Multiauthority Ciphertext Policy-Attribute-Based Encryption (MA-CP-ABE) with Revocation and Computation Outsourcing for Resource-Constraint Devices

Abstract

Fog computing accredits by utilizing the network edge while still rendering the possibility to interact with the cloud. Nevertheless, the features of fog computing are encountering several security challenges. The security of end users and/or fog servers brings a significant dilemma in implementing fog computing. The computational power of the resources constrains Internet of Things (IoT) devices in the fog-computing environment. Therefore, an attacker can easily attack. The traditional methods like attribute-based encryption (ABE) techniques are inappropriate for resource-constraint devices with protracted computing and limited computational capabilities. In this regard, we investigate a multiauthority ciphertext policy-attribute-based encryption (MA-CP-ABE) method that enables multiauthority attribute revocation and computation outsourcing. Moreover, the encryption and decryption processes of resource-constraint IoT devices are outsourced to the fog nodes. In this way, it also reduces the computational burden of the resource-constraint IoT devices. Hence, we propose MA-CP-ABE for encryption and decryption, attribute revocation and outsourcing by reducing the computational burden and securing the system. We compare the computational offloading approach with the existing techniques to prove that the proposed approach outperforms the existing approaches. The proposed method reduces the operation time for the encryption and decryption process. We outsource cryptography operations to the fog node, reducing the end user’s computational cost. Eventually, simulated outcomes are used to assess the algorithm’s computational cost.

1. Introduction

Fog computing is a promising computational framework extending cloud computing to the network’s edge for a smooth interconnection between cloud computing and resource-constraint devices [1,2,3,4]. The primary benefit of fog computing is the delivery of robust capabilities to resource-constraint devices in terms of processing and storage while being closer to end devices [5]. Security concerns have yet to be resolved regardless of the advantages of fog computing [6]. This includes data protection and access control for devices with limited resources [7]. Resource-constrained devices are more susceptible and unreliable because fog nodes are considered on the edge of the network and are inexpensive as compared to cloud servers.

The novel proposed solution to these issues is to encrypt the information before uploading it to the fog node. As a result, the attribute-based encryption (ABE) notion is a one-to-many cryptographic approach [8]. The traditional ABE is an encryption process depending on multiple attributes of the private and public keys [9]. However, the scheme is inappropriate for end devices due to limited computational resources, complex management and high computational times [10,11,12]. Nevertheless, the encryptor may not be required to recognize the end user’s precise details and only needs to embed the attribute into the ciphertext. End users decrypt information only if their attributes match the access structure. The procedure enables access control over data encryption between secret keys and ciphertext via access policies and assigned attributes.

In this regard, the ciphertext policy-attribute-based encryption (CP-ABE) allows data owners to establish the access policy for various end-user attributes to decrypt the ciphertext. For instance, ciphertext validity can be ensured by public verification, and valid ciphertexts must be stored or transmitted. In the primitive process, end users in the fogs generated private keys from multiple authorities whose geographical locations or functions might differentiate. Another cryptographic primitive process known as server-aided revocable bilateral ABE can be used to secure and lightweight bilateral access control systems. This includes fine-grained data users and data-owner access control simultaneously, outsourced data source identification, server-aided user revocation and data decryption with exponentiation computation. Moreover, the CP-ABE can verify the outsourcing of encryption and decryption to any untrusted encryption and decryption service provider. This allows us to outsource encryption and decryption processes by using modular exponentiation for the single untrusted server to generate the transformation of keys.

The existing CP-ABE-based solutions, however, primarily concentrate on how end users can manage secured data access. Few works considered the access control requirements of fog nodes from resource-constraint devices. However, several instances of end-user equipment access to the network makes end-user management extremely difficult. Also, the encryption and decryption operations of CP-ABE require several exponentiations modules directly related to the number of attributes. This poses a fundamental problem for end users to access and change the data on resource-constrained gadgets, having a limited storage capacity and computation.

We propose the MA-CP-ABE technique to enable attribute revoking and computation outsourcing for resource-constraint devices in fog computing. The contributions of this work are summed up below:

• We propose a multiauthority ciphertext policy-attribute-based encryption (MA-CP-ABE) scheme that enables multiauthority attribute revocation and computation outsourcing. In this regard, we propose a seven-layer reference model, i.e., edge node, communication, edge computing, data accumulation, data abstraction, applications, users and centers.
• We investigate an attribute-revocation scheme by exploiting MA-CP-ABE. The proposed scheme realizes instant attribute revocation with the attribute-group key’s help as well as ensures fine-grained access control. In this way, it also reduces the computational burden of the resource-constraint IoT devices. Hence, we propose 11 MA-CP-ABE for encryption and decryption, attribute revocation and outsourcing by reducing the computational burden and securing the system.
• We provide a security analysis to validate the proposed CP-ABE approach. We also compare our results with [13,14] in terms of the computational cost. Simulation findings show that our procedure outperforms the works in [13,14]. The proposed method reduces the operation time for the encryption and decryption process. We outsource cryptography operations to the fog node, reducing the end user’s computational cost.

This paper is organized as follows: We illustrate the introduction, contributions and related works in Section 1. Section 2 illustrates the preliminaries of the work that include the system model and step-by-step process of the algorithm. The thread model is described in Section 3. Section 4 and Section 5 describe the proposed scheme and performance analysis, respectively. Finally, the paper is concluded in Section 6.

2. Literature Work

In CP-ABE, the end user is affiliated with a collection of attributes during the encryption process in the access policy [15]. Researchers have proposed several CP-ABE systems and diverse techniques over decades [16]. The following approaches were proposed for improving the efficiency and reducing the computational overhead. The summary of related work in terms of the methodology and approaches is depicted in

Table 1. Summary of related work.

Ref	Methodology	ABE	MA-ABE	AR-ABE	O-ABE
[17]	CP-ABE	✓	×	×	✓
[18]	KP-ABE	✓	×	×	×
[19]	ABE	✓	×	×	×
[20]	ABE	✓	×	×	×
[21]	ABE	✓	×	×	✓
[22]	Fully policy-hidden CP-ABE	✓	×	×	✓
[23]	Hierarchy CP-ABE	✓	×	×	✓
[24]	ABE	✓	×	×	✓
[25]	CP-ABE	✓	×	×	✓
[26]	CP-MA-ABE	✓	✓	×	×
[13]	MA-ABE	✓	✓	×	×
[27]	MA-ABE	✓	✓	×	×
[28]	MA-ABE	✓	✓	×	×
[29]	Chase’s scheme	✓	✓	×	×
[30]	MA-ABE	✓	✓	×	×
[31]	MA-ABE	✓	✓	×	×
[32]	ABE	✓	×	✓	×
[33]	Proxy Re-encryption	✓	×	✓	×
[34]	Access control policies	✓	×	✓	×
[35]	MR-ABE	✓	×	✓	×
[14]	CA-CP-ABE	✓	×	✓	×
[36]	AR-ABE	✓	×	✓	×
[37]	AR-ABE	✓	×	✓	×
[38]	Privacy protection	✓	×	×	✓
[39]	CPA and RCCA	✓	×	×	✓
[40]	ABE and CCA	✓	×	×	✓
[41]	CP-ABE	✓	×	×	✓
[42]	Fine-grained access control	✓	×	×	✓
[43]	FS-PKSE	✓	×	×	✓
[44]	MA-ABE	✓	✓	×	✓
Our Method	MA-CP-ABE	✓	✓	✓	✓

.

2.1. Attribute-Based Encryption (ABE)

The authors of [18] developed the key-policy attribute-based encryption (KP-ABE) method. The KP-ABE method illustrated that the ciphertext is presented in the set of attributes and secret keys. The authors of [19] presented an ABE method concerning the location of access control. The authors formulated the problem of attacks on secret keys to impede the applications of KP-ABE. The technique was further investigated in [20] to improve ABE’s efficiency by exploiting overlooked facts, i.e., the hierarchical links among the attributes in access control. The authors of [17] investigated the attribute-based broadcast encryption. The authors tried to solve an efficient, constant, private-key ciphertext-policy ABBE scheme for fast decryption. In [21], the authors considered a key-exchange protocol based on CP-ABE to establish authentic and confidential communications. Furthermore, the authors of [22] proposed a fully policy-hidden CP-ABE scheme constructed on the linear secret-sharing-scheme access structure and prime-order groups for public cloud data sharing. In [23], an extended file hierarchy CP-ABE scheme is proposed to encrypt multiple files on the same access level. The authors provide secure and flexible access control for users in cloud storage. The authors of [24] proposed an ABE scheme with adaptive security for cloud-assisted IoTs. The authors achieved access control, revocability and adaptive security under formal-decision linear assumptions. Finally, the authors of [25] proposed CP-ABE with arithmetic span programs to reduce the unnecessary cost of defining the access policy. The proposed scheme prevents the revoked user from accessing the newly generated data and the old data that can be accessed.

However, the reported results are limited only to fog servers, and there is no security achievement for resource-constraint devices. Moreover, the authors did not describe multiauthority and attribute-revocation problems in the works above.

2.2. Multiauthority Attribute-Based Encryption (MA-ABE)

In [26], the authors proposed CP-ABE without a central entity to disseminate the keys to end users. In [13], the authors proposed MA-ABE, which delivered a fine-grained access-control policy over the encrypted data to achieve data privacy. The authors aimed to solve the revocation of attributes to improve the end user’s appropriate access in a timely and efficient manner. The authors of [27] suggested an MA-ABE access-control approach to allow an infinite attribute universe while providing an effective decryption outsourcing strategy. In [28], the authors proposed Chase’s scheme to allow encryptors to determine the number of attributes required for each ciphertext from related attribute authorities.

The authors of [29] worked in a secure MA-ABE scheme to minimize the computation and storage burden on resource-limited devices in cloud systems. In addition, the authors of [30] proposed robust generic MA-ABE management systems to overcome the challenges of cloud storage services. The authors used the digital identity of the users to prevent collusion between system users. Finally, the authors of [31] proposed MA-ABE to allow the authorization process to be performed only once, even over policies from multiple authorities, and they improved the scalability.

Although the above schemes are essential to implement, they failed to achieve the proposed techniques’ effectiveness and practicality. Additionally, the above procedures did not consider ABE’s combined effect of multiauthority, attribute revocation and outsourcing. Moreover, these works did not consider simultaneously implementing encryption, decryption outsourcing or attribute revocation. In addition, the attribute that permitted the key distribution of a particular number of attributes is not generally addressed during most of the work implementation.

2.3. Attribute-Revocation Attribute-Based Encryption (AR-ABE)

The ABE approaches focused on implementing abundant access strategies and neglected the attribute revocation in the encryption mechanism [32]. For example, the authors of [33] introduced the re-encryption method into attribute revocation. The proposed scheme deals with data outsourcing and enforces authorization policies and policy updates. The authors of [34] suggested the notion of access-control policies and end-user revocation capabilities. The system produces the group keys to the revocation list in this case. The authors of [35] provided the MR-ABE by utilizing the attribute-group key under certain error assumptions to solve the attribute revocation and granting problems. However, due to the high computational overhead, the system is inappropriate for resource-constraint devices. The authors of [14] proposed collision avoidance CP-ABE and attribute revocation for cloud storage. Finally, the authors of [31] considered security requirements for an AR-ABE to prove confidentiality and integrity.

An outsourcing architecture in the above may lead to attribute and end-user revocation problems. In addition, the proposed solutions mentioned above are unsuitable for fog-computing and resource-constraint devices due to their high computational complexity. Moreover, the techniques lack information about data outsourcing for the resource-constraint devices and the multiauthority approach.

2.4. Outsourced Attribute-Based Encryption (O-ABE)

Based on outsourcing, the authors of [37] introduced a privacy-protection strategy for O-ABE that enables mobile devices to outsource encryption and decryption procedures without leaking information to cloud service providers. The authors of [38] proposed a generic construction of chosen plaintext attack (CPA) and replayable chosen ciphertext attack (RCCA) ABE systems to verify the outsourced decryption. However, the authors only considered the outsourcing mechanism for decryption operations and ignored encryption operations. A CCA mechanism is also proposed in [39] for ABE with outsourced decryption operations. Nevertheless, the authors did not consider outsourcing encryption operations in CCA. The method is not practical for resource-constraint devices in fog computing. Keeping fog computing in the discussion, the authors of [40] proposed CP-ABE-based access control to support outsourcing and attribute revocations. In another article [41], the authors proposed outsourcing cryptography to fog nodes for resource-constraint devices. The authors of [42] proposed fine-grained access control, encryption, outsourced decryption, user revocation and ciphertext verification. The authors used a revocation mechanism utilizing the chameleon hash function for the IoMT ecosystem. Furthermore, the authors of [43] proposed a forward secure public key searchable encryption (FS-PKSE) scheme in which a cloud server cannot learn any information about an encrypted data file that contains keywords.

2.5. Comparison to Our Previous Works

In most of the above works, the authors only consider either encryption outsourcing or decryption outsourcing. The authors fail to achieve both encryption and decryption outsourcing simultaneously. Moreover, the authors only considered outsourcing and did not consider multiauthority and attribute revocations.

In addition to the above existing works, we depicted the significant differences between this research work and [44]. In this version, the secret keys are produced dynamically by introducing the attribute-group keys and not only by attribute revocation. Hence, in [44], the secret keys are only produced with the help of attribute revocation and not by attribute-group keys. We provide the challenge game by the attacker and prove that the proposed scheme can tackle the attacker’s challenge. Therefore, the work in [44] did not show any security challenge, which is the main limitation of the previous work.

This work is an extension of our conference paper [45]. In [45], we only considered the security analysis of the proposed work. In this extended work, we extensively work on the computational analysis of our proposed work, which was the major deficiency of our previous work. In contrast, we simulate the results of the computing overhead of the key-generation algorithms, computing overhead of the encryption algorithm and computing overhead of the decryption algorithm. Moreover, in this work, we included the threat model that practically represents the implementation of this research work.

The current version achieved all the processes of encryption/decryption, multiauthority attribute revocation and outsourcing computation based on ciphertext policies. On the other side, the previous work has a limited encryption and decryption process. In this regard, our simulation results in the previous version are limited to certain parameters, i.e., the time of decryption, encryption and key generation with the number of attributes. Keeping this view, we compared the results with up-to-date and more-relevant schemes, i.e., CP-ABE and MA-ABE, respectively. We extended our results not only to the time of decryption, encryption and key generation with the number of attributes but also to the time of decryption, encryption and key generation with the number of attributes per attribute authority.

3. Preliminaries

3.1. Network System

Figure 1 shows the system model, and the notations are summarized in Table 2. In this work, we consider the cloud and fog layers as trusted entities. On the other hand, the end user’s layer is untrusted entities. System-parameter generation, system security-level determination, attribute center work, the scheduling of fog-computing resources, the processing of end-user access authentication requests and key generation are all tasks that fall under the purview of the cloud service provider. Fog nodes communicate with end users, the authentication of users, the outsourcing of data encryption and assuring that legitimate end users can decrypt the information by fulfilling the specific attribute requirements. The data owner encrypts the plaintext with his private key so that unauthentic users cannot decrypt the ciphertext. When the access user makes an access request, it will first check whether the ciphertext can be correctly decrypted or not. The fog node is designated for outsourcing decryption if it can be correctly decrypted. After receiving decrypted ciphertexts from the fog node, the user decrypts the ciphertext to obtain the plaintext. Consequently, we discuss the functionality of each entity:

• Central Authority (CA): Is the system’s global authorized certificate authority. It accepts all end users and the attribute authorities in the system to be registered. The CA establishes a specific global end-user identity (uid) and a unique attribute authority identity (aid) in the network for each end user. In this proposed method, the CA is responsible for the registration requests from both end users and AAs. However, it is not involved in attribute operations and private keys. Hence, the system is still secure if there is an attack on the CA. This is because the CA cannot leak the end user’s private information.
• Attribute Authority (AA): Is accountable for entitling and revoking the end users’ attributes according to the attribute identity (aid). Each attribute authority (AA) produced its public key and provided attribute-related secret keys according to the end users. When the AA is attacked, it only affects the security of its related attributes and cannot affect the system’s security. Consequently, the overall network is more secure than the approach used in a single authorization center.
• Cloud Service Provider (CSP): Leverages the storage of data and key management. When an attribute-revocation event occurs, the revoked end user’s access is averted to re-encrypt the ciphertext.
• Fog Node: Undertakes the encryption and decryption. The data owner and end users outsource the cryptography process to fog nodes, thus reducing the computation burden of the end users.
• Data Owners (DOs): Are defined by an $a_p$ for that data that require the encryption. They also leverage the targeted end users and the scope of the authorized end users.
• End users: We consider the object of the attribute revocation as the end users. When end users want to access the data, they can download them and decrypt them through fog nodes from the cloud-server provider. Users can view the data that adhered to the access policies. Thus, unauthorized and unattributed end users cannot access the data, thereby controlling fine-grained information.

Table 2. Notation and description.

Notation	Description
$\mathcal{CT}$	Ciphertext
m	Plaintext
g	Key Generator
$\mathcal{G}$, ${\mathcal{G}}_T$	Multiplication Cyclic Classes
$\mathcal{A}$	Adversary/opponent
x	Attribute
$a_p$	Access policy
$u^{\ast }$	Revocation attribute
$Enc.$	Encryption
$Dec.$	Decryption
$PreEnc.$	Pre-encryption
$PreDec.$	Predecryption
$CA$	Central authority
$AA$	Attribute authority
$CSP$	Cloud service provider
$DO$	Data owners
$GP$	Global parameters
$\lambda$	Security parameter
$aid$	Authority identity
$uid$	Uder Identity
$DK$	Symmetric key
$SE$	Symmetric encryption
Y	Set of attributes contained in the $a_p$
$AP{K}_{aid}$	Authority public key
$AS{K}_{aid}$	Authority secret key
$AGK$	Attribute-group key
${\mathbb{Z}}_p$	Integer ring of order
p	Prime numbers
$OSK$	Outsourcing private (secret) key
$S={}_{uid,aid}$	Set of end user’s attributes
$SS{K}_{s,uid,aid}$	End user’s $uid$ secret key
$KE{K}_{TRE{E}_x}$	Binary State Tree
$AID$	Collection of AAs
$UID$	Global Identification Collection
⊥	Invalid output
$R_1$	Communication Radius

Table 2. Notation and description.

Notation	Description
$\mathcal{CT}$	Ciphertext
m	Plaintext
g	Key Generator
$\mathcal{G}$, ${\mathcal{G}}_T$	Multiplication Cyclic Classes
$\mathcal{A}$	Adversary/opponent
x	Attribute
$a_p$	Access policy
$u^{\ast }$	Revocation attribute
$Enc.$	Encryption
$Dec.$	Decryption
$PreEnc.$	Pre-encryption
$PreDec.$	Predecryption
$CA$	Central authority
$AA$	Attribute authority
$CSP$	Cloud service provider
$DO$	Data owners
$GP$	Global parameters
$\lambda$	Security parameter
$aid$	Authority identity
$uid$	Uder Identity
$DK$	Symmetric key
$SE$	Symmetric encryption
Y	Set of attributes contained in the $a_p$
$AP{K}_{aid}$	Authority public key
$AS{K}_{aid}$	Authority secret key
$AGK$	Attribute-group key
${\mathbb{Z}}_p$	Integer ring of order
p	Prime numbers
$OSK$	Outsourcing private (secret) key
$S={}_{uid,aid}$	Set of end user’s attributes
$SS{K}_{s,uid,aid}$	End user’s $uid$ secret key
$KE{K}_{TRE{E}_x}$	Binary State Tree
$AID$	Collection of AAs
$UID$	Global Identification Collection
⊥	Invalid output
$R_1$	Communication Radius

Figure 1. System model.

Figure 1. System model.

3.2. Step-by-Step Process

This process is summarized in Table 3. The overall workflow of this paper is also illustrated in Figure 2, and the details are given below:

• $GlobalSetup\left(\lambda \right)\to GP$: The $GlobalSetup$ runs by the central authority, $CA$. It requires no input other than the security parameter, $\lambda$. It delivers the outputs of the global public parameters, $GP$.
• $AASetup\left(GP,aid\right)\to \left(AP{K}_{aid},AS{K}_{aid}\right)$: The $AASetup$ runs by each attribute authority, $AA$. It considers the $GP$ and authority identity, $aid$, as the inputs. The output of $AASetup$ is the public and secret key pair $\left(AP{K}_{aid},AS{K}_{aid}\right)$.
• $SKGen\left(GP,AS{K}_{aid},uid,S_{uid,aid}\right)\to S{K}_{S,uid,aid}$: The $SKGen$ runs by each $AA$. It requires the $GP$, authority secret key $AS{K}_{aid}$, end-user identity $uid$ and a set of the end user’s attributes $S_{uid,aid}$ entitled by the $aid$ as the inputs. It outputs the secret key $SS{K}_{S,uid,aid}$ for the end-user $uid$.
• $AttrGroupKey\left(aid,x\right)\to \left(KE{K}_{TRE{E}_x},AGK\right)$: The $AttrGroupKey$ runs by each $AA$. It takes the $aid$ and attributes x as the inputs. It outputs $KE{K}_{TRE{E}_x}$ and the attribute-group key $AGK$ for x.
• $FogEnc.\left(\mathcal{A},GP,{\left\{APK\right\}}_{aid}\right)\to {\mathcal{CT}}_{out}^1$: The $FogEnc$. runs by the fog nodes. It takes $a_p$, the $GP$ and a set of authority public keys $AP{K}_{aid}$ as the inputs. It outputs the ciphertext ${\mathcal{CT}}_{out}^1$.
• $DOEnc.\left(m,\mathcal{A},GP,{\left\{APK\right\}}_{aid}\right)\to \mathcal{CT}$: The $DOEnc.$ run by the data owners. It obtains the message m, $a_p$, $GP$ and $AP{K}_{aid}$ as the inputs. It outputs the ciphertext $\mathcal{CT}$.
• $ReEnc\left(\mathcal{CT},\left\{AGK\right\}\right)\to {\mathcal{CT}}^{{}^{\prime }}$: The $Re.Enc.$ runs by $CSP$. It takes the ciphertext $\mathcal{CT}$ and a set of attribute-group keys $AGK$ as the inputs and outputs the re-encrypted ${\mathcal{CT}}^{{}^{\prime }}$.
• $PreDec\left(uid,\left\{AGK\right\},\left\{S{K}_{S,uid,aid}\right\}\right)\to \left(S{K}_{S,uid,aid}^{{}^{\prime }},OS{K}_{S,uid},{\mathcal{CT}}^{{}^{″}}\right)$: The $PreDec.$ runs by the end users. It takes the $uid$, $AGK$ and a set of the end users’ secret keys $S{K}_{S,uid,aid}$ as the inputs. It outputs $S{K}_{S,uid,aid}^{{}^{\prime }}$ and $OS{K}_{S,uid}$.
• $Fog.Dec\left({\mathcal{CT}}^{\prime },GP,OS{K}_{S,uid}\right)\to {\mathcal{CT}}_{out}^2$: The $FogDec.$ runs by fog nodes. It takes ${\mathcal{CT}}^{\prime }$, $GP$ and outsourcing private keys $OS{K}_{S,uid}$ as the inputs. It outputs a partially decrypted ciphertext ${\mathcal{CT}}_{out}$.
• $End-user.Dec\left({\mathcal{CT}}_{out}^2,uid,S{K}_{S,uid,aid}^{{}^{\prime }}\right)\to \left(m/\perp \right)$: The $end-userDec.$ runs by the end users. It takes the partially decrypted ciphertext ${\mathcal{CT}}_{out}^2$, end-user identity $uid$ and the key $S{K}_{S,uid,aid}$ as the inputs. If the attributes of the end-user $uid$ are satisfied, then the access structure $\mathcal{A}$ embedded in the ciphertext outputs m. Otherwise, it outputs ⊥.
• $KeyUpdate$: End users run the $KeyUpdate$ algorithm. It outputs a new attribute-group key $AG{K}_x^{{}^{\prime }}$ for the revoked attribute x.
• $CTUpdate\left({\mathcal{CT}}^{{}^{\prime }},x,AG{K}_x^{{}^{\prime }}\right)\to {\mathcal{CT}}^{\ast }$: The $CTUpdate$ runs by $CSP$. It takes $C{T}^{{}^{\prime }}$, x and $AG{K}_x^{{}^{\prime }}$ as the inputs. It delivers the updated ciphertext ${\mathcal{CT}}^{\ast }$ as the output. In the scenario of attribute revocation, $CSP$ operates the algorithm to change the ciphertext.

Table 3. Step-by-step process for different parameters in the proposed algorithm.

Step #	Parameter	Process by	Input Taken	Output Delivered
Step # 1	$GlobalSetup\left(\lambda \right)\to GP$	Central authority ($CA$)	Security parameter ($\lambda$)	Global public parameters
Step # 2	$AASetup\left(GP,aid\right)\to \left(AP{K}_{aid},AS{K}_{aid}\right)$	Attribute authority $\left(AA\right)$	Global parameters $\left(GP\right)$ and authority identity $\left(aid\right)$	Authority’s public/secret key pair $\left(AP{K}_{aid},AS{K}_{aid}\right)$
Step # 3	$SKGen(GP,AS{K}_{aid},$$uid,S_{uid,aid})\to S{K}_{S,uid,aid}$	Attribute authority $\left(AA\right)$	Global parameters $\left(GP\right)$, authority secret key $\left(AS{K}_{aid}\right)$, end-user identity $\left(uid\right)$ and set of end user’s attributes $\left(S_{uid,aid}\right)$	Secret key $\left(SS{K}_{S,uid,aid}\right)$ for end user $\left(uid\right)$
Step # 4	$AttrGroupKey(aid,x)\to (KE{K}_{TRE{E}_x},AGK)$	Attribute authority $\left(AA\right)$	Authority identity $\left(aid\right)$ and attribute $\left(x\right)$	Binary State Tree $KE{K}_{TRE{E}_x}$ and attribute-group key $AGK$ for attribute x
Step # 5	$Fog.Enc(\mathcal{A},GP,{\left\{APK\right\}}_{aid})$$\to {\mathcal{CT}}_{out}^1$	Fog nodes	Authority identity $\left(aid\right)$ and attribute $\left(x\right)$	Ciphertext ${\mathcal{CT}}_{out}^1$
Step # 6	$DO.Enc(m,\mathcal{A},GP,{\left\{APK\right\}}_{aid})$$\to \mathcal{CT}$	Data owners	Message m, access policy $\left(a_p\right)$, global parameters $\left(GP\right)$ and set of authority public keys $\left(AP{K}_{aid}\right)$	$\mathcal{CT}$
Step # 7	$ReEnc(\mathcal{CT},\left\{AGK\right\})\to {\mathcal{CT}}^{{}^{\prime }}$	$CSP$	Ciphertext $\left(\mathcal{CT}\right)$ and set of attribute-group keys $\left(AGK\right)$	Re-encryption ciphertext ${\mathcal{CT}}^{{}^{\prime }}$
Step # 8	$PreDec(uid,\{AGK\},$$\left\{S{K}_{S,uid,aid}\right\})\to (S{K}_{S,uid,aid}^{{}^{\prime }},OS{K}_{S,uid},{\mathcal{CT}}^{{}^{″}})$	End users	End-user identity $\left(uid\right)$, set of attribute-group keys $\left(AGK\right)$ and set of end user’s secret keys $\left(S{K}_{S,uid,aid}\right)$	$S{K}_{S,uid,aid}^{{}^{\prime }}$ and $OS{K}_{S,uid}$
Step # 9	$Fog.Dec({\mathcal{CT}}^{\prime },GP,OS{K}_{S,uid})$$\to {\mathcal{CT}}_{out}^2$	Fog nodes	Ciphertext $\left({\mathcal{CT}}^{\prime }\right)$, global parameters $\left(GP\right)$ and key $\left(OS{K}_{S,uid}\right)$	Partially decrypted ciphertext $\left({\mathcal{CT}}_{out}\right)$
Step # 10	$end-user.Dec$$({\mathcal{CT}}_{out}^2,uid,S{K}_{S,uid,aid}^{{}^{\prime }})\to (m/\perp )$	End users	Partially decrypted ciphertext $\left({\mathcal{CT}}_{out}^2\right)$, end-user identity $\left(uid\right)$ and key $\left(S{K}_{S,uid,aid}\right)$	Message $\left(m\right)$ or ⊥
Step # 11	$KeyUpdate$	End users	Revoked attribute $\left(x\right)$	Attribute-group key $\left(AG{K}_x^{{}^{\prime }}\right)$
Step # 12	$CTUpdate\left({\mathcal{CT}}^{{}^{\prime }},x,AG{K}_x^{{}^{\prime }}\right)\to {\mathcal{CT}}^{\ast }$	$CSP$	Ciphertext $\left({\mathcal{CT}}^{{}^{\prime }}\right)$, revoked attribute x and attribute-group key $\left(AG{K}_x^{{}^{\prime }}\right)$	${\mathcal{CT}}^{\ast }$

Table 3. Step-by-step process for different parameters in the proposed algorithm.

Step #	Parameter	Process by	Input Taken	Output Delivered
Step # 1	$GlobalSetup\left(\lambda \right)\to GP$	Central authority ($CA$)	Security parameter ($\lambda$)	Global public parameters
Step # 2	$AASetup\left(GP,aid\right)\to \left(AP{K}_{aid},AS{K}_{aid}\right)$	Attribute authority $\left(AA\right)$	Global parameters $\left(GP\right)$ and authority identity $\left(aid\right)$	Authority’s public/secret key pair $\left(AP{K}_{aid},AS{K}_{aid}\right)$
Step # 3	$SKGen(GP,AS{K}_{aid},$$uid,S_{uid,aid})\to S{K}_{S,uid,aid}$	Attribute authority $\left(AA\right)$	Global parameters $\left(GP\right)$, authority secret key $\left(AS{K}_{aid}\right)$, end-user identity $\left(uid\right)$ and set of end user’s attributes $\left(S_{uid,aid}\right)$	Secret key $\left(SS{K}_{S,uid,aid}\right)$ for end user $\left(uid\right)$
Step # 4	$AttrGroupKey(aid,x)\to (KE{K}_{TRE{E}_x},AGK)$	Attribute authority $\left(AA\right)$	Authority identity $\left(aid\right)$ and attribute $\left(x\right)$	Binary State Tree $KE{K}_{TRE{E}_x}$ and attribute-group key $AGK$ for attribute x
Step # 5	$Fog.Enc(\mathcal{A},GP,{\left\{APK\right\}}_{aid})$$\to {\mathcal{CT}}_{out}^1$	Fog nodes	Authority identity $\left(aid\right)$ and attribute $\left(x\right)$	Ciphertext ${\mathcal{CT}}_{out}^1$
Step # 6	$DO.Enc(m,\mathcal{A},GP,{\left\{APK\right\}}_{aid})$$\to \mathcal{CT}$	Data owners	Message m, access policy $\left(a_p\right)$, global parameters $\left(GP\right)$ and set of authority public keys $\left(AP{K}_{aid}\right)$	$\mathcal{CT}$
Step # 7	$ReEnc(\mathcal{CT},\left\{AGK\right\})\to {\mathcal{CT}}^{{}^{\prime }}$	$CSP$	Ciphertext $\left(\mathcal{CT}\right)$ and set of attribute-group keys $\left(AGK\right)$	Re-encryption ciphertext ${\mathcal{CT}}^{{}^{\prime }}$
Step # 8	$PreDec(uid,\{AGK\},$$\left\{S{K}_{S,uid,aid}\right\})\to (S{K}_{S,uid,aid}^{{}^{\prime }},OS{K}_{S,uid},{\mathcal{CT}}^{{}^{″}})$	End users	End-user identity $\left(uid\right)$, set of attribute-group keys $\left(AGK\right)$ and set of end user’s secret keys $\left(S{K}_{S,uid,aid}\right)$	$S{K}_{S,uid,aid}^{{}^{\prime }}$ and $OS{K}_{S,uid}$
Step # 9	$Fog.Dec({\mathcal{CT}}^{\prime },GP,OS{K}_{S,uid})$$\to {\mathcal{CT}}_{out}^2$	Fog nodes	Ciphertext $\left({\mathcal{CT}}^{\prime }\right)$, global parameters $\left(GP\right)$ and key $\left(OS{K}_{S,uid}\right)$	Partially decrypted ciphertext $\left({\mathcal{CT}}_{out}\right)$
Step # 10	$end-user.Dec$$({\mathcal{CT}}_{out}^2,uid,S{K}_{S,uid,aid}^{{}^{\prime }})\to (m/\perp )$	End users	Partially decrypted ciphertext $\left({\mathcal{CT}}_{out}^2\right)$, end-user identity $\left(uid\right)$ and key $\left(S{K}_{S,uid,aid}\right)$	Message $\left(m\right)$ or ⊥
Step # 11	$KeyUpdate$	End users	Revoked attribute $\left(x\right)$	Attribute-group key $\left(AG{K}_x^{{}^{\prime }}\right)$
Step # 12	$CTUpdate\left({\mathcal{CT}}^{{}^{\prime }},x,AG{K}_x^{{}^{\prime }}\right)\to {\mathcal{CT}}^{\ast }$	$CSP$	Ciphertext $\left({\mathcal{CT}}^{{}^{\prime }}\right)$, revoked attribute x and attribute-group key $\left(AG{K}_x^{{}^{\prime }}\right)$	${\mathcal{CT}}^{\ast }$

Figure 2. Workflow of our proposed scheme.

Figure 2. Workflow of our proposed scheme.

4. Threat Model

We illustrate the threat model as a game between attacker $\mathcal{A}$ and challenger $\mathcal{C}$ [39]. The model consists of the following six steps:

• Initialization:
  The attacker $\mathcal{A}$ chooses $a_p$ = $\left({\mathcal{M}}^{\ast },{\rho }^{\ast }\right)$ and the challenge-revocation attribute $u^{\ast }$. Here, ${\mathcal{M}}^{\ast }$ is the matrix, i.e., ${\mathcal{M}}^{\ast }=l^{\ast }\times n^{\ast },n^{\ast }\le q$. The $a_p$ is the access policy. The l in the matrix ${\mathcal{M}}^{\ast }$ is the number of the attributes contained in the access policy while n reflects the amount of computation required for secret reconstruction. The $\rho$ is the function that maps each row of m to an attribute $\rho$.
• Setup: The $\mathcal{C}$ executes the $GlobalSetup\left(\lambda \right)\to GP$ to attain the global parameters ($GP$) and offers the $GP$ to the opponent $\mathcal{A}$. $AID$ represent the collection of $AAs$.
• Phase 1: The opponent $\mathcal{A}$ wants to corrupt the $AI{D}_C\subset AID$ authorities, so the remaining authorities ($AID-AI{D}_C$) are not corrupted. The opponent $\mathcal{A}$ flags the subsequent queries. $\mathcal{A}$ demands the public keys of its authority ${\left\{AP{K}_{aid}\right\}}_{aid\in \left(AID-AI{D}_C\right)}$ for noncorrupt authorities from $\mathcal{C}$. For corrupt authorities $AI{D}_C$, $\mathcal{A}$ can create the corresponding ${\left\{AP{K}_{aid}\right\}}_{aid\in AI{D}_C}$ by himself. Hence, $\mathcal{A}$ uses secret key queries by using $\left(uid,S_{uid,aid}\right)$ against $\mathcal{C}$ by using a secret key-generation $SKGen$ algorithm. Here, $gid$ indicates the end user’s identity, and $Suid,aid$ indicates a set of $aid$ attributes.
  $\mathcal{A}$ transmits messages $m_0$, $m_1$, equal in size and in the range of $\left\{\left({\mathcal{M}}_1^{\ast },{\rho }_1^{\ast }\right),\dots ,\left({\mathcal{M}}_q^{\ast },{\rho }_q^{\ast }\right)\right\}$, to $\mathcal{C}$. Thus, $\mathcal{A}$ provides an updated secret key query by sending $\left(uid,S_{uid,aid}\right)$ and a revoked attribute u. Therefore, $\mathcal{A}$ delivers UKeyGen Query by considering $m_0$, $m_1$ and $\left({\mathcal{M}}_i^{\ast },{\rho }_i^{\ast }\right),\left({\mathcal{M}}_j^{\ast },{\rho }_j^{\ast }\right)$$\forall i\ne j\&i,j\in \left[1,q\right]$.
• Challenge
  • $\mathcal{C}$ chooses random bits, i.e., $b\in \left\{0,1\right\}$, and responds to the attacker’s query.
  • In all authentic authorities $aid\in \left(AID-AI{D}_C\right)$, $\mathcal{C}$ executes $AASetup\left(aid\right)\to \left(AP{K}_{aid},AS{K}_{aid}\right)$ to obtain public and secret keys. Therefore, $\mathcal{C}$ deliver the $AP{K}_{aid}$ to $\mathcal{A}$.
  • For $x\in S_{uid,aid}$ and $aid\in \left(AID-AI{D}_C\right)$, $\mathcal{C}$ executes AttrKeyGen and transmits $S{K}_{S,uid,aid}$ to $\mathcal{A}$. Consequently, $\mathcal{C}$ computes $Attr-GroupKey-Gen.\left(aid,x\right)\to \left(KE{K}_{TRE{E}_x},AGK\right)$ and transmits $PAT{H}_{uid}$ to the end-user $uid$, having $x\in S_{uid,aid}$. Note that $PAT{H}_{uid}$ is $KE{K}_{TRE{E}_x}$, as shown in Figure 3.
  • $\mathcal{C}$ encrypts $m_b$ for $\left({\mathcal{M}}_1^{\ast },p_1^{\ast }\right),\dots ,\left({\mathcal{M}}_q^{\ast },p_q^{\ast }\right)$ and sends ciphertexts $\left\{{\mathcal{CT}}_1^{{}^{\prime }},\dots ,{\mathcal{CT}}_q^{{}^{\prime }}\right\}$ to $\mathcal{A}$.
  • For the inputs $\left(uid,S_{uid,aid},u\right)$, $\mathcal{C}$ provides the $SecretKey$ query on $\left(uid,S_{uid,aid}\right)$ and creates the secret key $S{K}_{S,uid,aid}$. As a result, $\mathcal{C}$ calculates the KeyUpdate, i.e., $S{K}_{S,uid,aid}^{{}^{\prime }}$, and transmits it to $\mathcal{A}$.
  • For the challenging messages $m_0$, $m_1$ and corresponding access policies $\left({\mathcal{M}}_i^{\ast },{\rho }_i^{\ast }\right)$, $\left({\mathcal{M}}_j^{\ast },{\rho }_j^{\ast }\right)$, $\mathcal{C}$ computes $Encrypt\left(m_b,\left({\mathcal{M}}_i^{\ast },{\rho }_i^{\ast }\right),GP,AP{K}_{aid}\right)$. At first, it produces the encryption information $EnInfo\left(mb\right)$ of message $m_b$, and $\mathcal{C}$ runs $UKeyGen$ and transmits the updated key $U{K}_{m_b}$ to $\mathcal{A}$.
• Phase 2: Same as Phase 1.
• Guess:$\mathcal{A}$ calculates a guess $b^{{}^{\prime }}$ of b. In the above game, the benefit of the adversary is $Pr\left[b^{{}^{\prime }}=b\right]-{\displaystyle \frac{1}{2}}$. If all PPT adversaries have a marginal advantage in the aforesaid security game, our technique is nonadaptively secure in the ROM [38].

5. Our Methodology

The proposed methodology includes 6 steps, i.e., Setups, Key-Gen., $(Enc.)$, $(Re-Enc.)$, $(Dec.)$ and $u^{\ast }$.

• Global Initialization ($GlobalSetup$)
  The $CA$ selects the bilinear map that is $e:\mathcal{G}\ast \mathcal{G}\to {\mathcal{G}}_T$, which corresponds to the security parameter, i.e., $\lambda$, where $\mathcal{G}$ and ${\mathcal{G}}_T$ are multiplicative cyclic classes of p (p is any prime number). $\mathcal{G}$ is considered the generator and U represents the attributes’ set. The $AID$ is depicted in all attributes. The $UID$ represents the collection of global identification for all end users. Function $\mathcal{H}$ corresponds to $uid\in UID$, which is the end-user identities of the components of $\mathcal{G}$. Function $\mathcal{F}$ corresponds to the attributes of end users to $\mathcal{G}$ components. Note that $\mathcal{H}$ and $\mathcal{F}$ are the mapping functions. $\mathcal{T}$ is an object authority representation of the users’ attributes. Thus, the dimension of the $GP$ is given as

  $$\begin{array}{c}\hfill GP=\left(\mathcal{G},{\mathcal{G}}_T,p,g,e,U,AID,UID,\mathcal{H},\mathcal{F},\mathcal{T}\right).\end{array}$$

  (1)
• Attribute Authority Initialization ($AASetup$)
  For $aid\in AID$, $AA$ chooses 2 random numbers ${\alpha }_{aid},{\beta }_{aid}\in {\mathbb{Z}}_p$ ($Z_p$ must be an integer ring of order p). The public and secret keys are generated as illustrated below:

  $$\begin{array}{c}\hfill AP{K}_{aid}=\left(e{\left(g,g\right)}^{{\alpha }_{aid}},g^{{\beta }_{aid}}\right),\end{array}$$

  (2)

  $$\begin{array}{c}\hfill AS{K}_{aid}=\left({\alpha }_{aid},{\beta }_{aid}\right).\end{array}$$

  (3)
• Key-Gen.
  The key generation includes the process of generating private and attribute-group keys. For example, the method of Key-Gen is described as follows.
• End-user Private Key Generation ($SKGen$)$S_{uid,aid}$ is considered as a set of the end users’ attributes $uid$. In all attributes $i\in S_{uid,aid}$, the $AA$ nominates a random number, i.e., $t_i\in {\mathbb{Z}}_p$. It executes $K_{uid,i}=g^{{\alpha }_{aid}}\mathcal{H}{\left(uid\right)}^{{\beta }_{aid}}\mathcal{F}{\left(i\right)}^{t_i}$ and $K_{uid,i}^{{}^{\prime }}=g^{t_i}$. Finally, the end user generates the private key, i.e.,

  $$\begin{array}{c}\hfill S{K}_{S,uid,aid}=\left.\left({\left\{\left.\begin{array}{c}{K}_{uid,i},K_{uid,i}^{{}^{\prime }}\hfill \end{array}\right\}\right.}_{i\in S_{uid,aid}}\right.\right).\end{array}$$

  (4)
• Attribute-Group-Key Generation ($Attr-GroupKey-Gen.$)
  The $AA$ generates a $KEK$ tree for all users [46]. In the $KEK$ tree, a node generates a random number while a leaf node represents the end user. In this regard, the $uid$ finds a path, i.e., $PAT{H}_t$, from the leaf node towards the root node. For instance, the path key of $u_2$ is $PAT{H}_2=\left\{v_9,v_4,v_2,v_1\right\}$. Therefore, the $aid$ chooses random numbers $AG{K}_x\in {\mathbb{Z}}_p$ as attribute-group keys. $CSP$ utilizes the path key to encrypt the group key during the Re-Enc. step.
• Encryption (Enc.) In this step, the data owner and fog nodes execute the encryption process. The data owner requires $a_p=\left(\mathcal{M},\rho \right)$. The amount of computation expected for secret restoration is n, and the function $\rho$ maps each row. The data owner transmits the $a_p=\left(\mathcal{M},\rho \right)$ to the fog node.
• Fog Node Encryption ($FogEnc.$) The fog node selects a random number $\{r_1,\dots ,r_l\}\in {\mathbb{Z}}_p$ and two vectors, i.e., $z={\left(0,z_2,\dots ,z_n\right)}^{\mathcal{T}}$ and $v={\left(s,v_2,\dots ,v_n\right)}^{\mathcal{T}}$, which is randomly considered. The $s\in {\mathbb{Z}}_p^{\ast }$ is a secret to be shared. Then, it calculates ${\lambda }_i={\mathcal{M}}_{i}v$ and $w_i={\mathcal{M}}_i\times z$, $\forall i\in l$. The $\rho$ (function) maps each row ${\mathcal{M}}_i$ to the authority to provide $\rho \left(i\right)$. It executes ${\mathcal{C}}_{1,i}=e{\left(g,g\right)}^{{\lambda }_i}e{\left(g,g\right)}^{{\alpha }_{\delta \left(i\right)}{r}_i}$, ${\mathcal{C}}_{2,i}=g^{-r_i}$, ${\mathcal{C}}_{3,i}=g^{{\beta }_{\delta \left(i\right)}{r}_i}{g}^{w_i}$ and ${\mathcal{C}}_{4,i}=\mathcal{F}{\left(\rho \left(i\right)\right)}^{r_i}$. The ciphertext is calculated as

  $$\begin{array}{c}\hfill {\mathcal{CT}}_{out}^1=\left(\mathcal{A},{\left\{{\mathcal{C}}_{1,i},{\mathcal{C}}_{2,i},{\mathcal{C}}_{3,i},{\mathcal{C}}_{4,i}\right\}}_{i\in \left[l\right]}\right).\end{array}$$

  (5)
• Data-owner Encryption $(DOEnc.)$
  The $DO$ select $DK\in {\mathbb{Z}}_p$ and encrypt m by using $SE$, i.e., $\mathcal{C}=S{E}_{DK}\left(m\right)$. They also compute ${\mathcal{C}}_O=DK·e{\left(g,g\right)}^s$. Hence, the $DO$ deliver the ciphertext $\mathcal{CT}$, i.e.,

  $$\begin{array}{c}\hfill \mathcal{CT}=\left(\mathcal{A},\mathcal{C},{\mathcal{C}}_O,{\left\{{\mathcal{C}}_{1,i},{\mathcal{C}}_{2,i},{\mathcal{C}}_{3,i},{\mathcal{C}}_{4,i}\right\}}_{i\in \left[l\right]}\right).\end{array}$$

  (6)
  The fog node receives $\mathcal{CT}$ from the $DO$ to upload to the $CSP$ for re-encryption.
• Re-Encryption (Re-Enc.) In this process, the $AG{K}_{\rho \left(i\right)}$ is utilized to re-encrypt the $\mathcal{CT}$ for $\rho \left(i\right)$ related to the $\mathcal{CT}$ of the $\mathcal{A}$. In the Re-Enc., the ${\mathcal{CT}}^{{}^{\prime }}$ becomes

  $$\begin{array}{c}\hfill {\mathcal{CT}}^{\prime }=\mathcal{A},\mathcal{C},{\mathcal{C}}_O,\left\{{\mathcal{C}}_{1,i},{\mathcal{C}}_{2,i},{\mathcal{C}}_{3,i},{\mathcal{C}}_{4,i}^{{}^{\prime }}={\left({\mathcal{C}}_{4,i}\right)}^{AG{K}_{\rho \left(i\right)}}\right\},\end{array}$$

  (7)

  where $i\in \left[l\right]$. In the $KEK$ tree, $CSP$ selects the minimum root node coverage set $KEK\left(G_i\right)$ that covers the leaf nodes to the set of the end user.
  For instance, $G_i=\left\{\left.u_1,u_2,u_3,u_4,u_7,u_8\right\}\right.$ and $KEK\left(G_i\right)=\left.\left\{KE{K}_2,KE{K}_7\right.\right\}$. Lastly, the information of the header is created as

  $$\begin{array}{c}\hfill Hdr=\left(\forall y\in Y:{\left\{E_K\left(AG{K}_{\rho \left(y\right)}\right)\right\}}_{u\in KEK\left(G_y\right)}\right),\end{array}$$

  (8)

  where Y is the set of attributes in $a_p$ and $E_K\left(AG{K}_{\rho \left(y\right)}\right)$ is a symmetric encryption, i.e., $SE$ = $E_K\left(AG{K}_{\rho \left(y\right)}\right)$.
• Decryption (Dec.) The decryption involves predecryption, fog node decryption and end-user decryption.
• Predecryption ($Pre-Dec.$) If the ($a_p$) is not satisfied by the attribute set of the end user, i.e., $S_{uid}\ni a_p$, then the end user’s output is ⊥ (⊥ is an invalid output). Alternatively, the users decrypt the information by intersecting the path key and the minimum root node coverage to obtain an attribute-group key. It utilizes the attribute-group-key $AG{K}_{\rho \left(i\right)}$ to compute $K_{uid,\rho \left(i\right)}^{\ast }={\left(K_{uid,\rho \left(i\right)}^{{}^{\prime }}\right)}^{1/AG{K}_{\rho \left(i\right)}}$. Lastly, the end user upgrades the private (secret) key as follows:

  $$\begin{array}{c}\hfill S{K}_{S,uid,aid}^{{}^{\prime }}={\left\{K_{uid,\rho \left(i\right)},K_{uid,\rho \left(i\right)}^{\ast }\right\}}_{\rho \left(i\right)\in S_{uid,aid}}.\end{array}$$

  (9)
  The end user randomly chooses from the set of $z\in {\mathbb{Z}}_p$, computes $K_{uid,\rho \left(i\right)}^1={\left(K_{uid,\rho \left(i\right)}\right)}^{1/z}$ and $K_{uid,\rho \left(i\right)}^2={\left(K_{uid,\rho \left(i\right)}^{\ast }\right)}^{1/z}$ and creates outsourcing private keys as given in (10):

  $$\begin{array}{c}\hfill OS{K}_{S,uid}={\left\{K_{uid,\rho \left(i\right)}^1,K_{uid,\rho \left(i\right)}^2\right\}}_{\rho \left(i\right)\in S_{uid}}.\end{array}$$

  (10)
  Next, the end user computes ${\mathcal{C}}_{1,i}^{{}^{\prime }}={\mathcal{C}}_{1,i}^{1/z}$ and ${\mathcal{C}}_{3,i}^{{}^{\prime }}={\mathcal{C}}_{3,i}^{1/z}$ and alters the ciphertext as

  $$\begin{array}{c}\hfill {\mathcal{CT}}^{{}^{″}}=\left(\mathcal{A},\mathcal{C},{\mathcal{C}}_O,{\left\{{\mathcal{C}}_{1,i}^{{}^{\prime }},{\mathcal{C}}_{2,i},{\mathcal{C}}_{3,i}^{{}^{\prime }},{\mathcal{C}}_{4,i}^{{}^{\prime }}\right\}}_{i\in \left[l\right]}\right),\end{array}$$

  (11)

  where $\left[l\right]=\left\{1,2,\dots ,l\right\}$. Hence, $OSK$ and ${\mathcal{CT}}^{{}^{″}}$ are sent to the fog node.
• Fog Node Decryption $(Fog-Dec.)$
  The sets of fog nodes are $I=\left\{x:\rho \left(x\right)\in S_{uid}\right\}$ and they compute the constants ${\left\{c_x\in {\mathbb{Z}}_p\right\}}_{x\in l}$, i.e., ${\sum }_{x\in I}{c}_x{\mathcal{M}}_x=\left(1,0,\dots ,0\right)$, which is illustrated in (12) [45]:

  $$\begin{array}{cc}\hfill B& =\prod _{x\in I}\left({\mathcal{C}}_{1,x}^{{}^{\prime }}·e\left(K_{uid,\rho \left(i\right)}^1,{\mathcal{C}}_{2,x}\right)·e\left(\mathcal{H}\left(uid\right),{\mathcal{C}}_{3,x}^{{}^{\prime }}\right)\right.\hfill \\ \hfill & {\left.·e\left(K_{uid,\rho \left(i\right)}^2,{\mathcal{C}}_{4,x}^{{}^{\prime }}\right)\right)}^{c_x},\hfill \\ \hfill & =\prod _{x\in I}{\left(e{\left(g,g\right)}^{{\lambda }_x/z}e{\left(\mathcal{H}\left(uid\right),g\right)}^{w_x/z}\right)}^{c_x},\hfill \\ \hfill & =e{\left(g,g\right)}^{s/z}.\hfill \end{array}$$

  (12)
  As a result, the fog node transmits the ciphertext ${\mathcal{CT}}_{out}^2=\left\{\mathcal{A},\mathcal{C},{\mathcal{C}}_O,B\right\}$ to the end user.
• End-user Decryption $(end-user-Dec.)$
  After the end user obtains the ciphertext ${\mathcal{CT}}_{out}^2$ from the fog node, it computes

  $$\begin{array}{c}\hfill DK=C_o/B^z={\mathcal{C}}_O/{\left(e{\left(g,g\right)}^{s/z}\right)}^z.\end{array}$$

  (13)
  The end users now decrypt the plaintext m by utilizing the symmetric key $DK$:

  $${\mathcal{CT}}^{\ast }=\left.\begin{array}{c}\hfill \left(\begin{array}{c}\mathcal{A},\mathcal{C}=S{E}_{DK}\left(m\right),{\mathcal{C}}_O=DK·e{\left(g,g\right)}^{s^{{}^{\prime }}},{\left.\begin{array}{c}\hfill \left\{\begin{array}{c}{\mathcal{C}}_{1,i}=e{\left(g,g\right)}^{{\lambda }_i^{{}^{\prime }}}e{\left(g,g\right)}^{{\alpha }_{\delta \left(i\right)}{r}_i^{{}^{\prime }}},\hfill \\ {\mathcal{C}}_{2,i}=g^{r_i^{{}^{\prime }}},\hfill \\ {\mathcal{C}}_{3,i}=g^{{\beta }_{\delta \left(i\right)}{r}_i^{{}^{\prime }}}{g}^{w_i^{{}^{\prime }}},\hfill \\ {\mathcal{C}}_{4,i}=\mathcal{F}{\left(\rho {\left(i\right)}^{r_i^{{}^{\prime }}}\right)}^{AG{K}_u^{{}^{\prime }}}\hfill \end{array}\right.\end{array}\right\}}_{i\in l}\hfill \end{array}\right.\end{array}\right).$$

  (14)
• Attribute Revocation The attribute-revocation algorithm includes the attribute-group key and ciphertext update algorithms. The proposed method is nonadaptively secure in ROM [38]. It is to be noted that the $CSP$ is semitrusted in our work. Since the attribute revocation means that the end user’s attributes have changed, the data owner defines the access policy. Therefore, the attribute revocation will not change the access policy. Consequently, the system is secure. Following this concept, the ciphertext with the policy with “A and B” or “A and C” can be unchanged if “B” is revoked. For example, there are two end users, i.e., Alice and Bob. The attribute set of Alice is {A, B}, and the attribute set of Bob is {A, C}. If “B” is revoked, Alice cannot access the data, but Bob will access the data.
• Attribute-Group-Key Update $(Key-Update)$
  Suppose the end-user attribute x is revoked. In that case, the $AA$ finds the updated attribute-group key $AG{K}_x^{{}^{\prime }}\in {\mathbb{Z}}_p$ for attribute x and transmits the updated attribute-group key by updating the attribute end-user group to $CSP$.
• Ciphertext Update $(\mathcal{CT}-Update)$ When $CSP$ achieves a revocation request, it selects a random $r_1^{{}^{\prime }},\dots ,r_l^{{}^{\prime }}\in {\mathbb{Z}}_p$, $v^{{}^{\prime }}={\left(s^{{}^{\prime }},v_2^{{}^{\prime }},\dots ,v_n^{{}^{\prime }}\right)}^{\mathcal{T}}$ and $z^{{}^{\prime }}={\left(0,z_2^{{}^{\prime }},\dots ,z_n^{{}^{\prime }}\right)}^{\mathcal{T}}$ and recalculates ${\lambda }_i^{{}^{\prime }}={\mathcal{M}}_i{v}^{{}^{\prime }}$ and $w_i^{{}^{\prime }}={\mathcal{M}}_i{z}^{{}^{\prime }}$. Consequently, it updates the ciphertext as given in (14).
  Finally, the header information is regenerated as follows:

  $$\begin{array}{c}\hfill Hdr=\left(\forall y\in Y:{\left\{\left.E_K\left(AG{K}_{\rho \left(y\right)}^{{}^{\prime }}\right)\right\}\right.}_{u\in KEK\left(G_y\right)}\right).\end{array}$$

  (15)

6. Security and Performance Analysis

This section consists of a security analysis to prove the proposed security model. In addition, this section also discusses the computational and energy consumption analysis.

6.1. Security Analysis

We assume a probabilistic polynomial-time adversary $\mathcal{A}$ to break the proposed methodology with a non-negligible advantage. In this regard, we created a simulator $\mathcal{B}$ that can break the decisional q-parallel bilinear Diffie–Hellman exponent by $\frac{\epsilon }{2}$. $\mathcal{C}$ first selects $\mathcal{G}$ and ${\mathcal{G}}_T$ and $e:\mathcal{G}\ast \mathcal{G}\to {\mathcal{G}}_T$. The $\mathcal{C}$ tosses a uniform coin and chooses the random number (in bits) $v\in \left(0,1\right)$, given that $\overrightarrow{y}=\left(g,g_1,\dots ,g_q,g_{q+2},\dots ,g_{2q},g_s\right)$. If $v=1$, the $\mathcal{C}$ orders $\mathcal{T}=\widehat{e}{(g,g)}^{a^{q+1}s}$; otherwise, $\mathcal{T}=Z$. The Z is randomly chosen from ${\mathcal{G}}_T$. Further details are given below.

• Initialization:$\mathcal{A}$ selects $\left({\mathcal{M}}^{\ast },{\rho }^{\ast }\right)$ and $u^{\ast }$.
• Setup: The simulator $\mathcal{B}$ accepts $GP$, i.e., $GP=\left(\mathcal{G},{\mathcal{G}}_T,p,g,e,U,AID,UID,\mathcal{H},\mathcal{F},\mathcal{T}\right)$ from the $\mathcal{C}$, and delivers to $\mathcal{A}$. The adversary $\mathcal{A}$ obtains a set of corrupt authorities $AI{D}_C\subset AID$ and the remaining noncorrupt authorities $AI{D}_N=\left(AID-AI{D}_C\right)$. As a result, $\mathcal{B}$ accepts the data from $\mathcal{A}$ and transmits them to $\mathcal{C}$.
• Phase 1: For noncorrupt authorities $AI{D}_N$, $\mathcal{C}$ transmits the authorized public keys to $\mathcal{B}$, which are then transmitted to $\mathcal{A}$. Consider the secret key query $\left(uid,S_{uid,aid}\right)$ from $\mathcal{A}$, where $uid\in UID$, $S_{uid,aid}\in U$. $\mathcal{B}$ transmits it to $\mathcal{C}$ and attains the private key $S{K}_{S,uid,aid}={\left\{\left.\begin{array}{c}{K}_{uid,i},K_{uid,i}^{{}^{\prime }}\hfill \end{array}\right\}\right.}_{i\in S_{uid,aid}}$. For each attribute $x\in S_{uid,aid}$, $\mathcal{B}$ executes Attr-Group Key-Gen. in order to generate a Binary State Tree and an attribute-group key. Here, it is important to see that $PAT{H}_{u}id$ is included in the tree. Finally, $\beta$ transmits $S{K}_{S,uid,aid}$ and $PAT{H}_{uid}$ to $\mathcal{A}$.
• Challenge:$\mathcal{A}$ sends $\left(m_0,m_1\right)$ of equal length and $a_p$, i.e., $\left\{\left({\mathcal{M}}_1^{\ast },p_1^{\ast }\right),\dots ,\left({\mathcal{M}}_q^{\ast },p_q^{\ast }\right)\right\}$ to $\mathcal{B}$. Thus, $\mathcal{B}$ sends to $\mathcal{C}$. Thus, $\mathcal{C}$ tosses a random coin, i.e., $b\in \left\{0,1\right\}$, and encrypts $m_b$. $\mathcal{C}$ sends the challenge ciphertext $\left\{C{T}_1,\dots ,C{T}_q\right\}$ to $\mathcal{B}$. Then, $\mathcal{B}$ runs the $Attr-GroupKey-Gen.$ and re-encrypts the ciphertext as $C{T}_i^{\ast }$. Finally, $\mathcal{B}$ sends the ciphertext $\left\{{\mathcal{CT}}_q^{\ast },\dots ,{\mathcal{CT}}_q^{\ast }\right\}$ to $\mathcal{A}$.
  Furthermore, we consider a scenario where $\mathcal{A}$ delivers the updated query of the secret key to submit $\left(uid,S_{uid,aid}\right)$ and revoke the attribute u. However, each $uid$ is an unrevoked end user having attribute u. As a result, $\mathcal{B}$ computes the secret key query to obtain $S{K}_{S,uid,aid}$ from $\mathcal{C}$ and computes the process, i.e., $KeyUpdate(uid,S{K}_{S,uid,aid},u,$$AG{K}_u^{{}^{\prime }})\to S{K}_{S,uid,aid}^{{}^{\prime }}$ to transmit the updated secret key $S{K}_{S,uid,aid}^{{}^{\prime }}$ to $\mathcal{A}$.
  The $\mathcal{A}$ can also make the $UkeyGen.$ query for the challenge messages $\left(m_0,m_1\right)$ between two access policies, i.e., $\left({\mathcal{M}}_i^{\ast },{\rho }_i^{\ast }\right)$ and $\left({\mathcal{M}}_j^{\ast },{\rho }_j^{\ast }\right)$, $\forall i\ne j$ & $i,j\in \left[1,q\right]$. B sends the request to $\mathcal{C}$. Since only one $m_b$ is selected by $\mathcal{C}$ in the encryption stage, we assume that the random encryption numbers are the same in encrypting $m_0$ and $m_1$. Thus, $\mathcal{C}$ runs the $UKeyGen$ and returns the same update key $U{K}_{m_b}$ that will hide the data. Finally, $\mathcal{B}$ transmits $U{K}_{m_b}$ to $\mathcal{A}$.
• Phase 2: This phase has the same process as mentioned in Phase 1.
• Guess: The attacker finally outputs a guess $b^{{}^{\prime }}$ of b. If $b^{{}^{\prime }}=b$, $\mathcal{B}$ provides the output 0 so that $\mathcal{T}=e{(g,g)}^{a^{q+1}}$. Contrarily, it provides output 1 to show that it believes $\mathcal{T}$ is a random-group element in ${\mathcal{G}}_T$. Here, $\mathcal{T}$ is a tuple. Thus, $\mathcal{B}$ implies $Pr\left[\mathcal{B}\left(\overrightarrow{y},\mathcal{T}=e{(g,g)}^{a^{q+1}s}\right)=0\right]=\frac{1}{2}+Ad{v}_{\mathcal{A}}$. Moreover, the $\mathcal{T}$ is a random-group element, and the message $m_c$ is completely hidden from the adversary at $Pr\left[\mathcal{B}\left(\overrightarrow{y},\mathcal{T}=e{(g,g)}^{a^{q+1}s}\right)=0\right]=\frac{1}{2}$. Hence, $\mathcal{B}$ plays the decisional q-parallel bilinear Diffie–Hellman exponent game with a non-negligible advantage.
• Anticollision: Furthermore, in this research work, the attribute authority produces the private keys with respect to the end users. The private keys are related to $t_i$, and each end user has a special connection. Therefore, combining components in different private keys is pointless. Assume that the access need is met by combining two or more end users with distinct attributes. End users cannot evaluate $\mathcal{B}=e{\left(g,g\right)}^{s/z}$ in the decryption process. This technique in our work is considered as anticollision.

6.2. Computational Analysis

Exponential and bilinear pairing operations take up the majority of the execution time. Since the multiplication operation can be ignored, the exponential and bilinear pairing operations are investigated. In addition,

Table 4. Computational complexity of different algorithms.

Algorithm	Computational Complexity
GlobalSetup	O(1)P
AASetup	O(1)E
Key-Gen.	O($n_k$)E
Enc	O($n_c$)E
Dec	O($n_d$)E + O($n_d$)P
KeyUpdate	O($n_r$)E
CTUpdate	O($n_c$)E

shows the computational complexity of the algorithms. The description for the symbols is written in

Table 5. Description of Table 4’s computational complexity notations.

Notation	Description
E	Exponential operation
P	Pairing operation
$n_c$	Access policy attributes
$n_d$	Decryption attributes
$n_k$	End users’ attributes
$n_r$	Revoked attributes

.

We used the Ubuntu 16.04 operating system with a Core i5 Intel processor with 2.40 GHz and Charm encryption library packages from Stanford-based pairing cryptography [47]. The simulation experiment corresponds to the elliptic curve ($y^2=x^3+x$) with symmetrical bilinear pairings (SS512). We compare our method with the schemes in [13,14]. The attributes are chosen between 2 and 20. We also considered five fog servers and twenty end users. The communication range between the fog servers and end users is 100 m. The path loss factor is considered as four.

In the first experiment, we determine the computing overhead of the Key-Gen. algorithm based on the number of attribute authority (AA) figures and the number of attributes per attribute authority (AA) figure, as shown in Figure 4a and Figure 4b, respectively. The proposed scheme is compared with the other two methods, i.e., the collision-avoidance CP-ABE scheme [14] and ABE-based attribute revocation [13]. As shown in Figure 4a,b, the operation time of the Key-Gen. exhibits a linear growth relationship in all three schemes due to the increase in the number of attributes and number of attributes/AA. As a result, the operating time of our proposed method outperforms the collision-avoidance CP-ABE scheme [14]. Nevertheless, the operation time is slightly higher than the scheme [13]. Our scheme generates group-key attributes in the Key-Gen. process. Therefore, the proposed scheme and ABE-based attribute-revocation scheme [13] are close to each other.

We further analyze the proposed work’s computing overhead in terms of the encryption algorithm based on the number of attribute authority (AA) figures and attributes per attribute authority (AA) figure. As shown in Figure 5a,b, the encryption time increases linearly in the case of collusion-avoidance CP-ABE [14] and ABE-based attribute revocation [13], respectively. However, the running time for the encryption operation remains constant. It is found that the encryption time is less than 0.5 s even if the number of AA figures and number of attributes/AA increases. This constant value is due to the outsourcing process of encryption. Hence, this work outperforms [13,14].

We also find out the computing overhead of the decryption algorithm versus the number of AA figures and number of attributes/AA, as shown in Figure 6a,b. As observed from Figure 6a, the operation time of the decryption algorithm of the collision-avoidance CP-ABE scheme [14] improves with the number of AA figures. Similarly, the operation time of the decryption algorithm of the collision-avoidance CP-ABE scheme [14] also increases with the number of attributes/AA, as depicted in Figure 6b. The computing time of the decryption process in our proposed scheme remains constant, even if the number of AA figures and number of attributes/AA increases, as pointed out in Figure 6a,b. This constant value that does not increase linearly is due to outsourcing the decryption operation to the fog nodes. The end-user decryption needs only one division and power operation to obtain and use the end-user key to solve the final data. The linear secret-sharing scheme (LSSS) matrix calculation is not involved in end-user decryption, i.e., the part about attributes is not involved [48,49]. Therefore, the decryption time does not increase with the number of AA figures and number of attribute/AA. The ABE-based attribute revocation remains constant, even if the number of AA figures and number of attributes/AA increase. The reason is that the scheme in [13] also proposed an outsourcing mechanism to fog nodes in the decryption operation.

Finally, we compare the attribute-revocation algorithm’s computational overhead between the ciphertext update ($CTUpdate$) and key update ($KeyUpdate$). The comparison is depicted in Figure 7. It can be readily seen from Figure 7 that the revocation algorithm’s operation time increases with the number of attributes to be revoked. The $CTUpdate$ time is longer than the $KeyUpdate$ time. The reason is that only the attribute-group key needs to be updated. However, the entire ciphertext must be updated when the key is updated. However, in both cases, the computational time is lower than 0.6 s to ensure the attribute revocation’s efficiency in our proposed scheme.

7. Conclusions

This work investigates the MA-ABE technique that helps attribute revocation and computation outsourcing for resource-constraint devices in fog computing. We proposed a cloud-fog-terminal network system and an attribute-revocation technique based on multiauthority ciphertext policy-attribute-based encryption (MA-CP-ABE). The secret keys are generated dynamically by introducing the attribute-group key. The proposed method reduces the operation time for the encryption and decryption process. We outsource cryptography operations to the fog node, reducing the end user’s computational cost. Eventually, simulated outcomes are used to assess the algorithm’s computational cost.

Energy consumption is the energy consumed when transmitting data from end devices to fog nodes. It is a matter of fact that with the increase in the data size, the energy consumption of the encryption and decryption algorithms will increase. Hence, energy consumption is a critical matter that can be evaluated in the future. We also plan to design a CP-MA-ABE scheme with conditional privacy that supports the revocation mechanism. We also intend to design a handover scheme that reduces the overhead caused by re-encryption and decryption. The aforementioned futuristic directions will have a lot of study value and impact in this area.