Professional Documents
Culture Documents
I NTRODUCTION
J. Xu, Q. Wen, W. Li and Z. Jin are with the State Key Laboratory
of
Networking and Switching Technology, Beijing University of Posts and
Telecommunications, Beijing, 100876, China.
E-mail: liwenmin02@gmail.com
1045-9219 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
Doctor
such
Chief data
Doctor)
Orthopedics
}
.
T
o
make
sharing
be
achievable,
attribute-based
encryption
applicable.
is
1045-9219 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
2
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
2
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
1.4 Organization
In the following section, we describe some
related mathematical problems. A formal
definition of hybrid VD-CPABE and its
corresponding security model is given in
section 3. In Section 4, we propose a
concrete construction for VD-CPABE. In
P RELIMINARY
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
4
TABLE 1
Role description
Role
Data owner
uploads his
User
the
Description
Authority
Attribute key generator center
(trusted third party)
Encrypting party who
encrypted data to the
cloud
Decrypting party who outsources
A
B
C
B
OR
AND
AND
OR
AND
OR
AND
AND
2.3 Circuits
In the context, we still restrict our
attention to the
monotone boolean circuit with a single
output gate [9]. The definition of a circuit
and its evaluation are as follows.
Definition 1. A single-output circuit is a 5tuple f = (n, q, A, B, tt). Here n is the
number of inputs, q is the number of
gates, and n + q is the number of
wires.
Inputs=
}, Wires=
{q1,} ...,
n
+
q}, Let
Gates=
{n {+1,
+ ...,
1, .n...,
n A:
+ Gates
and
OutputWire=
{n
Then
Wires/OutputWires
is a q}function toB:identify
each
gates first incoming
wire,
Gates
Wires/OutputWires
is a
function
identify
eachGates
gates
second
incoming to
wire
and G:
OR AND
D
OR
G
H
AND
E
OR
H
NOT
OR
circuit
corresponding
theleft
B)
(C
D) (E toF)
(tt circuit
H) f = (A
i+j
Definition
3.
(k- Multilinear
Decision-DiffieHellman
problem).
A challenger
runs G(, k)
to
get a sequence
of groups tt = (tt1, ..., ttk) of prime order
p where
functionality and a single fan-out. Every noninput wire is the outgoing wire of some gates.
We require
A(w) < B(w) < w for all w Gates. Let
depth(w)
equals wire
to the length
of theif shortest
path to
an
input
1 and
w Inputs
then
depth(w) = plus
1.
We define the evaluation of the circuit f as
f(x) on
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
4
each
with
a canonical
g
= gccomes
gpk.. Then
it advantage
pickssgenerator
s, c, cin
1, g
2..., Z
1,
...,
The
s k j [1,k]
c the
distinguishing
tuple
(g,
g , g c , ...,
c
g ,g
j)
from (g, gs, gc1 , ..., gck , gc ) is negligible in
.
Encrypt.
The simulator
encrypts
K0 under
the
f , random
chooses
K1
fromstructure
key space
and
flips asends
random
coin the
b. Then
the CK
simulator
Kb and
ciphertext
to the adversary.
KeyGen Queries II. The adversary makes
repeated
private
queriesxcorresponding
to
the
of key
attributes
q1 , ..., xq where f
(x)sets
= 0.
Guess. The adversary outputs a guess b of b.
We define the advantage
of an adversary A
in thisscheme
game is is
Pr[b = b] 1 . Then a
KEM
2
secure against selective
chosen plaintext
attacks if the advantage is negligible.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
4
C =
C,
Init.
Thestrucadversary
a challenge
, where
access
ture fgives
it wishes to
be challenged.
Setup. The simulator runs the Setup
algorithm and
b.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
6
s
1
C = g , r = H (g ), C = M s1
M
1
2
M
k 1
k
H1(g
s2 k ),
s
s2
2
C
R = gk1, r2 = H2(gk ), CR = R
H1(gk ),
1 =
M AC.SignIDo ,r1 (CM ||CR ), 2
=
M AC.SignIDo ,r2 (CM ||CR ).
Where
(C
1ts3=
H
gs3 yts3
r1s3
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
and
Init.
The the
VD-CPABE
algorithm
submits
challenge
access adversary
structure f
and two
equal
length messages M0 and M1.
Setup. The simulator runs the Setup algorithm
and
gives the public parameters PK to
adversary.
KeyGen Queries I. The adversary makes
the
repeated
private
key queries
to the
sets
x1,corresponding
x)q1 =
. We
(x
that of
i attributes
q1 we have
f...,
0. require
i
Encrypt.
The simulator
encrypts
K0 under
the
structure
f by using
the KEM
algorithm.
Then
the simulator flips a random coin v and
encrypts Mv under the symmetric key K0
by using the AE algorithm. Then the total
ciphertext is given to the VD-CPABE
algorithm adversary.
KeyGen Queries II. The adversary makes
repeated
private
key queries corresponding to
the
sets
f (x)
= of
0. attributes xq1 , ..., xq where
Guess. The adversary outputs a guess v of
v.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
6
game is P r[v = v] 1 .
2
2 = g s3 y ts3 H
is
ts3
Set
M s3=
, H
an
d
s
ts
R =s3 {2, g 3 , g 3
, H
k
k 1
3,k1
The
partial
ciphertext
is
M , M , CR, CR, R).
(CM , C
Note that the value g yt , 3 gt and
H t (ID o ) are the private keys for the
encrypter shown in the KeyGen
algorithm.
2) Given the circuit access structure
f, it
generates
a complement
using De Morgans
rule circuit f
such that negation gates appear only at
the input wires.
Takes f for example, the encryption
algorithm
chooses random r1, 1 Zp and lets
..., rn+q
rn+q = s1. The randomness rw is
associated
with wire w. We then describe how the
circuit
f shares the encryption
exponent s1. We use the monotone
boolean circuits given by Garg et al. [9].
The structure of the shares depends on
if w
is an Input wire, an OR gate, or an AND
gate. The circuit descriptions are as
follows.
Input
wire.chooses
For w [1,
n], this
algorithm
random
z Z .
The shares
are: Cw,1 = yrw (yhww)zwp,
Cw,2 = gzw .
Gate
OR. Let j = depth(w).
This
algorithm
The shareschoose
are: random aw Zp.
Cw,1 =
g aw
a(rwawrA(w))
, C
w,2 = g
j
, C
w,3 =
a(rwawrB(w))
gj
.
Gate
AND.
Let
j = depth(w).
This
algorithm choose
random a
w, bw
Zp. The shares
are:
a(r
r
w w
b r
A(w)
B(w)
Cw,1 = gaw ,w,2
C= g
.
For the OR and
AND gates in circuit
j
f, the sharing methods are as the
same as in f. When negation gates
appear in the input level, setting fw (x)
=
xw ,
the
shares
of
the
corresponding
w
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
6
MK = g.
Hybrid-Encrypt(PK, f = (n, q, A, B,
ttateT ype),
M {0, 1 m)). This algorithm is executed
by the }
data
owner
.Takin
g the
public
para
meter
s PK,
a
descri
ption
fa of
circui
ta and
mess
age
m
M
{0, 1}
as
input,
the
hybri
d
encry
ption
algori
thm
works
as
follow
s.
CM , C
M , CR, CR, , the ciphertext of f
and f
firstly chooses a random t Zp. Then it
creates
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
Data owner
Cloud Server
User
Authority
Run Setup(, n,l) to get MK = g
1 MACID
,r
,r
s1
s2
PK (g , kH , 1H ,2H ,3111n
y,h 212n
,...,h ,h ,...,h )
If x 1,iiiiin
K
( yh )t , If x 0, K ( )yh
t
i
(CM ||CR )
TK {x {0,1}n , L, iK ,i [1,n]}
f ( x) 1,
M
e(CM , K ) , r H ( )
12
M
C M
Verify the validity of 1
f ( x) 0, e(C R , K ) , r H ( )
R
22
R
C R
Verify the validity of 2
YES
NO
Reject
If f ( x) 1, recover M H 1( M )
CM
If f ( x) 0, recover R H 1( R) CR
n+w
e( j
g
a(rwawrA(w))
, ga ) e(gj
arwt
, gt) = gj+1 .
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
from the bottom up. If f(x) = 1 we will
Gate AND.
be able
to partially decrypt the
ciphertext for M and if f(x) = 0 we will
be able to partially decrypt the ciphertext
for R. Consider the wire w at depth
Let j = depth(w). If
fA(w)(x) =
fA(w)(x) = 1, the algorithm computes:
Ew = e(EA(w), Cw,1) e(EB(w), Cw,2)
e(Cw,3, L)
ar t
arB(w)t
a w)
=
e(gA(w
, g
e(g
, g bw
)
j
)
a(rwawrjA(w)bwrB(w)) t
arwt
e(gj
, g ) = gj+1 .
If f(x) = fn+q = 1, the algorithm
computes
C
computes C = (gk)
M
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
Init.
The the
VD-CPABE
algorithm
submits
challenge
access adversary
structure f
and two
equal
length messages M0 and M1.
Setup. The simulator runs the Setup algorithm
and
gives the public parameters PK to
adversary.
KeyGen Queries I. The adversary makes
the
repeated
private
key queries
to the
sets
x1,corresponding
x)q1 =
. We
(x
that of
i attributes
q1 we have
f...,
0. require
i
Encrypt.
The simulator
encrypts
K0 under
the
structure
f by using
the KEM
algorithm.
Then
the simulator flips a random coin v and
encrypts Mv under the symmetric key K0
by using the AE algorithm. Then the total
ciphertext is given to the VD-CPABE
algorithm adversary.
KeyGen Queries II. The adversary makes
repeated
private
key queries corresponding to
the
sets
f (x)
= of
0. attributes xq1 , ..., xq where
Guess. The adversary outputs a guess v of
v.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
6
game is P r[v = v] 1 .
2
2 = g s3 y ts3 H
is
ts3
Set
M s3=
, H
an
d
s
ts
R =s3 {2, g 3 , g 3
, H
k
k 1
3,k1
The
partial
ciphertext
is
M , M , CR, CR, R).
(CM , C
Note that the value g yt , 3 gt and
H t (ID o ) are the private keys for the
encrypter shown in the KeyGen
algorithm.
2) Given the circuit access structure
f, it
generates
a complement
using De Morgans
rule circuit f
such that negation gates appear only at
the input wires.
Takes f for example, the encryption
algorithm
chooses random r1, 1 Zp and lets
..., rn+q
rn+q = s1. The randomness rw is
associated
with wire w. We then describe how the
circuit
f shares the encryption
exponent s1. We use the monotone
boolean circuits given by Garg et al. [9].
The structure of the shares depends on
if w
is an Input wire, an OR gate, or an AND
gate. The circuit descriptions are as
follows.
Input
wire.chooses
For w [1,
n], this
algorithm
random
z Z .
The shares
are: Cw,1 = yrw (yhww)zwp,
Cw,2 = gzw .
Gate
OR. Let j = depth(w).
This
algorithm
The shareschoose
are: random aw Zp.
Cw,1 =
g aw
a(rwawrA(w))
, C
w,2 = g
j
, C
w,3 =
a(rwawrB(w))
gj
.
Gate
AND.
Let
j = depth(w).
This
algorithm choose
random a
w, bw
Zp. The shares
are:
a(r
r
w w
b r
A(w)
B(w)
Cw,1 = gaw ,w,2
C= g
.
For the OR and
AND gates in circuit
j
f, the sharing methods are as the
same as in f. When negation gates
appear in the input level, setting fw (x)
=
xw ,
the
shares
of
the
corresponding
w
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
6
MK = g.
Hybrid-Encrypt(PK, f = (n, q, A, B,
ttateT ype),
M {0, 1 m)). This algorithm is executed
by the }
dataamowner.
Taking the public parameters
PK,
description
message
M f of a circuit and a
{0, 1} as input, the hybrid encryption
algorithm
(tt
1, ..., ttk) with an efficient
multilinear
map e,
a generator g and an instance g, ga, gc1
, ..., gck
tt1, T ttk. Then it flips a fair binary
coin u
outside of Bs view. If u = 0. The
challenger sets
a
T = kg
j [1,k]
j ; otherwise it sets T as
a random
group element in ttk.
Next,
the
attacker
declares
the
challenge
access
policy f
.
Remark.
When
the
attacker
declares
the
challenge
access
policy
f ,on
for
simplicity,
we will focus
our attention
the
original
policy f . Similarly,
we
CM , C
M , CR, CR, , the ciphertext of f
and f
works as follows.
m
finally outputs the partially decrypted
cipher-text
a(rw
tuple
awrA(w bwrB(w))
s.
)
Cw,3
gj
(gj
jyB(w) a1 aj 1 )
)
can
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
6
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
8
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
see rw as ayw.
B generates the challenge
ac x
k n+
as T
gciphertext
q
and
the description of the
k
circuit
f . Then B sends them to A1.
KeyGen Queries II. The adversary
makes repeated private key queries corresponding
to the
sets of attributes xq1 , ..., xq where f
(x) = 0. The
challenger responds the key queries as in
phase I.
Guess. The adversary outputs a guess b
of b. If
b = b it guesses that T is a tuple;
otherwise, it
guesses that it is random.
This immediately shows that the adversary
A1 with non-trivial advantage in the KEM
security game will have an identical
advantage in breaking the k-MDDH
assumption.
Init.
Firstly,
the challenger
generates
MDDH
instance
as in Algorithm
B-1. kNext, the attacker declares theastchallenge
partial decrypted ciphertext g .
k
Setup.
a security
parameter
, the
depth
lGiven
forn,the
circuit
and
the number
of
attributes
B
chooses
y2n Zp. For i [1, 2n], random y1, ...,
and
B sets hi = g vi , Y = k =
ack
ga , g
g k sends
PK = (g
,
H
,
H
,
Y,
h
,
...,
hn, hn+1,
1
2
1
k
..., h2n) to A2.
KeyGen Queries I. The adversary makes
repeated
private keys for any set S.
B chooses random t = ck + and
computes
t
a
K
= gquery
. Wefor
require
that
the
H = g ykey
private
t have
not
be
answered.
ack xn+q
Encrypt. B computes T g
and the
challenge
cj )
+
ciphertext C =at (xrn+qsends
them to
g
j
k
A2 .
will guess u =
1 if b = b, so we have Pr[u
= u|2u = 1] = 1 .
Thus, we compute the overall advantage
that the simulator solves the k-MDDH
problem is
P r[u = u ] = P r[u = 0]P r[u = u |u = 0]
+ P r[u =
.
2
k
1]P r[u = u |u = 1] = 2
1
+
Theorem 5.2. If the KEM is CPA secure and the
AE
is CCA secure then the proposed hybrid
CP-ABE
scheme is CPA secure.
Proof. Suppose there exist a polynomial-time
adver- sary attacks the AE scheme with
advantage a and an adversary attacks the
KEM scheme with advantage k, then the
advantage for the adversary, who attacks
the proposed hybrid encryption, is < 2k +
a.
Now we define two games to prove
security. The experiment Exp1 is specified by
our VD-CPABE game that interacts with the
adversary in the manner de- scribed in the
definition of the CPA experiment. The
experiment Exp2 modifies the VD-CPABE
algorithm that the encryption key for the AE
algorithm is chosen at random from key
space rather than the legitimate one
generated by the KEM algorithm.
Let A and B be the events that v = v
appears
in Exp1 and Exp2 respectively. Then we show
that
the
adversarys
views
Exp1 and |Exp
2 are
indistinguishable.
In inparticular,
Pr[A]
Pr[B]
| 2
k.
Consider
a
simulator
B
that
interacts
with
an
adversary
A
who
attacks
the
KEM
1
scheme
using
B Aruns
setup
A. to
algorithmbyand
gives APK
1.
A1 passes PK to AA and queries Kb to B by
using
the encryption oracle of Game.KEM. Then A1
flips a
coin
v and
computes
C =a AE.Enc
Kb (Mv ). It
sends
C Then
to B and
get
KEM
ciphertext
CK
forAC.
A
sends
(C,
CK)
to
=
1
When
outputs
v
v,
A
outputs
b =AA0.
A
1
to indicate that Kb is the real key.
Otherwise, if v = v, A1 outputs b = 1 to
indicate
that Kb
is a random element.It is clear by
construction
. Then B
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
that
whenofbA= is
0
identical
in E
the view
to that
A
KeyGen Queries II. The adversary makes
We
suppose
the attack
polynomial-time
adversaries
A1, A2 .can
this scheme
with
advantage
We willB compute
ksimulator
probability
that the
can solve the
the k-MDDH problem.
When u =to attack
0 the this
adversary
advantage
scheme has
that an
is
1
Pr[b
. The
simulator
guess=ub 1=|u 0= if0]b =
= b, +sokwe
have
Pr[u 2= will
u|u
= 0] =
+ k.
When u = 1 the adversary has
no advantage
to guess
b. Therefore
Pr[b = b|u = 1] = 1 .
2
The
simulator
2
xp
1 and when b = 1 the view of AA is
identical
to that in Exp2. That is Pr[v = v|b = 0] =
Pr[A] and
Pr[v = v|b = 1] = Pr[B]. Therefore,
1
(Pr[A] Pr[B])
2
=
=
1
2
1
1
2
KEM
query
get a ciphertext
CK
forencryption
C. Then
sends and
(C,
. When
A
v, AA22outputs
v. CK)
We to
canAAsee
that
A outputs
Exp
2 can be perfectly
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
1
0
TABLE 2
Pairing operation time
Parameter = 62
= 80
Time
15ms
= 80 = 160
= 160 = 200
16ms
31ms
21
| a.
We define the advantage that the
adversary wins in
Exp1 as , that is |Pr[A] 1 | . Since |Pr[B]
1
|
|Pr[B]
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
computing
Then we have < 2k + a, where k and
power and data owners
a are
data in the cloud.
assumed negligible.
Thus, the proposed system could be
applied to protect the datas confidentiality.
IMPLEMENTATION
In
this
section,
we
simulate
the
cryptographic opera- tions by using of the
Gnu MP library [20] in vc 6.0. The
experiments are performed on a computer
using the Intel Core i5-2400 at a frequency
of 3.10 GHz with 4GB memory and Windows
7 operation system. Without considering the
addition of two elements over the integer,
the hash function
and
exclusiveOR
operations, we denote the cost of a
multilinear pairing by P. denotes the
security parameter. denotes the group
elements size in bits. With different
parameters, the average running time of P
operation in 100 times is obtained and
demonstrated in TABLE
2. For P operations, in order to implement in
practice efficiently, we use the optimized
definition in [23].
We instantiate our hybrid VD-CPABE
scheme with = 80 and = 160. When we
operate
the
encryption
and
partial
decryption algorithms, the input wire and the
AND gate need to garble twice and the OR
gate needs to garble triple. The algorithm for
generating
MAC
needs
one
garbling
operation and other addition operations over
the integer, and the algorithm for verifying
MAC needs to garble triple. Based on the
above parameter settings, the most running
time to finish our encryption and decryption
algorithms are illustrated in Fig. 4.
In addition, suppose that the symmetric
cipher is 128-bit. The bandwidth of the
transmitted ciphertext
11
C ONCLUSION
ACKNOWLEDGMENTS
The authors would like to thank NSFC (Grant
Nos. 61300181,
61272057,
61202434,
61170270, 61100203,
61121061), the Fundamental Research Funds
for the Central Universities (Grant Nos.
2012RC0612, 2011Y- B01).
Springer-Verlag Berlin, Heidelberg, 2013.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TPDS.2015.2392752, IEEE Transactions on Parallel and Distributed Systems
XU et al.: circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud
X computing
11