_{1}\).

  • Guess The simulator outputs a guess \(b^{\prime }\) of b.

The advantage of the adversary is defined as \(\hbox {Adv}^{{\mathcal {RCCA}}}_{{\mathcal {A}}}=|Pr[b^{\prime }-b]-\frac{1}{2}|\).

3 Outsourcing ABE for encryption

3.1 The proposed outsourced ABE

In this section, we present a new outsourcing encryption mechanism for the ABE schemes for a given user, in which the user generates the encryption transformation key secretly, then computes and sends outsourcing parameters to the cloud servers. In particular, the encryption transformation key is used to blind the encryption exponents, and hence, a large number of exponentiations can be outsourced to the cloud servers. Meanwhile, we adopt Green’s outsourcing decryption algorithm in our construction. Therefore, our ABE scheme offers both outsourcing encryption and decryption. Furthermore, to check the correctness of the outsourced ABE, we use a collision-resistance hash function on the given message and some components of a ciphertext. Then, in decryption phase, the user decrypts and verifies the validity of the message and outsourcing results. Now, our outsourcing ABE scheme is described as follows.

\({\mathrm {Setup}}:\) :

The setup algorithm takes a security parameter \(\lambda \) and a number of attributes \(U=\{1,2,\ldots ,|U|\}\) as input. It selects a group G of prime p, a generater g, a bilinear map e :  \(G\times G\rightarrow G_{T}\) and a hash function H :  \(G^{3}\rightarrow Z_{p}\). Afterward, it randomly chooses \(\alpha ,\beta \) as the secret key and \(h_{1},h_{2},\ldots ,h_{|U|}\) as the public key related to the attributes.

The public key is \(\textit{PK}=(G,G_{T},g,e(g,g)^{\alpha },g^{\beta },h_{1},h_{2},\ldots ,h_{|U|},H)\) and the master secret key is \(\textit{MSK}=(\alpha ,\beta )\).

\({\mathrm {Key~generation}}\) :

: The key generation algorithm inputs the public key PK, the master secret key MSK and a set \(S\subseteq U\) of attributes. Then, it selects a random number \(t,z\in Z_{p^{*}}\) and publishes the decryption transformation key \(\textit{DTK}=(K^{z},K^{z}_{0},\{K^{z}_{i}\})\) as \(K=g^{\alpha }g^{\beta t},~K_{0}=g^{t},K_{i}=h_{i}^{t}\) for \(i\in S\). After that, it outputs the private key \(\textit{SK}_{S}=z^{-1} (\hbox {mod}\,p)\).

\({\mathrm {ETK~generation}}\) :

: It takes the set of attributes S as input and randomly chooses \(x\in Z_{p}\) for the user X, then outputs X’s encryption transformation key \(\textit{ETK}=(x,h^{x}_{1},h^{x}_{2},\ldots ,h^{x}_{|S|})\). Note that, the \(\textit{DTK}\) is public, while the \(\textit{ETK}\) is secret.

\({\mathrm {Encryption}}\)::

The encryption algorithm involves a local partial encryption algorithm for user X and an outsourcing encryption algorithm for the cloud server.

  • Partial ciphertext generation: This algorithm inputs the public key \(\textit{PK}\) and a message \(m\in G_{T}\). Meanwhile, it takes an access structure \(\varGamma =(M,\phi )\) as input, where the function \(\phi \) associates rows of matrix M to the attributes. Let M be a \(l\times n\) matrix. Then, the algorithm randomly chooses elements \(s,d\in Z_{p}\), a vector \(\mathbf {v}=(s,v_{2},\ldots ,v_{n})\in Z_{p}^{n}\) and computes \(\lambda _{i}=\mathbf {v}\cdot M_{i}\) for \(i=1,\ldots ,l\) as shares of s. Meanwhile, it returns the partial ciphertext

    $$\begin{aligned} \left( C_{1}=e(g,g)^{\alpha s}\cdot m,C_{2}=g^{s},C_{3}=g^{{sr}}\right) \end{aligned}$$

    and the blinding factors \(\{(g^{\beta })^{d}\cdot h_{\phi (i)}^{x}\}\) for \(\phi (i)\in S\), where \(r=H(C_{1},C_{2},\) m).

  • Outsourcing parameter generation: It takes \(sr,x,g^{\beta },\lambda _{i},h_{\phi (i)}\) as input, then computes \(sr-x\), \(\lambda _{i}-d\) for \(i=1,\ldots ,l\). Then, it sends the outsourcing parameter \(\textit{OP}=(\lambda _{i}-d,~sr-x,~g^{\beta d}\cdot h_{\phi (i)}^{x})\) to the cloud server for \(i=1,\ldots ,l\).

  • Outsourcing: The cloud server takes as output the other part of the ciphertext as

    $$\begin{aligned} \left\{ {\bar{C}}_{i}=\left( g^{\beta }\right) ^{\lambda _{i}-d}\cdot g^{\beta d}\cdot h_{\phi (i)}^{x}\cdot h_{\phi (i)}^{{sr}-x}=g^{\beta \lambda _{i}}\cdot h_{\phi (i)}^{{sr}}\right\} . \end{aligned}$$

    Finally, the ciphertext is \(C=(C_{1},C_{2},C_{3},\{\bar{C}_{i}\})\)

    $$\begin{aligned}&C_{1}=e(g,g)^{\alpha s}\cdot m,\quad C_{2}=g^{s},\quad C_{3}=g^{{sr}},\\&\bar{C}_{i}=g^{\beta \lambda _{i}}\cdot h_{\phi (i)}^{{sr}} \end{aligned}$$

    for \(i=1,\ldots ,l\).

\({\mathrm {Transformation}}\)::

It takes a ciphertext \(C=(C_{1},C_{2},C_{3},\{\bar{C}_{i}\})\) for access structure \(\varGamma \) and the decryption transformation key \(\textit{DTK}=(K^{z},K^{z}_{0},\{K^{z}_{i}\})\) as input. Let \(I\subseteq \{1,\ldots ,l\}\) be defined as \(I=\{i:\phi (i)\in S\}\). Suppose that \(\{\omega _{i}\}\) is a set of constants such that \(\sum _{i\in I}\omega _{i}\lambda _{i}=s\). Then, it computes the transformation ciphertext \(C_{T}\) as

$$\begin{aligned} C_{T}= & {} \frac{e\left( K^{z},C_{2}\right) }{\prod _{i\in I}\left( e(K^{z}_{0},\bar{C}_{i})\cdot e\left( K^{z}_{\phi (i)},C_{3}\right) \right) ^{\omega _{i}}}\\= & {} \frac{\left[ e(g,g)^{\alpha s}e(g,g)^{\beta ts}\right] ^{z}}{\left[ e(g,g)^{\beta t \left( \sum _{i\in I}\omega _{i}\lambda _{i}\right) }\prod _{i\in I}\left( e(g,h_{\phi (i)})^{-srt\omega _{i}}e(g,h_{\phi (i)}\right) ^{srt\omega _{i}})\right] ^{z}}\\= & {} \frac{[e(g,g)^{\alpha s}e(g,g)^{\beta ts}]^{z}}{e(g,g)^{\beta t sz}}\\= & {} e(g,g)^{\alpha sz} \end{aligned}$$
\({\mathrm {Decryption}}\)::

It takes as input the private key \(\textit{SK}_{S}=z^{-1}~(\hbox {mod}~p)\) and the transformation ciphertext, then returns the message

$$\begin{aligned} m=\frac{C_{1}}{C_{T}^{\textit{SK}_{S}}} \end{aligned}$$

if the verification equation

$$\begin{aligned} C_{3}=C_{2}^{H(C_{1},C_{2},m)} \end{aligned}$$

holds.

3.2 Security

The security of the presented scheme is based on the security of Green’s outsourced ABE, and thus, our scheme achieves the RCCA security [see the proof Theorem 3.2 in Green et al. (2011)]. In particular, the Challenge in the RCCA game is a bit different since the outsourcing parameter \(\textit{OP}^{*}\) of the challenged message needs to be returned to the adversary. Let the challenged ciphertext be \(C^{*}=(C^{*}_{1},C^{*}_{2},C^{*}_{3},\bar{C}^{*}_{i})\) [(see Waters (2011)]. The simulator sets \(\textit{OP}^{*}=(r_{1},r_{2},g^{-r_{1}}\bar{C}^{*}_{i}h^{-r_{2}})\) for random chosen \(r_{1},r_{2}\in Z_{p}\). That is, it is valid if the outsourcing parameter \(\textit{OP}^{*}\) satisfies \(g^{OP^{*}_{1}}\cdot OP^{*}_{3,i} \cdot h^{\textit{OP}^{*}_{2}}=\bar{C}^{*}_{i}\).

Furthermore, due to the introduction of outsourcing encryption algorithm, it is necessary to illustrate that the cloud server fails to derive any useful information from the outsourcing parameters as \(\textit{OP}=(\lambda _{i}-d, sr-x, g^{\beta d}\cdot h_{\phi (i)}^{x})\) in our ABE construction. Observing the given \(\textit{OP}\), we need to discuss the security of the encryption transformation key x, \(\{h_{\phi (i)}^{x}\}\), encryption exponents sr, \(\{\lambda _{i}\}\) and the message m as follows:

  • Encryption transformation key security The adversary cannot factorize the blinding factor \((g^{\beta })^{d}\cdot h_{\phi (i)}^{x}\) into \((g^{\beta })^{d}\) and \(h_{\phi (i)}^{x}\) for random (dx) to the adversary. Hence, \(h_{\phi (i)}^{x}\) is secure.

  • Encryption exponents security The secret encryption exponents sr and \(\lambda _{i}\) are blinded by x and d, respectively. Thus, the outsourcing parameters \(sr-x\) and \(\lambda _{i}-d\) does not reveal the encryption exponents.

Actually, the encryption transformation key and encryption exponents are secure from an angle of the information theoretic perspective.

  • Message security The ciphertext of given scheme includes \(C=(C_{1},C_{2},C_{3},\bar{C}_{i})\) as

    $$\begin{aligned}&C_{1}=e(g,g)^{\alpha s}\cdot m,\quad C_{2}=g^{s},\quad C_{3}=g^{sr},\\&\bar{C}_{i}=g^{\beta \lambda _{i}}\cdot h_{\phi (i)}^{sr}, \end{aligned}$$

    for \(\phi (i)\in S\), where \(r=H(C_{1},C_{2},m)\). Note that, compared with the previous ABE schemes (Green et al. 2011; Lai et al. 2013; Waters 2011), our scheme adds a new ciphertext component \(C_{3}\) with the exponent \(s\cdot r\). On the one hand, the equation \(C_{3}=C_{2}^{r}\) can be used for checking the validity of the message and the outsoucring results for both encryption and decryption. On the other hand, r and sr protects the confidentiality of the message m. Actually, if the users remove \(C_{3}\) and sets \(\bar{C}_{i}=g^{\beta \lambda _{i}}\cdot h_{\phi (i)}^{s}\) like the ciphertext in Green et al. (2011), Lai et al. (2013), Waters (2011). That is, \(r=1\). Then, the outsourcing parameter will contain \(s-x\). Hence, the adversary only needs to carry a plaintext–ciphertext pair (mC), and subsequently, it derives the other messages \(m_{j}\) from the corresponding ciphertext components \(e(g,g)^{\alpha s_{j}}\cdot m_{j}\) and outsourcing parameters \(s_{j}-x\). For any j, the adversary computes \(\vartheta _{j}=(s_{j}-x)-(s_{j}-x)=s_{j}-s\), and

    $$\begin{aligned} m_{j}=\frac{e(g,g)^{\alpha s_{j}}\cdot m_{j}}{e(g,g)^{\alpha \vartheta _{j}}\cdot (e(g,g)^{\alpha s}\cdot m)\cdot m^{-1}}. \end{aligned}$$

    Therefore, r and \(C_{3}\) play a vital role for protecting the message in the outsourcing encryption.

4 Performance

In this section, we present the efficiency analysis of the proposed outsourcing ABE scheme based on an elliptic curve group G, and we implement the ABE scheme with a 256-b security parameter. In the following discussion, for convenience, we don’t distinguish the user in the encryption from the user in the decryption (in fact, the users appearing in the encryption and the decryption must be different parties).

Table 1 Communication cost in the outsourcing Enc/Dec (b)
Full size table
Table 2 Computation cost in the Enc/Dec
Full size table

First, we present the communication cost of user and cloud server in the outsourcing encryption (Dec) and decryption (Dec) in Table 1. Note that, the communication between the two parties is based on the public channels. For the outsourcing Encryption, the user sends \((\lambda _{i}-d,sr-x,g^{\beta d}\cdot h^{x}_{\phi (i)})\) to the cloud server and the cloud server returns the user \(\{\bar{C}_{i}\}\) for \(i\in S\). In the transformation phase of outsourcing Decryption, the cloud server receives the ciphertext components \((C_{2},C_{3},\{\bar{C}_{i}\})\) for \(i\in S\) and sends the transformed ciphertext \(C_{T}\) to the user.

Fig. 2
figure 2

Comparison for \(|S|=10\)

Full size image

Next, we provide the computation cost for both the user and the cloud server in Enc/Dec (Table 2). Let \(\pi _{1},\pi _{2},\pi _{3},\pi _{4},\pi _{5}\) successively denote the running times for one-time computation of bilinear map e, multiplication over G, exponential operation over G, multiplication over \(G_{T}\) and exponential operation over \(G_{T}\), respectively. In addition, the user computes its encryption transformation key in \(|S|\cdot \pi _3\) during the ETK Generation before encryption phase.

To vividly demonstrate the efficiency of the outsourced ABE, we plot the corresponding figures for the outsourcing encryption (see Figs. 2, 3, 4). In Figs. 2, 3 and 4, we compare the running time of the outsourced encryption algorithm with that of the non-outsourced encryption algorithm in ABE schemes: Fig. 2 shows the advantage of the outsourcing encryption algorithm for \(|S|=10\) with different encryption numbers; Fig. 3 shows the comparison results for one-time encryption when \(|S|=10\), \(|S|=12\) and \(|S|=14\). To provide some additional results on some small attribute sets, we plot a three-dimensional figure by comparing the outsourced ABE scheme with the non-outsourced scheme, where x-axis denotes the cardinality of attribute set, y-axis denotes the number of encryptions and z-axis is the running time. Figure 4 presents that the advantage of the outsourced version. [For the merit of the outsourcing decryption, our algorithm is based on Green’s outsourcing decryption algorithm; therefore, the readers are referred to Fig. 8 in Green et al. (2011).]

Fig. 3
figure 3

Comparison for different |S|

Full size image
Fig. 4
figure 4

Advantage of the outsourced ABE

Full size image
Table 3 Performance comparison
Full size table

Finally, we will compare our scheme with the existing outsourcing ABE schemes (Green et al. 2011; Li et al. 2014; Lin et al. 2015; Qin et al. 2015; Wang et al. 2016) from the ciphertext size, the checkability and the running time of local computation for encryption. Note that, all the comparable schemes are efficient in outsourcing decryption. Now, let L denote the length of one group. Then, the performance comparison is given in Table 3, where the multiplication and bilinear map operations are omitted. In addition, Wang’s scheme (Wang et al. 2016) cannot provide the verification for outsourcing decryption. Compared with Wang’s outsourcing ABE, our scheme has the advantage of the full checkability, the verification efficiency and lower bandwidth.

The performance analysis depicts that our outsourcing technique is a suitable contribution to be used for information security in electronic world (Islam and Khan 2014; Khan 2009; Li et al. 2013, 2014, 2015; Shen et al. 2015; Siddiqui et al. 2014).

5 Conclusions

In this paper, we present an efficient outsourced ABE scheme with checkability, where the users exploit the cloud’s strong computation resource for reducing their local computational cost. In the construction, the encryption transformation key is created by the user for the given attributes set and the decryption transformation key is generated by the authority center. More precisely, the user employs the encryption transformation key to blind the encryption exponents for reduction of \({\mathcal {O}}(n)\) exponentiations to \({\mathcal {O}}(1)\) in the encryption phase. For the security, any useful information won’t be revealed to the cloud servers from the outsourcing parameters. Furthermore, to guarantee the correctness of our scheme, we provide the verification property based on a collision-resistance hash function, that is, the user can check the validity of messages and outsourcing results. In the performance analysis, we do some experiments to illustrate the efficiency of the outsourced ABE. The secure efficient cloud computation and cloud storage techniques for improving ABE schemes will be our future directions (Ren et al. 2015; Xia et al. 2016a, b; Fu et al. 2015).