Privacy preserved secured outsourced cloud data access control scheme with efficient multi-authority attribute based signcryption

Abstract

Privacy preserved outsourced data access control is a hard task under the control of thirdâ€“party storage server. To overcome obstacles in the third party based scenario, Attribute-based signcryption system with bilinear pairing tool is one of the most suitable methods in cloud. It maintains the basic features of security like, authenticity, confidentiality, public verifiability, owner privacy, etc. Although, this method has some challenges like a centralized authority used for user secret key generation for de-signcryption operation, and lack in competent attribute revocation. To overcome the issues, we have proposed a scheme of attribute revocable privacy preserved outsourced based data access control mechanism using Attribute-based signcryption. The proposed method allows multi-authorities for assigning both attribute and secret keys for users along with trusted certified authority, which provides security parameters. The analysis of the proposed method shows less computation cost in decryption and authentication verification. The almost same performance and efficiency is found while comparing with the existing schemes after adding new features.

Keywords

Signcryption cloud computing data outsourcing public verifiablity owner privacy attribute revocation

ï»¿

1. Introduction

Data outsourcing is a viable option for storing huge organizational data persistently. Cloud data outsourcing relieves the data owner from setting up of their own storage server, network, and other infrastructures. The organization is allowed to request data storage from the cloud according to their present requirement and thereby minimize storage cost. The cloud data outsourcing also facilitates the growing need for data storage requirement as the organization scales up its operations [1]. In spite of the several benefits of cloud data outsourcing, many organizations are wary of outsourcing their organizational data into the cloud. This is due to the fact that the security of outsourced data is handled by the third-party cloud administrator [2]. The security concern of data owners for outsourcing data in the cloud may be reduced by putting in place, proper access control policy from the data owners’ side. Outsourcing of sensitive data, such as finance, defence, health records etc., to the third party cloud server arise privacy issue along with data security [3]. It is necessary to have a robust and reliable procedure which offers data confidentiality, authenticity, public verifiability, etc. without negotiating the data owner privacy for secured outsourced data access control. Recently, some researchers have explored the possibility of privacy preserved access control schemes [4, 5] to protect the stored data in cloud.

To overcome above issues of security and privacy in cloud, Attribute-Based Signature (ABS) [6] and Attribute-Based Encryption (ABE) [7] are the most promising security tools due to scalable and reliable features. ABS provides an opportunity to digitally sign a message without disclosing the identity of a signer and ABE provides the facility to develop an access control on encrypted data with message confidentiality. It is mentioned that Attribute-Based Signcryption (ABSC) [8], a logical combination of ABE and ABS, has a significant scope [3] to design privacy preserved outsourced data access control. There are several numbers of ABE and ABS schemes available based on structural view (Ciphertext policy based ABE, Key Policy based ABE), security assumptions (CDHE, DBHE, Sub-group), decentralized property, used policy structures, etc. explained in [2]. However, a few numbers of signcryption schemes explored till now which can provide authenticity and confidentiality under a single scheme using several feature alike attribute based encryption. We have prepared here a comparative study of signcryption schemes which are more suitable to design Outsourced data access control under third party storage server. At first, signcryption scheme addressed by Zheng et al. [8] combing of encryption and signature scheme together where the attribute-based concept was not present. The signcryption schemes addressed in [9, 10, 11, 12, 19] using the attribute-based process and those schemes are known as ABSC. It has an ability of public verifiability where any intermediate parties able to verify the validity of a message (even encrypted) without knowledge of user secret key and underlying content.

The problem of designing a multi-authority data access control scheme based on CP-ABSC with de-signcryption outsourcing capabilities and attribute revocation for cloud data outsourcing has received very little attention so far, although some schemes based on Multi-Authority ABE and ABS for cloud storage setting have been proposed, as in [4, 5, 10, 12]. Since the verification and decryption both have to be performed on the user side cloud data outsourcing, the number of pairing operations evaluated on the user side is proportional to the sum of the required attributes, i.e. not much acceptable for data outsourcing. In this article, we have proposed an efficient scheme extending the scheme of Rao et al. [4] with multi-authority set-up, outsource de-signcryption and attribute revocation. Our main contributions are as follows.

•
We propose a privacy preserved access control scheme for data outsourcing in cloud based on extension of Rao et al. [4] scheme. The proposed scheme supports computation outsourcing, multi authority setup and attribute revocation to make the system as reliable and efficient.
•
We analyze security of the proposed scheme to show that is achieves the remarkable security and privacy requirements.
•
We present the performance of competent existing attribute-based signcryption schemes with the proposed scheme based on the size of signing key, encryption key, cipher-text and signcryption and de-signcryption on the basis of computation cost as well.

The organization of this article followed by Section 2 as literature survey. In Section 3, we have explained the system description with system framework, security requirement with security notion, etc. The details construction of proposed privacy preserved secured data access control in Section 5. Security analysis of the proposed system is discussed in Section 6. Section 7 represents a comparative analysis of performance and functionalities of the proposed scheme. The summary of the paper explained in Section 8.
2. Literature review

Table 1
Comparison on features of several existing ABSC scheme

Features/functionalities	Emura et al. [12]	Wei et al. [10]	Pandit et al. [9]	Liu et al. [5]	Rao et al. [4]
Security assumptions	dBDHE, c(h)DHE	dBDHE, cDHE	Decisional sub	dBDHE, generic	dBDHE, cDHE
			group	group
Multi-authority	No	No	No	No	No
Structural policy type	CP	KP	SCP	CP	CP
Encryption policy structure	AND-gate	TP	MSP	MSP	MSP
Signing policy structure	MSP	TP	MSP	MSP	MSP
User authentication	No	No	Yes	Yes	Yes
Public verifiability	No	No	Yes	No	Yes
Computation outsourcing	No	No	No	No	No
Attribute revocation	No	No	No	No	No

CP: Cipher-text Policy; KP: Key Policy; SCP: Signcryption-Policy; MSP: Monotone Spam Program; TP: Threshold Policy; d(Hm)BDHE: decisional (hashed modified) bilinear Diffie-Hellman Exponent; c(m)DHE: computational (modified) Diffie-Hellman Exponent.

In 2010, Gagne et al. [11] initiated a formal study of an attribute-based signcryption scheme with threshold policies extending the concept of Zheng et al. [8]. They used Fuzzy identity-based encryption for encryption and threshold ABS for a signature scheme and also shown secured under selective predicate model. Later on, Emura et al. [12] explained a dynamic attribute-based singcryption with monotone access structure policy for the sender. This system supports AND-gate wildcard for a receiver and secured under the selective model. However, both models did not support signer privacy and unforgeability properties. Wang et al. [13] discussed a scheme in signcryption-policy based on monotone access tree. The functionality such as confidentiality and unforgeability were proven in adaptive-predicates models for this scheme. The unforgeability was proven by the random oracle model and confidentiality was proven by a generic group model, where the de-signcrypt mechanism is inaccessible to the adversary. A combined public-key scheme in attribute-based setting proposed by Chen et al. [14] where they used Water’s [7] CP-ABE scheme and Maji’s [6] ABS scheme to construct identical public parameters and key distribution. Chen et al. [14] used selectively joint security model in their combined scheme. Security assumption for this scheme is a monotone span program for both signer and receiver policy. In this scheme, the authors proved public verifiability and signer privacy as well as confidentiality and unforgeability under selective-predicate models. Wei et al. [10] proposed a traceable attribute-based signcryption scheme. They assumed as security parameters the decisional BDHE for signing and computational DHE for encryption. It provides confidentiality, and unforgeability under selectively predicate models. However, the property of signer privacy does not maintain by the scheme. Pandit et al. [9] addressed an attribute-based signcryption which supports confidentiality, signer privacy, strong unforgeability, etc. This scheme is selectively secured under adaptive-predicates security model. In 2015, Liu et al. [5] addressed a scheme named as CP-ABSC, a method based on Water’s CP-ABE [7] and Maji’s ABS [6]. They claimed that their scheme satisfies the message confidentiality against of distinguishable cipher-texts under adaptive chosen cipher-text attack. However, their structures are not supported by any of the standard signcryption techniques such as a logical mixture of signing and encryption, Sign-then-Encrypt (StE) and Encrypt-then-Sign. Moreover, it is not supported public verifiability as per their claimed. In 2017, Rao et al. [4] showed a scheme based on key policy maintaining the constant cipher-text encryption. They used MSP for both sender and receiver policy structure. Their scheme maintained signer privacy, confidentiality and also unforgeability which were proven by selective-predicate models. However, this scheme was a centralized system where all attributes for signing and encryption managed by a single authority. Moreover, this scheme did not provide sufficient attribute revocation process.

In Table 1, we have shown the comparison of several Attribute Based Signcryption schemes with the used functionality and characteristics. As prior characteristics, we have considered the security assumption or the hard problem based on which the data access control scheme need to implemented, encryption policy structure, signing policy structure, multi-authority setup, attribute revocation, computation outsourcing, signer privacy, public verifiability, security proof like confidentiality, Unforgeability, etc. The attribute based signcryption scheme in [4] is not supported multi authority setup along with attribute revocation but they have proven that their scheme is more efficient with respect to computation cost compare to other approaches in the table. There is a lack of reliability in terms of access revocation among existing and newly added users.

3. Preliminaries

3.1 Bilinear pairings

(Bilinear Pairings).

Let $\mathbb{G}$ and $\mathbb{G}_{T}$ are the two multiplicative cyclic group and their order $q$ is a prime number. A bilinear pairing $e:\mathbb{G}\times\mathbb{G}\rightarrow\mathbb{G}_{T}$ fulfills the properties as follows.

•
$e(x^{m},y^{n})=e(x,y)^{mn}$ ; $x,y\in_{R}\mathbb{G}$ and $m,n\in_{R}\mathbb{Z}_{q}$ , where $\mathbb{Z}_{q}=\{0,1,2,\ldots,q-1\}$ ;
•
Non-degenerate: $e(g_{1},g_{2})\neq 1$ , $g_{1}$ and $g_{2}$ are generator of $\mathbb{G}$ ;
•
Computable: Efficient procedure to compute $e(g_{1},g_{2}),\forall(g_{1},g_{2})\in\mathbb{G}\times\mathbb{G}$ .

We represent the bilinear pairing parameters shortly as $\Sigma:=(q,\mathbb{G},\mathbb{G}_{T},e)$ for friendly handling inside this paper and used only the properties of bilinear pairing for encryption and decryption.
3.2 Complexity assumptions

We have used q-PDBDHE [3] for security assumption of our scheme as follows.

Let a group $\mathbb{G}$ with prime order $q$ . Let $b,s,f_{1},\ldots,f_{q}\in\mathbb{Z}_{p}$ be chosen randomly and $g$ is a generator of $\mathbb{G}$ . If an Adversary, $\mathcal{A}$ is given

$\displaystyle\mathcal{D}=g,g^{s},g^{b},\ldots g^{(b^{q})},g^{(b^{q+2})},\ldots% ,g^{(b^{2q})},$ $\displaystyle\forall_{1\leqslant i\leqslant q}:g^{s\cdot b_{i}},g^{b/f_{i}},% \ldots,g^{(b^{q}/f_{i})},g^{(b^{q+2}/f_{i})},\ldots,g^{(b^{2q/f_{i})}},$ (1) $\displaystyle\forall_{1\leqslant i,j\in q;i\neq j}:g^{b\cdot s\cdot f_{j}/f_{i% }},\ldots,g^{(b^{q}\cdot s\cdot f_{j}/f_{i})}$

then, it is very hard to differentiate $e(g,g)^{b^{q+1}s}\in_{R}\mathbb{G}_{T}$ , which is an element randomly chosen from $\mathbb{G}_{T}$ . There may be an algorithm $\mathcal{B}$ that gives $z\in\{0,1\}$ with advantage $\epsilon$ for solving q-PDBDHE in $\mathbb{G}$ if

$\displaystyle|Pr[\mathcal{B}(\mathcal{D},T=e(g,g)^{b^{q+1}s})=0]-Pr[\mathcal{B% }(\mathcal{D},T=R)=0]|\geqslant\epsilon$ (2)

(q-PDBDHE).

The q-PDBDHE assumption holds if no such polynomial time methodology has non-negligible gain to solve the q-PDBDHE problem.

3.3 Access structures

(Access Structures [15]).

Let $\mathcal{U}$ be the universe of attributes. Consider a collection of non-empty attribute set $\mathbb{M}$ , i.e. $\mathbb{M}\subseteq 2^{\mathcal{U}}\setminus\{\}$ called as an access structure on $\mathcal{U}$ . The sets which are in $\mathbb{M}$ called the authorized sets and the sets which are not in $\mathbb{M}$ called the unauthorized sets.

In addition, an access structure $\mathbb{M}$ , if $\forall X,Y\in\mathbb{M}:$ if $X\in\mathbb{M}$ and $X\subseteq Y$ , then $Y\in\mathbb{M}$ is called monotone access structure.

3.4 Linear secret-sharing scheme

(LSSS [15]).

Let $\mathcal{U}$ be the universe of attributes. For an access structure $\mathbb{M}$ , a secret-sharing scheme $\Pi_{\mathbb{M}}$ over $\mathcal{U}$ is called linear (in $\mathbb{Z}_{p}$ ) if $\Pi_{\mathbb{M}}$ fulfills the following algorithms, where $A$ , a share-generating matrix for $\Pi_{\mathbb{M}}$ of size $l\times n$ and row labeling function, $\rho:[l]\rightarrow I_{\mathcal{U}}$ maps every row matrix $\mathbb{A}$ with attribute value in $\mathbb{M}$ . The symbol $I_{\mathcal{U}}$ is the index set of $\mathcal{U}$ .

Distribute $(\mathbb{A},\rho,\phi)$ . It considers a secret $\phi\in\mathbb{Z}_{p}$ which is to be shared, row labeling function $\rho$ and the share-generating matrix $\mathbb{A}$ as inputs. It selects $s_{2},s_{3},\ldots,s_{n}\in_{R}\mathbb{Z}_{p}$ and sets $\vec{v}=(\phi,s_{2},s_{3},\ldots,s_{k})\in\mathbb{Z}^{n}_{p}$ . It generate a set $\{\vec{\mathbb{M}}_{i}\cdot\vec{v}:i\in[l]\}$ of $l$ shares, where $\{\vec{A}_{i}\in\mathbb{Z}^{n}_{p}\}$ is the $i$ th row of the matrix $\mathbb{A}$ . The share $\lambda_{\rho(i)}=\vec{\mathbb{M}}_{i}\cdot\vec{v}$ belongs to an attribute value $\rho(i)$ .

Reconstruct $(\mathbb{M},\rho,\textit{Attr})$ . It considers $(\mathbb{M},\rho)$ and attributes $Attr\in\mathbb{M}$ as inputs. Let $I=i\in[l]:\linebreak\rho(i)\in I_{\textit{Attr}}$ , where $I_{\textit{Attr}}$ denotes the index set of attribute set Attr. It produces a set ${\omega_{i}:i\in I}$ of secret reconstruction constants such that $\Sigma_{i\in I}\omega_{i}\lambda_{\rho(i)}=\phi$ , if $\{\lambda_{\rho(i)}:i\in I\}$ is a valid set of shares of the secret $\phi$ as per $\Pi_{\mathbb{M}}$ .

The objective vector $(1,0,\ldots,0)$ , which is categorized the access structures i.e., a set $\textit{Attr}\in\mathbb{M}$ are indexed by each row of $\mathbb{A}$ , where vector $(1,0,\ldots,0)$ is the span of matrix $\mathbb{A}$ linearly.

3.5 Ciphertext Policy-Attribute Based Signcryption (CP-ABSC)

It is contained with the following subsequent algorithms:

•
TCASetup $(1^{k})$ . A trusted certified authority takes the security parameter $1^{k}$ and generates global public parameters $\mathcal{PP}$ through this algorithm. The $\mathcal{PP}$ has included multiple key distribution centers $\mathcal{KDC}$ as attribute authority, attribute universe $\mathcal{U}$ , users $\mathcal{UID}$ , and the message space $\mathcal{M}$ to encrypt. The attributes which have taken for signing are not the same with encryption/decryption attributes.
•
KDCSetup $(\mathcal{PP})$ : It produces secret keys and public keys pair $\{SK_{\theta},PK_{\theta}\}$ as outputs by each Key distribution center, $\theta$ based on the inputs of public parameters $\mathcal{PP}$ .
•
SKGen $(\mathcal{PP},PK_{\theta},SK_{\theta},PK_{id},A_{s},A_{d})$ : This algorithm considers $\mathcal{PP}$ , secret keys and public keys pair $\{PK_{\theta},SK_{\theta}\}$ of key distribution center $\textit{KDC}_{\theta}$ , public key of a user $PK_{id}$ , and an attribute set $A_{s}$ as inputs and produces the output of signing and decryption keys $\{SK^{s}_{ID,\theta},SK^{d}_{ID,\theta}\}$ for each user.
•
Signcrypt $(\mathcal{PP},\mathcal{M},\{SK^{s}_{id,j}\}_{j\in I_{\theta}},{\chi}_{s},{\chi% }_{e})$ : The signcryptor runs it with the inputs of $\mathcal{PP}$ , a plain-text $m\in\mathcal{M}$ , signing secret key $\{SK^{s}_{id,j}\}_{j\in I_{\theta}}$ , where $I_{\theta}$ is a set of involved authorities with encryption and signing predicates { $\chi_{e},\chi_{s}$ }. It produces ciphertext $CT_{\chi_{e}}$ as output of this algorithm. Note that $\chi_{s}(A_{s})=1$ .
•
Designcrypt $(\mathcal{PP},CT_{\chi_{e}},PK_{id},\{{SK}^{d}_{id,j}\}_{j\in I_{\theta}})$ : This algorithm uses $\mathcal{PP}$ , cipher-text $CT_{\chi_{e}}$ , public key of de-signcryptor user $id\in\mathcal{UID}$ with set of decryption key $\{{SK}^{d}_{id,j}\}_{j\in I_{\theta}}$ as inputs. It produces correct message as output when $\chi_{e}(A_{d})=1$ and the cipher-text $CT_{\chi_{e}}$ have a valid signature. Otherwise, it returns the dummy message $\bot$ .

In brief,

$\displaystyle{\prod}_{\textit{CP-ABSC}}:=\left[\begin{array}[]{lcl}(\mathcal{% PP})&\leftarrow&\text{TCASetup}(1^{k})\\ \{SK_{\theta},PK_{\theta},PK_{\theta,id}\}&\leftarrow&\text{KDCSetup}(\mathcal% {PP}),\\ \{SK^{s}_{id,\theta},SK^{d}_{id,\theta}\}&\leftarrow&\text{SKGen}(\mathcal{PP}% ,PK_{\theta},SK_{\theta},PK_{id},A_{s},A_{d}),\\ CT_{\chi_{e}}&\leftarrow&\text{Signcrypt}(\mathcal{PP},\mathcal{M},\{SK^{s}_{% id,j}\}_{j\in I_{\theta}},{\chi}_{s},{\chi}_{e}),\\ m\text{ or }\bot&=&\text{De-signcrypt}(\mathcal{PP},CT_{\chi_{e}},PK_{id},\{{% SK}^{d}_{id,j}\})\\ \end{array}\right]$

.

${\prod}_{\textit{CP-ABSC}}$ is correct if for all signing attribute sets $A_{s}$ and decryption attribute set $A_{d}$ , all claim-predicates ${\chi}_{s}$ and ${\chi}_{e}$ such that ${\chi}_{e}(A_{d})=1={\chi}_{s}(A_{s})$ , all $m\in\mathcal{M}$ , all $(\mathcal{PP})\leftarrow\linebreak\text{TCASetup}(1^{k})$ , all KDC’s key $\{SK_{\theta},PK_{\theta},PK_{\theta,id}\}\leftarrow\text{KDCSetup}(\mathcal{% PP})$ all user secret keys $\{SK^{s}_{id,\theta},\linebreak SK^{d}_{id,\theta}\}\leftarrow\text{SKGen}(% \mathcal{PP}$ , $PK_{\theta},SK_{\theta},PK_{id},A_{s},A_{d})$ , all signcryptions $CT_{\chi_{e}}\leftarrow\text{Signcrypt}(\mathcal{PP},\mathcal{M}\linebreak\{SK% ^{s}_{id,j}\}_{j\in I_{\theta}},{\chi}_{s},{\chi}_{e})$ , it is always true that $\text{De-signcrypt}(\mathcal{PP},CT_{\chi_{e}},PK_{id},\{{SK}^{d}_{id,j}\}_{j% \in I_{\theta}})=m$ .
3.6 Security notions

Following [4, 14], we have defined here the security requirement of CP-ABSC scheme, which includes data confidentiality, signcryptor privacy, cipher-text unforgeability. IND-sEP-CCA2 and EUF-sSP-CMA security model is used to define the security notation of data confidentiality and unforgeability respectively. EUF-sSP-CMA denotes selective signing policy and adaptive chosen message attack and IND-sEP-CCA2 as in-distinguishability of cipher-texts under selective encryption policy and adaptive chosen cipher-text attack.

3.6.1 Data confidentiality

Data confidentiality of a cryptographic scheme is able to visualised as playing a game between an Adversary $\mathcal{A}$ and a Challenger $\mathcal{C}$ , as follows.

Init Phase At first, $\mathcal{C}$ identifies the universe of attributes $\mathcal{U}$ for both signing and encryption procedure. Then, $\mathcal{A}$ creates the challenge cipher-text by submitting an encryption policy $\chi^{\ast}_{e}$ based on encryption attributes during the challenge phase.

Setup Phase $\mathcal{C}$ acquires $(\mathcal{PP})\leftarrow\textit{Setup}(1^{k})$ to generate public parameters $\mathcal{PP}$ and sends to $\mathcal{A}$ .

Query Phase 1 $\mathcal{A}$ requests adaptively number of queries to the succeeding oracles from the $\mathcal{C}$ .

•
Secretkey oracle $\mathcal{O}^{sk}(S^{\prime},\theta_{k},id)$ : $\mathcal{A}$ puts a set of attributes $S^{\prime}=A^{\prime}_{s}\bigcup A^{\prime}_{d}$ to the KDC $\theta_{k}$ for signing attributes and decryption attributes such that decryption attributes should not satisfy access structure $\chi^{\prime}_{d}$ combined with the key obtains from the corrupted KDC. Challenger $\mathcal{C}$ runs the Secretkey oracle and return back to $\mathcal{A}$ .
•
Signcryption oracle $\mathcal{O}^{SC}(m,\chi_{s},\chi_{e})$ : Again, $\mathcal{A}$ puts a signing predicate $\chi_{s}$ and encryption predicate $\chi_{e}$ with a message $m\in M$ . Challenger $\mathcal{C}$ picks a signing attribute set $A_{s}$ such that $\chi_{s}(A_{s})=1$ , computes the signing key $SK_{A_{s}}\leftarrow\textit{Secretkey oracle}(PP,A_{s})$ and returns back the cipher-text $CT_{\chi_{e}}\leftarrow\textit{Signcryption}(PK,m,SK_{A_{s}},\chi_{s},\chi_{e})$ to $\mathcal{A}$ .
•
De-signcryption oracle $O^{DS}(CT_{\chi_{e}},A_{d},\chi_{s})$ : $\mathcal{A}$ puts a decryption attribute set $A_{d}$ and a signing predicate $\chi_{s}$ with the ciphertext $CT_{\chi_{e}}$ . Then, Challenger $\mathcal{C}$ computes the decryption key $SK_{A_{d}}\leftarrow\textit{De-signcryption}(PK,SK_{A_{d}},A_{d})$ and returns back the De-signcryption $(PK,CT_{\chi_{e}}$ , $\chi_{s},SK_{A_{d}})$ to Adversary $\mathcal{A}$ as output.

Challenge Phase: Now, in this phase $\mathcal{A}$ selects $m^{}_{0},m^{}_{1}$ as two same length messages and $\chi^{}_{s}$ as a signing predicate. Then, $\mathcal{C}$ selects $A^{}_{s}$ as an attribute set for signing such that $\chi^{}_{s}(A^{}_{s})=1$ and generates $SK_{A^{}_{s}}\leftarrow\textit{Secretkey}(PK,SK_{A_{s}},A^{}_{s})$ , choices $i\leftarrow(0,1)$ . Challenger $\mathcal{C}$ returns challenge cipher-text $CT^{}_{\chi^{}_{s}}\leftarrow\textit{Signcryption}$ $(PK,m^{}_{i},SK_{A^{}_{s}}$ , $\chi^{}_{s},\chi^{}_{e})$ for $\mathcal{A}$ .

Query Phase 2 Adversary $\mathcal{A}$ can similarly makes more queries like Query Phase 1 except for the decryption attribute set $A_{d}$ such that $\chi^{}_{e}(A_{d})=1$ , the de-signcryption queries $\mathcal{O}^{DS}(CT^{}_{\chi_{e}},A_{d},\chi^{}_{s})$ .

Guess Phase Adversary $\mathcal{A}$ yields a guess bit $\acute{i}\in\{0,1\}$ and if $\acute{i}=i$ occurs, then $\mathcal{A}$ wins this game.

Finally, the advantage of $\mathcal{A}$ can be defined to be $\textit{Adv}^{\textit{IND-sEP-CCA2}}_{\mathcal{A}}:=|\textit{Prob}[\acute{i}=i% ]-\frac{1}{2}|$ from this game.

.

The scheme ${\prod}_{\textit{CP-ABSC}}$ is called $(t,\textit{qSK},\textit{qSC},\textit{qDS},\epsilon)$ -IND-sEP-CCA2 secure if for any PPT Adversary $\mathcal{A}$ can run at most time $t$ where adversary $\mathcal{A}$ makes at most queries on qSK Secret keys, qSC Signcryption and qDS De-signcryption with at most $\epsilon$ advantage. If $\mathcal{A}$ ’s advantage, denoted as $Adv^{\textit{IND-sEP-CCA}}_{\mathcal{A}}$ , then

$\displaystyle\textit{Adv}^{\textit{IND-sEP-CCA}}_{\mathcal{A}}:=\left|\textit{% Prob}[\acute{i}=i]-\frac{1}{2}\right|.$ (3)
3.6.2 Cipher-text Unforgeability

Cipher-text Unforgeability of a cryptographic scheme can be finalized by playing a game in between an Adversary $\mathcal{A}$ and a Challenger $\mathcal{C}$ as follows.

Init Phase Initially, $\mathcal{C}$ identifies the space of $\mathcal{U}$ for signing attributes. Then, $\mathcal{A}$ puts a signing policy ${\chi}^{\ast}_{s}$ to forge the cipher-text over selected signing attributes.

Setup Phase $\mathcal{C}$ obtains $(\mathcal{PP})\leftarrow\textit{Setup}(1^{k})$ and sends $\mathcal{PP}$ to $\mathcal{A}$ .

Query Phase 1 $\mathcal{A}$ requests adaptively queries on the subsequent oracles from $\mathcal{C}$ .

•
SecretKey oracle $\mathcal{O}^{sk}(S^{\prime},\theta_{k},id)$ : $\mathcal{A}$ submits a set of attributes $S^{\prime}=A^{\prime}_{s}\bigcup A^{\prime}_{d}$ to the KDC $\theta_{k}$ for signing attributes and decryption attributes such that decryption attributes should not satisfy access structure $\chi^{\prime}_{d}$ combined with the key obtains from the corrupted KDC. $\mathcal{C}$ runs the SKGen and return back to $\mathcal{A}$ .
•
Signcryption oracle $\mathcal{O}^{SC}(m,\chi_{s},\chi_{e}$ ): $\mathcal{A}$ puts a signing predicate $\chi_{s}$ , a message $m\in M$ , and encryption policy $\chi_{e}$ . $\mathcal{C}$ selects a signing attribute set $A_{s}$ such that $\chi_{s}(A_{s})=1$ , computes the signing key $SK_{A_{s}}\leftarrow\textit{SKGen}(PP,A_{s})$ and returns the cipher text $CT_{\chi_{e}}\leftarrow\textit{Signcryption}(PK,m,SK_{A_{s}},\chi_{s},% \linebreak\chi_{e})$ to $\mathcal{A}$ .
•
De-signcryption oracle $O^{DS}(CT_{\chi_{e}},A_{d},\chi_{s})$ : $\mathcal{A}$ submits a cipher-text $CT_{\chi_{e}}$ , a decryption attribute set $A_{d}$ and a signing predicate $\chi_{s}$ . Then, $\mathcal{C}$ computes the decryption key $SK_{A_{d}}\leftarrow$ De-signcryption $(PK,MK,A_{d})$ and returns the output of De-signcryption $(PK,CT_{\chi_{e}},\chi_{s},SK_{A_{d}})$ to $\mathcal{A}$ .

Forgery Phase: For the selective signing structure $\chi^{}_{s}$ , Adversary $\mathcal{A}$ produces a forgery cipher-text $CT^{}_{\chi^{}_{e}}$ $\mathcal{A}$ wins the game if De-signcryption $(PK,CT^{}_{\chi^{}_{e}},\chi^{}_{s},SK_{A^{}_{d}})=m^{}\neq\bot$ , where $\chi^{}_{e}(A^{}_{d})=1$ and using the tuple $(m^{},\chi^{}_{s},\chi^{*}_{e})$ , if $\mathcal{A}$ doed not queried to signcryption oracle.

The advantage of $\mathcal{A}$ in this game can be defined as

$\displaystyle\textit{Adv}^{\textit{EUF-sSP-CMA}}_{\mathcal{A}}:=\text{Prob}[% \mathcal{A}\text{ wins}].$ (4)

.

The ${\prod}_{\textit{CP-ABSC}}$ is $(t,\textit{qSK},\textit{qSC},\textit{qDS},\epsilon)$ -EUF-sSP-CMA secure under a game in between $\mathcal{C}$ and $\mathcal{A}$ , if for any PPT adversary $\mathcal{A}$ running in time at most $\mathfrak{T}$ that makes at most qSK secret key queries, qSC Signcryption queries and qDS De-signcryption queries, then $\mathcal{A}$ ’s advantage is at most $\epsilon$ .
3.6.3 Signcryptor privacy

It ensures that one cannot guess from a signed message, the used set of attributes of a signer. This security notion is formally defined by a game between $\mathcal{C}$ and $\mathcal{A}$ .

.

The CP-ABSC scheme ${\prod}_{\textit{CP-ABSC}}$ satisfies data owner privacy if for all PPT adversaries $\mathcal{A}$ ,

$\displaystyle\textit{Prob}\left[\check{i}=i\quad:\begin{array}[]{l}(\mathcal{% PP})\leftarrow\textit{KDCSetup}(1^{k})\\ (A^{(1)}_{s},A^{(2)}_{s},m,\chi_{s},\chi_{e})\leftarrow\mathcal{A}(\mathcal{PP% });\chi_{s}(A^{(1)}_{s})=1=\chi_{s}(A^{(2)}_{s})\\ i\xleftarrow{R}\{1,2\}\\ {CT}^{(i)}_{\chi_{e}}\leftarrow\textit{Signcryption}(\mathcal{PP},m,SK_{A^{(i)% _{s}}},\chi_{s},\chi_{e})\\ \check{i}\leftarrow\mathcal{A}(\mathcal{PP},{CT}^{(i)}_{\chi_{e}})\\ \end{array}\right]=\frac{1}{2}$ (5)

4. Proposed Signcryption based Outsourced Data Access Control (SBODAC) scheme

Based on Attribute Based Signcryption, we have proposed Signcryption based Outsourced Data Access Control (SBODAC), an efficient data access control scheme for outsourced data in cloud. We have minimized cost of de-signcryption operation with computation outsourcing and introduced attribute revocation to manage dynamic users.

4.1 Scheme description

Figure 1.

System architecture.

We have shown the working process of our proposed model in Fig. 1 consisting of five different types of entities, viz, the global trusted certify authority (TCA) to generate common parameters for the other entities, cloud server to store the signcrypted data, multiple key distribution centers (KDCs) as attribute authority to generate the keys for signing and decryption keys for each of the user. In this system, TCA registers all the KDCs and users (signcryptors and de-signcryptors). Each attributes authority as a KDC assigns attribute public keys corresponding to users, who are associated with those attributes. The signcryptor encrypts the data using signing and encryption key and store into the cloud. Finally, the de-signcryptors verify the signature to access data from the cloud and if they succeed, then based on decryption key decrypt the cipher-text using partially decryption outsourcing. A corrupted user or a KDC administrator with others is not able to e-signcrypt the correct message from this system. Each KDC initiates the cipher-text update without hampering the data signer by attribute revocation process. The communications among TCA, KDCs, users and cloud server performed by secure shell (SSH) protocol. The detailed functionality of each entity is shown in the Table 2.

Table 2

Descriptions of involved entities

Entity	Role description
TCA	Generates public parameters for the whole system. It also register both user and key distribution centers as attribute authority.
KDCs	Assigns to each user secret key corresponding to attributes that hold by a registered user. It issues, updates, and revokes an attribute to dynamically manage the users.
Server	Stores signcrypted data generated by data owner in to cloud and provides on user demand. It checks the signer validity and partially decrypt the cipher-text for the valid data users. It updates timely on authority request for attributes revocation.
Owner	Access policies on a set of user attributes, signcrypts the content under the policies. It outsources signcrypted data in cloud.
User	Able to verify the signature and decrypt the signcrypted content if he holds the sufficient attributes to match the access policy.

We have shown the whole working process of our proposed scheme in Fig. 2 for more clarity.

Figure 2.

Workflow of the proposed scheme.

4.2 Threat assumptions

•
Let TCA be fully trusted and key distribution centers will provide the correct user secret key on query.
•
The cloud server is semi-trusted but will provide cipher-text on demand. The key distribution center should not collude with the user to access data. However, it can be corrupted for the user information to provide an adversary.
•
A user or attacker can be corrupted and collude each other (even cloud server) with user information for signing or decrypt.

4.3 Security requirement

•
Confidentiality: Unauthorized users should be prevented from access to original data. The user who has no sufficient attributes which are listed at signcryption time is known as unauthorized user.
•
Data Owner Privacy: The owner who has sensitive information to share with specific persons without disclosing his identity. Owner identity must be protected from the storage server and other users.
•
Public verifiability: The data owner who is signcrypted the data should be valid user and also publicly verifiable.
•
Unforgeability: A user who does not have the privilege to signcrypt the data need to prevent to signcrypt any data.
•
Forward and Backward Security: A newly joined user should able to access the system properly. The revoked user should prevent to access the system.
•
Collision Resistance: A group of authorized users inside the system combining their secret must not retrieve an another user’s secret.

4.4 Notations

We have described few multiple used declaration in the Table 3 for our proposed Scheme. Mostly single used declarations are defined in place of location.

Table 3
Notations for our scheme description

Declaration	Meaning
$\mathcal{PP}$	Public Parameters
$\mathcal{A},\mathcal{B},\mathcal{C}$	Under a Probabilistic interactive machine to model the PPT adversaries
	$\mathcal{A}$ represents an attacker, $\mathcal{B}$ denotes the simulator, and $\mathcal{C}$ represents a challenger
$k$	Security Parameter
$\vec{M}_{i}$	$i$ -th row of the LSSS matrix $M$
$\alpha_{\theta}$ , $\beta_{\theta}$ , $\vartheta_{\theta}$	Secretly chosen random values by authority
$A_{d}$ , $A_{s}$	Decryption Attribute Set, Signing Attribute Set
$SK_{id}$	Secret key of $id^{\text{th}}$ user
$\bar{S}K^{s_{2}}_{\theta,id}$	Updated Signing Key component
$\bar{S}K^{d_{2}}_{\theta,id}$	Updated Decryption Key component
$\mathcal{O}^{sk}$	Secretkey oracle
$\mathcal{O}^{SC}$ , $\mathcal{O}^{DS}$	Signcryption oracle, De-signcryption oracle
$\chi_{s},\chi_{d}$	Signing access structure, Encryption access structure
$\mathbb{Z}^{l\times n}_{p}$	Set of matrices of size $l\times n$ with elements in $\mathbb{Z}_{p}$
$CT_{\chi_{d}}$	Signcrypted cipher-text
$UKC_{x}$	Revoked Updated Key
$UCT_{x}$	Updated component of ciphertext

4.5 Our system framework

The system framework is consisting of the following algorithms in brief:

•
TCASetup1 $(1^{k})\rightarrow(\mathcal{PP}$ ): It runs by TCA. It takes security parameter $(1^{k})$ as input and produces public parameters as outputs. It registers key distribution center and user to manage user attributes and assign security in the system.
•
UserReg $(\mathcal{PP})\rightarrow\{SK_{id},PK_{id}\}$ : It runs by each registered user in the system. It takes public parameters as inputs and generates user secret key and user public key as outputs.
•
KDCSetup $(\mathcal{PP},PK_{id})\rightarrow\{SK_{\theta},PK_{\theta},PK^{\prime}_{\theta% ,id}\}$ Each KDC $\theta$ runs this algorithm. It takes public parameters $\mathcal{PP}$ , user public key $PK_{id}$ as inputs and computes its own public key, secret key and also the public user key corresponding to each user for outputs.
•
TCAKeyGen $(\mathcal{PP},PK_{\theta},PK^{\prime}_{\theta,id})\rightarrow\{PK_{\theta,id}\}$ : It runs by TCA to generate KDC- user pair public keys. It takes own public parameters, user public key, KDC’s public key as inputs and outputs a KDC-user pair public key for that KDC.
•
UserSKGen $(\mathcal{PP},SK_{\theta},PK_{\theta})\rightarrow(SK^{s}_{\theta,id},SK^{d}_{% \theta,id})$ : Each KDC runs this algorithm. Here, the inputs are public parameters $\mathcal{PP}$ , KDC-user pair public keys which generate by TCA under control of itself. The outputs are user signing and decryption keys $\{SK^{s}_{\theta,id},SK^{d}_{\theta,id}\}$ .
•
Signcryption $(\mathcal{PP},m,PK_{id},\{PK_{\theta}\}_{\theta\in\mathcal{KDC}},\chi_{s},\chi% _{d})\rightarrow CT_{\chi_{d}}$ : Signcryptor runs this algorithm. It inputs the message to be signcrypted, signing access structure, encryption access structure, public parameters and owner signing secret key. It outputs signcrypted cipher-text.
•
De-signcryption $(\mathcal{PP},CT_{\chi_{d}},\chi_{s},SK_{id},\{SK^{d}_{\theta,id}\}_{\theta\in% \mathcal{KDC}})\rightarrow m\text{ or }\bot$ : Each data user runs this algorithm with the help of cloud server. The inputs are signcrypted text, signing access policy and user decryption secret key. It outputs are original message without knowing signer identity it the decryption access structure match with encryption policy.
•
Attribute Revocation: Attribute revocation works here like a similar way with the previously proposed schemes. There are three steps involved as follows.

–
GenUpdateKey: $(PK_{id},SK_{\theta},CT_{\chi_{e}})\rightarrow\{UK^{s}_{id,a^{\prime}},UK^{d}_% {id,a^{\prime}}\},\{UK^{s}_{CT},UK^{d}_{CT}\}$ . It runs by corresponding attribute authority center. The inputs are new attribute version key, cipher-text components where the attribute revoked and outputs update key contents of user and cloud.
–
UpdateSecretKey: $(SK^{s_{2}}_{\theta,id},SK^{d_{2}}_{\theta,id})\rightarrow(\bar{SK}^{s_{2}}_{% \theta,id},\bar{SK}^{d_{2}}_{\theta,id})$ . It runs by Non-revoked users. It takes update key as inputs and produces updated user secret keys for signing and decryption.
–
UpdateCiphertext: $(CT_{\chi_{d}},\{UK^{s}_{CT},UK^{d}_{CT}\})\rightarrow CT^{\prime}_{\chi_{d}}$ . It runs by cloud server. It takes update cipher-text signing key and decryption key as inputs and output updated signcrypted cipher-text.

5. Detailed Construction of Signcryption based Outsourced Data Access Control (SBODAC)

To develop our proposed scheme, we have used similar analytical model of Rao et al. [4] where ABSC model used to develop a case study on Physical Health Records. However, this scheme is a centralized system, where a single trusted authority issues all the secret keys for signing and encryption. For our proposed scheme, we have made it decentralized mode based on Chease et al. [17]. We have used large universe attribute based encryption process as [15]. To incorporate the revocation method, we have used Green et al. [18] revocation scheme. We have also incorporated outsourcing operation for de-signcryption operation to reduce to computation cost for data users. The details construction of our proposed scheme explained using the following phases.

Phase-1 TCASetup $(1^{k})$ : Considering the security parameter $1^{k}$ , TCA initialize the system and produces the public parameters $\mathcal{PP}$ . It formulates a binary pair $e:\mathbb{G}\times\mathbb{G}\rightarrow\mathbb{G}_{T}$ where $\mathbb{G}$ and $\mathbb{G}_{T}$ be the multiplicative group with prime order $p$ . Let $g_{1}$ and $g_{2}$ be the random generators of $\mathbb{G}$ . Three collision resistance hash functions $H_{x}:\mathbb{G}\rightarrow\mathbb{Z}^{*}_{p},H_{y}:\{0,1\}^{*}\rightarrow\{0,% 1\}^{l}$ and $H_{z}:\{0,1\}^{*}\rightarrow\mathbb{Z}^{*}_{p}$ have chosen randomly. To produce the public parameters $\mathcal{PP}$ , TCA follows the following steps.

•
It selects $(\eta_{1},\eta_{2},\{a_{0},a_{1},\ldots,a_{l}\})\in_{R}\mathbb{G}$ .
•
For each attribute $a\in\mathcal{U}$ , it samples $h_{a}\in_{R}\mathbb{G}$ .
•
It registers all the users and key distribution center providing unique user identity $id\in\mathcal{UID}$ and $\theta\in\mathcal{KDC}$ respectively.
•
For each user, it also chooses randomly two values $s_{id}$ and $d_{id}$ and send to respective user $g_{1}^{s_{id}}$ and $g_{1}^{d_{id}}$ .

Finally, it publishes the public parameter as

$\displaystyle\mathcal{PP}=\{\mathbb{G},\mathbb{G}_{T},e,p,g_{1},g_{2},H_{x},H_% {y},H_{z},\eta_{1},\eta_{2},\{a_{0},a_{1},\ldots,a_{l}\},\{h_{a}\}_{a\in% \mathcal{U}},\mathcal{UID},\mathcal{KDC}\}.$ (6)

Phase-2 UserReg $(\mathcal{PP})$ : After receiving user’s unique identity $i d$ and corresponding signing and attribute value $g_{1}^{s_{id}}$ and $g_{1}^{d_{id}}$ from the TCA, Each user randomly selects a value $z_{id}$ and calculates a value $g_{1}^{z_{id}}$ using public parameter $\mathcal{PP}$ . The $i d$ user’s secret and public key are as follows.

$\displaystyle SK_{id}=\{z\in_{R}\mathbb{Z}_{p}\}$ (7) $\displaystyle PK_{id}=\{g_{1}^{s_{id}},g_{1}^{d_{id}},g_{1}^{z_{id}},g_{2}^{z_% {id}},\{h_{a}^{s_{id}}\}_{a\in\mathcal{S}}\}.$ (8)

Phase-3 KDCSetup $(\mathcal{PP},PK_{id})$ : Each KDC $\theta$ runs this algorithm. It initialize itself using public parameters and computes its own public key and also the public keys corresponding to each user. Each KDC randomly chooses $\{\alpha_{\theta},\beta_{\theta},\gamma_{\theta}\}\in_{R}\mathbb{Z}_{p}$ . Let $\mathcal{S}$ set of attributes controlled by KDC $\theta$ . Now, it also randomly picks a version key $V_{a}$ for each attributes. Finally, it generates the followings:

$\displaystyle SK_{\theta}=\{\alpha_{\theta},\beta_{\theta},\gamma_{\theta},\{V% _{a}\}_{a\in\mathcal{S}}\}.$ (9) $\displaystyle PK_{\theta}=\left\{PK^{1}_{\theta}=e(g_{1},g_{1})^{\alpha_{% \theta}},PK^{2}_{\theta}=g_{1}^{V_{a}},PK^{3}_{\theta}=g_{1}^{\frac{\alpha_{% \theta}}{\beta_{\theta}}},PK^{4}_{\theta}=g_{2}^{\frac{1}{\beta_{\theta}}},PK^% {5}_{\theta}=g_{2}^{\frac{1}{\gamma_{\theta}}}\right\}$ (10) $\displaystyle PK^{\prime}_{\theta,id}=\left\{g_{1}^{\frac{\alpha_{\theta}}{z_{% id}\cdot\gamma_{\theta}}}\right\}$ (11)

Each KDC sends $PK^{\prime}_{\theta,id}$ to the corresponding user $i d$ and $PK_{\theta}$ to TCA to calculate the public key pair $PK_{\theta,id}$ among user $id\in\mathcal{UID}$ and KDC $\theta\in\mathcal{KDC}$ .

Phase-4 TCAKeyGen $(\mathcal{PP},PK_{\theta},PK^{\prime}_{\theta,id})$ : In this stage, using the public keys of each KDC, TCA calculates a pair of KDC and user public key as

$\displaystyle PK_{\theta,id}=\left\{PK^{1}_{\theta,id}=PK^{3}_{\theta}\cdot(PK% ^{4}_{\theta})^{s_{id}},PK^{2}_{\theta,id}=PK^{\prime}_{\theta,id}\cdot(PK^{5}% _{\theta})^{d_{id}}\right\}$ (12)

where,

$\displaystyle PK^{1}_{\theta,id}=PK^{3}_{\theta}\cdot(PK^{4}_{\theta})^{s_{id}% }=g_{1}^{\frac{\alpha_{\theta}}{\beta_{\theta}}}g_{2}^{\frac{s_{id}}{\beta_{% \theta}}}$ $\displaystyle PK^{2}_{\theta,id}=PK^{\prime}_{\theta,id}\cdot(PK^{5}_{\theta})% ^{d_{id}}=g_{1}^{\frac{\alpha_{\theta}}{z_{id}\cdot\gamma_{\theta}}}g_{2}^{% \frac{d_{id}}{\gamma_{\theta}}}$

Phase-5 UserSKGen $(\mathcal{PP},SK_{\theta},PK_{\theta},\mathcal{U})$ : Each KDC runs this algorithm to generate the user signing secret key and user decryption secret key as follows.

User signing secret key

$\displaystyle SK^{s}_{\theta,id}=\left\{SK^{s_{1}}_{\theta,id}=(PK^{1}_{\theta% ,id})^{\beta_{\theta}}=g_{1}^{\alpha_{\theta}}g_{2}^{s_{id}},SK^{s_{2}}_{% \theta,id}=(g_{1}^{s_{id}})^{V_{a}}\right\}$ (13)

User decryption secret key

$\displaystyle SK^{d}_{\theta,id}=\left\{SK^{d_{1}}_{\theta,id}=(PK^{2}_{\theta% ,id})^{\gamma_{\theta}}=g_{1}^{\frac{\alpha_{\theta}}{z_{id}}}g_{2}^{d_{id}},% SK^{d_{2}}_{\theta,id}=(g_{1}^{d_{id}})^{V_{a}}\right\}$ (14)

Phase-6 Signcryption $(\mathcal{PP},m,PK_{id},\{PK_{\theta}\}_{\theta\in\mathcal{KDC}},\chi_{s},\chi% _{d})$ : When the data owner wants to store the signcrypted data into cloud then he formulates an signing access structure $\chi_{s}$ , where $\chi_{s}(A_{s})=1$ and encryption access structure $\chi_{d}$ . Signing access structure preserves the signer privacy. This algorithm takes as inputs the public parameters $\mathcal{PP}$ , input message $m\in\{0,1^{}\}$ , a signing keys for the signing attribute set $A_{s}$ , encryption access structure $\chi_{d}$ and signing access structure $\chi_{s}$ where $\chi_{s}(A_{s})=1$ . Assume that $\chi_{s}:=(M_{s},\rho_{s})$ and $\chi_{d}:=(M_{d},\rho_{d})$ , where $M_{s}$ (resp. $M_{d}$ ) is an $l_{s}\times n_{s}$ (resp. $l_{d}\times n_{d}$ ) matrix with row labeling function $\rho_{s}:[l_{s}]\rightarrow U$ (resp. $\rho_{d}:[l_{d}]\rightarrow U)$ . Let $\vec{M}^{(i)}_{s}$ (resp. $\vec{M}^{(i)}_{s}$ ) be the $i^{\text{th}}$ row of the matrix $M_{s}$ (resp. $M_{d}$ ). Then, the signcryptor computes the following:

•
Since $\chi_{s}(A_{s})=1$ , a signcryptor considers a vector $\vec{c}:=(c_{1},c_{2},\ldots,c_{l_{s}})\in\mathbb{Z}^{l_{s}}_{p}$ such that $c.M_{s}=1_{n_{s}}$ , i.e., $\sum_{i\in[l_{s}]}c_{i}.\vec{M}^{(i)}_{s}=\vec{1}_{n_{s}}$ , and $c_{i}=0$ for all $i$ where $\rho_{s}(i)\notin A_{s}$ .
•
Similarly, it considers an another vector $\vec{e}:=(e_{1},e_{2},\ldots,e_{l_{s}})\xleftarrow{R}\mathbb{Z}^{ls}_{p}$ , such that $\sum_{i\in[l_{s}]}e_{i}.\vec{M}^{(i)}_{s}=\vec{1}_{n_{s}}$ .
•
The signer re-randomizes the signing key by choosing randomly $s^{\prime}_{id}\in_{R}\mathbb{Z}^{}_{P}$ and generates $\breve{SK}^{s_{1}}_{\theta,id}=SK^{s_{1}}_{\theta,id}\cdot g_{2}^{s^{\prime}_{% id}}$ , and $\breve{SK}^{s_{2}}_{\theta,id}=SK^{s_{2}}_{\theta,id}\cdot g_{1}^{s^{\prime}_{% id}}$ .
•
Now, it randomly picks $\xi\in_{R}\mathbb{Z}_{p}$ and $\{\lambda_{1},\lambda_{2},\ldots,\lambda_{l_{d}}\}\in\mathbb{Z}_{p}$ , such that $\vec{\lambda}_{i}:=(\xi,\varsigma_{2},\ldots,\varsigma_{n_{d}})$ , where $(\varsigma_{2},\ldots,\varsigma_{n_{d}})\in_{R}\mathbb{Z}_{p}$ . It also picks randomly $(r_{1},r_{2},\ldots,r_{l_{d}})\in\mathbb{Z}_{p}$ and current time $t t$ , computes the followings:

$\displaystyle C_{0}=m\cdot\prod_{k\in{I^{d}_{\theta}}}e(g_{1},g_{2})^{\xi},$ (15) $\displaystyle C_{1}=g_{1}^{\xi},\pi=H_{x}(C_{1}),$ (16) $\displaystyle C_{2}=(\eta_{1}{\eta_{2}}^{\pi})^{\xi},$ (17) $\displaystyle C_{3,i}=\left\{g_{2}^{\lambda_{i}}(PK^{2}_{\rho_{d(i)}})^{-r_{i}% }\right\}_{i\in[l_{d}]},$ (18) $\displaystyle C_{4,i}=\left\{g_{1}^{r_{i}}\right\}_{i\in[l_{d}]},$ (19) $\displaystyle S_{1,i}=\left\{g_{1}^{e_{i}}\cdot(g_{1}^{s^{\prime}_{id}})^{c_{i% }}\right\}_{i\in[l_{s}]},$ (20) $\displaystyle H_{y}\left(\prod_{i\in[l_{s}]}S_{1,i},tt,\chi_{s},\chi_{d}\right% )=(j_{1},j_{2},\ldots,j_{l})\in\{0,1\}^{l},$ (21) $\displaystyle H_{z}(C_{0},C_{1},C_{2},\chi_{d},\chi_{s})=\sigma$ (22) $\displaystyle S_{2}=\prod_{k\in[I_{\theta}]}\breve{SK}^{s_{1}}_{\rho_{s}(k),id% }\left(\prod_{i\in[l_{s}]}\left(\breve{SK}^{s_{2}}_{\rho_{s}(i),id}h^{s_{id}+s% ^{\prime}_{id}}_{\rho_{s}(i)}\right)^{c_{i}}\left(PK^{2}_{\rho_{s}(i)}h_{\rho_% {s}(i)}\right)^{e_{i}}\right)$ (23) $\displaystyle\quad\left(a_{0}\prod_{i\in[l]}a^{j_{i}}_{i}\right)^{\xi}C_{2}^{\sigma}$
•
Finally, the cipher-text is

$\displaystyle CT_{\chi_{d}}:=[\chi_{e},C_{0},C_{1},\{C_{3,i},C_{4,i}\}_{i\in[l% _{d}]},\{S_{1,i}\}_{i\in[l_{s}]},S_{2},tt].$ (24)

Now, the data owner uploads the data file $\mathcal{D}:=(CT_{\chi_{d}},\chi_{s})$ to the cloud server.

Phase-7 De-signcryption $(\mathcal{PP},CT_{\chi_{d}},\chi_{s},SK_{id},\{SK^{d}_{\theta,id}\}_{\theta\in% \mathcal{KDC}})$ : If the cipher-text contains the signing predicate really then any party can verify the cipher-text and if a data user has privilege to access the encrypted data, the user can decrypt the original message $m$ . When a user intends to access the original message, the user can request from the cloud server. The public verifiability and user decryption process as follows.

•
Signature verification:

–
At first, the algorithm checks the current time $tt^{\prime}$ . If $|tt^{\prime}-tt|>tt_{T}$ (pre-define threshold time) or $\chi_{s}(A_{d})\neq 1$ , then the algorithm deny de-signcryption.
–
It chooses $(\nu_{2},\ldots,\nu_{n_{s}})\xleftarrow{R}\mathbb{Z}_{p}$ and computes $\omega_{i}:=(1,\nu_{2},\ldots,\nu_{n_{s}})\cdot M^{(i)}_{s}$ , where $i\in[l_{s}]$ .
–
It computes $H_{x}(C_{1})=\pi$ , $H_{y}\left(\prod_{i\in[l_{s}]}S_{1,i},tt,\chi_{s},\chi_{d}\right)=(j_{1},j_{2}% ,\ldots,j_{l})$ , and also $H_{z}(C_{0},C_{1},\linebreak C_{2},\chi_{d},\chi_{s})=\sigma$ .
–
Now validity of the cipher-text $CT_{\chi_{d}}$ can be checked

$\displaystyle\prod_{k\in I_{KDC}}\nabla_{k}\lx@stackrel{{\scriptstyle?}}{{=}}% \frac{e(S_{2},g_{1})}{\begin{array}[]{c}e\left(a_{0}\prod_{i\in[l]}a_{i}^{j_{i% }},C_{1}\right)\cdot e((\eta_{1}\eta_{2}^{\pi})^{\sigma},C_{1})\\ \cdot\prod_{i\in[l_{s}]}\left(e\left(PK^{2}_{\rho_{s}(i)}h_{\rho_{s}(i)}g_{2}^% {\omega_{i}N_{\theta}},S_{1,i}\right)\right)\\ \end{array}}.$ (25)
–
Here, $N_{\theta}=|I_{\textit{KDC}}|$ . Now, if it is invalid, return $\bot$ , otherwise, proceed for decryption.

•
Partial outsourced decryption:

–
As $\chi_{d}(A_{d})=1$ , compute a vector $c^{\prime}:=(c^{\prime}_{1},c^{\prime}_{2},\ldots,c^{\prime}_{l_{d}})\in% \mathbb{Z}^{l_{d}}_{p}$ such that $\vec{c^{\prime}}\cdot M_{d}=\vec{1}_{n_{d}}$ , that is, $\sum_{i\in[l_{d}]}c^{\prime}_{i}M^{(i)}_{d}=\vec{1}_{n_{d}}$ , and $c^{\prime}_{i}=0$ for all $i$ where $\rho_{d(i)}\notin A_{d}$ .
–
Recover $CT_{pd}$ from

$\displaystyle CT_{pd}=\frac{\prod_{k\in I_{\theta}}e\left(SK^{d_{1}}_{k,id},C_% {1}\right)}{\prod_{k\in I^{d}_{\theta}}\prod_{{i\in I_{\theta_{k}}}}\left[e% \left(g_{1}^{d_{id}},C_{3,i}PK^{2}_{\rho_{d}(i)}\right)\cdot e\left(C_{4,i},SK% ^{d_{2}}_{k,id}\right)\right]^{c^{\prime}_{i}N_{\theta}}}$ (26)

where $I_{\theta_{k}}=i:\rho_{d}(i)\in\theta_{k}$ . Finally it sends $\{C_{0},CT_{pd}\}$ to the requested user.

•
Full decryption:

–
At last, the valid user can retrieve the correct message as

$\displaystyle m=\frac{C_{0}}{(CT_{pd})^{z_{id}}}$ (27)

Phase-8 Attribute Revocation: When an attribute revoke from a user, the corresponding KDC need to update the attribute version key. Let an attribute $a$ revoke by $\textit{KDC}_{\theta}$ from a user, then it chooses a new version key $V^{\prime}_{a}\in\mathbb{Z}_{p}$ . As two different set of attributes user for encryption and signing, the revoked attribute may be belongs to either signing attribute or encryption attributes. The revocation process is as follows.

•
GenUpdateKey: $(PK_{id},SK_{\theta},CT_{\chi_{e}})\rightarrow(\{UK^{s}_{id,a^{\prime}},UK^{d}% _{id,a^{\prime}}\},\{UK^{s}_{CT},UK^{d}_{CT}\})$ . Corresponding KDC updates its own public attribute key $\bar{PK}^{2}_{\theta}=g_{1}^{V^{\prime}_{a}}$ and announces in public. It computes updated key for non-revoked user as

$\displaystyle\left\{UK^{s}_{id,a^{\prime}}=g_{1}^{s_{id}(V^{\prime}_{a}-V_{a})% },UK^{d}_{id,a^{\prime}}=g_{1}^{d_{id}(V^{\prime}_{a}-V_{a})}\right\}$ (28)

The $\textit{KDC}_{\theta}$ related to revoked attribute queries $C_{4,i}$ or $S_{1,i}$ cipher-text components (where $\rho_{d}(i)=a$ or $\rho_{s}(i)=a$ ) from the cipher-text. It generates update key for the cipher text as

$\displaystyle\left\{UK^{s}_{CT}=S_{1,i}^{(V^{\prime}_{a}-V_{a})}\text{ or }UK^% {d}_{CT}=C_{4,i}^{(V^{\prime}_{a}-V_{a})}\right\}$ (29)

$\textit{KDC}_{\theta}$ sends $\{UK^{s}_{id,a^{\prime}},UK^{d}_{id,a^{\prime}}\}$ to the non-revoked users to update user secret key and $\{UK^{s}_{CT},\linebreak UK^{d}_{CT}\}$ to the cloud server to update the cipher-text.
•
UpdateSecretKey: $(SK^{s_{2}}_{\theta,id},SK^{d_{2}}_{\theta,id})\rightarrow(\bar{SK}^{s_{2}}_{% \theta,id},\bar{SK}^{d_{2}}_{\theta,id})$ The non-revoked users update the signing secret key as

$\displaystyle\bar{SK}^{s_{2}}_{\theta,id}={SK}^{s_{2}}_{\theta,id}\cdot UK^{s}% _{id,a^{\prime}}$ (30)

Or update their encryption secret key as

$\displaystyle\bar{SK}^{d_{2}}_{\theta,id}={SK}^{d_{2}}_{\theta,id}\cdot UK^{d}% _{id,a^{\prime}}$ (31)
•
UpdateCiphertext: $(CT_{\chi_{d}},\{UK^{s}_{CT},UK^{d}_{CT}\})\rightarrow CT^{\prime}_{\chi_{d}}$ . If the signing attribute is revoked, the cloud server recalculates the cipher-text component as

$\displaystyle S^{\prime}_{2,i}=S_{2,i}\cdot UK^{s}_{CT}$ (32)

If the encryption attribute is revoked, the cloud server recalculates the cipher-text component as

$\displaystyle C^{\prime}_{4,i}=C_{4,i}\cdot UK^{d}_{CT_{i}}\cdot(\bar{PK}^{2}_% {\rho(i)})^{-r^{\prime}_{i}}$ (33)

where $r^{\prime}_{i}$ randomly chosen value by cloud server for the revoked attribute.

5.1 Correctness of the system

We are considering the whole de-signcryption process to check the system correctness. If $|\bar{tt}-tt|\leqslant tt_{Th}$ and $\chi_{d}(A_{d})=1$ , the data user can verify the cipher-text and recover the message correctly as explained subsequently. Here, $t t$ denotes the time fixed initially, $\bar{tt}$ denotes current time, and $tt_{Th}$ denotes threshold time.

We have $\sum_{i\in[l_{s}]}c_{i}\cdot\vec{M}^{(i)}_{s}=\vec{1}_{n_{s}}$ , $\sum_{i\in[l_{s}]}e_{i}\cdot\vec{M}^{(i)}_{s}=\vec{0}_{n_{s}}$ and $\sum_{i\in[l_{d}]}\acute{c}_{i}\cdot\vec{M}^{(i)}_{s}=\vec{1}_{n_{d}}$ in the de-signcryption process.

Considering the a component $S_{2}$ from Eq. (24), we can derive as

$\displaystyle S_{2}=\prod_{k\in[I_{\theta}]}\breve{SK}^{s_{1}}_{\rho_{s}(k),id% }\left(\prod_{i\in[l_{s}]}\left(\breve{SK}^{s_{2}}_{\rho_{s}(i),id}h^{s^{% \prime\prime}_{id}+s^{\prime}_{id}}_{\rho_{s}(i)}\right)^{c_{i}}\left(PK^{2}_{% \rho_{s}(i)}h_{\rho_{s}(i)}\right)^{e_{i}}\right)\left(a_{0}\prod_{i\in[l]}a^{% j_{i}}_{i}\right)^{\xi}C_{2}^{\sigma}=\prod_{k\in[I_{\theta}]}g_{1}^{\alpha_{k% }}g_{2}^{s^{\prime\prime}_{id}N_{\theta}}\left(\prod_{i\in[l_{s}]}\left(g_{1}^% {s^{\prime\prime}_{id}V_{\rho(i)}}h^{s^{\prime\prime}_{id}}_{\rho_{s}(i)}% \right)^{c_{i}}\left(g_{1}^{V_{\rho(i)}}h_{\rho_{s}(i)}\right)^{e_{i}}\right)% \left(a_{0}\prod_{i\in[l]}a^{j_{i}}_{i}\right)^{\xi}C_{2}^{\sigma}=\prod_{k\in% [I_{\theta}]}g_{1}^{\alpha_{k}}g_{2}^{s^{\prime\prime}_{id}N_{\theta}}\left(% \prod_{i\in[l_{s}]}\left(g_{1}^{s^{\prime\prime}_{id}V_{\rho(i)}}h^{s^{\prime% \prime}_{id}}_{\rho_{s}(i)}\right)^{c_{i}s^{\prime\prime}_{id}+e_{i}}\right)% \left(a_{0}\prod_{i\in[l]}a^{j_{i}}_{i}\right)^{\xi}(\eta_{1}{\eta_{2}}^{\pi})% ^{\sigma\xi}$

where $s^{\prime\prime}_{id}=s_{id}+s^{\prime}_{id}$ .

We can compute from cipher text component in Eq. (24)

$\displaystyle S_{1,i}=\left\{g_{1}^{e_{i}}\cdot(g_{1}^{s^{\prime}_{id}})^{c_{i% }}\right\}_{i\in[l_{s}]}=g_{1}^{c_{i}s^{\prime\prime}_{id}+e_{i}}.$ (34) $\displaystyle\sum_{i\in[l_{s}]}(c_{i}s^{\prime\prime}_{id}+e_{i})\cdot\omega_{% i}=\sum(s^{\prime\prime}_{id}\cdot c_{i}+e_{i})\cdot(1,\nu_{2},\ldots,\nu_{n_{% s}})\cdot M^{(i)}_{s}=(s^{\prime\prime}_{id},s^{\prime\prime}_{id}\nu_{2}% \ldots,s^{\prime\prime}_{id}\nu_{n_{s}})\cdot\sum_{i\in[l_{s}]}c_{i}\cdot M^{(% i)}_{s}+(1,\nu_{2},\ldots,\nu_{n_{s}})\cdot\sum_{i\in[l_{s}]}e_{i}\dot{M}^{(i)% }_{s}=(s^{\prime\prime}_{id},s^{\prime\prime}_{id}\nu_{2}\ldots,s^{\prime% \prime}_{id}\nu_{n_{s}})\cdot(1,0,\ldots,0)+(1,\nu_{2},\ldots,\nu_{n_{s}})% \cdot(0,0,\ldots 0)=s^{\prime\prime}_{id}$

Now, Eq. (25) is

$\displaystyle\frac{e(S_{2},g_{1})}{e\left(a_{0}\prod_{i\in[l]}a_{i}^{j_{i}},C_% {1}\right)\cdot e((\eta_{1}\eta_{2}^{\pi})^{\sigma},C_{1})\cdot\prod_{i\in[l_{% s}]}\left(e\left(PK^{2}_{\rho_{s}(i)}h_{\rho_{s}(i)}g_{2}^{\omega_{i}N_{\theta% }},S_{1,i}\right)\right)}=\frac{e\left(\prod_{k\in[I_{\theta}]}g_{1}^{\alpha_{% k}}g_{2}^{s^{\prime\prime}_{id}N_{\theta}}\left(\prod_{i\in[l_{s}]}\left(g_{1}% ^{s^{\prime\prime}_{id}V_{\rho(i)}}h^{s^{\prime\prime}_{id}}_{\rho_{s}(i)}% \right)^{c_{i}s^{\prime\prime}_{id}+e_{i}}\right)\left(a_{0}\prod_{i\in[l]}a^{% j_{i}}_{i}\right)^{\xi}(\eta_{1}{\eta_{2}}^{\pi})^{\sigma\xi},g_{1}\right)}{e% \left(a_{0}\prod_{i\in[l]}a_{i}^{j_{i}},g_{1}^{\xi}\right)\cdot e\left((\eta_{% 1}\eta_{2}^{\pi})^{\sigma},g_{1}^{\xi}\right)\cdot\prod_{i\in[l_{s}]}\left(g_{% 1}^{V_{\rho(i)}}h_{\rho_{s}(i)}g_{2}^{\omega_{i}N_{\theta}},g_{1}^{c_{i}s^{% \prime\prime}_{id}+e_{i}}\right)}=\frac{e\left(\prod_{k\in[I_{\theta}]}g_{1}^{% \alpha_{k}}g_{2}^{s^{\prime\prime}_{id}N_{\theta}},g_{1}\right)}{\left(e(g_{1}% ,g_{2})^{s^{\prime\prime}_{id}}\right)^{N_{\theta}}}=\prod_{k\in[I_{\theta}]}e% (g_{1},g_{1})^{\alpha_{k}}=\prod_{k\in I_{\theta}}\nabla_{k}$

To show the correctness of the decryption, we demonstrate as follows. For $\chi_{e}(A_{d})=1$ , implies

$\displaystyle\sum_{i\in[l_{d}]}c^{\prime}_{i}\cdot(\vec{\lambda}\cdot M^{(i)}_% {d})=\vec{\lambda}\cdot\sum_{i\in[l_{e}]}c^{\prime}_{i}\cdot M^{(i)}_{d}=\vec{% \lambda}\cdot\vec{1}_{n_{d}}=(\xi,\nu_{2},\ldots,\nu_{n_{s}})\cdot(1,0,\ldots 0% )=\xi$

The Eq. (26) can be derived as

$\displaystyle CT_{pd}=\frac{\prod_{k\in I_{\theta}}e\left(SK^{d_{1}}_{k,id},C_% {1}\right)}{\prod_{k\in I^{d}_{\textit{KDC}}}\prod_{{i\in I_{\theta_{k}}}}% \left[e\left(g_{1}^{d_{id}},C_{3,i}PK^{2}_{\rho_{d}(i)}\right)\cdot e\left(C_{% 4,i},SK^{d_{2}}_{k,id}\right)\right]^{c^{\prime}_{i}N_{\theta}}}=\frac{\prod_{% k\in I_{\theta}}e\left(g_{1}^{\frac{\alpha_{k}}{z_{id}}}g_{2}^{d_{id}},g_{1}^{% \xi}\right)}{\prod_{k\in I^{d}_{\textit{KDC}}}\prod_{{i\in I_{\theta_{k}}}}% \left[e\left(g_{1}^{d_{id}},g_{2}^{\lambda_{i}}g_{1}^{-r_{i}V_{\rho(i)}}\right% )\cdot e\left(g_{1}^{r_{i}},g_{1}^{V_{\rho(i)}}\right)\right]^{c^{\prime}_{i}N% _{\theta}}}=\frac{\prod_{k\in I_{\theta}}e\left(g_{1}^{\frac{\alpha_{k}}{z_{id% }}}g_{2}^{d_{id}},g_{1}^{\xi}\right)}{\prod_{k\in I^{d}_{\textit{KDC}}}\prod_{% {i\in I_{\theta_{k}}}}\left[e\left(g_{1}^{d_{id}},g_{2}^{\lambda_{i}}\right)% \right]^{c^{\prime}_{i}N_{\theta}}}=\frac{\prod_{k\in I_{\theta}}e\left(g_{1}^% {\frac{\alpha_{k}}{z_{id}}}g_{2}^{d_{id}},g_{1}^{\xi}\right)}{e(g_{1},g_{2})^{% d_{id}\xi N_{\theta}}}=\prod_{k\in I_{\theta}}e(g_{1},g_{1})^{\frac{\xi\cdot% \alpha_{k}}{z_{id}}}$

Therefore, the final message from Eq. (24),

$\displaystyle\frac{C_{0}}{(CT_{pd})^{z_{id}}}=\frac{m\cdot\prod_{k\in{I_{% \theta}}}e(g_{1},g_{2})^{\xi\cdot\alpha_{k}}}{\prod_{k\in I_{\theta}}e(g_{1},g% _{1})^{\frac{\xi\cdot\alpha_{k}\cdot{z_{id}}}{z_{id}}}\cdot}=m$

6. Security analysis

In this section, the security proof of the proposed scheme is being analysed. The involved security features of our scheme are message confidentiality, data owner privacy, cipher-text unforgeability, collision resistance, forward security, backward security, etc.

6.1 Message confidentiality

.

If the security of Rao’s [4] is secure than our proposed scheme is secured as we have the same security properties.

Proof..

If $\mathcal{A}$ can break our proposed our scheme, there will be an algorithm $\mathcal{B}$ . The q-BDHE problem with challenge instance $\epsilon$ is given to algorithm $\mathcal{B}$ . The Challenger $\mathcal{C}$ runs $1^{\lambda}\rightarrow(e,p,g_{1},g_{2},\mathbb{G},\mathbb{G}_{T})$ and choose a random bit $p$ .

Setup Phase $\mathcal{C}$ acquires $(\mathcal{PP})\leftarrow\textit{Setup}(1^{k})$ to generate public parameters $\mathcal{PP}=\{\mathbb{G},\mathbb{G}_{T},e,p,g_{1},g_{2},$ $H_{x},H_{y},H_{z},\eta_{1},\eta_{2},\{a_{0},a_{1},\ldots,a_{l}\},\{h_{a}\}_{a% \in\mathcal{U}}\}$ and then sends to $\mathcal{A}$ .

Query Phase 1 $\mathcal{A}$ requests adaptively queries on the succeeding oracles from the $\mathcal{C}$ .

•
Secretkey oracle $\mathcal{O}^{sk}(S^{\prime},\theta_{k},id)$ : $\mathcal{A}$ submits a set of attributes $S^{\prime}=A^{\prime}_{s}\bigcup A^{\prime}_{d}$ to the KDC $\theta_{k}$ for signing attributes and decryption attributes such that decryption attributes should not satisfy access structure $\chi^{\prime}_{d}$ combined with the key obtains from the corrupted KDC. $\mathcal{C}$ runs the SKGen in Eqs (13) and (14) as

$\displaystyle SK^{s}_{\theta,id}=\left\{SK^{s_{1}}_{\theta,id}=(PK^{1}_{\theta% ,id})^{\beta_{\theta}}=g_{1}^{\alpha_{\theta}}g_{2}^{s_{id}},\quad SK^{s_{2}}_% {\theta,id}=(g_{1}^{s_{id}})^{V_{a}}\right\}$ $\displaystyle SK^{d}_{\theta,id}=\left\{SK^{d_{1}}_{\theta,id}=(PK^{2}_{\theta% ,id})^{\gamma_{\theta}}=g_{1}^{\frac{\alpha_{\theta}}{z_{id}}}g_{2}^{d_{id}},% \quad SK^{d_{2}}_{\theta,id}=(g_{1}^{d_{id}})^{V_{a}}\right\}$

and return back to $\mathcal{A}$ .
•
Signcryption oracle $\mathcal{O}^{SC}(m,\chi_{s},\chi_{e}$ ): $\mathcal{A}$ uses a signing policy $\chi_{s}$ , a message $m\in M$ , and also encryption policy $\chi_{e}$ . $\mathcal{C}$ chooses a signing attribute set $A_{s}$ such that $\chi_{s}(A_{s})=1$ , computes the signing key $SK_{A_{s}}\leftarrow\textit{SKGen}(PP,A_{s})$ and sends the cipher text $CT_{\chi_{e}}\leftarrow\textit{Signcryption}(PK,\linebreak m,SK_{A_{s}},\chi_{% s},\chi_{e})$ to the adversary $\mathcal{A}$ .

The generated cipher-text in Eq. (24)

$\displaystyle CT^{(p)}_{\chi_{e}}:=\{\chi_{e},C_{0},C_{1},\{C_{3,i},C_{4,i}\}_% {i\in[l_{d}]},\{S_{1,i}\}_{i\in[l_{s}]},S_{2},tt.\}$
•
De-signcryption oracle $O^{DS}(CT_{\chi_{e}},A_{d},\chi_{s})$ : $\mathcal{A}$ puts a cipher-text $CT_{\chi_{e}}$ with a signing policy $\chi_{s}$ , and a decryption attribute set $A_{d}$ . Then, Challenger $\mathcal{C}$ generates the decryption key using $SK_{A_{d}}\leftarrow$ De-signcryption $(PK,MK,A_{d})$ and sends as the outcomes of De-signcryption $(PK,CT_{\chi_{e}},\chi_{s},SK_{A_{d}})$ to the adversary $\mathcal{A}$ .

$\mathcal{A}$ can be checked the validity of the cipher-text $CT_{\chi_{d}}$ using by Eq. (25)

$\displaystyle\prod_{k\in I_{KDC}}\nabla_{k}\lx@stackrel{{\scriptstyle?}}{{=}}% \frac{e(S_{2},g_{1})}{e\left(a_{0}\prod_{i\in[l]}a_{i}^{j_{i}},C_{1}\right)% \cdot e((\eta_{1}\eta_{2}^{\pi})^{\sigma},C_{1})\cdot\prod_{i\in[l_{s}]}\left(% e\left(PK^{2}_{\rho_{s}(i)}h_{\rho_{s}(i)}g_{2}^{\omega_{i}N_{\theta}},S_{1,i}% \right)\right)}$

and the decryption done through Eq. (26) as

$\displaystyle CT_{pd}=\frac{\prod_{k\in I_{\theta}}e(SK^{d_{1}}_{k,id},C_{1})}% {\prod_{k\in I^{d}_{\theta}}\prod_{{i\in I_{\theta_{k}}}}\left[e\left(g_{1}^{d% _{id}},C_{3,i}PK^{2}_{\rho_{d}(i)}\right)\cdot e\left(C_{4,i},SK^{d_{2}}_{k,id% }\right)\right]^{c^{\prime}_{i}N_{\theta}}}$

and using Eq. (27)

$\displaystyle m=\frac{C_{0}}{(CT_{pd})^{z_{id}}}$

Challenge Phase: Now, in this phase $\mathcal{A}$ selects $m^{}_{0},m^{}_{1}$ as two same length messages and $\chi^{}_{s}$ as a signing predicate. Then, $\mathcal{C}$ selects $A^{}_{s}$ as an attribute set for signing such that $\chi^{}_{s}(A^{}_{s})=1$ and generates $SK_{A^{}_{s}}\leftarrow\textit{Secretkey}(PK,SK_{A_{s}},A^{}_{s})$ , choices $i\leftarrow(0,1)$ . Challenger $\mathcal{C}$ returns challenge cipher-text $CT^{}_{\chi^{}_{s}}\leftarrow\textit{Signcryption}$ $(PK,m^{}_{i},SK_{A^{}_{s}},\chi^{}_{s},\chi^{}_{e})$ for $\mathcal{A}$ .

Query Phase 2 Adversary $\mathcal{A}$ can similarly makes more queries like Query Phase 1 except for the decryption attribute set $A_{d}$ such that $\chi^{}_{e}(A_{d})=1$ , the de-signcryption queries $\mathcal{O}^{DS}(CT^{}_{\chi_{e}},A_{d},\chi^{}_{s})$ .

Guess Phase Adversary $\mathcal{A}$ yields a guess bit $\acute{i}\in\{0,1\}$ and if $\acute{i}=i$ occurs, then $\mathcal{A}$ wins this game.

Finally, the advantage of $\mathcal{A}$ can be defined to be $\textit{Adv}^{\textit{IND-sEP-CCA2}}_{\mathcal{A}}:=|\textit{Prob}[\acute{i}=i% ]-\frac{1}{2}|$ from this game.

Therefore, the confidentiality of message is ensured in the proposed scheme. ∎
6.2 Signcrypted-text unforgeability

.

We say that the CP-ABSC scheme ${\prod}_{\textit{CP-ABSC}}$ is $(t,\textit{qSK},\textit{qSC},\textit{qDS},\epsilon)$ -EUF-sSP-CMA secure if for any PPT adversary $\mathcal{A}$ running in time at most $\mathfrak{T}$ that makes at most qSK as secret key queries, qSC as Signcryption queries and qDS as De-signcryption queries, then the advantage $\textit{Adv}^{\textit{EUF-sSP-CMA}}_{\mathcal{A}}$ of $\mathcal{A}$ in the security game is at most $\epsilon$ .

Proof..

In initial phase $\mathcal{C}$ specifies the space of attributes $\mathcal{U}$ . Then, $\mathcal{A}$ puts a signing policy ${\chi}^{\ast}_{s}$ over signing attributes which will be used later to forge a cipher-text.

In Setup phase $\mathcal{C}$ obtains $(\mathcal{PP})\leftarrow\textit{Setup}(1^{k})$ and sends the public parameters $\mathcal{PP}=\{\mathbb{G},\mathbb{G}_{T},e,p,g_{1},\linebreak g_{2},H_{x},H_{y% },H_{z},\eta_{1},\eta_{2},\{a_{0},a_{1},\ldots,a_{l}\},\{h_{a}\}_{a\in\mathcal% {U}}\}.$ to $\mathcal{A}$ .

Query Phase 1 $\mathcal{A}$ issues adaptively queries to the subsequent oracles from the Challenger $\mathcal{C}$ .

•
Secretkey oracle $\mathcal{O}^{sk}(S^{\prime},\theta_{k},id)$ : $\mathcal{A}$ submits a set of attributes $S^{\prime}=A^{\prime}_{s}\bigcup A^{\prime}_{d}$ to the KDC $\theta_{k}$ for signing attributes and decryption attributes such that decryption attributes should not satisfy access structure $\chi^{\prime}_{d}$ combined with the key obtains from the corrupted KDC. $\mathcal{C}$ runs the SKGen in Eqs (13) and (14) as

$\displaystyle SK^{s}_{\theta,id}=\left\{SK^{s_{1}}_{\theta,id}=(PK^{1}_{\theta% ,id})^{\beta_{\theta}}=g_{1}^{\alpha_{\theta}}g_{2}^{s_{id}},SK^{s_{2}}_{% \theta,id}=(g_{1}^{s_{id}})^{V_{a}}\right\}$ $\displaystyle SK^{d}_{\theta,id}=\left\{SK^{d_{1}}_{\theta,id}=(PK^{2}_{\theta% ,id})^{\gamma_{\theta}}=g_{1}^{\frac{\alpha_{\theta}}{z_{id}}}g_{2}^{d_{id}},% SK^{d_{2}}_{\theta,id}=(g_{1}^{d_{id}})^{V_{a}}\right\}$

and return back to $\mathcal{A}$ .
•
Signcryption oracle $\mathcal{O}^{SC}(m,\chi_{s},\chi_{e}$ ): A submits a message $m\in M$ , signing predicate $\chi_{s}$ and encryption predicate $\chi_{e}$ . $\mathcal{C}$ selects a signing attribute set $A_{s}$ such that $\chi_{s}(A_{s})=1$ , computes the signing key $SK_{A_{s}}\leftarrow\textit{SKGen}(PP,A_{s})$ and returns the cipher text $CT_{\chi_{e}}\leftarrow\textit{Signcryption}(PK,m,\linebreak SK_{A_{s}},\chi_{% s},\chi_{e})$ to $\mathcal{A}$ . The generated cipher-text

$\displaystyle CT^{(p)}_{\chi_{e}}:=\{\chi_{e},C_{0},C_{1},\{C_{3,i},C_{4,i}\}_% {i\in[l_{d}]},\{S_{1,i}\}_{i\in[l_{s}]},S_{2},tt.\}$
•
De-signcryption oracle $O^{DS}(CT_{\chi_{e}},A_{d},\chi_{s})$ : $\mathcal{A}$ submits a cipher-text $CT_{\chi_{e}}$ , a decryption attribute set $A_{d}$ and a signing predicate $\chi_{s}$ . Then, $\mathcal{C}$ computes the decryption key $SK_{A_{d}}\leftarrow$ De-signcryption $(PK,MK,A_{d})$ and returns the output of De-signcryption $(PK,CT_{\chi_{e}}$ , $\chi_{s},SK_{A_{d}})$ to $\mathcal{A}$ . The validity of the cipher-text $CT_{\chi_{d}}$ can be checked by Eq. (25)

$\displaystyle\prod_{k\in I_{\textit{KDC}}}\nabla_{k}\lx@stackrel{{\scriptstyle% ?}}{{=}}\frac{e(S_{2},g_{1})}{e\left(a_{0}\prod_{i\in[l]}a_{i}^{j_{i}},C_{1}% \right)\cdot e((\eta_{1}\eta_{2}^{\pi})^{\sigma},C_{1})\cdot\prod_{i\in[l_{s}]% }\left(e\left(PK^{2}_{\rho_{s}(i)}h_{\rho_{s}(i)}g_{2}^{\omega_{i}N_{\theta}},% S_{1,i}\right)\right)}$

and the decryption done through Eq. (26)

$\displaystyle CT_{pd}=\frac{\prod_{k\in I_{\theta}}e\left(SK^{d_{1}}_{k,id},C_% {1}\right)}{\prod_{k\in I^{d}_{\theta}}\prod_{{i\in I_{\theta_{k}}}}\left[e% \left(g_{1}^{d_{id}},C_{3,i}PK^{2}_{\rho_{d}(i)}\right)\cdot e\left(C_{4,i},SK% ^{d_{2}}_{k,id}\right)\right]^{c^{\prime}_{i}N_{\theta}}}$

and using Eq. (27)

$\displaystyle m=\frac{C_{0}}{(CT_{pd})^{z_{id}}}$

Forgery Phase For the selective signing structure $\chi^{}_{s}$ , Adversary $\mathcal{A}$ produces a forgery cipher-text $CT^{}_{\chi^{}_{e}}\mathcal{A}$ wins the game if De-signcryption $(PK,CT^{}_{\chi^{}_{e}},\chi^{}_{s},SK_{A^{}_{d}})=m^{}\neq\bot$ , where $\chi^{}_{e}(A^{}_{d})=1$ and using the tuple $(m^{},\chi^{}_{s},\chi^{*}_{e})$ , if $\mathcal{A}$ doed not queried to signcryption oracle.

The advantage $\textit{Adv}^{\textit{EUF-sSP-CMA}}_{\mathcal{A}}$ of $\mathcal{A}$ in this game is negligible. Therefore, an Adversary cannot forged any sign in our proposed scheme. ∎
6.3 Data owner privacy

.

Our scheme ensures the data owner’s privacy.

Proof..

A Challenger $\mathcal{C}$ sends $\mathcal{PP},PK_{\theta},PK_{\theta,id},SK_{\theta,id}$ to Adversary $\mathcal{A}$ . Then adversary $\mathcal{A}$ chooses to signing attribute sets $(A^{(1)}_{s},A^{(2)}_{s})$ such that $\chi_{s}(A^{(1)}_{s})=1=\chi_{s}(A^{(2)}_{s})$ . The Challenger $\mathcal{C}$ randomly chooses a bit $p\xleftarrow{R}\{1,0\}$ and generates the cipher-text by ${CT}^{(p)}_{\chi_{e}}\leftarrow\textit{Signcryption}(\mathcal{PP},m,SK_{A^{(p)% _{s}}},\chi_{s},\linebreak\chi_{e})$ using the Adversary’s secret keys for $SK^{1}_{A^{(p)_{s}}}$ and $SK^{2}_{A^{(p)_{s}}}$ . Challenger $\mathcal{C}$ signcrypt and make the cipher-text such a way for both secret keys of Adversary same cipher text

$\displaystyle CT^{(p)}_{\chi_{e}}:=\{\chi_{e},C_{0},C_{1},\{C_{3,i},C_{4,i}\}_% {i\in[l_{d}]},\{S_{1,i}\}_{i\in[l_{s}]},S_{2},tt.\}$

and ask to Adversary $\mathcal{A}$ to find which key is used. Therefore, Adversary $\mathcal{A}$ can randomly guess $p^{\prime}$ and the advantage is at most $\frac{1}{2}$ . Thus, data owner privacy exists in our proposed scheme. ∎

6.4 Collusion resistance

We consider two random elements $d_{id},s_{id}$ for each user which is taken by TCA and sends to each user as $g_{1}^{d_{id}},g^{s_{id}}_{1}$ , so it is difficult to learn or compute by a user or KDC. Except TCA other entities such as user, KDC, cloud server are blind about the random values of $d_{id},s_{id}$ . In addition, $d_{id},s_{id}$ tied with the signcryption and de-signcryption algorithm and users signing secret key and decryption secret key cannot be combined.

.

The proposed SBODAC is collusion resistant.

Proof..

It is guaranteed that any adversaries or cloud server with the other users combining their information cannot sign a message unauthorized way. If an adversary builds a forgery sign to break the proposed system, the adversaries are also able to break the q-PBDHE assumption mention in theorem 3.2. Therefore, the colluding users with the cloud server cannot sign any data as well as decrypt any ciphertext. ∎

6.5 Revocation security

In the proposed system, the revocation process has done based on the update of user secret keys and signcrypted text in both cases signature and encryption process. If any attribute revoked from a user, corresponding KDC center will take initiative to update of user secret keys as $\textit{dUK}_{x}=g^{d_{id}(V^{\prime}_{a}-V_{a})},\textit{sUK}_{x}=g^{s_{id}(V% ^{\prime}_{a}-V_{a})}$ and send to non-revoked users who are holding that attribute. All the user assigned two user secret values $d_{id},s_{id}$ at the time of registration by the TCA. The associative $\textit{KDC}_{\theta}$ with an attribute used a secret version key for each of the attributes, therefore a revoked user cannot retrieve any information even with the non-revoked users and corrupt KDC.

.

Our SBODAC scheme provides the backward and forward revocation security.

Proof..

Backward Security: As the attribute version key changed from the public key of KDC $\theta_{k}$ as well as the secret key of non-revoked users, the revoked user cannot update their secret key. This is because of the non-revoked user associated with the new version key of attribute $V^{\prime}_{a}$ . Now a revoked user cannot forgery the sign if there exists $i$ such that $\rho_{s}(i)=a$ . The revoke user only can generate signature component $S_{2}$ which is associated with old version key $V_{a}$ . However, the corresponding verify algorithm of forged user sign will now work as attribute public key updated into new version key $V^{\prime}_{a}$ .

Similarly, for decryption the required cipher-text also updated to $CT_{\textit{new}}$ where associated components are changed as $C_{2,i}=g_{2}^{\lambda_{i}}PK_{\rho e(i)}^{(r^{\prime}_{i}+r^{\prime\prime}_{i% })}$ and $C_{4,i}=g_{1}^{r^{\prime}_{i}+r^{\prime\prime}_{i}}$ . It is hard for the revoked user to cancel $\textit{cUK}_{i}$ and $g^{r^{\prime\prime}_{i}}$ since they are associated with the values $(V^{\prime}_{a},V_{a})$ which are secretly chosen by $\theta_{k}$ and $r^{\prime\prime}_{i}$ randomly picked by cloud server. Thus, the revoked cannot succeed to reverse back from $CT_{\textit{old}}$ to $CT_{\textit{new}}$ .

Forward Security: After attribute revocation cipher text is updated as $CT_{\textit{new}}$ where we have $C_{2,i}=g_{1}^{\lambda_{i}}PK_{\rho_{e}(i)}^{-}{r_{e}}$ for i such that $\rho_{e}(i)=a$ . No user cannot change their secret keys due to blindness of the old and new attribute version keys $V^{\prime}_{a},V_{a}$ which is chosen randomly by by corresponding $\theta_{k}$ . Another random element $r_{i}$ also used in the signcryption algorithm picked by cloud server.

The newly joined user easily sign the plain-text here as he gets updated version key-based secret key generated by the corresponding KDC $\theta_{k}$ . Thus, to satisfy the signing structure, the Verify algorithm holds the new user’s signing attributes. Similarly, for the decryption, the newly joined user already has update key using which he can decrypt if his attribute satisfies the decryption access structure. ∎

7. Performance analysis

We compare our proposed scheme with competent existence approaches under various features. The computation cost, communication cost, revocation cost are analysed and simulated.

7.1 Analysis of characteristics

Although many existing schemes on cloud data storage [4, 9, 5, 14, 16], only ABSC based schemes are analysed with the features like, multi-authority setup, collision resistance, large universe properties, confidentiality, privacy, attribute re-vocation, and computing outsourcing.

Table 4
Comparison on characteristics with our scheme

Supported features	Chen scheme [14]	Liu scheme [5]	Rao scheme [4]	Pandit scheme [9]	Deng scheme [16]	Ours scheme
Multi-authority setup	$\times$	$\times$	$\times$	$\times$	$\times$	$\checkmark$
Collusion resistance	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$
Large universe property	$\times$	$\times$	$\checkmark$	$\times$	$\times$	$\checkmark$
Signcryptor privacy	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$
Message confidentiality	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$
Public verifiability	$\times$	$\times$	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$
Attribute revocation	$\times$	$\times$	$\times$	$\times$	$\times$	$\checkmark$
Computation outsourcing	$\times$	$\times$	$\times$	$\times$	$\times$	$\checkmark$

In Table 4, the capability to succeed the corresponding index denoted by $\checkmark$ , and $\times$ represents the opposite meaning. From the Table 4, it is clear that almost all the schemes support message confidentiality, signer privacy, and collision resistance, etc. However, decentralization or multi-authority, attribute revocation, outsource decryption, etc. are not supported by those schemes. In our proposed scheme, we have enumerated all the above features together in a single scheme.

7.2 Computation and communication cost

Computation and communication cost are other necessary parameter due to limited resources. Necessary for a security scheme to compute the performance with respect to computation and communication cost due to limited computation resources. We numerically analysis the performance of our proposed scheme based on secret signing and decryption key size, signcryption and de-signcryption process from the user site. Another analysis, Revocation cost is calculated which is missing in other listed schemes. The list of notations used in this sub section is given Table 5.

Table 5
Notations for performance analysis

Notations	Meaning
$\|g\|/\|g_{T}\|/\|p\|$	Element size in $\mathbb{G}$ / $\mathbb{G}_{T}$ / $\mathbb{Z}_{p}$
$t_{p}/t_{e}$	Time for one pairing/exponential
$\omega_{s}$	Number of column in signing MSP matrix
$\phi_{e}(\phi_{s})$	Number of encryption(signing) attributes required in de-signcryption
$n_{s}(n_{d})$	Number of attributes in a user signing key (decryption key)

There are a number of schemes already existing for attribute-based signcryption. Transmission and communication cost need to be measured for each of the schemes for identifying the efficiency of the scheme. The consideration of ABSC scheme for outsourced cloud data access control required to satisfy some functionality which might not hold all the existing schemes, that can be possible to ensure form characteristic analysis and performance analysis. In this section, we analyze different parameters of existing attribute-based signcryption mechanism to evaluate the performance and compare with our proposed scheme.

Table 6

Storage overhead for secret key and cipher-text

Scheme	Size of secret key	Size of the cipher-text
Chen scheme [14]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(4+\phi_{e}+2\phi_{s})\|g\|$
Pandit scheme [9]	$(2\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(2\phi_{s}+2\phi_{e}+4)\|g\|$
Liu scheme [5]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$\|g_{T}\|+(\phi_{s}+n_{s}+\phi_{e}+5)\|g\|$
Rao scheme [4]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(\phi_{s}+\phi_{e}+4)\|g\|$
Deng scheme [16]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(\phi_{s}+\phi_{e}+4)\|g\|+2\phi_{e}\|p\|$
Our scheme	$(\|n_{s}\|+\|n_{e}\|+2)\|g\|$	$\|g_{T}\|+(\phi_{s}+\phi_{e})\|g\|+2\phi_{e}\|p\|$

Table 6 shows the storage overhead incurred by each user to store the user secret key. Similarly, the generated cipher-text which supposed to store in the cloud also calculated in this table. The computation of storage requirements is similar to the previous schemes.

In Table 7 we explained about computation cost of signcryption and de-signcryption algorithms for competent similar existing approaches. As the de-signcryption operation computed partially by outsourcing into the cloud, therefore this operation divided into two parts. The first part is outsourced de-signcryption and the second part is user de-signcryption. To compute the computation cost of signcryption and de-signcryption, we have considered the number of exponential operations and pairing operation used in the algorithm.

Table 7

Communication cost

Scheme	Signcryption cost		De-signcryption cost		User decryption (user side)
	Exponential	Pair	Exponential	Pair
Chen scheme [14]	$(4n_{s}+2n_{e}+5)$	1	$(2n_{s}+\phi_{e}+3)$	$(2n_{s}+2\phi_{e}+4)$	$(2+2n_{e})\|p\|+n_{e}\|g_{T}\|$
Pandit scheme [9]	$(4n_{s}+4n_{e}+7)$	2	$(2n_{s}+2\phi_{e}+5)$	$(2n_{s}+2\phi_{e}+6)$	$2n_{e}\|p\|+n_{e}\|g_{T}\|$
Liu scheme [5]	$(2n_{s}w_{s}+3n_{s}+2n_{e}+3)$	–	$(2n_{s}w_{s}+w_{s}\phi_{e})$	$(n_{s}w_{s}+w_{s}+2\phi_{e}+4)$	$2n_{e}\|p\|+n_{e}\|g_{T}\|$
Rao scheme [4]	$(4n_{s}+2n_{e}+6)$	–	$(n_{s}+2\phi_{e}+2)$	$(n_{s}+5)$	$2\|p\|+(4n_{e}+4n^{2}_{e})\|g_{T}\|$
Deng scheme [16]	$(4n_{s}+2n_{e}+6)$	–	$(n_{s}+2\phi_{e}+2)$	$(n_{s}+7)$	$\|g_{T}\|$
Our scheme	$(2n_{s}+3n_{e}+7)$	–	$(2n_{s}+2\phi_{e}+2)$	$(n_{s}+6)$	$\|g_{T}\|$

7.3 Revocation cost

To revoke an attribute, the KDC incurs storage overhead related to revoked attributes in our scheme. Associate KDC of revoked attribute changes the version key of the revoked attribute and generates the update key component for non-revoked user. Similarly, for the corresponding cipher-text components (such as if revoked attribute from the signature then signature component or if revoked attribute from the encryption component then encryption component) need to change associate KDC. The associated KDC generates update cipher text component for the cloud server. This process incurs very less storage overhead on the associated KDC, non-revoked signer user, non-revoked decryption user and cloud server.

7.4 Simulation

We simulated the proposed SBODAC scheme using Pairing-based Cryptography (PBC) library version 0.5.14 and GMP 5.1.6 linked with Charm tools [20]. The system is Ubuntu 16.04 LTS, 4GB RAM and 2.6 GHz processor clock speed. To consider an elliptic curve group, we used $y^{2}=x^{3}+x$ over a 512-bit finite field, which provides 160-bit type EC group. On the above set up shows that the computation time for an exponential operation in $\mathbb{G}$ is 0.7 ms and $\mathbb{G}_{T}=$ 0.2 ms. Similarly for the pairing above set up takes an operation time of 2.9 ms. We have shown a graphical comparison of our scheme with competent schemes based on 10 simulation trials value.

Figure 3.

Comparison of our scheme with competent schemes.

In Fig. 3 shows the graph representation of computation time for the two important operation that signcryption and de-signcryption. In the Fig. 3a shows that our proposed scheme perform well for the signcryption operation compare to the schemes in [14, 5, 9, 16]. However, our proposed scheme takes more computation cost compare to the scheme [4]. This is happened due to multi-authority setup and attribute revocation properties which are not available in [4].

In Fig. 3b shows our proposed scheme incurs very nominal cost due to use of computation outsourcing. Due to the properties of computation outsourcing, our scheme and [16] are providing same result whereas other schemes in [14, 5, 9] shown more computation cost.

8. Conclusion

In a third-party storage server providing privacy preserved outsourced data access control is a promising need for developing more trust on Cloud Computing. We proposed SBODAC scheme to securely outsourcing data in the cloud, where both owner privacy and data security are considered together. Anonymous user is able to authenticate themselves without disclosing their identity to store data in the cloud and also possible to control that data access among the authorized users. The proposed scheme provides data confidentiality, signer privacy, and public verification and attribute revocation together with a strong cryptographic guarantee. The proposed work is also able to apply with data owner privacy and security development in recent technologies like, frog computing, IoT security, grid computing, big data security, social network security etc. It will also be prominent to use under lightweight devices by the decryptor due to use of computation outsourcing in de-signcryption operation.

Footnotes

Author’s Bios

	Somen Debnath received Bachelor of Engineering degree from National Institute of Technology, Agartala, India and Master of Technology degree from Tripura University, India in Computer Science and Engineering. He received Ph.D. in Information Technology at North Eastern Hill University, Shillong, India. His research interests include Information Security, Cloud Computing, Distributed System. He is currently working as Assistant Professor in Information Technology Department of Mizoram University, India. He has published many articles in reputed International Journals and Proceedings.
	Bubu Bhuyan was born in India. He received his Master of Technology in Information Technology degree from Tezpur University, India. He also received his Ph.D. degree from Jadavpur University, India. Currently, he is working as an Associate Professor in the Department of Information Technology at North Eastern Hill University, Shillong, India. His research interests include Information Security, Cryptography and Cloud security. He has published many articles in reputed International Journals and Proceedings.
	Anish Kumar Saha received Bachelor of Engineering from National Institute of Technology, Agartala, India, Master of Technology Degree from Tripura University, India and Ph.D. in Computer Science and Engineering from National Institute of Technology Arunachal Pradesh, India. He is currently working as Assistant Professor in the department of Computer Science and Engineering in National Institute of Technology Silchar, India. His research interests in Networking and Quantum Computing. He has published many articles in reputed International Journals and Proceedings.

References

Ruj

Stojmenovic

and Nayak

, Decentralized access control with anonymous authentication of data stored in clouds, IEEE Transactions on Parallel and Distributed Systems 25(2) (2014), 384–394.

Debnath

and Bhuyan

, Efficient and scalable outsourced data access control with user revocation in cloud: a comprehensive study, Multiagent and Grid Systems 14(4) (2018), 383–401.

Debnath

Nunsanga

M.V.L.

and Bhuyan

, Study and scope of signcryption for cloud data access control, in: Advances in Computer, Communication and Control, Springer, 2019, pp. 113–126.

Rao

Y.S.

, A secure and efficient ciphertext-policy attribute-based signcryption for personal health records sharing in cloud computing, Future Generation Computer Systems 67 (2017), 133–151.

Liu

Huang

and Liu

J.K.

, Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption, Future Generation Computer Systems 52 (2015), 67–76.

Maji

H.K.

Prabhakaran

and Rosulek

, Attribute-based signatures, in: Cryptographers Track at the RSA Conference, Springer, 2011, pp. 376–392.

Lewko

and Waters

, Decentralizing attribute-based encryption, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2011, pp. 568–588.

Zheng

, Digital signcryption or how to achieve cost (signature & encryption) cost (signature)

+

cost (encryption), in: Annual International Cryptology Conference, Springer, 1997, pp. 165–179.

Pandit

Pandey

S.K.

and Barua

, Attribute-based signcryption: Signer privacy, strong unforgeability and ind-cca2 security in adaptive-predicates attack, in: International Conference on Provable Security, Springer, 2014, pp. 274–290.

10.

Wei

and Liu

, Traceable attribute-based signcryption, Security and Communication Networks 7(12) (2014), 2302–2317.

11.

Gagn’e

Narayan

and Safavi-Naini

, Threshold attribute-based signcryption, in: International Conference on Security and Cryptography for Networks, Springer, 2010, pp. 154–171.

12.

Emura

Miyaji

and Rahman

M.S.

, Dynamic attribute-based signcryption without random oracles, International Journal of Applied Cryptography 2(3) (2012), 199–211.

13.

Wang

and Huang

, Attribute-based signcryption with ciphertext-policy and claimpredicate mechanism, in: Computational Intelligence and Security (CIS), 2011 Seventh International Conference on, IEEE, 2011, pp. 905–909.

14.

Chen

Lim

H.W.

Zhang

and Feng

, Combined public-key schemes: the case of abe and abs, in: International Conference on Provable Security, Springer, 2012, pp. 53–69.

15.

Debnath

and Bhuyan

, Large universe attribute based encryption enabled secured data access control for cloud storage with computation outsourcing, Multiagent and Grid Systems 15(2) (2019), 99–119.

16.

Deng

Wang

Peng

Xiong

Geng

and Qin

, Ciphertext-policy attributebased signcryption with verifiable outsourced designcryption for sharing personal health records, IEEE Access 6 (2018), 39473–39486.

17.

Chase

, Multi-authority attribute based encryption, in: Theory of Cryptography Conference, Springer, Berlin, Heidelberg, 2007, pp. 515–534.

18.

Green

Hohenberger

and Waters

, Outsourcing the decryption of abe ciphertexts, in: USENIX Security Symposium, Vol. 3, August 2011, pp. 2011.

19.

Tan

Fan

Zhu

Xiao

and Cheng

, Secure data access control for fog computing based on multi-authority attribute-based signcryption with computation outsourcing and attribute revocation, Sensors 18(5) (2018), 1609.

20.

Akinyele

Garman

Miers

et al., Charm: a framework for rapidly prototyping cryptosystems, Journal of Cryptographic Engineering 3(2) (2013), 111–128.

Scheme	Size of secret key	Size of the cipher-text
Chen scheme [14]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(4+\phi_{e}+2\phi_{s})\|g\|$
Pandit scheme [9]	$(2\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(2\phi_{s}+2\phi_{e}+4)\|g\|$
Liu scheme [5]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$\|g_{T}\|+(\phi_{s}+n_{s}+\phi_{e}+5)\|g\|$
Rao scheme [4]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(\phi_{s}+\phi_{e}+4)\|g\|$
Deng scheme [16]	$(\|n_{s}\|+\|n_{e}\|+4)\|g\|$	$(\phi_{s}+\phi_{e}+4)\|g\|+2\phi_{e}\|p\|$
Our scheme	$(\|n_{s}\|+\|n_{e}\|+2)\|g\|$	$\|g_{T}\|+(\phi_{s}+\phi_{e})\|g\|+2\phi_{e}\|p\|$

Privacy preserved secured outsourced cloud data access control scheme with efficient multi-authority attribute based signcryption

Abstract

Keywords

1. Introduction

Table 1 Comparison on features of several existing ABSC scheme

3.1 Bilinear pairings

(Bilinear Pairings).

(q-PDBDHE).

(Access Structures [15]).

3.4 Linear secret-sharing scheme

(LSSS [15]).

3.5 Ciphertext Policy-Attribute Based Signcryption (CP-ABSC)

.

3.6.1 Data confidentiality

.

.

.

4.1 Scheme description

Table 3 Notations for our scheme description

6.1 Message confidentiality

.

Proof..

.

Proof..

.

Proof..

6.4 Collusion resistance

.

Proof..

6.5 Revocation security

.

Proof..

7. Performance analysis

7.1 Analysis of characteristics

Table 4 Comparison on characteristics with our scheme

Table 5 Notations for performance analysis

7.4 Simulation

Footnotes

Author’s Bios

References

Table 1
Comparison on features of several existing ABSC scheme

Table 3
Notations for our scheme description

Table 4
Comparison on characteristics with our scheme

Table 5
Notations for performance analysis