ieee transactions on parallel and distributed systems vol no: 1 2015 circuit ......

Circuit Ciphertext-policy Attribute-basedHybrid Encryption with Verifiable Delegation in

Cloud ComputingJie Xu, Qiaoyan Wen, Wenmin Li and Zhengping Jin

Abstract—In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-basedencryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask ofthe decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegationemerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, during the delegation,the cloud servers could tamper or replace the delegated ciphertext and respond a forged computing result with malicious intent.They may also cheat the eligible users by responding them that they are ineligible for the purpose of cost saving. Furthermore,during the encryption, the access policies may not be flexible enough as well.Since policy for general circuits enables to achieve the strongest form of access control, a construction for realizing circuitciphertext-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system,combined with verifiable computation and encrypt-then-mac mechanism, the data confidentiality, the fine-grained access controland the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achievessecurity against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption. Moreover, an extensivesimulation campaign confirms the feasibility and efficiency of the proposed solution.

Index Terms—Ciphertext-policy attribute-based encryption, Circuits, Verifiable delegation, Multilinear map, Hybrid encryption.

F

1 INTRODUCTION

THE emergence of cloud computing brings a rev-olutionary innovation to the management of the

data resources. Within this computing environments,the cloud servers can offer various data services, suchas remote data storage [1] and outsourced delega-tion computation [2], [3], etc. For data storage, theservers store a large amount of shared data, whichcould be accessed by authorized users. For delegationcomputation, the servers could be used to handleand calculate numerous data according to the user’sdemands. As applications move to cloud computingplatforms, ciphertext-policy attribute-based encryp-tion (CP-ABE) [4], [5] and verifiable delegation (VD)[6], [7] are used to ensure the data confidentialityand the verifiability of delegation on dishonest cloudservers.

Taking medical data sharing as an example (see Fig.1), with the increasing volumes of medical imagesand medical records, the healthcare organizations puta large amount of data in the cloud for reducingdata storage costs and supporting medical cooper-ation. Since the cloud server may not be credible,the file cryptographic storage is an effective method

• J. Xu, Q. Wen, W. Li and Z. Jin are with the State Key Laboratoryof Networking and Switching Technology, Beijing University of Postsand Telecommunications, Beijing, 100876, China.E-mail: [email protected]

to prevent private data from being stolen or tam-pered. In the meantime, they may need to share datawith the person who satisfies some requirements. Therequirements, i.e, access policy, could be {MedicalAssociation Membership ∧ (Attending Doctor ∨ ChiefDoctor) ∧ Orthopedics}. To make such data sharing beachievable, attribute-based encryption is applicable.

Fig. 1. Medical data sharing system

There are two complementary forms of attribute-based encryption. One is key-policy attribute-basedencryption (KP-ABE) [8], [9], [10], and the otheris ciphertext-policy attribute-based encryption (CP-ABE). In a KP-ABE system, the decision of accesspolicy is made by the key distributor instead ofthe encipherer, which limits the practicability andusability for the system in practical applications. On

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS VOL NO: 1 2015

the contrary, in a CP-ABE system, each ciphertext isassociated with an access structure, and each privatekey is labeled with a set of descriptive attributes. Auser is able to decrypt a ciphertext if the key’s at-tribute set satisfies the access structure associated witha ciphertext. Apparently, this system is conceptuallycloser to traditional access control methods. On theother hand, in a ABE system, the access policy forgeneral circuits could be regarded as the strongestform of the policy expression that circuits can expressany program of fixed running time.

Delegation computing is another main service pro-vided by the cloud servers. In the above scenario, thehealthcare organizations store data files in the cloudby using CP-ABE under certain access policies. Theusers, who want to access the data files, choose notto handle the complex process of decryption locallydue to limited resources. Instead, they are most likelyto outsource part of the decryption process to thecloud server. While the untrusted cloud servers whocan translate the original ciphertext into a simpleone could learn nothing about the plaintext from thedelegation.

The work of delegation is promising but inevitablysuffers from two problems. a) The cloud server mighttamper or replace the data owner’s original ciphertextfor malicious attacks, and then respond a false trans-formed ciphertext. b) The cloud server might cheat theauthorized user for cost saving. Though the serverscould not respond a correct transformed ciphertext toan unauthorized user, he could cheat an authorizedone that he/she is not eligible.

Further, during the deployments of the storage anddelegation services, the main requirements of thisresearch are presented as follows.

1) Confidentiality (indistinguishability under selec-tive chosen plaintext attacks (IND-CPA)). With thestorage service provided by the cloud server, theoutsourced data should not be leaked even if malwareor hackers infiltrate the server. Besides, the unautho-rized users without enough attributes to satisfy theaccess policy could not access the plaintext of thedata. Furthermore, the unauthorized access from theuntrusted server who obtains an extra transformationkey should be prevented.

2) Verifiability. During the delegation computing, auser could validate whether the cloud server respondsa correct transformed ciphertext to help him/her de-crypt the ciphertext immediately and correctly. Name-ly, the cloud server could not respond a false trans-formed ciphertext or cheat the authorized user thathe/she is unauthorized.

Thus, in this paper, we will attempt to refine thedefinition of CP-ABE with verifiable delegation in thecloud to consider the data confidentiality, the fine-grained data access control and the verifiability of thedelegation. The related security definition and IND-CPA security game used in the proof are presented in

section 3.2 to depict the above attacks of the adver-saries.

1.1 Related WorkAttribute-based encryption. Sahai and Waters [11] pro-posed the notion of attribute-based encryption (ABE).In subsequent works [8], [12], they focused on policiesacross multiple authorities and the issue of what ex-pressions they could achieve. Up until recently, Sahaiand Waters [9] raised a construction for realizing KP-ABE for general circuits. Prior to this method, thestrongest form of expression is boolean formulas inABE systems, which is still a far cry from being able toexpress access control in the form of any program orcircuit. Actually, there still remain two problems. Thefirst one is their have no construction for realizing CP-ABE for general circuits, which is conceptually closerto traditional access control. The other is related tothe efficiency, since the exiting circuit ABE scheme isjust a bit encryption one. Thus, it is apparently stillremains a pivotal open problem to design an efficientcircuit CP-ABE scheme.

Hybrid encryption. Cramer and Shoup [13], [14] pro-posed the generic KEM/DEM construction for hybridencryption which can encrypt messages of arbitrarylength. Based on their ingenious work, a one-timeMAC were combined with symmetric encryption todevelop the KEM/DEM model for hybrid encryption[15], [16], [17]. Such improved model has the advan-tage of achieving higher security requirements.

ABE with Verifiable Delegation. Since the introductionof ABE, there have been advances in multiple di-rections. The application of outsourcing computation[18], [19] is one of an important direction. Green et al.[2] designed the first ABE with outsourced decryptionscheme to reduce the computation cost during decryp-tion. After that, Lai et al. [3] proposed the definition ofABE with verifiable outsourced decryption. They seekto guarantee the correctness of the original ciphertextby using a commitment. However, since the dataowner generates a commitment without any secretvalue about his identity, the untrusted server canthen forge a commitment for a message he chooses.Thus the ciphertext relating to the message is atrisk of being tampered. Further more, just modifythe commitments for the ciphertext relating to themessage is not enough. The cloud server can deceivethe user with proper permissions by responding theterminator ⊥ to cheat that he/she is not allowed toaccess to the data.

1.2 Our ContributionPrompted by the requirements in the cloud, we mod-ify the model of CP-ABE with verifiable delegationand present a concrete construction to realize circuitsciphertext-policy based hybrid encryption with veri-fiable delegation (VD-CPABE).


XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud computing 3

To keep data private and achieve fine grain ac-cess control, our starting point is a circuit key-policyattribute-based encryption proposed by Sahai andWaters [9]. We give the anti-collusion circuit CP-ABEconstruction in this paper for the reason that CP-ABE is conceptually closer to the traditional accesscontrol methods. For the main efficiency drawbacksof ABE, previous constructions provided an agilemethod to outsource the most overhead of decryptionto the cloud. However, there is no guarantee thatthe calculated result returned by the cloud is alwayscorrect. The cloud server may forge ciphertext orcheat the eligible user that he even does not havepermissions to decryption. To validate the correctness,we extend the CP-ABE ciphertext into the attribute-based ciphertext for two complementary policies andadd a MAC for each ciphertext, so that whether theuser has permissions he/she could obtain a privatelyverified key to verify the correctness of the delegationand prevent from counterfeiting of the ciphertext.Aiming at further improving the efficiency and pro-viding intuitive description of the security proof, theconception of hybrid encryption is also introduced inthis work. Besides, security of the VD-CPABE systemensures that the untrusted cloud will not be ableto learn anything about the encrypted message andforge the original ciphertext. After that, the proposedscheme is simulated in the GMP library [20]. Finally,the scheme is concluded to be practical in the cloud.

1.3 Our Techniques

Verifiable delegation (VD) is used to protect autho-rized users from being deceived during the delega-tion. The data owner encrypts his message M underaccess policy f , then computes the complement circuitf̄ , which outputs the opposite bit of the output off , and encrypts a random element R of the samelength to M under the policy f̄ . The users can thenoutsource their complex access control policy decisionand part process of decryption to the cloud. Suchextended encryption ensures that the users can obtaineither the message M or the random element R, whichavoids the scenario when the cloud server deceivesthe users that they are not satisfied to the accesspolicy, however, they meet the access policy actually.

In CP-ABE we use a hybrid variant for two reasons:one is that the circuit ABE is a bit encryption, andthe other is that the authentication of the delegatedciphertext should be guaranteed. The ciphertext of thehybrid VD-CPABE system is divided into two compo-nents: the CP-ABE for circuits f and f̄ makes up thekey encapsulation mechanism (KEM) [21] part, anda symmetric encryption plus the encrypt-then-macmechanism [22] make up the authenticated encryptionmechanism (AE) part. Each KEM encrypts a randomgroup element and then maps it via key derivationfunctions into a symmetric encryption key dk and a

one-time verified key vk. Then the random encryptionkey dk is used to encrypt the message of any length.vk and the data owner’s ID are used to verify theMAC of the ciphertext. Only when the server dosenot forge the original ciphertext and respond a correctpartial decrypted ciphertext, the user could be able toproperly validate the MAC.

For implementation, the recent work on multilinearmaps over the integers [23] is applied to simulate thescheme in the GMP library in VC 6.0. Though the op-eration time for the pairing in the multilinear map ismuch more than the one in the bilinear map, we couldachieve the strongest general circuits access policy upto now. Besides, by using verifiable delegation, theoperation time for the user is short and independentof the complexity of the circuit. For the security,we show that the IND-CPA secure KEM combineswith the IND-CCA secure authenticated (symmetric)encryption scheme yields our IND-CPA secure hybridVD-CPABE scheme.

1.4 OrganizationIn the following section, we describe some relatedmathematical problems. A formal definition of hybridVD-CPABE and its corresponding security model isgiven in section 3. In Section 4, we propose a concreteconstruction for VD-CPABE. In Section 5, we analyzethe security of the proposed scheme. Subsequently,we present a brief performance analysis. Finally, theconclusions are given in Section 7.

2 PRELIMINARY

In this section, we summarize the concepts about thesystem, the circuits and the multi-linear decisionalDiffie-Hellman assumption.

2.1 NotationIn the rest of the paper, we let Zp be a finite field withprime order p. ⊥ is a formal symbol denotes termina-tion. If X is a finite set then x← X denotes that x israndomly selected from X . If A is an algorithm thenA(x) → y denotes that y is the output by runningthe algorithm A on input x. We denote G(λ, k) as agroup generation algorithm where λ is the securityparameter and k is the number of allowed pairingoperation. As usual, a function ε: Zp → R is negligibleif for every c > 0 there is a K such that ε(k) < k−c

for all k > K.

2.2 system description and assumptionAs shown in TABLE 1, the parties in the VD-CPABEconstruction are firstly summarized.

In the system, the data owner and the users areboth registered entities and got private keys from theauthority. The authority is supposed to be the onlyparty that is fully trusted by all participants.


TABLE 1Role description

Role DescriptionAuthority Attribute key generator center

(trusted third party)Data owner Encrypting party who uploads his

encrypted data to the cloudUser Decrypting party who outsources the

most overhead computation to the cloudCloud server The party who provides storage

and outsourced computation services

Similar to the previous schemes [3], [18], the serveris supposed to be untrusted. Sound trust managementstandards as well as auditing standards could beused to establish good business relations between thecloud server and the user. According to this frame,the cloud server could be regarded as a trustworthycloud service provider. Actually, the role-based accesscontrol is proposed based on this assumption. How-ever, using this single mechanism, we will be at therisks of unknown attacks and the existing of the mali-cious system administrator, which may result in dataleakage, invalidation of access control and failure ofoutsourcing. Besides, trust management mechanismmay cause an extra workload for the auditor. Thus,it is high time to construct a practical cryptographyscheme to protect data and control access with anuntrusted server.

2.3 CircuitsIn the context, we still restrict our attention to themonotone boolean circuit with a single output gate[9]. The definition of a circuit and its evaluation areas follows.Definition 1. A single-output circuit is a 5-tuple f =(n, q, A,B,G). Here n is the number of inputs, q isthe number of gates, and n + q is the number ofwires. Let Inputs= {1, ..., n}, Wires= {1, ..., n + q},Gates= {n + 1, ..., n + q} and OutputWire= {n +q}. Then A: Gates→ Wires/OutputWires is a func-tion to identify each gate’s first incoming wire, B:Gates→ Wires/OutputWires is a function to identifyeach gate’s second incoming wire and G: Gates→{AND,OR} is a function to identify a gate as eitheran AND or OR gate. Gates have two inputs, arbitraryfunctionality and a single fan-out. Every non-inputwire is the outgoing wire of some gates. We requireA(w) < B(w) < w for all w ∈ Gates. Let depth(w)equals to the length of the shortest path to an inputwire plus 1 and if w ∈ Inputs then depth(w) = 1.

We define the evaluation of the circuit f as f(x) oninput the string x ∈ {0, 1}n, and let fw(x) be the valueof wire w on input x. Given the monotone booleancircuit f we can compute its complement circuit f̄ ,which outputs the opposite bit of the output of f . Forthe circuit f̄ , negation gates will remain only at theinput level by applying De Morgan’s rule. We will

ignore the depth of the negation gates. See Fig.2 foran illustration of a circuit f and the correspondingcomplement circuit f̄ .

AND

AND

AND

AND

AND

A

B

H

G

F

E

D

C

OR

OR

AND

A

B

E

D

C

OR

OR

AND

E

F

E

H

G

OR

OR

EOR

NOT

Fig. 2. Left: A conventional circuit f = (A∨B)∧ (C ∧D) ∧ (E ∨ F ) ∧ (G ∨ H). Right: A complement circuitcorresponding to the left circuit f̄ = (A∧B)∨ (C∨D)∨(E ∧ F ) ∨ (G ∧H)

2.4 Multilinear Map

Definition 2. (Multilinear map [9], [24]). It runs G(λ, k)and outputs k cyclic groups G⃗ = (G1, ..., Gk) of thesame prime order p. Let the elements {gi ∈ Gi}i=1,...,k

be the generators of the above groups and set g = g1.Then their exist a set of bilinear maps {eij : Gi×Gj →Gi+j |i, j ≥ 1, j + j ≤ k} (write as e for simple) thathas the following properties.

For a, b← Zp, we have e(gai , gbj) = gabi+j .

Definition 3. (k- Multilinear Decision-Diffie-Hellmanproblem). A challenger runs G(λ, k) to get a sequenceof groups G⃗ = (G1, ..., Gk) of prime order p whereeach comes with a canonical generator g = g1, g2..., gk.Then it picks s, c, c1, ..., ck ← Zp. The advantage indistinguishing the tuple (g, gs, gc1 , ..., gck , g

s∏

j∈[1,k] cj

k )from (g, gs, gc1 , ..., gck , gck) is negligible in λ.

3 OUR MODEL OF HYBRID VD-CPABEIn this section, we present the definition and se-curity model of our hybrid VD-CPABE. In such asystem, a circuit ciphertext-policy attribute-based en-cryption scheme, a symmetric encryption scheme andan encrypt-then-mac mechanism are applied to ensurethe confidentiality, the fine-grained access control andthe verifiable delegation.

3.1 Hybrid VD-CPABE

Definition 4. A hybrid VD-CPABE scheme is definedby a tuple of algorithms (Setup, Hybrid-Encrypt, Key-Gen, Transform, Verify-Decrypt). The description ofeach algorithm is as follows.• Setup(λ, n, l). Executed by the authority, this al-

gorithm takes as input a security parameter λ, thenumber of attributes n and the maximum depth lof a circuit. It outputs the public parameters PKand a master key MK which is kept secret.


• Hybrid-Encrypt(PK,M, f). This algorithm is ex-ecuted by the data owner. It could be conve-niently divided into two parts: key encapsulationmechanism (KEM) and authenticated symmetricencryption (AE).– The KEM algorithm takes as input the public

parameters PK and an access structure f forcircuit. It computes the complement circuit f̄and chooses a random string R. Then it gen-erates KM = {dkm, vkm}, KR = {dkr, vkr} andthe CP-ABE ciphertext (CKM , CKR).

– The AE algorithm takes as input a messageM , the random string R, the symmetric keyKM and KR. Then it outputs the ciphertext(CM , CR, σID,vkm(CM ||CR), σID,vkr (CM ||CR)).

The total ciphertext for our VD-CPABE scheme isthe tupleCT = (CKM , CKR, CM , CR,σID,vkm(CM ||CR), σID,vkr (CM ||CR)).

• KeyGen(MK,x ∈ {0, 1}n). The authority gener-ates private keys for the users. This algorithmtakes as input the master key MK and a bit stringx. It outputs a private key SK and a transforma-tion key TK.

• Transform(TK,CT ). Executed by the cloudservers, this algorithm takes as input thetransformation key TK and a ciphertextCT that was encrypted under f and f̄ . Itoutputs the partially decrypted ciphertextCT ′ = (CK ′

M , CM , CR, σID,vkm(CM ||CR)) orCT ′ = (CK ′

R, CM , CR, σID,vkr (CM ||CR)).• Verify-Decrypt(SK,CT ′). Executed by the users,

this algorithm takes as inputs the secret key SKand the partially decrypted ciphertext CT ′. Firstly,it verifies the validity of σ. Then it outputs themessage Mb, which satisfies that if f(x) = 1 thenMb = M and if f(x) = 0 then Mb = R.

3.2 Security Model

Since we use key encapsulation mechanism (KEM)and authenticated encryption (AE) to build our hybridVD-CPABE scheme, we describe the security defini-tion separately at first.

The confidentiality property (indistinguishability ofencryptions under selective chosen plaintext attacks(IND-CPA)) required for KEM is captured by thefollowing games against adversary A.Game.KEM• Init. The adversary gives a challenge access struc-

ture f∗, where it wishes to be challenged.• Setup. The simulator runs the Setup algorithm and

gives the public parameters PK to the adversary.• KeyGen Queries I. The adversary makes repeated

private key queries corresponding to the sets ofattributes x1, ..., xq1 . We require that ∀i ∈ q1 wehave f∗(xi) = 0.

• Encrypt. The simulator encrypts K0 under thestructure f∗, random chooses K1 from key spaceand flips a random coin b. Then the simulatorsends Kb and the ciphertext CK∗ to the adversary.

• KeyGen Queries II. The adversary makes repeat-ed private key queries corresponding to the setsof attributes xq1 , ..., xq where f∗(x) = 0.

• Guess. The adversary outputs a guess b′ of b.We define the advantage of an adversary A in thisgame is Pr[b′ = b] − 1

2 . Then a KEM scheme issecure against selective chosen plaintext attacks if theadvantage is negligible.

The confidentiality property (indistinguishability ofencryptions under selective chosen ciphertext attacks(IND-CCA)) required for AE is captured by the fol-lowing games against adversary A.Game.AE• Init. The adversary submits two equal length mes-

sages M0 and M1.• Setup. The simulator runs the Setup algorithm and

generators the symmetric key KAE .• Encrypt. The simulator flips a random coin b,

encrypts Mb under the symmetric key KAE , gener-ates the ciphertext C∗ and gives it to the adversary.

• Decrypt Queries. The adversary makes repeateddecryption queries. When the given ciphertextC ̸= C∗, the simulator will return DKAE (C) andσKAE

(C) to the adversary.• Guess. The adversary outputs a guess b′ of b.Let Pr[b′ = b] − 1

2 be the advantage of an adversaryA in this game. Using the encrypt-then-mac method,We say that an AE scheme is IND-CCA secure if theadvantage is negligible[21].

From the above, we present the security model forour scheme as follows.Game.VD-CPABE• Init. The VD-CPABE algorithm adversary submits

the challenge access structure f∗ and two equallength messages M0 and M1.

• Setup. The simulator runs the Setup algorithm andgives the public parameters PK to the adversary.

• KeyGen Queries I. The adversary makes repeatedprivate key queries corresponding to the sets ofattributes x1, ..., xq1 . We require that ∀i ∈ q1 wehave f∗(xi) = 0.

• Encrypt. The simulator encrypts K0 under thestructure f∗ by using the KEM algorithm. Thenthe simulator flips a random coin v and encryptsMv under the symmetric key K0 by using the AEalgorithm. Then the total ciphertext is given to theVD-CPABE algorithm adversary.

• KeyGen Queries II. The adversary makes repeat-ed private key queries corresponding to the setsof attributes xq1 , ..., xq where f∗(x) = 0.

• Guess. The adversary outputs a guess v′ of v.We define the advantage of an adversary A in this



game is Pr[v′ = v]− 12 .

We’ll show that if a KEM scheme is IND-CPAsecure and an AE scheme is IND-CCA secure thenour hybrid encryption scheme is IND-CPA secure insection 5.

4 OUR HYBRID VD-CPABE SCHEME

In this section, we propose a concrete circuitciphertext-policy attribute-based hybrid encryptionwith verifiable delegation scheme based on the multi-linear maps and the verifiable computing technologyunder cloud environment.

We give a brief description of the protocol in Fig.3.Authority generates private keys for the data ownerand user. The data owner encrypts his data usinghybrid encryption system, generates a privately ver-ifiable MAC for each symmetric ciphertext and thenuploads the whole ciphertext to the cloud server. Thenthe data owner could be offline. The user, who wantsto access to the data, interacts with the cloud server. Inthe figure, the dashed arrows indicate that the valueis transferred secretly, while the solid arrows indicatethat the value is transferred without a secure channel.

Using general circuits to express the access controlpolicy, we construct a monotone circuit with depthl and input size to be n. The proposed hybrid VD-CPABE scheme consists of the following probabilisticpolynomial time (PPT) algorithms.• Setup(λ, n, l). This algorithm is executed by the

authority. It takes as input a security parameterλ, the number n of input size and the maximumdepth l of a circuit. Then it runs G(λ, k = l + 1),outputs a sequence of groups G⃗ = (G1, ..., Gk) ofprime order p and their corresponding generatorsg1, ..., gk and sets g = g1. After that it chooses threeone-way hash functions H1 : Gk → {0, 1}m, H2 :Gk → Zp, H3 : {0, 1}∗ → G1, random α ∈ Zp, a ∈Zp, h11, ..., h1n, h21, ..., h2n ∈ G1 and sets y = ga.The public key PK as well as the system masterkey MK are as follows:PK = (gαk , H1,H2,H3, y, h1, ..., hn, hn+1, ..., h2n),MK = gα.

• Hybrid-Encrypt(PK, f = (n, q, A,B,GateType),M ∈ {0, 1}m)). This algorithm is executed by thedata owner. Taking the public parameters PK, adescription f of a circuit and a message M ∈{0, 1}m as input, the hybrid encryption algorithmworks as follows.1) It chooses random R ∈ {0, 1}m, s1, s2, s3 ∈ Zp

and computesC ′

M = gs1k−1, r1 = H2(gαs1k ), CM = M⊕H1(g

αs1k ),

C ′R = gs2k−1, r2 = H2(g

αs2k ), CR = R⊕H1(g

αs2k ),

σ1 = MAC.SignIDo,r1(CM ||CR), σ2 =MAC.SignIDo,r2(CM ||CR).Whereσ1 = gαs3yts3Hts3

3 (ID0)Hr1s33

(ID0||CM ||CR)and

σ2 = gαs3yts3Hts33 (ID0)H

r2s33

(ID0||CM ||CR).SetσM = {σ1, g

αs3k , gts3k−1,H

s33,k−1(IDo||CM ||CR)}

andσR = {σ2, g

αs3k , gts3k−1, H

s33,k−1(IDo||CM ||CR)}.

The partial ciphertext is(CM , C ′

M , σM , CR, C′R, σR).

Note that the value gαyt, gt and Ht3(IDo) are

the private keys for the encrypter shown in theKeyGen algorithm.

2) Given the circuit access structure f , it generatesa complement circuit f̄ using De Morgan’s rulesuch that negation gates appear only at theinput wires.Takes f for example, the encryption algorithmchooses random r1, ..., rn+q−1 ∈ Zp and letsrn+q = s1. The randomness rw is associatedwith wire w. We then describe how the circuitf shares the encryption exponent s1. We use themonotone boolean circuits given by Garg et al.[9]. The structure of the shares depends on if wis an Input wire, an OR gate, or an AND gate.The circuit descriptions are as follows.– Input wire. For w ∈ [1, n], this algorithm

chooses random zw ∈ Zp. The shares are:Cw,1 = yrw(yhw)

−zw , Cw,2 = gzw .– Gate OR. Let j = depth(w). This algorithm

choose random aw ∈ Zp. The shares are:Cw,1 = gaw , Cw,2 = g

a(rw−awrA(w))

j , Cw,3 =

ga(rw−awrB(w))

j .– Gate AND. Let j = depth(w). This algorith-

m choose random aw, bw ∈ Zp. The sharesare:Cw,1 = gaw , Cw,2 = g

a(rw−awrA(w)−bwrB(w))

j .For the OR and AND gates in circuit f̄ , thesharing methods are as the same as in f . Whennegation gates appear in the input level, settingfw(x) = x̄w, the shares of the correspondinginput wire w will be:Cw,1 = yrwh−zw

n+w, Cw,2 = gzw .Then we could utilize the circuit f̄ to share theencryption exponent s2.

The full ciphertext CT containsCM , C ′

M , CR, C′R, σ, the ciphertext of f and f̄

(C ′M , C ′

R, the ciphertext of f and f̄ are consideredas the KEM part denoted by (CKM , CKR).(CM , CR, σ) is considered as the AE part). Insummary, the total ciphertext for our VD-CPABEscheme is the tupleCT = (CKM , CKR, CM , CR, σM , σR).

• KeyGen(MK,x ∈ {0, 1}n) The authority generatesthe private key for the user. Then the user sendshis transformation key to the cloud server. Thisalgorithm takes as input the master secret keyand a description of the attribute x ∈ {0, 1}n. Itfirstly chooses a random t ∈ Zp. Then it creates



Cloud ServerData owner User

YES NO

Reject

Authority

1 2 3 11 1 21 2

Run Setup( , ) to get

( , , , , , ,..., , ,..., )

a

k n n

n,l MK = g

PK g H H H y h h h ha

l

=

3

Run KeyGen( , ) to get

, , ( )o

t t t

H ID o

MK x

K g y L g K H IDa= = =

1 1 1

2 2 2

1 2

1 2 1

1 2 2 1

1 , 2

1

,

Run Hybrid-Encrypt( , , ) toget

,

,

( ' , and the sharingfor ea

( ), ( )

( ), ( )

( ||C ), ( ||

ch wires)

( ' , and

C )

the s

o o

s s s

M k k M k

s s s

R k k R k

ID r M R ID r M R

M M

R R

C g H g C M H g

C g r H g C R H g

PK f M

MAC C MAC C

r

CK C f

CK C f

a a

a a

s s

-

-

¢ = = = Å

¢ = =

=

= Å

= =

=

haringfor each wires)

1 2{( , ),( , , , )}M R M RCT CT CT C C s s=

{ {0,1} , , , [1, ]}n

iTK x L i nK Î= Î

1 2

RunTransform( , ) toget

,as t as t

k kM R

TK CT

C Cg g¢¢ ¢ =¢=

1

2

( , , , , ), ( ) 1

( , , , ) ( ), , 0

M M R M

M R R R

CT C C C C f x

CT C C C C f x

s

s

¢ ¢ ¢¢= =

¢ ¢ ¢¢= =

2

1 2

1

2

2

( , )( ) 1, , ( )

Verify the validityof

( , )( ) 0, , ( )

Verify the validityof

R

MM M

M

RR

R

e C Kf x r H

C

e C Kf x r H

C

c c

s

c c

s

¢= = =

¢¢

¢= = =

¢¢

1

1

If ( ) 1, recover ( )

If ( ) 0, recover ( )

M M

R R

f x M H C

f x R H C

c

c

= = Å

= = Å

Run KeyGen( , ) to get

, , { , }

If 1, , If( 0) ), (t t

i i

t

i

i n i

t

H

i iK

MK x

K g y L g TK L K

x xyh K yh

a

+

= = =

= == =

Fig. 3. Our hybrid VD-CPABE scheme in the cloud

the private key asKH = gαyt, L = gt, if xi = 1 Ki = (yhi)

t , if xi = 0Ki = (yhn+i)

t , i ∈ [1, n].The transformation key is TK = {L,Ki, i ∈ [1, n]}.Note that, for the data owner IDo, the authoritygenerates his private key with the identity at-tribute ID0 asKH = gαyt, L = gt, KIDo = Ht

3(IDo).• Transform(TK,CT ). The transformation algorith-

m is executed by the cloud server. It takes asinput the transformation key TK and the originalciphertext CT . The algorithm partially decryptsthe ciphertext as follows.Taking TK with x as input, we evaluate the circuitfrom the bottom up. If f(x) = 1 we will be ableto partially decrypt the ciphertext for M and iff(x) = 0 we will be able to partially decrypt theciphertext for R. Consider the wire w at depthj, if fw(x) = 1 then the algorithm computesEw = (gj+1)

arwt and if fw(x) = 0 the algorithmdose nothing. The evaluation depends on if w isan Input wire, an OR gate, or an AND gate. Thepartial decryption algorithm is as follows.

– Input wire. For w ∈ [1, n], if xw = fw(x) = 1,the algorithm computes:Ew = e(Kw, Cw,1) · e(L,Cw,1) = e(ytht

w, gZw) ·

e(gt, garwy−zwh−zww ) = garwt

2 .When negation gates appears at the input level,fw(x) = x̄w. If fw(x) = 1, the algorithmcomputes:Ew = e(Kw, g

Zw) · e(L,Cw,1) = e(ythtn+w, g

Zw) ·e(gt, garwy−zwh−zw

n+w) = garwt2 .

– Gate OR. Let j = depth(w). If fA(w)(x) = 1, thealgorithm computes:Ew = e(EA(w), Cw,1) · e(Cw,2, L) =

e(garA(w)t

j , gaw) · e(ga(rw−awrA(w))

j , gt) = garwtj+1 .

– Gate AND. Let j = depth(w). If fA(w)(x) =fA(w)(x) = 1, the algorithm computes:Ew = e(EA(w), Cw,1) · e(EB(w), Cw,2) · e(Cw,3, L)

= e(garA(w)t

j , gaw) · e(garB(w)t

j , gbw) ·e(g


j , gt) = garwtj+1 .

If f(x) = fn+q = 1, the algorithm computesC ′′

M = (gk)as1t, otherwise, if f(x) = 0 then

f̄ = 1, the algorithm computes C ′′R = (gk)

as2t. Itfinally outputs the partially decrypted cipher-text


CT ′ = (σM , CM , CR, C′M , C ′′

M ) if f(x) = 1and CT ′ = (σR, CM , CR, C

′R, C

′′R) if f(x) = 0.

• Verify-Decrypt(SK,CT ′). The verifying and de-cryption algorithm is executed by the user. Giventhe partially decrypted ciphertext CT ′ which con-tains a signature σ and the data owner’s identityIDo, the user does as follows.1) If f(x) = 1, the user will compute χM =

e(C′M ,K)C′′

M, r1 = H2(χM ) and use the signa-

ture using IDo and verified key gr1 to checkwhethere(σ1, gk−1) = gαs3k · e(yH3(IDo), g

ts3k−1) ·

e(Hs33,k−1(IDo||CM ||CR), g

r1).Then the user will compute M = H1(χM )⊕CM .

2) If f(x) = 0, the user will compute χR =e(C′

R,K)C′′

R, r2 = H2(χR) and verifier the signature

using IDo and gr2 , then the user will computeR = H1(χR)⊕ CR.

5 SECURITY PROOF

In our proposed hybrid VD-CPABE scheme, the AEpart is implemented by a one-time symmetric-key en-cryption and the encrypt-then-mac paradigm. (C, σ) isconsidered as the IND-CCA secure AE part [8]. Thefollowing theorem shows that the KEM part is IND-CPA secure.

Suppose there exists a PPT attacker A in our KEMsystem for a circuit of depth l and inputs of length nin the selective chosen plaintext security game, we canconstruct a PPT algorithm that solves the l + 1- mul-tilinear assumption with non-negligible advantage.• Theorem 5.1. The proposed CP-ABE scheme that

constitutes the KEM part is secure in the sense ofIND-CPA for arbitrary circuits of depth k−1 underthe k-MDDH assumption.

Proof. For VD-CPABE cryptosystems, we should con-sider two types of adversaries. The adversary A1

represents a normal third party attacker against theVD-CPABE scheme. The adversary A2 represents amalicious cloud server who obtains partial private keyof the users.

Algorithm B-1 (For the adversary A1 who does notcomply with the challenge access policy)• Init. Firstly, the challenger set the group G⃗ =

(G1, ..., Gk) with an efficient multilinear map e,a generator g and an instance g, ga, gc1 , ..., gck ∈G1, T ∈ Gk. Then it flips a fair binary coin uoutside of B’s view. If u = 0. The challenger setsT = g

a∏

j∈[1,k] cj

k ; otherwise it sets T as a randomgroup element in Gk.Next, the attacker declares the challenge accesspolicy f∗.Remark. When the attacker declares the challengeaccess policy f∗, for simplicity, we will focus ourattention on the original policy f∗. Similarly, we

can prove the security of the encryption for policyf̄∗.

• Setup. Given a security parameter λ, the depth lfor the circuit and the number of attributes n, Bchooses random y1, ..., y2n ∈ Zp. For i ∈ [1, 2n], Bsets hi = g−a+vi , y = ga, gαk = gackk and sendsPK = (gαk ,H1,H2, y, h1, ..., hn, hn+1, ..., h2n) to A1.

• KeyGen Queries I. The adversary makes repeatedprivate keys corresponding to sets of attributes x ∈{0, 1}n. We require that ∀i ∈ q1 we have f∗(xi) = 0.B chooses random t = −ck + ξ and computesKH = gαyt = gaξ, L = gt = g−ck+ξ, Ki = (yhi)

t =gvi(−ck+ξ) if xi = 1.

• Encrypt. B sets gα = gack as the master key. ThenB computes the challenge ciphertext as follows.

1) B sets C ′1 = gsk−1 = g

∏j∈[1,k−1] cj+yn+q

k−1 , whereyn+q is chosen at random.

2) For the circuit f∗ = (n, q, A,B,GateType), Bcomputes the ciphertext components for eachwire w as follows.– Input wire. For w ∈ [1, n], B chooses xw at

random, sets zw = c1 and computesCw,1 = ga(c1+yw)(hw)

−c1 = gayw+vwc1

Cw,2 = gzw=gc1When xw = 0, we can see rw as a(c1 +yw) and the adversary is try to computega(c1+yw)t2 without knowing ht

w.Remark, in our practical scheme, whenxw = 0 the user needs to compute nothingfor the wire. When xw = 1, we can see rwas ayw and knowing ytht

w the adversary cancompute gaywt

2 correctly.– Gate OR. For w ∈ [n + 1, n + q − 1],

GateType(w)= OR and j = depth(w). Bchooses random yw, sets aw = cj and com-putesCw,1 = gaw = gcj

Cw,2 = ga(rw−awrA(w))

j = gayw−acjyA(w)

j

Cw,3 = ga(rw−awrB(w))

j = gayw−acjyB(w)

j

When xw = 0, we can see rw as ac1c2 · · ·cj+yw. Otherwise, we can see rw as ayw.

– Gate AND. For w ∈ [n + 1, n + q − 1],GateType(w)= AND and j = depth(w). Bchooses random yw and computes gcj . It set-s (Cw,1, Cw,2) = (gcj , g). Then it computesthe ciphertext for the gate as the followingtuples.Cw,3 = g


j =

(ga(yw−cjyA(w)−yB(w))

j , ga(yw−cjyB(w)−yA(w))

j ,

ga(yw−cjyA(w)−yB(w)−a1···aj−1)

j ).the adversary could select the appropriatetuple to compute the value garwt

j+1 . Whenxw = 0 and xAw = 0, we can see rw andaw as ac1c2 · · ·cj +yw and gcj . When xw = 0and xBw = 0, we can see rw and bw asac1c2 · · · cj + yw and gcj . Otherwise, we can



see rw as ayw.B generates the challenge ciphertext as T ·gackxn+q

k and the description of the circuitf∗. Then B sends them to A1.

• KeyGen Queries II. The adversary makes re-peated private key queries corresponding to thesets of attributes xq1 , ..., xq where f∗(x) = 0. Thechallenger responds the key queries as in phase I.

• Guess. The adversary outputs a guess b′ of b. Ifb′ = b it guesses that T is a tuple; otherwise, itguesses that it is random.

This immediately shows that the adversary A1 withnon-trivial advantage in the KEM security game willhave an identical advantage in breaking the k-MDDHassumption.

Algorithm B-2 (For the adversary A2 who is themalicious cloud server)

Though the malicious cloud server could partialdecrypt the ciphertext gastk . We’ll show that the ad-versary A2 having non-negligible advantage to dis-tinguish gαsk from a random element in Gk.• Init. Firstly, the challenger generates k-MDDH

instance as in Algorithm B-1.Next, the attacker declares the challenge partialdecrypted ciphertext gast

∗

k .• Setup. Given a security parameter λ, the depth l

for the circuit and the number of attributes n, Bchooses random y1, ..., y2n ∈ Zp. For i ∈ [1, 2n],B sets hi = gvi , Y = ga, gαk = gackk and sendsPK = (gαk ,H1,H2, Y, h1, ..., hn, hn+1, ..., h2n) to A2.

• KeyGen Queries I. The adversary makes repeatedprivate keys for any set S.B chooses random t = −ck + ξ and computesKH = gαyt = gaξ. We require that the private keyquery for t∗ have not be answered.

• Encrypt. B computes T ·gackxn+q and the challengeciphertext C∗ = g

at∗(xrn+q+∏

j∈[1,k−1] cj)

k . Then Bsends them to A2.

• KeyGen Queries II. The adversary makes repeat-ed private keys for any set S.B responds the key queries as in phase I wheret ̸= t∗.

• Guess. The adversary outputs a guess b′ of b. Ifb′ = b it guesses u′ = 0 to indicate that T is atuple; otherwise, it guesses u′ = 1 to indicate thatT is random in Gk.

We suppose the polynomial-time adversaries A1,A2 can attack this scheme with advantage εk. We willcompute the probability that the simulator B can solvethe k-MDDH problem.

When u = 0 the adversary has an advantage ε toattack this scheme that is Pr[b = b′|u = 0] = 1

2 + εk.The simulator will guess u′ = 0 if b = b′, so we havePr[u = u′|u = 0] = 1

2 + εk.When u = 1 the adversary has no advantage to

guess b. Therefore Pr[b ̸= b′|u = 1] = 12 . The simulator

will guess u′ = 1 if b ̸= b′, so we have Pr[u = u′|u =1] = 1

2 .Thus, we compute the overall advantage that the

simulator solves the k-MDDH problem isPr[u = u′] = Pr[u = 0]Pr[u = u′|u = 0] + Pr[u =

1]Pr[u = u′|u = 1] = 12 + εk

2 .• Theorem 5.2. If the KEM is CPA secure and the AE

is CCA secure then the proposed hybrid CP-ABEscheme is CPA secure.

Proof. Suppose there exist a polynomial-time adver-sary attacks the AE scheme with advantage εa and anadversary attacks the KEM scheme with advantage εk,then the advantage for the adversary, who attacks theproposed hybrid encryption, is ε < 2εk + εa.

Now we define two games to prove security. Theexperiment Exp1 is specified by our VD-CPABE gamethat interacts with the adversary in the manner de-scribed in the definition of the CPA experiment. Theexperiment Exp2 modifies the VD-CPABE algorithmthat the encryption key for the AE algorithm is chosenat random from key space rather than the legitimateone generated by the KEM algorithm.

Let A and B be the events that v′ = v appearsin Exp1 and Exp2 respectively. Then we show thatthe adversary’s views in Exp1 and Exp2 are indistin-guishable. In particular, |Pr[A]− Pr[B]| ≤ 2εk.

Consider a simulator B that interacts with an ad-versary A1 who attacks the KEM scheme by usingAA. B runs setup algorithm and gives PK to A1.A1 passes PK to AA and queries Kb to B by usingthe encryption oracle of Game.KEM. Then A1 flips acoin v and computes C = AE.EncKb

(Mv). It sendsC to B and get a KEM ciphertext CK for C. ThenA1 sends (C,CK) to AA. When AA outputs v′ = v,A1 outputs b′ = 0 to indicate that Kb is the real key.Otherwise, if v′ ̸= v, A1 outputs b′ = 1 to indicatethat Kb is a random element.It is clear by constructionthat when b = 0 the view of AA is identical to thatin Exp1 and when b = 1 the view of AA is identicalto that in Exp2. That is Pr[v′ = v|b = 0] = Pr[A] andPr[v′ = v|b = 1] = Pr[B]. Therefore,

12 (Pr[A]− Pr[B])= 1

2 (Pr[v′ = v|b = 0]− Pr[v′ = v|b = 1])

= 12 (Pr[b

′ = 0|b = 0]− Pr[b′ = 0|b = 1])= 1

2 (Pr[b′ = b|b = 0]− ( 12 −

12 Pr[b

′ = b|b = 1]))= Pr[b′ = b]− 1

2Since |Pr(b′ = b) − 1

2 | ≤ εk, we have |Pr[A] −Pr[B]| ≤ 2εk.

Next, we will show that |Pr[B]− 12 | ≤ εa.

Consider a simulator B that interacts with an adver-sary A2 who attacks the modified VD-CPABE schemeby using AA. When receives M0 and M1 from AA,A2 submits them to simulator to get a ciphertext CM

by using AE encryption algorithm. It then requests aKEM encryption query and get a ciphertext CK for C.Then A2 sends (C,CK) to AA. When AA outputs v′,A2 outputs v′. We can see that Exp2 can be perfectly


Fig. 4. Performance of our hybrid VD-CPABE scheme

TABLE 2Pairing operation time

Parameter λ = 62 λ = 80 λ = 160β = 80 β = 160 β = 200

Time 15ms 16ms 31ms

simulated and whenever AA wins, A2 wins. Hence|Pr[B]− 1

2 | ≤ εa.We define the advantage that the adversary wins in

Exp1 as ε, that is |Pr[A]− 12 | ≤ ε. Since |Pr[B]− 1

2 | ≤εa, |Pr[A]− Pr[B]| ≤ 2εk.

Then we have ε < 2εk + εa, where εk and εa areassumed negligible.

Thus, the proposed system could be applied toprotect the data’s confidentiality.

6 IMPLEMENTATION

In this section, we simulate the cryptographic opera-tions by using of the Gnu MP library [20] in vc 6.0.The experiments are performed on a computer usingthe Intel Core i5-2400 at a frequency of 3.10 GHzwith 4GB memory and Windows 7 operation system.Without considering the addition of two elementsover the integer, the hash function and exclusive-OR operations, we denote the cost of a multilinearpairing by P. λ denotes the security parameter. βdenotes the group elements size in bits. With differentparameters, the average running time of P operationin 100 times is obtained and demonstrated in TABLE2. For P operations, in order to implement in practiceefficiently, we use the optimized definition in [23].

We instantiate our hybrid VD-CPABE scheme withλ = 80 and β = 160. When we operate the encryptionand partial decryption algorithms, the input wire andthe AND gate need to garble twice and the OR gateneeds to garble triple. The algorithm for generatingMAC needs one garbling operation and other additionoperations over the integer, and the algorithm forverifying MAC needs to garble triple. Based on theabove parameter settings, the most running time tofinish our encryption and decryption algorithms areillustrated in Fig. 4.

In addition, suppose that the symmetric cipher is128-bit. The bandwidth of the transmitted ciphertext

for the data owner grows with the increase of thedepths of circuit. For the user, The bandwidth of thetransmitted ciphertext is (128 × 2 + 160 × 3)/8 =92 bytes. Obviously, for the data owner and thecloud server, the computation time grows exponen-tially with the increase of the depth of circuit. Whendepth(C) = 1, these computation are 96ms and 0ms,respectively. While the cost of computation consump-tion at the user side is just 64ms which is independentof the depth of the circuit. Thus our scheme enables toprovide an efficient method to share and protect theconfidential information between users with limitedpower and data owners with vast amount of data inthe cloud.

7 CONCLUSIONTo the best of our knowledge, we firstly present a cir-cuit ciphertext-policy attribute-based hybrid encryp-tion with verifiable delegation scheme. General cir-cuits are used to express the strongest form of accesscontrol policy. Combined verifiable computation andencrypt-then-mac mechanism with our ciphertext-policy attribute-based hybrid encryption, we coulddelegate the verifiable partial decryption paradigm tothe cloud server. In addition, the proposed scheme isproven to be secure based on k-multilinear DecisionalDiffie-Hellman assumption. On the other hand, weimplement our scheme over the integers. The costsof the computation and communication consumptionshow that the scheme is practical in the cloud com-puting. Thus, we could apply it to ensure the dataconfidentiality, the fine-grained access control and theverifiable delegation in cloud.

ACKNOWLEDGMENTSThe authors would like to thank NSFC (Grant Nos.61300181, 61272057, 61202434, 61170270, 61100203,61121061), the Fundamental Research Funds for theCentral Universities (Grant Nos. 2012RC0612, 2011Y-B01).

REFERENCES[1] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A.

Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica and M.Zaharia, ”Above the Clouds: A Berkeley View of Cloud Com-puting,” University of California, Berkeley, Technical Report,no. UCB/EECS-2009-28, 2009.



[2] M. Green, S. Hohenberger and B. Waters, ”Outsourcing theDecryption of ABE Ciphertexts,” in Proc. USENIX SecuritySymp., San Francisco, CA, USA, 2011.

[3] J. Lai, R. H. Deng, C. Guan and J. Weng, ”Attribute-BasedEncryption with Verifiable Outsourced Decryption,” in Proc.IEEE Transactions on information forensics and security, vol.8, NO. 8, pp.1343-1354, 2013.

[4] A. Lewko and B. Waters, ”Decentralizing Attribute-Based En-cryption,” in Proc. EUROCRYPT, pp.568-588, Springer-VerlagBerlin, Heidelberg, 2011.

[5] B. Waters, ”Ciphertext-Policy Attribute-Based Encryption: anExpressive, Enficient, and Provably Secure Realization,” inProc. PKC, pp.53-70, Springer-Verlag Berlin, Heidelberg, 2011.

[6] B. Parno, M. Raykova and V. Vaikuntanathan, ”Howto Delegate and Verify in Public: verifiable computationfrom attribute-based encryption,” in Proc. TCC, pp.422-439,Springer-Verlag Berlin, Heidelberg, 2012.

[7] S. Yamada, N. Attrapadung and B. Santoso, ”Verifiable Predi-cate Encryption and Applications to CCA Security and Anony-mous Predicate Authentication,” in Proc. PKC, pp.243-261,Springer-Verlag Berlin, Heidelberg, 2012.

[8] J. Han, W. Susilo, Y. Mu and J. Yan, ”Privacy-Preserving De-centralized Key-Policy Attribute-Based Encryption,” in Proc.IEEE Transactions on Parallel and Distributed Systems, 2012.

[9] S. Garg, C. Gentry, S. Halevi, A. Sahai and B. Waters,”Attribute-Based Encryption for Circuits from MultilinearMaps,” in Proc. CRYPTO, pp.479-499, Springer-Verlag Berlin,Heidelberg, 2013.

[10] S. Gorbunov, V. Vaikuntanathan and H. Wee, ”Attribute-BasedEncryption for Circuits,” in Proc. STOC, pp.545-554, ACMNew York, NY, USA, 2013.

[11] A. Sahai and B. Waters, ”Fuzzy Identity Based Encryption,”in Proc. EUROCRYPT, pp.457-473, Springer-Verlag Berlin, Hei-delberg, 2005.

[12] V. Goyal, O. Pandey, A. Sahai and B. Waters, ”Attribute-basedEncryption for Fine-grained access control of encrypted data,”in Proc. CCS, pp.89-98, ACM New York, NY, USA, 2006.

[13] R. Cramer and V. Shoup, ”A Practical Public Key Cryp-tosystem Provably Secure against Adaptive Chosen CiphertextAttack,” in Proc. CRYPTO, pp.13-25, Springer-Verlag Berlin,Heidelberg, 1998.

[14] R. Cramer and V. Shoup, ”Design and Analysis of PracticalPublic-Key Encryption Schemes Secure against Adaptive Cho-sen Ciphertext Attack,” in Proc. SIAM Journal on Computing,vol. 33, NO. 1, pp.167-226, 2004.

[15] D. Hofheinz and E. Kiltz R, ”Secure hybrid encryption fromweakened key encapsulation,” in Proc. CRYPTO, pp.553-571,Springer-Verlag Berlin, Heidelberg, 2007.

[16] M. Abe, R. Gennaro and K. Kurosawa, ”Tag-KEM/DEM:ANew Framework for Hybrid Encryption,” in Proc. CRYPTO,pp.97-130, Springer-Verlag New York, NJ, USA, 2008.

[17] K. Kurosawa and Y. Desmedt, ”A New Paradigm of HybridEncryption Scheme,” in Proc. CRYPTO, pp.426-442, Springer-Verlag Berlin, Heidelberg, 2004.

[18] J. Li, X. Huang, J. Li, X. Chen and Y. Xiang, ”Securely Out-sourcing Attribute-based Encryption with Checkability,” inProc. IEEE Transactions on Parallel and Distributed Systems,2013.

[19] J. Hur and D. K. Noh, ”Attribute-Based Access Control withEfficient Revocation in Data Outsourcing Systems,” in Proc.IEEE Transactions on Parallel and Distributed Systems, 2011.

[20] T. Granlund and the GMP development team, ”GNU MP:The GNU Multiple Precision Arithmetic Library, 5.1.1,” 2013,http://gmplib.org/.

[21] W. Nagao, Y. Manabe and Tatsuaki Okamoto, ”A UniversallyComposable Secure Channel Based on the KEM-DEM Frame-work,” in Proc. CRYPTO, pp.426-444, Springer-Verlag Berlin,Heidelberg, 2005.

[22] M. Bellare and C. Namprempre, ”Authenticated Encryption:Relations among Notions and Analysis of the Generic Compo-sition Paradigm,” in Proc. ASIACRYPT, pp.531-545, Springer-Verlag Berlin, Heidelberg, 2000.

[23] J. Coron, T. Lepoint and M. Tibouchi, ”Practical Multilin-ear Maps over the Integer,” in Proc. CRYPTO, pp.476-493,Springer-Verlag Berlin, Heidelberg, 2013.

[24] S. Garg, C. Gentry and Shai Halevi, ”Candidate MulitilinearMaps from Ideal Lattices and Applications,” in Proc. EURO-CRYPT, pp.1-17, Springer-Verlag Berlin, Heidelberg, 2013.

Jie Xu received the B.S. degree in informa-tion and computation science from QingdaoUniversity of Science and Technology, Chi-na, in 2009. She is currently working towardthe PhD degree in computer science andtechnology in Beijing University of Posts andTelecommunications. Her research interestsinclude functional encryption and cloud se-curity.

Qiaoyan Wen received the B.S. and M.S.degrees in Mathematics from Shaanxi nor-mal University, Xi’an, China, in 1981 and1984, respectively, and the Ph.D degree incryptography from Xidian University, Xi’an,China, in 1997. She is a professor of BeijingUniversity of Posts and Telecommunications.Her present research interests include cod-ing theory, cryptography, information security,internet security and applied mathematics.

Wenmin Li received the B.S. and M.S. de-grees in Mathematics and Applied Mathe-matics from Shaanxi Normal University, X-i’an, Shaanxi, China, in 2004 and 2007, re-spectively, and the Ph.D. degree in Cryp-tology from Beijing University of Posts andTelecommunications, Beijing, China, in 2012.Now she is a lecturer of Beijing Universityof Posts and Telecommunications. Her re-search interests include cryptography andinformation security.

Zhengping Jin received the BS degree inMath and Applied Math, MS degree in Ap-plied Math from Anhui Normal Universityin 2004 and in 2007 respectively, and thePh.D degree in Cryptography from BeijingUniversity of Posts and Telecommunicationsin 2010. Now he is a lecturer of Beijing U-niversity of Posts and Telecommunications.His research interests include cryptography,information security, internet security and ap-plied mathematics.


ieee transactions on parallel and distributed systems vol no: 1 2015 circuit ......

Documents