Tree species identification based on the fusion of bark and leaves

1.   Introduction

With the rapid increase in the adoption of Internet of Things (IoT) ^[1,2,3,4] technologies and digitization of medical records in today's modern world of wireless communications, a paradigm shift can now be seen in health care industry. Application of IoT in eHealth aims to integrate diverse constrained ^[5] self-configuring medical smart devices that interacts with each other through global network architecture ^[6] as illustrated in Figure 1. Due to this, eHealth big data explosion is currently witnessed. To relieve Health care industries the trouble of high storage and computation costs at the same time enhance immediate sharing, the data generated from diverse IoT devices is moved to the cloud server to take advantage of the dynamic scalable resources at a lower cost. Moreover, cloud computing ensures an easy access of data anywhere anytime irrespective of the location and device. In spite of the merits supplied by the cloud, it is assumed to be insecure hence cannot be trusted with sensitive data such as IoT generated medical data. Therefore, data should be encrypted before outsourcing ^[7] so that in case the storage devices are compromised, the privacy of data can still be maintained. In addition, data owner may choose to enforce data access control measures permitting only the authorized users that possess certain attributes to access the shared data while on the other hand denying access to unauthorized users ^[8]. To realize the aforementioned goals, several significant research work have been proposed.

Attribute-based encryption (ABE) ^[9] which is an enhancement of identity-based encryption (IBE) ^[10] has attracted much wide attention recently in areas including cloud services ^[11,12], IoT ^[13,14], distributed environments ^[15] and medical systems ^[16] because of its rich features including fine-grained data access control and data confidentiality. Moreover, the primitive offers an additional appealing feature where data is no longer shared on one-to-one basis instead one-to-many. There are two existing complementary variants of ABE. One is Key-Policy ABE (KP-ABE) ^[17,18] and the other is Ciphertext-Policy ABE (CP-ABE) ^[19,20]. In KP-ABE, the cipher message is associated (encoded) with attributes set and decryption key is associated (encoded) with access structure while in Ciphertext Policy-ABE (CP-ABE), the cipher message is associated (encoded) with access structure and decryption key is associated (encoded) with an attributes set. In comparison to KP-ABE, CP-ABE scheme is more flexible since the determination of access policy is done by the encryptor instead of key allocator ^[21] hence more appealing for practical applications.

Attribute-Based Signature (ABS) ^[22] has also widely attracted immense research attention for its fascinating feature of signing a message while simultaneously maintaining the privacy of the signer. In ABS, a signer in possession of attributes set issued by authority can sign a message using a predicate that satisfies her attributes. ABS similar to ABE is presented in two variants; Signature-Policy Attribute Based Signature (SP-ABS) ^[7,23] where signing key is associated (encoded) with attributes set and the plaintext message is signed by making use of the predicate that is satisfied by the set of attributes that belongs to the signing key while in the second variant Key-Policy Attribute Based Signature (KP-ABS) ^[24] the signing key is associated (encoded) with the predicate that is satisfied by the set of attributes while the message is associated (encoded) with set of attributes.

In real life scenario some of the applications such as health care need encryption combined with signing to achieve concurrently the flavour of confidentiality of medical data and authenticity of the data owner ^[25] and in most cases the anonymity of users ^[26] and hiding sensitive information ^[27,28] that belongs to patients. Medical data uploaded to the cloud and are designed for sharing may include sensitive private information such as patient's names, diseases, prescription etc. To ensure the confidentiality of these data is safeguarded, access mechanism should be provided that allows only authorized parties to access them. Simultaneously, the data users for instance government, research institutions, insurance companies and other hospitals should be convinced that the data sent originated from the actual owner to avoid downloading the corrupted data that may be sent by malicious user. As an illustration take for example a data owner "Doctor A" that outsources hospital records to the public cloud for storage. In this case the cloud has to verify whether the data was outsourced truly by an actual user that has set of attributes represented as "Government Hospital $\wedge$ level $\in \{4, 5, 6\}$". Whenever a staff of "Insurance B" accesses the eHealth cloud to obtain the stored data, she will be convinced that the owner of data is indeed a doctor that has certain attributes represented as "Government Hospital $\wedge$ level $\in \{4, 5, 6\}$" while the actual doctor's identity "Doctor A" is kept private. To realize this scenario, the viable solution is to adopt Attribute Based Signcryption (ABSC) technology, that combines flavours of ABE and ABS in single logical step. The cryptographic primitive is efficient compared to classical "encrypt-then-sign" or "sign-then-encrypt" technologies approaches ^[29]. The ABE part of attribute-based signcryption achieves data confidentiality while ABS part achieves privacy and authentication. However, the rising challenge is how to edge off the expensive computational cost ^[30] emerging from bilinear pairing and exponentiation which are introduced by primitive while concurrently supporting fine-grained access control for resource-constrained device users. The promising solution is to outsource expensive computations to the cloud. Few existing work in literature have been proposed that discusses this ^[31,32,33]. The schemes supports outsourced designcryption functionality where the blinding key is send to the cloud to transform ciphertext to a simple one. The final user performs lighter pairing computation to obtain the plaintext message. In addition to supporting designcryption, the scheme in ^[33] supports outsourcing of signcryption, where cloud is delegated a task of executing expensive computations and data owner performs simpler local computations.

Verification is another essential feature needful for validating the outsourced computations results to ensure proxy returns correct output. In ^[31,33] only the validity of the outsourced transformed ciphertext is checked while the validity of returned outsourced generated key is not verified. Malicious user may return invalid key without the knowledge of the data owner which might cause inaccurate findings. According to the information we have, there is no proposed work currently in literature that achieves verifiable fully outsourced attribute-based signcryption. Therefore our work proposes this new novel where we incorporated outsourcing service providers ^[34] and blinding key technique ^[31,35] to fulfill the desired goals.

1.1.   Our contributions

Taking into account the resource limitations affecting IoT devices in terms of battery, computation power, memory storage space etc, we propose in this paper a new novel verifiable fully outsourced attribute-based signcryption (VFOABSC) scheme for IoT eHealth big data system in cloud computing. In our proposed scheme, the execution of expensive computations are delegated to the powerful cloud server while lightweight computations is handled by the local IoT device user. As far as we know, this is the first proposed ABSC scheme in literature that is fully outsourced. The sequence work flow of our scheme is illustrated in Figure 2. The main contributions of this paper are:

● We introduced for the fist time a new novel VFOABSC that achieves full outsourcing of expensive ABSC computations to accommodate resource-constrained IoT devices. Initially we provide the formal framework behind the design philosophy of VFOABSC with the goal of fulfilling authentication, confidentiality and privacy of data owner simultaneously. The architecture of VFOABSC can be considered as an elaborate combination of attribute-based encryption schemes with outsourcing key generation, verification of outsourcing key generation, outsourcing signcryption and outsourcing designcryption. To realize this, we incorporated seven types of service providers that are responsible for executing expensive tasks.

● This paper proposes, an efficient ABSC scheme, that outsources the key generation tasks (both decryption and signing keys), key verification task, signcryption task and designcryption task simultaneously. Moreover, all the participants in the proposed system can verify the validity and correctness of the outsourcing computations with the support of outsourcing verification cloud service provider.

● The correctness together with security prove of the proposed scheme including its efficiency and complexity are analyzed. In addition, we also compared our scheme with other existing attribute-based signcryption schemes in terms of security requirements, outsourcing functionalities, storage overhead (size of the decryption key, size of the signing key, size of the ciphertext) and the computation overhead incurred while executing signcryption (outsourced and local) and designcryption (outsourced and local).

1.2.   Organization

The remainder of this paper is arranged as follows; Section 2 provides a review of existing related work regarding the secure outsourced attribute-based cryptographic primitives (encryption, signature and signcryption). We describe preliminaries which are employed throughout this proposed paper in Section 3, we also define the formal system model and the security model of our VFOABSC scheme in this section. In Section 4 we present a concrete construction of our proposed scheme. Moreover, we consider security proof and performance in Section 5 and Section 6 respectively. Finally we provide conclusion in Section 7.

2.   Related work

2.1.   Attribute-Based Encryption (ABE) that securely outsources intensive computations operations.

The functionality advantages derived from ABE access control is so immense. However, it is computationally expensive. This is due to high computation overhead encountered while executing encryption and decryption operations ^[36,37,38]. To overcome this hurdle and therefore improve efficiency of lightweight devices, Green et al. ^[35] proposed a primitive that aims to offload intensive computations to the cloud service provider while leaving lighter computations to the end user. Generally the key generating algorithm is designed to return two key pair to the data user as follows:

1. A short El Gamal-form private key known as retrieving key rk.

2. Its paired key known as transformation key tk, which is send to the server for transformation purposes and its publicly known.

In their scheme, a transformation key $tk$ is sent to the cloud server to transform the original ciphertext $CT$ satisfied by end user's set of attributes or access policy into a simpler ciphertext $CT^\prime$. The user spends the least computation overhead to recover the original message from the transformed ciphertext. While the scheme enhances the computational efficiency, however malicious cloud may substitute the original ciphertext and provide the user with a transformed ciphertext from an alternate ciphertext which the cloud requires the user to decrypt. To ensure the cloud server executes the outsourced decryption honestly and returns a valid transformed ciphertext, a number of schemes have been proposed ^{[11,39,40,41]}. Lai et al. ^[40] and Mao et al. ^[41] separately proposed novel technique where verifiability of ciphertext is performed on a returned transformed ciphertext. In order to realize this functionality, Lai et al. ^[40] appended an extra verification instance to the existing encryption/decryption algorithm phases of ABE. The presented technique increases the computation and communication costs since encryption algorithm needs the data owner to encrypt the additional random message and also generate a checksum value associated to two equal messages. On the other hand decryption process demands the cloud server to execute the basic decryption algorithm twice and in addition requires data user to perform verification on the outsourced computations regarding encrypted messages. To overcome the stated challenges, Lin et al. ^[11] presented a more efficient ABE primitive with verifiable outsourced decryption by incorporating flavours of a symmetric-key encryption scheme, an attribute based key encapsulation mechanism, and a commitment scheme in generic model. While verifiability provides reassuring solution to outsourced decryption, nonetheless the length of ciphertext and the amount of complex pairing operations grows in proportion with the attribute size. This greatly impedes its application in resource-constrained IoT devices. To solve the underlying problem, schemes ^[13,39] were proposed. Qinlong et al. ^[13] proposed a secure scheme that outsources majority of encryption, decryption and signing computations concurrently from IoT device to fog node. To save communication cost, Li et al. ^[39] presented a novel technique verifiable outsourced decryption CP-ABE scheme that has a constant ciphertext length.

Recently, Wang et al.^[34] and Zhang et al. ^[42] independently presented efficient Ciphertext-Policy ABE (CP-ABE) schemes that can simultaneously outsource expensive key generation, encryption and decryption operations securely to the cloud. The local users incurs less computation costs.

2.2.   Attribute-Based Signature (ABS)

ABS is an extension of identity-based signature, a scheme proposed and formalized by Shamir ^[10] where signer's identity is described using a set of descriptives attributes. In 2008, Piyi et al. ^[43] presented fuzzy identity-based signature scheme a primitive that is closely related to attribute-based signature. The scheme enables data owners to generate signatures with a subset of the attributes they own. The first ABS which achieves user's privacy where a user could sign a document by utilizing a subset of his attributes was formalized in 2008 by Guo et al. ^[44]. In this primitive, the authors claimed it to be unforgeable under adaptive message attack based on intractability strong extended Diffie-Hellman assumption. In 2009, Tan et al. ^[45] proved the scheme to be vulnerable to partial key replacement attack. First ABS scheme supporting a powerful set of predicates involving AND, OR and Threshold gates was formally introduced Maji et al ^[22]. Nonetheless, the security of this scheme is feeble as their design philosophy is solely proved in the generic group model. From that time, many similar works have been proposed ^{[7,23,46,47,48,49]}. Construction of threshold attribute-based signature applicable to small attribute universe and large attribute universe was formally introduced by Shahandashti et al. ^[50]. In this scheme, a document is signed using attributes subset while the verification of the signature is validated if the set of attributes used in signing is nearly close to the set of attributes that are used to verify.

2.3.   Attribute-Based Signcryption

In 2010, Maji et al. ^[51] proposed the first ABSC primitive that presents merits of both ABE and ABS in one logical step to achieve confidentiality of data, fine-grained access control, and unforgeability simultaneously. To realize this scheme, they combined technologies of FIBE ^[9] and features of new threshold attribute-based signature. The primitive was proved to be secure under selective-predicate attack. The signing access structure of this scheme is static in the setup phase and therefore does not work so well in practice. To eliminate the weakness, ABSC which is dynamic in nature was presented by Emura et al. ^[52], where encryptor's access structures is updated without the need to re-issue the signing private keys to the users. Morever, this primitive presents another essential feature public verifiability, where any third party can perform verification on the validity of the ciphertext before forwarding to the intended recipient. Therefore, undesirable cost of designcrypting invalid ciphertexts are eliminated. In 2013, Hu et al. ^[53] proposed a novel Fuzzy Attribute-Based Signcryption (FABSC) that is applicable to Body Area Network. In this scheme, patients are allowed to specify the attributes set a physician is supposed to have in order to access a particular portion of sensitive data. In order to achieve it, the intersection between the physician's credentials and the essential parts should exceed a predetermined threshold for a physician to access the data. A threshold ABSC primitive that has constant-size ciphertexts and non-monotonic access structure and which make use of inner-product encryption was proposed in 2013 by Han et al. ^[54]. Moreover, the scheme has an additional functionality public verification of ciphertext. Since then, many works on the same theme have been proposed ^{[29,31,33,55,56,57,58,59]}. Furthermore, ABSC primitives that outsources expensive computations to resolve the limitations confronting resource-constrained device users has also attracted many researchers ^[29,31,33]. The scheme in ^[31], offloads expensive computations to the cloud to realize verifiable outsourced designcryption while the final user executes lightweight computations. Compared to scheme ^[33] that outsources only demanding designcryption computations, scheme ^[29] outsources simultaneously heavy computations of signcryption and designcryption.

3.   Preliminaries

In this section, we present cryptographic preliminaries definitions essential for understanding this paper.

3.1.   Notations

The various notations utilized throughout this paper are illustrated in Table 1.

3.2.   Access policies formats

Our scheme is constructed under access structures, monotone span program and linear secret sharing scheme policies.

3.2.1.   Access structures

(Access structure ^[60]). Let $\mathbb{E}$ denote the attribute universe. A collection $\mathbb{X}\subseteq2^\mathbb{E}\backslash\left\{{\emptyset}\right\}$ is monotone if $\forall$ $\mathbb{Z, W}$: if $\mathbb{Z}\in\mathbb{X}$ and $\mathbb{Z}\subseteq\mathbb{W}$, then $\mathbb{W}\in\mathbb{X}$. An access structure is a collection $\mathbb{X}$ of non-empty subsets $\mathbb{X}\subseteq2^\mathbb{E}\backslash\left\{{\emptyset}\right\}$. The sets in $\mathbb{X}$ are called authorized sets, and the sets not in $\mathbb{X}$ are unauthorized sets.

3.2.2.   Monotone span program (MSP)

$MSP$ is a algebraic model of computation that is linear in nature ^[56]. To construct $MSP$, a Boolean formula is first converted into an access tree where $AND$ ($\wedge$) and $OR$ ($\vee$) form interior nodes while leaf nodes are the attributes ^[61]. As an example assume data users that can access the data from the cloud have policies such as " Name $\wedge$ InsNo" for INSURANCE COMPANY or "DEATH $\vee$ ALIVE $\wedge$ CRITICAL" for GOVERNMENT or "BLOOD $\wedge$ SALIVA" for RESEARCH INSTITUTION where NAME, InsNo, DEATH, ALIVE, CRITICAL, BLOOD and SALIVA are the attributes while INSURANCE COMPANY, GOVERNMENT, RESEARCH INSTITUTION are data users. The formula shows that any user with attributes set: ($NAME$, $InsNo$), $(DEATH, ALIVE, CRITICAL)$, $(BLOOD, SALIVA)$ satisfies the policy. Figure 3 shows an example of eHealth big data storage system access tree for Insurance company and Government with its corresponding matrix below it. Using the method as outlined in ^[61], the access tree which is an input is converted into its equivalent matrix $M$. The labeling begins from the root node where it is labeled using vector (1) and the global counter c is assigned with value 1. The labeling is done top down as follows:

ⅰ. When the parent node is OR ($\vee$) gate denoted using vector $\upsilon$, then its children is also denoted using $\upsilon$ (and the value of c remains the same).

ⅱ. When the parent node is an AND ($\wedge$) gate denoted using a vector $\upsilon$, then we append 0's at the end of $\upsilon$ (if there is a necessity) to make it of length c. Then we mark its left child as $\upsilon$$\arrowvert$1 (in this case $\arrowvert$ denotes concatenation) and the right child is marked using the vector (0, ..., 0$\arrowvert$-1), where (0, ..., 0) is the zero vector of length c. We should note that this two vectors sum to $\upsilon$$\arrowvert$0. The value of c is incremented by 1. value of c is incremented when AND ($\wedge$) is encountered. Once the entire tree has been labeled, the vectors denoting the leaf nodes (attributes) compose the rows of linear sharing secret scheme (lsss) matrix. If the vectors differ in length, we have to append 0's at the end of the shorter ones to ensure that all vectors display the same length.

Let $\Psi$: $\{0, 1\} ^n$$\to$$\{0, 1\}$ represent a monotone function ^[60]. A monotone span program is represented as $\Theta = (M, \rho)$ over $\mathbb{Z}_p$. It is an $\ell$$\times k$ matrix M that has entries in $\mathbb{Z}_p$ and the labeling $\varPhi:[\ell]\to[n]$ that links each row of M with an input variable for (t$_{1}$, t$_{2}$, ....., t$_{\ell}$) $\in \{0, 1\}$$^n$.

A span program allows the input if it meets the following:

$\Psi$ ($t _{1}$, $t _{2}$, ....., $t _{\ell}$) = 1 $\Leftrightarrow$ $\exists$ $\varphi$ $\in$ $\mathbb{F}$$^{1\times \ell}$ : $\varphi \textbf{M} = [1, 0, 0, ...., 0]$

and ($\forall$ i: x$_{\varPhi(i)}$) = 0 $\Rightarrow$ $\varphi_{i}$ = 0

Basically, $\Psi$($t _{1}$, $t _{2}$, ...$t _{l}$) = 1 provided that the rows of M indexed by $\{{\rm{i}} \rvert {\rm{t}} _\varPhi(i) = 1\}$ spans the vector [1, 0, 0, ...., 0]. Span programs can be constructed from Boolean functions^[56].

3.2.3.   Linear secret sharing scheme

Definition 1. (Linear secret sharing scheme(LSSS) ^[60]) A secret-sharing scheme $\varPi$$_\mathbb{X}$ for the access structure $\mathbb{X}$ over a given set of attributes $\vartheta$ is called linear (in $\mathbb{Z}$$_{p}$) if

1. The shares derived from secret $\xi\in$ $\mathbb{Z}$$_{p}$ for each party forms a vector over $\mathbb{Z}_{p}$

2. For every access structure $\mathbb{X}$ on $\vartheta$, there exist a matrix M that has $\ell$ row size and $k$ column size referred to as sharing-generating matrix for $\varPi$. A function $\rho$ labels every row $i$ of matrix M using the attributes from $\varPi$. During the generation of shares we take into consideration the column vector $\vec{\psi} = (\xi, y_2, y_3, .., y_k)$, where $\xi$ is the secret to be shared into $\ell$ parts, and $y_2, y_3, .., y_k$ are randomly chosen from $\mathbb{Z}$$_{p}$. Therefore M$\vec{\psi}$ denotes the vector of $\ell$ shares of $\xi$ that corresponds to $\varPi$ and every share in M$\vec{\psi}$ belongs to the party $\rho$(i).

The pair (M, $\rho$) denotes the access policy structure $\mathbb{X}$.

LSSS can be summarized using two randomized algorithms:

 

3.2.4.   Bilinear maps

Let map e: $\mathcal{G}\times\mathcal{G}\to\mathcal{G}_{T}$ denote bilinear pairing where $\mathcal{G}$ and $\mathcal{G}_\tau$ represent two multiplicative cyclic groups that belongs to prime order p. Let $g$ be generator of $\mathcal{G}$. Bilinear map e has the following properties:

● Bilinearity: $\forall g\in\mathcal{G}$ and $a, b \in \mathbb{Z}_{p}^*$ we have $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

● Non-degeneracy: $e(g, g)\neq 1$.

● Computability: There is an efficient algorithm to compute $e(g, g)$ for all $g\in\mathcal{G}$.

3.3.   Claim predicates

Claim predicates, are policy formulas applied to the attributes /credential sets. They model access control policies.

Definition 2. We utilize $\mathcal{U}$ to denote universe of attributes. A predicate (over $\mathcal{U}$) represents a monotone boolean function where inputs are related to the attributes universe $\mathcal{U}$. An attribute set $S\subset\mathcal{U}$ satisfies predicate $\varUpsilon$ (or $\varUpsilon$ accepts $R$) if $\varUpsilon(\mathcal{U}) = 1$. This means an input is set to be true (i.e set to 1) if its equivalent attribute belong to attribute set $S$. And the input is set to be false (i.e set to 0) if its equivalent attribute does not belong to attribute set $S$. We denote using $\varUpsilon(S) = 0$ if $S$ does not satisfy $\varUpsilon$.

Since we have the predicate $\varUpsilon$ as monotone, then it means $\varUpsilon(R) = true$ and therefore $\varUpsilon(W) = true$ for each attribute set $W\supset R$.

Assuming $\varUpsilon$ is claim predicate and $R_\varUpsilon$ is an attribute set employed in $\varUpsilon$ then a labeled matrix $\Theta = ($M$_{\ell\times k}, \rho)$ corresponds to MSP for $\varUpsilon$, here M is $\ell\times k$ matrix while $\rho:[\ell]\to R_\varUpsilon$ labels the rows of M using the attributes from $R_\varUpsilon$. Attributes are taken as variables of MSP.

We represent $A\subset\mathcal{U}$ as set of attributes. We also define $x_1 = \{i\in[\ell]:[\rho(i) = v]\wedge[v\in A]\}$ and $x_0 = \{i\in[\ell]:[\rho(i) = v]\wedge[v\notin A]\}$. Then $x_1 = \{i\in[\ell]:\rho(i)\in A\}$ and $x_0 = \{i\in[\ell]:\rho(i)\notin A\}$. In this case $x_1\cup x_0 = [\ell]$.

A predicate $\varUpsilon$ (consisting $\Theta = (M_{\ell\times k}, \rho)$) accepts an input $A$ that denotes attribute set by following this basis,

$\varUpsilon(A) = 1\iff\big[\exists(z_1, ..., z_\ell)\in\mathbb{Z}^\ell_p$ such that $\sum_{i\in[\ell]}z_i.\vec{M}^i = (1, 0, ,, 0)$ and $z_i = 0$ $\forall i$, where $\rho(i)\notin A$$\big]$. The following result is essential while presenting the security proof of the proposed scheme.

Lemma 1. Let $\varUpsilon$, $\mathcal{U}$ denote predicate and attribute set respectively. If $\varUpsilon(A) = false$ then there exist $\vec{\omega} = (\omega_1, \omega_2, ...\omega_k)\in\mathbb{Z}^k_p$ with $\omega_1 = -1$ such that $\vec{\omega}.\vec{M}^{(i)} = 0$ $\forall i$ where $\rho(i)\in A$.

3.4.   Hard Problems

3.4.1.   Diffie-Helman Exponent problem

Consider bilinear group $\varOmega = (p, e, \mathcal{G}, \mathcal{G}_\tau)$ with distribution tuple $\mathcal{T} = (\varOmega, g, g^y, g^{y^2}, ..., g^{y^q}, ..g^{y^{q+2}}, .., g^{y^{2q}})$ such that $g\in\mathcal{G}^{2q}$ and $y\gets\{2, 3, .., p-1\}$. Given $\mathcal{T}_{y, g} = (g, g^y, g^{y^2}, ..., g^{y^q}, ..g^{y^{q+2}}, .., g^{y^{2q}})\xleftarrow{R}\mathcal{T}$, it computes $g^{y^{q+1}}$. The adversary advantage $\mathcal{A}$ in solving $q$-Diffie-Helman Exponent (abbreviated as $q-DHE$) problem is defined as $Adv^{q-DHE}_{\mathcal{A}} = Pr[g^{y^{q+1}}\gets\mathcal{A}(\mathcal{T}, \mathcal{T}_{y, g})]\leq\epsilon$

Definition 3. We establish that the q-DHE problem in ($\mathcal{G}, \mathcal{G}_\tau$) is $(\tau, \epsilon)$-hard if the advantage $Adv^{q-DHE}_{\mathcal{A}}\leq\epsilon$ for all PPT adversary $\mathcal{A}$ running in time at most $\tau$.

3.4.2.   $q$-1 Problem

Consider bilinear group $\varOmega = (p, e, \mathcal{G}, \mathcal{G}_\tau)$. Select $g\in\mathcal{G}$ and 2q + 2 random exponents $\varepsilon, y, k_1, ..., k_q\gets\{2, 3, .., p-1\}$. Given $\mathcal{T}_{\varepsilon, y, g} = (\varOmega, g, g^\theta, \{g^{z^i}, g^{k_j, g^{\theta k_j}}$, $g^{z^ik_j}, g^{z^i/k^2_j}\}_{(i, j)\in[q, q]}$, $\{g^{z^i/k_j}\}_{(i, j)\in[2q, q], i\not = q+1}$, $\{g^{z^ik_j/k^2_{j^\prime}}\}_{(i, j, j^\prime)\in[2q, q, q], j\not = j^\prime}$, $\{g^{\theta z^ik_j/k_j^\prime}$, $g^{\theta z^ik_j/k^2_{j^\prime}}\}_{(i, j, j^\prime)\in[q, q, q], j\not = j^\prime}$$)$, it then computes $X_\upsilon\xleftarrow{R}\mathcal{G}_\tau$ where $\upsilon = \{0, 1\}$. The $q-1$ problem confirms whether $X = e(g, g)^{\theta.y^{q+1}}$ when $\upsilon = 0$ or $X$ is a random number of $\mathcal{G}_\tau$ otherwise.

Definition 4. We establish that the q-1 problem in ($\mathcal{G}, \mathcal{G}_\tau$) is $(\tau, \epsilon)$-hard if the advantage $Adv^{q-1}_{\mathcal{A}} = Pr[\upsilon^\prime = \upsilon]-1/2$ for all PPT adversary $\mathcal{A}$ running in time at most $\tau$.

3.5.   System model of VFOABSC

Figure 4 illustrates an architecture based on our proposed VFOABSC scheme. In our proposed scheme expensive ABSC computations are delegated to the cloud server so as to minimize computation overhead encountered by lightweight IoT devices with inefficient computational capability. Trusted Attribute Authority $(TAA)$ sends the outsourcing master key (both signing and decryption) to respective servers to generate partial key (signing and decryption) then $TAA$ locally completes the process by generating full signing and decryption keys. To reduce heavy computations while checking the validity of outsourced generated key (both signing and decryption), $TAA$ requests trusted third party to verify. When data owner receives signing key from $TAA$, it generates two keys from it. One of the key is sent to the cloud server to be used for executing partial signcryption and its local key is utilized in generating the remainder portion of the ciphertext. Data owner then uploads full ciphertext to the cloud that is considered to be secure. To decrypt the data, the IoT device user sends decryption blinding key to the server to execute expensive computations if its attributes satisfies access structure policy. If that is the case, it uses the corresponding retrieving key to perform full decryption.

Our proposed system comprise the following participants: trusted attribute authority (TAA), cloud server, data owner and data user. The functionalities of these participants are:

1. Trusted Attribute Authority (TAA): It generates the outsourcing master key (both signing and decryption) then sends to the respective servers for them to generate partial key (signing and decryption). Upon receiving partial keys from the servers, $TAA$ completes the process by generating full signing and decryption keys. It is the only entity entirely trusted by all other participants in the system.

2. Cloud server: There are seven cloud servers in our system. The first is for generating partial decryption key, the second for generating partial signing key, the third for verifying outsourced signing partial generated key, the fourth for verifying outsourced decryption partial generated key, fifth performs outsourced signcryption to generate partial ciphertext, sixth performs outsourced designcryption to generate partial plaintext and the seventh stores data for the owner at the same time provides data access services to the users.

3. Data owner: Generates two keys from the signing key. Sends one key to the cloud server for generating partial ciphertext while he remains with another key. Once it receives partial ciphertext from the cloud, it computes full ciphertext using his own key. Finally it outsources full ciphertext to the cloud.

4. Data user: The user with lightweight IoT device such as medical sensors sends a decryption blinding key to the proxy to transform ciphertext into simple one. When it receives partially decrypted ciphertext it uses retrieving key to complete the decryption. It can only fully decrypt the ciphertext when his attributes satisfies access policy in the ciphertext.

Sixteen algorithms are defined in our system as follows:

Setup $(1^\kappa, U)\to (PP, MSK)$

This algorithm takes the input values $\kappa$ and $U$ as security parameter and the universe of attributes respectively. It returns as an output the public parameters $PP$ and master key $MSK$.

SigKeyGen.init$(PP, MSK)$$\to$$(MSK_{OKGSP_s}, MSK_{TAA_s})$.

$TAA$ executes this pre-processing algorithm. It takes the input $PP$ and $MSK$ as public parameters and master key respectively and returns as output outsourcing signing master key $MSK_{OKGSP_s}$ and local signing master key $MSK_{TAA_s}$

SigKeyGen.out$(PP, MSK_{OKGSP_s}, A_s)\to(ISK_s)$.

$OKGSP_s$ executes this algorithm. It takes as input public parameters $PP$, outsourcing signing master key $MSK_{OKGSP_s}$ and attribute set $A_s$. It gives as an output intermediate private signing key $ISK_s$.

SigKeyGenout.ver $(PP, MSK_{OKGSP_s}, ISK_s\to$b$\in\{0, 1\})$

Outsourced verification service provider $(OVSP_s)$ executes this algorithm. It takes the input $PP$, $MSK_{KGSP_s}$ and $ISK_s$ as public parameters, outsourcing signing master key and intermediate private signing key respectively. It yields $b = 1$ if the equations are true, otherwise it yields $b = 0$.

SigKeyGen.local $(PP, MSK_{TAA_s}, A_s, ISK_s) \to (SK_{A_s})$

$TAA$ executes this algorithm. It takes as an input public parameters $PP$, signing local master key $MSK_{TAA_s}$, attribute set $A_s$ and intermediate signing key $ISK_s$. It yields as an output complete private signing key $SK_{A_s}$.

SigKey.blind $(SK_{A_s})\to(TSK_{A_s}, RSK_{A_s})$

The input to this algorithm is signing private key $SK_{A_s}$. It outputs transformation private signing key $TSK_{A_s}$ with its respective retrieving key $RSK_{A_s}$.

DecKeyGen.init$(PP, MSK)$ $\to$ $(MSK_{OKGSP_d}, MSK_{TAA_d})$. $TAA$ executes this pre-processing algorithm. It takes public parameters $PP$ and master key $MSK$ as input. It returns as an output outsourcing decryption master key $MSK_{OKGSP_d}$ and local decryption master key $MSK_{TAA_d}$.

DecKeyGen.out $(PP, MSK_{OKGSP_d}, A_d)\to(ISK_d)$

$OKGSP_d$ executes this algorithm. It takes as input public parameters $PP$, master key $MSK_{OKGSP_d}$ for outsourcing decryption key generation and attribute set $A_d$. It yields intermediate private decryption key $ISK_d$ as an output.

DecKeyGenout.ver$(PP, MSK_{OKGSP_d}, ISK_d\to\mu\in\{0, 1\})$ Outsourced verification service provider $(OVSP_d)$ executes this algorithm. It takes the input $PP$, $MSK_{OKGSP_d}$ and $ISK_d$ as public parameters, outsourcing decryption master key and intermediate decryption private key respectively. It outputs $\mu = 1$ if the equations holds, otherwise it outputs $\mu = 0$.

DecKeyGen.local$(PP, MSK_{TAA_d}, A_d, ISK_d)\to(SK_{A_d})$:

$TAA$ executes this algorithm. It takes as an input public parameters $PP$, local master key $MSK_{TAA_d}$, attribute set $A_d$ and intermediate decryption key $ISK_d$. It outputs complete decryption private key $SK_{A_d}.$

DecKey.blind $(SK_{A_d})\to(TSK_{A_d}, RSK_{A_d})$:

The user takes decryption private key $SK_{A_d}$ as an input to this algorithm and yields transformation private key $TSK_{A_d}$ and its associated retrieval secret key $RSK_{A_d}$ as an output.

Signcrypt.out $(PP, TSK_{A_s}, \varUpsilon_s, \varUpsilon_e)\to ICT$:

$OSSP$ executes this algorithm. It takes as input public parameters $PP$, signing transformation key $TSK_{A_s}$, signing attributes $A_s$, signing predicate $\varUpsilon_s$ and encryption predicate $\varUpsilon_e$. It produces as an output intermediate ciphertext $ICT$.

Signcrypt.local $(PP, M, RSK_{A_s}, ICT)\to SCT_{\varUpsilon_e}$:

The algorithm takes public parameters $PP$, message $M$, retrieving key $RSK_{A_s}$ and intermediate ciphertext $ICT$ as input. It produces complete ciphertext $SCT_{\varUpsilon_e}$ as an output.

Verification $(PP, SCT_{\varUpsilon_e})\to$$valid$ or $\bot$

The algorithm takes as input $PP$, original ciphertext $SCT_{\varUpsilon_e}$ to output either valid or invalid symbol $\bot$

Designcrypt.out $(PP, TSK_{A_d}, A_d, SCT_{\varUpsilon_e})\to (TCT_{A_d})$:

This algorithm is executed by $ODSP$. It takes public parameters $PP$, the key for transformation $TSK_{A_d}$, an attribute set $A_d$, ciphertext $SCT_{\varUpsilon_e}$ as input. It returns transformed ciphertext $TCT_{A_d}$ as output.

Designcrypt.local $(PP, SCT_{\Upsilon_e}, A_d, SK_{A_d}, \varUpsilon_e)$ = $M$ or $\bot$:

This algorithm takes as input $PP$, original ciphertext $SCT_{\varUpsilon_e}$, an attribute set $A_d$, decryption private key $SK_{A_d}$ and encryption predicate $\varUpsilon_e$. It returns as an output message $M$ or invalid symbol $\bot$.

3.6.   Security model of VFOABSC

3.6.1.   Confidentiality of the message:

Identical to ^[25], we employ a security game that describes the confidentiality of the message. We consider a challenger $\mathcal{C}$ and an adversary $\mathcal{E}$.

Setup: $\mathcal{C}$ executes $Setup$ algorithm to obtain public parameter $PP$ and master key $MSK$. It sends $PP$ to $\mathcal{E}$.

Query Phase 1: Challenger $\mathcal{C}$ creates an empty table $\bf{T}_1$, a integer counter $\varsigma = 0$ and an empty set $R$. $\mathcal{E}$ then it adaptively issues the following queries:

1. DecKey Queries: $\mathcal{C}$ on obtaining an attribute set $A_d$ sets a counter $\varsigma = \varsigma+1$, then executes $SK_{A_d}\gets$DecKeyGen.local($PP, MSK_{TAA_d}, A_d$, DecKeyGen.out ($PP, MSK_{OKGSP_d}, A_d$)) where $\Upsilon^*_e(A_d) = 0$. Then sets $\bf{T}_1 = \bf{T}_1\cup \{A_d\}$. It sends $SK_{A_d}$ to $\mathcal{E}$.

2. DecKey.blind Query: On obtaining an input attribute set $A_d$ it executes $SK_{A_d}\gets$DecKeyGen.local($PP, MSK_{TAA_d}, A_d$, DecKeyGen.out($PP, MSK_{OKGSP_d}, A_d$)), $(TSK_{A_d}, RSK_{A_d})$ $\gets$DecKey.blind $(SK_{A_d})$. It then stores the entry $(\varsigma, A_d, SK_d, TSK_{A_d}, RSK_{A_d})$ in table $\bf{T}_1$ then supply the adversary $\mathcal{E}$ with $TSK_{A_d}$.

Challenge Phase: $\mathcal{E}$ submits two messages $M_0$ and $M_1$ of equal length alongside decryption predicate $\varUpsilon^*_e(A_d)$ with the condition that no attribute set in $\bf{T}_1$ should satisfy the decryption predicate $\varUpsilon^*_e(A_d)$. Next, $\mathcal{C}$ picks a bit $\gamma\in\{0, 1\}$ randomly. $\mathcal{C}$ then executes signcryption on $M_\gamma$ using $\varUpsilon^*_e(A_d) = 1$.

Query Phase 2: Upon receiving $SCT_{\varUpsilon_e}^*$, $\mathcal{E}$ adaptively continues to issue queries in the same way as in Query Phase 1 with the condition that it cannot Designcrypt Query, for an attribute set $A_d$ and $A_s$ in such way that $\varUpsilon^*_e(A_d) = 1$ and $\varUpsilon^*_s(A_s) = 1$

Guess Phase: $\mathcal{E}$ outputs a guess bit $\gamma^\prime\in\{0, 1\}$ and wins the game if $\gamma^\prime = \gamma$, otherwise outputs $\bot$.

Definition 5. VFOABSC scheme is CPA-secure if no PPT adversary that have non-negligible advantage wins the security game above.

3.6.2.   Unforgeability of ciphertext:

The following security game of the formal unforgeability definition involves challenger $\mathcal{C}$ and adversary $\mathcal{A}$.

Setup: Challenger $\mathcal{C}$ executes $Setup$ algorithm to obtain public parameter $PP$ and master key $MSK$. It sends $PP$ to $\mathcal{A}$.

Query Phase 1: Challenger $\mathcal{C}$ in addition to creating an empty table $\bf{T}_2$ also creates an integer counter $\beta$ and empty set $R$. $\mathcal{A}$ then issues adaptively queries as follows:

1.DecryptKey Queries and DecKey.blind Query are similar to the described CPA-secure game.

2. SigncryptKey Queries: $\mathcal{C}$ initially sets $\beta = \beta+1$, and for an attribute set $A_s$, it executes $(SK_{A_s})\gets$SigKeyGen.local ($PP, MSK_{TAA_s}, A_s$, SigKeyGen.out$(PP, MSK_{OKGSP_s}, A_s))$ where $\varUpsilon^*_e(A_s) = 0$ then sets $\bf{T}_2 = \bf{T}_2\cup\{A_d\}\cup\{A_s\}$. Finally it sends the signing key $SK_{A_s}$ to $\mathcal{A}$.

3. SigKey.blind: On obtaining an input attribute set $A_s$ it executes $(SK_{A_s})\gets$SigKeyGen.local ($PP, MSK_{AA_s}, A_s$, SigKeyGen.out$(PP, MSK_{OKGSP_s}, A_s))$, $(TSK_{A_s}, RSK_{A_s})\gets$ SigKey.blind$(SK_{A_s})$. It stores the entry $(\beta, \diamond, SK_s, TSK_{A_s}, RSK_{A_s})$ in table $\bf{T}_2$ then supply the adversary with $TSK_{A_s}$.

Forgery: $\mathcal{A}$ returns forged ciphertext $SCT^*_{\varUpsilon^*_e}$ for the selective signing predicate $\varUpsilon^*_s$.

Output: $\mathcal{A}$ wins the game if it outputs valid ciphertext $SCTY^*_{\varUpsilon^*_e}$ where $\mathcal{A}$ has never issued query on signcrypt record $(M^*, \varUpsilon^*_s, \varUpsilon^*_e)$ and false otherwise.

Definition 6. The VFOABSC scheme is said to be existential unforgeable secure if no PPT adversary $\mathcal{A}$ that have non-negligible advantage wins the security game above.

3.6.3.   Privacy of Signcryptor:

The formal definition of signcryptor privacy of VFOABSC scheme is based on security game between a challenger $\mathcal{C}$ and adversary $\mathcal{A}$.

Setup: $\mathcal{C}$ executes $Setup$ algorithm to obtain public parameter $PP$ and master key $MSK$. It sends $PP$ and $MSK$ to $\mathcal{A}$ where $MSK$ is combination of $MSK_{OKGSP_s}$ and $MSK_{TAA_s}$.

Challenge: $\mathcal{A}$ presents a message $M\in\mathcal{M}$, signing predicate $\varUpsilon_{s(A^1_s)} = \varUpsilon_{s(A^2_s)} = 1$, and also an encryption predicate $\varUpsilon_e$. Then, $\mathcal{C}$ selects $b\gets\{0, 1\}$ to obtain $SK_{A^b_s}\gets$SigKeyGen.local($PP, MSK_{TAA_s}, A_s,$SigKeyGen.out $(PP, MSK_{OKGSP_s}, A_s))$ then outputs a challenge ciphertext $SCT_{\varUpsilon_e}\gets$ Signcrypt.local($PP, M, \varUpsilon_e$, Signcrypt.out$(PP, SK_{A^b_s}, \varUpsilon_s))$ to $\mathcal{A}$.

Guess: $\mathcal{A}$ outputs guess bit $b^\prime\in\{0, 1\}$

Output: $\mathcal{C}$ outputs true if $b^\prime = b$, and false otherwise.

It should be noted that adversary $\mathcal{A}$ can itself generate signing keys and ciphertexts in view of the fact that he has knowledge about the master key of the system.

Definition 7. The VFOABSC scheme is considered perfectly private if no PPT adversary $\mathcal{A}$ that have non-negligible advantage wins the security game above.

4.   The concrete construction

We present in this section the main construction of our proposed Verifiable Fully Outsourced Attribute-Based Signcryption System (VFOABSC) which is based on attribute-based signcryption due to ^[25] with the extension of outsourced key generation, outsourced key verification, outsourced signcryption and outsourced designcryption computation simultaneously to improve the efficiency of lightweight IoT devices. We first modified the offline/online signcryption phases in Rao's scheme ^[25] to outsourcing and owner signcryption phases respectively. Then to realize the above stated desirable features, we utilized the cryptographic scheme due to Wang et al. ^[34]. Our scheme supports both boolean function predicates and large attribute universe $U = \{0, 1\}^*$. Moreover, it allows public verifiability mechanism for ciphertext. In the construction of our scheme the signing predicate and its counterpart encryption predicate are both represented using Monotone Span Programs (MSPs). We denote signing predicate and encryption predicate using $\varUpsilon_s = (M_s, \rho_s)$ and $\varUpsilon_e = (M_e, \rho_e)$ respectively. $M_s$(resp. $M_e$) represents $\ell_s\times k_s$ (resp. $\ell_e\times k_e$) matrix with $\rho_s:[\ell_s]\to U$ (resp. $[\ell_e]\to U$) denoting row labeling function. The $i^{th}$ row of matrix $M_s$ (resp.$M_e$) is represented using the notation $\vec{M}^{(i)}_s$ (resp. $\vec{M}^{(i)}_e$). In our scheme, it is assumed that the row labeling function $\rho_s$ to be injective in the signing predicate $\varUpsilon_s = (M_s, \rho_s)$. We utilize the bilinear group tuple $\varOmega = (q, \mathcal{G}, \mathcal{G}_\tau, e)$. Our new scheme consist of the following sixteen algorithms.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Abbreviations: $|A_d|(|A_s|)$: indicates number of decryption(signing attributes), $\ell_e(\ell_s)$: Attribute size in encryption (signing) predicate, $L_\mathcal{G}$: denotes the length of an element in $\mathcal{G}$, $L_{\mathcal{G}_\tau}$: denotes the length of an element in $\mathcal{G}\tau$, $L_{\mathbb{Z}_p}$: denotes the length of an element in $\mathbb{Z}_p$, $|U_d|$: universe of encryption attributes, $n$: the number of elements, $L_M$: Length of the message, $V$: verification key size, $|Sig|$: size of message of one-time signature scheme.

Abbreviations: $\ell_e(\ell_s)$: Attribute size in encryption (signing) predicate, $\mathcal{E}_1, \mathcal{E}_2$: Modular exponential computations in $\mathcal{G}$ and $\mathcal{G}_\tau$ respectively, $\mathcal{P}$: Pairing computation, $OFL$: Offline, $ONL$: Online.

5.   Security analysis

Theorem 5.1 (Message Confidentiality:). Assuming the security in Rao's scheme ^[25] is assured, then the scheme proposed is also secure.

Proof. Suppose an adversary $\mathcal{E}$ that has non-negligible advantage has ability to break VFOABSC scheme. In similar way an algorithm $\mathcal{Q}$ can break the scheme ^[25] with non-negligible advantage.

We take $\mathcal{C}$ as a challenger related to algorithm $\mathcal{Q}$ in the selective CPA-secure game due to the scheme proposed by Rao ^[25]. $\mathcal{Q}$ executes $\mathcal{E}$ as follows.

Setup To obtain public parameters $PP^\prime$, $\mathcal{C}$ runs Setup algorithm in ^[25]. The output is

$PP^\prime = (\Sigma, g_T, g, h_e, u_e, w_e, u_s, w_s, \vartheta, \varrho_1, \varrho_2, \varrho_3, M, U$, $H_1, H_2, H_3, H_s$)

Then it sends $PP^\prime$ to $\mathcal{Q}$. Likewise, Setup algorithm is executed by $\mathcal{Q}$ in this paper to obtain the following public parameters

$PP$ = ($\varPi, \varSigma, g, h_e, u_e, w_e, u_s, w_s, \nu, \eta_1, \eta_2, \eta_3, \mathcal{M}, U, H_1$, $H_2, H_3$, $H_s$)

It then sends $PP$ to $\mathcal{E}$.

Query Phase 1 $\mathcal{Q}$ initialises both an empty Table $\bf{T}_1$ and an empty set $R$. Next, $\mathcal{E}$ issues queries adaptively as follows;

1. DecKey Queries: Similar to ^[62], we combine the simulation of DecKeyGen algorithms DecKeyGen.out and DecKeyGen.local as a single key query. When $\mathcal{E}$ makes a decryption query for the attribute set $A_d$, $\mathcal{Q}$ sends $A_d$ to $\mathcal{C}$ to obtain decryption key $SK_{A_d}$. $\mathcal{Q}$ then sets $R = R\cup\{A_d\}$. Finally it sends $SK_{A_d}$ to $\mathcal{E}$.

2. DecKey.blind Query: When $\mathcal{E}$ makes query for transformation key that corresponds to an attribute set $A_d$, $\mathcal{Q}$ will look for the entry tuple $(\varsigma, A_d, SK_d, TSK_{A_d}, RSK_{A_d})$ in table $\bf{T}_1$. If there exists the entry that corresponds to the query, $\mathcal{Q}$ will response with $TSK_{A_d}$, else an integer $z\in\mathbb{Z}^*_p$ is randomly selected by $\mathcal{Q}$, then computes $TSK_{A_d} = (TK_{d0}, TK_{d1}, \{TK_{d0, i}, TK_{d1, i}\}$ $\forall i\in A_d).$ where $TK_{d0}: = g^{\alpha/z}\nu^{\delta/z}$, $TK_{d1}: = g^{\delta/z}$, $TK_{d0, i} = (u_e^{i}h_e)^{\delta_i/z}w^{-\delta/z}$, $TK_{d1, i} = g^{\delta_i/z}$. $TSK_{A_d}$ is taken as another type of $SK_d$. $\mathcal{Q}$ finally stores the tuple entry $(A_d, \diamond, SK^\prime_{A_d}, \diamond)$ in Table $\bf{T}_1$ and return $TSK_{A_d}$ to $\mathcal{E}$.

Challenge Phase: $\mathcal{Q}$ receives the challenge access structure $\varUpsilon^*_e(A_d)$ from $\mathcal{E}$. $\mathcal{Q}$ then randomly chooses two messages $M_0$ and $M_1$ of equal length which he forwards to $\mathcal{C}$ to get a challenge ciphertext $SCT_{\varUpsilon_e}^* = (C_0, C_1, \{C^\prime_{i1}, C^\prime_{i2}\}i\in[\ell_e], \sigma_0, \{\sigma_i\}i\in[\ell_s])$ by executing Signcrypt algorithm of ^[25]. $\mathcal{Q}$ finally sends $SCT_{\varUpsilon_e}^*$ to $\mathcal{E}$.

Query Phase 2: $\mathcal{E}$ issues another sequence of queries with the condition that the querying key will not satisfy access structure. $\mathcal{Q}$ responds in similar way to the one simulated in Query Phase 1 and provides responds as in Query Phase 1.

Guess Phase: $\mathcal{E}$ provides as an output guess $\gamma$ likewise $\mathcal{Q}$ gives its output as $\gamma$.

In keeping with the earlier discussion, suppose $\mathcal{E}$ can attack our VFOABSC scheme with non-negligible advantage in the selective CPA-secure game. Likewise an algorithm $\mathcal{Q}$ can attack the scheme ^[25].

Theorem 5.2 (Ciphertext Unforgeability:). The proposed VFOABSC scheme is unforgeable if CDH hardness assumption holds.

Proof. Assume an adversary $\mathcal{A}$ can attack VFOABSC scheme with non-negligible advantage, then we can build an algorithm simulation $\mathcal{Q}$ that uses $\mathcal{A}$ to solve CDH problem. Provided with a tuple $(g, A = g^a, B = g^b)\in\mathcal{G}^3$ which is a random CDH instance, the role of $\mathcal{C}$ is to compute $g^{ab}$ where $a, b\in_R\mathbb{Z}^*_p$

Setup $\mathcal{Q}$ sets parameters as in Theorem 5.1. Selects randomly $a, b\in_R\mathbb{Z}^*_p$. Then sets $\varSigma = e(g^a, g^b)$. The aim of $\mathcal{Q}$ is to compute $g^{ab}$.

Queries $\mathcal{C}$ takes an empty Table $\bf{T}_1$ with an empty set $R$. Next, $\mathcal{Q}$ issues sequences of queries adaptively as follows;

1. DecKey Queries and DecKey.blind Query. These are similar to the above described CPA- game.

2. SigKey Query. We combine the SigKey algorithms simulation SigKey.out and SigKey.local as a single key query. When $\mathcal{A}$ makes a signing key query for the attribute set $A_s$, $\mathcal{Q}$ sends $A_s$ to $\mathcal{C}$ to obtain signing key $SK_{A_s}$. $\mathcal{Q}$ then sets $R = R\cup\{A_s\}$. Finally it sends $SK_{A_s}$ to $\mathcal{A}$.

3. SigKey.blind Query Assuming $\mathcal{A}$ makes a transformation secret signing key query associated with attributes $A_s$. $\mathcal{A}$ will find out if its stored in tuple $(A_s, SK_{A_d}, SK_{A_s}, TSK_{A_d}, RSK_{A_d})$. If it exists, $\mathcal{Q}$ returns $TSK_{A_s}$, otherwise it picks at random $\phi\in_R\mathbb{Z}^*_p$ then computes $TSK_{A_s} = [A_s, TK_{s1}, TK_{s2}, \{TK_{s, j}\}_{j\in A_s}$ where $TK_{s1} = g^{\alpha/\phi}\nu^{\delta^\prime/\phi}$, $TK_{s2} = g^{\delta^\prime/\phi}$, $TK_{s, j} = H_s(a)^{\delta^\prime/\phi}$, $\forall j\in A_s$. $TSK_{A_s}$ is represented as another kind of $SK_{A_s}$. For that matter, in the data owner's view there is similarity between third party (cloud) and end users. Lastly, the tuple record $(A_s, \diamond, SK^\prime_{A_s}, \diamond)$ is stored in $\bf{T}_1$ and $TSK_{A_s}$ is returned to $\mathcal{A}$.

Forgery $\mathcal{A}$ outputs forged ciphertext $SCT^*_{\varUpsilon_e}$, constructed under attribute set $A_s$ with the constraint that $A_s\notin\bf{T}_1$. $\mathcal{C}$ aborts if $A^*_s = A^\prime_s$

Whenever the signcryption ciphertext is valid, $\mathcal{A}$ wins and obtains

$\dfrac{e(\sigma_0, g^f)}{e(u_s^{\varsigma}w_s, C^f_{01}).(\Pi_{i\in[\ell_s]}e(\nu^{\varpi_i}H_s(\rho_s(i))^f, g^{\psi.{c_i}+\zeta x_i}) }$

$e(g^{ab}, g^f)$ = $\dfrac{e(\sigma_0, g^f)}{e((u_s^{\varsigma}w_s)^\xi, g^f).(\Pi_{i\in[\ell_s]}e(\nu^{\varpi_i}H_s(\rho_s(i))^{\psi.{c_i}+\zeta x_i}, g^f) }$

$g^{ab}$ = $\dfrac{\sigma_0}{(u_s^{\varsigma}w_s)^\xi.(\Pi_{i\in[\ell_s]}(\nu^{\varpi_i}H_s(\rho_s(i))^{\psi.{c_i}+\zeta x_i} }$ as a solution of CDH problem.

6.   Performance

This section describes the performance comparisons of several existing ABSC schemes ^{[25,29,31,51,52,53,56,57]} with our scheme. Table 2 provides a summary of the security requirements in terms of authentication, privacy, confidentiality, public verifiability and unforgeability. From the shown results, schemes ^{[25,29,31,57]} like our scheme enjoys all the security requirements mentioned above. Scheme ^[52,56] do not provide authentication, while ^{[51,52,53,56]} do not support signcryptor's privacy. On the other hand schemes ^[51,52,53] do not support public verifiability. All the schemes supports unforgeability security requirement. In Table 3, we compared the schemes in terms of functionality. Its only our VFOABSC scheme that achieves outsourcing key generation, outsourcing key generation verification, outsourcing signcryption and outsourcing designcryption simultaneously. The results in Table 3 indicates that our proposed scheme is more efficient in comparison with other schemes, since heavy computations are offloaded to the third party whose computation processing power is immense. As far as we know, our proposed VFOABSC scheme is the first ABSC scheme in literature that realizes fully outsourcing of expensive computations and therefore possesses promising and desirable properties applicable to resource-constrained IoT devices. Furthermore, similar to ^{[25,29,31,56,57]} our scheme adopted monotone span program rich in flexible expressions. Previous existing works ^[51,52,53] were constructed under threshold policy which is coarse-grained in nature and supports simple predicates and therefore do not have wider applications. Table 4 describes storage cost comparisons. Similar to schemes ^[31,56,57] our scheme has equal length size of private key and signing key which is slightly smaller in comparison with the sizes of other schemes. Scheme ^[29] has larger ciphertext size compared to other schemes. Scheme ^[25] do not have local signcryption computations. Abundant computation overhead is outsourced. Our scheme outsources majority of signcryption computations and therefore suffers less local computations costs compared to ^[29].

Table 5 presents the computation costs comparisons of signcryption (outsourced and local) and designcryption (outsourced and local) algorithms. During signcryption operation process, the data owner in our scheme and scheme ^[29] borrows computation power from the cloud service provider to generate partial ciphertext that is related to encryption and signing predicates. It will then use the portion generated to compute the remaining part of ciphertext. The cost burden on the data owner side reduces significantly. In designcryption phase, the final user in our scheme like in ^[29,31], only suffers single exponentiation cost in $\mathcal{G}_\tau$ compared to other schemes ^{[25,51,52,53,56,57]}.

For computation efficiency comparisons, we implemented our experiment using Stanford Pairing-Based Crypto (PBC) library ^[63] in VC++ 6.0. A laptop equipped with 2.67GHz Intel Core $i$3-M390 CPU and 8GB RAM executing in 64-bit Windows 10 operating system is used in our implementation. The size of $\mathcal{G}$ and $\mathbb{Z}_p$ is set to 64B (i.e 512 bits) whereas the size of $\mathcal{G}_\tau$ is set to 128B (i.e 1024 bits). Moreover, we adopted type A bilinear ^[63], in this case we employed supersingular curve $y^2 = x^3 + x$ defined when supplying ECC group. From the above stated settings, we obtained the results as shown in Table 7. Notation $T_{\mathcal{E}_1}$ denotes exponentiation computation time in $\mathcal{G}$, $T_{\mathcal{E}_2}$ denotes exponentiation computation time in $\mathcal{G}_\tau$ while $T_\mathcal{P}$ denotes pairing computation time. In Table 6 we make comparison of the execution time for both outsourced and local signcryption and outsourced and local designcryption of our scheme against schemes ^{[25,29,31,51,52,53,56,57]} by utilizing 10 and 20 number of attributes (in both signing and encryption predicates). Analyzing from the output, our scheme compared to others takes minimal execution time in running both local signcryption (164.52 $ms$) and local designcryption (3.68 $ms$) by employing 10 number of attributes (in both signing and encryption predicates) and (288.24 $ms$) and (3.68 $ms$) respectively for 20 number of attributes (in both signing and encryption predicates). This is because we outsourced expensive computation to the cloud server. Figure 5 and Figure 6 shows the corresponding graphs of signcryption (both outsourced and local) and designcryption (both outsourced and local) respectively for 10 number of attributes (in both signing and encryption predicates) while Figure 7 and Figure 8 presents the corresponding graphs of signcryption (both outsourced and local) and designcryption (both outsourced and local) respectively using size of 20 attributes (in both encryption and signing predicates). Therefore from the indicated results, our proposed scheme surpass those of the existing schemes in terms of computation overhead while at the same time achieving the desired security goals.

7.   Conclusion

This paper proposed ABSC scheme that is fully outsourced which as far as we know is the first work in literature that is fully outsourced. The scheme alleviates burden from IoT devices with limited resources and therefore improves computation efficiency without jeopardizing data owner's privacy. To realize this, we enhanced the scheme due to Rao ^[25] where we offloaded complex computations such as pairing and exponentiations operations to the cloud to make use of available abundant and scalable resources. Simple remaining computations is executed by respective IoT device user. In addition, our scheme supports confidentiality, fine-grained access control, unforgeability, public privacy, authentication and public verifiability properties. We also presented security proof to demonstrate that our proposed scheme is CPA-secure. Moreover, the simulation output indicates that our proposed scheme is efficient and therefore applicable to resource-constrained IoT devices due to limited storage capacity and lower computation power.

Our future work will include building provably secure fully outsourced ABSC scheme that supports policy updating in IoT devices while at the same time achieving CCA2 security.

Acknowledgments

The authors appreciate the work done by anonymous reviewers and their valuable comments. This work was supported by National Natural Science Foundation of China under Grant No. 61602097, Sichuan Science-Technology Support Plan Program under Grant Nos. 2016GZ0065, 2016ZC2575 and 17ZA0322, Fundamental Research Funds for the Central Universities under Grant No. ZYGX2015J072.

Conflict of interest

All authors declare that there is no conflicts of interest in this paper.