Attribute-Based Equality Test Over Encrypted Data Without Random Oracles

Sensitive data is usually encrypted before being uploaded to the cloud for privacy reasons. However, how to compare the encrypted data efficiently becomes a problem. Public Key Encryption with Equality Test (PKEET) provides an efficient way to check whether two ciphertexts (of possibly different users) contain the same message without decryption. As an enhanced variant, Attribute-based Encryption with Equality Test (ABEET) provides a flexible mechanism of authorization on the equality test. Most of the existing ABEET schemes are only proved to be secure in the random oracle model. Their security, however, would not be guaranteed if random oracles are replaced with real-life hash functions. In this work, we propose a construction of a CP-ABEET scheme and prove its security based on some reasonable assumptions in the standard model. We then show how to modify the scheme to outsource complex computations in decryption and equality test to a third-party server in order to support thin clients.


I. INTRODUCTION
The rapid development of cloud computing has brought a variety of convenient services to enterprises and individuals, including cloud storage. Users can upload massive data to the cloud, saving storage overhead while effectively avoiding data loss. Considering the privacy of the data, users generally prefer to encrypt private data and store it in the cloud instead of storing it directly in plaintext form. This also makes it inconvenient for users to search for the data they want in the traditional method. An easy way to address it is to download the files locally, decrypt them, and then search over them. However, it is not practical because it requires a large computation and storage cost. In order to solve the above problems, searchable encryption [1], [2] emerged.
As time goes by, the more files users upload, the greater the possibility of data redundancy in the cloud, i.e. the encrypted version of the data uploaded by the user may be the same. This kind of data redundancy will bring a great storage burden to cloud computing. Therefore, it is necessary to find and delete duplicated files to optimize the cloud storage. Encrypted data deduplication has attracted many researchers' attention. The technique of checking whether two ciphertexts contain the same message is a key to this problem. In addition, new data management requirements arise when considering enterprise data storage. Access control for (encrypted) data also needs to be considered in the enterprise. In a large company, access control of (encrypted) data can be staggered. It is necessary that users with different responsibilities (that is, attributes) have access to the corresponding encrypted data.
The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.
Public Key Encryption with Equality Test (PKEET), introduced by Yang et al. [3], is a variant of Public Key Encryption with Keyword Search (PEKS) [1]. It allows the server to check whether two ciphertexts generated under (possibly) different public keys contain the same message without decryption, which is not supported by PEKS. However, [3] allows anyone to execute the equality test, which runs the risk of privacy leakage. To solve this issue, Tang [4]-[6] and Ma et al. [7] designed different PKEET schemes supporting different kinds of authorization mechanisms.
It is well known that Attribute-based Encryption (ABE) enjoys the advantage of flexible access control. The combination of ABE and PKEET simplifies the key management of PKEET and makes its authorization more flexible. Recently, Zhu et al. [8] introduced the notion of Key-policy Attribute-based Encryption with Equality Test (KP-ABEET). Wang et al. [9] and Cui et al. [10] studied the ciphertext-policy counterpart and presented their constructions of Ciphertext-policy Attribute-based Encryption with Equality Test (CP-ABEET). Taking CP-ABEET as an example, it embeds an access policy in the encryption of a message, so that only an authorized receiver whose attribute set satisfies the embedded policy can successfully decrypt and test the ciphertexts.
CP-ABEET can effectively solve the aforementioned problems. Figure 1 illustrates the system model of CP-ABEET. The company sets different attributes (such as financial data, warehouse data), and assigns the private key to each employee according to their responsibilities in the form of a set of attributes. Data is encrypted with an access policy embedded. When the attribute set satisfies the access policy, the employee can decrypt the data and process it. (For example, if the attributes of Receiver 2 only match files 2 and 3, he can only decrypt files 2 and 3, but not files 1 and 4.) This also means that there is no need to re-encrypt the data if the attributes of employees change as a result of a job change. New employees can also directly process the data which has been encrypted before they entered the company. The third-party server periodically checks the encrypted data, deletes duplicate data and frees up storage space. In this process, the server cannot extract the information contained in the encrypted data, and encrypted data deduplication does not affect the use of data.

A. RELATED WORKS
The notion of PKEET was introduced by Yang et al. [3] in 2010 as a new variant of searchable encryption mechanism. A fascinating feature of PKEET is that users could check whether two ciphertexts contain the same message without decryption. In [3], any entity can perform the equality test on ciphertexts. Due to the lack of access control, there is a risk of information leakage on users' private data. Therefore, Tang [4] proposed the notion of Fine-grained authorization policy PKEET (FG-PKEET) to realize the accurate authorization, which only allows two authorized users to perform the equality test. Furthermore, Ma et al. [11] proposed Public key encryption with delegated equality test (PKE-DET), which only allows the delegated party to test. To make the authorization more flexible, Ma et al. [7] proposed a flexible PKEET scheme, which supports four types of authorization. Subsequently, a variety of enhanced schemes [12]-[14] have been proposed to improve security. Zhang et al. [12] proposed an efficient PKEET scheme under a specific cryptographic assumption in the standard model.
To solve the problem of complex certificate management in the PKI setting, Ma [15] combined Identity-based Encryption (IBE) with PKEET and introduced the notion of Identity-based Encryption with Equality Test (IBEET). Users in an IBEET scheme use their identity-related keys to generate the trapdoor, which thereby achieves the equality test on its ciphertexts. However, if the server is curious, it may illegally benefit from launching a brute force attack against the encrypted data, because ciphertexts can be generated publicly. To solve this problem, Wu et al. [16] presented an IBEET scheme against insider attacks. Later, Wu et al. [17] proposed another efficient IBEET scheme which reduces the use of the time-consuming Hash-to-Point function. In their scheme, it is restricted that only particular keywords can be tested in order to improve the security level.
As an extension of IBE, ABE [18] supports a more flexible authorization mechanism. There are two variants of ABE: Key-policy Attribute-based Encryption (KP-ABE) [19]-[21] and Ciphertext-policy Attribute-based Encryption (CP-ABE) [22]-[24]. In the former, each user is associated with an access policy, and encryption is done w.r.t. an attribute set; in the latter, each user is associated with a set of attributes, and encryption is done w.r.t. an access policy. In each variant, only if the attribute set satisfies the access policy will the decryption succeed. However, ABE schemes suffer from the problem of complex computation. Complexity of ABE schemes usually increases along with the access policy. Green et al. [25] suggested securely outsourcing the heavy computation in decryption of an ABE ciphertext to a third-party server, and proposed a concrete scheme, which significantly reduces the overhead of users.
Zhu et al. [8] first proposed the construction of a KP-ABEET scheme, which is a combination of KP-ABE and PKEET and provides a more flexible authorization mechanism than previous works. Later, Wang et al. [9] proposed a construction of a CP-ABEET scheme. Recently, Cui et al. [10] proposed another CP-ABEET scheme, which enhances the security of [9]. Then, Cui et al. [26] provided another CP-ABEET scheme, which supports outsourcing the dominating computations of decryption and equality test to a third party. Its security is proved in the random oracle model. However, a real-life hash function is a deterministic algorithm, which cannot guarantee that the output of the algorithm is completely random and uniformly distributed. If we replace the random oracles with real-life hash functions, the security may no longer be guaranteed. How to construct a secure and efficient ABEET scheme in the standard model remains an open problem.

B. OUR CONTRIBUTIONS
In this paper, we study the construction of CP-ABEET in the standard model.
• We propose a new CP-ABEET scheme, which is inspired by Zhang et al. [12] and adopts the technique of Lai et al. [27] in constructing a CCA-secure PKE scheme to eliminate the reliance on the random oracle heuristic. Specifically, to encrypt a message, we use a linear secret sharing scheme to share a secret random value $s$, and use $s$ to hide both the message and its hash. Then we use Lai et al.'s technique to ensure the ciphertext's integrity. In both the decryption and the test algorithm, one should first use the decryption key or the trapdoor to reconstruct (an exponentiated form of) the random $s$, and then recover the message or its hash value.
• We prove the security of our CP-ABEET scheme in the standard model based on some reasonable mathematical assumptions. Namely, an unauthorized adversary could not distinguish which message is encrypted for a given ciphertext, while an authorized adversary should not be able to recover the message from a given ciphertext.
• In order to support thin clients (and resource-limited devices), we modify the scheme to outsource complex computations in decryption and equality test to a third-party server, and present an outsourced CP-ABEET scheme.
• We implement our schemes using the Java Pairing-Based Cryptography (JPBC) library. Experiment results show that they have comparable and even better efficiency than their counterparts in the random oracle model.

C. PAPER ORGANIZATION
We introduce some necessary preliminaries in Sect. II, and give the definition of CP-ABEET scheme and its security models in Sect. III. We describe our concrete construction of CP-ABEET scheme in Sect. IV, and prove its security in Sect. V. The outsourced construction of CP-ABEET scheme is given in Sect. VI. We provide a comparison of our schemes with some typical related schemes in the literature in Sect. VII. Experiment results are also given here. Finally, we conclude the paper in Sect. VIII.

II. PRELIMINARIES

A. ACCESS STRUCTURE
Definition 1 (Access Structure [28]): Let $P = \{P_i\}_{i=1}^{n}$ be a set of $n$ parties, and $A$ be a subset of $2^P$. We say A is \{∅} is called a monotone access structure. Sets in $A$ are authorized, and those outside of $A$ are unauthorized.
In this paper, we consider monotone access structures. We use attributes to represent parties, and represent the authorized sets of parties in access structure $A$ as sets of attributes.
Definition 2 (Linear Secret Sharing Scheme [29]): We say a secret sharing scheme over a set of parties P is linear (over Z p ) if the following conditions hold.
1) For each party in $P$, the secret shares form a vector over $Z_p$.
2) There exists a share generating matrix $M$ of size × $n$.
We use a map $\rho(\cdot)$ to connect each row of $M$ with its corresponding party in $P$. Let $s \in Z_p$ be the secret to be shared, and $r_2, \cdots, r_n$ be random elements of $Z_p$. The vector $Mv$, where $v = (s, r_2, \cdots, r_n)$, contains the shares of $s$ according to , and $(Mv)_i$ is the share belonging to party $\rho(i)$. There is an efficient linear reconstruction algorithm which can find a set of constants $\{w_i\}$ for recovering the secret $s$, e.g. $\sum_{i \in I} w_i \lambda_i = s$, where $I$ is the set of indices of parties in an authorized set and $\{\lambda_i\}$ are valid shares of $s$ generated by [29].
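Definition 2 made concrete, as an added example rather than code from the paper: share generation $Mv$, recovery of the constants $\{w_i\}$ by Gaussian elimination over $Z_p$, and, for an unauthorized attribute set, the vector $w$ with $w_1 = -1$ and $w \cdot M_i = 0$ that the private key query in the security proof relies on. The policy (A AND B) OR C, its matrix, the 61-bit modulus and all function names are assumptions constructed for illustration.

```python
"""LSSS over Z_p for the constructed policy (A AND B) OR C (added example)."""
import secrets

P = 2**61 - 1  # toy prime modulus, constructed for this example

# Share-generating matrix M (3 rows, 2 columns); RHO[i] is the party of row i.
M = [[1, 1],    # row 0 -> attribute A
     [0, -1],   # row 1 -> attribute B
     [1, 0]]    # row 2 -> attribute C
RHO = ["A", "B", "C"]
N = len(M[0])
E1 = [1] + [0] * (N - 1)  # target vector (1, 0, ..., 0)


def solve_mod(A, b, p=P):
    """Return one x with A x = b (mod p), or None if the system is inconsistent."""
    rows, cols = len(A), (len(A[0]) if A else 0)
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue  # free column
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):
        return None  # zero row with non-zero right-hand side
    x = [0] * cols  # free variables are set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][-1]
    return x


def rows_of(attrs):
    """I = {i : rho(i) in S} for an attribute set S."""
    return [i for i, a in enumerate(RHO) if a in attrs]


def share(secret, rng=None):
    """Shares lambda_i = (M v)_i with v = (s, r_2, ..., r_n)."""
    rng = rng or secrets.SystemRandom()
    v = [secret % P] + [rng.randrange(P) for _ in range(N - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def reconstruction_constants(attrs):
    """Constants {i: w_i} with sum_i w_i * M_i = (1, 0, ..., 0), or None."""
    idx = rows_of(attrs)
    A = [[M[i][j] for i in idx] for j in range(N)]  # transpose of M restricted to I
    w = solve_mod(A, E1)
    return None if w is None else dict(zip(idx, w))


def reconstruct(shares, attrs):
    """Recover s from the shares held by attrs; None if attrs is unauthorized."""
    w = reconstruction_constants(attrs)
    if w is None:
        return None
    return sum(wi * shares[i] for i, wi in w.items()) % P


def orthogonal_vector(attrs):
    """For an unauthorized S: w with w_1 = -1 and w . M_i = 0 for all i in I.

    Returns None when S is authorized, because (1, 0, ..., 0) then lies in the
    span of the rows M_i and no such w exists.
    """
    idx = rows_of(attrs)
    A = [M[i] for i in idx] + [E1]
    b = [0] * len(idx) + [-1]
    return solve_mod(A, b)


if __name__ == "__main__":
    lam = share(123456789)
    for S in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        print(sorted(S), reconstruct(lam, S), orthogonal_vector(S))
```

Exactly one of `reconstruction_constants` and `orthogonal_vector` succeeds for any attribute set, which is the dichotomy the simulator uses when it answers key queries for sets that do not satisfy the challenge policy.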

B. BILINEAR PAIRING
Given cyclic groups $G$, $G_T$ of prime order $p$ and a generator $g$ of $G$, we say $e : G \times G \to G_T$ is a bilinear pairing if (1) $\forall g_1, g_2 \in G$, $\forall x, y \in Z_p$, $e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$; (2) $e(g, g) \neq 1_{G_T}$; and (3) $\forall g_1, g_2 \in G$, $e(g_1, g_2)$ can be computed in polynomial time.

C. MATHEMATICAL ASSUMPTION
The Decisional q-parallel Bilinear Diffie-Hellman Exponent (Decisional q-BDHE) assumption [28] is defined as follows. Suppose $G$ is a group of prime order $p$, and $g$ is a generator. Randomly choose $s, a, b_1, \cdots, b_q \in Z_p$. If an adversary is given $y := G, p, g, g^s, g^a, \cdots, g^{(a^q)}$, , $g^{(a^{q+2})}, \cdots, g^{(a^{2q})}$, it could not distinguish $e(g, g)^{a^{q+1} s}$ from a random element $R \in G_T$.

Definition 3 (Decisional q-BDHE Assumption):
We say that the Decisional q-BDHE assumption holds if for any probabilistic polynomial-time (PPT) adversary A, we have:

Definition 4 (CP-ABEET):
A CP-ABEET scheme is defined by the following PPT algorithms.
• Setup($1^k$, $U$): It takes as input a security parameter $1^k$ and the maximal number $U$ of attributes in the system, and returns the system parameters SP and a master secret key Msk.
• KeyGen(SP, Msk, S): It takes as input SP, Msk and a set S of attributes, and returns a private key $Sk_S$.
• Enc(SP, $(M, \rho)$, m): It takes as input SP, an access structure $(M, \rho)$ and a message m, and returns a ciphertext Ct.
• Dec(Ct, $Sk_S$): It takes as input a ciphertext Ct and a private key $Sk_S$, and returns a plaintext m or a special symbol ⊥ indicating decryption failure.
• Trapdoor(SP, Msk, S): It takes as input SP, Msk and a set S of attributes, and returns a trapdoor $Td_S$.
It takes as input a ciphertext $Ct_A$ and a trapdoor $Td_{S_A}$ of user A, and a ciphertext $Ct_B$ and a trapdoor $Td_{S_B}$ of user B, and returns 1 if $Ct_A$ and $Ct_B$ contain the same plaintext, and 0 otherwise.

B. SECURITY MODELS
Below we define a security property of CP-ABEET, called one-wayness against selective access structure and chosen ciphertext attacks (OW-SAS-CCA) security against authorized adversaries. The adversary cannot recover the message from a given ciphertext even if it is given the corresponding trapdoor.

Game-I: Let A be an authorized adversary.
1) Setup: A chooses a challenge access structure $(M^*, \rho^*)$ and submits it to C. Then C generates SP and Msk, publishes SP and keeps Msk secret.
2) Query Phase 1: A is allowed to issue the following queries for polynomially many times.
• Private key Query: Given an attribute set S, it returns the corresponding decryption key $Sk_S$.

IV. OUR CONCRETE CONSTRUCTION
In this part we present our concrete construction of CP-ABEET scheme. It works as below.
• Setup($1^k$, $U$): With a security parameter $1^k$ and the maximal number $U$ of attributes in the system, the setup algorithm computes as follows:
- Choose the groups $G$ and $G_T$ of prime order $p$ along with a bilinear pairing $e : G \times G \to G_T$, and a generator $g$ of $G$.
- Choose the random exponents $a, \alpha, \beta, k_1, k_2, k_3 \in Z_p$ and $h \in G$, and compute $g^a$, $g_1 = g^\alpha$, $h_U \in G$ that are associated with the $U$ attributes in the system.
- Choose two collision-resistant hash functions: $H_1$ : where is the number of rows of an LSSS matrix.
as the master secret key.
• KeyGen(SP, Msk, S): The key generation algorithm randomly chooses $t, t \in Z_p$, computes and returns the following private key $Sk_S$: The encryption algorithm chooses a random vector $\omega = (s, y_2, \cdots, y_n) \in Z_p^n$, and computes $\lambda_i = M_i \cdot \omega$ for $i = 1$ to , where $M_i$ is the vector corresponding to the $i$-th row of $M$. Then it randomly chooses $r_0, r_1, \cdots, r \in Z_p$, and computes
• Trapdoor(SP, Msk, S): The trapdoor algorithm randomly chooses $t \in Z_p$, sets and returns the trapdoor as Then we define the set For both A and B, the algorithm computes $X$ as below: Notice that here we omit the subscripts A, B for simplicity. Then it computes and outputs 1 if $H_A = H_B$, and 0 otherwise. Correctness of our scheme can be verified straightforwardly, so we omit it here.

V. SECURITY ANALYSIS
In this section, we analyze the security of our CP-ABEET scheme and prove in the standard model that our scheme is OW-SAS-CCA secure and IND-SAS-CCA secure under the security models given in Sect. III-B.
A. OW-SAS-CCA SECURITY
Theorem 1: Suppose that the decisional q-BDHE assumption holds, our CP-ABEET scheme is OW-SAS-CCA secure against authorized adversaries in the standard model.
Proof: Based on the security model defined in Section III-B, we simulate the security game between the adversary and challenger. Suppose that there exists an adversary A that attempts to break the OW-SAS-CCA security of our CP-ABEET scheme in the standard model. We define a simulator B who attempts to solve the decisional q-BDHE problem (c.f. Def. 3) from the challenger C. Given a random problem instance $(y, Z)$, B aims to decide whether $Z$ is equal to $e(g, g)^{a^{q+1} s}$ ($b = 0$) or a random element of $G_T$ ($b = 1$).
This part shows how to build the simulator B.
1) Setup: A chooses a challenge access structure $(M^*, \rho^*)$ and submits it to B. Then B computes as follows:
- Choose a group $G_T$ of prime order $p$ along with a bilinear pairing $e : G \times G \to G_T$, and a generator $g$ of $G$.
- Choose the elements $\alpha, \beta \in Z_p$, compute $g_2 = g^\beta$, and implicitly set $\alpha = \alpha + a^q$ by setting where $h = g^a$. Then choose the random elements $x_v, x_w, y_u, y_v, y_w \in Z_p$ and set $u = g^a g^{y_u} = g^{a + y_u}$, $v = (g^a)^{x_v} g^{y_v} = g^{a x_v + y_v}$, $w = (g^a)^{x_w} g^{y_w} = g^{a x_w + y_w}$.
- Choose a random $z_x \in Z_p$ for each attribute $A_x$ where $1 \le x \le U$. Define $X$ as the set of $i$ where Notice that if $X = \emptyset$, we have $h_x = g^{z_x}$.
- Choose two collision-resistant hash functions $H_1$ : where is the number of rows of an LSSS matrix.
VOLUME 8, 2020
Here we assume that all the queries submitted by A would not violate the restrictions specified in the game (c.f. Def. 5).
• Private key query: Given an attribute set S from A, B randomly chooses $r, t \in Z_p$ and finds a vector $w = (w_1, w_2, \cdots, w_n) \in Z_p^{n^*}$ with $w_1 = -1$ such that $w \cdot M_i = 0$ for all $i \in I$, where $I = \{i : \rho(i) \in S\}$. Such a vector exists according to Def. 2. B implicitly sets $t$ as $t = r + w_1 a^q + w_2 a^{q-1} + \cdots + w_n a^{q-n+1}$, by defining Then it computes $K_d$ as otherwise, there exists one or more mappings between the rows of matrix $M$ and $x \in S$. Let $X$ be the set of $i$ s.t. $\rho(i) = x$. B sets $K_x$ as Notice that the terms $g^{a^{q+1}/b_i}$ which cannot be simulated would all be cancelled out due to the property that $w \cdot M_i = 0$. Then B computes $K_t$, $L$ and $\{K_x\}_{x \in S}$ using the method described in Section IV. Finally, B returns
• Trapdoor query: B computes and returns $Td_S$ using the method described in Section IV.
• Decryption query: Given an attribute set S and a ciphertext Ct, there are two cases:
a) Case 1: S does not satisfy $(M^*, \rho^*)$. B gets $Sk_S$ from private key query, and uses $Sk_S$ to run the decryption algorithm to decrypt Ct.
b) Case 2: S satisfies $(M^*, \rho^*)$. B runs Trapdoor If the equation does not hold, B returns ⊥; otherwise, it continues to check the equation If it holds, B aborts, and we denote this event by $E_1$; otherwise, B computes Then B randomly chooses $y_2, \cdots, y_n \in Z_p$ and shares $s$ using the vector $\omega = (s, sa + y_2, sa^2 + y_3, \cdots, sa^{n-1} + y_n)$. Define $A_i$ as the set of all $k \neq i$ but $\rho^*(k) = \rho^*(i)$.

4) Query Phase 2: In this phase, B answers queries in the same way as in Query Phase 1 with the following restriction:
• Given a decryption query $(Ct^*, S)$, while S satisfies $(M^*, \rho^*)$, B returns ⊥, as A is not allowed to issue this query.
we get a collision of hash function $H_2$. In this case B aborts. We define this event by $E_2$.
• If $T + C_4 x_v + x_w = 0$ holds, where $T = H_2(C_1, C_2, C_3, C_6)$, B aborts. We define this event by $E_3$.
5) Guess: Finally, A outputs a message $m$. B outputs $b = 0$ if $m = m^*$, indicating that $Z = e(g, g)^{a^{q+1} s}$, and a random bit $b$ otherwise.
Analysis: In this part, we analyse the events that make the simulation fail or abort.
• The failures caused by hash functions: Firstly, we pay our attention to the one-wayness of $H_1$. In the simulation process, adversary A has the authorization to query the trapdoor for the challenge access structure so that it can obtain the hash value of the challenge message $H_1(m^*)$. Adversary A may learn some information about message $m^*$ from $H_1(m^*)$. In other words, the simulation fails if adversary A breaks the one-wayness of hash function $H_1$. We define this event as $E_4$ and we have Pr where $\varepsilon_{OW}$ is the probability that adversary A successfully breaks the one-wayness of $H_1$.
Then we turn to the collision resistance of hash function $H_2$. When $E_2$ occurs during the decryption queries in Query Phase 2, there exists a hash collision such that $T = H_2(C_1, C_2, C_3^*, C_6^*) = T^* = H_2(C_1^*, C_2^*, C_3^*, C_6^*)$. We have where $\varepsilon_{CR}$ is the probability that adversary A successfully breaks the collision resistance of $H_2$.
• The failures caused by simulation limits: During the whole simulation process, some events will make it abort in which simulator B cannot give a logical answer to decryption queries from A. $E_1$ and $E_3$ occur when the elements of the queried ciphertext satisfy the relation $T + C_4 x_v + x_w = 0$. Because element $T$ depends on the submitted ciphertext and $x_v, x_w$ are fixed, the probabilities of $E_1$ and $E_3$ depend on the randomness of $C_4 = r_0$ chosen from $Z_p$. It means that the equation $T + C_4 x_v + x_w = 0$ holds with probability at most $1/p$ in a single query. We have where $q$ means A is allowed to issue Decryption query for $q$ times. We obtain the final failure and abortion probability $\Pr[F]$ as
Below we analyze the probability that B successfully guesses the value of $b$. If $T = e(g, g)^{a^{q+1} s}$, the simulation provided by B is perfect, and in the view of A, the challenge ciphertext is the same as a real ciphertext. We have that Pr ; otherwise, which means $T$ is a random element of $G_T$, the challenge ciphertext hides the message perfectly, and the probability that A outputs the correct message is thus negligible, e.g. $\Pr[b = 1 | b = 1] = 1 - \mathrm{negl}(1^k) \cdot \Pr[\neg F]$. Therefore, we have: If A breaks the OW-SAS-CCA security of our CP-ABEET scheme with non-negligible advantage, the probability that B solves the decisional q-BDHE problem is thus non-negligibly larger than $\frac{1}{2}$, which contradicts the decisional q-BDHE assumption. This completes the proof of Theorem 1.

B. IND-SAS-CCA SECURITY
Theorem 2: Suppose that the decisional q-BDHE assumption holds, our CP-ABEET scheme is IND-SAS-CCA secure against unauthorized adversaries in the standard model.
Proof: Based on the security model defined in Section III-B, we simulate the security game between the adversary and challenger. Suppose that there exists an adversary A that attempts to break the IND-SAS-CCA security of our CP-ABEET scheme in the standard model. We define a simulator B who attempts to solve the decisional q-BDHE problem from the challenger C. Given a random problem instance $(y, Z)$, B aims to decide whether $Z$ is equal to $e(g, g)^{a^{q+1} s}$ ($b = 0$) or a random element of $G_T$ ($b = 1$).
This part shows how to build the simulator B.
1) Setup: A chooses a challenge access structure $(M^*, \rho^*)$ and submits it to B. Then B generates the system parameters SP based on the q-BDHE challenge instance $y$. Firstly, B randomly chooses elements $\alpha, \beta \in Z_p$. Then it implicitly sets $\alpha = \alpha + a^q$, $\beta = \beta + a^q$ by setting where $h = g^a$. Besides, B chooses random elements $x_v, x_w, y_u, y_v, y_w \in Z_p$ and sets Then we show how to obtain the group elements Notice that if $X = \emptyset$, $h_x = g^{z_x}$. Then it chooses two cryptographic hash functions: $\to Z_p$ where is the number of rows in LSSS matrix. Finally, it publishes $SP = (G, G_T, p, e, H_1, H_2, g, g^a, e(g_1, h), e(g_2, h), u, v, w, h_1, \cdots, h_U)$ as the system parameter. Notice that the master secret key $Msk = (h^\alpha, h^\beta, k_1, k_2, k_3)$ is unknown to B.
2) Query Phase 1: In this phase, Trapdoor query executes in the same way as in the proof of Theorem 1, with another restriction that all the submitted attribute sets cannot satisfy the challenge access structure $(M^*, \rho^*)$.
• Private key query: Given an attribute set S from A, B randomly chooses $r, r \in Z_p$ and finds a vector $w = (w_1, w_2, \cdots, w_n) \in Z_p^{n^*}$ with $w_1 = -1$ such that $w \cdot M_i = 0$ for all $i \in I$, where $I = \{i : \rho(i) \in S\}$. Such a vector exists according to Def. 2. B implicitly sets $t$ as $t = r + w_1 a^q + w_2 a^{q-1} + \cdots + w_n a^{q-n+1}$ by defining Then it computes $K_d$ as otherwise, there exists one or more mappings between the rows of matrix $M$ and $x \in S$. Let $X$ be the set of $i$ s.t. $\rho(i) = x$. B sets $K_x$ as Notice that the terms $g^{a^{q+1}/b_i}$ which cannot be simulated would all be cancelled out due to the property that $w \cdot M_i = 0$. To generate the second part of $Sk_S$, B implicitly sets the value $t$ as $t = r + w_1 a^q + w_2 a^{q-1} + \cdots + w_n a^{q-n+1}$ by defining The elements $K_t$ and $\{K_x\}_{x \in S}$ could be generated using $r, t$ in a similar way. Finally, B returns $Sk_S$.
• Decryption query: In this phase, B will answer the decryption queries from A. Given an attribute set S and a ciphertext Ct, there are two cases:
a) Case 1: S does not satisfy the challenge access structure $(M^*, \rho^*)$. B can firstly obtain the corresponding private key $Sk_S$. Then it uses $Sk_S$ to decrypt the queried ciphertext as the Dec algorithm does.
b) Case 2: S satisfies the challenge access structure $(M^*, \rho^*)$. B cannot directly decrypt the queried ciphertext using the corresponding $Sk_S$. Besides, it has no authorization for the Td. Suppose the submitted ciphertext is $Ct = (C_1, C_2, C_3, C_4, C_5, C_6)$. First of all, the ciphertext validity should be verified as follows. B computes $T = H_2(C_1, C_2, C_3, C_6)$. Then, it checks whether $e(C_3, u^T v^{C_4} w) = e(C_5, g)$.
If the equation doesn't hold, the system outputs ⊥; otherwise, B continues to check the following equation: If it holds, B aborts and we denote this event as $E_1$; otherwise, B obtains the corresponding $\hat{H}$ and $\hat{m}$ using the similar method described in the proof of OW-SAS-CCA security above. B chooses a random element $s \in Z_p$. Then it computes Then the message can be recovered as follows If the submitted ciphertext Ct is valid and m is the message encrypted in this ciphertext Ct, $\hat{H}$ is the hash value of m. Then B computes Then the message can be recovered as follows: $\hat{m} = C_1 \cdot \frac{e(C_5, P_{2,m})}{e(C_3, P_{1,m})} = C_1 \cdot e(g^{as}, (g_1)^{-1}) = m \cdot e(g_1, h)^s \cdot e(g^{as}, (g_1)^{-1}) = m$.
Correctness of this process can be proven in the same way described in the proof of OW-SAS-CCA security above. If the submitted ciphertext Ct is valid and m is the message encrypted in Ct, the message can be recovered through this process. If the equation $\hat{H} = H_1(m)$ holds, B outputs $\hat{m}$ to A.
3) Challenge: A randomly chooses two messages $m_0, m_1 \in M$ and sends them to B. Then B randomly chooses a bit $\delta \in \{0, 1\}$ and generates the corresponding challenge ciphertext $Ct^* = Enc(m_\delta)$ as follows: Firstly, B computes Secondly, B randomly chooses $y_2, \cdots, y_n \in Z_p$ and shares the secret using the vector $\omega = (s, sa + y_2, sa^2 + y_3, \cdots, sa^{n-1} + y_n)$. Then, B chooses random values $r_1, \cdots, r \in Z_p$. Besides, for $1 \le i \le n$, we define $A_i$ as the set of all $k \neq i$ where $\rho(i) = \rho(k)$. B generates $C_6^* = \{(c_i, d_i)\}_{1 \le i \le}$ as follows: Then, B computes $T^* = H_2(C_1^*, C_2^*, C_3^*, C_6^*)$ and sets $C^*$ which means there exists a hash collision of hash function $H_2$, B aborts. We define this event as $E_2$.
c) Otherwise, if the equation $T + C_4 x_v + x_w = 0$ holds where $T$ is as described before, B aborts. We define this event as $E_3$.
5) Guess: A outputs a guess $\delta \in \{0, 1\}$. B outputs $b = 0$ if $\delta = \delta$, indicating that $Z = e(g, g)^{a^{q+1} s}$, and a random bit $b$ otherwise.
Analysis: In this part, we analyse the events that make the simulation fail or abort.
• The failures caused by hash functions: Firstly, we pay our attention to the one-wayness of $H_1$. In the simulation process, A has no authorization to query the trapdoor for the challenge access structure so that it cannot obtain the hash value of the challenge message $H_1(m_\delta)$. So an adversary successfully breaking the one-wayness of $H_1$ won't reveal any information about the challenge message. Then we turn to the collision resistance of hash function $H_2$. When $E_2$ occurs during the decryption queries in Query Phase 2, there exists a hash collision that $T =$ where $\varepsilon_{CR}$ is the probability that A successfully breaks the collision resistance of $H_2$.
• The failures caused by simulation limits: During the whole simulation process, some events will make it abort in which B cannot give a logical answer to decryption queries from A. $E_1$ and $E_3$ occur when the elements of queried ciphertexts satisfy the relation $T + C_4 x_v + x_w = 0$. Because element $T$ depends on the submitted ciphertext and $x_v, x_w$ are fixed, the probabilities of $E_1$ and $E_3$ depend on the randomness of $C_4 = r_0$ chosen from $Z_p$. It means that the equation $T + C_4 x_v + x_w = 0$ holds with a probability which is at most $1/p$ in one round of query. We have where $q_D$ means A is allowed to issue Decryption query for $q_D$ times. We obtain the failure and abortion probability $\Pr[F]$ as
Below we analyze the probability that B successfully guesses the value of $b$. If $Z = e(g, g)^{a^{q+1} s}$, the simulation provided by B is perfect, and in the view of A, the challenge ciphertext is the same as a real ciphertext. We have that Pr ; otherwise, which means $Z$ is a random element of $G_T$, the challenge ciphertext hides the message perfectly, and the probability that A correctly guesses the bit $\beta$ is $\frac{1}{2}$. Thus, the probability that B correctly guesses the bit $b$ is . Therefore, we have the following.
where $[1 - (\varepsilon_{CR} + q_D/p)]$ is a non-negligible probability. From the probability analysis above, we know that if A can break the IND-SAS-CCA security of the CP-ABEET scheme with a non-negligible advantage, then B has a non-negligible advantage in solving the decisional q-BDHE problem. This completes the proof of Theorem 2.

VI. AN OUTSOURCED CONSTRUCTION IN THE STANDARD MODEL
The construction in Section IV addresses the aforementioned problems, but if Dec and Test algorithms are executed locally, the computational overhead is too high for resource-constrained clients; if these algorithms are executed by the server, there is a risk of data leakage.
To optimize the computation efficiency of our CP-ABEET scheme, we give an improved construction called Outsourced CP-ABEET (OCP-ABEET) that can be proven secure in standard model. We take advantage of outsourcing technique which was firstly proposed by Green et al. [25] and combine it with above basic CP-ABEET scheme. This new construction includes eight algorithms. Setup and Enc algorithms are defined as the same with the former construction defined in Section IV. KeyGen, Transform 1 , Transform 2 , Dec, Trapdoor and Test algorithms are defined as follows.
• KeyGen(SP, Msk, S): The key generation algorithm takes as input the system parameters SP, the master secret key Msk and a set S of attributes. Then it chooses random elements z, z , t, t ∈ Z p and computes: • Transform 1 (Ct, Sk S ): Given a ciphertext Ct and a private key Sk S , it partially decrypt Ct by the reconstruction property of LSSS. Suppose the attribute set S can satisfy the access structure (M , ρ) of Ct. Let I ⊆ {1, 2, · · · , } be defined as I = {i : ρ(i) ∈ S} where ρ belongs to (M , ρ). We define the set {w i ∈ Z p } i∈I such that if {λ i } are valid shares of any secret s according to M of (M , ρ), then we have i∈I w i λ i = s. It computes = e(g, h) βs/z e(g, g) ast /z /( i∈I e(g, g) aλ i w i t /z ) = e(g, h) βs/z = e(g 2 , h) s/z .
Then it outputs (X , X ).
• Dec(Ct, $Sk_Z$, $Sk_S$): The decryption algorithm computes $T = H_2(C_1, C_2, C_3, C_6)$ and checks whether $e(C_3, u^T v^{C_4} w) = e(C_5, g)$. If the equation does not hold, it outputs ⊥; otherwise, it runs Transform$_1$(Ct, $Sk_S$) to get (X , X ). Then it computes and outputs m if the following equation holds:
• Trapdoor(SP, Msk, S): The trapdoor algorithm takes as input the system parameters SP, the master secret key Msk and the set S of attributes. Then it chooses random elements $\hat{z}$, t ∈ $\mathbb{Z}_p$, computes and outputs the trapdoor $(Td_Z, Td_S)$ as:
Finally it outputs 1 if the equation $H_A = H_B$ holds, and 0 otherwise.
In our construction, users generate trapdoors based on their attribute sets and send them to the outsourced server for transforming ciphertexts. As a result, most of the computational costs of Dec and Test are transferred to the outsourced server. Concretely, the main operations in the Dec algorithm and the Test algorithm are split off into two algorithms, Transform$_1$ and Transform$_2$, respectively, which are outsourced to third-party servers. After the outsourced server returns the transformation result, the user can quickly complete the final steps of decryption or equality test. It is ensured that the outsourced server does not learn information about the messages. Figure 2 shows the outsourcing framework of CP-ABEET.
Our OCP-ABEET scheme also achieves OW-SAS-CCA and IND-SAS-CCA security in the standard model. The correctness and security can be proven by combining the corresponding proofs of the CP-ABEET scheme above.
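The cancellation in the Transform 1 equation and the client's cheap final step can be checked numerically. The following is an added example, not the authors' implementation: it tracks exponents only (a group element g^x is stored as x mod P, so a pairing multiplies exponents and hides nothing). The policy matrix, the attribute names, the exponent x_h with h = g^{x_h}, and the final unblinding by raising to z (the technique of Green et al.) are assumptions.

```python
import secrets

P = 2**127 - 1  # prime group order for the toy model (constructed value)
# Constructed LSSS for the policy (A AND B) OR C; row i of M belongs to RHO[i].
M = [[1, 1], [0, P - 1], [1, 0]]
RHO = ["A", "B", "C"]

def rnd():
    return secrets.randbelow(P - 1) + 1

def shares(s):
    """lambda_i = <M_i, (s, y)> for a fresh random y."""
    v = [s] + [rnd() for _ in M[0][1:]]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]

def recon_coeffs(attrs):
    """Solve sum_{i in I} w_i * M_i = (1,0,...,0) mod P; None if attrs fail the policy."""
    I = [i for i, a in enumerate(RHO) if a in attrs]
    n = len(M[0])
    A = [[M[i][c] for i in I] + [int(c == 0)] for c in range(n)]  # M_I^T | e_1
    pivots, r = [], 0
    for col in range(len(I)):  # Gauss-Jordan elimination over Z_P
        p = next((k for k in range(r, n) if A[k][col]), None)
        if p is None:
            continue
        A[r], A[p] = A[p], A[r]
        inv = pow(A[r][col], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for k in range(n):
            if k != r and A[k][col]:
                f = A[k][col]
                A[k] = [(x - f * y) % P for x, y in zip(A[k], A[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in A[r:]):
        return None  # inconsistent system: the attribute set is not authorized
    return {I[col]: A[k][-1] for k, col in enumerate(pivots)}

def transform1(s, lam, attrs, a, beta, x_h, t, z):
    """Server side: exponent of e(g,h)^{bs/z} e(g,g)^{ast/z} / prod e(g,g)^{a lam_i w_i t/z}."""
    w = recon_coeffs(attrs)
    if w is None:
        return None
    zi = pow(z, -1, P)
    denom = sum(a * lam[i] * wi * t * zi for i, wi in w.items())
    return (beta * s * x_h * zi + a * s * t * zi - denom) % P

def unblind(X, z):
    """Client side: X^z, one exponentiation (multiplication by z in this model)."""
    return X * z % P
```

For an authorized attribute set the server's output equals the exponent of e(g_2, h)^{s/z}, and the client recovers e(g_2, h)^s with one exponentiation; an unauthorized set has no reconstruction coefficients, so the transform returns nothing.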

VII. EFFICIENCY EVALUATION
We compare our CP-ABEET scheme with some related schemes in Table 1 in terms of computational complexity, functional properties, assumptions, security level, etc. In the comparison we mainly consider the dominant computations, e.g. bilinear pairing evaluation and exponentiation, in the encryption, decryption and test algorithms. The second to the fourth columns show the computation costs of the Enc, Dec and Test algorithms. The fifth column indicates whether the scheme is attribute-based. The sixth column shows the authorization type of each scheme. The following two columns indicate the underlying assumptions and security levels of the related schemes. The last column shows whether the scheme is proven secure in the ROM (random oracle model) or the SM (standard model).
From Table 1, we can see that our CP-ABEET and OCP-ABEET schemes enjoy the highest level of security guarantee among all the attribute-based encryption schemes supporting equality test, and that our OCP-ABEET scheme provides almost the best efficiency among all the ABEET schemes.
To better show the practical performance of our new CP-ABEET scheme, we implemented the complete system and made a practical comparison with the latest CP-ABEET scheme [10], which is proven secure in the random oracle model. We mainly used the Java Pairing-Based Cryptography (JPBC) library and the Bouncycastle library to realize our system. All of these experiments were run on an Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz under a 64-bit Windows 7 system with 8GB of memory. We ran the complete system and obtained the running time of the main algorithms: KeyGen, Enc, Dec and Test. To make the results more general and credible, we independently set the number of tests to 500, 1000, 2000 and 4000. Figures 3(a), 3(b), 3(c) and 3(d) show that our CP-ABEET scheme is more efficient than the scheme in [10] in the Test algorithm, and that the efficiency of the KeyGen, Enc and Dec algorithms is similar to that in [10]. As the number of tests increases, the running time increases linearly.
To illustrate the efficiency of our OCP-ABEET scheme, we also implemented it and compared the computational cost of our first CP-ABEET scheme with that of our OCP-ABEET scheme. In Figures 4(a), 4(b), 4(c) and 4(d), the black line represents the computational cost of our OCP-ABEET scheme, the red line represents the local computing portion of our OCP-ABEET scheme and the blue line represents the outsourced portion of our OCP-ABEET scheme (mainly the computational cost of the Transform$_1$ and Transform$_2$ algorithms). To support outsourced computing, the KeyGen algorithm of our OCP-ABEET scheme has a slightly higher computational cost, while the two Enc algorithms have equivalent computational cost. Surprisingly, since most of the computations are outsourced to the outsourced server, the results of the Dec and Test algorithms can be obtained by performing simple calculations locally. While ensuring security, our OCP-ABEET scheme is convenient to execute on devices with limited computing power, such as mobile phones.

VIII. CONCLUSION
In this paper, we propose a new construction of a CP-ABEET scheme which is proven secure in the standard model. Our CP-ABEET scheme supports flexible authorized equality tests on ciphertexts. One-wayness is achieved if the adversary is given the trapdoor and indistinguishability is achieved if the adversary is not given the trapdoor. This scheme can be applied to flexible authorized deduplication of encrypted data, which means users can optimize their storage space in the cloud by delegating their equality test. Compared with related works, we achieve a more secure CP-ABEET scheme in the standard model. In addition, our OCP-ABEET scheme in the standard model is more efficient for users with low computing capability and for mobile devices.