Large universe attribute based encryption enabled secured data access control for cloud storage with computation outsourcing

Abstract

Cloud data access control is a very important issue especially when data are outsourced into a third-party cloud server. Recently, some researchers are working to enhance the trust level of cloud users by developing the secured access control to store the data into a third-party server. CP-ABE (Ciphertext-Policy Attribute-Based Encryption) is a very fruitful technology for such situation providing a capability of encrypted data access control. The existing mechanisms for outsourced data access control are mostly centralized, where a single key distribution center works as attribute authority and generates attributes along with corresponding keys for all users. In some cases, multiple key distribution centers used to generate user attributes along with user secret keys to make the system decentralized. However, all such mechanisms are based on small universe CP-ABE, where attribute set need to define in the initial setup phase and therefore public parameters and ciphertext size are increased linearly with attribute numbers in the system. As the attribute numbers in an access control system in the cloud should not be defined initially or if new attribute required to add time to time in the system and the existing attribute may be required to revoke form the system, then small universe enabled CP-ABE is not scalable and efficient compared to large universe system. In a large universe system, initially the size of parameters is large but it makes the size of ciphertext short in the system. In the paper, we proposed an access control scheme using large universe CP-ABE with user revocation and to make more efficient using decryption computation outsourcing into the cloud. The proposed system helps efficiently decrypt the data using a lightweight device. We have analyzed the security, scalability, and performance of our proposed scheme with existing approaches with respect to communication and computation cost.

Keywords

Access control cloud computing data outsourcing collision resistance forward security backward security attribute revocation

ï»¿

1. Introduction

Cloud computing provides highly reliable and scalable storage services to store a large amount of data over it. Storing data into the cloud reduced the cost and maintenance burden but controlled by the third party. However, it is not possible to fully trust the third party server because people not only have to store the general information but also need to store their confidential and sensitive data like company policy, financial records, physical health, defense secret, etc. The only probable solution to store such data into a third-party server by using the encrypted form, which can ensure confidentiality over unauthorized users. If the server is dishonest to overlook inside context and compromises with the other unauthorized personals, it will be harmful to the data owner also. Therefore, it is very important to develop efficient outsourced data access control for the cloud storage to share encrypted data among authorized users only. Public key cryptosystem can provide a fruitful solution in this issue [1] based on cloud architecture and its natures. Several approaches based on public key cryptosystem has been proposed to overcome this issue. However, it is found that Attribute-Based Encryption (ABE) [1] under public key cryptography is the most suitable methodology for such an environment where the data owner can define the access policy on outsourced encrypted data. Sahai et al. [2] introduced the first Attribute-Based Encryption. It has two types based on access policy associated with either key or with ciphertext namely Key Policy Attribute-Based Encryption (KP-ABE) and Ciphertext Policy Attribute-Based Encryption (CP-ABE). In KP-ABE [3], access policy associated with key and attributes is labeled with ciphertext. In CP-ABE [4], attributes are labeled with keys and access policy is associated with ciphertext. The data users can decrypt the encrypted text only when user’s attributes fulfill the access policy defined by the data owner. CP-ABE has extended scope for access control in cloud environment compared to KP-ABE [1] because, in KP-ABE, the data owner can control only those users whose attributes are associated with keys, whereas the data owner can control the users by define and enforced access policy on attribute sets in CP-ABE. Again based on construction ABE cryptosystem can be classified into two ways. First one is called small universe ABE [10, 15], where attributes are enumerated at setup phase and attributes space is bounded polynomially in the security parameter. The second one is called large universe [11], where attributes are not enumerated at the setup phase and size of attributes space exponentially large and also any string can be considered an attribute.

If the small universe CP-ABE used for the development of data access control in the cloud environment, the construction will not accept complete versatility to choose any access structure and attributes if once attributes enumerated in public parameter. The attribute numbers are fixed in the global system setup phase and public parameters are linearly increase with the attributes numbers [1, 5]. Due to the dynamic nature of cloud users, any time the data owner can change the access structure or the attributes set for generation of encrypted text. Therefore, small universe CP-ABE leads two restrictions as if attribute size is very small then the system might be required to re-build by adding more attributes and re-encrypt all data. On the other side, if the attribute size is very large then public parameters might be unnecessarily large which can make the system inefficient. Moreover, in large universe CP-ABE, the size of the ciphertext is short compared to small universe CP-ABE. There are numbers of approaches for access control using attribute based on small universe constructions explored in [14, 16, 17, 18, 19, 20, 21]. However, there are very few attempts for large universe attribute-based encryption. Lewko et al. [6] suggested first a large universe KP-ABE mechanism based on composite order of bilinear group under the standard model. Later on, Rouselakis et al. [11] suggested first large universe CP-ABE mechanism using prime order bilinear group and shown statically secure under the standard model. Other works also are done in [12, 13] to improve the works of Rouselakis et al.’s large universe CP-ABE scheme. However, exiting large universe CP-ABE has some drawback like inefficiency with respect to the size of ciphertext, user revocation and efficient decryption process. Moreover, no existing large attribute CP-ABE support attribute revocation, which is a very important feature for the access control mechanism.

Rather than large universe property, there are some other characteristics involved in an access control scheme which makes a system efficient and secured. Collision resistance property defines a system is secured under a circumstance that a group of users with the corrupted adversary, combining their secret should not break the access control scheme. A property called decentralization which can make more reliable a system over a centralized system by adding a multi-authority setting. Attribute revocation of a system helps dynamically control the end users when a new user come under the system and some users exit the system. To efficiently decrypt the data we can outsource the decryption computation to a powerful server, that helps an authorized user to decrypt using a lightweight device.

In Table 1, we explained the details of functionality comparison of our proposed method with other existing methods. This is a comprehensive analysis of different functions such as large universe properties, collision resistance, multi-authority set up, decryption outsourcing and attribute revocation, etc. The symbol, “ $\surd$ ” denotes the availability of the corresponding characteristics and $\times$ represents the not availability. Here TG represents the threshold gate and MBF represents a monotone Boolean function.

Table 1
Comprehensive functionality analysis

Functionality	[14]	[11]	[16]	[17]	[18]	[19]	[20]	[21]	[22]	Ours
Collusion resistance	$\times$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$
Encryption predicate	MBF	MBF	TG	TG	MBF	TG	TG	TG	MBF	MBF
Large universe	$\times$	$\surd$	$\times$	$\times$	$\times$	$\times$	$\times$	$\times$	$\times$	$\surd$
Multi-authority	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\times$	$\times$	$\times$	$\surd$	$\surd$
Decryption outsourcing	$\surd$	$\times$	$\times$	$\times$	$\surd$	$\surd$	$\surd$	$\surd$	$\times$	$\surd$
Attribute revocation	$\surd$	$\times$	$\surd$	$\times$	$\times$	$\times$	$\surd$	$\times$	$\surd$	$\surd$

In this paper, we have concentrated on large universal multi-authority CP-ABE to develop more practically with dynamic user revocation and also make it computationally efficient by outsourcing the partial decryption to cloud server. We have used efficient Rouselakis et al.’s [11] large universe CP-ABE scheme as it is more suitable to scale up the dynamic user compare to other small universe schemes. We have used Green et al. [9] scheme for computation outsourcing into a third-party server. The key contributions, we have in this article are:

•

We proposed a new secured access control mechanism for cloud data outsourcing, named Large Universe Outsourced Data Access Control (LU-ODAC), using large universe CP-ABE (multi-authority) based on Rouselakis et al. [11] Scheme, which supports in addition computation outsource and dynamic user accessibility with attribute revocation.

•

We have used secured computation outsource for decryption operation into the cloud in our proposed system to reduce the cost of computation. The decryption operation is multiple usable operations and we make it compatible to lightweight user devices.

•

To compare and analyze of our proposed scheme with existing competing approaches, we have done theoretically analysis of security and performance of computation overhead and communication overhead.

•

We have also simulated our proposed scheme in python based tool Charmcrypto and shown the performance of our scheme based on outsourced computation.

The organization of this article follows by literature review in Section 2, mathematical preliminaries and model description in Section 3, construction of proposed system in Section 4, security analysis of the proposed system with security in standard model 5, Experimentation and performance of various operations in Section 6. At last, we give conclusion in the Section 7.

2. Literature review

Sahai et al. [2] introduced the first Attribute-Based Encryption. Different types of attribute-based encryption: KP-ABE [3, 4] and CP-ABE [5, 6, 11, 22] explored in the previous section. However, most of them are small universe based system in construction. To overcome the problems of small universe, Lewko et al. [6, 11] suggested a large universe KP-ABE mechanism based on composite order of bilinear group under the standard model. However, this technique is less efficient due to the composite order group compare to prime order bilinear group. Later on, using dual vector space [10] in a bilinear pairing of prime order reconstruct large universe KP-ABE in the standard model, which is more efficient compared to the previous version. However, due to the large vector size still, their scheme still faces significant inefficiency overhead. Rouselakis et al. [11] suggested first large universe CP-ABE mechanism using prime order bilinear group and shown statically secure under the standard model. Later on, other works also are done in [13] to improve the works of Rouselakis et al.’s large universe CP-ABE scheme. The schemes in [12, 13] based on large universe CP-ABE, but more decryption cost and improper attribute revocation process. Therefore, the existing large universe CP-ABE has still some drawback like inefficiency with respect to the size of ciphertext, decryption operation and user access right control with respect to forward and backward security. An access control scheme required an efficient user revocation process to dynamically handle the user in the system. All the above schemes satisfy the policy level user revocation, where the data owner needs to re-encrypt the message to revoke users. Moreover, those schemes cannot help to revoke a user where the same attribute assigned to the other users.

Chase et al. [7] suggested a scheme in small universe CP-ABE to efficiently revoke a user under same attribute which holds other users also. In 2011, Green et al. [9] suggested a scheme to reduce the overhead of user decryption. In ABE, the user needs to compute a number of exponential and pairing operation, that incurs computation overhead on decryptor. This scheme ensures message confidentiality by computing outsource. However, this scheme is based on a small universe attribute-based encryption, where linearly increase the public parameters on consideration of new attributes in the system. Finally, developing an efficient large universe attribute-based access control for data outsourcing with dynamic attribute revocation, constant size ciphertext still an open challenge.

3. Preliminaries

3.1 Bilinear pairings

.

Let $\mathbb{G}$ and $\mathbb{G}_{T}$ are the two multiplicative cyclic group & their order $q$ is a prime number. A bilinear pairing $e:\mathbb{G}\times\mathbb{G}\rightarrow\mathbb{G}_{T}$ fulfills the properties as follows:

•
$e(x^{m},y^{n})=e(x,y)^{mn}$ ; $x,y\in_{R}\mathbb{G}$ & $m,n\in_{R}\mathbb{Z}_{q}$ , where $\mathbb{Z}_{q}=\{0,1,2,\ldots,q-1\}$ ;
•
Non-degenerate: $e(g_{1},g_{2})\neq 1$ , $g_{1}$ and $g_{2}$ are generator of $\mathbb{G}$ ;
•
Computable: Efficient procedure to compute $e(g_{1},g_{2}),\forall(g_{1},g_{2})\in\mathbb{G}\times\mathbb{G}$ .

We represent the bilinear pairing parameters shortly as $\Sigma:=(q,\mathbb{G},\mathbb{G}_{T},e)$ for friendly handling inside this paper and used only the properties of bilinear pairing for encryption and decryption.
3.2 Complexity assumptions

We have used q-PDBDHE [6] for security assumption of our scheme as follows:

q-PDBDHE: Let a group $\mathbb{G}$ with prime order $q$ . Let $b,s,f_{1},\ldots,f_{q}\in\mathbb{Z}_{p}$ be chosen randomly and $g$ is a generator of $\mathbb{G}$ . If an Adversary, $\mathscr{A}$ is given

$\displaystyle\mathscr{D}=g,g^{s},g^{b},\ldots g^{(b^{q})},g^{(b^{q+2})},\ldots% ,g^{(b^{2q})},$ $\displaystyle\forall_{1\leqslant i\leqslant q}:g^{s\cdot b_{i}},g^{b/f_{i}},% \ldots,g^{(b^{q}/f_{i})},g^{(b^{q+2}/f_{i})},\ldots,g^{(b^{2q/f_{i})}},$ (1) $\displaystyle\forall_{1\leqslant i,j\in q;i\neq j}:g^{b\cdot s\cdot f_{j}/f_{i% }},\ldots,g^{(b^{q}\cdot s\cdot f_{j}/f_{i})}$

then, it is very hard to differentiate $e(g,g)^{b^{q+1}s}\in_{R}\mathbb{G}_{T}$ , which is an element randomly chosen from $\mathbb{G}_{T}$ . There may be an algorithm $\mathscr{B}$ that gives $z\in\{0,1\}$ with advantage $\varepsilon$ for solving q-PDBDHE in $\mathbb{G}$ if

$\displaystyle|Pr[\mathscr{B}(\mathscr{D},T=e(g,g)^{b^{q+1}s})=0]-Pr[\mathscr{B% }(\mathscr{D},T=R)=0]|\geqslant\varepsilon$ (2)

.

The q-PDBDHE assumption holds if no such polynomial time methodology has non-negligible gain to solve the q-PDBDHE problem.

3.3 Access structures

.

Access Structures:[15]Let $\mathscr{U}$ be the universe of attributes. Consider a collection of non-empty attribute set $\mathbb{M}$ , i.e. $\mathbb{M}\subseteq 2^{\mathscr{U}}\setminus\{\}$ called as an access structure on $\mathscr{U}$ . The sets which are in $\mathbb{M}$ called the authorized sets and the sets which are not in $\mathbb{M}$ called the unauthorized sets.

In addition, an access structure $\mathbb{M}$ , if $\forall X,Y\in\mathbb{M}$ : if $X\in\mathbb{M}$ and $X\subseteq Y$ , then $Y\in\mathbb{M}$ is called monotone access structure.

3.4 Linear secret-sharing scheme

.

Let $\mathscr{U}$ be the universe of attributes. For an access structure $\mathbb{M}$ , a secret-sharing scheme $\Pi_{\mathbb{M}}$ over $\mathscr{U}$ is called linear (in $\mathbb{Z}_{p}$ ) if $\Pi_{\mathbb{M}}$ fulfills the following algorithms, where $A$ , a share-generating matrix for $\Pi_{\mathbb{M}}$ of size $l\times n$ and row labeling function, $\rho:[l]\rightarrow I_{\mathscr{U}}$ maps every row matrix $\mathbb{A}$ with attribute value in $\mathbb{M}$ . The symbol $I_{\mathscr{U}}$ is the index set of $\mathscr{U}$ .

Distribute $(\mathbb{A},\rho,\phi)$ . It considers a secret $\phi\in\mathbb{Z}_{p}$ which is to be shared, row labeling function $\rho$ and the share-generating matrix $\mathbb{A}$ as inputs. It selects $s_{2},s_{3},\ldots,s_{n}\in_{R}\mathbb{Z}_{p}$ and sets $\vec{v}=(\phi,s_{2},s_{3},\ldots,s_{k})\in\mathbb{Z}^{n}_{p}$ . It generate a set $\{\vec{\mathbb{M}}_{i}\cdot\vec{v}:i\in[l]\}$ of $l$ shares, where $\{\vec{A}_{i}\in\mathbb{Z}^{n}_{p}\}$ is the $i$ th row of the matrix $\mathbb{A}$ . The share $\lambda_{\rho(i)}=\vec{\mathbb{M}}_{i}\cdot\vec{v}$ belongs to an attribute value $\rho(i)$ .

Reconstruct $(\mathbb{M},\rho,\textit{Attr})$ . It consider $(\mathbb{M},\rho)$ and attributes $\textit{Attr}\in\mathbb{M}$ as inputs. Let $I=i\in[l]:\rho(i)\in I_{\textit{Attr}}$ , where $I_{\textit{Attr}}$ denotes the index set of attribute set Attr. It produces a set ${\omega_{i}:i\in I}$ of secret reconstruction constants such that $\Sigma_{i\in I}\omega_{i}\lambda_{\rho(i)}=\phi$ , if $\{\lambda_{\rho(i)}:i\in I\}$ is a valid set of shares of the secret $\phi$ as per $\Pi_{\mathbb{M}}$ .

The objective vector (1, 0, …, 0), which is categorized the access structures i.e., a set $\textit{Attr}\in\mathbb{M}$ are indexed by each row of $\mathbb{A}$ , where vector (1, 0, …, 0) is the span of matrix $\mathbb{A}$ linearly.

3.5 Assumptions

We have considered the assumptions for our proposed method as follows:

•
The cloud server is considered as honest to deliver the services but curious, which means that it can be interested in the assessment of user content, but will execute correctly the assigned task and will not modify.
•
Security is not possible without any trusted entity. We assumed global setup authority (GSA) as a trusted party, but it is will not decrypt any ciphertext.
•
We assumed every KDC as semi-trusted and also be corrupted by an adversary.
•
All communication between users/clouds are secured by SSH protocol.

We have considered q-Parallel Decisional Bilinear Diffie-Hellman Exponent (q-PDBDHE) Assumption to defined security problem in our system.
3.6 System description

Figure 1 shows the system where five different entities are involved. The entities are global setup authority (GA), key distribution centers (KDCs) as attribute authority, Data Owner (DO), Data Users (DU), Cloud Server (CS).

Figure 1.

Scheme architecture.

Global authority setup: The global setup authority (GA) generates public parameters globally for the whole system. It can register a new user providing user global identity and a new key distribution center also providing the KDC’s identity. It is responsible for providing descriptions of attribute universe, user universe, and KDC universe. However, the global setup authority is not accountable for any attribute supervision like decryption key generation corresponding to attributes for each individual user, user revocation, attribute revocation and also not assign any attribute key which may use for encryption.

Key distribution centers: There are multiple KDCs scattered in different parts of the world which are work as attribute authority. Every KDC is independent and responsible for assigning attributes in its domain to users based on their role or identity. Every KDC has full control on an assigned attribute which is used in access structure and also generate public keys and decryption keys for each attribute under their control. All KDC also plays a role to send attribute public keys which are generated by that KDC to global setup authority for broadcasting and decryption key to the data user associated with the corresponding attribute.

Cloud server: The cloud server plays a role to store the encrypted text and provide all users if anyone asked for that ciphertext. It is a semi-trusted third party server, which must update the ciphertext components associated with specific attributes only when an authorized key distribution center asked for it. The authorization of each KDC can be check from the description of authority universe of the global setup authority. It must compute correctly the outsourced computation.

User: The user entity is considered for two types of users. First one is data owner (DO), which is liable for encrypt the data to share with multiple unknown users based on their attributes. The data owner can decide an access policy over the required attributes and encrypt the data with that access policy. For big data, the data owner can divide the data into multiple blocks and each block encrypts by symmetric key encryption. The content key can be labeled with access policy for encryption. Another type of user is called a data user (DU). The data users can ask any ciphertext from the cloud but decryption of that ciphertext can do only the attributes satisfy the access policy.

3.7 Our scheme framework

The framework for our large universe CP-ABE enable outsourced data access control with efficient revocation consist of following seven probabilistic polynomial algorithms: GASetup, KDCs setup, DecKeygen, KeyUpdate, Encryption, Decryption, CTUpdate.

GASetup $(1^{\lambda})\rightarrow(\mathscr{PP})$ . A global setup authority runs this algorithm to provide global parameters for the whole process. It takes a security parameter $i^{\lambda}$ as input and produced the public parameters $\mathscr{PP}$ . The definition of user’s identity $\mathscr{ID}$ , attributes universe $S$ and set of KDCs ( $U_{\theta}$ ) are defined by global setup authority. But it is not generating any user decryption Keys and attributes key for the encryption and decryption process.

KDCSetup $(\mathscr{PP},{S_{\theta}})\rightarrow({SK}_{\theta},PK_{\theta},\{PK_{a_{% \theta}}\})$ . Each KDC $\theta\in U_{\theta}$ runs this algorithm by considering a set of attributes $S_{a}\in S$ and public parameters $\mathscr{PP}$ as input and produces its own public key $PK_{\theta}$ , secret key $SK_{\theta}$ and attribute public keys $\{PK_{a_{\theta}}\}$ .

SKeyGen $(\mathscr{PP},{SK}_{\theta},S_{a},ID)\rightarrow{SK}_{ID,{a}}$ . Each KDC $\theta\in U_{\theta}$ runs this algorithm. It takes a specific user identity $I D$ from universe of user identity $ID\in\mathscr{ID}$ , the secret key ${SK}_{\theta}$ and the attribute $a\in S_{\theta}$ . It outputs a user secret key ${SK}_{ID,a}$ for user identity-attribute pair $(ID,a)$ .

KeyTransform $(\{SK_{ID,a}/SK^{\prime}_{ID,a}\},z)\rightarrow T_{ID,a}$ . Each individual data user runs this algorithm. where a user can transform its own secret key or updated secret key with the help of a chosen random number $z\in\mathbb{Z}^{*}_{P}$ to a token key $T_{ID,a}$ .

Encrypt $(\mathscr{PP},(\mathbb{A},\rho),m,\{PK_{\theta}\},\{PK_{\theta_{a}}\})% \rightarrow CT$ . Data owner runs this algorithm with public parameters $\mathscr{PP}$ , a set of KDC public keys and attribute public keys of relevant KDCs and attributes taking as a input and generate encrypted text $C T$ to store in third party cloud.

PartialDecrypt $(\mathscr{PP},CT^{\prime},T_{ID,a})\rightarrow CT_{pd}$ . The cloud server runs this algorithm. It uses as inputs the ciphertext $CT^{\prime}$ , user token key $T_{ID,a}$ , & public parameters. It generates the temporary decrypted message $CT_{pd}$ .

FinalDecrypt $(CT_{pd})\rightarrow m$ or $\perp$ . The data user runs this algorithm. It takes as inputs the partially decrypted ciphertext $CT_{pd}$ , It outputs the message $m$ if the user attributes satisfy the access structure otherwise it generate $\perp$ .

UKeyGen $({SK}_{ID,a},PK_{\theta_{a}})\rightarrow(PK^{\prime}_{\theta_{a}}SK^{\prime}_{% ID,a},\textit{UCT}_{a})$ . This is an optional algorithm run by each $\theta$ KDC at the time of attribute $(a)$ revocation from a user $I D$ . It takes revoke attribute public Key $PK_{\theta_{a}}$ and decryption keys of non-revoked users ${SK}_{ID,a}$ and generates new public attribute key $PK^{\prime}_{\theta_{a}}$ , new secret key for non-revoked user $SK^{\prime}_{ID,a}$ and updated component of cipher text $\textit{UCT}_{a}$ . This algorithm only run for non-revoked users $(ID^{\prime}s\in\mathscr{ID})$ except revoked user if the same attribute hold by revoked and non-revoked users.

CTUpdate $(CT,\textit{UCT}_{a})\rightarrow(CT^{\prime})$ . This algorithm is also optional and run by cloud server on the request of authorized KDC. It takes the previous ciphertext with $\textit{UCT}_{a}$ and produced new ciphertext.

.

A large universe CP-ABE with multi-authority scheme enables outsourced data access control if it takes a number of algorithms used like system setup, KDC Setup, SKeyGen, KeyTransform, Encryption, Partial decryption, full decryption, UKeyUpdate and CTupdate to secretly encryption and decryption of message under an access structure.

3.8 Security model

To describe the security requirement of our large universe outsourced data access control with revocation, we followed a game between Challenger $\mathscr{C}$ and Adversary $\mathscr{A}$ similar to [11] for message confidentiality. It permits adversary $\mathscr{A}$ to query of secret key $q_{\textit{SKG}}$ for corrupted KDCs and their updated keys.

.

We can say that our LU-ODAC scheme ${\prod}_{\textit{LU-ODAC}}$ is $(\sqcup,q_{\textit{SKG}},q_{\textit{ENC}},q_{\textit{DEC}},q_{\textit{USK}},\varepsilon)$ -IND-sE-CCA secured if for any PPT adversary $\mathscr{A}$ running in time at most $\sqcup$ that produces at most $q_{\textit{SKG}}$ SKeyGen queries, $q_{\textit{ENC}}$ Encrypt queries, $q_{\textit{DEC}}$ Decrypt queries, $q_{\textit{USK}}$ update key query, the $\mathscr{A}$ ’s advantage, denoted as $\textit{Adv}^{\textit{IND-sE-CCA}}_{\mathscr{A}}$ , is at most $\varepsilon$ for the game shown below.

Initial setup. Let $S_{\theta}$ be the set of KDCs. The public parameters are generated by running GASetup. $\mathscr{A}$ define a corrupted set of KDCs as $S^{\prime}_{\theta}\in S_{\theta}$ .

Setup. $\mathscr{C}$ obtain $(\mathscr{PP},{S_{\theta}})\rightarrow(SK_{\theta},PK_{\theta},\{\vartheta_{% \theta},PK_{a_{\theta}}\})$ and send $(PK_{\theta},\{PK_{a_{\theta}}\})$ to $\mathscr{A}$ for un-corrupted KDCs. $\mathscr{A}$ received secret keys $SK^{\prime}_{\theta},$ also for corrupted KDCs $S^{\prime}_{\theta}\in S_{\theta}$ .

Query Phase 1. $\mathscr{A}$ makes adaptive queries (a polynomial number) on succeeding oracles that are submitted by $\mathscr{C}$ .

•
SKeyGen oracle $\mathscr{O}^{\textit{SKG}}(ID,S_{a})$ : $\mathscr{A}$ submits a set $S_{A}$ of attributes, corrupted user identity $I D$ and gets back the Secret Key ${SK}_{ID,{\theta}}$ for corrupted user $I D$ .
•
KeyTransform oracle $\mathscr{O}^{KT}(SK_{ID,a},z)$ . Each corrupted user provides its own transform secret key with the help of a chosen random number $z\in\mathbb{Z}^{}_{P}$ to a token key $T_{ID,a}$ and shared with adversary $\mathscr{A}$ .
•
Encrypt oracle $\mathscr{O}^{\textit{ENC}}((\mathbb{A},\rho),m,\{PK_{\theta_{i}}\}_{i\in I_{A}})$ : $\mathscr{A}$ submits a message $m$ Encryption Predicate $(\mathbb{A},\rho)$ , public attribute key generated by KDCs $\{PK_{\theta_{i}}\}_{i\in I_{A}})$ , and return the cipher text $C T$ .
•
Dccrypt oracle $\mathscr{O}^{\textit{DEC}}(CT,ID,\{SK_{ID,\theta_{i}}\})$ : $\mathscr{A}$ puts a cipher text $C T$ , user identity $I D$ , decryption attribute set $S_{a}$ to generate output of Decrypt $(CT,ID,\{SK_{ID,\theta_{i}}\})$ as return.
•
SKUpdate oracle $\mathscr{O}^{\textit{USK}}(SK_{ID,\theta},\textit{UKS}_{a^{\prime}_{\theta}})$ : $\mathscr{A}$ submits previous secret key of user $(SK_{ID,\theta}$ , revoked attributed updated part $\textit{UKS}_{a^{\prime}_{\theta}}$ and get back SKUpadte $(SK_{ID,\theta}^{\prime})$ .

Challenge Phase. $\mathscr{A}$ submits two same length of different messages $m_{0}$ , $m_{1}$ & the challenge access structure $(\mathbb{A}^{},\rho^{})$ . After that $\mathscr{C}$ chooses an attribute set $S_{a}^{}$ from the corrupted KDCs such that $V\cup V_{ID}\neq(1,0,\ldots,0)$ , where $V$ denoted the subset of rows of $\mathbb{A}^{}$ labeled by attributes of corrupted KDCs and $V_{ID}$ denoted the subset of rows of $\mathbb{A}^{}$ labeled by attributes of Adversary $\mathscr{A}$ queried. Then $\mathscr{C}$ picks $j\xleftarrow{R}\{0,1\}$ and return the challenge ciphertext $CT^{}\leftarrow\textit{Encrypt}(\mathscr{PP},(\mathbb{A}^{},\rho^{}),m^{}_% {j},\{PK^{}_{\theta_{i}}\}_{i\in I_{A}})$ to $\mathscr{A}$ .

Query Phase 2. $\mathscr{A}$ can do similar processes as Query phase 1 more queries except the Decryption queries $\mathscr{O}^{\textit{DEC}}(CT,ID$ , $\{SK^{}_{ID,\theta_{i}}\})$ where challenge ciphertext can be decrypt. In the other words, $\mathscr{A}$ can not be able to query the secret key $(SK^{}_{ID,\theta^{\prime}})$ from secret key $(SK^{}_{ID,\theta})$ .

Guess*. $\mathscr{A}$ produces a guess bit $j^{\prime}\in\{0,1\}$ and won the game, if $j^{\prime}=j$ . In this game, $\mathscr{A}$ ’s advantage can be defined as $\textit{Adv}^{\textit{IND-sE-CCA}}_{\mathscr{A}}|Pr[j^{\prime}=j]-\frac{1}{2}|$ .
4. Proposed large universe outsourced data access control

Here, we represent a large universe CP-ABE based data access control supporting efficient attribute revocation for data outsource in the cloud. In this construction, we used Rouselakis-Waters [11] large universe construction and extended this techniques to combine attribute revocation. For attribute revocation, we have consider a version key for each of the attribute and introduced two new optional algorithms (considered only for an attribute revocation from a revoked users) update key generation and cipher text update. We also used partial decryption for computation outsourcing [9] to cloud server to reduce the computation cost for data users.

4.1 Details constructions of LU-ODAC

GASetup $(1^{\lambda})$ . Let the binary parameters $\Sigma$ defined in Subsection 3.1 used for pairing setup. Global authority chooses a hash function $H$ mapping the user identity $ID\in\mathscr{ID}$ to the elements of $\mathbb{G}$ . It also choose another cryptographic hash function $F:\{0,1\}^{*}\rightarrow\mathbb{G}$ for attribute mapping. It also define the description all attribute universe $S$ , key distribution center $U_{\theta}$ and user universe $\mathscr{ID}$ for public parameters. Finally the parameters will be

$\displaystyle\mathscr{PP}=\{p,\mathbb{G},e,\mathbb{G}_{T},g,F,H,\mathscr{ID},U% ,U_{\theta}\}$ (3)

KDCSetup $(\mathscr{PP},\theta,{S_{\theta}})$ . The key distribution center, $\theta\in U_{\theta}$ chooses two random values $\alpha_{\theta},\beta_{\theta}\in_{R}\mathbb{Z}_{p}$ as KDC’s secret Keys and generate KDC’s public key $\{e(g,g)^{\alpha_{\theta}},g^{\beta_{\theta}}\}$ . It also chooses $v_{a}$ version key for the attribute $a\in S_{\theta}$ controlled by KDC, $\theta$ . Then, the secret key for the KDC will be

$\displaystyle SK_{\theta}=\{\alpha_{\theta},\beta_{\theta},\{v_{a}\}_{a\in S_{% \theta}}\}$ (4)

The public key of KDC and attribute keys of belongs to KDC, $\theta$ will be

$\displaystyle PK_{\theta}=\{e(g,g)^{\alpha_{\theta}},g^{\beta_{\theta}}\}$ (5) $\displaystyle PK_{a_{\theta}}=\{F(a)^{v_{a}}\}_{a\in S_{\theta}}.$ (6)

where $v_{a}$ works as version key of the attribute $a$ in user revocation.

SKeyGen $(\mathscr{PP},{SK}_{\theta},S_{\theta},ID)$ . It takes a specific user identity $I D$ from universe of user identity $ID\in\mathscr{ID}$ , the secret key ${SK}_{\theta}$ and the attribute $a\in S_{\theta}$ . The key distribution center produces the secret key for data user $I D$ corresponding to attribute $a$ using its own secret key and global public parameters. It chooses a random value $t\in\mathbb{Z}_{p}$ to compute the secret key for data user and attribute pair. The secret key $SK_{ID,a}$ will be

$\displaystyle SK_{ID,a}=\{K_{ID,a},K^{\prime}_{ID,a}\}$ (7)

where,

$\displaystyle K_{ID,a}=\{g^{\alpha_{\theta}}H(ID)^{\beta_{\theta}}F(a)^{{v_{a}% }t}\}$ $\displaystyle K^{\prime}_{ID,a}=\{g^{t}\}$

Here, ${a\in S_{\theta}}$ be the attribute controlled by KDC, $\theta$ .

KeyTransform $(\{SK_{ID,a}/SK^{\prime}_{ID,a}\},z)\rightarrow T_{ID,a}$ . Each individual data user run this algorithm, where a user can transform its own secret key or updated secret key with the help of a chosen random number $z\in\mathbb{Z}^{*}_{P}$ to a token key $T_{ID,a}$ .

$\displaystyle T_{ID,a}=\left\{(SK_{ID,a})^{\frac{1}{z}},H(ID)^{\frac{1}{z}}\right\}$ (8)

where $(SK_{ID,a})^{\frac{1}{z}}=(K_{ID,a})^{\frac{1}{z}},(K^{\prime}_{ID,a})^{\frac{% 1}{z}}$ .

Encrypt $(\mathscr{PP},(\mathbb{A},\rho),m,\{PK_{\theta}\}_{\theta\in U_{\theta}},\{PK_% {\theta_{a}}\}_{\theta_{a}\in S})\rightarrow CT$ . Data owner run this algorithm with public parameters $\mathscr{PP}$ , the message $m$ , a set of KDC public keys and attribute public keys of relevant KDCs and access structure $(\mathbb{A},\rho)$ with $\mathbb{A}\in\mathbb{Z}^{l\times n}_{p}$ , where $l$ be the row size of Matrix $\mathbb{A}$ and $n$ be the vector size of that matrix consider as inputs and generate encrypted text $C T$ to store in third party cloud. If the data size is large, then data are divided into multiple block and each block encrypted by symmetric key encryption and the key component consider the message content for the encrypt algorithm. The function $\delta$ defined as $\delta:[l]\rightarrow U_{\theta}$ and the consider $\delta(x)=T(\rho(x))$ (where T can be define as publicly computable function $T:\mathscr{U}\rightarrow U_{\theta}$ ) for mapping of row of the matrix to relevant KDC. Data owner first creates two vectors $\vec{v}=(s,v_{2},\ldots,v_{n})^{T}$ and $\vec{w}=(0,w_{1},\ldots,w_{n})^{T}$ , where $s,v_{2},\ldots,v_{n},w_{1},\ldots,w_{n}\in_{R}\mathbb{Z}_{p}$ . Now we consider the share $\lambda_{i}$ (where $\lambda_{i}=(\mathbb{A}_{i},\vec{v})$ ) of $s$ corresponding to $i^{\text{th}}$ row of matrix $\mathbb{A}$ . Similarly, we again consider the share $w_{i}$ (where $w_{i}=(\mathbb{A}_{i},\vec{w})$ ) of 0 (zero) corresponding to $i^{\text{th}}$ row of matrix $\mathbb{A}$ . Now, the algorithm chooses a random number for each row of the matrix i.e. $r_{i}\in_{R}\mathbb{Z}_{p}$ and computes the following:

$\displaystyle C_{0}=me(g,g)^{s},$ $\displaystyle C_{1,i}=e(g,g)^{\lambda_{i}}e(g,g)^{\alpha_{\delta(i)}r_{i}};i% \in[l],$ $\displaystyle C_{2,i}=g^{r_{i}};i\in[l],$ $\displaystyle C_{3,i}=g^{\beta_{\delta(i)}r_{i}}g^{w_{i}};i\in[l],$ $\displaystyle C_{4,i}=F(\rho(i))^{v_{\rho(i)}r_{i}};i\in[l].$

The final cipher text will be

$\displaystyle CT=C_{0},\{C_{1,i},C_{2,i},C_{3,i},C_{4,i}\}_{i\in[l]}$ (9)

PartialDecrypt $(\mathscr{PP},(\mathbb{A},\rho),CT,T_{ID,a})\rightarrow CT_{pd}$ . The cloud server runs this algorithm. It uses the ciphertext $C T$ (if ciphertext is updated then, $CT^{\prime}$ need to consider), user token key $T_{ID,a}$ , and public parameters as inputs. It outputs the partial decrypted cipher text $CT_{pd}$ . It first computes for each row of $i\in[l]$ ,

$\displaystyle CT^{1}_{pd}=C_{1,i};$ $\displaystyle CT^{2}_{pd}=\frac{e\left(H(ID)^{\frac{1}{z}},C_{3,i}\right).e% \left(C_{4,i},{K^{\prime}_{ID,\rho(i)}}^{\frac{1}{z}}\right)}{e\left(C_{2,i},{% K_{ID,\rho(i)}}^{\frac{1}{z}}\right)}=e(g,g)^{-\frac{\alpha_{\delta(i)}r_{i}}{% z}}e(H(ID),g)^{\frac{w_{i}}{z}}$

After that partial cipher text calculated as

$\displaystyle CT_{pd}=\{C_{0},CT^{1}_{pd},CT^{2}_{pd}\}.$ (10)

FinalDecrypt $(CT_{pd})\rightarrow m$ or $\perp$ . The data user runs this algorithm. It takes as input the partially decrypted ciphertext $CT_{pd}$ . It produces the message $m$ if the attributes of user satisfy the access structure otherwise it produces $\perp$ . First, It computes by using own secret value $z$ as

$\displaystyle\Delta={CT^{1}_{pd}}\cdot(CT^{2}_{pd})^{z}=\prod_{i\in[l]}e(g,g)^% {\lambda_{i}}e(H(ID),g)^{w_{i}}$ (11)

Then it calculates constants $c_{i}\in\mathbb{Z}_{p}$ such that $\sum_{i}c_{i}\mathbb{A}_{i}=(1,0,\ldots,0)$ and compute

$\displaystyle\prod_{i}(e(g,g)^{\lambda_{i}}e(H(ID),g)^{w_{i}})^{c_{i}}=e(g,g)^% {s}$ (12)

where, $\lambda_{i}c_{i}=s$ and $w_{i}c_{i}=0$ , because $\lambda_{i}$ is share of $s$ and $w_{i}$ , share of 0 of matrix $\mathbb{A}_{i}$ . Then, message can be calculate as,

$\displaystyle m=C_{0}/e(g,g)^{s}$ (13)

4.2 Attribute revocation

Any user drop from the access of any specific attribute then it is called attribute revocation. To do so, the corresponding KDC update the keys of attribute public key and non-revoked user’s secret key and sent a request the all non-revoked user & also cloud server to update the following:

UKeyGen $(v_{a},{SK}_{ID,a})\rightarrow(PK^{\prime}_{\theta_{a}}SK^{\prime}_{ID,a},UCT_% {a})$ . This is an update key generation algorithm used only at the time of attribute revocation takes place. This optional algorithm is run by KDC, $\theta$ of revoked attribute $a$ . version key $v_{a}$ and decryption keys of non-revoked users ${SK}_{ID,a}$ and generates new public attribute key $PK^{\prime}_{\theta_{a}}$ , new secret key for non-revoked user $SK^{\prime}_{ID,a}$ and updated component of cipher text $\textit{UCT}_{a}$ . The component $PK^{\prime}_{\theta_{a}}$ will send for publish globally if any new data owner used that attribute for encryption. The component $\textit{UCT}_{a}$ send to cloud server for update the ciphertext if any encrypted text used this attribute. The part $SK^{\prime}_{ID,a}$ to be update, $v_{u}$ send to only non-revoked user related to this attribute. The authorized KDC first chooses a new version key $v^{\prime}_{a}$ and compute $v_{u}=v^{\prime}_{a}/v_{a}$ and keep as updated version key for the attribute $a$ and send for the computation as follows:

$\displaystyle PK^{\prime}_{\theta_{a}}=PK_{\theta_{a}}^{v_{u}}$ (14) $\displaystyle SK^{\prime}_{ID,a}=g^{\alpha_{\theta}}H(ID)^{\beta_{\theta}}X^{t% {v_{u}}},g^{t}$ (15) $\displaystyle\textit{UCT}_{a}=v_{u}$ (16)

CTUpdate $(CT,\textit{UCT}_{a})\rightarrow(CT^{\prime})$ . This algorithm is also optional and run by cloud server on request of authorized KDC. It takes previous ciphertext with $\textit{UCT}_{a}$ and produced new cipher text if any attribute revoked from the system for a user. After attribute revocation the new ciphertext will be

$\displaystyle CT^{\prime}=C_{0},\{C_{1,i},C_{2,i},C_{3,i},C_{4,i}=(C_{4,i})^{v% _{u}}\}_{i\in[l]}.$ (17)

Updating of ciphertext component just provides updated ciphertext with same access policy but it is not disclose any information on encrypted message.

4.3 Correctness

To show the correctness of decryption of our scheme, we have consider the following major components and their working as follows:

From the Eq. (10), we can have

$\displaystyle CT^{1}_{pd}=\prod_{i\in[l]}C_{1,i}=\prod_{i\in[l]}e(g,g)^{% \lambda_{i}}e(g,g)^{\alpha_{\delta(i)}r_{i}}$ (18)

and

$\displaystyle CT^{2}_{pd}=\prod_{i\in[l]}\frac{e\left(H(ID)^{\frac{1}{z}},C_{3% ,i}\right).e\left(C_{4,i},{K^{\prime}_{ID,\rho(i)}}^{\frac{1}{z}}\right)}{e% \left(C_{2,i},{K_{ID,\rho(i)}}^{\frac{1}{z}}\right)}=\prod_{i\in[l]}\frac{e% \left(H(ID)^{\frac{1}{z}},g^{\beta_{\delta(i)}r_{i}}g^{w_{i}}\right).e\left(F(% \rho(i))^{v_{\rho(i)}r_{i}},g^{\frac{t}{z}}\right)}{e\left(g^{r_{i}},{g^{\frac% {\alpha_{\delta(i)}}{z}}H(ID)^{\frac{\beta_{\delta(i)}}{z}}F(\rho(i))^{\frac{v% _{\rho(i)}t}{z}}}\right)}=\prod_{i\in[l]}\frac{e(H(ID),g)^{\frac{\beta_{\delta% (i)}r_{i}}{z}}.e(H(ID),g)^{\frac{w_{i}}{z}}.e(F(\rho(i)),g)^{\frac{v_{\rho(i)}% r_{i}t}{z}}}{e(g,g)^{\frac{\alpha_{\delta(i)}r_{i}}{z}}.e(H(ID),g)^{\frac{% \beta_{\delta(i)}r_{i}}{z}}.e(F(\rho(i)),g)^{\frac{v_{\rho(i)}r_{i}t}{z}}}=% \prod_{i\in[l]}e(g,g)^{-\frac{\alpha_{\delta(i)}r_{i}}{z}}e(H(ID),g)^{\frac{w_% {i}}{z}}$ (19)

After that the Eq. (11) provides as

$\displaystyle\Delta={CT^{1}_{pd}}\cdot(CT^{2}_{pd})^{z}=\prod_{i\in[l]}e(g,g)^% {\lambda_{i}}.e(g,g)^{\alpha_{\delta(i)}r_{i}}.e(g,g)^{-\alpha_{\delta(i)}r_{i% }}.e(H(ID),g)^{w_{i}}=\prod_{i\in[l]}e(g,g)^{\lambda_{i}}e(H(ID),g)^{w_{i}}$ (20)

The value of $\Delta$ will provide $e(g,g)^{s}$ if attributes consider from assigned access structure $\mathbb{A}$ with exponent constant number $c_{i}$ . Finally it gives message if attributes are satisfy access structure.

5. Security analysis of proposed system

The proposed scheme will be meaningless if message confidentiality does not achieve from the scheme. We have also analyzed of forward and backward security along with collision resistance of our proposed scheme in this section.

5.1 Data confidentiality

Before outsourcing of data resources, the data owner needs to ensure the confidentiality of data against the curious cloud server and non-legitimate users. We followed the procedure of proof similar in [6]. It is achieved for our scheme as follows:

.

Suppose $H$ and $F$ are two collusion resistant the hash function and one time symmetric key $\Pi_{SE}$ is semantically secure. Let the challenge access structure has at most $q$ numbers of column in labeled matrix. If any adversary $\mathscr{A}$ is able to break under a standard model the security $(\mathscr{T},q_{\textit{SKG}},q_{TK},q_{\textit{ENC}},q_{\textit{DEC}},q_{% \textit{USK}},\varepsilon)$ -IND-sE-CCA of our LUODAC mechanism, then an algorithm $\mathscr{B}$ must be exist there which can solve q-parallel BDHE problem with the advantage $\varepsilon^{\prime}=\varepsilon-\frac{q_{\textit{DEC}}}{p}$ in time $\mathscr{T}^{\prime}=\mathscr{T}+O(|S|+q^{2}(q_{\textit{SKG}}+q_{TK}+q_{% \textit{DEC}}))\cdot\mathscr{T}^{e}+O(q_{\textit{DEC}})\cdot\mathscr{T}^{p}+(q% _{\textit{ENC}})\cdot\mathscr{T}^{se}+(q_{\textit{DEC}})\cdot\mathscr{T}^{de}$ , where $\mathscr{T}^{e}$ denotes exponential time, $\mathscr{T}^{p}$ denotes pairing time, $\mathscr{T}^{se}$ denotes SE-Encrypt time and $\mathscr{T}^{de}$ denotes SE-Decrypt time.

Proof..

We say that our LU-ODAC scheme ${\prod}_{\textit{LU-ODAC}}$ is $(\mathscr{T},q_{\textit{SKG}},q_{TK},q_{\textit{ENC}},q_{\textit{DEC}},q_{% \textit{USK}},\varepsilon)$ -IND-sE-CCA secure if any PPT adversary $\mathscr{A}$ takes at most $\mathscr{T}$ running time with at most $q_{\textit{SKG}}$ SKeyGen queries, $q_{TK}$ transformation Key queries, $q_{\textit{ENC}}$ Encrypt queries, $q_{\textit{DEC}}$ Decrypt queries, $q_{\textit{USK}}$ update key queries, then the adversary $\mathscr{A}$ ’s advantage is denoted by $Adv^{\textit{IND-sE-CCA}}_{\mathscr{A}}$ is at most $\varepsilon$ in the game given bellow:

Initial setup. Suppose, $\mathscr{A}$ chooses a challenge matrix $\mathbb{A}^{*}$ with the dimension of $l^{*}\times n^{*}$ with security parameter in Initial setup Phase. Let $S_{\theta}$ be the set of KDCs. $\mathscr{A}$ define a corrupted set of KDCs as $S^{\prime}_{\theta}\in S_{\theta}$ .

Setup. Simulator $\mathscr{B}$ first run GAsetup and KDCsetup algorithm and gives the value $g$ to $\mathscr{A}$ . Simulator $\mathscr{B}$ chooses randomly $\alpha^{*}_{\theta},\beta_{\theta}\in\mathbb{Z}_{p}$ for the uncorrupted KDCs $\theta\in S_{\theta}-S^{\prime}_{\theta}$ and implicitly sets $\alpha_{\theta}=\alpha^{*}_{\theta}+b^{q+1}$ by letting $e(g,g)^{\alpha_{\theta}}=e(g^{b},g^{b^{q}})e(g,g)^{\alpha^{*}}$ . To consider $F(a)$ if define before then call as it is otherwise to define choose a random number $d_{a}$ by simulator $\mathscr{B}$ where $\rho^{*}(i)=a$ , $a\in S$ denote set of row indices $i$ . Similarly, hash function $H(ID)$ can be defined. Then the simulator $\mathscr{B}$ formulate the oracle from the Eq. (3) as

$\displaystyle F(a)=g^{d_{a}}\prod_{i\in S}g^{b^{2}\mathbb{A}^{*}_{i},1/f_{i}}% \cdot g^{b^{3}\mathbb{A}^{*}_{i},2/f_{i}}\ldots g^{b^{n^{*}+1}\mathbb{A}^{*}_{% i},n/f_{i}}$ (21)

and

$\displaystyle H(ID_{i})=g^{h^{\prime}}\cdot(g^{a})^{d_{i,2}}\cdot(g^{a^{2}})^{% d_{i,3}}\ldots(g^{a^{n^{\prime}-1}})^{d_{i,n^{\prime}}}$ (22)

If $S=\emptyset$ , then $F(a)=g^{d_{a}}$ . The simulator also chooses $\beta_{\theta},v_{\theta}\in\mathbb{Z}_{p}$ randomly and generated public key uncorrupted KDCs as

$\displaystyle PK_{\theta}=(e(g,g)^{\alpha_{\theta}},g^{\beta_{\theta}})$ (23)

and public attribute keys on random choosing of version key $v_{a_{\theta}}\in\mathbb{Z}_{p}$ as

$\displaystyle PK_{a_{\theta}}=\left(g^{v_{a_{\theta}}+d_{a_{\theta}}}\prod_{i% \in S}g^{b^{2}\mathbb{A}^{*}_{i},1/f_{i}}\cdot g^{b^{3}\mathbb{A}^{*}_{i},2/f_% {i}}\ldots g^{b^{n+1}\mathbb{A}^{*}_{i},n/f_{i}}\right)^{v_{a}}$ (24)

The simulator also send user identity $I D$ to the adversary $\mathscr{A}$ .

Query Phase 1. Definition of LSSS confirms that there exists a vector. The simulator define a vector $\vec{\omega}=(\omega_{1},\ldots,\omega_{n^{*}})\in\mathbb{Z}^{n^{*}}_{p}$ such that $\omega_{1}=-1$ and for all $i$ , where $\rho^{*}(i)\in S_{\theta}$ . We have that $\vec{\omega}\cdot\mathbb{A}^{*}_{i}=0$ . Since $S_{\theta}$ does not satisfy $\mathbb{A}^{*}$ . Then adversary $\mathscr{A}$ makes adaptive queries (a polynomial number) on subsequent oracles that are submitted by $\mathscr{C}$ as follows.

SKeyGen oracle $\mathscr{O}^{\textit{SKG}}(ID,S^{\prime}_{a})$ : The simulator initiates by implicitly defining $t_{ID,\theta}$ as

$\displaystyle K_{ID_{i},a}=r+\omega_{1}b^{q-1}+\omega_{2}b^{q-2}+\ldots+\omega% _{n}b^{q-n^{*}}.$ (25)

Simulator calculate for corrupted KDC a set $S_{A^{\prime}}$ of attributes, and sent back the Secret Key ${SK^{*}}_{ID,{\theta}}$ as

$\displaystyle K^{*}_{ID_{i},a}=b^{\alpha^{*}_{\theta}}g^{b\cdot u_{2}}\prod_{i% =1,\ldots,n^{*}}\left(g^{b^{q+1-i}}\right)^{\omega_{i}}$ (26) $\displaystyle X=g^{r}\prod_{i=1,\ldots,n^{*}}\left(g^{b^{q+1-i}}\right)^{% \omega_{i}}$ (27)

Let $\chi$ be the collection of all $i$ such that $\rho^{*}(i)=\chi$ . Then, the simulator $\mathscr{B}$ generates $K^{*}_{ID,a_{\theta}}$ in this case as follows.

$\displaystyle K^{*}_{ID,a_{\theta}}=g^{u_{2}\beta_{\theta}\cdot t_{ID,\theta}}% {H(a_{\theta})}^{\beta_{\theta}(\gamma_{\theta}+u_{2})}$ (28) $\displaystyle\prod_{i\in X}\prod_{j=1,\ldots,n^{*}}\left(g^{(b^{j}/f_{i})r}% \prod_{\binom{k=1,\ldots,n^{*}}{k\neq j}}{\left(g^{b^{q+1+j-k}/f_{i}}\right)}^% {\omega_{k}}\right)^{\mathbb{A}^{*}_{i,j}}$

KeyTransformation oracle $\mathscr{O}^{TK}(SK_{ID,a_{\theta}},\textit{UKS}_{a^{\prime}_{\theta}})$ : Corrupted user provide the transform key for the Adversary $\mathscr{A}$ as

$\displaystyle T_{ID,a}=\left\{(SK_{ID,a})^{\frac{1}{z}},H(ID)^{\frac{1}{z}}% \right\}.$ (29)

SKUpdate oracle $\mathscr{O}^{\textit{USK}}(SK_{ID,\theta},\textit{UKS}_{a^{\prime}_{\theta}})$ : $\mathscr{A}$ submits previous secret key of user ( $SK_{ID,\theta}$ , revoked attributed updated part $\textit{UKS}_{a^{\prime}_{\theta}}$ and get back SKUpadte $(SK_{ID,\theta}^{\prime})$ with the help of corrupted KDCs.

Challenge Phase. Adversary $\mathscr{A}$ uses here encrypt oracle. At first, adversary $\mathscr{A}$ sends two same length different messages $m_{0}$ , $m_{1}$ and the challenge access structure $(\mathbb{A}^{*},\rho^{*})$ . Then $\mathscr{C}$ chooses an attribute set $S_{a}^{*}$ from the corrupted KDCs such that $V\cup V_{ID}\neq(1,0,\ldots,0)$ , where $V$ denoted the subset of rows of $\mathbb{A}^{*}$ labeled by attributes of corrupted KDCs and $V_{ID}$ denoted the subset of rows of $\mathbb{A}^{*}$ labeled by attributes of Adversary $\mathscr{A}$ queried. Then $\mathscr{C}$ picks $j\xleftarrow{R}\{0,1\}$ and return the challenge cipher-text $CT^{*}\leftarrow\textit{Encrypt}(\mathscr{PP},(\mathbb{A}^{*},\rho^{*}),m^{*}_% {j},\{PK^{*}_{\theta}\}_{i\in I_{A}})$ to $\mathscr{A}$ .

Query Phase 2. $\mathscr{A}$ can do similar processes like Query phase 1 for more queries except the Dccryption query $\mathscr{O}^{\textit{DEC}}(CT*,ID,\{SK^{*}_{ID,\theta_{i}}\})$ where challenge cipher-text can be decrypt. In the other words, $\mathscr{A}$ cannot be able to query the secret key $(SK^{*}_{ID,\theta^{\prime}})$ from secret key $(SK^{*}_{ID,\theta})$ .

Guess. $\mathscr{A}$ produces a guess bit $j^{\prime}\in\{0,1\}$ and wins the game if $j^{\prime}=j$ . ∎

5.2 Collusion resistance

.

LU-ODAC scheme is secure against collision attack, even if Adversary corrupt some KDCs also.

Proof..

Our system hold each user’s unique identity $I D$ and KDC identity $\theta$ generated by GA. All the user secret key is issued by different KDCs against of unique $I D$ . Each KDC $\theta$ chooses a random number $t$ corresponding to each $I D$ and used for generating the secret key for the user. Due to random number $t$ inside the secret key, it is distinguishable the component of secret key among the users even if same attributes generated by different KDCs. The users cannot decrypt the cipher-text colluding and combining their attributes if they are illegal to access the cipher text. In case of some KDCs corrupted by Adversary and apply to achieve the attribute forge attack, which is also not permissible in our system. For example, An adversary $\mathscr{A}$ does not hold an attribute $a_{\theta^{\prime}}$ from the corrupted KDC $\theta^{\prime}$ attempt to forge that attribute from another users say $ID^{\prime}$ , which are holding attribute $a_{\theta^{\prime}}$ from other KDC $\theta^{\prime}$ , then the adversary can calculate like $K_{a_{\theta^{\prime}},\mathscr{A}}=(K_{a_{\theta^{\prime}},ID^{\prime}})^{RK_% {\mathscr{A}}/RK_{ID^{\prime}}}$ . The adversary will not be success to apply this attack because we have used a component in user secret key as Eq. (7) $K_{ID,a}=\{g^{\alpha_{\theta}}H(ID)^{\beta_{\theta}}{F(a)^{v_{a}}}^{t}\},K^{% \prime}_{ID,a}=\{g^{t}\}.$ ∎

5.3 Security on user accessibility

.

Our LU-ODAC scheme ensures forward secrecy against the revoked user.

Proof..

Our LU-ODAC scheme support forward security in two different ways. First, if the data owner wants policy level revocation, the data need to re-encrypt with the new policy, where the revoked user’s attribute eliminated. If the policy level revocation applied a group of users eliminate and some new user comes under the policy. In this process, data owner need to run encryption algorithm with consideration of new user attributes. Secondly, attribute level revocation can be applied for forward security. Here, after attribute revocation operation, the KDCs can update the attribute public key by changing the version key of revoked attribute and publish for a new user. The secret key can be updated with new version key for all existing non-revoked user. In this case, the cloud server also needs to update the cipher-text with revoked attribute’s updated public key. The non-revoked users still can decrypt the updated cipher-text using their current secret key. For the newly join users, they already have their secret key with the updated attribute can decrypt the cipher-text if access policy satisfy. Thus the forward security ensures by our proposed scheme. ∎

.

Our LU-ODAC scheme ensures backward secrecy against the revoked user.

Proof..

Each revoked attribute, the KDC updated the secret key for all non-revoked data users corresponding to that attribute except the revoked data user. Then the revoked user cannot update their secret key with the help of non-revoked user because each of the secret keys holds user identity, collision resistant hash function of attribute and the random number $t$ generated by KDC. So, revoked user cannot generate the updated secret key with the help of the non-revoked user. If the revoked data user can corrupt some of the KDCs and also use non-revoked user’s help to update own secret key, then also revoked user cannot calculate the value of $t$ which is used as $K_{ID,a}=\{g^{\alpha_{\theta}}H(ID)^{\beta_{\theta}}{F(a)^{v_{a}}}^{t}\}$ . Therefore, using non revoked user secret key directly revoked used cannot decrypt the expected cipher-text. Thus, backward security of our scheme is guaranteed. ∎

6. Experiment and performance analysis

6.1 Implementation and simulation result

To show the more practicality, we simulated our system using Python based scripting tools Charm-Crypto [23]. Charm Crypto is a framework to simulate modern cryptosystem, which is similar to theoretical implementations. It binds with PBC library for efficient group operations. Charm-Crypto also provides predefined linear secret sharing scheme (LSSS) routines to use, which is very useful to implement attribute-based systems. Charm-Crypto provided several predefined elliptic curves based on bilinear pairing group i.e. three “MNT” asymmetric EC groups and two super-singular (SS) symmetric EC groups. Some of the utilized EC groups are “SS512” provides 80 bits in security level, “MNT201” provides 90 bits in security level, “MNT224” and “SS1024” provides 100 and 120 bits in security level respectively. We have tested our proposed scheme on Intel ${}^{\@setsize{\scriptsize}{9.5pt}{\viiipt}{\@viiipt}\textregistered}$ $\textit{Core}^{\text{TM}}$ i3-5005M CPU @ 2.00 GHz $\times$ 2 with 4.0 GB RAM running Ubuntu 16.04 LTS and Python 3.5. We have use elliptic curve “SS512” under the symmetric pairing for developing our LU-ODAC scheme. The computation cost for exponential operation on $\mathbb{G}$ and $\mathbb{G}_{T}$ are 0.7 and 0.2 ms and for the pairing operation is 2.9 ms. We have use average of 10 simulation results for finding the computation cost.

Figure 2.

Simulation result of our proposed LU-ODAC scheme.

In the Fig. 2, we have shown the computation time from various operations like KDC Setup, Secret Key generation, encryption, decryption, attribute revocation, decryption outsourcing, etc. From the sub Fig. 2a and c, we can see that secret key generation and encryption time linearly increase with attribute numbers. These algorithms show the influence of the attribute number used in the system.

The sub Fig. 2b shows the comparison Secret key generation and secret key update, where to update the secret key takes less time to compare to secret key generation because only one component needs to change in this algorithm which makes efficient our scheme for the secret key update. However, the secret key update also effects linearly with attribute numbers to be updated in our system.

The sub Fig. 2d shows the computation time for encryption and re-encryption processes of our scheme, where re-encryptions are not required computation overhead for multiple times. The reason behind this is some components only required to modify when re-encryption happens.

The sub Fig. 2e shows constant user computation on user decryption and sub Fig. 2f explain the comparison between partial decryption which is outsourced and user constant time decryption.

In case of sub Fig. 2g, we have shown the comparison secret key generation, Key transformation and also Key update and total time need for secret key operation. The last sub Fig. 2h shows the total time required for the entire attribute revocation. We considered here secret key update and ciphertext update for user revocation from the system and take linearly less computation for the whole process.

6.2 Performance analysis

In the Table 2, we have shown the notation with their description to explain the performance analysis for this section. We have listed consequently storage overhead, computation complexity and communication cost through in tabular format.

Table 2
Notations for performance analysis

Notations	Meaning
$\|g\|/\|g_{t}\|/\|p\|$	Element size in $\mathbb{G}$ , $\mathbb{G}_{T}$ and $\mathbb{Z}_{p}$ respectively
$n_{u}$	Users in the systems
$n_{o}$	Data owners in the systems
$n_{\theta}$	KDCs in the system
$n_{a}$	Attributes in the system
$n_{r}$	Revoked attributes in the system
$n_{a,id}$	Attributes holds by the user $i d$
$n_{\theta,a}$	Attributes associated with the $\textit{KDC}_{\theta}$
$n_{l}$	Attributes involved in access policy $\mathbb{A}$
$n_{c}$	Cipher-texts (re-encrypted) stored in cloud server
$n_{c,r}$	Cipher-text components associated with the revoked attribute
$t_{p}/t_{e}/t_{h}$	Time for one pairing, exponential and Hashing operation respectively

6.2.1 Storage overhead

The performance of storage cost defines the memory requirement of different parameters for participating entities. We have done the comparison of our proposed LU-ODAC scheme with several presented schemes to show the performance of our scheme. The comparison shown in the Table 3.

Table 3
Storage overhead

KDC	Data owner	Data user	Cloud server	Ref
$(n_{\theta,a}+3)\|p\|$	$n_{\theta}((n_{\theta,a}+2)\|g\|+\|g_{t}\|)$	$n_{o}(n_{\theta}+n_{a,id})\|g\|$	$(3n_{l}+2)\|g\|+\|g_{t}\|$	[14]
$2n_{\theta,a}\|p\|$	$\|p\|+\|g\|+n_{\theta}n_{\theta,a}(\|g\|+\|g_{t}\|)$	$n_{a,id}\|g\|$	$n_{l}(2\|g\|+\|g_{t}\|)+\|g_{t}\|$	[17]
$(n_{\theta,a}+2)\|p\|$	$2(\|p\|+\|g\|+n_{\theta}(n_{\theta,a}+1)(\|g\|+\|g_{t}\|)$	$(n_{a,id}+1)\|g\|+$	$(2n_{l}+1)\|g\|+\|g_{t}\|$	[16]
		$n_{\theta}\log(n_{u}+1)\|p\|$
$(2n_{\theta,a}+2)\|p\|$	$(1+n_{l})\|g\|+\|g_{t}\|+(2+2n_{l})\|p\|$	$(n_{\theta,id}+1)\|g\|+\|p\|$	$(2n_{l})\|g\|+n_{\theta}(2n_{l}+2)\|g\|+\|g_{t}\|$	[18]
$(n_{\theta,a}+2)\|p\|$	$(3+2n_{l})\|g\|+\|g_{t}\|$	$(2n_{\theta}+2n_{a,id})\|g\|$	$(5n_{l}+3)\|g\|+\|g_{t}\|$	[20]
$(2n_{\theta,a}+1)\|p\|$	$(3+n_{l})\|g\|+\|g_{t}\|$	$(3n_{\theta}+n_{a,id})\|g\|$	$(3n_{l}+1)\|g\|+n_{\theta}(\|g\|+\|g_{t}\|)$	[21]
$2n_{\theta}\|p\|$	$2n_{\theta}\|g\|+(n_{a})\|g_{t}\|$	$(2n_{\theta}+n_{a,id})\|g\|$	$(2n_{\theta}+2)\|g\|+\|g_{t}\|$	Ours

Key distribution center: In our scheme storage overhead mainly depends on attribute information (version key, attribute identity), KDC’s secret keys used to generate public key and user secret keys & also user’s information to generate user’s secret key etc. All existing scheme required storage of attribute information with public attribute key for the data owner. This is linear with respect to attribute numbers generated by KDCs. Table 3 shows comparison of storage overhead with respect to KDC, data owner, data user and cloud server. In [14, 16, 18, 19, 20] incur more storage overhead over key distribution center compare to our scheme and [17] where [19, 20] are single KDC setup and rest are multiple KDC setup.

Data owner: The storage overhead for the data owner mainly depends on public parameters generated by different KDCs which are used to encrypt the message. The schemes [17, 18, 19] has not support attribute revocation, so the storage for attribute revocation was not consider for those scheme it the data owner initiate user revocation. To update the user these schemes [17, 18, 19] used re-encryption of ciphertext and therefore it operation increased more storage overhead on user. However, in [14, 16, 20] and our scheme, we used attribute revocation. Therefore, attribute revocation properties incurs some more storage for user update. In Table 3, we have shown the comparison storage overhead of data owner for different existing schemes with our scheme.

Data user: The user’s secret key generated by each KDCs incurs storage for data users for our scheme. The schemes [19, 20] support only single KDC setup. Therefore, secret key defined by the key distribution center incur linear storage overhead with the number of attributes. To decrypt the ciphertext in [19, 20] cloud server or fog devices partially compute decryption processes. The scheme [17] and our scheme incur same storage overhead on secret key store and cipher text decryption and also used multiple key distribution centers. These processes incur linearly increased storage with the number of attributes. We have shown the storage overhead of our scheme and other existing schemes in the Table 3.

Cloud server: The size of the cipher text mainly responsible for storage overhead on cloud server. The comparison of existing schemes and our methods for storing the cipher text in cloud are shown in the above mention table.

6.2.2 Computation overhead

Table 4
Computation overhead

KDC setup	SKeyGen	Encryption	Decryption	Ref.
$O(n_{\theta})t_{e}+O(1)t_{p}$	$O(n_{a,id})t_{e}$	$O(n_{l}+n_{\theta})t_{e}$	$O(n_{l})t_{e}+O(n_{\theta}+n_{l})t_{p}$	[14]
$O(1)t_{e}$	$O(n_{a,id})t_{e}$	$O(n_{l}+n_{\theta})t_{e}$	$O(n_{d})t_{e}+O(n_{d})t_{p}$	[16]
$O(n_{\theta})t_{e}$	$O(n_{a,id})t_{e}$	$O(n_{l})t_{e}$	$O(n_{d})t_{e}+O(n_{d})t_{p}$	[17]
$O(n_{\theta})t_{e}$	$O(n_{a,id})t_{e}$	$O(n_{l}+n_{\theta})t_{e}$	$O(n_{d})t_{e}+O(n_{d})t_{p}$	[18]
$O(1)t_{e}$	$O(n_{a,id})t_{e}$	$O(n_{l})t_{e}$	$O(n_{d})t_{e}+O(n_{d})t_{p}$	[19]
$O(1)t_{e}$	$O(n_{a,id})t_{e}$	$O(n_{l})t_{e}$	$O(n_{d})t_{e}+O(n_{d}+n_{l})t_{p}$	[20]
$O(1)t_{e}$	$O(n_{a,id})t_{e}$	$O(n_{l})t_{e}$	$O(n_{d})t_{e}+O(n_{d})t_{p}$	Ours

Table 5

Communication overhead

CSP decrypt	User decrypt	Key update	CTUpdate	Ref.
$O(n_{d})t_{e}+O(n_{d}+n_{l})t_{p}$	$O(1)t_{e}$	$O(n_{r})t_{e}$	$O(n_{r})t_{e}$	[14]
$O(n_{d})t_{e}+O(n_{d})t_{p}$	$O(1)t_{e}$	$O(n_{r})t_{e}$	$O(n_{c})t_{e}$	[16]
$O(n_{d})t_{e}+O(n_{d})t_{p}$	$O(1)t_{e}$	–	–	[18]
$O(n_{d})t_{e}+O(n_{d})t_{p}$	$O(1)t_{e}$	$O(n_{r})t_{e}$	$O(n_{r})t_{e}$	[19]
$O(n_{d})t_{e}+O(n_{d}+n_{l})t_{p}$	$O(1)t_{e}$	$O(n_{r})t_{e}$	$O(n_{r})t_{e}$	[20]
$O(n_{d})t_{e}+O(n_{d})t_{p}$	$O(1)t_{e}$	$O(n_{r})t_{e}$	$O(n_{r})t_{e}$	Ours

The computation cost for various operation such as key distribution center setup, secret key generation, key transformation, encryption, decryption, secret key update and ciphertext update. The comparison of different schemes and our scheme for different operation, we have shown in the Tables 4 and 5. Key distribution center mainly responsible to generate the public keys of its own and public key for attributes. It also plays a role to generate the secret key, updated secret key and the key to ciphertext update. The computation cost changes with the operation used in the system. In the Table 4, our scheme has same computation cost asymptotically with [17, 19, 20], where [19, 20] have single authority set up. However the scheme take more computation cost for [14, 16, 18] compare to our scheme. The computation cost for all existing schemes with our scheme have all most similar, but there is some difference in a number of key components inside the secret key. The encryption and decryption cost comparison shown in the Tables 4 and 5. In [14, 20] takes more computation cost comparing to our scheme. For decryption, we have used partial decryption using cloud server and final decryption done by the user who has to satisfy the access structure. In [17], there was no such partial decryption to reduce computation cost for decryption. Moreover, in our scheme, we have not used re-encryption of the whole ciphertext when attribute revokes from the system. There are some components updated with the help of responsible key distribution center in ciphertext computed by the cloud server. Therefore, more efficiency achieves when the attribute revoked from the system.

6.2.3 Communication cost

The communication costs of our LU-ODAC scheme mainly incur when user revocation takes plays. To update the attribute list or revoke an attribute from the system, the related key distribution center needs to communicate with the user, who holds the secret key with the revoked attribute and also the cloud server for update the ciphertext. The communication cost in between KDC and user is $n_{a_{\theta}}|p|$ , where $n_{a_{\theta}}$ indicate number of a changed attribute in the system. The communication cost in between KDC and cloud server for changing the ciphertext component is $|p|$ . Our scheme shows similar communication cost with [14] but the schemes [18, 19, 20] takes more communication cost because there are used frog devices to compute extra burden of encryption and decryption computation.

6.2.4 Scalability

Our system, LU-ODAC supports the scalability for joining new users and revoking of existing users as the scheme supported properly the forward and backward security shown above. It is not required in our system that the trusted certified authority support for access control in attribute level, but trusted certified authority required to support for access control in user level such as user registration. When an attribute is revoked from a data user for a specific data decryption, the other attributes are not affected for the revoked user and therefore remaining attributes can use to decrypt the other data. In our system, an attribute may assign to multiple users by a key distribution center, KDC. For a new user, KDC can assigned secret key $K_{ID,a}=\{g^{\alpha_{\theta}}H(ID)^{\beta_{\theta}}{F(a)^{v_{a}}}^{t}\}$ , which is based on current version key, $v_{a_{\theta}}$ . When an attribute revoked for a data user, $I D$ then the version key changed to $v^{\prime}_{a}$ for the non-revoked data users of the attribute $a\in S_{\theta}$ . Due to the revoked attribute from the user (version key update), the user cannot decrypt the encrypted text even the access policy $(\mathbb{A},\rho)$ match with the claimed policy. Therefore, our system LU-ODAC maintains the high scalability for the dynamic user in the system.

7. Conclusion

A large universe attribute-based encryption makes an access control scheme more scalable and reliable in terms of user accessibility. In this work, we have proposed an access control scheme for cloud data storage providing access right from the data owner hand. The properties of a large universe, multi-authority, computation outsourcing, attribute revocation, etc. are supported by our proposed system. As the decryption process is multiple usable operations, we reduced computation cost by using outsourcing computation. The expressive discussion of security and performance analysis makes our scheme more useful. Our scheme is more applicable to the end user even on lightweight device for decryption operation.

Footnotes

Authors’ Bios

Somen Debnath received his B.E. degree from National Institute of Technology, Agartala, India in Computer Science & Engineering. He received his M.Tech. degree in Computer Science & Engineering from Tripura University, India. He is pursuing his research activities in Information Technology at North Eastern Hill University, Shillong, India. His research interests include Information Security, Distributed Computing, Cloud Computing. He is working as Assistant Professor in Information Technology Department of Mizoram University, India.

Bubu Bhuyan was born in India. He received his M.Tech (IT) degree from Tezpur University, India. He also received PhD degree from Jadavpur University, India. Currently, he is working as an Associate Professor in the Department of Information Technology at North Eastern Hill University, Shillong, India. His research interests include Information Security, Cryptography and Cloud security. He has published many articles in reputed International Journals and Proceedings.

References

Debnath

and Bhuyan

, Efficient and scalable outsourced data access control with user revocation in the cloud: A comprehensive study, Multiagent and Grid Systems 14(14) (2018), 383–401.

Sahai

and Waters

, Fuzzy identity-based encryption, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2005, pp. 457–473.

Goyal

Pandey

Sahai

and Waters

, Attribute-based encryption for fine-grained access control of encrypted data, in: Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, 2006, pp. 89–98.

Cheung

and Newport

, Provably secure ciphertext policy abe, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, 2007, pp. 456–465.

Ning

Cao

Dong

Wei

and Lin

, Large universe ciphertext-policy attribute-based encryption with white-box traceability, in: European Symposium on Research in Computer Security, Springer, 2014, pp. 55–72.

Waters

, Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization, in: International Workshop on Public Key Cryptography, Springer, 2011, pp. 53–70.

Melissa

, Multi-authority attribute based encryption, in: Theory of Cryptography Conference, Springer, 2007, pp. 515–534.

Xiong

and Liu

, Large universe decentralized key policy attribute based encryption, Security and Communication Networks 8(3) (2015), 501–509.

Green

Hohenberger

and Waters

, Outsourcing the decryption of ABE ciphertexts, In USENIX Security Symposium 2011(3) (2011, August).

10.

Lewko

Okamoto

Sahai

Takashima

and Waters

, Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2010, pp. 62–91.

11.

Rouselakis

and Waters

, Efficient statically-secure large-universe multi-authority attribute-based encryption, in: International Conference on Financial Cryptography and Data Security, Springer, 2015, pp. 315–332.

12.

Nie

and Li

, Large universe attribute based access control with efficient decryption in cloud storage system, Journal of Systems and Software 135 (2018), 157–164.

13.

Liu

and Wong

D.S.

, Practical attribute-based encryption: traitor tracing, revocation and large universe, The Computer Journal 59(7) (2016), 983–1004.

14.

Yang

Jia

Ren

Zhang

and Xie

, Dac-macs: Effective data access control for multiauthority cloud storage systems, IEEE Transactions on Information Forensics and Security 8(11) (2013), 1790–1801.

15.

Debnath

Sahana

S.C.

and Bhuyan

, A distributed fine-grained access control mechanism for cloud data outsourcing, Science & Technology Journal 3(2) (2015), 78–85.

16.

Liu

Xiong

and Chen

, Secure, efficient and revocable multi-authority access control system in cloud storage, Computers & Security 59 (2016), 45–59.

17.

Yang

Jia

and Ren

, Secure and verifiable policy update outsourcing for big data access control in the cloud, IEEE Trans. Parallel Distrib. Syst. 26(12) (2015), 3461–3470.

18.

Fan

Wang

and Yang

, A secure and verifiable outsourced access control scheme in fog-cloud computing, Sensors 17(7) (2017), 1695.

19.

Huang

Yang

and Wang

, Secure data access control with ciphertext update and computation outsourcing in fog computing for internet of things, IEEE Access 5 (2017), 12941–12950.

20.

Zhang

Chen

Liu

J.K.

Liang

and Liu

, An efficient access control scheme with outsourcing capability and attribute update for fog computing, Future Generation Computer Systems 78 (2018), 753–762.

21.

Zuo

Shao

Wei

Xie

and Ji

, Cca-secure abe with outsourced decryption for fog computing, Future Generation Computer Systems 78 (2018), 730–738.

22.

Debnath

and Bhuyan

, An Expressive Access Control Mechanism with user Revocation for Cloud Data Outsourcing, in: Proceedings of the International Conference on Electrical, Electronics, Computers, Communication & Computing, IEEE, Vol. 3, 2018, pp. 250–256.

23.

Akinyele

J.A.

Garman

Miers

Pagano

M.W.

Rushanan

Green

and Rubin

A.D.

, Charm: a framework for rapidly prototyping cryptosystems, Journal of Cryptographic Engineering 3(2) (2013), 111–128.

KDC	Data owner	Data user	Cloud server	Ref
$(n_{\theta,a}+3)\|p\|$	$n_{\theta}((n_{\theta,a}+2)\|g\|+\|g_{t}\|)$	$n_{o}(n_{\theta}+n_{a,id})\|g\|$	$(3n_{l}+2)\|g\|+\|g_{t}\|$	[14]
$2n_{\theta,a}\|p\|$	$\|p\|+\|g\|+n_{\theta}n_{\theta,a}(\|g\|+\|g_{t}\|)$	$n_{a,id}\|g\|$	$n_{l}(2\|g\|+\|g_{t}\|)+\|g_{t}\|$	[17]
$(n_{\theta,a}+2)\|p\|$	$2(\|p\|+\|g\|+n_{\theta}(n_{\theta,a}+1)(\|g\|+\|g_{t}\|)$	$(n_{a,id}+1)\|g\|+$	$(2n_{l}+1)\|g\|+\|g_{t}\|$	[16]
		$n_{\theta}\log(n_{u}+1)\|p\|$
$(2n_{\theta,a}+2)\|p\|$	$(1+n_{l})\|g\|+\|g_{t}\|+(2+2n_{l})\|p\|$	$(n_{\theta,id}+1)\|g\|+\|p\|$	$(2n_{l})\|g\|+n_{\theta}(2n_{l}+2)\|g\|+\|g_{t}\|$	[18]
$(n_{\theta,a}+2)\|p\|$	$(3+2n_{l})\|g\|+\|g_{t}\|$	$(2n_{\theta}+2n_{a,id})\|g\|$	$(5n_{l}+3)\|g\|+\|g_{t}\|$	[20]
$(2n_{\theta,a}+1)\|p\|$	$(3+n_{l})\|g\|+\|g_{t}\|$	$(3n_{\theta}+n_{a,id})\|g\|$	$(3n_{l}+1)\|g\|+n_{\theta}(\|g\|+\|g_{t}\|)$	[21]
$2n_{\theta}\|p\|$	$2n_{\theta}\|g\|+(n_{a})\|g_{t}\|$	$(2n_{\theta}+n_{a,id})\|g\|$	$(2n_{\theta}+2)\|g\|+\|g_{t}\|$	Ours

Large universe attribute based encryption enabled secured data access control for cloud storage with computation outsourcing

Abstract

Keywords

1. Introduction

Table 1 Comprehensive functionality analysis

3. Preliminaries

3.1 Bilinear pairings

.

.

.

3.4 Linear secret-sharing scheme

.

3.5 Assumptions

.

3.8 Security model

.

4.1 Details constructions of LU-ODAC

5.1 Data confidentiality

.

Proof..

.

Proof..

5.3 Security on user accessibility

.

Proof..

.

Proof..

6. Experiment and performance analysis

6.1 Implementation and simulation result

Table 2 Notations for performance analysis

Table 3 Storage overhead

Table 4 Computation overhead

6.2.4 Scalability

7. Conclusion

Footnotes

Authors’ Bios

References

Table 1
Comprehensive functionality analysis

Table 2
Notations for performance analysis

Table 3
Storage overhead

Table 4
Computation overhead