Securely Outsourcing Attribute-BasedEncryption with Checkability

Jin Li, Xinyi Huang, Jingwei Li, Xiaofeng Chen, and Yang Xiang, Senior Member, IEEE

Abstract—Attribute-Based Encryption (ABE) is a promising cryptographic primitive which significantly enhances the versatility ofaccess control mechanisms. Due to the high expressiveness of ABE policies, the computational complexities of ABE key-issuing anddecryption are getting prohibitively high. Despite that the existing Outsourced ABE solutions are able to offload some intensivecomputing tasks to a third party, the verifiability of results returned from the third party has yet to be addressed. Aiming at tackling thechallenge above, we propose a new Secure Outsourced ABE system, which supports both secure outsourced key-issuing anddecryption. Our new method offloads all access policy and attribute related operations in the key-issuing process or decryption toa Key Generation Service Provider (KGSP) and a Decryption Service Provider (DSP), respectively, leaving only a constant numberof simple operations for the attribute authority and eligible users to perform locally. In addition, for the first time, we propose anoutsourced ABE construction which provides checkability of the outsourced computation results in an efficient way. Extensivesecurity and performance analysis show that the proposed schemes are proven secure and practical.

Index Terms—Attribute-based encryption, access control, outsourcing computation, key issuing, checkability

Ç

1 INTRODUCTION

AS a novel public key primitive, attribute-based encryp-tion (ABE) [1] has attracted much attention in the

research community. For the first time, ABE enables ef-ficient public key-based fine-grained sharing. In ABE sys-tem, users’ private keys and ciphertexts are labeled withsets of descriptive attributes and access policies respec-tively, and a particular key can decrypt a particular cipher-text only if associated attributes and policy are matched.Until now, there are two kinds of ABE having been pro-posed: key-policy attribute-based encryption (KP-ABE)and ciphertext-policy attribute-based encryption (CP-ABE).In KP-ABE, the access policy is assigned in private key,whereas, in CP-ABE, it is specified in ciphertext.

Recently, as the development of cloud computing [2],users’ concerns about data security are the main obstaclesthat impedes cloud computing from wide adoption. Theseconcerns are originated from the fact that sensitive dataresides in public cloud, which is maintained and operatedby untrusted cloud service provider (CSP). ABE provides asecure way that allows data owner to share outsourced

data on untrusted storage server instead of trusted serverwith specified group of users. This advantage makes themethodology appealing in cloud storage that requires se-cure access control for a large number of users belonging todifferent organizations.

Nevertheless, one of the main efficiency drawbacks ofABE is that the computational cost during decryption phasegrows with the complexity of the access formula. Thus,before widely deployed, there is an increasing need toimprove the efficiency of ABE. To address this problem,outsourced ABE, which provides a way to outsource inten-sive computing task during decryption to CSP withoutrevealing data or private keys, was introduced [3], [4]. It hasa wide range of applications. For example, in the mobilecloud computing consisting of mobile devices or sensors asinformation collection nodes, user terminal (e.g., mobiledevice) has limited computation ability to independentlycomplete basic encryption or decryption to protectsensitive data residing in public cloud. Outsourced ABEallows user to perform heavy decryption through ‘‘bor-rowing’’ the computation resources from CSP. Therefore,in this paradigm, the computation/storage intensive taskscan be performed even by resource-constrained users.

Beyond the heavy decryption outsourced, we observethat the attribute authority has to deal with a lot of heavycomputation in a scalable system. More precisely, the attri-bute authority has to issue private keys to all users, but yetgeneration of private key typically requires large modularexponentiation computation, which grows linearly with thecomplexity of the predicate formula. When a large numberof users call for their private keys, it may overload the at-tribute authority. Moreover, key management mechanism,key revocation in particular, is necessary in a secure andscalable ABE system. In most of existing ABE schemes, therevocation of any single private key requires key-updateat attribute authority for the remaining unrevoked keyswhich share common attributes with the one to be re-

. J. Li is with the School of Computer Science, Guangzhou University,China and State Key Laboratory of Integrated Service Networks (ISN),Xidian University, China. E-mail: lijin@gzhu.edu.cn.

. X. Huang is with the Fujian Provincial Key Laboratory of NetworkSecurity and Cryptology, School of Mathematics and Computer Science,Fujian Normal University, China. E-mail: xyhuang81@gmail.com.

. J. Li is with the College of Information Technical Science, NankaiUniversity, China. E-mail: lijw@mail.nankai.edu.cn.

. X. Chen is with the State Key Laboratory of Integrated Service Networks(ISN), Xidian University, Xi’an, China. E-mail: xfchen@xidian.edu.cn.

. Y. Xiang is with the School of Information Technology, DeakinUniversity, Australia. E-mail: yang@deakin.edu.au.

Manuscript received 24 July 2013; revised 30 Sept. 2013; accepted 7 Oct.2013. Date of publication 20 Oct. 2013; date of current version 16 July 2014.Recommended for acceptance by J. Chen.For information on obtaining reprints of this article, please send e-mail to:reprints@ieee.org, and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TPDS.2013.271

1045-9219 � 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 2014 2201

voked. All of these heavy tasks centralized at authorityside would make it an efficiency bottleneck in the accesscontrol system.

1.1 ContributionAiming at eliminating the most overhead computation atboth the attribute authority and the user sides, we proposean outsourced ABE scheme not only supporting out-sourced decryption but also enabling delegating keygeneration. In this construction, we introduce a trivialpolicy controlled by a default attribute and use an ANDgate connecting the trivial policy and user’s policy. Duringkey-issuing, attribute authority can outsource computationthrough delegating the task of generating partial privatekey for user’s policy to a key generation service provider(KGSP) to reduce local overhead. Moreover, the outsourceddecryption is realized by utilizing the idea of key blinding.More precisely, user can send the blinded private key to adecryption service provider (DSP) to perform partialdecryption and do the complete decryption at local.Following our technique, constant efficiency is achievedat both attribute authority and user sides.

In addition, we observe that when experiencing com-mercial cloud computing services, the CSPs may be selfishin order to save its computation or bandwidth, which maycause results returned incorrectly. In order to deal with thisproblem, we consider to realize checkability on resultsreturned from both KGSP and DSP, and provide a securityand functionality enhanced construction, which is provablesecure under the recent formulized refereed delegation ofcomputation (RDoC) model. Out technique is to make asecret sharing on the outsourcing key for KGSP and let kparallel KGSPs utilize their individual share to generatepartial private keys. After that an additional key combina-tion phase is performed at authority side to avoid maliciouscollaboration between at most k� 1 KGSPs and users.Moreover, we use the idea of ‘‘ringer’’ [5] and appendingredundancy to fight against the dishonest actions of KGSPsand DSP. As far as we know, this is the first timeconsidering the checkability of outsourced ABE.

1.2 Related WorkThe notion of ABE, which was introduced as fuzzyidentity-based encryption in [1], was firstly dealt with byGoyal et al. [6]. Two different and complementary notionsof ABE were defined in [6]: KP-ABE and CP-ABE. Aconstruction of KP-ABE was provided in the same paper [6],while the first CP-APE construction supporting tree-basedstructure in generic group model is presented by Bethen-court et al. [7]. Accordingly, several constructions support-ing for any kinds of access structures were provided [8],[9] for practical applications [10], [11]. Concerningrevocation of ABE, a delegatable revocation is proposedin [12] to achieve scalable and fine-grained access control.

To reduce the load at local, it always desires to deliverexpensive computational tasks outside. Actually, theproblem that how to securely outsource different kinds ofexpensive computations has drew considerable attentionfrom theoretical computer science community. Atallah et al.[13] presented a framework for secure outsourcing of

scientific computations such as matrix multiplication andquadrature. Nevertheless, the solution used the disguisetechnique and thus leaded to leakage of private informa-tion. Atallah and Li [14] investigated the problem ofcomputing the edit distance between two sequences andpresented an efficient protocol to securely outsource se-quence comparison with two servers. Furthermore,Benjamin and Atallah [15] addressed the problem of secureoutsourcing for widely applicable linear algebraic compu-tations. Nevertheless, the proposed protocols required theexpensive operations of homomorphic encryption. Atallahand Frikken [16] further studied this problem and gaveimproved protocols based on the so-called weak secrethiding assumption. Recently, Wang et al. [17] presentedefficient mechanisms for secure outsourcing of linearprogramming computation.

We note that though several schemes have been intro-duced to securely outsource kinds of expensive computa-tions, they are not suitable for reliving ABE computationaloverhead of exponentiation at user side. To achieve thisgoal, the traditional approach is to utilize server-aidedtechniques [18], [19], [20]. However, previous work areoriented to accelerating the speed of exponentiation usinguntrusted servers. Directly utilizing these techniques inABE will not work efficiently. Another approach might beto leverage recent general outsourcing technique or del-egating computation [21], [22], [23], [24], [25] based onfully homomorphic encryption or interactive proof sys-tem. However, Gentry [25] has shown that even for weaksecurity parameters on ‘‘bootstrapping’’ operation of thehomomorphic encryption, it would take at least 30 secondson a high performance machine. Therefore, even if theprivacy of the input and output can be preserved by uti-lizing these general techniques, the computational over-head is still huge and impractical.

Another several related work similar to us are [4], [26],[3], [27]. In [3], a novel paradigm for outsourcing thedecryption of ABE is provided while in [4], [26] the authorspresented the ABE schemes which allow to securelyoutsource both decryption and encryption to third partyservice providers. Compared with our work, the two lackof the consideration on the eliminating the overheadcomputation at attribute authority. Additionally, we con-sider a security and functionality enhanced constructionenabling checkability on returned results from CSPs.Recently Lai et al. [28] proposed a concrete constructionfor ABE with verifiable decryption, which achieves bothsecurity and verifiability without random oracles. Theirwork appends a redundancy with ciphertext and uses thisredundancy for correctness checking. We emphasize thatcompared with our scheme their construction does notconsider to offload the overhead computation at authorityby outsourcing key-issuing.

1.3 OrganizationThis paper is organized as follows. In Section 2 we describesome preliminaries. In Section 3, we present the systemmodel and security definition. The proposed constructionand its security analysis are presented in Section 4. InSection 5, we consider a both security and functionalityenhanced construction under RDoC model. The performance

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142202

analysis for the schemes are given in Section 6. Finally, wedraw conclusion in Section 7.

2 PRELIMINARY

In this section, we define the notations used in this paperand review some cryptographic background.

2.1 NotationsThe notations used in this paper are listed in Table 1.

2.2 Cryptographic BackgroundIn this paper, we use the bilinear pairings on elliptic curves.We now give a brief review on the property of pairing andthe candidate hard problem that will be used.

Definition 1 (Bilinear Map). Let G;GT be cyclic groups ofprime order q, writing the group action multiplicatively. g isa generator of G. Let e : G�G! GT be a map with thefollowing properties:

. Bilinearity: eðga1; gb2Þ ¼ eðg1; g2Þab for all g1; g2 2 G, anda; b 2R Zq;

. Non-degeneracy: There exists g1; g2 2 G such thateðg1; g2Þ 6¼ 1, in other words, the map does not send allpairs in G�G to the identity in GT ;

. Computability: There is an efficient algorithm to computeeðg1; g2Þ for all g1; g2 2 G.

Definition 2 (DBDH Problem). The decision Bilinear Diffie-Hellman (DBDH) problem is that, given g, gx, gy, gz 2 G forunknown values x; y; z 2R Zq, and T 2R GT , to decide ifT ¼ eðg; gÞxyz.

We say that the ðt; �Þ-DBDH assumption holds in G if not-time algorithm has probability at least 1

2þ � in solving theDBDH problem for non-negligible �.

3 SYSTEM MODEL AND SECURITY DEFINITION

3.1 System ModelWe present the system model for outsourced ABE schemein Fig. 1. Compared with the model for typical ABE, aKGSP and a DSP are additionally involved.

. KGSP is to perform aided key-issuing computationto relieve AA load in a scale system when a largenumber of users make requests on private keygeneration and key-update.

. DSP is to complete delegated expensive operationsto overcome the disadvantage that the decryption

phase in typical ABE requires a large number ofoverload operations at U.

Following the custom in [3], we denote ðIenc; IkeyÞ as theinput to encryption and key generation. In CP-ABEscheme, ðIenc; IkeyÞ ¼ ðA; !Þ while that is ð!;AÞ in KP-ABE, where ! and A are attribute set and access structure,respectively. Then, based on the proposed system model,we provide algorithm definitions as follows.

. Setupð�Þ: The setup algorithm takes as inputVasecurity parameter �. It outputs a public key PK anda master key MK.

. KeyGeninitðIkey;MKÞ : For each user’s private keyrequest, the initialization algorithm for delegatedkey generation takes as inputVan access policy (orattribute set) Ikey and the master key MK. It outputsthe key pair ðOKKGSP; OKAAÞ.

. KeyGenoutðIkey; OKKGSPÞ : The delegated key gen-eration algorithm takes as inputVthe access struc-ture (or attribute set) Ikey and the key OKKGSP forKGSP. It outputs a partial transformation keyTKKGSP.

. KeyGeninðIkey; OKAAÞ : The inside key generationalgorithm takes as inputVthe access structure (orattribute set) Ikey and the key OKAA for attributeauthority. It outputs another partial transformationkey TKAA.

. KeyBlindðTKÞ : The transformation key blindingalgorithm takes as inputVthe transformation keyTK ¼ ðTKKGSP; TKAAÞ. It outputs a private key SKand a blinded transformation key fTK.

. EncryptðM; IencÞ: The encryption algorithm takes asinputVa message M and an attribute set (or accessstructure) Ienc to be encrypted with. It outputs theciphertext CT .

. DecryptoutðCT; fTKÞ : The delegated decryption algo-rithm takes as inputVa ciphertext CT which wasassumed to be encrypted under the attribute set (oraccess structure) Ienc and the blinded transformationkey fTK for access structure (or attribute set) Ikey. Itoutputs the partially decrypted ciphertext CTpart if�ðIkey; IencÞ ¼ 1, otherwise outputs ?, where �ð�; �Þ isa predicate predefined.

. DecryptðCTpart; SKÞ: The decryption algorithm takesas inputVthe partially decrypted ciphertext CTpart

and the private key SK. It outputs the originalmessage M.

TABLE 1Notations Used in This Paper

Fig. 1. System model for outsourced ABE scheme.

LI ET AL.: SECURELY OUTSOURCING ATTRIBUTE-BASED ENCRYPTION WITH CHECKABILITY 2203

3.2 Security DefinitionIn this work, we assume that all the entities except AA are‘‘honest-but-curious’’. More precisely, they will follow ourproposed protocol but try to find out as much privateinformation as possible based on their possessions. Theadversary model described in Fig. 2 is considered. Moreprecisely, since KGSP and U respectively owns theknowledge of OKKGSP for KGSP and user’s private key,they are considered as active attackers which are allowed tocollude with DSP and SSP to launch harmful attack sep-arately. Following this consideration, two types of adver-saries are categorized.

. Type-I adversary defined as a group of curious userscolluding with SSP and DSP, is able to potentiallyaccess private keys for all the corrupted users, all theciphertext stored at SSP, all the blinded transforma-tion keys stored at DSP, etc, and aims to decryptciphertext intended for users not in the group.

. Type-II adversary defined as KGSP colluding withSSP and DSP, is able to potentially access all the keysfor KGSP, all the ciphertexts stored at SSP, all theblinded transformation keys stored at DSP, etc, andaims to decrypt any ciphertext.

Having this intuition, we follow the RCCA (replayablechosen ciphertext attack) security in [29], [3] to defineRCCA security. For saving space, we just show the defi-nition of RCCA security here, and the detailed game can berefered to Appendix A, which is available in the ComputerSociety Digital Library at http://doi.ieeecomputersociety.org/10.1109/TPDS.2013.271.

Definition 3 (RCCA Security). An outsourced CP-ABE orKP-ABE scheme with delegated key generation and decryp-tion is secure against replayable chosen-ciphertext attack ifall polynomial time adversaries have at most a negligibleadvantage in the RCCA security game for both type-I andtype-II adversaries.

4 PROPOSED CONSTRUCTION

4.1 Access Structure

Definition 4 (Access Structure). Let fP1; . . . ; Png be a setof parties. A collection A � 2fP1;P2;...;Png is monotone if 8B;C:if B 2 A and B � C then C 2 A. An access structure (ormonotone access structure) is a collection (or monotonecollection) A of non-empty subsets of fP1; P2; . . . ; Png. Thesets in A are called authorized sets.

Furthermore, we could define the predicate �ð�; �Þ asfollows:

�ð!;AÞ ¼ 1 if ! 2 A0 otherwise.

�(1)

In this paper, the role of the party is taken by theattributes. Thus, the access structure A will contain theauthorized sets of attributes. Specifically, our constructionsupports for access structure described as A ¼ f! � U : j! \!�j � dg where U is the attribute universe, ! and !� areattribute sets and d is a predefined threshold value.

For simplicity, we will take user’s attribute set to inputto key generation instead of his access structure which isdifferent from our definition in Section 3.1. We note thatsuch substitution is trivial since user is easy to compute hisaccess structure with the individual attribute set. Further-more, we deliver the decision for access control to �ð�; �Þ andredefine such predicate as follows:

�dð!; !�Þ ¼ 1 if j! \ !�j � d0 otherwise.

�(2)

4.2 Intuition for Proposed ConstructionThe challenge for constructing outsourced ABE scheme isthe realization of delegated key generation and decryption.

. To outsource private key generation, we utilize ahybrid key policy Policy ¼ PolicyKGSP ^ PolicyAA inproposed construction, where ^ is an AND gateconnecting two sub-policies PolicyKGSP andPolicyAA. PolicyKGSP is for the request attribute setwhich will be performed at KGSP while PolicyAA is atrivial policy controlled by AA. The reason that wesay it is trivial is that a single default attribute � isappended with each request attribute set, which hasno effect on the global access control policy. Usingthis trick, we are allowed to randomly generate anoutsourcing key (which is OKKGSP in our construc-tion) to delegate partial key generation operation toKGSP without master or private key leakage.

. To outsource decryption, we make use of the idea in[4] by choosing a random ‘‘blinding factor’’ (whichis t in our construction) to produce blinded trans-formation key which is able to be sent to DSP toperform decryption partially instead of private keyitself. This skill allows us to delegate partialdecryption operation to DSP without private keyor original message leakage.

4.3 ConstructionBefore providing our construction, we define the Lagrangecoefficient Di;S for i 2 Zq and a set S of elements in Zq:Di;S ¼

Qj2S;j6¼i

x�ji�j . Our scheme is based on ABE in [1] which

shares the same access formula. The message space for ourconstruction is GT . Actually, using the hybrid encryptiontechnique, we can easily extend it to support for messagespace consisting of f0; 1g�. The construction in detail isshown as follows.

. Setupð�Þ: First, define the attributes in universe U aselements in Zq. For simplicity, let n ¼ jUj and we can

Fig. 2. Adversary model for outsourced ABE scheme.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142204

take the first n elements in Zq (i.e. 1; 2; . . . ; nmod q)to be the universe. Next, select a generator g 2R Gand an integer x 2R Zq, and set g1 ¼ gx. Then, pickelements g2; h; h1; . . . ; hn 2R G. Finally, output thepublic key PK ¼ ðg; g1; g2; h; h1; . . . ; hnÞ and the mas-ter key MK ¼ x.

. KeyGeninitð!;MKÞ: For each user’s private key re-quest on !, select x1 2R Zq and set x2 ¼ x� x1 mod q.Finally output OKKGSP ¼ x1 as the outsourcing keyfor KGSP andOKAA ¼ x2 for attribute authority itself.

. KeyGenoutð!;OKKGSPÞ : Randomly select a d � 1 de-gree polynomial qð�Þ such that qð0Þ ¼ x1. Then, foreach i 2 !, choose ri 2R Zq, and compute di0 ¼ gqðiÞ2 �ðg1hiÞri and di1 ¼ gri . Finally, output TKKGSP ¼ðfdi0; di1gi2!Þ.

. KeyGeninð!;OKAAÞ : Select r� 2R Zq and computed�0 ¼ gx2

2 � ðg1hÞr� and d�1 ¼ gr� . Finally, outputTKAA ¼ ðd�0; d�1Þ.

. KeyBlindðTK ¼ ðTKKGSP; TKAAÞÞ: S e lec t t 2R Zq,and compute fTK ¼ ðfdti0; dti1gi2![f�gÞ. Finally, outputSK ¼ ðt; TKÞ and fTK.

. EncryptðM;!0Þ: Firstly, select a random numbers 2R Zq. Then, compute C0 ¼M � eðg1; g2Þs, C1 ¼ gs,E� ¼ ðg1hÞs and Ei ¼ ðg1hiÞs for i 2 !0. Finally,publish the ciphertext as CT ¼ ð!0 [ f�g; C0; C1;fEigi2!0[f�gÞ.

. DecryptoutðCT; fTKÞ: Suppose that a ciphertext CT isencrypted under an attribute set !0 and we have ablinded transformation key fTK for attribute set !,which satisfies the restriction that �dð!; !0Þ ¼ 1.Then, outsourced decryption proceeds as follows.Firstly, an arbitrary d-element subset set S � ! \ !0is selected. Then, the partially decrypted ciphertextis computed as follows:

CTpart ¼e C1; d

t�0

� �Qi2S e C1; d

ti0

� �Di;Sð0Þ

e dt�1; E�

� �Qi2S e d

ti1; Ei

� �Di;Sð0Þ

¼ eðg; g2Þstx2eðg; g2ÞstP

i2S qðiÞDi;Sð0Þ

¼ eðg; g2Þstx2eðg; g2Þstx1

¼ eðg1; g2Þst: (3)

. DecryptðCTpart; SKÞ: Completely decrypt the cipher-text as follows:

C0

ðCTpartÞ1t

¼ M � eðg1; g2Þs

eðg1; g2Þst� �1

t

¼ M � eðg1; g2Þs

eðg1; g2Þs¼M: (4)

4.4 Security Analysis

Theorem 1. The outsourced ABE scheme is indistinguishablesecure against chosen-plaintext attack in selective modelunder DBDH assumption.

Proof. Please refer to this proof in Appendix B availableonline. g

4.5 Practical ConsiderationWe can consider to utilize our construction in hybridclouds. More precisely, KGSP is maintained as a private

cloud with high trust to deal with sensitive information,but leaving SSP and DSP as public cloud to provide publicstorage and computation service respectively. Actually,this type of hybrid setting has become more and moreattractive as many organizations are moving to the publiccloud due to its benefit of highly available and scalableresources but still want to store and process the critical datain the private cloud.

We provide the working process of proposed construc-tion for outsourced key generation and decryption Fig. 3.

In the outsourced key generation, AA and KGSP areallowed to perform computation to produce partial trans-formation key for customized and default attributes.Specifically, after producing the key pair ðOKKGSP; OKAAÞwith KeyGeninitð!;MKÞ, two individual phase can beexecuted simultaneously. 1) At KGSP, OKKGSP is involvedto generate partial transformation key for customizedattribute set !. 2) At AA, OKAA is involved to generatethe other partial transformation key for default attribute �.The parallel computation is benefit for improving efficien-cy in key generation for ABE system.

In the outsourced decryption, user firstly fetchesciphertext from SSP and computes the intersection subsetS locally. Therefore, only a partial ciphertext, blindedtransformation key and intersection subset need to bedelivered to DSP to perform partial decryption. Alterna-tively, it allows another scenario, in which after keygeneration user directly sends his attribute set ! andcorresponding blinded transformation key fTK to DSP to bestored. In this case, the DSP performs a role as proxy, whocan automatically retrieve ciphertexts that user is interest-ed in and forward to him partially decrypted one. The DSPcould be the user’s mail server, or the same entity alongwith SSP in cloud environment.

5 ANOTHER CONSTRUCTION WITH CHECKABILITY

We observe that in the commercial cloud computing, forsaving computation or bandwidththe, CSPs may be selfishto execute only a fraction of delegated operation and returnresult incorrectly. The dishonest action of CSPs may causeusers obtain incorrect keys or messages. We also point outthat our first construction provides provable secrecy in thesense that KGSP is maintained as a private cloud with hightrust. By this, we mean that an untrusted KGSP is able tocollaborate with user to fake private key to enhance his‘‘power’’. More precisely, Suppose a user and the KGSPcollude together. They are able to obtain OKKGSP ¼ x1 andfd�0; d�1g corresponding to this user. With this possession,they can generate TK0KGSP for target attribute set !0 andjoint it with fd�0; d�1g to obtain the faked TK0. Using thisone, ciphertext satisfied by !0 can be decrypted.

Therefore, in this section, aiming at providing check-ability as well as reducing the trust on KGSP, we proposeanother construction under the widely used RDoC model.

5.1 Outsourced ABE in Refereed Delegation ofComputation Model

RDoC model originates from the model of refereed gamesin [30], and is later formalized in [20], [31]. In RDoC model,the client is able to interact with multiple servers and it has

LI ET AL.: SECURELY OUTSOURCING ATTRIBUTE-BASED ENCRYPTION WITH CHECKABILITY 2205

a right output as long as there exists one server that followsthe proposed protocol. One of the most advantages ofRDoC over traditional model with single server is that thesecurity risk on the single server is reduced to multipleservers involved in. As the result of both the practicalityand utility, RDoC model recently has been widely utilizedin the literature of outsourced computation [20], [31], [32],[33], [16].

To reduce the trust on KGSP, we will consider theoutsourced ABE system in RDoC model, in which k KGSPscooperatively work together to provide AA with the keygeneration service (k� 1 are malicious at most). In thiscase, an additional collusion between user and at mostk� 1 malicious KGSPs is allowed. Then, the two typesadversaries defined in Section 3.2 are semi-merged togeth-er and able to obtain OKKGSP½i� for malicious KGSP½i�,private keys for all the corrupted users, all the blindedtransformation keys stored at DSP and so on, wherei ¼ 1; 2; . . . ; k� 1.

Having this intuition above, we can redefine the securitydefinition of our setting for RDoC model. The challengerwill maintain the table T , set D and integer j to provide theadversary with three type of oracles (if RCCA is consideredOMð�Þ should be added).

. OOKKGSPðIkey; bÞ: Challenger sets j ¼ jþ 1 and runs

key generation (including key blinding) completely

for Ikey to obtain SK; fOKKGSP½i�gki¼1and fTK. After

adding the entry ðj; Ikey; SK; fOKKGSP½i�gki¼1; fTKÞ into

T , return fOKKGSP½i�gki¼1;i 6¼b.. O eTKðiÞ: The challenger checks whether the entry

ði; Ikey; SK; fOKKGSP½j�gkj¼1; fTKÞ exists in T , if so

return fTK; otherwise return ?.. OSKðiÞ: The challenger checks whether the entryði; Ikey; SK; fOKKGSP½j�gkj¼1

; fTKÞ exists in T , if so setD ¼ D [ fIkeyg and return SK, otherwise return ?.

5.2 Intuition for Proposed ConstructionFor simplicity, we only consider and provide the secondconstruction with two KGSPs. The key challenge for oursecond construction exists in two folds.

. One is how to prevent from the collusion betweenthe user and the malicious KGSP. Our solution is tointelligently extend the hybrid policy trick in thefirst construction. Specifically, in addition to build-ing an AND gate between PAA and PKGSP, weintroduce a (2, 2)-secret sharing on PKGSP and makeeach KGSP only know its own share OKKGSP½i� fori ¼ 1, 2. In this sense, even if user collude with aKGSP and obtain fOKKGSP½i�g for i ¼ 1 or 2, hecannot recover the secret (which is actually x1 in ourconstruction) to serve the devil.

Fig. 3. Outsourced key generation and decryption.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142206

. The other is how to detect the dishonest action fromKGSPs and DSP beyond collusion. To fight againstit,/ we extend the idea of ‘‘ringer’’ [5] to our setting

to convince that KGSPs do indeed perform allthe computations that were outsourced to them.More precisely, AA generates a random valueðd � 1Þ-degree polynomial qRGð�Þ and sends italong with qKGSP½i�ð�Þ in a random order toKGSP½i�. Each KGSP generates partial transfor-mation key using both qRGð�Þ and qKGSP½i�ð�Þ, andAA detects the dishonest action by checking allthe partial transformation key computed fromqRGð�Þ (to make sure that all the honest KGSPswill obtain the same result from OKRG in ahonest computation, the random values frig forqRGð�Þ should be selected by AA in advance).

/ In addition, we detect the dishonest action of amalicious DSP by adding redundancy. Specifi-cally, we can require that all the users in thesystem agree on a redundancy 0k (i.e., a k-length0 bit string) and append it with original messagein each encryption. Then, after performingcomplete decryption to obtain the plaintext, theuser can detect the dishonest action of DSP bychecking the redundency.

5.3 The Construction under RDoC ModelWe provide our second construction with two KGSPs asfollows.

. Setupð�Þ: It is similar to the same algorithm in ourprevious construction but an integer k should beagreed in public key. Specifically, the PK ¼fg; g1; g2; h; h1; . . . ; hn; kg and MK ¼ x are output.

. KeyGeninitð!;MKÞ: For each user’s private keyrequest on !, AA picks x11; x12 2R Zq and setsOKKGSP½1� ¼ x11, OKKGSP½2� ¼ x12 and OKAA ¼ x2 ¼x� x11 � x12 mod q. Next, select ðd � 1Þ-degree ran-dom polynomials qKGSP½1�ð�Þ and qKGSP½2�ð�Þ withthe restrictions: 1) let !0 be any ðd � 1Þ-elementsubset of !, qKGSP½1�ðiÞ ¼ qKGSP½2�ðiÞ for each i 2 !0;2) qKGSP½1�ð0Þ ¼ x11; 3) qKGSP½2�ð0Þ ¼ x12. Thirdly, toenable convincing the dishonest action of KGSPslater, select another random polynomial qRGð�Þ.Furthermore, for each i 2 !, pick rKGSP½1�;i; rKGSP½2�;i;rRG;i 2R Zq with the restriction that rKGSP½1�;j ¼rKGSP½2�;j where j 2 !0. Finally, AA sends ðS½1�REAL;SRGÞ and ðS½2�REAL; SRGÞ to KGSP[1] and KGSP[2]respectively, where the pair S½j�REAL ¼ ðqKGSP½j�ð�Þ;frKGSP½j�;igi2!Þ and SRG ¼ ðqRGð�Þ; frRG;igi2!Þ for j ¼1; 2. We emphasize that in the both communicationsS½��REAL and SRG should be sent in random orders toavoid KGSPs knowing which one is really to becomputed for partial transformation key.

. KeyGenoutðS½j�REAL; SRGÞ: KGSP½j� generates partialtransformation key for both qKGSP½j�ð�Þ and qRGð�Þ.More precisely, KGSP½j� computes

TKKGSP½j� ¼ d½j�i0; d½j�i1� �

i2!

where d½j�i0 ¼ gqKGSP½j�ðiÞ2 ðg1hiÞrKGSP½j�;i , d½j�i1 ¼ grKGSP½j�;i

and

TKRGj¼ d½RGj�i0; d½RGj�i1� �� �

where d½RGj�i0 ¼ gqRGðiÞ2 ðg1hiÞrRG;i , d½RGj�i1 ¼ grRG;i , and

sends ðTKKGSP½j�; TKRGjÞ to AA in its receiving order.

. KeyGeninð!;OKAAÞ: Similar to the same algorithmdescribed in our basic construction, AA selectsr� 2R Zq and computes d�0 ¼ gx2

2 � ðg1hÞr� and d�1 ¼gr� . Finally output TKAA ¼ ðfd�0; d�1gÞ.

. KeyCheckðTKKGSP½1�; TKRG1; TKKGSP½2�; TKRG2

Þ: AAchecks that both KGSPs produce the correct outputs,i.e., d½1�j0 ¼ d½2�j0, d½1�j1 ¼ d½2�j1 for all j 2 !0 andd½RG1�i0 ¼ d½RG2�i0, d½RG1�i1 ¼ d½RG2�i1 for all i 2 !.After that, continue to combine the partial transfor-mation key together by computing di0 ¼ d½1�i0 � d½2�i0and di1 ¼ d½1�i1 � d½2�i1 for all i 2 !. Finally output thecomplete transformation key TK ¼ ðfdi0; di1gi2![f�gÞ.

. KeyBlindðTKÞ : It is identical to the same algorithmin our previous construction and outputs SK ¼ðt; TKÞ and fTK.

. EncryptðM;!0Þ: User firstly appends the message Mto be encrypted with a redundancy 0k to obtainMT ¼Mk0k where k is the concatenation of string.Then, the rest is identical to the same algorithm in thefirst construction but to encrypt MT . Finally, outputCT ¼ ð!0 [ f�g;MTeðg1; g2Þs; gs; fg1higi2!0 ; g1hÞ.

. DecryptoutðCT; fTKÞ: It is identical to the same algo-rithm in previous construction and outputs CTpart ¼eðg1; g2Þst.

. DecryptðCTpart; SKÞ: It is identical to the samealgorithm in previous construction except that thedishonest action of DSP should be detected throughchecking redundancy. Specifically, by executing thedecryption algorithm in previous construction, MT

is obtained. The user continues to check whether aredundancy 0k is appended with MT . If so (i.e.,MT ¼Mk0k), M is obtained through truncation;otherwise, a dishonest action of DSP is detected.

5.4 AnalysisOur second construction has almost the same efficiencywith the first one. Specifically, in key-issuing, thoughanother key combination operation is required at attributeauthority side, it costs mutiplications for j!j times, which isnegligible using the modern devices.

Then, we provide the security analysis below.

Theorem 2. The second construction is secure against chosen-plaintext attack in the sense of the security definition modifiedin Section 5.1 under DBDH assumption.

Proof. Please refer to the proof in Appendix C availableonline. g

5.5 CheckabilityBeyond outsourced key generation and decryption, thecheckability on KGSP is supported in our second construc-tion. Specifically, since KGSP[1] (or KGSP[2]) cannot distin-guish the outsourced private key generation from the two

LI ET AL.: SECURELY OUTSOURCING ATTRIBUTE-BASED ENCRYPTION WITH CHECKABILITY 2207

outsourced tasks. If KGSP[1] (KGSP[2]) fails during anyexecution of KeyGenoutð�Þ, it will be detected with probabilityd�1þj!j

2j!j which is not less than 12. In addition, through ap-

pending redundancy, the dishonest action of DSP can beeasily detected in our construction.

6 PERFORMANCE ANALYSIS

In this Section, we provide the performance analysis fromboth theoretical calculation and empirical evaluation of ourmain construction in Section 4.3.

6.1 Efficiency AnalysisWe compare our scheme with the original ABE [1] and thestate-of-the-art [3], [4] in Table 2. We use EXP to denote amulti-based exponentiation operation in G and P the pair-ing operation. We assume one multi-based exponentiationmultiplies up to 2 single-based exponentiations and takesroughly the same time as single-based exponentiations.

! and d denotes the attribute set and threshold valuerespectively.

To the best of our knowledge, the outsourced keygeneration in ABE has not been considered before and ourscheme is the first construction achieving this property.Following our terminology, the number of exponentiationsin the group G for AA is reduced to two, while in otherABE schemes [1], [3], [4], it is linear with the number ofattributes in the request set (i.e., 2j!j). Actually in our con-struction, the exponentiation computation is delivered toKGSP and requester. More precisely, after obtaining thetransformation key from AA, the requester must spendj!j þ 1 exponentiations on generating private key and blind-ed transformation key.

In decryption, a trick similar to [3], [4] is used in ourscheme and the three schemes achieve the identicalefficiency: all the pairing operations are delivered to DSPand the computational cost of decryption for user is co-nstant, only one exponentiation operation. Whereas theoriginal ABE scheme [1] requires 2d pairing as well as 2d

TABLE 2Efficiency Comparison

Fig. 4. Evaluation of our main construction. (a) Setup. (b) Key generation. (c) Encryption. (d) Key blinding. (e) Decryption.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142208

exponentiation operations for a single decryption, where dis the threshold value.

Concerning on the communication complexity in ourscheme, user has to send a private key request to AA andreceive 2j!j þ 2 elements in G. Furthermore, he is able tosend blinded transformation key (as well as 2j!j þ 2 ele-ments in G) to DSP to perform partially decryption infuture. In general, an element in G is set to be 160-bit longfor 280 security. The data transferred among the cloud ser-vice providers, AA and user is tens of KBs at most, whichcan be processed efficiently.

6.2 ExperimentNote that in order to precisely measure the overhead ofoutsourced and local computation, all the computationsinvolving our construction are performed in an identicalenvironment, that is on a Linux Mint 13 machine withIntel(R) Core(TM)2 Duo CPU clocked at 2.40 GHz and 2 GBof system memory.

Generally, as shown in Fig. 4, it is not surprising to seethat our outsourced construction totally takes more timethan the original ABE scheme. This is because theoutsourcing computation cannot be realized in the mannerof ‘‘one plus one equals two’’, and some additional costshould be paid for preserving privacy.

Fig. 4a illustrates the efficiency comparison between ouroutsourced construction and original ABE in setup phase.Compared with the original scheme, our construction re-quires an additional initialization of the default attribute,leading to its slowness. Similarly, our key generation timein total (i.e., including the time cost at both AA and KGSP)is relatively longer than that of the original scheme (asshown in Fig. 4b). This is because key generation for user’sreal attributes are delegated to KGSP, while a defaultattribute is controlled by AA at local. Compared with theoriginal scheme, our outsourced construction involves thecomputation for an additional one attribute (i.e., the de-fault attribute). Fortunately, owing to outsourced compu-tation, the computation cost at AA side is reduced toconstant (nearly three single-based modular exponentia-tions in G). File encryption in the outsourced constructionis also slower than the original scheme because the defaultattribute is required to be naturally embedded in encryp-tion policy.

Regarding to decryption, our construction requires thekey blinding phase which is not demanded in originalscheme. As shown in Fig. 4d, the key blinding costs time onms level. But we point out that the key blinding can berealized in amortized model. Specifically, user is able torun the key blinding process just once, and then enjoy his/her efficient local decryption. Fig. 4e demonstrates thedecryption efficiency comparison for a varying thresholdvalue. Though our outsourced scheme takes more time intotal, user just needs to pool the shadow in the partialdecrypted ciphertext, which involves one modular expo-nentiation and division in GT .

To sum up, our outsourced construction achieves ef-ficiency at both AA and user sides during key-issuing anddecryption without introducing significant overhead com-pared to the original approach (our execution time is stillwithin ms).

7 CONCLUSION

We provide a new outsourced ABE scheme simultaneouslysupporting outsourced key-issuing and decryption. Withthe aid of KGSP and DSP, our scheme achieves constantefficiency at both authority and user sides. In addition,we provide a trust-reduced construction with two KGSPswhich is secure under recently formulized RDoC model.Unlike the state-of-the-art outsourced ABE, checkability issupported by this construction. The security of proposedschemes have been analyzed and given in this paper.Experimental results demonstrate that our constructionsare efficient and practical.

ACKNOWLEDGMENT

This work is supported by National Natural Science Founda-tion of China (Grants 61100224, 61202450, 61272455), NaturalScience Foundation of Guangdong Province (No.S2013010013671), Distinguished Young Scholars Fund ofDepartment of Education, Guangdong Province (No.Yq2013126), PhD Programs Foundation of Ministry of Educa-tion of China (Grant 20123503120001), Distinguished YoungScholars Fund of Department of Education, Fujian Province(JA13062), Fok Ying Tung Education Foundation (Grant No.141065), Doctoral Fund of Ministry of Education of China (No.20130203110004), ISN Research Fund (ISN 15-02, 15-03),Program for New Century Excellent Talents in University(No. NCET-13-0946), and China 111 Project (No. B08038).

REFERENCES

[1] A. Sahai and B. Waters, ‘‘Fuzzy Identity-Based Encryption,’’ inProc. Adv. Cryptol.-EUROCRYPT, LNCS 3494, R. Cramer, Ed.,Berlin, Germany, 2005, pp. 457-473, Springer-Verlag.

[2] D. Zeng, S. Guo, and J. Hu, ‘‘Reliable Bulk-Data Dissemination inDelay Tolerant Networks,’’ IEEE Trans. Parallel Distrib. Syst.http://doi.ieeecomputersociety.org/10.1109/TPDS.2013.221

[3] M. Green, S. Hohenberger, and B. Waters, ‘‘Outsourcing theDecryption of ABE Ciphertexts,’’ in Proc. 20th USENIX Conf. SEC,2011, p. 34.

[4] Z. Zhou and D. Huang, ‘‘Efficient and Secure Data StorageOperations for Mobile Cloud Computing,’’ in Cryptology ePrintArchive, Report 2011/185, 2011.

[5] P. Golle and I. Mironov, ‘‘Uncheatable Distributed Computa-tions,’’ in Proc. Conf. Topics Cryptol., CT-RSA, 2001, pp. 425-440.

[6] V. Goyal, O. Pandey, A. Sahai, and B. Waters, ‘‘Attribute-BasedEncryption for Fine-Grained Access Control of EncryptedData,’’ in Proc. 13th ACM Conf. Comput. Commun. Security, 2006,pp. 89-98.

[7] J. Bethencourt, A. Sahai, and B. Waters, ‘‘Ciphertext-PolicyAttribute-Based Encryption,’’ in Proc. IEEE Symp. Security Pri-vacy, May 2007, pp. 321-334.

[8] L. Cheung and C. Newport, ‘‘Provably Secure Ciphertext PolicyABE,’’ in Proc. 14th ACM Conf. CCS, 2007, pp. 456-465.

[9] T. Nishide, K. Yoneyama, and K. Ohta, ‘‘Attribute-Based Encryp-tion with Partially Hidden Encryptor-Specified Access Structures,’’in Proc. Appl. Cryptogr. Netw. Security, LNCS 5037, S. Bellovin,R. Gennaro, A. Keromytis, and M. Yung, Eds., Berlin, Germany,2008, pp. 111-129, Springer-Verlag.

[10] F. Han, J. Qin, H. Zhao, and J. Hu, ‘‘A General Transformationfrom KP-ABE to Searchable Encryption,’’ Future Gen. Comput.Syst., vol. 30, pp. 107-115, Jan. 2014.

[11] H. Zhao, J. Qin, and J. Hu, ‘‘Energy Efficient Key ManagementScheme for Body Sensor Networks,’’ IEEE Trans. Parallel Distrib.Syst., vol. 24, no. 11, pp. 2202-2210, Nov. 2013.

[12] S. Yu, C. Wang, K. Ren, and W. Lou, ‘‘Achieving Secure, Scalable,Fine-Grained Data Access Control in Cloud Computing,’’ in Proc.IEEE 29th INFOCOM, 2010, pp. 534-542.

LI ET AL.: SECURELY OUTSOURCING ATTRIBUTE-BASED ENCRYPTION WITH CHECKABILITY 2209

[13] M.J. Atallah, K. Pantazopoulos, J.R. Rice, and E.E. Spafford,‘‘Secure Outsourcing of Scientific Computations,’’ in Trends inSoftware Engineering, vol. 54, M.V. Zelkowitz, Ed. Amsterdam,The Netherlands: Elsevier, 2002, pp. 215-272.

[14] M.J. Atallah and J. Li, ‘‘Secure Outsourcing of Sequence Compar-isons,’’ Int’l J. Inf. Security, vol. 4, no. 4, pp. 277-287, Oct. 2005.

[15] D. Benjamin and M.J. Atallah, ‘‘Private and Cheating-FreeOutsourcing of Algebraic Computations,’’ in Proc. 6th Annu.Conf. PST, 2008, pp. 240-245.

[16] M.J. Atallah and K.B. Frikken, ‘‘Securely Outsourcing LinearAlgebra Computations,’’ in Proc. 5th ACM Symp. ASIACCS, 2010,pp. 48-59.

[17] C. Wang, K. Ren, and J. Wang, ‘‘Secure and Practical Outsourcingof Linear Programming in Cloud Computing,’’ in Proc. IEEEINFOCOM, 2011, pp. 820-828.

[18] K. Bicakci and N. Baykal, ‘‘Server Assisted Signatures Revisited,’’in Proc. Topics Cryptol.-CT-RSA, LNCS 2964, T. Okamoto, Ed., Berlin,Germany, 2004, pp. 1991-1992. Springer-Verlag.

[19] M. Jakobsson and S. Wetzel, ‘‘Secure Server-Aided SignatureGeneration,’’ in Proc. Public Key Cryptogr., 2001, pp. 383-401.

[20] S. Hohenberger and A. Lysyanskaya, ‘‘How to Securely Out-source Cryptographic Computations,’’ in Proc. Theory Cryptogr.,LNCS 3378, J. Kilian, Ed., Berlin, Germany, pp. 264-282, Springer-Verlag.

[21] S. Goldwasser, Y.T. Kalai, and G.N. Rothblum, ‘‘DelegatingComputation: Interactive Proofs for Muggles,’’ in Proc. 40thAnnu. ACM STOC, 2008, pp. 113-122.

[22] C. Gentry, ‘‘Fully Homomorphic Encryption Using Ideal Lat-tices,’’ in Proc. 41st Annu. ACM STOC, 2009, pp. 169-178.

[23] R. Gennaro, C. Gentry, and B. Parno, ‘‘Non-Interactive VerifiableComputing: Outsourcing Computation to Untrusted Workers,’’ inProc. Adv. Cryptol.-CRYPTO, LNCS 6223, T. Rabin, Ed., Berlin,Germany, 2010, pp. 465-482, Springer-Verlag.

[24] K.-M. Chung, Y. Kalai, F.-H. Liu, and R. Raz, ‘‘Memory Delegation,’’in Proc. Adv. Cryptol.-CRYPTO, LNCS 6841, P. Rogaway, Ed., Berlin,2011, pp. 151-168, Springer-Verlag.

[25] C. Gentry and S. Halevi, ‘‘Implementing Gentry’s Fully-HomomorphicEncryption Scheme,’’ in Proc. Adv. Cryptol.-EUROCRYPT, LNCS 6632,K. Paterson, Ed., Berlin, Germany, 2011, pp. 129-148, Springer-Verlag.

[26] J. Li, C. Jia, J. Li, and X. Chen, ‘‘Outsourcing Encryption ofAttribute-Based Encryption with Mapreduce,’’ in Proc. Int’l Conf.Inf. Commun. Security, 2012, pp. 191-201.

[27] J. Li, X. Chen, J. Li, C. Jia, J. Ma, and W. Lou, ‘‘Fine-GrainedAccess Control System Based on Outsourced Attribute-BasedEncryption,’’ in Proc. 18th ESORICS, 2013, pp. 592-609.

[28] J. Lai, R. Deng, C. Guan, and J. Weng, ‘‘Attribute-basedEncryption with Verifiable Outsourced Decryption,’’ IEEE Trans.Inf. Forensics Security, vol. 8, no. 8, pp. 1343-1354, Aug. 2013.

[29] R. Canetti, H. Krawczyk, and J. Nielsen, ‘‘Relaxing Chosen-Ciphertext Security,’’ in Proc. Adv. Cryptol.-CRYPTO, LNCS 2729,D. Boneh, Ed., Berlin/Heidelberg, 2003, pp. 565-582, Springer-Verlag.

[30] U. Feige and J. Kilian, ‘‘Making Games Short (ExtendedAbstract),’’ in Proc. 29th Annu. ACM STOC, 1997, pp. 506-516.

[31] R. Canetti, B. Riva, and G. Rothblum, ‘‘Two Protocols for Delegationof Computation,’’ in Proc. Inf. Theor. Security, LNCS 7412, A. Smith,Ed., Berlin, Germany, 2012, pp. 37-61, Springer-Verlag.

[32] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, ‘‘New Algorithms forSecure Outsourcing of Modular Exponentiations,’’ in Proc.ESORICS, LNCS 7459, S. Foresti, M. Yung, and F. Martinelli,Eds., Berlin, Germany, 2012, pp. 541-556, Springer-Verlag.

[33] R. Canetti, B. Riva, and G.N. Rothblum, ‘‘Practical Delegation ofComputation Using Multiple Servers,’’ in Proc. 18th ACM Conf.CCS, 2011, pp. 445-454.

Jin Li received the BS degree inmathematics fromSouthwest, University, in 2002 and the PhD degreein information security fromSun Yat-senUniversity,in 2007. Currently, he works at GuangzhouUniversity as a Professor. He has been selectedas one of science and technology new star inGuangdong province. His research interests in-clude applied cryptography and security in cloudcomputing. He has published over 50 researchpapers in refereed international conferences andjournals and has served as the program chair or

program committee member in many international conferences.

Xinyi Huang received the PhD degree from theSchool of Computer Science and SoftwareEngineering, University of Wollongong, Australia,in 2009. He is currently a Professor at theFujian Provincial Key Laboratory of NetworkSecurity and Cryptology, School of Mathematicsand Computer Science, Fujian Normal Universi-ty, China. His research interests include cryp-tography and information security. He haspublished over 60 research papers in refereedinternational conferences and journals. His work

has been cited more than 1000 times at Google Scholar. He is in theEditorial Board of the International Journal of Information Security (IJIS,Springer) and has served as the program/general chair or programcommittee member in over 40 international conferences.

Jingwei Li received the BS degree in mathe-matics from the Hebei University of Technology,China, in 2005 and is currently pursuing the PhDdegree in computer technology in Nankai Uni-versity. He is currently a visiting student (spon-sored by The State Scholarship Fund of China)in Penn State University. His research interestsinclude applied cryptography and cloud security.

Xiaofeng Chen received the BS and MSdegrees in mathematics from the NorthwestUniversity, China and the PhD degree in cryp-tography from Xidian University, in 2003. Cur-rently, he works at Xidian University as aprofessor. His research interests include appliedcryptography and cloud computing security. Hehas published over 80 research papers inrefereed international conferences and journals.His work has been cited more than 1000 times atGoogle Scholar. He has served as the program/

general chair or program committee member in over 20 internationalconferences.

Yang Xiang received the PhD degree in com-puter science from Deakin University, Australia.He is currently a Full Professor at School of In-formation Technology, Deakin University. He isthe Director of the Network Security and Com-puting Lab (NSCLab). His research interests in-clude network and system security, distributedsystems, and networking. In particular, he iscurrently leading his team developing active de-fense systems against large-scale distributednetwork attacks. He is the Chief Investigator of

several projects in network and system security, funded by the Aus-tralian Research Council (ARC). He has published more than 130 re-search papers in many international journals and conferences, such asIEEE Transactions on Computers, IEEE Transactions on Parallel andDistributed Systems, IEEE Transactions on Information Security andForensics, and IEEE Journal on Selected Areas in Communications.Two of his papers were selected as the featured articles in theApril 2009 and the July 2013 issues of IEEE Transactions on Paralleland Distributed Systems. He has published two books, SoftwareSimilarity and Classification (Springer) and Dynamic and AdvancedDataMining for Progressing Technological Development (IGI-Global). Hehas served as the Program/General Chair for many internationalconferences such as ICA3PP 12/11, IEEE/IFIP EUC 11, IEEE TrustCom13/11, IEEE HPCC 10/09, IEEE ICPADS 08, NSS 11/10/09/08/07. Hehas been the PC member for more than 60 international conferences indistributed systems, networking, and security. He serves as the AssociateEditor of IEEETransactions onComputers, IEEETransactions onParalleland Distributed Systems, Security and Communication Networks (Wiley),and the Editor of the Journal of Network and Computer Applications. He istheCoordinator, Asia for IEEEComputer Society Technical Committee onDistributed Processing (TCDP). He is a Senior Member of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142210