07087379

1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TDSC.2015.2423669, IEEE Transactions on Dependable and Secure Computing

1

Generic and Efficient Constructions ofAttribute-Based Encryption with Verifiable

Outsourced DecryptionXianping Mao, Junzuo Lai, Qixiang Mei, Kefei Chen, Jian Weng

Abstract—Attribute-based encryption (ABE) provides a mechanism for complex access control over encrypted data. However in mostABE systems, the ciphertext size and the decryption overhead, which grow with the complexity of the access policy, are becomingcritical barriers in applications running on resource-limited devices. Outsourcing decryption of ABE ciphertexts to a powerful third partyis a considerable manner to solve this problem. Since the third party is usually believed to be untrusted, the security requirements ofABE with outsourced decryption should include privacy and verifiability. Namely, any adversary including the third party should learnnothing about the encrypted message, and the correctness of the outsourced decryption is supposed to be verified efficiently.We propose generic constructions of CPA-secure and RCCA-secure ABE systems with verifiable outsourced decryption fromCPA-secure ABE with outsourced decryption, respectively. We also instantiate our CPA-secure construction in the standard model andthen show an implementation of this instantiation. The experimental results show that, compared with the existing scheme, ourCPA-secure construction has more compact ciphertext and less computational costs. Moreover, the techniques involved in theRCCA-secure construction can be applied in generally constructing CCA-secure ABE, which we believe to be of independent interest.

Index Terms—attribute-based encryption, outsourced decryption, verifiability, RCCA

F

1 INTRODUCTION

C LOUD computing is a very fascinating computingparadigm, in which computation and storage are

moved away from terminal devices to the cloud. This newand popular paradigm brings important revolutions andmakes bold innovations for the manner in which enterprisesand individuals manage, distribute, and share content. Byoutsourcing their information technology capabilities tosome cloud service providers, cloud users may achievesignificant cost savings.

There is widespread public concern about cloud comput-ing, that is, how to ensure cloud users’ data security. Partof the outsourced data is sensitive, should be accessed byauthorized data consumers at remote locations. For instance,in a university, one of its colleges uploads its (encrypted)development projects to the university cloud, and wantsto give only the administrative personnel of the universityand the faculty of this college the privilege to access theencrypted projects. This is a very natural scenario in ourreal life when we use cloud storage systems. Cryptographictechnology is an essential manner to achieve this goal. Forexample, Attribute-Based Encryption (ABE) [1], a specialkind of powerful functional encryptions [2], contributes toaccess control over encrypted data.

• X. Mao is with the Department of Computer Science and Engineer-ing, Shanghai Jiao Tong University, Shanghai 200240, China (email:[email protected]). (Corresponding authors: J. Lai. and K. Chen.)

• J. Lai and J. Weng are with the Department of Computer Science, JinanUniversity, Guangzhou 510632, China (e-mail: [email protected];[email protected]).

• Q. Mei is with the College of Information, Guangdong Ocean University,Zhanjiang 524088, China (email:[email protected]).

• K. Chen is with the School of Science, Hangzhou Normal University,Hangzhou 310036, China (email:[email protected]).

The notion of ABE was first introduced by Sahai andWaters [1]. Depending on how to deploy the access controlpolicy, there are two different kinds of ABE systems. That is,Key-Policy Attribute-Based Encryption (KP-ABE) [3] and itsdual notion, Ciphertext-Policy Attribute-Based Encryption(CP-ABE) [4]. In a CP-ABE scheme, every ciphertext isassociated with an access policy, and every user’s privatekey is associated with a set of attributes. While in a KP-ABE scheme, ciphertexts are labeled with sets of attributesand access policies over these attributes are associated withusers’ private keys. In an ABE system, decryption operationrequires that the set of attributes should match the accesspolicy. Given its expressiveness, ABE is regarded as one ofthe most natural and important technologies for realizingdata access control in the cloud.

However, in most existing ABE schemes, one of the mainefficiency drawbacks is that the size of the ciphertext andthe decryption overhead (computational cost) grow withthe complexity of the access policy. This becomes criticalbarriers in applications running on resource-limited devices.For instance, the college adopts a pairing-based ABE schemeto encrypt its development projects and uploads the gener-ated ABE ciphertext to the university cloud. An authorizedadministrative officer of the university, who is on a businessship, wants to look up the encrypted development projectsof the college through his (resource-limited) mobile phone.He then wants to download and decrypt the ABE ciphertext.Since the ciphertext might have a large size and the pairingoperations in decryption procedure are usually expensivefor a resource-limited device, he has to wait for a long timeand sometimes even aborts the decryption procedure.

To remarkably eliminate the ciphertext size and the de-cryption overhead for users in ABE systems, a new method



2

ABE CT

Server Proxy

Client

Fig. 1: ABE system with outsourced decryption

for efficiently and securely outsourcing decryption of ABEciphertexts was put forth by Green et al. [5]. Fig. 1 illus-trates their ABE system with outsourced decryption. Moreconcretely, in their ABE system with outsourced decryption,the key generation algorithm is modified to produce twokeys for a user. The first one is a short El Gamal type secretkey, called the retrieving key rk, and it must be kept privateby the user. The second one is the corresponding transfor-mation key tk, which is shared with a proxy and can bepublicly distributed. Essentially, this key pair is generatedusing a key blinding technique [5]. When the proxy receivesa CP-ABE (resp. KP-ABE) ciphertext for an access policy(resp. attributes set) for which the attributes set (resp. accesspolicy) associated with the user satisfies, it is able to usethe transformation key to convert the ABE ciphertext into asimple and short El Gamal-style ciphertext which decryptsto the same message. After receiving this short and partially-decrypted ciphertext, the user is then able to decrypt thissimple ciphertext with one exponentiation. Based on the ex-isting ABE schemes, Green et al. proposed two ABE schemeswith outsourced decryption, which are selectively secureunder the chosen-plaintext attacks (selectively CPA-secure).Furthermore, by using the Fujisaki-Okamoto transformation[6], these two selectively CPA-secure ABE schemes withoutsourced decryption are converted into two selectivelyRCCA-secure schemes in the random oracle model.

The ABE system with outsourced decryption might runinto some problems: the ill-disposed proxy wants to savecomputing cost, the proxy is under malicious attack or othersystem malfunctions. In these situations, the data receivermight want to verify that the outsourced transformationof the (valid) normal ABE ciphertext was indeed done cor-rectly. In [5], Green et al. also informally discussed the verifi-ability of the proxy’s transformation and provided a methodto verify the correctness of the outsourcing decryption inthe random oracle model. Since the random oracle model isheuristic and a proof of security in the random oracle modeldoes not directly imply anything about the security in thereal world [7], Lai et al. managed to provide a verifiabilitymechanism which does not rely on random oracles [8]. Theyfirst refined the syntax of ABE with outsourced decryptionto allow for the verifiability of the transformations, and thenproposed a formal security notion of verifiability of ABEwith outsourced decryption. Afterwards, based on Waters’(small-universe) CP-ABE scheme [9], they constructed aconcrete CP-ABE scheme with verifiable outsourced de-cryption, which is selectively CPA-secure in the standard

model. Generally speaking, they added to the ciphertext anencryption of an extra random message and a checksumvalue, which is computed with this random message andthe actual plaintext. This checksum value plays a role ofthe commitment to the actual plaintext and is used to checkwhether the transformation is indeed done correctly.

However, the technique adopted in [8] inevitably bringson some negative side-effects. On one hand, the encryptionof an extra random message doubles the computationaloverhead of both the data sender and the proxy. On theother hand, the normal (i.e., non-transformed) ciphertextsize is twice as long as that of the underlying original ABEscheme (namely Waters’ CP-ABE scheme, used as a corebuilding block). These increases the bandwidth requirementand computational costs of resource-limited devices.

Accordingly, it is meaningful to find out a more efficientmanner to provide the verifiability of outsourced decryptionfor ABE systems with outsourced decryption, especially inthe standard model. Another interesting question is how toconstruct a RCCA-secure ABE scheme with outsourced de-cryption, which also supports the verifiability of outsourceddecryption, in the standard model.

1.1 Our Contribution

In this paper, we give affirmative responses to the twoproblems mentioned above. We shall give generic con-structions of CPA-secure and RCCA-secure ABE with ver-ifiable outsourced decryption from CPA-secure ABE withoutsourced decryption, respectively. At a very high level,both of our generic constructions have a “decrypt-then-verify” flavor. That is, after receiving a partially-decryptedciphertext transformed by a proxy, the data receiver firstdecrypts it using some simple operations and then verifiesthe correctness of the outsourced decryption.

In our CPA-secure construction, unlike the technique ofseparately encrypting an extra random message and thenusing this random message to commit to the true message in[8], our method is encrypting a message and a random valuetogether and then committing to the message by using therandom value. Our construction is generic and has smallerciphertext size and less computational costs. It also makesus obtain generic RCCA-secure construction more naturally.

To achieve RCCA-security, we first bring the proper-ties of ciphertext verifiability and delegatability in ABEsystems, proposed by Yamada et al. [10], to ABE systemswith outsourced decryption. We show that if a CPA-secureABE scheme with outsourced decryption has ciphertextverifiability or delegatability, it then can be transformedinto a RCCA-secure ABE scheme with verifiable outsourceddecryption by combining a secure encapsulation scheme, astrong one-time message authentication code and a securecommitment scheme. This is the first RCCA-secure construc-tion without relying on random oracles.

Our constructions can be also applied to selectively CPA-secure ABE systems with outsourced decryption, whichwill result in selectively CPA-secure/RCCA-secure ABEsystems with verifiable outsourced decryption. Moreover,since an ABE scheme with outsourced decryption just addstransformation procedures to a traditional ABE scheme inessence, it is a remarkable fact that the techniques involved



3

in our RCCA-secure transformation can be directly appliedin generally constructing CCA-secure ABE from CPA-secureABE, which we believe to be of independent interest.

By instantiating our generic CPA-secure constructionbased on Green et al.’s (small-universe and backwards-compatible variant of) slectively CPA-secure CP-ABE sys-tem with outsourced decryption [5] and Pedersen Com-mitment [11], we obtain a selectively CPA-secure CP-ABEsystem with verifiable outsourced decryption in the standardmodel. Note that Green et al.’s CP-ABE scheme with out-sourced decryption [5] has both ciphertext verifiability anddelegatability. By combining the Boneh-Katz encapsulationscheme [12], the CBC-MAC using AES as the underlyingblock cipher [12] and Pedersen Commitment [11], it canbe transformed into a selectively RCCA-secure ABE systemwith verifiable outsourced decryption in the standard model.

To evaluate our ABE systems with verifiable outsourceddecryption, we implemented our selectively CPA-secure CP-ABE instantiation and Lai et al.’s scheme based on Charm[13], and conducted experiments on both an ARM-basedsmartphone and an Intel-core desktop computer, whichare modeled as a resourced-limited device and a powerfulproxy, respectively. The experimental results show that,compared with Lai et al.’s system, our selectively CPA-secure system has more compact ciphertext and less com-putational costs. Another observation is that outsourcingthe decryption operations from the resource-limited smart-phone to the powerful computer can significantly reduce thecomputational costs of the smartphone.

1.2 Our Technique

At a high level, in order to construct such ABE schemes withverifiable outsourced decryption, we begin with a CPA-secure ABE scheme with outsourced decryption and adoptthe “decrypt-then-verify” paradigm.

In the generic construction of CPA-secure ABE schemewith verifiable outsourced decryption, we employ a com-mitment scheme to verify the correctness of outsourceddecryption. More concretely speaking, to encrypt a mes-sage m in some proper message space, the data senderfirst selects a random value r. Then, the data sender usesthe underlying ABE scheme with outsourced decryption toencryptm‖r to ct′ and commits tom using the value r to geta commitment cm. The final (normal) ciphertext is 〈ct′, cm〉.After receiving the partially-decrypted ciphertext pct trans-formed by a proxy using the transformation key, the datareceiver first decrypts the partially-decrypted ciphertext pctto m‖r by using the corresponding retrieving key, runs therevealing algorithm of the commitment scheme to verify thecorrectness of the transformation and then decides whetherto accept message m as the correct decryption result.

Inspired by [12] and [10], in the generic construction ofRCCA-secure ABE scheme with verifiable outsourced de-cryption, besides a commitment scheme, we also employ anencapsulation scheme and a massage authentication code.More concretely speaking, to encrypt a message m in someproper message space, the data sender first uses the encap-sulation algorithm of the underlying encapsulation schemeto generate a random value r, an encapsulation string comand a decapsulation string dec, where r can be split into

two equal-length strings r1 and r2. Here we assume thatr = r1‖r2. Then, the data sender encryptsm‖dec to generatea ciphertext component ct′ using the underlying CPA-secureABE scheme with outsourced decryption. Subsequently, thedata sender generates a message authentication code tagon the ABE ciphertext ct′ using r1 as the authenticationkey and generates a commitment cm to m using r2 asthe auxiliary information. The final (normal) ciphertext is〈com, ct′, tag, cm〉. After receiving the partially-decryptedciphertext pct transformed by a proxy using the transfor-mation key, the data receiver first decrypts the partially-decrypted ciphertext pct to m‖dec by using the retrievingkey, and then recovers r from com and dec using thedecapsulation algorithm. Lastly, the data receiver verifiesthe message authentication code and opens the commitmentto check message m. In this RCCA-secure construction, it isrequired that the underlying CPA-secure ABE scheme withoutsourced decryption should have ciphertext verifiabilityor delegatability in order to answer decryption queries.

1.3 Related Work

After Sahai and Waters’ seminal work [1], Goyal et al.[3] and Bethencourt et al. [4] proposed the first KP-ABEscheme and the first CP-ABE scheme, respectively. Thesetwo ABE schemes support any monotone access structures.Subsequently, a great number of ABE schemes have beenproposed, such as [14], [15], [16], [17], [18] and [9]. In[15], Cheung et al. presented a CP-ABE scheme which isproved to be secure in the standard model. Lewko et al.[16] proposed a fully secure CP-ABE scheme. In [9], Wa-ters proposed several very efficient CP-ABE constructions.These constructions work for any access policy that can beexpressed in terms of a linear secret sharing scheme (LSSS)matrix. Ostrovsky et al. [14] proposed a KP-ABE schemethat allows a user’s private key to be expressed in terms ofany access formula over attributes. Okamoto and Takashima[18] proposed KP-ABE and CP-ABE schemes with non-monotone access structures. A large amount of work em-ploys ABE to realize fine-grained data access control, such as[19], [20], [21] and [22]. Chase [23] proposed multi-authorityABE which allows any polynomial number of independentauthorities to monitor attributes and issue secret keys. Hisproposal uses the concepts of a trusted central authorityand global identifiers. Chow and Chase [24] (somewhat)removed the trusted central authority by using a distributedpseudorandom function. Lekwo and Waters [25] proposeda new decentralized multi-authority ABE system.

It is very necessary to speed up the decryption opera-tions of ABE systems, especially on some resource-limiteddevices. The pairing delegation techniques proposed in [26]can enable users to outsource the pairing computations toa third party. But using the pairing delegation techniquesin the decryption operations of ABE system, the drawbackthat computational cost is proportional to the size of theaccess policy still exists. To speed up the decryption of ABEsystems, there are several trade-offs in terms of efficiencyand security. The decryption algorithms in [27] and [28]require a constant number of pairing computations, whilethe security of their constructions can be proved only in theselective model. Green et al. [5] proposed a new paradigm



4

for ABE systems to reduce the decryption time for resource-limited devices with the help of a powerful third party. Be-sides outsourcing decryption of ABE systems, outsourcingof key-issuing for ABE systems is also considered in [29] and[30]. Outsourcing encryption for ABE systems is anotherconsiderable direction [31].

As we know, the third party is untrusted, one needs toverify the correctness of outsourced decryption. The tech-niques proposed in [32] and [33] can be used to outsourcedecryption in ABE systems, since they deal with outsourcingof general computation problems and provide both privacyand verifiability for the outsourcing procedure. But becauseboth their constructions are based on fully homomorphicencryption systems proposed by Gentry [34], these solutionsare far away from being practical now [35]. Lai et al. [8]provided a practical method, which is used to verify thecorrectness of outsourced decryption in their ABE system.

2 PRELIMINARIES

We begin by defining some notations that will be usedthroughout this paper. Let λ be a security parameter, whichimplies that all other quantity parameters are polynomialfunctions of λ. Denote by Z the integer and denote by Zp theset of integers modulo p. For a positive integer k, denote by[k] the set {1, . . . , k}. A function f is negligible if for everypolynomial p(·), there exists an N0 such that for all integersn > N0 it holds that f(n) < 1/p(n). For a probabilisticalgorithm A, let y ← A(x;R) denote the process of runningA on input x and inner randomness R ∈ RA and assigningy the result, where RA is the randomness space of A. Wewrite y ← A(x) for y ← A(x;R) with R chosen from RAuniformly at random. If S is a finite set, y ← S denotesthat y is chosen from S uniformly at random. The symbol ‖denotes string concatenation.

2.1 Bilinear GroupsLet G be an algorithm that takes as input a security parame-ter λ and outputs a quadruple (p,G,GT, e), where G and GTare (multiplicative) cyclic groups of prime order p such thatthe group action in G and GT can be computed efficiently.The bilinear map e : G×G→ GT fulfills the following threeproperties:

Bilinearity. For all g1, g2 ∈ G and a, b ∈ Zp, we havee(ga1 , g

b2) = e(g1, g2)ab .

Non-degeneracy. e(g1, g2) 6= 1GT , whenever g1, g2 6= 1G.Efficiency. The bilinear map e can be efficiently com-

puted.We refer to the quadruple (p,G,GT, e) as a bilinear group

and the algorithm G(1λ) as a bilinear group generator.

2.2 Commitment and EncapsulationA commitment scheme is a two-phase protocol betweentwo participants, a sender and a receiver. Here we onlyconsider so-called non-interactive commitment scheme, inwhich all the communication goes from the sender tothe receiver. A non-interactive commitment scheme CS =(InitCom,Commit,Reveal) with message spaceM, random-ness space V and commitment space D consists of thefollowing three algorithms:

InitCom(1λ) The initialization algorithm takes as input a se-curity parameter λ. It outputs the (public) commitmentparameters cp. When it is clear from the context, weomit cp in the input of the following algorithms.

Commit(m, r) The commitment algorithm takes as input amessage m ∈ M and auxiliary information r ∈ V . Itoutputs a commitment cm ∈ D.

Reveal(m, r, cm) The revealing algorithm takes as input amessage m, auxiliary information r and a commitmentcm. It outputs a bit b ∈ {0, 1} to indicate whether cm isa commitment to m, where b = 1 signifies “acceptance”and b = 0 signifies “rejection”.

The correctness of commitment scheme requires that,for all cp output by InitCom and for any message m ∈M and any auxiliary information r ∈ V , we haveReveal(m, r,Commit(m, r)) = 1.

Say a commitment scheme is secure if it satisfies two se-curity properties, namely the hiding and binding properties.Informally, the hiding property says that a commitment cmto m does not reveal any information about m, whereas thebinding property says that a commitment cm tom cannot beopened to another value m′. Here, we only require that bothhiding and binding hold computationally. We define thesetwo properties formally by two experiments Exp

HidingCS,A (λ)

and ExpBindingCS,A (λ), respectively.

Experiment ExpHidingCS,A (λ):

cp← InitCom(1λ), r ∈ Rm0,m1 ← A, β ← {0, 1}cm← Commit(mβ , r)β′ ← A(λ, cp, cm)If β = β′, then return 1,else return 0.

Experiment ExpBindingCS,A (λ):

cp← InitCom(1λ), r ∈ R, m ∈Mcm← Commit(m, r)(m′, r′)← A(λ, cp,m, r, cm)If Reveal(m′, r′, cm) = 1,

then return 1,else return 0.

The advantage of A in the experiment ExpHidingCS,A (λ) is

defined as AdvHidingCS,A (λ) = |Pr[Exp

HidingCS,A (λ)] − 1

2 |, and theadvantage of A in the experiment Exp

BindingCS,A (λ) is defined

as AdvBindingCS,A (λ) = |Pr[Exp

BindingCS,A (λ)] = 1|. A commitment

scheme is secure if both AdvHidingCS,A (λ) and Adv

BindingCS,A (λ) are

negligible (in the security parameter λ).Encapsulation [12] may be viewed as a weak variant

of commitment. An encapsulation scheme commits thesender to a random string as opposed to a message cho-sen by the sender as in the case of commitment. In termof security, it only requires binding to hold for honestly-generated encapsulations. An encapsulation scheme ES =(Init,Encap,Decap) with randomness space V , encapsula-tion string space E and decapsulation string spaceD consistsof the following three PPT algorithms:Init(1λ) On input a security parameter λ, the initialization

algorithm outputs public parameters pub.Encap(pub) On input the public parameters pub, the encap-

sulation algorithm outputs (r, com, dec), where r ∈ V ,com ∈ E and dec ∈ D. com and dec are referred to asthe encapsulation string and the decapsulation string,respectively.

Decap(pub, com, dec) On input the public parameters pub,an encapsulation string com and a decapsulation stringdec, the decapsulation algorithm outputs r ∈ V ∪ {⊥}.

The correctness of encapsulation scheme requires that,for all pub output by Init and for all (r, com, dec) output



5

by Encap(pub), we have Decap(pub, com, dec) = r. Forsimplicity, we also assume that r, com and dec have fixedlengths for any given value of the security parameter λ.

As in the case of commitment, an encapsulation schemesatisfies the security notions of binding and hiding. Sim-ilarly, both hiding and binding are required to hold onlycomputationally. Consider the following two experimentsExp

HidingES,A (λ) and Exp

BindingES,A (λ).

Experiment ExpHidingES,A (λ):

(pub)← Init(1λ)(r1, com, dec)← Encap(pub)r0 ← V , β ← {0, 1}β′ ← A(λ, pub, com, rβ)If β = β′, then return 1,else return 0.

Experiment ExpBindingES,A (λ):

(pub)← Init(1λ)(r, com, dec)← Encap(pub)dec′ ← A(λ, pub, com, dec)If Decap(pub, com, dec′) /∈ {r,⊥},

then return 1,else return 0.

The advantage of A in the experiment ExpHidingES,A (λ) is

defined as AdvHidingES,A (λ) = |Pr[Exp

HidingES,A (λ)] − 1

2 |, and theadvantage of A in the experiment Exp

BindingES,A (λ) is defined

as AdvBindingES,A (λ) = |Pr[Exp

BindingES,A (λ)] = 1|. An encapsulation

scheme is secure if both AdvHidingES,A (λ) and Adv

BindingES,A (λ) are

negligible (in the security parameter λ).

2.3 Massage Authentication Code

A message authentication code (MAC) MA = (Mac,Ver)with the message space M, the key space K and the tagspace T consists of the following two PPT algorithms [12]:Macsk(m) On input a key sk ∈ K and a message m ∈ M,

the tagging algorithm outputs a tag tag ∈ T .Versk(m, tag) On input a key sk, a message m and a tag

tag, the verification algorithm outputs a bit b ∈ {0, 1},where b = 1 signifies “acceptance” and b = 0 signifies“rejection”.

The correctness of MAC requires that for every key sk ∈K , every message m ∈M, and all tag output by Macsk(m),we have Versk(m, tag) = 1.

We consider the secuirty notion of strong one-time mes-sage authentication code. This security notion is definedusing a game between an adversary A and a challenger C.First, both A and C are given λ as input. Then, C chooses arandom key sk ∈ K and A may issue at most one taggingquery on m∗. C responds with tag∗ = Macsk(m∗). Finally,A outputs (m, tag). A wins the game if Versk(m, tag) = 1but (m, tag) 6= (m∗, tag∗). Note that A may win even ifm = m∗. The advantage of A is defined as AdvSOT

MA,A(λ) =|Pr[A wins]|. Say a message authentication code is a strongone-time message authentication code if any PPT adversaryhas at most a negligible advantage in the above game.

2.4 ABE with (Verifiable) Outsourced Decryption

Let S denote a set of attributes and let A denote an accessstructure. First we define a boolean function R which takesas input an attribute set S and an access structure A andoutputs a bit in {0, 1}. If the attributes set S satisfies theaccess structure A, the function R outputs 1, otherwiseit outputs 0. We consider two distinct varieties of ABEwith (verifiable) outsourced decryption: ciphertext-policyand key-policy. For general description, we will define

(Ikey, Ienc) as the input to the key generation and encryp-tion algorithm respectively. Hence, in a CP-ABE schemewith outsourced decryption, we have (Ikey, Ienc) = (S,A).While in a KP-ABE scheme with outsourced decryption, wehave (Ikey, Ienc) = (A,S).

In the original model defined in [5], a transformationkey tk and a corresponding retrieving key rk are createdby the master authority, and the input to the outsourcingdecryption algorithm only includes the user’s retrievingkey and the partially-decrypted ciphertext, but does notinclude the normal ciphertext. If a malicious proxy returnsto the user another valid partially-decrypted ciphertext (e.g,a partially-decrypted ciphertext the proxy once generatedhonestly), the user cannot detect this malicious behavior [8].Lai et al. [8] refined the model to achieve the verifiability.In their model, the user generates the transformation keyfrom his private key by himself. It is more flexible sincethe user can determine whenever he wants to outsourcedecryption. In addition, the input to algorithm Decryptoutincludes the normal ciphertext and the partially-decryptedciphertext. It is not difficult to see that Green et al.’s ABEschemes with outsourced decryption [5] can be transformedinto ABE schemes with outsourced decryption in Lai et al.’smodel. Here we adopt Lai el al.’s refined model. Formally, aCP-ABE (resp. KP-ABE) scheme with outsourced decryptionconsists of the following seven algorithms [8]:

Setup(1λ, U) The system setup algorithm takes as inputa security parameter λ and a description of attributeuniverse U . It outputs the public parameters paramsand a master secret key msk. In the input of all thefollowing algorithms, for convenient notation, we omitparams which is implicitly included.

KeyGen(msk, Ikey) The key generation algorithm takes asinput the master security key msk and an attribute set(resp. access structure) Ikey . It outputs a private keyskIkey

.Encrypt(m, Ienc) The encryption algorithm takes as input a

message m and an access structure (resp. attribute set)Ienc. It outputs a normal ciphertext ct.

Decrypt(skIkey, ct) The decryption algorithm takes as input

a private key skIkeyand a normal ciphertext ct. It

outputs a message m or a failure symbol ⊥.GenTKout(skIkey

) The transformation key generation algo-rithm takes as input a private key skIkey

. It outputsa transformation key tkIkey

and the corresponding re-trieving key rkIkey

.Transformout(ct, tkIkey

) The ciphertext transformation al-gorithm takes as input a ciphertext ct and a trans-formation key tkIkey

. It outputs a partially-decryptedciphertext pct.

Decryptout(ct, pct, rkIkey) The outsourcing decryption algo-

rithm takes as input a normal ciphertext ct, a partially-decrypted ciphertext pct and a retrieving key rkIkey

. Itoutputs a message m or a failure symbol ⊥.

Let (params,msk) ← Setup(1λ, U), skIkey←

KeyGen(msk, Ikey), ct ← Encryption(m, Ienc),(rkIenc

, tkIenc) ← GenTKout(skIkey

), pct ←Transformout(ct, tkIkey

). The correctness of an ABEscheme with outsourced decryption requires that, ifR(Ienc, Ikey) = 1, then both Decrypt(skIkey

, ct) and



6

Decryptout(ct, pct, rkIkey) output m. Otherwise, both

Decrypt(skIkey, ct) and Decryptout(ct, pct, rkIkey

) output afailure symbol ⊥.

We now consider the privacy requirement. That is, anyadversary including the third party should not learn any-thing about the encrypted message. In ABE with outsourceddecryption, we consider Replayable CCA (RCCA) security[5], [8], [36]. Informally, it allows modifications to a givenvalid ciphertext, but the adversary cannot change the un-derlying message in a meaningful way. The RCCA securityis formally described by a game between a challenger C andan adversary A. In the RCCA-security game, A is allowedto issue private key queries, transformation key queries,decryption queries and outsourcing decryption queries. Dueto the space limitation, we omit the formal definition of theRCCA-security game, which can be referred to [8].

Definition 1 (IND-RCCA, [8]). An ABE scheme with out-sourced decryption is said to be IND-RCCA secure, if all poly-nomial time adversaries have at most a negligible advantage inthe RCCA-security game.

We also define two weak security notions for ABE withoutsourced decryption: CPA security and selective security.An ABE scheme with outsourced decryption is said to besecure against chosen-plaintext attacks (CPA-secure) if both thedecryption oracle and the outsourcing decryption oracleare removed in the query phases. An ABE scheme withoutsourced decryption is said to be selectively secure if weadd an Init phase before Setup, where the adversary submitsthe challenge value I∗enc to the challenger.

We then consider the verifiability requirement of ABEwith outsourced decryption. Loosely speaking, an ABEscheme with outsourced decryption is an ABE scheme withverifiable outsourced decryption (or, is said to be verifiable),if the correctness of the transformation done by a proxycan be verified. Similarly, the verifiability requirement isalso formally described by a game between a challenger Cand an adversary A. We omit the formal definition of theverifiability game, which also can be referred to [8].

Definition 2 (Verifiability of Outsourced Decryption, [8]).An ABE scheme with outsourced decryption is an ABE schemewith verifiable outsourced decryption (or, is said to be verifiable)if all polynomial time adversaries have at most a negligibleadvantage in the verifiability game.

2.5 Ciphertext Verifiability and Delegatability of ABEwith Outsourced DecryptionWe consider the generic construction of RCCA-secure ABEwith verifiable outsourced decryption. In its security proof,since the underlying ABE with outsourced decryption isCPA-secure and cannot provide a decryption oracle, weneed another method to answer decryption queries. Herewe borrow the idea proposed by Yamada et al. [10] and needthe underlying ABE scheme with outsourced decryption tohave either ciphertext verifiability or delegatability.

Informally, say an ABE scheme with outsourced decryp-tion has the ciphertext verifiability property if it is possibleto verify whether a normal ciphertext will be recovered intothe same plaintext under two different decryption keys withtwo specific attributes. The formal definition is as follows.

Definition 3 (Ciphertext Verifiability). An ABE scheme withoutsourced decryption is said to have ciphertext verifiability ifthere exists a polynomial time algorithm Verify that takes as inputthe (omitted) public parameters params, a normal ciphertext ctand two distinct values Ikey, I ′key , and outputs b ∈ {0, 1,⊥}according to the following properties. Let Ienc be obtained fromparsing the ciphertext ct and (params,msk)← Setup(1λ, U).

If R(Ikey, Ienc)∧R(I ′key, Ienc) = 0, then Verify outputs ⊥.If R(Ikey, Ienc) ∧R(I ′key, Ienc) = 1, then:(Soundness) For all ct (which might be invalid) in the normal

ciphertext space,

Pr

Decrypt(skIkey , ct)

= Decrypt(skI′key

, ct):

Verify(ct, Ikey, I′key) = 1

skIkey ← KeyGen(msk, Ikey)]

skI′key← KeyGen(msk, I ′key)]

= 1.

(Completeness) For all m in the message space,

Pr[Verify(ct, Ikey, I′key) = 1: ct← Encrypt(m, Ienc)] = 1.

REMARKS. Definitions 2 and 3 define two different verifi-ability capabilities of ABE systems with outsourced decryp-tion respectively. The former depicts the capability to verifywhether the outsourced decryption done by a proxy is donecorrectly, while the latter depicts the capability to verifywhether a normal ciphertext will be recovered into the sameplaintext under two different decryption keys, which shouldsatisfy soundness and completeness defined above.

Informally, the delegatability property of ABE with out-sourced decryption is the capability to use a key for Ikeyto derive another key for I ′key , which is possible if I ′key isinferior than Ikey when considering a well-defined partialorder relation. Here we abuse notation ⊇ denoting thepartial order relation for both attribute set and access policy.

Definition 4 (Delegatability). An ABE scheme with out-sourced decryption is said to have delegatability if thereexists a polynomial time algorithm Delegate such thatthe output of Delegate(params, skIkey

, Ikey, I′key) and of

KeyGen(msk, I ′key) have the same probability distribution forall skIkey

output by KeyGen(msk, Ikey) and for all Ikey, I ′keysuch that Ikey ⊇ I ′key .

3 GENERIC CONSTRUCTIONS OF ABE WITH VER-IFIABLE OUTSOURCED DECRYPTION

In this section, we shall give generic constructions of CPA-secure and RCCA-secure ABE systems with verifiable out-sourced decryption from CPA-secure ABE system with out-sourced decryption respectively. Note that our constructionscan be also applied to selectively CPA-secure ABE systemswith outsourced decryption. And then, the resulting ABEsystems with verifiable outsourced decryption are only se-lectively CPA-secure/RCCA-secure as well.

Unlike the technique of separately encrypting an extrarandom message and then using this random message tocommit to the true message in [8], the method adopted inour CPA-secure construction is encrypting a message and arandom value together and then committing to the messageby using the random value. Our method brings significantbenefits. First, our construction is generic, and it has morecompact ciphertext and less computational costs. Second,such a generic CPA-secure construction can be transformedinto a generic RCCA-secure construction more naturally.



7

3.1 Generic CPA-Secure ConstructionNow, we give the generic construction of CPA-secure ABEwith verifiable outsourced decryption from CPA-secure ABEwith outsourced decryption. As we have said, in this con-struction, we employ a commitment scheme to verify thecorrectness of the outsourced decryption.

Let Π′ = (Setup′,KeyGen′,Encrypt′,Decrypt′,GenTK′out,Transform′out,Decrypt

′out) be an ABE scheme with out-

sourced decryption and let CS = (InitCom,Commit,Reveal)be a (non-interactive) commitment scheme. We constructan ABE scheme with verifiable outsourced decryption Π1 =(Setup,KeyGen,Encrypt,Decrypt,GenTKout,Transformout,Decryptout) as follows:Setup(1λ, U) It runs InitCom(1λ) to generate cp and runs

Setup′(1λ, U) to generate (params,msk). The publicparameters are (params, cp) and the master secret keyis msk.

KeyGen(msk, Ikey) It runs KeyGen′(msk, Ikey) to generateskIkey

. The private key is skIkey.

Encrypt(m, Ienc) To encrypt a message m under the valueIenc, it first chooses a random value r and then en-crypts the “message” m‖r. That is, it runs ct′ ←Encrypt′(m||r, Ienc). Then, it commits to m using thevalue r. That is, it runs cm ← Commit(m, r). The finalciphertext is 〈ct′, cm〉.

Decrypt(skIkey, ct) To decrypt a ciphertext ct, it first parses

ct as 〈ct′, cm〉 and then runs Decrypt′(skIkey, ct′). This

yields a “message” m‖r. If Reveal(m, r, cm) = 1 holds,it outputs m. Otherwise it outputs ⊥.

GenTKout(skIkey) It runs GenTK′out(skIkey

) to generate(tkIkey

, rkIkey). The transformation key is tkIkey

and thecorresponding retrieving key is rkIkey


) It parses the normal ciphertext ct as〈ct′, cm〉 and runs Transform′out(ct

′, tkIkey) to generate

pct. The partially-decrypted ciphertext is pct.Decryptout(ct, pct, rkIkey

) It parses the normal ciphertext ctas 〈ct′, cm〉 and runs Decrypt′out(ct

′, pct, rkIkey). This

yields a “message” m‖r. If Reveal(m, r, cm) = 1 holds,it outputs m. Otherwise, it outputs ⊥.

In the partially-decrypted ciphertext, we ignore the compo-nents that appears in the normal ciphertext. It is very ob-vious that this new ABE scheme with verifiable outsourceddecryption Π1 satisfies correctness.

3.2 Security Proofs of CPA-Secure ConstructionIn this subsection, we give the security proofs for the con-struction described above. First, we give the CPA-securityproof for the above construction as follows:

Theorem 1. Assume that the underlying ABE scheme with out-sourced decryption is (selectively) CPA-secure and the underlyingcommitment scheme is computationally hiding, then the aboveconstruction of ABE scheme with verifiable outsourced decryptionis (selectively) CPA-secure.

Proof. We assume that the equal-length challenge messageswhich the adversary submits in the challenge phase havelength l1. We also assume that the random value r used inalgorithm Encrypt has fixed length l2. The CPA security ofthe above scheme can be proved by defining the followinghybrid games:

• Game0: The original CPA-security game of ABE withverifiable outsourced decryption. Note that when theadversary submits two equal-length challenge mes-sages m0,m1 and a value I∗enc, the challenger flips arandom coin b ∈ {0, 1}, selects a random value r∗ andthen computes the challenge ciphertext componentsct′∗ and cm∗ by running ct′∗ ← Encrypt′(mb‖r∗, I∗enc)and cm∗ ← Commit(mb, r

∗), respectively.• Game1: Same as Game0 except that whenA submits two

equal-length challenge messages, the challenger sets thecomponent ct′∗ of the challenge ciphertext by runningct′∗ ← Encrypt′(0l1+l2 , I∗enc).

• Game2: Same as Game1 except that whenA submits twoequal-length challenge messages, the challenger sets thecomponent cm∗ of the challenge ciphertext by runningcm∗ ← Commit(0l1 , r∗).

We prove that based on the security of different primitives,the advantage of any PPT adversary in each game must benegligibly close to that in the previous game in the followingtwo lemmas. In the last game, since the challenge cipher-text is independent of the challenge messages chosen bythe adversary, the adversary has no advantage. Therefore,we conclude that the adversary in the original IND-CPAsecurity game (Game0) has a negligible advantage. Thiscompletes the proof of Theorem 1.

Lemma 1. If the underlying ABE scheme with outsourced de-cryption is CPA-secure, then no PPT adversary can attain a non-negligible difference in advantage between Game0 and Game1.

Proof. Suppose that there exists a PPT adversary A thatexhibits a non-negligible difference in advantage betweenGame0 and Game1, then we can build a simulator B thatattacks the underlying ABE scheme with outsourced de-cryption in the CPA-security game with a non-negligibleadvantage.

Let C be the corresponding challenger of B in the CPA se-curity game of the underlying ABE scheme with outsourceddecryption. B runs A to execute the following steps.Setup The challenger C runs (params,msk) ←

Setup′(1λ, U). The simulator B is given only thepublic parameters params and runs cp← InitCom(1λ).B then sends the public parameters (params, cp) to A.

Query Phase I When the adversary A queries the privatekey (resp. the transformation key) on Ikey , the simulatorB passes Ikey on to its own private key generationoracle (resp. transformation key generation oracle) andforwards the returned value to A.

Challenge The adversaryA submits two equal-length chal-lenge messages m0,m1 of length l1. It also submitsa value I∗enc such that R(Ikey, I

∗enc) = 0 for all Ikey

submitted to the private key generation oracle. Thesimulator B selects a random value r∗, flips a randomcoin b ∈ {0, 1} and computes cm∗ ← Commit(mb, r

∗).It then sends (M0,M1) = (mb‖r∗, 0l1+l2) and I∗enc to itsencryption oracle. The challenger C flips a random coinβ ∈ {0, 1} and runs ct′∗ ← Encrypt′(Mβ , I

∗enc). Lastly,

the simulator B is given ct′∗ and sends A the challengeciphertext 〈ct′∗, cm∗〉.

Query Phase II This phase is identical to Query Phase I.The only constraint is that A cannot request a privatekey query on Ikey which satisfies R(Ikey, I

∗enc) = 1.



8

Guess The adversary A outputs its guess b′ ∈ {0, 1}. Ifb′ = b, B outputs 0. Otherwise, it outputs 1.

It is a remarkable fact that, if the encryption query of Bis answered with an encryption of mb‖r∗ , then the viewof A is exactly as in Game0, otherwise the view of A isexactly as in Game1. Thus, if A can distinguish Game0 andGame1 with a non-negligible advantage, we can build analgorithm B that attacks the underlying CPA-secure ABEscheme with outsourced decryption with a non-negligibleadvantage. This completes the proof of Lemma 1.

Lemma 2. If the underlying commitment scheme is computation-ally hiding, then no PPT adversary can attain a non-negligibledifference in advantage between Game1 and Game2.

Proof. Suppose that there exists a PPT adversary A thatexhibits a non-negligible difference in advantage betweenGame1 and Game2, then we can build a simulator B thatattacks the hiding property of the underlying commitmentscheme with a non-negligible advantage.

Let C be the corresponding challenger of B in the hidingproperty game of the underlying commitment scheme. Bruns A to execute the following steps.Setup The challenger C runs cp ← InitCom(1λ). Given cp,B runs (params,msk)← Setup′(1λ, U) and then sendsthe public parameters (params, cp) to A.

Query Phase I Since the simulator B has the master secretkey msk, private key queries and transformation keyqueries can be answered in the natural way.

Challenge The adversaryA submits two equal-length chal-lenge messages m0,m1 of length l1. It also submitsa value I∗enc such that R(Ikey, I

∗enc) = 0 for all Ikey

submitted to the private key generation oracle. The sim-ulator B first computes ct′∗ ← Encrypt′(0l1+l2 , I∗enc).B then flips a random coin b ∈ {0, 1} and sends(M0,M1) = (mb, 0

l1) to the challenger C. C flipsa random coin β ∈ {0, 1} and computes cm∗ ←Commit(Mβ , r

∗), where r∗ is chosen from some properdomain. After receiving the commitment cm∗, B sendsA the challenge ciphertext 〈ct′∗, cm∗〉.

Query Phase II Further queries can be issued by A andthen can be answered by B in the natural way. The onlyconstraint is that A cannot request a private key queryon Ikey which satisfies R(Ikey, I

∗enc) = 1.


Obviously, if β = 0 then the view of A is exactly as inGame1, while if β = 1 then the view of A is exactly as inGame2. Thus, if A can distinguish Game1 and Game2 witha non-negligible advantage, we can build an algorithm Bthat breaks the hiding property of the underlying commit-ment scheme with a non-negligible advantage. Thus, thiscompletes the proof of Lemma 2.

Now, we give the proof of the verifiability of outsourceddecryption for the CPA-secure construction Π1 as follows:

Theorem 2. If the underlying commitment scheme is computa-tionally binding, then the above construction of ABE scheme withverifiable outsourced decryption is verifiable.

Proof. Suppose that there exists an adversary A that at-tacks the above ABE scheme with verifiable outsourced

decryption in the verifiability game with a non-negligibleadvantage, than we can build a simulator B which breaksthe binding property of the underlying commitment schemewith a non-negligible advantage. B runs A to execute thefollowing steps. Given the commitment parameters cp, Bruns (params,msk) ← Setup′(1λ) and sends the publicparameters (params, cp) to A. Since the simulator B hasthe master secret key msk, any query issued by A can beanswered in the natural way. When A submits a messagem∗ and a value I∗enc, B returns to A the challenge ciphertextct∗ = 〈ct′∗, cm∗〉 in the expected way. Further queries can beissued byA and then can be answered by B as above. Lastly,A outputs a value I∗key and a partially-decrypted ciphertextpct∗. We make a reasonable assumption that A has issued atransformation key query on I∗key (Notice that if not, B itselfcan issue such a transformation key query on I∗key). ThenB knows the quadruple (I∗key, skI∗key

, tkI∗key, rkI∗key

). A winsthe game if Decryptout(ct

∗, pct∗, rkI∗key) /∈ {m∗,⊥}.

If the adversary A wins in the above game, thenwe have that m′‖r′ ← Decrypt′out(ct

′∗, pct∗, rkI∗key) and

Reveal(m′, r′, cm∗) = 1, where m′ /∈ {m∗,⊥}. Thus, thesimulator B reveals two different messages m′ and m∗ fromthe commitment cm∗. It exactly violates the binding prop-erty of the underlying commitment scheme. This completesthe proof of Theorem 2.

3.3 Moving on to Generic RCCA-Secure ConstructionIn this subsection, we give the generic construction ofRCCA-secure ABE with verifiable outsourced decryptionfrom CPA-secure ABE with outsourced decryption. Supposethat we shall construct an ABE scheme with verifiableoutsourced decryption to work with a universe U . A set Wof dummy attributes, which is disjointed from U , is used inthe construction. The underlying CPA-secure ABE schemewith outsourced decryption is then required to work withuniverse U ∪W . A dummy attribute set Scom ⊂ W is as-sociated to an encapsulation string com of an encapsulationscheme. We assume that for all com, com ∈ {0, 1}l.

As in [10], the sets W and Scom are defined as fol-lows. If the underlying ABE with outsourced scheme is asmall universe scheme, we set W = {Pi,0, Pi,1}i∈[l]. Wethen generate dummy attribute set Scom ⊂ W by lettingScom = {Pi,comi}i∈[l], where comi is the ith bit of com. If theunderlying ABE with outsourced scheme is a large universescheme, we set W = {0, 1}l. We then generate dummyattribute set Scom ⊂W by simply letting Scom = {com}.

Let Π′ = (Setup′,KeyGen′,Encrypt′,Decrypt′,GenTK′out,Transform′out,Decrypt

′out) be an ABE scheme with

outsourced decryption which has ciphertext verifiability ordelegatability, let ES = (Init,Encap,Decap) be an encap-sulation scheme, let MA = (Mac,Ver) be a message au-thentication code, and let CS = (InitCom,Commit,Reveal)be a (non-interactive) commitment scheme. We constructan ABE scheme with verifiable outsourced decryption Π2 =(Setup,KeyGen,Encrypt,Decrypt,GenTKout,Transformout,Decryptout) as follows:Setup(λ,U) It runs InitCom(1λ) to generate cp, runs Init(λ)

to generate pub and runs Setup′(λ,U ∪W ) to generate(params,msk). The master secret key is msk and thepublic parameters are (params, pub, cp).



9

TABLE 1: How to setup I ′key , I ′enc and skt in each caseCP-ABE w/ Out. Dec. KP-ABE w/ Out. Dec.

I′keyIkey Ikey

Ikey ∪W Ikey

I′encIenc ∨A Ienc ∪ ScomIenc ∧A Ienc ∪ Scom

skt

b← Verify(ct′, Ikey , Scom)

if b = 1, skt = skIkey

else skt =⊥

b← Verify(ct′, Ikey , A)

if b = 1, skt = skIkey

else skt =⊥X = Ikey ∪WY = Ikey ∪ Scomskt ← Delegate(B,X, Y )

X = Ikey

Y = Ikey ∧Askt ← Delegate(B,X, Y )

Note. Here A = (∧P∈ScomP ) and B = skIkey. Above the dashed line

is the case that the underlying CPA-secure ABE scheme with outsourceddecryption has ciphertext verifiability, while below the dashed line isthe case that the underlying CPA-secure ABE scheme with outsourceddecryption has delegatability.

KeyGen(msk, Ikey) It sets I ′key according to Table 1 andruns KeyGen′(msk, I ′key) to generate skIkey

. The privatekey is skIkey

.Encrypt(m, Ienc) To encrypt a message m, it first sets I ′enc

according to Table 1. It then runs Encap(pub) to gen-erate (r, com, dec) and encrypts the “message” m‖decby running ct′ ← Encrypt′(m||dec, I ′enc). Next, it splitsr into two equal-length strings r1 and r2, denotedby r = r1‖r2. Lastly, it runs Macr1(ct′) to obtainan authentication code tag and runs Commit(m, r2)to generate a commitment cm. The final ciphertext isct = 〈com, ct′, tag, cm〉.

Decrypt(skIkey, ct) To decrypt a normal ciphertext ct =

〈com, ct′, tag, cm〉, it first generates an intermediatekey skt according to Table 1. If skt =⊥, it returns ⊥.Otherwise, it runs algorithm Decrypt′(skt, ct

′). If theresult is ⊥, it outputs ⊥ as well. Otherwise, this yieldsa “message” m‖dec. It then runs r ← Decap(com, dec)and parses r as r = r1‖r2. If r 6=⊥, Verr1(ct′, tag) = 1and Reveal(m, r2, cm) = 1, it outputs m. Otherwise itoutputs ⊥.

GenTKout(skIkey) It runs algorithm GenTK′out(skIkey

) togenerate (tkIkey

, rkIkey). The transformation key is

tkIkeyand the corresponding retrieving key is rkIkey


) It first parses the normal cipher-text ct as 〈com, ct′, tag, cm〉 and then runs algorithmTransform′out(ct

′, tkIkey) to generate pct. The partially-

decrypted ciphertext is pct.Decryptout(ct, pct, rkIkey

) It first parses the normal cipher-text ct as 〈com, ct′, tag, cm〉 and then runs algorithmDecrypt′out(ct

′, pct, rkIkey). If the result is ⊥, it out-

puts ⊥ as well. Otherwise, this yields a “message”m‖dec. It then runs r ← Decap(com, dec) and parsesr as r = r1‖r2. If r 6=⊥, Verr1(ct′, tag) = 1 andReveal(m, r2, cm) = 1, it outputs m. Otherwise it out-puts ⊥.

In the partially-decrypted ciphertext, we ignore the com-ponents that appears in the normal ciphertext. It is veryobvious that the proposed ABE scheme with verifiableoutsourced decryption Π2 satisfies correctness.

Now, we give the security proofs for the construction

described above. First, we give the RCCA-security proof forthe above construction as follows:

Theorem 3. Assume that the underlying ABE scheme withoutsourced decryption, which has the property of ciphertext ver-ifiability or delegatability, is (selectively) CPA-secure, the un-derlying encapsulation scheme is computationally hiding andcomputationally binding, the underlying message authenticationcode is a strong one-time message authentication code, and theunderlying commitment scheme is computationally hiding, thenthe above construction of ABE scheme with verifiable outsourceddecryption is (selectively) RCCA-secure.

The formal proof will be given in Appendix A.We then show that the above RCCA-secure construction

Π2 is verifiable as follows:

Theorem 4. If the underlying commitment scheme is computa-tionally binding, then the above construction of ABE scheme withverifiable outsourced decryption is verifiable.

The proof is extremely similar to the proof of Theorem 2.Since the simulator has the master secret key, any query canbe answered in the natural way. Finally, the simulator is ableto reveal two different messages from a commitment, whichexactly violates the binding property of the underlyingcommitment scheme. We omit the formal proof due to thespace limitation.REMARKS. As we know, an ABE scheme with outsourceddecryption just adds a transformation procedure to a tradi-tional ABE scheme in essence. So in our RCCA-secure con-struction, if we remove the component cm in the ciphertext,then the algorithms Setup, KeyGen, Encrypt and Decryptconstitute a CCA-secure ABE scheme. Hence, we obtain ageneric transformation from (selectively) CPA-secure ABEscheme to (selectively) CCA-secure ABE scheme. We omitthe proof, since it is quite similar to the proof of Theorem 3.

4 INSTANTIATION AND PERFORMANCE

In this section, we instantiate our CPA-secure constructionin the standard model and then evaluate its performancethrough implementations based on Charm. We emphasizeagain that a RCCA-secure scheme in the standard model canbe obtained by instantiating our RCCA-secure construction.

4.1 Selectively CPA-Secure InstantiationBased on Green et al.’s (small-universe and backwards-compatible variant1 of) selectively CPA-secure CP-ABEscheme with outsourced decryption, we construct a selec-tively CPA-secure CP-ABE scheme with verifiable outsourceddecryption. In this construction, we use the hybrid encryp-tion method and employ Pedersen Commitment [11]. Notethat Pedersen Commitment is computationally binding andperfectly hiding. We describe our instantiation as follows:Setup(1λ, U) On input a security parameter λ and a de-

scription of (small) attribute universe U , the systemsetup algorithm first runs G(λ) to obtain a descriptionof a bilinear group (p,G,GT, e), where G and GT are(multiplicative) cyclic groups of prime order p. It then

1. Based on Waters’ small-universe CP-ABE scheme [9] and Green etal.’s key blinding technique [5], such a variant can be easily constructed.



10

chooses a generator g of group G, picks exponentsα, a and {si}i∈U from Zp uniformly at random, andselects elements g1, g2 ∈ G uniformly at random. LetG : GT → {0, 1}∗ be a pseudorandom generator withsufficiently-long output length (e.g., constructed by firsthashing elements of GT and then using a suitablemodification of a block cipher). Let H : {0, 1}∗ → Zpbe a collision-resistant cryptographic hash function.The public parameters are published as params =(p,G,GT, e, g, g1, g2, g

a, e(g, g)α, {Ti = gsi}i∈U , G,H).The master secret key is kept as msk = α.

KeyGen(msk,S) On input the master security key mskand a set of attributes S , the key generation algorithmpicks an exponent t ∈ Zp uniformly at random, andoutputs the private key as skS = (S,K = gαgat,K0 =gt, {Ki = T ti }i∈S).

Encryption(m,A) On input a message m and an LSSS ac-cess structure A = (A, ρ), where A is an l × n ma-trix and ρ is a map from each row Ai of A to anattribute ρ(i), the encryption algorithm first choosesrandom r ∈ {0, 1}∗, and picks random exponents~v = (s, v2, . . . , vn) ∈ Znp and ri ∈ Zp for each rowAi of A. Next, it computes C = (m‖r) ⊕ G(e(g, g)αs),C0 = gs, {C1,i = gaAi~vT riρ(i)}i∈[l], {C2,i = gri}i∈[l]and cm = g

H(m)1 g

H(r)2 . Lastly, it outputs the ciphertext

ct =(A, C, C0, {C1,i}i∈[l], {C2,i}i∈[l], cm

).

Decrypt(skS , ct) the decryption algorithm takes as input aprivate key skS = (S,K,K0, {Ki}i∈S) and a ciphertextct = (A, C, C0, {C1,i}i∈[l], {C2,i}i∈[l], cm). If S does notsatisfy the access structure A, it outputs⊥. Suppose thatS satisfies A and let I ⊂ [l] be defined as I = {i : ρ(i) ∈S}. It then computes constants ωi ∈ Zp for i ∈ I suchthat

∑i∈I ωiAi = (1, 0, . . . , 0). Lastly, it computes

Z =e(C0,K)∏

i∈I(e(C1,i,K0) · e(C2,i,Kρ(i)))ωi= e(g, g)αs

and (m‖r) = C ⊕ G(Z). If gH(m)1 g

H(r)2 = cm holds, it

outputs m. Otherwise, it outputs ⊥.GenTKout(skS) On input a private key skS =

(S,K,K0, {Ki}i∈S), the transformation key generationalgorithm first chooses a random exponent z ∈ Zp.Note that z has multiplicative inverse with overwhelm-ing probability. It then sets the transformation key astkS = (S,K ′ = K1/z,K ′0 = K

1/z0 , {K ′i = K

1/zi }i∈S)

and the corresponding retrieving key as rkS = z.Transformout(ct, tkS) The ciphertext transformation algo-

rithm takes as input a normal ciphertext ct =(A, C, C0, {C1,i}i∈[l], {C2,i}i∈[l], cm

)and a transforma-

tion key tkS = (S,K ′,K ′0, {K ′i}i∈S) for S . It computesthe partially-decrypted ciphertext pct as

pct =e(C0,K

′)∏i∈I(e(C1,i,K ′0) · e(C2,i,K ′ρ(i)))

ωi= e(g, g)αs/z.

Here we ignore the components (A, C, cm) which ap-pears in the normal ciphertext.

Decryptout(ct, pct, rkS) On input a normal ciphertextct = (A, C, C0, {C1,i}i∈[l], {C2,i}i∈[l], cm), a partially-decrypted ciphertext pct = e(g, g)αs/z and a retrievingkey rkS = z for an attributes set S , the outsourcingdecryption algorithm computes (m‖r) = C ⊕ G(pctz).

If gH(m)1 g

H(r)2 = cm holds, it outputs m. Otherwise, it

outputs ⊥.It is not difficult to see that this concrete scheme satisfies thecorrectness requirement. Regarding secuirty, the underlyingCP-ABE scheme with outsourced decryption is obtained byapplying Green et al.’s key blinding technique [5] to Waters’small-universe CP-ABE scheme [9]. Since Waters’ CP-ABEscheme is selectively CPA-secure and Pedersen Commit-ment is computationally binding and perfectly hiding, thisscheme is selectively CPA-secure in the standard model andverifiable according to Theorem 1 and Theorem 2.

4.2 PerformanceWe implemented both the above selectively CPA-secureinstantiation and Lai et al.’s scheme [8] in software basedon Charm [13] (version 0.41b). As in [5], we implementedthese two schemes using a MNT224 elliptic curve, whichimplies the use of asymmetric groups equipped with apairing e of the form G1×G2 → GT. In our implementations,we also used the hybrid encryption method as in [5]. Wefirst implemented a key encapsulation mechanism (KEM)variant of Waters’ CP-ABE scheme. A symmetric sessionkey is then computed from this attribute-based KEM variantand all the messages are encrypted under this session key byusing a symmetric encryption scheme (In our experiments,we used AES encryption in CBC mode).

Our platform consists of a desktop computer and anAndroid mobile phone, which are modeled as the powerfulproxy and the resource-limited data consumer respectively.Concretely, all our benchmarks were executed on thesetwo dedicated hardware platforms, a desktop computer(equipped with a dual core Intel(R) CPU [email protected] 2.0 GB RAM) running 32-bit Archlinux (Kernel version3.17.3) and Python 3.4.2, and a Samsung Galaxy Note IIsmartphone (equipped with an ARM-based CPU Exynos-4412@1638MHz and 2.0 GB RAM) running Android OS 4.3,Scripting Layer for Android (SL4A) r5 and Python 3.

Overall, we adopted similar experimental methods asthose described in [5] and [8]. We generated access policiesin the form of (A1 and . . . and AN ), where each Ai is an at-tribute. By increasing values ofN from 1 to 100, we obtained100 different access polices. With each access policy, we thenconstructed a corresponding (normal) decryption key thatexactly containsN attributes. For accuracy, we also repeatedour experiments 100 times on the desktop computer and 30times on the smartphone for each scheme, and then took theaverage values as the experimental results.

Fig. 2 illustrates the final experimental results. The nor-mal ciphertext size in our scheme is much smaller than theone in Lai et al.’s scheme. The same situation happens tothe partially-decrypted ciphertext size. In our scheme, todecrypt a normal ciphertext with policy consisting of 100attributes, it takes almost 11 seconds on the smartphoneand takes about 3 seconds on the desktop computer. Thecomputational costs are much smaller than those in Laiet al.’s scheme. Another observation is that outsourcingdecryption from the resource-limited smartphone to thepowerful computer can significantly reduce the computa-tional costs of the smartphone. As we see, with outsourceddecryption, it only takes about 25 milliseconds to decrypt onthe smartphone device in our scheme.



11

0 20 40 60 80 100

Number of policy attributes (N)

0

10

20

30

40

Siz

e in k

byte

s

Our CPA-secure schemeLai et al.'s scheme

(a) Normal Ciphertext Size

0 20 40 60 80 100


0

0.2

0.4

0.6

0.8

1

Siz

e in k

byte

s


(b) Partially-Decrypted Ciphertext Size

0 20 40 60 80 100


0

0.5

1

1.5

2

2.5

3

3.5

Tim

e in s

eco

nds


(c) ABE Encryption Time on Intel

0 20 40 60 80 100


0

1

2

3

4

5

6

Tim

e in s

eco

nds


(d) Transformation Time on Intel

0 20 40 60 80 100


0

5

10

15

20

Tim

e in s

eco

nds

Our CPA-secure scheme on IntelOur CPA-secure scheme on ARMLai et al.'s scheme on IntelLai et al.'s scheme on ARM

(e) ABE Normal Decryption Time

0 20 40 60 80 100


0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

Tim

e in s

eco

nds

Our CPA-secure scheme on IntelOur CPA-secure scheme on ARMLai et al.'s scheme on IntelLai et al.'s scheme on ARM

(f) Final Decryption Time

Fig. 2: Simulation results of our and Lai et al.’s selectively CPA-secure systems.

5 CONCLUSION

We have presented generic constructions of CPA-secure andRCCA-secure ABE with verifiable outsourced decryptionfrom CPA-secure ABE with outsourced decryption, respec-tively. Note that the techniques involved in RCCA-secureconstruction can be applied in generally constructing CCA-secure ABE from CPA-secure ABE. We have instantiatedthe CPA-secure construction in the standard model. Also ofimportance is the fact that a RCCA-secure ABE scheme withverifiable outsourced decryption in the standard model canbe easily obtained from our generic RCCA-secure construc-tion. We have then implemented our CPA-secure instantia-tion. The experimental results show that, compared with theexisting selectively CPA-secure system, our instantiation hasmore compact ciphertext and less computational costs.

APPENDIX APROOF OF THEOREM 3Proof. Here we shall give the proof of Theorem 3 for the caseof CP-ABE with verifiable outsourced decryption (namely,Ikey = S and Ienc = A) and the underlying CP-ABEwith outsourced decryption has the property of ciphertextverifiability. The theorem for other cases can be proved ina similar way. We assume that the equal-length challengemessages which the adversary submits in the challengephase have length l1. We also assume all the values decoutput by algorithm Encap have fixed length l3.

Let r∗, com∗, dec∗ denote the values that are generatedby Encap(pub) in computing the challenge ciphertext. Sincethese values are generated independently of A’s actions,we may assume these values are generated at the outsetof the experiment. Assume that r∗ = r∗1‖r∗2 . Let Succ denote

the event that the bit b′ output by A is equal to the bitb used in constructing the challenge ciphertext. Let Validdenote the event that A at some point submits a validnormal ciphertext 〈com∗, ct′, tag, cm〉 to its decryption oroutsourcing decryption oracle. Say a ciphertext is “valid”if its decryption does not result in ⊥. Let NoBind denotethe event that A at some point submits a normal cipher-text 〈com∗, ct′, tag, cm〉 to its decryption or outsourcingdecryption oracle such that ct′ decrypts to m‖dec andDecap(pub, com∗, dec) = r′ /∈ {r∗,⊥}. Let Forge denotethe event that A at some point submits a normal ciphertext〈com∗, ct′, tag, cm〉 to its (outsourcing) decryption oraclesuch that Verr∗1 (ct′, tag) = 1. To prove this theorem, wedefine a sequence of games. Denote by Pri[·] the probabilityof a particular event occurring in Gamei.

Game0 is the original RCCA-security game of ABE withverifiable outsourced decryption. Note that when the adver-sary submits two equal-length challenge messages m0,m1

and an access structure A∗, the challenger flips a randomcoin b ∈ {0, 1}, generates another access structure A′∗ =A∗ ∨ (∧P∈Scom∗P ) according to Table 1, and then computesthe challenge ciphertext components ct′∗, tag∗ and cm∗ byrunning ct′∗ ← Encrypt′(mb‖dec∗,A′∗), tag∗ ← Macr∗1 (ct′∗)and cm∗ ← Commit(mb, r

∗2), respectively.

Game1 is same as Game0 except that on input a normalciphertext of the form 〈com∗, ct′, tag, cm〉, the decryptionoracle (or the outsourcing decryption oracle) simply out-puts ⊥. Obviously, Game1 is identical to Game0 until eventValid occurs and we also have Pr0[Valid] = Pr1[Valid] ≤Pr1[NoBind] + Pr1[Forge]. Note that this upper bound isrelaxed since event Forge also contains the situation thatalgorithm Reveal of the underlying commitment outputs0, which indicates that the ciphertext is not valid. Thus,



12

|Pr1[Succ]− Pr0[Succ]| ≤ Pr1[NoBind] + Pr1[Forge].We show that Pr1[NoBind] is negligible. Consider a sim-

ulator B which runs A to execute the following steps: given(pub, com∗, dec∗), B runs (params,msk)← Setup′(1λ, U ∪W ), cp ← InitCom(1λ) and sends the public parameters(params, pub, cp) to A. Since B has the master secret keymsk, any query issued by A can be answered in thenatural way. Specifically, on input a normal ciphertext ofthe form 〈com∗, ct′, tag, cm〉, the decryption oracle (or theoutsourcing decryption oracle) simply outputs ⊥. When Asubmits two equal-length challenge messages m0, m1 andan access structure A∗, B runs r∗ ← Decap(pub, com∗, dec∗)and returns to A the challenge ciphertext in the expectedway. Further queries with the restrictions defined in thesecurity model can be issued by A and then can be an-swered by B in the natural way. Lastly, B just ignores A’sguess. In this game, B can decrypt every query of the form〈com∗, ct′, tag, cm〉 since it has the master secret key. Ifevent NoBind occurs, there exists at least a value dec′ suchthat Decap(pub, com∗, dec′) = r′ /∈ {r∗,⊥}, which exactlyviolates the binding property of the underlying encapsula-tion scheme. Hence, Pr1[NoBind] must be negligible.

Game2 is same as Game1 except that the challenger setsthe component ct′∗ of the challenge ciphertext by runningct′∗ ← Encrypt′(0l1+l3 ,A′∗). We show that |Pr2[Succ] −Pr1[Succ]| is negligible. To see this, consider a simulatorB attacking the underlying ABE scheme with outsourceddecryption in the CPA-security game. Let C be the corre-sponding challenger of B in the CPA-security game of theABE scheme. B runs A to execute the following steps.Setup C runs (params,msk) ← Setup′(1λ, U ∪W ). Given

the public parameters params, B runs pub ← Init(λ),cp ← InitCom(1λ) and (r∗, com∗, dec∗) ← Encap(pub).Note that we can parse r∗ as r∗1‖r∗2 . Lastly, B sends thepublic parameters (params, pub, cp) to A.

Query Phase I B initializes an empty table T and an emptyset D. A can adaptively issue a polynomial number of thefollowing queries. Note that on input a normal ciphertextof the form 〈com∗, ct′, tag, cm〉, the decryption oracle (orthe outsourcing decryption oracle) simply outputs ⊥.• Private key query 〈S〉: B queries its own key generation

oracle on S to obtain a private key skS , which is givento A. Additionally, B sets D = D ∪ {S}.

• Transformation key query 〈S〉: If there exists an entry(S, tkS) in table T , B obtains this entry. Otherwise, Bqueries its own transformation key generation oracleon S to obtain tkS , and stores in the table T the entry(S, tkS). tkS is given to A as the transformation key.

• Decryption query 〈S, ct〉: When A submits (S, ct)where ct = 〈com, ct′, tag, cm〉, B first checks whetherVerify(ct,S, Scom) = 1 holds. If so, then B returns ⊥.Otherwise B queries its own private key generationoracle on Scom and is given skScom

. Lastly, it returns theoutput of Decrypt(skScom

, ct) to A.• Outsourcing decryption query 〈S, ct, ct′〉: B searches in

table T the entry (S, tkS). If such an entry does notexist, it returns the failure symbol ⊥. Otherwise, itchecks whether pct = Transformout(ct, tkS) holds. If so,B returns the failure symbol ⊥ as well. Otherwise, Bqueries the above decryption oracle on (S, ct) by itselfand returns the output to A.

Challenge A submits two l1-length challenge messagesm0,m1 and an access structure A∗. B first flips a randomcoin b ∈ {0, 1} and sends C the messages (M0,M1) =(mb‖dec∗, 0l1+l3) and A′∗. C flips a random coin β ∈{0, 1}, runs ct′∗ ← Encrypt′(Mβ ,A′∗) and sends ct′∗

to B. Lastly, B runs tag∗ ← Macr∗1 (ct′∗) and cm∗ ←Commit(mb, r

∗2), and then sendsA the challenge ciphertext

〈com∗, ct′∗, tag∗, cm∗〉.Query Phase II This phase is identical to Query Phase I,but with the restrictions defined in the security model.


It is a remarkable fact that, if the encryption query of B isanswered with an encryption of mb‖dec∗ , then the viewof A is exactly as in Game1, otherwise the view of A isexactly as in Game2. Thus, if A can distinguish Game1 andGame2 with a non-negligible advantage, we then can buildan algorithm B that attacks the underlying CPA-secure ABEscheme with outsourced decryption with a non-negligibleadvantage. That is, |Pr2[Succ]− Pr1[Succ]| is negligible.

Similarly, |Pr2[Forge]−Pr1[Forge]| is negligible. The proofis extremely similar to the above proof. The only differenceis that B runs A to completion and then checks whetherA has made any decryption query (or outsourcing decryp-tion query), in which the normal ciphertext has the form〈com∗, ct′, tag, cm〉 and Verr∗1 (ct′, tag) = 1. If so, B outputs1. Otherwise, B outputs 0.

Game3 is same as Game2 except that the challengerchooses a random value r = r1‖r2 uniformly from someproper domain, and sets the components tag∗ and cm∗ ofthe challenge ciphertext by running tag∗ ← Macr1(ct′∗)and cm∗ ← commit(mb, r2), respectively. We show that|Pr3[Succ] − Pr2[Succ]| is negligible. To see this, considera simulator B breaking the hiding property of the un-derlying encapsulation scheme. B runs A to execute thefollowing steps: first, the challenger runs pub ← Init(λ)and (r0, com

∗, dec∗) ← Encap(pub). It also selects a ran-dom value r1 from some proper domain. It then choosesa random bit β ∈ {0, 1}, and sends (pub, com∗, rβ) toB. B then runs (params,msk) ← Setup′(1λ, U ∪ W ),cp ← InitCom(1λ) and sends the public parameters(params, pub, cp) to A. Since B has the master secretkey msk, any query can be answered in the naturalway. Note that on input a normal ciphertext of the form〈com∗, ct′, tag, cm〉, the decryption oracle (or the outsourc-ing decryption oracle) simply outputs ⊥. When A submitstwo l1-length challenge messages m0,m1 and an accessstructure A∗, B flips a random coin b ∈ {0, 1} and runsct′∗ ← Encrypt′(0l1+l3 ,A′∗). It then parses rβ as rβ = r1‖r2,and runs tag∗ ← Macr1(ct′∗) and cm∗ ← Commit(mb, r2).The challenge ciphertext ct∗ = 〈com∗, ct′∗, tag∗, cm∗〉. Fur-ther queries with the restrictions defined in the securitymodel can be issued by A and then can be answered byB in the natural way. Lastly, A outputs its guess b′ ∈ {0, 1}.If b′ = b, B outputs 0, otherwise, it outputs 1. Obviously,if rβ is such that (rβ , com

∗, dec∗) was output by Init(pub)then the view of A is exactly as in Game2, while if rβ ischosen at random independently of com∗ then the viewof A is exactly as in Game3. Hence, if A can distinguishGame2 and Game3 with a non-negligible advantage, we canbuild an algorithm B that attacks the hiding property of



13

the underlying encapsulation scheme with a non-negligibleadvantage. That is, |Pr3[Succ]− Pr2[Succ]| is negligible.

Note that event Forge in Game3 is defined as before, butusing the random key r1. Similarly, |Pr3[Forge]−Pr2[Forge]|is negligible. The proof is extremely similar to the aboveproof. The only difference is that B runs A to completionand then checks whetherA has made any decryption or out-sourcing decryption query, in which the normal ciphertexthas the form 〈com∗, ct′, tag, cm〉 and Verr1(ct′, tag) = 1. Ifso, B outputs 1. Otherwise, B outputs 0.

We show that Pr3[Forge] is also negligible. In Game3, wemake a reasonable assumption that A is allowed to makeat most q decryption queries and outsourcing decryptionqueries, where q is polynomial. We also assume that thenormal ciphertext submitted in ith (outsourcing) decryptionquery is 〈comi, ct

′i, tagi, cmi〉. We construct a simulator B

breaking the underlying strong one-time message authen-tication code MA. B first selects a random index j ∈ [q]and then begins simulating Game3 for A in the natural way.If the jth (outsourcing) decryption query occurs before thechallenge phase, B halts and outputs 〈ct′j , tagj〉. Otherwise,when A submits two l1-length challenge messages m0,m1

and an access structure A∗, B flips a random coin b ∈ {0, 1}and selects r = r1‖r2 uniformly at random from someproper domain. It then runs ct′∗ ← Encrypt′(0l1+l3 ,A′∗).B submits ct′∗ to its Mac oracle and is given tag∗. It alsoruns cm∗ ← Commit(mb, r2). Next, B gives the challengeciphertext ct∗ = 〈com∗, ct′∗, tag∗, cm∗〉 to A and continuesrunning A until the jth (outsourcing) decryption queryoccurs. Then, B halts and outputs 〈ct′j , tagj〉. Note that thesuccess probability of B in outputting a valid forgery is atleast Pr3[Forge]/q. Since MA is a strong one-time messageauthentication code and q is polynomial, then Pr3[Forge] isnegligible. Hence, by using the triangle inequality principle,we obtain that Pr1[Forge] is negligible. Sequentially, weobtain that |Pr1[Succ]− Pr0[Succ]| is negligible.

Game4 is same as Game3 except that the challenger setsthe component cm∗ of the challenge ciphertext by runningcm∗ ← commit(0l1 , r2). We then have |Pr4[Succ]−Pr3[Succ]|is negligible. Due to the space limitation, we omit the proof,which is similar to the proof of Lemma 2. Moreover, in thisgame, since the challenge ciphertext is independent of thechallenge messages chosen by the adversary, the adversaryhas no advantage. That is, |Pr4[Succ]− 1/2| = 0.

Finally, by using the triangle inequality principle again,we have that |Pr0[Succ] − 1/2| is negligible. Therefore, weconclude that the adversary in the original IND-RCCAsecurity game (Game0) has a negligible advantage. Thiscompletes the proof of Theorem 3.

ACKNOWLEDGMENTS

This work is supported by the National Natural Sci-ence Foundation of China (61133014, 61272413, 61272534,61300226 and 61472165), the Guangdong Provincial Natu-ral Science Foundation (S2013040014826), the Program forNew Century Excellent Talents in University (NCET-12-0680), the Project of Science and Technology New Star ofGuangzhou Pearl Rivel, the Fok Ying Tung Education Foun-dation (131066), and the Research Fund for the DoctoralProgram of Higher Education of China (20134401110011,20134401120017).

REFERENCES

[1] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” inAdvances in Cryptology EUROCRYPT 2005, ser. Lecture Notes inComputer Science, R. Cramer, Ed. Springer Berlin Heidelberg,2005, vol. 3494, pp. 457–473.

[2] D. Boneh, A. Sahai, and B. Waters, “Functional encryption: Defini-tions and challenges,” in Theory of Cryptography, ser. Lecture Notesin Computer Science, Y. Ishai, Ed. Springer Berlin Heidelberg,2011, vol. 6597, pp. 253–273.

[3] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-basedencryption for fine-grained access control of encrypted data,” inProceedings of the 13th ACM conference on Computer and communica-tions security, ser. CCS ’06. New York, NY, USA: ACM, 2006, pp.89–98.

[4] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policyattribute-based encryption,” in Proceedings of the 2007 IEEE Sym-posium on Security and Privacy, ser. SP ’07. Washington, DC, USA:IEEE Computer Society, 2007, pp. 321–334.

[5] M. Green, S. Hohenberger, and B. Waters, “Outsourcing the de-cryption of abe ciphertexts,” in In: Proceedings of the 20th USENIXConference on Security, SEC 2011. San Francisco, CA, USA:USENIX Association, Berkeley, 2011.

[6] E. Fujisaki and T. Okamoto, “Secure integration of asymmetricand symmetric encryption schemes,” in Advances in Cryptology -CRYPTO ’99, ser. Lecture Notes in Computer Science, M. Wiener,Ed. Springer Berlin Heidelberg, 1999, vol. 1666, pp. 537–554.

[7] R. Canetti, O. Goldreich, and S. Halevi, “The random oraclemethodology, revisited (preliminary version),” in Proceedings of theThirtieth Annual ACM Symposium on Theory of Computing, ser. STOC’98. New York, NY, USA: ACM, 1998, pp. 209–218.

[8] J. Lai, R. Deng, C. Guan, and J. Weng, “Attribute-based encryp-tion with verifiable outsourced decryption,” IEEE Transactions onInformation Forensics and Security, vol. 8, no. 8, pp. 1343–1354, Aug2013.

[9] B. Waters, “Ciphertext-policy attribute-based encryption: an ex-pressive, efficient, and provably secure realization,” in Proceedingsof the 14th international conference on Practice and theory in publickey cryptography conference on Public key cryptography, ser. PKC’11.Berlin, Heidelberg: Springer-Verlag, 2011, pp. 53–70.

[10] S. Yamada, N. Attrapadung, G. Hanaoka, and N. Kunihiro,“Generic constructions for chosen-ciphertext secure attributebased encryption,” in Public Key Cryptography - PKC 2011, ser.Lecture Notes in Computer Science, D. Catalano, N. Fazio, R. Gen-naro, and A. Nicolosi, Eds. Springer Berlin Heidelberg, 2011, vol.6571, pp. 71–89.

[11] T. Pedersen, “Non-interactive and information-theoretic secureverifiable secret sharing,” in Advances in Cryptology -CRYPTO’91, ser. Lecture Notes in Computer Science, J. Feigenbaum, Ed.Springer Berlin Heidelberg, 1992, vol. 576, pp. 129–140.

[12] D. Boneh and J. Katz, “Improved efficiency for CCA-secure cryp-tosystems built using identity-based encryption,” in Topics inCryptology - CT-RSA 2005, ser. Lecture Notes in Computer Science,A. Menezes, Ed. Springer Berlin Heidelberg, 2005, vol. 3376, pp.87–103.

[13] J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan,M. Green, and A. D. Rubin, “Charm: a framework for rapidlyprototyping cryptosystems,” Journal of Cryptographic Engineering,vol. 3, no. 2, pp. 111–128, 2013.

[14] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryptionwith non-monotonic access structures,” in Proceedings of the 14thACM Conference on Computer and Communications Security, ser. CCS’07. New York, NY, USA: ACM, 2007, pp. 195–203.

[15] L. Cheung, J. A. Cooley, R. Khazan, and C. Newport, “Collusion-resistant group key management using attribute-based encryp-tion,” Group-Oriented Cryptographic Protocols, p. 23, 2007.

[16] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters,“Fully secure functional encryption: attribute-based encryptionand (hierarchical) inner product encryption,” in Proceedings of the29th Annual international conference on Theory and Applications ofCryptographic Techniques, ser. EUROCRYPT’10. Berlin, Heidelberg:Springer-Verlag, 2010, pp. 62–91.

[17] S. Muller, S. Katzenbeisser, and C. Eckert, “Distributed attribute-based encryption,” in Information Security and Cryptology — ICISC2008, P. J. Lee and J. H. Cheon, Eds. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 20–36.



14

[18] T. Okamoto and K. Takashima, “Fully secure functional encryptionwith general relations from the decisional linear assumption,” inProceedings of the 30th Annual Conference on Advances in Cryptology,ser. CRYPTO’10. Berlin, Heidelberg: Springer-Verlag, 2010, pp.191–208.

[19] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based datasharing with attribute revocation,” in Proceedings of the 5th ACMSymposium on Information, Computer and Communications Security,ser. ASIACCS ’10. New York, NY, USA: ACM, 2010, pp. 261–270.

[20] J. Hur and D. K. Noh, “Attribute-based access control with ef-ficient revocation in data outsourcing systems,” Parallel and Dis-tributed Systems, IEEE Transactions on, vol. 22, no. 7, pp. 1214–1221,2011.

[21] G. Wang, Q. Liu, and J. Wu, “Hierarchical attribute-based encryp-tion for fine-grained access control in cloud storage services,” inProceedings of the 17th ACM conference on Computer and communica-tions security, ser. CCS ’10. New York, NY, USA: ACM, 2010, pp.735–737.

[22] S. Jahid, P. Mittal, and N. Borisov, “Easier: encryption-based accesscontrol in social networks with efficient revocation,” in Proceedingsof the 6th ACM Symposium on Information, Computer and Communi-cations Security, ser. ASIACCS ’11. New York, NY, USA: ACM,2011, pp. 411–415.

[23] M. Chase, “Multi-authority attribute based encryption,” in Pro-ceedings of the 4th conference on Theory of cryptography, ser. TCC’07.Berlin, Heidelberg: Springer-Verlag, 2007, pp. 515–534.

[24] M. Chase and S. S. Chow, “Improving privacy and security inmulti-authority attribute-based encryption,” in Proceedings of the16th ACM conference on Computer and communications security, ser.CCS ’09. New York, NY, USA: ACM, 2009, pp. 121–130.

[25] A. Lewko and B. Waters, “Decentralizing attribute-based encryp-tion,” in Proceedings of the 30th Annual international conferenceon Theory and applications of cryptographic techniques: advances incryptology, ser. EUROCRYPT’11. Berlin, Heidelberg: Springer-Verlag, 2011, pp. 568–588.

[26] B. G. Kang, M. S. Lee, and J. H. Park, “Efficient delegation of pair-ing computation,” Cryptology ePrint Archive, Report 2005/259,2005, http://eprint.iacr.org/.

[27] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert,E. de Panafieu, and C. Rafols, “Attribute-based encryptionschemes with constant-size ciphertexts,” Theoretical Computer Sci-ence, vol. 422, no. 0, pp. 15 – 38, 2012.

[28] S. Hohenberger and B. Waters, “Attribute-based encryption withfast decryption,” in Public-Key Cryptography PKC 2013, ser. LectureNotes in Computer Science, K. Kurosawa and G. Hanaoka, Eds.Springer Berlin Heidelberg, 2013, vol. 7778, pp. 162–179.

[29] J. Li, X. Huang, J. Li, X. Chen, and Y. Xiang, “Securely out-sourcing attribute-based encryption with checkability,” Parallel andDistributed Systems, IEEE Transactions on, vol. 25, no. 8, pp. 2201–2210, Aug 2014.

[30] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grainedaccess control system based on outsourced attribute-based encryp-tion,” in Computer Security-ESORICS 2013, ser. Lecture Notes inComputer Science, J. Crampton, S. Jajodia, and K. Mayes, Eds.Springer Berlin Heidelberg, 2013, vol. 8134, pp. 592–609.

[31] J. Li, C. Jia, J. Li, and X. Chen, “Outsourcing encryption ofattribute-based encryption with mapreduce,” in Proceedings of the14th International Conference on Information and CommunicationsSecurity, ser. ICICS’12. Berlin, Heidelberg: Springer-Verlag, 2012,pp. 191–201.

[32] R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiablecomputing: Outsourcing computation to untrusted workers,” inAdvances in Cryptology CRYPTO 2010, ser. Lecture Notes in Com-puter Science, T. Rabin, Ed. Springer Berlin Heidelberg, 2010, vol.6223, pp. 465–482.

[33] K.-M. Chung, Y. Kalai, and S. Vadhan, “Improved delegation ofcomputation using fully homomorphic encryption,” in Advances inCryptology CRYPTO 2010, ser. Lecture Notes in Computer Science,T. Rabin, Ed. Springer Berlin Heidelberg, 2010, vol. 6223, pp.483–501.

[34] C. Gentry, “Fully homomorphic encryption using ideal lattices,” inSTOC ’09: Proceedings of the 41st annual ACM symposium on Theoryof computing. New York, NY, USA: ACM, 2009, pp. 169–178.

[35] C. Gentry and S. Halevi, “Implementing gentry’s fully-homomorphic encryption scheme,” in Proceedings of the 30th An-nual international conference on Theory and applications of crypto-

graphic techniques: advances in cryptology, ser. EUROCRYPT’11.Berlin, Heidelberg: Springer-Verlag, 2011, pp. 129–148.

[36] R. Canetti, H. Krawczyk, and J. B. Nielsen, “Relaxing chosen-ciphertext security,” in in Advances in Cryptology: CRYPTO 2003.Springer, 2003, pp. 565–582.

Xianping Mao received his M.S. degree in com-puter science and technology from China Uni-versity of Mining and Technology, China, in 2007.Currently, he is a Ph.D. candidate in Departmentof Computer Science and Engineering, Shang-hai Jiao Tong University, China. His researchinterests include cloud computing, informationsecurity and public-key cryptography.

Junzuo Lai received his Ph.D. degree in com-puter science and technology from ShanghaiJiao Tong University, China, in 2010. From Au-gust 2008 to April 2013, he was a researchfellow in Singapore Management University. Cur-rently, he is a research professor in School ofInformation Technology, Jinan University, China.His research interests include cryptography andinformation security.

Qixiang Mei received his Ph.D. degree fromSouthwest Jiaotong University, China, in 2006.From March 2009 to April 2011, he was a post-doc in State Key Laboratory of Information Secu-rity, China. Currently, he is an associate profes-sor in College of Information, Guangdong OceanUniversity, China. His research interests includeinformation security and public-key cryptogra-phy.

Kefei Chen received his Ph.D. degree from Jus-tus Liebig University Giessen, Germany, in 1994.From 1996 to 2013, he was a professor in De-partment of Computer Science and Engineering,Shanghai Jiao Tong University, China. Currently,he is a Distinguished Professor in School of Sci-ence, Hangzhou Normal university, China. Hisresearch interests include cryptography and net-work security.

Jian Weng received his Ph.D. degree in com-puter science and engineering from ShanghaiJiao Tong University, China, in 2008. From April2008 to March 2010, he was a postdoc in Schoolof Information Systems, Singapore ManagementUniversity. Currently, he is a professor and vicedean in School of Information Technology, JinanUniversity. His research interests include cryp-tography and information security.

07087379

Documents

outsourced data

secure computing1generic

university cloud

rccasecure abe systems

ourcpasecure construction

therccasecure construction

decryption overhead

cloud storage systems