An Efficient Attribute-Based Encryption Scheme with Data Security Classification in the Multi-Cloud Environment

Abstract

As an increasing number of people and corporations move their data to the cloud side, how to ensure efficient and secure access to data stored on the cloud side has become a key focus of current research. Attribute-Based Encryption (ABE) is largely recognized as the best access control method for safeguarding the cloud storage environment, and numerous solutions based on ABE have been developed successively. However, the majority of current research is conducted within a single cloud provider, and only the limited number of schemes for the multi-cloud environment also fail to support the data security classification on the cloud side. Therefore, we propose an efficient attribute-based encryption scheme with data security classification in the multi-cloud environment. In our scheme, the data owner’s data are divided into two security levels and stored in different cloud providers, which improves the security of outsourcing data. Moreover, based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE), our scheme can not only provide a fine-grained access control for the data user, but also completely exploit the cloud side to facilitate outsourcing decryption to lighten the data user’s computing load. The security analysis showed that our scheme is effective against selective-attribute plaintext attack, as well as protects the privacy of the data. The experimental results also demonstrated that the computational overhead is obviously less than other existing schemes.

1. Introduction

Cloud computing, as a new and promising paradigm for information technology and services, provides consumers with simple, quick, and convenient options for data storage and sharing [1]. Due to its advantages such as unlimited storage resources and low maintenance cost, an increasing number of users and businesses are opting to migrate their data to the cloud side. To guarantee the security of outsourcing data, the data owners usually encrypt their data before uploading them to the cloud side. However, with a vast amount of encrypted data stored in the cloud side, efficiently and securely accessing the desired data poses a challenge.

Attribute-Based Encryption (ABE), as a typical encryption method, offers a fine-grained access control for the cloud storage service. It ensures secure and efficient access to encrypted outsourced data. The earliest prototype of Attribute-Based Encryption (ABE) can be traced back to a vague notion of identity-based encryption in 2005 [2]. Then, the concept of ABE was extended, and schemes for both small-scale and large-scale attribute sets were developed. For the first time, the Key-Policy Attribute-Based Encryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE) methods were separated from ABE in 2006 by Goyal et al. [3]. In their scheme, the access structure tree was introduced into the secret key, and the first KP-ABE scheme was proposed. In 2007, Bethencour et al. introduced the access structure tree into ciphertext and proposed the first CP-ABE scheme [4].

The ciphertext can be successfully decrypted to obtain the plaintext only when the attribute set meets the access policy in both KP-ABE and CP-ABE, which implements fine-grained access control for encrypted data on the cloud server. However, in CP-ABE, the secret key is determined by the attribute set of the data user, and the ciphertext is related to the access policy. On the contrary, the secret key is tied to the access structure and the ciphertext is attached to the attribute set in KP-ABE. Since the access structure of CP-ABE is set by the data owner, CP-ABE has become a widely adopted technique for securing data in cloud storage environments by users.

There exist numerous CP-ABE schemes. For example, a multi-authority CP-ABE method that permitted outsourcing the decryption and updating policy was created in [5]. Moreover, a novel CP-ABE method was proposed in [6], in which the edge nodes were responsible for a portion of the encryption and decryption. An efficient multi-cloud keyword search method that utilized attribute-based encryption and a consortium blockchain was proposed in [7], but all the decryption work was completed by the data user, which increased the computational burden. To address the above problem, Li et al. proposed a privacy-preserving CP-ABE access control scheme that utilizes outsourcing decryption in the multi-cloud environment [8]. However, the outsourced decryption in [8] was completed by the proxy, which added an insecure entity.

The encrypted data are stored within a single cloud server provider, which may cause the leakage of all stored data when the cloud server provider is attacked. To address this issue, one approach is to use the multi-cloud environment for data storage. However, the current schemes in the multi-cloud environment fail to support data security classification and cloud outsourcing decryption. Therefore, an efficient Attribute-Based Encryption scheme with Data Security Classification (ABE-DSC) in the multi-cloud environment is proposed in this paper. During the encryption phase, the data owner’s data are divided into two parts based on their security level and stored in different cloud server providers. In the decryption phase, the partial decryption operation is outsourced to the cloud server.

The contributions can be summarized as follows:

(1)

Multiple cloud service providers are used to host the data owner’s data. The data stored in different cloud service providers are partial and disjoint. The multi-cloud scheme enhances data privacy protection compared to other single-cloud schemes. In our scheme, the data are divided into different security levels and stored in multiple cloud service providers.

(2)

The cloud side participates in the decryption work. Partial decryption operations are outsourced to the cloud side, while a few operations are left to the data user to execute locally. Outsourcing decryption to the cloud side can significantly reduce the computational burden on the data user.

(3)

CP-ABE was employed to offer fine-grained access control. In the paper, the data owner can easily define fine-grained access control policies. Besides, the data user can access the corresponding data only when the attribute set embedded in the data user’s secret key satisfies the access control policy in the ciphertext.

(4)

A comprehensive security analysis demonstrated that the proposed scheme is effective against selective-attribute plaintext attacks and enhances the capacity to protect the privacy of the data compared with the current solutions. Besides, the computational efficiency of the proposed scheme was demonstrated through experiments.

2. Related Work

Multi-cloud storage. The utilization of multi-cloud storage technology has become increasingly prevalent in recent years, while how to realize secure multi-cloud storage has become a challenge. There are many types of research on multi-cloud storage [9,10,11,12,13,14,15,16,17,18]. Li et al. [19] proposed an identity-based multi-copy scheme in the multi-cloud environment. In their paper, all copies were delivered to multiple cloud service providers that work together to store the data owner’s data. Celesti A et al. [20] optimized the entire system in terms of multi-cloud storage by testing and verifying the data storage system composed of cloud service providers. Besides, the security of multi-cloud storage has garnered significant attention from researchers, and it is a key area of focus for many researchers. Viswanath et al. [21] focused on the encryption algorithm of the data storage in a multi-cloud environment, but the integrity audit of the outsourced data was not provided. The scheme in [22] was proposed to implement the integrity verification of the outsourced data, which was a decentralized self-audit scheme for multi-cloud storage. However, the audit scheme in [22] relied on trusted authorities such as cloud service organizers, which made it difficult to identify malicious service providers when a server dispute occurred. To solve the issue, Zhang et al. [23] presented a blockchain-based multiple cloud storage data audit method to safeguard the integrity of information and give a fair resolution to service complaints. Although all of the above schemes implemented data storage in a multi-cloud environment, they failed to classify the security level of the stored data.

Ciphertext-Policy Attribute-Based Encryption. CP-ABE is a proven technology that has been utilized to achieve fine-grained access control of data stored on the cloud side. Numerous research works have been conducted on CP-ABE [24,25,26,27,28,29,30,31,32,33]. Chen et al. [34] provided a CP-ABE scheme that incorporates shared decryption for secure multi-cloud storage. Based on access control, their scheme enabled semi-authorized users to collaborate and obtain encrypted data. Yin et al. [35] proposed a fine-grained authorized keyword secure search scheme based on CP-ABE, which not only achieved fine-grained and secure access control for the data, but also supported keyword-based privacy protection search for the encrypted data. Yu et al. [36] put forward a privacy protection scheme that leveraged multi-authority CP-ABE to enhance privacy protection in a data-sharing environment. Zhang et al. [37] proposed a large-universe CP-ABE scheme, which offered a partially hidden access structure and novel key revocation in their paper. A blockchain-based fine-grained access control scheme for data security and extensibility was proposed in [38], which supported multiple attribute authorities, employed a constant size ciphertext and key, and achieved enhanced privacy protection. The above schemes implemented fine-grained access control on the basis of CP-ABE, but in the decryption stage, all decryption operations were completed by the data user, which resulted in a huge computational burden.

3. Preliminaries

The primary knowledge, including bilinear maps, access structure, and hardness assumption, is presented in this part.

3.1. Bilinear Maps

Assume that $G_0$ and $G_1$ are two multiplicative cyclic groups with prime order p, where g is the generator of $G_0$. Then, a bilinear map is denoted as e: $G_0\times G_0\to G_1$, which possesses the following features:

(1)

Bilinearity: for any $x,y\in G_0$, $a,b\in z_p^{*}$ are selected randomly and $e(x^a,y^b)=e{(x,y)}^{ab}$ are established.

(2)

Non-degeneracy: $e(g^a,g^b)\ne 1$, where g is the generator of $G_0$.

(3)

Computability: for all $y,z\in G_0$, a polynomial-time algorithm is available to calculate $e(y,z)\in G_1$.

3.2. Access Structure

$Shamir(t,n)$ is a threshold secret-sharing scheme that allows for the division of a secret S into n parts, and these n parts are then distributed among n individuals to save. When at least t people take out their secret information at the same time, the original secret S can be recovered.

Based on $Shamir(t,n)$, the access structure tree T is defined to depict the access structure. In the access structure tree T, the root node represents a secret value, non-leaf nodes other than the root node represent thresholds, and leaf nodes represent attributes. The thresholds of non-leaf nodes are divided into three types: “and”, “or”, and “of”, where n is the number of children of the non-leaf nodes and t is the threshold. When $t=n$, the non-leaf node indicates the threshold “and”. When $t=1$, the non-leaf node indicates the threshold “or”. When $1<t<n$, the non-leaf node indicates the threshold “of”. The secret value of the root node can be obtained if and only if the attributes in the attribute set meet the entire access structure tree.

Figure 1 provides an example of the access structure tree. The attribute set of the data user must meet the access structure tree in order to access the data. For example, the data user’s attribute set is {Att1, Att3, Att4, Att5} or {Att2, Att3, Att5}, which meets the access structure tree in Figure 1, and the data user can access the data. However, if the data user’s attribute set is {Att1, Att2, Att3} or {Att3, Att4, Att5}, which does not meet the access structure tree in Figure 1, the data user cannot access the data.

3.3. Determine Bilinear Diffie–Hellman Assumption

DBDH problem. Let $G_1$ and $G_2$ be two multiplicative cyclic groups with prime order p and g be the generator of $G_1$. Assume a challenger $\mathcal{C}$ selects random numbers $x,y,z,\in z_p^{*}$ and, then, calculates the $g^x,g^y,g^z,e{(g,g)}^{xyz}$, where e is a bilinear map. If the challenger $\mathcal{C}$ gives $(g,g^x,g^y,g^z)$ to an adversary $\mathcal{A}$, the DBDH problem is to distinguish $e{(g,g)}^{xyz}$ from a random element $R\in G_2$ by a polynomial-time algorithm, which has the advantage $Ad{v}_{\mathcal{A}}^{DBDH}$ for solving the DBDH problem in $G_1$ if $Ad{v}_{\mathcal{A}}^{DBDH}\le |Pr[\mathcal{A}(g^x,g^y,g^z,Z=e{(g,g)}^{xyz})=0]-Pr[\mathcal{A}(g^x,g^y,g^z,Z=R)=0]|$.

DBDH assumption. If all polynomial-time algorithms have at most a negligible advantage $Ad{v}_{\mathcal{A}}^{DBDH}$ in solving the DBDH, then the DBDH assumption holds.

4. System Overview

In this section, the system model and security requirements are outlined.

4.1. System Model

The system model in the paper is shown in Figure 2. The system model consists of four entities: Central Authorization (CA), Data User (DU), Data Owner (DO), and Multi-Cloud Service Providers (MCSPs). MCSPs include two cloud service providers, i.e., Cloud Service Provider A (CSPA) and Cloud Service Provider B (CSPB).

(1)

Data Owner (DO): The DO is a party that possesses large amounts of data to be uploaded to the cloud side. It is in charge of defining the access structure and, then, generating the ciphertext of the data. In addition, it is also responsible for dividing the entire data. The DO’s entire data are divided into two parts based on their level of security, which are encrypted and then sent to CSPA and CSPB, respectively.

(2)

Multi-Cloud Service Providers (MCSPs): An MCSP is a party that offers a range of services, such as data storage. There are two cloud service providers among the MCSPs: CSPA and CSPB. CSPA is used to store low-security data, and CSPB is used to store high-security data. Besides, a list of attribute sets is stored in both CSPA and CSPB, and the attribute set corresponds to the data user’s identification in this list. It is also in charge of outsourcing decryption for the DU. When the attribute set of the DU meets the access structure, CSPA or CSPB decrypts the ciphertext first and, then, sends the result of the partial decryption to the DU. It should be noted that CSPA and CSPB are two different cloud service providers, such as Azure and Amazon.

(3)

Data User (DU): The DU is a party that desires to access the ciphertext stored in the MCSP. If the attribute set of the DU meets the access structure, it can use the secret key to decrypt the ciphertext and obtain the data. Note that only by decrypting the encrypted data in both CSPA and CSPB can the entire data be obtained. The process of decryption for the DU involves three steps: first, the DU obtains the ciphertext sent by CSPA and decrypts it for the second time by using the corresponding secret key that has been authorized by the CA. Then, the DU needs to request a new secret key from the CA, which is used to decrypt the ciphertext from CSPB. Finally, once the DU has obtained the new secret key, it can request the data stored in CSPB and decrypt the ciphertext for the second time to obtain the data. At this point, the DU obtains the entire data in the MCSP.

(4)

Central Authority (CA): The CA is a fully trusted entity that performs any assigned tasks according to the protocol specifications and generates the correct output. It is in charge of generating the secret key for the DU and CSPA, as well as generating the new secret key for the DU based on the attribute set.

In the proposed model, we utilized two cloud service providers to store data and divide the ABE-DSC security level of the cloud service providers into two levels. It should be emphasized that, depending on the needs of the DO, the suggested model can be extended to several security levels by utilizing multiple cloud service providers. If multiple cloud service providers are used, the process of data storage and access is similar to the scheme in the paper.

4.2. Security Assumptions

Semi-trusted multi-cloud service providers: Assume that the cloud side is semi-trusted. This means that the MCSP will store the DO’s data honestly and execute requests initiated by the DU reliably. However, the MCSP still keeps sufficient interest in the DO’s data stored in the MCSP. For example, if the DO uploads the ciphertext to the MCSP, the MCSP may attempt to extract as much information as possible from the ciphertext, such as access the structure and the plaintext. Furthermore, the security assumptions about thecollusion attacks of the cloud side with the DO and DU are similar to the security assumptions proposed in [5,6,7,8], which is also beyond our scope of discussion.

Trusted central authority: In the paper, the CA is used to generate the public key and assign the secret key to the DU and MCSP. Assume that the CA is reliable and communicates with the DU through the secure channel. In addition, collusion between the CA and DU is also forbidden.

In the paper, security mainly focuses on the fact that the MCSP is unable to obtain any underlying plaintext information from the outsourced data stored in the MCSP. The formal security definition is provided through a game between the Challenger $\mathcal{C}$ and Adversary $\mathcal{A}$.

Selective-attribute plaintext attacks game is defined as follows.

Setup. Adversary $\mathcal{A}$ selects the access structure tree T and sends to Challenger $\mathcal{C}$. $\mathcal{C}$ performs the initialization algorithm (i.e., $Setup$) to generate $(PK,MK)$, and sends the $PK$ to $\mathcal{A}$.

Phase 1. $\mathcal{A}$ adaptively requests the attribute $\omega$ from $\mathcal{C}$.The only requirement is that the attribute $\omega$ does not belong to the access structure tree T, i.e., $\omega =\left\{a_j\right|a_j\in \Omega ,a_j\notin T\}$. $\mathcal{C}$ executes the key generation algorithm (i.e., $Keygen$) to generate $(\omega ,SK)$ and sends $SK$ to $\mathcal{A}$.

Challenge. $\mathcal{A}$ sends two pieces of information $m_0$ and $m_1$ with an equal length to $\mathcal{C}$. $\mathcal{C}$ selects $b\in \{0,1\}$ to execute the encryption algorithm (i.e., $Enc$) and generate ciphertext $c_b$ and, then, sends $c_b$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ continues to request the attribute $\omega$ as Phase 1, with the only requirement that the attribute $\omega$ does not belong to the access structure tree T.

Guess. $\mathcal{A}$ can guess $b^{\prime }\in \{0,1\}$, that is $\mathcal{A}$ can guess that $c_b$ is encrypted by $m_0$ or $m_1$.

The advantage of winning the game above for $\mathcal{A}$ is defined as $Adv=Pr[b^{\prime }=b]-\frac{1}{2}$.

Definition. If the advantage $Adv$ of any probability polynomial time that results in $\mathcal{A}$ winning the game above can be ignored, then our scheme is efficient against selective-attribute plaintext attacks.

5. Proposed Scheme

A detailed description of the proposed solution is provided as follows. There are six stages: $Setup$, $Keygen$, $Enc$, $decrypt the data of CSPA$, $request the new secret key$, and $decrypt the data of CSPB$. The process of our scheme in the paper is shown in Figure 3.

5.1. Setup

The $Setup$ algorithm is run to generate the Public Key (i.e., $PK$) and the Master Key ($MK$). k is a security parameter as the input of the algorithm. Assume that $G_0$ and $G_1$ are two multiplicative cyclic groups with large prime order p, where g is the generator of group $G_0$. The bilinear map is denoted as e: $G_0\times G_0\to G_1$. Suppose that the attribute set is $\Omega =\{a_1,a_2,\dots ,a_n\}$, where n is the number of attributes. The algorithm selects $t_1,t_2,\dots ,t_n,\alpha \in z_p^{*}$ at random and generates $y=e{(g,g)}^{\alpha }$. For each $t_j$, $T_j=g^{t_j}(1\le j\le n)$ is computed. Finally, the $Setup$ algorithm produces the following results:

$$\left\{\begin{array}{c}PK=\{e,g,y,T_j(1\le j\le n)\}\hfill \\ MK=\{\alpha ,t_j(1\le j\le n)\}\hfill \end{array}\right.$$

5.2. Keygen

The central authority executes the $Keygen$ algorithm to generate the Secret Key $SK$ for the data user UID, whose attribute set is $\omega$. The central authority selects an element $r\in z_p^{*}$ and, then, calculates $d_0=g^{\alpha -r}$. For $\forall a_j\in \omega$, the central authority first randomly selects $u_j,v_j\in z_p^{*}$ and calculates $d_{j,1}=g^{(r-u_j)t_j^{-}1}$, $d_{j,2}=g^{(r-v_j)t_j^{-}1}$, and $d_{j,3}=g^{u_j{t}_j^{-}1}$. Then, the central authority selects random elements $k_j,b_j\in z_p^{*}$ for $\forall a_j\in \omega$, and the condition $k_j(u_j+v_j)=b_j$ holds, where $k_j$ is the secret value to request the new secret key from the central authority. The $SK$ is defined as follows:

$$SK=\left\{\begin{array}{c}S{K}_1={\{d_{j,1},k_j\}}_{a_j\in \omega }\hfill \\ S{K}_2={\left\{d_{j,2}\right\}}_{a_j\in \omega }\hfill \\ S{K}_3={\{d_0,d_{j,3}\}}_{a_j\in \omega }\hfill \end{array}\right.$$

Finally, the central authority sends $S{K}_1$ to CSPA, $S{K}_2$ to CSPB, and $S{K}_3$ to the DU, respectively.

5.3. Enc

The DO runs the $Enc$ algorithm to encrypt the DO’s entire data m and output the ciphertext $C_T$. The DO divides the entire data m into two parts based on their security levels and then encrypts both parts by using the same access structure before uploading to the MCSP. The $Enc$ algorithm is divided into three steps:

The first step is to divide the data m. Based on the security levels of the data, the DO divides the entire data m into two parts, namely $m_a$ and $m_b$. It should be noted that $m_a$ represents low-security data that are stored with CSPA and $m_b$ represents high-security data that are stored with CSPB.

The second step is to generate the access structure. The procedure for creating an access structure is as below:

First, the DO selects $s\in z_p^{*}$ at random and, then, calculates $c_0=g^s$. Subsequently, let s be the root node of the access tree structure T. The root node of T can be labeled, while other non-leaf nodes remain unlabeled. Finally, recursively label the non-leaf nodes in T according to the following three situations:

(1)

When the non-leaf node is labeled as ∧ and its child nodes are not labeled, the $Shamir(t,n)$ secret-sharing technology is adopted, where n denotes the number of current node’s child nodes and t represents the number of minimum child nodes required to reconstruct secret s. It should be noted that $t=n$ in this situation. Assign $s_i=f\left(i\right)$ to the current node’s children, and label it as assigned.

(2)

When the non-leaf node is labeled as ∨ and its child node is not labeled, the $Shamir(t,n)$ secret-sharing technology is adopted, where the meaning of n and t is the same as mentioned above. It should be noted that $t=1$. Assign $s_i=f\left(i\right)$ to the current node’s children, and label it as assigned.

(3)

When the non-leaf node is labeled as $of$ and its child node is not labeled, the $Shamir(t,n)$ secret-sharing technology is adopted, where the meaning of n and t is the same as mentioned above. It should be noted that $t\ne n$. Assign $s_i=f\left(i\right)$ to the current node’s children, and label it as assigned.

In the three situations mentioned above, the polynomial $y=f\left(x\right)={\sum }_{i=0}^{t-1}{a}_i{x}^i$ is uniquely determined by t points, which are $(x_i,y_i)=(i,s_i)$ and ${f\left(x\right)|}_{x=0}={\sum }_{i=0}^{t-1}f\left(i\right)l_i\left(0\right)$$=s$, where $l_i\left(0\right)$ is the Lagrange coefficient.

For each leaf node in the access structure tree T (i.e., $a_{j,i}\in T$), $c_{j,i}=T_j^{s_i}$ is computed, where i is the index of the leaf node and j is the index of the attribute.

Figure 4 shows an example of access structure tree T sharing secret s. First, the value of the root node (i.e., ∧ node) is set to s. For non-leaf nodes in the second layer, the $Shamir(2,2)$ threshold secret-sharing scheme is used to assign secrets s, that is the values of the ∨ node and the $of$ node are $s_i$. Subsequently, for the child nodes of the ∨ node, the $Shamir(1,2)$ threshold secret-sharing scheme is used to assign secret $s_i$ and set the values of its child nodes as $s_1$ and $s_2$. For the child nodes of $of$ node, the $Shamir(2,3)$ threshold secret-sharing scheme is used to assign secret $s_i$ and set the values of its child nodes as $s_3$, $s_4$, and $s_5$.

The third step is to encrypt the data $m_a$ and $m_b$, respectively. The process of encrypting is as follows:

$m_a$ encryption: The DO calculates $c_1=m_a·y^s=m_a·e{(g,g)}^{\alpha s}$ and generates the ciphertext $C_{T_1}$ of $m_a$: $C_{T_1}=\{T,c_0,c_1,{\left\{c_{j,i}\right\}}_{a_{j,i}\in T}\}$.

$m_b$ encryption: The DO calculates $c_2=m_b·y^s=m_b·e{(g,g)}^{\alpha s}$ and generates the ciphertext $C_{T_2}$ of $m_b$: $C_{T_2}=\{T,c_0,c_2,{\left\{c_{j,i}\right\}}_{a_{j,i}\in T}\}$.

The result of the $Enc$ algorithm is represented as:

$$C_T=\left\{\begin{array}{c}{C}_{T_1}=\{T,c_0,c_1,{\left\{c_{j,i}\right\}}_{a_{j,i}\in T}\}\hfill \\ C_{T_2}=\{T,c_0,c_2,{\left\{c_{j,i}\right\}}_{a_{j,i}\in T}\}\hfill \end{array}\right.$$

Finally, the DO sends $C_{T_1}$ to CSPA and $C_{T_2}$ to CSPB, respectively.

5.4. Data Decryption of CSPA

When the DU needs to access the data stored in CSPA, CSPA first queries the list of attribute sets according to the identification of the DU. If the DU’s attributes meet the access tree structure, CSPA executes the first partial decryption, then the DU performs the second decryption and attains the desired data. The specific algorithm consists of $CSPA$ $outsourcing$ $decryption$ and $DU$ $decryption$.

$CSPA$ $outsourcing$ $decryption$: CSPA performs the first decryption for the ciphertext $C_{T_1}$ stored in CSPA and obtains the first partial decryption result $C_{T_1}^{\prime }$:

$$\begin{array}{cc}\hfill C_{T_1}^{\prime }& =\prod _{a_j\in {\omega }^{\prime }}e{(T_j^{s_i},d_{j,1})}^{l_i\left(0\right)}\hfill \\ & =\prod _{a_j\in {\omega }^{\prime }}e{(g^{t_j{s}_i},g^{(r-u_j)t_j^{-1}})}^{l_i\left(0\right)}\hfill \\ & =e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}(r-u_j)s_i{l}_i\left(0\right)}\hfill \end{array}$$

Then, CSPA sends the ciphertext $C_{T_1}$, the first partial decryption result $C_{T_1}^{\prime }$, and the secret value $k_j$ to the DU. It should be noted that the secret value $k_j$ is obtained by the Oblivious Transfer protocol between CSPA and the DU.

$DU$ $decryption$: Upon receiving the information above sent by CSPA, the DU executes the second decryption for the ciphertext $C_{T_1}$ and obtains the second partial decryption result $C_{T_1}^{\prime \prime }$:

$$\begin{array}{cc}\hfill C_{T_1}^{\prime \prime }& =\prod _{a_j\in {\omega }^{\prime }}e{(T_j^{s_i},d_{j,3})}^{l_i\left(0\right)}\hfill \\ & =\prod _{a_j\in {\omega }^{\prime }}e{(g^{t_j{s}_i},g^{u_j{t}_j^{-1}})}^{l_i\left(0\right)}\hfill \\ & =e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}{u}_j{s}_i{l}_i\left(0\right)}\hfill \end{array}$$

Subsequently, the DU obtains the data stored in CSPA according to the two partial decryption results above:

$$\begin{array}{cc}& e(c_0,d_0)C_T^{\prime }{C}_T^{\prime \prime }\hfill \\ & =e(g^s,g^{\alpha -r})e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}(r-u_j)s_i{l}_i\left(0\right)}e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}{u}_j{s}_i{l}_i\left(0\right)}\hfill \\ & =e(g^s,g^{\alpha -r})e{(g,g)}^r\hfill \\ & =e(g^s,g^{\alpha })\hfill \end{array}$$

Finally, the DU obtains the data $m_a$ stored in CSPA:

$$\begin{array}{c}\hfill m_a^{\prime }=\frac{c_1}{e(g^s,g^{\alpha })}=\frac{m_a·e{(g,g)}^{\alpha s}}{e(g^s,g^{\alpha })}=m_a\end{array}$$

5.5. The Request of The New Secret Key

Based on the secret value $k_j$ sent by CSPA, the DU is required to request the new secret key from the central authority. It should be noted that the new secret key is employed to decrypt the ciphertext $C_{T_2}$ stored in CSPB. The details are as follows.

First, the central authority calculates the following values based on $k_j$:

$$\begin{array}{c}\hfill v_j=\frac{b_j}{k_j}-u_j\end{array}$$

$$\begin{array}{c}\hfill d_{j,3}^{\prime }=g^{v_j{t}_j^{-1}}\end{array}$$

Then, the new secret key $S{K}_3^{\prime }$ is denoted as:

$$\begin{array}{c}\hfill S{K}_3^{\prime }={\{d_0,d_{j,3}\}}_{a_j\in \omega }\end{array}$$

Finally, the central authority sends the new secret key $S{K}_3^{\prime }$ to the DU.

5.6. Data Decryption of CSPB

If the DU wants to obtain the entire data, it is essential to obtain and decrypt the data stored in CSPB. When the DU accesses the data stored in CSPB, CSPB first queries the list of attribute sets based on the DU’s identification. If the DU’s attributes meet the access structure, CSPB executes the first partial decryption. Then, the DU performs the second decryption and obtains the desired data. The $data$ $decryption$ $of$ $CSPB$ algorithm, similar to the $data$ $decryption$ $of$ $CSPA$ algorithm, is also divided into two parts.

$CSPB$ $outsourcing$ $decryption$: CSPB performs the first partial decryption of the ciphertext $C_{T_2}$, and the first partial decryption result $C_{T_2}^{\prime }$ is calculated as follows:

$$\begin{array}{cc}\hfill C_{T_2}^{\prime }& =\prod _{a_j\in {\omega }^{\prime }}e{(T_j^{s_i},d_{j,2})}^{l_i\left(0\right)}\hfill \\ & =\prod _{a_j\in {\omega }^{\prime }}e{(g^{t_j{s}_i},g^{(r-v_j)t_j^{-1}})}^{l_i\left(0\right)}\hfill \\ & =e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}(r-v_j)s_i{l}_i\left(0\right)}\hfill \end{array}$$

Then, CSPB sends the ciphertext $C_{T_2}$ and the first partial decryption result $C_{T_2}^{\prime }$ to the DU.

$DU$ $decryption$: Upon receiving the information sent by CSPB, the DU performs the second partial decryption and obtains the second partial decryption result $C_{T_2}^{\prime \prime }$:

$$\begin{array}{cc}\hfill C_{T_2}^{\prime \prime }& =\prod _{a_j\in {\omega }^{\prime }}e{(T_j^{s_i},d_{j,3})}^{l_i\left(0\right)}\hfill \\ & =\prod _{a_j\in {\omega }^{\prime }}e{(g^{t_j{s}_i},g^{v_j{t}_j^{-1}})}^{l_i\left(0\right)}\hfill \\ & =e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}{v}_j{s}_i{l}_i\left(0\right)}\hfill \end{array}$$

Subsequently, the DU obtains the data stored in CSPB according to the two partial decryption results above:

$$\begin{array}{cc}& e(c_0,d_0)C_T^{\prime }{C}_T^{\prime \prime }\hfill \\ & =e(g^s,g^{\alpha -r})e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}(r-v_j)s_i{l}_i\left(0\right)}e{(g,g)}^{{\sum }_{a_j\in {\omega }^{\prime }}{v}_j{s}_i{l}_i\left(0\right)}\hfill \\ & =e(g^s,g^{\alpha -r})e{(g,g)}^r\hfill \\ & =e(g^s,g^{\alpha })\hfill \end{array}$$

Finally, the DU obtains the data $m_b$ stored in CSPB:

$$\begin{array}{c}\hfill m_b^{\prime }=\frac{c_1}{e(g^s,g^{\alpha })}=\frac{m_b·e{(g,g)}^{\alpha s}}{e(g^s,g^{\alpha })}=m_b\end{array}$$

At this point, the DU obtains the entire data m.

$$\begin{array}{c}\hfill m=m_a\cup m_b\end{array}$$

6. Security Analysis

6.1. The Enhancement of Privacy Protection

When all of the DO’s data are uploaded to a specific cloud service provider, the DO’s entire data are at risk of leakage if the cloud service provider is attacked. However, in our scheme, the DO’s data are stored on two cloud service providers (i.e., CSPA and CSPB), respectively. Assume that CSPA is under attack; only the portion of the DO’s data stored in CSPA is at risk of being leaked, while the privacy of the DO’s data stored in CSPB is not threatened. In addition, the security levels of CSPA and CSPB are different and the data of CSPB can be obtained only after the data of CSPA are obtained. Obviously, compared to the schemes in [5,6,7,8], ABE-DSC is more effective in protecting the privacy of the DO’s data.

Table 1. Comparisons of the privacy protection of the DO’s data.

Scheme	Storage Environment	Division of Cloud Service Providers
Ref. [5]	single-cloud	✕
Ref. [6]	single-cloud	✕
Ref. [7]	multi-cloud	✕
Ref. [8]	multi-cloud	✕
ABE-DSC (our scheme)	multi-cloud	✔

shows the comparison between ABE-DSC and the schemes in [5,6,7,8] in the privacy protection of the DO’s data. The DO’s data in the scheme in [5] and the scheme in [6] are stored in a single-cloud environment, that is all the DO’s data are stored in a specific cloud service provider. The DO’s entire data are at risk of leakage if the cloud service provider is attacked. Although the scheme in [7] and the scheme in [8] are stored in a multi-cloud environment, their schemes do not divide them to by cloud service provider, and all cloud service providers have the same security level. In ABE-DSC, the data are stored in a multi-cloud environment based on the security levels, and the data in CSPB can only be accessed once the data in CSPA are acquired. Obviously, compared to the scheme above, ABE-DSC not only offers data security classification, but also enhances the protection of DO’s data more efficiently.

6.2. Selective-Attribute Plaintext Attacks Game

The formal security proof for ABE-DSC based on the attack game is proposed.

Theorem 1. 

Assuming that the DBDH holds, it is difficult for an adversary to break through ABE-DSC within polynomial time by selecting attributes. Therefore, ABE-DSC is effective against selective-attribute plaintext attacks.

Proof. 

If the polynomial-time adversary $\mathcal{A}$ is able to win the selective-attribute plaintext game with an undeniable advantage $\epsilon$, then a simulator $\mathcal{B}$ can be designed to address the DBDH problem with the advantage of $\frac{\epsilon }{2}$.

First, the challenger $\mathcal{C}$ performs the $Setup$ algorithm, which generates $G_0$ and $G_1$ with the prime order p and the generator g. The bilinear map e is constructed. $\mathcal{C}$ randomly chooses $a,b,c,z\in Z_p^{*}$ and $z\in Z_p^{*}$. Then, $\mathcal{C}$ tosses a fair binary coin $\mu \in \{0,1\}$. Let $Z=e{(g,g)}^{abc}$ when $\mu =0$. Otherwise, $Z=e{(g,g)}^z$. $\mathcal{C}$ takes $A=g^a,B=g^b,C=g^c$, and g as the input.

Subsequently, the challenger $\mathcal{C}$ entrusts the simulator $\mathcal{B}$ to engage in the selective-attribute attack game with the adversary $\mathcal{A}$ as below.

Setup: $\mathcal{A}$ selects the access structure tree T and sends it to $\mathcal{B}$. $\mathcal{B}$ randomly selects $x^{\prime }\in z_p^{*}$. Let $e{(g,g)}^{\alpha }=e{(g,g)}^{x^{\prime }}·e{(g,g)}^{ab}$, then $\alpha =x^{\prime }+ab$. When $a_j\in \Omega$ and $a_j\notin T$, $k_j\in z_p^{*}$ is randomly selected. Let $T_j=B^{\frac{1}{k_j}}$, then $t_j=\frac{b}{k_j}$.

Phase 1: $\mathcal{A}$ needs to request the secret key according to attribute set $\omega =\{a_j\in \Omega ,a_j\notin T\}$. $\mathcal{B}$ selects at random an element $r^{\prime }\in z_p^{*}$. Let $d_0=g^{x^{\prime }-r^{\prime }b}$, then $r=r^{\prime }b+ab$. The process of calculation is as follows:

$$\begin{array}{cc}& d_0=g^{x^{\prime }-r^{\prime }b}\hfill \\ & =g^{\alpha -ab-r^{\prime }b}\hfill \\ & =g^{\alpha -(ab+r^{\prime }b)}\hfill \end{array}$$

$\mathcal{B}$ randomly selects $u_j\in z_p^{*}$, then builds the keys $d_{j,1}=g^{(r-u_j)t_j^{-}1}$ and $d_{j,3}=g^{u_j{t}_j^{-}1}$. $\mathcal{B}$ sends $d_0$, $d_{j,1}=g^{(r-u_j)t_j^{-}1}$, and $d_{j,3}=g^{u_j{t}_j^{-}1}$ to $\mathcal{A}$. Then, $\mathcal{A}$ calculates $d_j=d_{j,1}·d_{j,3}=A^{k_j}{g}^{k_j·r^{\prime }}$. The calculation process is as follows:

$$\begin{array}{cc}& d_j=g^{(r-u_j)t_j^{-}1}·g^{u_j{t}_j^{-}1}\hfill \\ & =g^{\frac{(ab+r^{\prime }b)k_j}{b}}\hfill \\ & =g^{a{k}_j}{g}^{k_j{r}^{\prime }}\hfill \\ & =A^{k_j}{g}^{k_j·r^{\prime }}\hfill \end{array}$$

At this point, $\mathcal{A}$ obtains the secret key $s{k}_{w_j}=\left(d_0,\forall a_j\in w_j:d_j\right)$.

Challenge: $\mathcal{A}$ sends the message $m_0$ and $m_1$ with an equal length. $\mathcal{B}$ executes an encryption algorithm on $m_v$ to generate ciphertext $c_v$, where $\mu \in \{0,1\}$. The encryption process is as follows:

First, let $c_0=g^c$, then $\mathcal{B}$ calculates $c_1$ as follows.

$$\begin{array}{cc}& c_1=m_v·e{(g,g)}^{\alpha ·c}\hfill \\ & =m_v·e{(g,g)}^{ab+x^{\prime }}c·e(g^c,g^{x^{\prime }})\hfill \\ & =m_v·e{(g,g)}^{abc}\hfill \\ & =m_v·Z_{\mu }·e(g^c,g^{x^{\prime }})\hfill \end{array}$$

Secondly, let the root node of tree T be $g^c$ and the assignment method of other non-leaf nodes be the same as that in the $Enc$ algorithm. For each leaf node (i.e., $a_{j,i}$), $c_{j,i}=g^{f\left(i\right)k_j}$ is calculated. The ciphertext $c_T=(T,c_0,c_1,\forall a_{j,i}\in T:c_{j,i})$ is sent to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ follows the procedures of Phase 1 above to request the secret key.

Guess: $\mathcal{A}$ can guess $v^{\prime }\in \{0,1\}$.

Assume that $v^{\prime }=v$, $\mathcal{B}$ will guess $\mu =0$, that is $Z=e{(g,g)}^{abc}$. Assume that $v^{\prime }\ne v$, $\mathcal{B}$ will guess that $\mu =1$, that is $Z=e{(g,g)}^z$. When $\mu =0$, the advantage of $\mathcal{A}$ is:

$$\begin{array}{c}\hfill Pr[b^{\prime }=b|Z=e{(g,g)}^{abc}]=\frac{1}{2}+\epsilon \end{array}$$

When $\mu =1$, the advantage of $\mathcal{A}$ is:

$$\begin{array}{c}\hfill Pr[b^{\prime }\ne b|Z=e{(g,g)}^z]=\frac{1}{2}\end{array}$$

To sum up, the total advantage of solving the DBDH for $\mathcal{B}$ can be assumed as follows:

$$\frac{1}{2}Pr[{\mu }^{\prime }=\mu |\mu =0]+\frac{1}{2}Pr[{\mu }^{\prime }=\mu |\mu =1]-\frac{1}{2}=\frac{\epsilon }{2}$$

Consequently, $\mathcal{B}$ is capable of resolving the DBDH problem with the undeniable advantage of $\frac{\epsilon }{2}$, which contradicts the acknowledged complexity assumption of the DBDH problem. □

7. Evaluation

This section provides the performance analysis of the ABE-DSC proposed in the paper. In comparison to the schemes in [5,6,7,8], which were built upon CP-ABE, the thorough analysis of the basic features, computational efficiency, and experimental evaluation are given.

7.1. Comparisons of the Basic Features

The comparisons of the basic features are presented in

Table 2. Comparisons of the basic features.

Scheme	CP-ABE	Outsourcing of Decryption	Multi-Cloud	Data Security Classification
Ref. [5]	✔	✔	✕	✕
Ref. [6]	✔	✔	✕	✕
Ref. [7]	✔	✕	✔	✕
Ref. [8]	✔	✔	✔	✕
ABE-DSC (our scheme)	✔	✔	✔	✔

. The schemes in [5,6] are CP-ABE schemes with outsourced decryption; however, the schemes above are only conducted within the single-cloud environment, and their applicability is limited in the multi-cloud environment. On the contrary, the scheme in [7] is conducted in the multi-cloud environment, but the operation of decryption in [7] is completed by the DU, which fails to realize the outsourcing of the decryption. The scheme in [8] is a CP-ABE scheme that implements outsourced decryption in the multi-cloud environment. However, the decryption is outsourced to the proxy, which adds an insecure entity. Although the schemes in [7,8] are conducted in the multi-cloud environment, they fail to realize the security classification of the data. Compared with the schemes in [5,6,7,8], a CP-ABE scheme with data security classification in the multi-cloud is proposed, which also realizes the outsourcing of the decryption.

7.2. Computational Efficiency

To verify the efficiency of ABE-DSC, the computational cost of ABE-DSC is compared with those of the existing schemes [5,6,7,8].

The notations and the corresponding description are shown in

Table 3. Notations.

Notation	Description
$G_0$	One exponential operation in group $G_0$.
$G_1$	One exponential operation in group $G_1$.
$C_e$	One operation of bilinear pairs.
m	The number of attributes of the entire scheme.
n	The number of authorizations.
t	The number of attributes in ciphertext.
k	The number of attributes in the secret key.
s	The number of attributes in the DU’s attribute set that meet the access structure.

. Note that the computational overhead of the multiplication and hash operations was negligible compared to that of the other operations mentioned in the table, and the computational overhead of $G_1$ was significantly less than that of $G_0$ and $C_e$.

As shown in

Table 4. Comparisons of the computational overhead.

Scheme	Setup	Keygen	Enc	Decryption
Ref. [5]	$3G_0+G_1$	$7k{G}_0$	$5t{G}_0+(2t+1)G_1$	$s{G}_0+3s{C}_e$
Ref. [6]	$(m+2)G_0+G_1$	$(4k+1)G_0$	$(4t+2)G_0$	$s{G}_0+(2s+2)Ce$
Ref. [7]	$(n+3)G_0+n{G}_1$	$5n{G}_0+4k{G}_0$	$(2t+2)G_0+G_1$	$2s{G}_0+s{G}_1+(s+2)C_e$
Ref. [8]	$2G_0+G_1$	$(4k+1)G_0$	$(2t+1)G_0+G_1$	$(s+2)G_1+3s{C}_e$
ABE-DSC	$G_0+G_1$	$k{G}_0$	$(t+3)G_0$	$2s{G}_1+(2s+1)C_e$

, the computational overheads of ABE-DSC and the existing schemes [5,6,7,8] were compared in several phases. In the $Setup$ phase, the computational overheads of all schemes mentioned in Table 4 were constant and related to the exponential operations in $G_0$ and $G_1$. The scheme in [6] generates a parameter for each attribute, which results in a high computational overhead due to the increased number of exponential operations in $G_0$. Similarly, the computational overhead of the scheme in [7] is also influenced by the number of authorizations (i.e., n). In comparison, ABE-DSC has fewer exponential operations in $G_0$ and $G_1$ than the schemes mentioned above, which reduces the computational overhead during this phase. In the $Keygen$ phase, all schemes [5,6,7,8] and ABE-DSC depend on the exponential operation in $G_0$, and the number of operations in $G_0$ is directly related to the number of attributes in the secret key (i.e., k). The scheme [7] utilizes multi-authorization to generate the secret key, which results in a high computational overhead due to the increased number of authorizations involved. ABE-DSC has fewer exponential operations in $G_0$ compared to the other schemes, which reduces the computational overhead during this stage.

In the $Enc$ phase, the computational overheads of the schemes in [5,7,8] are all related to the number of exponential operations in $G_0$ and $G_1$, while those of the scheme in [6] and ours are only related to the exponential operations in $G_0$. Since the computational overhead of $G_1$ is much smaller than that of $G_0$, we only compared the computational overhead of $G_0$ in these schemes. The exponential operation in $G_0$ in the schemes in [5,6,7,8] and ABE-DSC is associated with the number of attributes in the ciphertext (i.e., t). Since the coefficient of t in ABE-DSC is smaller than that in the other schemes, ABE-DSC has less computational overhead in this phase.

In the decryption phase, the computational overhead of the schemes in [5,6] is associated with $G_0$ and $C_e$, that of the scheme in [7] is associated with $G_0$, $G_1$, and $C_e$, and those of the scheme in [8] and ours are related to $G_1$ and $C_e$. Since the impact of $G_1$ is negligible on the computational overhead, the computational overhead of $G_0$ and $C_e$ are considered in these schemes. The computational overhead of $G_0$ and $C_e$ is related to the number of attributes that satisfy the access structure (i.e., s). The computational overhead of $C_e$ in the scheme is smaller than those in the schemes in [5,6,8], but it is slightly larger than that of the scheme in [7]. However, the scheme in [7] has the operation in $G_0$, while ABE-DSC does not have the operation in $G_0$. Therefore, ABE-DSC has a lower computational overhead than other schemes in this phase.

7.3. Experimental Evaluation

To further demonstrate the computational efficiency of ABE-DSC, we conducted a series of experiments between ABE-DSC and the schemes in [5,6,7,8]. The experimental results evaluated the time cost of the schemes discussed above as the number of the DU’s attributes increases. The experiments were conducted by using the JAVA language and using the IntelliJIDEA2018 tool and the jPBC2.0 open-source encryption library. The hardware configuration was an Intel(R) Core(TM) i7-8750H CPU @ 2.20 GHz; the operating system was Windows 10; the encryption environment was initialized with the Type A hypersingular elliptic curve $y^2=x^3+x$ of order 160 bit. Based on the encryption environment of this scheme, for the convenience of the comparison, the specific parameters were set as follows: the number of all attributes was 50, and the number of the DU’s attributes was set as $N=10,20,30,40,50$ in the experiments. The experimental results obtained were the average of 10 executions.

Figure 5, Figure 6, Figure 7 and Figure 8 show the time cost of ABE-DSC and the schemes in [5,6,7,8] in the $Setup$, $Keygen$, $Enc$, and decryption phases with the increase of the DU’s attributes.

Figure 5 shows the time cost of ABE-DSC and the schemes in [5,6,7,8] during the $Setup$ phase. As Figure 5 shows, the time cost during the $Setup$ phase was almost constant and did not increase with the number of the DU’s attributes. Due to the additional process of assigning a parameter to each attribute in the scheme in [6], the computational overhead of $G_0$ was greater than that of the other existing schemes. Therefore, the time cost of the scheme in [6] was much greater than that of the other schemes in this phase. Assume that there are three authorizations (i.e., the minimum of authorizations) in the scheme in [7]. These authorizations participate in the $Setup$ phase, which resulted in the greater computational overhead of $G_0$ and consumed more time compared to the schemes in [5,8] and ours. Compared to the schemes in [5,8], ABE-DSC had a smaller computational overhead for $G_0$, and the time cost of ABE-DSC was less than those of the schemes in [5,8]. In other words, compared to the schemes in [5,6,7,8], ABE-DSC consumed less time in this phase.

The time cost of the $Keygen$ phase is depicted in Figure 6. The time cost of ABE-DSC and the schemes in [5,6,7,8] exhibited a linear interrelationship with the number of the DU’s attributes. The scheme in [5] had a higher computational overhead for $G_0$ compared to the other schemes, which resulted in a greater time cost. In the scheme in [7], the computational overhead of $G_0$ is also dependent on the number of authorizations, so the time cost of the scheme in [7] was greater than those of the schemes in [6,8] and ABE-DSC. Since the computational overhead of $G_0$ in the schemes in [6,8] was almost the same, the time cost of the scheme in [6] was close to that of the scheme in [8]. Compared to other schemes, ABE-DSC has a lower computational overhead of $G_0$, which resulted in a smaller time cost in this phase.

Figure 7 presents the results of time cost between ABE-DSC and the schemes in [5,6,7,8] in the $Enc$ phase. Since the computational consumption of $G_0$ is much greater than that of $G_1$, the impact of $G_0$ on the time cost is larger than that of $G_1$. Since the schemes in [5,6] have a significantly larger computational consumption of $G_0$ than the other schemes, this led the schemes in [5,6] t have a higher time cost compared to the other schemes. In addition, the scheme in [5] has a higher computational consumption of $G_0$ compared to the scheme in [6], which resulted in the scheme in [5] having the highest time cost among all the schemes, followed by the scheme in [6]. The schemes in [7,8] almost have the same calculations for $G_0$, so the time cost of the scheme in [7] was close to that of the scheme in [8]. Compared to the other schemes, there is less computational consumption for $G_0$ in ABE-DSC, so the time cost was less than the other schemes in this phase.

As seen in Figure 8, the time cost during the decryption phase was proportionally linear to the number of the DU’s attributes in the schemes mentioned. The computational overhead of the scheme in [7] is influenced by $G_0$, $G_1$, and $C_e$. Therefore, its computational overhead was higher than the other schemes, which resulted in a greater time cost in the decryption phase. The schemes in [5,6,8] and ABE-DSC have a similar computational overhead of $C_e$, but the schemes in [5,6] have operations on $G_0$, while the other scheme and ours only have operations on $G_1$. Since the computational overhead of $G_0$ is bigger than that of $G_1$, the time cost of the schemes in [5,6] was greater than that of the scheme in [8] and ours. In addition, the scheme in [5] has a greater computational overhead of $C_e$ than the scheme in [6]. Therefore, the scheme in [5] had a greater time cost compared to that of the scheme in [6]. For the scheme in [8] and ABE-DSC, due to the greater impact of $C_e$ on the time cost compared to $G_1$ and the smaller computational overhead of $C_e$ in the scheme, ABE-DSC had a lesser time cost compared to that of the scheme in [8]. In short, compared with the other schemes, ABE-DSC consumed less time in this phase.

ABE-DSC employs cloud service providers for outsourcing decryption, thereby reducing the computational burden on the DU. We further demonstrated the efficiency of outsourcing decryption in ABE-DSC through the experiment. Since ABE-DSC and the schemes in [7,8] are executed in the multi-cloud environment, we compared the time cost of non-cloud decryption (i.e., other decryption operations except the cloud-outsourced decryption) in ABE-DSC to that in the schemes in [7,8]. As depicted in Figure 9, there was a linear relationship between the time cost of non-cloud decryption and the number of the DU’s attributes. Due to the fact that the scheme in [7] fails to provide outsourcing of decryption and the decryption operations are all completed by the DU, the time cost of non-cloud decryption in the scheme in [7] was significantly greater than that of the scheme in [8] and ours. The outsourcing decryption in the paper was only completed through the cloud service providers, while the outsourcing decryption in the scheme in [8] was completed by cloud service providers and a proxy. Therefore, the scheme in [8] not only added an insecure entity, but also consumed more time in the decryption process compared to ABE-DSC. Overall, ABE-DSC effectively reduced the computational burden on the DU.

8. Conclusions

An efficient attribute-based encryption scheme with data security classification in the multi-cloud environment was proposed in this paper. Our scheme divides the DO’s data into two parts based on different security levels and stores these parts using two different cloud service providers, which enhances the security of outsourcing data. The cloud service providers not only support data storage, but also offer outsourcing of decryption to alleviate the computational burden on the DU. Additionally, our scheme provides fine-grained access control for the DU based on CP-ABE. The security analysis indicated that our scheme was effective against selective-attribute plaintext attacks. The experimental results showed that ABE-DSC incurred less computational overhead compared to the other schemes.