Analysis of an ABE Scheme with Verifiable Outsourced Decryption

Abstract

Attribute-based encryption (ABE) is a popular cryptographic technology to protect the security of users’ data in cloud computing. In order to reduce its decryption cost, outsourcing the decryption of ciphertexts is an available method, which enables users to outsource a large number of decryption operations to the cloud service provider. To guarantee the correctness of transformed ciphertexts computed by the cloud server via the outsourced decryption, it is necessary to check the correctness of the outsourced decryption to ensure security for the data of users. Recently, Li et al. proposed a full verifiability of the outsourced decryption of ABE scheme (ABE-VOD) for the authorized users and unauthorized users, which can simultaneously check the correctness of the transformed ciphertext for both them. However, in this paper we show that their ABE-VOD scheme cannot obtain the results which they had shown, such as finding out all invalid ciphertexts, and checking the correctness of the transformed ciphertext for the authorized user via checking it for the unauthorized user. We first construct some invalid ciphertexts which can pass the validity checking in the decryption algorithm. That means their “verify-then-decrypt” skill is unavailable. Next, we show that the method to check the validity of the outsourced decryption for the authorized users via checking it for the unauthorized users is not always correct. That is to say, there exist some invalid ciphertexts which can pass the validity checking for the unauthorized user, but cannot pass the validity checking for the authorized user.

1. Introduction

Recently, cloud computing has become a very fascinating computing paradigm, in which storage and computation have moved away from terminal devices to the remote side. There are many novel applications in this area, such as outsourcing computation [1,2] and outsourcing verification [3]. This new and popular method brings important revolutions for the management, distribution and sharing data of enterprises and individuals, especially for some constrained devices, such as mobile phone, wireless sensors. Cloud clients (or sensors) are able to achieve significant cost savings by outsourcing their data storage and computation to some cloud service providers. Since the data of cloud clients (or sensors) are out of control by themselves, how to ensure the data security of cloud clients (sensors) is a significant problem in academia and industrial. Utilizing all kinds of cryptographic schemes is an essential method to achieve this goal. While attribute-based encryption (ABE) [4] is one of the most popular notions to study and utilize in cloud computing since it has the property of the flexible and fine-grained access control.

The notion of ABE was first introduced by Sahai and Waters [4]. There are two different types of ABE schemes according to the manner to deploy the access control policy, key-policy attribute-based encryption (KP-ABE) [5] and ciphertext-policy attribute-based encryption (CP-ABE) [6]. The ciphertexts are labeled with sets of attributes and access policies over these attributes are associated with clients’ private keys in the KP-ABE scheme. While every ciphertext is associated with an access policy, and every client’s private key is associated with a set of attributes in the CP-ABE scheme. However, decryption operations of most requirement that the set of attributes should satisfy the access policy in any ABE system and in most existing ABE schemes, one of the main drawbacks is that the length of the ciphertext and the decryption computational cost grow with the complexity of the access policy. This becomes critical obstacle in various applications, especially the applications on resource-limited devices.

In order to reduce the decryption time and the computation cost, Green et al. [7] proposed an ABE scheme with outsourced decryption (ABE-OD). In their scheme, an authorized client first delegated an untrusted cloud server to convert the original ciphertext into a transformed ciphertext with a transformation key, and then the client obtained the plaintext from the transformed ciphertext by spending a small overhead. The ABE-OD scheme would not leak any information about the encrypted data. However, the ABE-OD proposed by Green et al. cannot ensure the correctness of the transformed ciphertext since the cloud server is public and untrusted. The untrusted cloud server may send a wrong transformed ciphertext to the clients for saving computing cost or suffering from malicious attack which also causes to generate the incorrectly transformed ciphertext. In order to ensure the correctness of the ciphertext, Lai et al. [8] put forth an ABE-OD scheme that can check the correctness of the transformed ciphertext generated by the cloud server, which was called ABE with verifiable outsourced decryption (ABE-VOD). In their ABE-VOD scheme, the data owner encrypted a plaintext and a random message to the ciphertext respectively, and generated a commitment of an actual plaintext and the random message. And in the decryption algorithm of their ABE-VOD scheme, the client should compute the plaintext and the random message to use the commitment to verify whether the transformed ciphertext is generated correctly. A client was able to verify the correctness of the transformed ciphertext if and only if his/her attributes set satisfies the access structure associated with the ciphertext. Subsequently, several ABE-VOD schemes were proposed according to different methods and distinct scenarios in [9,10,11,12,13]. And Qiu et al. [14] used an ontology-based approach to achieve attribute-based access controls as well.

Recently, Li et al. [15] proposed a full verifiability for outsourced decryption in ABE, which could simultaneously check the correctness of transformed ciphertext for the authorized clients and unauthorized clients. In their scheme, a data owner constructed two access policies for the authorized clients and unauthorized clients, respectively. And then the data owner uses a short “signature” for each ciphertext to ensure that the client could verify the validity of the transformed ciphertext. In order to avoid first computing the plaintext and then verifying the validity of the ciphertext, Li et al. used “verify-then-decrypt” skill rather than “decrypt-then-verify” paradigm. That is to say, the client first verified the validity of the ciphertext or the transformed ciphertext, and then decrypted the ciphertext and obtains the corresponding plaintext or the random message if the ciphertext or the transformed ciphertext passed the verification of its validation.

1.1. Motivation and Contribution

In cloud computing, the ABE-OD scheme cannot ensure the correctness of the ciphertext or the transformed ciphertext for cloud server being untrusted. The untrusted server may send a wrong transformed ciphertext to the users for saving computing cost or it may have suffered from malicious attack which also produces the incorrect ciphertext or transformed ciphertext. In order to ensure the correctness of the ciphertext or the transformed ciphertext, the ABE-VOD schemes were proposed in [9,10,11,12,13,15].

However, we firstly show that the validity verification method in decryption algorithm of the ABE-VOD scheme put forth by Li et al. [15] cannot always check the validity of all ciphertexts in this paper. That is to say, there exist some invalid ciphertexts which can pass the validity checking and output the “corresponding” plaintexts. Furthermore, even if the untrusted server honestly performs the outsourced decryption for these invalid ciphertexts, the decryption algorithm cannot check them (the decryption algorithm cannot output ⊥). Thus, the “verify-then-decrypt” skill used in [15] is unavailable. Then, we show that the method to check the validity of the outsourced decryption for the authorized user via checking it for the unauthorized user is not always correct. That is to say, there exist some invalid ciphertexts which can pass the validity checking for the unauthorized user, but cannot pass the correctness of the ciphertexts checking for the authorized user.

1.2. Organization of the Paper

The rest of this paper is organized as follows. The system model of the ABE-VOD and some basic mathematic knowledge are introduced in Section 2. In Section 3, we review the ABE-VOD scheme proposed by Li et al., and analyze their scheme. Finally, the conclusions are given in Section 4.

2. Premilinary

In the section, we will recall the definition of ABE-VOD and some basic mathematic knowledge in [15].

2.1. System Model

The ABE-VOD Scheme consists of seven algorithms: Setup, KeyGen, Encrypt, Decrypt, GenTK${}_{out},$ Transform${}_{out}$ and Decrypt${}_{out}.$ The detailed is described as follows.

• Setup$(1^{\lambda },U).$ Take as input a security parameter $1^{\lambda }$ and attribute universe description $U,$ generate a master secret key $msk$ and public parameters $PK.$
• KeyGen$(msk,PK,S).$ Take as input the master secret key $msk,$ the public parameters $PK$ and an attribute set $S,$ generate the client’s private key $SK.$ If a client is an authorized one, use $S{K}_{DS}$ to represent the private key of the authorized client, where $DS$ represents an attribute set of the authorized client. If a client is an unauthorized one, the client uses $S{K}_{VS}$ to represent the private key of the unauthorized client, where $VS$ represents an attribute set of the unauthorized client.
• Encrypt$(PK,M,\mathbb{A},\overline{\mathbb{A}}).$ Take as input the public parameters $PK,$ the plaintext M and two access structures $\mathbb{A},\overline{\mathbb{A}},$ and output a ciphertext $CT.$
• Decrypt$(SK,CT).$ Take as input a private key $SK$ and a ciphertext $CT.$ If the client’s attribute set S satisfies the access policy $\mathbb{A},$ then the client utilizes the private key $S{K}_{DS}$ to decrypt the ciphertext; otherwise, the client utilizes the private key $S{K}_{VS}$ to decrypt the ciphertext. After the client checks the correctness of the ciphertext, he/she outputs the plaintext M if the ciphertext is valid; otherwise, the client outputs $\perp .$
• GenTK${}_{out}(PK,SK).$ Take as input the public parameters $PK$ and the private key $SK,$ genetate a transformation key $TK$ and a retrieving key $RK.$ If a client is an authorized one, let $SK=S{K}_{DS}$ and set $TK=T{K}_{DS},$ $RK=R{K}_{DS};$ otherwise, let $SK=S{K}_{VS}$ and set $TK=T{K}_{VS},$ $RK=R{K}_{VS}.$
• Transform${}_{out}(TK,CT).$ Take as input the transformation key $TK$ and the ciphertext $CT,$ generate the transformed ciphertext $TCT.$
• Decrypt${}_{out}(CT,TCT,RK).$ Take as input a ciphertext $CT,$ a transformed ciphertext $TCT$ and a retrieving key $RK.$ If the client’s attribute set S satisfies the access policy $\mathbb{A},$ the client is an authorized one and then he/she utilizes $CT,$ $TCT$ and $R{K}_{DS}$ to decrypt the ciphertext; otherwise, the client utilizes the private key $CT,$ $TCT$ and $R{K}_{VS}$ to decrypt the ciphertext. After the client checks the correctness of the ciphertext, outputs the plaintext M if the ciphertext is valid; otherwise, outputs $\perp .$

2.2. Bilinear Pairing

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be two multiplicative groups which have the same prime order $q,$ ${\mathbb{Z}}_q^{*}$ be the multiplicative group of the finite field ${\mathbb{F}}_q.$ A bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ [16], which satisfies the followings three properties:

• Bilinearity: For any $\alpha ,\beta ,\gamma \in {\mathbb{G}}_1,$

  $$e(\alpha ,\beta \gamma )=e(\alpha ,\beta )e(\alpha ,\gamma ),\mathrm{and}$$

  $$e(\alpha \beta ,\gamma )=e(\alpha ,\gamma )e(\beta ,\gamma ).$$
• Non-degeneracy: There are elements $\alpha ,\beta \in {\mathbb{G}}_1,$ such that $e(\alpha ,\beta )\ne 1,$ where 1 is the identity element of ${\mathbb{G}}_2$.
• Computability: For any elements $\alpha ,\beta \in {\mathbb{G}}_1,$ there is an efficient algorithm to compute $e(\alpha ,\gamma ).$

The concrete bilinear pairings e will be using the modified Weil [17] or Tate pairings [18] on some elliptic curves. We will define two hard problems used in our paper below: Decisional Diffie-Hellman (DDH) problem and Computational Diffie-Hellman (CDH) problem. Let $\alpha$ be a generator of the group ${\mathbb{G}}_1.$

Definition 1.

(CDH problem in ${\mathbb{G}}_1).$ Given $\alpha , {\alpha }^x, {\alpha }^y\in {\mathbb{G}}_1$, to compute ${\alpha }^{xy}.$

Definition 2.

(DDH problem in ${\mathbb{G}}_1).$ Given $\alpha ,$ ${\alpha }^x,$ ${\alpha }^y,$ ${\alpha }^z$$\in {\mathbb{G}}_1$, to decide whether $xy\equiv z\mathrm{mod}q$ holds or not.

It is obvious that the DDH problem in ${\mathbb{G}}_1$ is easy since it can verify above congruence by using the bilinear pairing e. However, as far there is no polynomial-time algorithm to solve CDH problem in ${\mathbb{G}}_1$, we assume that CDH problem in ${\mathbb{G}}_1$ is hard.

2.3. Linear Secret Sharing Schemes

We recall a description for LSSS in [19]. Let $\mathcal{P}$ be a set of parties. A secret sharing scheme $\Pi$ is called linear (over ${\mathbb{Z}}_p$) if it satifies the following conditions.

• The secret shares of each party form a vector in ${\mathbb{Z}}_p.$
• Let A is a matrix with l rows and n columns. Let the function $\rho$ represent the party labeling row i as $\rho \left(i\right),$ where is the ith row of $A.$ Suppose a vector ${\overrightarrow{v}}_i={(s,r_2,\dots ,r_n)}^T$ is the column vector and $r_2,\dots ,r_n$ are random value in ${\mathbb{Z}}_p,$ where $s\in {\mathbb{Z}}_p$ is the secret to be shared. $A\overrightarrow{v}$ is the vectors of l shares for the the secret s with respect to $\Pi .$ The share ${\left(A\overrightarrow{v}\right)}_i$ belongs to party $\rho \left(i\right).$ Suppose that $\Pi$ is an LSSS of the access policy $\mathbb{A}$ and $S\in \mathbb{A}$ is any authorized set. Let $I=\{i:\rho (i)\in S\}\subset \left[l\right]=\{1,2,\dots ,l\}.$ If $\left\{{\lambda }_i\right\}$ are valid shares for any secret s with respect to $\Pi ,$ then we can compute constants ${\{{\omega }_i\in {\mathbb{Z}}_p\}}_{i\in I}$ such that ${\displaystyle \sum _{i\in I}}{\omega }_i{\lambda }_i=s,$ where ${\lambda }_i={\left(A\overrightarrow{v}\right)}_i.$

Notations. The vector $(1,0,\dots ,0)$ is the “target” vector of any LSSS. For any unauthorized set of rows I in $A,$ the target vector is not in the span of the rows of set $I.$ For any authorized set of rows I in $A,$ the target vector is in the span of $I.$

3. Analysis of Li et al.’s Abe-Vod Scheme

Since ABE-VOD scheme proposed by Li et al. is much complex, we recall it in Appendix B and the security model in Appendix A.

3.1. The Excepted Functionalities of the ABE-VOD Scheme

In the subsection, we analyze the construction of the ABE-VOD scheme proposed by Li et al. The scheme wanted to get the following results at least.

• First, any ABE-VOD should have the decryption functionality. The decryption algorithm of the ABE-VOD can correctly check the valid ciphertext and invalid ciphertext (any encryption scheme must satisfy this condition). That is to say, the Decrypt algorithm outputs a corresponding plaintext of some ciphertext if and only if the ciphertext is valid, or the Decrypt${}_{out}$ algorithm outputs the corresponding plaintext of a transformed ciphertext if and only if the transformed ciphertext is correct.
• Then, the ABE-VOD scheme can simultaneously check the correctness of the transformed ciphertext for the authorized users and unauthorized users by using “verifying-then-decrypt” method to guarantee the correctness of the transformed ciphertext.

3.2. The ABE-VOD Scheme Cannot Verify the Validity of All Ciphertexts

In general, the goal of the verification formulas of the decryption algorithm are to check the correctness of ciphertext. However, the decryption algorithm of ABE-VOD scheme proposed by Li et al. only checks validity of a part of ciphertext, but not checks whether the output of the decryption algorithm for some ciphertext is the original plaintext . In the subsection, we show that there exist some ciphertexts which are verified by the decryption algorithm, but its output isn’t the original plaintext.

As analysis in [15], the ciphertext stored in cloud server maybe be tampered by some malicious attackers or the transformed ciphertext could be generated via using incorrect one by the untrusted cloud server. We will view these activities as attacks of an adversary and describe how an adversary constructs an invalid ciphertext below, which the decryption algorithm will view as a valid ciphertext and output the “corresponding” plaintext.

The adversary takes as input a random message $M\in {\{0,1\}}^m$ and the two LSSS access structures $\mathbb{A}$ = $(A,\rho )$, $\overline{\mathbb{A}}$ = $(\overline{A},\overline{\rho }).$

The adversary first picks up a random string $R\in {\{0,1\}}^m,$ two random vectors

$$\overrightarrow{v}=(s_1,v_{12},\cdots ,v_{1n})\in {\left({\mathbb{Z}}_p^{*}\right)}^n$$

and

$${\overrightarrow{v}}^{\prime }=(s_2,v_{22},\cdots ,v_{2n})\in {\left({\mathbb{Z}}_p^{*}\right)}^n$$

and two random elements $s_1^{\prime },s_2^{\prime }\in {\mathbb{Z}}_p^{*}$ such that $s_1\ne s_1^{\prime }$ and $s_2\ne s_2^{\prime }.$ For each row $A_i$ of A, ${\overline{A}}_i$ of $\overline{A}$, it picks $r_{1,i},r_{2,i}\in {\mathbb{Z}}_p^{*}$ uniformly at random. Then, it calculates:

$$C_M=M\oplus H_3(e{(g,g)}^{\alpha s_1^{\prime }}),$$

$${\eta }_1=H_1\left(e{(g,g)}^{\alpha s_1}\right),$$

$$C_1=g^{s_1},$$

$$C_{1,i}=g^{a{A}_i·\overrightarrow{v}}{T}_{\rho \left(i\right)}^{-r_{1,i}},D_{1,i}=g^{r_{1,i}}\forall i\in \{1,2,\cdots ,l\}.$$

Set $C{T}_M=(C_M,C_1,{\left\{C_{1,i}\right\}}_{i\in \left[l\right]},{\left\{D_{1,i}\right\}}_{i\in \left[l\right]}),$ and compute:

$$C_R=R\oplus H_3(e{(g,g)}^{\alpha s_2^{\prime }}),$$

$${\eta }_2=H_1\left(e{(g,g)}^{\alpha s_2}\right),$$

$$C_2=g^{s_2},$$

$$C_{2,i}=g^{a{\overline{A}}_i·{\overrightarrow{v}}^{\prime }}{T}_{\overline{\rho }\left(i\right)}^{-r_{2,i}},D_{2,i}=g^{r_{2,i}},\forall i\in \left[l\right].$$

Set $C{T}_R=(C_R,C_2,{\left\{C_{2,i}\right\}}_{i\in \left[l\right]},{\left\{D_{2,i}\right\}}_{i\in \left[l\right]}).$

$${\sigma }_1=H_2{(C_M,C_R)}^{{\eta }_1},{\sigma }_M=\{{\sigma }_1,H_2(C_M,C_R)\},$$

$${\sigma }_2=H_2{(C_M,C_R)}^{{\eta }_2},{\sigma }_R=\{{\sigma }_2,H_2(C_M,C_R)\}.$$

The ciphertext $CT=(\mathbb{A},\overline{\mathbb{A}},C{T}_M,{\sigma }_M,C{T}_R,{\sigma }_R).$

Obviously, the ciphertext $CT$ is not a valid ciphertext of the message M since the adversary picks two distinct random numbers $s_1$ and $s_1^{\prime }$ to produce the ciphertext $C{T}_M$, and picks two distinct random numbers $s_2$ and $s_2^{\prime }$ to produce the ciphertext $C{T}_R$. However, the decryption algorithm will view it as a valid ciphertext and output the “corresponding” plaintext. When the decryption algorithm takes as input $CT$ and $SK,$ it runs as follows.

• If S satisfies the access policy $\mathbb{A}$, the private key $SK$ of an authorized client is

  $$(DS,K=g^{\alpha }{y}^{t_1},K_0=g^{t_1},{\{K_i=T_i^{t_1}\}}_{at{t}_i\in DS}).$$
  Let $I=\{i:\rho (i)\in S\}\subset \left[l\right]=\{1,2,\cdots ,l\}.$ Then it calculates ${\omega }_i\in {\mathbb{Z}}_p^{*}$ for $i\in I$ such that ${\mathsf{\Sigma }}_{i\in I}{\omega }_i{A}_i$ = $(1,0,\cdots ,0),$ and computes:

  $$X_M=\frac{e(C_1,K)}{{\displaystyle \prod _{i\in I}}{\left(e(C_{1,i},K_0)e(D_{1,i},K_{\rho \left(i\right)})\right)}^{{\omega }_i}},$$

  which equals $e{(g,g)}^{\alpha s_1}.$
  It is clear that the equality

  $$e({\sigma }_1,g)=e(H_2(C_M\left|\right|C_R),g^{{\eta }_1})$$

  holds, where ${\eta }_1=H_1\left(X_M\right).$ Then it computes

  $$M^{\prime }=C_M\oplus H_3\left(X_M\right)=M\oplus e{(g,g)}^{\alpha s_1^{\prime }}\oplus e{(g,g)}^{\alpha s_1}.$$
  However, $M^{\prime }$ does not equal M since $s_1^{\prime }\ne s_1.$ That is to say, the decryption algorithm cannot refuse the plaintext of the ciphertext which is produced by other “encryption” algorithm.
• If S satisfies the access policy $\overline{\mathbb{A}}$, the private key $SK$ of an unauthorized client is

  $$(VS,K=g^{\alpha }{y}^{t_2},K_0=g^{t_2},{\{K_i=T_i^{t_2}\}}_{at{t}_i\in VS}).$$
  Let $I=\{i:\overline{\rho }\left(i\right)\in S\}\subset \{1,2,\cdots ,l\}.$ Then it calculates ${\omega }_i\in {\mathbb{Z}}_p^{*}$ for $i\in I$ such that ${\mathsf{\Sigma }}_{i\in I}{\omega }_i\overline{A_i}$ = $(1,0,\cdots ,0),$ and computes:

  $$X_R=\frac{e(C_2,KP)}{{\displaystyle \prod _{i\in I}}{\left(e(C_{2,i},K{P}_0)e(D_{2,i},K{P}_{\overline{\rho }\left(i\right)})\right)}^{{\omega }_i}},$$

  which equals $e{(g,g)}^{\alpha s_2}.$
  For the same reason above, the equality

  $$e({\sigma }_2,g)=e(H_2(C_M\left|\right|C_R),g^{{\eta }_2})$$

  holds, where ${\eta }_2=H_1\left(X_R\right).$ Then it computes

  $$R^{\prime }=C_R\oplus H_3\left(X_R\right)=R\oplus e{(g,g)}^{\alpha s_2^{\prime }}\oplus e{(g,g)}^{\alpha s_2}.$$
  However, $R^{\prime }$ does not equal R since $s_2^{\prime }\ne s_2.$

Thus, the decryption algorithm of the ABE-VOD scheme proposed by Li et al. for both the authorized client and the unauthorized client cannot check the validity of all ciphertexts. I.e., there exist some invalid ciphertexts which can pass the validity checking. Furthermore, their ABE-VOD scheme cannot check the validity of the outsourcing computation by checking the correctness of the corresponding ciphertext since the output of both the Decrypt algorithm and Decrypt${}_{out}$ algorithm is not always correct.

3.3. The ABE-VOD Scheme Is Not Full Verifiable

Since verifying the correctness of the outsourced decryption for unauthorized clients is very important, Li et al. considered the following scenario. The authorized user wants to, but is not able to, process some pending businesses when the time or position of the authorized client is limited. He/she needs someone to help him/her to verify whether a pending business is correctly processed and does not want the latter to know anything about the content of the business. Thus Li et al. proposed the ABE-VOD scheme which could utilize an unauthorized client to help him/her to verify the correctness of the transformed ciphertext. We construct the following ciphertext which can pass the correctness checking for an unauthorized client but it is not a valid ciphertext for the authorized client.

The adversary takes as input a random message $M\in {\{0,1\}}^m$ and the two LSSS access structures $\mathbb{A}$ = $(A,\rho )$, $\overline{\mathbb{A}}$ = $(\overline{A},\overline{\rho }).$

The adversary first picks a random string $R\in {\{0,1\}}^m,$ two random vectors

$$\overrightarrow{v}=(s_1,v_{12},\cdots ,v_{1n})\in {\left({\mathbb{Z}}_p^{*}\right)}^n$$

and

$${\overrightarrow{v}}^{\prime }=(s_2,v_{22},\cdots ,v_{2n})\in {\left({\mathbb{Z}}_p^{*}\right)}^n.$$

For each row ${\overline{A}}_i$ of $\overline{A}$, it picks $r_{2,i}\in {\mathbb{Z}}_p^{*}$ uniformly at random. And it uniformly picks

$$C_M\in {\{0,1\}}^m,{\eta }_1\in {\mathbb{Z}}_p^{*},C_1,{\{C_{1,i},D_{1,i}\}}_{\left[l\right]}\in {\mathbb{G}}_1$$

at random.

Set $C{T}_M=(C_M,C_1,{\left\{C_{1,i}\right\}}_{i\in \left[l\right]},{\left\{D_{1,i}\right\}}_{i\in \left[l\right]})$, then it calculates:

$$C_R=R\oplus H_3\left(e{(g,g)}^{\alpha s_2}\right),$$

$${\eta }_2=H_1\left(e{(g,g)}^{\alpha s_2}\right),$$

$$C_2=g^{s_2},$$

$$C_{2,i}=g^{a{\overline{A}}_i·{\overrightarrow{v}}^{\prime }}{T}_{\overline{\rho }\left(i\right)}^{-r_{2,i}},D_{2,i}=g^{r_{2,i}},\forall i\in \left[l\right].$$

Set $C{T}_R=(C_R,C_2,{\left\{C_{2,i}\right\}}_{i\in \left[l\right]},{\left\{D_{2,i}\right\}}_{i\in \left[l\right]}).$

$${\sigma }_1=H_2{(C_M,C_R)}^{{\eta }_1},{\sigma }_M=\{{\sigma }_1,H_2(C_M,C_R)\},$$

$${\sigma }_2=H_2{(C_M,C_R)}^{{\eta }_2},{\sigma }_R=\{{\sigma }_2,H_2(C_M,C_R)\}.$$

The ciphertext $CT=(\mathbb{A},\overline{\mathbb{A}},C{T}_M,{\sigma }_M,C{T}_R,{\sigma }_R).$

It is clear that if S satisfies the access policy $\mathbb{A},$ the authorized client cannot pass the checking of the correctness of the ciphertext. Because the elements $C_M,C_1,{\left\{C_{1,i}\right\}}_{i\in \left[l\right]},{\left\{D_{1,i}\right\}}_{i\in \left[l\right]}$ are random elements, which is a valid ciphertext with a negligible probability. That is to say, since the equation ${\eta }_1=H_1(\frac{e(C_1,K)}{{\displaystyle \prod _{i\in I}}{\left(e(C_{1,i},K_0)e(D_{1,i},K_{\rho \left(i\right)})\right)}^{{\omega }_i}})$ with negligible probability for random elements $C_M,$ $C_1,$ ${\eta }_1,$ ${\left\{C_{1,i}\right\}}_{i\in \left[l\right]},$ ${\left\{D_{1,i}\right\}}_{i\in \left[l\right]},$ ${\sigma }_1$ is a valid signature of $H_2(C_M,C_R)$ with negligible probability. We use the decryption algorithm to check the equality

$$e({\sigma }_1,g)=e(H_2(C_M\left|\right|C_R),g^{{\eta }_1}),$$

which holds with negligible probability for random elements $C_M,C_1,$ ${\eta }_1,$ ${\left\{C_{1,i}\right\}}_{i\in \left[l\right]},{\left\{D_{1,i}\right\}}_{i\in \left[l\right]}.$

However, if S satisfies the access policy $\overline{\mathbb{A}},$ the unauthorized client can pass the correctness checking of the ciphertext. Because the adversary uses the Encrypt algorithm to encrypt the message R for the unauthorized client. The equations

$${\eta }_2=H_1\left(e{(g,g)}^{\alpha s_2}\right),$$

$$\mathrm{and}{\sigma }_2=H_2{(C_M,C_R)}^{{\eta }_2}$$

hold. That means

$$e({\sigma }_2,g)=e(H_2(C_M\left|\right|C_R),g^{{\eta }_2})$$

always holds. Thus, the decryption algorithm can output plaintext R correctly. Especially, when the untrusted server honestly runs the Transform${}_{out}$ algorithm, the unauthorized client can always pass the correctness checking of the transformed ciphertext.

Thus, the ABE-VOD scheme cannot verify the correctness of the ciphertext or the transformed ciphertext for the authorized user via verifying it for the unauthorized user.

3.4. Furthermore Analysis

We have showed that the decryption algorithm cannot satisfy two functionalities, checking the correctness of all ciphertexts and “full verifiable” above. Next, we will explain the reason and possibly reasonable method.

On one hand, the construction of the above ABE-VOD scheme utilized ABE-OD scheme proposed by Green et al. [7] and short signature scheme proposed by Boneh et al. [16]. The one-time signature ${\sigma }_1$ of a “message” $H_2(C_M,C_R)$ (or ${\sigma }_2$ of a “message” $H_2(C_M,C_R)$) is unforgeable and it also ensures that

$$e({\sigma }_1,g)=e(H_2(C_M\left|\right|C_R),g^{{\eta }_1})$$

or

$$e({\sigma }_2,g)=e(H_2(C_M\left|\right|C_R),g^{{\eta }_2})$$

holds if and only if ${\sigma }_1$ and ${\sigma }_2$ are valid signatures of $H_2(C_M\left|\right|C_R)$ (or $C_M$ and $C_R$) under public key $g^{{\eta }_1}$ and $g^{{\eta }_2},$ respectively. However, there is no condition that guarantees the validity of $C_M$ and $C_R.$ That is to say, we can choose any random element as $C_M$ (or $C_R$). Thus, the above adversary can construct an invalid $C_M$ or $C_R$ but the ciphertext $CT$ can be verified as a valid ciphertext. It seems that the method to sign a part of the ciphertext cannot guarantee all invalid ciphertexts to be refused. It needs another secure mechanism to guarantee the part of the ciphertext is valid.

On the other hand, from the unauthorized client’s view, $C_M$ is a random element in ${\{0,1\}}^m,$ which is independent of $C_R,\overline{\mathbb{A}}$ and ${\sigma }_R.$ Thus, the unauthoized client has no capability to verify the validity of $C_M,$ and the construction in [15] cannot check the correctness of the ciphertext and the transformed ciphertext for the authorized users by checking the validity of the ciphertext and the correctness of the transformed ciphertext for the unauthorized clients.

4. Conclusions

In this paper, we showed that the validity verification method in decryption algorithm of the ABE-VOD scheme put forth by Li et al. cannot always check the validity of all ciphertexts. There exist some invalid ciphertexts which can pass the validity checking and the “verify-then-decrypt” skill used in [15] is unavailable. Then, we showed that the method to check the validity of the outsourced decryption for the authorized client via checking it for the unauthorized client was not always correct. There exist some invalid ciphertexts which can pass the validity checking for the unauthorized client but cannot pass the validity checking for the authorized client. Finally, we pointed out that although the scheme used signature skill to guarantee the ciphertext cannot be tampered, the signing key of the “signature scheme” used in the encryption scheme was not fixed and anyone can generated it. That caused our constructions.