A Blockchain-Based Efficient and Verifiable Attribute-Based Proxy Re-Encryption Cloud Sharing Scheme

Abstract

When choosing a third-party cloud storage platform, the confidentiality of data should be the primary concern. To address the issue of one-to-many access control during data sharing, it is important to encrypt data with an access policy that enables fine-grained access. The attribute-based encryption scheme can be used for this purpose. Additionally, attribute-based proxy re-encryption (ABPRE) can generate a secret key using the delegatee’s secret key and access policy to re-encrypt the ciphertext, allowing for one-to-many data sharing. However, this scheme still has some flaws, such as low efficiency, inability to update access rules, and private data leakage. To address these issues, we proposed a scheme that combines attribute-based encryption (ABE) and identity-based encryption (IBE) to achieve efficient data sharing and data correctness verification. We also integrated this scheme with blockchain technology to ensure tamper-proof and regulated data storage, addressing issues such as data tampering and lack of supervision on third-party servers. Finally, to demonstrate the security of our scheme, we evaluated the communication overhead and computation overhead. Our results showed that our scheme is more efficient than other schemes and is secure against chosen plaintext attacks with verifiable properties.

1. Introduction

Attribute-based encryption (ABE) was proposed by Waters et al. [1] as a means of achieving fine-grained access control for outsourced data to protect its confidentiality. ABE has been widely adopted in many applications. The characteristic of ABE is that it uses an access policy for users with different attribute sets in the encryption stage, ensuring that only qualified users can successfully obtain and decrypt plaintext. However, one of the drawbacks of ABE is that the access policy can become outdated and lack flexibility. Furthermore, the complexity of ABE decryption increases linearly as the number of attributes increases, making it unaffordable for mobile devices with limited computational capabilities.

The ABE scheme encrypts plaintext using an access policy, ensuring that only users with legal attributes can successfully decrypt the ciphertext. However, if the delegatee lacks the legal attributes required to decrypt the ciphertext, they can only decrypt it by obtaining the secret key of the delegator, which creates a significant security risk. Moreover, the complexity of ABE decryption increases linearly with the number of attributes, which can be time-consuming, especially on mobile devices with limited computational capabilities.

To address the issues mentioned above, we proposed a solution that combines identity-based encryption (IBE) with ABE [2]. By deploying IBE on mobile devices and ABE on PC devices, we can achieve effective encryption and decryption. Additionally, IBE enables the conversion of ABE ciphertext to IBE ciphertext, allowing delegatees with limited computational capabilities to access data at a lower computation cost.

In this paper, the EV-ABPRE encryption scheme based on blockchain is suggested. The scheme combines CP-ABE with IBE to construct an encryption scheme that can verify the correctness of re-encrypted ciphertext. Our scheme intends to use the re-encryption key to change the ABE ciphertext into the IBE ciphertext and to liberate the delegatee from the decryption, which requires massive computational capabilities. When EV-ABPRE is used to motivate the scene, the delegator deploys the CP-ABE scheme on the PC to enable fine-grained access to the outsourced data. The delegatee accesses the data from the deployed IBE scheme to implement the effective decryption process, and that delegatee cannot directly access the original ciphertext. The delegator obtains the unique identifier of the delegatee (such as the telephone number and e-mail address); then, the algorithm is executed to output a re-encryption key and returns it to the proxy nodes. The proxy nodes generate the re-encrypted ciphertext that the delegatee could decrypt using their own IBE key to obtain the plaintext.

Our research aims to improve the security of attribute-based proxy re-encryption (ABPRE) schemes, which are commonly used to protect the confidentiality of outsourced data. While the current ABPRE scheme is effective in safeguarding the data’s confidentiality, it lacks the ability to verify whether the proxy nodes honestly re-encrypted the ciphertext. This presents a significant security problem, as a dishonest proxy node could potentially leak sensitive data. To address this problem, we propose an effective and verifiable attribute-based proxy re-encryption scheme (EV-ABPRE) based on blockchain technology. Our research objective is to develop a scheme that not only maintains data confidentiality but also provides a verifiable method for ensuring the honesty of the proxy nodes. We define two types of security definitions, semantic security and verifiability, and examine our scheme’s efficacy in meeting these requirements.

2. Related Work

It is well-known that IBE is an efficient encryption scheme that can utilize any string recognized as a public key and generate an IBE secret key from the string. Boneh and Franklin et al. [3] first proposed an IBE scheme based on bilinear groups. The advantage of the IBE scheme is that it does not require certificates of the public-key system, unlike traditional public-key encryption. Therefore, there is no overhead for storing and managing certificates. This scheme is widely used because of its confidentiality and efficient key management.

Waters proposed an ABE scheme to enable one-to-many data sharing [4]. ABE can be divided into two types, namely ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE), depending on where the access policy is embedded [1]. The access policy is integrated into the encryption process, and only delegatees with legal attributes can successfully decrypt the ciphertext. Goyal et al. [1] noted that a drawback of encrypted data is that it can only be selectively shared at a coarse-grained level. To achieve fine-grained data sharing, they proposed the key policy attribute-based encryption. Muhammad et al. [5] combined the attribute-based access control (ABAC) framework with cloud storage and suggested an adapted CP-ABE approach to achieve fine-grained access control. The CP-ABE approach is suitable for data sharing with multiple users, while the KP-ABE approach is suitable for data sharing with a single user.

Proxy re-encryption (PRE) was first proposed by Blaze et al. [6], wherein semi-trusted proxy nodes use a re-encryption key to re-encrypt the ciphertext, allowing the delegatee to decrypt it. This approach achieves secure data sharing between the delegator and the delegatee without revealing the plaintext [7]. However, G et al. [8] proposed a bidirectional PRE scheme that cannot guarantee the security of the delegator’s data, and only supports one-to-one data sharing. To address these limitations, Chen et al. [9] proposed an electronic medical record system that combines blockchain and proxy re-encryption, providing a secure solution for sharing sensitive data.

The attribute-based proxy re-encryption (ABPRE) scheme was suggested by Liang et al. [10], who combined the ABE scheme with the PRE scheme. This scheme provides a unidirectional and multi-use ciphertext policy ABPRE (CP-ABPRE) by adding attribute-based counterparts to traditional proxy re-encryption, enabling users to carry out delegation in access control environments. The scheme supports an AND-gate policy for multivalued and negative attributes, allowing the user identified by the attribute to specify the proxy. Luo et al. [11] proposed a new CP-ABPRE scheme that supports multi-valued attributes, negative attributes, and the AND-gate policy, while Liang et al. [12] improved the existing CP-ABPRE by pointing out its vulnerability to a chosen-plaintext attack (CPA) and showing its security against a chosen-ciphertext attack (CCA) using the random oracle model. Hong et al. [13] proposed an attribute-based data retrieval scheme with proxy re-encryption to achieve fine-grained access control and data retrieval over ciphertexts. However, the problem with all KP-ABPRE methods, according to Luo et al. [14], is that they are based on classical number-theoretic assumptions, which make them vulnerable to quantum attacks. To address this, Luo proposed the first KP-ABPRE scheme based on learning with errors. Yang et al. [15] developed a one-way, non-interactive, non-transitive, non-transferable, and verifiable attribute-based proxy re-encryption scheme to ensure that user permissions are updated dynamically. Finally, Hong et al. [16] pointed out the time-bounded security and key exposure protection issues in existing ABPRE schemes and proposed a system in which users’ access privileges are time-bounded. However, the delegatee requires the computational capabilities in the decryption phase to be linearly related to the number of attributes. If the computation capabilities of the delegatee’s device are limited, it will take a long time to decrypt the ciphertext, and the delegatee cannot ensure the validity of the returned re-encrypted ciphertext from proxy nodes.

The linear increase in decryption complexity in ABPRE with the number of attributes is a significant burden for users with limited computation capabilities. To address this, Hua et al. [2] proposed a CP-HAPRE scheme that combines CP-ABE with IBE. This approach reduces the delegatee’s burden on computational capabilities during the generation of the re-encryption key, which is generated by the unique identifier of the delegatee and the secret key of the delegator. By using this method, the complexity of generating the re-encryption key is independent of the number of attributes, making it more efficient and practical for users with limited computational capabilities.

While the previously discussed schemes require semi-trusted proxy nodes to facilitate data sharing, dishonest proxy nodes may use previously encrypted ciphertexts, even those generated at random, to minimize computation costs [17]. This can be extremely detrimental to accurate data if the plaintext differs from the correct plaintext. To address this issue, Lin et al. [18] proposed a general unidirectional single-hop ABPRE construction that introduces a commitment scheme and key derivation function to verify whether the proxy nodes have correctly re-encrypted the ciphertext. Ge et al. [19] proposed a verifiable and fair attribute-based proxy re-encryption (VF-ABPRE) scheme to support bidirectional verification operations for the proxy nodes and the delegatee, with proven confidentiality, verifiability, and fairness. However, the scheme is not suitable for delegatees with limited computational capabilities.

Blockchain is a decentralized and tamper-proof distributed ledger that provides anti-forgery features. To ensure data confidentiality, encryption algorithms are necessary, and cryptography technology can ensure secure data transmission. Zuo et al. [20] proposed a scheme that combines blockchain technology with CP-ABE, providing a secure and efficient cloud sharing scheme for the discrete logarithm problem and the decision q-parallel BDHE. Eltayieb et al. [21] proposed certificateless proxy re-encryption as an effective access control mechanism for protecting access to outsourced data. Zhang et al. [22] suggested a blockchain proxy re-encryption scheme with keyword search and attribute-based encryption, achieving better collusion resistance by using node classification and separating ciphertext storage.

3. Preliminaries

This section is mainly used to introduce the cryptography knowledge used in this scheme.

3.1. Bilinear Maps

${\mathbb{G}}_1$ and ${\mathbb{G}}_{\mathrm{T}}$ are two cyclic groups of prime order $\mathrm{p}$. Let $\mathrm{g}$ be a generator of ${\mathbb{G}}_1$ and $\mathrm{e}: {\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_{\mathrm{T}}$ be a map with the following properties:

Bilinearity: For $\mathrm{a},\mathrm{b}\in {\mathbb{Z}}_{\mathrm{p}}, \mathrm{u},\mathrm{v}\in {\mathbb{G}}_1$, both $\mathrm{e}\left({\mathrm{u}}^{\mathrm{a}},{\mathrm{v}}^{\mathrm{b}}\right)=\mathrm{e}\left({\mathrm{u}}^{\mathrm{b}},{\mathrm{v}}^{\mathrm{a}}\right)=\mathrm{e}{\left(\mathrm{u},\mathrm{v}\right)}^{\mathrm{ab}}$;

Non-degenerative: $\mathrm{e}\left(\mathrm{g},\mathrm{g}\right)\ne 1$. If the group operations in ${\mathbb{G}}_1$ and bilinear map $\mathrm{e}: {\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_{\mathrm{T}}$ can be computed efficiently, then ${\mathbb{G}}_1$ is a bilinear group;

Computability: There is an efficient algorithm for any $\mathrm{g}\in {\mathbb{G}}_1$, and all can be calculated $\mathrm{e}\left(\mathrm{g},\mathrm{g}\right)$.

3.2. LSSS [23]

Definition 1. 

Let $\mathbb{P}=\left\{P_1,P_2,\dots ,P_n\right\}$ be a collection of a series of participants; a secret sharing scheme$\prod$ in $\mathbb{P}$ is linear when the following two conditions are satisfied:

• Each participant has a secret about  $s$ what constitutes a vector on  ${\mathbb{Z}}_p$;
• There exists a matrix  $\mathbb{A}$ called the sharing-generate matrix for $\prod ; \mathbb{A}$ is an $l\times n$ matrix, and $\rho \left(i\right)$ is an injective function that maps each row of $\mathbb{A}$ to an attribute set, $i\in l$. Randomly select vector $\overrightarrow{\mathrm{v}}=\left(s,r_2,\dots ,r_n\right)$; $s$ is a secret that needs to be shared. So ${\mathbb{A}}_i\overrightarrow{\mathrm{v}}, i\in l$, is the $i$th party of $\rho \left(i\right)$.

3.3. q-Parallel BDHE Assumption

${\mathbb{G}}_1$ is a cyclic group of prime order $\mathrm{p}$. Let $\mathrm{g}$ be a generator of ${\mathbb{G}}_1$. Select elements $\mathrm{a},\mathrm{s},{\mathrm{b}}_1,\dots ,{\mathrm{b}}_{\mathrm{n}}\in {\mathbb{Z}}_{\mathrm{p}}$, given vector $\mathrm{g},{\mathrm{g}}^{\mathrm{s}},{\mathrm{g}}^{\mathrm{a}},{\mathrm{g}}^{{\mathrm{a}}^{\mathrm{q}}},{\mathrm{g}}^{{\mathrm{a}}^{\mathrm{q}+1}},{\mathrm{g}}^{{\mathrm{a}}^{2\mathrm{q}}},$ ${\mathrm{g}}^{{\mathrm{sb}}_{\mathrm{j}}},{\mathrm{g}}^{\mathrm{a}/{\mathrm{b}}_{\mathrm{j}}},\dots ,{\mathrm{g}}^{{\mathrm{a}}^{\mathrm{q}+2}/{\mathrm{b}}_{\mathrm{j}}},\dots ,{\mathrm{g}}^{{\mathrm{a}}^{2\mathrm{q}}/{\mathrm{b}}_{\mathrm{j}}}$, of which $\forall 1\le \mathrm{j}\le \mathrm{q}$, ${\mathrm{g}}^{{\mathrm{sab}}_{\mathrm{k}}/{\mathrm{b}}_{\mathrm{j}}},\dots ,{\mathrm{g}}^{{\mathrm{sa}}^{\mathrm{q}}{\mathrm{b}}_{\mathrm{k}}/{\mathrm{b}}_{\mathrm{j}}},$ of which $\forall \mathrm{j}\le 1,\mathrm{q}\ge \mathrm{k},\mathrm{j}\ne \mathrm{k}$.

The decisional q-parallel BDHE assumption immediately assumes that a probability polynomial time (PPT) algorithm that outputs $\mathrm{e}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{sa}}^{\mathrm{q}+1}}\in {\mathbb{G}}_1$ with a non-negligible probability $ϵ$ does not exist.

4. Modeling EV-ABPRE

EV-ABPRE combines two distinct encryption schemes, CP-ABE and IBE, where the private key Generator (PKG) generates and distributes secret keys for both. Given the typical use of a mobile device by the delegatee with limited computational capabilities and storage, data are encrypted using the CP-ABE scheme. Moreover, since the delegatee uses a mobile device, the IBE scheme is employed, which is better suited for such environments with limited computational capabilities and storage space.

The delegator is responsible for encrypting the plaintext using the CP-ABE scheme, followed by uploading the resulting ciphertext to the ciphertext chain-T. Subsequently, the delegator uploads the access policy, ciphertext storage address, and metadata to index chain-I. Once the delegatee successfully authenticates and sends its ID to the delegator, the latter generates the re-encryption key and uploads it to the proxy nodes. Finally, the system returns the verification result to the delegatee.

The ciphertext chain-T stores the ciphertext uploaded by the delegator, and the entire network verifies that the data have been successfully written into the block during storage. However, if the amount of data is large, it can cause a single point of failure, leading to a waste of storage space. To address this issue, SUN et al. [24] proposed a chain structure proposal that has been extended using the chord algorithm. This approach offers improved fault tolerance and scalability by enabling nodes to efficiently locate and retrieve data, even in large-scale decentralized networks.

The proxy nodes play a crucial role in the re-encryption process by retrieving the ciphertext from ciphertext chain-T, re-encrypting it, and then forwarding it to the delegatee. Throughout this entire process, the proxy node has no access to the plaintext, ensuring its confidentiality.

The private key generator (PKG) is responsible for generating both the public key and secret key for the CP-ABE scheme and the IBE scheme.

The access policy, storage address, and metadata information are recorded and stored in the index chain-I.

4.1. Scheme Definition

EV-ABPRE is a cryptographic system composed of two encryption schemes—CP-ABE and IBE—along with the necessary re-encryption algorithms. The EV-ABPRE algorithm is the following:

$\mathrm{Setup}\left(1^{\mathsf{\lambda }}\right)\to \left({\mathrm{PP}}_{\mathrm{CP}},{\mathrm{PP}}_{\mathrm{IBE}},\mathrm{MK}\right)$: The PKG takes as input security parameters λ and executes the $\mathrm{Setup}$ algorithm, which returns public parameters ${\mathrm{PP}}_{\mathrm{CP}}$ and ${\mathrm{PP}}_{\mathrm{IBE}}$ and master key $\mathrm{MK}$.

${\mathrm{KeyGen}}_{\mathrm{IBE}}\left({\mathrm{PP}}_{\mathrm{IBE}},\mathrm{MK},\mathrm{ID}\right)\to \left({\mathrm{SK}}_{\mathrm{ID}}\right)$: The PKG takes as input public parameters ${\mathrm{PP}}_{\mathrm{IBE}}$, master key $\mathrm{MK}$, and the delegatee’s $\mathrm{ID}$ and then executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$ algorithm, which returns the IBE secret key ${\mathrm{SK}}_{\mathrm{ID}}$.

${\mathrm{Encrypt}}_{\mathrm{CP}}\left(\mathrm{m},\left(\mathbb{A},\mathsf{\rho }\right),{\mathrm{PP}}_{\mathrm{CP}}\right)\to \mathrm{CT}$: The delegator takes as input plaintext $\mathrm{m}$, access policy $\left(\mathbb{A},\mathsf{\rho }\right)$ and public parameters ${\mathrm{PP}}_{\mathrm{CP}}$ and then executes the ${\mathrm{Encrypt}}_{\mathrm{CP}}$ algorithm, which returns the ciphertext $\mathrm{CT}$.

${\mathrm{KeyGen}}_{\mathrm{CP}}\left({\mathrm{PP}}_{\mathrm{CP}},\mathrm{MK},\mathrm{S}\right)\to \left({\mathrm{SK}}_{\mathrm{S}}\right)$: The PKG takes as input public parameters ${\mathrm{PP}}_{\mathrm{CP}}$ of CP-ABE, master key MK, and attribute sets $\mathrm{S}$. Then, it executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which returns secret key ${\mathrm{SK}}_{\mathrm{S}}$.

$\mathrm{ReKeyGen}\left({\mathrm{PP}}_{\mathrm{CP}},{\mathrm{SK}}_{\mathrm{S}},\mathrm{ID}\right)\to {\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$: The delegator takes as input public parameters ${\mathrm{PP}}_{\mathrm{CP}}$, ABE secret key ${\mathrm{SK}}_{\mathrm{S}}$, and the delegatee’s $\mathrm{ID}$ and then executes the $\mathrm{ReKeyGen}$ algorithm, which returns re-encryption key ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$.

$\mathrm{ReEncrypt}\left({\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}},\mathrm{CT},{\mathrm{PP}}_{\mathrm{CP}}\right)\to {\mathrm{C}\mathrm{T}}^{\prime }$: The proxy nodes take as input the delegator’s re-encryption key ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$, ciphertext $\mathrm{CT}$ from the ciphertext chain-T, and public parameters ${\mathrm{PP}}_{\mathrm{CP}}$. They then execute the $\mathrm{ReEncrypt}$ algorithm, which returns the re-encrypted ciphertext.

$\mathrm{DecRe}\left({\mathrm{CT}}^{\prime },{\mathrm{SK}}_{\mathrm{ID}}\right)\to \mathrm{m}/\perp$: The delegatee takes as input re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ and their secret key ${\mathrm{SK}}_{\mathrm{ID}}$ and then executes the $\mathrm{DecRe}$ algorithm. If successful, this returns the plaintext. Otherwise, it returns the false symbol ⊥.

$\mathrm{Claim}\left({\mathrm{SK}}_{\mathrm{S}},{\mathrm{CT}}^{\prime }\right)$: The delegator takes as input re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ and secret key ${\mathrm{SK}}_{\mathrm{S}}$ and then verifies whether the semi-trusted proxy nodes re-encrypted the ciphertext honestly. The algorithm returns a Boolean value of true or false depending on the outcome of the verification (Figure 1).

4.2. Scheme Definition

In the EV-ABPRE scheme, because the CP-ABE and IBE schemes are integrated into the entire process, the original ciphertext and re-encrypted ciphertext are defined, respectively.

4.2.1. Semantic Security

Regarding the choice of the security model, we have adopted the selective model, which requires the adversary to submit the challenge policy before the security game [4].

Original ciphertext semantically secure: The scheme is considered semantically secure with respect to the original ciphertext if adversary $\mathcal{A}$ has only a negligible advantage in the game, according to the selective model.

$\mathrm{Init}$: Adversary $\mathcal{A}$ chooses an access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$ and ${\mathrm{ID}}^{\ast }$, of which ${\mathbb{A}}^{\ast }$ is an $\mathrm{l}\times \mathrm{n}$ matrix.

$\mathrm{Setup}$: In this phase, challenger $\mathcal{B}$ executes the algorithm $\mathrm{Setup}$, which returns public parameter $\mathrm{PP}$.

Query Phase 1:

${\mathcal{O}}_{{\mathrm{SK}}_{\mathrm{ID}}}\left({\mathrm{ID}}_{\mathrm{i}}\right)$: The adversary $\mathcal{A}$ submits a query for the IBE key. If ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}^{\ast }$, the challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$ algorithm, which generates and returns IBE secret key ${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$. Otherwise, false symbol $\perp$ is returned.

${\mathcal{O}}_{{\mathrm{SK}}_{\mathrm{S}}}\left({\mathrm{S}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the ABE key. If ${\mathrm{S}}_{\mathrm{i}}\notin {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which generates and returns ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$. Otherwise, false symbol $\perp$ is returned.

${\mathcal{O}}_{\mathrm{RK}}\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption key, and challenger $\mathcal{B}$ executes the $\mathrm{ReKeyGen}$ algorithm, which generates and returns re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$.

${\mathcal{O}}_{\mathrm{re}}\left(\mathrm{CT},{\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption result, and challenger $\mathcal{B}$ executes ${\mathrm{KeyGen}}_{\mathrm{IBE}}$, $\mathrm{ReKeyGen}$ and $\mathrm{ReEncrypt}$ algorithms, which generate and return re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ to adversary $\mathcal{A}$.

Challenge Phase:

Adversary $\mathcal{A}$ submits the access policy $({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }$) and two plaintexts ${\mathrm{m}}_0 {\mathrm{and} \mathrm{m}}_1$ of equal length to challenger $\mathcal{B}$. Challenger $\mathcal{B}$ selects a plaintext randomly and then executes the ${\mathrm{Encrypt}}_{\mathrm{CP}}\left({\mathrm{m}}_{\mathsf{\sigma }},\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right),{\mathrm{PP}}_{\mathrm{CP}}\right)$ algorithm, which returns ciphertext $\mathrm{CT}$ to adversary $\mathcal{A}$.

Query Phase 2:

Phase 1 queries are repeated while removing any queries that are not allowed.

Guess Phase:

Adversary $\mathcal{A}$ outputs its guess ${\mathsf{\sigma }}^{\prime }\in \left\{0,1\right\}$, and the advantage of an adversary, $\mathcal{A}$, relative to winning the game is defined as follows.

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Sem}-\mathrm{Or}}=\left|\mathrm{Pr}\left[\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }\right]-\frac{1}{2}\right|$$

(1)

If adversary $\mathcal{A}$ has a negligible advantage in the following game, then the scheme’s original ciphertext is semantically secure under the selective model.

The re-encrypted ciphertext is semantically secure: The scheme is considered semantically secure with respect to the re-encrypted ciphertext if adversary $\mathcal{A}$ only has a negligible advantage in the game, according to the selective model.

$\mathrm{Init}$: Adversary $\mathcal{A}$ chooses an access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$ and ${\mathrm{ID}}^{\ast }$, of which ${\mathbb{A}}^{\ast }$ is an $\mathrm{l}\times \mathrm{n}$ matrix.

$\mathrm{Setup}$: In this phase, challenger $\mathcal{B}$ executes the algorithm $\mathrm{Setup}$, which returns public parameter $\mathrm{PP}$.

Query Phase 1:

${\mathcal{O}}_{{\mathrm{SK}}_{\mathrm{ID}}}{\mathrm{ID}}_{\mathrm{i}}$: Adversary $\mathcal{A}$ submits a query for the IBE key. If ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}^{\ast }$, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$ algorithm, which generates and returns the IBE secret key ${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$. Otherwise, false symbol $\perp$ is returned.

${\mathcal{O}}_{{\mathrm{SK}}_{\mathrm{S}}}\left({\mathrm{S}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the ABE key. If ${\mathrm{S}}_{\mathrm{i}}\notin {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which generates and returns the ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$. Otherwise, false symbol $\perp$ is returned.

${\mathcal{O}}_{\mathrm{RK}}\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption key. If ${\mathrm{S}}_{\mathrm{i}}\in {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ generates re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ randomly. Otherwise, $\mathcal{B}$ executes the $\mathrm{ReKeyGen}$ algorithm, which generates and returns the re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$.

Challenge Phase:

Adversary $\mathcal{A}$ submits identity ${\mathrm{ID}}^{\ast }$, access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$, and two plaintexts ${\mathrm{m}}_0 {\mathrm{and} \mathrm{m}}_1$ of equal length to challenger $\mathcal{B}$. Next, $\mathcal{A}$ executes the $\mathrm{ReKeyGen}$ algorithm to obtain the re-encrypted ciphertext. Challenger $\mathcal{B}$ then randomly selects a plaintext and executes the ${\mathrm{Encrypt}}_{\mathrm{CP}}\left({\mathrm{m}}_{\mathsf{\sigma }},\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right),{\mathrm{PP}}_{\mathrm{CP}}\right)$ algorithm to obtain ciphertext $\mathrm{CT}$, followed by the $\mathrm{ReEncrypt}\left({\mathrm{rk}}_{{\mathrm{S}}^{\ast }\to {\mathrm{ID}}^{\ast }},\mathrm{CT},\mathrm{PP}\right)$ algorithm, which returns re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ to $\mathcal{A}$.

Query Phase 2:

Phase 1 queries are repeated while removing any queries that are not allowed.

Guess Phase:

Adversary $\mathcal{A}$ outputs a guess, ${\mathsf{\sigma }}^{\prime }\in \left\{0,1\right\}$, and adversary $\mathcal{A}$ wins the game if $\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }$.

The advantage of adversary $\mathcal{A}$ in winning the game is defined as

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Sem}-\mathrm{Re}}=\left|\mathrm{Pr}\left[\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }\right]-\frac{1}{2}\right|$$

(2)

Definition 2. 

The EV-ABPRE scheme is CPA-secure under the selective model if all PPT adversaries, their advantage$Ad{v}_{\mathcal{A}}^{Sem-Re}$ and$Ad{v}_{\mathcal{A}}^{Sem-Or}$ are negligible.

4.2.2. Verifiability

$\mathrm{Init}$: Adversary $\mathcal{A}$ chooses an access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$ and ${\mathrm{ID}}^{\ast }$, of which ${\mathbb{A}}^{\ast }$ is an $\mathrm{l}\times \mathrm{n}$ matrix.

$\mathrm{Setup}:$ In this phase, challenger $\mathcal{B}$ executes the algorithm $\mathrm{Setup}$, which returns public parameter $\mathrm{PP}$.

Query phase 1:

${\mathcal{O}}_{{\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}}\left({\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the IBE key. If ${\mathrm{ID}}_{\mathrm{i}}\ne {\mathrm{ID}}^{\ast }$, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$ algorithm, which generates and returns the IBE secret key ${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$. Otherwise, false symbol $\perp$ is returned.

${\mathcal{O}}_{\mathrm{RK}}\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption key. If ${\mathrm{S}}_{\mathrm{i}}\in {\mathbb{A}}^{\ast }$, it generates re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ randomly. Otherwise, challenger $\mathcal{B}$ executes the $\mathrm{ReKeyGen}$ algorithm, which generates and returns the re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$.

${\mathcal{O}}_{\mathrm{Claim}}\left({\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}},{\mathrm{CT}}^{\prime }\right)$: Adversary $\mathcal{A}$ submits a query for the re-encrypted ciphertext verification, and challenger $\mathcal{B}$ returns the verification result.

Challenge phase:

Adversary $\mathcal{A}$ submits access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$ and plaintext ${\mathrm{m}}^{\ast }$ to challenger $\mathcal{B}$. Challenger $\mathcal{B}$ executes ${\mathrm{Encrypt}}_{\mathrm{CP}}\left({\mathrm{m}}^{\ast },\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right),\mathrm{PP}\right)\to \mathrm{CT}$ and then returns ciphertext $\mathrm{CT} \mathrm{to}$ adversary $\mathcal{A}$.

Query Phase 2:

Phase 1 queries are repeated while removing any queries that are not allowed.

Guess phase:

Adversary $\mathcal{A}$ outputs attribute set ${\mathrm{S}}^{\ast },{\mathrm{S}}^{\ast }\in {\mathbb{A}}^{\ast }$, and re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ if$\mathrm{DecRe}\left({\mathrm{CT}}^{\ast \prime },{\mathrm{SK}}_{{\mathrm{S}}^{\ast }}\right)\ne {\mathrm{m}}^{\ast }$.

The advantage of adversary $\mathcal{A}$ in winning the game is defined as

$${\mathrm{Adv}}_{\mathcal{A}}^{Ver}=|\mathrm{Pr}\left[\mathrm{A} \mathrm{wins}|\mathrm{Ver}\right]$$

(3)

Definition 3. 

The EV-ABPRE scheme is verifiable under the selective model if all PPT adversaries’ advantage$Ad{v}_{\mathcal{A}}^{Ver}$ is negligible.

5. Our Construction

5.1. The EV-ABPRE Construction

$\mathrm{Setup}\left(1^{\mathsf{\lambda }}\right)\to \left({\mathrm{PP}}_{\mathrm{CP}},{\mathrm{PP}}_{\mathrm{IBE}},\mathrm{MK}\right)$: The PKG generates a bilinear pairing tuple ${\mathrm{PP}}_{\mathrm{CP}}\left(\mathrm{p},\mathrm{g},{\mathbb{G}}_1,{\mathbb{G}}_{\mathrm{T}},\mathrm{e}\right)$ and then randomly selects element $\mathsf{\alpha },\mathsf{\beta }\in {\mathbb{Z}}_{\mathrm{p}},\mathrm{u},\mathrm{h},\mathrm{w},\mathrm{v},\mathrm{f}\in {\mathbb{G}}_1$, selecting encoding function $\mathrm{F}:{\mathbb{G}}_{\mathrm{T}}\to {\mathbb{G}}_1$. ${\mathrm{PP}}_{\mathrm{CP}}=\left\{\mathrm{g},\mathrm{u},\mathrm{h},\mathrm{w},\mathrm{v},\mathrm{f},\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }},\mathrm{F}\right\},{\mathrm{PP}}_{\mathrm{IBE}}=\{\mathrm{u},\mathrm{h},\mathrm{g},\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }},\mathrm{F}$} and the master key $\mathrm{MK}=\left\{\mathsf{\alpha }\right\}$.

${\mathrm{KeyGen}}_{\mathrm{IBE}}\left({\mathrm{PP}}_{\mathrm{IBE}},\mathrm{MK},\mathrm{ID}\right)\to \left({\mathrm{SK}}_{\mathrm{ID}}\right)$: PKG selects random numbers $\mathrm{r}\in {\mathbb{Z}}_{\mathrm{p}}$ and outputs ${\mathrm{SK}}_{\mathrm{ID}}=\left({\mathrm{g}}^{\mathsf{\alpha }}{\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{\mathrm{r}},{\mathrm{g}}^{\mathrm{r}}\right)$.

${\mathrm{Encrypt}}_{\mathrm{CP}}\left(\mathrm{m},\left(\mathbb{A},\mathsf{\rho }\right),{\mathrm{PP}}_{\mathrm{CP}}\right)\to \mathrm{CT}$: The delegator encrypts plaintext $\mathrm{m}$ with LSSS access policy $\left(\mathbb{A},\mathsf{\rho }\right)$, of which $\mathbb{A}$ is an $\mathrm{l}\times \mathrm{n}$ matrix and $\mathsf{\rho }$ is an injective function that maps the $\mathrm{i}$th row of $\mathbb{A}$ to an attribute set $\mathrm{T}=\left({\mathrm{t}}_{\mathsf{\rho }\left(1\right)},{\mathrm{t}}_{\mathsf{\rho }\left(2\right)},\dots ,{\mathrm{t}}_{\mathsf{\rho }\left(\mathrm{l}\right)}\right)$. Choosing a random vector $\overrightarrow{\mathrm{v}}=\left(\mathrm{s},\widetilde{{\mathrm{r}}_2},\dots ,\widetilde{{\mathrm{r}}_{\mathrm{n}}}\right)\in {\mathbb{Z}}_{\mathrm{p}}$, $\mathrm{s}$ is the secret to be shared. For each row of $\mathbb{A},$ ${\mathsf{\lambda }}_{\mathrm{i}}={\mathrm{A}}_{\mathrm{i}}\overrightarrow{\mathrm{v}}$ is computed. Elements $\mathrm{k},{\mathrm{y}}_2,\dots ,{\mathrm{y}}_{\mathrm{l}},{\mathrm{z}}_{\mathrm{i}}\left(\mathrm{i}\in \mathrm{S}\right)\in {\mathbb{Z}}_{\mathrm{p}}$ are selected randomly. Then, $\mathrm{C}=\mathrm{m}·\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\mathrm{s}},{\mathrm{C}}_0={\mathrm{g}}^{\mathrm{s}},{\mathrm{C}}_{\mathrm{i},1}={\mathrm{w}}^{{\mathsf{\lambda }}_{\mathrm{i}}}{\mathrm{v}}^{{\mathrm{y}}_{\mathrm{i}}},{\mathrm{C}}_{\mathrm{i},2}={\mathrm{u}}^{{\mathrm{t}}_{\mathsf{\rho }\left(\mathrm{i}\right)}},{\mathrm{C}}_{\mathrm{i},3}={\mathrm{g}}^{{\mathrm{y}}_{\mathrm{i}}},{\mathrm{C}}_{\mathrm{i},4}={\mathrm{g}}^{{\mathrm{z}}_{\mathsf{\rho }\left(\mathrm{i}\right)}},{\mathrm{C}}_5={\mathrm{f}}^{\mathrm{s}},\mathrm{CT}=\left(\mathrm{C},{\mathrm{C}}_0,{\left\{{\mathrm{C}}_{\mathrm{i},1},{\mathrm{C}}_{\mathrm{i},2},{\mathrm{C}}_{\mathrm{i},3},{\mathrm{C}}_{\mathrm{i},4}\right\}}_{i=1}^l,{\mathrm{C}}_5\right)$ is computed.

${\mathrm{KeyGen}}_{\mathrm{CP}}\left({\mathrm{PP}}_{\mathrm{CP}},\mathrm{MK},\mathrm{S}\right)\to \left({\mathrm{SK}}_{\mathrm{S}}\right)$: PKG takes as input public parameters ${\mathrm{PP}}_{\mathrm{CP}}$, master key $\mathrm{MK}$, and attribute set $\mathrm{S}=\left({\mathrm{att}}_1,{\mathrm{att}}_2,\dots {\mathrm{att}}_{\left|\mathrm{S}\right|}\right)$; PKG randomly selects ${\mathrm{r}}_1,{\mathrm{r}}_2,\dots ,{\mathrm{r}}_{\left|\mathrm{S}\right|}\in {\mathbb{Z}}_{\mathrm{p}},{\mathrm{r}}^{\prime }={\mathrm{r}}_1+{\mathrm{r}}_2+\dots +{\mathrm{r}}_{\left|\mathrm{S}\right|} \in {\mathbb{Z}}_{\mathrm{p}}$ and computes

$${\mathrm{K}}_0={\mathrm{g}}^{\mathsf{\alpha }}{\mathrm{w}}^{{\mathrm{r}}^{\prime }},{\mathrm{K}}_1={\mathrm{g}}^{{\mathrm{r}}^{\prime }},{\mathrm{K}}_{\mathrm{i},2}={\mathrm{g}}^{{\mathrm{r}}_{\mathrm{i}}},{\mathrm{K}}_{\mathrm{i},3}={\mathrm{u}}^{{\mathrm{att}}_{\mathrm{i}}}{\mathrm{v}}^{-{\mathrm{r}}^{\prime }},{\mathrm{K}}_{\mathrm{j},4}={\mathrm{g}}^{\frac{{\mathsf{\lambda }}_{\mathrm{i}}}{{\mathrm{z}}_{\mathsf{\rho }\left(\mathrm{i}\right)}}}$$

$${\mathrm{SK}}_{\mathrm{S}}=\left({\mathrm{K}}_0,{\mathrm{K}}_1,{\left\{{\mathrm{K}}_{\mathrm{i},2}{\mathrm{K}}_{\mathrm{i},3}\right\}}_{i=1}^{\left|S\right|},{\left\{{\mathrm{K}}_{\mathrm{j},4}\right\}}_{j=1}^l\right)$$

$\mathrm{ReKeyGen}\left({\mathrm{PP}}_{\mathrm{CP}},{\mathrm{SK}}_{\mathrm{S}},\mathrm{ID}\right)\to {\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$: The delegator takes as input ${\mathrm{PP}}_{\mathrm{CP}},{\mathrm{SK}}_{\mathrm{S}}=\left({\mathrm{K}}_0,{\mathrm{K}}_1,{\left\{{\mathrm{K}}_{\mathrm{i},2}{\mathrm{K}}_{\mathrm{i},3}\right\}}_{i=1}^{\left|S\right|},{\left\{{\mathrm{K}}_{\mathrm{j},4}\right\}}_{j=1}^l\right)$,$\mathrm{ID}$, and the delegator selects a random number, $\widetilde{\mathrm{r},} \tilde{\mathrm{t}} \in {\mathbb{Z}}_{\mathrm{p}}$. Then, it computes

$${\mathrm{rk}}_{\mathrm{o}}={\mathrm{K}}_0{\mathrm{f}}^{ \tilde{\mathrm{r}}},{\mathrm{rk}}_1={\mathrm{K}}_1,{\mathrm{rk}}_{\mathrm{i},2}={\mathrm{K}}_{\mathrm{i},2},{\mathrm{rk}}_{\mathrm{i},3}={\mathrm{K}}_{\mathrm{i},3},{\mathrm{rk}}_4=\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha } \tilde{\mathrm{t}}}\right){\mathrm{g}}^{ \tilde{\mathrm{r}}},{\mathrm{rk}}_5={\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{ \tilde{\mathrm{t}}},{\mathrm{rk}}_6={\mathrm{g}}^{ \tilde{\mathrm{t}}}$$

$${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}=\left({\mathrm{rk}}_{\mathrm{o}},{\mathrm{rk}}_1,{\left\{{\mathrm{rk}}_{\mathrm{i},2},{\mathrm{rk}}_{\mathrm{i},3}\right\}}_{i=1}^{\left|S\right|},{\mathrm{rk}}_4,{\mathrm{rk}}_5,{\mathrm{rk}}_6\right)$$

$\mathrm{ReEncrypt}\left({\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}},\mathrm{CT},{\mathrm{PP}}_{\mathrm{CP}}\right)\to {\mathrm{CT}}^{\prime }$: The proxy nodes takes as input ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}=\left({\mathrm{rk}}_{\mathrm{o}},{\mathrm{rk}}_1,{\left\{{\mathrm{rk}}_{\mathrm{i},2},{\mathrm{rk}}_{\mathrm{i},3}\right\}}_{i=1}^{\left|S\right|},{\mathrm{rk}}_4,{\mathrm{rk}}_5,{\mathrm{rk}}_6\right)$, $\mathrm{CT}=\left(\mathrm{C},{\mathrm{C}}_0,{\left\{{\mathrm{C}}_{\mathrm{i},1},{\mathrm{C}}_{\mathrm{i},2},{\mathrm{C}}_{\mathrm{i},3},{\mathrm{C}}_{\mathrm{i},4}\right\}}_{i=1}^l,{\mathrm{C}}_5\right)$. If the ciphertext $\mathrm{CT}$ and access policy $\left(\mathbb{A},\mathsf{\rho }\right)$ is associated and attribute set $\mathrm{S}$ satisfies $\mathbb{A}$, then $\mathrm{I}=\left\{\mathrm{i}:\mathsf{\rho }\left(\mathrm{i}\right)\in \mathrm{S}\right\}$ and ${\left\{{\mathsf{\omega }}_{\mathrm{i}}\in {\mathbb{Z}}_{\mathrm{p}}\right\}}_{\mathrm{i}\in \mathrm{I}}$ exists, resulting in ${\displaystyle \sum }_{\mathrm{i}\in \mathrm{l}}{\mathsf{\omega }}_{\mathrm{i}}{\mathrm{A}}_{\mathrm{i}}=\left(1,0,\dots ,0\right)$; thus, the proxy nodes computes

$$\mathrm{B}=\frac{\mathrm{e}\left({\mathrm{C}}_0,{\mathrm{rk}}_0\right)}{{{\displaystyle \prod }}_{\mathrm{i}\in \mathrm{I}}{\left(\mathrm{e}\left({\mathrm{C}}_{\mathrm{i},1},{\mathrm{rk}}_1\right)·\mathrm{e}\left({\mathrm{C}}_{\mathrm{i},2},{\mathrm{rk}}_2\right)·\mathrm{e}\left({\mathrm{C}}_{\mathrm{i},3},{\mathrm{rk}}_{\mathrm{j},3}\right)\right)}^{{\mathsf{\omega }}_{\mathrm{i}}}}$$

(4)

$$\begin{gathered} {\mathrm{C}}^{\prime }=\mathrm{C}/\mathrm{B},{\mathrm{C}}_0^{\prime }={\mathrm{rk}}_4,{\mathrm{C}}_1^{\prime }={\mathrm{rk}}_5,{\mathrm{C}}_2^{\prime }={\mathrm{rk}}_6,{\mathrm{C}}_3^{\prime }={\mathrm{C}}_5,{\mathrm{C}}_{\mathrm{i},4}^{\prime }={\mathrm{C}}_{\mathrm{i},4},{\mathrm{C}\mathrm{T}}^{\prime }= \\ \left({\mathrm{C}}^{\prime },{\mathrm{C}}_0^{\prime },{\mathrm{C}}_1^{\prime },{\mathrm{C}}_2^{\prime },{\mathrm{C}}_3^{\prime },{\left\{C_{i,4}^{\prime }\right\}}_{i=1}^l\right) \end{gathered}$$

$\mathrm{DecRe}\left({\mathrm{CT}}^{\prime },{\mathrm{SK}}_{\mathrm{ID}}\right)\to \mathrm{m}$: The delegatee takes as input

$\mathrm{C}\mathrm{T}\prime =\left({\mathrm{C}}^{\prime },{\mathrm{C}}_0^{\prime },{\mathrm{C}}_1^{\prime },{\mathrm{C}}_2^{\prime },{\mathrm{C}}_3^{\prime },{\left\{{\mathrm{C}}_{\mathrm{i},4}^{\prime }\right\}}_{\mathrm{i}=1}^{\mathrm{l}}\right),{ \mathrm{SK}}_{\mathrm{ID}}=\left({\mathrm{g}}^{\mathsf{\alpha }}{\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{\mathrm{r}},{\mathrm{g}}^{\mathrm{r}}\right)$ and then calculates

$$\frac{\mathrm{e}\left({\mathrm{K}}_{\mathrm{ID},0},{\mathrm{C}}_2^{\prime }\right)}{\mathrm{e}\left({\mathrm{K}}_{\mathrm{ID},1},{\mathrm{C}}_1^{\prime }\right)}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha } \tilde{\mathrm{t}}}$$

(5)

$${\mathrm{g}}^{ \tilde{\mathrm{t}}}=\frac{{\mathrm{C}}_0^{\prime }}{\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha } \tilde{\mathrm{t}}}\right)}$$

(6)

$$\mathrm{m}={\mathrm{C}}^{\prime }·\mathrm{e}\left({\mathrm{g}}^{ \tilde{\mathrm{t}}},{\mathrm{C}}_3^{\prime }\right)$$

(7)

$\mathrm{Claim}\left({\mathrm{SK}}_{\mathrm{S}},{\mathrm{CT}}^{\prime }\right)$: The delegator inputs ${\mathrm{SK}}_{\mathrm{S}}=\left({\mathrm{K}}_0,{\mathrm{K}}_1,{\left\{{\mathrm{K}}_{\mathrm{i},2}{\mathrm{K}}_{\mathrm{i},3}\right\}}_{i=1}^{\left|S\right|},{\left\{{\mathrm{K}}_{\mathrm{j},4}\right\}}_{j=1}^l\right)$,

${\mathrm{C}\mathrm{T}}^{\prime }=\left({\mathrm{C}}^{\prime },{\mathrm{C}}_0^{\prime },{\mathrm{C}}_1^{\prime },{\mathrm{C}}_2^{\prime },{\mathrm{C}}_3^{\prime },{\left\{C_{i,4}^{\prime }\right\}}_{i=1}^l\right)$.

We verify whether $\mathrm{e}\left({\mathrm{K}}_{\mathrm{j},4},{\mathrm{C}}_{\mathrm{i},4}^{\prime }\right)$ is equal to $\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathsf{\lambda }}_{\mathrm{i}}}$. If it is equal to it, true is returned; otherwise, false is returned.

${\mathrm{A}}_{\mathrm{i}}$ is the $\mathrm{i}$ row of matrix $\mathrm{A}$, ${\mathrm{A}}_{\mathrm{i}}=\left({\mathrm{a}}_{\mathrm{i},1},{\mathrm{a}}_{\mathrm{i},2},\dots ,{\mathrm{a}}_{\mathrm{i},\mathrm{n}}\right)$.

$$\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathsf{\lambda }}_{\mathrm{i}}}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{A}}_{\mathrm{i}}\overrightarrow{\mathrm{v}}}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{a}}_{\mathrm{i},1}\mathrm{s}+{\mathrm{a}}_{\mathrm{i},2}{\mathrm{r}}_2+\dots +{\mathrm{a}}_{\mathrm{i},\mathrm{n}}{\mathrm{r}}_{\mathrm{n}}}={\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{s}}\right)}^{{\mathrm{a}}_{\mathrm{i},1}}{{\displaystyle \prod }}_{\mathrm{k}=2}^{\mathrm{n}}{\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{r}}_{\mathrm{k}}}\right)}^{{\mathrm{a}}_{\mathrm{i},\mathrm{k}}}$$

5.2. Correctness

Compute the correctness of the re-encrypted ciphertext if attribute set $\mathrm{S}$ of re-encryption key ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$ satisfies access policy $\left(\mathbb{A},\mathsf{\rho }\right)$; the following is computed.

$$\begin{array}{cc}\hfill B& =\frac{\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{g}}^{\mathsf{\alpha }}{\mathrm{w}}^{{\mathrm{r}}^{\prime }}{\mathrm{f}}^{\tilde{\mathrm{r}}}\right)}{{{\displaystyle \prod }}_{\mathrm{i}\in \mathrm{I}}{\left(\mathrm{e}\left({\mathrm{w}}^{{\mathsf{\lambda }}_{\mathrm{i}}}{\mathrm{v}}^{{\mathrm{y}}_{\mathrm{i}}},{\mathrm{g}}^{{\mathrm{r}}^{\prime }}\right)·\mathrm{e}\left({\mathrm{u}}^{{\mathrm{t}}_{\mathsf{\rho }\left(\mathrm{i}\right)}},{\mathrm{g}}^{{\mathrm{r}}_{\mathrm{i}}}\right)·\mathrm{e}\left({\mathrm{g}}^{{\mathrm{y}}_{\mathrm{i}}},{\mathrm{u}}^{{\mathrm{t}}_{\mathsf{\rho }\left(\mathrm{i}\right)}}{\mathrm{v}}^{-{\mathrm{r}}^{\prime }}\right)\right)}^{{\mathsf{\omega }}_{\mathrm{i}}}}\hfill \\ & =\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{g}}^{\mathsf{\alpha }}\right)\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{w}}^{{\mathrm{r}}^{\prime }}\right)/\mathrm{e}{\left(\mathrm{w},\mathrm{g}\right)}^{\mathrm{r}{{\displaystyle \sum }}_{\mathrm{i}\in \mathrm{I}}{\mathsf{\omega }}_{\mathrm{i}}{\mathsf{\lambda }}_{\mathrm{i}}}\\ & =\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\mathrm{s}}\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{f}}^{\tilde{\mathrm{r}}}\right)\end{array}$$

(8)

$${\mathrm{C}}^{\prime }=\frac{\mathrm{m}}{\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{f}}^{\tilde{\mathrm{r}}}\right)}= \mathrm{m}·\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\mathrm{s}}/(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\mathrm{s}}\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{f}}^{\tilde{\mathrm{r}}}\right))=\mathrm{m}/\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{f}}^{\tilde{\mathrm{r}}}\right)$$

(9)

$$\frac{\mathrm{e}\left({\mathrm{K}}_{\mathrm{ID},0},{\mathrm{C}}_2^{\prime }\right)}{\mathrm{e}\left({\mathrm{K}}_{\mathrm{ID},1},{\mathrm{C}}_1^{\prime }\right)}=\frac{\mathrm{e}\left({\mathrm{g}}^{\mathsf{\alpha }}{\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{\mathrm{r}},{\mathrm{g}}^{\tilde{\mathrm{t}}}\right)}{\mathrm{e}\left({\mathrm{g}}^{\mathrm{r}},{\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{\tilde{\mathrm{t}}}\right)}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\tilde{\mathrm{t}}}$$

(10)

$$\frac{{\mathrm{C}}_0^{\prime }}{\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\tilde{\mathrm{t}}}\right)}=\frac{\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\tilde{\mathrm{t}}}\right){\mathrm{g}}^{\tilde{\mathrm{r}}}}{\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\tilde{\mathrm{t}}}\right)}={\mathrm{g}}^{\tilde{\mathrm{r}}}$$

(11)

$$\mathrm{m}={\mathrm{C}}^{\prime }·\mathrm{e}\left({\mathrm{g}}^{\tilde{\mathrm{t}}},{\mathrm{C}}_3^{\prime }\right)=\frac{\mathrm{m}}{\mathrm{e}\left({\mathrm{g}}^{\mathrm{s}},{\mathrm{f}}^{\tilde{\mathrm{r}}}\right)} \mathrm{e}\left({\mathrm{g}}^{\tilde{\mathrm{t}}},{\mathrm{f}}^{\mathrm{s}}\right)$$

(12)

5.3. Semantic Security

Theorem 1. 

EV-ABPRE is semantically secure under the q-parallel BDHE assumption.

Proof. 

Suppose there is a PPT adversary, $\mathcal{A}$, that has a non-negligible advantage, ɛ, in breaking the original ciphertext semantic security of the EV-ABPRE scheme. In this case, we can construct simulator $\mathcal{B}$, which can solve the q-parallel BDHE assumption with the same advantage, ɛ. Specifically, $\mathcal{B}$ generates a q-parallel instance $\left(\overrightarrow{\mathrm{v}},\mathrm{T}\right)$ with the goal of determining whether T is equal to $\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{s} \mathsf{\beta }}^{\mathrm{q}+1}}$ or whether it is randomly selected from ${\mathbb{G}}_{\mathrm{T}}$. □

Lemma 1. 

EV-ABPRE is originally ciphertext secure under the q-parallel BDHE assumption.

Query Phase 1:

$\mathrm{Init}$: Adversary $\mathcal{A}$ outputs access policy $({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }$) and ${\mathrm{ID}}^{\ast }$, of which ${\mathbb{A}}^{\ast }$ is an $\mathrm{l}\times \mathrm{n}$ matrix, and challenger $\mathcal{B}$ creates three forms that are initially empty ${\mathcal{L}}_{\mathrm{RK}}$ = $({\mathrm{S}}_{\mathrm{i}}$,${\mathrm{ID}}_{\mathrm{i}}$,${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}),{\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{ID}}}$=$({\mathrm{ID}}_{\mathrm{i}}$,${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}})$, and ${\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{S}}}$ = (${\mathrm{S}}_{\mathrm{i}}$,${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$).

$\mathrm{Setup}:$ Challenger $\mathcal{B}$ randomly selects $\mathrm{n}\in {\mathbb{Z}}_{\mathrm{p}}$ and sets $\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{n}}\mathrm{e}\left({\mathrm{g}}^{\mathsf{\beta }},{\mathrm{g}}^{{\mathsf{\beta }}^{\mathrm{q}}}\right)$, so we are aware that $\mathsf{\alpha }=\mathrm{n}+{\mathsf{\beta }}^{\mathrm{q}+1}$; it then sets $\mathrm{PP}=\left\{\mathrm{g},\mathrm{u},\mathrm{h},\mathrm{w},\mathrm{v},\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }}\right\}$. Then, element $\mathsf{\gamma }$is randomly selected, and $\mathrm{f}={\mathrm{g}}^{\mathsf{\gamma }}$ is computed. Encoding function $\mathrm{F}:{\mathbb{G}}_{\mathrm{T}}\to {\mathbb{G}}_1$ is selected. Finally, public parameter $\mathrm{PP}=\left(\mathrm{g},\mathrm{u},\mathrm{h},\mathrm{w},\mathrm{f},\mathrm{v},\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }},\mathrm{F}\right)$ is returned.

${\mathcal{O}}_{{\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}}\left({\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the IBE key. If ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}^{\ast }$, challenger $\mathcal{B}$ returns false symbol $\perp$ to adversary $\mathcal{A}$. Otherwise, $\mathcal{B}$ selects a vector $\overrightarrow{\mathsf{\theta }}=\left({\mathsf{\theta }}_1,{\mathsf{\theta }}_2,\dots ,{\mathsf{\theta }}_{\mathrm{n}}\right)$, of which ${\mathsf{\theta }}_1$=−1 and for all i where ${\mathsf{\rho }}^{\ast }\left(\mathrm{i}\right)\in \mathrm{S}$, we know $\overrightarrow{\mathsf{\theta }}$·${\mathbb{A}}_{\mathrm{i}}^{\ast }=0$; then, the following is computed.

$${\mathrm{K}}_{\mathrm{ID},1}={\mathrm{g}}^{{\mathrm{r}}^{\prime }}{\displaystyle \prod }_{\mathrm{i}=1}^{{\mathrm{n}}^{\ast }}{\left({\mathrm{g}}^{{\mathsf{\beta }}^{\mathrm{q}+1-\mathrm{i}}}\right)}^{{\mathsf{\theta }}_{\mathrm{i}}}\triangleq {\mathrm{g}}^{\mathrm{r}}$$

(13)

From the above, $\mathrm{r}={\mathrm{r}}^{\prime }+{\displaystyle \sum }_{\mathrm{i}=1}^{{\mathrm{n}}^{\ast }}{\mathsf{\theta }}_{\mathrm{i}}·{\mathsf{\beta }}^{\mathrm{q}+1-\mathrm{i}}$.

In that case,

$$\begin{gathered} { \mathrm{K}}_{\mathrm{ID},0}={\mathrm{g}}^{\mathsf{\alpha }}{\left({\mathrm{u}}^{{\mathrm{ID}}_{\mathrm{i}}}\mathrm{h}\right)}^{\mathrm{r}}={\mathrm{g}}^{{\mathsf{\beta }}^{\mathrm{q}+1}+\mathrm{n}}·{\left({\mathrm{u}}^{{\mathrm{ID}}_{\mathrm{i}}}\mathrm{h}\right)}^{{\mathrm{r}}^{\prime }+{\displaystyle \sum }_{\mathrm{i}=1}^{{\mathrm{n}}^{\ast }}{\mathsf{\theta }}_{\mathrm{i}}{\mathsf{\beta }}^{\mathrm{q}+1-\mathrm{i}}} \\ ={\mathrm{g}}^{\mathrm{m}}{\left({\mathrm{u}}^{{\mathrm{ID}}_{\mathrm{i}}}\mathrm{h}\right)}^{{\mathrm{r}}^{\prime }}{\displaystyle \prod }_{\mathrm{i}=2}^{{\mathrm{n}}^{\ast }}{\left({\mathrm{g}}^{{\mathsf{\beta }}^{\mathrm{q}+1-\mathrm{i}}}\right)}^{{\mathsf{\theta }}_{\mathrm{i}}} \end{gathered}$$

(14)

This returns ${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$ and stores it in form ${\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{ID}}}$.

${\mathcal{O}}_{{\mathrm{SK}}_{\mathrm{S}}}\left({\mathrm{S}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the ABE key. If ${\mathrm{S}}_{\mathrm{i}}\in {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ returns false symbol ⊥ to the adversary. Otherwise, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which generates and returns the ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$ and stores it in form ${\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{S}}}$.

${\mathcal{O}}_{\mathrm{RK}}\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption key. If $\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$ already exists in form ${\mathcal{L}}_{\mathrm{RK}}$, challenger $\mathcal{B}$ returns ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$ to adversary $\mathcal{A}$. Otherwise, $\mathcal{B}$ first executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which generates a CP-ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$. Then, $\mathcal{B}$ executes the $\mathrm{ReKeyGen}$ algorithm, which generates and returns re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$ and stores it in ${\mathcal{L}}_{\mathrm{RK}}$.

${\mathcal{O}}_{\mathrm{re}}\left(\mathrm{CT},{\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption result, challenger $\mathcal{B}$ will run algorithms ${\mathrm{KeyGen}}_{\mathrm{IBE}}$, $\mathrm{ReKeyGen}$ and $\mathrm{ReEncrypt}$. the challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$, $\mathrm{ReKeyGen}$ and $\mathrm{ReEncrypt}$ algorithm, which generates and returns the re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ to the adversary $\mathcal{A}$.

Challenge phase:

Adversary $\mathcal{A}$ submits access policy $({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }$) and two plaintexts ${\mathrm{m}}_0{ \mathrm{and} \mathrm{m}}_1$ of equal length to challenger $\mathcal{B}$. Challenger $\mathcal{B}$ then randomly selects a plaintext and executes the ${ \mathrm{Encrypt}}_{\mathrm{CP}}\left({\mathrm{m}}_{\mathsf{\sigma }},\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right),\mathrm{PP}\right)$ algorithm to obtain ciphertext $\mathrm{CT}$. Definition $\mathrm{X}=\left\{\mathrm{i}:\mathsf{\rho }\left(\mathrm{i}\right)=\mathrm{x}\right\}$ is as follows.

$${\mathrm{u}}^{{\mathrm{t}}_{\mathsf{\rho }\left(\mathrm{x}\right)}}={\mathrm{g}}^{{\mathrm{t}}_{\mathrm{x}}}{\displaystyle \prod }_{\mathrm{i}\in \mathrm{X}}{\mathrm{g}}^{{\mathsf{\beta }\mathrm{A}}_{\mathrm{i},1}^{\ast }}{\mathrm{g}}^{{\mathsf{\beta }}^2{\mathrm{A}}_{\mathrm{i},2}^{\ast }}\dots \dots {\mathrm{g}}^{{\mathsf{\beta }}^{{\mathrm{n}}^{\ast }}{\mathrm{A}}_{\mathrm{i},\mathrm{n}}^{\ast }}$$

(15)

$$\mathrm{C}={\mathrm{m}}_{\mathsf{\sigma }}\mathrm{Te}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{ns}},{ \mathrm{C}}_0={\mathrm{g}}^{\mathrm{s}}$$

$${\mathrm{C}}_{\mathrm{i},1}={\mathrm{w}}^{{\mathsf{\lambda }}_{\mathrm{i}}}{\mathrm{v}}^{{\mathrm{y}}_{\mathrm{i}}}={\displaystyle \prod }_{\mathrm{j}=1}^{{\mathrm{l}}^{\ast }}{\mathrm{v}}^{{\mathrm{y}}_{\mathrm{j}}}{\displaystyle \prod }_{\mathrm{i}=2}^{{\mathrm{n}}^{\ast }}{\mathrm{w}}^{\widetilde{{\mathrm{r}}_{\mathrm{i}}}{\mathrm{A}}_{\mathrm{j},\mathrm{i}}^{\ast }}$$

(16)

$${ \mathrm{C}}_{\mathrm{i},2}={\left({\mathrm{u}}^{{\mathrm{t}}_{\mathsf{\rho }\left(\mathrm{i}\right)}}\mathrm{h}\right)}^{-{\mathrm{y}}_{\mathrm{i}}}={\mathrm{g}}^{{\mathrm{t}}_{\mathrm{i}}}{\displaystyle \prod }_{\mathrm{j}=1}^{{\mathrm{l}}^{\ast }}{\displaystyle \prod }_{\mathrm{x}=1}^{{\mathrm{n}}^{\ast }}{({\mathrm{g}}^{{\mathsf{\beta }}^{\mathrm{x}}{\mathrm{A}}_{\mathrm{j},\mathrm{x}}^{\ast }}\mathrm{h})}^{-{\mathrm{y}}_{\mathrm{j}}}$$

(17)

$${\mathrm{C}}_{\mathrm{i},3}={\displaystyle \prod }_{\mathrm{j}=1}^{{\mathrm{l}}^{\ast }}{\mathrm{g}}^{{\mathrm{y}}_{\mathrm{j}}}$$

(18)

$${\mathrm{C}}_4={\mathrm{f}}^{\mathrm{s}}$$

$$\mathrm{CT}=\left(\mathrm{C},{\mathrm{C}}_0,{\left\{{\mathrm{C}}_{\mathrm{i},1},{\mathrm{C}}_{\mathrm{i},2},{\mathrm{C}}_{\mathrm{i},3}\right\}}_{\mathrm{i}=1}^{\mathrm{l}},{\mathrm{C}}_4\right)$$

Ciphertext $\mathrm{CT}$ is returned to adversary $\mathcal{A}$.

Query phase 2:

Phase 1 queries are repeated while removing any queries that are not allowed.

Guess phase:

Adversary$\mathcal{A}$outputs its guess, ${\mathsf{\sigma }}^{\prime }\in \left\{0,1\right\}$. If $\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }$, this means $\mathrm{T}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{s} \mathsf{\beta }}^{\mathrm{q}+1}}$, and $\mathcal{A}$ wins in the game, with $\mathrm{C}={\mathrm{m}}_{\mathsf{\sigma }}\mathrm{Te}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{ns}}=\mathrm{me}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{s} \mathsf{\beta }}^{\mathrm{q}+1}}\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{ns}}=\mathrm{me}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathrm{s}\left(\mathrm{n}+{\mathsf{\beta }}^{\mathrm{q}+1}\right)}=\mathrm{me}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\mathrm{s} }$. When $\mathrm{T}=\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{{\mathrm{r} \mathsf{\alpha }}^{\mathrm{q}+1}}$, this means $\mathrm{Pr}\left[\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }\right]=1/2+ϵ$; therefore, ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Sem}-\mathrm{Or}}=\mathrm{Pr}\left[\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }\right]-1/2=ϵ$, which means that $\mathcal{B}$ has a non-negligible advantage when solving the q-parallel BDHE assumption.

Proof. 

Suppose that there is a PPT adversary, $\mathcal{A}$, that has a non-negligible advantage, ɛ, in breaking the re-encrypted ciphertext semantic security of the EV-ABPRE scheme. In this case, we can construct simulator $\mathcal{B}$, which can solve the q-parallel BDHE assumption with the same advantage, ɛ. □

Lemma 2. 

EV-ABPRE is re-encrypted and ciphertext secure under the q-parallel BDHE assumption.

$\mathrm{Init}:$Adversary $\mathcal{A}$ outputs access policy $({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }$) and ${\mathrm{ID}}^{\ast }$, of which ${\mathbb{A}}^{\ast }$ is an $\mathrm{l}\times \mathrm{n}$ matrix, and challenger $\mathcal{B}$ creates two forms that are initially empty: ${\mathcal{L}}_{\mathrm{RK}}$=$({\mathrm{S}}_{\mathrm{i}}$,${\mathrm{ID}}_{\mathrm{i}}$,${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}) \mathrm{and} {\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{ID}}}$=(${\mathrm{ID}}_{\mathrm{i}}$,${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$).

$\mathrm{Setup}:$Challenger $\mathcal{B}$ randomly selects $\mathrm{n}\in {\mathbb{Z}}_{\mathrm{p}}$. Then, element$\mathsf{\gamma }$is randomly selected, and $\mathrm{f}={\mathrm{g}}^{\mathsf{\gamma }}$ is computed. Encoding function $\mathrm{F}: {\mathbb{G}}_{\mathrm{T}}\to {\mathbb{G}}_1$ is selected. Finally, public parameter $\mathrm{PP}=\left(\mathrm{g},\mathrm{u},\mathrm{h},\mathrm{w},\mathrm{f},\mathrm{v},\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }},\mathrm{F}\right)$ is outputted.

${\mathcal{O}}_{{\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}}\left({\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the IBE key. If ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}^{\ast }$, challenger $\mathcal{B}$ returns false symbol $\perp$. Otherwise, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$ algorithm, which generates and returns the IBE secret key ${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$ to the adversary $\mathcal{A}$ and stores it in form ${\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{ID}}}$.

${\mathcal{O}}_{{\mathrm{SK}}_{\mathrm{S}}}\left({\mathrm{S}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the ABE key. If ${\mathrm{S}}_{\mathrm{i}}\notin {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which generates and returns the ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$. Otherwise, false symbol $\perp$ is returned.

${\mathcal{O}}_{\mathrm{RK}}\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption key. If $\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$ already exists in form ${\mathcal{L}}_{\mathrm{RK}}$, challenger $\mathcal{B}$ returns the ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$ to adversary $\mathcal{A}$. Otherwise, if ${\mathrm{S}}_{\mathrm{i}}\notin {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which returns the ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$; then, it randomly selects $\mathrm{t} \prime ,{\mathrm{s}}^{\prime }\in {\mathbb{Z}}_{\mathrm{p}}$ and computes ${\mathrm{rk}}_0={\mathrm{K}}_0·{\mathrm{f}}^{{\mathrm{t}}^{\prime }},{\mathrm{rk}}_1={\mathrm{K}}_1,{\left\{{\mathrm{rk}}_{\mathrm{j},2}={\mathrm{K}}_{\mathrm{j},2},{\mathrm{rk}}_{\mathrm{j},3}={\mathrm{K}}_{\mathrm{j},3}\right\}}_{\mathrm{j}=1}^{\left|\mathrm{S}\right|},{\mathrm{rk}}_4=\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }{\mathrm{s}}^{\prime }}\right){\mathrm{g}}^{{\mathrm{t}}^{\prime }},{\mathrm{rk}}_5={\left({\mathrm{u}}^{{\mathrm{ID}}_{\mathrm{i}}}\mathrm{h}\right)}^{{\mathrm{s}}^{ }},{\mathrm{rk}}_6={\mathrm{g}}^{{\mathrm{s}}^{\prime }}$, returning ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$ and storing it in ${\mathcal{L}}_{\mathrm{RK}}$. Otherwise, ${\mathrm{S}}_{\mathrm{i}}\in {\mathbb{A}}^{\ast }$, a random re-encryption key, is randomly generated by challenger $\mathcal{B}$. It selects $\mathrm{t} \prime ,{\mathrm{s}}^{\prime }\in {\mathbb{Z}}_{\mathrm{p}}$ randomly, ${\mathrm{r}}_1,{\mathrm{r}}_2,\dots ,{\mathrm{r}}_{\left|\mathrm{S}\right|}$, ${\mathrm{rk}}_0\in {\mathbb{G}}_1$, ${\mathrm{r}}^{\prime }={\mathrm{r}}_1+{\mathrm{r}}_2+\dots +{\mathrm{r}}_{\left|\mathrm{S}\right|}$, and then computes

$${\mathrm{rk}}_1={\mathrm{g}}^{{\mathrm{r}}^{\prime }}{\left\{{\mathrm{rk}}_{\mathrm{j},2}={\mathrm{g}}^{{\mathrm{r}}_{\mathrm{j}}},{\mathrm{rk}}_{\mathrm{j},3}={\left({\mathrm{u}}^{{\mathrm{att}}_{\mathrm{j}}}\mathrm{h}\right)}^{{\mathrm{r}}_{\mathrm{j}}}{\mathrm{v}}^{-{\mathrm{r}}^{\prime }}\right\}}_{\mathrm{j}=1}^{\left|\mathrm{S}\right|},{\mathrm{rk}}_4=\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }{\mathrm{s}}^{\prime }}\right){\mathrm{g}}^{{\mathrm{t}}^{\prime }},{\mathrm{rk}}_5={\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{{\mathrm{s}}^{\prime }},{\mathrm{rk}}_6={\mathrm{g}}^{{\mathrm{s}}^{\prime }}.$$

${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ is returned to adversary $\mathcal{A}$ and is then stored in ${\mathcal{L}}_{\mathrm{RK}}$.

Challenge phase:

Adversary $\mathcal{A}$ submits identity ${\mathrm{ID}}^{\ast }$, access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$, and two plaintexts ${\mathrm{m}}_0{ \mathrm{and} \mathrm{m}}_1$ of equal length to challenger $\mathcal{B}$. Next, $\mathcal{A}$ executes the $\mathrm{ReKeyGen}$ algorithm to obtain the re-encrypted ciphertext. Challenger $\mathcal{B}$ then randomly selects a plaintext and executes the ${ \mathrm{Encrypt}}_{\mathrm{CP}}\left({\mathrm{m}}_{\mathsf{\sigma }},\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right),\mathrm{PP}\right)$ algorithm to obtain ciphertext $\mathrm{CT}$, followed by the $\mathrm{ReEncrypt}\left({\mathrm{rk}}_{{\mathrm{S}}^{\ast }\to {\mathrm{ID}}^{\ast }},\mathrm{CT},\mathrm{PP}\right)$ algorithm, which generates and returns re-encrypted ciphertext ${\mathrm{CT}}^{\prime }$ to adversary $\mathcal{A}$.

$${\mathrm{C}}_3^{\prime }={\mathrm{C}}_0^{\mathsf{\gamma }}={\mathrm{f}}^{\mathrm{s}},{\mathrm{CT}}^{\ast \prime }=\left({\mathrm{C}}^{\prime },{\mathrm{C}}_0^{\prime },{\mathrm{C}}_1^{\prime },{\mathrm{C}}_2^{\prime },{\mathrm{C}}_3^{\prime }\right).$$

Query phase 2:

Phase 1 queries are repeated while removing any queries that are not allowed.

Guess phase:

We first show that adversary $\mathcal{A}$ has the ability to distinguish between a random re-encryption key and a well-formed re-encryption key. When ${\mathrm{S}}_{\mathrm{i}}\in {\mathbb{A}}^{\ast }$, challenger $\mathcal{B}$ selects a ${\mathrm{rk}}_0\in {\mathbb{G}}_1$. There must be a random number, ${\mathrm{t}}^{″}\in {\mathbb{Z}}_{\mathrm{p}}$, which results in ${\mathrm{rk}}_4={\mathrm{g}}^{\mathsf{\alpha }}{\mathrm{w}}^{{\mathrm{r}}^{\prime }}{\mathrm{f}}^{{\mathrm{t}}^{″}}$ for ${\mathrm{rk}}_0$. From the above, ${\mathrm{rk}}_6=\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha } \mathrm{s} \prime }\right){\mathrm{g}}^{{\mathrm{t}}^{″}}$. The random re-encryption key can be written as ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}^{\prime }=\left({\mathrm{g}}^{\mathsf{\alpha }}{\mathrm{w}}^{{\mathrm{r}}^{\prime }}{\mathrm{f}}^{{\mathrm{t}}^{″}},{\mathrm{g}}^{{\mathrm{r}}^{\prime }},{\left\{{\mathrm{g}}^{{\mathrm{r}}_{\mathrm{j}}},{\mathrm{u}}^{{\mathrm{att}}_{\mathrm{j}}}{\mathrm{v}}^{-{\mathrm{r}}^{\prime }}\right\}}_{\mathrm{j}=1}^{\mathrm{l}}, \mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha } \mathrm{s} \prime }\right){\mathrm{g}}^{{\mathrm{t}}^{\prime }},{\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{{\mathrm{s}}^{\prime }},{\mathrm{g}}^{{\mathrm{s}}^{\prime }}\right)$.

The well-formed re-encryption key can be written as

$${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}^{\prime }=\left({\mathrm{g}}^{\mathsf{\alpha }}{\mathrm{w}}^{{\mathrm{r}}^{\prime }}{\mathrm{f}}^{ \mathrm{t} ″},{\mathrm{g}}^{{\mathrm{r}}^{\prime }},{\left\{{\mathrm{g}}^{{\mathrm{r}}_{\mathrm{j}}},{\mathrm{u}}^{{\mathrm{att}}_{\mathrm{j}}}{\mathrm{v}}^{-{\mathrm{r}}^{\prime }}\right\}}_{\mathrm{j}=1}^{\mathrm{l}}, \mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }{\mathrm{s}}^{\prime }}\right){\mathrm{g}}^{{\mathrm{t}}^{″}},{\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{{\mathrm{s}}^{\prime }},{\mathrm{g}}^{{\mathrm{s}}^{\prime }}\right)$$

Therefore, adversary $\mathcal{A}$ requires a clear distinction between randomly generated $\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }{\mathrm{s}}^{\prime }}\right){\mathrm{g}}^{{\mathrm{t}}^{″}}$ and well-formed $\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }{\mathrm{s}}^{\prime }}\right){\mathrm{g}}^{{\mathrm{t}}^{\prime }}$. These two parts are encryptions of the IBE for ${\mathrm{g}}^{{\mathrm{t}}^{\prime }}$ and ${\mathrm{g}}^{{\mathrm{t}}^{″}}$. Therefore, adversary $\mathcal{A}$ distinguishes the random re-encryption key and the re-encryption key generated according to the algorithm with the same distribution as the IBE scheme, $\mathrm{Pr}\left[\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }\right]=\frac{1}{2}+ϵ$; therefore, ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Sem}-\mathrm{Re}}=\mathrm{Pr}\left[\mathsf{\sigma }={\mathsf{\sigma }}^{\prime }\right]-\frac{1}{2}=ϵ$, and challenger $\mathcal{B}$ has a non-negligible advantage in solving the q-parallel BDHE assumption.

5.4. Verifiability

Proof. 

Suppose there is a PPT adversary, $\mathcal{A}$, that has a non-negligible advantage, ɛ, in breaking the verifiability of the EV-ABPRE scheme. In this case, we can construct simulator $\mathcal{B}$, which can solve the q-parallel BDHE assumption with the same advantage, ɛ. □

Lemma 3. 

EV-ABPRE is verifiable under the discrete logarithm assumption.

$\mathrm{Init}:$Adversary $\mathcal{A}$ outputs access policy $({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }$) and ${\mathrm{ID}}^{\ast }$, of which ${\mathbb{A}}^{\ast }$ is an $\mathrm{l}\times \mathrm{n}$ matrix, and challenger $\mathcal{B}$ creates two forms that are initially empty: ${\mathcal{L}}_{\mathrm{RK}}$=$({\mathrm{S}}_{\mathrm{i}}$,${\mathrm{ID}}_{\mathrm{i}}$,${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}) \mathrm{and} {\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{ID}}}$=(${\mathrm{ID}}_{\mathrm{i}}$,${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$).

$\mathrm{Setup}:$Challenger $\mathcal{B}$ randomly selects $\mathrm{n}\in {\mathbb{Z}}_{\mathrm{p}}$. Then, it randomly selects element $\mathsf{\gamma }$ and computes $\mathrm{f}={\mathrm{g}}^{\mathsf{\gamma }}$. Encoding function $\mathrm{F}:{\mathbb{G}}_{\mathrm{T}}\to {\mathbb{G}}_1$ is selected. Finally, public parameter $\mathrm{PP}=\left(\mathrm{g},\mathrm{u},\mathrm{h},\mathrm{w},\mathrm{f},\mathrm{v},\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }},\mathrm{F}\right)$ is outputted.

Query phase 1:

${\mathcal{O}}_{{\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}}\left({\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the IBE key. If ${\mathrm{ID}}_{\mathrm{i}}={\mathrm{ID}}^{\ast }$, challenger $\mathcal{B}$ returns false symbol $\perp$. Otherwise, challenger $\mathcal{B}$ executes the ${\mathrm{KeyGen}}_{\mathrm{IBE}}$ algorithm, which generates and returns the IBE secret key ${\mathrm{SK}}_{{\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$, and stores it in ${\mathcal{L}}_{{\mathrm{SK}}_{\mathrm{ID}}}$.

${\mathcal{O}}_{\mathrm{RK}}\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$: Adversary $\mathcal{A}$ submits a query for the re-encryption key. If $\left({\mathrm{S}}_{\mathrm{i}},{\mathrm{ID}}_{\mathrm{i}}\right)$ already exists in form ${\mathcal{L}}_{\mathrm{RK}}$, challenger $\mathcal{B}$ returns ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$ to the adversary. Otherwise, $\mathcal{B}$ first executes the ${\mathrm{KeyGen}}_{\mathrm{CP}}$ algorithm, which generates a CP-ABE secret key ${\mathrm{SK}}_{{\mathrm{S}}_{\mathrm{i}}}$. Then, challenger $\mathcal{B}$ executes the $\mathrm{ReKeyGen}$ algorithm, which generates and returns re-encryption key ${\mathrm{rk}}_{{\mathrm{S}}_{\mathrm{i}}\to {\mathrm{ID}}_{\mathrm{i}}}$ to adversary $\mathcal{A}$ and stores it in ${\mathcal{L}}_{\mathrm{RK}}$.

${\mathcal{O}}_{\mathrm{Claim}}\left({\mathrm{SK}}_{\mathrm{S}},{\mathrm{CT}}^{\prime }\right)$: Adversary $\mathcal{A}$ submits a query for the re-encrypted ciphertext verification to check whether the re-encrypted ciphertext is valid. If it is valid, true is returned to adversary $\mathcal{A}$. Otherwise, false is returned.

Challenge phase:

Adversary $\mathcal{A}$ submits access policy $\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right)$ and plaintext ${\mathrm{m}}^{\ast }$ to challenger $\mathcal{B}$. Challenger $\mathcal{B}$ executes ${\mathrm{Encrypt}}_{\mathrm{CP}}\left({\mathrm{m}}^{\ast },\left({\mathbb{A}}^{\ast },{\mathsf{\rho }}^{\ast }\right),\mathrm{PP}\right)\to \mathrm{CT}$ and then returns ciphertext $\mathrm{CT} \mathrm{to}$ adversary $\mathcal{A}$.

Query phase 2: Repeats the query of phase 1, removing queries that are not allowed.

Guess phase:

Adversary $\mathcal{A}$ outputs an IBE key, ${\mathrm{SK}}_{{\mathrm{ID}}^{\ast }}$, as well as re-encrypted ciphertext ${\mathrm{CT}}^{\ast \prime }$. If $\mathrm{DecRe}\left({\mathrm{CT}}^{\ast \prime },{\mathrm{SK}}_{{\mathrm{ID}}^{\ast }}\right)\ne {\mathrm{m}}^{\ast }$, $\mathcal{A}$ wins the game, and the advantage of $\mathcal{A}$ in winning this game is defined as ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Ver}}=|\mathrm{Pr}[\mathcal{A} \mathrm{wins}|\mathrm{Ver}]$. For all PPT adversaries, if its advantage, ${ \mathrm{Adv}}_{\mathcal{A}}^{\mathrm{Ver}}$, is negligible, this means that the scheme is verifiable.

6. Performance Evaluation

To further evaluate the scheme, we selected several similar ones and compared them in three aspects: functionality, communication overhead, computational overhead, and security. By conducting simulation experiments, we analyzed the advantages and disadvantages of the scheme and similar ones in terms of computing costs.

6.1. Functionality Comparison

The functionality comparison between our scheme and other secure data sharing schemes is shown in

Table 1. Functionality comparison.

Scheme	Attribute Sets	Blockchain	ABE	PRE	Verifiable	Security
[12]	√	×	√	√	√	CPA
[19]	√	×	√	√	√	Semantic security
[25]	√	×	√	√	×	CPA
[26]	√	√	√	√	×	CPA
Our scheme	√	√	√	√	√	Semantic security

. Proxy re-encryption is used in all schemes in [12,19,25,26], but it cannot ensure that the original ciphertext is tamper-proof without the participation of the blockchain, and the schemes in [12,25,26] cannot verify whether or not the re-encrypted ciphertext is honestly re-encrypted by the proxy nodes. The scheme ensures the security of the data storage and sharing process based on the blockchain. Fine-grained access control is offered via attribute-based proxy re-encryption, and the delegator can confirm the validity of the ciphertext. In conclusion, our scheme offers more advantages in comparison in terms of functionality.

Table 1 presents a comparison of the functionalities of our secure data sharing scheme with similar schemes. While all schemes in [12,19,25,26] use proxy re-encryption, they cannot guarantee the original ciphertext’s tamper-proof nature without the involvement of the blockchain. Additionally, schemes in [25,26] fail to verify whether the proxy nodes have honestly re-encrypted the ciphertext. Our scheme ensures secure data storage and sharing via the blockchain and offers fine-grained access control using attribute-based proxy re-encryption. The delegatee can also verify the re-encrypted ciphertext’s validity. Hence, our scheme has a more comprehensive set of functionalities than the others, making it more advantageous.

6.2. Communication Overhead

The communication overhead of our scheme was evaluated by analyzing the length of the secret key, public parameter, ciphertext, and re-encryption key, as shown in

Table 2. Delegator’s communication overhead.

Scheme	Secret Key	Ciphertext	Public Parameters
[12]	$3\left|{\mathbb{G}}_1\right|$	$\left(2+2\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$3\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$
[19]	$\left(3+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$\left(2+3\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$\left(5+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$
[25]	$\left(2+2\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$\left(2+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$3\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$
[26]	$\left(2+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$\left(2+2\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$3\left|{\mathbb{G}}_1\right|$
Our scheme	$\left(3+4\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$\left(2+5\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$6\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$

and

Table 3. Delegatee’s communication overhead.

Scheme	Secret Key	Re-Encrypted Ciphertext	Public Parameters
[12]	$3\left|{\mathbb{G}}_1\right|$	$\left(1+2\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+2\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$3\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$
[19]	$\left(3+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$\left(1+3\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+3\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$\left(5+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$
[25]	$\left(2+2\mathrm{n}\right)\left|{\mathbb{G}}_1\right|$	$\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$3\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$
[26]	$\left(3+\mathrm{n}\right)\left|{\mathbb{G}}_1\right||$	$\left(2+2\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$3\left|{\mathbb{G}}_1\right|$
Our scheme	$4\left|{\mathbb{G}}_1\right|$	$\left(5+\mathrm{n}\right)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$	$3\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_{\mathrm{T}}\right|$

. Our results demonstrate that our scheme has low communication overhead, especially when compared to other similar schemes. For instance, the length of the secret key and ciphertext in our scheme is shorter than that of [19,25]. Furthermore, our scheme has smaller-sized public parameters and re-encryption keys than [12,26]. These results indicate that our scheme is more efficient in terms of communication overhead.

For the sake of simplicity, we use $\mathrm{n}$ to denote the number of attributes and the bit length of the elements. As demonstrated in Table 2 and Table 3, only [12] and our scheme achieved a constant-length secret key for the delegatee. Taking into account all aspects, our scheme is still more efficient in terms of the delegatee’s local storage space.

6.3. Computational Overhead

We consider only the most expensive exponentiation and pairing operations, where E represents an exponential operation on group ${\mathbb{G}}_1$, $\mathrm{P}$ represents a bilinear operation, and $\mathrm{x}$ represents the number of attributes. Comparing our scheme with [12,14] in terms of computational overhead, we observe that our scheme requires more computational capabilities for encrypting plaintext and generating re-encrypted plaintext. However, in our scheme, the computational capabilities required for generating the re-encryption key and decrypting the re-encrypted ciphertext are constant, whereas in scheme [12,14], the computational capabilities required are linearly related to the number of attributes. This significantly reduces the computation stress of the delegator and the delegatee in our algorithm for generating the re-encryption key and decrypting the re-encrypted ciphertext (

Table 4. Computational overhead.

Scheme	Enc	ReKeyGen	ReEnc	DecRe
[12]	$\left(3+2\mathrm{x}\right)\mathrm{E}$	$\left(4+2\mathrm{x}\right)\mathrm{E}$	$\left(2+2\mathrm{x}\right)\mathrm{P}+\mathrm{xE}$	$\left(1+2\mathrm{x}\right)\mathrm{P}+\mathrm{xE}$
[19]	$\left(3+3\mathrm{x}\right)\mathrm{E}$	$\left(7+4\mathrm{x}\right)\mathrm{E}$	$\left(2+2\mathrm{x}\right)\mathrm{P}+\mathrm{xE}$	$\left(1+2\mathrm{x}\right)\mathrm{P}+\mathrm{xE}$
Our scheme	$\left(3+5\mathrm{x}\right)\mathrm{E}$	$6\mathrm{E}$	$\left(1+3\mathrm{x}\right)\mathrm{P}+\mathrm{xE}$	$3\mathrm{P}$

).

6.4. Security Properties

• Collusion Resistance: By executing the $\mathrm{ReKeyGen}$ algorithm, it outputs ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}=\left({\mathrm{rk}}_{\mathrm{o}},{\mathrm{rk}}_1,{\left\{{\mathrm{rk}}_{\mathrm{i},2},{\mathrm{rk}}_{\mathrm{i},3}\right\}}_{i=1}^{\left|S\right|},{\mathrm{rk}}_4,{\mathrm{rk}}_5,{\mathrm{rk}}_6\right)$. We are aware that ${\mathrm{rk}}_{\mathrm{o}}={\mathrm{K}}_0{\mathrm{f}}^{\tilde{\mathrm{r}}},{\mathrm{rk}}_1={\mathrm{K}}_1,{\mathrm{rk}}_{\mathrm{i},2}={\mathrm{K}}_{\mathrm{i},2},{\mathrm{rk}}_{\mathrm{i},3}={\mathrm{K}}_{\mathrm{i},3},{\mathrm{rk}}_4=\mathrm{F}\left(\mathrm{e}{\left(\mathrm{g},\mathrm{g}\right)}^{\mathsf{\alpha }\tilde{\mathrm{t}}}\right){\mathrm{g}}^{\tilde{\mathrm{r}}},{\mathrm{rk}}_5={\left({\mathrm{u}}^{\mathrm{ID}}\mathrm{h}\right)}^{\tilde{\mathrm{t}}},{\mathrm{rk}}_6={\mathrm{g}}^{\tilde{\mathrm{t}}}$, if the semi-trusted proxy conspires with the delegatee; that is, the re-encryption key and the delegatee’s ID are known, and it is easy for $\mathcal{A}$ to recover ${\mathrm{g}}^{\tilde{\mathrm{r}}}$ from ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$ since ${\mathrm{rk}}_{\mathrm{S}\to \mathrm{ID}}$ contains the IBE encryption of ${\mathrm{g}}^{\tilde{\mathrm{r}}}$ under ID. If $\mathcal{A}$ wants to obtain the private key of the delegator, it needs to find a way to obtain ${\mathrm{rk}}_{\mathrm{o}}$. However, $\mathcal{A}$ cannot obtain blinding factor part ${\mathrm{f}}^{\tilde{\mathrm{r}}}$.
• Verifiability: Existing cloud storage solutions lack trusted third parties, which creates a risk of malicious data deletion by delegatees. To address this issue, our scheme leverages the decentralized nature of the blockchain to provide a trusted environment for verifiable schemes. By utilizing the tamper-proof and traceability properties of the blockchain, we store the ciphertext on ciphertext chain-T. After receiving the re-encrypted ciphertext, the trustee sends ciphertext sub-item ${\mathrm{C}}_{\mathrm{i},4}^{\prime }$ to the client, and the delegator obtains verification results using the verification algorithm. The blockchain’s traceability property increases the cost of dishonest re-encryption by semi-trusted agents. This approach effectively avoids the risk of the malicious tampering of data by a semi-trusted proxy or an illegal delegatee.
• Extensibility: The blockchain is a decentralized ledger. The data on the chain are generated by consensus, traceable, and cannot be deleted. To ensure that uploaded data can be checked quickly, and the scheme stores the complete ciphertext in ciphertext chain-T. The access policy, storage address, and metadata information are stored in index chain-I for easy verification and traceability. We want to ensure that we address the issue of the limited block storage capacity and prevent a single-point failure due to a large amount of data, which would result in a waste of storage space. Therefore, we combined the chord algorithm with ciphertext chain-T to extend the chain structure.
• Privacy: Our scheme provides protection for both data content privacy and delegatee identity privacy. Specifically, the ciphertext encrypted by ABE is stored in ciphertext chain-T, while index chain-I only stores the storage address and access policy. This approach enables fine-grained control and secure data sharing while protecting the delegatee’s identity privacy via the use of a unique identity identifier for interactions.

6.5. Simulation Experiment

To evaluate the computational efficiency of our scheme, we compared it with schemes [12,19] and measured the performance of each based on computational overhead data. To simulate EV-ABPRE and scheme [12,19], we utilized the C++ programming language and the pairing-based cryptography library. The experiment was conducted in a virtual environment (Parallels Desktop) using a Windows 11 operating system, an Apple M1 CPU clocked at 3.2 GHz, and 8 GB of RAM. We computed the computational overhead of the three schemes in the encryption, re-encryption key generation, re-encryption, and decryption phases.

Figure 2a shows that the computational capabilities required for the encryption phase increase linearly with the number of attributes. To ensure data security, the encryption process requires an increased number of pairing operations, resulting in higher computational demands for our scheme compared to the schemes in [12,19].

Figure 2b shows that as the number of attributes increases in the schemes in [12,19], the delegator’s required computational capabilities to generate the re-encryption key also increase. In contrast, the computational capabilities consumed by the delegator to generate the re-encryption key in our scheme remain constant. This advantage becomes more apparent as the number of attributes increases.

Figure 2c shows that as the number of attributes increases, the proxy nodes’ requirement for computational capabilities to generate the re-encrypted ciphertext also increases. Our scheme’s increased pairing operations ensure data security, but it also requires more computational capabilities compared to the schemes in [12,19].

Figure 2d shows that as the number of attributes increases in the schemes in [12,19], the delegatee’s required computational capabilities to decrypt the re-encrypted ciphertext also increase. However, the computational capabilities consumed by the delegatee to decrypt the re-encrypted ciphertext in our scheme remain constant. This benefit becomes clearer as the number of attributes increases.

7. Conclusions

Our scheme combines blockchain and EV-ABPRE. On the basis of blockchain, an efficient and verifiable attribute-based proxy re-encryption cloud sharing scheme is suggested, which realizes fine-grained and secure data sharing by using two blockchains and the encryption scheme proposed in this paper. Our scheme solves the obsolete access policy in the ABE scheme and reduces the computation costs of the delegatee during decryptions. In comparison to the traditional ABPRE scheme, it adds the function of verifying whether the ciphertext is honestly encrypted by proxy nodes. In terms of functionality, the comparison with various encryption systems, communication overhead, and computation overhead shows that the scheme has the advantage of less computational capabilities and storage space while simultaneously improving security, but it needs to add a verification ciphertext segment to the encryption process.

However, the PKG in this scheme is too large in the entire system, and this can easily become the performance bottleneck of the system. In future research, we hope to achieve efficient and safe cloud data sharing by combining the multi-attribute authorization center with this scheme. In addition, in the verifiable attribute-based proxy re-encryption scheme, the authenticity of data can be greatly protected, but compared with other similar schemes, it is more sophisticated than others in the encryption phase. The computational power consumption of EV-ABPRE will also be further improved in the encryption phase, which is also a problem we will solve in future research.