Comment on “An Efficient ABE Scheme With Verifiable Outsourced Encryption and Decryption”

Recently in IEEE Access (DOI: 10.1109/ACCESS.2018.2890565), Li et al. proposed a secure outsourcing algorithm for modular exponentiation in the single untrusted server model and a new method of generating transformation keys. They claimed that their solution can securely outsource encryption and decryption to an untrusted ESP (encryption service provider) and DSP (decryption service provider), leaving only a constant number of simple operations for the DO (data owner) and eligible users to perform locally. In addition, both the DO and qualified users can check the correctness of the results returned from the ESP and DSP, respectively. Although the authors provide security proofs for their scheme, after carefully examining it we find that the scheme has security vulnerabilities. These vulnerabilities allow an adversary to generate the sub-key for any attribute and to replace a ciphertext sub-item, either of which lets the adversary break the scheme. In response to this problem, we propose an improved scheme and prove its security.


I. INTRODUCTION
In 2019, Li et al. [1] proposed an ABE scheme with verifiable outsourced encryption and decryption, which securely outsources encryption and decryption to an untrusted ESP and DSP, respectively. Qualified users only need to perform a constant number of simple operations locally to complete the encryption and decryption work. In addition, the DO and qualified users can verify the correctness of the results returned from the ESP and DSP. The scheme comes with a security analysis which proves the data confidentiality and outsourcing security of the proposed access control system.
However, this scheme has two security vulnerabilities. The first is that any user can construct the sub-key corresponding to any attribute from his own private key. The second is that any ciphertext sub-item related to an attribute can be replaced. Together, the two vulnerabilities mean that any user can make his private key satisfy any access policy, either by modifying his private key or by modifying the ciphertext related to the access policy, and can then decrypt the ciphertext of any file to which he has no right of access.
For the detailed analysis, see Section III.
The associate editor coordinating the review of this manuscript and approving it for publication was Jenny Mahoney.

II. REVIEW OF THE LI ET AL.'S SCHEME
We recapitulate Li et al.'s scheme [1]. It consists of the following seven algorithms.

1) Setup($U$): Given the attribute universe $U$, this algorithm first chooses a group $G$ of prime order $p$, a generator $g$ of $G$ and a hash function $H:\{0,1\}^* \to \mathbb{Z}_p^*$, which maps any attribute described as a binary string to a random element of $\mathbb{Z}_p^*$. It randomly picks exponents $\alpha, a \in \mathbb{Z}_p^*$ and sets the public parameters $PK = (g, e(g,g)^a, g^a, H)$ and the master secret key $MSK = g^\alpha$.

2) Keygen($PK$, $MSK$, $I_{key}$): Given the public parameters $PK$, the master secret key $MSK$ and $I_{key} \in U$, where $I_{key}$ is an attribute set $S$, it first randomly chooses $t \in \mathbb{Z}_p^*$. It then generates the private key $SK = (K = g^\alpha g^{at},\; L = g^t,\; \forall x \in S: K_x = g^{H(att(x))t})$.

3) Encryption($PK$, $M$, $(M, \rho)$): Given the public parameters $PK$, this algorithm is executed by the DO with the cooperation of the ESP. The DO wants to encrypt a message $M$ under an LSSS access structure $(M, \rho)$, where $M$ is an $l \times n$ matrix and the function $\rho$ associates the rows of $M$ with attributes. The DO chooses a random $s \in \mathbb{Z}_p^*$ and a random vector $v = (s, y_2, y_3, \ldots, y_n) \in \mathbb{Z}_p^n$, and calculates from $v$ the shares $\lambda_i$ of $s$. The DO also chooses random $r_1, \ldots, r_l \in \mathbb{Z}_p$ and obtains the ciphertext $CT = \{C = M \cdot e(g,g)^{as},\; C' = g^s,\; \ldots\}$. The first two items $(C, C')$ of $CT$ are computed by the DO; the remaining items are computed with Algorithm 1 and Algorithm 2 under the cooperation of the ESP.

4) GenTK($SK$): This algorithm takes the private key $SK = (K, L, \{K_x\}_{x \in S})$ as input. It randomly chooses two values $z_1, z_2 \in \mathbb{Z}_p^*$ and one $K_j$ among the $K_x$; note that the attribute $j \in S$ must be one that is necessary to fully decrypt $CT$. It then generates two transformation keys $TK_1$ and $TK_2$, whose corresponding retrieving keys are $RK_1$ and $RK_2$, respectively. Finally, the user sends $TK_1$ and $TK_2$ to $DSP_1$ and $DSP_2$.

5) Transform$_{out}$($CT$, $TK_1$, $TK_2$, $PK$): In this algorithm, $DSP_i$, for $i = 1, 2$, takes $PK$, $CT$ and the corresponding key $TK_i$ as input and outputs a partially decrypted ciphertext $CT^{[i]}$. If the attribute set $S = I_{key}$ satisfies the access structure $(M, \rho)$, let $I \subset \{1, 2, \ldots, l\}$ be defined as in [1]; if the $\lambda_i$ are valid shares of any secret $s$ according to $M$, then there exist constants $\omega_i$ such that $\sum_{i \in I} \omega_i \lambda_i = s$. After the computations by $DSP_1$ and $DSP_2$, the user obtains the transformed ciphertext $CT' = (CT^{[1]}, CT^{[2]})$.

6) CheckCorrectness($RK^{[1]}$, $RK^{[2]}$, $CT^{[1]}$, $CT^{[2]}$, $PK$): Given $CT^{[i]}$ and $RK_i$, it checks the correctness of the computation performed by $DSP_i$, for $i = 1, 2$. If the outputs of $DSP_1$ and $DSP_2$ are correct, it outputs $CT^*$.

7) Decryption($PK$, $CT$, $CT^*$): After the CheckCorrectness algorithm outputs $CT^*$, the decryption algorithm takes $CT^*$ and $CT$ as input, computes $M = C / CT^*$ and outputs the message $M$.

VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

III. CRYPTANALYSIS
There are two evident vulnerabilities in Li et al.'s scheme. The first is that the sub-key $g^{H(x)t}$ related to an attribute $x$ is easy to obtain from the known $g^t$ and $H(x)$ in a user's private key. The second is that the sub-item $g^{a\lambda_i}$ is easy to obtain from the known $g^{r_i}$ and $H(A)$ in a ciphertext.

Method 1: Generating sub-keys. Consider a queried private key for an attribute set $S$, where $S$ does not satisfy the challenger's access structure $(M^*, \rho^*)$. Using $g^t$ or $g^{H(x)t}$ from the private key, the adversary can obtain the sub-key $g^{H(y)t}$ of any attribute $y \notin S$, since $H(y)$ is public and $(g^t)^{H(y)} = g^{H(y)t}$. The adversary thus sets up a set $S'$ that satisfies the challenger's access structure $(M^*, \rho^*)$ and, in the above way, generates the private key component for every attribute $y$ in $S'$.

Method 2: Replacing ciphertext. Similar to the private key, the ciphertext is easily replaced, too. Given the ciphertext sub-item for an attribute $A$ (in the form of [1]), the known $g^{r_i}$ and $H(A)$ let one compute a sub-item in which the hash value of the attribute $A$ is replaced by the hash value of another attribute $B$.

Therefore, with the above two methods the adversary can make the queried user's private key match the challenger's access structure, decrypt the challenge ciphertext to obtain the plaintext $m_v$, and output a correct guess $v'$ of $v$, i.e., $v' = v$ with probability 1.

IV. OUR SCHEME
In response to the above security loopholes, we revise the original scheme and propose a new one. The key change is to modify the key generation algorithm so as to remove the security risk in the $K_x$ component.
The specific changes are as follows:

1) Setup($U$): It additionally defines a hash function $H_1:\{0,1\}^* \to G$ and outputs $PK = (g, e(g,g)^a, g^a, H, H_1)$ together with $MSK$.

2) Keygen($PK$, $MSK$, $I_{key}$): The algorithm chooses a random $t \in \mathbb{Z}_p^*$ and generates the private key $SK$, whose sub-keys are now formed with $H_1$ (Section V states the exact change relative to Waters' scheme). Note that only the items $(D_i)_{i=1}^{l}$ are computed under the cooperation of the ESP, as in Algorithm 2 of the original scheme.
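As an added illustration (not code from this comment or from Li et al.'s paper), the following Python toy reproduces Method 1 of Section III against the original key shape $K_x = g^{H(x)t}$ and shows that the same computation no longer yields a valid sub-key once the repaired Keygen of this section forms $K_x$ from a group-valued hash $H_1$. The group (Z_p^* for a Mersenne prime), the base, the hash instances and the attribute names are all constructed for the demo.

```python
import hashlib
import secrets

# Constructed toy group: Z_p^* for the Mersenne prime p = 2^127 - 1. The real scheme
# uses a prime-order bilinear group, but the sub-key argument does not need a pairing.
P = 2**127 - 1
G = 3  # fixed base standing in for the generator g


def H(attr: str) -> int:
    """Li et al.'s H: {0,1}^* -> Z_p^*, a hash into the EXPONENT space (toy instance)."""
    d = int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big")
    return d % (P - 2) + 1


def H1(attr: str) -> int:
    """Repaired scheme's H_1: {0,1}^* -> G, a hash into the GROUP; log_g H_1(x) is unknown."""
    d = int.from_bytes(hashlib.sha256(b"H1|" + attr.encode()).digest(), "big")
    return d % (P - 1) + 1


def keygen_original(attrs, t):
    """Original sub-keys K_x = g^{H(x) t}, returned together with L = g^t."""
    return pow(G, t, P), {x: pow(G, H(x) * t, P) for x in attrs}


def forge_subkey_original(L, y):
    """Method 1: (g^t)^{H(y)} = g^{H(y) t}, using only L and the public hash H."""
    return pow(L, H(y), P)


def keygen_fixed(attrs, t):
    """Repaired sub-keys K_x = H_1(x)^{H_2(x) t} with H_2 := H; g^t alone no longer suffices."""
    return pow(G, t, P), {x: pow(H1(x), H(x) * t, P) for x in attrs}


def demo():
    """(forgery works on original, forgery works on repaired) for 'B' not in S = {'A'}."""
    t = secrets.randbelow(P - 2) + 1
    L, _ = keygen_original(["A"], t)
    _, honest = keygen_original(["B"], t)          # what Keygen would issue for 'B'
    broken = forge_subkey_original(L, "B") == honest["B"]
    L2, _ = keygen_fixed(["A"], t)
    _, honest2 = keygen_fixed(["B"], t)
    still_broken = forge_subkey_original(L2, "B") == honest2["B"]  # same trick, new key shape
    return broken, still_broken
```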

V. SECURITY PROOF
The proof in this article builds on Waters' scheme [2]. If Waters' scheme achieves selective CPA (sCPA) security, then the scheme in this article also achieves sCPA security.

Proof: The scheme proposed in this article is similar to Waters' scheme in both the ciphertext and the key form. Compared with Waters' scheme, the scheme proposed in this paper uses $H_1(x)^{H_2(x)}$ instead of $H(x)$ in the original scheme.

Assume there is an adversary $\mathcal{A}$ that breaks the scheme in this paper with non-negligible advantage under the decisional q-BDHE assumption; then a simulator $\mathcal{B}$ can be constructed that breaks Waters' scheme with non-negligible advantage. The simulation performed by $\mathcal{B}$ follows Waters' large-attribute-space construction.

Initialization: The simulator $\mathcal{B}$ obtains the system public key $PK = (g, e(g,g)^a, g^a, H_1, H_2, H)$ from the challenger $\mathcal{C}$, where $H(\rho(x)) = H_1(\rho(x))^{H_2(\rho(x))}$, and sends it to the adversary $\mathcal{A}$ as its own public key.

Phase 1: The adversary $\mathcal{A}$ sends the attribute set $S_{\mathcal{A}}$ to the simulator $\mathcal{B}$; the simulator uses $S_{\mathcal{A}}$ as its own attribute set to obtain the private key $SK_{S_{\mathcal{A}}}$ from the challenger $\mathcal{C}$ and forwards it to $\mathcal{A}$.

Challenge: The simulator $\mathcal{B}$ submits two challenge messages $M_0$ and $M_1$ to the challenger $\mathcal{C}$. The challenger $\mathcal{C}$ chooses a random $b \in \{0, 1\}$ and encrypts $M_b$; the challenge ciphertext is $CT^* = \{C = M_b \cdot e(g,g)^{as},\; C' = g^s,\; \ldots\}$. The simulator $\mathcal{B}$ sends $CT^*$ to the adversary $\mathcal{A}$.

Phase 2: The Phase 1 queries are repeated.

Guess: If the adversary $\mathcal{A}$ outputs the guess $b'$ for $b$, then $\mathcal{B}$ also outputs $b'$.

In summary, the simulator $\mathcal{B}$ perfectly simulates the adversary $\mathcal{A}$'s game against Waters' scheme. If the adversary $\mathcal{A}$ can break the scheme in this article with non-negligible advantage, it can also break Waters' scheme with non-negligible advantage.

VI. CONCLUSION
We identify two vulnerabilities in Li et al.'s scheme that expose it to two attacks: generating the sub-key of any attribute and replacing the ciphertext. Either attack enables the adversary to decrypt any ciphertext, by modifying his private key to match the ciphertext or by modifying the ciphertext to match his private key. Therefore, Li et al.'s scheme is insecure and cannot withstand chosen-plaintext or chosen-ciphertext attacks. Finally, in response to these problems, we propose a new algorithm that improves the security of the basic scheme.