A Verifiable and Fair Attribute-Based Proxy Re-Encryption Scheme For Data Sharing in Clouds

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
Transactions on Dependable and Secure Computing
A Verifiable and Fair Attribute-based Proxy

Re-encryption Scheme for Data Sharing in Clouds
Chunpeng Ge, Willy Susilo∗ , Joonsang Baek, Zhe Liu∗ , Jinyue Xia, and Liming Fang
1 Abstract—To manage outsourced encrypted data sharing in Therefore, attribute-based proxy re-encryption (ABPRE) was 40
2 clouds, attribute-based proxy re-encryption (ABPRE) has become used to enable direct transformation from a ciphertext to 41
3 an elegant primitive. In ABPRE, a cloud server can transform an another one. And all the cloud server needs to deal with is 42
4 original recipient’s ciphertext to a new one of a shared user’s.
5 As the transformation is computation consuming, a malicious the encrypted data and a re-encryption key. The ciphertext 43
6 cloud server may return an incorrect re-encrypted ciphertext under one policy would be transformed by re-encryption to 44
7 to save its computation resources. Moreover, a shared user a new ciphertext associate with another policy. During the 45
8 may accuse the cloud server of returning an incorrect re- transformation, the cloud server cannot reveal the underlying 46
9 encrypted ciphertext to refuse to pay the cost of using the cloud plaintext. In such a manner, the recipient with access policy P1 47
10 service. However, existing ABPRE schemes do not support a
11 mechanism to achieve verifiability and fairness. In this paper, is able to share its outsourced encrypted data with a shared user 48
12 a novel verifiable and fair attribute-based proxy re-encryption with access policy P2 . However, a main issue of ABPRE is 49
13 (VF-ABPRE) scheme is introduced to support verifiability and that the recipient cannot ensure the validity of the re-encrypted 50
14 fairness. The verifiability enables a shared user to verify whether ciphertext returned by the cloud server. Since the re-encryption 51
15 the re-encrypted ciphertext returned by the server is correct computation’s complexity is linear with the size of the access 52
16 and the fairness ensures a cloud server escape from malicious
17 accusation if it has indeed conducted the re-encryption operation policy, the computation can be very expensive. As a result, the 53
18 honestly. Additionally, we conduct a performance experiment cloud server may reuse a previously generated re-encrypted 54
19 to show the efficiency and practicality of the new VF-ABPRE ciphertext or even a random re-encrypted ciphertext to save 55
20 scheme. its computation resource [3]. Moreover, the current ABPRE 56
21 Index Terms—Attribute-based proxy re-encryption, Data shar- schemes cannot achieve the fairness property which prevents 57
22 ing, Cloud computing, Verifiability, Fairness.
the cloud server from a malicious accusation of returning 58
23 I. I NTRODUCTION an incorrect re-encrypted ciphertext if it has indeed behaved 59
honestly. 60
LOUD computing, which provides adequate storage and
24
25
26
C computation capability, has been a prevalent information
infrastructure. Instead of managing data locally, cloud services
We use the following genome data research system to
illustrate the aforementioned problem. A volunteer uploads his
61
62
personal genome data to an online genomics research center. 63

27 provide an opportunity for users outsourcing their data on
To protect the confidentiality of his genome data, the volunteer 64
28 the cloud without data management concerns. While it is so
encrypts his genome data with an access policy P1 : “California 65
29 convenient to use, data security and privacy especially access
center” AND (“Brain” OR “Neurology”) AND “Research 66
30 control on shared data become a concern since the cloud
scientist” that indicates a brain or neurology research scientist 67
31 service is usually provided by third parties [1] such as the
from California center can access the genome data. After 68
32 Amazon cloud services and Alibaba cloud. Recently, attribute-
encryption is completed, he uploads it to the cloud server. 69
33 based encryption (ABE) [2] has been adopted to support
Later, another user Alice who satisfies P1 may need to share 70
34 flexible access control on user’s credential. In a typical ABE
this genome data with her colleagues with access policy P2 : 71
35 scheme, a user’s credential and ciphertext are associate with
“Washington center” AND (“Brain” OR “Neurology”) AND 72
36 an attribute set and an access policy. The ciphertext can only
“Professor to conduct some joint research. With ABPRE, 73
37 be decrypted when the attribute set satisfies the access policy.
the cloud server can re-encrypt the original ciphertext to a 74
38 However, ABE lacks the ability of encrypted data sharing
shared user’s ciphertext. The scenario is depicted in Fig. 1. The 75
39 which is critical in the situation of collaboration needed.
concern is that the shared user cannot assure that the returned 76
∗ Co-corresponding authors. re-encrypted ciphertext is a correct re-encrypted ciphertext of 77
C. Ge is with Nanjing University of Aeronautics and Astronautics, Nanjing, the original ciphertext [3]. The cloud server may return an 78
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China,
Science and Technology on Parallel and Distributed Processing Laboratory, incorrect re-encrypted ciphertext to save its computation cost. 79
and University of Wollongong, Wollongong, Australia. gecp@nuaa.edu.cn. Incorrect genome data may lead to a disaster to the research 80
W. Susilo and J. Baek are with University of Wollongong, Wollongong, result. Another issue is that, the shared user may accuse the 81
Australia. {wsusilo, baek}@uow.edu.au.
Z. Liu is with Nanjing University of Aeronautics and Astronautics, and cloud serve of returning an incorrect re-encrypted ciphertext 82
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China. even if the re-encrypted ciphertext is correct [4]. By doing so, 83
zheliu@nuaa.edu.cn. the shared user may refuse to pay for the cloud service which 84
L. Fang is with Nanjing University of Aeronautics and Astronautics.
fangliming@nuaa.edu.cn. is a critical problem for the commercial cloud service system. 85
J. Xia is with IBM. jinyue.xia@ibm.com. At first glance, one may think this issue can be resolved 86
1545-5971 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Dalhousie University. Downloaded on June 18,2021 at 23:32:36 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2021.3076580, IEEE
as the pay-TV system [6]. In contrast, CP-ABE fits well for the 127
䌀吀 cloud sharing system as the user can appoint the access to the 128
倀㄀ recipients [5]. Following their work, the work on ABE have 129
䌀吀ᤠ addressed concerns on the efficiency [7]–[12], security [13]– 130
䌀吀爀
欀倀ⴀⴀ㸀倀
㄀㈀䌀吀ᤠ 倀㈀
[16] and anonymity [17]–[20]. 131
倀㄀倀㈀
ABPRE. In proxy re-encryption [21], [22], a ciphertext is 132
爀
欀
匀栀愀爀
攀搀
甀猀攀爀 transformed to a new one of another user’s by a proxy using 133
倀ⴀ
ⴀ㸀倀
㄀㈀
a re-encryption key. It allows a user to share its encryption 134
to others without disclosing the plaintext to the proxy. To 135
伀爀
椀最椀
渀愀氀

爀攀挀
椀瀀椀
攀渀琀 detect whether the proxy has the maliciously behaved, Ohata 136
et al. [23] presented a mechanism to verify the output of 137
Fig. 1. System model of ABPRE. the proxy. However, their scheme cannot provide a fine- 138
grained access control on encrypted data. Moreover, in their 139
scheme, the original recipient’s public key is required for the 140
87 through verifying the re-encryption if the server publishes the verification of the re-encrypted ciphertext, which also means 141
88 re-encryption key and the original ciphertext. By doing so, the shared user must identify each re-encrypted ciphertext 142
89 everyone can repeat the re-encryption operation to verify the with the original recipient. What’s important is that it lacks a 143
90 correctness of the ciphertext returned by the server. However, mechanism to protect the proxy from malicious accusation. In 144
91 such a manner is impractical as the re-encryption operation the meanwhile, Liang et al. [24] introduced this notion to the 145
92 cost is expensive, it is not suitable for a verifier to repeat attribute-based setting and thus achieves a flexible description 146
93 this computation costly work. Another trivial solution is that on the encrypted data. Following their work, many ABPRE 147
94 a shared user can reveal his private key so that the original schemes were proposed to extend the expressiveness of the 148
95 recipient can decrypt the returned re-encrypted ciphertext access policy [25]–[27] and enhance the security model [28]– 149
96 and then he can validate the plaintext is original. However, [30]. Unfortunately, none of above ABPRE works have con- 150
97 revealing private key may result in critical security issues to sidered the verifiability and the fairness properties which are 151
98 the shared user. critical for an outsourced re-encryption system. 152
99 A. Motivations C. Our contribution 153
100 Although the existing ABPRE schemes can protect data

We present a VF-ABPRE scheme, and our contributions are: 154
101 confidentiality and enable fine-grained data sharing for out-
• First, we present a formal definition of VF-ABPRE which 155
102 sourced encrypted data, they cannot provide verifiability and
103 fairness. Thus, we need a mechanism to achieve verifiability considers the verifiability and fairness of attribute-based 156
104 and fairness for ABPRE while keeping its confidentiality. encrypted data sharing in cloud computing. 157
• Then, we construct a concrete VF-ABPRE scheme and 158

105 More specifically, we need to design an ABPRE scheme that:
prove its confidentiality, verifiability and fairness. 159
106 1) enables fine-grained encrypted data sharing while keeping
• Finally, we conduct an implementation to evaluate the 160
107 the confidentiality of the underlying data;
performance of our proposed scheme to demonstrate its 161
108 2) enables the shared user to verify the correctness of the
practicality and efficiency. 162
109 re-encrypted ciphertext returned from the cloud server;
110 3) protects the cloud server to escape from a malicious accu- II. S YSTEM A RCHITECTURE AND D EFINITIONS 163
111 sation if it has returned a correct re-encrypted ciphertext.
We start with the system architecture and work flow of 164
112 Therefore, we introduce a verifiable and fair attribute-
the proposed VF-APPRE scheme. The algorithms and se- 165
113 based proxy re-encryption (VF-ABPRE) scheme for cloud
curity model are illustrated afterwords. Note that we take 166
114 computing, whereby the shared user can verify the correctness
the ciphertext-policy setting into consideration, however, our 167
115 of the re-encrypted ciphertext, and the server can protect itself
method is applicable in the key-policy setting. 168
116 from a malicious accusation.
117 B. Related work A. System architecture 169
118 ABE. In a typical ABE [2] setup, a user only can access the A verifiable and fair ciphertext-policy attribute-based proxy 170
119 plaintext from a ciphertext if his credential satisfies the access re-encryption (VF-CP-ABPRE) system includes the following 171
120 policy. According to the manner of a secret key/ciphertext entities, data owner, original recipient, a cloud server act as a 172
121 is generated, ABE is categorized into ciphertext-policy ABE proxy and shared recipients. In addition, there is an authority 173
122 (CP-ABE) [5] and key-policy ABE (KP-ABE) [6]. In CP- center that initializes the system and issues private keys for 174
123 ABE, a ciphertext is generated with an access policy and a users. 175
124 secret key is with attribute set, while KP-ABE is in contrast. • The authority center initializes the system by generating 176
125 As illustrated in [6], KP-ABE is suitable for the scenarios system parameters and issuing private keys for partici- 177
126 where the authority decides who are the authorized users, such pants. 178
179 • A user encrypts his personal data under an access policy • KeyGen(msk, S): KeyGen is also executed by the 231
180 and stores the resulting ciphertext on cloud. authority party. This step outputs the secret keys for 232
181 • The original recipient, who wants to share encrypted data participants. It takes the master key msk and an attribute 233
182 that originally sent to him with some other shared users, set S as the input, and generates the secret key sk for S. 234
183 generates a re-encryption key which will be used by • Enc(m, (A, ρ)): This step encrypts a message m with an 235
184 the cloud server to convert his ciphertext for the shared access policy (A, ρ) and generates an original ciphertext 236
185 users’. CT . 237
186 • The cloud server (e.g. AWS) stores the ciphertexts, and • ReKeyGen(sk, (A, e ρe)): This algorithm uses a private 238
187 conducts the re-encryption operations. key sk of attribute set S and an access policy (A, e ρe), 239
188 • The shared user can decrypt a re-encrypted ciphertext where R(S, (A, e ρe)) = 01 and outputs a re-encryption key 240
189 as normal. Additionally, he can verify whether the re- rk. 241
190 encrypted ciphertext is correct. If it is incorrect, he is • ReEnc(rk, CT ): A re-encryption key rk and an original 242
191 able to present a proof to show that the re-encryption is ciphertext CT are the inputs, ReEnc(rk, CT ) outputs a 243
192 an invalid one. re-encrypted ciphertext CT 0 . 244
• Decor (sk, CT ): This step is to decrypt an original cipher- 245

193 B. Threat model text CT . Inputs a secret key sk and an original ciphertext 246
194 In our treat model, we consider the following threats: CT , outputs the plaintext m if CT is a valid ciphertext 247
195 • An adversary including the cloud server without a valid or abort ⊥ otherwise. 248
196 private key may want to reveal the plaintext from a • Decre (sk, CT 0 , CT ): The Decre algorithm is leveraged 249
197 ciphertext (including the original ciphertext and the re- to decrypt a re-encrypted ciphertext CT 0 . Inputs a secret 250
198 encrypted ciphertext). This is type of attack is viewed as key sk, an original ciphertext CT and its re-encrypted 251
199 a threat to data confidentiality. ciphertext CT 0 , outputs the plaintext m if CT 0 is a valid 252
200 • A malicious may want to return an incorrect re-encrypted re-encrypted ciphertext of CT or ⊥ otherwise. 253
201 ciphertext without been detected by the shared user. This • Claim(CT, rk, CT 0 , π): The Claim algorithm is ex- 254
202 type of attack is viewed as a threat to the verifiability. ecuted between a shared user and a public verifier. 255
203 • A shared user may want to make a wrong claim to The input of the shared user and the public verifier 256
204 accuse that the cloud server has returned an incorrect re- is (CT, rk, CT 0 ). The shared user outputs a proof π 257
205 encrypted ciphertext even if the cloud server has returned to claim that CT 0 returned by the cloud server is an 258
206 a correct one. This type of attack is viewed as a threat to incorrect re-encrypted ciphertext of CT under rk. The 259
207 the fairness. public verifier verifies the claim and outputs true if the 260
claim is correct which means CT 0 is an incorrect re- 261
208 C. Linear secret sharing scheme encrypted ciphertext of CT . Otherwise, outputs f lase 262
209 A Linear secret sharing scheme (LSSS) Π is linear over a that indicates the claim is incorrect. 263
210 set of parties (over Zp ) if: In the above definition, there is the public parameter as part 264
211 • every party’s share is a vector over Zp . of the input for each algorithm and is omitted for simplicity. 265
212 • There exits an l × n matrix A, and a function ρ, where

213 ρ(j) ∈ P, j ∈ {1, · · · , l}. Denote r is the shared secret, E. Security definitions 266
214 and r2 , · · · , rn ∈ Zp are random values from Zp . Let

As illustrated in the threat model, there are three types of 267
215 µ = (r, r2 , · · · , rn ) is a column vector, then Aj · µ, j ∈
security properties which are confidentiality, verifiability and 268
216 [1, l] is l shares of r related to Π, and Aj · µ belongs to
fairness need to be considered. First, we use the semantic 269
217 ρ(j).
security of the ciphertext to describe the confidentiality. Then, 270
218 The linear reconstruction property of LSSS scheme is de- we user the verifiability and fairness game to describe the ver- 271
219 fined as follows. Suppose S is an authorized attribute set. J is ifiability and fairness respectively. In our security model, we 272
220 the set that J = {j : ρ(j) ∈ S} P ⊂ {1, · · · , l}. Then there exist adopted the selective model, which means that the adversary 273
221 constants
P {θ j }j∈J , such that j∈J θj ·Aj = (1, 0, · · · , 0), and needs to commit the challenge policy before the security game, 274
222
j∈J θ j A j · µ = r. as in [14]. 275
223 D. VF-CP-ABPRE definition Semantic security. In a VF-CP-ABPRE scheme, there are 276
two types of ciphertexts: the original ciphertext and the re- 277
224 Definition 1: A VF-CP-ABPRE scheme is composed of the encrypted ciphertext. We will user the Semantic-Or security 278
225 following steps. game to describe the semantic security of the original cipher- 279
226 • Setup(λ, U ): A trusted authority executes Setup to text, and Semantic-Re to describe the semantic security of the 280
227 initialize the system. A security parameter λ and the re-encrypted ciphertext. 281
228 attribute universe U are the input to Setup. The system’s
229 public parameter P P and master secret key msk are 1 R(S, (A, ρ)) = 0 means the attribute set S doesn’t satisfy the access
230 generated at this phase. policy (A, ρ), and R(S, (A, ρ)) = 1 means S satisfies (A, ρ).
282 Game Semantic-Or. A VF-CP-ABPRE scheme is original KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)), 332
283 ciphertext semantic secure in the selective model if the advan- sends rk to A. 333
284 tage of an adversary A in the following game is negligible. During Query phase I, A cannot make the Osk (S) query 334
∗ ∗
285 • Init. The attacker A chooses (A , ρ ) as the challenge if R(S, (A∗ , ρ∗ )) = 1. 335
286 access policy. • Challenge. A chooses two plaintext (m0 , m1 ) with 336
287 • Setup. In this step, a challenger C runs the Setup to equal length and sends them to the challenger 337
288 generate P P and msk. Then, C passes public parameters C. C computes the challenge ciphertext CT 0∗ = 338
289 to A. ReEnc(Enc(mσ , (A, ρ)), rk), where σ ∈ {0, 1}, rk = 339
290 • Query phase I. A queries: ReKeyGen(S, (A∗ , ρ∗ )), R(S, (A, ρ)) = 1, and returns 340
291 1) Osk (S): A queries on attribute set S, challenger C it to A. 341
292 executes sk = KeyGen(msk, S) and returns sk to • Query phase II. A queries like in Query phase I except 342
293 A. the query Osk (S) if R(S, (A∗ , ρ∗ )) = 1; 343
294 2) Ork (S, (A,

e ρe)): A makes a re-encryption key query • Guess. A outputs its guess σ 0 . 344
295 on (S, (A, ρe)), where R(S, (A,

e e ρe)) = 0. C runs sk = Note that, as there is no limitation on the re-encryption, 345
296 KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)), anyone can answer the re-encryption query by issuing a re- 346
297 returns rk to A. encryption key query first to get the relevant re-encryption 347
298 3) Ore (CT, S, (A,e ρe)): A makes a re-encryption key and then answer the re-encryption query. Hence, we omit 348
299 query on (CT, S, (A, e ρe)), C executes sk = the re-encryption query in the above game. 349
300 KeyGen(msk, S), rk = ReKeyGen(sk, (A, e ρe)) The adversary A’s advantage to win the semantic-re game
301 and CT 0 = ReEnc(CT, rk), returns CT 0 to A. is defined as
302 During Query phase I, A cannot make the following
303 queries:
Sem−Re
AdvA (λ) = |P r[σ 0 = σ] − 1/2|.
304 1) Osk (S) if R(S, (A∗ , ρ∗ )) = 1; Definition 2 (Semantic security). A VF-CP-ABPRE 350
305
e ρe)) if R(S, (A∗ , ρ∗ )) = 1 and A has
2) Ork (S, (A, scheme is semantic secure if it is Semantic-Or secure and 351
306 queried Osk (S)e where R(S, e (A,
e ρe)) = 1.
Semantic-Re secure. 352
307 • Challenge. A chooses two plaintext (m0 , m1 ) with equal 353
308 length and sends them to the challenger C. C computes the Verifiability. The verifiability of a VF-CP-ABPRE scheme 354
309 challenge ciphertext CT ∗ = Enc(mσ , (A∗ , ρ∗ )) where is captured by the following game. 355
310 σ ∈ {0, 1}, and returns it to A.
• Setup. In this step, a challenger C runs the Setup 356
311 • Query phase II. A queries like in Query phase I except:
algorithm and gets the public parameters and master 357
312 1) Osk (S) if R(S, (A∗ , ρ∗ )) = 1; secret key. Then, C passes public parameters to A. 358
313 2) Ork (S, (A, e if R(S, (A∗ , ρ∗ )) = 1 and
e ρe)) and Osk (S),
• Query phase I. A queries: 359
314 R(S,
e (A,
e ρe)) = 1.
1) Osk (S): A queries on attribute set S, challenger C 360
315 3) Ore (CT ∗ , S, (A, e if R(S, (A∗ , ρ∗ )) =
e ρe)) and Osk (S),
executes sk = KeyGen(msk, S), and sends sk to A. 361
316 1 and R(S, (A, ρe)) = 1.
e e
0
2) Ork (S, (A,e ρe)): A makes a re-encryption key query on 362
317 • Guess. A outputs its guess σ . e ρe)) = 0. C executes sk =
(S, (A, ρe)), where R(S, (A,
e 363
The adversary A’s advantage to win the semantic-or game KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)), 364
is defined as sends rk to A. 365
Sem−Or
AdvA (λ) 0
= |P r[σ = σ] − 1/2|. 3) Oclaim (CT, rk, CT 0 , π): A makes a claim key query 366
on (CT, rk, CT 0 , π). The challenger C interacts with 367
318 Game Semantic-Re. A VF-CP-ABPRE scheme is re- the adversary A and outputs the result of algorithm 368
319 encrypted ciphertext semantic secure in the selective model Claim(CT, rk, CT 0 , π). 369
320 if the advantage of an adversary A in the following game is ∗

• Challenge. A chooses a message m and access policy 370
321 negligible. (A∗ , ρ∗ ) and sends them to C. C computes CT ∗ = 371
∗ ∗
322 • Init. A chooses (A , ρ ) as the challenging access policy. Enc(m∗ , (A∗ , ρ∗ )) and sends CT ∗ to A. 372
323 • Setup. In this step, a challenger C runs the Setup to • Query phase II. A queries like in Query phase I. 373
324 generate P P and msk.. Then, C passes public parameters • Guess. A outputs an attribute set S ∗ where 374
325 to A. R(S ∗ , (A∗ , ρ∗ )) = 1, and a re-encrypted 375
326 • Query phase I. A queries: ciphertext CT 0∗ . The adversary A wins if 376
327 1) Osk (S): A queries on attribute set S, challenger C Decre (S ∗ , CT ∗ , CT 0∗ ) ∈

/ {m∗ , ⊥}. 377
328 executes sk = KeyGen(msk, S), then sends sk to The adversary A’s advantage to win the verifiability security
329 A. game is defined as
330 2) Ork (S, (A,e ρe)): A makes a re-encryption key query on
e ρe)) = 0. C executes sk = V er
331 (S, (A, ρe)), where R(S, (A,
e AdvA (λ) = |P r[A wins|V er].
378 Definition 3 (Verifiability). A VF-CP-ABPRE scheme is 3) the probability of finding two values a, b such that b 6= a 426
V er
379 verifiable if for all PPT adversary A, its advantage AdvA and H(a) = H(b) is negligible; 427
380 is negligible.
D. Complex assumption 428
381
382 Fairness. The Fairness of a VF-CP-ABPRE scheme is Let (e, G, GT , g, p) is a bilinear pairing and a, r ∈ Zp , g, ∈
383 captured by the following game. G are random elements, given an instance ~v =
q q+2 2q
384 • Setup. In this step, a challenger C runs the Setup g, g r , g a , · · · , g a , g a , · · · , ga ,
385 algorithm and gets the public parameters and master q q+2 2q
386 secret key. Then, C passes public parameters to A. ∀j ∈ [1, q] g r·bj , g a/bj , · · · , g a /bj
, ga /bj
, · · · , ga /bj
,
387 • Query phase I. A queries: q
·r·bt /bj
∀j, t ∈ [1, q], t 6= j, g a·r·bt /bj , · · · , g a ,
388 1) Osk (S): A queries on attribute set S, challenger C q+1
389 executes sk = KeyGen(msk, S), and sends sk to A. it is hard to distinguish e(g, g)r·a from a random value
390 2) Ork (S, (A,
e ρe)): A makes a re-encryption key query on T ∈ GT . Formally, the advantage of a PPT algorithms B
391 (S, (A, e ρe)) = 0. C executes sk =
e ρe)), where R(S, (A, q+1
|P r[B(~v , e(g, g)r·a ) = 1] − P r[B(~v , T ) = 1]|
392 KeyGen(msk, S) and rk = ReKeyGen(sk, (A, e ρe)),
393 sends rk to A. is negligible. 429
394 3) Oclaim (CT, rk, CT 0 , π): A makes a claim key query The decisional q-parallel BDHE assumption holds if no 430
395 on (CT, rk, CT 0 , π). The challenger C interacts with polynomial probability time adversary can solve the above 431
396 the adversary A and outputs the result of algorithm problem with a non-negligible advantage. 432
397 Claim(CT, rk, CT 0 , π).

∗
E. Discrete Logarithm (DL) Assumption 433
398 • Challenge. A chooses a message m and access policy
399 (A , ρ ) and sends them to C. C computes CT ∗ =
∗ ∗ Let (e, G, GT , g, p) is a bilinear pairing, given a tuple
400 Enc(m∗ , (A∗ , ρ∗ )) and CT 0∗ = ReEnc(CT ∗ , rk ∗ ). (e, G, GT , p, g, g β ) where g ∈ G, β ∈ Zp∗ , the discrete log-
401 Then C sends CT ∗ and CT 0∗ to A. Note that, rk ∗ is arithm assumption means that the advantage of a probability
402 a re-encryption key from (A∗ , ρ∗ ) to a new access policy polynomial time (PPT) adversary A to find the integer β is
403 (A,
e ρe). negligible. Formally, the advantage of a PPT adversary A
404 • Query phase II. A queries like in Query phase I. P r[AdvDL ] = P r[A(e, G, GT , p, g, g β ) = β]
405 • Guess. A outputs a proof π and wins the game if
406 Claim(CT ∗ , CT 0∗ , π) = true. is negligible. 434
The adversary A’s advantage to win the verifiability security IV. P ROPOSED VF-CP-ABPRE C ONSTRUCTION 435
game is defined as
To begin with, we describe what challenges we are facing 436
F air and then introduce our techniques that will be used in our
AdvA (λ) = |P r[A wins|F air]. 437
VF-CP-ABPRE construction. Finally, we prove its semantic 438

407 Definition 3 (Fairness). A VF-CP-ABPRE scheme is fair if security, verifiability and fairness. 439
F air
408 for all PPT adversary A, its advantage AdvA is negligible.
A. Challenges and Our Techniques 440
409 III. P RELIMINARIES
In an ABE scheme, if a shared user needs to verify whether 441
410 A. Negligible function the re-encrypted ciphertext returned by the cloud server is a 442
411 If for ∀t > 0, there exists a xt such that f (x) < 1/xt for correct one, a straightforward way is that the original recipient 443
412 ∀x > xt , the f (x) is a negligible function. and the shared user can reveal their private key. Thus, anyone 444
can check whether the returned re-encrypted is valid. However, 445

413 B. Bilinear pairing
this violates the rule of data confidentiality. To address this, 446
414 A bilinear pairing is a tuple (e, G, GT , g, p) where we leverage the technique of commitment. In our scheme, 447
415
s t
• e(U , V ) = e(U, V )
st
for all U, V ∈ G and s, t ∈ Zp∗ , when generating the original ciphertext, a commitment of the 448
416 • e(U, V ) 6= 1, plaintext is also generated. This commitment with the re- 449
417 • e(U, V ) can be efficiently computed for all U, V ∈ G, encryption will be sent to the shared user. Thus, the shared 450
418 where G and GT are multiplicative cyclic groups with gener- user can first retrieve the plaintext by normal decryption and 451
419 ator g and order p. then check the plaintext against the commitment. In such a 452
manner, the shared user can verify the validity of the re- 453
420 C. Cryptographic Hash Function
encryption. However, this approach assumes the shared user’s 454
421 A hash function H is a cryptographic hash function, if: private key is available for the verification. The malicious 455
422 1) given a value y, the probability of finding a value x, attacker may issue an incorrect plaintext m and claim that 456
423 where H(x) = y is negligible; m is the underlying plaintext of the re-encrypted ciphertext. 457
424 2) given H(a), the probability of finding a value b where The problem is that a verifier cannot assure that m is indeed 458
425 b 6= a and H(b) = H(a) is negligible; the corresponding plaintext as no one else could make the 459
n
460 decryption except the shared user. If the shared user publishes Selects a random vector µ r, ye2 , · · · , yf
~e = (e e ) ∈ Zp . For
n
e
461 his private key, the data confidentiality will be destroyed. each row A e computes λ
e j of A, fj = µ ~e · A e j , j ∈ [1, e
l].
462 In our approach, we leverage the message-lock encryption Randomly chooses rej ∈ Zp for each j ∈ [1, e l]. Then
463 (MLE) [31] technique to prevent the shared user from reveal- computes
464 ing an unrelated m. MLE guarantees that the same plaintext
465 corresponds to the identical re-encrypted ciphertext. Thus, a rk5 = χ · e(g, g)αer , rk6 = g re,
466 plaintext m was bind with a re-encrypted ciphertext. Whenever f −re
467 a shared user returns a plaintext m, it can be publicly verified rk7,j = g aλj fρe(j)j , rk8,j = g rej ∀j ∈ [1, e
l].
468 that m is indeed the plaintext of the re-encrypted ciphertext.
Output the re-encryption as key rk = (rk0 , rk1 , rk2 , rk3 , 489
469 B. Our VF-CP-ABPRE Construction {rk4,x }x∈S , rk5 , rk6 , {rk7,j , rk8,j }j∈[1,el] , (A,
e ρe)). 490
470 • Setup(λ, U ): The authority center generates a bilin- • ReEnc(rk, CT ): On input an original ciphertext 491
471 ear pairing tuple (e, G, GT , G, p). Denote the mes- CT = ((A, ρ), C, C1 , C2 , {C3,j , C4,j }j∈[1,l] , C) and a re- 492
472 sage space as {0, 1}k . Randomly chooses α, a ∈ Zp∗ , encryption key rk = (rk0 , rk1 , rk2 , rk3 , {rk4,x }x∈S , 493
473 g, f1 , · · · , fU , φ, ϕ, Q ∈ G. The authority center also rk5 , rk6 , {rk7,j , rk8,j }j∈[1,el] , (A,
e ρe)). 494
474 chooses two cryptographic hash functions H1 : GT → If R(S, (A, ρ)) = 0, outputs ⊥. Otherwise, let J = {j :
475 {0, 1}2k , H2 : {0, 1}∗ → Zp∗ , and a message-lock ρ(j) ∈ S} ⊂ {1, · · · l}, finds elements θj ∈ Zp∗ , such that
P
476 encryption algorithm M LE. Sets msk = g α and P P = j∈J θj · Aj = (1, 0, · · · , 0). Then, computes
477 (e, G, GT , g, f1 , · · · , fU , φ, ϕ, Q, g a , e(g, g)α , H1 , H2 ,
e(rk1 , C1 ) · e(rk2 , C2 )−1
478 M LE). C00 = Q θj
.
479 Note that, the hash function H1 and H2 can be con- j∈J (e(rk3 , C3,j ) · e(rk4,ρ(j) , C4,j ))
480 structed based on the standard cryptographic hash func- 0
Sets C = C, C 0 = C, C10 = rk5 , C20 = 495
481 tions such as SHA-1. Specifically, given an element 0 0
482 x ∈ GT as the input of H1 , H1 first converts x into rk6 , C3,j = rk7,j , C4,j = rk8,j j ∈ [1, e l], 496
a string type. Then, it takes the string as input of SHA-1 C5 = rk0 . Outputs the re-encrypted ciphertext CT 0 =
0
497
483 0
484 and thus gets a fixed length output. For H2 , it first calls (C 0 , C , C00 , C10 , C20 , {C3,j
0 0
, C4,j }j∈[1,el] , C50 , (A,
e ρe)). 498
485 SHA-1 to get a fixed length string, and then converts the • Decor (sk, CT ): Inputs a secret key sk = 499
486 string into an element in Zp . (S, K1 , K2 , Kx x ∈ S) and an original ciphertext 500
• KeyGen(msk, S): Randomly choose s ∈ Zp∗ , and sets CT = ((A, ρ), C, C1 , C2 , {C3,j , C4,j }j∈[1,l] , C). Checks 501
whether R(S, (A, ρ)) = 1. If not, outputs ⊥. Otherwise, 502

sk = (S, K1 = g α g as , K2 = g s , ∀x ∈ S Kx = fxs ). let J = {j : ρ(j) P ∈ S} ⊂ {1, · · · l}, finds elements 503
• Enc(m, (A, ρ)): Let (A, ρ) is an l × n matrix and θj ∈ Zp∗ , such that j∈J θj · Aj = (1, 0, · · · , 0). Then, 504
ρ associates each row of A with an attribute in computes 505
U . Randomly choose R ∈ {0, 1}k , and computes e(K1 , C1 )

r = H2 (M LE(m||R)) with the message-lock en- Φ= Q θj
, (1)
j∈J (e(K2 , C3,j ) · e(Kρ(j) , C4,j ))
cryption algorithm M LE. Sets a random vector µ ~ =
(r, y2 , · · · , yn ) ∈ Zpn , where y2 , · · · , yn are randomly and
chosen from Zp . For each row Aj of A, computes m||R = C ⊕ H1 (Φ).
λj = µ ~ · Aj , j ∈ [1, l]. Randomly chooses rj ∈ Zp
Outputs m if C = φH2 (m) ϕH2 (R) . Otherwise, outputs ⊥. 506
for each j ∈ [1, l]. Then computes
• Decre (sk, CT 0 , CT ): On input a private key sk = (S, 507
C = (m||R) ⊕ H1 (e(g, g)αr ), C1 = g r , C2 = Qr , K1 , K2 , Kx x ∈ S), a re-encrypted ciphertext CT 0 = 508

0
aλj −r rj (C 0 , C , C00 , C10 , C20 , {C3,j
0 0
, C4,j }j∈[1,el] , C50 , (A,
e ρe)) and 509
C3,j = g fρ(j)j , C4,j = g ∀j ∈ [1, l],
an original ciphertext CT = ((A, ρ), C, C1 , C2 , {C3,j , 510
H2 (m) H2 (R)
C=φ ϕ . C4,j }j∈[1,l] , C). Checks whether R(S, (A, e ρe)) = 1. 511
If not, outputs ⊥. Otherwise, let J = {j : ρe(j) ∈ 512

487 Outputs the ciphertext as CT = ((A, ρ), C, C1 , C2 ,
S} ⊂ {1, · · · e l}, finds elements θj ∈ Zp∗ , such that 513
488 {C3,j , C4,j }j∈[1,l] , C). P
j∈J θj · Aj = (1, 0, · · · , 0). Then, computes 514
e
• ReKeyGen(sk, (A, e ρe)): On input sk = (S, K1 , K2 ,
Kx x ∈ S) and an access policy (A, e ρe), where Ae is a e(K1 , C20 )
l×ne matrix. Randomly chooses χ ∈ GT , δ ∈ Zp∗ and χ = C10 / Q 0 0 θj
, (2)
j∈J (e(K2 , C3,j ) · e(Kρe(j) , C4,j ))
e
computes
H2 (χ)
and
rk0 = e(g, g)αH2 (χ) , · Qδ ,
1
rk1 = K1 0
m||R = C 0 ⊕ H1 (C0H2 (χ) ).
H2 (χ)
rk2 = g δ , rk3 = K2 , 0
Outputs m if C = C = φH2 (m) ϕH2 (R) . Otherwise, 515
rk4,x = KxH2 (χ) ∀x ∈ S. outputs ⊥. 516
• Claim(CT, rk, CT 0 , π): On input an original ciphertext When CT 0 is a re-encrypted ciphertext, then 534
CT = ((A, ρ), C, C1 , C2 , {C3,j , C4,j }j∈[1,l] , C), a re-

encryption key rk = (rk0 , rk1 , rk2 , rk3 , {rk4,x }x∈S , e(rk1 , C1 ) · e(rk2 , C2 )−1
rk5 , rk6 , {rk7,j , rk8,j } e , (A, ρ
e e)), a re-encrypted ci- C00 = Q θj
j∈[1,l]
0 j∈J (e(rk3 , C3,j ) · e(rk4,ρ(j) , C4,j ))
phertext CT 0 = (C 0 , C , C00 , C10 , C20 , {C3,j
0 0
, C4,j }j∈[1,el] , H (χ)
e(sk1 2 · Qδ , g r ) · e(g δ , Qr )−1
0
C5 , (A, ρe)) and a proof π = (m, R) that published by a
e =Q H2 (χ) aλj −rj H (χ)
shared user. The verifier first checks whether j∈J (e(sk2 , g fρ(j) ) 2
· e(skρ(j) , g rj ))θj
 0 ? =e(g, g)αrH2 (χ) .

 C =C
? χ in equation (2) can be verified in the same way as in

C 0 = C,



equation (1). Thus,

 0 ?

 C1 = rk5 ,


1
? 0
C20 = rk6 , (3) C 0 ⊕ H1 (C0H2 (χ) )
?

0
 C3,j = rk7,j ∀j ∈ [1, l],

=[(m||R) ⊕ H1 (e(g, g)αr )] ⊕ H1 (e(g, g)αrH2 (χ)/H2 (χ) )
 e


 0 ?



 C4,j = rk8,j ∀j ∈ [1, e l], =m||R.
 0 ?
C5 = rk0 . C. Security Proof 535
517 If one of the above equations in (3) does not hold, abort Here will prove the semantic security, verifiability and 536
518 and outputs ture. fairness of our proposed VF-CP-ABPRE construction. 537
Otherwise, computes r = H2 (M LE(m||R)) and check Theorem 1. Our proposed VF-CP-ABPRE scheme is se- 538
whether mantic secure under the q-parallel BDHE assumption. 539
0 Proof : According to semantic security that is defined in 540

C = C = φH2 (m) ϕH2 (R) , (4)
Definition 1, we prove its Semantic-Or and Semantic-Re 541
C00 6= C50r . (5) security through the following two lemmas. 542
519 If (4) and (5) hold, outputs true. Otherwise, outputs Lemma 1: VF-CP-ABPRE scheme is Semantic-Or secure 543
520 f lase. under the q-parallel BDHE assumption. 544
521 Note that, equation (3) ensures that all the elements Proof : Assume a PPT adversary A can break the Semantic- 545
522 except C00 in a re-encrypted ciphertext CT 0 are cor- Or security of the proposed scheme with a non-negligible 546
523 rect. These elements are duplicated from the original probability , we can construct a simulator B that can solve 547
524 ciphertext and re-encryption key and didn’t consume the q-parallel BDHE assumption with an advantage . B 548
525 computation resources. Thus, usually, the cloud serve is given a q-parallel BDHE instance (~v , T ) as illustrate in 549
526 has no incentive to revise these elements and return subsection III-D, its goal is to decide whether T equals to 550
q+1
527 incorrect ones. Equation (4) ensures that m in the proof e(g, g)r·α or T is randomly chosen from GT . 551
528 π = (m, R) is indeed the underlying plaintext of the Initially, B maintains private key and re-encryption key lists 552
529 original ciphertext CT , and equation (5) ensures that m is which are initially empty. 553
530 not the underlying plaintext of the re-encrypted ciphertext • Listsk : stores a tuple of (S, skS ). 554
531 CT 0 , which means the part C00 is not correctly generated. • Listrk stores a tuple of (S, (A, e ρe), rk, index), where 555
532 Correctness. Next, we explain the correctness of the decryp- index ∈ {0, 1}. index = 1 indicates that rk is a correct 556
533 tion algorithm. re-encryption key, while index = 0 indicates rk is a 557
When CT is an original ciphertext, then equation (1) is as random one. 558
∗ ∗
• Init. A outputs a challenge access policy (A , ρ ), where 559
e(K1 , C1 ) ∗ ∗ ∗
A is a l × n matrix.
Φ= Q θj
560
j∈J (e(K2 , C3,j ) · e(Kρ(j) , C4,j )) • Setup. B chooses a random β, $ ∈ Zp , φ, ϕ ∈ G and sets
q
e(g α g as , g r ) e(g, g)α = e(g, g)β · e(g a , g a ), Q = g $ . This implicitly
=Q sets α = a q+1
+β for some unknown α. For each x ∈ U ,
s aλj f −rj ) · e(f s , g rj ))θj
j∈J (e(g , g ρ(j) ρ(j)
chooses a random value tx ∈ Zp . Denote X = {j :
e(g, g)αr · e(g as , g r ) ρ∗ (j) = x}, B computes
= P
λj θj
e(g s , g a ) j∈J Y ∗ 2 ∗ n∗ ∗
= e(g, g)αr . fx = g tx g aAj,1 /bj · g a Aj,2 /bj · · · g a Aj,n /bj .

j∈X
Then,
If X is an empty set, then fx = g tx . B also 561
C ⊕ H1 (Φ) chooses two cryptographic hash functions H1 , H2 , 562
and a message-lock encryption algorithm M LE. 563
=[(m||R) ⊕ H1 (e(g, g)αr )] ⊕ H1 (e(g, g)αr )
Finally, B outputs the public parameter P P = 564
=m||R. (e, G, GT , g, f1 , · · · , fU , φ, ϕ, Q, g a , e(g, g)α , H1 , H2 , M LE).
565
566 • Query phase I. A queries: • Challenge. Two plaintext (m0 , m1 ) with equal length are
1) Osk (S): A queries on attribute set S. B verifies that selected by A and then A sends them to B. B randomly
R(S, (A∗ , ρ∗ )) = 0. If not, outputs ⊥. Otherwise, B chooses σ ∈ {0, 1} and computes
first finds a vector θ~ = (θ1 , · · · , θn∗ ) such that θ1 = C = mσ · T · e(g r , g β ),
−1 and for all j where ρ∗ (j) ∈ S, then θ~ · A∗j = 0.2
C1 = g r ,
B randomly chooses s0 ∈ Zp , and computes
∗
C2 = (g r )$ = Qr .
n
s0 q+1−j ∗
Y
K2 = g (g a )θj , g s . B randomly choose y20 , · · · , yn0 ∗ ∈ Zpn −1 and 591
j=1 r1 , · · · , rl0 ∈ Zpl . For j ∈ [1, l∗ ], denote Wj as all 592
Pn∗ k 6= j and ρ∗ (k) = ρ∗ (j). B implicitly set µ ~ = 593

567 This implicitly sets s = s0 + j=1 θj · aq+1−j .
~ · A∗j ,
(r, ra + y20 , ra2 + y30 , · · · , ran−1 + yn0 ∗ ) and λj = µ 594
Then, we have
j ∈ [1, l∗ ]. 595
K1 = g α g as Then, B computes
0 Pn∗ 0
q+1
θj ·aq+2−j
= ga +β
· g as + j=1 C4,j = g −rbj g −rj , g rj ,
∗
n
a s0 q+2−j −r
C3,j =g aλj fρ∗ (j)
Y j
β
= g (g ) (g a )θj ,
j=2 r0
=fρ∗j (j) · (g r·bj )tρ∗ (j)
568 which can be easily computed.  
n∗ n∗
569 For those x ∈ S and no j such that ρ∗ (j) = x exists, Y Y i ∗
a rbj /bk Ak,i 
Y 0 ∗
570 B sets Kx = K2tx . ·  (g ) · ( (g a )yj Aj,i )

For those x ∈ S and X = {j : ρ∗ (j) = x} 6= ∅, as k∈Wj i=1 i=2
θ~ · A∗j = 0, then Query phase II. A can query as in Query phase I under the
• 596
restrictions defined in the Semantic-Or security model. 597

Kx = fxs
• Guess. A outputs a guess σ 0 . B outputs 1 that indicates 598
0 Pn∗ q+1−k q+1
s + θ ·a
T = e(g, g)r·α if σ 0 = σ. Otherwise, B outputs 0
  k
n∗ k=1 599
YY i ∗
t a A /b indicates that T is a random value in GT .
= g x g j,i j  q+1
600
j∈X i=1 Analysis. When T = e(g, g)r·a , then C = mσ · T · 601

q+1
r β r·(a +β)
 A∗j,i e(g , g ) = m · e(g, g) = m · e(g, g)αr , which 602
∗ ∗ q+1
n n
tx
Y Y i
(a /bj )/s0
Y q+1+i−k
a /bj θk 
is a perfect ciphertext. Then, P r[B(~v , e(g, g)r·a ) = 1] = 603
=K2 g · (g )  , 1/2+. When T is a random value in G , then P r[B(~v , T ) = 604
T
j∈X i=1 k=1 q+1
k6=i 1] = 1/2. Thus, |P r[B(~v , e(g, g)r·a ) = 1] − P r[B(~v , T ) = 605
571 which can also be computed by the given parameters. 1]| = |1/2 + − 1/2| = , which means that B can solve the 606
572 Thus, B simulates the private key query and adds q-parallel BDHE assumption with a non-negligible advantage 607
573 (S, skS ) to Listsk . . 608
574 2) Ork (S, (A, e ρe)): B first checks that Lemma 2: VF-CP-ABPRE scheme is Semantic-Re secure 609
under the q-parallel BDHE assumption. 610

575 – If R(S, (A∗ , ρ∗ ) = 1) and there exists an entry
Proof : Suppose a PPT adversary A can break the Semantic- 611
576 (S,
e sk e), where R(S,
S
e (A,
e ρe) = 1, in Listsk , outputs
Or security of the proposed scheme with a non-negligible 612
577 ⊥.
probability , we are able to construct a simulator B that can 613
578 – Else if R(S, (A∗ , ρ∗ ) = 1) and no such an entry
579 (S,
e sk e), where R(S, e ρe) = 1, exists in Listsk , solve the q-parallel BDHE assumption with an advantage .
e (A, 614
S B is given a q-parallel BDHE instance (~v , T ) as illustrate in 615
580 B selects a random rk and adds (S, (A, e ρe), rk, 0) to
subsection III-D, its goal is to decide whether T equals to 616
581 Listrk . Otherwise, e(g, g)r·α
q+1
or T is randomly chosen from GT . 617
582 – B first makes a query Osk (S) to get skS , and then The Initial, Setup and Query phase I are identical to that in 618
583 computes rk with skS as in the ReKeyGen algo- the Lemma 3 proof. 619
584 rithm. Finally B adds (S, (A, e ρe), rk, 1) to Listrk .
• Challenge. Two plaintext (m0 , m1 ) with equal length are 620
585 3) Ore (CT, S, (A, ρe)): If R(S, (A∗ , ρ∗ )) = 1 and ex-
e
selected by A and then A sends them to B. B first 621
586 ists an entry (S, e sk e), where R(S,
S
e (A, e ρe) = 1, in
choose an attribute set S where R(S, (A∗ , ρ∗ )) = 0, 622
587 Listsk , outputs ⊥. Otherwise, if there exists an entry and generates a private key skS and re-encryption key 623
(S, (A,e ρe), rk, sign) in Listrk , B re-encrypts CT with
588
rk = ReKeyGen(skS , (A∗ , ρ∗ )). Then B chooses (A, ρ) 624
589 rk. Otherwise, B first makes a query Ork (S, (A, e ρe)) to
where R(S, (A, ρ)) = 1 and CT = Enc(mσ , (A, ρ)) as 625
590 get rk and then re-encrypts CT with rk. in the Challenge phase in the proof of Lemma 1. Finally, 626
2 Note that, as illustrated in [5], if R(S, (A∗ , ρ∗ )) = 0, such a vector θ ~ B computes CT 0∗ = ReEnc(CT, rk), and returns CT 0∗ 627
must exists and can be found in polynomial time. to A. 628
∗ 0∗
629 • Query phase II. A can query as in Query phase I under the Finally, B can compute β = δ·(H 2 (R )−H2 (R ))
H2 (m0∗ )−H2 (m∗ ) , and returns 671
630 restrictions defined in the Semantic-Re security model. β as its answer. 672
631 • Guess. A outputs a guess σ 0 . B outputs 1 that indicates Analysis. The above simulation is perfect, the advantage 673
q+1
632 T = e(g, g)r·α if σ 0 = σ. Otherwise, B outputs 0 of B to solve the discrete logarithm assumption is identical 674
633 indicates that T is a random value in GT . to the advantage of an adversary A to win in the integrity 675
634 Analysis. When T = e(g, g) r·aq+1

, CT is a perfect cipher- 0∗ security game. 676
q+1
635 text. Then, P r[B(~v , e(g, g)r·a ) = 1] = 1/2 + . When T is 677
636 a random value in GT , then P r[B(~v , T ) = 1] = 1/2. Thus, Theorem 3. VF-CP-ABPRE scheme is fair if H1 , H2 678
637
q+1
we have |P r[B(~v , e(g, g)r·a ) = 1] − P r[B(~v , T ) = 1]| = are cryptographic hash functions, M LE is a message-lock 679
638 |1/2+−1/2| = , which means that B can solve the q-parallel encryption scheme and the discrete logarithm assumption 680
639 BDHE assumption with a non-negligible advantage . holds. 681
640 Thus, the proof of Theorem 1 is completed. Proof: Assuming an adversary A can break the fairness 682
641
game with a non-negligible advantage , then we can construct 683
a simulator to break the collision resistant property of hash 684

642 Theorem 2. VF-CP-ABPRE scheme is verifiable under the
function H2 with a probability 0 , such that 0 > −AdvM LE − 685
643 discrete logarithm assumption.
AdvDL , where AdvM LE and AdvDL denote the advantage 686
644 Proof : Suppose there is an adversary A that can break the
of an adversary breaking the M LE encryption and discrete 687
645 verifiability of the presented VF-CP-ABPRE scheme with an
logarithm assumption respectively. 688
646 negligible advantage , we can construct a simulator B, that
647 can solve the discrete logarithm problem with an advantage . • Setup. The process is as the same as the Setup in the 689
648 B is given a discrete logarithm instance (e, G, GT , p, g, g β ) as verifiability game. 690
649 in subsection III-E, its goal is to output the value β. • Query phase I. The process is as the same as in the 691
verifiability game. 692

• Setup. Simulator B sets a bilinear pairing e, G, GT , g, p
Challenge. A outputs a message m∗ and access
650
• 693
and chooses α, δ, $ ∈ Zp , f1 , · · · , fU ∈ G and
policy (A∗ , ρ∗ ). Simulator B computes CT ∗ =
651
694
a cryptographic hash function H : {0, 1}∗ →
Enc(m∗ , (A∗ , ρ∗ )), CT 0∗ = ReEnc(CT ∗ , rk ∗ ), where
652
695
Zp . B sets φ = g β , ϕ = g δ , Q = g $ .
rk ∗ is a re-encryption key from (A∗ , ρ∗ ) to a new access
653
696
654 B also chooses two cryptographic hash functions e ρe), and sends CT ∗ , CT 0∗ to A.
policy (A, 697
655 H1 , H2 , and a message-lock encryption algorithm M LE.
• Query phase II. The same as in the verifiability game. 698
656 Finally, B outputs the public parameter P P =
• Guess. A outputs a proof π = (m, R). 699
657 (e, G, GT , g, f1 , · · · , fU , φ, ϕ, Q, g a , e(g, g)α , H1 , H2 ,
658 M LE). Analysis. If A wins the game, it means 700
659 • Query phase I. When A issues Osk (S), Ork (S, (A, e ρe)) Claim(CT ∗ , CT 0∗ , π) = true. Then we have 701
0∗ ∗
660
0
and Oclaim (CT, rk, CT , π), since B knows the master r = H2 (M LE(m||R)), C = C = φH2 (m) ϕH2 (R) 702
0∗ 0∗ r 0∗ r
661 secret key α, B can generate the private key and re- and C0 6= C5 . Since C0 6= C50∗ , where 703
0∗ αH2 (χ)H2 (M LE(m∗ ||R∗ )) 0∗
662 encryption key via the KeyGen, ReKeyGen and Claim C0 = e(g, g) , C5 = e(g, g)αH2 (χ) , 704
0∗ ∗
663 algorithms, and then returns the results to A. we have (m||R) 6= (m∗ ||R∗ ). Furthermore, as C = C = 705
∗ ∗
664 • Challenge. A outputs a message m∗ and access policy φH2 (m) ϕH2 (R) , we have φH2 (m ) ϕH2 (R ) = φH2 (m) ϕH2 (R) . 706
665 (A∗ , ρ∗ ) and sends them to B. B computes the CT ∗ = Denote ϕ = φη for some unknown random value η. 707
666 Enc(m∗ , (A∗ , ρ∗ )), and sends CT ∗ to A. Then we have H2 (m∗ ) = H2 (m) or H2 (R∗ = H2 (R). 708
667 • Query phase II. The simulator B answers the queries as Otherwise, anyone can use these values to compute 709
668 in query phase I. η = (H2 (m) − H2 (m∗ ))/(H2 (R∗ ) − H2 (R)) to solve 710
669 • Output. A outputs a re-encrypted ciphertext CT 0∗ = ( the discrete logarithm assumption. Thus, the simulator B 711
0∗
670 C 0∗ , C , C00∗ , C10∗ , C20∗ , {C3,j
0∗ 0∗
, C4,j }j∈[1,el] , C50∗ , (A
e ∗ , ρe∗ )). find a collision tuple of the cryptographic hash function 712
H2 , where m 6= m∗ , H2 (m∗ ) = H2 (m), or R 6= R∗ , 713

Simulator B chooses an attribute set Se∗ where H2 (R∗ ) = H2 (R). B’s advantage to find such a collision 714
R(Se∗ , (A
e ∗ , ρe∗ )) = 1), and generates a secret key sk e∗
S tuple is − AdvM LE − AdvDL . 715
using the master secret key. Then, B decrypts CT 0∗ to get 716
the plaintext m0∗ and R0∗ . If A wins the verifiability game, Discussion: The collusion resistant property which ensures 717
0∗
which means m0∗ ∈ / {m∗ , ⊥}, then we have C = C 0∗ . B that even the cloud server collude with a shared user cannot 718
can ensure that reveal the original recipient’s private key is a basic security re- 719
0∗ quirement for ABPRE schemes. In our proposed construction, 720

C = C 0∗ H (χ)
the rk1 = K1 2 · Qδ part of the original recipient’s private 721
0∗ 0∗ ∗ ∗
⇔φH2 (m )
ϕH2 (R )
= φH2 (m ) ϕH2 (R ) key is randomized by a random value Qδ . When the cloud 722
β·H2 (m0∗ )+δ·H2 (R0∗ ) β·H2 (m∗ )+δ·H2 (R∗ ) server collude with a shared user, they can get the value of χ. 723
⇔g =g
However, they cannot recover the value of Qδ from elements 724
⇔β · (H2 (m ) − H2 (m∗ )) = δ · (H2 (R∗ ) − H2 (R0∗ )).
0∗
(g, g δ , Q) which essentially is a Diffie-Hellman assumption. 725
TABLE I
S ECURITY AND FUNCTIONALITY COMPARISON WITH [24], [26] AND [30].
Schemes Access structure Security Verifiability Fairness

[24] Ciphertext policy Semantic security # #
[26] Key policy CCA # #
[30] Ciphertext policy CCA # #
Ours Ciphertext policy Semantic security ! !
726 Thus, the original recipient’ private key part rk1 cannot be encryption phase in the ciphertext-policy setting. However the 769
727 revealed. In this manner, the proposed construction achieves scheme [26] works in the key-policy setting and the access 770
728 the collusion resistant property. policy is generated at the key generation phase. Moreover, the 771
execution time of the KeyGen and Enc linearly increases as 772

729 V. P ERFORMANCE AND E VALUATION the size access policy grows. Fig. 2(c) and 2(d) show that the 773
730 A. Security and functionality comparison re-encryption key generation time and the actual encryption 774
731 We made a comparison of the proposed scheme and time in our scheme and in scheme [30] are very close and our 775
732 schemes [24], [26], [30] in terms of access structure, security, scheme performs slightly better than scheme [26]. As shown 776
733 verifiability, and fairness. Table I summarizes that [26] works in Fig. 2(e) and 2(f), the original and re-encrypted ciphertext 777
734 in the key policy setting and [24], [30] and our construction decryption time are almost the same in the three schemes. In 778
735 work in the ciphertext policy setting. Moreover, [26] and order to present the efficiency of the verifiability and fairness 779
736 [30] achieve the CCA security, and [24] and our construction in our scheme, since only our scheme achieves the verifiability 780
737 achieve the semantic security. However, only our construction and fairness property, we compare the Claim verification time 781
738 achieves the verifiability, and fairness properties. in our scheme with the time of repeating the re-encryption 782
operation3 in [26] and [30]. The time comparison, shown in 783

739 B. Performance evaluation Fig. 2(g), demonstrates that the Claim verification time in 784
740 We conducted an implementation to evaluate the presented our scheme is much less than other schemes [26], [30] and 785
741 VF-CP-ABPRE scheme in the perspective of computation doesn’t increase even if the access policy size grows. While the 786
742 cost, and compared our proposed scheme with the key-policy execution time of repeating the re-encryption operation in [26], 787
743 attribute-based data sharing scheme [26] and the ciphertext- [30] are much higher than that in our scheme and increase 788
744 policy [30] attribute-based data sharing scheme. linearly with the access policy. This is because that in our 789
745 In our implementation, we use a Java cryptography pack- scheme, only three exponent computation in group G and three 790
746 age [32] for pairing computation which is implemented based hash function computation are needed in the Claim algorithm. 791
747 on a C library of Pairing-based cryptography [33]. We use the The computation cost of the Claim algorithm is constant and 792
748 Y 2 = X 3 +X elliptic curve (type A ) and the group order is set doesn’t increase with the size of the access policy. However, in 793
749 as 160 bit. The hash function SHA-256 is adopted as the hash order to achieve verifiability and fairness for schemes [26] and 794
750 function H1 and H2 in our scheme. The hardware specification [30], a verifier needs to repeat the ReEnc algorithm to verify 795
751 we used in this experiment is a laptop with CPU: Intel i5- whether the output of the cloud server is correct. However, the 796
752 8520U @1.60GHZ 1.80GHZ, RAM: 8G. And the laptop runs ReEnc algorithm is linear with the access policy. 797
753 on Linux Mint 18.1.

VI. C ONCLUSION 798
754 Implementation. The size of universal attribute set is set be
755 1000 in our experiments. The attribute set is set in the private This paper introduces the verifiability and fairness secu- 799
756 key generation and the access policy during the generation of rity requirements for attribute-based data sharing in clouds 800
757 the original ciphertext are sized varied from 10 to 100 with a and put forward a notion of verifiable and fair ciphertext- 801
758 step 10. During the re-encryption key generation, the shared policy attribute-based proxy re-encryption(VF-CP-ABPRE). 802
759 access policy (A,

e ρe) is also sized varied from 10 to 100 with a The scheme provides the ability for a shared user to verify the 803
760 step 10. All the access policies are set as the AND gate of the validity of the re-encrypted ciphertext. Moreover, a shared user 804
761 selected attributes. Each experiment was execute 100 times to cannot make a malicious accusation to the cloud provider if 805
762 get an accurate average execution time. the cloud has indeed returned a correct re-encrypted ciphertext. 806
763 Fig. 2 shows the execution time comparison of each al- We also have proven our VF-CP-ABPRE scheme’s semantic 807
764 gorithm in our scheme with [26], [30]. Fig. 2(a) and 2(b) security, verifiability and fairness in our security model. We 808
765 show that the our scheme’s key generation time as well as the also conducted an implementation to evaluate our proposed 809
766 one in [30] performed better than the scheme in [26]. While 3 Since only our scheme achieves the verifiability and fairness property, in
767 the encryption time in our scheme and [30] is more than that the previous schemes [26], [30] a verifier can check whether the returned re-
768 in [26]. This is because the access policy is generated in the encrypted ciphertext is correct only by repeating the re-encryption operation.
330 200
Scheme [26] Scheme [26]
300 Scheme [30] 180 Scheme [30]
270 Our scheme Our scheme
Key generation time (ms)

160
Encryption time (ms)

240 140
210
120
180
100
150
80
120
90 60
60 40
30 20
0 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
Attribute set/Access policy size Attribute set/Access policy size
(a) KeyGen algorithm computation time (b) Enc algorithm computation time
360 300
Re-encryption key generation time (ms)

330 Scheme [30] 270 Scheme [30]
300 Our scheme 240 Our scheme
Re-encryption time (ms)

270 210
240
180
210
150
180
120
150
120 90
90 60
60 30
30 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
Access policy size Access policy size
(c) ReKeyGen algorithm computation time (d) ReEnc algorithm computation time
Re-encrypted ciphertext decryption time (ms)
200 200
Original ciphertext decryption time (ms)

180 Scheme [30] 180 Scheme [30]
Our scheme 160 Our scheme
160
140
140
120
120
100
100
80
80
60
60 40
40 20
20 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
Access policy size Access policy size
(e) Original ciphertext decryption time (f) Re-encrypted ciphertext decryption time
300
Scheme [26]
270 Scheme [30]
240 Our scheme
Verification time (ms)
210
180
150
120
90
60
30
0
10 20 30 40 50 60 70 80 90 100
Access policy size
(g) Claim/Repeating re-encryption computation time
Fig. 2. Computation time of our proposed VF-CP-ABPRE scheme.
810 scheme, and compared the execution time between our scheme This work opens up many interesting research questions. 813
811 and previous schemes to demonstrate the efficiency of the One could be how to design a secure VF-CP-ABPRE scheme 814
812 proposed VF-CP-ABPRE scheme. that is adaptively secure. Another interesting problem is de- 815
816 signing a publicly verifiable CP-ABPRE scheme that supports [20] A. Kapadia, P. P. Tsang, and S. W. Smith, “Attribute-based publishing 888
817 the cloud server to generate a proof and everyone can verify with hidden credentials and hidden policies.” in NDSS, vol. 7. Citeseer, 889
2007, pp. 179–192. 890
818 the re-encrypted ciphertext efficiently without repeating the [21] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic 891
819 re-encryption operation. proxy cryptography,” in International Conference on the Theory and 892
Applications of Cryptographic Techniques. Springer, 1998, pp. 127– 893
820 R EFERENCES 144. 894
821 [1] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public [22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy 895
822 cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, 2012. re-encryption schemes with applications to secure distributed storage,” 896
823 [2] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in In- Acm Transactions on Information and System Security, vol. 9, no. 1, pp. 897
824 ternational Conference on Theory and Applications of Cryptographic 1–30, 2006. 898
825 Techniques, 2005, pp. 457–473. [23] S. Ohata, Y. Kawai, T. Matsuda, G. Hanaoka, and K. Matsuura, “Re- 899
826 [3] J. Lai, R. H. Deng, C. Guan, and J. Weng, “Attribute-based encryption encryption verifiability: How to detect malicious activities of a proxy in 900
827 with verifiable outsourced decryption,” IEEE Transactions on informa- proxy re-encryption,” in Cryptographers Track at the RSA Conference. 901
828 tion forensics and security, vol. 8, no. 8, pp. 1343–1354, 2013. Springer, 2015, pp. 410–428. 902
829 [4] H. Ma, R. Zhang, Z. Wan, Y. Lu, and S. Lin, “Verifiable and excul- [24] X. Liang, Z. Cao, H. Lin, and J. Shao, “Attribute based proxy re- 903
830 pable outsourced attribute-based encryption for access control in cloud encryption with delegating capabilities,” in International Symposium on 904
831 computing,” IEEE transactions on dependable and secure computing, Information, Computer, and Communications Security, 2009, pp. 276– 905
832 vol. 14, no. 6, pp. 679–692, 2015. 286. 906
833 [5] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute- [25] K. Liang, M. H. Au, J. K. Liu, W. Susilo, D. S. Wong, G. Yang, 907
834 based encryption,” in IEEE Symposium on Security and Privacy, 2007, Y. Yu, and A. Yang, “A secure and efficient ciphertext-policy attribute- 908
835 pp. 321–334. based proxy re-encryption for cloud data sharing,” Future Generation 909
836 [6] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based en- Computer Systems, vol. 52, pp. 95–108, 2015. 910
837 cryption for fine-grained access control of encrypted data,” in ACM [26] K. Liang and W. Susilo, “Searchable attribute-based mechanism with 911
838 Conference on Computer and Communications Security, 2006, pp. 89– efficient data sharing for secure cloud storage,” IEEE Transactions on 912
839 98. Information Forensics and Security, vol. 10, no. 9, pp. 1981–1992, 2015. 913
840 [7] K. Emura, A. Miyaji, A. Nomura, K. Omote, and M. Soshi, “A [27] C. Ge, W. Susilo, J. Wang, Z. Huang, L. Fang, and Y. Ren, “A key- 914
841 ciphertext-policy attribute-based encryption scheme with constant ci- policy attribute-based proxy re-encryption without random oracles,” The 915
842 phertext length,” in International Conference on Information Security Computer Journal, vol. 59, no. 7, pp. 970–982, 2016. 916
843 Practice and Experience. Springer, 2009, pp. 13–23. [28] K. Liang, M. H. Au, W. Susilo, D. S. Wong, G. Yang, and Y. Yu, 917
844 [8] S. Hohenberger and B. Waters, “Attribute-based encryption with fast “An adaptively cca-secure ciphertext-policy attribute-based proxy re- 918
845 decryption,” in International Workshop on Public Key Cryptography. encryption for cloud data sharing,” in International Conference on 919
846 Springer, 2013, pp. 162–179. Information Security Practice and Experience. Springer, 2014, pp. 920
847 [9] N. Attrapadung, B. Libert, and E. De Panafieu, “Expressive key-policy 448–461. 921
848 attribute-based encryption with constant-size ciphertexts,” in Interna- [29] C. Ge, W. Susilo, L. Fang, J. Wang, and Y. Shi, “A cca-secure key-policy 922
849 tional Workshop on Public Key Cryptography. Springer, 2011, pp. attribute-based proxy re-encryption in the adaptive corruption model 923
850 90–108. for dropbox data sharing system,” Designs, Codes and Cryptography, 924
851 [10] J. Herranz, F. Laguillaumie, and C. Ràfols, “Constant size ciphertexts vol. 86, no. 11, pp. 2587–2603, 2018. 925
852 in threshold attribute-based encryption,” in International Workshop on [30] C. Ge, W. Susilo, Z. Liu, J. Xia, P. Szalachowski, and F. Liming, “Secure 926
853 Public Key Cryptography. Springer, 2010, pp. 19–34. keyword search and data sharing mechanism for cloud computing,” IEEE 927
854 [11] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. De Panafieu, Transactions on Dependable and Secure Computing, 2020. 928
855 and C. Ràfols, “Attribute-based encryption schemes with constant-size [31] M. Bellare, S. Keelveedhi, and T. Ristenpart, “Message-locked encryp- 929
856 ciphertexts,” Theoretical computer science, vol. 422, pp. 15–38, 2012. tion and secure deduplication,” in Annual international conference on 930
857 [12] C. Chen, Z. Zhang, and D. Feng, “Efficient ciphertext policy the theory and applications of cryptographic techniques. Springer, 931
858 attribute-based encryption with constant-size ciphertext and constant 2013, pp. 296–312. 932
859 computation-cost,” in International Conference on Provable Security. [32] Nik-U, “Pbc package,” https://github.com/Nik-U/pbc, 2015. 933
860 Springer, 2011, pp. 84–101. [33] B. Lynn et al., “Pbc library,” Online: http://crypto.stanford.edu/pbc, 934
861 [13] A. Lewko and B. Waters, “New proof methods for attribute-based 2006. 935
862 encryption: Achieving full security through selective techniques,” in

863 Annual Cryptology Conference. Springer, 2012, pp. 180–198.
864 [14] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive,
865 efficient, and provably secure realization,” Lecture Notes in Computer
866 Science, vol. 2008, pp. 321–334, 2011.
867 [15] J. Chen and H. Wee, “Semi-adaptive attribute-based encryption and
868 improved delegation for boolean formula,” in International Conference
869 on Security and Cryptography for Networks. Springer, 2014, pp. 277–
870 297.
871 [16] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully
Chunpeng Ge (M’2015) received the Ph.D degree 936
872 secure functional encryption: Attribute-based encryption and (hierarchi- in Computer Science from Nanjing University of 937
873 cal) inner product encryption,” in Annual International Conference on Aeronautics and Astronautics in 2016. He is cur- 938
874 the Theory and Applications of Cryptographic Techniques. Springer,
rently a research fellow at University of Wollongong 939
875 2010, pp. 62–91. and an associate professor at Nanjing University of 940
876 [17] T. Nishide, K. Yoneyama, and K. Ohta, “Attribute-based encryption with Aeronautics and Astronautics. His current research 941
877 partially hidden encryptor-specified access structures,” in International interests include cryptography, information security 942
878 conference on applied cryptography and network security. Springer, and privacy preserving for blockchain. His recent 943
879 2008, pp. 111–129.
work has focused on the topics of public key en- 944
880 [18] T. V. X. Phuong, G. Yang, and W. Susilo, “Hidden ciphertext policy cryption with keyword search, proxy re-encryption, 945
881 attribute-based encryption under standard assumptions,” IEEE transac- identity-based encryption. 946
882 tions on information forensics and security, vol. 11, no. 1, pp. 35–45,
883 2015.
884 [19] H. Cui, R. H. Deng, G. Wu, and J. Lai, “An efficient and expressive
885 ciphertext-policy attribute-based encryption scheme with partially hid-
886 den access structures,” in International Conference on Provable Security.
887 Springer, 2016, pp. 19–38.
947 Willy Susilo (Fellow’2021) received the Ph.D. de- Liming Fang (M’2017) received the Ph.D degree 1005
948 gree in computer science from the University of in Computer Science from Nanjing University of 1006
949 Wollongong, Australia. He is currently a Professor Aeronautics and Astronautics in 2012, and has been 1007
950 and the Head of the School of Computing and a postdoctor in the information security from City 1008
951 Information Technology and the Director of the In- University of Hong Kong. He is the associate pro- 1009
952 stitute of Cybersecurity and Cryptology, University fessor at the School of Computer Science, Nanjing 1010
953 of Wollongong. He has published over 400 research University of Aeronautics and Astronautics. Now, he 1011
954 papers in the area of cybersecurity and cryptology. is a visiting scholar of the Department of Electrical 1012
955 His main research interests include cybersecurity, and Computer Engineering New Jersey Institute of 1013
956 cryptography, and information security. He was a Technology. His current research interests include 1014
957 recipient of the Australian Research Council (ARC) cryptography and information security. His recent 1015
958 Future Fellow by the ARC and the Researcher of the Year Award by work has focused on the topics of public key encryption with keyword search, 1016
959 the University of Wollongong in 2016. He is the Editor-in-Chief of the proxy re-encryption, identity-based encryption. 1017
960 Information journal. He has served as a program committee member in dozens
961 of international conferences. He is currently serving as an Associate Editor in
962 several international journals, including the Computer Standards and Interface
963 (Elsevier) and the International Journal of Information Security (Springer). His
964 work has been cited over 16000 times in Google Scholar.
965 Joonsang Baek (M’2011) is a Senior Lecturer in

966 the School of Computer Science and Information
967 Technology and a member of the Institute of Cyber-
968 security and Cryptology, University of Wollongong,
969 Australia. He was a Research Scientist in the Insti-
970 tute for Infocomm Research, Singapore, and an As-
971 sistant Professor in the Khalifa University of Science
972 and Technology, United Arab Emirates. Joonsang
973 received his PhD from Monash University, Australia,
974 in 2004. His PhD thesis was on security analysis of
975 signcryption, and has received great attention from
976 the research community. He has published his work in numerous reputable
977 journals and conference proceedings. His current research interests are in
978 the field of applied cryptography and cybersecurity. He has also served as
979 a Program Committee Member and the Chair for a number of renowned
980 conferences on information security and cryptography.
981 Zhe Liu (SM’2016) is a professor in the College

982 of Computer Science and Technology, Nanjing Uni-
983 versity of Aeronautics and Astronautics,China. He
984 received the B.S. and M.S. degrees from Shandong
985 University, China, in 2008 and 2011, respectively,
986 and the Ph.D. degree from University of Luxem-
987 bourg, Luxembourg, in 2015. His research interests
988 include security, privacy and cryptography solutions
989 for the Internet of Things. He has co-authored over
990 80 research peer-reviewed journal and conference
991 papers. He was a recipient of the prestigious FNR
992 Awards-Outstanding Ph.D. Thesis Award in 2016, ACM CHINA SIGSAC
993 Rising Star Award in 2017 as well as DAMO Academy Young Fellow in
994 2019. He serves as program committee member in more than 60 international
995 conferences, including program chairs in INSCRYPT 2019, CRYPTOIC 2019
996 and ACM CHINA SIGSAC 2020.
997 Jinyue Xia received the Ph.D degree in Computer

998 Science from University of North Carolina at Char-
999 lotte, USA in 2017. His current research interests
1000 include data security, cryptography and information
1001 security. His recent work has focused on the topics
1002 of public key encryption with proxy re-encryption
1003 and identity-based encryption.
1004

A Verifiable and Fair Attribute-Based Proxy Re-Encryption Scheme For Data Sharing in Clouds

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Verifiable and Fair Attribute-Based Proxy Re-Encryption Scheme For Data Sharing in Clouds

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

A Verifiable and Fair Attribute-based Proxy

23 I. I NTRODUCTION an incorrect re-encrypted ciphertext if it has indeed behaved 59

personal genome data to an online genomics research center. 63

䌀吀ᤠ addressed concerns on the efficiency [7]–[12], security [13]– 130

a re-encryption key. It allows a user to share its encryption 134

to others without disclosing the plaintext to the proxy. To 135

et al. [23] presented a mechanism to verify the output of 137

grained access control on encrypted data. Moreover, in their 139

99 A. Motivations C. Our contribution 153

100 Although the existing ABPRE schemes can protect data

• Then, we construct a concrete VF-ABPRE scheme and 158

185 users’. CT . 237

192 an invalid one. re-encrypted ciphertext CT 0 . 244

• Decor (sk, CT ): This step is to decrypt an original cipher- 245

claim is correct which means CT 0 is an incorrect re- 261

212 • There exits an l × n matrix A, and a function ρ, where

214 and r2 , · · · , rn ∈ Zp are random values from Zp . Let

289 to A. ReEnc(Enc(mσ , (A, ρ)), rk), where σ ∈ {0, 1}, rk = 339

291 1) Osk (S): A queries on attribute set S, challenger C it to A. 341

293 A. the query Osk (S) if R(S, (A∗ , ρ∗ )) = 1; 343

294 2) Ork (S, (A,

295 on (S, (A, ρe)), where R(S, (A,

on (CT, rk, CT 0 , π). The challenger C interacts with 367

320 if the advantage of an adversary A in the following game is ∗

325 to A. R(S ∗ , (A∗ , ρ∗ )) = 1, and a re-encrypted 375

326 • Query phase I. A queries: ciphertext CT 0∗ . The adversary A wins if 376

327 1) Osk (S): A queries on attribute set S, challenger C Decre (S ∗ , CT ∗ , CT 0∗ ) ∈

397 Claim(CT, rk, CT 0 , π).

VF-CP-ABPRE construction. Finally, we prove its semantic 438

can check whether the returned re-encrypted is valid. However, 445

486 string into an element in Zp . (S, K1 , K2 , Kx x ∈ S) and an original ciphertext 500

whether R(S, (A, ρ)) = 1. If not, outputs ⊥. Otherwise, 502

ρ associates each row of A with an attribute in computes 505

U . Randomly choose R ∈ {0, 1}k , and computes e(K1 , C1 )

C = (m||R) ⊕ H1 (e(g, g)αr ), C1 = g r , C2 = Qr , K1 , K2 , Kx x ∈ S), a re-encrypted ciphertext CT 0 = 508

If not, outputs ⊥. Otherwise, let J = {j : ρe(j) ∈ 512

rk4,x = KxH2 (χ) ∀x ∈ S. outputs ⊥. 516

CT = ((A, ρ), C, C1 , C2 , {C3,j , C4,j }j∈[1,l] , C), a re-

whether mantic secure under the q-parallel BDHE assumption. 539

0 Proof : According to semantic security that is defined in 540

520 f lase. under the q-parallel BDHE assumption. 544

533 tion algorithm. re-encryption key, while index = 0 indicates rk is a 557

When CT is an original ciphertext, then equation (1) is as random one. 558

= e(g, g)αr . fx = g tx g aAj,1 /bj · g a Aj,2 /bj · · · g a Aj,n /bj .

j=1 r1 , · · · , rl0 ∈ Zpl . For j ∈ [1, l∗ ], denote Wj as all 592

Pn∗ k 6= j and ρ∗ (k) = ρ∗ (j). B implicitly set µ ~ = 593

570 B sets Kx = K2tx . ·  (g ) · ( (g a )yj Aj,i )

restrictions defined in the Semantic-Or security model. 597

j∈X i=1 Analysis. When T = e(g, g)r·a , then C = mσ · T · 601

573 (S, skS ) to Listsk . . 608

under the q-parallel BDHE assumption. 610

must exists and can be found in polynomial time. to A. 628

634 Analysis. When T = e(g, g) r·aq+1

639 BDHE assumption with a non-negligible advantage . holds. 681

a simulator to break the collision resistant property of hash 684

648 B is given a discrete logarithm instance (e, G, GT , p, g, g β ) as verifiability game. 690

verifiability game. 692

H2 , where m 6= m∗ , H2 (m∗ ) = H2 (m), or R 6= R∗ , 713

0∗ quirement for ABPRE schemes. In our proposed construction, 720

Schemes Access structure Security Verifiability Fairness

execution time of the KeyGen and Enc linearly increases as 772

573 (S, skS ) to Listsk . . 608

639 BDHE assumption with a non-negligible advantage . holds. 681