Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT

Devices in the Internet of Things (IoT) usually use cloud storage and cloud computing to save storage and computing cost. Therefore, the efficient realization of one-to-many communication of data on the premise of ensuring the security of cloud storage data is a challenge. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) can not only protect the security of data in the cloud and achieve one-to-many communication but also achieve fine-grained access control for data. However, the single-authority CP-ABE faces the crisis of single point of failure. In order to improve security, the Multi-Authority CP-ABE (MA-CP-ABE) is adopted. Although there are provably-secure MA-CP-ABE schemes, Edward Snowden’s research shows that provably-secure cryptographic schemes are vulnerable to backdoor attacks, resulting in secret disclosure, and thus threatening security. In addition, ABE requires huge computational overhead in key generation, encryption and decryption, which increase with the increase in the number of attributes and the complexity of the access structure, and there are a large number of resource-constrained devices in the IoT. To mitigate this issue, we construct the Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls (OO-MA-CP-ABE-CRFs) scheme. This scheme not only uses Cryptographic Reverse Firewall (CRF) to resist backdoor attacks but also uses online/offline key generation, online/offline encryption and outsourcing encryption technology to optimize the efficiency of the MA-CP-ABE scheme with reverse firewall, reducing the storage and computing cost of users. Finally, the security of the OO-MA-CP-ABE-CRFs scheme is proved, and the experimental results indicate that the scheme is efficient and practical.


Introduction
With the increasing number of terminal devices connected to the Internet of Things (IoT), the data to be processed increase exponentially. At the same time, with the widespread use of cloud computing and cloud storage technologies, the data from IoT devices are uploaded to the cloud for storage and processing. Considering that a dishonest cloud seriously threatens the privacy and security of data, it is necessary to encrypt the data before cloud storage. Attribute-Based Encryption (ABE) can not only protect data privacy but also realize fine-grained access control to data. ABE, originally proposed by Sahai and Waters, can be classified as Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE). In the CP-ABE (KP-ABE) scheme, the user's private key (ciphertext) is associated with its attributes, and the ciphertext (private key) is associated with the access structure. Only when the attributes of the user meet the access structure of the ciphertext can the user use the private key to recover the plaintext correctly. Because users can use CP-ABE to specify flexible access structures for ciphertext, they can achieve fine-grained access control for ciphertext, so CP-ABE has been widely used in cloud computing [1][2][3][4][5][6]. Because the user's private key
(1) We propose a new MA-CP-ABE-CRF scheme, which not only avoids the single point of failure of single-authority ABE but also provides flexible access control for ciphertext data. In addition, four CRFs are used to re-randomize key parameters. This allows the MA-CP-ABE scheme to maintain functionality and resist exfiltration even if it is compromised by unexpected attacks.
(2) In order to make the scheme suitable for IoT, we have adopted online/offline key generation, online/offline encryption, and outsourcing decryption technologies to improve the computational efficiency of the scheme. These technologies are adopted not only by users and attribute authorities but also by the four CRFs, which can significantly improve the efficiency of the scheme. Compared with other studies in terms of computational and storage overhead, our scheme has obvious advantages.
(3) We have theoretically analyzed and proven the correctness and security of the OO-MA-CP-ABE-CRFs scheme, including CPA security, weak security preservation, and weak exfiltration resistance. These guarantees ensure that devices in the IoT remain secure even when attacked through backdoors.
The rest of this article is organized as follows. Section 2 discusses the related work. Section 3 presents the preliminaries. Section 4 describes the proposed OO-MA-CP-ABE-CRFs scheme. Section 5 presents the performance analysis of the proposed scheme. Section 6 presents a real-world application of the proposed scheme. Finally, Section 7 concludes this work.

Related Work
This section mainly summarizes the related works on ABE, CRF and online/offline cryptography.

Attribute-Based Encryption
ABE was originally proposed by Sahai and Waters on the basis of Fuzzy Identity-Based Encryption (FIBE) [15]. Goyal et al. [16] extended FIBE technology to ABE technology and defined two types of ABE, called KP-ABE and CP-ABE, respectively. The complete framework of the first anti-collusion CP-ABE scheme was proposed by Bethencourt et al. [17]. Since CP-ABE can customize access control policies by data owners, it is widely used in various cloud scenarios due to the advantages of fine-grained access control. Because the single-authority ABE scheme has a series of negative effects such as heavy computing burden, single point of failure crisis, and excessive central authority, Chase [18] constructed an MA-ABE scheme to solve such problems. Chase et al. [19] further protect user privacy by eliminating the trusted central authority to prevent information from being concentrated on specific users. Lin et al. [20] proposed a threshold-based multi-authority FIBE scheme that can be extended to MA-ABE. Qian et al. [21] proposed an MA-ABE scheme supporting attribute revocation and dynamic policy updates to meet the privacy security requirements of patients in the personal health record (PHR) system.

Cryptographic Reverse Firewall
Due to the influence of Snowden's ex-filtration incident, Mironov et al. [13] introduced the concept of a CRF, which aims to intercept and update the receiving and sending messages of the client in time to prevent malicious adversary in the system. Zhou et al. [22] proposed an IBE-based CRF scheme. Chen et al. [23] rely on the malleable smooth projective hash function with key malleability and element re-randomizability to construct multiple CRF-based cryptographic protocols. Zhou et al. [24] designed a single-round CL-PKE-CRF protocol with low communication overhead. Zhou et al. [25] proposed a searchable public key encryption scheme based on CRF, which can resist various attack methods without a secure channel, thereby fully guaranteeing the user's information security. Ma et al. [26] designed an online/offline CP-ABE-CRF scheme, which effectively reduces the computational overhead while resisting secret ex-filtration, and further ensures the practicability of the scheme on lightweight devices. Hong et al. [27] constructed an MA-KP-ABE-CRF scheme, which supports a non-monotonic access structure.

Online/Offline Cryptography
It is also worth noting that not only does the CRF framework bring a lot of computing overhead, but most ABE schemes themselves involve expensive computing operations. Many researchers use online/offline technology to solve this problem. Khan et al. [28] entrusted the heaviest computing operations to the offline stage through online/offline technology, which reduced computing overhead, and designed an online/offline-aided attribute-based multi-keyword search scheme. In order to reduce the communication overhead in the verification phase, Ali et al. [29] designed a verifiable online/offline multi-keyword search scheme. For fields such as smart grids with high security and timeliness requirements, Zhang et al. [30] outsourced a large number of calculations to the encryption and decryption server, reducing the calculation overhead of the client, and constructed an outsourced attribute-based ranked searchable encryption scheme. In order to further reduce the computational burden of data owners and clients, Shao et al. [31] combined the online/offline MA-ABE scheme with key conversion technology to outsource the complex operations of the decryption stage to the proxy server.

Preliminaries
This section introduces the preliminaries of the OO-MA-CP-ABE-CRFs scheme.

Bilinear Groups
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of the group $G$. The bilinear map $e : G \times G \to G_T$ has the following three properties: (1) Bilinearity: for any $P, Q \in G$ and $a, b \in Z_p^*$, $e(P^a, Q^b) = e(P, Q)^{ab}$. (2) Non-degeneracy: there exist $P, Q \in G$ such that $e(P, Q) \neq 1$. (3) Computability: for any $P, Q \in G$, there exists an efficient algorithm to compute $e(P, Q)$.
q-type assumption. The challenger first calls the bilinear pairing parameters $(p, G, G_T, e)$, and picks a random group element $g \in G$ and random exponents $a, s, b_1, b_2, \ldots, b_q \leftarrow Z_q$. Then, the challenger sends the following terms to the adversary. g, g s , q]withj = j
Finally, the challenger flips a random coin $b \in \{0, 1\}$, sets $T = e(g, g)^{s a^{q+1}}$ if $b = 0$ and otherwise $T \in G_T$ is a random term, and sends $T$ to the attacker. The attacker outputs a guess $b' \in \{0, 1\}$ for $b$. The advantage of the attacker in the game is | Pr
We say that the q-type assumption holds if all probabilistic polynomial time attackers have at most a negligible advantage in the above security game.

Linear Secret Sharing Schemes
Let $\{P_1, P_2, \ldots, P_n\}$ be a set of participants. A collection $A \subseteq 2^{\{P_1, P_2, \ldots, P_n\}}$ is monotone if, for any B and C, $B \in A$ and $B \subseteq C$ imply $C \in A$. A monotonic access structure is a monotone collection A of non-empty subsets of $\{P_1, P_2, \ldots, P_n\}$, namely $A \subseteq 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \{\emptyset\}$. Sets in A are called authorized sets, whereas sets not in A are called non-authorized sets.
A secret sharing scheme Π over a set of parties is linear over $Z_p$ if the following conditions are satisfied: (1) The shares of each party form a vector over $Z_p$; (2) There exists a share-generating matrix M with l rows and n columns for scheme Π.
Furthermore, there exists a function ρ that maps each row of the matrix M to an associated party: each row $i \in [l]$ of the matrix is associated with $\rho(i)$, where $[l] = \{1, \ldots, l\}$. For the column vector $v = (s, r_2, \ldots, r_n)$, $s \in Z_p$ is the secret value to be shared, and $r_2, \ldots, r_n \in Z_p$ are randomly selected.
$Mv$ is a vector of l elements, each of which is a share of the secret s generated by the scheme Π. The share $(Mv)_i$ belongs to party $\rho(i)$.

Cryptographic Reverse Firewall
The CRF was originally proposed by Mironov and Stephens-Davidowitz to provide a strong security backing for modern cryptographic algorithms against the threat of backdoors. The CRF intercepts messages and updates parameters for the entire cryptographic system. Deploying a cryptographic scheme that correctly implements a CRF can effectively ensure that the scheme retains its security even if it runs on an infected machine. Appendix A provides more details about CRF.

System Model
As shown in Figure 1, the scheme includes five participants and corresponding reverse firewalls. They are the global identity authority (GA), attribute authorities (AA), the cloud service provider (CSP), the data owner (DO) and the data user (DU). Among them, the CRF of GA is $W_{GA}$, the CRF of AA is $W_{AA}$, the CRF of DO is $W_{DO}$, and the CRF of DU is $W_{DU}$.
(2) If the process is corrupted, then $W_{GA}$ randomizes GP, and obtains and broadcasts $GP'$ globally. (3) GA outputs its own public/private key pair (GPK, GMK) from $GP'$. (4) If the process is compromised, $W_{GA}$ outputs the updated public/private key pair $(GPK', GMK')$ and returns it to GA. (5) AA outputs its own public/private key pair $(APK_k, AMK_k)$. (6) If the process is compromised, $W_{AA}$ outputs the updated public/private key pair $(APK_k', AMK_k')$.

Security Model
We define the security model of the OO-MA-CP-ABE-CRFs scheme based on the security models of [26,27]. Similar to [26,27], it is assumed that GA, AA, DO and DC are fully trusted, and the CSP is semi-trusted. Because the algorithms (Global.Setup, GASetup, AASetup, GA.KeyGen.off, GA.KeyGen.on, AA.KeyGen.off, AA.KeyGen.on, Encrypt.off, Encrypt.on and KeyGen.ran) in the scheme still maintain functionality after malicious trapdoors are implanted, it is necessary to consider that these algorithms may be compromised without the knowledge of the executor. In addition, considering that $W_{DO}$ and $W_{DU}$ are curious about the user's data, we assume that $W_{DO}$ and $W_{DU}$ are semi-trusted. Since $W_{GA}$ and $W_{AA}$ have access to the decryption key of the user, it is assumed that $W_{GA}$ and $W_{AA}$ are completely trusted. Additionally, all CRFs are considered trusted zones and cannot be tampered with by any outsiders.
The CPA security game for OO-MA-CP-ABE-CRFs is played by a challenger C and an adversary A.
Initialization: Adversary A sends the access structure $A^*$ and the functionality maintaining algorithms to challenger C.
Setup: The Setup algorithm is executed by challenger C. The updated global public parameter $GP'$, updated public key $GPK'$ and $APK_k'$ of the authority are sent to the adversary A.
Phase 1: The adversary A can adaptively query the Key Generation Oracle (KGO). A queries for attribute set $S_i$ and user identity GID, where $S_i$ must not satisfy the challenge policy $A^*$, $i = 1, 2, \ldots, q$. The challenger C replies to the adversary with the user's updated decryption key $(ugsk', uask'_{S_{GID}})$ and updated conversion key $TK'$.
Challenge: Adversary A sends two equal-length plaintexts $m_0, m_1$ to C. C selects a random bit $b \in \{0, 1\}$, and sends the updated ciphertext $CT_b$ to the adversary A, where $CT_b$ is the ciphertext of $m_b$ under access structure $A^*$.

Phase 2: The process is the same as Phase 1.
Guess: The adversary A outputs a guess $b' \in \{0, 1\}$ for $b$. The advantage of A in the game is | Pr
The OO-MA-CP-ABE-CRFs is CPA secure if all probabilistic polynomial time (PPT) adversaries have at most a negligible advantage in the above security game.

OO-MA-CP-ABE-CRFs
In this section, we first construct a basic OO-MA-CP-ABE scheme based on [32]. The randomness of the ciphertext and the key in this scheme is all re-randomized. Then, based on this basic OO-MA-CP-ABE scheme, we construct an OO-MA-CP-ABE-CRFs scheme and, finally, prove the security of the constructed scheme.

Basic Construction of OO-MA-CP-ABE Scheme
In order to make the basic OO-MA-CP-ABE scheme suitable for constructing the CRF framework, we construct a concessive OO-MA-CP-ABE scheme, which can be divided into four phases and contains a total of 11 algorithms.
(1) Initialization phase. GA and AA perform initialization.
Global.Setup(λ, U) → GP. GA chooses a security parameter λ and describes a tuple $(G, G_T, p, e)$, where $G$ and $G_T$ are two cyclic multiplicative groups of large prime order $p$ and $e : G \times G \to G_T$ is a bilinear map. Let $g$ be a generator of $G$. GA randomly chooses $h, u, v, w \leftarrow G$ and outputs the global system parameters GP = (g, h, u, v, w).
(2) Encryption phase. DO encrypts plaintext offline and online.
Encrypt.off(GP, GPK, APK) → $CT_{off}$. The algorithm takes GP, GPK and $APK = \cup_{k \in [K]} APK_k$ as input. The DO randomly chooses $s \leftarrow Z_p$ and $t_j \leftarrow Z_p$ for $j \in [J]$, where J is used by the DO to determine the size of the offline ciphertext pool. It calculates $Km = GPK^s = e(g, g)^{\alpha s}$,
On input public parameters PK, an intermediate ciphertext IT, a plaintext m and an LSSS access structure $A = (M, \rho)$, where M is an $l \times n$ ($l \le N$) matrix. DO randomly chooses $y_2, \ldots, y_n \leftarrow Z_p$, sets $y = (s, y_2, \cdots, y_n)^T$, and obtains $\lambda = (\lambda_1, \lambda_2, \cdots, \lambda_l)^T = My$. In addition, for $j \in [l]$, suppose $\rho(j)$ corresponds to an attribute controlled by $AA_k$. DO sets $C = m \cdot Km$, C 0 = C 0 ,
(3) Key generation phase. GA and AA generate decryption keys offline and online for the user.
GA.KeyGen.off(GP, GMK) → ugsk. GA randomly chooses $r \leftarrow Z_p$, calculates
It should be noted that the decryption key of the user GID is $(ugsk, uask_{on})$.
(4) Decryption phase. For outsourcing decryption, DU generates a conversion key and a retrieval key. CSP performs outsourcing decryption by conversion key, and DU performs final decryption by retrieval key.
Decrypt.out(TK, CT) → TCT. The algorithm takes as input a conversion key TK for the attribute set $S_{GID}$ and a ciphertext CT for access structure A. The CSP checks whether $S_{GID}$ satisfies A; if not, it returns ⊥. Otherwise, CSP calculates 3 ), and outputs the decrypted transformed ciphertext TCT = (C, B).
Decrypt.user(RK, TCT) → m. The algorithm is executed by DU. It takes as input a retrieval key RK and the transformed ciphertext TCT, and finally computes $\frac{C}{B^{\tau}} = \frac{e(g,g)^{\alpha s} \cdot m}{\left(e(g,g)^{\alpha s / \tau}\right)^{\tau}}$ to obtain the plaintext m.
Proof. The form of the user key SK and ciphertext CT in the scheme is the same as that in [32]. Therefore, the modification does not affect the security proof. Furthermore, the key-blinding technique in [33] is used. The proof is similar to [33], so it is omitted.

Construction of OO-MA-CP-ABE-CRFs
We propose the OO-MA-CP-ABE-CRFs based on the above basic construction, which can resist the exfiltration of secret information from arbitrarily compromised functional-maintaining algorithms executed by the GA, AA, DO and DU. The structure of OO-MA-CP-ABE-CRFs is specifically as follows.
(1) Initialization phase. GA, AA, $W_{GA}$ and $W_{AA}$ perform initialization. Before broadcasting GP ← Setup(λ, U) to other participants, GA first sends GP to $W_{GA}$ for the algorithm $W_{GA}$.Global.Setup.
$W_{GA}$.Global.Setup(GP) → $GP'$. After receiving GP, $W_{GA}$ randomly selects $a, b, c, d, e \leftarrow Z_p$ and calculates $g' = g^a$, $u' = u^b$, $h' = h^c$, $w' = w^d$, $v' = v^e$. The algorithm outputs $GP' = (g', u', h', w', v')$ and broadcasts $GP'$ to all members of the system.
When GA receives the updated global public parameter $GP'$, it runs algorithm GA.Setup($GP'$) to obtain (GPK, GMK) and sends it to $W_{GA}$, and $W_{GA}$ performs the algorithm $W_{GA}$.GA.Setup.
(2) Encryption phase. DO and $W_{DO}$ encrypt plaintext offline and online. The DO runs Encrypt.off($GP'$, $GPK'$, $APK'$) and Encrypt.on($GP'$, $APK'_A$, m, A, $CT_{off}$) to obtain the ciphertext $CT_A$ of the message m under the access structure A, and sends $CT_A$ to $W_{DO}$ before uploading $CT_A$ to the CSP. $W_{DO}$ performs the following algorithms.
After obtaining (TK, RK) ← KeyGen.ran($ugsk'$, $uask'_{on,S_{GID}}$), DU sends TK to $W_{DU}$ for the algorithm $W_{DU}$.TKUpdate.
$W_{DU}$.TKUpdate(TK) → ($TK'$, β). $W_{DU}$ randomly selects $\beta \leftarrow Z_p$ and calculates
Proof. We prove the security of our construction via the following parts.

FUNCTIONALITY MAINTAINING.
If the user attribute set $S_{GID}$ satisfies the access policy A, then there is
Assuming that adversary A can break the CPA security of the OO-MA-CP-ABE-CRFs scheme with a non-negligible advantage, we can construct a PPT simulator B to break the CPA security of the basic OO-MA-CP-ABE scheme with the same advantage. In the OO-MA-CP-ABE-CRFs scheme, simulator B plays the role of a challenger, interacting with adversary A. Let C be the challenger in the OO-MA-CP-ABE scheme.
Initialization: B receives the access structure $A^*$ and the functionality maintaining algorithms from A, and sends them to C.
Setup: B receives GP = (g, h, u, v, w), GPK and $APK_k = (\hat{u}, \hat{h})$ from C, randomly selects $a, b, c, d, e, f, \alpha_k \leftarrow Z_p$, calculates $g' = g^a$, u = u , and passes $GP'$, $GPK'$ and $APK_k'$ to A.
Phase 1: B receives the key query about S and GID from A, passes them to C and obtains ugsk = (K 0 , β , and passes $(ugsk', uask'_{S_{GID}})$ and $TK'$ to A.

Guess: The adversary A outputs a guess $b' \in \{0, 1\}$ for $b$. Then, B outputs the same guess $b'$. Thus, if A has an advantage in the OO-MA-CP-ABE-CRFs experiment, then B breaks the OO-MA-CP-ABE scheme with the same probability.
It is also known from Theorem 1 of [32] that if an adversary breaks the scheme of [32] with a non-negligible advantage, a simulator can be constructed to break the q-type assumption in G with the same advantage. Therefore, if A has an advantage in breaking our OO-MA-CP-ABE-CRFs scheme, then a simulator can be constructed to break the q-type assumption in G with the same advantage.

WEAK SECURITY PRESERVATION AND WEAK EXFILTRATION RESISTANCE.
According to the CPA security of the OO-MA-CP-ABE-CRFs scheme, the CRFs $W_{GA}$, $W_{AA}$, $W_{DO}$ and $W_{DU}$ corresponding to GA, AA, DO and DU weakly preserve security. On the other hand, the proof of the CPA security further demonstrates that the reverse firewalls $W_{GA}$, $W_{AA}$, $W_{DO}$ and $W_{DU}$ weakly resist exfiltration.
Combining the above discussion, the proof is completed.

Performance Evaluations
In order to compare our scheme with other schemes, we conduct a detailed property and performance analysis.

Property Comparison
We choose schemes [26,32,34-37] to compare with our scheme. These schemes are CP-ABE schemes that support the LSSS access structure. It can be seen from Table 1 that the scheme [37] only supports online/offline encryption (OO Encrypt). The scheme [26] supports online/offline key generation (OO KeyGen), OO Encrypt and CRF. However, the schemes [26,37] are not multi-authority. The schemes [32,34-36] are multi-authority, but the scheme [32] only supports OO KeyGen and OO Encrypt without CRF. The scheme [36] also only supports OO Encrypt. Only our scheme meets all the above properties, so it is more suitable for IoT.

Performance Analysis
In order to simulate the time cost of computing operations, Table 2 lists the complexity analysis of system setup, key generation, encryption, and decryption. We define P as a bilinear pairing operation, E as an exponentiation operation, and M as a multiplication operation. We use K, S, l and I to represent the number of attribute authorities, the number of user attributes, the number of rows in the LSSS matrix, and the row set of the LSSS matrix used for decryption. We consider the time cost of user key generation, user encryption and user decryption. Although CRFs are added to our scheme, and CRFs also generate keys and perform encryption, the time cost of this part does not belong to users, so the additional cost caused by CRFs can be ignored. In addition, considering that the offline phase does not affect the actual cost of the online part of the user in the actual scenario, we only consider the time cost of the online phase in the efficiency analysis.

[Table 2 columns: Schemes | System Setup | Online User Key Generation | Online User Encryption | User Decryption]
As shown in Table 3, we show the storage cost of our scheme and schemes [26,32,34-36], respectively, in the public parameters, ciphertext and user decryption key, where $|G|$ is the number of elements in group $G$ and $|G_T|$ is the number of elements in group $G_T$. Because these schemes are CP-ABE schemes, the size of l is proportional to the size of the ciphertext, and the size of S is proportional to the size of the user decryption key. Compared to [36], our scheme has better storage cost for public parameters, ciphertext and user decryption key. Compared with [26,32,34,35], the storage cost of ciphertext and the user decryption key is approximately equal.
Table 3. Comparison of storage cost.
In the experiment, we imported the PBC module and selected the parameter value "SS512", a type A curve, to generate the prime order bilinear group G. We performed 1000 repeated experiments and took the average to estimate the running time of the bilinear pairing operation, exponentiation operation and multiplication operation in G, respectively. The results show that the average time cost of the bilinear pairing operation is 2.05 ms, the average time cost of the exponentiation operation is 2.80 ms, and the average time cost of the multiplication operation is 2.82 ms. The source code can be obtained at https://github.com/abcde123411/OO-MA-CP-ABE-CRF (accessed on 2 April 2023). Finally, we present the results in Table 4. In order to show the computational time cost and the storage cost of our scheme and other schemes, we make a comparison with the Zhang et al. scheme [32] (ZZLL), Ma et al. scheme [26] (MZYS), Xie et al. scheme [34] (XRHS), Zhang et al. scheme [35] (ZGWW) and Zhang et al. scheme [36] (ZZWM). By analyzing the calculation overhead of the online user key generation phase and user decryption phase and the storage overhead of ciphertexts and keys in the system, there is a slight difference between the ZZWM scheme [36] and other schemes. In addition, to facilitate unified comparison, we let the number of attribute authorities K be 1 and the number of users N and the depth d be 0, and treat $Z_p$ as equal to G, as shown in Figures 2 and 3. In Figure 2a, the curve of the MZYS scheme [26] coincides with that of our scheme, which shows that the time cost of our scheme in the key generation phase is the same as that of the MZYS scheme [26], which has obvious advantages over the XRHS scheme [34] and ZZWM scheme [36]. In Figure 2b, the curve of the MZYS scheme [26] coincides with that of our scheme. With the help of outsourced decryption technology, the time overhead of our scheme in the decryption phase is very considerable.
As can be seen from Table 3, since the ciphertext storage cost of each scheme contains a constant $G_T$ term, we can ignore it in the analysis of the storage cost of ciphertext. As shown in Figure 3a, the curves of the MZYS scheme [26], ZZLL scheme [32] and ZZWM scheme [36] coincide with that of our scheme, which shows that the ciphertext storage cost of our scheme is equivalent to that of [26,32,36]. As shown in Figure 3b, the curves of the XRHS scheme [34], ZGWW scheme [35] and ZZWM scheme [36] are coincident, and the curves of the MZYS scheme [26] and ZZLL scheme [32] coincide with that of our scheme, which shows that the secret key storage cost of our scheme is equivalent to that of the MZYS scheme [26] and ZZLL scheme [32].

Real-World Application
In this section, we will provide a detailed description of the practical application of our OO-MA-CP-ABE-CRFs scheme in the e-health system, as shown in Figure 4, which shows the true practical value of the scheme. The following steps are required.
(1) Patients and doctors need to register in the system. The superior management organization of the university and affiliated hospital executes algorithm Global.Setup to generate system global parameters and send them to registered users.
(2) Given that malicious adversaries may threaten the security of the system through backdoor attacks, the CRF corresponding to the superior management organization executes algorithm $W_{GA}$.Global.Setup to randomize the system's global parameters and broadcasts the updated results across the network.
(3) The superior management organization executes the algorithm GA.Setup to generate the public/private key pair.
(4) The CRF of the superior management organization runs the algorithm $W_{GA}$.GA.Setup to update the public/private key pair, and returns the results to the superior management organization.
(5) The school and hospital, as attribute authorities in the system, respectively, execute the algorithm AA.Setup to generate their own public/private key pair.
(6) To prevent this process from being compromised, the CRFs of the school and hospital execute the algorithm $W_{AA}$.Setup to randomize their respective public and private key pair.
(7) Considering that most patients usually use resource-constrained mobile devices, some computational operations are performed in the Encrypt.off algorithm. This will ensure that mobile device resources are not excessively consumed when performing online encryption operations.
(8) Patient sets access control policies and executes the algorithm Encrypt.on to encrypt Electronic Medical Records (EMR).
(9) If the encryption process is compromised, the patient's EMR may be compromised, directly endangering the privacy and security of the patient. To avoid this situation, the CRF of the patient executes the algorithm $W_{DO}$.Encrypt.off to generate intermediate ciphertext offline.
(10) The CRF of the patient executes the algorithm $W_{DO}$.Encrypt.on to update the ciphertext and stores the results in the CSP.
(11) The superior management organization executes the algorithm GA.KeyGen.off offline to generate a portion of the decryption key for registered users.
(12) The CRF of the superior management organization executes the algorithm $W_{GA}$.GAKeyGen.off in the offline phase to generate an intermediate conversion key.
(13) The CRF of the superior management organization executes the algorithm $W_{GA}$.GAKeyGen.on to generate a portion of the updated decryption key and sends the result to the doctor.
(14) School and hospital execute the algorithm AA.KeyGen.off in the offline phase to provide pre-computing services for the decryption key generation of doctors.
(15) The school and affiliated hospital execute the algorithm AA.KeyGen.on to generate the corresponding decryption key for the doctor based on their attribute set.
(16) Considering the backdoor attacks, the CRFs of the school and hospital execute the algorithm $W_{AA}$.KeyGen.off to update a portion of the decryption key offline.
(17) The CRF of the school and hospital execute the algorithm $W_{AA}$.KeyGen.on to update the doctor's decryption key online and send the result to the doctor.
(18) Because we use outsourced decryption, the doctor executes the algorithm KeyGen.ran to generate a conversion key and a recovery key.
(19) If the conversion key is compromised, it may cause serious consequences. To this end, the CRF of the doctor executes the algorithm $W_{DU}$.TKUpdate to randomize the conversion key, and sends the updated result to the CSP.
(20) The CSP executes the algorithm Decrypt.out to pre-decrypt and obtain the transformed ciphertext.
(21) The doctor's CRF executes the algorithm $W_{DU}$.Decrypt to partially decrypt transformed ciphertext.
(22) Doctors execute the algorithm Decrypt.user, and only authorized doctors can successfully obtain the patient's EMR.

Conclusions
To solve the problem of data privacy security in IoT, we propose an OO-MA-CP-ABE-CRFs scheme. This scheme can not only protect the security of data but also achieve fine-grained access control of data. In addition, our scheme uses multi-authority technology to reduce the trust placed in a single authority, uses CRF technology to resist the exfiltration of secret information and protect the privacy and security of users, and adopts online/offline and outsourcing decryption technology to reduce users' storage and computing cost. The security proof and experimental comparison of the scheme show that our scheme is more suitable for data sharing for IoT.
Although the OO-MA-CP-ABE-CRFs scheme implements multi-authority, it requires a global identity authority. In future work, we will study how to remove the global identity authority so that each attribute authority has equal status. We can consider introducing a user's identity or blockchain to achieve this. In addition, in order to make this scheme suitable for resource-constrained IoT devices, we need to further optimize the efficiency of the encryption algorithm. We can consider adopting techniques such as obfuscation encryption and reducing the size of ciphertext.
$\cup_{i \in [K]} U_k$, $U_i \cap U_j = \emptyset$, $i \neq j$. Finally, it outputs the public/private key pair $(APK_k, AMK_k)$ of attribute authority $AA_k$.
(6) $W_{AA}$.Setup($GP'$, $APK_k$, $AMK_k$) → ($APK_k'$, $AMK_k'$). This algorithm is run by the reverse firewall $W_{AA}$ of the attribute authority $AA_k$. It inputs $GP'$, $APK_k$, $AMK_k$ and outputs the updated parameters $APK_k'$, $AMK_k'$.
(18) KeyGen.ran($ugsk'$, $uask'_{on,S_{GID}}$) → (TK, RK). This algorithm is run by DU. It inputs $ugsk'$, $uask'_{on,S_{GID}}$ and outputs a conversion key TK and a retrieval key RK.
(19) $W_{DU}$.TKUpdate(TK) → ($TK'$, β). This algorithm is run by the reverse firewall $W_{DU}$ of DU, which inputs TK and outputs an updated conversion key $TK'$ and a corresponding random β.
(20) Decrypt.out($TK'$, $CT'$) → TCT. This algorithm is run by CSP. It inputs $TK'$, $CT'$ and outputs the transformed ciphertext TCT.
(21) $W_{DU}$.Decrypt(TCT, β) → $TCT'$. This algorithm is run by the reverse firewall $W_{DU}$ of DU, which inputs the transformed ciphertext TCT and a random β and outputs an updated transformed ciphertext $TCT'$.
(22) Decrypt.user(RK, $TCT'$) → m. This algorithm is run by the data user DU, which inputs a retrieval key RK and the updated transformed ciphertext $TCT'$ and outputs the plaintext m.
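An added example, not taken from the paper or its repository, that models the outsourced-decryption path of algorithms (18) to (22) in a toy prime-order group without pairings, so it is ElGamal-style rather than ABE. The update rules $TK' = TK \cdot \beta$ and $B' = B^{1/\beta}$, the group parameters and the function names are assumptions, since this page does not preserve the scheme's own formulas for $W_{DU}$.TKUpdate and $W_{DU}$.Decrypt.

```python
"""Toy model: outsourced decryption with a reverse firewall on the conversion key."""
import secrets

# Constructed toy parameters: P = 2Q + 1 with P and Q prime; G generates the
# order-Q subgroup of Z_P^*, which stands in for G_T. Far too small for real use.
P, Q, G = 2039, 1019, 4


def rand_exp():
    """Uniform non-zero exponent in Z_Q."""
    return 1 + secrets.randbelow(Q - 1)


def setup():
    """Secret alpha and public GPK = G^alpha (stand-in for e(g,g)^alpha)."""
    alpha = rand_exp()
    return alpha, pow(G, alpha, P)


def encrypt(m, gpk):
    """C = m * Km with Km = GPK^s, together with C0 = G^s."""
    s = rand_exp()
    return (m * pow(gpk, s, P)) % P, pow(G, s, P)


def keygen_ran(alpha, tau=None):
    """DU: conversion key TK = alpha / tau and retrieval key RK = tau."""
    tau = rand_exp() if tau is None else tau
    return alpha * pow(tau, -1, Q) % Q, tau


def fw_tk_update(tk, beta=None):
    """W_DU.TKUpdate (assumed rule): TK' = TK * beta; the firewall keeps beta."""
    beta = rand_exp() if beta is None else beta
    return tk * beta % Q, beta


def decrypt_out(tk, ct):
    """CSP: B = C0^TK; transformed ciphertext TCT = (C, B)."""
    c, c0 = ct
    return c, pow(c0, tk, P)


def fw_decrypt(tct, beta):
    """W_DU.Decrypt (assumed rule): strip the blinding, B' = B^(1/beta)."""
    c, b = tct
    return c, pow(b, pow(beta, -1, Q), P)


def decrypt_user(rk, tct):
    """DU: m = C / B^tau, the formula given for Decrypt.user."""
    c, b = tct
    return c * pow(pow(b, rk, P), -1, P) % P


def run(m, tau=None, beta=None):
    """Full path (18)-(22); returns what each party ends up holding."""
    alpha, gpk = setup()
    ct = encrypt(m, gpk)
    tk, rk = keygen_ran(alpha, tau)
    tk_fw, beta = fw_tk_update(tk, beta)
    tct = fw_decrypt(decrypt_out(tk_fw, ct), beta)
    return {"alpha": alpha, "tk": tk, "tk_seen_by_csp": tk_fw,
            "m": decrypt_user(rk, tct)}


if __name__ == "__main__":
    # A KeyGen.ran that always uses tau = 1 emits TK = alpha, i.e. the key itself.
    out = run(77, tau=1)
    print("TK equals secret key:", out["tk"] == out["alpha"])
    print("CSP sees the secret key:", out["tk_seen_by_csp"] == out["alpha"])
    print("plaintext recovered:", out["m"] == 77)
```

With `tau=1` the conversion key leaving DU equals the secret exponent, yet the value the CSP receives is re-randomized by β and decryption still returns the plaintext, which is the functionality-maintaining property the firewall has to satisfy.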
Correctness: For the fixed universe description U, the security parameter λ, the access structure space A = (M, ρ) and the message m, the correctness property requires that for all Setup