Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT

Abstract

Devices in the Internet of Things (IoT) usually use cloud storage and cloud computing to save storage and computing cost. Therefore, the efficient realization of one-to-many communication of data on the premise of ensuring the security of cloud storage data is a challenge. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) can not only protect the security of data in the cloud and achieve one-to-many communication but also achieve fine-grained access control for data. However, the single-authority CP-ABE faces the crisis of single point of failure. In order to improve security, the Multi-Authority CP-ABE (MA-CP-ABE) is adopted. Although there are provably-secure MA-CP-ABE schemes, Edward Snowden’s research shows that provably-secure cryptographic schemes are vulnerable to backdoor attacks, resulting in secret disclosure, and thus threatening security. In addition, ABE requires huge computational overhead in key generation, encryption and decryption, which increase with the increase in the number of attributes and the complexity of the access structure, and there are a large number of resource-constrained devices in the IoT. To mitigate this issue, we construct the Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls (OO-MA-CP-ABE-CRFs) scheme. This scheme not only uses Cryptographic Reverse Firewall (CRF) to resist backdoor attacks but also uses online/offline key generation, online/offline encryption and outsourcing encryption technology to optimize the efficiency of the MA-CP-ABE scheme with reverse firewall, reducing the storage and computing cost of users. Finally, the security of the OO-MA-CP-ABE-CRFs scheme is proved, and the experimental results indicate that the scheme is efficient and practical.

1. Introduction

With the increasing number of terminal devices connected to the Internet of Things (IoT), the data to be processed increase exponentially. At the same time, with the widespread use of cloud computing and cloud storage technologies, the data from IoT devices were uploaded to the cloud for storage and processing. Considering that the dishonest cloud seriously threatens the privacy and security of data, it is necessary to encrypt the data before cloud storage. Attribute-Based Encryption (ABE) can not only protect data privacy but also realize fine-grained access control to data.

ABE was originally proposed by Sahai and Waters, which can be classified as Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE), respectively. In the CP-ABE (KP-ABE) scheme, the user’s private key (ciphertext) is associated with its attributes, and the ciphertext (private key) is associated with the access structure. Only when the attributes of the user meet the access structure of the ciphertext can the user use the private key to recover the plaintext correctly. Because users can use CP-ABE to specify flexible access structures for ciphertext, they can achieve fine-grained access control for ciphertext, so CP-ABE has been widely used in cloud computing [1,2,3,4,5,6]. Because the user’s private key is generated by an attribute authority, the attribute authority knows the user’s private key and can decrypt the ciphertext. Therefore, the attribute authority is required to be a trusted third party. In addition, the single-authority ABE scheme has a series of negative effects such as heavy computing burden, single point of failure crisis, and excessive central authority. The Multi-Authority ABE (MA-ABE) scheme can solve the problem of limited computing resources and single point of failure in the single-authority ABE scheme, so it has been widely used in the IoT [7,8,9].

Edward Snowden’s disclosure showed that even if the user’s machine is executing the cryptographic scheme normally, it may be placed on the machine by the adversary with undetectable backdoor vulnerabilities, so the user’s secret is exposed, thus endangering the user’s security [10,11,12]. Even provably secure cryptographic schemes face this threat, including the provably secure MA-ABE scheme. The Cryptographic Reverse Firewall (CRF) uses a trusted machine placed between the user’s machine and the external environment to intercept illegal data streams entering the machine and modifying system parameters in time, which can resist internal vulnerabilities such as backdoors, thereby providing users with privacy security [13]. Therefore, it is necessary to construct an MA-ABE scheme with CRFs (MA-ABE-CRFs).

One of the main drawbacks of the ABE encryption scheme is that the computational cost of encryption, decryption and key generation increases with the increase in the complexity of the access structure or the number of attributes. MA-ABE-CRFs faces the same drawback because of the increase in attribute authorities and the increase in CRFs, which lead to higher computing cost. The devices in the IoT have limited storage and computing resources, so it is necessary not to use MA-ABE directly. The online/offline key generation, online/offline encryption and outsourced decryption to improve the efficiency of MA-ABE are considered [14]. The online/offline technology splits the computation for MA-ABE into two phases: an offline preparation phase, in which users can do a lot of work, such as offline key generation and offline encryption; and a second phase, where once the user knows the encrypted plaintext and attributes/access structure, the user can quickly generate a key online to encrypt the plaintext. Outsourcing pre-decryption can transfer a large amount of decryption computing cost to cloud service providers, thus reducing users’ decryption computing cost, and is more suitable for resource-constrained IOT devices. Considering the efficiency of MA-ABE-CRFs, especially for IoT devices with limited storage and computing resources, we can consider online/offline key generation, online/offline encryption and outsourced decryption to improve the efficiency of MA-ABE-CRFs [14]. Therefore, it is necessary to study the Online/Offline MA-CP-ABE-CRFs (OO-MA-CP-ABE-CRFs) to ensure the security of data in the IoT and improve the efficiency of data transmission.

In this paper, we combine CRF and CP-ABE, and adopt multi-authority, online/offline, outsourced decryption to construct OO-MA-CP-ABE-CRFs for IoT. The specific contributions are as follows:

(1)

We propose a new MA-CP-ABE-CRF scheme, which not only avoids the crisis of single point of failure of single-authority ABE but also provides flexible access control for ciphertext data. In addition, four CRFs are used to re-randomize key parameters. This allows the MA-CP-ABE scheme to maintain functionality and resist ex-filtration even if it is compromised by unexpected attacks.

(2)

In order to make the scheme suitable for IoT, we have adopted online/offline key generation, online/offline encryption, and outsourcing decryption technologies to improve the computational efficiency of the scheme. These technologies are not only adopted by users and attribute authority but also by the four CRFs, which can significantly improve the efficiency of the scheme. Compared with other studies in terms of computational and storage overhead, our scheme has obvious advantages.

(3)

We have theoretically analyzed and proven the correctness and security of the OO-MA-CP-ABE-CRFs scheme, including CPA security, weak security reservation, and weak demonstration resistance. These security guarantees that devices in IOT are secure even when attacked by backdoors.

The rest of this article is organized as follows. Section 2 discusses the related work. Section 3 presents the preliminaries. Section 4 describes the proposed OO-MA-CP-ABE-CRFs scheme. Section 5 presents the performance analysis of the proposed scheme. Section 6 presents a real-world application of the proposed scheme. Finally, Section 7 concludes this work.

2. Related Work

This section mainly summarizes the related works on ABE, CRF and online/offline cryptography.

2.1. Attribute-Based Encryption

ABE was originally proposed by Sahai and Waters on the basis of Fuzzy Identity-Based Encryption (FIBE) [15]. Goyal et al. [16] extended FIBE technology to ABE technology and defined two types of ABE, called KP-ABE and CP-ABE, respectively. The complete framework of the first anti-collusion CP-ABE scheme was proposed by Bethencourt et al. [17]. Since CP-ABE can customize access control policies by data owners, it is widely used in various cloud scenarios due to the advantages of fine-grained access control. Because the single-authority ABE scheme has a series of negative effects such as heavy computing burden, single point of failure crisis, and excessive central authority, Chase [18] constructed an MA-ABE scheme to solve such problems. Chase et al. [19] further protect user privacy by eliminating the trusted central authority to prevent information from being concentrated on specific users. Lin et al. [20] proposed a threshold-based multi-authority FIBE scheme that can be extended to MA-ABE. Qian et al. [21] proposed an MA-ABE scheme supporting attribute revocation and dynamic policy updates to meet the privacy security requirements of patients in the personal health record (PHR) system.

2.2. Cryptographic Reverse Firewall

Due to the influence of Snowden’s ex-filtration incident, Mironov et al. [13] introduced the concept of a CRF, which aims to intercept and update the receiving and sending messages of the client in time to prevent malicious adversary in the system. Zhou et al. [22] proposed an IBE-based CRF scheme. Chen et al. [23] rely on the malleable smooth projective hash function with key malleability and element re-randomizability to construct multiple CRF-based cryptographic protocols. Zhou et al. [24] designed a single-round CL-PKE-CRF protocol with low communication overhead. Zhou et al. [25] proposed a searchable public key encryption scheme based on CRF, which can resist various attack methods without a secure channel, thereby fully guaranteeing the user’s information security. Ma et al. [26] designed an online/offline CP-ABE-CRF scheme, which effectively reduces the computational overhead while resisting secret ex-filtration, and further ensures the practicability of the scheme on lightweight devices. Hong et al. [27] constructed an MA-KP-ABE-CRF scheme, which supports a non-monotonic access structure.

2.3. Online/Offline Cryptography

It is also worth noting that not only does the CRF framework bring a lot of computing overhead, but most of the ABE scheme design process itself generally has expensive computing operations. Many researchers use online/offline technology to solve this problem. Khan et al. [28] entrusted the heaviest computing operations to the offline stage through online/offline technology, which reduced computing overhead, and designed an online/offline-aided attribute-based multi-keyword search scheme. In order to reduce the communication overhead in the verification phase, Ali et al. [29] designed a verifiable online/offline multi-keyword search scheme. For fields such as smart grids with high security and timeliness, Zhang et al. [30] outsourced a large number of calculations to the encryption and decryption server, reducing the calculation overhead of the client, and constructed outsourcing attributed-based ranked searchable encryption. In order to further reduce the computational burden of data owners and clients, Shao et al. [31] based on the online/offline MA-ABE scheme combined with key conversion technology to outsource the complex operation of the decryption stage to the proxy server.

3. Preliminaries

This introduces preliminaries of the OO-MA-CP-ABE-CRFs scheme.

3.1. Bilinear Groups

Let $\mathbb{G}$, ${\mathbb{G}}_T$ be two multiplicative cyclic groups with a prime order of p. Among them, g is the generator of the group $\mathbb{G}$, and the bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ has the following three properties:

(1)

Bilinearity: For any $P,Q\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p^{*}$, it can calculate; $e(P^a,Q^b)=e{(P,Q)}^{ab}$.

(2)

Non-degeneracy: If $P,Q\in \mathbb{G}$ is assumed, then $e(P,Q)\ne 1$ is established;

(3)

Computability: For any $P,Q\in \mathbb{G}$, there exists an efficient algorithm to compute $e(P,Q)$.

$q-$type assumption. The challenger first calls parameters of bilinear pairings p, $\mathbb{G}$, ${\mathbb{G}}_T$, e, and picks a random group element $g\in \mathbb{G}$ and random exponents $a,s,b_1,b_2,\dots ,b_q\leftarrow {\mathbb{Z}}_q$. Then, the challenger sends the following terms to the adversary.

$g,g^s$

$g^{a^i},g^{b_j},g^{a^i/b_j^2},\forall (i,j)\in [q,q]$

$g^{a^i/b_j},\forall (i,j)\in [2q,q]withi\ne q+1$

$g^{a^i{b}_j/b_{j^{\prime }}^2},\forall (i,j,j^{\prime })\in [2q,q,q]withj\ne j^{\prime }$

$g^{s{a}^i{b}_j/b_{j^{\prime }}},g^{s{a}^i{b}_j/b_{j^{\prime }}^2},\forall (i,j,j^{\prime })\in [q,q,q]withj\ne j^{\prime }$

Finally, the challenger flips a random coin $b\in \{0,1\}$, sets $T=e{(g,g)}^{s{a}^{q+1}}$ if $b=0$ and otherwise $T\in {\mathbb{G}}_T$ is a random term, and sends T to attacker. The attacker outputs a guess $b^{\prime }\in \{0,1\}$ for b. The advantage of the attacker in the game is $|Pr[b=b^{\prime }]-\frac{1}{2}|$. We say that the $q-$type assumption holds if all probabilistic polynomial time attackers have at most a negligible advantage in the above security game.

3.2. Linear Secret Sharing Schemes

Assuming that $\{P_1,P_2,\dots ,P_n\}$ is a set of participants, if $B\in \mathbb{A}$ and $B\subseteq C$ have $C\in \mathbb{A}$, then we say that the set $\mathbb{A}\subseteq 2^{\{P_1,P_2,\dots ,P_n\}}$ is monotonous for any B and C. A monotonic access structure is the set of all non-empty subsets of $\{P_1,P_2,\dots ,P_n\}$, namely $\mathbb{A}\subseteq 2^{\{P_1,P_2,\dots ,P_n\}}\backslash \{⌀\}$. For this reason, sets in $\mathbb{A}$ are called authorized sets, whereas sets not in $\mathbb{A}$ are called non-authorized sets.

A linear secret sharing scheme $\mathsf{\Pi }$ with a set of parties is linear on ${\mathbb{Z}}_p$, the following conditions need to be satisfied:

(1)

The shares of each party constitute a vector over ${\mathbb{Z}}_p$;

(2)

There exists a share-generating matrix M with l rows and n columns for scheme $\mathsf{\Pi }$. Furthermore, there exists a function $\rho$ that maps each row of the matrix M to an associated party. For example, each row $i\in \left[l\right]$ of the matrix is closely related to $\rho \left(i\right)$, where $\left[l\right]=1,\dots ,l$. For column vector $\stackrel{\rightharpoonup }{v}=(s,r_2,\dots ,r_n)$, we choose s from ${\mathbb{Z}}_p$ as the secret value that needs to be shared, and $r_2,\dots ,r_n\in {\mathbb{Z}}_p$ are randomly selected. $M\overrightarrow{v}$ represents a vector composed of l elements, and each element is the secret share generated by the scheme $\mathsf{\Pi }$ for s. The share ${\left(M\overrightarrow{v}\right)}_i$ belongs to party $\rho \left(i\right)$.

3.3. Cryptographic Reverse Firewall

The CRF was originally proposed by Mironov and Stephens Davidowitz to provide a strong security backing for modern cryptographic algorithms to avoid the threat of backdoors. CRF acts as a function of message interception and parameter update in the entire cryptographic system. Deploying a cryptographic scheme that correctly implements CRF can effectively ensure that the scheme can still retain its security even if it runs on an infected machine. Appendix A provides more details about CRF.

3.4. System Model

As shown in Figure 1, the scheme includes five participants and corresponding reverse firewalls. They are the global identity authority (GA), attribute authorities (AA), the cloud service provider (CSP), the data owner (DO) and the data user (DU). Among them, the CRF of GA is ${\mathcal{W}}_{\mathrm{GA}}$, the CRF of AA is ${\mathcal{W}}_{\mathrm{AA}}$, the CRF of DO is ${\mathcal{W}}_{\mathrm{DO}}$, and the CRF of DU is ${\mathcal{W}}_{\mathrm{DU}}$.

Specifically, (1) GA generates global parameter $GP$. (2) If the process is corrupted, then ${\mathcal{W}}_{\mathrm{GA}}$ randomizes the $GP$, obtains and broadcasts $G{P}^{\prime }$ globally. (3) GA outputs its own public/private key pair $(GPK,GMK)$ by $G{P}^{\prime }$. (4) If the process is compromised, ${\mathcal{W}}_{\mathrm{GA}}$ outputs the updated public/private key pair $(GP{K}^{\prime },GM{K}^{\prime })$, and returns it to GA. (5) AA outputs its own public/private key pair $(AP{K}_k,AM{K}_k)$. (6) If the process is compromised, ${\mathcal{W}}_{\mathrm{AA}}$ ouputs the updated public/private key pair $AP{K_k}^{\prime }$, $AM{K_k}^{\prime }$. (7) DO offline encryption and output offline ciphertext ${CT}_{off}$. (8) DO encrypts plaintext online and outputs the ciphertext $C{T}_{\mathbb{A}}$ under the access structure $\mathbb{A}$. (9) If the encryption process is compromised, ${\mathcal{W}}_{\mathrm{DO}}$ outputs the updated intermediate ciphertext $IT$ offline. (10) ${\mathcal{W}}_{\mathrm{DO}}$ outputs the updated ciphertext $C{T}^{\prime }$. (11) GA outputs the user’s decryption key $ugsk$ offline. (12) If the process is compromised, ${\mathcal{W}}_{\mathrm{GA}}$ outputs the intermediate secret key $ISK$ offline. (13) ${\mathcal{W}}_{\mathrm{GA}}$ outputs the user’s updated decryption key $ugs{k}^{\prime }$ online. (14) AA outputs the user’s offline decryption key ${uask}_{off}$. (15) AA outputs the decryption key ${uask}_{on,S_{GID}}$ of the user online. (16) If the process is compromised, ${\mathcal{W}}_{\mathrm{AA}}$ of ${AA}_k$ outputs the updated offline decryption key $uas{k_{off}}^{\prime }$.(17) ${\mathcal{W}}_{\mathrm{AA}}$ outputs the user’s updated online decryption key $uas{k}_{on,S_{GID}}^{\prime }$ online. (18) In order to realize outsourcing pre-decryption, DU outputs a conversion key $TK$ and a retrieval key $RK$. (19) If the process is compromised, ${\mathcal{W}}_{\mathrm{DU}}$ outputs an updated conversion key $T{K}^{\prime }$ and a corresponding random $\beta$. (20) CSP performs outsourcing pre-decryption and outputs the transformed ciphertext $TCT$. (21) If the process is compromised, ${\mathcal{W}}_{\mathrm{DU}}$ outputs an updated transformed ciphertext $TC{T}^{\prime }$. (22) DU outputs the plaintext. For the normalized definition of OO-MA-CP-ABE-CRF, see Appendix B.

3.5. Security Model

We define the security model of the OO-MA-CP-ABE-CRFs scheme based on the security model [26,27]. Similar to [26,27], it is assumed that GA, AA, DO and DC are fully trusted, and the CSP is semi-trusted. Because the algorithms (Global.$\mathrm{Setup}$, $\mathrm{GASetup}$, $\mathrm{AASetup}$, $\mathrm{GA}.\mathrm{KeyGen}.\mathrm{off}$, $\mathrm{GA}.\mathrm{KeyGen}.\mathrm{on}$, $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{off}$, $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{on}$, $\mathrm{Encrypt}.\mathrm{off}$, $\mathrm{Encrypt}.\mathrm{on}$ and $\mathrm{KeyGen}.\mathrm{ran}$) in the scheme still maintain functionality after implanting malicious trapdoors, so it is necessary to consider that these algorithms may be compromised without the knowledge of the executor. In addition, considering that ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ are curious about the user’s data, we assume that ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ are semi-trusted. Since ${\mathcal{W}}_{\mathrm{GA}}$, ${\mathcal{W}}_{\mathrm{AA}}$ have access to the decryption key of the user, it is assumed that ${\mathcal{W}}_{\mathrm{GA}}$, ${\mathcal{W}}_{\mathrm{AA}}$ are completely trusted. Additionally, all CRFs are considered trusted zones and cannot be tampered with by any outsiders.

The CPA security game for OO-MA-CP-ABE-CRFs is played by a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Initialization: Adversary $\mathcal{A}$ sends the access structure ${\mathbb{A}}^{*}$ and the functionality maintaining algorithms to challenger $\mathcal{C}$.

Setup: The Setup algorithm is executed by challenger $\mathcal{C}$. The updated global public parameter $G{P}^{\prime }$, updated public key $GP{K}^{\prime }$ and $AP{K_k}^{\prime }$ of the authority are sent to the adversary $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ can adaptively query the Key Generation Oracle (KGO). $\mathcal{A}$ queries for attribute set $S_i$ and user identity $GID$, which requires that $S_i$ does not satisfy the challenge policy ${\mathbb{A}}^{*}$, $i=1,2,\cdots ,q$. The challenge $\mathcal{C}$ replies to adversary with user’s updated decryption key $(ugs{k}^{\prime },uas{k}_{S_{GID}}^{\prime })$, and updated conversion key $T{K}^{\prime }$.

Challenge: Adversary $\mathcal{A}$ sends two equal-length plaintexts $m_0$, $m_1$ to $\mathcal{C}$. $\mathcal{C}$ selects a random bit $b\in \{0,1\}$, and sends the updated ciphertext $C{T}_b^{\prime }$ to the adversary $\mathcal{A}$, where $C{T}_b^{\prime }$ is the ciphertext of $m_b$ under access structure ${\mathbb{A}}^{*}$.

Phase 2: The process is the same as Phase 1.

Guess: The adversary $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$ for b. The advantage of $\mathcal{A}$ in the game is $|Pr[b=b^{\prime }]-\frac{1}{2}|$.

Definition: The OO-MA-CP-ABE-CRFs is CPA secure if all probabilistic polynomial time $\left(PPT\right)$ adversaries have at most a negligible advantage in the above security game.

4. OO-MA-CP-ABE-CRFs

In this section, we first construct a basic OO-MA-CP-ABE scheme based on [32]. The random of the ciphertext and key in this scheme is all re-randomized. Then, based on this basic OO-MA-CP-ABE scheme, we construct an OO-MA-CP-ABE-CRFs scheme, and finally, prove the security of the constructed scheme.

4.1. Basic Construction of OO-MA-CP-ABE Scheme

In order to make the basic OO-MA-CP-ABE scheme suitable for constructing the CRF framework, we construct a concessive OO-MA-CP-ABE scheme, which can be divided into four phases and contains a total of 11 algorithms.

(1) Initialization phase. GA and AA perform initialization.

➀ Global.$\mathrm{Setup}(\lambda ,U)\to \mathrm{GP}$. GA chooses a security parameter $\lambda$ and describes a tuple $(\mathbb{G},{\mathbb{G}}_T,p,e)$, where $\mathbb{G}$ and ${\mathbb{G}}_T$ are two cyclic multiplicative groups of large prime order p and $e:(\mathbb{G}\times \mathbb{G})\to {\mathbb{G}}_T$ is a bilinear map. Let g be a generator of $\mathbb{G}$. GA randomly chooses $h,u,v,w\leftarrow \mathbb{G}$ and outputs the global system parameters $GP=(g,h,u,v,w)$.

➁ $\mathrm{GA}.\mathrm{Setup}(GP)\to \left(GPK,GMK\right)$. GA randomly chooses $\alpha \leftarrow \mathbb{Z}$, outputs $GPK=e{(g,g)}^{\alpha }$, and keeps $GMK=\alpha$ by itself.

➂ $\mathrm{AA}.\mathrm{Setup}(GP,k,U_k)\to (AP{K}_k,AM{K}_k)$. It first takes $GP,k,U_k$ as input, where $k\in \left[K\right]$. Then, $A{A}_k$ randomly chooses ${\alpha }_k\leftarrow {\mathbb{Z}}_p$, and lets $(\widehat{u},\widehat{h})=(u^{{\alpha }_k},h^{{\alpha }_k})$. Finally, it outputs $AP{K}_k=(\widehat{u},\widehat{h})$ and keeps $AM{K}_k={\alpha }_k$.

(2) Encryption phase. DO encrypts plaintext offline and online.

➃ $\mathrm{Encrypt}.\mathrm{off}(GP,GPK,APK)\to C{T}_{off}$. The algorithm takes $GP,GPK,APK={\cup }_{k\in \left[K\right]}AP{K}_k$ as input, and the DO randomly chooses $s\leftarrow {\mathbb{Z}}_p$, $t_j\leftarrow {\mathbb{Z}}_p$, $j\in \left[J\right]$, J is used by DO to determine the size of the offline ciphertext pool. It calculates $Km=GP{K}^s=e{(g,g)}^{\alpha s}$, $C_0^{\prime }=g^s$, ${C_{j,1}}^{\prime }={\left(\widehat{h}\right)}^{-t_j}$, ${C_{j,2}}^{\prime }=g^{t_j}$, ${C_{j,3}}^{\prime }=v^{t_j}$, and outputs $C{T}_{off}=(s,Km,{C_0}^{\prime },{\{{C_{j,1}}^{\prime },{C_{j,2}}^{\prime },{C_{j,3}}^{\prime }\}}_{j\in \left[J\right]})$.

➄ $\mathrm{Encrypt}.\mathrm{on}(GP,APK,m,\mathbb{A},C{T}_{off})\to C{T}_{\mathbb{A}}$. On input public parameters $PK$, an intermediate ciphertext $IT$, a plaintext m and an LSSS access structure $\mathbb{A}=(M,\rho )$, where M is an $l\times n(l\le N^{\prime })$ matrix. DO randomly chooses $y_2,\dots ,y_n\leftarrow {\mathbb{Z}}_p$, sets $\stackrel{\rightharpoonup }{y}={(s,y_2,\cdots ,y_n)}^T$, and obtains $\stackrel{\rightharpoonup }{\lambda }={({\lambda }_1,{\lambda }_2,\cdots ,{\lambda }_l)}^T=M\stackrel{\rightharpoonup }{y}$. In addition, for $j\in \left[l\right]$, suppose $\rho \left(j\right)$ corresponds to an attribute controlled by $A{A}_k$. DO sets $C=m·Km$, $C_0={C_0}^{\prime }$, $C_{j,1}={C_{j,1}}^{\prime }{\widehat{u}}^{-\rho \left(j\right)t_j}={\left(\widehat{h}{\widehat{u}}^{\rho \left(j\right)}\right)}^{-t_j}$, $C_{j,2}={C_{j,2}}^{\prime }=g^{t_j}$, $C_{j,3}={C_{j,3}}^{\prime }·w^{{\lambda }_j}=w^{{\lambda }_j}{v}^{t_j}$, outputs $C{T}_{\mathbb{A}}=(C,C_0,\left\{C_{j,1},C_{j,2},C_{j,3}{\}}_{j\in \left[l\right]}\right)$.

(3) Key generation phase. GA and AA generate decryption keys offline and online for the user.

➅ $\mathrm{GA}.\mathrm{KeyGen}.\mathrm{off}(GP,GMK)\to ugsk$. GA randomly chooses $r\leftarrow {\mathbb{Z}}_p$, calculates $K_0=g^{\alpha }{w}^r$, $K_3=g^r$, $D=v^{-r}$, and outputs $ugsk=(K_0,K_3,D)$.

➆ $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{off}(GP,AM{K}_k)\to uas{k}_{off}$. For $k\in \left[K\right]$, $A{A}_k$ randomly chooses $r_i\leftarrow {\mathbb{Z}}_p$, $i\in \left[\right|U_k\left|\right]$, calculates ${K_{i,1}}^{\prime }=g^{\frac{r_i}{{\alpha }_k}}$ and ${K_{i,2}}^{\prime }=h^{r_i}$, and outputs $uas{k}_{off}={\{r_i,K_{i,1}^{\prime },K_{i,2}^{\prime }\}}_{i\in \left[\right|U_k\left|\right]}$.

➇ $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{on}(GP,GID,AP{K}_k,S_{GID,k},uas{k}_{off})\to uas{k}_{on,S_{GID}}$. For $i\in \left[\left|S_{GID,k}\right|\right]$, $\mathrm{A}{\mathrm{A}}_k$ calculates $K_{i,1}={K_{i,1}}^{\prime }=g^{\frac{r_i}{{\alpha }_k}}$, $K_{i,2}={K_{i,2}}^{\prime }·u^{att{r}_i{r}_i}={\left(u^{att{r}_i}h\right)}^{r_i}$, it outputs $uas{k}_{on}={\{K_{i,1},K_{i,2}\}}_{i\in \left[\left|S_{GID,k}\right|\right]}$. It should be noted that the decryption key of the user GID is $\left(ugsk,uas{k}_{on}\right)$.

(4) Decryption phase. For outsourcing decryption, DU generates a conversion key and a retrieval key. CSP performs outsourcing decryption by conversion key, and DU performs final decryption by retrieval key.

➈ $\mathrm{KeyGen}.\mathrm{ran}(ugsk,uas{k}_{on})\to (TK,RK)$. The data user DU randomly chooses $\tau \leftarrow {\mathbb{Z}}_p$, calculates ${\tilde{K}}_0={K_0}^{\prime }{}^{\frac{1}{\tau }}=g^{\frac{\alpha }{\tau }}{w}^{\frac{r}{\tau }}$, ${\tilde{K}}_3={K_3}^{\prime }{}^{\frac{1}{\tau }}=g^{\frac{r}{\tau }}$ and $\tilde{D}={D^{\prime }}^{\frac{1}{\tau }}=v^{-\frac{r}{\tau }}$. For $i\in \left[\left|S_{GID,k}\right|\right]$, it calculates ${\tilde{K}}_{i,1}={K_{i,1}}^{\prime }{}^{\frac{1}{\tau }}=g^{\frac{r_i}{{\alpha }_k\tau }}$, ${\tilde{K}}_{i,2}={{K_{i,2}}^{\prime }}^{\frac{1}{\tau }}={\left(u^{att{r}_i}h\right)}^{\frac{r_i}{\tau }}$, finally outputs a conversion key $TK=(S_{GID},{\tilde{K}}_0,{\tilde{K}}_3,\tilde{D},{\{{\tilde{K}}_{i,1},{\tilde{K}}_{i,2}\}}_{i\in \left[\left|S_{GID,k}\right|\right]})$ and a retrieval key $RK=\tau$.

➉ $\mathrm{Decrypt}.\mathrm{out}(TK,CT)\to TCT$. On input, a conversion key $TK$ for the attribute set ${\mathrm{S}}_{\mathrm{GID}}$ and a ciphertext $CT$ for access structure $\mathbb{A}$. The CSP judges whether ${\mathrm{S}}_{\mathrm{GID}}$ satisfies $\mathbb{A}$, if not, then it returns ⊥. Otherwise, CSP calculates ${\{w_i\in {\mathbb{Z}}_p\}}_{j\in I}$ satisfying ${\displaystyle \sum _{j\in I}}{w}_i{\stackrel{\rightharpoonup }{M}}_j=(1,0,\cdots ,0)$, where $I=\left\{j\right|\rho \left(j\right)\in S_{GID}\}\subseteq \left[l\right]$, and ${\stackrel{\rightharpoonup }{M}}_j$ is row j of matrix M. Then, it calculates $B=\frac{e({\tilde{K}}_0,C_0)}{{\prod }_{j\in I}{T_j}^{w_j}}=e{(g,g)}^{\frac{\alpha s}{\tau }}$, where $T_j=e({\tilde{K}}_{i,1},C_{j,1})·e({\tilde{K}}_{i,2}·\tilde{D},C_{j,2})·e({\tilde{K}}_3,C_{j,3})$, and outputs decrypted transformed ciphertext $TCT=(C,B)$.

⑪ $\mathrm{Decrypt}.\mathrm{user}(RK,TCT)\to m$. The algorithm is executed by DU, inputs a retrieval key $RK$ and the transformed ciphertext $TCT$, and finally decrypts $\frac{C}{{\left(B\right)}^{\tau }}=\frac{e{(g,g)}^{\alpha s}·m}{{\left(e(g,g^{\frac{\alpha s}{\tau }})\right)}^{\tau }}$ to obtain the plaintext m.

Theorem 1. 

The basic OO-MA-CP-ABE scheme is CPA secure if the OO-MA-CP-ABE scheme in [32] is selective CPA-secure.

Proof. 

The form of user key SK and ciphertext CT in the scheme is the same as that in [32]. Therefore, the modification does not affect the security proof. Furthermore, the key-blinding technique in [33] is used. The proof is similar to [33], so it is omitted. □

4.2. Construction of OO-MA-CP-ABE-CRFs

We propose the OO-MA-CP-ABE-CRFs based on the above basic construction, which can resist the exfiltration of secret information from arbitrarily compromised functional-maintaining algorithms executed by the GA, AA, DO and DU. The structure of OO-MA-CP-ABE-CRFs is specifically as follows.

(1) Initialization phase. GA, AA, ${\mathcal{W}}_{\mathrm{GA}}$ and ${\mathcal{W}}_{\mathrm{GA}}$ perform initialization.

➀ Before broadcasting $\mathrm{GP}\leftarrow \mathrm{Setup}(˘,\mathrm{U})$ to other participants, GA first sends $GP$ to ${\mathcal{W}}_{\mathrm{GA}}$ for the algorithm ${\mathcal{W}}_{\mathrm{GA}}$. Global.$\mathrm{Setup}$.

${\mathcal{W}}_{\mathrm{GA}}$.Global.$\mathrm{Setup}(GP)\to G{P}^{\prime }$. After receiving $GP$, ${\mathcal{W}}_{\mathrm{GA}}$ randomly selects $a,b,c,d,e\leftarrow {\mathbb{Z}}_p$ and calculates $g^{\prime }=g^a$, $u^{\prime }=u^b$, $h^{\prime }=h^c$, $w^{\prime }=w^d$, $v^{\prime }=v^e$. The algorithm outputs $G{P}^{\prime }=(g^{\prime },u^{\prime },h^{\prime },w^{\prime },v^{\prime })$ and broadcasts $G{P}^{\prime }$ to all members of the system.

➁ When GA receives the updated global public parameter $G{P}^{\prime }$, it runs algorithm $\mathrm{GA}.\mathrm{Setup}(G{P}^{\prime })$ to obtain $\left(GPK,GMK\right)$ and sends it to ${\mathcal{W}}_{\mathrm{GA}}$, and ${\mathcal{W}}_{\mathrm{GA}}$ performs the algorithm ${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GA}.\mathrm{Setup}$.

${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GA}.\mathrm{Setup}(G{P}^{\prime },GPK,GMK)\to (GP{K}^{\prime },GM{K}^{\prime })$. ${\mathcal{W}}_{\mathrm{GA}}$ randomly selects $f\leftarrow {\mathbb{Z}}_p$, sets ${\alpha }^{\prime }=\alpha +f$, calculates and outputs $GP{K}^{\prime }=GPK·e{(g^{\prime },g^{\prime })}^f=e{(g^{\prime },g^{\prime })}^{\alpha +f}=e{(g^{\prime },g^{\prime })}^{{\alpha }^{\prime }}$, $GM{K}^{\prime }=GMK+f=\alpha +f={\alpha }^{\prime }$, while keeping f by itself.

➂ After receiving the updated $G{P}^{\prime }$, AA runs $\mathrm{AA}.\mathrm{Setup}(GP,k,U_k)\to (AP{K}_k,AM{K}_k)$ and sends $(AP{K}_k,AM{K}_k)$ to ${\mathcal{W}}_{\mathrm{AA}}$. ${\mathcal{W}}_{\mathrm{AA}}$ performs the algorithm ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}$.

${\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}(G{P}^{\prime },AP{K}_k,AM{K}_k)$$\to (AP{K_k}^{\prime },AM{K_k}^{\prime })$. ${\mathcal{W}}_{\mathrm{AA}}$ randomly selects ${\tilde{\alpha }}_k\leftarrow {\mathbb{Z}}_p$, sets ${{\alpha }_k}^{\prime }={\alpha }_k+{\tilde{\alpha }}_k$, $({\widehat{u}}^{\prime },{\widehat{h}}^{\prime })=({u^{\prime }}^{{{\alpha }_k}^{\prime }},{h^{\prime }}^{{{\alpha }_k}^{\prime }})$ and ouputs $AP{K_k}^{\prime }=(\widehat{u}·u^{\prime {\tilde{\alpha }}_k},\widehat{h}·h^{\prime {\tilde{\alpha }}_k})=$$({u^{\prime }}^{{\alpha }_k+{\tilde{\alpha }}_k},{h^{\prime }}^{{\alpha }_k+{\tilde{\alpha }}_k})=({u^{\prime }}^{{{\alpha }_k}^{\prime }},{h^{\prime }}^{{{\alpha }_k}^{\prime }})=({\widehat{u}}^{\prime },{\widehat{h}}^{\prime })$, while keeping $AM{K_k}^{\prime }={\alpha }_k+{\tilde{\alpha }}_k={{\alpha }_k}^{\prime }$ by itself.

(2) Encryption phase. DO and ${\mathcal{W}}_{\mathrm{DO}}$ encrypt plaintext offline and online.

The DO runs $\mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },GP{K}^{\prime },AP{K}^{\prime })$ and $\mathrm{Encrypt}.\mathrm{on}(G{P}^{\prime },AP{K}_{\mathbb{A}},m,\mathbb{A},C{T}_{off})$ to obtain the ciphertext $C{T}_{\mathbb{A}}$ of the message m under the access structure $\mathbb{A}$, and sends $C{T}_{\mathbb{A}}$ to ${\mathcal{W}}_{\mathrm{DO}}$ before uploading $C{T}_{\mathbb{A}}$ to the CSP. ${\mathcal{W}}_{\mathrm{DO}}$ performs the following algorithms.

➃ ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },GM{K}^{\prime },AP{K}^{\prime })\to IT$. ${\mathcal{W}}_{\mathrm{DO}}$ randomly selects $\tilde{s}\leftarrow {\mathbb{Z}}_p$, ${\tilde{t}}_j\leftarrow {\mathbb{Z}}_p$, $j\in \left[J\right]$, calculates $\widehat{K}m=e{(g^{\prime },g^{\prime })}^{{\alpha }^{\prime }\tilde{s}}$, ${\widehat{C}}_0={g^{\prime }}^{\tilde{s}}$, ${\widehat{C}}_{j,1}={{\widehat{h}}^{\prime }}^{-{\tilde{t}}_j}$, ${\widehat{C}}_{j,2}={g^{\prime }}^{{\tilde{t}}_j}$, ${\widehat{C}}_{j,3}={v^{\prime }}^{{\tilde{t}}_j}$, and outputs $IT=(\tilde{s},\widehat{K}m,{\widehat{C}}_0,{\{{\widehat{C}}_{j,1},{\widehat{C}}_{j,2},{\widehat{C}}_{j,3}\}}_{j\in \left[J\right]})$.

➄ ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}(G{P}^{\prime },IT,C{T}_{\mathbb{A}})\to {C{T}_{\mathbb{A}}}^{\prime }$. ${\mathcal{W}}_{\mathrm{DO}}$ sets ${\stackrel{\rightharpoonup }{y}}^{\prime }={(\tilde{s},{y_2}^{\prime },\cdots ,{y_n}^{\prime })}^T$, where ${y_i}^{\prime }\leftarrow {\mathbb{Z}}_p$, $i=1,\cdots ,n$, ${\stackrel{\rightharpoonup }{\lambda }}^{\prime }={({\tilde{\lambda }}_1,\cdots ,{\tilde{\lambda }}_l)}^T=M{\stackrel{\rightharpoonup }{\mathrm{y;}}}^{\prime }$, $s^{\prime }=s+\tilde{s}$, ${t_j}^{\prime }=t_j+{\tilde{t}}_j,{{\lambda }_j}^{\prime }={\lambda }_j+{\tilde{\lambda }}_j$. It calculates ${\widehat{C}}^{\prime }=C·\widehat{K}m=me{(g^{\prime },g^{\prime })}^{{\alpha }^{\prime }(s+\tilde{s})}=me{(g^{\prime },g^{\prime })}^{{\alpha }^{\prime }{s}^{\prime }}$, where $s^{\prime }=s+\tilde{s}$. Then, it sets ${\widehat{C}}_0^{\prime }=C_0·{\widehat{C}}_0={g^{\prime }}^{(s+\tilde{s})}={g^{\prime }}^{s^{\prime }}$, ${\widehat{C}}_{j,1}^{\prime }=C_{j,1}·{\widehat{C}}_{j,1}·{{\widehat{u}}^{\prime }}^{-\rho \left(j\right){\tilde{t}}_j}={\left({{\widehat{u}}^{\prime }}^{\rho \left(j\right)}{\widehat{h}}^{\prime }\right)}^{-t_j}·{{\widehat{h}}^{\prime }}^{-{\tilde{t}}_j}·{{\widehat{u}}^{\prime }}^{-\rho \left(j\right){\tilde{t}}_j}={\left({{\widehat{u}}^{\prime }}^{\rho \left(j\right)}{\widehat{h}}^{\prime }\right)}^{-{t_j}^{\prime }}$, ${\widehat{C}}_{j,2}^{\prime }=C_{j,2}·{\widehat{C}}_{j,2}={g^{\prime }}^{(t_j+{\tilde{t}}_j)}={g^{\prime }}^{{t_j}^{\prime }}$, ${\widehat{C}}_{j,3}^{\prime }=C_{j,3}·{\widehat{C}}_{j,3}·{w^{\prime }}^{{\tilde{\lambda }}_j}=({v^{\prime }}^{t_j}{w^{\prime }}^{{\lambda }_j})·{v^{\prime }}^{{\tilde{t}}_j}{w^{\prime }}^{{\tilde{\lambda }}_j}={v^{\prime }}^{(t_j+{\tilde{t}}_j)}{w^{\prime }}^{({\lambda }_j+{\tilde{\lambda }}_j)}={v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }}$, and outputs the updated ciphertext

$C{T}^{\prime }=(\mathbb{A},{\widehat{C}}^{\prime },{{\widehat{C}}_0}^{\prime },{\left\{{\widehat{C}}_{j,1}^{\prime },{\widehat{C}}_{j,2}^{\prime },{\widehat{C}}_{j,3}^{\prime }\right\}}_{j\in \left[l\right]})$.

(3) Key generation phase. GA, AA, ${\mathcal{W}}_{\mathrm{GA}}$ and ${\mathcal{W}}_{\mathrm{AA}}$ generate decryption key offline and online for user.

GA runs $\mathrm{GA}.\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },GMK)\to ugsk$, and sends $ugsk$ to ${\mathcal{W}}_{\mathrm{GA}}$. ${AA}_k$ runs $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },AM{K}_k)$ and $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{on}(G{P}^{\prime },GID,AP{K}_k,S_{GID,k},uas{k}_{off})$, then sends $uas{k}_{on,S_{GID}}$ to ${\mathcal{W}}_{\mathrm{AA}}$. ${\mathcal{W}}_{\mathrm{GA}}$ and ${\mathcal{W}}_{\mathrm{AA}}$ perform the following algorithms.

➅ ${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GAKeyGen}.\mathrm{off}(G{P}^{\prime },f)\to ISK$. ${\mathcal{W}}_{\mathrm{GA}}$ randomly selects $\tilde{r}\leftarrow {\mathbb{Z}}_p$, calculates ${\widehat{K}}_0={g^{\prime }}^f{w^{\prime }}^{\tilde{r}}$, ${\widehat{K}}_3={g^{\prime }}^{\tilde{r}}$, $\widehat{D}={v^{\prime }}^{-\tilde{r}}$, and outputs an intermediate secret key $ISK=(\tilde{r},{\widehat{K}}_0,{\widehat{K}}_3,\widehat{D})$.

➆ ${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GAKeyGen}.\mathrm{on}(G{P}^{\prime },ISK,ugsk)\to ugs{k}^{\prime }$. ${\mathcal{W}}_{\mathrm{GA}}$ sets $r^{\prime }=\tilde{r}+r$. It calculates ${\widehat{K}}_0^{\prime }={\widehat{K}}_0·K_0={g^{\prime }}^{(\alpha +f)}{w^{\prime }}^{(\tilde{r}+r)}={g^{\prime }}^{{\alpha }^{\prime }}{w^{\prime }}^{(\tilde{r}+r)}={g^{\prime }}^{{\alpha }^{\prime }}{w^{\prime }}^{r^{\prime }}$, ${\widehat{K}}_3^{\prime }={\widehat{K}}_3·K_3={g^{\prime }}^{(r+\tilde{r})}={g^{\prime }}^{r^{\prime }}$, ${\widehat{D}}^{\prime }={v^{\prime }}^{-(r+\tilde{r})}={v^{\prime }}^{-r^{\prime }}$, outputs the updated $ugs{k}^{\prime }=({\widehat{K}}_0^{\prime },{\widehat{K}}_3^{\prime },{\widehat{D}}^{\prime })$ and sends it to the user.

➇ ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },AM{K_k}^{\prime })\to uas{k_{off}}^{\prime }$. ${\mathcal{W}}_{\mathrm{AA}}$ randomly selects ${\tilde{r}}_i\leftarrow {\mathbb{Z}}_p$, $i\in \left[\left|S_{GID,k}\right|\right]$, calculates ${\widehat{K}}_{i,1}={g^{\prime }}^{\frac{{\tilde{r}}_i}{{{\alpha }_k}^{\prime }}}$, ${\widehat{K}}_{i,2}={h^{\prime }}^{{\tilde{r}}_i}$, and outputs $uas{k_{off}}^{\prime }=({\tilde{r}}_i,{\widehat{K}}_{i,1},{\widehat{K}}_{i,2})$.

➈ ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{on}(G{P}^{\prime },{\tilde{r}}_i,S_{GID},GID,uas{k}_{on},S_{GID,k},uas{k_{off}}^{\prime })\to uas{k}_{on,S_{GID}}^{\prime }$. ${\mathcal{W}}_{\mathrm{AA}}$ sets ${r_i}^{\prime }=r_i+{\tilde{r}}_i$, calculates ${\widehat{K}}_{i,1}^{\prime }=K_{i,1}·{\widehat{K}}_{i,1}={g^{\prime }}^{\frac{r_i}{{{\alpha }_k}^{\prime }}}·{g^{\prime }}^{\frac{{\tilde{r}}_i}{{{\alpha }_k}^{\prime }}}={g^{\prime }}^{\frac{(r_i+{\tilde{r}}_i)}{{{\alpha }_k}^{\prime }}}={g^{\prime }}^{\frac{{r_i}^{\prime }}{{{\alpha }_k}^{\prime }}}$, ${\widehat{K}}_{i,2}^{\prime }=K_{i,2}·{\widehat{K}}_{i,2}·{\left({u^{\prime }}^{att{r}_i}\right)}^{{\tilde{r}}_i}={\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{r_i}·{h^{\prime }}^{{\tilde{r}}_i}·{u^{\prime }}^{att{r}_i\times {\tilde{r}}_i}={\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{{r_i}^{\prime }}$, and outputs $uas{k}_{on,S_{GID}}^{\prime }={\left\{{\widehat{K}}_{i,1}^{\prime },{\widehat{K}}_{i,2}^{\prime }\right\}}_{i\in \left[\left|S_{GID,k}\right|\right]}$.

(4) Decryption phase. The ${\mathcal{W}}_{\mathrm{DU}}$ re-randomizes the conversion key. The CSP uses the re-randomized conversion key to perform outsourcing decryption. ${\mathcal{W}}_{\mathrm{DU}}$ performs the decryption algorithm.

After obtaining $(TK,RK)\leftarrow \mathrm{KeyGen}.\mathrm{ran}(ugs{k}^{\prime },uas{k}_{on,S_{GID}}^{\prime })$, DU sends $TK$ to ${\mathcal{W}}_{\mathrm{DU}}$ for the algorithm ${\mathcal{W}}_{DU}.\mathrm{TKUpdate}$.

➉ ${\mathcal{W}}_{DU}.\mathrm{TKUpdate}\left(TK\right)\to (T{K}^{\prime },\beta )$. ${\mathcal{W}}_{\mathrm{DU}}$ randomly selects $\beta \leftarrow {\mathbb{Z}}_p$ and calculates ${\tilde{K}}_0^{\prime }={\tilde{K}}_0^{\frac{1}{\beta }}={g^{\prime }}^{\frac{{\alpha }^{\prime }}{\tau \beta }}{w^{\prime }}^{\frac{r^{\prime }}{\tau \beta }}$, ${\tilde{K}}_3^{\prime }={\tilde{K}}_3^{\frac{1}{\beta }}={g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }}$, ${\tilde{D}}^{\prime }={\tilde{D}}^{\frac{1}{\beta }}={v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }}$. For $i\in \left[\right|u_k\left|\right],k\in \left[K\right]$, it computes ${\tilde{K}}_{i,1}^{\prime }={{\tilde{K}}_{i,1}}^{\frac{1}{\beta }}={g^{\prime }}^{\frac{{r_i}^{\prime }}{{{\alpha }_k}^{\prime }\tau \beta }}$, ${\tilde{K}}_{i,2}^{\prime }={{\tilde{K}}_{i,2}}^{\frac{1}{\beta }}={\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{\frac{{r_i}^{\prime }}{\tau \beta }}$, outputs the updated conversion key $T{K}^{\prime }=(SGID,{\tilde{K}}_0^{\prime },{\tilde{K}}_3^{\prime },{\tilde{D}}^{\prime },{\{{\tilde{K}}_{i,1}^{\prime },{\tilde{K}}_{i,2}^{\prime }\}}_{i\in \left[\right|u_k\left|\right]})$, while keeping $\beta$ by itself.

The CSP receives $T{K}^{\prime }$, runs $\mathrm{Decrypt}.\mathrm{out}(T{K}^{\prime },C{T}^{\prime })\to TCT$, and sends $TCT$ to ${\mathcal{W}}_{\mathrm{DU}}$. ${\mathcal{W}}_{\mathrm{DU}}$ performs the algorithm ${\mathcal{W}}_{DU}.\mathrm{Decrypt}(TCT,\beta )$.

⑪ ${\mathcal{W}}_{DU}.\mathrm{Decrypt}(TCT,\beta )\to TC{T}^{\prime }$. ${\mathcal{W}}_{\mathrm{DU}}$ calculates $B^{\beta }=e{(g^{\prime },g^{\prime })}^{\frac{{\alpha }^{\prime }{s}^{\prime }}{\tau }}$ and outputs $TC{T}^{\prime }=(B^{\beta },{\widehat{C}}^{\prime })$.

After receiving $TC{T}^{\prime }=(B^{\beta },{\widehat{C}}^{\prime })$, DU runs $\mathrm{Decrypt}.\mathrm{user}(RK,TC{T}^{\prime })\to m$, and obtains the plaintext m.

4.3. Security Analysis

Theorem 2. 

The proposed OO-MA-CP-ABE-CRFs is CPA secure and CRFs for GA, AAs, DO and DU maintain functionally, weakly preserve security, and weakly resist exfiltration if the basic structure of OO-MA-CP-ABE in Section 4.1 is CPA secure.

Proof. 

We prove the security of our construction via the following parts. □

FUNCTIONALITY MAINTAINING.

If the user attribute set ${\mathrm{S}}_{\mathrm{GID}}$ satisfies the access policy $\mathbb{A}$, then there is

$$\begin{array}{c}{T}_j=e({\tilde{K}}_{i,1}^{\prime },{\widehat{C}}_{j,1}^{\prime })·e({\tilde{K}}_{i,2}^{\prime }·{\tilde{D}}^{\prime },{\widehat{C}}_{j,2}^{\prime })·e({\tilde{K}}_3^{\prime },{\widehat{C}}_{j,3}^{\prime })\hfill \\ =e\left({g^{\prime }}^{\frac{{r_i}^{\prime }}{{{\alpha }_k}^{\prime }\tau \beta }},{\left({{\widehat{u}}^{\prime }}^{\rho \left(j\right)}{\widehat{h}}^{\prime }\right)}^{-{t_j}^{\prime }}\right)·e({\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{\frac{{r_i}^{\prime }}{\tau \beta }}·{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{{t_j}^{\prime }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e({g^{\prime }}^{\frac{{r_i}^{\prime }}{{{\alpha }_k}^{\prime }\tau \beta }},{\left({{u^{\prime }}^{{{\alpha }_k}^{\prime }}}^{\rho \left(j\right)}{h^{\prime }}^{{{\alpha }_k}^{\prime }}\right)}^{-{t_j}^{\prime }})·e({\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{\frac{{r_i}^{\prime }}{\tau \beta }}·{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{{t_j}^{\prime }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e({g^{\prime }}^{\frac{{r_i}^{\prime }}{{{\alpha }_k}^{\prime }\tau \beta }},{\left({u^{\prime }}^{\rho \left(j\right)}{h}^{\prime }\right)}^{-{{\alpha }_k}^{\prime }{t_j}^{\prime }})·e({\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{\frac{{r_i}^{\prime }}{\tau \beta }}·{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{{t_j}^{\prime }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e({g^{\prime }}^{\frac{{r_i}^{\prime }}{{{\alpha }_k}^{\prime }\tau \beta }},{\left({u^{\prime }}^{\rho \left(j\right)}{h}^{\prime }\right)}^{-{{\alpha }_k}^{\prime }{t_j}^{\prime }})·e({\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{\frac{{r_i}^{\prime }}{\tau \beta }}·{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{{t_j}^{\prime }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e{(g^{\prime },\left({u^{\prime }}^{\rho \left(j\right)}{h}^{\prime }\right))}^{-\frac{{r_i}^{\prime }{t_j}^{\prime }}{\tau \beta }}·e({g^{\prime }}^{{t_j}^{\prime }},{\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right)}^{\frac{{r_i}^{\prime }}{\tau \beta }})·e({g^{\prime }}^{{t_j}^{\prime }},{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e{(g^{\prime },\left({u^{\prime }}^{\rho \left(j\right)}{h}^{\prime }\right))}^{-\frac{{r_i}^{\prime }{t_j}^{\prime }}{\tau \beta }}·e{(g^{\prime },\left({u^{\prime }}^{att{r}_i}{h}^{\prime }\right))}^{\frac{{r_i}^{\prime }{t_j}^{\prime }}{\tau \beta }}·e({g^{\prime }}^{{t_j}^{\prime }},{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e({g^{\prime }}^{{t_j}^{\prime }},{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }}{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e({g^{\prime }}^{{t_j}^{\prime }},{v^{\prime }}^{-\frac{r^{\prime }}{\tau \beta }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{v^{\prime }}^{{t_j}^{\prime }})·e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e({g^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{w^{\prime }}^{{{\lambda }_j}^{\prime }})\hfill \\ =e{(g^{\prime },w^{\prime })}^{\frac{r^{\prime }{{\lambda }_j}^{\prime }}{\tau \beta }}\hfill \end{array}$$

so successfully calculate

$$\begin{array}{c}B=\frac{e({\tilde{K}}_0^{\prime },{\widehat{C}}_0^{\prime })}{{\prod }_{j\in I}{T_j}^{w_j}}=\frac{e({g^{\prime }}^{\frac{{\alpha }^{\prime }}{\tau \beta }}{w^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{s^{\prime }})}{{\prod }_{j\in I}{e(g^{\prime },w^{\prime })}^{\frac{r^{\prime }{{\lambda }_j}^{\prime }}{\tau \beta }}}\hfill \\ =\frac{e({g^{\prime }}^{\frac{{\alpha }^{\prime }}{\tau \beta }}{w^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{s^{\prime }})}{e{(g^{\prime },w^{\prime })}^{\frac{r^{\prime }{s}^{\prime }}{\tau \beta }}}=\frac{e({g^{\prime }}^{\frac{{\alpha }^{\prime }}{\tau \beta }},{g^{\prime }}^{s^{\prime }})·e({w^{\prime }}^{\frac{r^{\prime }}{\tau \beta }},{g^{\prime }}^{s^{\prime }})}{e{(g^{\prime },w^{\prime })}^{\frac{r^{\prime }{s}^{\prime }}{\tau \beta }}}\hfill \\ =e({g^{\prime }}^{\frac{{\alpha }^{\prime }}{\tau \beta }},{g^{\prime }}^{s^{\prime }})=e{(g^{\prime },g^{\prime })}^{\frac{{\alpha }^{\prime }{s}^{\prime }}{\tau \beta }},\hfill \end{array}$$

and then compute $\frac{{\widehat{C}}^{\prime }}{{\left(B^{\beta }\right)}^{\tau }}=\frac{e{(g^{\prime },g^{\prime })}^{{\alpha }^{\prime }{s}^{\prime }}·m}{{\left(e(g^{\prime },{g^{\prime }}^{\frac{{\alpha }^{\prime }{s}^{\prime }}{\tau }})\right)}^{\tau }}$ to obtain the plaintext m.

CPA-SECURE.

For any tampered implementation on the GA, AA, DO and DU that maintains functionality, we prove the CPA security of the constructed OO-MA-CP-ABE-CRFs with tampered algorithms Global.$\mathrm{Setu}{\mathrm{p}}^{*}$, $\mathrm{GASetu}{\mathrm{p}}^{*}$, $\mathrm{AASetu}{\mathrm{p}}^{*}$, $\mathrm{GAKeyGen}.\mathrm{of}{\mathrm{f}}^{*}$, $\mathrm{GAKeyGen}.\mathrm{o}{\mathrm{n}}^{*}$, $\mathrm{AAKeyGen}.\mathrm{of}{\mathrm{f}}^{*}$, $\mathrm{AAKeyGen}.\mathrm{o}{\mathrm{n}}^{*}$, $\mathrm{KeyGen}.\mathrm{ra}{\mathrm{n}}^{*}$, $\mathrm{Encrypt}{.\mathrm{off}}^{*}$ and $\mathrm{Encrypt}.\mathrm{o}{\mathrm{n}}^{*}$.

Assuming that adversary $\mathcal{A}$ can break the CPA security of the OO-MA-CP-ABE-CRFs scheme with a non-negligible advantage $ϵ$, we can construct a PPT simulator $\mathcal{B}$ to break the CPA security of the basic OO-MA-CP-ABE scheme with the same advantage $ϵ$. In the OO-MA-CP-ABE-CRFs scheme, simulator $\mathcal{B}$ plays the role of a challenger, interacting with adversary $\mathcal{A}$. Let $\mathcal{C}$ be the challenger in the OO-MA-CP-ABE scheme.

Initialization: $\mathcal{B}$ receives the access structure ${\mathbb{A}}^{*}$ and the functionality maintaining algorithms from $\mathcal{A}$, and sends them to $\mathcal{C}$.

Setup: $\mathcal{B}$ receives $GP=(g,h,u,v,w)$, $GPK$ and $AP{K}_k=(\widehat{u},\widehat{h})$ from the $\mathcal{C}$, randomly selects $a,b,c,d,e,f,{\tilde{\alpha }}_k\leftarrow {\mathbb{Z}}_p$, calculates $g^{\prime }=g^a$, $u^{\prime }=u^b$, $h^{\prime }=h^c$, $w^{\prime }=w^d$, $v^{\prime }=v^e$, $u^{\prime {\tilde{\alpha }}_k}$, $h^{\prime {\tilde{\alpha }}_k}$, let $G{P}^{\prime }=(g^{\prime },u^{\prime },h^{\prime },w^{\prime },v^{\prime })$, $GP{K}^{\prime }=GPK·e{(g^{\prime },g^{\prime })}^f$, $AP{K_k}^{\prime }=(\widehat{u}·u^{\prime {\tilde{\alpha }}_k},\widehat{h}·h^{\prime {\tilde{\alpha }}_k})$, and passes $G{P}^{\prime }$, $GP{K}^{\prime }$ and $AP{K_k}^{\prime }$ to $\mathcal{A}$.

Phase 1: $\mathcal{B}$ receives the key query about S and $GID$ from $\mathcal{A}$, passes them to $\mathcal{C}$ and obtains $ugsk=(K_0,K_3,D)$, $uas{k}_{S_{GID}}=\{K_{i,1},K_{i,2}\}$, $TK$. Then, $\mathcal{B}$ randomly selects $\tilde{r},{\tilde{r}}_i,\beta \leftarrow {\mathbb{Z}}_p$, $i\in \left[\left|S_{GID,k}\right|\right]$, calculates ${\widehat{K}}_0={g^{\prime }}^f{w^{\prime }}^{\tilde{r}}$, ${\widehat{K}}_3={g^{\prime }}^{\tilde{r}}$, $\widehat{D}={v^{\prime }}^{-\tilde{r}}$, ${\widehat{K}}_{i,1}={g^{\prime }}^{\frac{{\tilde{r}}_i}{{{\alpha }_k}^{\prime }}}$, ${\widehat{K}}_{i,2}={h^{\prime }}^{{\tilde{r}}_i}$, lets $ugs{k}^{\prime }=({\widehat{K}}_0^{\prime },{\widehat{K}}_3^{\prime },{\widehat{D}}^{\prime })=({\widehat{K}}_0·K_0,{\widehat{K}}_3·K_3,\widehat{D}·D)$, $uas{k}_{on,S_{GID}}^{\prime }=\left\{{\widehat{K}}_{i,1}^{\prime },{\widehat{K}}_{i,2}^{\prime }\right\}=({\widehat{K}}_{i,1}^{\prime }=K_{i,1}·{\widehat{K}}_{i,1},{\widehat{K}}_{i,2}^{\prime }=K_{i,2}·{\widehat{K}}_{i,2}·{\left({u^{\prime }}^{att{r}_i}\right)}^{{\tilde{r}}_i})$, $T{K}^{\prime }=T{K}^{\frac{1}{\beta }}$, and passes $(ugs{k}^{\prime },uas{k}_{S_{GID}}^{\prime })$, and $T{K}^{\prime }$ to $\mathcal{A}$.

Challenge: $\mathcal{B}$ sends two equal-length plaintexts $m_0$, $m_1$ to $\mathcal{C}$ and receives a challenge ciphertext $C{T}_{\mathbb{A}}=(C,C_0,\left\{C_{j,1},C_{j,2},C_{j,3}{\}}_{j\in \left[l\right]}\right)$. Then, $\mathcal{B}$ randomly selects $\tilde{s}\leftarrow {\mathbb{Z}}_p$, ${\tilde{t}}_j\leftarrow {\mathbb{Z}}_p$, $j\in \left[J\right]$,${y_i}^{\prime }\leftarrow {\mathbb{Z}}_p$, $i\in \left[n\right]$, calculates $\widehat{K}m=e{(g^{\prime },g^{\prime })}^{{\alpha }^{\prime }\tilde{s}}$, ${\widehat{C}}_0={g^{\prime }}^{\tilde{s}}$, ${\widehat{C}}_{j,1}={{\widehat{h}}^{\prime }}^{-{\tilde{t}}_j}$, ${\widehat{C}}_{j,2}={g^{\prime }}^{{\tilde{t}}_j}$, ${\widehat{C}}_{j,3}={v^{\prime }}^{{\tilde{t}}_j}$, lets $C{T}^{\prime }=(\mathbb{A},{\widehat{C}}^{\prime },{\widehat{C}}_0^{\prime },{\left\{{\widehat{C}}_{j,1}^{\prime },{\widehat{C}}_{j,2}^{\prime },{\widehat{C}}_{j,3}^{\prime }\right\}}_{j\in \left[l\right]})$, where ${\widehat{C}}^{\prime }=C·\widehat{K}m$, ${\widehat{C}}_0^{\prime }=C_0·{\widehat{C}}_0$, ${\widehat{C}}_{j,1}^{\prime }=C_{j,1}·{\widehat{C}}_{j,1}·{{\widehat{u}}^{\prime }}^{-\rho \left(j\right){\tilde{t}}_j}$, ${\widehat{C}}_{j,2}^{\prime }=C_{j,2}·{\widehat{C}}_{j,2}$, ${\widehat{C}}_{j,3}^{\prime }=C_{j,3}·{\widehat{C}}_{j,3}·{w^{\prime }}^{{\tilde{\lambda }}_j}$, ${\stackrel{\rightharpoonup }{y}}^{\prime }={(\tilde{s},{y_2}^{\prime },\cdots ,{y_n}^{\prime })}^T$, $\stackrel{\rightharpoonup }{{\lambda }^{\prime }}={({\tilde{\lambda }}_1,\cdots ,{\tilde{\lambda }}_l)}^T=M{\stackrel{\rightharpoonup }{y}}^{\prime }$ and passes $C{T}_b^{\prime }$ to $\mathcal{A}$.

Phase 2: The process is the same as Phase 1.

Guess: The adversary $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$ for b. Then, $\mathcal{B}$ outputs the same guess $b^{\prime }$. Thus, if $\mathcal{A}$ has advantage $ϵ$ in the OO-MA-CP-ABE-CRFs experiment, then $\mathcal{B}$ breaks the OO-MA-CP-ABE scheme with the same probability $ϵ$.

It is also known from the Theorem 1 of [32] that if an adversary breaks the scheme of [32] with a non-negligible advantage $ϵ$, a simulator can be constructed to break the $q-$type assumption in $\mathbb{G}$ with the same advantage $ϵ$. Therefore, if $\mathcal{A}$ has advantage $ϵ$ in breaking our OO-MA-CP-ABE-CRFs scheme, then a simulator can be constructed to break the $q-$type assumption in $\mathbb{G}$ with the same advantage $ϵ$.

WEAK SECURITY PRESERVATION AND WEAK EXFILTRATION RESISTANCE.

According to the CPA security of the OO-MA-CP-ABE-CRFs scheme, the CRFs ${\mathcal{W}}_{\mathrm{GA}}$, ${\mathcal{W}}_{\mathrm{AA}}$, ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ corresponding to GA, AA, DO and DU always maintain weak preserve security. On the other hand, the proof of the CPA security further demonstrates that reverse firewalls ${\mathcal{W}}_{\mathrm{GA}}$, ${\mathcal{W}}_{\mathrm{AA}}$, ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ have weak resist exfiltration.

Combining the above discussion, the proof is completed.

5. Performance Evaluations

In order to compare our scheme with other schemes, we conduct a detailed analysis of property and performance analysis.

5.1. Property Comparison

We choose schemes [26,32,34,35,36,37] to compare with our scheme. These schemes are CP-ABE schemes that support the LSSS access structure. It can be seen from

Table 1. Comparison of properties.

Schemes	Multi-Authority	Online/Offline Key Generation	Online/Offline Encryption	CRF
[26]	×	✓	✓	✓
[37]	×	×	✓	×
[32]	✓	✓	✓	×
[34]	✓	×	×	×
[35]	✓	×	×	×
[36]	✓	×	✓	×
Proposed	✓	✓	✓	✓

The symbol ✓ represents that the scheme has this property, while the symbol × represents that the scheme does not have this property.

that the scheme [37] only supports online/offline encryption (OO Encrypt). The scheme [26] supports online/offline key generation(OO KeyGen), OO Encrypt and CRF. However, the schemes [26,37] are not multi-authority. The schemes [32,34,35,36] are multi-authority, but the scheme [32] only supports OO KeyGen and OO Encrypt without CRF. The scheme [36] also only supports OO Encrypt. Only our scheme meets all the above properties, so it is more suitable for IoT.

5.2. Performance Analysis

In order to simulate the time cost of computing operations,

Table 2. Comparison of computational cost.

Schemes	System Setup	Online User Key Generation	Online User Encryption	User Decryption
[32]	$1\mathrm{P}+(2K+1)\mathrm{E}$	$3\left|S\right|\mathrm{E}+\left|S\right|\mathrm{M}$	$1\mathrm{M}$	$\left(3\right|I|+1)\mathrm{P}+3\left|I\right|\mathrm{E}+\left(5\right|I|+1)\mathrm{M}$
[26]	$1\mathrm{P}+7\mathrm{E}$	$\left|S\right|\mathrm{E}+\left|\mathrm{S}\right|\mathrm{M}$	$(2l+1)\mathrm{M}$$+2l\mathrm{E}$	$1\mathrm{E}+1\mathrm{M}$
[34]	$1\mathrm{P}+3\mathrm{E}$	$\left(\right|S|+2)\mathrm{E}+1\mathrm{M}$	$(1l+1)\mathrm{M}+(3l+2)\mathrm{E}$	$\left(2\right|I|+1)\mathrm{P}+2\left|I\right|\mathrm{E}+\left(1\right|I|+1)\mathrm{M}$
[35]	$1\mathrm{P}+(2K-1)\mathrm{E}$	$\left(3\right|S|+1)\mathrm{E}$	$l\mathrm{P}+(l+3)\mathrm{E}$	$3\mathrm{P}+4\mathrm{E}$
[36]	$\left(\right|U|+2N-1)\mathrm{E}$	$(6K+S)\mathrm{E}+K\mathrm{M}$	$(N^{\prime }+1)\mathrm{E}+(l+1)\mathrm{M}$	$1\mathrm{E}+1\mathrm{M}$
Proposed	$1\mathrm{P}+(4K+6)\mathrm{E}+1\mathrm{M}$	$\left|S\right|\mathrm{E}+\left|\mathrm{S}\right|\mathrm{M}$	$(2l+1)\mathrm{M}$$+2l\mathrm{E}$	$1\mathrm{E}+1\mathrm{M}$

lists the complexity analysis of system setup, key generation, encryption, and decryption. We define P as a bilinear pairing operation, E as an exponentiation operation, and M as a multiplication operation. We use K, S, l and I to represent the number of attribute authorities, the number of user attributes, the number of rows in the LSSS matrix, and the row set of the LSSS matrix used for decryption. We consider the time cost of user key generation, user encryption and user decryption. Although CRFs are added to our scheme, and CRFs also generate keys and perform encryption, the time cost of this part does not belong to users, so the additional cost caused by CRFs can be ignored. In addition, considering that the offline phase does not affect the actual cost of the online part of the user in the actual scenario, we only consider the time cost of the online phase in the efficiency analysis.

As shown in

Table 3. Comparison of storage cost.

Schemes	Public Parameters	Ciphertext	User Decryption Key
[32]	$(2K+5)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(3l+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(2S+2)\left|\mathbb{G}\right|$
[26]	$5\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(3l+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(2S+3)\left|\mathbb{G}\right|$
[34]	$3\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(2l+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(S+2)\left|\mathbb{G}\right|$
[35]	$\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(l+2)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(S+2)\left|\mathbb{G}\right|$
[36]	$(2K+|U|+2N+2)\left|\mathbb{G}\right|+K|{\mathbb{G}}_T|$	$(3l+\frac{N}{2}+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$((4+d)K+S)\left|\mathbb{G}\right|+2K|{\mathbb{Z}}_p|$
Proposed	$(2K+5)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(3l+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(2S+3)\left|\mathbb{G}\right|$

, we show the storage cost of our scheme and schemes [26,32,34,35,36], respectively, in the public parameters, ciphertext and user decryption key, where $\left|\mathbb{G}\right|$ is the number of elements in group $\mathbb{G}$, |${\mathbb{G}}_T$| is the number of elements in group ${\mathbb{G}}_T$. Because these schemes are CP-ABE schemes, the size of l is proportional to the size of the ciphertext, and the size of S is proportional to the size of the user decryption key. Compared to [36], our scheme has better storage cost for public parameters, ciphertext and user decryption key. Compared with [26,32,34,35], the storage cost of ciphertext and the user decryption key is approximately equal.

It is worth noting that we implement the simulation of the algorithm by deploying the Charm-Crypto cryptographic library based on the Python language development framework in the Ubuntu system. The experimental environment is Ubuntu 18.04.6, 12th Gen Intel(R) Core(TM) i7-12700H 4-core 2.30 GHz processor and 4 GB of RAM.

In the experiment, we imported the PBC module and selected the parameter value “SS512”, type A curve to generate the prime order bilinear group $\mathbb{G}$. We further try to perform 1000 repeated experiments and take the average to estimate the running time of bilinear pairing operation, exponentiation operation and multiplication operation in $\mathbb{G}$, respectively. The results show that the average time cost of the bilinear pairing operation is 2.05 ms, the average time cost of the exponentiation operation is 2.80 ms, and the average time cost of the multiplication operation is 2.82 ms. The source code can be obtained at https://github.com/abcde123411/OO-MA-CP-ABE-CRF (accessed on 2 April 2023. Finally, we present the results in

Table 4. Time cost of sub-operations.

Operation	Time Cost
bilinear pairing operation	2.05 ms
exponentiation in $\mathbb{G}$	2.80 ms
multiplication in $\mathbb{G}$	2.82 ms

.

In order to show the computational time cost and the storage cost of our scheme and other schemes, we make a comparison with Zhang et al. scheme [32] (ZZLL), Ma et al. scheme [26] (MZYS), Xie et al. scheme [34] (XRHS), Zhang et al. scheme [35] (ZGWW) and Zhang et al. scheme [36] (ZZWM). By analyzing the calculation overhead of the online user key generation phase, user decryption phase and the storage overhead of ciphertexts and keys in the system, there is a slight difference between the ZZWM scheme [36] and other schemes. In addition, we let the number of attribute authorities K be 1, the number of users N and the depth d is 0, ${\mathbb{Z}}_p$ is equal to $\mathbb{G}$ to facilitate unified comparison, as shown in Figure 2 and Figure 3.

In Figure 2a, the curve of MZYS scheme [26] coincides with that of our scheme, which shows that the time cost of our scheme in the key generation phase is the same as that of MZYS scheme [26], which has obvious advantages over XRHS scheme [34] and ZZWM scheme [36]. In Figure 2b, the curve of MZYS scheme [26] coincides with that of our scheme. With the help of outsourced decryption technology, the time overhead of our scheme in the decryption phase is very considerable.

As can be seen from Table 3, since the ciphertext storage cost of each scheme contains a constant ${\mathbb{G}}_T$, we can ignore it in the analysis of the storage cost of ciphertext. As shown in Figure 3a, the curves of MZYS scheme [26], ZZLL scheme [32] and ZZWM scheme [36] coincide with that of our scheme, which shows that the ciphertext storage cost of our scheme is equivalent to that of [26,32,36]. As shown in Figure 3b, the curves of XRHS scheme [34], ZGWW scheme [35] and ZZWM scheme [36] are coincident, and the curves of MZYS scheme [26] and ZZLL scheme [32] coincide with that of our scheme, which shows that the secret key storage cost of our scheme is equivalent to that MZYS scheme [26] and ZZLL scheme [32].

6. Real-World Application

In this section, we will provide a detailed description of the practical application of our OO-MA-CP-ABE-CRFs scheme in the e-health system, as shown in Figure 4, which shows the true practical value of the scheme. The following steps are required.

(1) Patients and doctors need to register in the system. The superior management organization of the university and affiliated hospital executes algorithm Global.$\mathrm{Setup}$ to generate system global parameters and send them to registered users.

(2) Given that malicious adversaries may threaten the security of the system through backdoor attacks, the CRF corresponding to the superior management organization executes algorithm ${\mathcal{W}}_{\mathrm{GA}}$.Global.$\mathrm{Setup}$ to randomize the system’s global parameters and broadcasts the updated results across the network.

(3) The superior management organization executes the algorithm $\mathrm{GA}.\mathrm{Setup}$ to generate the public/private key pair.

(4) The CRF of the superior management organization runs the algorithm ${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GA}.\mathrm{Setup}$ to update the public/private key pair, and returns the results to the superior management organization.

(5) The school and hospital, as attribute authorities in the system, respectively, execute the algorithm $\mathrm{AA}.\mathrm{Setup}$ to generate their own public/private key pair.

(6) To prevent this process from being compromised, the CRFs of the school and hospital execute the algorithm ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}$ to randomize their respective public and private key pair.

(7) Considering that most patients usually use resource-constrained mobile devices, some computational operations are performed in the $\mathrm{Encrypt}.\mathrm{off}$ algorithm. This will ensure that mobile device resources are not excessively consumed when performing online encryption operations.

(8) Patient sets access control policies and executes the algorithm $\mathrm{Encrypt}.\mathrm{on}$ to encrypt Electronic Medical Records (EMR).

(9) If the encryption process is compromised, the patient’s EMR may be compromised, directly endangering the privacy and security of the patient. To avoid this situation, the CRF of the patient executes the algorithm ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}$ to generate intermediate ciphertext offline.

(10) The CRF of the patient executes the algorithm ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}$ to update the ciphertext and stores the results in the CSP.

(11) The superior management organization executes the algorithm $\mathrm{GA}.\mathrm{KeyGen}.\mathrm{off}$ offline to generate a portion of the decryption key for registered users.

(12) The CRF of the superior management organization executes the algorithm

${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GAKeyGen}.\mathrm{off}$ in the offline phase to generate an intermediate conversion key.

(13) The CRF of the superior management organization executes the algorithm

${\mathcal{W}}_{\mathrm{GA}}.\mathrm{GAKeyGen}.\mathrm{on}$ to generate a portion of the updated decryption key and sends the result to the doctor.

(14) School and hospital execute the algorithm $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{off}$ in the offline phase to provide pre-computing services for the decryption key generation of doctors.

(15) The school and affiliated hospital execute the algorithm $\mathrm{AA}.\mathrm{KeyGen}.\mathrm{on}$ to generate the corresponding decryption key for the doctor based on their attribute set.

(16) Considering the backdoor attacks, the CRFs of the school and hospital execute the algorithm ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{off}$ to update a portion of the decryption key offline.

(17) The CRF of the school and hospital execute the algorithm ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{on}$ to update the doctor’s decryption key online and send the result to the doctor.

(18) Because we use outsourced decryption, the doctor executes the algorithm $\mathrm{KeyGen}.\mathrm{ran}$ to generate a conversion key and a recovery key.

(19) If the conversion key is compromised, it may cause serious consequences. To this end, the CRF of the doctor executes the algorithm ${\mathcal{W}}_{DU}.\mathrm{TKUpdate}$ to randomize the conversion key, and sends the updated result to the CSP.

(20) The CSP executes the algorithm $\mathrm{Decrypt}.\mathrm{out}$ to pre-decrypt and obtain the transformed ciphertext.

(21) The doctor’s CRF executes the algorithm ${\mathcal{W}}_{DU}.\mathrm{Decrypt}$ to partially decrypt transformed ciphertext.

(22) Doctors execute the algorithm $\mathrm{Decrypt}.\mathrm{user}$, and only authorized doctors can successfully obtain the patient’s EMR.

7. Conclusions

To solve the problem of data privacy security in IoT, we propose an OO-MA-CP-ABE-CRFs scheme. This scheme can not only protect the security of data but also achieve fine-grained access control of data. In addition, our scheme uses multi-authority technology to further reduce the trust of a single authority, uses CRF technology, which can effectively resist the ex-filtration of secret information, fully protect the privacy and security of users, and adopt online/offline and outsourcing decryption technology to reduce users’ storage and computing cost. The security proof and experimental comparison of the scheme show that our scheme is more suitable for data sharing for IoT.

Although the OO-MA-CP-ABE-CRFs scheme implements multi-authority, it requires a global identity authority. In future work, we will study how to remove the global identity authority so that each attribute authority has equal status. We can consider introducing a user’s identity or blockchain to achieve this. In addition, in order to make this scheme suitable for resource-constrained IOT devices, we need to further optimize the efficiency of the encryption algorithm. We can consider adopting techniques such as obfuscation encryption and reducing the size of ciphertext.