1 Introduction

The past decade has witnessed a rapid development of computing paradigm technologies. A large number of people have uploaded their various types of data, including the highly sensitive data, into third-party cloud platforms either for ease of sharing or for cost saving. Recently, the combination of cloud computing and wireless communication technologies together with mobile devices has significantly promoted the development of mobile cloud computing, which can provide users with attractive services any time and any where. Nevertheless, data security and privacy concerns have been the biggest obstacles that hamper the widespread adoption of mobile cloud computing.

To address this challenge, a promising public key primitive, attribute-based encryption (ABE), can be adopted. The concept of ABE was proposed by Sahai and Waters (2005), in which scalable and fine-grained access rights can be assigned to individual users. ABE are categorized into Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE) by Goyal et al. (2006). In a CP-ABE scheme, each user can apply for a secret key by submitting his/her attributes to the attribute authority. During the encryption phase, the data owner first specifies an access structure and then encrypts the message with respect to the access structure. A successful decryption can be done only if the attributes associated the secret key satisfy the access structure. CP-ABE is more suitable for realizing outsourced data security in cloud computing in that it puts access decisions in the hands of data owners. However, traditional CP-ABE schemes cannot be directly used in mobile cloud computing environment. In mobile cloud computing, there exists several special security and efficiency requirements. For one thing, privacy issues need more attentions because mobility promotes frequent interactions between different users. For another, mobile users are usually resource-constrained and they cannot take expensive cryptographic operations. Thirdly, concurrent registration requests of large volume of users bring forward higher requirements on the attribute authority. On the other hand, traditional attribute-based data sharing systems cannot preserver users’ attribute privacy because the sensitive access structure is sent along with ciphertexts explicitly. Besides, the key generation phase, the encryption phase and the decryption phase involve a large number of computation tasks. To the best of the authors’ knowledge, most of existing data sharing systems based on CP-ABE schemes either suffer privacy disclosure or bad efficiency.

Our contributions

The contributions of this paper can be summarized as follows.

  • Aiming to realize fine-grained data sharing in mobile cloud computing, we propose an efficient and privacy-aware attribute-based data sharing system supporting offline key generation and offline encryption. In the proposed system, the computation tasks required in the key generation process and the encryption phase are split into an offline phase and an online phase. In the offline phase, the attribute authority can finish the majority of the work to issue attribute secret keys before knowing users’ attributes. The mobile data owner does most of the computation tasks in encryption without needing the message and the access structure. Furthermore, the online phase can easily assemble the final secret key and ciphertexts once related specifications become known. In particular, the proposed scheme preserve users’ attribute privacy by hiding the attribute values specified in the access structure in ciphertexts.

  • The proposed attribute-based data sharing system is proven semantically secure in the standard model. Specifically, it is fully secure under four assumptions. Our scheme allows any monotonic access structures encoded in a linear secret sharing scheme. Performance analysis indicates that the proposed system is suitable for data sharing in mobile cloud computing.

2 Related work

Since the introduction of ABE by Sahai and Waters (2005), a plenty of researches have been done on various ABE schemes. Goyal et al. (2006) presented a KP-ABE scheme by generating the private key according to the monotonic access structures. The first CP-ABE scheme was proposed by Bethencourt et al. (2007), which is proven secure in the generic group model. Based on this scheme, Wang and Li (2013) proposed an attribute-based signature scheme. To improve the security proof, Cheung and Newport (2007) proposed another CP-ABE construction and proved its security in the standard model. The construction supports the access structures of AND gate on different attributes. In addition, applications of ABE have been studied (Zhu and Yang 2015).

Although ABE can be directly adopted to enable secure data sharing, there is an increasing need to preserve users’ attribute privacy in mobile cloud computing environment. In order to tackle this issue, anonymous ABE was introduced by Kapadia et al. (2007). Kapadia et al. (2007) realized hidden AND gate policies with positive and negative attributes, but it is not collusion-resistant. Based on the technique of hidden vector encryption, Boneh and Waters (2007) proposed a predicate encryption scheme, which can realize anonymous CP-ABE by using the opposite semantics of subset predicates. An inner product predicate encryption scheme was presented by Katz et al. (2008). Based on this predicate scheme, we can achieve hidden CP-ABE schemes. A more efficient anonymous CP-ABE scheme was constructed by Nishide et al. (2008). The security was based on the decisional bilinear Diffie–Hellman assumption and the decision linear assumption. Li et al. (2009) proposed an accountable anonymous CP-ABE scheme. To achieve full security and expressiveness, an anonymous CP-ABE scheme under new assumptions was proposed by Lai et al. (2012). Park and Chung (2014) realized attribute privacy protection by combining security policy publication service and ABE. There are many other researches on anonymous ABE (Zhang et al. 2013; Lai et al. 2011; Rao and Dutta 2015; Jung et al. 2015; Zhang et al. 2016a, 2017; Phuong et al. 2016).

To improve the efficiency of ABE, online/offline ABE schemes have recently been presented by Hohenberger and Waters (2014). The idea of online/offline was initiated by Even et al. (1996) for digital signatures. An online/offline signature scheme consists of two phases and it can efficiently enables handover authentication in wireless networks (Zhang et al. 2014). Before the message to be signed is known, the first offline phase is performed. To solve the key exposure problem, a special double-trapdoor hash family was proposed by Chen et al. (2007), and they applied the hash-sign-switch paradigm to propose a much more efficient generic online/offline signature scheme (Chen et al. 2008). The technique of online/offline encryption was introduced by Guo et al. (2008). The first fully secure online/offline predicate encryption and attribute-based encryption schemes have recently been presented by Datta et al. (2015), in which only the online/offline encryption is considered. There are many other ABE constructions, such as ABE with outsourced decryption (Green et al. 2011; Li et al. 2014; Lai et al. 2013), constant-size ABE (Zhang et al. 2016b) and full security (Lewko et al. 2010; Lewko and Waters 2012). As far as the authors’ knowledge, no ABE schemes can simultaneously support attribute privacy protection and offline key generation and encryption mechanisms.

Organization

The remaining of this work is organized as follows. We first review some preliminaries in Sect. 3. In Sect. 4, we present the system architecture and security model. The proposed privacy-aware attribute-based data sharing system is given in Sect. 5. In Sect. 6, security results and performance analysis are presented. We draw our conclusions in Sect. 7.

3 Preliminaries

In this section, we give a brief review on some cryptographic background and access structures.

3.1 Cryptographic background

Definition 1

(Composite order bilinear groups) Composite order bilinear groups are widely used in IBE and ABE systems, which are first introduced by Boneh et al. (2005). We denote by \(\mathcal {G}\) a group generator, which takes a security parameter \(\lambda\) as inputs and outputs a description of a bilinear group \(\mathbb {G}\). We define the output of \(\mathcal {G}\) as \((p_1,p_2,p_3,p_4,\mathbb {G},\mathbb {G}_T,\hat{e}),\) where \(p_1,p_2,p_3,p_4\) are distinct primes, \(\mathbb {G}\) and \(\mathbb {G}_T\) are two cyclic groups of order \(N=p_1p_2p_3p_4\), and \(\hat{e}: \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_{T}\) is a bilinear map satisfying:

  1. 1.

    Bilinear: \(\hat{e}(g^a, h^b)=\hat{e}(g, h)^{ab}\) for all \(a, b \in \mathbb {Z}_N\) and \(g,h\in \mathbb {G}\).

  2. 2.

    Non-degenerate: There exists \(g \in \mathbb {G}\) such that \(\hat{e}(g, g)\) has order N in \(\mathbb {G}_T\).

Assume that group operations in \(\mathbb {G}\) and \(\mathbb {G}_T\) as well as the bilinear map \(\hat{e}\) are computable in polynomial time with respect to \(\lambda\). Let \(\mathbb {G}_{p_i}\) be the subgroup of order \(p_i\) in \(\mathbb {G}\) for \(1\le i \le 4\). Note that for any \(X_i\in \mathbb {G}_{p_i}\) and \(X_j\in \mathbb {G}_{p_j}\), \(\hat{e}(X_i,X_j)=1\) holds for \(i\ne j\).

Assumption 1

Given a group generator \(\mathcal {G}\), define the following distribution:

$$\begin{aligned} (N &= p_{1} p_{2} p_{3} p_{4} ,{\mathbb{G}},{\mathbb{G}}_{T} ,\hat{e})\xleftarrow{R}{\mathcal{G}} \hfill \\ g&\xleftarrow{R}{\mathbb{G}}_{{p_{1} }} ,X_{3} \xleftarrow{R}{\mathbb{G}}_{{p_{3} }} ,X_{4} \xleftarrow{R}{\mathbb{G}}_{{p_{4} }} , \hfill \\ D& = (N,{\mathbb{G}},{\mathbb{G}}_{T} ,\hat{e},g,X_{3} ,X_{4} ), \hfill \\ T_{1}& \xleftarrow{R}{\mathbb{G}}_{{p_{1} p_{2} }} ,T_{2} \xleftarrow{R}{\mathbb{G}}_{{p_{1} }} . \hfill \\ \end{aligned}$$

The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined to be: \(\textsf {Adv1}_{\mathcal {G},\mathcal {A}}(\lambda )=|\text {Pr}[\mathcal {A}(D,T_1)=1]- \text {Pr}[\mathcal {A}(D,T_2)=1]|\).

Definition 2

We say that \(\mathcal {G}\) satisfies Assumption 1 if \(\textsf {Adv1}_{\mathcal {G},\mathcal {A}}(\lambda )\) is a negligible function of \(\lambda\) for any probabilistic polynomial time (PPT) algorithm \(\mathcal {A}\).

Assumption 2

Given a group generator \(\mathcal {G}\), define the following distribution:

$$\begin{aligned} (N& = p_1p_2p_3p_4,\mathbb {G},\mathbb {G}_T,\hat{e}) \xleftarrow {R} \mathcal {G}\\ g,X_1& \xleftarrow {R} \mathbb {G}_{p_1}, X_2,Y_2\xleftarrow {R} \mathbb {G}_{p_2}, X_3,Y_3\xleftarrow {R} \mathbb {G}_{p_3}, X_4\xleftarrow {R} \mathbb {G}_{p_4},\\ D & = (N,\mathbb {G},\mathbb {G}_T,\hat{e},g,X_1X_2,Y_2Y_3,X_3,X_4),\\ T_1& \xleftarrow {R} \mathbb {G}_{p_1p_2p_3}, T_2\xleftarrow {R} \mathbb {G}_{p_1p_3}. \end{aligned}$$

The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined to be: \(\textsf {Adv2}_{\mathcal {G},\mathcal {A}}(\lambda )=|\text {Pr}[\mathcal {A}(D,T_1)=1]- \text {Pr}[\mathcal {A}(D,T_2)=1]|\).

Definition 3

We say that \(\mathcal {G}\) satisfies Assumption 2 if \(\textsf {Adv2}_{\mathcal {G},\mathcal {A}}(\lambda )\) is a negligible function of \(\lambda\) for any PPT algorithm \(\mathcal {A}\).

Assumption 3

Given a group generator \(\mathcal {G}\), define the following distribution:

$$\begin{aligned} (N &= p_1p_2p_3p_4,\mathbb {G},\mathbb {G}_T,\hat{e}) \xleftarrow {R} \mathcal {G},\alpha ,s \xleftarrow {R} \mathbb {Z}_N\\ g& \xleftarrow {R} \mathbb {G}_{p_1}, g_2,X_2,Y_2\xleftarrow {R} \mathbb {G}_{p_2}, X_3\xleftarrow {R} \mathbb {G}_{p_3},X_4\xleftarrow {R} \mathbb {G}_{p_4},\\ D& = (N,\mathbb {G},\mathbb {G}_T,\hat{e},g,g_2,g^{\alpha }X_2,g^sY_2,X_3,X_4),\\ T_1 & = \hat{e}(g,g)^{\alpha s}, T_2\xleftarrow {R} \mathbb {G}_{T}. \end{aligned}$$

The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined to be: \(\textsf {Adv3}_{\mathcal {G},\mathcal {A}}(\lambda )=|\text {Pr}[\mathcal {A}(D,T_1)=1]- \text {Pr}[\mathcal {A}(D,T_2)=1]|\).

Definition 4

We say that \(\mathcal {G}\) satisfies Assumption 3 if \(\textsf {Adv3}_{\mathcal {G},\mathcal {A}}(\lambda )\) is a negligible function of \(\lambda\) for any PPT algorithm \(\mathcal {A}\).

Assumption 4

Given a group generator \(\mathcal {G}\), define the following distribution:

$$\begin{aligned} (N &= p_1p_2p_3p_4,\mathbb {G},\mathbb {G}_T,\hat{e}) \xleftarrow {R} \mathcal {G},t',r' \xleftarrow {R} \mathbb {Z}_N\\ g,h& \xleftarrow {R} \mathbb {G}_{p_1}, g_2,X_2,A_2,B_2,D_2\xleftarrow {R} \mathbb {G}_{p_2}, X_3\xleftarrow {R} \mathbb {G}_{p_3},X_4,Z,A_4,D_4\xleftarrow {R} \mathbb {G}_{p_4},\\ D & = (N,\mathbb {G},\mathbb {G}_T,\hat{e},g,g_2,g^{t'}B_2,h^{t'}Y_2,X_3,X_4,hZ,g^{r'}D_2D_4),\\ T_1 & = h^{r'}A_2A_4, T_2\xleftarrow {R} \mathbb {G}_{p_1p_2p_4}. \end{aligned}$$

The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined to be: \(\textsf {Adv4}_{\mathcal {G},\mathcal {A}}(\lambda )=|\text {Pr}[\mathcal {A}(D,T_1)=1]- \text {Pr}[\mathcal {A}(D,T_2)=1]|\).

Definition 5

We say that \(\mathcal {G}\) satisfies Assumption 4 if \(\textsf {Adv4}_{\mathcal {G},\mathcal {A}}(\lambda )\) is a negligible function of \(\lambda\) for any PPT algorithm \(\mathcal {A}\).

3.2 Access structures and linear secret sharing schemes

Definition 6

[Access structures (Beimel 1996)] Let \(\mathcal {U}\) be a set of parties. A collection \(\mathbb {A}\subseteq 2^{\mathcal {U}}\) is monotone if \(\forall B\in \mathbb {A}\) and \(C\in 2^{\mathcal {U}}\): if \(B\subseteq C\) then \(C\in \mathbb {A}\). An access structure (resp. monotone access structure) on \(\mathcal {U}\) is a collection (resp. monotone collection) \(\mathbb {A}\) of non-empty subsets of \(\mathcal {U}\), i.e., \(\mathbb {A}\subseteq 2^{\mathcal {U}} {\setminus} \{\emptyset \}\). The sets in \(\mathbb {A}\) are called authorized sets, otherwise, the sets are called unauthorized sets.

Definition 7

Let \(\mathcal {U}\) be the attribute universe, where each attribute includes two parts: attribute name and its values. Each attribute has multiple values. An LSSS can be used to represent an access structure \((\mathbf {A},\rho )\) on \(\mathcal {U}\), where \(\mathbf {A}\) is an \(\ell \times n\) matrix which is called the share-generating matrix and \(\rho\) maps a row of \(\mathbf {A}\) into an attribute name index. An LSSS consists of two algorithms:

  • Share \(((\mathbf {A},\rho ),s)\): This algorithm is used to share a secret value s based on \(\mathbf {A}\). Considering a vector \(v = (s, y_{2},..., y_{n})^\text {T}\), where \(s\in \mathbb {Z}_{p}\) is the secret to be shared and \(y_{2},..., y_{n}\in _R \mathbb {Z}_{p}\), then \(\lambda _x=A_x\cdot v\) is a share of the secret s which corresponding to the attribute name indexed by \(\rho (x)\).

  • Reconstruction \((\lambda _{1},...,\lambda _{\ell },(M,\rho ))\): This algorithm is used to reconstruct s from secret shares. Let S be any authorized set and \(I=\{i| \rho (i)\in S\}\subseteq \{1, 2, ..., \ell \}\). Then there exists coefficients \(\{\omega _{i}\}_{i\in I}\) such that \(\sum _{i\in I}\omega _{i} A_{i}=(1,0,...,0)\), thus we have \(\sum _{i\in I}\omega _{i} \lambda _{i}=s\).

We say that \(I\subseteq \{1,2,\ldots ,\ell \}\) satisfies \((\mathbf {A},\rho )\) if there exists constants \(\{\omega _{i}\}_{i\in I}\) such that \(\sum _{i\in I}\omega _{i} A_{i}=(1,0,...,0)\). A subset I of \(\{1,2,\ldots ,\ell \}\) is said to be a minimum authorized set of \((\mathbf {A},\rho )\) if I satisfies \((\mathbf {A},\rho )\) and any \(I'\subset I\) does not satisfy \((\mathbf {A},\rho )\). We define \(\mathbf {I}_{\mathbf {A},\rho }\) as the set of subsets of \(\{1,2,\ldots ,\ell \}\) that are minimum authorized sets of \((\mathbf {A},\rho )\).

Suppose a user has a secret key associated with a set of attribute name indexes \(I_S\) and the corresponding attribute value set is \(S=(s_1,s_2,\ldots ,s_n)\). We use \(\mathbb {A}=(\mathbf {A},\rho ,T)\) to represent the adopted access structure, where \(T=(t_{\rho (1)},t_{\rho (2)},\ldots ,t_{\rho (n)})\) is the attribute value set specified by \((\mathbf {A},\rho )\). We also say that S matches \(\mathbb {A}\) if there exist an \(I\subseteq \{1,2,\ldots ,\ell \}\) satisfying \((\mathbf {A},\rho )\), \(I\subseteq \{i|\rho (i)\in I_S\}\) and \(s_{\rho (i)}=t_{\rho (i)}\) for each \(i\in I\).

4 System architecture and security model

In this section, we first describe the system architecture of data sharing in mobile cloud computing. Then we give the specification of an anonymous CP-ABE scheme with online/offline key generation and online/offline encryption mechanisms. Finally, we give a formalized security model.

4.1 System architecture

As shown in Fig. 1, the system architecture of data sharing in mobile cloud computing consists of four entities: attribute authority, mobile cloud service provider, data owner, and data user. The attribute authority is a key entity who generates system public parameters and master keys. In particular, it manages users in the system and is fully trusted. The process of key generation is split into an offline phase and an online phase. Most of computation is accomplished in the offline phase. A data owner aims to safely store his/her data on the cloud for fine-grained sharing. Before the data is specified, the data owner can generate offline ciphertexts. When the data becomes known, the data owner can calculate final ciphertexts online without significantly draining the battery. The mobile cloud service provider is in charge of saving the ciphertext data of data owners and it consists of a lot of cloud storage servers. A data user is an entity who has an attribute secret key and intends to access data stored on the cloud.

Fig. 1
figure 1

System architecture of data sharing in mobile cloud computing

Full size image

Before giving the formalized security model, we first lay out the definition of anonymous CP-ABE scheme with online/offline key generation and online/offline encryption mechanisms.

4.2 Definition of anonymous CP-ABE with offline key generation and offline encryption

An anonymous CP-ABE scheme with online/offline key generation and online/offline encryption mechanisms consists of six algorithms as below:

  • Setup (\(1^\lambda\)) \(\rightarrow (PK,MK)\): The setup algorithm takes as inputs the security parameter \(\lambda\), and it outputs the system public key PK and the master key MK.

  • Offline.KeyGen(PKMK) \(\rightarrow SK_\text {off}\): The offline key generation algorithm takes as inputs the system public key PK and the master key MK. It outputs \(SK_\text {off}\) as an offline key.

  • Online.KeyGen \((PK,SK_\text {off},S)\) \(\rightarrow SK_S\): Upon receiving an attribute set S, the online key generation algorithm takes as inputs the system public key PK and an offline key \(SK_\text {off}\). It generates \(SK_S\) as the secret key associated with S.

  • Offline.Enc (PK) \(\rightarrow CT_\text {off}\): The offline encryption algorithm takes as input the system public key PK, and it generates an offline ciphertext \(CT_\text {off}\).

  • Online.AnonEnc \((PK,CT_\text {off},M,\mathbb {A})\) \(\rightarrow CT_{\mathbb {A}}\): To encrypt a message M with the access structure \(\mathbb {A}\), the online anonymous encryption algorithm generates the final ciphertext \(CT_{\mathbb {A}}\) based on the system public key PK and an offline ciphertext \(CT_\text {off}\). It’s noted that the values of attributes in \(\mathbb {A}\) cannot be explicitly included in \(CT_{\mathbb {A}}\) considering the requirement of anonymity.

  • AnonDec \((PK,SK_S,CT_{\mathbb {A}})\) \(\rightarrow M\) or \(\bot\): The anonymous decryption algorithm takes as inputs the system public key PK, a secret key \(SK_S\) with respect to S and a ciphertext \(CT_{\mathbb {A}}\) associated with \(\mathbb {A}\) which is hidden in \(CT_{\mathbb {A}}\). If S matches \(\mathbb {A}\), it outputs the potential message M, and it outputs \(\bot\) otherwise.

In the following, we define the indistinguishability against chosen access structure and chosen plaintext attacks in anonymous CP-ABE supporting offline key generation and offline encryption.

4.3 Security model

The formal security model is defined by a game between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {B}\).

Setup: The challenger \(\mathcal {B}\) runs \((PK,MK)\leftarrow \mathbf {Setup} (1^\lambda )\). It gives the system public key PK to \(\mathcal {A}\) and keeps MK secret.

Phase 1: The adversary \(\mathcal {A}\) issues a polynomially bounded number of queries to the following key generation oracle.

  • \(\mathcal {O}_{KeyGen}\): The adversary \(\mathcal {A}\) submits an attribute set S. The challenger \(\mathcal {B}\) runs \(SK_\text {off} \leftarrow \mathbf {Offline.KeyGen} (PK,MK)\) and \(SK_S \leftarrow \mathbf {Online.KeyGen} (PK,SK_\text {off},S)\), then gives \(\mathcal {A}\) the secret key \(SK_S\) for S.

Challenge: Once \(\mathcal {A}\) decides that Phase 1 is over, it submits to \(\mathcal {B}\) two messages \(M_0\), \(M_1\) of equal length and two access structures \(\mathbb {A}^*_1=(\mathbf {A}^*,\rho ^*,T_0)\), \(\mathbb {A}^*_2=(\mathbf {A}^*,\rho ^*,T_1)\) with the restriction that \(\mathbb {A}^*_1\) and \(\mathbb {A}^*_2\) cannot be satisfied by any of the queried attribute sets in Phase 1. \(\mathcal {B}\) flips a random coin \(b \in \{0,1\}\), and encrypts \(M_b\) under \(\mathbb {A}\) by running \(CT_\text {off} \leftarrow \mathbf {Offline.Enc} (PK)\) and \(CT_{\mathbb {A}_b^*} \leftarrow \mathbf {Online.AnonEnc} (PK,CT_\text {off},M_b,\mathbb {A}^*_b)\). Then it sends \(CT_{\mathbb {A}_b^*}\) to \(\mathcal {A}\).

Phase 2: The same as Phase 1 with the restriction that \(\mathbb {A}^*_1\) and \(\mathbb {A}^*_2\) cannot be satisfied by any of the queried attribute sets.

Guess: The adversary \(\mathcal {A}\) outputs a guess bit \(b' \in \{0,1\}\) and wins the game if \(b'=b\). The advantage of an adversary \(\mathcal {A}\) in the above game is defined as \(\left| Pr [\,b'=b\,]-\frac{1}{2}\right|\), where the probability is taken over the random bits used by \(\mathcal {A}\) and \(\mathcal {B}\).

Definition 8

An anonymous CP-ABE scheme supporting offline key generation and offline encryption is semantically secure if all PPT adversaries have at most a negligible advantage in this security game.

5 Efficient and privacy-aware attribute-based data sharing in mobile cloud computing

5.1 The proposed data sharing system

5.1.1 System initialization

In the initialization phase, the attribute authority generates system public parameters and master keys by performing the following setup algorithm.

Setup \((1^\lambda )\): The setup algorithm first generates \((p_1,p_2,p_3,p_4,\mathbb {G},\mathbb {G}_T,\hat{e})\) with \(\mathbb {G}=\mathbb {G}_{p_1} \times \mathbb {G}_{p_2} \times \mathbb {G}_{p_3} \times \mathbb {G}_{p_4},\) where \(p_1,p_2,p_3,p_4\) are distinct primes, \(\mathbb {G}\) and \(\mathbb {G}_T\) are cyclic groups of order \(N=p_1p_2p_3p_4,\) and \(\hat{e}: \mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_{T}\) is a bilinear map. The attribute universe is \(\mathcal {U}=\{1,2,\ldots ,U\}\subseteq \mathbb {Z}_N.\) Then it uniformly chooses \(\alpha ,a,a_1,a_2,\ldots ,a_n\in _R \mathbb {Z}_N,\) \(g,h\in _R \mathbb {G}_{p_1}\), \(X_3\in _R \mathbb {G}_{p_3}\), \(Z,X_4\in _R \mathbb {G}_{p_4}\) and computes \(Y=\hat{e}(g,g)^\alpha ,H=hZ\). The system public parameters are published as

$$\begin{aligned} {PK}=( N,g,g^a,\{a_i\}_{1\le i\le U},Y,H,X_4), \end{aligned}$$

and the master key is \({MK}=(\alpha ,h,X_3).\)

5.1.2 Registration preparation phase

Before knowing an attribute set from users, the attribute authority generates an offline secret key based on the following algorithm, which is a preparation of the online key generation.

Offline.KeyGen(PKMK): The offline key generation algorithm uniformly chooses \(t,\hat{s}_1,\hat{s}_2,\ldots ,\hat{s}_U\in _R \mathbb {Z}_N\) and \(R,R',R_1,R_2,\ldots ,R_U\in _R \mathbb {G}_{p_3}\). It computes \(u_i=g^{a_i},\) for \(1\le i\le U\), and outputs the offline secret key \(SK_\text {off}=(K,K',\{\hat{s}_i,K_i\}_{1\le i\le U})\), where

$$\begin{aligned} K=g^{\alpha }g^{at}R,\,K'=g^tR',\,K_i=(u_i^t)^{\hat{s}_i}h^tR_i. \end{aligned}$$

5.1.3 New user registration

Upon receiving an attribute set \(S=(s_1,s_2,\ldots ,s_n)\) from a user, the attribute authority performs the following online key generation algorithm for the user registration.

Online.KeyGen \((PK,SK_\text {off},S)\): Based on \(SK_\text {off}=(S,K,K',\{\hat{s}_i,K_i\}_{1\le i\le U})\), the online key generation algorithm outputs \(SK_S=(S,K,K',\{L_i,K_i\}_{i\in I_S})\) as the final secret key associated with S, where \(I_S\subseteq \{1,2,\ldots ,U\}\) is the attribute name index set corresponding to the attribute value set S, \(|I_S|=n\) and \(L_i=s_i-\hat{s}_i\). Without loss of generality, it is supposed that the i-th attribute name in S has attribute value \(s_i\) for simplicity of description.

5.1.4 Data sharing preparation

Before specifying an access structure, the data owner generates an offline ciphertext based on the following algorithm, which is a preparation of the online data sharing phase.

Offline.Enc (PK) The offline encryption algorithm chooses \(s,s'\in _R \mathbb {Z}_N\) and \(\hat{t}_k\in _R \mathbb {Z}_N\) for \(1\le k \le U.\) It also uniformly chooses \(\hat{\lambda }'_x,\hat{\lambda }_x,r'_x,r_x\in _R \mathbb {Z}_N\) and \(Z_{0,x},Z'_{0,x},Z_{1,x},Z'_{1,x}\in _R\mathbb {G}_{p_4}\), for \(1\le x \le U\). Then it calculates \(u_k=g^{a_k}\) for \(k\in \{1,2,\ldots ,U\}\) and sets the offline ciphertext as

$$\begin{aligned} CT_\text {off}=\left( \{\hat{t}_k\}_{1\le k\le U},s',\tilde{C}_0,\bar{C}_0,\{\hat{\lambda }'_x,C_{0,x,k},D_{0,x}\}_{1\le x\le U,1\le k\le U},s,\hat{C}_1,\bar{C}_1,\{\hat{\lambda }_x,C_{1,x,k},D_{1,x}\}_{1\le x\le U,1\le k\le U}\right) , \end{aligned}$$

where

$$\begin{aligned} \tilde{C}_0=Y^{s'},\bar{C}_0=g^{s'},C_{0,x,k}=g^{a\hat{\lambda }'_x}(u_k^{\hat{t}_k}H)^{-r'_x}Z_{0,x},D_{0,x}=g^{r'_x}Z'_{0,x}, \end{aligned}$$
$$\begin{aligned} \hat{C}_1=Y^s,\bar{C}_1=g^s,C_{1,x,k}=g^{a\hat{\lambda }_x}(u_k^{\hat{t}_k}H)^{-r_x}Z_{1,x},D_{1,x}=g^{r_x}Z'_{1,x}. \end{aligned}$$

5.1.5 Privacy-aware data sharing

When the access structure is specified, the data owner chooses an offline ciphertext \(CT_\text {off}\) and generates final online ciphertexts for online privacy-aware and fine-grained data sharing. Specifically, to encrypt a message \(M\in \mathbb {G}_T\) under an access structure \(\mathbb {A}=(\mathbf {A},\rho ,T)\), where \(\mathbf {A}\) is an \(\ell \times m\) matrix, \(\rho\) is a map from each row \(A_x\) of \(\mathbf {A}\) to an attribute name index in \(\{1,2,\ldots ,U\}\), and \(T=(t_{\rho (1)},t_{\rho (2)},\ldots ,t_{\rho (\ell )})\in \mathbb {Z}_N^\ell\), the data owner performs the following algorithm. Similar to the scheme due to Lai et al. (2012), each attribute name can only be used once in an access structure. Therefore, \(\ell \le U\).

Online.AnonEnc \((PK,CT_\text {off},M,\mathbb {A})\): The online anonymous encryption algorithm chooses \(v'_i,v_i\in _R \mathbb {Z}_N\), for \(i\in \{2,3,\ldots ,m\},\) and sets \(v'=(s',v_2',\ldots ,v_m')\) and \(v=(s,v_2,\ldots ,v_m)\). Then, it computes \(\lambda '_x=\mathbf {A}_x\cdot v,'\) \(\lambda _x=\mathbf {A}_x\cdot v,\) \(F_{0,x}=\lambda '_x-\hat{\lambda }'_x,\) \(F_{1,x}=\lambda _x-\hat{\lambda }_x,\) \(E_{\rho (x)}=t_{\rho (x)}-\hat{t}_{\rho (x)}\), for \(1\le x\le \ell\). Finally, it sets the final ciphertext as

$$\begin{aligned} CT_{\mathbb {A}}=((\mathbf {A},\rho ),\{E_{\rho (x)}\}_{1\le x\le \ell },\tilde{C}_0,\bar{C}_0,\{F_{0,x},C_{0,x},D_{0,x}\}_{1\le x\le \ell },\tilde{C}_1,\bar{C}_1,\{F_{1,x},C_{1,x},D_{1,x}\}_{1\le x\le \ell }), \end{aligned}$$

where \(\tilde{C}_1=\hat{C}_1\cdot M,\) \(C_{0,x}=C_{0,x,\rho (x)}\) and \(C_{1,x}=C_{1,x,\rho (x)}\) for \(1\le x\le \ell .\)

5.1.6 Privacy-aware data access

A data user downloads a ciphertext \(CT_{\mathbb {A}}\) from the mobile cloud service provider, and performs the following privacy-aware decryption algorithm based on his/her secret key \(SK_S\) to recover the corresponding data.

AnonDec \((PK,SK_S,CT_{\mathbb {A}}):\) Let \(CT_{\mathbb {A}}=((\mathbf {A},\rho ),\{E_{\rho (x)}\}_{1\le x\le \ell },\tilde{C}_0,\bar{C}_0,\{F_{0,x},C_{0,x},D_{0,x}\}_{1\le x\le \ell },\) \(\tilde{C}_1,\bar{C}_1,\{F_{1,x},C_{1,x},D_{1,x}\}_{1\le x\le \ell })\), \(SK_S=(S,K,K',\{L_i,K_i\}_{i\in I_S})\) and \(S=(s_1,s_2,\) \(\ldots ,s_n)\). The anonymous decryption algorithm first calculates \(\mathbf {I}_{\mathbf {A},\rho }\) from \((\mathbf {A},\rho )\), where \(\mathbf {I}_{\mathbf {A},\rho }\) denotes the set of minimum subsets of \(\{1,2,\ldots ,\ell \}\) that satisfies \((\mathbf {A},\rho )\). Then it checks if there exists an \(I\in \mathbf {I}_{\mathbf {A},\rho }\) that satisfies

$$\begin{aligned} \tilde{C}_0=\frac{\hat{e}(\bar{C}_0,K)}{\prod _{i\in I}\left( \hat{e}(C_{0,i}\cdot (g^a)^{F_{0,i}}\cdot D_{0,i}^{-a_{\rho (i)}E_{\rho (i)}},K')\hat{e}(D_{0,i},K_{\rho (i)}\cdot (K')^{a_{\rho (i)}L_{\rho (i)}})\right) ^{\omega _i}}, \end{aligned}$$
(1)

where \(I\subseteq \{i|\rho (i)\in I_S\}\) and \(\sum _{i\in I}\omega _iA_i=(1,0,\ldots ,0)\) for some constants \(\{\omega _i\}_{i\in I}\). If no such I exists, it outputs \(\bot\) to indicate that S does not satisfy the hidden access structure \(\mathbb {A}\). Otherwise, it returns \(M=\frac{\tilde{C}_1}{E}\), where

$$\begin{aligned} E=\frac{\hat{e}(\bar{C}_1,K)}{\prod _{i\in I}\left( \hat{e}(C_{1,i}\cdot (g^a)^{F_{1,i}}\cdot D_{1,i}^{-a_{\rho (i)}E_{\rho (i)}},K')\hat{e}(D_{1,i},K_{\rho (i)}\cdot (K')^{a_{\rho (i)}L_{\rho (i)}})\right) ^{\omega _i}}. \end{aligned}$$
(2)

5.2 Consistency of the proposed data sharing system

The proposed data sharing system is correct. Obviously, we only need to show the correctness of Eq. (1) and \(M=\frac{\tilde{C}_1}{E}\) based on Eq. (2). On one hand, if and only if \(s_{\rho (i)}=t_{\rho (i)}\) for \(i\in I\), we have

$$\begin{aligned} &\frac{\hat{e}(\bar{C}_0,K)}{\prod _{i\in I}\left( \hat{e}(C_{0,i}\cdot (g^a)^{F_{0,i}}\cdot D_{0,i}^{-a_{\rho (i)}E_{\rho (i)}},K')\hat{e}(D_{0,i},K_{\rho (i)}\cdot (K')^{a_{\rho (i)}L_{\rho (i)}})\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(\bar{C}_0,K)}{\prod _{i\in I}\left( \hat{e}((g^{a\hat{\lambda }'_i}(u_{\rho (i)}^{\hat{t}_{\rho (i)}}H)^{-r'_i}Z_{0,i})\cdot (g^a)^{\lambda '_i-\hat{\lambda }'_i}\cdot (g^{r'_i}Z'_{0,i})^{-a_{\rho (i)}(t_{\rho (i)}-\hat{t}_{\rho (i)})},g^tR') \hat{e}(g^{r'_i}Z'_{0,i},((u_{\rho (i)}^t)^{\hat{s}_{\rho (i)}}h^tR_{\rho (i)})\cdot (g^tR')^{a_{\rho (i)}(s_{\rho (i)}-\hat{s}_{\rho (i)})})\right) ^{\omega _i}} \\ & \quad =\frac{\hat{e}(\bar{C}_0,K)}{\prod _{i\in I}\left( \hat{e}(g^{a\lambda '_i}(u_{\rho (i)}^{t_{\rho (i)}}H)^{-r'_i}Z_{0,i} (Z'_{0,i})^{-a_{\rho (i)}(t_{\rho (i)}-\hat{t}_{\rho (i)})},g^tR') \hat{e}(g^{r'_i}Z'_{0,i},(u_{\rho (i)}^t)^{s_{\rho (i)}}h^tR_{\rho (i)} (R')^{a_{\rho (i)}(s_{\rho (i)}-\hat{s}_{\rho (i)})})\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(\bar{C}_0,K)}{\prod _{i\in I}\left( \hat{e}(g^{a\lambda '_i}(u_{\rho (i)}^{t_{\rho (i)}}h)^{-r'_i},g^t) \hat{e}(g^{r'_i},(u_{\rho (i)}^t)^{s_{\rho (i)}}h^t)\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(g^{s'},g^{\alpha }g^{at}R)}{\prod _{i\in I}\left( \hat{e}(g^{a\lambda '_i},g^t)\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(g^{s'},g^{\alpha }g^{at})}{\left( \hat{e}(g^{a},g^t)\right) ^{\sum _{i\in I}\omega _i\lambda '_i}} \\ & \quad = \hat{e}(g,g)^{\alpha s'}=Y^{s'}=\tilde{C}_0. \\ \end{aligned}$$

Therefore, Eq. (1) holds. On the other hand,

$$\begin{aligned}&\frac{\hat{e}(\bar{C}_1,K)}{\prod _{i\in I}\left( \hat{e}(C_{1,i}\cdot (g^a)^{F_{1,i}}\cdot D_{1,i}^{-a_{\rho (i)}E_{\rho (i)}},K')\hat{e}(D_{1,i},K_{\rho (i)}\cdot (K')^{a_{\rho (i)}L_{\rho (i)}})\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(\bar{C}_1,K)}{\prod _{i\in I}\left( \hat{e}((g^{a\hat{\lambda }_i}(u_{\rho (i)}^{\hat{t}_{\rho (i)}}H)^{-r_i}Z_{1,i})\cdot (g^a)^{\lambda _i-\hat{\lambda }_i}\cdot (g^{r_i}Z'_{1,i})^{-a_{\rho (i)}(t_{\rho (i)}-\hat{t}_{\rho (i)})},g^tR') \hat{e}(g^{r_i}Z'_{1,i},((u_{\rho (i)}^t)^{\hat{s}_{\rho (i)}}h^tR_{\rho (i)})\cdot (g^tR')^{a_{\rho (i)}(s_{\rho (i)}-\hat{s}_{\rho (i)})})\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(\bar{C}_1,K)}{\prod _{i\in I}\left( \hat{e}(g^{a\lambda _i}(u_{\rho (i)}^{t_{\rho (i)}}H)^{-r_i}Z_{1,i} (Z'_{1,i})^{-a_{\rho (i)}(t_{\rho (i)}-\hat{t}_{\rho (i)})},g^tR') \hat{e}(g^{r_i}Z'_{1,i},(u_{\rho (i)}^t)^{s_{\rho (i)}}h^tR_{\rho (i)} (R')^{a_{\rho (i)}(s_{\rho (i)}-\hat{s}_{\rho (i)})})\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(\bar{C}_1,K)}{\prod _{i\in I}\left( \hat{e}(g^{a\lambda _i}(u_{\rho (i)}^{t_{\rho (i)}}h)^{-r_i},g^t) \hat{e}(g^{r_i}Z'_{1,i},(u_{\rho (i)}^t)^{s_{\rho (i)}}h^t\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(g^{s},g^{\alpha }g^{at}R)}{\prod _{i\in I}\left( \hat{e}(g^{a\lambda _i},g^t)\right) ^{\omega _i}} \\ & \quad = \frac{\hat{e}(g^{s},g^{\alpha }g^{at})}{\left( \hat{e}(g^{a},g^t)\right) ^{\sum _{i\in I}\omega _i\lambda _i}} \\ & \quad = \hat{e}(g,g)^{\alpha s}=Y^{s}, \\ \end{aligned}$$

and hence \(\frac{\tilde{C}_1}{E}=\frac{\hat{C}_1\cdot M}{E}=\frac{Y^s\cdot M}{Y^s}=M\) based on Eq. (2).

6 Analysis of the proposed system

6.1 Security analysis

Theorem 1

If assumptions 1, 2, 3 and 4 hold, then the proposed privacy-aware attribute-based data sharing system supporting offline key generation and offline encryption is secure.

Proof

Because the proposed attribute-based data sharing system is based on an anonymous CP-ABE scheme supporting offline key generation and offline encryption, we just need to show the security of the proposed anonymous CP-ABE scheme. The proposed anonymous CP-ABE scheme \(\Pi =(\textsf {Setup},\textsf {Offline.KeyGen},\) \(\textsf {Online.KeyGen},\) \(\textsf {Offline.Enc},\textsf {Online.AnonEnc},\textsf {AnonDec})\) is an improved version of the scheme due to Lai et al. (2012), denoted by \(\Pi _o=(\textsf {Setup}_o,\textsf {KeyGen}_o,\textsf {Encrypt}_o,\) \(\textsf {Decrypt}_o)\). Because the scheme \(\Pi _o\) is secure under Assumptions 1, 2, 3 and 4, if we can reduce the security of \(\Pi\) to that of \(\Pi _o\), then the proposed scheme is secure in the proposed security model under Assumptions 1, 2, 3 and 4. Suppose there exists a PPT attacker \(\mathcal {A}\) with a non-negligible advantage \(\epsilon\) in the proposed security game against \(\Pi\). We show how to design a PPT simulator \(\mathcal {B}\), which can break the security of \(\Pi _o\) with an advantage \(\epsilon\).

Setup: It is noted that, in the security analysis of \(\Pi _o\), the challenger of \(\Pi _o\) randomly chooses \(a_i\in \mathbb {Z}_N\) to generate the pubic parameter \(u_i=g^{a_i}\) for each \(1\le i\le U\). Therefore, it is feasible to replace the public parameter \(u_i\) in \(\Pi _o\) with \(a_i\) and \(g^{a_i}\) is used for computation, which is same as our proposed scheme. Hence, we suppose the challenger \(\mathcal {B}\) receives public parameters \({PK}=( N,g,g^a,\{a_i\}_{1\le i\le U},Y,H,X_4)\) from the challenger of \(\Pi _o\). Then, \(\mathcal {B}\) sends PK to \(\mathcal {A}\).

Phase 1: \(\mathcal {A}\) makes key generation queries.

  • \(\mathcal {O}_{KeyGen}\)(S): \(\mathcal {A}\) submits an attribute set S to \(\mathcal {B}\). \(\mathcal {B}\) just passes S to the challenger of \(\Pi _o\) and obtains the secret key \(SK_o=(S,K,K',\{K_i^o\}_{i\in I_S})\). Then, \(\mathcal {B}\) chooses \(L_i\in _R \mathbb {Z}_N\), computes \(K_i=K_i^o\cdot (K')^{-a_iL_i}\) and gives \(\mathcal {A}\) the secret key \(SK_S=(S,K,K',\{L_i,K_i\}_{i\in I_S})\).

Challenge: The adversary \(\mathcal {A}\) submits to \(\mathcal {B}\) two messages \(M_0\), \(M_1\) of equal length and two access structures \(\mathbb {A}^*_0=(\mathbf {A}^*,\rho ^*,T_0)\), \(\mathbb {A}^*_1=(\mathbf {A}^*,\rho ^*,T_1)\) with the restriction that \(\mathbb {A}^*_0\) and \(\mathbb {A}^*_1\) cannot be satisfied by any of the queried attribute sets. \(\mathcal {B}\) sends them to the \(\Pi _o\) challenger and receives a challenge ciphertext \(CT^*_o=((\mathbf {A}^*,\rho ^*),\tilde{C}_0,\bar{C}_0,\{C_{0,x}^o,D_{0,x}\}_{1\le x\le \ell ^*},\) \(\tilde{C}_1,\bar{C}_1,\{C_{1,x}^o,D_{1,x}\}_{1\le x\le \ell ^*})\), which is the \(\Pi _o\) ciphertext of the message \(M_b\) with \(b\in _R\{0,1\}\) chosen by the challenger of \(\Pi _o\). It then chooses \(\{E_{\rho (x)},F_{0,x},\) \(F_{1,x}\in _R \mathbb {Z}_N\}_{1\le x\le \ell ^*}\), and sets

$$\begin{aligned} CT_{\mathbb {A}^*_b}=((\mathbf {A}^*,\rho ^*),\{E_{\rho (x)}\}_{1\le x\le \ell ^*},\tilde{C}_0,\bar{C}_0,\{F_{0,x},C_{0,x},D_{0,x}\}_{1\le x\le \ell ^*},\tilde{C}_1,\bar{C}_1,\{F_{1,x},C_{1,x},D_{1,x}\}_{1\le x\le \ell ^*}), \end{aligned}$$

where \(C_{0,x}=C_{0,x}^o\cdot (g^a)^{-F_{0,x}}\cdot D_{0,x}^{a_{\rho (x)}E_{\rho (x)}}\) and \(C_{1,x}=C_{1,x}^o\cdot (g^a)^{-F_{1,x}}\cdot D_{1,x}^{a_{\rho (x)}E_{\rho (x)}}\). Obviously, \(CT_{\mathbb {A}^*_b}\) is a challenge ciphertext of \(\Pi\), and \(\mathcal {B}\) just sends it to \(\mathcal {A}\).

Phase 2: The same as Phase 1 with the restriction that \(\mathbb {A}^*_1\) and \(\mathbb {A}^*_2\) cannot be satisfied by any of the queried attribute sets.

Guess: Finally, the adversary \(\mathcal {A}\) outputs a guess bit \(b_{\mathcal {A}}\in \{0,1\}\). The challenger \(\mathcal {B}\) just sets its guess bit as \(b_{\mathcal {B}}=b_{\mathcal {A}}\). Therefore, if \(\mathcal {A}\) can break the proposed scheme with an advantage \(\epsilon\), then \(\mathcal {B}\) breaks the scheme \(\Pi _o\) with the same probability. \(\square\)

6.2 Performance analysis

In the proposed scheme, we realize offline computation in anonymous CP-ABE for the first time. It easily follows that only n subtraction operations \(\mathbf {A}\) in arithmetic are needed for the attribute authority to generate a secret key in the online phase, where n means the number of attributes in the attribute set. In the online encryption phase, a data owner only needs to perform multiplication operations \(\mathbf {M}\) in arithmetic determined by \(k=\ell \cdot m\), where \(\ell\) and m are respectively the number of rows and columns in the matrix of the access structure. In the offline encryption phase, the data owner does not know the message and access structure. The final ciphertext generated in the online phase does not explicitly include the attribute values specified in the access structure. Accordingly, the proposed scheme can preserve users’ attribute privacy. Similar to the anonymous CP-ABE scheme due to Lai et al. (2012), our scheme is proven fully secure in the standard model and it supports any monotonic access structures. The comparisons of the proposed scheme with some typical CP-ABE schemes are shown in Table 1, where \(\mathbf {E}\) represents an exponentiation operation in groups and N is the number of attribute values in the scheme due to Nishide et al. (2008).

Table 1 Comparisons of typical CP-ABE schemes
Full size table

7 Conclusion

We propose a privacy-aware attribute-based data sharing system supporting online/offline key generation and online/offline encryption. The proposed system is proven fully secure in the standard model. Because the attribute values of access structures are hidden in ciphertexts, our system can protect users’ attribute privacy. The offline mechanism ensures that the attribute authority can provide better registration services and the system is suitable for resource-limited data owners in mobile cloud computing.