Outsourced ciphertext-policy attribute-based encryption with partial policy hidden

Attribute-based encryption is an efficient and flexible fine-grained access control scheme. However, attribute privacy in the access policy and the heavy computing overhead have not been adequately addressed. First, in view of the open-access policies formulated by data owners in the cloud environment and the linear growth of bilinear pairing operations with the number of attributes in the decryption process, a verifiable outsourced attribute-based encryption scheme with partial policy hidden is proposed, in which the attribute names of the access policy can be sent while the attribute values involving sensitive information are hidden, so nobody can infer information from the access policy. Second, the bilinear pairing operations and modular power operations are outsourced to the cloud server, so users only need to perform a constant number of exponential operations to decrypt. In addition, the proposed scheme is based on the composite order bilinear group and is fully secure under the standard model. Finally, a comparison with other schemes in terms of function and performance shows that this scheme is more efficient and suitable for resource-constrained mobile devices in an outsourcing environment.


Introduction
With the rapid development of cloud computing, it is increasingly favored by all fields of the Internet because of its powerful computing resources and storage performance, thus leading to a new computing pattern: outsourcing computing. 1 Under the cloud computing environment, users with limited computing and storage resources can outsource some time-consuming computing to the cloud server in order to reduce the burden. Based on the pay-as-you-go service, users can enjoy various information services provided by the cloud. When the data owner (DO) uploads the encrypted data to the cloud, he also loses actual control of the data. However, the cloud server is not completely trusted, so how to protect the private information in the uploaded data has become a popular research topic. Because the DO encrypts data under an access policy, ciphertexts can be decrypted by anyone with a set of attributes that satisfies the access policy. In attribute-based encryption (ABE) schemes, the access policy is embedded in the ciphertext implicitly and outsourced to the cloud service provider (CSP) together with the ciphertext in a cloud environment. Because access policies are publicly available, everyone can read policies that contain private information. For example, in an electronic medical system, a patient authorizes a cardiologist to access encrypted data through the access policy {Department: Cardiology; Doctor: Alice}. Without decryption, anyone who gains access to the encrypted data can conclude that the patient might suffer from "heart disease." If the content of the attribute value in the policy is not visible, that is, the policy is set as {Department: XXX; Doctor: XXX}, then the patient's privacy can be guaranteed. Thus, the idea that a policy is not uploaded to the cloud with the ciphertext was produced by Nishide et al. 2 and Lai et al. 3 Subsequently, Li et al. 4 proposed an efficient ABE scheme with partial hidden policy. The scheme has less decryption cost, but the public parameters, ciphertext, and attribute information related to the policy are easily obtained by arbitrary malicious users. Therefore, Yin et al. 5 proposed a more efficient scheme in the standard model to supplement the deficiency of the scheme proposed by Li et al. 4 It was successfully reduced to the Decisional Bilinear Diffie-Hellman (DBDH) assumption.
However, most of the above schemes are based on the construction of a prime order group. Cui et al. 6 proposed a construction based on the composite order group supporting hidden attribute values, but it only achieves selective security. In the application scenario of the electronic medical system, Zhang et al. 7 not only implement policy concealment but also incur less computing cost and storage overhead during the decryption process. In addition, the scheme is fully secure under the standard model. However, the bilinear pairing operations and modular power operations involved in the decryption process are still associated with the number of attributes. To reduce the complicated pairing operations, Zhang et al. 8 proposed a semi-hiding ABE scheme with a constant number of pairing operations; however, the modular power operations remain linearly related to the number of attributes. To solve communication delay in remote cloud service centers, Xiong et al. 9 introduced an attribute-based broadcast encryption scheme with partial policy hidden, user revocation, and outsourced decryption in the edge computing environment. The scheme has more practical functions, but it was proved to be only selectively secure.
In addition to implementing partial policy hiding, the proposed scheme transfers the decryption load from the user's local device to the cloud. Therefore, the proposed scheme can easily be executed on resource-constrained devices (like mobile phones or Internet of things (IoT) devices), because local computing nodes in an IoT environment are limited in computation and energy. For example, the merging of distributed ledger technology and IoT systems is also an embodiment of the outsourcing application in F Shahid et al.'s 10 scheme. Therefore, to satisfy the typical IoT requirements, the proposed scheme transfers the decryption load from the local terminal to the cloud.

Our contribution
In order to preserve users' privacy, modern ABE schemes offer a "hidden access structure." These schemes divide the access structure into two parts, namely, "attribute name" and "attribute value," such that the attribute name is publicized and the attribute value remains confidential. However, many of the existing ABE schemes are either inefficient or offer just "selective security." In almost all of the existing schemes, the decryption cost increases linearly with the number of attributes. This article proposes a "full secure" ABE scheme with outsourced decryption. The proposed system model transfers the decryption load from the users' local devices to the highly resourceful cloud nodes. The proposed scheme has the characteristics of partial policy hiding and flexible expression. With respect to attribute hiding, the attribute is divided into two parts: attribute name and attribute value. When encrypting the data, the attribute value is only used to compute the ciphertext and is not sent to the cloud along with the ciphertext. In addition,
1. It has a flexible expression in access policy. The proposed scheme employs a linear secret sharing scheme (LSSS) to support "AND," "OR," and "Threshold" structures.
2. It offers outsourced decryption and simultaneously eliminates redundant ciphertext components. In the decryption process, the bilinear pairing operations and modular power operations are outsourced to the CSP, which performs the computation instead of the users. Users only need to verify the calculation results returned by the CSP and perform a constant number of exponential operations to recover the plaintext.
3. It is proven to be full secure against chosen plaintext attack (CPA). Some of the abovementioned schemes satisfy selective security by adding the "Init" stage, that is, the adversary commits to the challenge object in advance; however, selective security is weaker than full security. The proposed scheme was proven to be full secure through dual system encryption technology. 11
4. It has advantages in terms of performance and function. The comparison and experiment show that our scheme is more effective in terms of function, communication cost, and computing cost than the previously established schemes. 3,5,7

Related work

ABE
Sahai and Waters 12 proposed a new public key cryptosystem, ABE, which can be divided into two categories according to the location of the access policy: KP-ABE 13 and CP-ABE. 14 The policy in the KP-ABE scheme is embedded in the key, and the policy in the CP-ABE scheme is contained in the ciphertext. Bethencourt et al. 14 gave the first CP-ABE scheme, but it only supported the "AND" gate structure. In order to achieve better policy expressiveness, Waters 15 proposed a CP-ABE based on LSSS under the standard model. Since the policy is embedded in the ciphertext for CP-ABE, the DO can set the policy to determine which attributes can access the ciphertext, namely, exercising fine-grained access control over the data. CP-ABE is more widely used than KP-ABE, for example in personal health care systems and fine-grained sharing in cloud storage.

Policy hidden
In order to resolve the privacy issue of user attributes in the cloud environment, Nishide et al. 2 first proposed a CP-ABE scheme that supports the hiding of the access structure. The access structure is set implicitly in the ciphertext and is not sent along with the ciphertext. Lewko et al. 16 proposed a full secure CP-ABE scheme using the dual system encryption technology under the standard model. In Lai et al.'s 3 scheme, the attribute is divided into two parts: attribute name and attribute value. The attribute name can be publicized, while the attribute value is hidden. Jin et al. 17 established a CP-ABE scheme supporting partial policy hiding. That ABE scheme achieves full security, but the access structure uses the "AND" gate structure. In order to reduce the bilinear pairing operations and modular exponentiations involved in the decryption process, other specific schemes 3,18-20 have been established. These schemes first judge whether the user's attributes match the access policy before decryption; if they match, the decryption operation is performed. But some of the proposed schemes 18-20 only support the "AND" gate structure, and the bilinear pairing operations and modular exponentiations are still linearly related to the number of attributes during the decryption process. Moreover, the schemes are proved to be only selectively secure. Lai et al. 3 adopted the more flexible LSSS structure, and the scheme is full secure under the standard model. But the bilinear pairing operations and modular exponentiations involved in the user testing phase and decryption phase increase linearly with the complexity of the policy. Yan et al. 21 introduced a multi-authority ABE with partial policy hidden and dynamic policy updating. In the above schemes, the policy hiding only hides the attribute value, hence it is called semi-hidden policy. Hao et al. 22 used the Bloom filter to achieve complete hiding, that is, neither the attribute name nor the attribute value is disclosed. In addition to judging whether the attribute information is in the set, the Bloom filter can also remove the mapping function between the matrix and the attribute, making the attribute completely hidden. However, a formal treatment of attribute privacy protection is not provided in the security proof. In addition, complete attribute hiding can also be realized using the inner product predicate encryption technology. 23 Nevertheless, most of these schemes only support the "AND" gate structure with weak expression ability, which limits their use in actual applications.

Outsourced ABE
For the first time, Green et al. 24 proposed an outsourced ABE scheme that is secure in the random oracle model. The scheme commits the decryption operation to the decryption server provider (DSP), so that the ciphertext is converted into the ElGamal type and then delivered to users to reduce the computing cost of the data user (DU). Li et al. 25 presented an offline/online ABE scheme, which reduces the computational overhead during the encryption phase using offline/online technology. Furthermore, a "chameleon" hash function is introduced to implement verification before the decryption phase. The scheme is proved to satisfy adaptive chosen ciphertext attack security, but the bilinear pairing operation involved in the decryption process remains a large overhead for the user. Fan et al. 26 introduced a verifiable outsourced scheme for multi-authorization in cloud-fog computing, which outsources encryption and decryption to fog nodes close to the end user. Relative to the remote CSP, fog nodes can handle data with low latency, which is an ideal choice for real-time calculation of data. Zhang et al. 27 proposed a fully outsourced access control scheme for the first time, in which the key generation, encryption, and decryption operations are all handled by the cloud, but it lacks a verification mechanism. Zhao et al. 28 proposed a verifiable full outsourcing scheme based on the original scheme. 27 The scheme supports verification and optimizes performance such that the computational cost does not increase significantly with the number of attributes or access policy complexity. For the issue of key leakage, Yan et al. 29 proposed a traceable CP-ABE scheme in a multi-domain environment.

Organization
The rest of the article is organized as follows.

Preliminaries
Composite order bilinear group
The scheme of this article is based on a composite order bilinear group whose order is the product of four distinct primes. Let $F$ be an algorithm that inputs the security parameter $1^{l}$ and outputs a tuple $(p_1, p_2, p_3, p_4, G, G_T, e)$, where $p_1$, $p_2$, $p_3$, and $p_4$ are four distinct primes, $G$ and $G_T$ are cyclic groups of order $N = p_1 p_2 p_3 p_4$, and $e : G \times G \to G_T$ is a map function such that Assuming that there is a group operation in $G$ and $G_T$ and the mapping function $e$, it is computable in polynomial time in $l$. Let $G_{p_1}$, $G_{p_2}$, $G_{p_3}$, and $G_{p_4}$ represent the subgroups of $G$ of order $p_1$, $p_2$, $p_3$, and $p_4$, respectively; then $G = G_{p_1} \times G_{p_2} \times G_{p_3} \times G_{p_4}$. If $g_1 \in G_{p_1}$ and $g_2 \in G_{p_2}$, then $e(g_1, g_2) = 1$. If the elements in the mapping function $e$ are elements of different subgroups, the equation still holds; thus, the composite order bilinear group is said to satisfy orthogonality.

LSSS
The secret sharing scheme on the participant set P is called the LSSS if the following conditions are met.
1. A vector can be formed by the secret share of each party over $Z_p$.
2. For the secret sharing scheme P, there is a matrix $M$ of size $\ell \times n$ that maps each row of the matrix to an associated participant in P. For $i = 1, \ldots, \ell$, $r(i)$ is the party associated with the $i$th row of $M$. We first generate a column vector $v = (s, y_2, y_3, \ldots, y_n)$, where $s \in Z_p$ is a shared secret and $r_i$ is randomly selected, $i = 2, \ldots, n$. According to scheme P, $Mv$ is the vector of $\ell$ secret shares of the shared secret $s$, which indicates that the share $l_i = (Mv)_i$ is held by the participant $r(i)$.
The LSSS has the characteristic of linear reconstruction. If $S \in A$ is an access authorization set, then there are constants $\{v_i \in Z_p\}_{i \in I}$ such that $\sum_{i \in I} v_i l_i = s$ holds, where $l_i$ is the effective share of the secret $s$,
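The sharing and linear reconstruction just described, as an added Python example (not code from the paper). The policy matrix, the row labels, and the modulus $2^{61}-1$ are constructed for illustration; the reconstruction constants are found by solving $\sum_{i \in I} v_i M_i = (1, 0, \ldots, 0)$ over $Z_p$.

```python
import secrets

P = 2**61 - 1  # prime modulus standing in for Z_p (constructed toy parameter)

# Constructed policy: (Department:Cardiology AND Doctor:Alice) OR Role:Auditor.
# A set of rows is authorized exactly when it spans (1, 0) over Z_p.
M = [
    [1, 1],    # row 1 -> Department:Cardiology
    [0, -1],   # row 2 -> Doctor:Alice
    [1, 0],    # row 3 -> Role:Auditor
]
RHO = ["Department:Cardiology", "Doctor:Alice", "Role:Auditor"]  # r(i) on the page


def share_secret(s, matrix=M, p=P):
    """Return the shares l_i = (M v)_i for v = (s, y_2, ..., y_n)."""
    n = len(matrix[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def solve_mod_p(A, b, p=P):
    """Return one x with A x = b (mod p), or None if no solution exists."""
    rows, cols = len(A), len(A[0])
    aug = [[a % p for a in A[i]] + [b[i] % p] for i in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue  # no pivot in this column: free variable
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append((r, c))
        r += 1
        if r == rows:
            break
    # A zero row with a non-zero right-hand side means the target is not spanned.
    if any(aug[i][cols] for i in range(r, rows)):
        return None
    x = [0] * cols  # free variables are set to 0
    for pr, pc in pivots:
        x[pc] = aug[pr][cols]
    return x


def reconstruction_constants(attrs, matrix=M, rho=RHO, p=P):
    """Constants {row index: v_i} for the rows the holder owns, or None."""
    rows = [i for i, label in enumerate(rho) if label in attrs]
    n = len(matrix[0])
    A = [[matrix[i][j] for i in rows] for j in range(n)]  # columns = owned rows
    target = [1] + [0] * (n - 1)
    x = solve_mod_p(A, target, p)
    return None if x is None else dict(zip(rows, x))


def recover(shares, attrs, p=P):
    """Linear reconstruction sum_i v_i * l_i; None for an unauthorized set."""
    consts = reconstruction_constants(attrs)
    if consts is None:
        return None
    return sum(c * shares[i] for i, c in consts.items()) % p


if __name__ == "__main__":
    shares = share_secret(424242)
    print(recover(shares, {"Department:Cardiology", "Doctor:Alice"}))
    print(recover(shares, {"Department:Cardiology"}))
```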

Complexity assumption
The security of this article is based on the following complexity assumptions, and a detailed description of the complexity assumptions is given. Assumption 1. Given a group generation algorithm F, define the following distribution j j , then this assumption can be broken.

Definition 1. For any probabilistic polynomial-time adversary A, if $\mathrm{Adv1}_{F,A}(l)$ is a negligible function, then the algorithm meets Assumption 1.
Assumption 2. Given a group generation algorithm F, define the following distribution
If the advantage of adversary A satisfies $\mathrm{Adv2}_{F,A}(l) = |\Pr[A(D, T_1) = 1] - \Pr[A(D, T_2) = 1]|$, then this assumption can be broken.

Definition 2. For any probabilistic polynomial-time adversary A, if $\mathrm{Adv2}_{F,A}(l)$ is a negligible function, then the algorithm meets Assumption 2.
Assumption 3. Given a group generation algorithm F, define the following distribution
If the advantage of adversary A satisfies $\mathrm{Adv3}_{F,A}(l) = |\Pr[A(D, T_1) = 1] - \Pr[A(D, T_2) = 1]|$, then this assumption can be broken.
Assumption 4. Given a group generation algorithm F, define the following distribution
If the advantage of adversary A satisfies $\mathrm{Adv4}_{F,A}(l) = |\Pr[A(D, T_1) = 1] - \Pr[A(D, T_2) = 1]|$, then this assumption can be broken.

System model
The system model proposed in this article is shown in Figure 1, including DO, storage service provider (SSP), DSP, DU, and attribute authority (AA).
The DO specifies an access policy and runs the encryption algorithm on the data using the public parameter (PK) generated by the AA, which produces a complete ciphertext (CT), and outsources the policy with its attribute values hidden, along with the ciphertext (CT), to the cloud server.
The DU can access the ciphertext file in the cloud server and download the ciphertext from the SSP. Because the terminal device has limited resources, the modular exponentiation and bilinear pairing operations involved in the decryption process are performed by the DSP, which uses the transformed key (TK) generated by the AA. The DSP generates the transformed ciphertext and sends it to the DU. The DU verifies the computing result returned by the DSP, decrypts it with the secret key (SK) that it keeps itself, and recovers the plaintext.

Algorithm definition
This article assumes that collusion does not occur between servers. AA is a key distribution center and is completely trusted. The algorithm contained in the scheme consists of the following six algorithms.
$\mathrm{Setup}(1^{l}) \to (PK, MSK)$: Create the public parameter (PK) and the master secret key (MSK) upon inputting the security parameter $l$.
$\mathrm{KeyGen}(PK, MSK, §) \to SK'$: The algorithm returns the secret key $SK'$ by inputting the public parameter (PK), the master secret key (MSK), and the attribute set §.
$\mathrm{Encrypt}(PK, m, (M, r, c)) \to CT$: Generate a ciphertext (CT) upon receiving the public parameter (PK), message $m$, and access control policy $(M, r, c)$ as input, where $c$ is the set of attribute value that is sent along with CT to CSP.
$\mathrm{KeyGen}_{out}(SK', z) \to (TK, SK)$: The algorithm outputs the transformed key (TK) for outsourcing decryption and the secret key (SK) of decryption by inputting $SK'$ and selecting a random value $z \in Z_N^{*}$.
$\mathrm{Transform}_{out}(TK, CT) \to CT'$: Generate the partially decrypted ciphertext $CT'$ by inputting the transformed key (TK) and the ciphertext (CT).
$\mathrm{Decrypt}(SK, CT') \to m$: The plaintext $m$ is recovered by inputting the secret key (SK) for the user's local decryption and the partially decrypted ciphertext $CT'$.

Security model
We define the security model of this article through the security game between simulator B and adversary A. The game process is as follows:
Setup: Challenger B performs the Setup algorithm and outputs the public parameter (PK) and the master secret key (MSK) to the adversary A.
Phase 1: The adversary A adaptively issues a polynomially bounded number of key queries to the key generation oracle, as follows:
$O_{KeyGen}$: The adversary submits the attribute set §, and the simulator executes the $\mathrm{KeyGen}_{out}$ algorithm to output the secret key $SK_{§}$, which will be transmitted to adversary A.
Challenge: Adversary A submits to simulator B two equal length messages $m_0$ and $m_1$ and two access policies $A'_0 = (M, r, c_0)$ and $A'_1 = (M, r, c_1)$ with the restriction that none of them can be satisfied by any of the queried attribute sets in Phase 1. B flips a random coin $b \in \{0, 1\}$ and outputs the challenge ciphertext $CT_b$ under the access policy $A = (M, r, c_b)$ to A.
Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies $A'_0$ and $A'_1$.
Guess: The adversary A outputs the guess value $b' \in \{0, 1\}$, and if $b' = b$, then the adversary A wins the game.

Our construction
The proposed verifiable outsourced ABE scheme, which supports policy hiding in the cloud environment, is based on the scheme of Zhang et al., 7 and can realize attribute hiding in the policy and support the outsourced decryption process. The scheme is composed of the following seven algorithms, and the detailed description of each algorithm is as follows:
1. Initialization: AA performs the group generation algorithm $F(1^{l})$, which receives a security parameter $l$ as input and outputs $(N, p_1, p_2, p_3, p_4, G, G_T, e)$, and sets the attribute universe $U = Z_N$.
, 1g l simultaneously, and finally outputs the system PK = (N, g, g a , e(g, g) a , H, X 4 , H 1 , H 2 ) and the master secret key MSK = (a, h, X 3 ).
The user attribute set is defined as § = (x S , S), where x S represents the attribute name index, x S Z N , and S = fs i g i2x S represents the attribute value set.
3. KeyGen (PK, MSK, §): The algorithm chooses The algorithm selects r 2 G T and computes s = H 1 (r, m) and F = H 2 (r). Taking the system public parameter (PK) and message m, the DO can receive C = r Á e(g, g) as , generated by running the KeyGen algorithm then selects z 2 R Z N to obtain transformed key TK = (K = K 01=z = g a=z Á g at=z R 1=z , 1=z g i2x S ) and user's secret key SK = (z, TK).
7. $\mathrm{Decrypt}(SK, CT')$: The algorithm is run by the DU, which takes $CT' = (C, C'', CT_{transform})$ and SK as input, then computes $r = C / CT_{transform}^{z}$, $m = C \oplus H_1(r)$ and $s = H_1(r, m)$. If $C = r \cdot e(g, g)^{as}$ and $CT_{transform} = e(g, g)^{as/z}$, then it indicates that the result returned by the cloud server is correct, and the plaintext $m$ is output finally.
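The blinding by $z$ and the DU-side check of the Decrypt step, as an added Python example that is not the paper's code. The pairing-based work of the DSP is replaced by a modular-exponentiation stand-in in $Z_P^{*}$ with $P = 2^{127}-1$ (a toy with no access control and no secure parameter sizes), and the masking $C'' = m \oplus H_2(r)$ is an assumption because the Encrypt step is incomplete on the page.

```python
import hashlib
import secrets
from math import gcd

# Toy parameters (constructed, not secure): Z_P^* stands in for the group G_T,
# GEN^alpha stands in for e(g, g)^a, and exponents live modulo ORDER like Z_N.
P = 2**127 - 1
ORDER = P - 1
GEN = 3


def enc_int(x):
    return x.to_bytes(16, "big")


def h1(r, m):
    """Hash (r, m) to an exponent, playing the role of H_1."""
    digest = hashlib.sha256(b"H1" + enc_int(r) + m).digest()
    return int.from_bytes(digest, "big") % ORDER


def h2(r, n):
    """Derive an n-byte mask from r, playing the role of H_2."""
    return hashlib.shake_256(b"H2" + enc_int(r)).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    alpha = secrets.randbelow(ORDER - 1) + 1
    return alpha, pow(GEN, alpha, P)          # (master secret, public Y)


def keygen_out(alpha):
    """Pick z invertible modulo the group order; TK is the key raised to 1/z."""
    while True:
        z = secrets.randbelow(ORDER - 2) + 2
        if gcd(z, ORDER) == 1:
            break
    tk = pow(GEN, alpha * pow(z, -1, ORDER) % ORDER, P)
    return tk, z                               # TK goes to the DSP, z stays local


def encrypt(Y, m):
    r = secrets.randbelow(P - 2) + 2
    s = h1(r, m)
    return {"C": r * pow(Y, s, P) % P,         # C = r * Y^s
            "C2": xor(m, h2(r, len(m))),       # assumed form of C''
            "abe": s}                          # stand-in for the ABE components


def transform_out(tk, ct):
    """DSP side: returns Y^(s/z); in the scheme this is the pairing work."""
    return ct["C"], ct["C2"], pow(tk, ct["abe"], P)


def decrypt(z, Y, ct_prime):
    """DU side: one exponentiation to unblind, then the verification."""
    C, C2, T = ct_prime
    if T % P == 0:
        return None
    r = C * pow(pow(T, z, P), -1, P) % P       # r = C / T^z
    m = xor(C2, h2(r, len(C2)))
    s = h1(r, m)
    ok_c = C == r * pow(Y, s, P) % P
    ok_t = T == pow(Y, s * pow(z, -1, ORDER) % ORDER, P)
    return m if (ok_c and ok_t) else None      # reject a wrong DSP result


if __name__ == "__main__":
    alpha, Y = setup()
    tk, z = keygen_out(alpha)
    ct = encrypt(Y, b"ECG report (constructed sample)")
    print(decrypt(z, Y, transform_out(tk, ct)))
```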

Security proof
Theorem 1. If the Assumptions 1-4 hold, then the proposed scheme based on the defined security model is proved to be full secure and satisfy CPA security.
The security proof of the scheme is similar to the literature, 3 that is, the dual system encryption technology is used to prove its security. First, define two semifunctional structures: semi-functional ciphertext and semi-functional key. The normal secret key can decrypt normal ciphertext and semi-functional ciphertext, but the semi-functional secret key cannot decrypt semifunctional ciphertext. And semi-functional key and semi-functional ciphertext are only used in security proof and do not appear in actual systems.
Semi-functional ciphertext: We set the CT normal = ((M, r), C, C 0 , C 00 , fC 1, x , D 1, x g 1 ł x ł ' ) as the normal ciphertext and select the generator g 2 of the subgroup G p 2 , c 0 2 R Z N , v 0 2 R Z n N , and z i 2 R Z N associated with the attribute, g x 2 R Z N related to the number of matrix rows M x . We can set the semi-functional Semi-functional key: we set SK normal = (z, PK, K = g a=z Á g at=z R, L = g t=z R 01=z , fK i = (g s i h) t=z Á R i 1=z g i2x S ) and select d 1 , d 2 , fd i g i2x S 2 R Z N . The semi-functional key may be one of the following three cases: Semi-functional key of type 1 Semi-functional key of type 2 Semi-functional key of type 3 The proof of this article's security is based on the Assumptions 1-4 and is demonstrated through a series of games, now we define the following games: Game 0 : In the first game, all ciphertext and keys are normal.
Game r : As the second game, the challenge ciphertext is semi-functional, and all keys are normal and Game r represent Game 0, 3 .
The number of key query between the simulator and adversary is set to q. We define the following game, where q 2 ½1, q.
$Game_{k,1}$: In this game, the challenge ciphertext is semi-functional, the first $k-1$ keys are semi-functional of type 3, the $k$th key is semi-functional of type 1, and the latter keys are normal.
$Game_{k,2}$: In this game, the challenge ciphertext is semi-functional, the first $k-1$ keys are semi-functional of type 3, the $k$th key is semi-functional of type 2, and the latter keys are normal.
$Game_{k,3}$: In this game, the challenge ciphertext is semi-functional, the first $k$ keys are semi-functional of type 3, and the latter keys are normal. Note that the challenge ciphertext in $Game_{q,3}$ is semi-functional, and all keys are semi-functional of type 3.
$Game_{F_0}$: In this game, the challenge ciphertext is a semi-functional ciphertext generated by selecting an encrypted message from $m_0$ and $m_1$ given the adversary, and all keys are semi-functional of type 3.
$Game_{F_1}$: The last game is the same as $Game_{F_0}$, except that $C_{1,x}$ in the challenge ciphertext is a random element in the group $G_{p_1} \times G_{p_2} \times G_{p_4}$. However, the challenge ciphertext in the game is one of the opponents randomly selected in $[c_0, c_1]$, so the advantage of the adversary A is 0.
We can prove that these games are indistinguishable based on Lemmas 1-6. If the Assumptions 1-4 hold, it can be proved that Game real and Game F1 are indistinguishable, so the adversary does not exist to break this solution with a non-negligible advantage. Proof. If there exists an advantage of adversary A such that Game real Adv A À Game 0 Adv A j j = e in Game real and Game 0 , then we can construct a simulator B to break Assumption 1 with Adv1 F, A (l) = e. B gets g, X 3 , X 4 , T and simulates Game real or Game 0 with adversary A.
Setup: B chooses a, a, a 0 2 R Z N , and Z 2 R G p 4 , then sets Y = e(g, g) a , h = g a 0 , and H = h Á Z and sends the system public parameter (PK) to A.
Phase 1: B has the response of A's key request. Since B knows the master secret key MSK = (a, h, X 3 ), it can generate a normal key through the key generation algorithm.
Challenge: Adversary A submits to simulator B two equal length messages m 0 and m 1 and two access policies A 0 0 = (M, r, c 0 ) and A 0 1 = (M, r, c 1 ) with the restriction that none of them can be satisfied by any of the queried attribute sets in phase 1. Let c b = (t r(1) , t r(2) , . . . , t r(') ). B flips a random coin b 2 f0, 1g and performs the following steps: t r(2) , . . . , t r(') ) and obtains r b associated the m b , then it does the following calculations sets the challenge ciphertext as CT b = ((M, r), C, C 0 , C 00 , fC 1, x , D 1, x g 1 ł x ł ' ) and sends it to A. If T G p 1 3 G p 2 , let T = g s g c 2 , then C = r b e(g, g) as , C 0 = g s g c Hence, this challenge ciphertext is semi-functional and B simulates game Game 0 , if T G p 1 , then B simulates Game real and it is normal ciphertext.
Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies A 0 0 and A 0 1 . Note that, if T G p 1 3 G p 2 , then B simulates Game 0 ; if T G p 1 , then B simulates Game Real . Finally, B can distinguish T and Adv1 F, A (l) = e according to the output of A.
Lemma 2. Suppose the algorithm F satisfies Assumption 2, then $Game_{k-1,3}$ and $Game_{k,1}$ are computationally indistinguishable.
Proof. If there exists an advantage of adversary A such that Game kÀ1, 3 Adv A À Game k, 1 Adv A j j = e in Game kÀ1, 3 and Game k, 1 , then we can construct a simulator B to break Assumption 2 with Adv1 F, A (l) = e. B gets g, X 1 X 2 , Y 2 Y 3 , X 3 , X 4 , and T and simulates Game kÀ1, 3 or Game k, 1 with adversary A.
Setup: B chooses a, a, a 0 2 R Z N , and Z 2 R G p 4 , then sets Y = e(g, g) a , h = g a 0 , and H = h Á Z and sends the system public parameter (PK) to A. B has the response of A's key query. Since B knows the master secret key, it can generate a normal key through the key generation algorithm.
Phase 1: B answers the jth secret key query associated with attribute set § = (x S , S). The procedure is as follow: and creates a semi-functional key of type 3. The specific steps are as follows Note that it is semi-functional of type 3, because the value of t,d,d 0 2 R Z N modulo p 2 is not uncorrelated to the value of the modulo p 3 .
2. For j.k, because B knows the master secret key MSK = (a, h, X 3 ), it can generate normal key through the key generation algorithm. 3. B responds to the kth secret key query and randomly selectsR,R 0 ,R i 2 R Z p 3 , where i 2 x S , then computes K = g a T aR0 , L = TR 0 , and fK i = T a 0 + s iR i g i2x S . The procession is as follow: , then generate semi-functional key of type 1 Note that the value of a, a 0 , s i modulo p 2 is not uncorrelated to the value of the modulo p 3 .

it is normal key.
Challenge: Adversary A submits to simulator B two equal length messages m 0 and m 1 and two access policies A 0 0 = (M, r, c 0 ), A 0 1 = (M, r, c 1 ) with the restriction that none of them can be satisfied by any of the queried attribute sets in Phase 1. B flips a random coin b 2 f0, 1g and performs the following steps: B selectss 2 R Z N and obtains r b associated the m b , then it does the following calculations , r), C, C 0 , C 00 , fC 1, x , D 1, x g 1 ł x ł ' ) and sends it to A. If T G p 1 3 G p 2 , let T = g s g c 2 , then C = r b e(g, g) as , C 0 = g s g c 2 C 1, x = T aM x Áṽ i T À(a 0 + t r(x) )rZ c, x g 2 We know this challenge ciphertext is semi-functional and the value of a, a 0 , ft r(x) g 1 ł x ł ' ,s, fṽ i g 1 ł x ł ' , and fr x g 1 ł x ł ' modulo p 1 is not uncorrelated to the value of the modulo p 2 .
Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies  Proof. If there exists an advantage of adversary A such that Game k, 1 Adv A À Game k, 2 Adv A j j = e in Game k, 1 and Game k, 2 , then we can construct a simulator B to break Assumption 2 with Adv2 F, A (l) = e. B gets g, X 1 X 2 , Y 2 Y 3 , X 3 , X 4 , and T and simulates Game k, 1 or Game k, 2 with adversary A.
Setup: B chooses a, a, a 0 2 R Z N , and Z 2 R G p 4 , then sets Y = e(g, g) a , h = g a 0 , and H = h Á Z and sends the system public parameter (PK) to A. B has the response of A's key request. Since B knows the master secret key MSK = (a, h, X 3 ), it can generate a normal key through the key generation algorithm.
Phase 1: B answers the jth secret key query associated with attribute set § = (x S , S). The first k 2 1 type 3 semi-functional keys and the kth and the following are constructed as normal keys according to the method of Lemma 2.
Similarly, to answer the kth key request, B additionally selects t 2 R Z N , and sets K = g a T aR (Y 2 Y 3 ) t , L = TR 0 , and fK i = T a 0 + s iR i g i2x S . The reason of making this change is to add (Y 2 Y 3 ) t term which randomizes the G p 2 part of the key component K. If , it is semi-functional key of type 2. Challenge: Same as Lemma 2. Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies  Proof. If there exists an advantage of adversary A such that Game k, 2 Adv A À Game k, 3 Adv A j j = e in Game k, 2 and Game k, 3 , then we can construct a simulator B to break Assumption 2 with Adv2 F, A (l) = e. B gets g, X 1 X 2 , Y 2 Y 3 , X 3 , X 4 , and T and simulates Game k, 2 or Game k, 3 with adversary A.
Setup: B chooses a, a, a 0 2 R Z N , and Z 2 R G p 4 , then sets Y = e(g, g) a , h = g a 0 , and H = h Á Z and sends the system public parameter (PK) to A. B has the response of A's key request. Since B knows the master secret key MSK = (a, h, X 3 ), it can generate a normal key through the key generation algorithm.
Phase 1: B answers the jth secret key query associated with attribute set § = (x S , S). The first k 2 1 type 3 semi-functional keys and the kth and the following are constructed as normal keys according to the method of Lemma 2.
B responds to the kth secret key query and randomly selects r, The procession is as follow: (a) If T G p 1 3 G p 2 3 G p 3 , let T = g t 0 g 2dR , then generate semi-functional key of type 3 Note that the value of t modulo p 2 is not uncorrelated to its value modulo p 3 .
(b) If $T \in G_{p_1} \times G_{p_3}$, it is a semi-functional key of type 2.
Challenge: Same as Lemma 2.
Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies $A'_0$ and $A'_1$. Note that, if $T \in G_{p_1} \times G_{p_2} \times G_{p_3}$, then B simulates $Game_{k,2}$; if $T \in G_{p_1} \times G_{p_3}$, then B simulates $Game_{k,3}$. Finally, B can distinguish $T$ and $\mathrm{Adv2}_{F,A}(l) = e$ according to the output of A.
Lemma 5. Suppose the algorithm F satisfies Assumption 3, then $Game_{q,3}$ and $Game_{F_0}$ are computationally indistinguishable.
Proof. If there exists an advantage of adversary A such that Game q, 3 Adv A À Game F0 Adv A = e in Game q, 3 and Game F0 , then we can construct a simulator B to break Assumption 3 with Adv3 F, A (l) = e. B gets g, g 2 , X 1 X 2 , Y 2 Y 3 , X 3 , X 4 , and T and simulates Game q, 3 or Game F0 with adversary A. Setup: B chooses a, a, a 0 2 R Z N , and Z 2 R G p 4 , then sets Y = e(g, g) a , h = g a 0 , and H = h Á Z and sends the system public parameter (PK) to A.
Phase 1: B answers the secret key query associated with attribute set $\mathcal{S} = (x_S, S)$ and selects $t, \tilde{d}, d' \in_R \mathbb{Z}_N$, $\{d_i \in_R \mathbb{Z}_N\}_{i \in x_S}$, and $R, R', R_i \in_R G_{p_3}$. Then, a semi-functional key of type 3 is created as follows: $K = (g^{\alpha} X_2) g^{at} R g_2^{\tilde{d}} = g^{\alpha} g^{at} R g_2^{d}$, where $g_2^{d} = X_2 g_2^{\tilde{d}}$.
Challenge: Adversary A submits to simulator B two equal-length messages $m_0$ and $m_1$ and two access policies $A'_0 = (M, \rho, c_0)$ and $A'_1 = (M, \rho, c_1)$, with the restriction that none of them can be satisfied by any of the attribute sets queried in Phase 1. B flips a random coin $b \in \{0, 1\}$ and performs the following steps: $t_{\rho(2)}, \ldots, t_{\rho(\ell)})$, and obtains $r_b$ associated the $m_b$, then it does the following calculations
4. B sets the challenge ciphertext as $CT_b = ((M, \rho), C, C', C'', \{C_{1,x}, D_{1,x}\}_{1 \le x \le \ell})$ and sends it to A. If $g^{s} Y_2 = g^{s} g_2^{c}$, then Note that the value of $a, a', \{t_{\rho(x)}\}_{1 \le x \le \ell}, s, \{\tilde{v}_i\}_{1 \le x \le \ell}, \{r_x\}_{1 \le x \le \ell}$ modulo $p_1$ is not uncorrelated to its value modulo $p_2$.
Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies $A'_0$ and $A'_1$. Note that, if $T = e(g, g)^{\alpha s}$, the challenge ciphertext is a semi-functional ciphertext generated by encryption of $m_b$, then B simulates $\mathrm{Game}_{q,3}$. Otherwise it is a semi-functional ciphertext that is encrypted by random messages in $G_T$, then B simulates $\mathrm{Game}_{F_0}$. Finally, B can distinguish $T$ with $\mathrm{Adv3}_{F,A}(\lambda) = \epsilon$ according to the output of A.
Lemma 6. Suppose the algorithm F satisfies Assumption 4, then $\mathrm{Game}_{F_0}$ and $\mathrm{Game}_{F_1}$ are computationally indistinguishable.
Proof. If there exists an adversary A such that $|\mathrm{Game}_{F_0}\mathrm{Adv}_A - \mathrm{Game}_{F_1}\mathrm{Adv}_A| = \epsilon$ in $\mathrm{Game}_{F_0}$ and $\mathrm{Game}_{F_1}$, then we can construct a simulator B to break Assumption 4 with $\mathrm{Adv4}_{F,A}(\lambda) = \epsilon$. B gets $g, g_2, g^{t'}, B_2, h^{t'} Y_2, X_3, X_4, hZ, g^{r'} D_2 D_4$, and $T$ and simulates $\mathrm{Game}_{F_0}$ or $\mathrm{Game}_{F_1}$ with adversary A.
Setup: B chooses $\alpha, a, a' \in_R \mathbb{Z}_N$ and $Z \in_R G_{p_4}$, then sets $Y = e(g, g)^{\alpha}$, $h = g^{a'}$, and $H = h \cdot Z$, and sends the system public parameter (PK) to A.
Phase 1: B answers the secret key query associated with attribute set $\mathcal{S} = (x_S, S)$ and selects $t \in_R \mathbb{Z}_N$ and $R, R', R_i \in_R G_{p_3}$. Then, a semi-functional key of type 3 is created as follows. We observe that $K = g^{\alpha} g^{at} R g_2^{d}$, $L = g^{t} R' g_2^{d'}$, and $= B_2^{\tilde{t}}$, and $g_2^{d_i} = B_2^{s_i \tilde{t}} Y_2^{\tilde{t}}$. Note that the value of $a, t, \{s_i\}_{1 \le i \le n}$ modulo $p_1$ is not uncorrelated to its value modulo $p_2$.
Challenge: Adversary A submits to simulator B two equal-length messages $m_0$ and $m_1$ and two access policies $A'_0 = (M, \rho, c_0)$ and $A'_1 = (M, \rho, c_1)$, with the restriction that none of them can be satisfied by any of the attribute sets queried in Phase 1. Let $c_b = (t_{\rho(1)}, t_{\rho(2)}, \ldots, t_{\rho(\ell)})$. B flips a random coin $b \in \{0, 1\}$ and performs the following steps: $t_{\rho(2)}, \ldots, t_{\rho(\ell)})$, and obtains $r_b$ associated the $m_b$, then it does the following calculations
Phase 2: Similar to Phase 1, but adversary A cannot query B for a set of attributes that satisfy the policies $A'_0$ and $A'_1$. Note that, if $T = h^{r'} A_2 A_4$, the challenge ciphertext is a semi-functional ciphertext generated by encryption of $m_b$, then B simulates $\mathrm{Game}_{F_0}$. If $T \in G_{p_1} \times G_{p_2} \times G_{p_3}$, it is a semi-functional ciphertext that is encrypted by random messages in $G_T$, and $C_{1,x}$ is a random element in $G_{p_1} \times G_{p_2} \times G_{p_3}$, then B simulates $\mathrm{Game}_{F_1}$. Finally, B can distinguish $T$ with $\mathrm{Adv4}_{F,A}(\lambda) = \epsilon$ according to the output of A.

Performance analysis
The scheme of this article is compared with those of Lai et al., 3 Yin et al., 5 and Zhang et al. 7 from the perspectives of function and performance. In the comparison, $G_{p_i}$ denotes the subgroup of order $p_i$, $G_{p_i p_j}$ denotes the subgroup of order $p_i p_j$, $N$ denotes the number of attributes in the attribute universe, $|\ell|$ denotes the number of rows of the matrix $M$, $|S|$ denotes the number of user attributes, and $|y|$ denotes the number of attribute sets that satisfy the policy. We use Exp, $\mathrm{Exp}_T$, and P to denote a modular exponentiation in $G$, a modular exponentiation in $G_T$, and a bilinear pairing operation, respectively. Because the main computing overhead of this scheme consists of bilinear pairing operations and modular exponentiations, modular multiplication and hash operations can be ignored.
Table 1 mainly compares the functionalities of the schemes. All of the schemes implement the policy-hiding function, and all are proven to be fully secure except the scheme proposed by Yin et al., 5 which is selectively secure under the standard model and does not support outsourced decryption operations. The schemes of Lai et al. 3 and Zhang et al. 7 are constructed on the composite order group, which realizes the full security of the scheme, but they do not support outsourced decryption either. The proposed scheme is based on the composite order group, and it not only realizes policy hiding but also supports outsourced decryption operations, which reduces the user's computational cost. In addition, it is proved to be fully secure under the standard model.
Table 2 mainly shows the comparison of the public key size (PK size), user's secret key size (SK size), and ciphertext size (CT size). Because the scheme proposed by Yin et al. 5 is based on the prime order group and the rest of the schemes are based on the composite order group, only the schemes of Lai et al., 3 Zhang et al., 7 and this article are analyzed in Table 2. It can be seen from Table 2 that the size of the proposed scheme's secret key is $|S| + 3$, while those of the schemes of Lai et al. 3 and Zhang et al. 7 are both $|S| + 2$. However, the CT size of the proposed scheme is much shorter, by $|\ell| + 1$ than in the scheme of Zhang et al. 7 and by $2|\ell| + 1$ than in the scheme of Lai et al., 3 and the PK size of the proposed scheme is shorter by $N$ than in the scheme of Lai et al. 3
Table 3 shows the computational overhead. In the encryption process, the exponentiation cost of this scheme is $(4|\ell| + 1)\mathrm{Exp} + 1\mathrm{Exp}_T$, which is much lower than that of the schemes of Lai et al. 3 and Zhang et al., 7 but slightly higher than that of the scheme proposed by Yin et al. 5 Since outsourced decryption is not supported in the schemes of Lai et al., 3 Zhang et al., 7 and Yin et al., 5 their decryption process can be separated into two phases: decryption match test and data decryption. The decryption match test first judges whether the policy is matched. If it is matched successfully, the decryption operation is performed. But the bilinear pairing operations and the modular exponentiations performed during decryption still increase linearly with the number of attributes. The proposed scheme transfers most of the decryption operations to the cloud server, and the cost of outsourced decryption is still less than that of the other schemes, so the DU in this scheme needs only 1 exponentiation to complete the decryption process, which greatly reduces the user's computational overhead.
The proposed scheme makes a trade-off between ciphertext size and cost of decryption. More precisely, the scheme accepts unnecessary decryption operations in order to reduce the ciphertext size. However, because decryption is performed by sufficiently powerful cloud nodes, the additional decryption operations are acceptable. From the analysis above, our scheme not only has the characteristics of outsourced decryption and policy hiding but also has certain performance advantages.

Experiment analysis
The theoretical analysis above shows that our scheme has more advantages in terms of function and efficiency. In order to evaluate the actual performance of the scheme more accurately, we further analyze the computing overhead through experiments, including the encryption time and the decryption time.
Experimental environment: Windows 10, Intel® Core™ i5-8300H (2.30 GHz), memory 8 GB. The experimental code is based on the Java Pairing-Based Cryptography library (JPBC-2.0.0) and the MyEclipse development environment. In the experiment, the pairing structure of type A is used to construct an elliptic curve $y^2 = x^3 + x$ on a finite field. The order of the group is $r$, and the order of the base field is $q$. Here, we take $r$ = 160 bit and $q$ = 512 bit, and the pairing operation and modular exponentiation invoke pairing.pairing() and G-1.powZn(), respectively, in the library for testing.
Experimental setup: In the ciphertext-policy ABE scheme, the number of attributes in the access policy affects the encryption and decryption time. Because the high computational overhead is outsourced to the cloud server, we only test the computing time of the terminal device. In the experiment, we set the number of attributes to 50 and increase it by 10 each time, generating five different access policies. To compare the computing time of the terminal user under different access policies, we tested 10 times for each policy and took the average value as the experimental result. Figure 2 has two subgraphs (Figure 2(a) and (b)), which represent the execution time of the DO's encryption and the execution time of the DU's decryption. In Figure 2(a), we can see that the execution time of the proposed scheme is lower than the computational time of other schemes of Lai et al. 3 and Yin et al., 5 but slightly higher than the calculation time of the scheme proposed by Yin et al. 5 In Figure 2(b), during the user's decryption, the schemes of Lai et al., 3 Yin et al., 5 and Zhang et al. 7 do not support the outsourced decryption operation, and they involve the computational cost of the bilinear pairing operation, with the computational cost increasing linearly with the number of attributes. This scheme achieves outsourced decryption operations and verification operations, so the user only needs to perform a constant number of exponentiations, which greatly reduces the user's computational overhead. By comprehensive analysis, the proposed scheme is superior to other schemes in terms of function, communication, and computational burden, so it is effective and feasible in the application of cloud computing.
Table 3 (computational overhead; cells separated by semicolons):
Lai et al. 3: $(7|\ell| + 2)\mathrm{Exp} + 2\mathrm{Exp}_T$; -; $1|y|\mathrm{Exp} + 1\mathrm{Exp}_T + (|y| + 2)\mathrm{P}$; $|y|\mathrm{Exp} + |y|\mathrm{Exp}_T + (|y| + 2)\mathrm{P}$
Yin et al. 5: $(|\ell| + 2)\mathrm{Exp} + 3\mathrm{Exp}_T + 1\mathrm{P}$; -; $1\mathrm{Exp}_T + 1\mathrm{P}$; $(|y| + 2)\mathrm{Exp}_T + (|y| + 1)\mathrm{P}$
Zhang et al. 7: $(6|\ell| + 2)\mathrm{Exp} + 2\mathrm{Exp}_T$; -; $2|y|\mathrm{Exp} + 2\mathrm{P}$; $|y|\mathrm{Exp} + |y|\mathrm{Exp}_T + (|y| + 2)\mathrm{P}$
This article: $(4|\ell| + 1)\mathrm{Exp} + 1\mathrm{Exp}_T$; $|y|\mathrm{Exp}_T + (2|y| + 1)\mathrm{P}$; -; $1\mathrm{Exp}_T$
DO: data owner; DU: data user.

Conclusion
In order to solve the problems of privacy protection and heavy computing overhead in the cloud outsourcing environment, this article proposes a partial policy-hiding ABE scheme that can verify the result of outsourced decryption. The privacy of user attributes is realized by dividing each attribute into two parts, attribute name and attribute value: the attribute name is disclosed and the attribute value is concealed. The bilinear pairing operations and modular exponentiations of decryption are outsourced to the cloud server, and the outsourced calculation results are verified to ensure the accuracy of the returned results. It is proved that the scheme, based on static assumptions, achieves full security under the standard model. Finally, theoretical and experimental analysis shows that our scheme has more advantages than other schemes.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.