Analysis of an ABE Scheme with Verifiable Outsourced Decryption

Attribute-based encryption (ABE) is a popular cryptographic technology to protect the security of users' data in cloud computing. In order to reduce its decryption cost, outsourcing the decryption of ciphertexts is a feasible method, which enables users to outsource a large number of decryption operations to the cloud service provider. To guarantee the correctness of transformed ciphertexts computed by the cloud server via the outsourced decryption, it is necessary to check the correctness of the outsourced decryption so as to ensure the security of users' data. Recently, Li et al. proposed an ABE scheme with full verifiability of the outsourced decryption (ABE-VOD) for both authorized users and unauthorized users, which can simultaneously check the correctness of the transformed ciphertext for both of them. However, in this paper we show that their ABE-VOD scheme cannot obtain the results which they claimed, such as finding out all invalid ciphertexts, and checking the correctness of the transformed ciphertext for the authorized user via checking it for the unauthorized user. We first construct some invalid ciphertexts which can pass the validity checking in the decryption algorithm. That means their "verify-then-decrypt" technique does not work. Next, we show that the method to check the validity of the outsourced decryption for the authorized users via checking it for the unauthorized users is not always correct. That is to say, there exist some invalid ciphertexts which can pass the validity checking for the unauthorized user, but cannot pass the validity checking for the authorized user.


Introduction
Recently, cloud computing has become a very fascinating computing paradigm, in which storage and computation have moved away from terminal devices to the remote side. There are many novel applications in this area, such as outsourcing computation [1,2] and outsourcing verification [3]. This new and popular method brings important changes to the management, distribution and sharing of the data of enterprises and individuals, especially for constrained devices such as mobile phones and wireless sensors. Cloud clients (or sensors) are able to achieve significant cost savings by outsourcing their data storage and computation to cloud service providers. Since the data of cloud clients (or sensors) are no longer under their own control, how to ensure the data security of cloud clients (or sensors) is a significant problem in both academia and industry. Utilizing cryptographic schemes is an essential method to achieve this goal, and attribute-based encryption (ABE) [4] is one of the most popular notions studied and utilized in cloud computing, since it provides flexible and fine-grained access control.
The notion of ABE was first introduced by Sahai and Waters [4]. There are two different types of ABE schemes according to the manner in which the access control policy is deployed: key-policy attribute-based encryption (KP-ABE) [5] and ciphertext-policy attribute-based encryption (CP-ABE) [6]. In a KP-ABE scheme the ciphertexts are labeled with sets of attributes, and access policies over these attributes are associated with the clients' private keys. In a CP-ABE scheme every ciphertext is associated with an access policy, and every client's private key is associated with a set of attributes. Decryption in any ABE system requires that the set of attributes satisfy the access policy, and in most existing ABE schemes one of the main drawbacks is that the length of the ciphertext and the decryption computational cost grow with the complexity of the access policy. This becomes a critical obstacle in various applications, especially applications on resource-limited devices.
In order to reduce the decryption time and the computation cost, Green et al. [7] proposed an ABE scheme with outsourced decryption (ABE-OD). In their scheme, an authorized client first delegates an untrusted cloud server to convert the original ciphertext into a transformed ciphertext with a transformation key, and then the client obtains the plaintext from the transformed ciphertext with a small overhead. The ABE-OD scheme does not leak any information about the encrypted data. However, the ABE-OD scheme proposed by Green et al. cannot ensure the correctness of the transformed ciphertext, since the cloud server is public and untrusted. The untrusted cloud server may send a wrong transformed ciphertext to the clients to save computing cost, or it may suffer a malicious attack which also causes an incorrect transformed ciphertext to be generated. In order to ensure the correctness of the ciphertext, Lai et al. [8] put forth an ABE-OD scheme that can check the correctness of the transformed ciphertext generated by the cloud server, which is called ABE with verifiable outsourced decryption (ABE-VOD). In their ABE-VOD scheme, the data owner encrypts a plaintext and a random message into the ciphertext respectively, and generates a commitment to the actual plaintext and the random message. In the decryption algorithm of their ABE-VOD scheme, the client computes the plaintext and the random message and uses the commitment to verify whether the transformed ciphertext was generated correctly. A client is able to verify the correctness of the transformed ciphertext if and only if his/her attribute set satisfies the access structure associated with the ciphertext. Subsequently, several ABE-VOD schemes were proposed with different methods and for distinct scenarios in [9,10,11,12,13]. Qiu et al. [14] used an ontology-based approach to achieve attribute-based access control as well.
Recently, Li et al. [15] proposed full verifiability for outsourced decryption in ABE, which can simultaneously check the correctness of the transformed ciphertext for authorized clients and unauthorized clients. In their scheme, a data owner constructs two access policies, for the authorized clients and the unauthorized clients respectively. The data owner then uses a short "signature" for each ciphertext to ensure that the client can verify the validity of the transformed ciphertext. In order to avoid first computing the plaintext and then verifying the validity of the ciphertext, Li et al. used the "verify-then-decrypt" technique rather than the "decrypt-then-verify" paradigm. That is to say, the client first verifies the validity of the ciphertext or the transformed ciphertext, and then decrypts it and obtains the corresponding plaintext or random message only if the ciphertext or the transformed ciphertext passes the validity check.

Motivation and Contribution
In cloud computing, the ABE-OD scheme cannot ensure the correctness of the ciphertext or the transformed ciphertext, because the cloud server is untrusted. The untrusted server may send a wrong transformed ciphertext to the users to save computing cost, or it may have suffered a malicious attack which also produces an incorrect ciphertext or transformed ciphertext. In order to ensure the correctness of the ciphertext or the transformed ciphertext, the ABE-VOD schemes in [9,10,11,12,13,15] were proposed.
In this paper, however, we first show that the validity verification method in the decryption algorithm of the ABE-VOD scheme put forth by Li et al. [15] cannot always check the validity of all ciphertexts. That is to say, there exist some invalid ciphertexts which pass the validity check and for which the "corresponding" plaintexts are output. Furthermore, even if the untrusted server honestly performs the outsourced decryption for these invalid ciphertexts, the decryption algorithm cannot detect them (the decryption algorithm does not output ⊥). Thus, the "verify-then-decrypt" technique used in [15] does not work. Then, we show that the method to check the validity of the outsourced decryption for the authorized user via checking it for the unauthorized user is not always correct. That is to say, there exist some invalid ciphertexts which can pass the validity check for the unauthorized user, but cannot pass the validity check for the authorized user.

Organization of the Paper
The rest of this paper is organized as follows. The system model of the ABE-VOD and some basic mathematic knowledge are introduced in Section 2. In Section 3, we review the ABE-VOD scheme proposed by Li et al., and analyze their scheme. Finally, the conclusions are given in Section 4.

Preliminaries
In this section, we recall the definition of ABE-VOD and some basic mathematical background from [15].

System Model
The ABE-VOD scheme consists of seven algorithms: Setup, KeyGen, Encrypt, Decrypt, GenTK out , Transform out and Decrypt out . The details are described as follows.

• Setup(1 λ , U). Takes as input a security parameter 1 λ and an attribute universe description U, and generates a master secret key msk and public parameters PK.
• KeyGen(msk, PK, S). Takes as input the master secret key msk, the public parameters PK and an attribute set S, and generates the client's private key SK. If the client is an authorized one, SK DS denotes the private key of the authorized client, where DS is the attribute set of the authorized client. If the client is an unauthorized one, SK VS denotes the private key of the unauthorized client, where VS is the attribute set of the unauthorized client.
• Encrypt(PK, M, A, Ā). Takes as input the public parameters PK, the plaintext M and two access structures A, Ā, and outputs a ciphertext CT.
• Decrypt(SK, CT). Takes as input a private key SK and a ciphertext CT. If the client's attribute set S satisfies the access policy A, the client utilizes the private key SK DS to decrypt the ciphertext; otherwise, the client utilizes the private key SK VS. After checking the correctness of the ciphertext, the client outputs the plaintext M if the ciphertext is valid; otherwise, the client outputs ⊥.
• GenTK out (PK, SK). Takes as input the public parameters PK and the private key SK, and generates a transformation key TK and a retrieving key RK. If the client is an authorized one, let SK = SK DS and set TK = TK DS , RK = RK DS ; otherwise, let SK = SK VS and set TK = TK VS , RK = RK VS .
• Transform out (TK, CT). Takes as input the transformation key TK and the ciphertext CT, and generates the transformed ciphertext TCT.
• Decrypt out (CT, TCT, RK). Takes as input a ciphertext CT, a transformed ciphertext TCT and a retrieving key RK. If the client's attribute set S satisfies the access policy A, the client is an authorized one and utilizes CT, TCT and RK DS to decrypt; otherwise, the client utilizes CT, TCT and RK VS to decrypt. After checking the correctness of the ciphertext, the client outputs the plaintext M if the ciphertext is valid; otherwise, the client outputs ⊥.
The concrete bilinear pairing e can be instantiated with the modified Weil [17] or Tate [18] pairing on suitable elliptic curves. We define the two hard problems used in this paper below: the Decisional Diffie-Hellman (DDH) problem and the Computational Diffie-Hellman (CDH) problem. Let α be a generator of the group G 1 .
It is obvious that the DDH problem in G 1 is easy, since the above congruence can be verified using the bilinear pairing e. However, since so far no polynomial-time algorithm is known that solves the CDH problem in G 1 , we assume that the CDH problem in G 1 is hard.

Linear Secret Sharing Schemes
We recall the description of LSSS in [19]. Let P be a set of parties. A secret sharing scheme Π is called linear (over Z p ) if it satisfies the following conditions.

• The secret shares of each party form a vector over Z p .
• Let A be a matrix with l rows and n columns, and let the function ρ label the ith row of A with the party ρ(i). Let v = (s, r 2 , . . . , r n ) T be a column vector, where s ∈ Z p is the secret to be shared and r 2 , . . . , r n are random values in Z p . Then Av is the vector of l shares of the secret s with respect to Π, and the share (Av) i belongs to party ρ(i).
Suppose that Π is an LSSS for the access policy A and S ∈ A is any authorized set.
Notations. The vector (1, 0, . . . , 0) is the "target" vector of any LSSS. For any unauthorized set of rows I of A, the target vector is not in the span of the rows in I. For any authorized set of rows I of A, the target vector is in the span of the rows in I.
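As an added illustration (not from the paper or from [19]), the following Python code implements a tiny LSSS over Z p for the constructed policy "(a AND b) OR c": it computes the shares Av, searches for coefficients ω i with Σ i∈I ω i A i = (1, 0, . . . , 0) by Gauss-Jordan elimination over Z p , and shows that reconstruction succeeds exactly for the authorized sets, which is the property the decryption algorithms reviewed later rely on. The matrix A, the labeling ρ, the prime p and the secret are all constructed for the example.

```python
# Added example (not from the paper or [19]): a small LSSS over Z_p for the
# constructed policy "(a AND b) OR c".  Matrix, prime and secret are constructed.
import secrets

P = (1 << 31) - 1                 # constructed prime modulus for Z_p

# Share-generating matrix A (l = 3 rows, n = 2 columns) and labeling rho:
# row i belongs to party RHO[i].  Rows a,b together, or row c alone, span
# the target vector (1, 0); row a alone or row b alone does not.
A = [[1, 1], [0, -1], [1, 0]]
RHO = ["a", "b", "c"]
TARGET = [1, 0]


def share(secret, A=A, p=P):
    """A·v with v = (s, r_2, ..., r_n)^T; share i belongs to party rho(i)."""
    n = len(A[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def solve_mod_p(M, b, p=P):
    """One solution x of M·x = b over Z_p by Gauss-Jordan elimination, or None
    if the system is inconsistent (free variables are set to 0)."""
    m, k = len(M), len(M[0])
    aug = [[x % p for x in row] + [rhs % p] for row, rhs in zip(M, b)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][k] for i in range(r, m)):
        return None                   # a row "0 = nonzero": target not in the span
    x = [0] * k
    for i, c in enumerate(pivots):
        x[c] = aug[i][k]
    return x


def reconstruction_coeffs(S, A=A, rho=RHO, p=P):
    """omega_i for the rows I = {i : rho(i) in S}, or None if S is unauthorized."""
    rows = [i for i in range(len(A)) if rho[i] in S]
    if not rows:
        return None
    # Unknowns omega_i; one equation per column: sum_i omega_i A[i][c] = TARGET[c]
    M = [[A[i][c] for i in rows] for c in range(len(A[0]))]
    omega = solve_mod_p(M, TARGET, p)
    return None if omega is None else dict(zip(rows, omega))


def reconstruct(shares, S, A=A, rho=RHO, p=P):
    """sum_i omega_i (A·v)_i = s for an authorized S; None otherwise."""
    omega = reconstruction_coeffs(S, A, rho, p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p
```

For the constructed matrix, reconstruction_coeffs({"a", "b"}) returns ω = (1, 1) and reconstruction_coeffs({"a"}) returns None, because the single row (1, 1) cannot produce the target (1, 0); the random component r 2 therefore cancels only when an authorized set combines its shares.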

Analysis of Li et al.'s ABE-VOD Scheme
Since the ABE-VOD scheme proposed by Li et al. is rather complex, we recall it in Appendix B and its security model in Appendix A.

The Expected Functionalities of the ABE-VOD Scheme
In this subsection, we analyze the construction of the ABE-VOD scheme proposed by Li et al. The scheme is intended to achieve at least the following results.

• First, any ABE-VOD scheme should have the decryption functionality: the decryption algorithm can correctly distinguish valid ciphertexts from invalid ones (any encryption scheme must satisfy this condition). That is to say, the Decrypt algorithm outputs the corresponding plaintext of a ciphertext if and only if the ciphertext is valid, and the Decrypt out algorithm outputs the corresponding plaintext of a transformed ciphertext if and only if the transformed ciphertext is correct.
• Then, the ABE-VOD scheme can simultaneously check the correctness of the transformed ciphertext for authorized users and unauthorized users by using the "verify-then-decrypt" method to guarantee the correctness of the transformed ciphertext.

The ABE-VOD Scheme Cannot Verify the Validity of All Ciphertexts
In general, the goal of the verification formulas in the decryption algorithm is to check the correctness of the ciphertext. However, the decryption algorithm of the ABE-VOD scheme proposed by Li et al. only checks the validity of part of the ciphertext, and does not check whether the output of the decryption algorithm for a ciphertext is the original plaintext. In this subsection, we show that there exist ciphertexts which are accepted by the decryption algorithm, but whose output is not the original plaintext.
As analyzed in [15], the ciphertext stored in the cloud server may be tampered with by malicious attackers, or the transformed ciphertext could be generated from an incorrect ciphertext by the untrusted cloud server. We view these activities as attacks by an adversary and describe below how an adversary constructs an invalid ciphertext which the decryption algorithm views as a valid ciphertext and for which it outputs the "corresponding" plaintext.
The adversary first picks a random string R ∈ {0, 1} m , two random vectors v = (s 1 , v 12 , · · · , v 1n ) ∈ (Z * p ) n and v̄ = (s 2 , v 22 , · · · , v 2n ) ∈ (Z * p ) n , and two random elements s' 1 , s' 2 ∈ Z * p such that s' 1 ≠ s 1 and s' 2 ≠ s 2 . For each row A i of A and Ā i of Ā, it picks r 1,i , r 2,i ∈ Z * p uniformly at random. Then it calculates the components CT M and CT R as in the Encrypt algorithm, except that both s 1 and s' 1 are used in CT M and both s 2 and s' 2 are used in CT R , and composes the ciphertext CT. Obviously, CT is not a valid ciphertext of the message M, since the adversary uses two distinct random numbers s 1 and s' 1 to produce CT M , and two distinct random numbers s 2 and s' 2 to produce CT R . However, the decryption algorithm will view it as a valid ciphertext and output the "corresponding" plaintext. When the decryption algorithm takes as input CT and SK, it runs as follows.

• If S satisfies the access policy A, the private key SK of an authorized client is SK DS as given in Appendix B. Let I = {i : ρ(i) ∈ S}. Then the client calculates ω i ∈ Z * p for i ∈ I such that Σ i∈I ω i A i = (1, 0, · · · , 0), and computes X M , which equals e(g, g) αs 1 . It is clear that the equality e(σ 1 , g) = e(H 2 (C M ||C R ), g η 1 ) holds, where η 1 = H 1 (X M ). Then it computes the plaintext M' from C M and X M . However, M' does not equal M since s' 1 ≠ s 1 . That is to say, the decryption algorithm cannot reject the plaintext of a ciphertext which was produced by another "encryption" algorithm.
• If S satisfies the access policy Ā, the unauthorized client proceeds in the same way with SK VS and obtains R'. However, R' does not equal R since s' 2 ≠ s 2 .
Thus, the decryption algorithm of the ABE-VOD scheme proposed by Li et al. for both the authorized client and the unauthorized client cannot check the validity of all ciphertexts. I.e., there exist some invalid ciphertexts which can pass the validity checking. Furthermore, their ABE-VOD scheme cannot check the validity of the outsourcing computation by checking the correctness of the corresponding ciphertext since the output of both the Decrypt algorithm and Decrypt out algorithm is not always correct.

The ABE-VOD Scheme Is Not Fully Verifiable
Since verifying the correctness of the outsourced decryption for unauthorized clients is very important, Li et al. considered the following scenario. An authorized client wants to, but is not able to, process some pending business when his/her time or location is limited. He/she needs someone to help verify whether the pending business is correctly processed, but does not want that person to learn anything about the content of the business. Thus Li et al. proposed an ABE-VOD scheme in which an unauthorized client can help the authorized client verify the correctness of the transformed ciphertext. We construct the following ciphertext, which passes the correctness check for an unauthorized client but is not a valid ciphertext for the authorized client.
The adversary first picks a random string R ∈ {0, 1} m and two random vectors. For each row Ā i of Ā, it picks r 2,i ∈ Z * p uniformly at random, and it also picks C M , C 1 , {C 1,i } i∈[l] , {D 1,i } i∈[l] and σ 1 uniformly at random; the components for R are then calculated as in the Encrypt algorithm. It is clear that if S satisfies the access policy A, the authorized client cannot pass the correctness check of the ciphertext, because the elements C M , C 1 , {C 1,i } i∈[l] , {D 1,i } i∈[l] are random elements, and such a tuple is a valid ciphertext only with negligible probability. That is to say, for random elements C M , C 1 , {C 1,i } i∈[l] , {D 1,i } i∈[l] and σ 1 , the element σ 1 is a valid signature of H 2 (C M ||C R ) under the key η 1 = H 1 (X M ) only with negligible probability; the decryption algorithm checks the equality e(σ 1 , g) = e(H 2 (C M ||C R ), g η 1 ), which holds with negligible probability for these random elements. However, if S satisfies the access policy Ā, the unauthorized client can pass the correctness check of the ciphertext, because the adversary uses the Encrypt algorithm to encrypt the message R for the unauthorized client, so the corresponding equations always hold. Thus, the decryption algorithm outputs the plaintext R correctly. In particular, when the untrusted server honestly runs the Transform out algorithm, the unauthorized client always passes the correctness check of the transformed ciphertext. Thus, the ABE-VOD scheme cannot verify the correctness of the ciphertext or the transformed ciphertext for the authorized user via verifying it for the unauthorized user.

Further Analysis
We have shown above that the decryption algorithm cannot satisfy two functionalities: checking the correctness of all ciphertexts, and "full verifiability". Next, we explain the reason and a possible remedy.
On one hand, the construction of the above ABE-VOD scheme utilizes the ABE-OD scheme proposed by Green et al. [7] and the short signature scheme proposed by Boneh et al. [16]. The one-time signature σ 1 on the "message" H 2 (C M ||C R ) (or σ 2 on the same "message") is unforgeable, and it ensures that the verification equality holds if and only if σ 1 and σ 2 are valid signatures of H 2 (C M ||C R ) under the public keys g η 1 and g η 2 , respectively. However, there is no condition that guarantees the validity of C M and C R themselves. That is to say, any random element can be chosen as C M (or C R ). Thus, the above adversary can construct an invalid C M or C R such that the ciphertext CT is still verified as valid. It seems that signing only part of the ciphertext cannot guarantee that all invalid ciphertexts are rejected; another secure mechanism is needed to guarantee that this part of the ciphertext is valid. On the other hand, from the unauthorized client's view, C M is a random element in {0, 1} m , which is independent of C R , Ā and σ R . Thus, the unauthorized client has no capability to verify the validity of C M , and the construction in [15] cannot check the correctness of the ciphertext and of the transformed ciphertext for the authorized users by checking the validity of the ciphertext and the correctness of the transformed ciphertext for the unauthorized clients.
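To make this root cause concrete, the following added Python model (not code from the paper and not Li et al.'s scheme) reproduces both constructions of the two preceding subsections in miniature. Its assumptions are stated in the comments: the pairing-based ABE part is replaced by plain exponentiation modulo a Mersenne prime, one secret exponent alpha plays the role of both the authorized and the unauthorized client's key, the hash-to-group H 2 is built as a fixed power, and the check e(σ, g) = e(H 2 (C M ||C R ), g η ) is modelled by recomputing σ with the key η that the decryptor derives from X anyway, which is what that check amounts to for a decryptor who knows η. The functions encrypt, decrypt, forge_for_unauthorized, commit and decrypt_then_verify are hypothetical names; the last two model the decrypt-then-verify approach that the Introduction attributes to Lai et al. [8], not their construction.

```python
# Added example; not code from the paper and not Li et al.'s scheme.  It is a
# deliberately simplified model of the verify-then-decrypt check analysed above.
# Assumptions: exponentiation modulo a Mersenne prime stands in for the pairing
# groups, one secret exponent alpha serves both client roles, H2 is a fixed
# power of the base, and e(sigma,g)=e(H2(C_M||C_R),g^eta) is modelled by
# recomputing sigma with the eta the decryptor derives.  Constants are constructed.
import hashlib
import secrets

P = (1 << 61) - 1        # constructed toy modulus (the Mersenne prime 2^61 - 1)
G = 3                    # fixed base, standing in for the generator g
M_LEN = 16               # plaintext length m in bytes

def rand_exp():
    return secrets.randbelow(P - 2) + 1

def h(tag, *parts):
    d = hashlib.sha256(tag)
    for x in parts:
        d.update(x if isinstance(x, bytes) else x.to_bytes(16, "big"))
    return d.digest()

def h1(x):               # H1: X -> signing key eta; anyone who knows X can derive it
    return int.from_bytes(h(b"H1", x), "big") % (P - 2) + 1

def h2(msg):             # H2: hash into the group, constructed as G^hash
    return pow(G, int.from_bytes(h(b"H2", msg), "big") % (P - 1), P)

def h3(x):               # H3: pad derived from X that masks M (or R)
    return h(b"H3", x)[:M_LEN]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def sign(eta, c_m, c_r):  # sigma = H2(C_M||C_R)^eta
    return pow(h2(c_m + c_r), eta, P)

def keygen():
    alpha = rand_exp()
    return alpha, pow(G, alpha, P)          # (secret alpha, public Y = g^alpha)

def encrypt(Y, m, r, s1=None, s1_prime=None):
    """Honest Encrypt when s1_prime is None.  With s1_prime != s1 it builds the
    inconsistent ciphertext of the first attack: C_M is masked with Y^s1_prime
    while C1 and sigma1 are formed with s1."""
    s1, s2 = s1 or rand_exp(), rand_exp()
    x_m, x_r = pow(Y, s1, P), pow(Y, s2, P)
    x_for_cm = x_m if s1_prime is None else pow(Y, s1_prime, P)
    c_m, c_r = xor(m, h3(x_for_cm)), xor(r, h3(x_r))
    return {"C1": pow(G, s1, P), "C2": pow(G, s2, P), "C_M": c_m, "C_R": c_r,
            "sigma1": sign(h1(x_m), c_m, c_r), "sigma2": sign(h1(x_r), c_m, c_r)}

def decrypt(alpha, ct, authorized):
    """Verify-then-decrypt.  The check ties sigma to C_M||C_R and to the X derived
    from C1 (or C2); nothing ties C_M itself to X_M, which is the gap exploited."""
    c_x, sig, c_out = ("C1", "sigma1", "C_M") if authorized else ("C2", "sigma2", "C_R")
    x = pow(ct[c_x], alpha, P)
    if ct[sig] != sign(h1(x), ct["C_M"], ct["C_R"]):
        return None                         # the ⊥ output
    return xor(ct[c_out], h3(x))

def forge_for_unauthorized(Y, r):
    """Second attack: R is encrypted honestly for the unauthorized client, while
    C_M, C1 and sigma1 are random; sigma2 is recomputed because it covers C_M."""
    s2 = rand_exp()
    x_r = pow(Y, s2, P)
    c_m, c_r = secrets.token_bytes(M_LEN), xor(r, h3(x_r))
    return {"C1": pow(G, rand_exp(), P), "C2": pow(G, s2, P), "C_M": c_m, "C_R": c_r,
            "sigma1": pow(G, rand_exp(), P), "sigma2": sign(h1(x_r), c_m, c_r)}

def commit(m, r):        # commitment to (M, R) made by the encryptor
    return h(b"COM", m, r)

def decrypt_then_verify(alpha, ct, com):
    """Decrypt-then-verify as the Introduction describes Lai et al.'s approach
    (modelled here, not their construction): recover M and R first, then accept
    only if they match the commitment made at encryption time."""
    m = xor(ct["C_M"], h3(pow(ct["C1"], alpha, P)))
    r = xor(ct["C_R"], h3(pow(ct["C2"], alpha, P)))
    return m if commit(m, r) == com else None

def demo():
    alpha, Y = keygen()
    m, r = b"quarterly-report", secrets.token_bytes(M_LEN)   # constructed inputs
    honest = encrypt(Y, m, r)
    bad = encrypt(Y, m, r, s1=rand_exp(), s1_prime=rand_exp())
    half = forge_for_unauthorized(Y, r)
    return {
        "honest_authorized": decrypt(alpha, honest, True) == m,
        "honest_unauthorized": decrypt(alpha, honest, False) == r,
        "bad_passes_check": decrypt(alpha, bad, True) is not None,
        "bad_wrong_plaintext": decrypt(alpha, bad, True) != m,
        "bad_unauthorized_accepts": decrypt(alpha, bad, False) == r,
        "half_authorized_rejects": decrypt(alpha, half, True) is None,
        "half_unauthorized_accepts": decrypt(alpha, half, False) == r,
        "commitment_rejects_bad": decrypt_then_verify(alpha, bad, commit(m, r)) is None,
        "commitment_accepts_honest": decrypt_then_verify(alpha, honest, commit(m, r)) == m,
    }
```

Every entry of demo() is True: the first forged ciphertext passes the signature check for the authorized client yet decrypts to a wrong plaintext (and the unauthorized client still accepts it), the second passes for the unauthorized client and is rejected for the authorized one, and only the commitment over the recovered (M, R) rejects the first forgery, because it binds the decryption result rather than a part of the ciphertext.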

Conclusions
In this paper, we showed that the validity verification method in the decryption algorithm of the ABE-VOD scheme put forth by Li et al. cannot always check the validity of all ciphertexts. There exist some invalid ciphertexts which pass the validity check, so the "verify-then-decrypt" technique used in [15] does not work. Then, we showed that the method to check the validity of the outsourced decryption for the authorized client via checking it for the unauthorized client is not always correct. There exist some invalid ciphertexts which pass the validity check for the unauthorized client but cannot pass the validity check for the authorized client. Finally, we pointed out that although the scheme used a signature technique to guarantee that the ciphertext cannot be tampered with, the signing key of the "signature scheme" used in the encryption scheme is not fixed and anyone can generate it. This is what makes our constructions possible.
Acknowledgments: Our work was supported by the Sichuan Key Technology Support Program (No. 18ZDYF2907).

Author Contributions:
The five authors of the paper have extensively participated in all of the analysis and in the revision of the manuscript. Fagen Li, Shaoquan Jiang and Shijie Zhou added to and revised the related work. Yongjian Liao and Yichuan He mainly wrote the manuscript.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Security Model
We recall the security model in [15]. The selective chosen plaintext attack (CPA) security model for ABE with fully verifiable outsourced decryption is described by the following game between an adversary A and a challenger C.
• Init. The adversary A sets a challenge access policy A * that it wishes to challenge.
• Setup. The challenger C executes the algorithm Setup to generate the public parameters PK and the master secret key msk. C sends PK to A and keeps msk secret.
• Phase 1. The challenger C sets a set D and a table T, both initially empty. The adversary A makes the following queries:
- (1) Private key query. The adversary A makes private key queries on an attribute set S; the challenger C runs the KeyGen algorithm to generate a private key SK S and sets D = D ∪ {S}. Then it returns the private key to the adversary A. The only restriction is that the attribute set cannot satisfy the access policy A * .
- (2) Transformation key query. A makes transformation key queries on an attribute set S, and C searches for the tuple (S, SK S , TK S , RK S ) in the table T. If such a tuple exists, it returns TK S as the response. Otherwise, it executes KeyGen(PK, msk, S) to generate SK S and GenTK out (PK, SK S ) to generate (TK S , RK S ). Then C stores the tuple (S, SK S , TK S , RK S ) in table T and returns the transformation key TK S to A.
• Challenge. The adversary A submits two messages M 0 and M 1 of the same size. Then C randomly picks a bit b ∈ {0, 1} and a string R with the same length as M 0 and M 1 , and computes CT * = Encrypt(PK, M b , A * ). Finally, the challenger C sends CT * to A as the challenge ciphertext.
• Phase 2. A proceeds to make private key queries and transformation key queries as in Phase 1, with the only restriction that the attribute set does not satisfy the access policy A * .
The advantage of the adversary A in the above game is defined as its advantage in guessing the bit b, where the probability is taken over the random bits used by the adversary A and the challenger C.
Definition A1. An ABE-VOD scheme is selective CPA-secure if every polynomial time adversary A has at most a negligible advantage in the above game.
Next, we review the formal definition of verifiability for an ABE-VOD scheme through a game between an adversary A and a challenger C [15]. Only the part for the authorized user is considered here; the definition of verifiability for the unauthorized user is the same. The game is described as follows:
• Init. The adversary A sets an access policy A * that it wishes to challenge.
• Setup. The challenger runs Setup(1 λ , U) to generate the public parameters PK and the master key msk, then keeps msk secret and sends PK to the adversary.
• Phase 1. The adversary A can make the private key query and the transformation key query as in Phase 1 of the above security game.
- (1) Private key query. The adversary A makes private key queries on an attribute set S; the challenger runs KeyGen(msk, PK, S) to generate SK S and sets D = D ∪ {S}, where D is initially empty. It then returns the private key SK S to the adversary. The only restriction is that the attribute set S cannot satisfy the access policy A * .
- (2) Transformation key query. A makes transformation key queries on the attribute set S; C searches for the tuple (S, SK S , TK S , RK S ) in the table T. If the tuple exists, C returns TK S as the response. Otherwise, it executes KeyGen(msk, PK, S) to generate SK S and GenTK out (PK, SK S ) to generate (TK S , RK S ). Then C stores the tuple (S, SK S , TK S , RK S ) in table T and returns the transformation key TK S to A.

Appendix B. Review of Li et al.'s ABE-VOD Scheme
• KeyGen(msk, PK, S). Generates private keys for the two types of clients (the authorized client and the unauthorized client). If S is an attribute set of an authorized client, the algorithm picks a random value t 1 ∈ Z * p , and the private key of the authorized client is SK = (DS, K = g α y t 1 , K 0 = g t 1 , {K i = T t 1 i } att i ∈DS ). If S is an attribute set of an unauthorized client, the algorithm picks a random value t 2 ∈ Z * p , and the private key of the unauthorized client is SK = (VS, K = g α y t 2 , K 0 = g t 2 , {K i = T t 2 i } att i ∈VS ).
• Encrypt(M, A, Ā). Takes as input a message M ∈ {0, 1} m and two LSSS access structures A = (A, ρ) and Ā = (Ā, ρ̄). A and Ā are two l × n matrices; ρ maps each row A i of A to an attribute ρ(i), and ρ̄ maps each row Ā i of Ā to an attribute ρ̄(i). The encryption algorithm first picks a random string R ∈ {0, 1} m and two random vectors. For each row A i of A and Ā i of Ā, it picks r 1,i , r 2,i ∈ Z * p uniformly at random. Then it computes the ciphertext components and outputs CT.
• Decrypt(SK, CT). Takes as input a private key SK and a ciphertext CT.
- (1) If S satisfies the access policy A, then the client is an authorized one and the private key of the client is SK = (DS, K = g α y t 1 , K 0 = g t 1 , {K i = T t 1 i } att i ∈DS ). Let I = {i : ρ(i) ∈ S} ⊂ {1, 2, · · · , l}. Then the client is able to compute ω i ∈ Z * p for i ∈ I such that Σ i∈I ω i A i = (1, 0, · · · , 0), and the client calculates X M = e(C 1 , K) ∏ i∈I (e(C 1,i , K 0 )e(D 1,i , K ρ(i) )) ω i = e(g, g) αs 1 and η 1 = H 1 (X M ). Then the client checks whether the equality e(σ 1 , g) = e(H 2 (C M ||C R ), g η 1 ) holds. If it holds, the client recovers the plaintext M from C M and X M ; otherwise, the client outputs ⊥.
- (2) If S satisfies the access policy Ā, then the client is an unauthorized one and the private key of the client is SK = (VS, K = g α y t 2 , K 0 = g t 2 , {K i = T t 2 i } att i ∈VS ). Let I = {i : ρ̄(i) ∈ S} ⊂ {1, 2, · · · , l}. Then the client is able to compute ω i ∈ Z * p for i ∈ I such that Σ i∈I ω i Ā i = (1, 0, · · · , 0), and the client calculates X R = e(C 2 , KP) ∏ i∈I (e(C 2,i , KP 0 )e(D 2,i , KP ρ̄(i) )) ω i = e(g, g) αs 2 and η 2 = H 1 (X R ). Then the client checks whether the equality e(σ 2 , g) = e(H 2 (C M ||C R ), g η 2 ) holds. If it holds, the client recovers the message R from C R and X R ; otherwise, the client outputs ⊥.
• GenTK out (SK). Takes the private key SK as input. If the client is an authorized one, the private key is SK = (DS, K = g α y t 1 , K 0 = g t 1 , {K i = T t 1 i } att i ∈DS ). If the client is an unauthorized one, the private key is SK = (VS, K = g α y t 2 , K 0 = g t 2 , {K i = T t 2 i } att i ∈VS ). Then the client picks two random values z 1 , z 2 ∈ Z * p , and derives the transformation keys TK DS (from SK DS and z 1 ) and TK VS (from SK VS and z 2 ), respectively. The retrieving keys are RK DS = z 1 and RK VS = z 2 , respectively.
• Transform out (TK, CT). Takes as input the ciphertext CT and the transformation key TK. For the authorized client, the transformation key is TK = TK DS , and for the unauthorized client, TK = TK VS . The transformation is described as follows.