A Lightweight CP-ABE Scheme with Direct Attribute Revocation for Vehicular Ad Hoc Network

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) technology provides a new solution to address the security and fine-grained access control of traffic information in vehicular ad hoc networks (VANETs). However, in most CP-ABE schemes for VANETs, attribute revocation suffers from high system consumption and complex revocation operations, as well as from high computational overhead and low efficiency due to the use of bilinear pairwise operations. Based on this, this paper proposes a lightweight CP-ABE scheme that supports direct attribute revocation in VANETs. The scheme implements an agent-based direct attribute revocation mechanism by separating dynamic and static attributes of vehicle terminals, which reduces system consumption and simplifies the revocation operation process. The scheme uses scalar multiplication on elliptic curves instead of bilinear pairing operations and uses computational outsourcing techniques to reduce the terminal decryption cost and improve the efficiency of the scheme. The security and performance analysis shows that the overall efficiency of our scheme is better than the existing schemes under the premise of ensuring data confidentiality and integrity.


Introduction
A vehicular ad hoc network (VANET) [1] is a vast interactive network that carries important traffic information such as vehicle location, speed and route. It usually consists of an on-board unit (OBU) installed in the vehicle and a roadside unit (RSU) widely deployed at the roadside, and it aims to provide a comprehensive service platform for various applications. The widespread deployment of VANETs largely depends on a secure and reliable mechanism to provide effective data services in the transport system. Among many security issues, ensuring data integrity and confidentiality is the most important [2].
To ensure the confidentiality of data transmission in VANETs and to prevent data leakage and tampering, it is necessary to establish an effective access control scheme to ensure that data can only be accessed by authorized personnel. Compared to role-based access control [3,4], Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [5,6] can provide more flexible and dynamic fine-grained access control. In 2005, Sahai and Waters [7] first proposed the concept of fuzzy identity-based encryption using bilinear pairing knowledge, and then further extended the concept of attribute-based encryption (ABE). An identity is considered as a set of descriptive attributes. ABE schemes are mainly divided into two categories: Key Policy Attribute-Based Encryption (KP-ABE) schemes and CP-ABE schemes. In 2006, Goyal et al. [8] proposed the first practical KP-ABE scheme, wherein the ciphertext is associated with a set of attributes and the user's decryption key is associated with a monotonic tree access structure. In 2007, Bethencourt et al. [9] introduced the tree access structure into the ciphertext and proposed the first CP-ABE scheme, wherein the user's decryption key is associated with the attribute and the ciphertext is associated with the tree access structure. Subsequently, researchers conducted research on the revocability [10,11], computational outsourcing [12,13], multi-authority [14] and traceability [15] of the CP-ABE scheme, so the CP-ABE technology has become an important research direction to solve the access control of storage ciphertext. However, due to the use of bilinear pairing operations in most CP-ABE schemes, the overall efficiency of the scheme is reduced, which severely limits its use in IoT terminals with limited computational resources. Odelu et al. [16] and Ding et al. [17] proposed a CP-ABE scheme based on Elliptic Curve Cryptography (ECC). Compared to the bilinear pairing operation, the simple scalar multiplication over the elliptic curve used in the scheme has the advantages of lower computational overhead and higher efficiency.
In order to identify how to apply CP-ABE technology to VANETs to ensure the security of traffic information, researchers have proposed many schemes. Huang and Verma introduced CP-ABE technology to VANET, and proposed the first CP-ABE-based security policy implementation scheme in VANETs in [18], wherein different road conditions are considered as attributes, and the transmitted data are encrypted and protected in combination with a data access control strategy, but the effect of user and attribute revocation on the system is not considered in this scheme. Horng et al. [19] proposed an effective data access control CP-ABE scheme, wherein user and attribute revocation is provided by timestamp attributes, and cloud computing nodes are used to share the computational load of encryption and decryption. However, this scheme needs to re-encrypt the ciphertext in the process of user and attribute revocation and does not verify the data integrity in the process of outsourcing decryption. Aiming at the problem of limited computational resources of the vehicle terminal, Xia et al. [20] proposed a CP-ABE delegation scheme that allows the RSU to perform most of the computations to improve the decryption efficiency of the vehicle. Similarly, the scheme did not consider the impact of user and attribute revocation on the system, and the data integrity was not verified during the delegation decryption process. In order to adapt to the highly dynamic environment of VANETs and solve the data leakage and damage caused by outsourced data, Zhang et al. [21] proposed the concept of revocation with auditable users based on the CP-ABE algorithm, and used online/offline and verifiable outsourcing technology to improve the efficiency and ensure the correctness of the decryption. However, in the process of user revocation, the ciphertext and private keys of all non-revoked users need to be updated. Wang et al. [22] proposed a dynamic fine-grained access control scheme based on attribute encryption to solve this problem. However, the length of the ciphertext in this scheme is proportional to the number of authorized users, and the ciphertext must be updated when some authorized users are revoked or added.
However, the CP-ABE schemes in the aforementioned VANETs suffer from two problems. First, in terms of attribute revocation, most schemes implement attribute revocation by re-encrypting the ciphertext and updating the private keys of all unrevoked users, which is indirect revocation [23,24]. However, due to the high-speed mobility of vehicle terminals, dynamic attributes such as city, street and direction of travel are frequently updated and revoked, so using the indirect revocation mechanism will greatly increase the consumption of the system. Second, because the scheme uses bilinear pairing operations, it increases the computational overhead and reduces the overall efficiency, which is not suitable for use in vehicle terminals with limited computational resources. To solve the above two problems, this paper proposes a lightweight CP-ABE scheme that supports direct attribute revocation in VANETs. The main work is as follows: (1) Aiming at the problem that using an indirect revocation mechanism to realize attribute revocation leads to large system consumption and complicated operation, by separating the static and dynamic attributes of the vehicle terminal, our scheme establishes a two-level decryption architecture of RSU and OBU and realizes the direct revocation of attributes based on an RSU agent, reducing system consumption due to frequent updating and revoking attributes. (2) To address the problem of excessive computational overhead due to the use of bilinear pairing operations, our scheme is based on elliptic curve cryptography, using scalar multiplication instead of complex bilinear pairing operations, and outsourcing the decryption operations originally belonging to OBU to RSU to reduce computational costs and improve overall efficiency. (3) The security analysis proves that our scheme is secure under a chosen plaintext attack.
Theoretical and simulation experiments prove that our scheme is more efficient and less computationally expensive than the existing schemes.
The remainder of this paper is organized as follows: Section 2 briefly introduces the relevant knowledge covered in this paper. Section 3 presents the system model of our scheme and the specific implementation of the algorithm. Section 4 presents the security analysis of the scheme. Section 5 presents the performance analysis of our scheme. Finally, Section 6 concludes this work.

Elliptic Curve Discrete Logarithm Problem
Elliptic curve cryptography is a public key cryptosystem based on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). The ECDLP is described as follows: Given two points $P, G \in G_E$, where $G$ is the generator of the elliptic curve group $G_E$ with order $q$, no polynomial-time algorithm can obtain $k \in Z_q^*$ such that $P = kG$.

Access Structure
Let $P = \{P_1, \cdots, P_n\}$ denote the set of participants, and let $2^P = \{A \mid A \subseteq \{P_1, \cdots, P_n\}\}$. A collection $A \subseteq 2^P$ is monotone if and only if for any subsets $B, C \subseteq P$, $C \in A$ whenever $B \in A$ and $B \subseteq C$. $A$ is said to be an access structure if it is a collection of non-empty subsets of $P = \{P_1, \cdots, P_n\}$, i.e., $A \subseteq 2^{\{P_1, \cdots, P_n\}} \setminus \{\emptyset\}$. For any set $D$, $D$ is an authorized set if $D \in A$; otherwise it is a non-authorized set.

Linear Secret Sharing Scheme
Suppose the set of participants is $P = \{P_1, \cdots, P_n\}$; if $\Pi$ satisfies the following conditions, then $\Pi$ is a linear secret sharing scheme (LSSS) defined on $P$.
(1) The secret shares held by each participant form a vector over $Z_p$.
(2) Each $\Pi$ corresponds to a generator matrix $M$ of size $l \times n$, and $\rho : \{1, 2, \cdots, l\} \to P$ maps each row $i = 1, 2, \cdots, l$ of $M$ to a participant $\rho(i)$, where $\rho$ is an injective function. Consider the vector $v = (s, y_2, \cdots, y_n)$, where $s \in Z_p$ is the secret value and $y_2, \cdots, y_n \in Z_p^*$ are randomly chosen. The $l$ shares of the secret value $s$ can be recorded as $Mv$, where $\lambda_i = (Mv)_i$ is the $i$-th share of the secret value $s$ and belongs to $\rho(i)$. For any authorized set $S$ of the access structure $A$, i.e., $S \in A$, define $I = \{i : \rho(i) \in S\}$. Then there exists a polynomial-time algorithm that computes coefficients $\{w_i \in Z_p\}_{i \in I}$ such that $\sum_{i \in I} w_i M_i = (1, 0, \cdots, 0)$ based on the matrix $M$. Thus, the secret value $s = \sum_{i \in I} w_i M_i \cdot v = \sum_{i \in I} w_i \lambda_i$ can be obtained. For non-authorized sets, the above coefficients do not exist and the secret value $s$ cannot be obtained.

Decisional Diffie-Hellman Assumption
The definition of the decisional Diffie-Hellman (DDH) assumption on the elliptic curve is as follows: Suppose $G_q$ is a cyclic group with a large prime number $q$ as the order and $G$ as the generator, and $a, b, c$ are three random numbers selected from $Z_p$. If the tuples $R = (G, aG, bG, abG)$ and $D = (G, aG, bG, cG)$ are computationally indistinguishable, then it is called the DDH assumption. Attacker A has advantage $\varepsilon$ in distinguishing the DDH assumption of tuples $R$ and $D$, if

Adv DDH
Definition 1. The DDH assumption holds if there is no polynomial-time algorithm to solve the DDH problem with non-negligible advantage.

System Model
In order to provide an efficient attribute revocation mechanism for VANETs, we propose a lightweight CP-ABE scheme with direct attribute revocation. The system model consists of five types of different entities: the Trust Authority (TA), the Cloud Service Providers (CSPs), the Application Service Providers (ASPs), the Roadside Units (RSUs), and the Onboard Units (OBUs), as shown in Figure 1.
(1) TA: The TA is a fully trusted server with high computing power, regulated by government authorities and always online. The TA is responsible for initializing system parameters and generating system public and master keys. The TA generates attribute keys for all attributes defined by the system and publishes their public keys. The attributes defined by the system are divided into static and dynamic attributes. Among them, static attributes include vehicle type, make, registration number and company, etc., which will not change in a short time for the OBU; dynamic attributes include the current driving city, street and driving direction, etc., which will change frequently for the OBU. The TA is responsible for RSU and OBU registration, binds the unique user identity identifier UID_RSU or UID_OBU for the user, and generates the user decryption key according to its attributes. In addition, the TA will also generate a certificate for the OBU to authenticate with the RSU.
(2) CSPs: The CSPs have abundant storage space, store encrypted data uploaded by ASPs or OBUs and send encrypted data to authorized entities according to the request. In the scheme design of this paper, the CSP is honest but curious, i.e., it will honestly perform related tasks and additionally infer private information.
(3) ASPs: The ASPs are responsible for providing applications or services to vehicles, such as GPS service providers who can collect traffic data provided by vehicles from CSPs and then process the collected data to serve different users through different GPS services. Alternatively, if a taxi company only wants to provide services to its vehicles in a certain area, it can encrypt the application data according to its own defined access policy and upload it to the CSP.
(4) RSUs: The RSUs are widely deployed at roadsides and intersections, have relatively abundant computing and storage space and are regulated by government departments. When the local traffic management department deploys the RSU, it will apply to the TA for the unique identity UID_RSU and the attribute decryption key according to the attributes such as the deployed city, road and lane direction.
(5) OBUs: When the vehicle production is completed, the company will apply to the TA for the unique identity UID_OBU, attribute decryption key and digital certificate for OBU through the local traffic management department according to its vehicle type, brand and registration number.

Specific Implementation
To reduce system consumption and simplify revocation operations, we establish a two-stage decryption architecture and use an RSU proxy to implement attribute direct revocation. To reduce the computational overhead, we use scalar multiplication based on elliptic curves for encryption and decryption computations. In addition, to further reduce the consumption of computational resources of the OBU, we outsource the decryption operation originally belonging to the OBU to the RSU and increase the verification of data integrity. Specifically, our proposed lightweight CP-ABE scheme supporting direct attribute revocation in VANETs consists of the following six algorithms: Setup, TASetup, KeyGen, TransKeyGen, Encrypt and Decrypt. The system flowchart is shown in Figure 2. A detailed description of the above algorithms is given below:

Setup
$Setup(\lambda) \to params$: This algorithm takes the security parameter $\lambda$ as input and outputs the system public parameter $params = \{GF(q), E, G, U, H\}$, where $GF(q)$ represents a finite field with prime number $q$ as the order, $E$ represents an elliptic curve selected on the finite field, $G$ is a base point selected on the elliptic curve $E$ with $p$ as the order, $U = \{a_1, a_2, \cdots, a_m\}$ represents a set of attributes and $H : \{0, 1\}^* \to Z_p^*$ is a hash function selected by the system to map the user identity $UID$ to the elements in $Z_p^*$.

TASetup
$TASetup(params, U) \to (PK, MSK, ASK, APK)$: This algorithm takes the system public parameter $params$ and the system attribute set $U$ as input and takes the system public key $PK$, the system master private key $MSK$, the attribute private key $ASK$ and the attribute public key $APK$ as output. The TA randomly selects element $n$ from $Z_p^*$ as the master private key and calculates $nG$ as the public key, namely $PK = nG$, $MSK = n$. For each attribute $a_i \in U$ defined in the system, the TA will randomly select $k_i \in Z_p^*$ as the attribute private key and use $k_i G$ as the attribute public key $PK_{a_i}$, namely $ASK = \{k_i\}$, $APK = \{PK_{a_i}\}$.

KeyGen
$KeyGen(params, MSK, S, UID) \to SK_{i,UID}$: This algorithm is run by the TA, takes the system public parameter $params$, the system master private key $MSK$, the user attribute set $S$ and the user unique identity $UID$ as input and outputs the user private key $SK_{i,UID}$ associated with user identity and attributes. In order to facilitate the distinction, this paper records the user private key applied for by RSU as $SK_{i,UID_{RSU}}$, and the user private key applied for by OBU as $SK_{i,UID_{OBU}}$. In addition, when OBU applies to the TA for the attribute decryption key, the TA will also generate the digital authentication certificate $Cert_{OBU}$ according to the static attribute set $S$ owned by the OBU, attribute validity period and identity, etc., for access authentication with RSU. When the TA generates the corresponding attribute decryption private key for the user, it will bind the attribute private key $k_i$ of the attribute $a_i$ possessed by the user with the user identity $UID$, namely $SK_{i,UID} = k_i + H(UID)n$. When the OBU applies for the attribute decryption key from the TA, the TA will update the digital authentication certificate $Cert_{OBU}$, adding a new static attribute owned by the OBU and the validity period of the attribute to it.

TransKeyGen
$TransKeyGen(params, SK_{i,UID_{OBU}}) \to (AK_{i,UID_{OBU}}, TK)$: The algorithm is run by OBU, takes the system public parameters $params$ and the decryption key $SK_{i,UID_{OBU}}$ obtained from TA as input and outputs the proxy decryption key $AK_{i,UID_{OBU}}$ and the converted key $TK$. When the OBU receives the relevant attribute decryption key, it will randomly select an element $t$ from $Z_p^*$ to calculate the proxy decryption key and converted key, namely $AK_{i,UID_{OBU}} = SK_{i,UID_{OBU}} - t$, $TK = t$.

Encrypt
$Encrypt(params, M, (A_s, \rho_s), (A_d, \rho_d)) \to CT$: The algorithm is run by the data owner ASP or OBU, takes the system public parameter $params$, message $M$ and the static and dynamic attribute access control structures $(A_s, \rho_s)$, $(A_d, \rho_d)$ as input, and outputs ciphertext $CT$. The data owner creates the static attribute LSSS access structure $(A_s, \rho_s)$ and the dynamic attribute LSSS access structure $(A_d, \rho_d)$ according to the defined access control strategy, where $A_s$ and $A_d$ represent the access control matrices of size $l_s \times m_s$ and $l_d \times m_d$, respectively, and $\rho_s(x)$ and $\rho_d(x)$ represent the attribute corresponding to each row in the access matrix. Next, the data owner randomly selects two elements $s, d \in Z_p^*$ for static and dynamic attribute encryption, respectively, where $s_x$ and $d_x$ in $sG = (s_x, s_y)$ and $dG = (d_x, d_y)$ are, respectively, used as symmetric keys to perform symmetric encryption and decryption of data, while $s_y$ and $d_y$ are used for data integrity verification. The specific process of data encryption is as follows:
(1) Static attribute encryption: First, the data owner uses $s_x$ as a symmetric key to encrypt data $M$, that is, $C_{M_s} = Enc(M, s_x)$, and uses $s_y$ as a key to obtain the message authentication code of data $M$, that is, $MAC_{M_s} = HMAC(M, s_y)$. Then, it randomly selects two vectors $v_s, u_s \in Z_p^{m_s}$, where the first element of $v_s$ is $s$, and the first element of $u_s$ is 1, and calculates $\lambda_{x_s} = A_{x_s} \cdot v_s$ and $\omega_{x_s} = A_{x_s} \cdot u_s$, respectively, where $A_{x_s}$ represents the $x$-th row of the matrix $A_s$. Next, it calculates $C_{x_s,1} = \lambda_{x_s} G + \omega_{x_s} PK_{\rho_s(x)}$, $C_{x_s,2} = \omega_{x_s} G$. Finally, the ciphertext encrypted by the static attribute is computed as
(2) Dynamic attribute encryption: Similar to the static attribute encryption process. First, the data owner uses $d_x$ as a symmetric key to encrypt data $C_{M_s}$, that is, $C_{M_{s\_d}} = Enc(C_{M_s}, d_x)$, and uses $d_y$ as a key to obtain the message authentication code of data $C_{M_s}$, that is, $MAC_{M_{s\_d}} = HMAC(C_{M_s}, d_y)$. Then, it randomly selects two vectors $v_d, u_d \in Z_p^{m_d}$, where the first element of $v_d$ is $d$, and the difference from static attribute encryption is that the first element of $u_d$ is 0, and calculates λ Finally, the ciphertext encrypted by the dynamic attribute is computed as After encryption of static attributes and dynamic attributes, the encrypted ciphertext of data $M$ is finally computed as

Decrypt
When the OBU requests to access data, it will send the digital certificate $Cert_{OBU}$ to the RSU for identity authentication. After the RSU obtains $Cert_{OBU}$, it will judge whether the identity of the OBU is valid and obtain the valid static attribute set owned by the OBU according to the user attributes and attribute validity period contained in $Cert_{OBU}$. After the identity authentication is passed, the RSU will submit the corresponding data access request to the CSP. After the RSU receives the ciphertext sent by the CSP, it will judge whether it meets the access policy preset by the data owner according to its own dynamic attribute set and the obtained OBU static attribute set, and then decrypt the ciphertext if it is satisfied. The specific decryption process is as follows: The data decryption consists of two parts, namely the data outsourcing decryption algorithm RSU.Decrypt run by RSU and the data local decryption algorithm OBU.Decrypt run by OBU.
(1) $RSU.Decrypt(params, CT, SK_{i,UID_{RSU}}, AK_{i,UID_{OBU}}) \to CT'$: The algorithm takes the system public parameter $params$, the ciphertext $CT$, the user private key $SK_{i,UID_{RSU}}$ of RSU and the proxy decryption key $AK_{i,UID_{OBU}}$ provided by OBU as input, and outputs the converted ciphertext $CT'$. The algorithm consists of two stages.
(a) First, the RSU uses its own key $SK_{i,UID_{RSU}}$ to decrypt the ciphertext $CT$ encrypted by the dynamic attribute access control structure and verify the integrity of the data. Using $SK_{i,UID_{RSU}}$, $C_{x_d,1}$ and $C_{x_d,2}$ to calculate, RSU can be obtained as where since the first element of $v_d$ is $d$ and the first element of $u_d$ is 0, After obtaining $dG = (d_x, d_y)$, the symmetric key $d_x$ and the key $d_y$ for data integrity verification can be obtained. RSU uses $d_x$ to perform symmetric decryption and obtain the data $C_{M_s}$, and uses the key $d_y$ to calculate whether $HMAC(C_{M_s}, d_y)$ is equal to $MAC_{M_{s\_d}}$ contained in the ciphertext $CT$ to judge whether the data integrity of the ciphertext is maliciously damaged during data transmission and storage.
(b) The second stage is that RSU obtains the decryption key of relevant attributes from the proxy decryption key $AK_{i,UID_{OBU}}$ provided by OBU according to the obtained OBU effective static attribute set, and then decrypts the part encrypted by the static attribute access control structure in the ciphertext $CT$, obtains the converted ciphertext $CT'$ and sends it to the OBU. Using $AK_{i,UID_{OBU}}$, $C_{x_s,1}$ and $C_{x_s,2}$ to calculate, RSU can be obtained as: where since the first element of $v_s$ is $s$ and the first element of $u_s$ is 1, Finally, the converted ciphertext obtained by RSU is $CT' = \{C_{M_s}, MAC_{M_s}, C\}$.
(2) $OBU.Decrypt(params, CT', TK) \to M$: The algorithm takes the system public parameter $params$, the converted ciphertext $CT'$ and the converted key $TK$ as input, and outputs the original data information $M$. After the OBU obtains $CT'$, it can be calculated by using $PK$ and $TK$ as After obtaining $sG = (s_x, s_y)$, the symmetric key $s_x$ and the key $s_y$ for data integrity verification can be obtained. OBU uses the symmetric key $s_x$ to perform symmetric decryption and obtain the data $M$, and uses the key $s_y$ to calculate whether $HMAC(M, s_y)$ is equal to $MAC_{M_s}$. If they are equal, it means that the data $M$ obtained by OBU decryption has not been maliciously tampered with.

Direct Revocation
(1) User revocation: In the scheme proposed in this paper, for the user revocation of an OBU, the local traffic management department can initiate a user revocation request to the TA, and the TA will add the certificate $Cert_{OBU}$ of the OBU user to the certificate revocation list (CRL) to make the RSU reject the access authentication of the OBU user.
the RSU, the RSU can obtain the valid static attribute set of the OBU and then obtain the decryption key of the valid attribute from the proxy decryption key $AK_{i,UID_{OBU}}$. If a static attribute has expired, the valid static attribute set obtained by the RSU will not contain that attribute. When a static attribute has not expired but still needs to be revoked, the local traffic management department can initiate an attribute revocation request to the TA, and the TA will modify the certificate $Cert_{OBU}$ of the OBU user and delete the attribute from $Cert_{OBU}$. The effective static attribute set obtained by the RSU will also not contain this attribute, thereby realizing the direct revocation of the static attribute.
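An added example, not the authors' code, running the static-attribute layer end to end (TASetup, KeyGen, TransKeyGen, Encrypt, stage (b) of RSU.Decrypt, OBU.Decrypt) together with the certificate-based attribute check from Direct Revocation. Assumptions: secp256k1 as the curve, SHA-256 for $H$, a SHAKE-256 XOR keystream standing in for Enc, a constructed two-attribute AND policy, hypothetical names such as `cert_attrs`, and combination steps derived here from the key and ciphertext definitions above rather than quoted from the paper.

```python
import hashlib, hmac, secrets

# Assumed curve: secp256k1, y^2 = x^3 + 7 (the page does not name a curve).
Q = 2**256 - 2**32 - 977  # prime q of the field GF(q)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order p of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, Q) % Q
    else:
        m = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q
    x3 = (m * m - x1 - x2) % Q
    return (x3, (m * (x1 - x3) - y1) % Q)

def ec_mul(k, pt):  # double-and-add; k is reduced mod P, so -k subtracts
    k, acc = k % P, None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def rand():
    return secrets.randbelow(P - 1) + 1  # uniform element of Z_p^*

def H(uid):  # identity string -> Z_p^* (SHA-256 is an assumed instantiation)
    return int.from_bytes(hashlib.sha256(uid.encode()).digest(), "big") % (P - 1) + 1

def dot(row, vec):
    return sum(r * x for r, x in zip(row, vec)) % P

def enc(data, key):
    """Stand-in for Enc/Dec: XOR with a SHAKE-256 keystream keyed by a coordinate."""
    ks = hashlib.shake_256(key.to_bytes(32, "big")).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

def mac(data, key):
    return hmac.new(key.to_bytes(32, "big"), data, hashlib.sha256).digest()

# Constructed static policy "type:taxi AND company:acme" as an LSSS matrix.
A_S = [[1, 1], [0, -1]]
RHO_S = ["type:taxi", "company:acme"]
W_S = [1, 1]  # reconstruction coefficients: 1*(1,1) + 1*(0,-1) = (1,0)

def ta_setup(attrs):
    n = rand()                                   # MSK = n
    ask = {a: rand() for a in attrs}             # attribute private keys k_i
    apk = {a: ec_mul(k, G) for a, k in ask.items()}
    return n, ec_mul(n, G), ask, apk             # MSK, PK = nG, ASK, APK

def keygen(n, ask, attrs, uid):
    return {a: (ask[a] + H(uid) * n) % P for a in attrs}  # SK = k_i + H(UID) n

def trans_keygen(sk):
    t = rand()
    return {a: (k - t) % P for a, k in sk.items()}, t     # AK = SK - t, TK = t

def encrypt_static(msg, apk):
    s = rand()
    sx, sy = ec_mul(s, G)
    v, u = [s, rand()], [1, rand()]              # first elements are s and 1
    rows = []
    for row, attr in zip(A_S, RHO_S):
        lam, om = dot(row, v), dot(row, u)
        rows.append((ec_add(ec_mul(lam, G), ec_mul(om, apk[attr])), ec_mul(om, G)))
    return rows, enc(msg, sx), mac(msg, sy)

def rsu_transform(rows, ak, cert_attrs):
    """Stage (b): C = sum w_x (C_x1 - AK * C_x2); None if an attribute is not valid."""
    if not set(RHO_S) <= set(cert_attrs):
        return None
    c = None
    for (c1, c2), attr, w in zip(rows, RHO_S, W_S):
        c = ec_add(c, ec_mul(w, ec_add(c1, ec_mul(-ak[attr], c2))))
    return c

def obu_decrypt(ct, c, pk, tk, uid):
    """Recover sG = C + H(UID)*PK - TK*G, decrypt, then check the HMAC."""
    _, c_m, mac_m = ct
    s_g = ec_add(ec_add(c, ec_mul(H(uid), pk)), ec_mul(-tk, G))
    if s_g is None:
        return None
    m = enc(c_m, s_g[0])
    return m if hmac.compare_digest(mac(m, s_g[1]), mac_m) else None

def access(ct, ak, tk, uid, pk, cert_attrs):
    """cert_attrs models the valid static attribute set the RSU reads from Cert_OBU."""
    c = rsu_transform(ct[0], ak, cert_attrs)
    return None if c is None else obu_decrypt(ct, c, pk, tk, uid)
```

The pure-Python curve arithmetic here is not constant-time; it is meant for following the algebra, not for deployment on an OBU or RSU.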

Security Discussion
The scheme proposed in this paper has anti-collusion security, forward security and correctness of outsourced decryption.
(1) Anti-collusion security: In the scheme proposed in this paper, the user keys distributed from TA to OBU are all bound to their unique identities. Therefore, even if multiple users who do not meet the access structure collude with each other to share keys, due to their different identities, it is impossible to eliminate redundant elements by combination to obtain the hidden secret value, thus ensuring that the scheme has anti-collusion security.
(2) Forward security: For a given user revocation, the TA adds the certificate of the OBU to the CRL so that the OBU cannot be connected to the RSU and the decryption of the ciphertext cannot be completed by the RSU. For a particular attribute, the direct revocation of the attribute can be realized based on the RSU proxy. The above two revocation methods ensure the forward security of the proposed scheme.
(3) Correctness of outsourced decryption: In the scheme proposed in this paper, OBU can calculate the keys $s_x$ and $s_y$ after obtaining $sG$, and then use the key $s_x$ to obtain the data $M$, use the key $s_y$ to calculate $HMAC(M, s_y)$ and compare it with the $MAC_{M_s}$ contained in the converted ciphertext to judge the correctness of the outsourced decryption.

Security Model
The security model of the scheme proposed in this paper is defined based on the game between the challenger and the attacker, specifically described as follows:
(1) Initialization: The TA first runs the Setup and TASetup algorithms to generate the system public parameters $params$, public key $PK$ and attribute public key $APK$ to provide to the attacker. The attacker then selects a set of challenge access structures $\{(A_s, \rho_s), (A_d, \rho_d)\}$ to send to the challenger.
Definition 2. If no polynomial-time attacker can win with a non-negligible advantage in the game process, the scheme proposed in this paper is indistinguishable under chosen plaintext attack, which is called IND-CPA security.

Security Analysis
Theorem 1. If the DDH assumption under elliptic curves holds, no polynomial-time attacker can break the scheme in this paper with a non-negligible advantage.
Proof. Suppose there is a polynomial time attacker A who can break the scheme in this paper with a non-negligible advantage $\varepsilon > 0$ under the security model defined in this paper, then challenger B can solve the DDH problem with advantage $\varepsilon/2$. The proof process is as follows: Let $G_p$ be a cyclic group with a large prime number $p$ as the order and a base point $G$ on the elliptic curve $E$ as the generator. Challenger B selects two random numbers $a, b$ from $Z_p$, randomly selects an element $R$ from $G_p$, and randomly selects $\beta \in \{0, 1\}$. If $\beta = 0$, challenger B makes the tuple $(G, aG, bG, Z) = (G, aG, bG, abG)$; otherwise, let the tuple $(G, aG, bG, Z) = (G, aG, bG, R)$. Finally, challenger B sends the tuple $(G, aG, bG, Z)$ to simulator C. Simulator C will replace challenger B to interact with attacker A.
(1) Initialization: Simulator C first runs the Setup and TASetup algorithms to generate the system public parameters params, the master private key $MSK = n$, the system public key $PK = nG$, and the attribute private key $k_i$ and attribute public key $PK_{a_i} = k_i G$ for each attribute $a_i$. Then, simulator C provides params, $PK$ and $PK_{a_i}$ to attacker A.

Otherwise, the simulator C randomly selects $h \in Z_p^*$, calculates $SK_{i,UID} = k_i a + h$ as a response and stores the element $((a_i, UID), SK_{i,UID})$ in the list $H$.
(3) Challenge: Attacker A submits two randomly selected messages $M_0$ and $M_1$ of equal length to simulator C. Simulator C first randomly selects $\beta \in \{0, 1\}$. Then, simulator C randomly selects two elements $s, d \in Z_p^*$, uses $s_x$ as a symmetric key to encrypt data $M_\beta$ to obtain $C_{M_s}$, uses $s_y$ as a key to obtain the message authentication code $MAC_{M_s}$ of data $M_\beta$, uses $d_x$ as a symmetric key to encrypt data $C_{M_s}$ to obtain $C_{M_{s\_d}}$ and uses $d_y$ as a key to obtain the message authentication code $MAC_{M_{s\_d}}$ of data $C_{M_s}$. Next, simulator C randomly selects four vectors $v_s, u_s \in Z_p^{m_s}$ and $v_d, u_d \in Z_p^{m_d}$, where the first element of $v_s$ is $s$, the first element of $u_s$ is 1, the first element of $v_d$ is $d$, and the first element of $u_d$ is 0, and calculates $\lambda$. The simulator C generates the challenge ciphertext $CT$ of the information $M_\beta$ and sends it to the attacker A.
(4) Phase 2: Similar to Phase 1.

(5) Guess: Attacker A outputs the guess result $\beta'$ of $\beta$. If $\beta' = \beta$, simulator C outputs 0 to indicate that the guess result is $Z = abG$. Otherwise, simulator C outputs 1 to indicate that the guess result is $Z = R$.
indicating that the challenge ciphertext $CT$ is encrypted under the challenge access structure submitted by attacker A. Since the advantage of attacker A is $\varepsilon$, the probability that attacker A correctly guesses $\beta$ in this case is

If $Z = R$, since $R$ is randomly selected, the probability that attacker A correctly guesses $\beta$ in this case is

In summary, the advantage of simulator C is

The above proof shows that the scheme proposed in this paper satisfies IND-CPA security under the DDH assumption.

Table 1 shows the functional comparison of our scheme with other schemes. As can be seen from the table, the schemes in references [16,17] and our scheme use scalar multiplication on elliptic curves, while the schemes in references [18,20] are based on bilinear pairing for data encryption and decryption operations. Compared to the schemes in [16–18,20], our scheme uses computational outsourcing techniques to reduce the computational burden of decryption for the user. Compared to the schemes in [16–18,20], our scheme adds data integrity verification to verify whether the ciphertext is maliciously corrupted during transmission, storage and computational outsourcing.

Table 2 shows the computational overhead of our scheme compared to other schemes in terms of user encryption, user decryption and outsourced decryption. The descriptors used in the table are as follows: $E_c$, $E_g$, $E_T$ and $E_p$ denote the computational overhead of scalar multiplication on elliptic curves, of exponential operations in the bilinear group $G$, of exponential operations in $G_T$ and of bilinear pairing operations, respectively. $H$ is the computational overhead of the hash function. $L$ is the number of attributes contained in the access control structure. $M$ is the minimum number of attributes required to decrypt the ciphertext. $N$ is the number of all attributes contained in the system. $\omega$ is the number of attributes in the AND gate structure. As can be seen from the table, compared to the schemes in [16–18,20], our scheme makes the computational overhead in the user decryption process stable by using computational outsourcing. Our scheme requires less computational overhead in the outsourcing process compared to the scheme in [20].

Experiment Analysis
Our experimental environment uses a 2.6 GHz Intel Core i7 processor running Ubuntu Linux 16.04.7. The experimental code is written with the charm-crypto framework and Python 3.7 and uses a 160-bit elliptic curve group on the supersingular curve $y^2 = x^3 + x$ over a 512-bit finite field. A comparison of the time required to perform various operations in this environment is shown in Table 3. The experimental results are the average of 30 rounds of experiments.

Figures 3-6, respectively, show the calculation time comparison between our scheme and the schemes in [18] and [20] in the process of key generation, user encryption, user decryption and outsourced decryption.

It can be seen from Figure 3 that the key generation time in the schemes of [18] and [20] grows with the increase in user attributes, but the key generation time in our scheme is almost constant. It can be seen from Figure 4 that the user encryption time in the schemes of [18,20] and our scheme grows with the increase in attributes in the access control policy, but the encryption time in our scheme is relatively small.

From Figure 5, we can see that the data decryption time of the scheme in [18] increases with the number of attributes. However, the scheme in [20] and our scheme use computation outsourcing technology, so the data decryption time does not increase due to the complexity of the access policy. Additionally, compared to the scheme in [20], our scheme requires less decryption time and is more efficient.

It can be seen from Figure 6 that the outsourced decryption time of the scheme in [20] and our scheme increases with the increase in the number of attributes, but the outsourced decryption time of our scheme is shorter than that of the scheme in [20], and with the increase in the number of attributes, the time difference between the two schemes gradually increases. This is because the scalar multiplication used in our scheme has the characteristics of low computational overhead and high efficiency compared to the bilinear pairing operation used in [20].

Conclusions
In this paper, we propose a lightweight CP-ABE scheme that supports direct attribute revocation. The scheme establishes a two-step decryption architecture for the RSU and OBU by separating the dynamic and static attributes of in-vehicle terminals, and it achieves efficient attribute revocation without re-encrypting the ciphertext or modifying the private keys of unrevoked users, which reduces system consumption. The scheme is based on elliptic curve cryptography and uses scalar multiplication to perform data computation, which improves the overall efficiency and reduces the computational overhead. A fixed ciphertext length can effectively reduce the communication resource consumption in the VANET environment, but in our scheme, the ciphertext length increases with the number of attributes in the access control policy. Therefore, in future work, we will further improve the scheme to achieve a fixed ciphertext length.