Weighted Attribute Based Conditional Proxy Re-Encryption in the Cloud

1  Introduction

Proxy re-encryption (PRE) refers to a cryptographic system with secure ciphertext transformation, where the agent acts as an intermediary for the ciphertext transformation, allowing the user to obtain the intended ciphertext. At the same time, in the process of ciphertext transformation, the agent can neither obtain the plaintext information nor the encryption key of the DO, so the agent can carry out ciphertext transformation in an untrustworthy environment. However, the disadvantage of the traditional PRE is that if the agent has the correct key for the DO, the agent can change all the ciphertexts of the DO to be decrypted by the user directly. The more granular delegation of decryption permissions that are required in a lot of application scenarios is not satisfied by this.

It was not until 2009 that Weng et al. [1] introduced the idea of Conditional proxy re-encryption (CPRE) to address this issue. This approach allows the DO to define a condition during the encryption process, which is then used to construct ciphertext with a transformation condition that can only be satisfied if the agent has a re-encryption key that satisfies that condition. The introduction of CPRE limits the ability of the agent to re-encrypt data, limiting it to transforming the partially satisfied ciphertexts of the DO even when the agent possesses the re-encryption key. Subsequently, various attribute-based conditional proxy re-encryption (AB-CPRE) schemes emerged to restrict the user’s decryption rights further. In the AB-CPRE scheme, the access structure will be used as a condition to restrict the agent from transforming the ciphertext. This optimizes the CPRE scheme in conjunction with the granular access control structure of attribute-based encryption (ABE), which provides a more granular delegation of decryption permissions than before.

The AB-CPRE scheme currently in use assumes that two users with identical attributes have the same access rights. For instance, an access policy should be set so that only physicians over 45 years old can access encrypted files. However, the physician attribute may comprise ‘director physician’, ‘associate director physician’, ‘house physician’, ‘doctor in charge of a case’. If we were to allow the director physician, associate director physician, or house physician over 45 years old to access the file, we would have to add three of the four sub-attributes divided under the physician attribute to the access structure. This access policy is {{“Director Physician” OR “Associate Director Physician” OR “house physician”} AND “Age > 45”}. Considering all possible situations will inevitably lead to a greater number of characteristics in the management system, making the access structure more complicated. The current AB-CPRE adopts the same access structure as its predecessor, treating attribute characteristics at the same level without hierarchical classification based on importance.

According to the needs of the actual situation, each attribute of the user is given a weight according to its own importance so that the user gets a set of weighted attributes. Assign weights of 4, 3, 2, and 1 to ‘director physician’, ‘associate director physician’, ‘house physician’, ‘doctor in charge of a case’, respectively. If a weighted access policy is constructed, it can only satisfy the above three cases. This weighted access policy is {“Physician {2}” AND “Age > 45”}, where “Physician {2}” indicates that the node requirement can only be satisfied if the user’s attribute weight is not less than 2. As shown in Fig. 1, the improved weighted access tree is simpler, and the effect is more pronounced as the user attributes are divided into more levels.

Figure 1: Comparison of access policy

By assigning appropriate weights to the attributes, the identity characteristics of each user are further refined, and the agent can more accurately restrict the user’s decryption rights through the weighted access policy. At the same time, setting a weighted access policy can further simplify the access structure. Therefore, in order to granular delegation of decryption permissions for AB-CPRE, it is meaningful to propose a weighted attribute-based conditional proxy re-encryption (WAB-CPRE) scheme at this stage.

1.1 Related Work

Blaze et al. [2] first presented the idea of PRE, who created a scheme that was fundamentally comparable to the ElGamal encryption method [3] by using a public-key cryptography algorithm with straightforward proxies. As PRE is slowly becoming an important cryptographic primitive in secure cloud computing and cloud storage, PRE is required to support a more granular delegation of decryption permissions for practical applications at this stage. Weng et al. [1] presented the idea of CPRE for the first time and proved that the scheme satisfies CCA security. However, early CPRE schemes used simple keywords or “AND” joins of multiple keywords as conditions for re-encryption by the agent, but these CPRE schemes are still somewhat unsatisfactory for the granular delegation of decryption permissions required by practical examples.

An AB-CPRE system was initially presented by Zhao et al. [4] in 2010. It allows attribute-based management of decryption delegation by allowing access structures and attribute sets to be established. The scheme embeds access structure in the re-encryption key, the collection of attributes into the ciphertext, for the first time realizing granular conditions than the keyword. A new AB-CPRE technique was suggested by Yang et al. [5], who also showed how useful the scheme is for cloud deployment. This scheme uses a ciphertext policy to realize AB-CPRE, which is more natural and flexible compared to the literature [4]. An identity-based CPRE will be presented by Yao et al. [6] in 2021. It solves the problem that the traditional PRE scheme focuses on access authorization and ignores key updates and ciphertext evolution. Subsequently, a granular certificateless CPRE scheme without pairings was proposed by Yang et al. [7]. It not only solves the problem of the traditional certificates CPRE scheme that does not support one-to-many transformations but also improves the efficiency of the scheme through the without pairings approach.

In 2023, Tang et al. [8] proposed an attribute-based verifiable CPRE scheme, which is based on homomorphic signatures, and introduced a verification server so that the re-encrypted ciphertext can be verified by a verification server. The scheme can determine whether the original ciphertext has been correctly transformed and thus can effectively detect the agent’s illegal activities. First, in 2024, a single-hop directly revocable AB-CPRE was proposed based on standard LWE assumptions [9], which provides more flexible access control while allowing the delegate to dynamically authorize and revoke a user’s decryption privileges.

However, none of the existing AB-CPRE schemes describe the importance of attributes, but in reality, the access rights of different users with the same attribute may not be the same. Liu et al. [10] generalized the traditional ABE and proposed a weighted ABE scheme by performing weighting operations on attributes according to their importance. Only when the ciphertext contains a set of attributes with different weights that satisfy the access structure can the user decrypt the ciphertext. However, this scheme is only an improvement of the traditional ABE, and there is no function for a semi-trusted agent to securely transfer the decryption right of its ciphertext. Therefore, this scheme, compared to the scheme [10], in addition to supporting the delegation of decryption rights, also has a more fine-grained delegation of decryption rights than the current AB-CPRE. Meanwhile, this program supports the direct revocation of user access rights, which solves the complex revocation work of traditional attribute-based encryption. High user-side efficiency is also a major advantage of this scheme, which enables users to decrypt access to data on cloud services on resource-constrained devices.

1.2 Contribution

A WAB-CPRE scheme will be presented in conjunction with Liu et al. [10] approach to achieve a more flexible and granular delegation of decryption permissions in a cloud computing environment. The following are the principal contributions:

•   By introducing the concept of weighted attributes, the user’s identity characteristics are refined, and the decryption delegation of the AB-CPRE scheme is fine-grained. Assigning weights to each user’s attributes according to the degree of importance can relieve the number of system attributes and ease the server management burden. The effect of this simplification is more pronounced when the user hierarchizes more attributes or has more levels at which each attribute is hierarchized.

•   In conjunction with CPRE technology, a weighted access tree will be set up to control user access rights. The cloud service provider (CSP) can successfully transform the ciphertext decryption permission to the user as long as the user’s collection of weighted attributes satisfies the weighted access structure set by the DO.

•   By assigning the re-encryption procedures to the server, outsourcing techniques help the DO cut down on computational and communication expenses. At the same time, the scheme supports the direct revocation of the user’s decryption right, eliminating the tedious procedure of updating the ciphertext data and distributing re-encryption keys in the original revocation function.

•   The security of the CPA is accomplished under decision l-Expanded Bilinear Diffie-Hellman exponent (l-Expanded DBDH) assumptions. To illustrate the greater user-side computing and communication efficiency of the proposed method, simulation experiments are carried out in addition to a comparison and analysis of its functionality and performance.

1.3 Organization

The remainder of the document is arranged as follows: Section 2 focuses on basic preparatory knowledge. Section 3 gives the algorithm definition and security model, and the application scenarios are specifically analyzed at the end of this section. Section 4 details the specific construction and security analysis. Then, in Section 4, the performance analysis is made by comparing the scheme with the existing schemes. Lastly, Section 6 provides the paper’s conclusion.

2  Preliminaries

2.1 Access Structure

Definition 1: If there are n participants, let {P1,P2,…,Pn} be a collection of participants. The set P⊆2{P1,P2,⋯,Pn} is monotone if ∀D,E: D∈P, D⊆E then E∈P, where the access structure is a nonempty subset of {P1,P2,…,Pn}, P⊆2{P1,P2,⋯,Pn}∖(∅). Assume that there is an authorized subset of set P and that there are illegal sets for the other sets that are not in P.

2.2 Weighted Access Tree

In the WAB-CPRE scheme, the DO uses a collection of descriptive weighted attributes A to structure the associated re-encryption key. DO specifies the desired P for the message and creates the ciphertext under P. When a collection of descriptive weighted attributes A satisfies P, the CSP successfully transforms the ciphertext and transmits it to the user. We name Γ, which contains both leaf and non-leaf nodes, as its weighted access tree. The non-leaf node x consists of the number of sub-nodes numx and the threshold kx, where 0≤kx≤numx. When kx=numx and kx=1 are set to “AND” and “OR” gates, the leaf node represents a weighted attribute, and the kx of its parent node is increased by 1 if the user’s weight for that attribute is satisfied. The function parent(x) can be called on the parent of node x, while the function att(x) can extract the weighted attribute connected to the leaf node. Assign a unique index value to each child node of a non-leaf node in order from 1 to numx, and the function index(x) is used to represent the index value of that child node.

2.3 Satisfying a Weighted Access Tree

Γn is defined as a weighted access tree with root x. Define a collection of attributes A satisfies Γx as Γx(A)=1. We define a recursive algorithm to compute the value of Γx(A). The Γx of a non-leaf node x returns 1, and a specific number of its leaf nodes must be required to all have a Γx′ of 1. If x is a leaf node, the value of Γx′ is 1 when the weight of the attribute attribute λx in A is not less than the weight of the attribute of the leaf node, that is, weight(λx)≥weight(att(x)).

2.4 The Decisional l-Expanded BDHE Assumption

We introduce the paper [11] constructing the decision l∗-Expanded Bilinear Diffie-Hellman Exponent problem. The a,b,c0,⋯,cl+1,d∈ZP chosen randomly and g is a generating element of the cyclic group G. Assume that an opponent is provided X=

g,ga,gb,gab/d,gb/d∀i∈[0,2l+1],i≠l+1,j∈[0,l+1]gais,gaibs/cj∀i∈[0,l+1]gaib/ci,gci,gaid,gabci/d,gbci/d∀i∈[0,2l+1],j∈[0,l+1]gaibd/cj∀i∈[0,l+1],i≠jgaibcj/ci

Define random tuple (X,R)∈GT and tuple (X,T=e(g,g)al+1bs)∈GT, where R is chosen independently from GT. Let Algorithm B have an advantage in solving the decision l-Expanded BDHE in G is ϵ.

|Pr[B(X,T=e(g,g)al+1bs)=0]−Pr[B(X,T=R)=0]|≥ϵ

Definition 2: The assumption of decision l-Expanded BDHE is valid if no algorithm is able to obtain a non-negligible advantage in polynomial time when addressing the problem.

3  Definition and Application

3.1 Algorithm Definition

Setup(1λ,W)→Params: After inputting the master entity’s security parameters 1λ and attribute universe W, this algorithm produces the scheme’s public parameters, and the public parameters are published by the master entity.

KenGen(u)→Sku,Pku: The algorithm outputs the key pairs Sku, Pku for the user u.

Enc(PkA,m,Γ)→CA: Given an access tree Γ input the message m that you want to encrypt and the DO’s public key PkA. The algorithm generates ciphertext CA.

ReKenGen(SkA,AB,PkB)→SkA→B: After inputting the private key SkA of the DO and a collection of weighted attributes AB and public key PkB of the user B. Subsequently, the algorithm outputs SkA→B associated with the set of weighted attributes.

ReEnc(SkA→B,CA)→CB: The algorithm is performed by the CSP. Enter the ciphertext CA and the user’s re-encryption key SkA→B. If the collection of weighted attributes AB satisfies the weighted access structure P, the algorithm sends the ciphertext CB to the user.

Dec(SkB,CB)→m: The decryption algorithm takes the key SkB and the converted ciphertext CB as input, which produces the plaintext m if SkB is a working decryption key.

3.2 Security Model Definition

Init. The adversary 𝒜 chooses and declares a weighted access structure P∗.

Setup. Challenger ℬ executes the Setup algorithm and outputs params and then performs the KenGen algorithm to obtain the key pairs PkQ/SkQ. Finally, 𝒜 sends the output params to ℬ.

Phase 1. Using a different collection of weight attributes A1,A2,A3,…,Aq1, respectively, adversary 𝒜 asks challenger ℬ for the re-encryption keys. Subsequently, challenger ℬ responds by executing the KenGen algorithm to distribute the key pairs PkJ/SkJ a for adversary 𝒜 and by using the ReKenGen(SkQ,Aj,PkQ)→rkQ→J algorithm to create a re-encryption key for 𝒜. Finally, the key pairs PkJ/SkJ and rk are returned to the adversary.

Challenge. Two challenge messages of identical length, m1 and m2, are sent by the adversary. The challenger ℬ tosses a coin β at random and encrypts the message mβ by running an Enc algorithm under a weighted access structure P∗ and submits the ciphertext C∗ to 𝒜.

Phase 2. Using a different collection of weight attributes Aq1+1,Aq1+2,Aq1+3,…,Aq2 again, adversary 𝒜 asks the challenger for the re-encryption keys. As in phase 1, the challenger returns PkJ and rk to the adversary if Ai satisfies P∗; otherwise, PkJ/SkJ and rk are returned to the adversary.

Guess. A guess about β is output by the adversary.

Definition 3: A WAB-CPRE scheme satisfies CPA security if, for any PPT adversary 𝒜, there exists a negligible function ϵ(K) such that AdvA≤ϵ(K), which defines 𝒜’s advantage in this game to be AdvA=Pr[β′=β]−12.

3.3 Application Scenario

The system model of the WAB-CPRE scheme includes four entities: the data owner (DO), the user, the cloud service provider (CSP), and the key generation center (KGC). Using the hospital employee system as an example, we can better demonstrate the system model by designating the DO Alice and the user Bob as the medical staff and the hospital administration, respectively. Assuming that the collection of weighted attributes of the healthcare worker meets the weighted access structure set by the hospital administrator, Fig. 2a shows the data sharing procedure from the hospital administrator (Alice) to the healthcare worker (Bob), and Fig. 2b illustrates the multiple operations involved between the various entities.

Figure 2: System model and workflow

First, Alice sets the access rights for each file according to the roles of the accessors and delivers the encrypted ciphertext to the CSP. Subsequently, Alice assigns re-encryption keys to healthcare workers (which includes Bob) at different position levels in each department and uploads them to the CSP. The CSP stores a large amount of received ciphertext data and keys in two separate tables. Bob notifies the CSP of his requirement for access to the pertinent files by sending a request. The CSP extracts the appropriate ciphertext file and Bob’s re-encryption key from a lookup table and performs the ReEnc algorithm. If Bob’s collection of attributes meets the weighted access structure, the CSP successfully transforms the ciphertext and transmits it to Bob. At last, Bob runs the algorithm to decrypt and extract the plaintext data.

The system takes advantage of cloud services by outsourcing large amounts of data and complex calculations to a CSP, which acts as a semi-trusted platform and will not extract any information from the uploaded data. Having the correct re-encryption key is an important condition for CSP to securely translate decryption permissions. When a healthcare worker leaves the hospital or joins the staff, there is no revocation of the role attribute in the system, but rather the revocation of the old healthcare worker’s access rights and the granting of the new healthcare worker’s access rights. Therefore, when a healthcare worker leaves and joins the staff, the system can remove or add the re-encryption key for that healthcare worker directly from the cloud.

4  Construction and Security Analysis

4.1 The Construction

Setup(1λ,W): First, the security parameter 1λ and the attribute domain W are input for the algorithm. Define a bilinear map e:G0×G0→GT, where G0 and GT are cyclic groups of prime order p, and g is chosen as the generators of G0, a hash function H:{0,1}→G0. The scheme assigns a maximum weight of li to each attribute separately. The random number zi,h(i0),h(i1),…,h(ili)∈G0 is generated for ∀wi∈W and published (Table 1 shows the meaning of each symbol in this scheme):

Params={e(g,g),g,H(⋅),∀wi∈W{zi,h(i0),…,h(ili)}}

KenGen(u): The key generation center first selects xu,αu,βu∈Zp for user u randomly and computes yu=gxu,hu=gβu,fu=e(g,g)αu, then outputs user’s key pairs Pku, Sku.

Sku={xu,αu,βu}, Pku={yu,hu,fu}.

Enc(PkA,m,Γ): The DO inputs the public key PkA, the message m, and the weighted access tree Γ. Let Y be the collection of leaf nodes of a weighted access tree Γ. Each leaf node λi represents an attribute that has a weight value of ωi, where 0<ωi<li. For ∀λi∈Y, the encryption algorithm randomly generates s(i0),s(i1),…,s(iωi−1)∈ZP. Generates the secret value s∈ZP of the root node R and generates a polynomial qR of order kR−1 such that qR(0)=s. Then, a kx−1 order polynomial is generated for all child nodes x of the root node R, setting qx(0)=qparent(x)(index(x)) finally until all leaf nodes are assigned the unique secret value s(iωi). The function att(x), which indicates the attributes connected to that leaf node x, is defined exclusively in cases when x is a leaf node.

First, set c=m⋅fAs and c′=hAs.

Then let 0≤j≤ωi, when j=0, for ∀λi∈Y set:

c(i0)=gs(i0),c~(i0)=(h(i0))s(i0)

when 0<j<ωi, for ∀λi∈Y set:

c(ij)=gs(ij),c˜(ij)=(h(ij))s(ij)⋅H(att(λi))s(ij−1)

c(ij)=gqλi(0),c~(ij)=(h(ij))qλi(0)⋅H(att(λi))s(ij−1)

Finally, output ciphertext:

CA={c,c′,∀λi∈Y{c(ij),c~(ij)}j∈[0,ωi]}

ReKenGen(SkA,AB,PkB): The algorithm starts by picking a random number r∈Zp for ∀wi∈AB pick r(ij)∈Zp, where j∈[0,ωi′] (ωi′ denotes the magnitude of the weight of the weighted attribute wi).

Firstly, set k=(yBαAgr)−βA

Secondly, for ∀wi∈AB, when j=0 set:

k(i0)=gr(h(i0))r(i0),k~(i0)=gr(i0)

when j∈(0,ωi′] set:

k(ij)=g−rH(wi)r(ij),k~(ij)=gr(ij),k~~(ij)=gr(h(ij))r(ij)

Finally, output the re-encryption key:

SkA→B={k,k(i0),k~(i0),∀wi∈P{k(ij),k~(ij),k~~(ij)}j∈(0,ωi′]}

ReEnc(SkA→B,CA): First, define a recursive algorithm ReEncNdn(SkA→B,CA), where n is a node of the tree Γ. ① In the case where n is a leaf node, then define z=att(n) and give the following definition: If z∉AB, then ReEncNdn(SkA→B,CA)=⊥; otherwise, let ReEncNdn(SkA→B,CA)=Fn. Then, run the recursive algorithm ReEncNdn(SkA→B,CA) to find the specific value of Fn.

First, when j=0 set:

B(i0)=e(c(i0),k(i0))⋅e(c~(i0),k~(i0))−1=e(g,g)r⋅s(i0)

Second, when j∈(0,ωi] set:

B(ij)=B(ij−1)⋅e(c(ij−1),k(ij))⋅e(c~(ij),k~(ij))−1⋅e(c(ij),k~~(ij))=e(g,g)rs(ij)

Finally, if ωi≤ωi′ is satisfied, then B(iωi)=e(g,g)r⋅qλi(0) and let Fn=B(iωi)=e(g,g)r⋅qn(0).

② In the case where n is a non-leaf node, the recursive algorithm ReEncNdx(SkA→B,CA) is called. Let Sn be the set of Fv of size not less than tn, where v is a leaf node of n and Fv≠⊥. Then Fn=⊥ if there isn’t such a collection, otherwise:

Fn=∏v∈SnFv△i,Sn′(0),whereSn′={index(v):v∈Sn}i=index(v),=∏v∈Sn(e(g,g)r⋅qv(0))△i,Sn′(0)=∏v∈Sn(e(g,g)r⋅qparent(v)(index(v)))△i,Sn′(0)=∏v∈Sn(e(g,g)r⋅qn(i))△i,Sn′(0)=e(g,g)r⋅qn(0)

③ If n is the root node, then Fn=e(g,g)r⋅s.

At last compute c~=e(k,c′)e(g,g)r⋅s=fAs⋅xB and c=m⋅fAs, then outputs the re-encrypted ciphertext as CB={c,c~}.

Dec(SkB,CB): The user performs the decryption algorithm. After entering a valid private key SkB and the re-encrypted ciphertext CB, the following computation is performed to obtain the plaintext message:

c(c~)xB−1=m⋅fAs(fAs⋅xB)xB−1=m

4.2 Security Analysis

There are two separate situations to take into account. ① The first case is when none of the collection of attributes Aj satisfies the P∗. Adversary 𝒜 would receive the key pairs PkJ/SkJ and the re-encryption key rkQ→J that challenger ℬ provided to the user. ② The second case is when at least one of the attribute collections Aj satisfies the weighted access structure P∗. Therefore, the challenger ℬ returns the user’s public keys PkJ and rkQ→J to 𝒜.

Assume, for the first example, that there is a polynomial-time 𝒜 whose advantage in attacking the selective access tree model in this scheme is AdvA. The security model for this case is the same as in the paper [10]. The following describes in detail the parameterization, ciphertext generation, and re-encryption key request of adversary 𝒜 by simulator ℬ during the simulation process. The simulation process is shown below:

Definition 4: Assume that the decisional l∗-Expanded BDHE assumption is valid. Then, given a challenge access tree Γ∗, no adversary with polynomial time could selectively compromise our system.

First, challenger ℬ chooses two cyclic groups, G0 and GT, where g is the generator of G0. ℬ flips an arbitrary binary coin μ. When μ=0, 𝒜 sets (X,T=e(g,g)aω∗+1bs); when μ=1, the challenger ℬ sets (X,R), where R is chosen independently from GT.

Init. 𝒜 selects and declares a weighted access structure P∗.

Setup. Choose random indices v(k0)⋯v(kω∗),vzk,a,cj,b,d,r∈Zp, and ω∗ is the weight value of attribute k, k∈U (U is attribute universe). The challenger uses an empty table in order to mimic the hash function H. When 𝒜 asks a query k that has never been asked before, ℬ computes gvzk and adds a table entry (k,gvzk) to the table, returning gvzk to 𝒜. The challenger chooses a random identity Q and executes the KenGen algorithm to obtain key pairs PkQ/SkQ, where e(g,g)r=e(ga,gb) is defined and parameterized:

h(k0)=gv(k0)⋅∏j∈[1ω∗]g−ajb/cj,h(ki)=gv(ki)⋅∏j∈[0ω∗+1],i≠jg−a(ω∗+1−j)b/c(ω∗+1−j).

Phase 1. Adversary 𝒜 makes a key query to the challenger. ℬ implicitly setting r(k0)=∑i∈S(k0)gci+1 and executes the KenGen algorithm using a random user identity and generates the key pairs PkJ/SkJ for adversary 𝒜. For ∀k∈S∗, define a set S(kt), where t∈[0,ω∗].

When t=0, set K~(k0)=gr(k0)=∏i∈S(k0)gci+1

K(k0)=gab(h(k0))r(k0)=gab⋅(K~(k0))v(k0)⋅∏j∈[1ω∗],i∈S(k0)j≠i+1g−ajbci+1/cj

When t∈(0,ω∗], set K~(kt)=gr(kt)=∏i∈S(kt)gaid

K(kt)=g−ab⋅(K~(kt))vzk

K~~(kt)=gab(h(kt))r(kt)=gab(K~(kt))vzk⋅∏j∈[0ω∗+1],i∈S(kt)j≠ig−aω∗+1−j+ibd/cω∗+1−j.

Challenge. When ℬ starts to create a challenge ciphertext, it is necessary first to establish the individual node polynomials of the access tree Γx. If the collection S does not satisfy Γx, then Γx(S)=0. To access all sub-nodes x′ of the tree Γx, define λx′∈Zp and compute λx′=qx(index(x′)). Ultimately, polynomials for the remaining nodes are recursively created.

When x′ is a sub-node of x that satisfies the collection of weighted attributes, the value of qx(index(x′)) can be calculated. The simulator subsequently runs the recursive algorithm RecSat(Γx′,S,qx(index(x′))) to generate a polynomial for that node. If the node x′ is an unsatisfiable child node, the value of gqx(index(x′) can be computed by interpolation algorithm. The simulator then runs the recursive algorithm RecUnsat(Γx′,S,gqx(index(x′))) to generate a polynomial for the node. At last, the value of qk(0) for each leaf node is output, k.

Let s(ki)=airk′∈Zp. Two equal-length challenge messages m1 and m2, are submitted by adversary 𝒜, and the challenger tosses a coin, β.

Cm=mβ⋅T,c(k0)=grk′,

c~(k0)=(h(k0))rk′=(grk′)v(k0)⋅∏j∈[1,ωk∗]gaibrk′/cj.

When i∈(0,ω∗], it set:

c(ki)=gai⋅rk′,c~(ki)=(gai⋅rk′)v(ki)⋅(gai−1⋅rk′)vzk⋅∏j∈[1,ωk∗]gaω∗+1−j+ibrk′/cω∗+1−j.

If T=e(g,g)aω∗+1bs is a correct Expanded BDHE tuple, then Cm is the ciphertext encrypted by mβ. If not, then Cm is a random element in GT, and 𝒜 will not have access to valid information about β.

Guess. 𝒜 will provide a guess β′. Judge the output according to the following rules: If β′=β, the simulator outputs 1. If not, the simulator outputs 0.

When the simulator outputs 1, the simulation attack view of adversary 𝒜 is the same as the actual attack view, so that we can get Pr[B(y,T=e(g,g)aω∗+1bs)=0]=12+AdvA. On the other hand, if the simulator returns 0, then the message mβ is concealed from 𝒜, where T is a random selection from GT. As a result, the simulator is able to play that game with a non-negligible advantage.

For the second scenario, the collection of weighted attributes Aj of the key query performed by 𝒜 all satisfy the challenge weighted access structure P∗. Thus, 𝒜 can obtain the transformed ciphertext. A detailed description of the proposed scheme’s security game under the CPA follows.

Init. 𝒜 selects and declares a weighted access structure P∗.

Setup. As in the same case, challenger ℬ sets the public parameters and sends them to 𝒜. Subsequently, ℬ selects a random identity Q and executes the KenGen algorithm to obtain the public PkQ and private key SkQ.

Phase 1. The adversary 𝒜 performs a re-encryption key lookup operation by providing a weighted attribute set Aj to the challenger ℬ (This weighted attribute set Aj satisfies the weighted access structure P∗). For the weighted access structure Aj received by the challenger for the j th time, ℬ first randomly chooses xJ,αJ,βJ∈Zp and generates the private key SkJ of 𝒜. Subsequently, select r,r(it), where i∈Aj,t∈[0,ωi∗], and return PkQ, PkJ, rk={k=(yJαQgr)−βQ,k(it),k~(it),∀i∈A{k(it),k~(it),k~~(it)}t∈(0,ωi∗]} to 𝒜.

Challenge. Challenger ℬ chooses s,s(it)∈ZP, where i∈Aj,t∈[0,ωi∗−1]. Then, the challenger distributes secret values according to P∗ declared by 𝒜 so that each leaf node of Γ is assigned a unique secret value. Finally, after 𝒜 sends two challenge messages m1,m2, ℬ chooses ϑ∈ZP, and computes c=e(g,g)ϑ,c′=gβ⋅s to return the ciphertext C to 𝒜.

Phase 2. The challenger keeps answering A’s questions on re-encryption key generation.

Guess. A guess about β is output by the adversary 𝒜.

We will cite a game [12] where the challenged ciphertext c is either e(g,g)α⋅s or e(g,g)ϑ, where ϑ∈ZP. The adversary 𝒜 has to guess which is correct. Next, we prove with likelihood 1−O(q2/p) that A’s guess is c=e(g,g)α⋅s in the simulation. Adversary 𝒜 has an advantage of at most O(q2/p) given c=e(g,g)α⋅s, since the challenge message c=e(g,g)ϑ is independent of the encrypted message.

When 𝒜 requests the group oracles, we require 𝒜 to obtain values only from the simulation. Here we consider an oracle query as a rational function π=γ/η and 𝒜 queries only in the variables xA,xB,αA,αB,βA,βB,s,s(it),r,r(i,t). Since the adversary’s two different formal rational functions γ/η, γ′/η′ will have an accidental collision caused by the random choice of variables, the condition is set that no collision of this kind occurs in any of the groups G0, GT. A collision occurs if and only if for different rational functions γ/η and γ′/η′ of the query satisfy γη′−ηγ′=0. Note that the total degree of γη′−ηγ′ is in our case at most 5, the likelihood of this event, according to the Schwartz-Zippel Lemma [13,14], is O(1/p). By a union bound, the probability of a collision occurring is maximized to O(q2/p) so that it can be calculated that there is a 1−O(q2/p) probability that no accidental collision will occur.

Conditional on the absence of collisions, if the challenger sets ϑ=α⋅s, we must show that the opponents’ views are identically distributed. In particular, under the above setup conditions, the only way to make an adversary’s viewpoint different is two queries π, π′ in G0 such that π≠π′ but π|ϑ=α⋅s≠π′|ϑ=α⋅s. However, that case will not occur since only e(g,g)ϑ is computed from the element ϑ in G0. Thus, for some constant ψ≠0, one must have π−π′=ψαs−ψϑ. When we provide a query a to the adversary, the adversary 𝒜 will never be able to construct a query for e(g,g)ψαs as long as there is no accidental collision, which contradicts the above theory, thus proving the theorem.

4.3 Correctness Analysis

This subsection demonstrates the correctness of the scheme. First, this subsection shows the process of DO A decrypting the original ciphertext CA using the original key SkA. Secondly, a correctness proof of the evolution of the ciphertext from the original ciphertext CA to CB is given. Finally, evidence of the correctness of the evolved ciphertext CB in the decryption process is presented.

(1)   Decryption of original ciphertext CA: The original encrypted message and the public-private key pair obtained by the DO are CA={c,c′,∀λi∈Y{c(ij),c~(ij)}j∈[0,ωi]}, SkA={xA,αA,βA} and PkA={yA,hA,fA} respectively. The decryption of original ciphertext is given as follows:

m⋅fAse(g,hAs)αA⋅βA−1=m⋅e(g,g)αAe(g,gβA)αA⋅βA−1=m

(2)   The agent acquires the evolved ciphertext CB: Upload the original ciphertext CA={c,c′,∀λi∈Y{c(ij),c~(ij)}j∈[0,ωi]} and the re-encryption key SkA→B={k,k((i0)),k~((i0)),∀w∈P{k(ij),k~(ij),k~~(ij)}j∈(0,ωi′]} to the cloud server. Only the process of calculating c~ is given below, and c is the same as the original ciphertext:

c~=e((yBαAgr)−βA,hAs)e(g,g)rs(ij−1)⋅e(c(ij−1),k(ij))⋅e(c~(ij),k~(ij))−1⋅e(c(ij),k~~(ij))=e((yBαAgr)−βA,hAs)e(g,g)rs(ij−1)⋅e(gs(ij−1),g−rH(wi)r(ij))⋅e((h(ij))s(ij)⋅H(att(λi))s(ij−1),gr(ij))−1⋅e(gs(ij),gr(h(ij))r(ij))=e((yBαAgr)−βA,hAs)e(g,g)rs(ij−1)⋅e(gs(ij−1),g−r)⋅e(gs(ij−1),H(wi)r(ij))⋅e((h(ij))s(ij),gr(ij))−1⋅e(H(att(λi))s(ij−1),gr(ij))−1⋅e(gs(ij),gr)⋅e(gs(ij),(h(ij))r(ij))=e((yBαAgr)−βA,hAs)e(gs(ij),gr)=e((gxBαAgr)−βA,gβA⋅s)e(g,g)r⋅s=fAs⋅xB

(3)   Decryption of delegated ciphertext CB:When the user wants to access the ciphertext CA, the agent will use the re-encryption key SkA→B of user B to obtain the evolved ciphertext CB. Subsequently, the user decrypts it using his private key SkB={xB,αB,βB} and the CB={m⋅fAs,fAs⋅xB} obtained from the agent. The derivation process is as follows:

m⋅fAs(fAs⋅xB)−xB=m

5  Performance Analysis

5.1 Performance Comparison

As shown in Table 2, it demonstrates the functionality and performance comparison of the proposed scheme with Xiong’s scheme [16], Yao’s scheme [6,15,17]. Let tw,tv,tm,te and tp denote the computation time of signature verification, ciphertext verification, multiplication operation, modular exponentiation, and pairing, respectively.