Data Rights Confirmation Scheme Based on Auditable Ciphertext CP-ABE in the Cloud Storage Environment

Abstract

Advances in information technology have made data accessible anytime and anywhere. Currently, data confirmation is a popular area of research. Many current approaches to data confirmation rely on submitting certificates of ownership, embedding digital watermarks, or using blockchain. However, none of these approaches can avoid exposing source data to third parties that are not fully trusted. To address this issue, this paper proposes a new data confirmation method based on ciphertext policy attribute-based encryption (CP-ABE), which is widely used in cloud storage environments. The unique identifier of the data owner is encrypted by Paillier encryption and embedded into the ciphertext, so that the ownership corresponding to the plaintext is converted to the ownership corresponding to the ciphertext. During the entire confirmation process, third-party organizations cannot access the source data, reducing the risk of source data leakage. Finally, the feasibility of the scheme is proved by security proof and experiment comparison.

1. Introduction

Currently, data have become something within people’s reach, and more and more people are becoming aware of the ownership and usage of their data. What is “data confirmation”? The purpose of data confirmation is to legally establish ownership of the data and the right of the data owner to determine who can have access to the data. Data confirmation requires determining the type of rights, how they will be acquired, and how they will be distributed. With the popularity of cloud computing, people have begun to share data. There are many ways to share data, such as uploading to third-party trading platforms, cloud servers, Github [1], etc., resulting in the inability to ensure the privacy of users. Many scholars have begun to study data sharing, privacy issues [2,3], and how data are uploaded. In addition, the speed of data dissemination is extremely fast. Meng et al. [4] modeled network public opinion data to predict public opinion crisis warnings. Cao et al. [5] proposed a more comprehensive recommendation scheme based on real-world shared mobile data. The proposal of ciphertext-policy attribute-based encryption provides a good answer to these problems. CP-ABE allows the data owner to specify that only those who conform to the access policy can access the data. Figure 1 shows the execution process of CP-ABE. The data owner Alice has some data $(definedinthefigureas“Data”)$, and she sets a set of access policies ($(A\wedge B)\vee (C\wedge D)$ in the figure) according to the potential user subjectively, and combines $Data$ with access policies to encrypt and upload to the server. At this time, there are two users $Use{r}_1$ and $Use{r}_2$ in the system; $Use{r}_1$ has attributes A and B, and $Use{r}_2$ has attributes A and C, then according to the access policies in the ciphertext, $Use{r}_1$ can decrypt and access the data, but $Use{r}_2$ fails to decrypt. However, due to the replicability of the data, ownership of the data cannot be determined. The development of blockchain [6,7,8] has brought the possibility of data rights confirmation. Due to its immutability and traceability, the information of the data owner cannot be tampered with once it is on the chain, and it can be easily traced back to the source and destination of the data. However, as a result of the decentralized and public nature of blockchain technology, the privacy of the data owner cannot be guaranteed. Using traditional third-party hosting or issuing certificates of ownership does not guarantee that the data owner’s source data will not be leaked. Therefore, there is the need of a scheme that solves the above problems.

Consider the following scenario: Alice wants to store her data on the cloud and share them with others, but she only wants a specific group of people to access the data. Therefore, she specifies an access policy and encrypts the data using CP-ABE before uploading it. Bob is a member of Alice’s designated group, and he retrieves and decrypts the data from the cloud. Smith is Bob’s friend, but he is not a part of the designated group. Smith contacts Bob and obtains a copy of the data. One day, Alice discovers that Smith is using her data and wants to seek compensation. However, Smith claims that the data are his own. How can Alice prove that the data belong to her?

In 2005, Sahai and Waters [9] introduced the notion of fuzzy identity-based encryption. which was later extended to attribute-based encryption (ABE). In an ABE system, the ciphertext and key are associated with the attribute set and access structure, and decryption only succeeds when the attribute set satisfies the access structure. Goyal et al. [10] suggested correlating the access policy with the ciphertext and key, respectively, and divided ABE for the first time into ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE) in 2006. Bethencourt et al. [11] introduced the first CP-ABE system in 2007, embedding the access tree structure within ciphertext; however, it is challenging to deploy in practice. Waters et al. [12] built on Bethencourt et al.’s work in the following year and proposed a CP-ABE system with an efficient general access structure while also proving selection security under the standard model. In 2012, Lewko and Waters [13] developed a broad strategy for converting the standard model’s concept of selection security into adaptive security. In today’s cloud computing, CP-ABE has a significant influence. In 2015, Ning et al. [14] proposed a traceable and auditable CP-ABE scheme in cloud computing to address key abuse by dishonest users in the cloud storage environment [15], but it does not provide key revocation. Yu et al. [16] proposed a traceable and undeniable CP-ABE scheme based on Ning’s work to solve the problem of semi-honest institutions illegally selling keys.

Under the big data environment [17], data can be used to verify the validity of the protocol [18] and can also be used to train the robot [19]. However, these web data have no real ownership. Yun Peng et al. [20] investigated the basic challenges surrounding data confirmation in 2016. Bing Guo et al. [21] presented a service system to defend the property rights of personal data in 2017. Shuaiyu Wang et al. [22] suggested a large data correct confirmation technique based on blockchain technology in the same year, but the issue is that the data source cannot be verified. In 2018, Hailong Wang and his colleagues [23] introduced a novel approach for verifying big data using blockchain and digital watermarking technology, but the authority agency can access the data owner’s source data. Although this solution can be applied to the environment of cloud storage, due to the limitation of its form of plaintext confirmation, the privacy of users cannot be guaranteed. Zhao et al. [24] developed a smart contract-based big data property right confirmation system the following year. In 2021, Zhou et al. [25] proposed a data ownership confirmation scheme based on consortium blockchain in IoT environments [26], with a focus on controlling the flow of data. However, the scheme cannot be applied to one-to-many environments such as cloud storage. Professors Jintai Ding and Ke Tang from Tsinghua University announced their plans to develop an innovative solution for managing large-scale data transactions. Their approach involves leveraging cutting-edge cryptography techniques and advanced mechanisms for economic design to create a robust and effective system for processing and exchanging data. By combining these two technologies, they aim to address the unique challenges associated with managing and securing large volumes of data, ultimately providing a reliable and efficient solution for businesses and organizations worldwide. This technique assures data transaction security while also increasing transaction efficiency. In 2022, Liu et al. [27] proposed a data ownership confirmation scheme based on the Ethereum blockchain and smart contracts. The parties authenticate their identities through a protocol for generating data fingerprints based on smart contracts. However, the article did not address the issue of user privacy protection on the public blockchain.

Based on the research status above, we propose a new data confirmation scheme in the cloud storage environment, focusing on user privacy protection and preventing the leakage of original plaintext data. The scheme can effectively protect the privacy of data owners while ensuring data confirmation, and in the process of confirmation, no one can access plaintext, thus reducing the risk of data leakage. We embed the data owner’s identification information into CP-ABE using Paillier encryption and change the plaintext confirmation form to the ciphertext confirmation form. An audit phase is introduced at the end of the confirmation process.

Our contributions are as follows:

(1)

User privacy protection. We propose a new data confirmation scheme based on CP-ABE in the cloud storage environment. Users only need to embed the information with their own identity into the ciphertext after Paillier encryption and upload it to the cloud. They do not need to worry about revealing their identity.

(2)

Prevent original plaintext data leakage. During the entire right confirmation process, the authority $AT$ can only access the ciphertext and only needs to process the ciphertext. This greatly reduces the risk of plaintext data leakage during the right confirmation process.

(3)

The scheme is safe and efficient. We reduce the scheme to the three-prime subgroup decision problem and prove that the scheme is safe, and through experimental analysis, our scheme is almost as efficient as the scheme proposed by Allison et al. [21] in terms of system setup, key generation, encryption, and encryption algorithms.

Table 1. Comparison of our scheme and other schemes.

	Zhou et al. [25]	Liu et al. [27]
Ways of identifying	Key verification	Fingerprint tracking protocol
Confirmation method	Consortium blockchain and smart contracts	Smart contract
Security assumption	Collision-resistant properties of hash function	null
Source data security	✔	✔
Can be applied to the cloud storage environment	×	×
	Wang et al. [23]	ours
Ways of identifying	Digital watermark	Pailler decryption
Confirmation method	Digital watermarking + blockchain	CP-ABE and Paillier encryption
Security assumption	CDH assumption	Subgroup decision problem for 3 primes
Source data security	×	✔
Can be applied to the cloud storage environment	✔	✔

shows the comparison between our scheme and other data confirmation schemes.

Section 2 will present a formal definition and explanation of several fundamental concepts. Section 3 will focus on constructing the scheme, which will include defining the security requirements, implementing the scheme, and providing a security proof. In Section 4, we will conduct experiments and analysis to evaluate the effectiveness of the scheme. Finally, Section 5 will summarize the scheme and its contributions.

2. Preliminaries

2.1. Access Structure

Definition 1

([9]). Consider a set S containing n attributes, where each attribute is denoted by $s_i$ for $1\le i\le n$, a set $\mathbb{A}\in 2^{\{s_1,\dots ,s_n\}}\setminus \{\varnothing \}$ is an access structure on S, for $\forall B,C\in \mathbb{A}$: if $B\in \mathbb{A}$ and $B\subseteq C$, then $C\in \mathbb{A}$, and $\mathbb{A}$ is called monotonic. If a set is in $\mathbb{A}$, then it is called an authorized set, otherwise it is called a non-authorized set.

2.2. Linear Secret-Sharing Schemes

Definition 2.

LSSS [28,29]. Suppose S represents the set of attributes, and let p be a prime number. A secret sharing scheme is denoted as Π and is operating on ${\mathbb{Z}}_p$. If the following two criteria are met by Π, then Π is referred to as linear:

• The secret $s\in {\mathbb{Z}}_p$ shared by each participant forms a column vector on ${\mathbb{Z}}_p$.
• A secret sharing scheme Π has a shared generator matrix M, which is an l-by-n matrix for every access structure $\mathbb{A}$ defined on S. For $i=1,\dots ,l$, the ith line of M is marked as an attribute $\rho \left(i\right)$ (ρ is a map that maps each row of matrix M to Π). Given a vector $\mathit{v}=(s,r_2,\dots ,r_n)$, where s is the shared secret, $r_2,\dots ,r_n$ are randomly selected; $\mathit{\lambda }=M_{l\times n}·\mathit{v}$ identifies the l shares of Π to the secret number s. Line i belongs to attribute $\rho \left(i\right)$.

Secret Recovery: Assuming $\mathsf{\Pi }$ accesses the LSSS of the structure $\mathbb{A}$, S is the set of authorization attributes owned by the user, and M is the shared generation matrix. Define $J=1,\dots ,j$ and $J=\{j\mid \rho (j)\in S\}$. For the vector ${\left\{{\lambda }_j\right\}}_{j\in J}$ generated by the product of matrix M and secret vector v, there exists a vector $\mathbf{w}=\left\{w_j\right\}$ of integers in ${\mathbb{Z}}_p$ such that ${\sum }_{j\in J}{M}_j·w_j=(1,0,\dots ,0)$ and $\rho {\left(j\right)}^T·\mathbf{w}=s\left(modN\right)$, $\left\{w_j\right\}$ can be found in polynomial time, and $\left\{w_j\right\}$ does not exist for non-authorized sets.

Definition 3

([30]). Suppose $\mathbb{A}$ is a monotonic access structure. In such a case, the definition of the shared generator matrix M yields the following conclusions:

–

If $M\in \mathbb{A}$, there exists a vector $\left\{{\kappa }_i\right\}$ of integers in ${\mathbb{Z}}_p$ such that $M^T·\left\{{\kappa }_i\right\}={(1,0,\dots ,0)}^T$.

–

If $M\notin \mathbb{A}$, there exists a vector $\left\{{\nu }_i\right\}$ of integers in ${\mathbb{Z}}_p$ such that $M^T·\left\{{\nu }_i\right\}={(0,0,\dots ,0)}^T$ and ${\nu }_1=1$.

2.3. Composite Order Bilinear Groups

Prime order bilinear groups and composite order bilinear groups [31] are comparable; the difference is that the order of $G_1,G_2,G_T$ is a composite number N, where N is the product of some large prime numbers, such as $N=p_1{p}_2\dots p_n$, and e is a bilinear map, $e:G_1\times G_2\to G_T$. For any element $a_i$ in $G_{p_i}$ and element $b_j$ in $G_{p_j}(i\ne j)$, $e(a_i,b_j)=1.$

Assumption 1. (Subgroup decision problem for 3 primes):

We define the distribution shown below for a group generator $\mathcal{G}$:

$$\mathcal{G}\to \mathbb{G}=(N=p_1{p}_2{p}_3,G,G_T,e)$$

$$g_1\leftarrow G_{p_1},E_3\leftarrow G_{p_3}$$

$$Distr=(E_3,g,\mathbb{G})$$

$$X_1\leftarrow G_{p_1{p}_2},X_2\leftarrow G_{p_1}$$

In breaking Assumption 1, Algorithm $\mathcal{A}$ has the following advantage:

$$Adver{1}_{\mathcal{G},\mathcal{A}}\left(1^{\lambda }\right):=\mid Pr[\mathcal{A}(Distr,X_1)=1]-Pr[\mathcal{A}(Distr,X_2)=1]\mid$$

Definition 4.

If $Adver{1}_{\mathcal{G},\mathcal{A}}\left(1^{\lambda }\right)$ is a negligible function of $1^{\lambda }$ for every polynomial time algorithm $\mathcal{A}$, we claim that $\mathcal{G}$ satisfies Assumption 1.

Assumption 2.

We define the following distribution for a group generator $\mathcal{G}$:

$$\mathcal{G}\to \mathbb{G}=(N=p_1{p}_2{p}_3,G,G_T,e)$$

$$g_1,E_1\leftarrow G_{p_1},E_2,F_2\leftarrow G_{p_2},E_3,F_3\leftarrow G_{p_3}$$

$$Distr=(\mathbb{G},g,E_1{E}_2,F_3,E_2{F}_3)$$

$$X_1\leftarrow G,X_2\leftarrow G_{p_1{p}_3}$$

In breaking Assumption 2, Algorithm $\mathcal{A}$ has the following advantage:

$$Adver{2}_{\mathcal{G},\mathcal{A}}\left(1^{\lambda }\right):=\mid Pr[\mathcal{A}(Distr,X_1)=1]-Pr[\mathcal{A}(Distr,X_2)=1]\mid$$

Definition 5.

If $Adver{2}_{\mathcal{G},\mathcal{A}}\left(1^{\lambda }\right)$ is a negligible function of $1^{\lambda }$ for every polynomial time algorithm $\mathcal{A}$, we claim that $\mathcal{G}$ satisfies Assumption 2.

Assumption 3.

We define the following distribution for a group generator $\mathcal{G}$:

$$\mathcal{G}\to \mathbb{G}=(N=p_1{p}_2{p}_3,G,G_T,e)$$

$$\gamma ,t\leftarrow {\mathbb{Z}}_N$$

$$g_1\leftarrow G_{p_1},E_2,F_2,H_2\leftarrow G_{p_2},E_3,F_3\leftarrow G_{p_3}$$

$$Distr=(\mathbb{G},g,g^{\gamma }{E}_2,E_3,g^t{F}_2,H_2)$$

$$X_1\leftarrow e{(g,g)}^{\gamma t},X_2\leftarrow G_{p_1{p}_3}$$

In breaking Assumption 3, Algorithm $\mathcal{A}$ has the following advantage:

$$Adver{3}_{\mathcal{G},\mathcal{A}}\left(1^{\lambda }\right):=\mid Pr[\mathcal{A}(Distr,X_1)=1]-Pr[\mathcal{A}(Distr,X_2)=1]\mid$$

Definition 6.

If $Adver{3}_{\mathcal{G},\mathcal{A}}\left(1^{\lambda }\right)$ is a negligible function of $1^{\lambda }$ for every polynomial time algorithm $\mathcal{A}$, we claim that $\mathcal{G}$ satisfies Assumption 3.

2.4. CDH Assumption

Computational Diffie–Hellman Assumption can be defined as follows:

Consider a finite cyclic group $\mathbb{G}$ with n elements. The CDH assumption holds in $\mathbb{G}$ if, given $g,g^a,$ and $g^b$, $g^{ab}$ cannot be calculated. The formal definition is as follows:

$$g,g^a,g^b\nRightarrow g^{ab}$$

for all efficient algorithms A:

$$Pr\left[A(g,g^a,g^b)\right]<ϵ$$

where g is a generator in the group $\mathbb{G}$, $a,b\leftarrow Z_n$.

2.5. Paillier Encryption

The Paillier encryption algorithm [32] is a public key encryption algorithm based on the composite residual difficulty problem, which satisfies the additive homomorphic operation. It contains the following steps:

• Key generation:

  (1)

  Obtain two large prime numbers $p_1$ and $p_2$ that satisfy $gcd(p_1{p}_2,(p_1-1)(p_2-1))=1$. This ensures that the prime numbers $p_1$ and $p_2$ have equal lengths.

  (2)

  The following values are computed: $n=p_1{p}_2$, $\lambda =lcm((p_1-1),(p_2-1)))$.

  (3)

  Define $\mathbb{L}\left(x\right)=(x-1)/n$.

  (4)

  Randomly select a positive integer g less than $n^2$, and there exists $\mu ={\left(\mathbb{L}\left(g^{\lambda }mod{n}^2\right)\right)}^{-1}modn$.

  (5)

  System public key $pk=(n,g)$, and system secret key $sk=(\lambda ,\mu )$.

• Encryption:
  Given the plaintext $\mathbb{M}$, randomly select $\gamma \in {\mathbb{Z}}_{n^2}^{*}$ and calculate $\mathbb{C}=g^{\mathbb{M}}{\gamma }^{n}mod{n}^2$.
• Decryption:
  $\mathbb{M}=\mathbb{L}\left({\mathbb{C}}^{\lambda }mod{n}^2\right)\times \mu modn$.

2.6. Fully Secure CP-ABE

Allison et al. [33] proposed a CP-ABE scheme that is fully secure. The scheme is built using composite order bilinear groups and $LSSS$. Four algorithms can be executed in polynomial time:

–

$Setup(\phi ,\mathcal{U})\to PK,MSK$: The setup procedure receives two input parameters: the security parameter $\phi$, which determines the level of security required, and the attribute universe $\mathcal{U}$, which defines the set of attributes. It then generates two output values: the public parameter $PK$, which can be shared publicly and used for encryption and decryption, and the master key $MSK$, which is kept secret and used for key generation.

–

$KeyGen(MSK,\mathcal{S},PK)\to SK$: Given the master key $MSK$, the user’s attribute $\mathcal{S}$, and the public parameter $PK$ as input, the key generation algorithm computes the decryption key $SK$ as its output. The decryption key $SK$ can be used to decrypt data encrypted using the corresponding attribute $\mathcal{S}$ and the public parameter $PK$.

–

$Encrypt\left(\right(A,\rho ),PK,\mathcal{M})\to CT$: To encrypt a plaintext $\mathcal{M}$, the encryption algorithm takes as input a matrix A, where each row of the matrix is mapped to an attribute $\rho$, along with the public parameter $PK$. The encryption algorithm computes the ciphertext $CT$ as its output.

–

$Decrypt(CT,PK,SK)\to \mathcal{M}$: Given the ciphertext $CT$, the public parameter $PK$, and the decryption key $SK$, the decryption algorithm computes the corresponding plaintext $\mathcal{M}$ as its output. The decryption key $SK$ must be associated with an authorization set mapped to rows of the matrix used during encryption, otherwise the decryption will fail.

3. Construction

3.1. Membership

Our system consists of five parties (as shown in Figure 2). The data owner $\left(Do\right)$ is in charge of data encryption and uploading. The data user $\left(Du\right)$ is responsible for retrieving and decrypting the data submitted by the data owner from the cloud. The authority $\left(AT\right)$ is in charge of giving decryption keys to data users, participating in the ciphertext’s signature, and storing the credentials of the data owner. The public auditor $\left(PA\right)$ is in charge of publicly auditing the ciphertext and extracting the information of the ciphertext owner from credentials. Finally, the cloud server $\left(Cloud\right)$ is responsible for storing the ciphertext uploaded by the data owner.

3.2. Security

3.2.1. IND-CPA Security

We can rephrase the description of the $IND-CPA$ security game process for our proposed scheme, which is equivalent to the one proposed by Allison et al. [21], as follows:

–

$Setup$: The adversary $\mathcal{A}$ is given the public parameter $PK$ after the challenger $\mathcal{B}$ calls the $Setup(1^{\phi },U)$ algorithm.

–

$Phase1$: Adversary $\mathcal{A}$ can dynamically request the decryption keys $S{k}_i$ associated with attribute sets $S_1,\dots ,S_{q_r}$ from the challenger $\mathcal{B}$. In response, $\mathcal{B}$ executes the key generation algorithm to generate $S{k}_i$ and sends it to $\mathcal{A}$.

–

$Challenge$: Adversary $\mathcal{A}$ provides two equal-length messages $M_1$ and $M_2$ and a generator matrix $A^{*}$ that corresponds to an access structure ${\mathbb{A}}^{*}$ that does not satisfy $S_1,\dots ,S_{q_r}$ to the challenger $\mathcal{B}$. Then $\mathcal{B}$ randomly chooses a bit $\sigma \in \{0,1\}$ and generates the ciphertext $C{T}_{A^{*},T}$ by calling the encryption algorithm with $s{k}_{Do}$, $<A^{*},\rho >$, $PK$, and $M_{\sigma }$. Finally, $\mathcal{B}$ sends $C{T}_{A^{*},T}$ to adversary $\mathcal{A}$.

–

$Phase2$: Adversary $\mathcal{A}$ keeps asking $\mathcal{B}$ for decryption keys $S{k}_i$ corresponding to attribute sets $S_{q_{r+1}},\dots ,S_q$, where each set cannot satisfy the access structure ${\mathbb{A}}^{*}$. Upon each request, $\mathcal{B}$ calls the key generation algorithm and sends $S{k}_i$ to adversary $\mathcal{A}$.

–

$Guess$: $\mathcal{A}$ outputs a guess ${\sigma }^{{}^{\prime }}\in \{0,1\}$.

The advantage of the adversary in this game is defined as:

$$Ad{v}_{\left(A\right)}=\mid Pr[{\sigma }^{{}^{\prime }}=\sigma ]-1/2\mid$$

Definition 7.

If we assume that any adversary with polynomial time has only a negligible advantage in winning the aforementioned game, we can confidently assert that our scheme is secure.

3.2.2. Dishonest User Game (Non-Replicability of Ciphertext)

The dishonest user game of this scheme is defined as follows: A user attempts to confuse the auditor by forging the authority’s signature and republishing a ciphertext. The game is played by a challenger and an adversary.

–$Setup$: Challenger $\mathcal{B}$ starts the $Setup(1^{\phi },U)$ algorithm and sends the public parameters $PK$ and $s{k}_{Do}$ to the attacker $\mathcal{A}$.

$CiphertextGeneration$: Challenger $\mathcal{B}$ generates the ciphertext $C{T}_{A,T}$ through the $Encrypt$ algorithm and sends it to $\mathcal{A}$; $\mathcal{A}$ generates a new ciphertext $C{T}_{A,T^{{}^{\prime }}}^{{}^{\prime }}$ according to the initial ciphertext $C{T}_{A,T}$.

$Output$:

If $Decrypt(S{k}_{Du},C{T}_{A,T})=Decrypt(S{k}_{Du},C{T}_{A,T^{{}^{\prime }}}^{{}^{\prime }})$ and $C_0^{{}^{\prime }}=M·e(g^{\alpha \beta },g^{s{T}^{{}^{\prime }}})$ then we say that the attacker successfully copies the ciphertext.

The adversary’s advantage in the dishonest user game is defined as

$$Adv=\mid Pr\left[\mathcal{A}success\right]\mid$$

Definition 8.

If the probability of a polynomial-time adversary winning the game described above is negligible, then we consider the ciphertext of our scheme to be secure and irreproducible.

In order to satisfy the requirement of data confirmation, the conventional CP-ABE scheme is insufficient. To ensure auditing capabilities in our CP-ABE scheme, we have developed a method that involves incorporating the data owner’s unique identifier (such as an address or ID number) into the ciphertext using Paillier encryption. The process of our scheme is illustrated in Figure 3.

3.3. Implementation

• $\mathbf{Setup}(1^{\phi },U)\to PK,MSK,P{k}_{AT},S{k}_{AT}$: In the setup phase of our system, we provide the security parameter $\phi$ and the user attribute universe U as inputs to the setup algorithm. This algorithm then generates a group G of order $N=p_1{p}_2{p}_3$, a mapping e, an integer group ${\mathbb{Z}}_N$, and a hash function $H:H\left(x\right)\to {\mathbb{Z}}_N$. This setup process establishes the necessary parameters and functions to enable secure and efficient cryptographic operations in our system. The resulting setup allows us to implement our system in a manner that satisfies our security and performance requirements. Then the system proceeds to select random parameters $\alpha ,a\in {\mathbb{Z}}_N$, and the generator $g\in G_{p_1}$. For each attribute $s\in U$, the system randomly selects a corresponding value $u_i\in {\mathbb{Z}}_N$. The system global parameter is set as

  $$PK=(N,G,{\mathbb{Z}}_N,H\left(x\right),g,g^a,e{(g,g)}^{\alpha },{\{\mathcal{U}=g^{u_i}\}}_{\forall i\in U})$$
  $MSK=(\alpha ,g_3)$($g_3\in G_{p_3}$ and is a generator) and $MSK$ is sent to the authority $AT$; $AT$ performs the following steps locally: randomly selecting two safe large primes p and q, which satisfy $gcd(pq,(p-1\left)\right(q-1\left)\right)=1$, calculating $n=pq,\lambda =lcm(p-1,q-1)$, and then randomly selecting a positive integer $g_1$ that is less than $n^2$. Next, AT computes $\mu ={\left(L\left(g^{\lambda }mod{n}^2\right)\right)}^{-1}modn$ and randomly selects a value $\beta \in {\mathbb{Z}}_N$. The public parameter $P{k}_{AT}=(n,g_1,g^{\beta })$ is generated, whereas the private key $S{k}_{AT}=(\lambda ,\mu ,\beta )$ is stored locally.
• $\mathbf{Encrypt}(P{k}_{AT},<A,\rho >,PK,M)\to C{T}_{A,T}:$
  $\mathbf{Step}\mathbf{1}$: The unique identifier (e.g., ID number, address, mailbox, etc.) is hashed by data owner $Do$ and mapped to an integer in ${\mathbb{Z}}_N$, denoted as

  $$t_{id}=H\left(identity\right)\to {\mathbb{Z}}_N$$

  After mapping the data owner’s unique identifier to an integer in ${\mathbb{Z}}_N$, $Do$ chooses a value $r\stackrel{R}{⟵}{\mathbb{Z}}_{n^2}^{*}$ and employs Paillier encryption to generate the encrypted output $T=g_1^{t_{id}}{r}^{n}mod{n}^2$. The Algorithm 1 is as follows (here we assume the unique identifier string is $“address”$):

Algorithm 1 Encrypt $t_{id}$

Input:    $String“address”$

1: $addrHash$← Convert $“address”$ to a byte array after hashing;  2: $t_{id}\leftarrow MapaddrHashinto{\mathbb{Z}}_N;$  3: $r\leftarrow Randomlypickanelementfrom{\mathbb{Z}}_N;$  4: $T\leftarrow UsePaillierencryptiontoobtainencryptedidentityinformation;$

Output:

$t_{id}$ = 79847630022358710946125273965671104052858 065717629025639108307113838327353

• $\mathbf{Step}\mathbf{2}$: To encode the access structure for the data, the owner of the data, $Do$, creates a shared generator matrix A with dimensions l by n using the LSSS. First, a secret number $s\stackrel{R}{⟵}{\mathbb{Z}}_n$ is randomly selected. Then, $n-1$ random numbers $y_2,\dots ,y_n\stackrel{R}{⟵}{\mathbb{Z}}_n$ are selected to generate a vector $\mathbf{y}=(s,y_2,\dots ,y_n)$. Finally, random numbers $r_i\stackrel{R}{⟵}{\mathbb{Z}}_N$ are chosen for each row $A_{i\in \left[l\right]}$ of matrix A($\left[l\right]$ that represents the entire set of $\{1,2,\dots ,l\}$), $H\left(M\right)$ is obtained by taking a hash of the plaintext M and mapping it to $G_T$ to generate ciphertext:

  $$\overline{C{T}_{A,T}}=<\overline{C_0}=G_T\left(H\left(M\right)\right)·e{(g,g)}^{\alpha s},C_1=g^{sT},C_{i,1}=g^{aT{A}_i·\mathit{v}}{\mathcal{U}}_{\rho \left(i\right)}^{-r_i},C_{i,2}=g^{r_i},C_{i,3}=g^{\beta T{A}_i·\mathit{v}}>$$
  $\mathbf{Step}\mathbf{3}$: Both $\overline{C_0},g^s$ and T are sent to the authority $AT$ for decryption. The decryption process begins with $AT$ decrypting $G_T\left(H\left(M\right)\right)$ using the following method:

  $$G_T\left(H\left(M\right)\right)=\overline{C_0}/e(g^{\alpha },g^s)$$
  After successfully decrypting $G_T\left(H\left(M\right)\right)$, the authority $AT$ checks if it already has a record of $G_T\left(H\left(M\right)\right)$ in its database. If a record already exists, the application is rejected; otherwise, $AT$ utilizes their private key $\beta$ to sign the message and generates

  $$C_0^{{}^{\prime }}=G_T\left(H\left(M\right)\right)·e{(g,g)}^{\alpha s\beta }$$

  and stores the data credentials of $Do$ in the local database in the form of $T:G_T\left(H\left(M\right)\right):timeStamp$. By following this process, it is guaranteed that there is only one legitimate owner associated with the original data source. This measure also serves as a safeguard against any attempts by malicious actors to produce ciphertext and assert false ownership over the data. Furthermore, this also serves to prevent $AT$ from directly accessing the plaintext, which enhances the security of the system. Finally, $C_0^{{}^{\prime }}$ is sent back to the data owner $Do$ for further processing. The user credentials setting Algorithm 2 is as follows:

Algorithm 2 Store user credentials

Input:    $\overline{C_0}$, $g^s$, T

1: Divide $\overline{C_0}$ by $e(g^{\alpha },g^s)$ to get $G_T\left(H\left(M\right)\right)$;  2: if Retrieving $G_T\left(H\left(M\right)\right)$ locally is empty then  3:    Element P = $e{(g,g)}^{\alpha s\beta }$;  4:    Date $date$ = Get the current time through the time function;  5:    $Recordlist\left[\right]$← (T,$G_T\left(H\left(M\right)\right)$,$date$);  6: end if  7: return $P*G_T\left(H\left(M\right)\right)$;

• $\mathbf{Step}\mathbf{4}$: $Do$ first calculates

  $$C_0=M·{(C_0^{{}^{\prime }}/G_T\left(H\left(M\right)\right))}^T$$

  after receiving $C_0^{{}^{\prime }}$, afterwards, the ciphertext is assigned the value

  $$C{T}_{A,T}=<C_0=M·e{(g,g)}^{\alpha sT\beta },C_1=g^{sT},C_{i,1}=g^{aT{A}_i·\mathit{v}}{\mathcal{U}}_{\rho \left(i\right)}^{-r_i},C_{i,2}=g^{r_i},C_{i,3}=g^{\beta T{A}_i·\mathit{v}}>$$

  and uploads $C{T}_{A,T}$ to the cloud.
  Note: A notable characteristic of this scheme is the possibility of having multiple owners for a given $data$, which is made feasible by the additive homomorphism property of Paillier encryption. For example, in a scenario where the data are jointly owned by two parties, denoted as $D{o}_1$ and $D{o}_2$, they can both hash their unique identifiers and use them to generate separate $Paillier$ ciphertexts $T_1$ and $T_2$ using different random numbers, then $D{o}_1,D{o}_2$ calculate $T_1=g_1^{t_{i{d}_1}}{r}_2^{n}mod{n}^2,T_2=g_1^{t_{i{d}_2}}{r}_2^{n}mod{n}^2$, let $T=T_1·T_2$.
  During the entire encryption stage, we have realized data confirmation. Hash the plaintext and map it to $G_T$ for encryption($\overline{C_0}=G_T\left(H\left(M\right)\right)·e{(g,g)}^{\alpha s}$) and send it to $AT$; $AT$ only needs to perform division and signature operations on $\overline{C_0}$, and store user ID T locally as a certificate. Therefore, $AT$ cannot touch the plaintext.

3.

$\mathbf{KeyGen}(MSK,S,PK)\to S{k}_{Du}:$ The generation of the decryption key in this scheme is a collaborative process between $Du$ and $AT$; $Du$ first chooses a random number $t\stackrel{R}{⟵}{\mathbb{Z}}_N$ as a parameter. Next, $Du$ forwards their personal set of attributes S and the value $g^t$ to “$AT$ as part of its request to generate a key. Then, $AT$ selects random numbers $h\stackrel{R}{⟵}{\mathbb{Z}}_N$ and $R_0,R_1,R_2,R_3,R_i\in G_{p_3}$ to generate part of the decryption key

$$S{k}_{pri}=<S,\overline{D}=g^{\beta \alpha },\overline{D_1}=g^{ah},\overline{D_2}=g^{\beta h},\overline{D_3}=g^{th},{\{\overline{D_i}={\mathcal{U}}_i^h\}}_{i\in S}>$$

Finally, $AT$ transmits the decryption key $S{k}_{pri}$ and a collection of values labeled as $\{R_0,R_1,$$R_2,R_3,R_i\}$ to $Du$, and $Du$ generates the decryption key locally using these values:

$$S{k}_{Du}=<S,D=\overline{D}{R}_0,D_1={\overline{D_1}}^t{R}_1,D_2={\overline{D_2}}^t{R}_2,D_3=\overline{D_3}{R}_3,{\{D_i={\overline{D_i}}^t{R}_i\}}_{i\in S}>$$

4.

$\mathbf{Decrypt}(S{k}_{Du},C{T}_{A,T})\to M:$ The decryption key allows $Du$ to decrypt the ciphertext and obtain access to the data. The decryption algorithm searches for a vector $\mathbf{w}$ such that $A_i^T·\mathbf{w}={(1,0,\dots ,0)}^T(i\in S)$, if the attributes of $Du$ do not satisfy the access policy, then there is only one vector $\left\{{\kappa }_i\right\}$, such that $A_i^T·\left\{{\kappa }_i\right\}={(0,0,\dots ,0)}^T(i\in S)$ and ${\kappa }_1=1$, the plaintext M is obtained by the following formula:

$$F=e(C_1,D{D}_1{D}_2)$$

$$E={\mathsf{\Pi }}_{\rho \left(i\right)\in S}{\left(e(C_{i,1}{C}_{i,3},D_3)e(C_{i,2},D_i)\right)}^{w_i}$$

$$M=C/F/E$$

5.

$\mathbf{Audit}(PK,M,M^{*},P{k}_{AT},S{k}_{AT},MSK)\to t_{id}$: If the data owner $Do$ suspects that his data have been infringed upon or abused, he can prove his ownership by interacting with the public auditor $PA$ and the authority $AT$. This interaction serves two purposes:

(a)

To demonstrate that $Do$ was the first to upload the data;

(b)

To prove that the ciphertext corresponding to the data is indeed generated by $Do$.

$\mathbf{Step}\mathbf{1}$: To prove that $Do$ is the first to upload the data, the source data M and $C{T}_{A,T}$ are sent by $Do$ to the public auditor $PA$. $PA$ obtains the hash value of the source data M by applying the hash function $H\left(x\right)$ and sends it to the authority $AT$ to identify the owner of the plaintext.

$\mathbf{Step}\mathbf{2}$: First, PA carries out a comparison:

$$M\stackrel{?}{=}{M}^{*},C_0\stackrel{?}{=}M·e(g^{\alpha \beta },C_1)$$

If they are equal, $PA$ enter the $t_{id}$ extraction process using n, $\lambda$, defines $L\left(x\right)=(x-1)/n$, calculates $\mu ={\left(L\left(g^{\lambda }mod{n}^2\right)\right)}^{-1}modn$, then by $L\left(T^{\prime \lambda }mod{n}^2\right)\times \mu modn$ to extract the $D{o}^{\prime }s$$t_{id}$.

$\mathbf{Step}\mathbf{3}$: $PA$ is needed to verify whether the given equation is valid or false.

$$H\left(identity\right)\to {\mathbb{Z}}_N\stackrel{?}{=}{t}_{id}$$

Assuming the equation is satisfied, we can conclude that the data belong to the user $Do$. Let us take the unique identifier $“address”$ during encryption as an example: the decryption Algorithm 3 and the decrypted $t_{id}$ are as follows:

Algorithm 3 Decrypt $t_{id}$

1: $\lambda \leftarrow (p-1)\ast (q-1)$;  2: $\mu \leftarrow Get\mu accordingtotheformula{\left(L\left(g_1^{\lambda }mod{n}^2\right)\right)}^{-1}modn;$  3: $t_{id}\leftarrow Obtainthe{t}_{id}intheciphertextaccordingtothedecryptionalgorithmL\left(T^{\prime \lambda }mod{n}^2\right)$$\times \mu modn;$

Output:

$t_{id}^{\prime }$ = 79847630022358710946125273965671104052858 065717629025639108307113838327353

If the data are generated by multiple users, then $t_{i{d}_1}+t_{i{d}_2}\equiv L(g^{\lambda (t_{i{d}_1}+t_{i{d}_2})}·{(r_1·r_2)}^{\lambda n})·\mu modn$, $PA$ verifies $H\left(identit{y}_1\right)\to {\mathbb{Z}}_N+H\left(identit{y}_2\right)\to {\mathbb{Z}}_N\stackrel{?}{=}{t}_{i{d}_1}+t_{i{d}_2}$.

During the entire audit phase, $PA$ needs to do two things:

(1)

Compare whether the leaked plaintext is the same as that owned by $Do$ and calculate whether the ciphertext is generated by $Do$ through the formula $C_0\stackrel{?}{=}M·e(g^{\alpha \beta },C_1)$;

(2)

Obtain the user credential T corresponding to the plaintext in the $AT$’s database and obtain the owner of the plaintext through Paillier decryption.

3.4. Correctness

$$e(C_1,D)=e(g^{sT},g^{\beta \alpha }{R}_0{g}^{\beta ht}{R}_2{g}^{aht}{R}_1)=$$

$$e(g^{sT},g^{\beta \alpha })e(g^{sT},g^{\beta ht})e(g^{sT},g^{aht})$$

$${\mathsf{\Pi }}_{\rho \left(i\right)\in S}{\left(e(C_{i,1}{C}_{i,3},D_3)e(C_{i,2},D_i)\right)}^{w_i}=$$

$${\mathsf{\Pi }}_{\rho \left(i\right)\in S}(e(g^{aT{A}_i·\mathit{v}}{\mathcal{U}}_{\rho \left(i\right)}^{-r_i}{g}^{\beta T{A}_i·\mathit{v}},g^{th}{R}^{{}^{\prime }})$$

$$e(g^{r_i},{\mathcal{U}}_i^{ht}{R}_i^{{}^{″}}))$$

$$={\left(e(g^{aT},g^{ht})e(g^{\beta T},g^{ht})\right)}^{\Sigma A_i·\mathit{v}·w_i}$$

$$=e(g^{aTs},g^{th})e(g^{\beta Ts},g^{th})$$

$$F=e(g^{sT},g^{\beta \alpha })e(g^{sT},g^{\beta ht})e(g^{sT},g^{aht})/$$

$$e(g^{aTs},g^{th})e(g^{\beta Ts},g^{th})$$

$$=e{(g,g)}^{\alpha \beta sT}$$

$$C_0/F=M$$

3.5. IND-CPA Security

Suppose there is an adversary $\mathcal{A}$ who can eavesdrop on the channel between the user and the data owner, and he can obtain the ciphertext corresponding to the plaintext within a limited time, so as to crack the key and gain unlimited access to the ciphertext. Our scheme’s $IND-CPA$ security is analogous to the $IND-CPA$ security of the $CP-ABE$ scheme proposed by Allison and his colleagues in [33], and we only prove Assumption 1 here. To begin with, we create a semi-functional ciphertext (defined as SF-C) and a semi-functional key (defined as SF-K) in the following format:

SF-C: We define $g_2$ as the generator element of the group $G_{p_2}$. It randomly selects $f\stackrel{R}{⟵}{\mathbb{Z}}_N$, for each attribute, selects $z_i\stackrel{R}{⟵}{\mathbb{Z}}_N$, then selects ${\gamma }_i\stackrel{R}{⟵}{\mathbb{Z}}_N$ for each row of the shared generator matrix and two random vectors $\mathbf{u},\mathbf{w}\in {\mathbb{Z}}_N^n$, SF-C is defined as follows: $C_1=g^{sT}·g_2^f,C_2=g^{\beta sT}·g_2^{\beta f},C_{i,1}=g^{aT{A}_i·\mathit{v}}{\mathcal{U}}_{\rho \left(i\right)}^{-r_i}{g}_2^{A_i·\mathbf{u}+{\gamma }_i{z}_{\rho \left(i\right)}},C_{i,2}=g^{r_i}{g}_2^{-{\gamma }_i},C_{i,3}=g^{\beta T{A}_i·\mathit{v}}·g_2^{A_i·\mathbf{w}}$

SF-K: We can create two types of SF-K by randomly selecting the parameters $d,h,c\stackrel{R}{⟵}{\mathbb{Z}}_N,R_0^{{}^{\prime }},R_1^{{}^{\prime }},R_2^{\prime },R_3^{\prime },R_i^{{}^{\prime }}\in G_{p_3}$ as follows:

$\mathbf{Type}\mathbf{1}:D=g^{\beta \alpha }{g}_2^d{R}_0^{\prime },D_1=g^{aht}{g}_2^d{R}_1^{\prime },D_2=g^{\beta ht}{g}_2^d{R}_2^{\prime },D_3=g^{ht}{g}_2^c{R}_3^{{}^{\prime }},\{D_i={\mathcal{U}}_i^{ht}{R}_i^{{}^{\prime }}{g}_2^{c{z}_i}\}$

$\mathbf{Type}\mathbf{2}:D=g^{\beta \alpha }{g}_2^d{R}_0^{\prime },D_1=g^{aht}{g}_2^d{R}_1^{\prime },D_2=g^{\beta ht}{g}_2^d{R}_2^{\prime },D_3=g^{ht}{R}_3^{{}^{\prime }},\{D_i={\mathcal{U}}_i^{ht}{R}_i^{{}^{\prime }}\}$(let $c=0$)

Upon decrypting an SF-C with an SF-K, an additional term is introduced into the plaintext due to the semi-functional properties of the key and ciphertext:

$$e{(g_2,g_2)}^{3fd-2u_{1}c}$$

where $u_1$ represents the first item of the vector $\mathbf{u}$. We will now introduce a series of games to analyze the security of our proposed scheme:

$Gam{e}_{Real}$: In this game, both the ciphertext and the decryption key are valid, and the security of the scheme is not compromised.

$Gam{e}_0$: We define a game where all keys are normal, but the challenge ciphertext is SF-C. Let q be the number of times the attacker requests the key. For $k\in [1,q]$, we define:

$Gam{e}_{k,1}$: The challenge ciphertext is SF-C, the first $\mathit{k}-\mathit{1}$ keys requested by the adversary are SF-K of Type 2, the kth key is SF-K of Type 1, and the rest are normal. $Gam{e}_{k,2}:$ We define a game where the challenge ciphertext is SF-C, the first k keys are SF-K of Type 2, and the remaining keys are normal.

At the end of the game, we play the game’s last round ($Gam{e}_{final}$): all the keys are Type 2 SF-K, and the ciphertext is generated by semi-functionally encrypting random messages without using the two messages supplied by the adversary.

Lemma 1.

Assume the existence of a polynomial-time algorithm$\mathcal{A}$such that$Gam{e}_{Real}Ad{v}_A-Gam{e}_{0}Ad{v}_A=ϵ$. where ϵ is a non-negligible value. We can find a polynomial-time algorithm$\mathcal{B}$ to break Assumption 1 by ϵ.

Proof. 

Sending $g,g_3,X$ to $\mathcal{B}$, $\mathcal{B}$ will simulate $Gam{e}_{Real}$ or $Gam{e}_0$ with adversary $\mathcal{A}$; $\mathcal{B}$ randomly selects $\alpha ,a,\beta \in {\mathbb{Z}}_N$, and selects a random exponent $u_i\in {\mathbb{Z}}_N$ for each attribute in the system, then randomly selects two safe large prime numbers $p,q$ such that $gcd(pq,(p-1\left)\right(q-1\left)\right)=1$, calculates $n=pq,\lambda =lcm(p-1,q-1)$, then randomly selects a positive integer $g_1$ less than $n^2$, and $\mu ={\left(L\left(g^{\lambda }mod{n}^2\right)\right)}^{-1}modn$, the public parameter

$$PK=(N,g,g^a,g^{\beta },e{(g,g)}^{\alpha },{\{\mathcal{U}=g^{u_i}\}}_{\forall i\in U})$$

and public key

$$Pk=(n,g_1,g^{\beta })$$

are sent to $\mathcal{A}$.    □

Next, $\mathcal{A}$ sends two equal-length messages $M_0,M_1$, T generated by his own unique identity and a shared generator matrix $(A^{*},\rho )$ to $\mathcal{B}$, $\mathcal{B}$ implicitly sets $g^{sT}$ to the part of $G_{p_1}$ (and possibly $G_{p_1{p}_2}$ element). Then, $\mathcal{B}$ flips a coin and pick $\sigma \in \{0,1\}$ and sets:

$$C_0=M_{\sigma }e(g^{\alpha \beta },X),C_1=X$$

then randomly selects $y_2^{{}^{\prime }},\dots ,y_n^{{}^{\prime }},r_i^{{}^{\prime }}\stackrel{R}{⟵}{\mathbb{Z}}_N$, sets the vector ${\mathit{v}}^{{}^{\prime }}=(1,y_2^{{}^{\prime }},\dots ,y_n^{{}^{\prime }})$, then sets $C_{i,1}=X^{aT{A}_i·{\mathit{v}}^{{}^{\prime }}}{X}^{-r_i^{{}^{\prime }}{u}_{\rho \left(i\right)}},C_{i,2}=X^{r_i^{{}^{\prime }}},C_{i,3}=X^{\beta T{A}_i·{\mathit{v}}^{{}^{\prime }}}$. We implicitly set $\mathit{v}$ to $(s,s{y}_1^{{}^{\prime }},\dots ,s{y}_n^{{}^{\prime }})$,$r_i=s{r}_i^{{}^{\prime }}$, so when $X\in G_{p_1}$, it is a correctly distributed normal ciphertext.

If $X\in G_{p_1{p}_2}$, let $g_2^{f^{{}^{\prime }}}$ be the $G_{p_2}$ part of X ( $X=g^s{g}_2^{f^{{}^{\prime }}}$), so $C_1=g^{sT}{g}_2^{f^{{}^{\prime }}T},C_2=g^{s\beta T}{g}_2^{\beta f^{{}^{\prime }}T},C_{i,1}=g^{saT{A}_i·{\mathit{v}}^{{}^{\prime }}}{g}^{-s{r}_i^{{}^{\prime }}{u}_{\rho \left(i\right)}}·g_2^{f^{{}^{\prime }}aT{A}_i·{\mathit{v}}^{{}^{\prime }}-f^{{}^{\prime }}{r}_i^{{}^{\prime }}{u}_{\rho \left(i\right)}},C_{i,2}=g^{s{r}_i^{{}^{\prime }}}{g}_2^{f^{{}^{\prime }}{r}_i^{{}^{\prime }}},C_{i,3}=g^{s\beta T{A}_i{\mathit{v}}^{{}^{\prime }}}{g}_2^{f^{{}^{\prime }}\beta T{A}_i{\mathit{v}}^{{}^{\prime }}}$. Let

$$\mathbf{u}=f^{{}^{\prime }}aT{\mathit{v}}^{{}^{\prime }},{\gamma }_i=-f_i{r}_i^{{}^{\prime }},z_{\rho \left(i\right)}=u_{\rho \left(i\right)},\mathbf{w}=f^{{}^{\prime }}\beta T{\mathit{v}}^{{}^{\prime }}$$

this is a correctly distributed semi-functional ciphertext. We simulated and ran local experiments to test our scheme against Choose Plaintext Attack, and in both $X\in G_{p_1}$ and $X\in G_{p_1{p}_2}$ scenarios, attacker $\mathcal{A}$ was unable to decrypt the data. Figure 4 illustrates the process of a chosen plaintext attack and the experimental results obtained by the attacker. Therefore, $\mathcal{A}$ can break Assumption 1 with the advantage of $ϵ$.

Assumptions 2 and 3 can be proved by similar constructions above; see Allison’s scheme [33] for details.

3.6. Ciphertext Non-Replicability

Suppose there is an adversary $\mathcal{A}$ who can eavesdrop on the channel between the data owner and $AT$. The purpose of $\mathcal{A}$ in this game is to obtain the signature of $AT$ and embed its own $T^{\prime }$ in the ciphertext and replace the identity of the data owner in the ciphertext data with its own identity, so as to obtain the ownership of the data. We assume that the adversary will not send his identity information to $AT$ without being able to copy the ciphertext (even if sent, it does not pass authentication).

Lemma 2.

Assume that there is a polynomial-time algorithm $\mathcal{A}$ that can break the CDH Assumption with the advantage of ϵ in the polynomial time, then we can construct a polynomial-time algorithm $\mathcal{B}$ that falsifies ciphertext with the advantage of ϵ.

Proof. 

$\mathcal{B}$ first runs the $Setup(1^{\phi },U)\to (PK,MSK,P{k}_{AT},S{k}_{AT})$ algorithm, and $PK,P{k}_{AT}$ are sent to the adversary $\mathcal{A}$.    □

Ciphertext generation:$\mathcal{B}$ first interacts with $AT$ to generate the ciphertext $C{T}_{A,T}$, and sends $C{T}_{A,T}$ to $\mathcal{A}$. The adversary has two ways to generate its own ciphertext:

• Case 1: After the adversary (dishonest user) decrypts the ciphertext and obtains the plaintext M, it regenerates the ciphertext $C{T}^{{}^{\prime }}$ by itself. This method is obviously not advisable, because even if the original decryption key of the ciphertext is generated, it is unable to decrypt $C{T}^{{}^{\prime }}$ and $G_T\left(H\left(M\right)\right)$ has been stored locally in the authority.
• Case 2: The adversary obtains the signature and generates the ciphertext by eavesdropping on the channel between the data owner and $AT$, and sending information that is beneficial to $\mathcal{A}$ to $AT$; $\mathcal{B}$ randomly selects $s\stackrel{R}{⟵}{\mathbb{Z}}_n$, hashes the plaintext M and maps it to $G_T$, $\overline{C_0}=G_T\left(H\left(M\right)\right)·e{(g,g)}^{\alpha s}$ and $\overline{C_0},g^s$ are sent to $\mathcal{A}$.

The adversary $\mathcal{A}$ attempts to generate a random number $s^{{}^{\prime }}$ such that $e{(g,g)}^{\alpha s^{{}^{\prime }}}=e{(g,g)}^{\alpha s}$, so he can send $\overline{C_0^{{}^{\prime }}}=G_T\left(H\left(M\right)\right)·e{(g,g)}^{\alpha s^{{}^{\prime }}},g^{s^{\prime }}$ and his own identity $T^{{}^{\prime }}$ to obtain the signature of $AT$, and then according to $Encrypt(P{k}_{AT},<A,\rho >,PK,M)\to C{T}_{A,T}$ algorithm to generate ciphertext and publishes it, $\mathcal{A}$ can obtain $g^s$ after eavesdropping on the channel, by calculating $e(g,g^s)$, he can get $e{(g,g)}^s$, that is, the adversary $\mathcal{A}$ knows $e{(g,g)}^{\alpha }$ and $e{(g,g)}^s$, wants to calculate $e{(g,g)}^{\alpha s}$. This is a $CDH$ problem, there is no polynomial time algorithm to break it, so

$$Adv=\mid Pr\left[\mathcal{A}success\right]\mid <ϵ$$

4. Experiments and Analysis

In this section, we mainly analyze the efficiency of our scheme and compared it with the Fully secure CP-ABE scheme proposed by Allison et al. [33] in setup, key generation, encryption, decryption, and memory consumption. The experiment is in the win10, 16GB, AMD Ryzen 5 R2600 Six -Core 3.40GHz platform. We choose to use the JPBC library of JAVA to build the environment and generate a composite order group with a size of 512 bits and an integer cyclic group with a size of 258 bits through an 83-bit elliptic curve. The data were obtained by running the experiments on a locally set up environment and were saved in a text file in “.xlsx” format. The figures were generated by comparing the data using MATLAB plotting.

Figure 5 shows the setup comparison between our scheme and Allison et al.’s scheme. Since the complexity of the setup is $O\left(N\right)$ (N represents the number of attributes in the attribute universe), the time efficiency is almost the same except for computer errors.

The master key is in the form of a key–value pair:

MSK: alpha:210810353108659863024409106247517618452769941479846636980134442864523125
95818033429445987282464226795828802774079330
g3:507123706182628610741111547764849270218939290666858116887669480037266931236
6558956079248951460266712797586740186721012,3848333923503209101783513197106326
835379604308979589246948604032780415086659341351001892795149863403912326337017
537761,0
beta:3971351897302668818568847385425920497495147741445579066512932780617650627
246730432329467425793820791111050407589402

Figure 6 shows a comparison of the key generation time between our scheme and the scheme proposed by Allison et al. Our scheme involves interactive key generation, resulting in higher overhead compared to Allison’s scheme when the attribute space is small. However, as the attribute space grows, the performance gap between the two schemes decreases.

Figure 7 illustrates a comparison of the encryption time between our scheme and the scheme proposed by Allison et al. The ciphertext complexity of Allison et al.’s scheme is $O(C+N)$, and the complexity of our scheme is also $O(C+N)$, where C represents the length of the ciphertext and N represents the number of attributes in the attribute space. In fact, Allison et al.’s scheme involves $C+2N$ terms, whereas ours involves $C+3N$ terms, which results in a small difference in overhead.

The generated ciphertext is also stored in the form of key–value pairs. We take plaintext “$hello$” as an example, and the encrypted $C_0$ format is as follows:

CT_AT:

C0_0:{x=18512619911661450195327750867443546794232624419671207238173221146535506

95552872207298169171836981828215064641158984234,y=70592147653957222146120442588

2624722810944092606551932879619145643069907176528665887436471753185725971617607

9123508797}

C0_1:{x=10305743198129175737055428555819461127421625147813759967731163938926816

650740214215836427503578249751830703585598710737,y=9864469019751328170985532932

3260154136345304295214862269824474212174107344885351182673330718902818130451275

75927761095}

C0_2:{x=85627632985010802758634299337508008509965737271381026168608890332725357

51769387446114503063186080075196481905182611275,y=69157043429120428487195645886

4787393452354723338419697486692137357841812076088296305720924512144895097136125

4706491542}

C0_3:{x=85627632985010802758634299337508008509965737271381026168608890332725357

51769387446114503063186080075196481905182611275,y=69157043429120428487195645886

4787393452354723338419697486692137357841812076088296305720924512144895097136125

4706491542}

C0_4:{x=10828209153804955834077646467569440299821102129146337294704720899926979

6582045437576244731444812151580842960742884772,y=411045008855643689234607591514

8105748998457729928230076680665408791706458037634503664240890763024397642409757

902239244}

Figure 8 presents a comparison of the decryption time between our scheme and the scheme proposed by Allison et al. The time overhead is mainly focused on computing the secret s, so apart from computational errors, there is no difference in overhead.

The plaintext obtained by decrypting the above ciphertext is as follows:

ourScheme.Decrypt(“file/Key”,“file/CT_AT”);

The plaintext after decryption is:hello

Finally, Figure 9 shows a comparison of the memory overhead between our scheme and the scheme proposed by Allison et al. Due to the involvement of our scheme’s interactive functions, such as $sendToAT\left(\right)$, $KeyGenAT\left(\right)$, and $id$ extraction function $extractID\left(\right)$, our scheme incurs a higher memory overhead than Allison et al.’s scheme.

5. Conclusions

Based on Paillier encryption and CP-ABE, this paper proposes a data rights confirmation scheme, which effectively solves the ownership of data and the right to use data. The work of confirming the rights of the plaintext is transferred to the confirmation of the ciphertext. Before the plaintext audit, no one can access the original data except the user designated by the data user, which provides a guarantee that the source data will not be leaked. Finally, the security of the scheme is proved, and the efficiency and feasibility of the scheme are analyzed through experiments. First, this article does not exclude the third party, and the data transaction behavior between users is not specified, but only stipulates the “ownership” of data and the “rights to use” of data. Second, this paper does not consider how to implement the tracking of the key and revocation of the key when the data owner discovers the data leakage. Finally, there is no guarantee that the credentials stored in $AT$ are authentic. In future work, we will conduct related research on data transactions. Considering the key tracing and key revocation problems, the traceability and revocability of keys can be achieved by combining the scheme proposed by Ning et al. [14] and the subset coverage technique. How to combine smart contracts and blockchain to solve the problem of traditional third-party untrustworthiness is also part of our future work.