# Efficient Revocable Attribute-Based Encryption with Data Integrity and Key Escrow-Free

## Abstract

## 1. Introduction

#### 1.1. Related Works

- **Data integrity**: When the CSP performs the revocation operation to generate a ciphertext under the new access policy, the user can check whether the plaintext corresponding to the new ciphertext is the same as the originally encrypted plaintext.
- **Key-escrow free**: An attribute authority is introduced, and a secure 2PC protocol is executed between the key authority and the attribute authority to generate the user’s private key. Neither side can obtain the complete private key, which solves the key escrow problem.
- **Security and efficiency**: Under the decisional q-PBDHE assumption, our scheme is secure against chosen plaintext attacks. Performance analysis illustrates the practicability and effectiveness of the proposed scheme.

#### 1.2. Organization

## 2. Preliminaries

**Bilinear maps** The bilinear map $e:G\times G\to {G}_{T}$ has the following properties:

- Bilinear: $\forall a,b\in G,u,v\in {Z}_{p}^{\ast}$, $e\left({a}^{u},{b}^{v}\right)=e{\left(a,b\right)}^{uv}$ holds.
- Non-degeneracy: $e\left(a,b\right)\ne 1$.
- Computability: $e\left(a,b\right)$ can be effectively calculated.

**Access policy** A set $A\subseteq {2}^{\left\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\right\}}$ is called monotone if $B\in A$ and $B\subseteq C$ imply $C\in A$. An access policy is a monotone set $A$ of non-empty subsets of $\left\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\right\}$, i.e., $A\subseteq {2}^{\left\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\right\}}\backslash \{\varnothing \}$. The sets in $A$ are referred to as the authorized sets; all other sets are referred to as the unauthorized sets.

**Linear secret sharing scheme (LSSS)** A linear secret sharing scheme $\mathsf{\Pi}$ on ${Z}_{p}$ meets the following two conditions:

- Each participant’s share is a component of a vector over ${Z}_{p}$.
- Define a share-generating matrix ${M}_{m\times n}$ and a function $\rho (j):\left\{1,\cdots ,m\right\}\to \{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}$ that maps each row index $j\in \left[1,m\right]$ of ${M}_{m\times n}$ to a participant. Randomly choose a vector $\overrightarrow{u}=\left(r,{u}_{2},\cdots ,{u}_{n}\right)$, where $r\in {Z}_{p}$ is the secret value to be shared and ${u}_{2},\cdots ,{u}_{n}\in {Z}_{p}$ are picked at random. Then $M\cdot \overrightarrow{u}$ represents the $m$ shares of $r$ according to $\mathsf{\Pi}$.
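
The sharing and reconstruction described above can be exercised directly. The following is an added example, not code from the paper: the policy "A AND (B OR C)", its matrix, and the modulus are constructed for illustration, and rows are 0-indexed. It also computes the reconstruction constants $\eta_j$ with $\Sigma_j \eta_j M_j=(1,0,\cdots ,0)$ that the decryption algorithms later rely on, and shows that an unauthorized set has none.

```python
"""LSSS over Z_p: share a secret with M, rebuild it from an authorized set."""
import secrets

P = 2**127 - 1  # prime modulus standing in for the group order p (constructed)

# Constructed policy "A AND (B OR C)"; row j of M belongs to attribute RHO[j].
M = [[1, 1],
     [0, -1],
     [0, -1]]
RHO = ["A", "B", "C"]


def share(secret, matrix, p=P):
    """Return the m shares M . u for u = (secret, u_2, ..., u_n)."""
    n = len(matrix[0])
    u = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, u)) % p for row in matrix]


def recon_coeffs(matrix, rho, attrs, p=P):
    """Solve sum_{j in Q} eta_j * M_j = (1, 0, ..., 0) over Z_p.

    Q is the set of rows whose attribute is in attrs. Returns {row: eta}
    or None when attrs is not an authorized set.
    """
    q_rows = [j for j, a in enumerate(rho) if a in attrs]
    n = len(matrix[0])
    # One equation per column k of M; unknowns are eta_j for j in Q.
    aug = [[matrix[j][k] % p for j in q_rows] + [1 if k == 0 else 0]
           for k in range(n)]
    pivots, row = [], 0
    for col in range(len(q_rows)):
        piv = next((i for i in range(row, n) if aug[i][col]), None)
        if piv is None:
            continue  # free variable, left at 0
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, p)
        aug[row] = [v * inv % p for v in aug[row]]
        for i in range(n):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(v - f * w) % p for v, w in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    # A row reading 0 = nonzero means the target vector is outside the span.
    if any(not any(r[:-1]) and r[-1] for r in aug):
        return None
    eta = {j: 0 for j in q_rows}
    for r, col in enumerate(pivots):
        eta[q_rows[col]] = aug[r][-1]
    return eta


def reconstruct(shares, eta, p=P):
    """Recombine shares: sum_j eta_j * share_j mod p."""
    return sum(c * shares[j] for j, c in eta.items()) % p


def demo():
    """Share a random secret; rebuild with {A, C}; try the unauthorized {B, C}."""
    r = secrets.randbelow(P)
    shares = share(r, M)
    ok = recon_coeffs(M, RHO, {"A", "C"})
    bad = recon_coeffs(M, RHO, {"B", "C"})
    return r, reconstruct(shares, ok), bad


if __name__ == "__main__":
    secret, rebuilt, unauthorized = demo()
    print("rebuilt == secret:", rebuilt == secret)
    print("coefficients for {B, C}:", unauthorized)
```
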

**Discrete logarithm assumption (DL)** Let $G$ be a group of prime order $p$, and $g$ be a generator. The DL assumption states that, given $\left(g,{g}^{\phi}\right)$ for a randomly chosen $\phi \in {Z}_{p}^{\ast}$, for any PPT algorithm $\mathcal{A}$ the probability $\mathrm{Pr}\left[\mathcal{A}(g,{g}^{\phi})=\phi \right]\le \epsilon $ is negligible.

**Decisional q-Parallel Bilinear Diffie-Hellman Exponent assumption (q-PBDHE)** Let $a,{d}_{1},\cdots ,{d}_{q},r\in {Z}_{p}$ be chosen randomly, and $e:G\times G\to {G}_{T}$ be a bilinear map. Given tuple:

## 3. System Model

**DO**: The DO sets an access policy for the data, generates file ciphertext using a combination of symmetric encryption (AES) and the CP-ABE algorithm, and finally sends the complete ciphertext to the CSP.

**CSP**: The CSP stores ciphertext uploaded by the DO and performs the revocation operation.

**DU**: The DU downloads ciphertext from the CSP. If the attributes of the DU match the access policy embedded in the ciphertext, he or she can decrypt the data to obtain plaintext.

**KA/AA**: The KA and AA are responsible for system initialization and generating user private keys.

#### 3.1. Formal Definition

- (1) $Setup\_KA(\lambda ,\mathrm{U})\to (Para{m}_{1},MS{K}_{1})$. This algorithm generates the public key $Para{m}_{1}$ and private key $MS{K}_{1}$ of the KA according to the security parameter $\lambda $ and system attribute set $\mathrm{U}$.
- (2) $Setup\_AA(Para{m}_{1})\to (Para{m}_{2},MS{K}_{2})$. This algorithm generates the public key $Para{m}_{2}$ and private key $MS{K}_{2}$ of the AA according to $Para{m}_{1}$.
- (3) $Keygen(MS{K}_{1},MS{K}_{2},Param,\mathbb{S})\to SK$. This algorithm generates the user’s private key $SK$ through a secure 2PC protocol.
- (4) $Encrypt(Param,F,({M}_{m\times n},\rho ))\to CT$. This algorithm encrypts data files $F$ and uploads the ciphertext to the CSP.
- (5) $Decryp{t}_{or}(SK,CT)\to F$. This algorithm inputs $SK$ and $CT$, and outputs a shared data file $F$ or a special symbol $\perp $.
- (6) $Revoke(CT,({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho}))\to C{T}^{\prime}$. This algorithm inputs $CT$ and a revocation access policy $({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho})$, and it outputs a revoked ciphertext $C{T}^{\prime}$.
- (7) $Decryp{t}_{re}(S{K}^{\prime},CT,C{T}^{\prime})\to F$. This algorithm inputs updated private key $S{K}^{\prime}$, $CT$ and $C{T}^{\prime}$, and outputs a shared data file $F$ or a special symbol $\perp $.

#### 3.2. Security Model

**Game-I** and **Game-II**) between adversary $\mathcal{A}$ and challenger $\mathcal{C}$.

**Game-I** describes a security game under selective plaintext attack.

- Initialization: $\mathcal{A}$ chooses a challenge access policy $({M}^{\ast}{}_{{m}^{\ast}\times {n}^{\ast}},{\rho}^{\ast})$ and sends it to challenger $\mathcal{C}$.
- Setup: $\mathcal{C}$ executes the $Setup$ algorithm to obtain the master public key $Param$ and returns it to $\mathcal{A}$.
- Private key query phase 1: $\mathcal{A}$ chooses a user attribute set $\mathbb{S}$, with the requirement that $\mathbb{S}$ does not satisfy $({M}^{\ast}{}_{{m}^{\ast}\times {n}^{\ast}},{\rho}^{\ast})$. $\mathcal{C}$ runs $Keygen$, generates the private key $SK$ and returns it to $\mathcal{A}$.
- Challenge: $\mathcal{A}$ submits two data files ${F}_{0}$ and ${F}_{1}$ of equal length to $\mathcal{C}$. $\mathcal{C}$ chooses $\theta \in \left\{0,1\right\}$ randomly and encrypts ${F}_{\theta}$ to get the challenge ciphertext $C{T}^{\ast}$. $\mathcal{C}$ returns the ciphertext $C{T}^{\ast}$ to $\mathcal{A}$.
- Private key query phase 2: Similar to the previous stage, $\mathcal{C}$ continues to answer $\mathcal{A}$’s query.
- Guess: $\mathcal{A}$ outputs its guess ${\theta}^{\prime}\in \left\{0,1\right\}$ for $\theta $.

**Definition 1.**

**Game-II** describes a security game under data integrity attack.

- Setup: $\mathcal{C}$ executes the $Setup$ algorithm to get the public parameter $Param$ and returns it to $\mathcal{A}$.
- Private key query phase 1: $\mathcal{A}$ can perform the key extraction query on the user attribute set $\mathbb{S}$. $\mathcal{C}$ returns $SK$ to $\mathcal{A}$ by executing the $Keygen$ algorithm.
- Challenge: $\mathcal{A}$ sends the data file $F$ and a challenge access policy $\left({M}_{m\times n},\rho \right)$ to $\mathcal{C}$. Then $\mathcal{C}$ sends challenge ciphertext $CT$ to $\mathcal{A}$ by executing the $Encrypt$ algorithm.
- Private key query phase 2: Similar to the previous stage, $\mathcal{C}$ continues to answer $\mathcal{A}$’s query.
- Guess: $\mathcal{A}$ outputs attribute set ${\mathbb{S}}^{\prime}$ and revoked ciphertext $C{T}^{\prime}$. $\mathcal{A}$ wins the integrity game if ${\mathit{Dec}}_{re}\left(S{K}_{{\mathbb{S}}^{\prime}},CT,C{T}^{\prime}\right)\notin \{F,\perp \}$.

**Definition 2.**

## 4. Our RABE Construction

- (1) $Setup\_KA(\lambda ,\mathrm{U})\to (Para{m}_{1},MS{K}_{1})$. This algorithm takes as input the system security parameter $\lambda $ and the attribute set $\mathrm{U}$, and generates two cyclic groups $G$, ${G}_{T}$ of prime order $p$ and a bilinear map $e:G\times G\to {G}_{T}$. Let $g$ be a generator in $G$. The KA randomly selects $g,\mu ,\nu \in G$, $a,b,{\alpha}_{1}\in {Z}_{p}^{\ast}$, a hash function $\widehat{H}:{G}_{T}\to {Z}_{p}^{\ast}$ and ${h}_{1},{h}_{2},\cdots ,{h}_{\left|\mathrm{U}\right|}$; the algorithm then outputs $$Para{m}_{1}=\left(G,{G}_{T},e,g,{g}^{a},\mu ,\nu ,\left\{{h}_{i}|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},{g}^{b},{E}^{{\alpha}_{1}},\widehat{H}\right),MS{K}_{1}=\left({\alpha}_{1},b\right).$$
- (2) $Setup\_AA(Para{m}_{1})\to (Para{m}_{2},MS{K}_{2})$. The AA selects ${\alpha}_{2}\in {Z}_{p}^{\ast}$ randomly and outputs $Para{m}_{2}=\left({E}^{{\alpha}_{2}}\right)$, $MS{K}_{2}=\left({\alpha}_{2}\right)$. The AA keeps $MS{K}_{2}$ secret and publishes $Para{m}_{2}$. Then we have $$Param=\left(G,{G}_{T},e,g,{g}^{a},\mu ,\nu ,\left\{{h}_{i}|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},{g}^{b},{E}^{\alpha},\widehat{H}\right),MSK=({\alpha}_{1},{\alpha}_{2},b),$$
- (3) $KeyGen(MS{K}_{1},MS{K}_{2},Param,\mathbb{S})\to SK$. In this algorithm, the KA and the AA use the secure 2PC protocol to generate the user’s private key. First, the KA inputs $\left({\alpha}_{1},b\right)$ and the AA inputs ${\alpha}_{2}$; the protocol computes $\omega =({\alpha}_{1}+{\alpha}_{2})b$ and returns $\omega $ to the AA, where the KA does not know ${\alpha}_{2}$ and the AA does not know $\left({\alpha}_{1},b\right)$. Then the AA and the KA interact to generate $S{K}_{2}$:
  - The AA selects ${t}_{1}\in {Z}_{p}^{\ast}$ at random, computes ${X}_{1}={g}^{\omega /{t}_{1}}={g}^{({\alpha}_{1}+{\alpha}_{2})b/{t}_{1}}$, generates the knowledge proof of $\omega ,{t}_{1}$, then sends ${X}_{1}$ and $PoK(\omega ,{t}_{1})$ to the KA.
  - The KA selects $s,\tau \in {Z}_{p}^{\ast}$ at random, computes ${T}_{1}={X}_{1}^{\tau /b}={g}^{({\alpha}_{1}+{\alpha}_{2})\tau /{t}_{1}}$, ${T}_{2}={g}^{s\tau \cdot a}$, then transmits ${T}_{1},{T}_{2}$ and $PoK(\tau ,s,b)$ to the AA.
  - The AA selects ${t}_{2}\in {Z}_{p}^{\ast}$ at random, computes ${X}_{2}={({T}_{1}^{{t}_{1}}{T}_{2})}^{{t}_{2}}={({g}^{({\alpha}_{1}+{\alpha}_{2})\tau}{g}^{s\tau a})}^{{t}_{2}}$, then sends ${X}_{2}$ and $PoK({t}_{2})$ to the KA.
  - The KA computes ${T}_{3}={X}_{2}^{1/\tau}={({g}^{({\alpha}_{1}+{\alpha}_{2})}{g}^{sa})}^{{t}_{2}}$ and sends $PoK(\tau )$ and ${T}_{3}$ to the AA.
  - The AA calculates $D={T}_{3}^{1/{t}_{2}}={g}^{\alpha}{g}^{sa}$, and then transmits $S{K}_{2}=\left\{D={g}^{\alpha}{g}^{sa}\right\}$ to the DU.
  - The KA computes ${D}_{0}={g}^{s},{D}_{x}={h}_{x}^{s},\forall x\in \mathbb{S}$ and sends $S{K}_{1}=\left\{{D}_{0}={g}^{s},{D}_{x}={h}_{x}^{s}\right\}$ to the DU.
  - The DU’s final private key is $SK=\left\{D={g}^{\alpha}{g}^{sa},{D}_{0}={g}^{s},{D}_{x}={h}_{x}^{s}(\forall x\in \mathbb{S})\right\}$. The above protocol is illustrated in Figure 2.

- (4) $Encrypt(Param,F,({M}_{m\times n},\rho ))\to CT$. This algorithm takes as input the shared data file $F$, $Param=\left(G,{G}_{T},e,g,{g}^{a},\mu ,\nu ,\left\{{h}_{i}|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},{g}^{b},{E}^{\alpha},\widehat{H}\right)$ and an access policy $({M}_{m\times n},\rho )$, where the function $\rho :\left\{1,2,\cdots ,m\right\}\to \mathrm{U}$ associates each row of ${M}_{m\times n}$ with an attribute. The algorithm encrypts the file $F$ using the AES algorithm to get the shared data ciphertext $CF=En{c}_{ck}(F)$, where $ck$ is a symmetric key. The DO randomly selects a vector $\overrightarrow{u}=(r,{u}_{2},\cdots ,{u}_{n})\in {Z}_{p}^{\ast}$ and ${c}_{j}\in {Z}_{p}$, and computes ${\zeta}_{j}=\overrightarrow{u}\cdot {M}_{j}$, $j\in \left[1,m\right]$. Then $${C}_{1}=ck\cdot {E}^{\alpha r},{C}_{2}={g}^{r},{C}_{3,j}={h}_{\rho (j)}^{-{c}_{j}}{g}^{a{\zeta}_{j}},{C}_{4,j}={g}^{{c}_{j}},\forall j\in \left[1,m\right],{C}_{5}={\mu}^{\widehat{H}(F)}{\nu}^{\widehat{H}(ck)},$$
- (5) $Decryp{t}_{or}(SK,CT)\to F$. The DU runs the algorithm and decrypts the ciphertext $CT$. The algorithm takes as input the private key $SK=\left\{D,{D}_{0},{D}_{x}(\forall x\in \mathbb{S})\right\}$ and $CT=\left\{CF,C\right\}$. If the attribute set $\mathbb{S}$ satisfies $\left({M}_{m\times n},\rho \right)$, let $Q=\left\{j:\rho (j)\in \mathbb{S}\right\}\subset \left\{1,\cdots ,m\right\}$ and calculate the constants ${\left\{{\eta}_{j}\right\}}_{j\in Q}$ such that ${\Sigma}_{j\in Q}{\eta}_{j}{M}_{j}=\left(1,0,0,\cdots ,0\right)$. The algorithm then computes $$ck={C}_{1}/\frac{e(D,{C}_{2})}{{({\mathsf{\Pi}}_{j\in Q}e({D}_{0},{C}_{3,j})\cdot e({D}_{\rho (j)},{C}_{4,j}))}^{{\eta}_{j}}}.$$
- (6) $Revoke(CT,({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho}))\to C{T}^{\prime}$. The CSP runs the algorithm. It takes as input $CT=\left\{CF,C\right\}$ and a revocation access policy $({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho})$, where the function $\overline{\rho}:\left\{1,2,\cdots ,\overline{m}\right\}\to \mathrm{U}$ is defined on the rows of ${\overline{M}}_{\overline{m}\times \overline{n}}$. It outputs a revoked ciphertext $C{T}^{\prime}$ under a revoked access policy $\left({{M}^{\prime}}_{{m}^{\prime}\times {n}^{\prime}},{\rho}^{\prime}\right)$, where ${\rho}^{\prime}:\left\{1,2,\cdots ,{m}^{\prime}\right\}\to \mathrm{U}$, ${m}^{\prime}=m+\overline{m}$, ${n}^{\prime}=n+\overline{n}$. Then, it randomly selects $\tilde{\overrightarrow{u}}=(\tilde{r},{\tilde{u}}_{2},\cdots ,{\tilde{u}}_{{n}^{\prime}})\in {Z}_{p}^{{n}^{\prime}}$ and ${\tilde{c}}_{j}\in {Z}_{p}$ for each $j\in [1,{m}^{\prime}]$, and computes ${\tilde{\zeta}}_{j}=\tilde{\overrightarrow{u}}\cdot {M}_{j}^{\prime}$, $j\in [1,{m}^{\prime}]$. The algorithm computes $\widehat{C}$: $${L}_{1}={C}_{1},{L}_{2}={C}_{2},{L}_{3,j}={C}_{3,j},{L}_{4,j}={C}_{4,j},j\in \left[1,m\right],{L}_{3,j}={1}_{G},{L}_{4,j}={1}_{G},j\in \left[m+1,{m}^{\prime}\right],$$ $${K}_{1}={E}^{\alpha \tilde{r}},{K}_{2}={g}^{\tilde{r}},{K}_{3,j}={g}^{a{\tilde{\zeta}}_{j}}{h}_{\rho (j)}^{-{\tilde{c}}_{j}},{K}_{4,j}={g}^{{\tilde{c}}_{j}},\forall j\in \left[1,{m}^{\prime}\right].$$ $${C}_{1}^{\prime}={L}_{1}\cdot {K}_{1},{C}_{2}^{\prime}={L}_{2}\cdot {K}_{2},{C}_{3,j}^{\prime}={L}_{3,j}\cdot {K}_{3,j},{C}_{4,j}^{\prime}={L}_{4,j}\cdot {K}_{4,j},\forall j\in \left[1,{m}^{\prime}\right],{C}_{5}^{\prime}={C}_{5}.$$
- (7) $Decryp{t}_{re}(S{K}^{\prime},CT,C{T}^{\prime})\to F$. The algorithm takes as input $S{K}^{\prime}$, $CT=\left\{CF,C\right\}$ and $C{T}^{\prime}=\left\{{C}^{\prime},CF\right\}$, and verifies whether ${C}_{5}^{\prime}={C}_{5}$; if not, it outputs $\perp $. Then, if the attribute set ${\mathbb{S}}^{\prime}$ of $S{K}^{\prime}$ satisfies $\left({M}^{\prime},{\rho}^{\prime}\right)$, let ${Q}^{\prime}=\left\{j:{\rho}^{\prime}(j)\in {\mathbb{S}}^{\prime}\right\}\subset \left\{1,\cdots ,{m}^{\prime}\right\}$; there are constants ${\left\{{\eta}_{j}^{\prime}\right\}}_{j\in {Q}^{\prime}}$ such that ${\Sigma}_{j\in {Q}^{\prime}}{\eta}_{j}^{\prime}\cdot {M}_{j}^{\prime}=\left(1,0,0,\cdots ,0\right)$. Then the DU computes: $$ck={C}_{1}^{\prime}/\frac{e(D,{C}_{2}^{\prime})}{{({\mathsf{\Pi}}_{j\in {Q}^{\prime}}e({D}_{0},{C}_{3,j}^{\prime})\cdot e({D}_{{\rho}^{\prime}(j)},{C}_{4,j}^{\prime}))}^{{\eta}_{j}^{\prime}}},$$
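
The blinding exchange of $KeyGen$ in step (3) can be traced message by message. The following is an added example, not code from the paper: it runs the five messages $X_1, T_1, T_2, X_2, T_3$ in a constructed toy prime-order group (the scheme itself uses a pairing group, but $KeyGen$ only needs exponentiation) and checks that the AA ends up with $D=g^{\alpha_1+\alpha_2}g^{sa}$. Assumptions: the 2PC that yields $\omega$ is modelled as an ideal function, the $PoK$ messages are omitted, and the class and function names are hypothetical.

```python
"""KeyGen blinding exchange between KA and AA, in a toy prime-order group."""
import secrets

# Constructed toy Schnorr group: P = 2Q + 1 with P, Q prime; G = 4 has order Q.
# Far too small for real use; it only makes the algebra checkable.
P, Q, G = 2039, 1019, 4


def rand_zq():
    """Uniform element of Z_Q^* = [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def inv(x):
    """Inverse of an exponent modulo the group order Q."""
    return pow(x, -1, Q)


class KA:
    """Key authority: holds alpha1, b (MSK1) and a; publishes g^a."""

    def __init__(self):
        self.alpha1, self.b, self.a = rand_zq(), rand_zq(), rand_zq()
        self.g_a = pow(G, self.a, P)

    def blind(self, X1):
        # T1 = X1^(tau/b) strips b; T2 = (g^a)^(s*tau) adds the user randomness s.
        self.s, self.tau = rand_zq(), rand_zq()
        T1 = pow(X1, self.tau * inv(self.b) % Q, P)
        T2 = pow(self.g_a, self.s * self.tau % Q, P)
        return T1, T2

    def unblind(self, X2):
        return pow(X2, inv(self.tau), P)  # T3 = X2^(1/tau)

    def sk1(self, h, attrs):
        # SK1 = {D0 = g^s, Dx = h_x^s}
        return pow(G, self.s, P), {x: pow(h[x], self.s, P) for x in attrs}


class AA:
    """Attribute authority: holds alpha2 (MSK2)."""

    def __init__(self):
        self.alpha2 = rand_zq()

    def start(self, omega):
        self.t1 = rand_zq()
        return pow(G, omega * inv(self.t1) % Q, P)  # X1 = g^(omega/t1)

    def reblind(self, T1, T2):
        self.t2 = rand_zq()
        return pow(pow(T1, self.t1, P) * T2 % P, self.t2, P)  # X2

    def finish(self, T3):
        return pow(T3, inv(self.t2), P)  # D = T3^(1/t2)


def ideal_2pc(ka, aa):
    """Stand-in for the secure 2PC: only omega = (alpha1 + alpha2) * b leaves it."""
    return (ka.alpha1 + aa.alpha2) * ka.b % Q


def keygen(ka, aa, h, attrs):
    """Run the exchange; return the user's key and the messages on the wire."""
    X1 = aa.start(ideal_2pc(ka, aa))
    T1, T2 = ka.blind(X1)
    X2 = aa.reblind(T1, T2)
    T3 = ka.unblind(X2)
    D = aa.finish(T3)
    D0, Dx = ka.sk1(h, attrs)
    wire = {"X1": X1, "T1": T1, "T2": T2, "X2": X2, "T3": T3}
    return {"D": D, "D0": D0, "Dx": Dx}, wire


def check_key(ka, aa, sk):
    """Test-only check with both master secrets: D == g^(alpha1+alpha2) * (g^a)^s."""
    alpha = (ka.alpha1 + aa.alpha2) % Q
    return sk["D"] == pow(G, alpha, P) * pow(ka.g_a, ka.s, P) % P


if __name__ == "__main__":
    ka, aa = KA(), AA()
    h = {"doctor": pow(G, rand_zq(), P)}  # constructed attribute base h_x
    sk, wire = keygen(ka, aa, h, ["doctor"])
    print("messages:", wire)
    print("D well-formed:", check_key(ka, aa, sk))
```
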

## 5. Scheme Analysis

#### 5.1. Correctness Analysis

#### 5.2. Security Analysis

**Theorem 1.**

**Proof.**

- Init. $\mathcal{S}$ picks a bilinear map $e:G\times G\to {G}_{T}$, and $a,{d}_{1},\cdots ,{d}_{q},r\in {Z}_{p}$ randomly. $\mathcal{S}$ exposes: $$\begin{array}{c}\overrightarrow{y}=\{g,{g}^{r},{g}^{a},\cdots ,{g}^{{a}^{q}},{g}^{{a}^{q+2}},\cdots ,{g}^{{a}^{2q}},\\ {\forall}_{1\le i\le q}{g}^{r\cdot {d}_{i}},{g}^{a/{d}_{i}},\cdots ,{g}^{{a}^{q}/{d}_{i}},{g}^{{a}^{q+2}/{d}_{i}},\cdots ,{g}^{{a}^{2q}/{d}_{i}}\\ {\forall}_{1\le i,l\le q,l\ne i}{g}^{a\cdot r\cdot {d}_{l}/{d}_{i}},\cdots ,{g}^{{a}^{q}\cdot r\cdot {d}_{l}/{d}_{i}}\}.\end{array}$$
- Setup. $\mathcal{S}$ picks ${\alpha}^{\prime}\in {Z}_{p}$ randomly and computes ${E}^{\alpha}={E}^{a\cdot {a}^{q}}\cdot {E}^{{\alpha}^{\prime}}$. This implicitly sets $\alpha ={\alpha}^{\prime}+{a}^{q+1}$. $\mathcal{S}$ constructs the group elements ${h}_{1},{h}_{2},\cdots ,{h}_{\left|\mathrm{U}\right|}$ as follows: for each attribute $1\le x\le \left|\mathrm{U}\right|$, $\mathcal{S}$ chooses a value ${w}_{x}$ at random; let $Y$ be the set of $j$ such that ${\rho}^{\ast}(j)=x$. $\mathcal{S}$ sets ${h}_{x}$ as $${h}_{x}={g}^{{w}_{x}}\prod _{j\in Y}\prod _{1\le k\le {n}^{\ast}}{g}^{\frac{{a}^{k}{M}_{j,k}^{\ast}}{{d}_{j}}}.$$ $$Param=\left\{G,{G}_{T},e,g,{g}^{a},\mu ,\nu ,\left\{{h}_{x}|1\le x\le \left|\mathrm{U}\right|\right\},{g}^{b},{E}^{\alpha},\widehat{H}\right\}$$
- Private key query phase 1. $\mathcal{A}$ submits an attribute set $\mathbb{S}$, where $\mathbb{S}$ does not satisfy ${M}^{\ast}{}_{{m}^{\ast}\times {n}^{\ast}}$. Simulator $\mathcal{S}$ chooses $t\in {Z}_{p}$ at random and finds the vector $\overrightarrow{\eta}=\left({\eta}_{1},{\eta}_{2},\cdots ,{\eta}_{{n}^{\ast}}\right)\in {Z}_{p}^{{n}^{\ast}}$ such that ${\eta}_{1}=-1$. For $\left\{j:{\rho}^{\ast}(j)\in \mathbb{S}\right\}$, we have $\overrightarrow{\eta}\cdot {M}_{j}^{\ast}=0$. $\mathcal{S}$ computes $${D}_{0}={g}^{t}\prod _{1\le j\le {n}^{\ast}}{\left({g}^{{a}^{q+1-j}}\right)}^{{\eta}_{j}}={g}^{s},$$ $$s=t+{\eta}_{1}{a}^{q}+{\eta}_{2}{a}^{q-1}+\cdots +{\eta}_{{n}^{\ast}}{a}^{q-({n}^{\ast}-1)}.$$ $$D={g}^{{\alpha}^{\prime}}{g}^{at}\prod _{j=2}^{{n}^{\ast}}{\left({g}^{{a}^{q+2-j}}\right)}^{{\eta}_{j}}.$$ $${D}_{x}={D}_{0}^{{w}_{x}}\prod _{j\in Y}\prod _{i=1}^{{n}^{\ast}}{\left({g}^{({a}^{i}/{d}_{j})t}\prod _{\begin{array}{l}l=1,\cdots ,{n}^{\ast}\\ l\ne i\end{array}}{({g}^{{a}^{q+1+i-l}/{d}_{j}})}^{{\eta}_{l}}\right)}^{{M}_{j,i}^{\ast}}.$$
- Challenge. $\mathcal{A}$ selects two messages ${F}_{0}$ and ${F}_{1}$ of equal length. Simulator $\mathcal{S}$ chooses a coin $\theta \in \left\{0,1\right\}$ randomly and encrypts the file ${F}_{\theta}$ using the AES algorithm to generate the shared data ciphertext $CF=En{c}_{ck}({F}_{\theta})$, where $ck$ is a symmetric key, then ${C}_{1}=ck\cdot Z\cdot e({g}^{r},{g}^{{\alpha}^{\prime}}),{C}_{2}={g}^{r}$. $\mathcal{S}$ chooses $$\overrightarrow{u}=(r,ra+{u}_{2}^{\prime},r{a}^{2}+{u}_{3}^{\prime},\cdots ,r{a}^{n-1}+{u}_{{n}^{\ast}}^{\prime})\in {Z}_{p}^{{n}^{\ast}},$$ $$\left\{\begin{array}{l}{C}_{3,j}={h}_{{\rho}^{\ast}(j)}^{{t}_{j}^{\prime}}{\left({g}^{{d}_{j}\cdot r}\right)}^{-{w}_{{\rho}^{\ast}(j)}}\left(\prod _{2\le i\le {n}^{\ast}}{\left({g}^{a}\right)}^{{M}_{j,i}^{\ast}{y}_{i}^{\prime}}\right)\cdot \left(\prod _{l\in {R}_{j}}\prod _{1\le i\le {n}^{\ast}}{\left({g}^{{a}^{i}\cdot r\cdot \left({d}_{j}/{d}_{l}\right)}\right)}^{{M}_{l,i}^{\ast}}\right)\\ {C}_{4,j}={g}^{-r{d}_{j}}{g}^{{t}_{j}^{\prime}}\end{array}\right.,$$
- Private key query phase 2. Similar to the previous stage, $\mathcal{S}$ continues to answer $\mathcal{A}$’s query.
- Guess. $\mathcal{A}$ outputs a guess ${\theta}^{\prime}\in \left\{0,1\right\}$ of $\theta $. $\mathcal{S}$ outputs ${\sigma}^{\prime}=0$ when ${\theta}^{\prime}=\theta $, which means $T\in {\mathbb{F}}_{q-PBDHE}$; $\mathcal{S}$ outputs ${\sigma}^{\prime}=1$ when ${\theta}^{\prime}\ne \theta $, which means $T\in {\mathbb{R}}_{q-PBDHE}$. When $\sigma =1$, $\mathcal{A}$ does not obtain any information about $\theta $, so $\mathrm{Pr}\left[{\theta}^{\prime}\ne \theta |\sigma =1\right]=\frac{1}{2}$. When ${\theta}^{\prime}\ne \theta $, $\mathcal{S}$ guesses ${\sigma}^{\prime}=1$, so $\mathrm{Pr}\left[{\sigma}^{\prime}=\sigma |\sigma =1\right]=\frac{1}{2}$. When $\sigma =0$, $\mathcal{A}$ sees the ciphertext of ${F}_{\theta}$, and because the advantage of $\mathcal{A}$ is $\epsilon $, $\mathrm{Pr}\left[{\theta}^{\prime}=\theta |\sigma =0\right]=\frac{1}{2}+\epsilon $. When ${\theta}^{\prime}=\theta $, $\mathcal{S}$ guesses ${\sigma}^{\prime}=0$, so $\mathrm{Pr}\left[{\sigma}^{\prime}=\sigma |\sigma =0\right]=\frac{1}{2}+\epsilon $. The advantage of $\mathcal{S}$ obtained from the above is $$\frac{1}{2}\mathrm{Pr}\left[{\sigma}^{\prime}=\sigma |\sigma =0\right]-\frac{1}{2}\mathrm{Pr}\left[{\sigma}^{\prime}=\sigma |\sigma =1\right]=\frac{1}{2}\left(\frac{1}{2}+\epsilon \right)-\frac{1}{2}\times \frac{1}{2}=\frac{\epsilon}{2}.$$

**Theorem 2.**

**Proof.**

- Setup. $\mathcal{S}$ obtains a discrete logarithmic tuple $\left(G,{G}_{T},p,g,{g}^{\phi}\right)$, and $\mathcal{S}$ attempts to compute the value $\phi $. $\mathcal{S}$ generates public parameters through the following steps. $\mathcal{S}$ sets a bilinear map $e:G\times G\to {G}_{T}$, selects ${h}_{1},\cdots ,{h}_{\left|\mathrm{U}\right|}\in G$, $\alpha ,a,b,\gamma \in {Z}_{p}$, and computes ${g}^{a},{g}^{b}$, ${E}^{\alpha}$, $\mu ={g}^{\phi},\nu ={g}^{\gamma}$. $\mathcal{S}$ picks hash function $\widehat{H}:{G}_{T}\to {Z}_{p}$ at random, and returns$$Param=\left(G,{G}_{T},e,g,{g}^{a},\mu ,\nu ,\left\{{h}_{i}|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},{g}^{b},{E}^{\alpha},\widehat{H}\right)$$
- Private key query phase 1. $\mathcal{S}$ selects an attribute set $\mathbb{S}$, and executes $KeyGen(MSK,Param,\mathbb{S})\to SK$ and returns $SK$ to $\mathcal{A}$.
- Challenge. $\mathcal{A}$ submits $F$ and a challenge access policy $(M,\rho )$ to $\mathcal{S}$. $\mathcal{S}$ executes $Encrypt(Param,F,({M}_{m\times n},\rho ))\to CT=\left\{CF,C\right\}$, where ${C}_{5}={\mu}^{\widehat{H}(F)}{\nu}^{\widehat{H}(ck)}$, $CF=Enc(F,ck)$, $C=(({M}_{m\times n},\rho ),{C}_{1},{C}_{2},{C}_{3,j},{C}_{4,j},{C}_{5},j\in \left[1,m\right])$. $\mathcal{S}$ returns $CT$ to $\mathcal{A}$.
- Private key query phase 2. Similar to the previous stage, $\mathcal{S}$ continues to answer $\mathcal{A}$’s query.
- Output. $\mathcal{A}$ outputs a revoked ciphertext $C{T}^{\prime}=\left\{C{F}^{\prime},{C}^{\prime}\right\}$, where $C{F}^{\prime}=Enc({F}^{\prime},c{k}^{\prime})$, ${C}^{\prime}=\left(({{M}^{\prime}}_{{m}^{\prime}\times {n}^{\prime}},{\rho}^{\prime}),{C}_{1}^{\prime},{C}_{2}^{\prime},{C}_{3,j}^{\prime},{C}_{4,j}^{\prime},{C}_{5}^{\prime},j\in \left[1,{m}^{\prime}\right]\right)$. $\mathcal{A}$ wins if ${F}^{\prime}\notin \left\{F,\perp \right\}$ and ${C}_{5}={C}_{5}^{\prime}$.

## 6. Performance Analysis

#### 6.1. Functional Analysis

#### 6.2. Computation Analysis

#### 6.3. Experimental Analysis

## 7. Conclusions and Prospect

## Appendix A

- (1) $Setup(\lambda ,\mathrm{U}):$ The authority center generates a bilinear pairing tuple $\left(e,G,{G}_{T},g,p\right)$. It chooses random values $g,{h}_{1},{h}_{2},\cdots ,{h}_{U},\varphi ,\phi \in G,\alpha ,a\in {Z}_{p}^{\ast}$ and a hash function $H:{G}_{T}\to {Z}_{p}^{\ast}$. It sets the master secret key $msk={g}^{\alpha}$ and public parameters $$PP=\left(e,G,{G}_{T},g,{h}_{1},\cdots ,{h}_{U},\varphi ,\phi ,{g}^{a},e{\left(g,g\right)}^{\alpha},H\right)$$
- (2) $KeyGen\left(msk,Att\right)$: The authority center chooses a random value $s\in {Z}_{p}^{\ast}$, and computes $sk=\left\{Att,K={g}^{\alpha}{g}^{as},{K}_{0}={g}^{s},\forall x\in Att,{K}_{x}={h}_{x}^{s}\right\}$.
- (3) $Enc\left(m,\left(M,f\right)\right)$: On input a message $m$ and an access policy $\left(M,f\right)$, where $M$ is a $t\times k$ matrix and $f$ associates each row of $M$ with an attribute, the algorithm selects two random vectors $\overrightarrow{\mu}=(r,{y}_{2},\cdots ,{y}_{k})\in {Z}_{p}^{k}$ and $\overrightarrow{v}=(\overline{r},{\overline{y}}_{2},\cdots ,{\overline{y}}_{k})\in {Z}_{p}^{k}$. For each row ${M}_{j}$ of $M$, it computes ${\lambda}_{j}=\overrightarrow{\mu}\cdot {M}_{j}$ and ${\overline{\lambda}}_{j}=\overrightarrow{v}\cdot {M}_{j}$, $j\in \left[1,t\right]$. It randomly chooses ${r}_{j},{\overline{r}}_{j}\in {Z}_{p}$ for each $j\in \left[1,t\right]$ and ${m}^{\prime}\in {G}_{T}$. Then it computes ${C}_{1}=m\cdot e{\left(g,g\right)}^{\alpha r},{C}_{2}={g}^{r},{C}_{3,j}={g}^{a{\lambda}_{j}}{h}_{f(j)}^{-{r}_{j}},{C}_{4,j}={g}^{{r}_{j}},\forall j\in \left[1,t\right]$, ${D}_{1}={m}^{\prime}\cdot e{\left(g,g\right)}^{\alpha \overline{r}},$ ${D}_{2}={g}^{\overline{r}},$ ${D}_{3,j}={g}^{a{\overline{\lambda}}_{j}}{h}_{f(j)}^{-{\overline{r}}_{j}},{D}_{4,j}={g}^{{\overline{r}}_{j}},\forall j\in \left[1,t\right],\overline{C}={\varphi}^{H\left(m\right)}{\phi}^{H\left({m}^{\prime}\right)}$. It outputs the ciphertext as $CT=\left((M,f),{C}_{1},{C}_{2},{C}_{3,j},{C}_{4,j},{D}_{1},{D}_{2},{D}_{3,j},{D}_{4,j},\overline{C}\right),j\in \left[1,t\right]$.
- (4) $Dec\left(sk,CT\right)$: On input a secret key $sk=\left\{Att,K,{K}_{0},{K}_{x}\right\}$ and a ciphertext $CT=\left((M,f),{C}_{1},{C}_{2},{C}_{3,j},{C}_{4,j},{D}_{1},{D}_{2},{D}_{3,j},{D}_{4,j},\overline{C}\right)$, the recipient first checks whether $R\left(Att,\left(M,f\right)\right)=1$. If $R\left(Att,\left(M,f\right)\right)\ne 1$, it outputs an error symbol $\perp $. Otherwise, it finds the set $T\subset \left\{1,\cdots ,t\right\}$ with $T=\left\{j:f(j)\in Att\right\}$ and computes constants ${\theta}_{j}\in {Z}_{p}^{\ast}$ such that ${\Sigma}_{j\in T}{\theta}_{j}{M}_{j}=\left(1,0,0,\cdots ,0\right)$. Then the recipient computes $$\begin{array}{c}m={C}_{1}/\frac{e(K,{C}_{2})}{{({\mathsf{\Pi}}_{j\in T}e({K}_{0},{C}_{3,j})\cdot e({K}_{f(j)},{C}_{4,j}))}^{{\theta}_{j}}}\ \mathrm{and}\\ {m}^{\prime}={D}_{1}/\frac{e(K,{D}_{2})}{{({\mathsf{\Pi}}_{j\in T}e({K}_{0},{D}_{3,j})\cdot e({K}_{f(j)},{D}_{4,j}))}^{{\theta}_{j}}}.\end{array}$$
- (5) $Revoke(CT,(\tilde{M},\tilde{f}))$: On input a ciphertext $CT$ and a revocation access policy $(\tilde{M},\tilde{f})$, where $M$ and $\tilde{M}$ are $t\times k$ and $\tilde{t}\times \tilde{k}$ matrices, it outputs a revoked ciphertext for access policy $({M}^{\prime},{f}^{\prime})$. It sets $({M}^{\prime},{f}^{\prime})$ as $${M}^{\prime}=\left(\begin{array}{cc}M& -{c}_{1}|0\\ 0& \tilde{M}\end{array}\right),{f}^{\prime}(j)=\left\{\begin{array}{l}f(j),j\le t\\ \tilde{f}(j-t),j>t\end{array}\right.,$$ $$\left\{\begin{array}{l}{C}_{3,j}^{\prime\prime}={C}_{3,j},{C}_{4,j}^{\prime\prime}={C}_{4,j},j\in \left[1,t\right]\\ {C}_{3,j}^{\prime\prime}={1}_{G},{C}_{4,j}^{\prime\prime}={1}_{G},j\in \left[t+1,{t}^{\prime}\right]\end{array}\right.$$ Then it selects a random vector ${\overrightarrow{\mu}}^{\prime\prime\prime}=({r}^{\prime\prime\prime},{y}_{2}^{\prime\prime\prime},\cdots ,{y}_{k}^{\prime\prime\prime})\in {Z}_{p}^{{k}^{\prime}}$. For each row ${M}_{j}^{\prime}$ of ${M}^{\prime}$, it computes ${\lambda}_{j}^{\prime\prime\prime}={\overrightarrow{\mu}}^{\prime\prime\prime}\cdot {M}_{j}^{\prime}$, $j\in \left[1,{t}^{\prime}\right]$. It randomly chooses ${r}_{j}^{\prime\prime\prime}\in {Z}_{p}$ for each $j\in \left[1,{t}^{\prime}\right]$. Then it computes a random ciphertext $C{T}^{\prime\prime\prime}$ as $${C}_{1}^{\prime\prime\prime}=e{(g,g)}^{\alpha {r}^{\prime\prime\prime}},{C}_{2}^{\prime\prime\prime}={g}^{{r}^{\prime\prime\prime}},{C}_{3,j}^{\prime\prime\prime}={g}^{a{\lambda}_{j}^{\prime\prime\prime}}{h}_{f(j)}^{-{r}_{j}^{\prime\prime\prime}},{C}_{4,j}^{\prime\prime\prime}={g}^{{r}_{j}^{\prime\prime\prime}},\forall j\in \left[1,{t}^{\prime}\right].$$ Then, it computes $${C}_{1}^{\prime}={C}_{1}^{\prime\prime}\cdot {C}_{1}^{\prime\prime\prime},{C}_{2}^{\prime}={C}_{2}^{\prime\prime}\cdot {C}_{2}^{\prime\prime\prime},{C}_{3,j}^{\prime}={C}_{3,j}^{\prime\prime}\cdot {C}_{3,j}^{\prime\prime\prime},{C}_{4,j}^{\prime}={C}_{4,j}^{\prime\prime}\cdot {C}_{4,j}^{\prime\prime\prime},\forall j\in \left[1,{t}^{\prime}\right].$$ The values ${D}_{1}^{\prime},{D}_{2}^{\prime},{D}_{3,j}^{\prime},{D}_{4,j}^{\prime},j\in \left[1,{t}^{\prime}\right]$ can be computed in the same manner. It sets ${\overline{C}}^{\prime}=\overline{C}$. Finally, it outputs the revoked ciphertext $$C{T}^{\prime}=\left(({M}^{\prime},{\rho}^{\prime}),{C}_{1}^{\prime},{C}_{2}^{\prime},{C}_{3,j}^{\prime},{C}_{4,j}^{\prime},{D}_{1}^{\prime},{D}_{2}^{\prime},{D}_{3,j}^{\prime},{D}_{4,j}^{\prime},{\overline{C}}^{\prime},j\in \left[1,{t}^{\prime}\right]\right).$$
- (6) $De{c}_{re}(s{k}^{\prime},CT,C{T}^{\prime})$: On input a secret key $s{k}^{\prime}$ of attribute set $At{t}^{\prime}$, an original ciphertext $CT=\left((M,f),{C}_{1},{C}_{2},{C}_{3,j},{C}_{4,j},{D}_{1},{D}_{2},{D}_{3,j},{D}_{4,j},\overline{C}\right)$ and a revoked ciphertext $C{T}^{\prime}=\left(({M}^{\prime},{\rho}^{\prime}),{C}_{1}^{\prime},{C}_{2}^{\prime},{C}_{3,j}^{\prime},{C}_{4,j}^{\prime},{D}_{1}^{\prime},{D}_{2}^{\prime},{D}_{3,j}^{\prime},{D}_{4,j}^{\prime},{\overline{C}}^{\prime}\right)$, it verifies whether ${\overline{C}}^{\prime}=\overline{C}$. If not, it outputs an error symbol $\perp $ and aborts. Then, it checks whether $R\left(At{t}^{\prime},\left({M}^{\prime},{f}^{\prime}\right)\right)=1$. If $R\left(At{t}^{\prime},\left({M}^{\prime},{f}^{\prime}\right)\right)\ne 1$, it outputs an error symbol $\perp $ and aborts. Otherwise, it finds the set ${T}^{\prime}\subset \left\{1,\cdots ,{t}^{\prime}\right\}$ with ${T}^{\prime}=\left\{j:{f}^{\prime}(j)\in At{t}^{\prime}\right\}$ and computes constants ${\theta}_{j}^{\prime}\in {Z}_{p}^{\ast}$ such that ${\Sigma}_{j\in {T}^{\prime}}{\theta}_{j}^{\prime}{M}_{j}^{\prime}=\left(1,0,0,\cdots ,0\right)$. Then, it computes $$m={C}_{1}^{\prime}/\frac{e(K,{C}_{2}^{\prime})}{{({\mathsf{\Pi}}_{j\in {T}^{\prime}}e({K}_{0},{C}_{3,j}^{\prime})\cdot e({K}_{{f}^{\prime}(j)},{C}_{4,j}^{\prime}))}^{{\theta}_{j}^{\prime}}},$$ $${m}^{\prime}={D}_{1}^{\prime}/\frac{e(K,{D}_{2}^{\prime})}{{({\mathsf{\Pi}}_{j\in {T}^{\prime}}e({K}_{0},{D}_{3,j}^{\prime})\cdot e({K}_{{f}^{\prime}(j)},{D}_{4,j}^{\prime}))}^{{\theta}_{j}^{\prime}}}.$$

- Chase, M.; Chow, S. Improving privacy and security in multi-authority attribute-based encryption. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Chicago, IL, USA, 9–13 November 2009; ACM: New York, NY, USA, 2009; pp. 121–130. [Google Scholar]
- Varri, U.; Pasupuleti, S.; Kadambari, K.V. Key-Escrow Free Attribute-Based Multi-Keyword Search with Dynamic Policy Update in Cloud Computing. In Proceedings of the 2020 20th IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID), Melbourne, VIC, Australia, 11–14 May 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 450–458. [Google Scholar]
- Hur, J. Improving Security and Efficiency in Attribute-Based Data Sharing. IEEE Trans. Knowl. Data Eng.
**2013**, 25, 2271–2282. [Google Scholar] [CrossRef] - Zhang, R.; Li, J.; Lu, Y.; Han, J.; Zhang, Y. Key escrow-free attribute-based encryption with user revocation. Inf. Sci.
**2022**, 600, 59–72. [Google Scholar] [CrossRef] - Chen, N.; Li, J.; Zhang, Y.; Guo, Y. Efficient CP-ABE Scheme with Shared Decryption in Cloud Storage. IEEE Trans. Comput.
**2022**, 71, 175–184. [Google Scholar] [CrossRef] - Li, J.; Zhang, Y.; Ning, J.; Huang, X.; Poh, G.; Wang, D. Attribute Based Encryption with Privacy Protection and Accountability for CloudIoT. IEEE Trans. Cloud Comput.
**2022**, 10, 762–773. [Google Scholar] [CrossRef] - Banerjee, S.; Roy, S.; Odelu, V.; Das, A.; Chattopadhyay, S.; Rodrigues, J.; Park, Y. Multi-Authority CP-ABE-Based user access control scheme with constant-size key and ciphertext for IOT deployment. J. Inf. Secur. Appl.
**2020**, 53, 102503. [Google Scholar] [CrossRef] - Reena Catherine, A.; Shajin Nargunam, A. Multi authority ciphertext-policy attribute-based encryption for security enhancement in cloud storage unit. Sustain. Energy Technol. Assess.
**2022**, 53, 102556. [Google Scholar] [CrossRef] - Guo, Y.; Lu, Z.; Ge, H.; Li, J. Revocable Blockchain-Aided Attribute-Based Encryption with Escrow-Free in Cloud Storage. IEEE Trans. Comput.
**2023**, 72, 1901–1912. [Google Scholar] [CrossRef]

**Figure 3.** Setup time when the number of attributes increases [21].

**Figure 4.** Key generation time when the number of attributes increases [21].

**Figure 5.** Encryption time when the number of attributes increases [21].

**Figure 6.** Original decryption time when the number of attributes increases [21].

**Figure 7.** Revocation time when the number of attributes increases [21].

**Figure 8.** Decryption time after revoking user when the number of attributes increases [21].

Symbol | Description |
---|---|
$G,{G}_{T}$ | Two multiplicative cyclic groups with prime order $p$ |
$g$ | A generator in $G$ |
$\mathrm{U}$ | Collection of all system attributes |
$\lvert \mathrm{U}\rvert$ | The number of elements of the set $\mathrm{U}$ |
$\mathbb{S}$ | Collection of user attributes |
$\mathbb{S}\subseteq \mathrm{U}$ | $\mathbb{S}$ is a subset of $\mathrm{U}$ |
PPT | Probabilistic polynomial time |
2PC | Two-party computing |
$Param$ | Public parameters |
$MSK$ | Master key |
$SK$ | User private key |
$CT$ | Ciphertext |
$P=\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}$ | Participant set |
${M}_{m\times n}$ | A matrix with $m$ rows and $n$ columns |
${M}_{j}$ | The $j$-th row of $M$ |
$\left({M}_{m\times n},\rho \right)$ | Access policy |
$\left[1,m\right]$ | A set of $1,2,\cdots ,m$ |

Scheme | Integrity | Key-Escrow Free | User Revocation | Access Policy |
---|---|---|---|---|
[21] | √ | × | √ | LSSS |
[24] | × | √ | × | LSSS |
[26] | × | √ | √ | Tree |
Ours | √ | √ | √ | LSSS |

Scheme | Key Generation | Encryption | Decryption | Revocation |
---|---|---|---|---|
[21] | $(u+3){E}_{1}$ | $(6m+4){E}_{1}+2{E}_{T}+2P$ | $10{E}_{T}+10P$ | $(12m+6){E}_{1}+4{E}_{T}+4P$ |
[24] | $(u+3){E}_{1}$ | $(4m+1){E}_{1}+{E}_{T}+P$ | $5{E}_{T}+5P$ | - |
[26] | $(2u+8){E}_{1}$ | $(2y+4){E}_{1}+2{E}_{T}+2P$ | $8{E}_{T}+8P$ | $(2y+4){E}_{1}+2{E}_{T}+2P$ |
Ours | $(u+3){E}_{1}$ | $(3m+3){E}_{1}+{E}_{T}+P$ | $5{E}_{T}+5P$ | $(6m+4){E}_{1}+2{E}_{T}+2P$ |


© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Huang, M.; Liu, Y.; Yang, B.; Zhao, Y.; Zhang, M.
Efficient Revocable Attribute-Based Encryption with Data Integrity and Key Escrow-Free. *Information* **2024**, *15*, 32.
https://doi.org/10.3390/info15010032
