A Data Hierarchical Encryption Scheme Based on Attribute Hiding under Multiple Authorization Centers

Abstract

The data hierarchical Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme implements multiple hierarchical data encryption of a single access policy, which reduces the computation and storage overhead. However, existing data hierarchical CP-ABE schemes have some problems, such as the leakage of personal privacy information through access policies or user attributes in plaintext form, and these schemes grant enough privileges to a single authorization center. If the authorization center is untrusted or attacked, keys can be used to illegally access data, which is the key escrow problem. To solve these problems, we propose an Attribute Hiding and Multiple Authorization Centers-based Data Hierarchical Encryption Scheme (AH-MAC-DHE). Firstly, we propose an Attribute Convergence Hiding Mechanism (ACHM). This mechanism solves the problem of personal privacy information leakage by hiding access policies and user attributes. Secondly, we design Privilege-Dispersed Multiple Authorization Centers (PD-MAC). PD-MAC solves the problem of key escrow by dispersing the privileges of the single authorization center to the user authorization center and attribute authorization center. Finally, we prove that AH-MAC-DHE is secure under the decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption, which also satisfies anti-collusion and privacy security. The experimental results indicate that compared with existing schemes, AH-MAC-DHE performs well.

1. Introduction

With the rapid development of the Internet, the amount of data continues to increase, and the users’ demand for storage devices has also increased. This brings unprecedented opportunities and challenges to the development of cloud storage. Cloud storage is widely used in large-scale data sharing due to its high capacity and convenient data management [1,2]. However, data owners store data in plaintext form in the cloud storage server, which can be accessed by attackers through illegal means. This may cause data owners to lose control of data to a certain extent. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [3] is a solution. CP-ABE allows the data owner to encrypt data by setting an access policy through a set of attributes and embed the access policy in the ciphertext while the user attributes are embedded in the key. The data can be successfully decrypted for access only if the user attributes satisfy the access policy. This makes CP-ABE ideal for data sharing in cloud storage.

The shared data stored by data owners in the cloud storage server usually has hierarchical structures [4,5], as shown in Figure 1. However, CP-ABE did not consider this characteristic. The following uses the Personal Health Record (PHR) as an example [6]. A patient divides PHR information into personal data $m_1$ and medical data $m_2$, and shares them securely in the cloud storage. The patient first defines the access structure of $m_1$ as $A_1=\left(\mathrm{Cardiologist}\mathrm{AND}\left(\mathrm{Central}\mathrm{hospital}\mathrm{AND}\left(\mathrm{Professor}\mathrm{OR}\mathrm{Researcher}\right)\right)\right)$. This structure indicates that only cardiologists with professor or researcher status at the central hospital can access $m_1$. Then, the patient defines the access structure of $m_2$ as $A_2=\left(\mathrm{Central}\mathrm{hospital}\mathrm{AND}\left(\mathrm{Professor}\mathrm{OR}\mathrm{Researcher}\right)\right)$. This structure indicates that only the professors or researchers at the central hospital can access $m_2$. Obviously, the access structure $A_2$ is a part of $A_1$, which means that there is a hierarchical relationship between the access structures of $m_1$ and $m_2$. And the access structure hierarchy of $m_1$ is higher than the access structure of $m_2$. When the patient uses $A_1$ to encrypt $m_1$ and $m_2$ into one ciphertext, this data hierarchical encryption method will reduce computation and storage overhead. However, existing CP-ABE schemes only require the patient to satisfy the requirement of data hierarchical encryption by generating multiple ciphertexts. This may cause the system to bear a large computation and storage burden.

Therefore, researchers have proposed the data hierarchical CP-ABE schemes for efficient access control of hierarchical data [7,8,9,10]. More specifically, to achieve efficient access control of hierarchical data, most of the existing work concentrated on collecting multiple access tree structures into a single access tree structure [7,8,9]. Some others proposed to implement the hierarchical access structure using linear secret sharing [10]. To ensure the secure and efficient application of data hierarchical CP-ABE in cloud storage, it still needs to be considered that access policies or user attributes in plaintext form can pose a great threat to the leakage of privacy information [11,12]. The attacker can infer some privacy information from the access policies embedded in the ciphertexts and user attributes sent to the authorization center [13,14]. Meanwhile, the above schemes [7,8,9,10] only used a single authorization center to generate and manage keys. When the authorization center is untrusted or attacked, keys can be used to illegally access data, which may pose a risk to data security. Therefore, it is necessary to design an attribute hiding and multiple authorization centers-based data hierarchical encryption scheme.

Access Policy and User Attribute Hiding: Most of the existing works focused on policy-hidden CP-ABE schemes while ignoring user attribute hiding. Policy-hidden CP-ABE schemes are classified as fully hidden [15] and partially hidden [16,17], where a fully hidden access policy ensures better privacy and a partially hidden access policy provides better computational efficiency. Zhang et al. [17] proposed an efficient hierarchical data access control for resource-limited users in cloud-based e-Health (HPEH), which protected the privacy of access policies by hiding only the attribute values instead of the attribute names to achieve partially hidden access policies. In HPEH, users send user attributes in plaintext form to the authorization center to obtain keys. However, user attributes in plaintext form may lead to the leakage of privacy information, so it is not enough to just hide access policies. Meanwhile, HPEH used an access tree structure, which led to low efficiency. As a result, it is urgent to ensure the protection of access policies and user attributes concurrently while realizing the efficient sharing of hierarchical data.

Multiple Authorization Centers: In existing data hierarchical CP-ABE schemes [7,8,9,10], a single authorization center is usually required to distribute and manage keys. Obviously, the trustworthiness of data access control strongly depends on the single authorization center. However, the single authorization center is often assumed to be trusted, which is impractical in reality, and the single authorization center can lead to problems with key escrow and single points of failure. Sandhia et al. [18] proposed a multi-authority-based file hierarchy hidden CP-ABE scheme (MA-FH-CP-ABE), which achieved partially hidden by generating a weighted access policy by an authentication authority while introducing the trusted authority to collaborate with the authentication authority to complete the key distribution and authorization. However, it was difficult to balance the permissions division of authorized authorities. The trusted authority tended to obtain more key generation permissions, thus increasing the risk of user key leakage. Therefore, there is an urgent need to design a multiple authorization centers scheme with balanced privileges.

In summary, we propose the AH-MAC-DHE to solve the problems of high computational overhead of hierarchical data, privacy leakage of access policies and user attributes, and key escrow at a single authorization center. The main contributions include the following:

• We propose an Attribute Convergence Hiding Mechanism (ACHM) to hide access policies and user attributes. This mechanism can effectively improve the security of personal privacy information by generating hidden attributes instead of original attributes.
• We design Privilege-Dispersed Multiple Authorization Centers (PD-MAC), which assign the privileges owned by a single authorization center to the user authorization center and attribute authorization center, respectively. This prevents the single authorization center from having sufficient privileges to access data, thereby effectively improving data security.
• We propose an Attribute Hiding and Multiple Authorization Centers-based Data Hierarchical Encryption Scheme (AH-MAC-DHE) to solve the problems of privacy protection for hierarchical data-oriented. The security analysis shows that AH-MAC-DHE can successfully resist the Chosen Plaintext Attack (CPA) under the decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption, which also satisfies anti-collusion and privacy security. The performance analysis shows that AH-MAC-DHE has high efficiency while improving security.

The rest of the paper is organized as follows. We will review some related work and introduce relevant background knowledge that we use in Section 2 and Section 3, respectively. Then, we introduce the core technology and system definition in Section 4. In Section 5, we show the detailed process and corresponding algorithms of AH-MAC-DHE. Afterward, we introduce the security analysis and performance analysis in Section 6 and Section 7, respectively. Finally, we conclude the paper and present our future work in Section 8.

2. Related Work

In 2005, Sahai and Water [19] first proposed Attribute-Based Encryption (ABE). ABE can be categorized into Key-Policy Attribute-Based Encryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Goyal et al. [20] proposed KP-ABE in 2006, in which ciphertexts were associated with attributes and keys were associated with access policies. Subsequently, Bethencourt et al. [3] proposed CP-ABE in 2007. CP-ABE differs from KP-ABE in that keys are associated with attributes, while ciphertexts are associated with access policies. CP-ABE implemented fine-grained access control by using access trees to represent arbitrary access structures, which made it widely used in areas such as healthcare [21], vehicular ad-hoc networks [22], and agriculture [23]. Subsequently, researchers conducted corresponding research on CP-ABE from aspects such as efficiency [24,25], privacy protection [26,27], and multiple authorization [28,29].

2.1. Data Hierarchical CP-ABE

When sharing multiple data with hierarchical structures, data hierarchical CP-ABE can encrypt the multiple data into a single ciphertext, which can reduce computation and storage overhead. In 2014, Wang et al. [7] first proposed a data hierarchical access control scheme that realized multilevel data sharing under a single access policy. In 2016, Wang et al. [8] proposed an efficient data hierarchical encryption scheme (FH-CP-ABE). FH-CP-ABE integrated multiple access tree structures into a single multilevel access tree structure, which had higher efficiency than CP-ABE. In 2019, Chandrasekaran et al. [30] proposed an efficient asymmetric data hierarchical CP-ABE scheme, which used optimized Tate pairing to improve encryption and decryption efficiency. However, the above schemes need to traverse the access tree structure when performing access control, which will result in them being inefficient. Therefore, in 2020, He et al. [10] proposed an efficient attribute-based hierarchical data access control scheme (AHAC). AHAC used a linear secret-sharing matrix to encrypt data from multiple hierarchical access structures into a complete ciphertext. The private key generation time and storage overhead of AHAC is only 25% of FH-CP-ABE. However, the above schemes did not consider problems of access policies or user attributes leakage of privacy information, as well as the key escrow problem.

2.2. Attribute Hidden CP-ABE

In CP-ABE, access policies or user attributes usually carry privacy information [12,31]. Attribute-hidden CP-ABE can prevent access policies or user attributes publicized from leakage of privacy information. In 2008, Nishide et al. [32] first proposed an attribute-based encryption scheme with partially hidden access policies to prevent leakage of privacy information. Subsequently, researchers have successively proposed policy-hidden CP-ABE schemes [16,33,34]. In 2016, Yang et al. [33] proposed an efficient fine-grained privacy-preserving big data access control scheme, which employed an Attribute Bloom Filter (ABF) fuzzy access structure to achieve complete hiding of access policies. The same year, Cui et al. [16] proposed an expressive CP-ABE scheme with partially hidden access structures in prime-order groups, which achieved the partially hidden access structure by performing a “linear splitting” technique on various portions of a ciphertext and re-randomize the key components on each attribute. In 2018, Cui et al. [34] revisited the scheme given in the literature [16] to improve efficiency by removing the commitment scheme without weakening security. However, the above schemes only hid access policies, and the publicly available user attributes will lead to the leakage of users’ privacy information. Therefore, in 2018, Han et al. [13] proposed an efficient and robust attribute-based encryption scheme by using the Oblivious Transfer to protect users’ privacy information. In 2022, Dai et al. [14] proposed a verifiable data-sharing scheme (HAPPS), which hid attributes and access policies during the authorization process to prevent the leakage of privacy information. However, the above schemes only encrypt a single piece of data at a time. When sharing multiple data with hierarchical structures, a large amount of computation and storage overhead will be unavoidable.

2.3. Multiple Authorization CP-ABE

In CP-ABE, users’ private keys are usually generated and managed by a single authorization center. Multiple authorization CP-ABE can prevent the single authorization center from having sufficient privileges to access data. In 2007, Chase [35] proposed the first multi-authorization scheme, which used a trusted central authority to manage multiple attribute authorization centers for distributing users’ private keys. Subsequently, Lewko and Waters [36] proposed a decentralized ABE scheme in 2011. This scheme removed the trusted central authority in the Chase scheme [35] by using multiple attribute authorization centers to jointly generate and manage users’ private keys. However, untrusted attribute authorization centers can collect user attributes, which will pose a threat to users’ privacy information. In 2019, Liang et al. [37] proposed a decentralized CP-ABE scheme that effectively protected users’ privacy information, but incurred significant computational overhead. In 2022, Sandhia et al. [38] replaced complex bilinear in ECC with simple scalar multiplication and proposed an MA-CP-ABE scheme for cloud data sharing using Elliptic Curve Cryptography (ECC), which can effectively reduce computational time. In 2023, Xie et al. [39] proposed an improved multi-authority attribute access control scheme based on blockchain and ECC, which ensured data security protection while reducing users’ consumption of computing resources. However, the computation and storage overhead of the above schemes have yet to be reduced when sharing multiple hierarchical data.

3. Preliminaries

3.1. Bilinear Map

Let 𝔾 and ${\mathbb{G}}_T$ be two multiplicative cyclic groups with the same prime order $p$, $g$ is the generator of 𝔾, the bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ has the following three theorems.

• Bilinearity: For $\forall a,b\in {\mathbb{Z}}_p,x,y\in \mathbb{G}$, it has $e\left(x^a,y^b\right)=e{\left(x,y\right)}^{ab}$.
• Non-degeneracy: There $\exists x,y\in \mathbb{G}$, satisfy $e\left(x,y\right)\ne 1$.
• Computability: For $\forall x,y\in \mathbb{G}$, it can efficiently calculate $e\left(x,y\right)$.

3.2. Linear Secret-Sharing Scheme (LSSS)

LSSS [40] uses a standard technique [41] to convert access trees defined by Boolean formula into LSSS sharing matrices to enhance access control for multi-party requirements. Assume that a secret sharing scheme $\Pi$ on a multi-party set $P$ is linearly described on ${\mathbb{Z}}_p$, which needs to be satisfied:

• The shares of all participants can form a vector on ${\mathbb{Z}}_p$.
• There exists a linear secret shared structure $\left(M,\rho \right)$, where $M$ denotes a shared generating matrix of $l$ rows and $n$ columns. For all $i=1,2,\dots ,l$, the $i$th row of $M$ is $M_i$. Let the function $\rho$ define the row $i$ where the participant is located as $\rho \left(i\right)$. For the secret value $s$ to be shared, select random numbers $r_2,\dots ,r_n\in {\mathbb{Z}}_p$, and construct a column vector $\overrightarrow{v}=\left(s,r_2,\dots ,r_n\right)$. Then, compute the secret share of $s$ as ${\lambda }_i=\left(M_i·\overrightarrow{v}\right)$, where ${\lambda }_i$ is a part of $\rho \left(i\right)$.

In particular, LSSS has the property of linear reconstruction: assume that $\Pi$ denotes an LSSS with access structure $A$ and $S\in A$ is an arbitrary set of authorizations. Define $I\subset \left\{1,\dots ,l\right\}$, where $I=\left\{i:\rho \left(i\right)\in S\right\}$. If $\left\{{\lambda }_i\right\}$ is an effective secret share of secret $s$ and there exists a set of constants ${\left\{{\omega }_i\in {\mathbb{Z}}_p\right\}}_{i\in I}$ satisfying that ${\displaystyle {\sum }_{i\in I}{\omega }_i{M}_i=}\left(1,0,\dots ,0\right)$ holds, then ${\displaystyle {\sum }_{i\in I}{\omega }_i{\lambda }_i=s}$ naturally holds.

For the data hierarchical LSSS [10], a column vector $\overrightarrow{v}=\left(s_1,\dots ,s_j,\dots ,s_n\right)$ is randomly generated, where $s_j\in {\mathbb{Z}}_p$ is the $j$th secret is to be recovered, corresponding to the non-leaf node in the access tree structure. When the secret is restored, if the set of attributes owned by the user satisfies the partial access structure, then ${\left\{{\omega }_i\in {\mathbb{Z}}_p\right\}}_{i\in I}$ holds under a polynomial that satisfies ${\displaystyle {\sum }_{i\in I}{\omega }_{i,j}{M}_i^{\mathrm{T}}={\epsilon }_j}$, where ${\epsilon }_j$ is a row vector of length $n$, the $j$th element is 1, and the remaining elements are 0. After that, $s_j={\displaystyle {\sum }_{i\in I}{\omega }_{i,j}{\lambda }_i}$ can be obtained by calculation.

3.3. Edwards-Curve Digital Signature Algorithm (EdDSA)

EdDSA [42] is a deterministic signature algorithm based on the Edwards25519 curve. The basic parameters of the Edwards25519 curve are noted as $PP=\left(q,F_q,c,d,B,n,H_1,H_2\right)$, where $q=2^{255}-19$ is characteristic of $F_q$. The parameters $c,d\in F_q$ define the Edwards curve $E_{c,d}{:\mathrm{cx}}^2+y^2=1+d{\mathrm{x}}^2{y}^2$. Define a point $B$ as the base point $B\in E_{c,d}\left(F_q\right)$ of the curve. The prime number $n$ represents the order of the base point $B$, which satisfies $nB=0$ and $2^{3}n=\#E_{c,d}$. Let $H_1:{\left\{0,1\right\}}^K\to {\left\{0,1\right\}}^n$ and $H_2:{\left\{0,1\right\}}^{*}\to Z_n$ be cryptographic hash functions, where $K$ is the smallest positive integer. The parameter $b^{\prime }$ is arbitrarily selected to satisfy $2^{b^{\prime }-1}>q$, and the fixed value of $b^{\prime }$ in the Edwards25519 curve is 256.

3.4. Zero-Knowledge Proof (ZKP)

To protect privacy information from leakage, the user applies the ZKP to prove ownership of the attribute set $S$ to the attribute authorization center. Similar to the scheme [43], we assume that $S$ can be written in public form $g^S$ without revealing the secret. To do so, we apply the efficient non-interactive ZKP (NIZKP) [44] proposed by Schnorr as follows:

• The user, as a prover, selects $\omega \in {}_{R}Z{}_p^{*}$, then computes $w=g^{\omega }\left(\mathrm{mod}p\right)$, $c=H\left(a,g^S\right)$, and $z=\left(cS+\omega \right)\mathrm{mod}q$. The user sends the zero-knowledge proof $ZKP=\left\{w,g^S,z,c\right\}$ to the attribute authorization center, where $p\ge 2^{512}$ and $q\ge 2^{140}$ are sufficiently large prime numbers and $g$ is an integer in $Z_p$ whose order is $q$.
• The attribute authorization center, as a verifier, first calculates $c^{\prime }=H\left(w,g^S\right)$, then checks if $w$ is equal to $g^z·g^{-S·c^{\prime }}\left(\mathrm{mod}p\right)$.

4. Scheme Definition

In this section, the specific constructions of Hierarchical Access Control and ACHM are first given. Then, AH-MAC-DHE is proposed to solve the problem of privacy protection for hierarchical data-oriented.

4.1. Hierarchical Access Control Based on LSSS

In Hierarchical Access Control, multiple access structures with hierarchical relationships can be integrated into a single access structure. As shown in Figure 2, $A_1$ and $A_2$ represent the access structures of $m_1$ and $m_2$, where the access structure of $A_1$ contains $A_2$. Thus, they can be integrated into a single access structure $A$. As shown in Figure 3, the attributes of User 1 satisfy the entire access structure and can decrypt all data. The attributes of User 2 satisfy the partial access structure; only the data associated with this part can be decrypted.

The hierarchical access tree $A$ in Figure 3 is expressed as $\left(\mathrm{Cardiologist}\mathrm{AND}\left(\mathrm{Central}\mathrm{hospital}\mathrm{AND}\left(\mathrm{Professor}\mathrm{OR}\mathrm{Researcher}\right)\right)\right)$ using the Boolean formula, which is converted into the LSSS matrix as:

$$M=\left(\begin{array}{ccc}1& 1& 0\\ \begin{array}{c}0\\ 0\end{array}& \begin{array}{c}-1\\ 0\end{array}& \begin{array}{c}1\\ -1\end{array}\\ 0& 0& -1\end{array}\right).$$

(1)

Next, we give an example of how to use the LSSS matrix to achieve hierarchical access control. When encrypting, a column vector $\overrightarrow{v}=\left(s_1,s_2,s_3\right)=\left(2,5,3\right)$ is randomly selected, where $s_1,s_2,s_3$ are secrets assigned to the non-leaf nodes in Figure 3, and $\lambda$ can be calculated by Formula (2).

$$\lambda =M·\overrightarrow{v}=\left(\begin{array}{ccc}1& 1& 0\\ \begin{array}{c}0\\ 0\end{array}& \begin{array}{c}-1\\ 0\end{array}& \begin{array}{c}1\\ -1\end{array}\\ 0& 0& -1\end{array}\right)·\left(\begin{array}{c}2\\ 5\\ 3\end{array}\right)=\left(\begin{array}{c}7\\ \begin{array}{c}-2\\ -3\end{array}\\ -3\end{array}\right)$$

(2)

From LSSS, we know $s_j={\displaystyle {\sum }_{i\in I}{\omega }_{i,j}{\lambda }_i={\omega }_j^{\mathrm{T}}{\lambda }_A}$, where $I=\left\{i:\rho \left(i\right)\in \mathrm{S}\right\}$, $\rho \left(i\right)$ can convert the $i$th into the attribute represented by this row, and $S$ is the user’s attribute set. Obviously, we must get ${\omega }_j$ if we want to get $s_j$. Then we make the following Formula (3) derivation:

$$s_j=s_j^{\mathrm{T}}={\lambda }_A^{\mathrm{T}}{\omega }_j={\left(M_A·{\overrightarrow{v}}^{\mathrm{T}}\right)}^{\mathrm{T}}{\omega }_j=\overrightarrow{v}·\left(M_A^{\mathrm{T}}{\omega }_j\right)\mathrm{where}{M}_A={\left(\begin{array}{c}{M}_1\\ \begin{array}{c}\begin{array}{c}⋮\\ M_i\end{array}\\ ⋮\end{array}\\ M_l\end{array}\right)}_{i\in I}.$$

(3)

We make $M_A^{\mathrm{T}}{\omega }_j={\epsilon }_j$, so $s_j=\overrightarrow{v}·{\epsilon }_j$. Then, we can compute ${\epsilon }_j$ as a row vector whose length is $n$, the $j$th element is 1, and the remaining elements are 0.

When decrypting, if a user only has the attributes central hospital and professor, he only satisfies the partial access structure. Then he can get ${\omega }_3$, ${\omega }_2$ by Formulas (4) and (5):

$$M_A^{\mathrm{T}}{\omega }_3=\left(\begin{array}{cc}\begin{array}{c}0\\ -1\end{array}& \begin{array}{c}0\\ 0\end{array}\\ 1& -1\end{array}\right)·{\omega }_3={\epsilon }_3=\left(\begin{array}{c}0\\ 0\\ 1\end{array}\right),$$

(4)

$$M_A^{\mathrm{T}}{\omega }_2=\left(\begin{array}{cc}\begin{array}{c}0\\ -1\end{array}& \begin{array}{c}0\\ 0\end{array}\\ 1& -1\end{array}\right)·{\omega }_2={\epsilon }_2=\left(\begin{array}{c}0\\ 1\\ 0\end{array}\right).$$

(5)

Thus, ${\omega }_3=\left(\begin{array}{c}0\\ -1\end{array}\right),{\omega }_2=\left(\begin{array}{c}-1\\ -1\end{array}\right)$. Finally, the user can get $s_3$ and $s_2$ from Formulas (6) and (7):

$$s_3={\omega }_3^{\mathrm{T}}{\lambda }_A=\left(\begin{array}{cc}0& -1\end{array}\right)·\left(\begin{array}{c}-2\\ -3\end{array}\right)=3,$$

(6)

$$s_2={\omega }_2^{\mathrm{T}}{\lambda }_A=\left(\begin{array}{cc}-1& -1\end{array}\right)·\left(\begin{array}{c}-2\\ -3\end{array}\right)=5.$$

(7)

Similarly, if a user has three attributes: cardiologist, central hospital, and professor. Then, he satisfies the entire access structure, and all the secrets $s_1,s_2,s_3$ can be calculated through the above steps.

4.2. Attribute Convergence Hiding Mechanism Based on Convergent Encryption

In the Attribute Convergence Hiding Mechanism, access policies and user attributes can be generated as hidden access policies and hidden user attributes. As shown in Figure 4, we can hide the attributes in the access policy and user attributes, where the specific values corresponding to the hidden attributes are represented as “*”, “**”, etc.

Convergent encryption uses a hash value of the plaintext as the convergence key so that the plaintext and the ciphertext have a unique mapping relationship. Convergent encryption can ensure that different users encrypt the same data and the final ciphertext is the same. We propose the Attribute Convergence Hiding Mechanism based on this idea. The hidden access policy and user attributes can be used normally for decryption only if the attributes in the access policy are the same as the user attributes; otherwise, they cannot be decrypted.

We use SM3 [45] and SM4 [46] algorithms to implement the Attribute Convergence Hiding Mechanism, which contains the following three algorithms:

• ${\mathrm{KeyGen}}_{SM3}\left(S_i\right)\to \left(k_i\right)$: The algorithm inputs the attribute $S_i$, and outputs the convergent key $k_i$.
• ${\mathrm{Enc}}_{SM4}\left(k_i,S_i\right)\to \left(c_i\right)$: The algorithm inputs the convergent key $k_i$ and attribute $S_i$, and outputs the convergent ciphertext $c_i$.
• ${\mathrm{Hidden}}_{SM3}\left(c_i\right)\to \left(S_{C{H}_i}\right)$: The algorithm inputs the convergent ciphertext $c_i$, and outputs the hidden attribute $S_{C{H}_i}$.

4.3. Model Definition

The system model consists of five main entities, which are the User Authorization Center (UAC), Attribute Authorization Center (AAC), Cloud Service Provider (CSP), Data Owner (DO), and User, as shown in Figure 5. The detailed definition is as follows:

• UAC: The entity is semi-trusted. It performs the corresponding operation honestly but wants to collect as much sensitive content as possible from the performed operation. UAC is responsible for generating the global unique identifier $GID$ for all users, and generating the partial public key $P{K}_1$ and UAC master key $MS{K}_1$. When UAC successfully verifies the signature information generated by AAC and $GID$, the partial private key $S{K}_1$ is generated for the user.
• AAC: The entity is semi-trusted. It is responsible for verifying whether the user owns the attribute set and generating the partial private key $S{K}_2$ for the user. To decentralize the authority of a single authorization center, AAC interacts with UAC through EdDSA to jointly generate the user’s private key $SK$ for the user.
• CSP: The entity is semi-trusted and responsible for providing ciphertext storage and sharing services.
• DO: DO has a large amount of data that needs to be stored and shared in the cloud. DO is responsible for hiding the access policy and encrypting multiple hierarchical data, then uploading the generated ciphertexts to the CSP.
• User: User needs to access a large amount of data in the cloud. User is responsible for generating the zero-knowledge proof for the user attributes he owns and hiding the user attributes. If the user attributes only satisfy the partial access structure, User can only decrypt the data related to this partial.

4.4. Algorithm Definition

AH-MAC-DHE consists of seven algorithms, which are described as follows:

1

Setup

(1)

$\mathrm{UAC}.\mathrm{Setup}\left(1^{\gamma }\right)\to \left(P{K}_1,MS{K}_1\right)$: The algorithm is executed by UAC. The input is the security parameter $1^{\gamma }$ and the outputs are the partial public key $P{K}_1$ and UAC master key $MS{K}_1$.

(2)

$\mathrm{AAC}.\mathrm{Setup}\left(P{K}_1\right)\to \left(P{K}_2,MS{K}_2,P{K}_{ZKP}\right)$: The algorithm is executed by AAC. The input is the partial public key $P{K}_1$ and the outputs are the partial public key $P{K}_2$, AAC master key $MS{K}_2$, and zero-knowledge proof public key $P{K}_{ZKP}$.

UAC and AAC, respectively, generate the partial public key. Finally, UAC synthesizes the public key $PK$, where $PK=P{K}_1+P{K}_2$.

2

$\mathrm{ZKPGen}\left(P{K}_{ZKP},S\right)\to \left(ZKP\right)$: The algorithm is executed by User. The inputs are the zero-knowledge proof public key $P{K}_{ZKP}$ and attribute set $S$, and the output is the zero-knowledge proof $ZKP$.

3

Attribute Convergent Hiding

(1)

$\mathrm{User}.\mathrm{ConHid}\left(S\right)\to \left(S_{CH}\right)$: The algorithm is executed by User. The input is the attribute set $S$ and the output is the hidden attribute set $S_{CH}$.

(2)

$\mathrm{DO}.\mathrm{ConHid}\left(A\right)\to \left(T\right)$: The algorithm is executed by DO. The input is the access structure $A$ and the output is the hidden access structure $T$.

4

$\mathrm{SignGen}\left(PP,PK,P{K}_{ZKP},MS{K}_2,GID,ZKP\right)\to \left(Sign\right)$: The algorithm is executed by AAC. The inputs are the Edwards25519 curve parameter $PP$, public key $PK$, zero-knowledge proof public key $P{K}_{ZKP}$, AAC master key $MS{K}_2$, user’s global unique identifier $GID$, and zero-knowledge proof $ZKP$, and the output is the signature information $Sign$.

5

Key Generation

(1)

$\mathrm{UAC}.\mathrm{KeyGen}\left(PP,MS{K}_1,Sign\right)\to \left(S{K}_1\right)$: The algorithm is executed by UAC. The inputs are the Edwards25519 curve parameter $PP$, UAC master key $MS{K}_1$, and signature information $Sign$, and the output is the partial private key $S{K}_1$.

(2)

$\mathrm{AAC}.\mathrm{KeyGen}\left(PK,S_{CH}\right)\to \left(S{K}_2\right)$: The algorithm is executed by AAC. The inputs are the public key $PK$ and user’s hidden attribute set $S_{CH}$, and the output is the partial private key $S{K}_2$.

When User obtains the partial private key sent by UAC and AAC, User obtains the user’s private key $SK$ by combination, where $SK=S{K}_1+S{K}_2$.

6

Encryption

(1)

$\mathrm{SM}4.\mathrm{Encryption}\left(\left\{m_j,j\in \left(1,n\right)\right\},CK\right)\to \left(CT\right)$: The algorithm is executed by DO. The inputs are the data set $\left\{m_j,j\in \left(1,n\right)\right\}$ and symmetric key set $CK$, and the output is the data ciphertext $CT$.

(2)

$\mathrm{DHE}.\mathrm{Encryption}\left(PK,T,CK\right)\to \left(C{T}_{SM4}\right)$: The algorithm is executed by DO. The inputs are the public key $PK$, hidden access structure $T$, and symmetric key set $CK$, and the output is the symmetric key ciphertext $C{T}_{SM4}$.

7

Decryption

(1)

$\mathrm{DHE}.\mathrm{Decryption}\left(PK,SK,C{T}_{SM4}\right)\to \left(c{k^{\prime }}_j\right)$: The algorithm is executed by User. The inputs are the public key $PK$, user’s private key $SK$, and symmetric key ciphertext $C{T}_{SM4}$, and the output is the hierarchical symmetric key $c{k^{\prime }}_j$ of layer $j$.

(2)

$\mathrm{SM}4.\mathrm{Decryption}\left(c{k^{\prime }}_j,CT\right)\to \left(\left\{m_j,j\in \left(1,n\right)\right\}\right)$: The algorithm is executed by User. The inputs are the hierarchical symmetric key $c{k^{\prime }}_j$ of layer $j$ and data ciphertext $CT$, and the output is the data set $\left\{m_j,j\in \left(1,n\right)\right\}$.

5. Scheme Structure

AH-MAC-DHE can be divided into six phases, as shown in Figure 6. The structure of AH-MAC-DHE is as follows.

• Setup
  The Setup phase contains $\mathrm{UAC}.\mathrm{Setup}$ and $\mathrm{AAC}.\mathrm{Setup}$ algorithms, which are executed by UAC and AAC, respectively.

  (1)

  $\mathrm{UAC}.\mathrm{Setup}\left(1^{\gamma }\right)\to \left(P{K}_1,MS{K}_1\right)$: The algorithm is executed by UAC, which first inputs the security parameter $1^{\gamma }$ to generate two multiplicative cyclic groups 𝔾 and ${\mathbb{G}}_T$ with the same prime order $p$, where $g$ is the generator of group 𝔾. Then, UAC defines a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ and a hash function $H:{\left\{0,1\right\}}^{*}\to \mathbb{G}$. Finally, it selects a random number ${\alpha }_1\in {\mathbb{Z}}_p$ to generate the partial public key $P{K}_1$ and UAC master key $MS{K}_1$, where $MS{K}_1$ is only owned by UAC.

  $$P{K}_1=\left(e,\mathbb{G},{\mathbb{G}}_T,p,g,e{\left(g,g\right)}^{{\alpha }_1},H\right)$$

  (8)

  $$MS{K}_1=\left(g^{{\alpha }_1}\right)$$

  (9)

  (2)

  $\mathrm{AAC}.\mathrm{Setup}\left(P{K}_1\right)\to \left(P{K}_2,MS{K}_2,P{K}_{ZKP}\right)$: The algorithm is executed by AAC. AAC first inputs the partial public key $P{K}_1$ and selects two random numbers ${\alpha }_2,\beta \in {\mathbb{Z}}_p$. Then, AAC generates public parameters $p_{ZKP}$ and $q_{ZKP}$, and selects a random number $g_{ZKP}\in Z_{p_{ZKP}}$, where $p_{ZKP}\ge 2^{512}$ and $q_{ZKP}\ge 2^{140}$. Furthermore, AAC defines a hash function $H_{ZKP}{\left\{0,1\right\}}^{*}\to Z_{p_{ZKP}}$. Finally, it generates the partial public key $P{K}_2$, AAC master key $MS{K}_2$ and zero-knowledge proof public key $P{K}_{ZKP}$, where $MS{K}_2$ is only owned by AAC.

  $$P{K}_2=\left(e{\left(g,g\right)}^{{\alpha }_2},h=g^{\beta }\right)$$

  (10)

  $$MS{K}_2=\left(g^{{\alpha }_2},\beta \right)$$

  (11)

  $$P{K}_{ZKP}=\left(p_{ZKP},q_{ZKP},g_{ZKP},H_{ZKP}\right)$$

  (12)

  AAC sends $P{K}_2$ to UAC, UAC synthesizes the public key $PK$, and $PK$ is as follows:

  $$PK=\left(e,\mathbb{G},{\mathbb{G}}_T,p,g,e{\left(g,g\right)}^{{\alpha }_1+{\alpha }_2},H,h\right)$$

  (13)
• ZKP generation and attributes hidden
  The phase contains $\mathrm{ZKPGen}$ and $\mathrm{User}.\mathrm{ConHid}$ algorithms, which are executed by User.

  (1)

  $\mathrm{ZKPGen}\left(P{K}_{ZKP},S\right)\to \left(ZKP\right)$: User inputs the zero-knowledge proof public key $P{K}_{ZKP}$ and attribute set $S$. First, User selects a random number $\omega \in {}_{R}Z{}_{p_{ZKP}}^{*}$ and calculates $g_{ZKP}^S$, $w=g_{ZKP}^{\omega }\left(\mathrm{mod}{p}_{ZKP}\right)$, $c=H_{ZKP}\left(w,g_{ZKP}^S\right)$ and $z=\left(cS+\omega \right)\mathrm{mod}{q}_{ZKP}$. Then, User obtains the zero-knowledge proof $ZKP$.

  $$ZKP=\left(w,g_{ZKP}^S,z,c\right)$$

  (14)

  (2)

  $\mathrm{User}.\mathrm{ConHid}\left(S\right)\to \left(S_{CH}\right)$: User first inputs the attribute set $S$, and generates a convergence key $k_i$ for each attribute in $S$. Then, User uses $k_i$ to encrypt the corresponding attribute to generate a convergent ciphertext $c_i$, and uses the SM3 algorithm to encrypt $c_i$ to generate a hidden attribute $S_{C{H}_i}$. Finally, User outputs the hidden attribute set $S_{CH}$.

• EdDSA signature generation
  $\mathrm{SignGen}\left(PP,PK,P{K}_{ZKP},MS{K}_2,GID,ZKP\right)\to \left(Sign\right)$: The algorithm is executed by AAC, which inputs the Edwards25519 curve parameter $PP$, public key $PK$, zero-knowledge proof public key $P{K}_{ZKP}$, AAC master key $MS{K}_2$, user’s global unique identifier $GID$, and zero-knowledge proof $ZKP$. AAC first verifies whether the user owns the attribute set $S$, calculates $c^{\prime }=H_{ZKP}\left(w,g_{ZKP}^S\right)$, and then AAC checks whether $w$ is equal to $g_{ZKP}^z·g_{ZKP}^{-S·c^{\prime }}\left(\mathrm{mod}{p}_{ZKP}\right)$. When the verification is successful, AAC binds a random number $t\in {\mathbb{Z}}_p$ to $GID$ and calculates $d=g^{{\alpha }_2}·g^{\beta t}$.
  Then, AAC arbitrarily selects a random string $\phi$ of $b^{\prime }$ bits as the private key of EdDSA, and calculates $H_1\left(\phi \right)=\left(h_0,h_1,\dots ,h_{2^{b^{\prime }-1}}\right)$, let $a=\left(h_0,h_1,\dots ,h_{b^{\prime }-1}\right)$, $b=\left(h_{b^{\prime }},h_{b^{\prime }+1},\dots ,h_{2^{b^{\prime }-1}}\right)$. AAC uses $a$ to calculate the integer $x=\left(2^{b^{\prime }-2}+{\displaystyle {\sum }_{i=3}^{b^{\prime }-3}{2}^i·h_i}\right)\mathrm{mod}{n}_{Ed}$ as the signature auxiliary private key and calculates the signature public key $A_{Ed}=xB$, where $B$ is the base point of the curve. AAC calculates the hash value $e_{Ed}=H_2\left(GID\parallel d\right)$ of message $\left(GID\parallel d\right)$. Then, AAC calculates $r=H_2\left(b,e_{Ed}\right)\mathrm{mod}{n}_{Ed}$, $R=rB$, $h_{Ed}=H_2\left(R,A_{Ed},e_{Ed}\right)\mathrm{mod}{n}_{Ed}$ and $s_{Ed}=\left(r+h_{Ed}x\right)\mathrm{mod}{n}_{Ed}$ in turn, where $r$ is the ephemeral key. AAC outputs the signature information $Sign$, where the signature of the message is $\sigma =\left(R,s_{Ed}\right)$.

  $$Sign=\left(GID,d,\sigma ,A_{Ed}\right)$$

  (15)
• Private key generation
  The private key generation phase is divided into two algorithms, $\mathrm{UAC}.\mathrm{KeyGen}$ and $\mathrm{AAC}.\mathrm{KeyGen}$, which are executed by UAC and AAC, respectively.

  (1)

  $\mathrm{UAC}.\mathrm{KeyGen}\left(PP,MS{K}_1,Sign\right)\to \left(S{K}_1\right)$: The algorithm is executed by UAC, which inputs the Edwards25519 curve parameter $PP$, UAC master key $MS{K}_1$, and signature information $Sign$. UAC first calculates $h_{Ed}=H_2\left(R,A_{Ed},e_{Ed}\right)\mathrm{mod}{n}_{Ed}$, and verifies whether the equation $s_{Ed}B=R+h_{Ed}{A}_{Ed}$ is true. If the equation is true, $\sigma$ is a valid signature; otherwise, it is invalid. Then, UAC judges whether the user is legal through $GID$. When $\sigma$ and $GID$ are correct, UAC calculates $Q=g^{{\alpha }_1}·d$, and sends the generated partial private key $S{K}_1$ to the user.

  $$S{K}_1=\left(Q=g^{{\alpha }_1+{\alpha }_2}·g^{\beta t}\right)$$

  (16)

  (2)

  $\mathrm{AAC}.\mathrm{KeyGen}\left(PK,S_{CH}\right)\to \left(S{K}_2\right)$: The algorithm is executed by AAC, and inputs the public key $PK$ and user’s hidden attribute set $S_{CH}$. First, AAC calculates $g^t$, binds each hidden attribute in $S_{CH}$ to the random number $t$ corresponding to $GID$, and calculates $H{\left(i\right)}^t$. Then, AAC outputs the partial private key $S{K}_2$, and sends $S{K}_2$ to the user.

  $$S{K}_2=\left(L=g^t,\forall i\in S_{CH}:K_i=H{\left(i\right)}^t\right)$$

  (17)

  After the user obtains part of the private key sent by UAC and AAC, the user’s private key $SK$ is obtained through a combination.

  $$SK=\left(Q,L,\forall i\in S_{CH}:K_i\right)$$

  (18)
• Encryption
  The encryption phase includes $\mathrm{DO}.\mathrm{ConHid}$, $\mathrm{SM}4.\mathrm{Encryption}$ and $\mathrm{DHE}.\mathrm{Encryption}$ algorithms, which are executed by DO.

  (1)

  $\mathrm{DO}.\mathrm{ConHid}\left(A\right)\to \left(T\right)$: DO first inputs the access structure $A$, and generates a convergence key $k_i$ for each attribute in $A$. Then, DO uses $k_i$ to encrypt the corresponding attribute to generate a convergent ciphertext $c_i$, and uses the SM3 algorithm to encrypt $c_i$ to generate a hidden attribute to replace the original attribute in $A$. Finally, DO outputs the hidden access structure $T$.

  (2)

  $\mathrm{SM}4.\mathrm{Encryption}\left(\left\{m_j,j\in \left(1,n\right)\right\},CK\right)\to \left(CT\right)$: DO inputs the data set $\left\{m_j,j\in \left(1,n\right)\right\}$ and randomly generates $n$ symmetric keys $CK=\left\{c{k}_1,\dots ,c{k}_n\right\}$ used to encrypt data in the data set. Then, DO outputs the data ciphertext $CT$.

  (3)

  $\mathrm{DHE}.\mathrm{Encryption}\left(PK,T,CK\right)\to \left(C{T}_{SM4}\right)$: DO inputs the public key $PK$, hidden access structure $T$, and symmetric key set $CK$. First, DO randomly selects a secret value $s_j\in {\mathbb{Z}}_p$ for each hierarchical symmetric key and generates a column vector $\overrightarrow{v}=\left(s_1,\dots ,s_j,\dots ,s_n\right)$. Then, DO calculates $C_j^{*}=c{k^{\prime }}_{j}e{\left(g,g\right)}^{\alpha s_j}$ and ${C^{\prime }}_j=g^{s_j},j\in \left(1,n\right)$ at different hierarchies, where $\alpha ={\alpha }_1+{\alpha }_2$ and $c{k^{\prime }}_j$ are the hierarchical symmetric key of layer $j$ obtained by aggregating the symmetric keys of layer $j$ and below layer $j$. The symmetric key aggregation is shown below:

  $$\begin{array}{c}c{k^{\prime }}_n=c{k}_n,\\ c{k^{\prime }}_{n-1}=c{k}_{n-1}\cup c{k^{\prime }}_n,\\ ⋮\\ c{k^{\prime }}_1=c{k}_1\cup c{k^{\prime }}_2.\end{array}$$

  (19)

  $n$ is the lowest layer symmetric key. The lower layer symmetric key will be aggregated with the upper layer symmetric key to generate a new hierarchical symmetric key.

  Subsequently, DO defines the LSSS matrix $M$ with a mapping function $\rho \left(i\right)$. The dimension of $M$ is $l\times n$, which represents the hidden access structure $T$. Each row in $M$ is associated with attribute $i$ via $\rho \left(i\right)$. DO generates random numbers ${\tau }_1,\dots ,{\tau }_l\in {\mathbb{Z}}_p$ for each attribute in $\rho \left(i\right),i\in \left(1,l\right)$. DO first calculates ${\lambda }_i=M_i\overrightarrow{v}$, and then calculates the relevant parameters $C_i=g^{\beta {\lambda }_i}{H}_{\rho \left(i\right)}^{-{\tau }_i}$ and $D_i=g^{{\tau }_i}$ of the attribute.
  Finally, the symmetric key ciphertext $C{T}_{SM4}$ is shown below:

  $$C{T}_{SM4}=\left(\left(M,\rho \right),C_j^{*},{C^{\prime }}_j,C_i,D_i,j\in (1,n),i\in \left(1,l\right)\right).$$

  (20)
• Decryption
  The decryption phase includes $\mathrm{DHE}.\mathrm{Decryption}$ and $\mathrm{SM}4.\mathrm{Decryption}$ algorithms, which are executed by User.

  (1)

  $\mathrm{DHE}.\mathrm{Decryption}\left(PK,SK,C{T}_{SM4}\right)\to \left(c{k^{\prime }}_j\right)$: User inputs the public key $PK$, user’s private key $SK$, and symmetric key ciphertext $C{T}_{SM4}$. For each $j\in \left(1,n\right)$, User computes ${\omega }_{i,j}$ from ${\displaystyle {\sum }_{i\in I}{\omega }_{i,j}{M}_i^{\mathrm{T}}={\epsilon }_j}$. When ${\omega }_{i,j}$ is obtained, calculate:

  $$\begin{array}{l}{F}_j=\frac{e\left({C^{\prime }}_j,Q\right)}{{\displaystyle {\prod }_{i\in I,j}{\left(e\left(C_i,L\right)e\left(D_i,K_{\rho \left(i\right)}\right)\right)}^{{\omega }_{i,j}}}}\\ =\frac{e\left(g^{s_j},g^{\alpha }{g}^{\beta t}\right)}{{\displaystyle {\prod }_{i\in I,j}{\left(e\left(g^{\beta {\lambda }_i},g^t\right)e\left(g^{\beta {\lambda }_i},H_{\rho \left(i\right)}^{-{\tau }_i}\right)e\left(g^{{\tau }_i},H_{\rho \left(i\right)}^t\right)\right)}^{{\omega }_{i,j}}}}\\ =\frac{e{\left(g,g\right)}^{\alpha s_j}e{\left(g,g\right)}^{\beta s_{j}t}}{{\displaystyle {\prod }_{i\in I,j}e{\left(g,g\right)}^{t\beta {\lambda }_i{\omega }_{i,j}}}}\\ =e{\left(g,g\right)}^{\alpha s_j}.\end{array}$$

  (21)

  User decrypts $C_j^{*}$ to recover the hierarchical symmetric key $c{k^{\prime }}_j$ of layer $j$. The subsequent decryption process stops when $c{k^{\prime }}_j$ is successfully decrypted.

  $$\frac{C_j^{*}}{F_j}=\frac{c{k^{\prime }}_{j}e{\left(g,g\right)}^{\alpha s_j}}{e{\left(g,g\right)}^{\alpha s_j}}=c{k^{\prime }}_j$$

  (22)

  If ${\omega }_{i,j}$ cannot be calculated, outputs $c{k^{\prime }}_j=NULL$.

  (2)

  $\mathrm{SM}4.\mathrm{Decryption}\left(c{k^{\prime }}_j,CT\right)\to \left(\left\{m_j,j\in \left(1,n\right)\right\}\right)$: User inputs the hierarchical symmetric key $c{k^{\prime }}_j$ of layer $j$ and data ciphertext $CT$ to decrypt and obtains the data below layer $j$ and layer $j$.

6. Security Analysis

In this section, the Chosen Plaintext Attack (CPA) security game for AH-MAC-DHE is given first. Then, a formal security proof is provided based on the decisional q-parallel BDHE assumption. Finally, it is shown that AH-MAC-DHE satisfies anti-collusion and privacy security.

6.1. CPA Security Game for AH-MAC-DHE

In AH-MAC-DHE, $SK$ represents the user’s private key associated with the set of hidden attributes. The hidden access structure $T$ is associated with symmetric key ciphertext $C{T}_{SM4}$. In CPA, the challenge hidden access structure $T^{*}$ is chosen arbitrarily by the adversary 𝒜. If the hidden attribute set of users does not satisfy $T^{*}$, 𝒜 can require all $SK$. We consider the CPA, which can be represented as a game between 𝒜 and challenger $𝒞$. It is noted that the channel for exchanging information is completely secure.

• Initialization: The challenging hidden access structure $T^{*}$ is chosen by 𝒜, in which $T^{*}$ is submitted to $𝒞$.
• Setup: $𝒞$ executes the Setup algorithm and transmits the public key $PK$ to 𝒜.
• Query phase 1: First, 𝒜 generates a zero-knowledge proof $ZKP$ of the attribute set $S$, and sends the hidden attribute set $S_{CH}$, where $S_{CH}$ does not satisfy the $T^{*}$. Then, $𝒞$ runs the SignGen algorithm to generate signature information $Sign$. In addition, $𝒞$ runs the KeyGen algorithm to obtain the user’s private key $SK$, and sends it to 𝒜.
• Challenge: In this phase, 𝒜 first submits two data ${\text{ℳ}}_0$ and ${\text{ℳ}}_1$ with the same length. Then, 𝒜 sends these two data to $𝒞$. $𝒞$ randomly selects $\theta \in \left\{0,1\right\}$, runs the Encryption algorithm, and sends the obtained $C{T}_{SM4}$ to 𝒜.
• Query phase 2: 𝒜 requests to obtain $SK$, which is the same as Query phase 1.
• Guessing phase: 𝒜 outputs the guess value ${\theta }^{\prime }\in \left\{0,1\right\}$ for judgment. If $\theta ={\theta }^{\prime }$, 𝒜 wins the security game. In this game, the probability of 𝒜 winning the security game is $Ad{v}_{𝒜}\left(1^{\gamma }\right)=\left|\mathrm{Pr}\left[\theta ={\theta }^{\prime }\right]-\frac{1}{2}\right|$.

Definition 1.

The proposed scheme can be defined as secure against the CPA if no probabilistic polynomial-time (PPT) adversaries have a nonnegligible advantage in the aforementioned game.

6.2. Security Proof for AH-MAC-DHE

The decisional q-parallel BDHE assumes the following. Based on the security parameter, the challenger selects two groups 𝔾 and ${\mathbb{G}}_T$, where $g$ is the generator of 𝔾, and the two groups are the prime order $p$. Let $\beta ,s_j,b_1,\dots ,b_q\in {\mathbb{Z}}_p$ be obtained arbitrarily. An adversary can be obtained for the following data:

$$\overrightarrow{y}=\left\{\begin{array}{c}g,g^{s_j},g^{\beta },\dots ,g^{\left({\beta }^q\right)},,g^{\left({\beta }^{q+2}\right)},\dots ,g^{\left({\beta }^{2q}\right)}\\ {\forall }_{1\le f\le q}{g}^{s_j·b_f},g^{\beta /b_f},\dots ,g^{\left({\beta }^q/b_f\right)},g^{\left({\beta }^{q+2}/b_f\right)},\dots ,g^{\left({\beta }^{2q}/b_f\right)}\\ {\forall }_{1\le f,k\le q,k\ne f}{g}^{\beta s_j{b}_k/b_f},\dots ,g^{{\beta }^q{s}_j{b}_k/b_f}\end{array}\right\}.$$

(23)

It is difficult to distinguish $e{\left(g,g\right)}^{{\beta }^{q+1}{s}_j}\in {\mathbb{G}}_T$ from a random element in ${\mathbb{G}}_T$. An algorithm $ℬ$ can guess $z\in \left\{0,1\right\}$ with the advantage $\epsilon$ in resolving the decisional q-parallel BDHE when

$$\left|\mathrm{Pr}\left[ℬ\left(\overrightarrow{y},T=e{\left(g,g\right)}^{{\beta }^{q+1}{s}_j}\right)=0\right]-\mathrm{Pr}\left[ℬ\left(\overrightarrow{y},T=R\right)=0\right]\right|\ge \epsilon .$$

(24)

Definition 2.

We say that the decisional q-parallel BDHE assumption holds if no polytime algorithm has a nonnegligible advantage in solving the decisional q-parallel BDHE problem.

Theorem 1.

Assume that the decisional q-parallel BDHE assumption holds. Then, there is no polynomial-time adversary that can selectively break AH-MAC-DHE with a challenge concealment access structure of size $l^{*}\times n^{*}$, where $l^{*},n^{*}\le q$.

Proof. 

Suppose that the adversary 𝒜 can break AH-MAC-DHE with nonnegligible advantage $\epsilon =Ad{v}_{𝒜}$ in the CPA security game. We assume it chooses a challenge matrix $M^{*}$ with at most $q$ in both dimensions. It can be seen from the above that AH-MAC-DHE will stop decrypting after successfully decrypting the hierarchical symmetric key. For the convenience of discussion, take the highest hierarchy as an example to prove the security of AH-MAC-DHE. The security of the low hierarchy is the same as that of the high hierarchy. We show how to build a simulator $ℬ$ that differentiates between decisional q-parallel BDHE assumption, where challenger $𝒞$ is played by $ℬ$. □

• Initialization: The challenging hidden access structure $\left(M^{*},{\rho }^{*}\right)$ is chosen by 𝒜, which $\left(M^{*},{\rho }^{*}\right)$ is submitted to $ℬ$.
• Setup: $ℬ$ randomly selects ${\alpha }_1,{\alpha }_2\in {\mathbb{Z}}_p$, let ${\alpha }^{\prime }={\alpha }_1+{\alpha }_2$. Subsequently, $ℬ$ implicitly sets $\alpha ={\alpha }^{\prime }+{\beta }^{q+1}$ by letting $e{\left(g,g\right)}^{\alpha }=e\left(g^{\beta },g^{{\beta }^q}\right)e{\left(g,g\right)}^{{\alpha }^{\prime }}$. $ℬ$ defines a hash function $H:{\left\{0,1\right\}}^{*}\to \mathbb{G}$ as a random oracle $H\left(x\right)$. Let $X$ denote the set of index $i$ such that ${\rho }^{*}\left(i\right)=x$. For each attribute $x$, chooses a random value $z_x$, $ℬ$ defines $H\left(x\right)=g^{z_x}{\displaystyle \prod _{i\in X}{g}^{\beta M_{i,1}^{*}/b_i}·g^{{\beta }^2{M}_{i,2}^{*}/b_i}\cdots g^{{\beta }^n{M}_{i,n}^{*}/b_i}}$, and when $X=\varnothing$, then $H\left(x\right)=g^{z_x}$.
• Query phase 1: In this phase, $ℬ$ provides 𝒜 with arbitrary user’s private key generation. Suppose $ℬ$ is given a hidden attribute set $S_{CH}$ to generate a private key, where $S_{CH}$ does not satisfy the challenge matrix $M^{*}$.
  $ℬ$ first randomly selects $r\in {\mathbb{Z}}_p$, and then finds a vector ${\overrightarrow{\omega }}_j=\left({\omega }_{1,j},\dots ,{\omega }_{n^{*},j}\right)\in {\mathbb{Z}}_p^{n^{*}}$ that satisfies ${\displaystyle {\sum }_{i\in I}{\omega }_{i,j}{M}_i^{*}{}^{\mathrm{T}}}={\epsilon }_j$ in polynomial time, where $j\in \left(1,n^{*}\right)$ is the hierarchy height of decryption, ${\epsilon }_j$ is a row vector of length $n^{*}$, the $j$th element is 1, and the rest are 0.
  $ℬ$ implicitly defines $t$ as $r+{\omega }_{1,j}{\beta }^q+{\omega }_{2,j}{\beta }^{q-1}+\cdots +{\omega }_{n^{*},j}{\beta }^1$ and defines $L$ as:

  $$L=g^r{\displaystyle {\prod }_{i=1,\dots ,n^{*}}{\left(g^{{\beta }^{q+1-i}}\right)}^{{\omega }_{i,j}}}=g^t.$$

  (25)
  Then, from the definition of $t$, $ℬ$ can define $Q$ as:

  $$Q=g^{{\alpha }^{\prime }}{g}^{\beta r}{\displaystyle \prod _{i=2,\dots ,n^{*}}{\left(g^{{\beta }^{q+2-i}}\right)}^{{\omega }_{i,j}}}.$$

  (26)
  Finally, $ℬ$ computes $K_x$ as:

  $$K_x=L^{z_x}{{\displaystyle \prod _{i\in X}{\displaystyle \prod _{f=1,\dots ,n^{*}}\left(g^{\left({\beta }^f/b_i\right)r}{\displaystyle \prod _{\begin{array}{c}k=1,\dots ,n^{*}\\ k\ne f\end{array}}{\left(g^{{\beta }^{q+1+f-k}/b_i}\right)}^{{\omega }_{k,j}}}\right)}}}^{M_{i,f}^{*}}.$$

  (27)
• Challenge: 𝒜 first gives $ℬ$ two pieces of data ${\text{ℳ}}_0$ and ${\text{ℳ}}_1$ with the same length. Then, $ℬ$ flips coin $\theta$, $C_j^{*}={\text{ℳ}}_{\theta }T·e\left(g^{s_j},g^{{\alpha }^{\prime }}\right)$ and ${C^{\prime }}_j=g^{s_j}$ are generated.
  $ℬ$ randomly selects ${y^{\prime }}_2,\dots ,{y^{\prime }}_{n^{*}}$ and uses the vector $\overrightarrow{v}=\left(s_j,s_j\beta +{y^{\prime }}_2,s_j{\beta }^2+{y^{\prime }}_3,\dots ,s_j{\beta }^{n-1}+{y^{\prime }}_{n^{*}}\right)\in {\mathbb{Z}}_p$ to share the secret. Also, $ℬ$ randomly selects ${{\tau }^{\prime }}_1,\dots ,{{\tau }^{\prime }}_l$.
  For $i=1,\dots ,n^{*}$, $ℬ$ defines $R_i$ to be the set of all $k\ne i$ such that ${\rho }^{*}\left(i\right)={\rho }^{*}\left(k\right)$, then generates the ciphertext component:

  $$D_i=g^{-{{\tau }^{\prime }}_i}{g}^{s_j{b}_i},$$

  (28)

  $$C_i=H{\left({\rho }^{*}\left(i\right)\right)}^{{{\tau }^{\prime }}_i}\left({\displaystyle \prod _{f=2,\dots ,n^{*}}{\left(g^{\beta }\right)}^{M_{i,f}^{*}{y^{\prime }}_f}}\right){\left(g^{b_i·s_j}\right)}^{-z_{{\rho }^{*}(i)}}\left({\displaystyle \prod _{k\in R_i}{\displaystyle \prod _{f=1,\dots ,n^{*}}{\left(g^{{\beta }^f·s_j·\left(b_i/b_k\right)}\right)}^{M_{k,f}^{*}}}}\right).$$

  (29)
• Query phase 2: Same as Query phase 1.
• Guess: 𝒜 needs to output a guess ${\theta }^{\prime }$. When $\theta ={\theta }^{\prime }$, $T=e{\left(g,g\right)}^{{\beta }^{q+1}{s}_j}$, and $ℬ$ returns 1 to suggest that he thinks $T$ is a random element in the group ${\mathbb{G}}_T$. If $T=e{\left(g,g\right)}^{abc}$ the challenge ciphertext is a valid ciphertext, in which the advantage is $\epsilon$,

  $$\left|\mathrm{Pr}\left[ℬ\left(\overrightarrow{y},T=e{\left(g,g\right)}^{{\beta }^{q+1}{s}_j}\right)=0\right]=\frac{1}{2}+\epsilon \right|.$$

  (30)

If $T$ is a random element on group ${\mathbb{G}}_T$, then the challenge ciphertext is a completely random ciphertext. 𝒜 has $\mathrm{Pr}\left[ℬ\left(\overrightarrow{y},T=R\right)=0\right]=\frac{1}{2}$, so $ℬ$ has significant advantages in the decisional q-parallel BDHE game.

In brief, the advantage of $ℬ$ can be described as follows:

$$\begin{array}{l}Ad{v}_{ℬ}=\frac{1}{2}\mathrm{Pr}\left[ℬ\left(\overrightarrow{y},T=e{(g,g)}^{{\beta }^{q+1}{s}_j}\right)=0\right]+\frac{1}{2}\mathrm{Pr}\left[ℬ\left(\overrightarrow{y},T=R\right)=0\right]-\frac{1}{2}\\ =\frac{1}{2}·\left(\frac{1}{2}+\epsilon \right)+\frac{1}{2}·\frac{1}{2}-\frac{1}{2}\\ =\frac{\epsilon }{2}.\end{array}$$

(31)

So, we can prove AH-MAC-DHE that is CPA secure under the decisional q-parallel BDHE assumption.

6.3. Anti-Collusion

Any number of AACs may conspire to launch a key escrow attack in an attempt to access data. In AH-MAC-DHE, the authority to generate users’ private keys is distributed to UAC and AAC. When decrypting, AAC needs to have both partial private keys generated by UAC and AAC in order to successfully decrypt the ciphertext. Therefore, multiple AACs cannot access data through the partial private key $S{K}_2$ owned by the combination. Similarly, UAC cannot use the generated partial private key $S{K}_1$ to access data.

Any number of users may launch a collusion attack in an attempt to obtain data. If certain legitimate users with different privileges want to jointly decrypt the contents of a ciphertext that does not belong to them, they must devise a method to obtain the value of $e{\left(g,g\right)}^{\alpha s_j}$. However, in MAC-AH-DHE, the AAC chooses a random element $t$ for each user and collaborates with the UAC to use $t$ to generate a user private key for each user. When users decrypt the ciphertext, $e{\left(g,g\right)}^{\alpha s_j}$ needs to be calculated first, which requires that the users’ private keys of different users need to contain the same $t$. Therefore, multiple users cannot enhance the decryption capability by integrating users’ private keys because users’ private keys of different users have different $t$ values.

In summary, AH-MAC-DHE can effectively resist key escrow attacks and collusion attacks.

6.4. Privacy Security

Attackers may infer the privacy information of data owners through access policies. In the private key generation phase, the semi-trusted AAC can infer the privacy information of users through attributes uploaded by users. In AH-MAC-DHE, both access policies and user attributes need to be hidden through the ACHM. For example, in PHR, the patient sets an access structure for personal information as $\left(\mathrm{Cardiologist}\mathrm{AND}\left(\mathrm{Central}\mathrm{hospital}\mathrm{AND}\left(\mathrm{Professor}\mathrm{OR}\mathrm{Researcher}\right)\right)\right)$. The patient uses ACHM to set the access structure to $\left(*\mathrm{AND}\left(**\mathrm{AND}\left(***\mathrm{OR}****\right)\right)\right)$, where the specific value is replaced by “*”. Meanwhile, the doctor uses ACHM to hide attributes $\left\{\mathrm{Cardiologist},\mathrm{Central}\mathrm{hospital},\mathrm{Professor}\right\}$ as $\left\{*,**,***\right\}$ for generating the user’s private key. Attackers and semi-trusted AAC can only obtain a string of meaningless values and cannot infer personal privacy information through access policies and user attributes. Regarding the attribute anonymity of users to attribute authorization centers, users use Schnorr’s NIZKP to prove the possession of attributes without revealing the attributes.

Therefore, AH-MAC-DHE can effectively protect the security of data owners’ and users’ privacy information.

7. Performance Analysis

In this section, we will compare the functional and performance differences between AH-MAC-DHE and existing schemes. Firstly, AH-MAC-DHE is compared with the schemes in [3,7,8,9,10,13,14,18], through functional analysis. Then, AH-MAC-DHE is compared with the schemes in [3,10,14] through theoretical analysis. Finally, we evaluate the differences between AH-MAC-DHE and the schemes in [3,10,14] in terms of time overhead, private key, and ciphertext storage overhead.

7.1. Functional Analysis

AH-MAC-DHE implements data hierarchical encryption based on LSSS and solves the problems of access policies or user attributes leakage of privacy information and the existence of key escrow. As shown in

Table 1. Scheme function comparison.

Scheme	Multiple Authorization	Access Structure	Hierarchical Encryption	Hidden Access Policy	Hidden User Attributes
[3]	×	Tree	×	×	×
[7,8,9]	×	Tree	√	×	×
[10]	×	LSSS	√	×	×
[13]	×	LSSS	×	√	√
[14]	√	Tree	×	√	√
[18]	√	Tree	√	√	×
Ours	√	LSSS	√	√	√

, compared with the schemes in [3,7,8,9,13,14,18], AH-MAC-DHE can provide efficient data hierarchical encryption. Compared with the schemes in [3,7,8,9,10,18], AH-MAC-DHE provides more secure protection of personal privacy information. Compared with the schemes in [3,7,8,9,10,13], AH-MAC-DHE provides more secure protection of users’ private keys. Therefore, compared with existing schemes, AH-MAC-DHE has good security and high performance.

7.2. Theoretical Analysis

The parameters used in the theoretical analysis and meanings are shown in

Table 2. Parameter definition.

Parameter	Definition
$\mu$	The collection of attributes in the domain.
$S_u\in \mu$	The attributes contained in the user’s private key.
$S_A\in \mu$	The attributes contained in the access structure $A$.
$n$	Number of hierarchical levels of the access structure.
$E_0$	The cost of exponential operations on 𝔾.
$E_T$	The cost of exponential operations on ${\mathbb{G}}_T$.
$M_0$	The cost of multiplication on 𝔾.
$M_T$	The cost of multiplication on ${\mathbb{G}}_T$.
$P$	The cost of pairing operations on 𝔾.
$l_0$	The size of the element in 𝔾.
$l_T$	The size of the element in ${\mathbb{G}}_T$.

. Since the order of magnitude of the hash operation time is much lower than that of other main operations and has no obvious impact, the hash operation time is ignored. As shown in

Table 3. Compare the performance of four algorithms.

Scheme	CP-ABE [3]	AHAC [10]	HAPPS [14]	Ours
Setup time	$2E_0+E_T+P$	$2E_0+E_T+P$	$E_0+E_T+P$	$3E_0+2E_T+2P+M_T$
Private key generation time	$\left(2+2S_u\right)E_0+\left(S_u+1\right)M_0$	$\left(2+S_u\right)E_0+M_0$	$2S_u{E}_0+S_u{M}_0$	$\left(2+S_u\right)E_0+2M_0$
Encryption time	$\begin{array}{c}\left(2S_A+1\right)n{E}_0\\ +n{E}_T+n{M}_T\end{array}$	$\begin{array}{c}\left(3S_A+n\right)E_0+n{E}_T\\ +n{M}_T+S_A{M}_0\end{array}$	$\begin{array}{c}3S_A{E}_0+\left(2S_A+n\right)E_T\\ +\left(S_A+n\right)M_T+S_A{M}_0+P\end{array}$	$\begin{array}{c}\left(3S_A+n\right)E_0+n{E}_T\\ +n{M}_T+S_A{M}_0\end{array}$
Decryption time	$\begin{array}{c}n{S}_A{E}_T+n{M}_T\\ +\left(2S_A+1\right)nP\end{array}$	$\begin{array}{c}{S}_A{E}_T+M_T\\ +\left(2S_A+1\right)P\end{array}$	$\begin{array}{c}n{S}_A{E}_T+\left(S_A+1\right)n{M}_T\\ +2n{S}_{A}P\end{array}$	$\begin{array}{c}{S}_A{E}_T+M_T\\ +\left(2S_A+1\right)P\end{array}$
Private key storage	$\left(2S_u+1\right)l_0$	$\left(2+S_u\right)l_0$	$S_u{l}_0$	$\left(2+S_u\right)l_0$
Ciphertext storage	$\left(2S_A+1\right)n{l}_0+n{l}_T$	$\left(2S_A+n\right)l_0+n{l}_T$	$3n{S}_A{l}_0+n{l}_T$	$\left(2S_A+n\right)l_0+n{l}_T$

, the performance of four CP-ABE algorithms is compared through theoretical analysis. In the Setup phase, since AH-MAC-DHE distributes the authority of a single authorization center to UAC and AAC, this will result in slightly higher computational overhead than other schemes. In the private key generation phase, AH-MAC-DHE at least reduces the computational overhead of $S_u{M}_0$ compared with the schemes in [3,14]. In the encryption phase, the computational overhead is related to the number of hierarchies $n$ and the number of attributes $S_A$ of the access structure. AH-MAC-DHE and [10] schemes implement data hierarchical encryption based on LSSS to provide higher efficiency. Therefore, when the number of hierarchies $n$ increases, the computational overhead at this phase remains unchanged, much smaller than the other two schemes. In the decryption phase, compared with the schemes in [3,14], since AH-MAC-DHE can obtain all plaintexts only once by decryption, the computational overhead of $n\left(E_T+M_T+P\right)$ is at least reduced.

In terms of storage, compare the overhead of private key and ciphertext storage in the four schemes. It can be seen that AH-MAC-DHE only has $2l_0$ more private key storage overhead than the scheme in [14]. However, the private key storage overhead of the document [3] scheme is $S_u{l}_0$ more than that of other schemes. Since the schemes in [3,14] did not implement data hierarchical encryption, this will result in a storage overhead that will grow linearly with $n$, much higher than that of AH-MAC-DHE.

In summary, the overall computational overhead and storage overhead of AH-MAC-DHE are much lower than the schemes in [3,14]. Meanwhile, AH-MAC-DHE has similar computation and storage overhead to the scheme in [10] while providing higher security.

7.3. Experiment Analysis

7.3.1. Experimental Environment

In this section, AH-MAC-DHE is compared and experimented with the schemes in [3,10,14]. The private key generation, encryption, and decryption time overhead, as well as the private key and ciphertext storage overhead, are comparatively analyzed for the four schemes. All experiments are implemented in Java, based on the JPBC library on the 160-bit elliptic hyperbolic group constructed by a 512-bit A-type hypersingular curve $y^2=x^3+x$. The experimental environment is a 64-bit Windows 11 operating system, Intel Core i7-11700 CPU 2.50 GHZ, and 16 GB RAM. To make a more accurate comparison, the four schemes are all experimented with two hierarchical data levels. The number of attributes grows from 5 to 50 in units of 5, and the number of hierarchical data levels grows from 2 to 8 in units of 1. All experimental results were averaged over 10 experiments to make them more accurate.

7.3.2. Computational Overhead Test

As the number of attributes increases, the private key generation time of the four schemes is shown in Figure 7. The time overhead of AH-MAC-DHE in the phase of private key generation is significantly smaller than the schemes in [3,14]. Although hiding user attributes will generate additional time overhead, AH-MAC-DHE improves computing efficiency by designing PD-MAC to jointly generate the user’s private key for the user. Therefore, the private key generation efficiency of AH-MAC-DHE is slightly higher than that of the scheme in [10].

As the number of attributes increases, the encryption and decryption time overhead of the four schemes at two hierarchical data levels are shown in Figure 8a,b. From the figures, it can be seen that the encryption and decryption time overhead of AH-MAC-DHE is always less than the schemes in [3,14]. Because AH-MAC-DHE hides access policies, this will lead to the encryption time overhead of AH-MAC-DHE being slightly higher than the scheme in [10]. When the number of attributes is 50, the encryption time of AH-MAC-DHE is only 132 ms longer than the scheme in [10]. But AH-MAC-DHE provides higher security, so it is worth sacrificing this part of the calculation overhead.

Figure 9a,b show the time overhead of encryption and decryption in the case of fixed attribute number $N=30$ at different hierarchical data levels. AH-MAC-DHE and the scheme in [10] encryption and decryption time overhead remain unchanged with the increase of data hierarchies. Meanwhile, the schemes in [3,14] encryption and decryption time overhead increase linearly, much higher than AH-MAC-DHE.

7.3.3. Storage Overhead Test

As the number of attributes increases, the storage cost of the private key of the four schemes is shown in Figure 10. Since AH-MAC-DHE hides user attributes, the storage overhead of AH-MAC-DHE is slightly higher than the schemes in [10,14]. At the number of attributes 50, the storage overhead grows by 2.9 KB and 3.5 KB compared to the schemes in [10,14], respectively. This part of the storage overhead growth is within acceptable limits.

As the number of attributes increases, the storage cost of ciphertext with two hierarchical data levels is shown in Figure 11a. The storage overhead of the schemes in [3,14] is about twice that of AH-MAC-DHE and [10]. Figure 11b shows the ciphertext storage overhead in the case of fixed attribute number $N=30$ at different hierarchical data levels. It can be seen that the ciphertext storage overhead of AH-MAC-DHE increases slightly with the increase of the data level, while the ciphertext storage overhead of the schemes in [3,14] rises sharply.

In summary, the time overhead of private key generation, encryption, and decryption, as well as the overall storage overhead of AH-MAC-DHE, is significantly smaller than the schemes in the schemes in [3,14]. Although AH-MAC-DHE is slightly higher than the scheme in [10] in terms of storage overhead, AH-MAC-DHE protects privacy information as well as the user’s private key. Therefore, it is acceptable to sacrifice a small amount of storage space for more secure data sharing.

8. Conclusions

We propose AH-MAC-DHE to solve the problems that the existing data hierarchical CP-ABE schemes can not avoid, such as access policies or user attributes leakage of personal privacy information, and the existence of key escrow. Firstly, we propose the ACHM to hide access policies and user attributes to solve the problem of privacy information leakage. Secondly, to further improve the security of data, the key escrow problem is solved by designing the PD-MAC. In addition, the security analysis and performance analysis show that AH-MAC-DHE has higher security and higher performance compared to existing schemes.

In fact, AH-MAC-DHE can be widely used in modern healthcare, government organizations, and other related areas with hierarchical data. However, devices in the application areas may be very limited in computational power. Hence, computational limitation is a critical matter that can be evaluated in the future. Meanwhile, to provide better decentralization, we will combine blockchain technology in our future work to establish a set of on-chain hierarchical data security sharing systems to achieve reliable sharing of on-chain hierarchical data. In addition, we also plan to implement dynamic updating of access policies and user attributes in the data hierarchical CP-ABE scheme through blockchain technology to improve practicality and performance. The above future directions may have great research value and impact in this area.