Outsourcing decryption algorithm of Verifiable transformed ciphertext for data sharing

Abstract

Mobile cloud computing is a very attractive service paradigm that outsources users' data computing and storage from mobile devices to cloud data centers. To protect data privacy, users often encrypt their data to ensure data sharing securely before data outsourcing. However, the bilinear and power operations involved in the encryption and decryption computation make it impossible for mobile devices with weak computational power and network transmission capability to correctly obtain decryption results. To this end, this paper proposes an outsourcing decryption algorithm of verifiable transformed ciphertext. First, the algorithm uses the key blinding technique to divide the user's private key into two parts, i.e., the authorization key and the decryption secret key. Then, the cloud data center performs the outsourcing decryption operation of the encrypted data to achieve partial decryption of the encrypted data after obtaining the authorization key and the user's outsourced decryption request. The verifiable random function is used to prevent the semi-trusted cloud data center from not performing the outsourcing decryption operation as required so that the verifiability of the outsourcing decryption is satisfied. Finally, the algorithm uses the authorization period to control the final decryption of the authorized user. Theoretical and experimental analyses show that the proposed algorithm reduces the computational overhead of ciphertext decryption while ensuring the verifiability of outsourcing decryption.

1. Introduction

Cloud computing has gained widespread support and adoption as an emerging service model that provides users with powerful computing and storage, among other capabilities. It brings many benefits for geographically dispersed users to share data and significantly reduces the cost of local storage management and maintenance. For mobile devices with limited computing resources (e.g., cell phones), enterprises or individuals can outsource intensively and complexly computing operations to a cloud service provider, thereby increasing local computing efficiency. However, although cloud service providers (CSP) bring convenience to users, they also bring a series of security issues and challenges [1-3].

When an enterprise or individual stores its data (especially sensitive data) directly in the cloud in plaintext, it loses direct control over his data. To ensure the privacy and security of outsourcing sensitive data, the most common method to ensure data confidentiality is currently to encrypt the outsourced data and then upload the ciphertext to the cloud service provider so that the cloud service provider is unable to access and obtain any valuable information from the outsourced data [4]. However, the sharing of encrypted data also poses some difficulties among users. When an enterprise or an individual wants to share the encrypted data or files with other users, the users cannot decrypt these encrypted data directly after downloading the ciphertext. Shamir et al. [5] first proposed identity-based encryption (IBE) scheme in 1984 which can securely implement the function of access control, where IBE is a cryptosystem which allows a user to generate its public key using some unique information about the identity of the user (e.g. a user's name). In this case, a sender can access to the public parameters of the system to encrypt a message using the text-value of the receiver's name as a key, and the receiver can obtain its decryption key from a central authority. Therefore, users can use this scheme to encrypt data, which can not only ensure the security of data but also realize the data sharing with other users.

However, most of the identity-based encryption schemes are constructed based on elliptic curve bilinear groups, which involve more bilinear pairing and power operations, resulting in less efficient decryption algorithms. When users execute the decryption algorithm, the computation of decryption grows linearly with the number of users. To this end, this paper proposes an outsourcing decryption scheme of verifiable transformed ciphertext (VTC-OD). The main contributions of this paper are listed below.

1) Considering that users of mobile devices with insufficient computing power need to consume huge computing overhead in performing the decryption, and that cloud service providers have strong computing power, users can perform partial decryption operations at the cloud service provider side with the powerful computing power and obtain the partial decrypted ciphertext, who only need to do a simple decryption operation to get the plaintext.

2) Since cloud service providers are not fully trustworthy, they may not perform the outsourced decryption request required by the users due to "laziness" to save computing resources or for some benefit, and try to falsify the outsourced decryption result resulting in the users not getting the correct and valid plaintext. Therefore, it is especially important to verify the correctness of the outsourced decryption operation and decrypted ciphertext.

3) Theoretical and experimental analyses are performed. We implement a system prototype and analyze the experimental evaluation, which shows the efficiency of our algorithm.

The rest of this paper is organized as follows. Section 2 summarizes the related work in this paper. Section 3 describes the cloud data sharing system model and presents the current problems. Section 4 proposes an outsourcing decryption scheme of verifiable transformed ciphertext. Section 5 analyzes the security and rationality of this algorithm. Section 6 illustrates the performance of the proposed algorithm in theoretical analysis and experimental simulation. Finally, Section 7 concludes the work and suggests future directions.

2. Related Work

To ensure the security of data and solve the problem that users of mobile devices with insufficient computing power need to consume huge computational overhead and long decryption time to perform decryption, this paper focuses on outsourcing decryption.

Many research scholars have proposed large amounts of outsourcing decryption schemes [6-27]. In 2011, Green et al. [6] introduced the first outsourced decryption in attribute-based encryption systems by outsourcing the complex decryption operations to CSP, and the basic idea of this scheme is to blind the user's private key, and then outsource the large number of power and bilinear pairing operations involved in the decryption process to CSP for performing, thus effectively reducing the computational overhead of decryption. Subsequently, attribute-based encryption (ABE) schemes supporting outsourced encryption were proposed in the literature [14-15], where ABE is a cryptosystem which enables fine grained access control of encrypted data using authorization policies. In this case, the secret key of a user and the ciphertext is dependent upon attributes (e.g. its email address, or the kind of subscription it has), and the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext. Since CSP are usually semi-trustworthy, to verify the correctness of the outsourced decryption results returned by CSP, Lai et al. [7] formally introduced the concept of verifiability and proposed an ABE scheme for verifiable outsourced decryption in 2013. After this, verifiable outsourced decryption algorithms were further investigated in the literature [8-10], where Ma and Zhang et al. [8] proposed verifiable and exempt attribute encryption, Lin and Zhang et al. [9] revisited the relationship between attribute-based encryption and verifiable outsourced decryption, and Zhang and Chen et al. [10] proposed a fog computing with outsourcing capability and access control scheme for attribute updating.

Moreover, the identity-based encryption has also been extended to the cryptosystem of proxy re-encryption (PRE) for allowing third parties (proxies) to alter a ciphertext which has been encrypted for one party and then it may be decrypted by another. Green et al. [28] proposed identity-based proxy re-encryption (IB-PRE), which uses the user's unique identity information as the public key, and is characterized by unidirectionality, non-transmissibility, and non-interactivity. Subsequently, many identity-based proxy re-encryption schemes have been proposed [29-31], which combine proxy re-encryption and identity-based encryption, and are more convenient in practical application scenarios. Ge et al. [29] proposed the revocable identity-based proxy re-encryption (RIB-BPRE) scheme, which dynamically shares the encrypted data by updating re-encryption keys and generating re-encrypted ciphertexts. Xu et al. [30] proposed the conditional identity-based broadcast proxy re-encryption (CIBPRE) scheme, which combines the ideas of conditional control and broadcasting, the re-encryption keys and ciphertexts have constant size. Kim et al. [31] proposed a broadcast proxy re-encryption (BPRE) scheme, which combines broadcast encryption and proxy re-encryption, is used for the redistribution of data uploaded on the cloud to multiple users.

However, these works do not address the authorization period of outsourced decryption, which can result in outsourced decryption ciphertexts that have passed the authorization period remaining valid. Therefore, it needs to develop a secure and verifiable outsourced decryption scheme based on the authorization period.

3. System Model and Problem Description

3.1 System Model

In the cloud storage, encrypted data sharing system model is shown in Fig. 1 and consists of four main entities: content provider (CP), users, key generation center (KGC), and cloud service provider (CSP).

Fig. 1. System model

1) Cloud service provider: CSP is to provide CP with a storage service for storing outsourced data or files and a computing service for transforming stored data. That is, the CSP can transform the data stored by the CP from IBE ciphertext to identity-based broadcast encryption (IBBE) ciphertext and then send it to the user for accessing the ciphertext.

2) Content provider: to protect data privacy, the CP can process the data using the IBE encryption mechanism and then outsource the encrypted data to the CSP. If the CP wishes to share the data with the users, an authorization token is generated and sent to the CSP.

3) Users: users access the data through CSP, get the encrypted data, and decrypt the ciphertext with their private keys.

4) Key generation center: KGC is a trusted participant responsible for responding to registration requests, and generates system parameters and private keys.

The encrypted data sharing model in the cloud storage consists of six main polynomial time algorithms, i.e., Setup, Keygen, Encrypt, Authorize, Transform, Decrypt, which are composed of the following process.

1) Setup (1^𝜆, 𝑚) → (𝑚𝑠𝑘, 𝑝𝑝). This algorithm is executed by KGC. It inputs the security parameters 1^𝜆 and 𝑚, outputs system parameters 𝑝𝑝 and the master key msk, where 𝑚 denotes the maximum number of authorized users. The system parameters are public and the master key is kept secret by KGC.

2) Register (𝑝𝑝, 𝑚𝑠𝑘, ID) → 𝑠𝑘_ID. This algorithm is executed by KGC. It inputs the system parameters 𝑝𝑝, the master key 𝑚𝑠𝑘, user identity ID ∈ {0, 1}^∗, and outputs the user's private key 𝑠𝑘_ID which is sent to the user over a secure channel.

3) Encrypt (𝑝𝑝, 𝑀, ID) → CT_ID. This algorithm is executed by CP. It inputs the system parameters 𝑝𝑝, the plaintext 𝑀, CP’s identity ID, and outputs a ciphertext CT_ID in IBE format which is uploaded to CSP.

4) Authorize(𝑝𝑝, 𝑠𝑘_ID, 𝑆) → TK_ID→𝑆. This algorithm is executed by CP. It inputs the system parameters 𝑝𝑝, the private key of CP 𝑠𝑘_IDcp, the set of authorized users 𝑆 = {ID_i}ⁿ_i=1, and outputs authorization token TK_ID→𝑆 that is sent to CSP over a secure channel.

5) Transform (𝑝𝑝, TK_ID→𝑆, CT_ID) → CT_𝑆. This algorithm is executed by CSP. It inputs the system parameters 𝑝𝑝, the authorization token TK_ID→𝑆, and a ciphertext CT_ID in IBE format, and outputs a transformed ciphertext CT_𝑆 in IBBE format.

6) Decrypt (𝑝𝑝, 𝑠𝑘_ID′ , CT_ID/CT_𝑆 ) → (𝑀/⊥). This algorithm is executed by the user. It inputs the system parameters 𝑝𝑝, the private key 𝑠𝑘_ID′ and a ciphertext CT_ID or CT_𝑆. For the ciphertext CT_ID, if ID′ = ID, CP executes the algorithm and outputs a plaintext message 𝑀, otherwise outputs error flag ⊥. For ciphertext CT_𝑆, if ID ∈ 𝑆, users execute the algorithm and output a plaintext message 𝑀, otherwise output error flag ⊥.

3.2 Threat Model

Definition 1. Authorization period. The authorization period is the period between the start time and the end time when the users are authorized. Users are granted access to data in the shared system within the limits of the authorization period (e.g., the data service period purchased by the user). During the authorization period assigned by the system, users can access and decrypt the shared data in the system. Once the authorization period expires, users will no longer be able to access and decrypt the shared data, especially the data that was accessed and decrypted during the authorization period.

This paper assumes that CP and KGC are reliable, while users and CSP are semi-trustworthy, i.e., they will follow data sharing protocols "in good faith", but there may be some malicious behavior. Therefore，the following attacks are considered:

1) Unauthorized ciphertext decryption attack. Unauthorized users and semi-trusted CSP may try to decrypt part of the decrypted ciphertext transformed by the CSP without the private key by means of spoofing, eavesdropping, brute force cracking, etc.

2) Forgery attack. To charge users more and save computational resources, a semi-trusted CSP may directly return randomly decrypted packets that look similar to the real ones (e.g., strings of the same length) without performing the packet decryption.

3) Repudiation attack. Even if the CSP returns the correct result, the user may make a false statement to accuse the CSP of returning an incorrect outsourced decrypted ciphertext in order to avoid paying for resource consumption.

3.3 Problem Description and Design Objective

As analyzed in the above threat model, the new problems facing outsourced data sharing in this paper are as follows: 1) When decryption is performed by mobile devices, the decryption time is too long due to its limited computing power; 2) A semi-trusted CSP may not perform the outsourced decryption as requested by the user, but directly return a forged decryption result to the user in order to make more profit; 3) The user falsely claims that the CSP has returned the wrong decryption result for its benefit when the CSP returns the correct decryption result.

Based on the above problems, the design objectives of the proposed algorithm are as follows: 1) Shortening the decryption time of ciphertext; 2) Privacy-protected outsourced decryption; 3) Verifiability of outsourcing decryption.

3.4 Security Model

The security model guarantees that unauthorized attackers and malicious CSP cannot obtain any valuable information from the ciphertext. The traditional security definition for resisting adaptable selective ciphertext attack (CCA) [32] is to disallow changing any bits of the ciphertext, which is contrary to the ciphertext compression property of outsourced decryption. Therefore, it adopts the replayable chosen-ciphertext attack (RCCA) security, which allows the modification of a given legitimate ciphertext but not the underlying plaintext information.

Definition 2. RCCA security. A scheme is RCCA safe if the attacker 𝒜 can win the following game in probabilistic polynomial time by a negligible advantage Adv^RCCA_{Our, 𝒜}.

In this paper, a game between the challenger 𝒞 and the attacker 𝒜 is designed, and the game proceeds as follows.

1) Setup phase. The challenger 𝒞 runs the algorithm Setup(1^𝜆, 𝑚) to generate the system parameters 𝑝𝑝 and the master key 𝑚𝑠𝑘, and sends 𝑝𝑝 to the attacker 𝒜.

2) Query phase 1. The challenger 𝒞 first initializes an empty table 𝑇 and an empty data set 𝐷. The attacker 𝒜 can repeat the following queries to the challenger 𝒞.

①Private key query 𝒬_SK(ID_i): the attacker 𝒜 submits the identity ID_i to the challenger 𝒞 for private key query, if ID_i ≠ ID_cp* , the challenger 𝒞 runs the algorithm KeyGen (𝑝𝑝, 𝑚𝑠𝑘, ID_i, [t_IDi ,t′_IDi ]) to generate the private key SK_IDi and sends it to 𝒜.

②Authorization key query \(\begin{align}\mathcal{Q}_{\widetilde{S K}}\end{align}\) (ID_i): 𝒜 makes a mobile user's authorization key query to the challenger 𝒞. The challenger 𝒞 first searches the information corresponding to the identity ID_i in table 𝑇. If it finds the tuple (ID_i, SK_IDi, \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) ), it returns the authorization key \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) to the attacker 𝒜. Otherwise, the challenger 𝒞 runs KeyGen() to obtain the private key SK_IDi corresponding to the identity ID_i , runs AuthKeyGen(SK_IDi, [t_IDi, t′_IDi ]) → \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) for the mobile user, adds the table 𝑇 into the tuple (ID_i, SK_IDi , \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) ), and finally the challenger 𝒞 sends (\(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) ) to 𝒜. It assumes that an attacker will not issue an authorization key query for the same identity ID_i if it has already issued a private key query for the same identity. Since anyone can obtain a license key \(\begin{align}\mathcal{\widetilde{S K}}_{ID_l}\end{align}\) by running the mobile user's license key generation algorithm using that user's private key, the assumptions are reasonable.

③User's final decryption query 𝒬_Dec(ID_i): 𝒜 submits (ID_i, CT_S|𝜔, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) to 𝒞 for the user's final decryption query. 𝒞 first searches for the tuple (ID_i, SK_IDi, \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\) , \(\begin{align}\widetilde{\tau}\end{align}\) , \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CT_F) in table 𝑇. If it finds the corresponding tuple about the identity ID_i tuple, the decryption algorithm UsersDec(𝑝𝑝, SK_IDi , \(\begin{align}\mathcal{\widetilde{p k}}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\) \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CT_F) is executed and the decryption result is returned to 𝒜. If the corresponding tuple is not found, the challenger 𝒞 outputs ⊥.

3) Challenge phase. The attacker 𝒜 submits two challenge plaintexts (𝑀₀, 𝑀₁) to the challenger 𝒞. The challenger 𝒞 runs KeyEncrypt (𝑝𝑝, ID_cp, 𝑀_𝑏, 𝜔) to generate the challenge ciphertext CT*_cp|𝜔 and sends CT*_cp|𝜔 to the attacker 𝒜, where 𝑏 is chosen randomly at {0,1}.

4) Query phase 2. After receiving the challenge ciphertext, 𝒜 continues to initiate the private key query, the authorization key query, and the user's final decryption query as in query phase 1. The restriction of this phase query is that 𝒜 has never queried the private key of ID_cp^*and cannot be any 𝑆 at the same time querying 𝒬_Dec(ID_i) and 𝒬_sk(ID_i). That is if the decryption result of 𝒜 in the final decryption query is 𝑀₀ or 𝑀₁, then 𝒞 outputs ⊥ to 𝒜.

5) Guessing phase. The attacker 𝒜 outputs a guess value 𝑏′ ∈ {0,1}. If 𝑏′ = 𝑏, then the attacker 𝒜 wins. The advantage of the attacker 𝒜 win in the game is defined as

\(\begin{align}A d v_{\text {Our },{ }_{\mathcal{A}}}^{R C C A}=\left|\operatorname{Pr}\left[b^{\prime}=b\right]-\frac{1}{2}\right|\end{align}\).

4. Design of VTC-OD Scheme

4.1 Scheme Overview

Mobile cloud computing is a very attractive service paradigm in which data computation and storage are moved from mobile devices to the cloud. Mobile users with insufficient computing power can hardly afford the huge overhead of decryption computation due to the processor performance and battery capacity so that they outsource all decryption computation to CSP. However CSP may return incorrect decryption results to save computing resources. Since most current IBE encryption schemes are constructed based on elliptic curve or bilinear groups, more bilinear pairing and power operations are involved in the algorithm. Among them, in the phase of data decryption, the computation volume of authorized users performing decryption operations grows linearly with the number of authorized users |𝑆|. Since the computational outsourcing can effectively reduce the computational load of the mobile device, it is applied to improve the real-time computing efficiency. In addition, this paper mainly studies from the user's perspective since the user is only involved in the decryption phase. Therefore, the decryption outsourcing solution for cloud data sharing becomes an urgent need. Thus, an outsourcing decryption of verifiable transformed ciphertext scheme is proposed to alleviate the time-consuming problem of decryption in mobile devices, which mainly consists of four algorithms, i.e., AuthKeyGen, ProxyDec, Verify, UsersDec, as shown in Fig. 2.

Fig. 2. Outsourcing decryption of verifiable transformed ciphertext

1) AuthKeyGen(SK_IDi ,[t_IDi, t'_IDi]) → \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) . User inputs the private key SK_IDi , the start time t_IDi of the authorized private key , and the end time t'_IDi of the authorized private key, and it outputs the authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k_1}}\end{align}\) , \(\begin{align}{\widetilde{s k_2}}\end{align}\) 𝜎_IDi , 𝑇_𝑖).

2) ProxyDec(CT_s|𝜔, \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) ) → \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\). CSP inputs the transformed ciphertext CT_s|𝜔 = ( 𝐶′₁, 𝐶′_2, 𝐶′_3, 𝐶′_4, 𝐶′_5, 𝐶′₆) and the user's authorized private key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k_1}}\end{align}\), \(\begin{align}{\widetilde{s k_2}}\end{align}\) 𝜎_IDi , 𝑇_𝑖), and it outputs the partially decrypted ciphertext of the transformed ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\)=  (\(\begin{align}{\widetilde{s k_1}}\end{align}\), \(\begin{align}{\widetilde{s k_2}}\end{align}\) 𝜎_IDi , 𝑇_𝑖).

3) Verify(𝑝𝑝, pk_𝜎, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) → (1/0). User inputs the system public parameter 𝑝𝑝, the signed public key pk_𝜎 of the CSP and the partially decrypted ciphertext returned by the CSP \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), and outputs 1 correctly and 0 otherwise.

4) UsersDec (𝑝𝑝, SK_IDi, \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CT_F) → (𝐹/⊥). The authorized users inputs the system parameters 𝑝𝑝, the user's private key SK_IDi, the decryption parameters \(\begin{align}\widetilde{p k}\end{align}\) and \(\begin{align}\widetilde{\tau}\end{align}\) returned by the CSP, the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , the data ciphertext CT_F, and outputs the plaintext message 𝐹 or the error flag ⊥.

To facilitate the description of the proposed algorithm, the definition of the symbols used in this paper is given in Table 1.

Table 1. Symbol definition

4.2 Generation of authorized keys

Since the existing IBE schemes whose decryption requires complex power and bilinear pairing operations, it takes a lot of time for mobile users with limited computing power to decrypt, and users who have expired the authorization period can still decrypt outsourced decrypted ciphertexts on CSP that have been accessed during the authorization period. The basic idea is that the mobile user outsources most of his complex decryption computation operations to the CSP without revealing his private key and data privacy. Therefore, the user sends the generated authorization key to the CSP by running the authorized key generation algorithm AuthKeyGen to blind the private key in order not to reveal the private key.

AuthKeyGen(SK_IDi, [t_IDi, t'_IDi]) → \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) . The process is executed by the user. It is based on the private key SK_IDi entered by the user, the start time of the authorized private key t_IDi and the end time of the authorized private key t'_IDi, and outputs authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k}}_{1}\end{align}\) , \(\begin{align}{\widetilde{s k}}_{2}\end{align}\) , 𝜎_𝐼𝐷𝑖 , 𝑇_𝑖). The specific calculation procedure is as follows:

First, the user generates the authorized key using his private key. The algorithm randomly selects a random number 𝜃 ∈ ℤ^∗_𝑞 and makes \(\begin{align}{\widetilde{p k}}\end{align}\) = 𝜃, and performs a mask operation on the user's private key SK_IDi = (𝑠𝑘₁, 𝑠𝑘₂, 𝜎_𝐼𝐷𝑖) to generate the authorized key. The authorized key is calculated by

\(\begin{align}{\widetilde{SK}_{ID_l}}=\left\{\begin{array}{l}\widetilde{s k_1}=s k_{1}=g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}} ; \\ \widetilde{s k_2}=s k_{2}{ }^{\widetilde{p k}}=\left(y_{\left\{t_{I D_{i}},\right.}, t_{I D_{i}}^{\prime}\right\}^{r_{i} \cdot \widetilde{p k}}=h^{r_{i} \cdot \widetilde{p k} \cdot a^{t_{I D_{i}}} b^{z-t_{I D_{i}}^{\prime}}};\\ \sigma_{I D_{i}}=g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}} ;\\ \\ T_{i}=\left[t_{I D_{i}}, t_{I D_{i}}^{\prime}\right].\end{array}\right.\end{align}\)       (1)

Second, the user initiates an authorization decryption operation request to the CSP. The user sends the authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) output by the algorithm to the CSP.

Finally, after the CSP accepts the request, the user sends the authorized key to the CSP and stores the decryption parameters \(\begin{align}{\widetilde{p k}}\end{align}\) locally.

4.3 Partial decryption of transformed ciphertext

CSP can provide outsourcing decryption service for the user because of its powerful computing power. When CSP receives the authorized key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) of the user’s decryption request, he gets the current time 𝑡_𝑥 and then runs the partial decryption algorithm ProxyDec to perform partial decryption of transformed ciphertext for the user and sends the partially decrypted ciphertext to the user.

ProxyDec(CT_s|𝜔, \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) ) → \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) . The process is performed by CSP. It inputs the transformed ciphertext CT_s|𝜔 = (𝐶′₁, 𝐶′_2, 𝐶′_3, 𝐶′_4, 𝐶′_5, 𝐶′₆) , the user's authorized private key \(\begin{align}{\widetilde{S K}}_{ID_l}\end{align}\) = (\(\begin{align}{\widetilde{s k}}_{1}\end{align}\) , \(\begin{align}{\widetilde{s k}}_{2}\end{align}\) , 𝜎_𝐼𝐷𝑖 , 𝑇_𝑖), and outputs partial decryption of the transformed ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) = (\(\begin{align}{\widetilde{D K}}_{ID_l}\end{align}\) , 𝜑). The specific calculation procedure is as follows:

First, the CSP determines whether the end time of the authorized user 𝑇_𝑖 = [t_IDi, t'_IDi] has been forged or tampered with based on t'_IDi in the user's authorized private key. The verification formula is

\(\begin{align}e\left(g^{H_{1}\left(t_{I D_{i}}^{\prime}\right)} \cdot g^{\beta}, g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}}\right) \stackrel{?}{=} e(g, g)\end{align}\).       (2)

If Formula (2) does not hold, CSP returns the error flag ⊥ and marks the identity of this authorized user as a revoked user. Otherwise, the CSP marks the authorized user as revoked based on \(\begin{align}\widetilde{s k_{2}}=\left(y_{\left\{t_{I D_{i}},\right.}, t_{I D_{i}}^{\prime}\right)^{r_{i} \cdot \widetilde{p k}}=h^{r_{i}} \cdot \widetilde{p k} \cdot a^{t_{I D_{i}} \cdot b^{z-t_{I D_{i}}}}\end{align}\), which further determines whether the authorization period of this user has expired or not. Applying Formula (1), if the multidimensional range derivative function is not computable to output the error flag ⊥, it indicates that 𝑡_𝑥 ≤ t_IDi or t_x ≥ t'_IDi , i.e., the authorization period of the user's private key has expired. In this case, the CSP terminates the partial decryption operation. If the multidimensional range derivation function is computable, it indicates that t_IDi ≤ 𝑡_𝑥 and t'_IDi ≥ 𝑡_𝑥 , i.e., the authorization period of the user's private key has not expired. The multidimensional range derivation function is specifically computed by

\(\begin{align}F_{x}=F_{t_{I D_{i}} \leq t_{x}, t_{I D_{i}}^{\prime}}^{\prime} \geq t_{x}\left(y_{\left\{t_{I D_{i}},\right.} t_{I D_{i}}^{\prime}\right\}^{r_{i} \cdot \widetilde{p k}}=\left(y_{\left\{t_{x}, t_{x}\right\}}\right)^{r_{i} \cdot \widetilde{p k}}\end{align}\) .      (3)

After calculating the 𝐹_𝑥, it is combined with formulas (4)-(6) to calculate

\(\begin{align}\varphi=\frac{C_{5}^{\prime}}{F_{x}}=\frac{h^{r_{j} \cdot a^{t_{c}} \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \widetilde{p k} \cdot a^{t_{x}} \cdot b^{z-t_{x}}}}\end{align}\).       (4)

From formula (4), it shows that the calculation of 𝜑 is different from the calculation of 𝜀 in the decryption step. The decryption operation was previously considered to be performed by the user on his local machine. However, considering the limited computing power of the users of mobile devices, some decryption operations on the user side need to be handed over to the CSP. The decryption operations are performed on the user's local machine.

Second, CSP calculates 𝑠𝑘₁ = \(\begin{align}g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}\end{align}\) based on the user's authorization key by

\(\begin{align}\tilde{B}=\left(e\left(C_{1}^{\prime}, h^{\rho_{i, S}(\alpha)}\right) \cdot e\left(s k_{1}, C_{2}^{\prime}\right)\right)^{\frac{1}{\Pi_{j=1, j \neq i}^{S} H_{1}\left(I D_{j}\right)}}\end{align}\) (5)

where 𝜌_𝑖,𝑆(𝛼) = \(\begin{align}\frac{1}{\alpha} \cdot\left(\prod_{j=1, j \neq i}^{s}\left(\alpha+H_{1}\left(I D_{j}\right)\right)-\prod_{j=1, j \neq i}^{s} H_{1}\left(I D_{j}\right)\right)\end{align}\) . Substituting 𝐶′₁ = 𝑔₁^−𝑟′ and 𝐶′₂ = ℎ^𝑟′⋅^{𝜫𝒏_𝒋=𝟏 (𝛼+𝐻₁(ID_j))} into formula (5), it uses polynomial interpolation to calculate

\(\begin{align}\tilde{B}=\left(e\left(g^{\alpha \cdot\left(-r^{\prime}\right)}, h^{\rho_{i, S}(\alpha)}\right) \cdot e\left(g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}, h^{r^{\prime} \cdot \Pi_{j=1}^{n}\left(\alpha+H_{1}\left(I D_{j}\right)\right)}\right)\right)^{\frac{1}{\Pi_{j=1, j \neq i}^{S} H_{1}\left(I D_{j}\right)}}=e(g, h)^{r^{\prime}}\end{align}\)       (6)

After obtaining \(\begin{align}\tilde{B}\end{align}\) , it substitutes \(\tilde{B}\) into 𝐶′₃ = 𝐻₂(𝑒(𝑔, ℎ)^𝑟′ ) ∙ ℎ^𝑠 , and yields 𝐶′₃ = 𝐻₂(𝑒(𝑔, ℎ)^𝑟′ ) ∙ ℎ^𝑠. From ℎ^𝑠 it can be calculated by

\(\begin{align}\widetilde{D K_{I D_{l}}}=\frac{C_{6}^{\prime}}{e\left(h^{s}, C_{4}^{\prime}\right)}\end{align}\)       (7)

Substituting 𝐶′₄ = (𝑢 ∙ 𝜇^𝜔) ^{𝑟⋅(𝛼+𝐻₁(ID_cp))} and 𝐶′₆ = 𝑀 ⋅ 𝑒 (𝑔, ℎ^{𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐} ) ^𝑟𝑗 ∙ 𝑒( ℎ^𝑟∙𝑠, (𝑢 ∙ 𝜇^𝜔)^{(𝛼+𝐻₁((ID_cp))}) into formula (7), it has

\(\begin{align}\widetilde{D K_{I D_{l}}}=\frac{C_{6}^{\prime}}{e\left(h^{s}, C_{4}^{\prime}\right)}=M \cdot e\left(g, h^{a^{t_{c} \cdot b^{z-t_{c}}}}\right)^{r_{j}}\end{align}\)       (8)

After computing \(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\), CSP applies the evidence generation algorithm Prove(𝑝𝑝, 𝑠𝑘_𝜎, 𝑥) for the verifiable random function, and randomly selects a random number 𝛿 ∈ ℤ^∗_𝑞 such that 𝑥 = \(\begin{align}\delta \| \widetilde{D K_{I D_{l}}}\end{align}\) . Let the signature key pair of CSP be (pk_𝜎, 𝑠𝑘_𝜎) = (𝛾, 𝑔^𝛾₂) . Applying verifiable random functions (VRF) [33-34], the VRF evidence generation algorithm outputs 𝑃 = (𝑥, 𝑦, π), where 𝑦 = \(\begin{align}\mathrm{e}\left(g_{2}, g_{2}\right)^{\frac{1}{H_{1}(x)+\gamma}}\end{align}\) is the VRF function value, π = \(\begin{align}g_2{\frac{1}{H_{1}(x)+\gamma}}\\\end{align}\) is the evidence.

Applying formulas (4) and (8) and 𝑃, CSP calculates the partially decrypted ciphertext by

\(\begin{align}\widetilde{C T_{S \mid \omega}}=\left(\widetilde{D K_{I D_{l}}}, \varphi, x, y, \pi\right)\end{align}\)       (9)

Finally, the CSP sends the partial decryption result of the computed transformed ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) to the user.

4.4 Verification of partial decryption of transformed ciphertext

Although CSP can provide users with powerful decryption outsourcing computing services, CSP may not execute the outsourced decryption requests initiated by users, and try to falsify the outsourced decryption results to return to users. Therefore, the user needs to verify the correctness of the decrypted ciphertext sent by the CSP before performing the decryption operation. When the user obtains the partially decrypted ciphertext returned by the CSP \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), he uses the signed public key pk_𝜎 of the CSP to verify the correctness of the partially decrypted ciphertext.

Verify(𝑝𝑝, pk_𝜎, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) → (1/0). The process is performed by the user. It inputs the system public parameter 𝑝𝑝, the signed public key pk_𝜎 of the CSP and the partially decrypted ciphertext returned by the CSP \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) = (\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) , 𝜑, 𝑥, 𝑦, π), and outputs 1 which means the partially decrypted ciphertext is correct, and outputs 0 which means CSP returns the wrong outsourced decryption result. The specific calculation process is as follows:

First, when the user obtains the partially decrypted ciphertext returned by the CSP, he applies the CSP's public key pk_𝜎 to initiate a verification request on the partially decrypted ciphertext returned by the CSP.

Second, the user runs the decryption verification algorithm Verify(𝑝𝑝, pk_𝜎, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) of the transformed ciphertext to judge the result returned by CSP, and the verification formula is

\(\begin{align}\left\{\begin{array}{l}y \stackrel{?}{=} e\left(g_{2}, \pi\right) \\ e\left(g_{2}{ }^{H_{1}(x)} \cdot p k_{\sigma}, \pi\right) \stackrel{?}{=} e\left(g_{2}, g_{2}\right) .\end{array}\right.\end{align}\)       (10)

If formula (10) does not hold, the algorithm outputs 0 and the user terminates the decryption operation. If the algorithm outputs 1, it indicates that the partially decrypted ciphertext returned by the CSP is correct, i.e., the verifiability of the outsourced decryption is achieved.

Finally, if the user gets an output value of 1 from the verification algorithm, the final decryption algorithm can be executed.

4.5 Final decryption of transformed ciphertext

After the user receives the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) from the CSP, he downloads \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) and the data ciphertext CT_F to the local area, and decrypts the data. The user does it with the assistance of the CSP to connect to the network and get the timestamp 𝑡_𝑦 of the decryption request from the CSP, then runs the final decryption algorithm UsersDec(𝑝𝑝, SK_IDi , \(\begin{align}\widetilde{pk}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\) , \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CT_F) for the transformation ciphertext. Eventually, the transformed ciphertext is decrypted to obtain the plaintext.

1) Getting timestamp

First, the CSP makes a judgment according to formula (1). If the multidimensional range derivative function is not computable to output the error flag ⊥, it indicates that the time 𝑡_𝑦 of the user's decryption request is not within the user's authorized time range [𝑡_𝑥, 𝑡′_𝐼𝐷𝑖 ], and the algorithm terminates the decryption operation. If the multidimensional range derivation function is computable, it indicates that the time 𝑡_𝑦 of the user's decryption request is within the user's authorized time range [𝑡_𝑥, 𝑡′_𝐼𝐷𝑖], i.e., the authorization period of the user's private key has not expired. Its calculation formula is

\(\begin{align}F_{y}=F_{t_{x} \leq t_{y}, t_{I D_{i}}^{\prime} \geq t_{y}} F_{x}=h^{\widetilde{p k} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}\end{align}\).       (11)

Next, after deriving 𝐹_𝑦 according to formulas (5)-(11), it is combined with formula (3) to calculate

\(\begin{align}\tilde{\varphi}=\frac{F_{x}}{F_{y}}=\frac{h^{r_{i}} \cdot \tilde{p k} \cdot a^{t_{x}} \cdot b^{z-t_{x}}}{h^{\widetilde{p k} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}}\end{align}\).       (12)

Finally, the CSP returns the time-dependent parameter \(\begin{align}\tilde{\tau}=\left(t_{y}, \tilde{\varphi}\right)\end{align}\) to this user.

2) Final decryption of the transformed ciphertext

The final decryption algorithmUsersDec is run to obtain the plaintext when the user gets the time-related parameter \(\begin{align}\widetilde{\tau}\end{align}\) of the decryption request from the CSP.

UsersDec(𝑝𝑝, SK_IDi , \(\begin{align}\widetilde{pk}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CT_F) → (𝐹/⊥) . The authorized users execute the algorithm. It inputs the system parameters 𝑝𝑝, the user's private key SK_IDi , the decryption parameters \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) and 𝜏̃ returned by the CSP, the partially decrypted ciphertext \(\begin{align}\widetilde{p k}\end{align}\) and the data ciphertext CT_F, and outputs the plaintext 𝐹 or the error flag ⊥. The specific computation process is as follows:

First, the algorithm calculates the timestamps 𝑡_𝑦 and 𝑠𝑘₂ = ℎ^{𝑟_𝑖∙𝑎𝑡𝐼𝐷_𝑖∙𝑏 𝑧−𝑡′𝐼𝐷_𝑖} for the user’s decryption request by

\(\begin{align}\widetilde{F_{y}}=F_{t_{I D_{i}} \leq t_{y}, t_{I D_{i}}^{\prime} \geq t_{y}}\left(y_{\left\{t_{I D_{i}}, t_{\left.I D_{i}\right\}}^{\prime}\right\}}\right)^{r_{i}}=h^{r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}=\left(y_{\left\{t_{y}, t_{y}\right\}}\right)^{r_{i}}\end{align}\)       (13)

Second, from formulas (5)-(13) and 𝜏̃, 𝜑 returned by CSP, the user's \(\begin{align}\widetilde{p k}\end{align}\) = 𝜃 can be calculated by

\(\begin{align}\widetilde{A=} \varphi \cdot \widetilde{F_{y}}{ }^{\widetilde{p_{k}}} \cdot \tilde{\varphi}=h^{r_{j} \cdot a^{t_{c} \cdot} \cdot b^{z-t_{c}}}\end{align}\).       (14)

From formula (14), the construction of \(\begin{align}\widetilde{A}\end{align}\) nsures that only legitimate users within the authorization period can eventually decrypt the transformed ciphertext, and malicious CSP or illegal users cannot access and decrypt it.

Finally, applying \(\begin{align}\widetilde{p k}\end{align}\) = 𝜃, CT_F, \(\begin{align}\widetilde{A}\end{align}\) and \(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\), it can obtain the plaintext by

\(\begin{align}\frac{C T_{F}}{\widetilde{D K_{I D_{l}}} \cdot \mathrm{e}(g, \tilde{A})^{-1}}=\frac{F \cdot M}{M \cdot e\left(g, h^{a^{t} c \cdot b^{z-t_{c}}}\right)^{r_{j}} \cdot e\left(g, h^{r_{j} \cdot a^{t^{c}} \cdot b^{z-t_{c}}}\right)^{-1}}=F\end{align}\).

The algorithm finally returns the output plaintext 𝐹 to this user.

5. Security analysis

5.1 Correctness of ciphertext

Ciphertext correctness means that when a user sends the authorization key \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) to the CSP, CSP correctly executes the partial decryption algorithm of the transformed ciphertext and correctly generates the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) so that the user who has not been exceeded the authorization period can correctly decrypt the ciphertext and obtain the original plaintext with his private key.

Lemma 2. Given the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) correctly executed by the CSP, any authorized user within the authorization period, i.e., ID_𝑖 ∈ 𝑆 and 𝜔 = 𝜔′ , can use the private key SK_IDi provided by KGC and 𝜏̃ returned by CSP to perform the final decryption of the transformed ciphertext and obtain the originally shared plaintext 𝐹.

Proof: for the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) which is correctly transformed by the CSP, any user under the condition that ID_𝑖 ∈ 𝑆 and 𝜔 = 𝜔′ can perform the decryption algorithm by entering his private key SK_IDi and 𝜏̃ returned by the CSP.

First, the algorithm uses 𝑠𝑘₂ in the private key to compute

Second, applying \(\begin{align}\widetilde{F_{y}}, \widetilde{\varphi}=\frac{h^{r_{i}} \cdot \widetilde{p_{k}} \cdot a^{t_{x}} \cdot b^{z-t_{x}}}{h^{\widetilde{p k} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}}}\end{align}\) and \(\begin{align}\varphi=\frac{h^{r_{j} \cdot a^{t^{c}} \cdot \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \theta \cdot a^{t_{x} \cdot b^{z-t_{x}}}}}\end{align}\), it has

\(\begin{align}\tilde{A}=\varphi \cdot \widetilde{F}_{y}{ }^{\widetilde{p k}} \cdot \tilde{\varphi}=\frac{h^{r_{j} \cdot a^{t_{c}} \cdot b^{z-t_{c}}}}{h^{r_{i}} \widetilde{p_{k} \cdot} \cdot a^{t_{x} \cdot b^{z-t_{X}}}} \cdot h^{{\widetilde{p k}} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}} \cdot \frac{h^{r_{i}} \cdot \widetilde{p k} \cdot a^{t_{x} \cdot b^{z-t_{x}}}}{h^{\widetilde{p k}} \cdot r_{i} \cdot a^{t_{y}} \cdot b^{z-t_{y}}} = h^{{r_{j}} \cdot a^{t_{c} \cdot b^{z-t_{c}}}}\end{align}\)

Finally, the plaintext 𝐹 can be obtained applying \(\begin{align}\widetilde{p k}\end{align}\) = 𝜃, CT_F, \(\begin{align}\widetilde{A}\end{align}\) and \(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) by

\(\begin{align}Left=\frac{C T_{F}}{\widetilde{D K_{I D_{l}}} \cdot \mathrm{e}(g, \tilde{A})^{-1}} = \frac {F \cdot M} {M \cdot e\left(g, h^{a^{t_{c}} \cdot b^{z-t_{c}}}\right)^{r_{j}} \cdot e\left(g, h^{r_{j} \cdot a^{t^{t}} \cdot b^{z-t_{c}}}\right)^{-1}} =Right\end{align}\)

So when ID_i ∈ 𝑆, it has UserDec(𝑝𝑝, SK_IDi , \(\begin{align}\widetilde{p k}\end{align}\),  \(\begin{align}\widetilde{\tau}\end{align}\) , \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) , CT_F) = 𝐹.

From the above proof process, it is obvious that the partially decrypted ciphertext which is correctly transformed by the CSP can be decrypted by the authorized unexpired user with the private key to obtain the original plaintext.

5.2 Proof of security

5.2.1 Resisting unauthorized ciphertext decryption attacks

Unauthorized ciphertext decryption attack refers to the possibility that unauthorized users and semi-trusted CSP may try to decrypt partially decrypted ciphertexts without private keys by means of spoofing, eavesdropping, brute force cracking, etc.

Assume that the attacker 𝒜 can breach the proposed scheme in this paper with a negligible advantage Adv^RCCA_{Our, 𝒜} in probabilistic polynomial time. It can construct an algorithm ℬ simulating the interaction between the challenger 𝒞 and the attacker 𝒜. The specific RCCA secure instance is described as follows.

1) Setup phase: given the system security parameter 𝜆 and the maximum number of receivers 𝑚 allowed in encryption. It first runs the algorithm Setup(1^𝜆, 𝑚) to obtain the group-related parameters (𝑞, 𝔾, 𝔾_𝑇, 𝑒), where 𝔾 and 𝔾_𝑇 are multiplicative cyclic groups of order prime 𝑞, 𝑒: 𝔾 × 𝔾 → 𝔾_𝑇 is a bilinear map, and 𝑔 and ℎ are two generating elements of the group 𝔾. Then it chooses the two hash functions 𝐻₁: {0, 1}^∗ → ℤ^∗_𝑞 and 𝐻₂: 𝔾_𝑇 → 𝔾, several random numbers (𝛼, 𝛽, 𝛾, 𝑣) ∈ ℤ^∗_𝑞 , computes 𝑢 ∙ 𝜇 = ℎ^𝛾,(𝑢 ∙ 𝜇)^𝛼 = ℎ^𝛼𝛾, pk_sign = 𝑔^𝛽, and sets the maximum number 𝑚 = 𝑛 of data users allowed to access the same data. Finally, the algorithm outputs the master key 𝑚𝑠𝑘 = 𝛼 and the system public parameters 𝑝𝑝 = (𝑞, 𝔾, 𝔾_𝑇, 𝑒(𝑔, ℎ), 𝑔₁, pk_sign, 𝑢, 𝑢^𝛼, ℎ, ℎ^𝛼, ℎ^𝛼2 , … , ℎ^𝛼𝑛 , 𝐻₁, 𝐻₂).

2) Query phase 1: The attacker 𝒜 can repeat the following query to the challenger 𝒞.

①Private key query 𝒬_SK(ID_i): the attacker 𝒜 initiates a private key query request. First,𝒜 sends ℬ the identity ID_i that asks for the. If ID_i = ID*, ℬ returns the invalid flag ⊥; otherwise, ℬ queries the identity ID_i in table 𝑇 to process as follows. If (ID_i, SK_IDi) exists, then ℬ returns the private key SK_IDi and its corresponding authorization period [t_IDi, t'_IDi] to the attacker 𝒜. Otherwise, ℬ applies the identity and authorization period [t_IDi, t'_IDi] of the attacker 𝒜 to compute SK_IDi = (𝑠𝑘₁ = \(\begin{align}g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}\end{align}\) , 𝑠𝑘₂= ℎ^{𝑟_𝑖∙𝑎𝑡_{𝐼𝐷𝑖∙𝑏}𝑧−𝑡′_𝐼𝐷𝑖} , 𝜎_𝐼𝐷𝑖 = \(\begin{align}g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}}\end{align}\) and return it to the attacker 𝒜, while recording (ID_i, 𝑤_𝑖, SK_IDi) in Table 𝑇₁.

②Authorization key query: The attacker 𝒜 makes a user authorization key query to the challenger 𝒞. The challenger 𝒞 first searches the information corresponding to the identity ID_i in table 𝑇. If it finds the tuple (ID_i, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\), \(\begin{align}\widetilde{p k}\end{align}\) ), then it directly returns the authorization key \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) to the attacker𝒜. Otherwise, the challenger 𝒞 runs the private key generation algorithm to obtain the private key SK_IDi corresponding to the identity ID_i, and then runs the user authorization key generation algorithm AuthKeyGen(SK_IDi, [t_IDi, t'_IDi]) to compute \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) = (𝑠𝑘₁ = \(\begin{align}g^{\frac{1}{\alpha+H_{1}\left(I D_{i}\right)}}\end{align}\) ,  \(\begin{align}\widetilde{s k_{2}} = sk_2^{\widetilde{p k}} = h^{{r_{i}} \widetilde{p k} \cdot a^{t_{I D}} i \cdot b^{z-t_{I D_{i}}^{\prime}}}\end{align}\) , \(\begin{align}\sigma_{I D_{i}}=g^{\frac{1}{\beta+H_{1}\left(t_{I D_{i}}^{\prime}\right)}}\end{align}\), T_i = [t_IDi, t'_IDi]) and add the tuple (ID_i, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) , \(\begin{align}\widetilde{p k}\end{align}\)) to the table 𝑇. Finally, 𝒞 sends (\(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\), \(\begin{align}\widetilde{p k}\end{align}\)) to 𝒜.

③Partial decryption query 𝒬_CSP(ID_i): the attacker 𝒜 submits the authorization key and ciphertext CT_S|𝜔 corresponding to the identity ID_i to the challenger 𝒞 for decryption query. The challenger 𝒞 first runs the private key generation algorithm to generate the private key \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) corresponding to the identity ID_i . Then it executes the decryption algorithm ProxyDec(CT_S|𝜔, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) ) to compute the partially decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) = (\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) = 𝑀 ⋅ 𝑒(𝑔, ℎ^{𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐} )^𝑟𝑗 , \(\begin{align}\varphi=\frac{h^{r_{j} \cdot a^{t_{c}} \cdot \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \widetilde{p^{\prime}} \cdot a^{t^{t}} x \cdot b^{z-t_{x}}}}\end{align}\), and finally returns \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) to the attacker 𝒜.

④Final decryption query 𝒬_Dec(ID_i): the attacker 𝒜 submits (ID_i, CT_S|𝜔, \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\) ) to the challenger 𝒞 for the final decryption query of the authorized user. The challenger 𝒞 first searches for the tuple (ID_i, SK_IDi , \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CT_F)in table 𝑇. If it finds the corresponding tuple about identity ID_i , it executes the authorized user decryption algorithm UserDec(𝑝𝑝, SK_IDi , \(\begin{align}\widetilde{p k}\end{align}\), \(\begin{align}\widetilde{\tau}\end{align}\), \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\), CT_F) to compute \(\begin{align}\widetilde{F_{y}}\end{align}\)= (𝑦_{{𝑡𝑦,𝑡𝑦}})^𝑟𝑖 and \(\begin{align}\widetilde{A}\end{align}\) = ℎ^{𝑟𝑗⋅𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐} and returns the decryption result to the attacker 𝒜. If the corresponding tuple is not found, the challenger 𝒞 outputs ⊥.

3) Challenge phase. The attacker 𝒜 submits two challenge plaintexts (𝑀₀, 𝑀₁) to the challenger 𝒞 .The challenger 𝒞 first runs KeyEncrypt(𝑝𝑝, 𝐼𝐷_cp, 𝑀_𝑏, 𝜔) to generate the original ciphertext CT^*_cp|𝜔 , where 𝑏 is chosen randomly at {0,1}, then runs Trans(𝑝𝑝, 𝑇𝑘_{cp→𝑆|𝜔}, CT_cp|𝜔, 𝑡_𝑐) to convert the ciphertext CT^*_cp|𝜔 to CT^*_S|𝜔 using the authorization token 𝑇𝑘_{cp→𝑆|𝜔} , and finally runs ProxyDec(CT_S|𝜔, \(\begin{align}\widetilde{S K_{I D_{l}}}\end{align}\) ) to compute a partially transformed decrypted ciphertext \(\begin{align}\widetilde{C T_{S \mid \omega}}\end{align}\)= (\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) = 𝑀 ⋅ 𝑒(𝑔, ℎ^{𝑎𝑡𝑐∙𝑏𝑧−𝑡𝑐} )^𝑟𝑗, \(\begin{align}\varphi=\frac{h^{r_{j} \cdot a^{t^{c}} \cdot \cdot b^{z-t_{c}}}}{h^{r_{i} \cdot \theta \cdot a^{t_{x} \cdot b^{z-t_{x}}}}}\end{align}\) and send it to the attacker𝒜 as a challenge.

4) Query phase 2. In addition to the restrictions described in the RCCA game, the attacker 𝒜 continues with the queries in query phase 1.

5) Guessing phase. The attacker 𝒜 outputs a guess 𝑏′ ∈ {0,1}, and if 𝑏′ = 𝑏, then the attacker 𝒜 wins.

Probabilistic analysis: if the attacker 𝒜 can break the security of RCCA in the above RCCA security game with negligible probability \(\begin{align}\left|\operatorname{Pr}\left[b^{\prime}=b\right]-\frac{1}{2}\right|\end{align}\) of the VTC-OD scheme, the security of RCCA can be breached. But the above probability depends on the random number 𝑏′ used by the attacker 𝒜 and the challenger 𝒞, and the probability of the random number 𝑏′ is \(\begin{align}\frac{1}{2}\end{align}\) and non-negligible, so the security of RCCA cannot be breached, i.e., it can resist unauthorized access attacks.

5.2.2 Resisting forgery and repudiation attacks

The forgery attack means that a semi-trusted CSP may return a random outsourced decryption message without actually performing the outsourced decryption. The repudiation attack means that even if the CSP returns the correct result, the user makes a false statement to accuse the CSP of returning an incorrect outsourced decryption result to evade outsourcing decryption fee.

Referring to the verifiable random function VRF has the binding property, the value 𝑦𝑦 of the VRF function in the verification auxiliary message 𝑝 returned by the CSP can be used to achieve verifiability of the outsourced decryption. In the process of CSP executing the partial decryption, the CSP uses the signed private key sk_𝜎 to compute the VRF evidence 𝜋 on the combination 𝛿||\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) . If the CSP incorrectly performs the outsourced decryption, it sends an incorrectly transformed outsourced decryption ciphertext to the authorized user, i.e., \(\begin{align}{\widetilde{C T_{S \mid \omega}}}^{*}\end{align}\) ≠ \(\begin{align}{\widetilde{C T_{S \mid \omega}}}\end{align}\) . In this case, the authentication algorithm of the VRF results in that formula (9) does not hold, i.e., 𝑦 ≠ e(𝑔₂, π) and e(𝑔₂^{𝐻₁(𝑥)} ∙ pk_𝜎, π) ≠ e(𝑔₂, 𝑔₂), and the authorized user will recover a different combination from the outsourced decrypted ciphertext, i.e.𝛿^∗||\(\begin{align}\widetilde{D K_{I D_{l}}}^{*}\end{align}\) ≠ 𝛿||\(\begin{align}\widetilde{D K_{I D_{l}}}\end{align}\) . Because, the VRF binding ensures that for different inputs 𝑥, the VRF function value 𝑦 is different. Therefore, 𝑦 does not match 𝑥 and the outsourced decryption is incorrect.

If the authorized user accuses the CSP of returning an incorrect outsourced decryption ciphertext, he needs to forge an evidence π. Similarly, the CSP executes the verification algorithm of the VRF function. If it outputs 0, formula (9) does not hold, i.e., 𝑦 ≠ e(𝑔₂, π) and e(𝑔₂ ^{𝐻₁(𝑥)} ∙ pk_𝜎, π) ≠ e(𝑔₂, 𝑔₂), and the authorized user lies. Therefore, the algorithm can resist the forgery attack of CSP and the repudiation attack of authorized users.

6. Performance analysis

6.1 Theoretical analysis

In this section, Table 2 gives a comparison of the computational overhead of decryption between the scheme VTC-OD in this paper and the attribute-based outsourced decryption scheme FA-ABE [3] and the revocable identity-based broadcast proxy re-encryption scheme RIB-BPRE [29]. Both the proposed scheme and the compared schemes dynamically share encrypted data by updating the re-encrypted key and generating a re-encrypted ciphertext, and both of the above compared schemes are representative of their respective fields. The exponential operations and bilinear pairing calculations are mainly considered in the computational overhead. The hash function is omitted here since it is much smaller than the operation of bilinear pairing and exponential in the group. In the table, |𝑺| denotes the total number of authorized user identity sets 𝑺, |𝑰| denotes the number of attributes that satisfy the access policy, 𝒕_𝒆 denotes the time spent to perform one exponential operation, and 𝒕_𝒑 denotes the time spent to perform one bilinear pairing operation.

Table 2. Comparison of the computational overhead

As can be seen from Table 2, the proposed scheme needs to perform the exponential operation in group 𝔾 twice in the user authorization key generation phase. In the partial decryption phase of CSP, the computation overhead of scheme FA-ABE grows linearly with the number of attributes of the access policy, and the computation overhead of RIB-BPRE is 0 because it does not implement outsourced decryption, and the computation overhead of VTC-OD grows linearly with the authorized users |S|. In the verification phase, VTC-OD performs one more bilinear pairing operation than FA-ABE, and the overhead of RIB-BPRE is 0 because the verifiability is not implemented. In the final user decryption phase, the cost of RIB-BPRE is linearly related to the authorized users |𝑺|, and VTC-OD performs one less exponential operation than FA-ABE, and its computational overhead is slightly smaller.

6.2 Experimental analysis

To further compare the performance of the proposed algorithm, we choose the experimental environment of CSP with AliCloud shared standard (1 core 2G) ECS and universal (4 core 16G) ECS, operating system Ubuntu 20.04 64-bit, and the experimental environment of user with Xiaomi Mi MIX2 cell phone (Snapdragon 835). The elliptic curve chosen for the experiment is Type A(y^{^}2=x^{^}3+x), so q is a 160-bit prime, 𝔾 element has a size of 256 bits. JPBC library is used in the experiments to implement the proposed and compared schemes. Run 20 times for each experimental to obtain the average execution time as the final experimental data, set the maximum of the authorized users 𝑚 = 100, and vary |S| from 20 to 100. Considering that this paper focuses on outsourcing decryption, only the decryption algorithms are compared here to analyze the performance experimentally.

1) Computational overhead on the user side

The computational overhead at the user side refers to the execution time of the three-step operations of the mobile user to perform the authorized key generation, the partial transformed ciphertext decryption verification, and the final transformed ciphertext decryption.

The execution time of authorization key generation AuthKeyGen(. ) is shown in Fig. 3. The overhead of both RIB-BPRE and FA-ABE is 0 since they do not execute this operation. The overhead of VTC-OD is greater and independent of the number of authorized users |S| since the mobile user blinds his private key in this stage, and he is independent of the other users. The execution time of the partial decryption verification Verify(. ) is shown in Fig. 4. The computational overhead of RIB-BPRE is 0 since it does not perform the verification process on the transformed ciphertext of CSP. The computational overhead of VTC-OD is slightly larger than that of FA-ABE since VTC-OD performs one more bilinear pairing operation when verifying the partially decrypted ciphertext returned by CSP.

Fig. 3. Time of the authorization key generation

Fig. 4. Time of partial decryption verification

The execution time of the final decryption UsersDec(.) is shown in Fig. 5. The cost of VTC-OD is independent of the number of authorized users and is less than that of FA-ABE, since it performs one less exponential operation when users perform the final decryption of the transformed ciphertext. Moreover, the overhead of VTC-OD is also lower than that of RIB-BPRE, since VTC-OD outsources the mobile user’s complex bilinear pairing operations and exponential operations to the CSP so that the mobile user only performs a small part of the decryption computation, which greatly reduces the computation overhead of the mobile user.

Fig. 5. Time of the final decryption

2) Computational overhead on the CSP side

The computation overhead of the CSP is the time that the CSP calculates the decryption timestamp parameter or performs the partial decryption of the transformed ciphertext based on the decryption request from the mobile user. For the transformation ciphertext partial decryption ProxyDec(. ), CSPs with different performance execute the experiments, and the results are shown in Fig. 6 (a) and (b), respectively.

Fig. 6. Partial decryption time of transformed ciphertext

When using a 1-core 2G ECS, it can be seen in Fig. 6 (a) that the computation overhead of FA-ABE is much larger than that of RIB-BPRE and VTC-OD, since the computation overhead of CSP for FA-ABE is positively related to the number of attributes of access policy when computing both exponential and bilinear pairing operations. However, the computation overhead of CSP for VTC-OD is slightly larger than that of RIB-BPRE, since VTC-OD outsources part of the user’s decryption to CSP for calculation, and performs more operations than RIB-BPRE. In addition, the computation overhead of FA-ABE grows rapidly with the number of attributes of the access policy. Also, the overhead of RIB-BPRE and VTC-OD grows linearly with the number of authorized users, but its growth is slow.

By comparing Fig. 6 (a) and (b), it can be seen that when using a 4-core 16G ECS, the execution time of CSP for FA-ABE, RIB-BPRE and VTC-OD is approximately 30ms, 10ms, and 41ms lower than that of using a 1-core 2G ECS, respectively. The reason is that CSP equipped with better performance has faster computation speed and shorter outsourced decryption time.

3) Total computational overhead of decryption

The total computation overhead of decryption refers to the sum of the time consumed by the user and the CSP in the decryption, and contains four algorithms: the generation algorithm of the authorized key, the partial decryption algorithm of the transformed ciphertext, the verification algorithm of the partial decryption of the transformed ciphertext, and the final decryption of the transformed ciphertext. Thus, CSPs with different performance execute the experiments, and the results are shown in Fig. 7 (a) and (b), respectively.

Fig. 7. Total computational time of decryption

When using a 1-core 2G ECS, it can be seen in Fig. 7 (a) that the total computation time of VTC-OD is smaller than that of RIB-BPRE since the user of VTC-OD outsources the complex bilinear pairing and power operations to the computationally powerful CSP, which reduces the user’s computation overhead and makes the total decryption overhead slightly smaller. In addition, the total computation time of FA-ABE grows linearly and rapidly with the number of attributes, but that of RIB-BPRE and VTC-OD grows slowly with the number of authorized users and remains the same. The reason is that although both FA-ABE and VTC-OD implement outsourced decryption, the computation overhead at the CSP side for FA-ABE increases significantly with the number of attributes.

By comparing Fig. 7 (a) and (b), it can be seen that when using a 4-core 16G ECS, the execution time of CSP for FA-ABE, RIB-BPRE and VTC-OD is about 30ms, 8ms and 28ms less than that of using a 1-core 2G ECS, and the total decryption time of VTC-OD is the smallest. Thus, it can be concluded that VTC-OD reduces the decryption time of mobile devices with limited computing power, since the CSP with better performance has more computational power and performs outsourced decryption faster.

In summary, the proposed algorithm achieves both the outsourced decryption function and the verifiable function of the mobile user for the partially decrypted ciphertext returned by the CSP. Moreover, the proposed algorithm can decrypt the ciphertext without revealing it to the CSP. Also, it can be seen that the decryption computation overhead at the mobile user side is reduced by outsourcing the complex decryption computation to the CSP.

7. Conclusion

To address the problem that mobile devices with limited computational power take too long to decrypt the shared ciphertext, an outsourcing decryption scheme of verifiable transformed ciphertext is proposed to reduce the computational overhead of the user's decryption. In this scheme, users with limited computing power can generate the authorized key by executing the authorized key generation algorithm, and then initiate the outsourced decryption request of the transformed ciphertext to the CSP and outsource the large number of bilinear and exponential operations involved in the decryption process to the CSP. CSP performs the partial decryption of the transformed ciphertext and sends the partially decrypted ciphertext to the user for decryption, and at the same time, the verifiable random function is used to prevent the semi-trusted CSP from returning the random outsourced decrypted ciphertext directly without performing the outsourced decryption to achieve the verifiability of the outsourced decryption. In the future, we will add a comparison of the amount of computation reduced by partial decryption.