International Journal of Engineering Trends and Technology (IJETT) – Volume 12 Number 9 - Jun 2014
Concrete Attribute-Based Encryption Scheme
with Verifiable Outsourced Decryption
Charan1, K Dinesh Kumar2 , D Arun Kumar Reddy3
1
1,2,3
P.G Scholar, 2Assistant Professor, 3Associate Professor
CSE, Sir Vishveshwariah institute of science and technology, Madanapalle, India
Abstract:
As more sensitive data is shared and stored by third-party sites on the internet, there will be a need to encrypt data
stored at these sites. One drawback of encrypting data is that it can be selectively shared only at a coarse-grained level. Attribute
based encryption is a public-key-based one-to-many encryption that allows users to encrypt and decrypt data based on user
attributes. A promising application of ABE is flexible access control of encrypted data stored in the cloud using access policies
and ascribed attributes associated with private keys and ciphertexts. This functionality comes at a cost. In typical implementation,
the size of the ciphertext is proportional to the number of attributes associated with it and the decryption time is proportional to
the number of attributes used during decryption. Specially, many practical ABE implementations require one pairing operation
per attribute used during decryption. One of the main efficiency drawbacks of the existing ABE schemes is that decryption
involves expensive pairing operations and the number of such operations grows with the complexity of the access policy.
Recently green et al. proposed an ABE system with outsourced decryption that largely eliminates the decryption overhead for
users. tn such a system a user provides an untrusted server, say a cloud to translate any ABE ciphertext satisfied by that user’s
attributes or access policy into a simple ciphertext and it only incurs a small computational overhead for the users to recover the
plaintext from the transformed ciphertext. Security of an ABE system with outsourced decryption ensures that an adversary will
not be able to learn anything about the encrypted message; however it does not guarantee the correctness of the transformation
done by the cloud. In this paper we consider a new requirement of ABE with outsourced decryption: verifiability. Informally,
verifiability guarantees that a user can effectively check if the transformation is done correctly. We prove that our new scheme is
both secure and verifiable without relying on random oracles. Finally, we show an implementation scheme and result of
performance measurements, which indicates a significant reduction on computing resources imposed on users.
Keywords: Attribute-based encryption, outsourced decryption, verifiability.
I.
Introduction
There is a trend for sensitive user data to be
stored by third parties on the internet. For
example personal email, data and personal
preferences are stored on web portal sites such as
google and yahoo. The attack correlation center,
dshield.org, presents aggregated views of attacks
on the internet, but stores intrusion reports
individually submitted by users. Given the
variety, amount and the importance of
information stored at these sites, there is cause
for concern that personal data will be
compromised. In distributed settings with
untrusted servers, such as the cloud many
applications need mechanisms for complex
ISSN: 2231-5381
access control over encrypted data, sahai and
waters[1] addressed this issue by introducing the
notion of attribute based encryption. ABE is a
new public key based one-to-many encryption
that enables access control over encrypted data
using access policies and ascribed attributes
associated with private keys and cipher texts the
cryptosystem of sahai and waters allowed for
decryption when at least k attributes overlapped
between a ciphertext and a private key. While
this primitive was shown to be useful for errortolerant encryption with biometrics the lack of
expressebility seems to limit its applicability to
larger systems. There are two kinds of ABE
schemes: key-policy ABE(KP-ABE) [2]-[7] and
http://www.ijettjournal.org
Page 421
International Journal of Engineering Trends and Technology (IJETT) – Volume 12 Number 9 - Jun 2014
ciphertext-policy ABE (CP-ABE) [8], [9], [5],
[6]. In a CP-ABE scheme, every ciphertext is
associated with an access policy on attributes and
every user’s private key is associated with a set
of attributes. A user is able to decrypt a
ciphertext only if the set of attributes associated
with the user’s private key satisfies the access
policy associated with the ciphertext. In a KPABE scheme, the roles of an attribute set and an
access policy are swapped from what we
described for CP-ABE: attributes sets are used to
annotate the ciphertexts and access policies over
these attributes are associated with user’s private
keys. One of the main efficiency drawbacks of
the most existing ABE schemes is that
decryption is expensive for resource-limited
devices due to pairing operations and the number
of pairing operations required to decrypt a
ciphertext grows with the complexity of the
access policy. At the cost of security only proven
in a weak model there exist several expressive
ABE schemes[10], [11] where the decryption
algorithm only requires a constant number of
pairing computations. Green et al[12] proposed
a remedy to this problem by introducing the
notion of ABE with outsourced decryption,
which largely eliminates the decryption overhead
for users. Based on existing ABE schemes Green
et al [12] also presented concrete ABE schemes
with outsourced decryption. tn these schemes a
user provides an untrusted server, say a proxy
operated by a cloud service provider, with a
transformation key TK that allows the latter to
translate any ABE ciphertext CT satisfied by that
user’s attributes or access policy into a simple
ciphertext CT and it only incurs a small overhead
for the user to recover the plaintext form the
transformed ciphertext CT. the security property
of the ABE scheme with outsourced decryption
guarantees that an adversary be not able to learn
anything about the encrypted message; however
the scheme provides no guarantee on the
correctness of the transformation done by the
cloud server.
ISSN: 2231-5381
Fig: ABE system with outsourced decryption.
Consider a cloud based electronic medical
record system in which patients medical records
are protected using ABE schemes with
outsourced decryption and are stored in the
cloud. Inorder to efficiently access patients
medical records on her mobile phone a doctor
generates and delegates a transformation key to a
proxy in the cloud for outsourced decryption.
Given a transformed ciphertext from the
proxy, the doctor can read a patient’s medical
record by just performing a simple step of
computation. If no verification of the correctness
of the transformation is guaranteed, however the
system might run into the following two
problems: 1) for the purpose of saving
computing cost, the proxy could return a medical
record transformed previously for the same
doctor; 2) due to system malfunction or
malicious attack, the proxy could send the
medical record of another patient or a file of the
correct form but carrying wrong information.
The consequence of treating the patient based on
incorrect information could be very serious or
even catastrophic.
The above observation motivates us to study
ABE with verifiable outsourced decryption in
this paper.
Our contributions
In green et al. [12] provided the verifiability
of the cloud’s transformation and provided a
method to check the correctness of the
transformation. However the authors did not
formally define verifiability.
http://www.ijettjournal.org
Page 422
International Journal of Engineering Trends and Technology (IJETT) – Volume 12 Number 9 - Jun 2014
In this paper we first modify the original
model of ABE with outsourced decryption in
[12] to allow for verifiability of the
transformations. After describing the formal
definition of verifiability, we propose a new
ABE model and based on this new model
construct a concrete ABE scheme with verifiable
outsourced decryption. Our scheme does not rely
on random oracles
access policy the user will recover the message.
If not he cannot it
The rest of the paper we only focus on CP-ABE
with verifiable outsourced decryption. The same
approach applies to KP-ABE with verifiable
outsourced decryption which will omit here in
order to keep the paper compact.
In the subsection we review some closely
related works including non interactive verifiable
computation, pairing delegation and proxy
reencryption.
To access the performance of our ABE scheme
with verifiability outsourced decryption we
implement the CP-ABE scheme with verifiable
outsourced decryption and conduct experiments
on both an ARM-based mobile device and Intelcore personal computer to model a mobile user
and a proxy respectively.
Literature Survey
In cloud environments if a data owner wants
to share data with users he will encrypt data and
then upload to cloud storage service. Through
the encryption the cloud cannot know the
information of the encrypted data. Besides to
avoid the unauthorized user accessing the
encrypted data in the cloud, a data owner uses
encryption scheme for access control of
encrypted data. In existing schemes many
encryption schemes can achieve and provide
security assure data confidentiality and prevent
collusion attack scheme. One of the attributebased encryption scheme. according to the access
policy two types of these schemes can be
classified the key-policy and ciphertext-policy
attribute-based encryption schemes. The keypolicy attribute-based encryption scheme is that
the access policy is attached to the user’s private
key and a set of descriptive attributes is in the
encrypted data. If a set of attributes satisfies the
ISSN: 2231-5381
The
ciphertext-policy
attribute-based
scheme is that the access policy is associated to
the encrypted data, and a set of descriptive
attributes is in the user’s private key. If a set
attribute satisfies the access policy, the user can
decipher the encrypted data.
Non-interactive Verifiable Computation: Noninteractive verifiable computation[19], [20]
enables a computationally weak client to
outsource the computation of a function to one or
more workers. The workers return the result of
the function evaluation as well as a noninteractive proof that the computation of the
function was carried out correctly. Since these
schemes [19], [20] deal with outsourcing of
general computation problems and preserve the
privacy of input data, they can be used to
outsource decryption in ABE systems. However
the schemes proposed in [19], [20] use Gentry’s
fully homomorphic encryption system[21] as a
building block, thus the overhead in these
schemes is currently too large to be practical
[22]. Parno et al. [23] establish an important
connection between verifiable computation and
ABE. They show how to construct a verifiable
computation scheme with public delegation and
public verifiability from any ABE scheme and
how to construct a multifunction verifiable
computation scheme form the ABE scheme with
outsourced decryption presented in [12].
Goldwasser et al. [24] propose a succinct
functional encryption scheme, one can obtain a
delegation scheme with is both publicly
verifiable and secret, in the sense that the prover
does not learn anything about input or output of
the function being delegated. All these schemes
[19], [20], [23], [24] focus on delegating general
http://www.ijettjournal.org
Page 423
International Journal of Engineering Trends and Technology (IJETT) – Volume 12 Number 9 - Jun 2014
functions and are not sufficiently efficient for the
problem at hand.
of attributes S. it chooses a random
value z€ Z*P. Then
it sets the
transformation key as TKS= (S, K’=K1/z,
K’0= K01/z, K’i=Ki1/z) and the retrieving
key as RKS=z. note that with
overwhelming probability z has
multiplicative inverse.
Pairing Delegation: pairing delegation [25], [26]
enables a client to outsource the computation of
pairings to another entity. However the schemes
proposed in [25], [26] still require the client to
compute multiple exponentiations in the target
group for every pairing it outsources.
Most importantly when using pairing
delegation in the decryption of ABE ciphertexts
the amount of computation of the client is still
proportional to the size of the access policy.
Tsang et al. [27] consider batch pairing
delegation. However the scheme proposed in
[27] can only handle batch delegation for
pairings in which one of the points is a constant
and it still requires the client to compute a
pairing.
Proxy Reencryption: in ABE with outsourced
decryption a user provides the cloud with a
transformation key that allows the cloud to
translate an ABE ciphertext on message m into a
simple ciphertext on the same m, without
learning anything about m. this is reminiscent
allows a proxy using a reencryption key to
transform an encryption of m. we emphasize that
in the model of proxy reencryption, verifiability
of the proxy’s transformation cannot be
achieved.
Proposed CP-ABE scheme
outsourced Decryption
with verifiable
For the national purposes in the below we
denote the above CP-ABE scheme as Basic CPABE. Based on Basic CP-ABE we present a CPABE scheme with verifiable outsourced
decryption. The Setup, KeyGen, Encrypt and
Decrypt algorithms operate exactly as in Basic
CP-ABE. We describe the Reencryption
algorithms:

GenTKout(PK, SKS) this algorithm takes
as input the public parameters PK and a
private key SKS= (S,K, K0, Ki) for a set
ISSN: 2231-5381

Tranformout(PK, CT, TKS) This
algorithm takes as input parameters PK,
a ciphertext CT=(A= (A, ρ), C, C1, C1’,
C1,I D1,I, C2, C2’, C2,I, D2,i) for an access
structure A=(A,ρ), and a transformation
key TKS= (S, K’, K’0, Ki’) for a set of
attributes S. it then computes:
T1’=
e(C1’, K’)
(Πi€I(e(C1,I, K0’). E(K’ρ(i), D1, i))wi)
=
e(g,g)αs/z e(g,g)ats/z
(Πi€I e(g,g)atAi.v.wi/z)
= e(g,g)αs/z,
T2’=
e(C2’, K’)
(Πi€I(e(C2,I, K0’). e(K’ρ(i), D2, i))wi)
=
e(g,g)αs’/z e(g,g)ats’/z
(Πi€I e(g,g)atAi.v’.wi/z)
= e(g,g)αs’/z,
and outputs the transformed ciphertext as CT’=(T^=
C^, T1= C1, T1’, T2= C2, T2’).

Decryptout(PK, CT, CT’, RKS) this algorithm
takes as input the public parameters PK, a
ciphertext CT= (A=(A,ρ), C^, C1, C1’, C1,I,
D1,I, C2, C2’, C2,I, D2,i), a transformed
ciphertext CT’=(T, T1, T1’, T2, T2’) and a
retrieving key RKS=z for a set of attributes
S. If T^≠C^ or T1≠C1 or T2≠C2 it outputs┴.
Then it computes M= T1/T1’z and M=
T2/T2’z. if T^=uH(M)vH(M)d, it outputs the
message M; otherwise it outputs ┴.
http://www.ijettjournal.org
Page 424
International Journal of Engineering Trends and Technology (IJETT) – Volume 12 Number 9 - Jun 2014
Security Model for CP-ABE:
Setup: The challenger runs the Setup algorithm and
gives the public parameters, PK to the adversary.
generation algorithm requires two exponentiations for
every attribute given to the user, and the private key
consists of two group elements for every attribute.
Performance Measurements:
Phase 1:The adversary makes repeated private keys
corresponding to sets of attributes S1,…..,Sq1.
Challenge: The adversary submits two equal length
messages M0 and M1. In addition the adversary gives
a challenge access structure A* such that none of the
sets S1,…..,Sq1 from phase 1 satisfy the access
structure. The challenger flips a random coin b, and
encrypts Mb under A*. the ciphertext CT* is given to
the adversary.
Phase 2: phase 1 is repeated with the restriction that
none of sets of attributes Sq1+1,……,Sq satisfy the
access structure corresponding to the challenge.
Guess: the adversary outputs a guess b1 of b.
The advantage of an adversary A in this
game is defined as Pr[b1=b]-1/2. We note that the
model can easily be extended to handle chosenciphertext attacks by allowing for decryption queries
in Phase 1 and Phase 2.
Security intuition: As in previous attribute-based
encryption schemes the main challenge in designing
our scheme was to prevent against attacks from
colluding users. Like the scheme of Sahai and Waters
[24] our solution randomizes users private keys such
that they cannot be combined; however in our
solution the secret sharing must be embedded into the
ciphertext instead to the private keys. Inorder to
decrypt an attacker clearly must recover e(g,g)αs.
Inorder to do this the attacker must pair C from the
ciphertext with the D component from some user’s
private key. This will reduced in the desired value
e(g,g)αs, but blinded by some value e(g,g)rs.
Efficiency: The efficiencies of the key generation
and encryption algorithms are both fairly
straightforward. The encryption algorithm will
require two exponentiations for each leaf in the
ciphertext’s access tree. The ciphertext size will
include two group elements for each leaf. The key
ISSN: 2231-5381
We now provide some information on the
performance achieved by cpabe toolkit. As expected
cpabe-keygen runs in time precisely linear in the
number of attributes associated with the key it is
issuing. The running time of cpabe-enc is also almost
perfectly linear with respect to the number of leaf
nodes in the access policy. The performance of
cpabe-dec is somewhat more interesting. It is slightly
more difficult to measure in the absence of a precise
application, since the decryption time can depend
significantly on the particular access trees and set of
attributes involved.
In summary cpabe-keygen and cpabe-enc
run in a predictable amount of time based on the
number of attributes in a key or leaves in a policy
tree.
Conclusion:
In this paper we considered a new
requirement of ABE with outsourced decryption:
efficiency, verifiability. We proposed Concrete ABE
scheme with verifiable outsourced decryption and
proved it is secure and verifiable. As scheme
substantially reduced the computation time required
for resource limited devices to recover plaintexts.
REFERENCES
[1] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in
Proc. EUROCRYPT, 2005, pp. 457–473.
[2] V.Goyal, O. Pandey,A. Sahai, and B.Waters, “Attribute-based
encryption for fine-grained access control of encrypted data,” in
Proc. ACM Conf. Computer and Communications Security, 2006,
pp. 89–98.
[3] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based
encryption with non-monotonic access structures,” in Proc. ACM
Conf. Computer
and Communications Security, 2007, pp. 195–203.
[4] B. Waters, “Ciphertext-policy attribute-based encryption: An
expressive, efficient, and provably secure realization,” in Proc.
Public Key Cryptography, 2011, pp. 53–70.
[5] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B.
Waters, “Fully secure functional encryption: Attribute-based
encryption and (hierarchical) inner product encryption,” in Proc.
EUROCRYPT, 2010, pp. 62–91.
http://www.ijettjournal.org
Page 425
International Journal of Engineering Trends and Technology (IJETT) – Volume 12 Number 9 - Jun 2014
[6] T. Okamoto and K. Takashima, “Fully secure functional
encryption with general relations from the decisional linear
assumption,” in Proc. CRYPTO, 2010, pp. 191–208.
[7] A. B. Lewko and B. Waters, “Unbounded HIBE and attributebased encryption,” in Proc. EUROCRYPT, 2011, pp. 547–567.
[8] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy
attributebased encryption,” in Proc. IEEE Symp. Security and
Privacy, 2007, pp. 321–334.
[9] L. Cheung and C. C. Newport, “Provably secure ciphertext
policy ABE,” in Proc. ACM Conf. Computer and Communications
Security, 2007, pp. 456–465.
[10] N. Attrapadung, J. Herranz, F. Laguillaumie, B. Libert, E. de
Panafieu, and C. Ràfols, “Attribute-based encryption schemes with
constant-size ciphertexts,” Theor. Comput. Sci., vol. 422, pp. 15–
38, 2012.
[11] S. Hohenberger and B. Waters, “Attribute-based encryption
with fast decryption,” in Proc. Public Key Cryptography, 2013, pp.
162–179.
[12] M. Green, S. Hohenberger, and B.Waters, “Outsourcing the
decryption of ABE ciphertexts,” in Proc. USENIX Security Symp.,
San Francisco, CA, USA, 2011.
[13] M. Bellare and P. Rogaway, “Random oracles are practical: A
paradigm for designing efficient protocols,” in Proc. ACM Conf.
Computer and Communications Security, 1993, pp. 62–73.
[14] R. Canetti, O. Goldreich, and S. Halevi, “The random oracle
methodology, revisited (preliminary version),” in Proc. STOC,
1998, pp. 209–218.
[15] J. B. Nielsen, “Separating random oracle proofs from
complexity theoretic proofs: The non-committing encryption
case,” in Proc. CRYPTO, 2002, pp. 111–126.
[16] S. Goldwasser and Y. T. Kalai, “On the (in)security of the
fiat-shamir paradigm,” in Proc. FOCS, 2003, pp. 102–113.
[17] M. Bellare, A. Boldyreva, and A. Palacio, “An uninstantiable
randomoracle- model scheme for a hybrid-encryption problem,” in
Proc. EUROCRYPT,
2004, pp. 171–188.
[18] M. Green, A. Akinyele, and M. Rushanan, Libfenc: The
Functional Encryption Library.
[19] R. Gennaro, C. Gentry, and B. Parno, “Non-interactive
verifiable computing: Outsourcing computation to untrusted
workers,” in Proc. CRYPTO, 2010, pp. 465–482.
[20] K.-M. Chung, Y. T. Kalai, and S. P. Vadhan, “Improved
delegation of computation using fully homomorphic encryption,”
in Proc. CRYPTO, 2010, pp. 483–501.
[21] C. Gentry, “Fully homomorphic encryption using ideal
lattices,” in Proc. STOC, 2009, pp. 169–178.
[22] C. Gentry and S. Halevi, “Implementing gentry’s fullyhomomorphic encryption scheme,” in Proc. EUROCRYPT, 2011,
pp. 129–148.
[23] B. Parno, M. Raykova, and V. Vaikuntanathan, “How to
delegate and verify in public: Verifiable computation from
attribute-based encryption,” in Proc. TCC, 2012, pp. 422–439.
[24] S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan,
and N. Zeldovich, “Succinct functional encryption and
applications: Reusable garbled circuits and beyond,” IACR
Cryptology ePrint Archive, vol. 2012, p. 733, 2012.
[25] B. Chevallier-Mames, J.-S. Coron, N. McCullagh, D.
Naccache, and M. Scott, “Secure delegation of elliptic-curve
pairing,” in Proc.CARDIS, 2010, pp. 24–35.
[26] B. G. Kang, M. S. Lee, and J. H. Park, “Efficient delegation of
pairing computation,” IACR Cryptology ePrint Archive, vol. 2005,
p. 259, 2005.
[27] P. P. Tsang, S. S. M. Chow, and S. W. Smith, “Batch pairing
delegation,” in Proc. IWSEC, 2007, pp. 74–90.
[28] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols
and atomic proxy cryptography,” in Proc. EUROCRYPT, 1998, pp.
127–144.
ISSN: 2231-5381
[29] G. Ateniese, K. Fu, M. Green, and S. Hohenberger,
“Improved proxy re-encryption schemes with applications to
secure distributed storage,”in Proc. NDSS, San Diego, CA, USA,
2005.
[30] A. Beimel, “Secure Schemes for Secret Sharing and Key
Distribution,” Ph.D. dissertation, Israel Inst. of Technology,
Technion City, Haifa, Israel, 1996.
[31] A. B. Lewko and B. Waters, “Decentralizing attribute-based
encryption,” in Proc. EUROCRYPT, 2011, pp. 568–588.
[32] R. Canetti, H. Krawczyk, and J. B. Nielsen, “Relaxing
chosen-ciphertext security,” in Proc. CRYPTO, 2003, pp. 565–582.
[33] T. Okamoto and K. Takashima, “Fully secure unbounded
inner-product and attribute-based encryption,” in Proc.
ASIACRYPT, 2012, pp. 349–366.
[34] B. Lynn, The Stanford Pairing Based Crypto Library.
[35] S. Chatterjee and A.Menezes, “On cryptographic protocols
employing asymmetric pairings—The role of revisited,”Discrete
Appl.Math., vol. 159, no. 13, pp. 1311–1322, 2011.
[36] S. D. Galbraith,K.G. Paterson, and N. P. Smart, “Pairings for
cryptographers,” Discrete Appl. Math., vol. 156, no. 16, pp. 3113–
3121, 2008.
[37] N. P. Smart and F. Vercauteren, “On computable
isomorphisms in efficient asymmetric pairing-based systems,”
Discrete Appl. Math., vol. 155, no. 4, pp. 538–547, 2007.
Charan kumar is an P.G scholor in the
Department of Computer science & engineering,
Sir Vishveshwariah Institute of Science and
Technology, Madanapalli.
K. Dinesh Kumar is an assistant professor in the
Department of Computer science & engineering,
Sir Vishveshwariah Institute of Science and
Technology, Madanapalli.
D. Arun Kumar Reddy is an assistant professor in
the Department of Computer science &
engineering, Sir Vishveshwariah Institute of
Science and Technology, Madanapalli.
http://www.ijettjournal.org
Page 426