1

Securely Outsourcing Attribute-basedEncryption with Checkability

Jin Li, Xinyi Huang, Jingwei Li, Xiaofeng Chen, and Yang Xiang Senior Member, IEEE

Abstract—Attribute-Based Encryption (ABE) is a promising cryptographic primitive which significantly enhances the versatility ofaccess control mechanisms. Due to the high expressiveness of ABE policies, the computational complexities of ABE key-issuingand decryption are getting prohibitively high. Despite that the existing Outsourced ABE solutions are able to offload some intensivecomputing tasks to a third party, the verifiability of results returned from the third party has yet to be addressed. Aiming at tacklingthe challenge above, we propose a new Secure Outsourced ABE system, which supports both secure outsourced key-issuing anddecryption. Our new method offloads all access policy and attribute related operations in the key-issuing process or decryption to a KeyGeneration Service Provider (KGSP) and a Decryption Service Provider (DSP), respectively, leaving only a constant number of simpleoperations for the attribute authority and eligible users to perform locally. In addition, for the first time, we propose an outsourced ABEconstruction which provides checkability of the outsourced computation results in an efficient way. Extensive security and performanceanalysis show that the proposed schemes are proven secure and practical.

Index Terms—Attribute-based encryption, access control, outsourcing computation, key issuing, checkability

F

1 INTRODUCTIONAs a novel public key primitive, attribute-based en-cryption (ABE) [1] has attracted much attention in theresearch community. For the first time, ABE enablesefficient public key-based fine-grained sharing. In ABEsystem, users’ private keys and ciphertexts are labeledwith sets of descriptive attributes and access policies re-spectively, and a particular key can decrypt a particularciphertext only if associated attributes and policy arematched. Until now, there are two kinds of ABE havingbeen proposed: key-policy attribute-based encryption(KP-ABE) and ciphertext-policy attribute-based encryp-tion (CP-ABE). In KP-ABE, the access policy is assignedin private key, whereas, in CP-ABE, it is specified inciphertext.

Recently, as the development of cloud computing [2],users’ concerns about data security are the main obsta-cles that impedes cloud computing from wide adoption.These concerns are originated from the fact that sensitivedata resides in public cloud, which is maintained andoperated by untrusted cloud service provider (CSP). ABEprovides a secure way that allows data owner to shareoutsourced data on untrusted storage server insteadof trusted server with specified group of users. Thisadvantage makes the methodology appealing in cloud

• Jin Li is with the School of Computer Science, Guangzhou University,China, e-mail: lijin@gzhu.edu.cn.

• Xinyi Huang is with the School of Mathematics and Computer Science,Fujian Normal University, China, e-mail: xyhuang81@gmail.com.

• Jingwei Li is with the College of Information Technical Science, NankaiUniversity, China, e-mail: lijw@mail.nankai.edu.cn.

• Xiaofeng Chen is with the State Key Laboratory of IntegratedService Networks (ISN), Xidian University, Xi’an, China, e-mail:xfchen@xidian.edu.cn.

• Yang Xiang is with the School of Information Technology, Deakin Univer-sity, Australia, e-mail: yang@deakin.edu.au.

storage that requires secure access control for a largenumber of users belonging to different organizations.

Nevertheless, one of the main efficiency drawbacks ofABE is that the computational cost during decryptionphase grows with the complexity of the access formula.Thus, before widely deployed, there is an increasingneed to improve the efficiency of ABE. To address thisproblem, outsourced ABE, which provides a way tooutsource intensive computing task during decryptionto server without revealing data or private keys, wasintroduced [3][4]. It has a wide range of applications.For example, in the mobile cloud computing consistingof mobile devices or sensors as information collectionnodes, user terminal (e.g. mobile device) has limitedcomputation ability to independently complete basic en-cryption or decryption to protect sensitive data residingin public cloud. Outsourced ABE allows user to performheavy decryption through “borrowing” the computa-tion resources from service provider. Therefore, in thisparadigm, the computation/storage intensive tasks canbe performed even by resource-constrained users.

Beyond the heavy decryption outsourced, we observethat the attribute authority has to deal with a lot ofheavy computation in a scalable system. More precisely,the attribute authority has to issue private keys to allusers, but yet generation of private key typically requireslarge modular exponentiation computation, which growslinearly with the complexity of the predicate formula.When a large number of users call for their private keys,it may overload the attribute authority. Moreover, keymanagement mechanism, key revocation in particular, isnecessary in a secure and scalable ABE system. In mostof existing ABE schemes, the revocation of any singleprivate key requires key-update at attribute authorityfor the remaining unrevoked keys which share common

2

attributes with the one to be revoked. All of these heavytasks centralized at authority side would make it anefficiency bottleneck in the access control system.

1.1 Contribution

Aiming at eliminating the most overhead computationat both the attribute authority and the user sides, wepropose an outsourced ABE scheme not only supportingoutsourced decryption but also enabling delegating keygeneration. In this construction, we introduce a trivialpolicy controlled by a default attribute and use an ANDgate connecting the trivial policy and user’s policy.During key-issuing, attribute authority can outsourcecomputation through delegating the task of generatingpartial private key for user’s policy to a key generationservice provider (KGSP) to reduce local overhead. More-over, the outsourced decryption is realized by utilizingthe idea of key blinding. More precisely, user can sendthe blinded private key to a decryption service provider(DSP) to perform partial decryption and do the completedecryption at local. Following our technique, constantefficiency is achieved at both attribute authority and usersides.

In addition, we observe that the service provider maybe selfish in order to save its computation or band-width, which may cause results returned incorrectly. Inorder to deal with this problem, we consider to realizecheckability on results returned from both KGSP andDSP, and provide a security and functionality enhancedconstruction, which is provable secure under the recentformulized refereed delegation of computation (RDoC)model. Out technique is to make a secret sharing onthe outsourcing key for KGSP and let k parallel KGSPsutilize their individual share to generate partial privatekeys. After that an additional key combination phaseis performed at authority side to avoid malicious col-laboration between at most k − 1 KGSPs and users.Moreover, we use the idea of “ringer” [5] and appendingredundancy to fight against the dishonest actions ofKGSPs and DSP. As far as we know, this is the first timeconsidering the checkability of outsourced ABE.

1.2 Related Work

The notion of ABE, which was introduced as fuzzyidentity-based encryption in [1], was firstly dealt withby Goyal et al. [6]. Two different and complementarynotions of ABE were defined in [6]: KP-ABE and CP-ABE. A construction of KP-ABE was provided in thesame paper [6], while the first CP-APE constructionsupporting tree-based structure in generic group modelis presented by Bethencourt et al. [7]. Accordingly, sev-eral constructions supporting for any kinds of accessstructures were provided [8][9] for practical applications[10][11]. Concerning revocation of ABE, a delegatablerevocation is proposed in [12] to achieve scalable andfine-grained access control.

To reduce the load at local, it always desires to de-liver expensive computational tasks outside. Actually,the problem that how to securely outsource differentkinds of expensive computations has drew considerableattention from theoretical computer science community.Atallah et al. [13] presented a framework for secureoutsourcing of scientific computations such as matrixmultiplication and quadrature. Nevertheless, the solu-tion used the disguise technique and thus leaded toleakage of private information. Atallah and Li [14] in-vestigated the problem of computing the edit distancebetween two sequences and presented an efficient pro-tocol to securely outsource sequence comparison withtwo servers. Furthermore, Benjamin and Atallah [15]addressed the problem of secure outsourcing for widelyapplicable linear algebraic computations. Nevertheless,the proposed protocols required the expensive opera-tions of homomorphic encryption. Atallah and Frikken[16] further studied this problem and gave improvedprotocols based on the so-called weak secret hidingassumption. Recently, Wang et al. [17] presented efficientmechanisms for secure outsourcing of linear program-ming computation.

We note that though several schemes have been in-troduced to securely outsource kinds of expensive com-putations, they are not suitable for reliving ABE com-putational overhead of exponentiation at user side. Toachieve this goal, the traditional approach is to utilizeserver-aided techniques [18][19][20]. However, previouswork are oriented to accelerating the speed of exponen-tiation using untrusted servers. Directly utilizing thesetechniques in ABE will not work efficiently. Another ap-proach might be to leverage recent general outsourcingtechnique or delegating computation [21][22][23][24][25]based on fully homomorphic encryption or interactiveproof system. However, Gentry [25] has shown thateven for weak security parameters on “bootstrapping”operation of the homomorphic encryption, it would takeat least 30 seconds on a high performance machine.Therefore, even if the privacy of the input and outputcan be preserved by utilizing these general techniques,the computational overhead is still huge and impractical.

Another several related work similar to us are [4][26][3][27]. In [3], a novel paradigm for outsourcingthe decryption of ABE is provided while in [4][26] theauthors presented the ABE schemes which allow tosecurely outsource both decryption and encryption tothird party service providers. Compared with our work,the two lack of the consideration on the eliminating theoverhead computation at attribute authority. Addition-ally, we consider a security and functionality enhancedconstruction enabling checkability on returned results.Recently Lai et al. [28] proposed a concrete constructionfor ABE with verifiable decryption, which achieves ver-ifiability without random oracles. Their work appendsa redundancy with ciphertext and uses this redundancyfor correctness checking. We emphasize that comparedwith our scheme their construction does not consider

3

Acronym Description

AA attribute authorityKGSP key generation service providerDSP decryption service providerSSP storage service provider

TABLE 1Notations Used in This Paper

to offload the overhead computation at authority byoutsourcing key-issuing.

1.3 Organization

This paper is organized as follows. In Section 2 wedescribe some preliminaries. In Section 3, we presentthe system model and security definition. The proposedconstruction and its security analysis are presented inSection 4. In Section 5, we consider a both security andfunctionality enhanced construction under RDoC model.The performance analysis for the schemes are given inSection 6. Finally, we draw conclusion in Section 7.

2 PRELIMINARY

In this section, we define the notations used in this paperand review some cryptographic background.

2.1 Notations

The notations used in this paper are listed in TABLE 1.

2.2 Cryptographic Background

In this paper, we use the bilinear pairings on ellipticcurves. We now give a brief review on the propertyof pairing and the candidate hard problem that will beused.

Definition 1 (Bilinear Map): Let G,GT be cyclic groupsof prime order q, writing the group action multiplica-tively. g is a generator of G. Let e : G × G → GT be amap with the following properties:• Bilinearity: e(ga1 , gb2) = e(g1, g2)ab for all g1, g2 ∈ G,

and a, b ∈R Zq ;• Non-degeneracy: There exists g1, g2 ∈ G such thate(g1, g2) 6= 1, in other words, the map does not sendall pairs in G×G to the identity in GT ;

• Computability: There is an efficient algorithm to com-pute e(g1, g2) for all g1, g2 ∈ G.

Definition 2 (DBDH Problem): The decision BilinearDiffie-Hellman (DBDH) problem is that, given g, gx, gy ,gz ∈ G for unknown values x, y, z ∈R Zq , and T ∈R GT ,to decide if T = e(g, g)xyz .

We say that the (t, ε)-DBDH assumption holds in Gif no t-time algorithm has probability at least 1

2 + ε insolving the DBDH problem for non-negligible ε.

Fig. 1. System Model for Outsourced ABE Scheme

3 SYSTEM MODEL AND SECURITY DEFINI-TION

3.1 System Model

We present the system model for outsourced ABEscheme in Fig. 1. Compared with the model for typicalABE, a KGSP and a DSP are additionally involved.• KGSP is to perform aided key-issuing computation

to relieve AA load in a scale system when a largenumber of users make requests on private key gen-eration and key-update.

• DSP is to complete delegated expensive operationsto overcome the disadvantage that the decryptionphase in typical ABE requires a large number ofoverload operations at U.

Following the custom in [3], we denote (Ienc, Ikey) asthe input to encryption and key generation. In CP-ABEscheme, (Ienc, Ikey) = (A, ω) while that is (ω,A) in KP-ABE, where ω and A are attribute set and access struc-ture, respectively. Then, based on the proposed systemmodel, we provide algorithm definitions as follows.• Setup(λ) : The setup algorithm takes as input – a

security parameter λ. It outputs a public key PKand a master key MK.

• KeyGeninit(Ikey,MK) : For each user’s private keyrequest, the initialization algorithm for delegatedkey generation takes as input – an access policy (orattribute set) Ikey and the master key MK. It outputsthe key pair (OKKGSP, OKAA).

• KeyGenout(Ikey, OKKGSP) : The delegated key gener-ation algorithm takes as input – the access structure(or attribute set) Ikey and the key OKKGSP for KGSP.It outputs a partial transformation key TKKGSP.

• KeyGenin(Ikey, OKAA) : The inside key generationalgorithm takes as input – the access structure (orattribute set) Ikey and the key OKAA for attributeauthority. It outputs another partial transformationkey TKAA.

• KeyBlind(TK) : The transformation key blindingalgorithm takes as input – the transformation keyTK = (TKKGSP, TKAA). It outputs a private keySK and a blinded transformation key T̃K.

• Encrypt(M, Ienc) : The encryption algorithm takes asinput – a message M and an attribute set (or access

4

Fig. 2. Adversary Model for Outsourced ABE Scheme

structure) Ienc to be encrypted with. It outputs theciphertext CT .

• Decryptout(CT, T̃K) : The delegated decryption al-gorithm takes as input – a ciphertext CT which wasassumed to be encrypted under the attribute set (oraccess structure) Ienc and the blinded transformationkey T̃K for access structure (or attribute set) Ikey. Itoutputs the partially decrypted ciphertext CTpart ifγ(Ikey, Ienc) = 1, otherwise outputs ⊥, where γ(·, ·)is a predicate predefined.

• Decrypt(CTpart, SK) : The decryption algorithmtakes as input – the partially decrypted ciphertextCTpart and the private key SK. It outputs the orig-inal message M .

3.2 Security DefinitionIn this work, we assume that all the entities exceptAA are “honest-but-curious”. More precisely, they willfollow our proposed protocol but try to find out asmuch private information as possible based on theirpossessions. The adversary model described in Fig. 2is considered. More precisely, since KGSP and U re-spectively owns the knowledge of OKKGSP for KGSPand user’s private key, they are considered as activeattackers which are allowed to collude with DSP andSSP to launch harmful attack separately. Following thisconsideration, two types of adversaries are categorized.• Type-I adversary defined as a group of curious users

colluding with SSP and DSP, is able to potentiallyaccess private keys for all the corrupted users, allthe ciphertext stored at SSP, all the blinded transfor-mation keys stored at DSP, etc, and aims to decryptciphertext intended for users not in the group.

• Type-II adversary defined as KGSP colluding withSSP and DSP, is able to potentially access all thekeys for KGSP, all the ciphertexts stored at SSP, allthe blinded transformation keys stored at DSP, etc,and aims to decrypt any ciphertext.

Having this intuition, we follow the RCCA (replayablechosen ciphertext attack) security in [29][3] to defineRCCA security. For saving space, we just show thedefinition of RCCA security here, and the detailed gamecan be refered to Appendix A.

Definition 3 (RCCA Security): An outsourced CP-ABEor KP-ABE scheme with delegated key generation and

decryption is secure against replayable chosen-ciphertextattack if all polynomial time adversaries have at most anegligible advantage in the RCCA security game for bothtype-I and type-II adversaries.

4 PROPOSED CONSTRUCTION

4.1 Access Structure

Definition 4 (Access Structure): Let {P1, . . . , Pn} be aset of parties. A collection A ⊆ 2{P1,P2,...,Pn} is monotoneif ∀B,C : if B ∈ A and B ⊆ C then C ∈ A. An accessstructure (or monotone access structure) is a collection(or monotone collection) A of non-empty subsets of{P1, P2, . . . , Pn}. The sets in A are called authorized sets.

Furthermore, we could define the predicate γ(·, ·) asfollows.

γ(ω,A) =

{1 if ω ∈ A0 otherwise

(1)

In this paper, the role of the party is taken by theattributes. Thus, the access structure A will contain theauthorized sets of attributes. Specifically, our construc-tion supports for access structure described as A = {ω ⊆U : |ω ∩ ω∗| ≥ d} where U is the attribute universe, ωand ω∗ are attribute sets and d is a predefined thresholdvalue.

For simplicity, we will take user’s attribute set to inputto key generation instead of his access structure which isdifferent from our definition in section III.A. We note thatsuch substitution is trivial since user is easy to computehis access structure with the individual attribute set.Furthermore, we deliver the decision for access controlto γ(·, ·) and redefine such predicate as follows.

γd(ω, ω∗) =

{1 if |ω ∩ ω∗| ≥ d0 otherwise

(2)

4.2 Intuition for Proposed Construction

The challenge for constructing outsourced ABE schemeis the realization of delegated key generation and de-cryption.• To outsource private key generation, we utilize a

hybrid key policy Policy = PolicyKGSP ∧ PolicyAA inproposed construction, where ∧ is an AND gate con-necting two sub-policies PolicyKGSP and PolicyAA.PolicyKGSP is for the request attribute set which willbe performed at KGSP while PolicyAA is a trivialpolicy controlled by AA. The reason that we say it istrivial is that a single default attribute θ is appendedwith each request attribute set, which has no effecton the global access control policy. Using this trick,we are allowed to randomly generate an outsourc-ing key (which is OKKGSP in our construction) todelegate partial key generation operation to KGSPwithout master or private key leakage.

• To outsource decryption, we make use of the idea in[4] by choosing a random “blinding factor” (which

5

is t in our construction) to produce blinded trans-formation key which is able to be sent to DSPto perform decryption partially instead of privatekey itself. This skill allows us to delegate partialdecryption operation to DSP without private key ororiginal message leakage.

4.3 Construction

Before providing our construction, we define the La-grange coefficient ∆i,S for i ∈ Zq and a set S of elementsin Zq : ∆i,S =

∏j∈S,j 6=i

x−ji−j . Our scheme is based on

ABE in [1] which shares the same access formula. Themessage space for our construction is GT . Actually, usingthe hybrid encryption technique, we can easily extend itto support for message space consisting of {0, 1}∗. Theconstruction in detail is shown as follows.

• Setup(λ) : First, define the attributes in universe U aselements in Zq . For simplicity, let n = |U| and we cantake the first n elements in Zq (i.e. 1, 2, . . . , n mod q)to be the universe. Next, select a generator g ∈R Gand an integer x ∈R Zq , and set g1 = gx. Then,pick elements g2, h, h1, . . . , hn ∈R G. Finally, outputthe public key PK = (g, g1, g2, h, h1, . . . , hn) and themaster key MK = x.

• KeyGeninit(ω,MK) : For each user’s private keyrequest on ω, select x1 ∈R Zq and set x2 = x −x1 mod q. Finally output OKKGSP = x1 as theoutsourcing key for KGSP and OKAA = x2 forattribute authority itself.

• KeyGenout(ω,OKKGSP) : Randomly select a d − 1degree polynomial q(·) such that q(0) = x1. Then,for each i ∈ ω, choose ri ∈R Zq , and computedi0 = g

q(i)2 · (g1hi)

ri and di1 = gri . Finally, outputTKKGSP = ({di0, di1}i∈ω).

• KeyGenin(ω,OKAA) : Select rθ ∈R Zq and computedθ0 = gx2

2 · (g1h)rθ and dθ1 = grθ . Finally, outputTKAA = (dθ0, dθ1).

• KeyBlind(TK = (TKKGSP, TKAA)) : Select t ∈R Zq ,and compute T̃K = ({dti0, dti1}i∈ω∪{θ}). Finally, out-put SK = (t, TK) and T̃K.

• Encrypt(M,ω′) : Firstly, select a random numbers ∈R Zq . Then, compute C0 = M · e(g1, g2)s,C1 = gs, Eθ = (g1h)s and Ei = (g1hi)

s fori ∈ ω′. Finally, publish the ciphertext as CT =(ω′ ∪ {θ}, C0, C1, {Ei}i∈ω′∪{θ}).

• Decryptout(CT, T̃K) : Suppose that a ciphertext CTis encrypted under an attribute set ω′ and we havea blinded transformation key T̃K for attribute setω, which satisfies the restriction that γd(ω, ω′) = 1.Then, outsourced decryption proceeds as follows.Firstly, an arbitrary d-element subset set S ⊆ ω ∩ ω′is selected. Then, the partially decrypted ciphertextis computed as follows.

CTpart =e(C1, d

tθ0)

∏i∈S e(C1, d

ti0)∆i,S(0)

e(dtθ1, Eθ)∏i∈S e(d

ti1, Ei)

∆i,S(0)

= e(g, g2)stx2e(g, g2)st∑i∈S q(i)∆i,S(0)

= e(g, g2)stx2e(g, g2)stx1

= e(g1, g2)st (3)

• Decrypt(CTpart, SK) : Completely decrypt the ci-phertext as follows.

C0

(CTpart)1t

=M · e(g1, g2)s

[e(g1, g2)st]1t

=M · e(g1, g2)s

e(g1, g2)s= M (4)

4.4 Security AnalysisTheorem 1: The outsourced ABE scheme is indistin-

guishable secure against chosen-plaintext attack in se-lective model under DBDH assumption.

Proof: Please refer to this proof in Appendix B.

4.5 Practical ConsiderationWe can consider to utilize our construction in hybridclouds. More precisely, KGSP is maintained as a privatecloud with high trust to deal with sensitive information,but leaving SSP and DSP as public cloud to providepublic storage and computation service respectively. Ac-tually, this type of hybrid setting has become more andmore attractive as many organizations are moving to thepublic cloud due to its benefit of highly available andscalable resources but still want to store and process thecritical data in the private cloud.

We provide the working process of proposed construc-tion for outsourced key generation and decryption in Fig.3.

In the outsourced key generation, AA and KGSPare allowed to perform computation to produce par-tial transformation key for customized and defaultattributes. Specifically, after producing the key pair(OKKGSP, OKAA) with KeyGeninit(ω,MK), two individ-ual phase can be executed simultaneously. i) At KGSP,OKKGSP is involved to generate partial transformationkey for customized attribute set ω. ii) At AA, OKAA

is involved to generate the other partial transformationkey for default attribute θ. The parallel computation isbenefit for improving efficiency in key generation forABE system.

In the outsourced decryption, user firstly fetches ci-phertext from SSP and computes the intersection subsetS locally. Therefore, only a partial ciphertext, blindedtransformation key and intersection subset need to bedelivered to DSP to perform partial decryption. Alter-natively, it allows another scenario, in which after keygeneration user directly sends his attribute set ω andcorresponding blinded transformation key T̃K to DSP tobe stored. In this case, the DSP performs a role as proxy,

6

KGSP AA U

(a) Outsourced Key Generation

DSP U SSP

(b) Outsourced Decryption

Fig. 3. Outsourced Key Generation and Decryption

who can automatically retrieve ciphertexts that user isinterested in and forward to him partially decrypted one.The DSP could be the user’s mail server, or the sameentity along with SSP in cloud environment.

5 ANOTHER CONSTRUCTION WITH CHECKA-BILITY

We observe that in the commercial cloud computing,for saving computation or bandwidththe, CSPs may beselfish to execute only a fraction of delegated operationand return result incorrectly. The dishonest action ofCSPs may cause users obtain incorrect keys or messages.We also point out that our first construction providesprovable secrecy in the sense that KGSP is maintainedas a private cloud with high trust. By this, we meanthat an untrusted KGSP is able to collaborate withuser to fake private key to enhance his “power”. Moreprecisely, Suppose a user and the KGSP collude together.They are able to obtain OKKGSP = x1 and {dθ0, dθ1}corresponding to this user. With this possession, they cangenerate TK ′KGSP for target attribute set ω′ and joint itwith {dθ0, dθ1} to obtain the faked TK ′ . Using this one,ciphertext satisfied by ω′ can be decrypted.

Therefore, in this section, aiming at providing check-ability as well as reducing the trust on KGSP, we pro-

pose another construction under the widely used RDoCmodel.

5.1 Outsourced ABE in Refereed Delegation of Com-putation Model

RDoC model originates from the model of refereedgames in [30], and is later formalized in [20][31]. InRDoC model, the client is able to interact with multipleservers and it has a right output as long as there existsone server that follows the proposed protocol. One of themost advantages of RDoC over traditional model withsingle server is that the security risk on the single serveris reduced to multiple servers involved in. As the resultof both the practicality and utility, RDoC model recentlyhas been widely utilized in the literature of outsourcedcomputation [20][31][32][33][16].

To reduce the trust on KGSP, we will consider theoutsourced ABE system in RDoC model, in which kKGSPs cooperatively work together to provide AA withthe key generation service (k− 1 are malicious at most).In this case, an additional collusion between user andat most k − 1 malicious KGSPs is allowed. Then, thetwo types adversaries defined in Section III.B are semi-merged together and able to obtain OKKGSP[i] for mali-cious KGSP[i], private keys for all the corrupted users,

7

all the blinded transformation keys stored at DSP andso on, where i = 1, 2, . . . , k − 1.

Having this intuition above, we can redefine the se-curity definition of our setting for RDoC model. Thechallenger will maintain the table T , set D and integerj to provide the adversary with three type of oracles (ifRCCA is considered OM (·) should be added).• OOKKGSP

(Ikey, b): Challenger sets j = j+ 1 and runskey generation (including key blinding) completelyfor Ikey to obtain SK, {OKKGSP[i]}ki=1 and T̃K. Afteradding the entry (j, Ikey, SK, {OKKGSP[i]}ki=1, T̃K)into T , return {OKKGSP[i]}ki=1,i6=b.

• OT̃K

(i): The challenger checks whether the entry(i, Ikey, SK, {OKKGSP[j]}kj=1, T̃K) exists in T , if soreturn T̃K; otherwise return ⊥.

• OSK(i): The challenger checks whether the entry(i, Ikey, SK, {OKKGSP[j]}kj=1, T̃K) exists in T , if soset D = D∪{Ikey} and return SK, otherwise return⊥.

5.2 Intuition for Proposed ConstructionFor simplicity, we only consider and provide the secondconstruction with two KGSPs. The key challenge for oursecond construction exists in two folds.• One is how to prevent from the collusion between

the user and the malicious KGSP. Our solution isto intelligently extend the hybrid policy trick inthe first construction. Specifically, in addition tobuilding an AND gate between PAA and PKGSP, weintroduce a (2, 2)-secret sharing on PKGSP and makeeach KGSP only know its own share OKKGSP[i] fori = 1, 2. In this sense, even if user collude with aKGSP and obtain {OKKGSP[i]} for i = 1 or 2, hecannot recover the secret (which is actually x1 inour construction) to serve the devil.

• The other is how to detect the dishonest action fromKGSPs and DSP beyond collusion. To fight againstit,

– we extend the idea of “ringer” [5] to our settingto convince that KGSPs do indeed perform allthe computations that were outsourced to them.More precisely, AA generates a random value(d − 1)-degree polynomial qRG(·) and sends italong with qKGSP[i](·) in a random order toKGSP[i]. Each KGSP generates partial transfor-mation key using both qRG(·) and qKGSP[i](·),and AA detects the dishonest action by check-ing all the partial transformation key computedfrom qRG(·) (to make sure that all the honestKGSPs will obtain the same result from OKRG

in a honest computation, the random values{ri} for qRG(·) should be selected by AA inadvance).

– In addition, we detect the dishonest action of amalicious DSP by adding redundancy. Specifi-cally, we can require that all the users in the sys-tem agree on a redundancy 0k (i.e., a k-length

0 bit string) and append it with original mes-sage in each encryption. Then, after performingcomplete decryption to obtain the plaintext, theuser can detect the dishonest action of DSP bychecking the redundency.

5.3 The Construction under RDoC Model

We provide our second construction with two KGSPs asfollows.• Setup(λ) : It is similar to the same algorithm in

our previous construction but an integer k shouldbe agreed in public key. Specifically, the PK ={g, g1, g2, h, h1, . . . , hn, k} and MK = x are output.

• KeyGeninit(ω,MK) : For each user’s private keyrequest on ω, AA picks x11, x12 ∈R Zq and setsOKKGSP[1] = x11, OKKGSP[2] = x12 and OKAA =x2 = x−x11−x12 mod q. Next, select (d−1)-degreerandom polynomials qKGSP[1](·) and qKGSP[2](·) withthe restrictions: i) let ω′ be any (d − 1)-elementsubset of ω, qKGSP[1](i) = qKGSP[2](i) for eachi ∈ ω′; ii) qKGSP[1](0) = x11; iii) qKGSP[2](0) =x12. Thirdly, to enable convincing the dishonestaction of KGSPs later, select another random poly-nomial qRG(·). Furthermore, for each i ∈ ω, pickrKGSP[1],i, rKGSP[2],i, rRG,i ∈R Zq with the restrictionthat rKGSP[1],j = rKGSP[2],j where j ∈ ω′. Finally,AA sends (S[1]REAL, SRG) and (S[2]REAL, SRG) toKGSP[1] and KGSP[2] respectively, where the pairS[j]REAL = (qKGSP[j](·), {rKGSP[j],i}i∈ω) and SRG =(qRG(·), {rRG,i}i∈ω) for j = 1, 2. We emphasizethat in the both communications S[·]REAL and SRG

should be sent in random orders to avoid KGSPsknowing which one is really to be computed forpartial transformation key.

• KeyGenout(S[j]REAL, SRG) : KGSP[j] generates par-tial transformation key for both qKGSP[j](·) andqRG(·). More precisely, KGSP[j] computes

TKKGSP[j] = ({d[j]i0, d[j]i1}i∈ω)

where d[j]i0 = gqKGSP[j](i)2 (g1hi)

rKGSP[j],i , d[j]i1 =grKGSP[j],i and

TKRGj = ({d[RGj ]i0, d[RGj ]i1})

where d[RGj ]i0 = gqRG(i)2 (g1hi)

rRG,i , d[RGj ]i1 =grRG,i , and sends (TKKGSP[j], TKRGj ) to AA in itsreceiving order.

• KeyGenin(ω,OKAA) : Similar to the same algorithmdescribed in our basic construction, AA selectsrθ ∈R Zqand computes dθ0 = gx2

2 · (g1h)rθ anddθ1 = grθ . Finally output TKAA = ({dθ0, dθ1}).

• KeyCheck(TKKGSP[1], TKRG1 , TKKGSP[2], TKRG2) :AA checks that both KGSPs produce the correctoutputs, i.e., d[1]j0 = d[2]j0, d[1]j1 = d[2]j1 for allj ∈ ω′ and d[RG1]i0 = d[RG2]i0, d[RG1]i1 = d[RG2]i1for all i ∈ ω. After that, continue to combine thepartial transformation key together by computing

8

di0 = d[1]i0 · d[2]i0 and di1 = d[1]i1 · d[2]i1 for alli ∈ ω. Finally output the complete transformationkey TK = ({di0, di1}i∈ω∪{θ}).

• KeyBlind(TK) : It is identical to the same algorithmin our previous construction and outputs SK =

(t, TK) and T̃K.• Encrypt(M,ω′) : User firstly appends the messageM to be encrypted with a redundancy 0k to obtainMT = M ||0k where || is the concatenation of string.Then, the rest is identical to the same algorithm inthe first construction but to encrypt MT . Finally, out-put CT = (ω′∪{θ},MT e(g1, g2)s, gs, {g1hi}i∈ω′ , g1h).

• Decryptout(CT, T̃K) : It is identical to the same algo-rithm in previous construction and outputs CTpart =e(g1, g2)st.

• Decrypt(CTpart, SK) : It is identical to the samealgorithm in previous construction except that thedishonest action of DSP should be detected throughchecking redundancy. Specifically, by executing thedecryption algorithm in previous construction, MT

is obtained. The user continues to check whethera redundancy 0k is appended with MT . If so (i.e.,MT = M ||0k), M is obtained through truncation;otherwise, a dishonest action of DSP is detected.

5.4 Analysis

Our second construction has almost the same efficiencywith the first one. Specifically, in key-issuing, though an-other key combination operation is required at attributeauthority side, it costs mutiplications for |ω| times, whichis negligible using the modern devices.

Then, we provide the security analysis below.Theorem 2: The second construction is secure against

chosen-plaintext attack in the sense of the security defi-nition modified in Section 5.1 under DBDH assumption.

Proof: Please refer to the proof in Appendix C.

5.5 Checkability

Beyond outsourced key generation and decryption, thecheckability on KGSP is supported in our second con-struction. Specifically, since KGSP[1] (or KGSP[2]) cannotdistinguish the outsourced private key generation fromthe two outsourced tasks. If KGSP[1] (KGSP[2]) failsduring any execution of KeyGenout(·), it will be detectedwith probability d−1+|ω|

2|ω| which is not less than 12 . In

addition, through appending redundancy, the dishonestaction of DSP can be easily detected in our construction.

6 PERFORMANCE ANALYSIS

In this Section, we provide the performance analysisfrom both theoretical calculation and empirical evalu-ation of our main construction in Section 4.3.

6.1 Efficiency AnalysisWe compare our scheme with the original ABE [1] andthe state-of-the-art [3][4] in TABLE 2. We use EXP todenote a multi-based exponentiation operation in G andP the pairing operation. We assume one multi-basedexponentiation multiplies up to 2 single-based exponen-tiations and takes roughly the same time as single-basedexponentiations. ω and d denotes the attribute set andthreshold value respectively.

To the best of our knowledge, the outsourced keygeneration in ABE has not been considered before andour scheme is the first construction achieving this prop-erty. Following our terminology, the number of expo-nentiations in the group G for AA is reduced to two,while in other ABE schemes [1][3][4], it is linear with thenumber of attributes in the request set (i.e. 2|ω|). Actuallyin our construction, the exponentiation computation isdelivered to KGSP and requester. More precisely, afterobtaining the transformation key from AA, the requestermust spend |ω|+1 exponentiations on generating privatekey and blinded transformation key.

In decryption, a trick similar to [3][4] is used in ourscheme and the three schemes achieve the identicalefficiency: all the pairing operations are delivered toDSP and the computational cost of decryption for useris constant, only one exponentiation operation. Whereasthe original ABE scheme [1] requires 2d pairing as wellas 2d exponentiation operations for a single decryption,where d is the threshold value.

Concerning on the communication complexity in ourscheme, user has to send a private key request to AA andreceive 2|ω| + 2 elements in G. Furthermore, he is ableto send blinded transformation key (as well as 2|ω| + 2elements in G) to DSP to perform partially decryptionin future. In general, an element in G is set to be 160-bit long for 280 security. The data transferred among thecloud service providers, AA and user is tens of KBs atmost, which can be processed efficiently.

6.2 ExperimentNote that in order to precisely measure the overhead ofoutsourced and local computation, all the computationsinvolving our construction are performed in an identicalenvironment, that is on a Linux Mint 13 machine withIntel(R) Core(TM)2 Duo CPU clocked at 2.40 GHz and 2GB of system memory.

Generally, as shown in Fig. 4, it is not surprising tosee that our outsourced construction totally takes moretime than the original ABE scheme. This is because theoutsourcing computation cannot be realized in the man-ner of “one plus one equals two”, and some additionalcost should be paid for preserving privacy.

Fig. 4(a) illustrates the efficiency comparison betweenour outsourced construction and original ABE in setupphase. Compared with the original scheme, our construc-tion requires an additional initialization of the defaultattribute, leading to its slowness. Similarly, our key

9

Schemes Key generation (AA) Key generation (KGSP) Decryption (U) Decryption (DSP)

original ABE [1] 2|ω|EXP – 2dP+2dEXP –outsourced ABE in [3] 2|ω|EXP – EXP 2dP+2dEXPoutsourced ABE in [4] 2|ω|EXP – EXP 2dP+2dEXPoutsourced ABE in this paper 2EXP 2|ω|EXP EXP 2dP+2dEXP

The symbol ‘–’ denotes that this property is not considered in the corresponding scheme.TABLE 2

Efficiency Comparison

0

1 0 0

2 0 0

3 0 0

4 0 0

5 0 0

1 0 07 05 03 0

Time C

ost (m

s)

N u m b e r o f A t t r i b u t e s i n U n i v e r s e

A A i n O r i g i n a l A B E A A i n O u t s o u r c e d A B E

1 0

(a) Setup

0

2 5 0

5 0 0

7 5 0

1 0 0 0

1 2 5 0

1 0 07 05 03 0

Time C

ost (m

s)

N u m b e r o f A t t r i b u t e s i n P r i v a t e K e y R e q u e s t

A A i n O r i g i n a l A B E K G S P i n O u t s o u r c e d A B E A A i n O u t s o u r c e d A B E

1 0

(b) Key Generation

0

1 0 0

2 0 0

3 0 0

4 0 0

5 0 0

1 0 07 05 03 0

Time C

ost (m

s)

N u m b e r o f A t t r i b u t e s i n E n c r y p t i o n P o l i c y

U s e r i n O r i g i n a l A B E U s e r i n O u t s o u r c e d A B E

1 0

(c) Encryption

0

5 0

1 0 0

1 5 0

2 0 0

2 5 0

3 0 0

3 5 0

4 0 0

1 0 07 05 03 0

Time C

ost (m

s)

N u m b e r o f A t t r i b u t e s i n U s e r ’ s P r i v a t e K e y

U s e r i n O u t s o u r c e d A B E

1 0

(d) Key Blinding

0

2 0 0

4 0 0

6 0 0

5 03 01 51 0

Time C

ost (m

s)

T h r e s h o l d V a l u e

U s e r i n O r i g i n a l A B E D S P i n O u t s o u r c e d A B E U s e r i n O u t s o u r c e d A B E

5

(e) Decryption

Fig. 4. Evaluation of Our Main Construction

generation time in total (i.e., including the time costat both AA and KGSP) is relatively longer than thatof the original scheme (as shown in Fig. 4(b)). Thisis because key generation for user’s real attributes aredelegated to KGSP, while a default attribute is controlledby AA at local. Compared with the original scheme, ouroutsourced construction involves the computation foran additional one attribute (i.e., the default attribute).Fortunately, owing to outsourced computation, the com-putation cost at AA side is reduced to constant (nearlythree single-based modular exponentiations in G). Fileencryption in the outsourced construction is also slowerthan the original scheme because the default attribute isrequired to be naturally embedded in encryption policy.

Regarding to decryption, our construction requires thekey blinding phase which is not demanded in originalscheme. As shown in Fig. 4(d), the key blinding coststime on ms level. But we point out that the key blindingcan be realized in amortized model. Specifically, useris able to run the key blinding process just once, andthen enjoy his/her efficient local decryption. Fig. 4(e)

demonstrates the decryption efficiency comparison for avarying threshold value. Though our outsourced schemetakes more time in total, user just needs to pool theshadow in the partial decrypted ciphertext, which in-volves one modular exponentiation and division in GT .

To sum up, our outsourced construction achieves ef-ficiency at both AA and user sides during key-issuingand decryption without introducing significant overheadcompared to the original approach (our execution timeis still within ms).

7 CONCLUSION

We provide a new outsourced ABE scheme simultane-ously supporting outsourced key-issuing and decryp-tion. With the aid of KGSP and DSP, our scheme achievesconstant efficiency at both authority and user sides. Inaddition, we provide a trust-reduced construction withtwo KGSPs which is secure under recently formulizedRDoC model. Unlike the state-of-the-art outsourcedABE, checkability is supported by this construction. Thesecurity of proposed schemes have been analyzed and

10

given in this paper. Experimental results demonstratethat our constructions are efficient and practical.

REFERENCES

[1] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” inAdvances in Cryptology - EUROCRYPT 2005, ser. Lecture Notes inComputer Science, R. Cramer, Ed. Springer Berlin / Heidelberg,2005, vol. 3494, pp. 457–473.

[2] D. Zeng, S. Guo, and J. Hu, “Reliable bulk-data disseminationin delay tolerant networks,” IEEE Transactions on Parallel andDistributed Systems, 2013.

[3] M. Green, S. Hohenberger, and B. Waters, “Outsourcing thedecryption of ABE ciphertexts,” in Proceedings of the 20th USENIXconference on Security, ser. SEC’11. Berkeley, CA, USA: USENIXAssociation, 2011, pp. 34–34.

[4] Z. Zhou and D. Huang, “Efficient and secure data storage oper-ations for mobile cloud computing,” Cryptology ePrint Archive,Report 2011/185, 2011.

[5] P. Golle and I. Mironov, “Uncheatable distributed computations,”in Proceedings of the 2001 Conference on Topics in Cryptology: TheCryptographer’s Track at RSA, ser. CT-RSA 2001. London, UK,UK: Springer-Verlag, 2001, pp. 425–440.

[6] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-basedencryption for fine-grained access control of encrypted data,” inProceedings of the 13th ACM conference on Computer and communi-cations security, 2006, pp. 89–98.

[7] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policyattribute-based encryption,” in IEEE Symposium on Security andPrivacy 2007, may 2007, pp. 321–334.

[8] L. Cheung and C. Newport, “Provably secure ciphertext policyABE,” in Proceedings of the 14th ACM conference on Computer andcommunications security, ser. CCS ’07, 2007, pp. 456–465.

[9] T. Nishide, K. Yoneyama, and K. Ohta, “Attribute-based encryp-tion with partially hidden encryptor-specified access structures,”in Applied Cryptography and Network Security, ser. Lecture Notesin Computer Science, S. Bellovin, R. Gennaro, A. Keromytis, andM. Yung, Eds. Springer Berlin / Heidelberg, 2008, vol. 5037, pp.111–129.

[10] F. Han, J. Qin, H. Zhao, and J. Hu, “A general transformationfrom kp-abe to searchable encryption,” Future Generation ComputerSystems, 2013.

[11] H. Zhao, J. Qin, and J. Hu, “Energy efficient key managementscheme for body sensor networks,” IEEE Transactions on Paralleland Distributed Systems, vol. 24, no. 11, pp. 2202–2210, 2013.

[12] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable,and fine-grained data access control in cloud computing,” inProceedings of the 29th conference on Information communications, ser.INFOCOM’10. Piscataway, NJ, USA: IEEE Press, 2010, pp. 534–542.

[13] M. J. Atallah, K. Pantazopoulos, J. R. Rice, and E. E. Spafford,“Secure outsourcing of scientific computations,” in Trends in Soft-ware Engineering, ser. Advances in Computers, M. V. Zelkowitz,Ed. Elsevier, 2002, vol. 54, pp. 215 – 272.

[14] M. J. Atallah and J. Li, “Secure outsourcing of sequence com-parisons,” International Journal of Information Security, vol. 4, pp.277–287, 2005.

[15] D. Benjamin and M. J. Atallah, “Private and cheating-free out-sourcing of algebraic computations,” in Proceedings of the 2008Sixth Annual Conference on Privacy, Security and Trust, ser. PST ’08.Washington, DC, USA: IEEE Computer Society, 2008, pp. 240–245.

[16] M. J. Atallah and K. B. Frikken, “Securely outsourcing linear al-gebra computations,” in Proceedings of the 5th ACM Symposium onInformation, Computer and Communications Security, ser. ASIACCS’10. New York, NY, USA: ACM, 2010, pp. 48–59.

[17] C. Wang, K. Ren, and J. Wang, “Secure and practical outsourcingof linear programming in cloud computing,” in IEEE InternationalConference on Computer Communications (INFOCOM), 2011, pp.820–828.

[18] K. Bicakci and N. Baykal, “Server assisted signatures revisited,” inTopics in Cryptology - CT-RSA 2004, ser. Lecture Notes in ComputerScience, T. Okamoto, Ed. Springer Berlin / Heidelberg, 2004, vol.2964, pp. 1991–1992.

[19] M. Jakobsson and S. Wetzel, “Secure server-aided signature gen-eration,” in Public Key Cryptography, 2001, pp. 383–401.

[20] S. Hohenberger and A. Lysyanskaya, “How to securely outsourcecryptographic computations,” in Theory of Cryptography, ser. Lec-ture Notes in Computer Science, J. Kilian, Ed. Springer Berlin /Heidelberg, 2005, vol. 3378, pp. 264–282.

[21] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum, “Delegatingcomputation: interactive proofs for muggles,” in Proceedings of the40th annual ACM symposium on Theory of computing, ser. STOC ’08.New York, NY, USA: ACM, 2008, pp. 113–122.

[22] C. Gentry, “Fully homomorphic encryption using ideal lattices,”in Proceedings of the 41st annual ACM symposium on Theory ofcomputing, ser. STOC ’09. New York, NY, USA: ACM, 2009, pp.169–178.

[23] R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiablecomputing: Outsourcing computation to untrusted workers,” inAdvances in Cryptology - CRYPTO 2010, ser. Lecture Notes inComputer Science, T. Rabin, Ed. Springer Berlin / Heidelberg,2010, vol. 6223, pp. 465–482.

[24] K.-M. Chung, Y. Kalai, F.-H. Liu, and R. Raz, “Memory dele-gation,” in Advances in Cryptology - CRYPTO 2011, ser. LectureNotes in Computer Science, P. Rogaway, Ed. Springer Berlin /Heidelberg, 2011, vol. 6841, pp. 151–168.

[25] C. Gentry and S. Halevi, “Implementing gentry’s fully-homomorphic encryption scheme,” in Advances in Cryptology -EUROCRYPT 2011, ser. Lecture Notes in Computer Science, K. Pa-terson, Ed. Springer Berlin / Heidelberg, 2011, vol. 6632, pp.129–148.

[26] J. Li, C. Jia, J. Li, and X. Chen, “Outsourcing encryption ofattribute-based encryption with mapreduce,” in International Con-ference on Information and Communications Security, ser. LectureNotes in Computer Science. Springer Berlin / Heidelberg, 2012.

[27] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, “Fine-grained accesscontrol system based on outsourced attribute-based encryption,”in 18th European Symposium on Research in Computer Security(ESORICS), 2013.

[28] J. Lai, R. Deng, C. Guan, and J. Weng, “Attribute-based encryptionwith verifiable outsourced decryption,” Information Forensics andSecurity, IEEE Transactions on, vol. 8, no. 8, pp. 1343–1354, 2013.

[29] R. Canetti, H. Krawczyk, and J. Nielsen, “Relaxing chosen-ciphertext security,” in Advances in Cryptology - CRYPTO 2003,ser. Lecture Notes in Computer Science, D. Boneh, Ed. SpringerBerlin / Heidelberg, 2003, vol. 2729, pp. 565–582.

[30] U. Feige and J. Kilian, “Making games short (extended abstract),”in Proceedings of the twenty-ninth annual ACM symposium on Theoryof computing, ser. STOC ’97. New York, NY, USA: ACM, 1997,pp. 506–516.

[31] R. Canetti, B. Riva, and G. Rothblum, “Two protocols for delega-tion of computation,” in Information Theoretic Security, ser. LectureNotes in Computer Science, A. Smith, Ed. Springer Berlin /Heidelberg, 2012, vol. 7412, pp. 37–61.

[32] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithmsfor secure outsourcing of modular exponentiations,” in ComputerSecurity ESORICS 2012, ser. Lecture Notes in Computer Science,S. Foresti, M. Yung, and F. Martinelli, Eds. Springer Berlin /Heidelberg, 2012, vol. 7459, pp. 541–556.

[33] R. Canetti, B. Riva, and G. N. Rothblum, “Practical delegationof computation using multiple servers,” in Proceedings of the 18thACM conference on Computer and communications security, ser. CCS’11. New York, NY, USA: ACM, 2011, pp. 445–454.

ACKNOWLEDGEMENTS

This work is supported by National Natural ScienceFoundation of China (Grant No.61100224, No.61202450,No.61272455), Ph.D. Programs Foundation of Ministryof Education of China (Grant No. 20123503120001), Dis-tinguished Young Scholars Fund of Department of Edu-cation, Fujian Province (JA13062), the Fundamental Re-search Funds for the Central Universities (K50511010001and JY10000901034), and China 111 Project (No. B08038).

11

Jin Li received his B.S. (2002) in Mathemat-ics from Southwest University. He got his Ph.Ddegree in information security from Sun Yat-sen University at 2007. Currently, he works atGuangzhou University as a professor. He hasbeen selected as one of science and technologynew star in Guangdong province. His researchinterests include Applied Cryptography and Se-curity in Cloud Computing. He has publishedover 50 research papers in refereed internationalconferences and journals and has served as the

program chair or program committee member in many internationalconferences.

Xinyi Huang received his Ph.D. degree from theSchool of Computer Science and Software En-gineering, University of Wollongong, Australia,in 2009. He is currently a Professor at the Fu-jian Provincial Key Laboratory of Network Secu-rity and Cryptology, School of Mathematics andComputer Science, Fujian Normal University,China. His research interests include cryptogra-phy and information security. He has publishedover 60 research papers in refereed internationalconferences and journals. His work has been

cited more than 1000 times at Google Scholar. He is in the EditorialBoard of International Journal of Information Security (IJIS, Springer)and has served as the program/general chair or program committeemember in over 40 international conferences.

Jingwei Li received his B.S. in Mathematicsin 2005 from the Hebei University of Technol-ogy, China. He is currently a visiting student(sponsored by The State Scholarship Fund ofChina) in Penn State University. Besides, heis a Ph.D candidate in computer technology inNankai University. His research interests includeapplied cryptography, cloud security.

Xiaofeng Chen received his B.S. and M.S. onMathematics in Northwest University, China. Hegot his Ph.D degree in Cryptography from XidianUniversity at 2003. Currently, he works at XidianUniversity as a professor. His research interestsinclude applied cryptography and cloud comput-ing security. He has published over 80 researchpapers in refereed international conferences andjournals. His work has been cited more than1000 times at Google Scholar. He has served asthe program/general chair or program committee

member in over 20 international conferences.

Yang Xiang received his PhD in Computer Sci-ence from Deakin University, Australia. He iscurrently a full professor at School of InformationTechnology, Deakin University. He is the Directorof the Network Security and Computing Lab(NSCLab). His research interests include net-work and system security, distributed systems,and networking. In particular, he is currentlyleading his team developing active defense sys-tems against large-scale distributed network at-tacks. He is the Chief Investigator of several

projects in network and system security, funded by the Australian Re-search Council (ARC). He has published more than 130 research papersin many international journals and conferences, such as IEEE Trans-actions on Computers, IEEE Transactions on Parallel and DistributedSystems, IEEE Transactions on Information Security and Forensics, andIEEE Journal on Selected Areas in Communications. Two of his paperswere selected as the featured articles in the April 2009 and the July 2013issues of IEEE Transactions on Parallel and Distributed Systems. He haspublished two books, Software Similarity and Classification (Springer)and Dynamic and Advanced Data Mining for Progressing TechnologicalDevelopment (IGI-Global). He has served as the Program/General Chairfor many international conferences such as ICA3PP 12/11, IEEE/IFIPEUC 11, IEEE TrustCom 13/11, IEEE HPCC 10/09, IEEE ICPADS08, NSS 11/10/09/08/07. He has been the PC member for more than60 international conferences in distributed systems, networking, andsecurity. He serves as the Associate Editor of IEEE Transactions onComputers, IEEE Transactions on Parallel and Distributed Systems,Security and Communication Networks (Wiley), and the Editor of Journalof Network and Computer Applications. He is the Coordinator, Asia forIEEE Computer Society Technical Committee on Distributed Processing(TCDP). He is a Senior Member of the IEEE.