A lightweight verifiable outsourced decryption of attribute-based encryption scheme for blockchain-enabled wireless body area network in fog computing

Wireless body area networks (WBANs) consist of tiny wearable sensors that monitor the physiological data of a user, and they have become a promising way to greatly improve the quality and efficiency of healthcare. The collected physical signs are aggregated into medical documents and uploaded to a cloud server for use by remote users. Since these files are highly sensitive private data, constructing a secure and efficient communication architecture for this application scenario is a vital challenge. From this standpoint, we present a lightweight verifiable ciphertext-policy attribute-based encryption protocol with outsourced decryption in this article. Specifically, our construction enjoys the following six features: (1) Although outsourced decryption sharply reduces the computational overhead of the data user in an attribute-based encryption scheme, the ciphertext leaves the data owner's control and its correctness cannot be guaranteed. Our proposal provides verifiability of the ciphertext, which allows the user to check its correctness efficiently. (2) The size of the ciphertext is constant; it does not grow with the complexity of the attribute set and the access structure. (3) For Internet of Things devices, we introduce fog computing into the protocol for the purpose of low latency and real-time interaction, which saves bandwidth. (4) With the help of the blockchain technique, we encapsulate the hash values of the public parameters, the original and transformed ciphertexts and the transformation key into a block, so that tamper resistance against adversaries from inside and outside the system is achieved. (5) In the standard model, we prove that the protocol is selectively chosen-plaintext attack-secure and verifiable provided that the computational bilinear Diffie–Hellman assumption holds. (6) We implement the protocol and report the results of performance measurements, which indicate a significant reduction in the communication and computation burden on every entity in the wireless body area network.


Introduction
The Internet of Things (IoT) connects physical devices over the Internet, including sensor nodes, smart terminals, and other wireless communication equipment [1–3]. As a main application of the IoT, the wireless body area network (WBAN) has attracted tremendous attention recently [4–6]. A WBAN consists of various wearable intelligent sensors on the body, which are connected by wireless communication links. The sensors in a WBAN provide constant health monitoring (for example, of heart rate, body temperature, blood pressure, and electrocardiogram) and real-time feedback to the data user (DU) or medical staff. Taking advantage of the WBAN, the patient enjoys physical mobility and experiences high-quality healthcare at home. In addition, the collected physiological data are uploaded to the cloud platform to be utilized by the DU.
As a distributed computation model over a shared pool of resources, cloud computing provides infrastructure as a service, such as physical computing resources, data partitioning, and storage [7–9]. In the cloud paradigm, the user simply pays for the cloud services supported by the cloud service provider (CSP) instead of managing and maintaining the infrastructure, which reduces the local storage overhead and provides convenient data access. Uploading the physiological data of a WBAN to the cloud platform realizes real-time data sharing, elastic distribution of computation resources and accurate, timely responses. However, the data owner (DO) loses physical control over the data once they are stored on the cloud platform, and the physiological data contain sensitive private information. Therefore, it is essential to implement confidentiality protection with access control against unauthorized users and a curious CSP.
To provide confidentiality and access control in the cloud, the attribute-based encryption (ABE) scheme was proposed as a preeminent cryptographic primitive [10]. ABE is a one-to-many encryption mode in which an authorized entity can decrypt the protected data only if the access structure and the attributes attached to the private key and the ciphertext match. ABE schemes are divided into two types, key-policy ABE (KP-ABE) schemes [11–13] and ciphertext-policy ABE (CP-ABE) schemes [14–17]. In the former, the private key is related to designated policies, while the ciphertext is labeled by some attributes. The user decrypts the ciphertext successfully only if the attributes of the ciphertext satisfy the access policy of the key, which reflects the permission of this user. On the contrary, in the latter, the ciphertext is associated with an access policy, while an attribute set is embedded into the private key. A CP-ABE scheme therefore expresses requirements on the decryptor. In the cloud-assisted WBAN, the physiological data are stored on the cloud storage server (CSS) and shared among the authorized DUs. Consequently, it is more practical to adopt a CP-ABE scheme to support confidentiality and access control in the cloud-assisted WBAN. Unfortunately, CP-ABE schemes have a shortcoming: the decryption phase is expensive because its cost depends on the complexity of the access structure, which impedes the application of ABE on resource-limited IoT devices.
To decrease the computational overhead of decryption borne by the DU, the concept of outsourced decryption was presented [18]. Concretely, a ciphertext and a transformation key are given to the CSS, which transforms the ciphertext into a partially decrypted one, rather than the DU decrypting it directly. The user then spends only a little cost to recover the plaintext from this partial ciphertext. Nevertheless, the validity of the transformed ciphertext cannot be ensured when the CSS is untrusted; a curious CSS may distort or tamper with the transformed ciphertext. Therefore, verifiability of the transformed ciphertext is necessary for outsourced-decryption ABE [19]. Moreover, the blockchain technique is a desirable method of resisting data tampering as well [20, 21]. Blockchain technology is the backbone of the Bitcoin cryptocurrency [22] and is considered a peer-to-peer distributed ledger technology for recording data. Its distinguishing features are decentralized maintenance, secure transport and access of data, tamper resistance and non-repudiation. Bringing blockchain into the outsourced-decryption ABE protocol, the ciphertext, the partial ciphertext, the transformation key, and other important parameters are encapsulated into a block chronologically, which prevents tampering by any entity, including inside and outside adversaries.
While enjoying this convenience, the cloud-assisted IoT also suffers from large network latency, massive data volumes, and various other drawbacks [23]. One of the preeminent technical measures to avoid these drawbacks is fog computing. As shown in Figure 1, fog computing was presented to extend the cloud service to the edge of the IoT [24–26], bringing resources and services closer to the IoT devices. In the face of the explosion of data in the IoT, fog computing provides low latency and real-time applications.

Related works
ABE is a popular topic that provides confidentiality and fine-grained access control. However, the weakness of the original ABE schemes is that decryption needs some expensive operations whose cost is related to the complexity of the access structure. Green et al. [18] introduced the model of ABE with outsourced computing to reduce the computational cost of decryption; it moved the decryption operation to the CSS and reduced the overhead of the DU significantly. Unfortunately, the correctness of the transformed ciphertext in Green et al. [18] cannot be checked. Lai et al. [19] presented a verifiable ABE protocol with outsourced decryption to verify the validity of the transformed ciphertext. To improve efficiency, Lin et al. [27] combined an attribute-based key encapsulation mechanism (KEM), a commitment protocol, and a symmetric key encryption scheme to achieve efficient verifiability. Moreover, they also put forward a unified model for outsourced-decryption ABE with verifiability. Qin et al. [28] encrypted the data with symmetric encryption and encrypted the symmetric key under an ABE scheme; by comparing hash values, this protocol verifies the correctness of the outsourced ciphertext. Mao et al. [29] designed an improved verifiable ABE protocol with outsourced decryption that cuts down the ciphertext size and computational cost noticeably by committing to the plaintext by means of a random parameter. Li et al. [30] gave a novel verifiable outsourced decryption ABE scheme with constant-size ciphertext, which not only verifies the validity of the transformed ciphertext but also makes the overhead independent of the complexity of the access structure. Li et al. [31] introduced an ABE protocol with fully verifiable outsourced decryption as well, in which all users (authorized and unauthorized) are able to check the correctness of the transformed ciphertext. Recently, Li et al. [32] demonstrated a verifiable ABE with outsourced computing in both the encryption and decryption phases. This protocol makes the cost of transformation key generation constant and shifts the burden off both the DO and the user.
Furthermore, blockchain technology is also employed to guarantee the validity of outsourced data. Once the vital parameters are encapsulated into a block, no entity (including authorized users and trusted or curious authorities from inside, and unauthorized users and adversaries from outside) can tamper with these data. Guo et al. [33] encapsulated electronic health records (EHRs) in a blockchain to guarantee their validity with an attribute-based cryptographic primitive; every patient endorses a message according to his or her attributes without revealing his or her private information. For application in a distributed system, the protocol in Guo et al. [34] demonstrated a multi-authority ABE for medical data; taking advantage of the blockchain technique, the integrity of these private data in the cloud is protected. Liu et al. [35] adopted CP-ABE to provide strong privacy preservation in data sharing; moreover, the index of the physiological data is stored in the blockchain, which ensures that such sensitive data cannot be modified arbitrarily. The schemes [36–39] all focus on the integrity and correctness of outsourced data in the cloud by relying on blockchain technology.
Although ABE schemes with outsourced decryption reduce the cost significantly, the mass of data produced by sensor nodes still greatly hinders their application on resource-limited IoT devices. In a cloud-fog architecture, a fog node (FN) can act as a proxy that executes part of the computation. With the assistance of the FN, the resource-limited IoT device needs less computation. In the fog computing environment, Zuo et al. [40] first presented a chosen-ciphertext attack (CCA)-secure model for ABE with outsourced decryption. Integrating CP-ABE and searchable encryption, Miao et al. [41] proposed an efficient fine-grained ciphertext searching system, which shifted part of the computation overhead from the DU to a selected FN. Fan et al. [42] introduced an access control scheme with multiple authorities for privacy preservation in the fog-assisted IoT architecture, in which the FN performs the verifiable outsourced decryption, ensuring real-time operation. Considering the computing capacity of the sensor node, Wang et al. [43] presented fine-grained access control with distributed outsourced computing, in which the receiver and the sender execute only a little computation with the help of the FN.

Contributions
In this article, to preserve privacy in WBANs, a lightweight verifiable CP-ABE protocol with outsourced decryption is presented. The contributions of our protocol are listed as follows.
1. By adding a verification algorithm to decryption, this scheme enjoys verifiability of the ciphertext, so that the DU can check its correctness. Moreover, relying on blockchain technology, it encapsulates the important data into blocks chronologically and protects these data from being tampered with by inside and outside adversaries.
2. The size of the ciphertext is constant and independent of the complexity of the attribute set and the access policy. Moreover, the FN takes over part of the computation and storage tasks, which cuts the cost of the IoT device operated by the DO.
3. Provided that the computational bilinear Diffie–Hellman (CBDH) assumption holds, we formally prove in the standard model that this proposal is verifiable and selectively chosen-plaintext attack (CPA)-secure.
4. For simulation and comparison, we implement our construction and demonstrate the results of performance measurements, which indicate a significant reduction in communication bandwidth and computation for every entity in this protocol.

Organization
The remainder of the paper is organized as follows. Section ''Preliminaries'' introduces some basic knowledge and concepts, such as the notions of bilinear map, security assumption and access structure, and the definition and security model of the verifiable CP-ABE scheme with outsourced decryption in this article. Section ''The architecture of system model'' describes the entities of our system model in detail. Section ''Our construction'' presents our concrete CP-ABE scheme with verifiable outsourced decryption for WBANs. Section ''Security analysis'' proves the security and verifiability of this proposal. Section ''Performance evaluation'' demonstrates the experimental results and the performance comparison with related schemes. Finally, Section ''Conclusion'' concludes the article.

Preliminaries
In this part, we introduce some preliminary knowledge regarding the cryptographic primitives on which our scheme depends.

Bilinear map
Suppose that $(G, +)$ and $(G_T, \times)$ are cyclic groups of prime order $p$. A bilinear map $\hat{e} : G \times G \to G_T$ possesses the following three properties:

Complexity assumption
Let $G$ be a finite cyclic group with prime order $p$, and let $a, b, c \in \mathbb{Z}_p^*$ be selected uniformly at random. The hard problem underlying the security of our protocol is defined below.
Definition 1 CBDH problem. Given a tuple of elements $\{A = aP, B = bP, C = cP\} \in G^3$, the CBDH problem in $(p, G, G_T, \hat{e})$ is to calculate the bilinear pairing $\hat{e}(P, P)^{abc}$.
The CBDH assumption in $(p, G, G_T, \hat{e})$ is that there is no probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$ that solves the CBDH problem with non-negligible advantage. The advantage of $\mathcal{A}$ is defined as the probability that $\mathcal{A}$ outputs $\hat{e}(P, P)^{abc}$ on input $(P, aP, bP, cP)$, where this probability is taken over the randomly chosen tuple $(P, a, b, c)$.
Access structure
Definition 2 Access structure. Suppose that $\{P_1, P_2, \ldots, P_n\}$ is a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ is monotone if, for any $B$ and $C$, $B \in \mathbb{A}$ and $B \subseteq C$ imply $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) $\mathbb{A}$ is a collection (respectively, monotone collection) of non-empty subsets of $\{P_1, P_2, \ldots, P_n\}$, that is, $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called authorized sets; all other sets are unauthorized.

Formal definition of CP-ABE with outsourced decryption
The CP-ABE scheme with outsourced decryption consists of the following seven algorithms.
$\mathrm{Setup}(1^\lambda) \to (PK, MSK)$: This algorithm takes the security parameter $1^\lambda$ as input and outputs the public parameters $PK$ and the master secret key $MSK$ of the system.
$\mathrm{KeyGen}(PK, MSK, Att) \to SK_{Att}$: This algorithm takes the public parameters $PK$, the master secret key $MSK$, and an attribute set $Att$ as input and returns a private key $SK_{Att}$ for $Att$.
$\mathrm{Encrypt}(PK, M, \mathbb{A}) \to CT$: This algorithm takes the public parameters $PK$, a message $M$ and an access policy $\mathbb{A}$ as input and returns the ciphertext $CT$ of $M$.
$\mathrm{Decrypt}(PK, SK_{Att}, CT) \to M$: This algorithm takes the public parameters $PK$, the private key $SK_{Att}$ for $Att$ and the ciphertext $CT$ as input and returns $M$ if $SK_{Att}$ satisfies the access structure $\mathbb{A}$.
$\mathrm{GenTK}_{out}(PK, SK_{Att}) \to (TK_{Att}, RK_{Att})$: This algorithm takes the public parameters $PK$ and the private key $SK_{Att}$ for the attribute set $Att$ as input and returns a transformation key $TK_{Att}$ together with the corresponding retrieving key $RK_{Att}$.
$\mathrm{Transform}_{out}(PK, CT, TK_{Att}) \to CT'$: This algorithm takes the public parameters $PK$, the ciphertext $CT$, and the transformation key $TK_{Att}$ for $Att$ as input and returns a partial ciphertext $CT'$.
$\mathrm{Decrypt}_{out}(PK, CT, CT', RK_{Att}) \to M$: This algorithm takes the public parameters $PK$, the ciphertext $CT$, the partial ciphertext $CT'$, and the retrieving key $RK_{Att}$ as input and returns the message $M$.
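To make the seven-algorithm interface concrete, the following Python example is added here; it is not the paper's construction and not code from its authors. It replaces the bilinear groups with the prime-order subgroup of $\mathbb{Z}_p^*$ for a constructed toy safe prime, omits attributes and access structures entirely (so KeyGen degenerates to handing out the master key), and uses SHA-256 and SHAKE-256 as stand-ins for $H_1$ and $H_2$. What it keeps is the shape of the outsourced flow: GenTK_out blinds the secret key with a fresh random $u$ and keeps $u$ as the retrieving key, Transform_out lets the fog node do the heavy exponentiation on a blinded key, and Decrypt_out unblinds with one exponentiation and then checks a hash commitment over the message and a random $\tilde{M}$, returning $\bot$ (here None) when the partial ciphertext has been altered.

```python
# Added example: a toy model of outsourced decryption with verifiability.
# NOT the paper's pairing-based CP-ABE: attributes and access structures are
# omitted and the bilinear group is replaced by the order-Q subgroup of Z_P^*
# for a small safe prime P = 2Q + 1 (constructed toy parameters, far too small
# for real use).  H1/H2 are SHA-256/SHAKE-256 stand-ins (assumption).
import hashlib
import secrets

P = 1019          # safe prime: P = 2*Q + 1
Q = 509           # prime order of the subgroup we work in
G = 4             # generator of the order-Q subgroup (a quadratic residue != 1)


def rand_exp() -> int:
    """Uniform non-zero exponent in Z_Q (stand-in for Z_p^* in the paper)."""
    return secrets.randbelow(Q - 1) + 1


def h1(*parts: bytes) -> bytes:
    """Commitment hash (stand-in for H_1): binds M and the random M~ together."""
    return hashlib.sha256(b"H1|" + b"|".join(parts)).digest()


def h2(k: int, label: int, n: int) -> bytes:
    """Key-derivation hash (stand-in for H_2): expands a group element to n bytes."""
    return hashlib.shake_256(b"H2|" + k.to_bytes(2, "big") + bytes([label])).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """Setup -> (PK, MSK): PK = g^a, MSK = a."""
    a = rand_exp()
    return pow(G, a, P), a


def keygen(msk: int) -> int:
    """KeyGen -> SK.  No attributes in this toy, so SK is simply MSK."""
    return msk


def encrypt(pk: int, m: bytes) -> tuple:
    """Encrypt -> CT.  A random M~ and the commitment H1(M, M~) give verifiability."""
    s = rand_exp()
    m_tilde = secrets.token_bytes(len(m))
    k = pow(pk, s, P)                        # shared element g^{as}
    c0 = xor(m, h2(k, 0, len(m)))            # hides M
    c0p = xor(m_tilde, h2(k, 1, len(m)))     # hides M~
    c1 = h1(m, m_tilde)                      # commitment checked by Decrypt_out
    c2 = pow(G, s, P)                        # g^s, the only part the FN touches
    return (c0, c0p, c1, c2)


def open_components(ct, k: int):
    """Recover (M, M~) from the shared element k and check the commitment."""
    c0, c0p, c1, _ = ct
    m = xor(c0, h2(k, 0, len(c0)))
    m_tilde = xor(c0p, h2(k, 1, len(c0)))
    return m if h1(m, m_tilde) == c1 else None   # None plays the role of the symbol ⊥


def decrypt(ct, sk: int):
    """Decrypt: the DU performs the full exponentiation itself."""
    return open_components(ct, pow(ct[3], sk, P))


def gen_tk_out(sk: int):
    """GenTK_out -> (TK, RK): blind SK with a fresh u; RK = u stays with the DU."""
    u = rand_exp()
    tk = sk * pow(u, -1, Q) % Q              # TK = a * u^{-1} mod Q
    return tk, u


def transform_out(ct, tk: int) -> int:
    """Transform_out (run by the FN): CT' = (g^s)^{TK} = g^{a s / u}."""
    return pow(ct[3], tk, P)


def decrypt_out(ct, ct_prime: int, rk: int):
    """Decrypt_out (run by the DU): one exponentiation, then verify the commitment."""
    k = pow(ct_prime, rk, P)                 # (g^{as/u})^u = g^{as}
    return open_components(ct, k)
```

Because the fog node only ever sees $g^s$ and the blinded exponent $a u^{-1}$, it learns neither the key nor the plaintext, and any modification of $CT'$ changes the recovered pair $(M, \tilde{M})$, so the commitment check fails and Decrypt_out reports $\bot$ instead of a wrong medical record.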

Security model for CP-ABE with outsourced decryption
Confidentiality. Since traditional CCA security does not permit any change to the bits of a ciphertext, it is not suitable for the above model of CP-ABE with outsourced decryption. Thus, we propose the selective CPA security model as the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.
Init: The adversary $\mathcal{A}$ submits $\mathbb{A}^*$ as a challenge access policy.
Setup: The challenger $\mathcal{C}$ selects a security parameter $1^\lambda$ and executes Setup; it returns the public parameters $PK$ to $\mathcal{A}$ and keeps the master secret key $MSK$ secret.
Query Phase 1: The challenger $\mathcal{C}$ maintains an empty list $L$ and a set $E$. The adversary $\mathcal{A}$ issues two kinds of queries, Private-Key-Extraction and Transformation-Key-Extraction.
Challenge: The adversary $\mathcal{A}$ submits two messages $M_0$ and $M_1$ of the same length and a challenge access policy $\mathbb{A}^*$ that is not satisfied by any queried $Att$. $\mathcal{C}$ randomly selects $b \in \{0, 1\}$ and calculates $CT^* = \mathrm{Encrypt}(PK, M_b, \mathbb{A}^*)$. After that, $\mathcal{C}$ returns the challenge ciphertext $CT^*$ to $\mathcal{A}$.
Query Phase 2: The adversary continues to make the same Private-Key-Extraction and Transformation-Key-Extraction queries as in Query Phase 1. However, the queried private keys must not satisfy the challenge access policy $\mathbb{A}^*$.
Guess: The adversary $\mathcal{A}$ returns its guess $b' \in \{0, 1\}$ on $b$.
The advantage of $\mathcal{A}$ in this game is defined as the advantage of its guess $b'$ over guessing $b$ at random.
Definition 3. This verifiable CP-ABE protocol with outsourced decryption is selectively CPA-secure if the advantage of every PPT adversary in the above security model is negligible.
Verifiability. The verifiability of the CP-ABE protocol with outsourced decryption is defined by the following interaction between an adversary and a challenger.
Init: The adversary $\mathcal{A}$ submits $\mathbb{A}^*$ as a challenge access policy.
Setup: The challenger $\mathcal{C}$ runs Setup to generate the public parameters $PK$ and the master secret key $MSK$. After that, it returns $PK$ to the adversary.
Query Phase 1: The adversary queries Private-Key-Extraction and Transformation-Key-Extraction as in Query Phase 1 of the above security game.
Challenge: The adversary $\mathcal{A}$ submits a message $M^*$ and a challenge access structure $\mathbb{A}^*$ to $\mathcal{C}$, which calculates $CT^* = \mathrm{Encrypt}(PK, M^*, \mathbb{A}^*)$ and responds to $\mathcal{A}$ with it as the challenge ciphertext.
Query Phase 2: The adversary adaptively issues the queries of Query Phase 1.
Output: The adversary $\mathcal{A}$ returns an attribute set $Att^*$ and a transformed ciphertext $CT^{*\prime}$. We suppose that the tuple $(Att^*, SK_{Att^*}, TK_{Att^*}, RK_{Att^*})$ is included in the list $L$; otherwise, $\mathcal{C}$ generates this tuple by querying Private-Key-Extraction and Transformation-Key-Extraction.
$\mathcal{A}$ wins this game if $\mathrm{Decrypt}_{out}(PK, CT^*, CT^{*\prime}, RK_{Att^*}) \notin \{M^*, \bot\}$. Moreover, the advantage of $\mathcal{A}$ in the above model is defined as the probability that $\mathcal{A}$ wins.

Definition 4 Verifiability. This CP-ABE scheme with outsourced decryption is verifiable if the advantage $\mathrm{Adv}^{\mathrm{Ver}}_{\mathrm{ABE}_{out}, \mathcal{A}}(1^\lambda)$ of every PPT adversary $\mathcal{A}$ is negligible.

The architecture of system model
The architecture of this system consists of the DO (such as a patient), the FNs, the CSS, the trusted authority (TA) and the DU (such as a doctor or researcher). The relationship between them is described in Figure 2 and elaborated as follows. The DO in this system is a patient who enjoys the medical monitoring service of the CSP. The wearable IoT devices collect the physiological data and medical images of the patient in the WBAN, such as the electrocardiograph (ECG), physical status video (PSV), blood pressure (BP), and so on. These data are then delivered to a collection device over the wireless network. Since the physiological data are sensitive private information, to protect the medical data and realize fine-grained access control, the DO designs an access policy and uses it to encrypt the data under the verifiable outsourced decryption CP-ABE scheme with the public system parameters PK acquired from the TA. After that, the encrypted data are uploaded to the FN via the Internet.
FNs are located at the edge of the network and have the ability to compute, transmit, and temporarily store the medical data. They have three primary missions in our proposal. First, the FN is in charge of forwarding the ciphertext from the DO to the CSS. Second, after receiving the transformation key TK from the DU, the FN computes the transformed ciphertext CT' and returns it to the DU. Third, the FN manages and maintains a blockchain that, for every encryption, stores the hash values of the public parameters PK, the transformation key TK, the ciphertext CT, and the transformed ciphertext CT' in a block, chronologically. Because of the tamper resistance of the blockchain, the data stored in it cannot be distorted by anyone. Specifically, any variation of a key or ciphertext would change the corresponding hash value in the blockchain, and all the entities in the system would perceive the variation. Consequently, the blockchain protects integrity against inside and outside adversaries in a verifiable and permanent manner.
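The FN's ledger just described can be illustrated with a minimal hash chain. The following Python example is added here and is not the paper's implementation nor its authors' code: the block layout, the use of SHA-256 for the recorded hash values, and the single-node chain (no consensus between FNs) are assumptions, and the PK, TK, CT and CT' artifacts are constructed placeholder byte strings. Each block commits to the four hash values for one encryption event and chains to the previous block's hash, so that a DU can compare what it received against the ledger, and a later rewrite of any stored block, even with its own hash recomputed, breaks the link to the block after it.

```python
# Added example: the fog node's tamper-evidence ledger from the system model,
# modelled as a minimal hash chain.  Constructed illustration code, not the
# paper's implementation; hash function, block layout and the placeholder
# artifacts are assumptions made for this example.
import hashlib
import json

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def payload_for(pk: bytes, tk: bytes, ct: bytes, ct_prime: bytes) -> dict:
    """The four hash values the FN records for one encryption event."""
    return {"h_pk": sha256_hex(pk), "h_tk": sha256_hex(tk),
            "h_ct": sha256_hex(ct), "h_ct_prime": sha256_hex(ct_prime)}


def block_hash(index: int, prev: str, payload: dict) -> str:
    """Deterministic digest over the block header and payload."""
    body = json.dumps({"index": index, "prev": prev, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(body)


class FogLedger:
    def __init__(self):
        self.blocks = []

    def append(self, pk, tk, ct, ct_prime) -> int:
        """Append one block; returns its index so the DU can look it up later."""
        payload = payload_for(pk, tk, ct, ct_prime)
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "payload": payload,
                            "hash": block_hash(index, prev, payload)})
        return index

    def verify_chain(self) -> bool:
        """Recompute every block hash and check that each prev link is intact."""
        prev = GENESIS_PREV
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev:
                return False
            if block_hash(i, prev, b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def matches(self, index, pk, tk, ct, ct_prime) -> bool:
        """What a DU checks before Decrypt_out: received artifacts vs. the ledger."""
        return self.blocks[index]["payload"] == payload_for(pk, tk, ct, ct_prime)


def demo() -> dict:
    # Constructed placeholder artifacts standing in for the real group elements.
    pk, tk = b"PK:placeholder", b"TK:user-42"
    ct, ct_prime = b"CT:encrypted-ECG-record", b"CT':partially-decrypted"
    ledger = FogLedger()
    idx = ledger.append(pk, tk, ct, ct_prime)
    ledger.append(pk, b"TK:user-43", b"CT:second-record", b"CT':second")
    results = {
        "honest": ledger.matches(idx, pk, tk, ct, ct_prime),
        "tampered_ct_prime": ledger.matches(idx, pk, tk, ct, b"CT':forged"),
        "chain_ok": ledger.verify_chain(),
    }
    # An insider rewriting block 0, even with a recomputed hash, breaks block 1's link.
    ledger.blocks[0]["payload"]["h_ct_prime"] = sha256_hex(b"CT':forged")
    ledger.blocks[0]["hash"] = block_hash(0, GENESIS_PREV, ledger.blocks[0]["payload"])
    results["chain_after_rewrite"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

The chain only records hashes, so nothing about the medical data leaks through the ledger; the DU's check in `matches` is what turns the FN's record into the verifiability described above, while `verify_chain` is the check every entity can run to notice a rewritten block.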
The CSS owns considerable storage space and computing capability and supplies outsourced storage and computation services to customers. In this system, the CSS is responsible for storing the outsourced data from the DO in the form of ciphertext, which can be accessed by the DU.
The TA is the system parameter generation center, responsible for generating the public parameters PK and the master secret key and for distributing secret keys to the registered DO and DUs. It executes the Setup and KeyGen algorithms.
The DU represents the medical staff for diagnosis, researchers in medical science, relatives concerned about the patient, and so on. Each registered user receives an attribute secret key according to his or her characteristics. If their attributes meet the access policy of the DO, the DU is able to access the medical data. In detail, after receiving the partially decrypted medical file (i.e. the transformed ciphertext CT') from the FN, the DU downloads the ciphertext CT from the CSS and performs verification and decryption using the attribute secret key and the transformation key pair to obtain the plaintext medical data.

Our construction
In this section, the notations used are listed in Table 1, and the seven concrete algorithms are presented below.

Table 1. Notations.
$G_T$: The multiplicative cyclic group with prime order $p$.
$P$: The generator of $G$.
$H_i$: The collision-resistant hash function, $i = 1, 2$.
$PK$: The public parameters of this system.
$MSK$: The master secret key of this system.
$Att$: The authorized attribute set.
$I$: The number of attributes in $Att$.
$SK_{Att}$: The private key of the user with attribute set $Att$.
$TK_{Att}$: The transformation key of the user with attribute set $Att$.
$RK_{Att}$: The retrieving key of the user with attribute set $Att$.

$\mathrm{Setup}(1^\lambda) \to (PK, MSK)$: The TA takes $1^\lambda$ as input and selects a bilinear map $\hat{e} : G \times G \to G_T$, where $G$ and $G_T$ are additive and multiplicative cyclic groups with prime order $p$. Let $P$ be a generator of $G$. The TA chooses $a, b \in \mathbb{Z}_p^*$ at random and calculates $A = \hat{e}(P, P)^a$, $B = bP$, $B' = (1/b)P$. Then, it picks two collision-resistant hash functions $H_1 : \{0, 1\}^* \to \mathbb{Z}_p^*$ and $H_2 : G_T \to \{0, 1\}^*$. At last, the TA returns the public parameters $PK = \langle \hat{e}, G, G_T, p, P, A, B, B', H_1, H_2 \rangle$ and the master secret key $MSK = \langle a, b \rangle$.
$\mathrm{KeyGen}(PK, MSK, Att) \to SK_{Att}$: Consider a linear secret sharing scheme (LSSS) $\Pi$ for an access policy $\mathbb{A}$ [30], an authorized attribute set $Att$ and $I = |Att|$. It obtains shares $\{a_i\}_{i \in I}$ of the secret $\gamma \in \mathbb{Z}_p^*$, where $\gamma = \sum_{i \in I} a_i t_i$, the share $a_i$ corresponds to the party $att_i \in Att$, and $\{t_i \in \mathbb{Z}_p\}_{i \in I}$ are the values underlying the attributes $att_i$. For different attribute sets $Att$ and $Att'$, the resulting secrets $(\gamma = \sum_{i \in I} a_i t_i)_{att_i \in Att}$ differ. The TA computes $K_1 = ((a + \gamma)/b)P$, $K_2 = \gamma P$, and sends $SK_{Att} = \langle K_1, K_2 \rangle$ to the DU with attribute set $Att$.
$\mathrm{Encrypt}(PK, M, \mathbb{A}) \to CT$: To encrypt $M \in \{0, 1\}^*$, the DO first selects $\tilde{M} \in \{0, 1\}^*$ and $s, s' \in \mathbb{Z}_p^*$. Next, the DO computes the ciphertext components and returns the ciphertext $CT$.
$\mathrm{Decrypt}(PK, SK_{Att}, CT) \to M$: On input the private key $SK_{Att}$ and the ciphertext $CT$, the DU calculates $\langle D, D' \rangle$ as follows:
$$D = \frac{\hat{e}(C_2, K_1)}{\hat{e}(C_3, K_2)} = \frac{\hat{e}(sbP, ((a + \gamma)/b)P)}{\hat{e}(sP, \gamma P)} = \frac{\hat{e}(P, P)^{s(a + \gamma)}}{\hat{e}(P, P)^{s\gamma}} = \hat{e}(P, P)^{sa}$$

Security analysis
In this part, we prove that this protocol is selectively CPA-secure and verifiable in the standard model.
Theorem 1. Provided that the protocol in Waters [17] is selectively CPA-secure, our proposal is selectively CPA-secure as well.
Proof. This protocol is shown to be selectively CPA-secure by means of the following two games.
Game$_0$: This is the original selective CPA security game of the CP-ABE protocol.
Game$_1$: The challenger picks $\hat{C} \in G$ at random and uses it, together with the rest of the challenge ciphertext, to generate the challenge.
The proof of this theorem consists of the following two lemmas. Lemma 1 proves the indistinguishability between Game$_0$ and Game$_1$, while Lemma 2 demonstrates that the advantage of the adversary in Game$_1$ is negligible. Consequently, the advantage in Game$_0$ is also negligible.
Lemma 1. Assume that the scheme in Waters [17] is selectively CPA-secure; then Game$_0$ and Game$_1$ are computationally indistinguishable.
Proof. Suppose that an adversary $\mathcal{A}$ distinguishes Game$_0$ and Game$_1$ with non-negligible probability; then a simulator $\mathcal{B}$ attacks the scheme [17] in the selective CPA security model with non-negligible advantage.
Let $\mathcal{C}$ be the challenger in the selective CPA security model of Waters [17]. The simulator interacts with $\mathcal{A}$ by executing the following algorithms.
Init: The adversary $\mathcal{A}$ delivers $\mathbb{A}^*$ to $\mathcal{B}$ as a challenge access structure. Then, the simulator gives this policy to $\mathcal{C}$. The challenger feeds back the public parameters in the additive group $PK' = \langle p, G, G_T, \hat{e}, P, aP, \hat{e}(P, P)^a, \{T_i = s_i P\}_{\forall i} \rangle$ of Waters [17].
Setup: $\mathcal{B}$ chooses $x, y \in \mathbb{Z}_p^*$ at random and sets $B = xP$, $B' = yP$. Moreover, it chooses $H_1 : \{0, 1\}^* \to \mathbb{Z}_p^*$ and $H_2 : G_T \to \{0, 1\}^*$ as two collision-resistant hash functions. $\mathcal{B}$ transmits $PK = \langle \hat{e}, G, G_T, p, P, A, B, B', H_1, H_2 \rangle$ to $\mathcal{A}$.
Query Phase 1: The adversary $\mathcal{A}$ makes a private key query on an attribute set $Att_i$. The simulator queries Private-Key-Extraction with $\mathcal{C}$ on $Att_i$ and obtains the private key $SK_{Att_i}$. At last, $\mathcal{B}$ returns the private key $SK_{Att_i}$ to the adversary.
Challenge: $\mathcal{A}$ submits two challenge plaintexts $M_0$ and $M_1$ of equal size to the simulator. It picks a value $h \in \{0, 1\}$ and two messages $\tilde{M}_0, \tilde{M}_1 \in \{0, 1\}^*$ at random. Then, it sends $\langle \tilde{M}_0, \tilde{M}_1, \mathbb{A}^* \rangle$ to the challenger. $\mathcal{C}$ selects a random $u \in \{0, 1\}$ and encrypts the message $\tilde{M}_u$ under $PK'$ and $\mathbb{A}^*$ according to the encryption in Waters [17]. After that, the ciphertext is returned to the simulator. The simulator chooses $s \in \mathbb{Z}_p^*$ at random and computes $\hat{C}$.
Query Phase 2: $\mathcal{A}$ queries Private-Key-Extraction adaptively as in Query Phase 1, and $\mathcal{B}$ responds as before.
Guess: $\mathcal{A}$ returns its guess $h' \in \{0, 1\}$ to $\mathcal{B}$, which outputs $h'$ as its guess for $u$.
If $h = u$, $\mathcal{B}$ has simulated Game$_0$ appropriately; otherwise, $\mathcal{B}$ has simulated Game$_1$ appropriately. Hence, if $\mathcal{A}$ distinguishes the two games with non-negligible advantage, the algorithm $\mathcal{B}$ attacks the selectively CPA-secure protocol [17] with non-negligible advantage.
Lemma 2. Provided that the scheme in Waters [17] is selectively CPA-secure, the adversary's advantage in Game$_1$ is negligible.
Proof. Suppose that the advantage of $\mathcal{A}$ in Game$_1$ is non-negligible. Then there is an algorithm $\mathcal{B}$, acting as a simulator, that attacks the protocol [17] in the selective CPA security model with non-negligible advantage.
Let $\mathcal{C}$ be the challenger in the selective CPA security model. $\mathcal{B}$ interacts with $\mathcal{A}$ by running the algorithms below.
Init: $\mathcal{A}$ transmits a challenge access structure $\mathbb{A}^*$ to $\mathcal{B}$. The simulator also gives $\mathbb{A}^*$ to $\mathcal{C}$. The challenger $\mathcal{C}$ delivers the public parameters in the additive group $PK' = \langle p, G, G_T, \hat{e}, P, aP, \hat{e}(P, P)^a, \{T_i = s_i P\}_{\forall i} \rangle$ of Waters [17] back to the simulator.
Setup: The simulator picks random $x, y \in \mathbb{Z}_p^*$, computes $B = xP$, $B' = yP$, and chooses two collision-resistant hash functions $H_1 : \{0, 1\}^* \to \mathbb{Z}_p^*$ and $H_2 : G_T \to \{0, 1\}^*$. After that, $\mathcal{B}$ transmits $PK = \langle \hat{e}, G, G_T, p, P, A, B, B', H_1, H_2 \rangle$ to the adversary.
Query Phase 1: $\mathcal{A}$ adaptively issues private key queries on $Att_i$. The simulator obtains the private key $SK_{Att_i}$ by querying Private-Key-Extraction with $\mathcal{C}$ on $Att_i$. Then, the simulator returns the private key $SK_{Att_i}$ to the adversary.
Challenge: The adversary $\mathcal{A}$ submits two equal-size messages $M_0$ and $M_1$. The simulator sends $\langle M_0, M_1, \mathbb{A}^* \rangle$ to $\mathcal{C}$. After that, $\mathcal{C}$ picks $u \in \{0, 1\}$ at random and encrypts $M_u$ under $PK'$ and $\mathbb{A}^*$ as in the encryption of Waters [17]. Then, it gives the resulting ciphertext $CT^{*\prime} = \langle \mathbb{A}^*, C_1, C_2, C_3 \rangle$ back to $\mathcal{B}$. The simulator $\mathcal{B}$ chooses $s' \in \mathbb{Z}_p^*$, $\tilde{M} \in \{0, 1\}^*$ and $\hat{C} \in G_T$ at random, and calculates $C_0$ to form the challenge ciphertext.
Query Phase 2: The adversary queries Private-Key-Extraction adaptively as in Query Phase 1. The simulator responds to these queries correspondingly.
Guess: Finally, the adversary returns a guess $h' \in \{0, 1\}$ to the simulator, which also takes $h'$ as its guess for $u$.
Obviously, $\mathcal{B}$ has simulated Game$_1$ appropriately. Provided that the advantage of the adversary in Game$_1$ is non-negligible, $\mathcal{B}$ attacks the selectively CPA-secure protocol [17] with non-negligible advantage.
In conclusion, these two lemmas show that the first four algorithms of our protocol, taken as the basic CP-ABE protocol, are selectively CPA-secure. In the following theorem, we prove that if the basic CP-ABE protocol is selectively CPA-secure, the whole protocol is selectively CPA-secure as well.
Theorem 2. Provided that the basic CP-ABE protocol is selectively CPA-secure, this protocol with outsourced decryption is selectively CPA-secure as well.
Proof. Suppose that the advantage of $\mathcal{A}$ in the selective CPA security model is non-negligible. Then $\mathcal{B}$ acts as a simulator that attacks the basic CP-ABE scheme with non-negligible advantage.
Let $\mathcal{C}$ be the challenger in the selective CPA security model of the basic CP-ABE protocol. The simulator interacts with $\mathcal{A}$ according to the algorithms below.
Init: The adversary $\mathcal{A}$ gives $\mathbb{A}^*$ to $\mathcal{B}$ as a challenge access structure. Then, the simulator transmits this structure to $\mathcal{C}$. The challenger outputs the public parameters $PK = \langle \hat{e}, G, G_T, p, P, A, B, B', H_1, H_2 \rangle$ of the basic CP-ABE scheme to $\mathcal{B}$.
Setup: The simulator gives the above parameters $PK$ to $\mathcal{A}$.
Query Phase 1: $\mathcal{B}$ maintains an empty list $L$ as well as a set $E$. $\mathcal{A}$ launches the following queries adaptively.
Private-Key-Extraction: For the attribute set $Att$, $\mathcal{B}$ queries the key generation oracle to receive the private key $SK_{Att}$. After that, $\mathcal{B}$ sets $E = E \cup \{Att\}$ and returns the private key $SK_{Att}$ to $\mathcal{A}$.
Transformation-Key-Extraction: For the attribute set $Att$, $\mathcal{B}$ searches for $\langle Att, SK_{Att}, TK_{Att}, RK_{Att} \rangle$ in the list $L$ and outputs the transformation key $TK_{Att}$ to the adversary $\mathcal{A}$ if it exists. Otherwise, $\mathcal{B}$ picks $u, v \in \mathbb{Z}_p^*$, computes $K'_1 = ((u + v)/b)P$, $K'_2 = vP$, stores the tuple $\langle Att, *, TK_{Att} = (Att, K'_1, K'_2), u \rangle$ in $L$ and transmits $TK_{Att}$ to $\mathcal{A}$.
Note that the simulator $\mathcal{B}$ is unable to access the actual retrieving key $RK_{Att} = a/u$. It computes the challenge as follows.
If the guess $h'$ of $\mathcal{A}$ in this protocol is correct, the guess in the basic CP-ABE scheme is also correct. Therefore, if $\mathcal{A}$ is able to attack the proposal with non-negligible advantage in the selective CPA security model, there is a simulator $\mathcal{B}$ that attacks the basic CP-ABE protocol with non-negligible advantage.
Theorem 3. Provided that the CBDH assumption defined in Definition 1 holds, this CP-ABE protocol with outsourced decryption is verifiable.
Proof. Assume that $\mathcal{A}$ attacks the verifiability of this scheme with non-negligible advantage. Then $\mathcal{B}$ acts as a simulator that is able to solve the CBDH problem with non-negligible advantage.
Setup: The simulator $\mathcal{B}$ randomly picks $a, x, y \in \mathbb{Z}_p^*$ and lets $H_1: \{0,1\}^* \to \mathbb{Z}_p^*$ and $H_2: G_T \to \{0,1\}^*$ be collision-resistant hash functions. After that, the simulator defines the public parameters $PK = \langle \hat{e}, G, G_T, p, P, A = \hat{e}(P,P)^a, B = xP, B' = yP, H_1, H_2\rangle$ and the master secret key $MSK = a$. It returns $PK$ to the adversary. Query Phase 1: $\mathcal{A}$ makes queries to the $\mathrm{KeyGen}(PK, MK, Att)$, $\mathrm{Transform}_{out}(PK, CT, TK_{Att})$, $\mathrm{Decrypt}(PK, SK_{Att}, CT)$ and $\mathrm{Decrypt}_{out}(PK, CT, CT', RK_{Att})$ algorithms. As the simulator possesses the master secret key $MSK$, it is able to answer these queries properly.
Challenge: $\mathcal{A}$ submits a message $M^*$ and a challenge access policy $\mathbb{A}^*$ to $\mathcal{B}$. The simulator calculates the ciphertext $CT^*$ of $M^*$ and returns $CT^* = \langle \mathbb{A}^*, \hat{C}, C_1, \ldots\rangle$, where the random string $\tilde{M}^* \in \{0,1\}^*$ is selected by the simulator. Note that $\mathcal{B}$ is forbidden to access the random parameter $s$. Query Phase 2: The adversary launches the same private key queries as in Query Phase 1, and the simulator responds as before. Output: $\mathcal{A}$ returns an attribute set $Att^*$ and a transformed ciphertext, where $t_{Att^*}$ is the retrieving key for the attribute set $Att^*$ controlled by the simulator $\mathcal{B}$.

Performance evaluation
In this section, we compare the cost of this protocol with other related schemes [19, 28–31, 40] in terms of communication and computation overhead.

Communication overhead
Let $|G|$ and $|G_T|$ be the element length in the additive cyclic group $G$ and the multiplicative cyclic group $G_T$, respectively. $N$ denotes the number of attributes, and $L_M$ denotes the length of the message. For the scheme of Qin et al. [28], $L_{SE}$ denotes the length of a symmetric encryption ciphertext and $L_{VK}$ the length of a verification key. For the protocol of Mao et al. [29], $L_{CM}$ denotes the length of a commitment on a message. Table 2 compares the communication cost in the phases KeyGen, Encrypt, $\mathrm{GenTK}_{out}$ and $\mathrm{Transform}_{out}$. In the KeyGen algorithm, the communication overhead between TA and DU is $2|G|$. In the Encrypt algorithm, the communication overhead between DO and CSS in our scheme is $5|G| + 2L_M$.
In the transformation key generation phase, the communication overhead is also $2|G|$. Meanwhile, in the $\mathrm{Transform}_{out}$ algorithm, the communication overhead between FN and DU is $|G| + 2|G_T|$.

Table 2. Comparison of communication cost.

| Scheme | KeyGen | Encrypt | $\mathrm{GenTK}_{out}$ | $\mathrm{Transform}_{out}$ |
|---|---|---|---|---|
| Lai et al. [19] | $N + (N+2)|G_T|$ | $(4N+3)|G| + 2|G_T|$ | $N + (N+2)|G_T|$ | $|G| + 4|G_T|$ |
| Qin et al. [28] | $(N+2)|G_T|$ | $(2N+1)|G| + |G_T| + L_{SE} + L_{VK}$ | $(N+2)|G_T|$ | $2|G_T| + L_{SE} + L_{VK}$ |
| Mao et al. [29] | $N + (N+2)|G_T|$ | $(2N+2)|G| + L_M + L_{CM}$ | $N + (N+2)|G_T|$ | $|G| + |G_T| + L_M + L_{CM}$ |
| Li et al. [30] | $2|G_T|$ | $5|G| + 2|G_T|$ | $2|G_T|$ | $|G| + 4|G_T|$ |
| Li et al. [31] | $N + (N+2)|G_T|$ | $(2N+3)|G| + L_M$ | $N + (N+2)|G_T|$ | $2|G| + |G_T| + L_M$ |
| Zuo et al. [40] | $(2N+1)|G_T|$ | $(N+2)|G_T| + 2L_M$ | $(2N+1)|G_T|$ | $|G_T| + 2L_M$ |
| Ours | $2|G|$ | $5|G| + 2L_M$ | $2|G|$ | $|G| + 2|G_T|$ |

To sum up, from this table we can conclude that the size of the transmitted data in every phase is of constant length and is the smallest, which indicates a significant advantage of our protocol in communication.
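The following cost model is an added illustration, not code from the paper or its authors. It transcribes the per-phase formulas of Table 2 as functions of the attribute count $N$ and evaluates them in bytes so that the "constant size" claim can be checked numerically and the attribute count at which the constant-size scheme overtakes an $N$-dependent one can be read off. The byte sizes are assumptions for a PBC Type A curve with a 160-bit order (the setting used in the computation experiments): an uncompressed element of $G$ is two 64-byte coordinates and an element of $G_T$ lies in $\mathbb{F}_{q^2}$, also 128 bytes. $L_M$, $L_{SE}$, $L_{VK}$ and $L_{CM}$ are constructed placeholder lengths, not values reported by the paper; entries the table writes as $N + (N+2)|G_T|$ are kept exactly as stated.

```python
"""Communication-cost model for the schemes compared in Table 2.

Added illustration. Formulas are transcribed from Table 2; the byte sizes
below are ASSUMPTIONS (PBC Type A, 160-bit order, 512-bit base field),
and the L_* lengths are constructed placeholders, not the paper's figures.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

G_BYTES = 128    # |G|, assumed: uncompressed point, two 64-byte coordinates
GT_BYTES = 128   # |G_T|, assumed: element of F_{q^2}
L_M = 32         # message length, placeholder (e.g. a wrapped symmetric key)
L_SE = 48        # symmetric ciphertext length for Qin et al., placeholder
L_VK = 32        # verification key length for Qin et al., placeholder
L_CM = 32        # commitment length for Mao et al., placeholder

PHASES = ("keygen", "encrypt", "gentk_out", "transform_out")


@dataclass(frozen=True)
class PhaseCost:
    """Bytes transmitted in each of the four phases of Table 2."""
    keygen: int
    encrypt: int
    gentk_out: int
    transform_out: int

    def total(self) -> int:
        return self.keygen + self.encrypt + self.gentk_out + self.transform_out


# Table 2 row by row, each as a function of the attribute count N.
TABLE2: Dict[str, Callable[[int], PhaseCost]] = {
    "Lai et al. [19]": lambda n: PhaseCost(
        n + (n + 2) * GT_BYTES, (4 * n + 3) * G_BYTES + 2 * GT_BYTES,
        n + (n + 2) * GT_BYTES, G_BYTES + 4 * GT_BYTES),
    "Qin et al. [28]": lambda n: PhaseCost(
        (n + 2) * GT_BYTES, (2 * n + 1) * G_BYTES + GT_BYTES + L_SE + L_VK,
        (n + 2) * GT_BYTES, 2 * GT_BYTES + L_SE + L_VK),
    "Mao et al. [29]": lambda n: PhaseCost(
        n + (n + 2) * GT_BYTES, (2 * n + 2) * G_BYTES + L_M + L_CM,
        n + (n + 2) * GT_BYTES, G_BYTES + GT_BYTES + L_M + L_CM),
    "Li et al. [30]": lambda n: PhaseCost(
        2 * GT_BYTES, 5 * G_BYTES + 2 * GT_BYTES,
        2 * GT_BYTES, G_BYTES + 4 * GT_BYTES),
    "Li et al. [31]": lambda n: PhaseCost(
        n + (n + 2) * GT_BYTES, (2 * n + 3) * G_BYTES + L_M,
        n + (n + 2) * GT_BYTES, 2 * G_BYTES + GT_BYTES + L_M),
    "Zuo et al. [40]": lambda n: PhaseCost(
        (2 * n + 1) * GT_BYTES, (n + 2) * GT_BYTES + 2 * L_M,
        (2 * n + 1) * GT_BYTES, GT_BYTES + 2 * L_M),
    "Ours": lambda n: PhaseCost(
        2 * G_BYTES, 5 * G_BYTES + 2 * L_M,
        2 * G_BYTES, G_BYTES + 2 * GT_BYTES),
}


def cost(scheme: str, n_attributes: int) -> PhaseCost:
    """Bytes sent per phase for a key/policy with N attributes."""
    return TABLE2[scheme](n_attributes)


def is_constant_size(scheme: str, n_values=(1, 8, 32, 128)) -> bool:
    """True if no phase's cost depends on N (the paper's claim for 'Ours')."""
    first = cost(scheme, n_values[0])
    return all(cost(scheme, n) == first for n in n_values[1:])


def crossover_n(scheme: str, phase: str, n_max: int = 1000) -> Optional[int]:
    """Smallest N at which 'Ours' sends strictly fewer bytes than `scheme`
    in `phase`, or None if that never happens up to n_max (e.g. a phase in
    which `scheme` is itself constant and not larger under these sizes)."""
    for n in range(1, n_max + 1):
        if getattr(cost("Ours", n), phase) < getattr(cost(scheme, n), phase):
            return n
    return None


if __name__ == "__main__":
    for n in (5, 20, 50):
        print(f"N = {n}")
        for scheme in TABLE2:
            c = cost(scheme, n)
            print(f"  {scheme:16s} KeyGen={c.keygen:6d} Encrypt={c.encrypt:6d} "
                  f"GenTK={c.gentk_out:6d} Transform={c.transform_out:6d} "
                  f"constant={is_constant_size(scheme)}")
    for scheme in TABLE2:
        if scheme != "Ours":
            print(scheme, {p: crossover_n(scheme, p) for p in PHASES})
```

Running the script prints the per-phase byte counts for a few attribute counts and, for each compared scheme, the crossover $N$ per phase; a `None` crossover marks a phase in which the other scheme is also constant-size and, under the assumed element and placeholder lengths, not larger. Changing the byte constants at the top (compressed points, a different curve) changes the numbers but not the structure of the comparison, which is the point of keeping the formulas separate from the sizes.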

Computation overhead
We implement our scheme and the previous works [30, 31, 40] on top of the pairing-based cryptography (PBC) library [44]; the operations are executed on a 64-bit Windows 10 operating system with a 2.20-GHz Intel Core i5-5200U CPU and 8 GB of RAM. Concretely, we select the Type A elliptic curve parameter with a 160-bit order. Figures 3-7 report the experimental results as the average time of 100 operations. Specifically, Figure 3 shows that, because the attributes are integrated into $g$, the overhead of key generation in this protocol is constant and more efficient than the others. Figure 4 compares the encryption time of these four schemes and shows that our cost is much lower than the others, because the overhead in this protocol does not increase with the number of attributes embedded in the access policy. Figures 5 and 7 show the cost of decryption and outsourced decryption, respectively. Here the overhead of our proposal is slightly higher than that of Li et al.'s protocol [30], because our verification algorithm needs one more bilinear pairing operation. Finally, Figure 6 shows that the cost of this proposal equals that of the scheme of Li et al. [30] in the transformation phase. As a result, this protocol shows better performance in the KeyGen, Encrypt, Decrypt, $\mathrm{Transform}_{out}$ and $\mathrm{Decrypt}_{out}$ phases.

Conclusion
In this article, we present a lightweight verifiable outsourced CP-ABE protocol for the typical WBAN in IoT, which enables a user to verify the correctness of the transformed ciphertext. The scheme is proven selectively CPA-secure, and its verifiability is reduced to the CBDH assumption in the standard model. In addition, the complicated decryption operation is outsourced to the FN instead of being placed on the device of the DU. The communication and computation overhead do not depend on the number of attributes, which greatly reduces the cost of the whole system. Therefore, this scheme is suitable for power-limited devices such as those in the IoT. Moreover, our scheme takes advantage of fog computing to provide low latency and real-time interaction, while the blockchain protects the public parameters and ciphertexts from being tampered with by inside and outside adversaries.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.