Secure Data Access Control for Fog Computing Based on Multi-Authority Attribute-Based Signcryption with Computation Outsourcing and Attribute Revocation

Abstract

Nowadays, fog computing provides computation, storage, and application services to end users in the Internet of Things. One of the major concerns in fog computing systems is how fine-grained access control can be imposed. As a logical combination of attribute-based encryption and attribute-based signature, Attribute-based Signcryption (ABSC) can provide confidentiality and anonymous authentication for sensitive data and is more efficient than traditional “encrypt-then-sign” or “sign-then-encrypt” strategy. Thus, ABSC is suitable for fine-grained access control in a semi-trusted cloud environment and is gaining more and more attention recently. However, in many existing ABSC systems, the computation cost required for the end users in signcryption and designcryption is linear with the complexity of signing and encryption access policy. Moreover, only a single authority that is responsible for attribute management and key generation exists in the previous proposed ABSC schemes, whereas in reality, mostly, different authorities monitor different attributes of the user. In this paper, we propose OMDAC-ABSC, a novel data access control scheme based on Ciphertext-Policy ABSC, to provide data confidentiality, fine-grained control, and anonymous authentication in a multi-authority fog computing system. The signcryption and designcryption overhead for the user is significantly reduced by outsourcing the undesirable computation operations to fog nodes. The proposed scheme is proven to be secure in the standard model and can provide attribute revocation and public verifiability. The security analysis, asymptotic complexity comparison, and implementation results indicate that our construction can balance the security goals with practical efficiency in computation.

1. Introduction

With the rapid development of cloud computing, more people are coming to prefer moving both the large burden of data storage and computation overhead to cloud servers in a cost-effective manner [1]. However, the advance of the Internet of Things (IoTs) has posed a challenge to the centralized cloud computing system due to its geo-distribution, location awareness, and low latency requirements. To solve the problem, Cisco proposed the concept of fog computing in 2014, where a layer consisting of fog devices (such as routers, access points, and IP video cameras) bridges between the cloud server and end users [2]. In a fog computing system, the fog devices, termed as fog nodes, are distributed and implemented at the edge of networks [3]. Since fog nodes are much closer to end users than the cloud server and have plentiful computing resources and wireless communication facility, some of the computing tasks can be outsourced to fog nodes from the nearby end user, which alleviates the computation burden of the users and significantly improve the efficiency. Thus, the fog computing paradigm can be applied in many real-time and geographically distributed applications, such as wireless sensors, smart grids and health fog applications [4].

However, there are still various challenging obstacles in fog computing systems, such as the privacy and security of users’ data [5,6]. Traditionally, a cloud server is not fully trusted by the data owner in cloud computing system, and the data uploaded may contain sensitive information; hence, the data should be encrypted before outsourcing to the cloud. In accord with cloud computing, message confidentiality should also be considered in fog computing systems. Moreover, since the fog nodes are more easily compromised than cloud servers [6], it is required that fog nodes should alleviate the computation burden of end devices without degrading the privacy in fog computing systems. In addition to confidentiality, data owners may wish to impose fine-grained access control such that only users with certain attributes have access to the data [7]. For example, in a health fog system, which combines the advantage of both the fog computing and original cloud-based healthcare services [8], personal health records usually contain abundant sensitive information, such as weight, heart rate, and blood type. After gathering by sensors, the personal health record may be uploaded to the cloud for the user’s individual needs or to perform real-time analytics. To ensure the privacy of the health data, an access control system should guarantee that only the users authorized by the data owner can access the data. For instance, to analyze whether the blood pressure is normal, the owner “Alice” wants to share her health data to users with attributes “Institution = Hospital ∧ Role = Doctor ∧ Gender = Female”. One of the effective techniques to address this fine-grained access requirement is attribute-based encryption (ABE) [9]. It realizes the confidentiality and access control on data based on encryption under an access policy defined over the set of attributes.

Besides the confidentiality and fine-grained access control, it is also necessary to provide anonymity authentication for data sharing between users in the access control mechanism. For instance, the owner “Alice”, aged 20, would like to encrypt and store some sensitive health information in the cloud but does not want to be recognized. When a data user, such as the doctor or researcher, accesses the data, he/she can verify that the data is actually uploaded by a patient with certain credentials such as “Gender = Female ∧ Age ∈ [18,30]” without knowing the patient’s real identity “Alice” or her real age.

A feasible and promising solution is the Attribute Based Signcryption (ABSC) scheme, which takes advantages of Attribute-Based Encryption (ABE) and Attribute-Based Signature (ABS), and is more efficient than do the traditional “encrypt-then-sign” or “sign-then-encrypt” strategies. ABSC employs ABE to provide confidentiality and fine-grained access control, and uses ABS to achieve authentication without revealing the data owner’s sensitive attributes. Traditionally, ABE can be classified into two categories: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE). In KP-ABE, the secret key is associated with an access structure (predicate), and the message is encrypted with a set of attributes. While in CP-ABE, predicate is assigned to the plaintext message. Similarly, ABS has two categories: Signature-Policy ABS (SP-ABS) wherein the predicate is embedded in the signature, and Key-Policy ABS (KP-ABS) wherein the predicate is associated with the secret key. The Ciphertext-Policy ABSC (CP-ABSC) [10] supports CP-ABE and SP-ABS, and the Key-Policy ABSC (KP-ABSC) [11] supports KP-ABE and KP-ABS. Recently, many data access control schemes based on ABSC have been proposed, as in [12,13,14,15]. Although some of them are efficient, three problems must be considered when implementing ABSC scheme in fog computing environment. The first one is performance. The traditional ABSC scheme is typically computationally intensive. In particular, the cost of signcryption and designcryption on the user side are proportional to the complexity of predicates. One possible strategy to alleviate the computation overhead required on end user is to outsource the most computation-consuming job of signcryption and designcryption to the fog node. Although many ABE schemes with outsourcing encryption and decryption, as in [16,17,18,19,20], have been proposed in recent years for secure data sharing in fog computing system, realizing ABSC scheme with anonymous authentication and efficient computation outsourcing is still a challenge since ABSC schemes contain both of the signing and encryption protocols. The second problem is multi-authority. In traditional ABSC schemes, as in [12,13,14,15], a central authority is responsible for attribute management and key generation. However, in many applications, the predicate embedded in the ciphertext or signature can be written over attributes issued by different trust domains and authorities. For example, the health data uploaded by “Alice” may contain the encryption predicate as “(Doctor ∨ Researcher) ∨ Female”. Since only a hospital can authorize a person the attribute “Doctor” and only a research organization can certify that a person is a “Researcher”, it is not practical to authorize access right to a person by a single authority. Therefore, it is necessary to distribute attribute management and secret key generation from a single central authority over many authorities. Some multi-authority ABE schemes for fog computing, as in [17], have been proposed, whereas constructing multi-authority ABSC scheme with outsourcing capability is still a blank. The third one is attribute revocation. For example, when the attributes of a doctor are updated from A = {Institution = Hospital ∧ Role = Doctor ∧ Gender = Female} to B = {Institution = Hospital ∧ Gender = Female}, her access rights should be modified accordingly. Attribute revocation is not trivial and straightforward in ABE schemes. However, it has not been taken into account in multi-authority ABSC schemes with outsourcing capability.

The problem of designing a multi-authority data access control scheme based on ABSC with signcryption and designcryption outsourcing capabilities and attribute revocation for fog computing system, has received very little attention so far, although some schemes based on Multi-Authority ABE (MA-ABE) and ABS (MA-ABS) for cloud storage setting have been proposed, as in [21,22,23,24,25,26]. Meng et al. [27] proposed a decentralized KP-ABSC scheme for secure data sharing in the cloud. However, the scheme is just a combination of identity signature and MA-ABE, and only supports the threshold predicate. It also does not provide any security definition or computation outsourcing. Hong et al. [28] proposed a KP-ABSC scheme with outsourced designcryption and key exposure protection. However, the computation overhead of signcryption increases with the complexity of the predicate, and since the verification and decryption both have to be performed on the user side, the number of pairing operations evaluated on the user side is proportional to the sum of the required attributes, which is not acceptable to IoT devices. Moreover, the scheme in [28] does not support multi authorities and attribute revocation. We focus on CP-ABSC in access control application, as CP primitives are more suitable for the data owner to choose the predicate to determine who can access the sensitive data [14].

1.1. Contributions

In this paper, we propose OMDAC-ABSC, a novel data access control scheme for fog computing system based on Multi-Authority CP-ABSC (MACP-ABSC) supporting the computation outsourcing for both signcryptor (data owner) and designcryptor (data user). To the best of our knowledge, OMDAC-ABSC is the first scheme that significantly reduces computation burden from both data owners and data users in the multi-authority ABSC setting. Public verifiability, expressiveness and attribute revocation are also considered in our scheme. The main contributions can be summarized as follows:

(1)

We propose a data access control scheme OMDAC-ABSC for fog computing system, in which fog nodes serve as a bridge between the cloud server and end users. In our scheme, heavy signcryption and designcryption operations can be outsourced from end users (e.g., tablet computers and smartphones) to fog nodes. In signcryption phase, the fog nodes are in charge of generating part of the ciphertext. In designcryption phase, the fog nodes can perform the partial decryption without degrading the data confidentiality, and the data user only requires a constant number of exponentiations to decrypt the ciphertext. Additionally, unlike other existing works such as [27,28], our scheme supports public verification, since the verification mechanism does not require the plaintext message or the data owner’s public key. Thus the verification algorithm can be performed by any trusted party, which alleviates the computation burden of the end user. Therefore, our construction is efficient from computation point of view.

(2)

Unlike some existing ABE schemes for fog computing such as [16,18,19] and ABSC schemes such as [15,27,28], the proposed OMDAC-ABSC scheme is more expressiveness and supports any monotone Boolean function predicates represented by monotone span programs (MSP) for both signing and encryption. Moreover, we remove the limitation that the labeling functions ρ in signing and encryption predicates should be injective functions.

(3)

Our OMDAC-ABSC scheme is proven to be secure in the standard model. We also formally prove that our construction satisfies the properties of signcryptor privacy and collusion resistance.

(4)

We also consider the attribute revocation in our OMDAC-ABSC scheme. In attribute revocation phase, the authority supervising the revoked attribute only distributes the update keys to the non-revoked users and the cloud server to update the corresponding components. It is also proved that our scheme guarantees both the forward and backward revocation security.

1.2. Paper Organization

The remainder of this paper is organized as follows: in Section 2, we discuss some related works. Then in Section 3, we review the necessary notations and cryptographic background that are used throughout the paper. In Section 4, we give the definition of our scheme and the security requirements. The details of the scheme and the security proof are elaborated in Section 5 and Section 6, respectively. Section 7 is dedicated to discussing the functionality and performance of the scheme. Finally, we conclude this paper in Section 8.

2. Related Works

2.1. Access Control Schemes Based on ABE

ABE was first introduced by Sahai and Waters [9]. In ABE, a data owner can share sensitive data with others according to predicates (or access policies). Several works on ABE have been presented to address data access control in untrusted cloud servers. Recently, the ABE scheme was adopted in fog-computing systems to guarantee confidentiality and fine-grained access control. Heavy computations of encryption or decryption are outsourced to fog nodes to improve the efficiency. In [16], an anonymous user authentication in ciphertext update phase was realized, whereas the scheme only supports AND-gate predicate. Zuo et al. [18] proposed a CCA-secure ABE scheme with decryption outsourcing. However, the encryption phase of the scheme in [18] incurs heavy computation cost. Additionally, the scheme in [18] is only provably secure in the random oracle model and only supports the AND-gate encryption predicate. Zhang et al. [19] presented an ABE- based access control scheme for fog computing with outsourced encryption and decryption. Although the computation operations (pairings and exponentiations) for users to encrypt and decrypt are irrelevant to the complexity of predicate, the scheme only supports threshold encryption predicate, and requires both the cloud server and fog nodes to be trusted. Lounis et al. [29] proposed a cloud-based architecture for medical wireless sensor networks, in which the resource-constrained end devices outsource the costly computations to the trusted gateway. However, the decryption phase incurs heavy computation cost. Xiao et al. [30] constructed a fine-grained hybrid scheme for fog computing with the advantages of efficient data search and access authorization through online/offline encryption, delegation of search task and decryption to fog nodes, and provable security. Mao et al. [20] proposed an ABE scheme with verifiable outsourced decryption, whereas it incurs a heavy computation overhead in encryption phase. Li et al. [31] also proposed a fully verifiable ABE scheme with outsourcing capability. However, Liao et al. [32] showed that the verification mechanism proposed in [31] is not always correct.

In many ABE schemes, the attribute universe is assumed to be managed by a single authority. In reality, however, users’ attributes may be monitored by different authorities. To track this problem, MA-ABE scheme was proposed by Chase et al. [33]. In MA-ABE, the attribute universe is divided into multiple disjoint sets, and each authority controls one of these attribute sets. The user can successfully decrypt the ciphertext if and only if the user possesses at least a pre-specified number of attributes from each authority. Furthermore, Chase et al. [34] proposed an improved MA-ABE scheme to remove the fully trusted central authority by adopting a Pseudo Random Function (PRF) and a secure 2-party anonymous secret-key-issuing protocol. However, the multiple authorities must cooperate with each other, and the number of authorities must be determined in the initialization phase. Recently, many distributed access control schemes based on MA-ABE have been proposed, such as [21,22,23,24,25,26,35,36]. Han et al. [21] proposed a privacy-preserving decentralized CP-ABE based access scheme (PPDCP-ABE) to protect the user’s privacy. However, PPDCP-ABE cannot resist collusion attack or support anonymous authentication. Rui et al. [22] constructed a MA-ABE scheme with secure attribute-level immediate attribute revocation. The scheme is only provably secure under the random oracle model. Lewko et al. [23] proposed a decentralized attribute-based encryption using the dual system encryption methodology. The secret keys of the user are tied to his global identity in order to resist collusion attack. However, the scheme realizes the security in random oracle model using the composite-order bilinear group, which incurs great computation overhead. Sourya et al. [25] proposed a decentralized data sharing scheme with outsourced decryption and user revocation. They also proposed a decentralized data sharing scheme where multiple attribute authorities distribute secret keys to the user [24]. In [26], the authors outsourced the main computation overhead in a decryption algorithm to the cloud. However, the security cannot be guaranteed if the revoked user eavesdrops to obtain the update keys and retrieves the ability to decrypt as a non-revoked user. To implement multi-authority ABE in fog computing system, Fan et al. [17] proposed a VO-MAACS scheme with verification mechanism. Although the encryption and decryption algorithms are outsourced, the scheme cannot support anonymous authentication and attribute revocation, and does not have security proof. Jung et al. [35] presented an anonymous privilege control scheme to address data and identity privacy in multi-authority cloud storage system. To guarantee the confidentiality of user’s identity information, the scheme in [35] decomposes the central authority to multiple ones while preserving tolerance to compromise attack on the authorities. However, the security is realized in random oracle model, and the encryption predicate is the AND gate. In [36], the authors constructed a multi-authority data access control scheme with decryption outsourcing and attribute-level user revocation. The scheme supports any monotone encryption predicate and is adaptively secure in the standard model. Nevertheless, the scheme in [36] needs to deal with large composite-order group elements and thus incurs heavy computation overhead.

2.2. Attribute-Based Signature and Multi-Authority Attribute-Based Signature

ABS was first introduced by Maji et al. [37]. Due to their anonymity and authentication properties, many ABS schemes have been proposed. Like ABE, to overcome the drawback that only a single authority exists in the system, the concept of MA-ABS was introduced in [38]. In MA-ABS, there are multiple authorities and each authority controls one of disjoint attribute sets. The user is able to successfully sign the plaintext if he/she possesses a pre-specified number of attributes from multiple authorities.

2.3. Access Control Schemes Based on ABSC

ABSC scheme, first introduced by Gagné et al. [10], is a logical combination of ABE and ABS and can support many practical properties, including confidentiality, fine-grained access control, and authentication. Recently, many data access control schemes based on ABSC have been proposed, as in [11,12,13,14,15,27,28]. Y. Sreenivasa [11] proposed a Key-Policy attribute-based signcryption scheme that supports any monotone Boolean function and constant size ciphertext. However, the message confidentiality and unforgeability of the scheme against selectively adversary are proven in the random oracle model. Chen et al. [12] focused on the joint security of signature and encryption schemes and presented a CP-ABSC scheme in the joint security setting. However, it cannot support public verifiability since plaintext is required in verification mechanism. Liu et al. [13] proposed a secure PHR data access control scheme based on CP-ABE [39] and ABS [37]. However, it is only provably secure in a random oracle model. In [14], the authors constructed a CP-ABSC based access control scheme with public verifiability, but the scheme does not support computation outsourcing. Yu et al. [15] proposed the hybrid access policy ABSC scheme that supports KP-ABS and CP-ABE. The size of the ciphertext is constant, and the scheme realizes security in the standard model. Nevertheless, it only supports the threshold predicate in the encryption phase. Moreover, the above ABSC schemes only have a single authority and cannot be applied in the multi-authority system.

3. Preliminaries

By $a\stackrel{R}{\leftarrow }A$, we denote that $a$ is selected randomly from $A$. $\left|A\right|$ denotes the cardinality of a finite set $A$. ${\mathbb{Z}}_{\mathrm{p}}$ denotes a finite field with prime order $p$, and ${\mathbb{Z}}_p^{*}$ stands for ${\mathbb{Z}}_p\backslash \left\{0\right\}$. $y\leftarrow A\left(x\right)$ denotes that $y$ is computed by running algorithm $A$ with input $x$. $\left[n\right]$ represents the set $\left\{1,2,\dots ,n\right\}$. ${\overrightarrow{a}}^{\left(i\right)}$ denotes the $i$th element of the vector $\overrightarrow{a}$. A function $ϵ: \mathbb{Z}\to R$ is negligible if, for any $z\in \mathbb{Z}$, there exists a $k$ such that $ϵ\left(x\right)<1/x^z$ when $x>k$. We use $s$ and $e$ as superscripts for signing and encryption, respectively. $Pr\left[E\right]$ denotes the probability of an event $E$ occurring. For an unambiguous presentation of the paper, we define the important notations used in our scheme in the Appendix A.

Definition 1.

Bilinear maps [22]: Let $\mathbb{G}$ and ${\mathbb{G}}_T$ be two cyclic groups with the prime order $p$, and $g\in \mathbb{G}$ be the generator of $\mathbb{G}$. Then the bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ can be defined as follows:

• Bilinear. For all $u,v\in \mathbb{G}$, $a,b\in {\mathbb{Z}}_p$, $e\left(u^a,v^b\right)=e{\left(u,v\right)}^{ab}$.
• Non-degenerate. $e\left(g,g\right)\ne 1$.
• Computable. There is an efficient algorithm to compute the map $e$.

$\mathcal{G}\mathcal{G}\left(1^k\right)\to \left(e,p,\mathbb{G},{\mathbb{G}}_T\right)$ takes as input a security parameter $1^k$ and outputs a bilinear group $\left(e,p,\mathbb{G},{\mathbb{G}}_T\right)$ with prime order $p$ and a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$.

Definition 2.

Decisional Bilinear Diffie-Hellman (BDH) Assumption [22]: Let $g$ be a generator of $\mathbb{G}$ with prime order $p$ and $a,b,c\in {\mathbb{Z}}_p^{*}$ be randomly chosen. Given a vector $\overrightarrow{\mathcal{Y}}=\left(g,g^a,g^b,g^c\right)$, the decisional BDH assumption holds if no PPT adversary $\mathcal{A}$ can distinguish $\left(\overrightarrow{\mathcal{Y}},\Omega =e{\left(g,g\right)}^{abc}\right)$ from $\left(\overrightarrow{\mathcal{Y}},\Omega \stackrel{R}{\leftarrow }{\mathbb{G}}_T\right)$ with the advantage $Ad{v}_{\mathcal{A}}=\left|Pr\left[\mathcal{A}\left(\overrightarrow{\mathcal{Y}},\Omega =e{\left(g,g\right)}^{abc}\right)=1\right]-Pr\left[\mathcal{A}\left(\overrightarrow{\mathcal{Y}},\Omega \stackrel{R}{\leftarrow }{\mathbb{G}}_T\right)=1\right]\right|\ge ϵ\left(k\right)$.

Definition 3.

Decisional q-Parallel Bilinear Diffie-Hellman Exponent (q-PBDHE) Assumption [21]: Suppose that $a,w,b_1,b_2,\dots ,b_q\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, $\mathcal{G}\mathcal{G}\left(1^k\right)\to \left(e,p,\mathbb{G},{\mathbb{G}}_T\right)$ and $g$ is a generator of $\mathbb{G}$. Given $\overrightarrow{\mathcal{Y}}=\left(g,g^w,g^a,\dots ,g^{a^q},g^{a^{q+2}},\dots ,g^{a^{2q}},\forall 1\le j\le q,g^{w{b}_j},g^{\frac{a}{b_j}},\dots ,g^{\frac{a^q}{b_j}},g^{\frac{a^{q+2}}{b_j}}\dots ,g^{\frac{a^{2q}}{b_j}},\forall 1\le j,k\le q,k\ne j,g^{\frac{aw{b}_k}{b_j}},\dots ,g^{\frac{a^{q}w{b}_k}{b_j}}\right)$, the decisional q-PBDHE assumption holds if no PPT adversary $\mathcal{A}$ can distinguish $\left(\overrightarrow{\mathcal{Y}},\Omega =e{\left(g,g\right)}^{a^{q+1}w}\right)$ from $\left(\overrightarrow{\mathcal{Y}},\Omega \stackrel{R}{\leftarrow }{\mathbb{G}}_T\right)$ with the advantage $Ad{v}_{\mathcal{A}}=\left|Pr\left[\mathcal{A}\left(\overrightarrow{\mathcal{Y}},\Omega =e{\left(g,g\right)}^{a^{q+1}w}\right)=1\right]-Pr\left[\mathcal{A}\left(\overrightarrow{\mathcal{Y}},\Omega \stackrel{R}{\leftarrow }{\mathbb{G}}_T\right)=1\right]\right|\ge ϵ\left(k\right)$.

Definition 4.

Monotone Span Program (MSP) [11]: Assume $\left\{v_1,v_2,\dots ,v_m\right\}$ is a set of variables. An MSP is a labeled matrix $\Omega ≔\left(M_{\ell \times n},\rho \right)$, where $M$ is an $\ell \times n$ matrix over ${\mathbb{Z}}_p$ and $\rho$ is the labeling function $\rho :\left[\ell \right]\to \left\{v_1,v_2,\dots ,v_m\right\}$.

Let $\overrightarrow{x}=\left(x_1,x_2,\dots ,x_m\right)\in {\left\{0,1\right\}}^m$ and $X_{\mu }=\left\{i\in \left[\ell \right]:\left[\rho \left(i\right)=v_j\right]\wedge \left[x_j=\mu \right]\right\}$ where $\mu \in \left\{0,1\right\}$. $X_1\cup X_0=\left[\ell \right]$. Let $M^i$ be the $i$th row of $M$. We denote $\Omega \left(\overrightarrow{x}\right)=1$ if $\Omega$ accepts the input $\overrightarrow{x}$. Likewise, $\Omega \left(\overrightarrow{x}\right)=0$ means $\Omega$ rejects $\overrightarrow{x}$. Then $\Omega \left(\overrightarrow{x}\right)=1\iff \left[\exists \left(a_1,a_2,\dots ,a_{\ell }\right)\in {\mathbb{Z}}_p^{\ell } such that {\sum }_{i\in \left[\ell \right]}{a}_i{M}^i=\overrightarrow{1}\right]$ where $a_i=0$ for all $i\in X_0$.

An MSP $\Omega$ computes a monotone Boolean function $\mathcal{R}: {\left\{0,1\right\}}^m\to \left\{0,1\right\}$ if $\Omega \left(\overrightarrow{x}\right)=1$ for all $\overrightarrow{x}\in \left\{\overrightarrow{x}: \mathcal{R}\left(\overrightarrow{x}\right)=1\right\}$.

Lemma 1

[14].If $\Omega \left(\overrightarrow{x}\right)=0$, then there exists a vector $\overrightarrow{\omega }=\left({\omega }_1,{\omega }_2,\dots ,{\omega }_n\right)\in {\mathbb{Z}}_p^n$ with ${\omega }_1=-1$ such that $\overrightarrow{\omega }{M}^i=0$ for all $i\in X_1$.

Definition 5.

Predicates [14]: Assume $U$ is the universe of attributes. A predicate over $U$ is a monotone Boolean function whose inputs are associated with the attributes of $U$. Let $W\subset U$ is a subset of attributes. A predicate $\mathcal{R}$ accepts $W\subset U$ if $\mathcal{R}\left(W\right)=1$. If $W$ does not satisfy $\mathcal{R}$ then $\mathcal{R}\left(W\right)=0$. A predicate $\mathcal{R}$ is said to be monotone, if $\mathcal{R}\left(W\right)=1\Rightarrow \mathcal{R}\left(C\right)=1$ for every attribute set $C\supset W$.

Suppose $\mathcal{R}$ is a predicate and $L_{\mathcal{R}}$ is the set of attributes utilized in $\mathcal{R}$. Then the corresponding MSP for $\mathcal{R}$ is a labeled matrix $\Omega ≔\left(M_{\ell \times n},\rho \right)$, where $\rho :\left[\ell \right]\to L_{\mathcal{R}}$.

Define $X_1=\left\{i\in \left[\ell \right]:\left[\rho \left(i\right)=a\right]\wedge \left[a\in W\right]\right\}$ and $X_0=\left\{i\in \left[\ell \right]:\left[\rho \left(i\right)=a\right]\wedge \left[a\notin W\right]\right\}$. $X_1\cup X_0=\left[\ell \right]$. Then

$\mathcal{R}\left(W\right)=1\iff \Omega \left(W\right)=1\iff \left[\exists \left(a_1,a_2,\dots ,a_{\ell }\right)\in {\mathbb{Z}}_p^{\ell } such that {\sum }_{i\in \left[\ell \right]}{a}_i{M}^i=\overrightarrow{1} and a_i=0 \forall i,\rho \left(i\right)\notin W \right]$.

Lemma 2

[14].If $\mathcal{R}\left(W\right)=0$, then there exists a vector $\overrightarrow{\omega }=\left({\omega }_1,{\omega }_2,\dots ,{\omega }_n\right)\in {\mathbb{Z}}_p^n$ with ${\omega }_1=-1$ such that $\overrightarrow{\omega }{M}^i=0$ for all $i$ where $\rho \left(i\right)\in W$.

Definition 6

[14].Let $M_{\ell \times n}$ be a matrix of size $\ell \times n$ over a field $\mathbb{F}$. $rank\left(M\right)$ is rank of $M_{\ell \times n}$. If $rank\left(M\right)<\ell$, then $\mathbb{V}=\left\{\left(b_1,b_2,\dots ,b_{\ell }\right)\in {\mathbb{F}}^{\ell }:{\sum }_{i\in \left[\ell \right]}{b}_i{M}^i=\overrightarrow{0}\right\}$ contains a polynomial number of vectors $\left(b_1,b_2,\dots ,b_{\ell }\right)$, and the predicate for which MSP is $\Omega ≔\left(M_{\ell \times n},\rho \right)$ consists of both AND and OR gates. Otherwise, $\mathbb{V}=\left\{\overrightarrow{0}\right\}$ and the predicate is an AND gate. In our construction, we consider the signing and encryption predicates consisting of both AND and OR gates.

4. Scheme and Security Definitions

Our OMDAC-ABSC scheme consists of a multi-authority attribute-based signcryption (MACP-ABSC) scheme.

4.1. Multi-Authority Attribute-Based Signcryption

The MACP-ABSC scheme consists of the following five algorithms:

$GlobalSetup \left(1^k\right)$. Taking as input a security parameter $1^k$, the algorithm outputs the public parameters $PP$. It also generates the public key $P{K}_{uid}$ for the user with identity $uid$.

$AuthoritySetup\left(PP\right)$. It takes as input $PP$ and outputs the public key and secret key pairs $\left\{PK,SK\right\}$ for the authority.

$SecretKeyGen\left(PP,P{K}_{aid},S{K}_{aid},P{K}_{uid},\tilde{U}\right)$. Taking as input $PP$, $\left\{P{K}_{aid},S{K}_{aid}\right\}$ of authority $A{A}_{aid}$, user’s public key $P{K}_{uid}$ and attribute set $\tilde{U}=\widetilde{U^d}\cup \widetilde{U^s}$, where $\widetilde{U^d}$ denotes the set of decryption attributes, and $\widetilde{U^s}$ is the set of signing attributes. $\widetilde{U^d}\cap \widetilde{U^s}=\varnothing .$ The algorithm outputs the secret signing and decryption keys $S{K}_{uid,aid}=\left\{S{K}_{uid,aid}^s,S{K}_{uid,aid}^d\right\}$ for the user.

$Signcryption\left(\mathcal{M},PP,{\mathcal{R}}_s,{\mathcal{R}}_e,{\left\{S{K}_{do,k}^s\right\}}_{k\in I}\right)$. Taking as input the plaintext $\mathcal{M}$, public parameters $PP$, signing and encryption predicates ${\mathcal{R}}_s,{\mathcal{R}}_e$, and the set of signcryptor’s secret signing keys ${\left\{S{K}_{do,k}^s\right\}}_{k\in I}$, where $I$ is the set of involved authorities in signcryption and $do$ is signcryptor’s identity. The algorithm outputs the ciphertext $CT$.

$DeSigncryption\left(PP,CT,P{K}_{du},{\left\{S{K}_{uid,k}^d\right\}}_{k\in I}\right)$. This algorithm intakes the public parameters $PP$, ciphertext $CT$, public key $P{K}_{du}$ of the data user $U_{du}$ (designcryptor), and the set of designcryptor’s secret decryption keys ${\left\{S{K}_{uid,k}^d\right\}}_{k\in I}$, outputs the plaintext $\mathcal{M}$ or $\perp$.

Definition 7.

Assume the signcryptor is denoted by $U_{do}$ and designcryptor is denoted by $U_{du}$. We say that the MACP-ABSC scheme is correct if ${\mathcal{R}}_s\left(\widetilde{U_{du}^s}\right)=1,{\mathcal{R}}_e\left(\widetilde{U_{du}^d}\right)=1$, then $Pr\left[\mathcal{M}\leftarrow DeSigncryption\left(PP,CT,P{K}_{du},{\left\{S{K}_{du,k}^d\right\}}_{k\in I}\right)\right]=1$, where $\left\{PP,P{K}_{do}P{K}_{du}\right\}\leftarrow GlobalSetup\left(1^k\right)$, $\left\{P{K}_k,S{K}_k\right\}\leftarrow AuthoritySetup\left(PP\right)$, $S{K}_{do,k}^s\leftarrow SecretKeyGen\left(PP,P{K}_k,S{K}_k,P{K}_{do},\widetilde{U_{do}}\right)$, $S{K}_{du,k}^d\leftarrow SecretKeyGen\left(PP,P{K}_k,S{K}_k,P{K}_{du},\widetilde{U_{du}}\right)$, $CT\leftarrow Signcryption\left(\mathcal{M},PP,{\mathcal{R}}_s,{\mathcal{R}}_e,{\left\{S{K}_{do,k}^s\right\}}_{k\in I}\right)$.

4.2. High-Level Overview of OMDAC-ABSC Scheme

Based on MACP-ABSC scheme, we propose OMDAC-ABSC scheme, a novel data access control scheme for fog computing system supporting the computation outsourcing for both signcryptor and designcryptor.

4.2.1. Scheme Description

As shown in Figure 1, our OMDAC-ABSC scheme has five types of entities: the global certificate authority (CA), cloud server, users (including signcryptors and designcryptors), independent attribute authorities (AAs) and fog nodes.

Figure 1. System Architecture.

Global Certificate Authority: The global certificate authority (CA) is fully trusted in the system and generates the public parameters for the system. CA is also responsible for the users’ and authorities’ registrations. However, CA is not involved in any attribute management and the creations of the secret keys that are associated with attributes. With the help of CA, we can improve the privacy of our scheme by realizing the identity authentication and preventing authorities from forging a virtual user to decrypt the ciphertext. In secret key generation phase, the attribute authority verifies user’s certification using the verification key of CA and then generates the secret key for the user. In designcryption phase, the cloud server can verify user’s identifier and return the ciphertext to the fog node if the user is valid.

Cloud Server: The cloud server is a semi-trusted party and also provides data storage and data access service to users. Since our scheme supports public verification, the cloud server can verify that the ciphertext is valid and is signcrypted by the data owner whose attributes satisfy the signing predicates contained in the ciphertext. If the ciphertext is not valid, the cloud server can reject it.

User: Users who are attached to fog nodes and equipped with IoT devices in our system include the signcryptor and designcryptor. When the signcryptor signcrypts a message, he/she can select the signing and encryption predicates over the attributes from multiple authorities and outsource the resulting ciphertext to the cloud server. We assume that the ciphertext implicitly contains the signing and encryption predicates. Only legally registered users can endorse the data, and only users satisfying the encryption predicate can decrypt the data.

Attribute Authority: The authority can initialize itself to setup its public and secret keys. To compute the secret keys for users, the authority verifies the user’s identity and generates the secret keys according to the user’s attributes.

Fog Node: Fog nodes, deployed at the edge of the network, offer a variety of services, such as low latency, location awareness, and real-time applications. Each of them is linked to the cloud server. Fog nodes are also in charge of part of signcryption and designcryption computations. Note that in designcryption phase, only if the data user’s attributes satisfy the encryption predicate will the fog nodes partially designcrypt the ciphertext with the proxy secret keys.

The work flow of OMDAC-ABSC scheme is shown in Figure 2. The scheme consists of the following six phases.

Figure 2. Work flow of OMDAC-ABSC scheme.

(1) System Initialization

In this phase, CA generates the public parameters for the system, and also accepts the registrations of the attribute authorities and the users. The initialization phase contains the following six algorithms:

$GlobalSetup1\left(1^k\right)$. This algorithm is run by CA. Taking as input the security parameter $1^k$, the algorithm outputs the public parameters $PP$.

$UserReg\left(PP\right)$. This algorithm is run by CA and data user. Taking as input the public parameters, CA assigns the global identity $uid$ and partial public key $PP{K}_{uid}$ to the user.

$AuthorityReg\left(PP\right)$. This algorithm is run by CA and the attribute authority. Taking as input the public parameters, CA assigns the global identity $aid$ and partial public key $PP{K}_{aid}$ for the attribute authority.

$UserSetup\left(PP,PP{K}_{uid}\right)$. Given the global identity $uid$, public parameters $PP$, and partial public key $PP{K}_{uid}$, the data user runs $UserSetup\left(PP,PP{K}_{uid}\right)$ to initialize himself/herself. The algorithm outputs the public key $P{K}_{uid}$ and secret key $S{K}_{uid}$ for the user. Additionally, the public key certificate $cert\left(uid\right)$ generated by CA is sent to the user for identity authentication.

$AuthoritySetup\left(PP,PP{K}_{aid}\right)$. Given the global identity $aid$, public parameters $PP$, and partial public key $PP{K}_{aid}$, the attribute authority runs $AuthoritySetup\left(PP,PP{K}_{aid}\right)$ to initialize itself. The algorithm outputs the public key $P{K}_{aid },P{K}_{uid,aid}^1$ and secret key $S{K}_{aid }$ for the attribute authority $A{A}_{aid}$.

$GlobalSetup2\left(1^k,PP, {\left\{P{K}_{aid},P{K}_{uid,aid}^1\right\}}_{U_{uid}\in S_U,A{A}_{aid}\in S_A}\right)$. This algorithm is run by CA to end the system initialization phase. Taking as input the public parameters $PP$ and authorities’ public keys ${\left\{P{K}_{aid},P{K}_{uid,aid}^1\right\}}_{U_{uid}\in S_U,A{A}_{aid}\in S_A}$, CA generates the public key $P{K}_{uid,aid}$ for each pair of user $U_{uid}$ and authority $A{A}_{aid}$.

(2) Secret Key Generation

After system initialization, the attribute authority $A{A}_{aid}$ can verify the user’s identity using the public key certificate $cert\left(uid\right)$ and then run $SecretKeyGen\left(PP,P{K}_{aid},S{K}_{aid},P{K}_{uid},\tilde{U}\right)$ algorithm to compute the secret signing and decryption keys for the valid user according to the user’s attribute set $\tilde{U}$.

$SecretKeyGen\left(PP,P{K}_{aid},S{K}_{aid},P{K}_{uid},\tilde{U}\right)$. The algorithm intakes the public parameters $PP$, the public key and secret key pair $\left\{P{K}_{aid},S{K}_{aid}\right\}$ of the authority $A{A}_{aid}$, the public key $P{K}_{uid}$ and user’s attribute set $\tilde{U}$, outputs the user’s secret signing and decryption keys $S{K}_{uid,aid}=\left\{S{K}_{uid,aid}^s,S{K}_{uid,aid}^d\right\}$.

(3) Proxy Secret Key Generation

In this phase, the data user runs $PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,aid}\right)$ algorithm to compute the proxy secret signing and decryption keys $PS{K}_{uid,aid}=\left\{PS{K}_{uid,aid}^s,PS{K}_{uid,aid}^d\right\}$ and then sends $PS{K}_{uid,aid}$ to the fog nodes to outsource the signcryption and designcryption computation overhead.

$PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,aid}\right)$. Taking as input the secret key $S{K}_{uid}$ and secret signing and decryption keys $S{K}_{uid,aid}$, this algorithm outputs the proxy secret signing and decryption keys $PS{K}_{uid,aid}=\left\{PS{K}_{uid,aid}^s,PS{K}_{uid,aid}^d\right\}$. $PS{K}_{uid,aid}$ are sent to the fog nodes.

(4) Data Signcryption

To achieve high efficiency, the signcryptor first encrypts the plaintext with a random content key by applying a symmetric encryption algorithm. Then the signcryptor defines the signing and encryption predicates ${\mathcal{R}}_s$ and ${\mathcal{R}}_e$, and signcrypts the content secret key with the following two algorithms:

$Fog\_Signcryption\left(PP,{\left\{PS{K}_{uid,k}^s\right\}}_{k\in I_A^s},P{K}_{uid},{\mathcal{R}}_s,{\mathcal{R}}_e\right)$. This algorithm is performed in the fog nodes. Taking as input the public parameters $PP$, proxy secret signing key $PS{K}_{uid,k}^s$ of the attribute authority $A{A}_k$ whose attributes are selected for signing, the public key $P{K}_{uid}$ of signcryptor, the signing and encryption predicates ${\mathcal{R}}_s,{\mathcal{R}}_e$, the algorithm outputs part of the ciphertext $C{T}^{\prime }$.

$User\_Signcryption\left(\mathcal{M},PP,{\left\{P{K}_{aid}\right\}}_{aid\in I_A^e},S{K}_{uid},C{T}^{\prime }\right)$. This algorithm intakes the message to be signcrypted, the public parameters $PP$, the public key $P{K}_{aid}$ of attribute authorities whose attributes are selected for encryption, secret key $S{K}_{uid}$ of signcryptor and partial ciphertext $C{T}^{\prime }$, outputs the ciphertext $CT$ and sends $CT$ to the cloud server.

(5) Data Designcryption

When the user queries the ciphertext, the cloud server verifies the user’s identifier and returns the ciphertext to the fog node if the user is valid. If the decryption attribute set $\widetilde{U^d}$ satisfies the encryption predicate ${\mathcal{R}}_e$ embedded in ciphertext, the data user can obtain the plaintext by running $DeSigncryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A^e},S{K}_{uid}\right)$ algorithm which includes the following three sub-algorithms: $Verify\left(PP,CT\right)$ run by any trusted party (public verifiability), $PartialDecryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A^e}\right)$ run by fog nodes and $FullDecryption\left(PP,C{T}^p,S{K}_{uid}\right)$ performed by the user. $I_A^s$ (resp. $I_A^e$) denotes the set of the indexes of the authorities involved in signing (resp. encryption). Note that $I_A^s$ (resp. $I_A^e$) can be obtained from ${\mathcal{R}}_s$ (resp. ${\mathcal{R}}_e$) which is implicitly contained in $CT$.

$Verify\left(PP,CT\right)$. This algorithm takes as input the public parameters $PP$ and ciphertext $CT$, outputs $\perp$ if $CT$ contains an invalid signature corresponding to the signing predicate ${\mathcal{R}}_s$ embedded in $CT$. Otherwise, proceed $Decryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}\right\}}_{k\in I_A^e},S{K}_{uid}\right)$ algorithm as follows:

$Decryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}\right\}}_{k\in I_A^e},S{K}_{uid}\right)$. This algorithm contains two sub-algorithms:

$PartialDecryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A^e}\right)$. This algorithm intakes the public parameters $PP$, the ciphertext $CT$, the public key $P{K}_{uid}$ of the user and the proxy secret decryption key $PS{K}_{uid,k}^d$, outputs the partial decryption result $C{T}^p$ and returns $C{T}^p$ to the user.

$FullDecryption\left(PP,C{T}^p,S{K}_{uid}\right)$. Taking as input the public parameters $PP$, the partial decryption result $C{T}^p$ and secret key $S{K}_{uid}$, the algorithm outputs the final plaintext $\mathcal{M}$ or $\perp$.

(6) Attribute revocation

In this phase, suppose the attribute $x$ of the user $U$ is revoked from $A{A}_k$. After randomly chooses a new attribute version key, the authority $A{A}_k$ distributes the update keys implicitly containing the latest attribute version key to the non-revoked users and cloud server respectively. Only the $x$-related components of secret keys and ciphertext will be updated.

$UpSecretKeyGen\left(P{K}_{uid},S{K}_k,S{K}_{uid,k}\right)$. This algorithm is run by attribute authority $A{A}_k$. The algorithm intakes the public key $P{K}_{uid}$ of non-revoked user $U_{uid}$, the secret key of $A{A}_k$, outputs the signing and decryption update keys $sU{K}_{uid,x},dU{K}_{uid,x}$, and ciphertext update keys $cUK,sUK$.

$UpSecretKey\left(S{K}_{uid,k},sU{K}_{uid,x},dU{K}_{uid,x}\right)$. This algorithm is run by the non-revoked user $U_{uid}$. Taking as input the secret signing and decryption key $S{K}_{uid,k}$, and the signing and decryption update keys $sU{K}_{uid,x},dU{K}_{uid,x}$, the algorithm outputs the updated secret signing and decryption keys.

$UpCiphertext\left(CT,cUK,sUK\right)$. This algorithm is run by the cloud server. Taking as input the ciphertext tagged with the revoked attribute, and the ciphertext update keys $cUK,sUK$, the algorithm outputs the updated ciphertext.

4.2.2. Threat Assumption

Assume CA is fully trusted. The authorities can honestly issue the secret keys for the user and will not collude with the user to access the sensitive data. However, the authorities can be corrupted and disclose the information sent from the data user to the adversary. The fog nodes can also be corrupted and leak the information such as proxy secret keys to the adversary. The cloud server is semi-trusted. It will execute the protocol in general but will leak the signcrypted data to some malicious users and get illegal access privileges. The data users (including the signcryptor and designcryptor) are malicious and can collude with other users and even the cloud server and fog nodes to sign or decrypt the unauthorized data.

4.2.3. Security Requirements

Following [12,14], the confidentiality, unforgeability and signcryptor privacy of OMDAC-ABSC scheme are presented in Definitions 8, 9 and 10 as follows by defining the security games between a challenger and an adversary $\mathcal{A}$. Then in Definition 11 and Definition 12, we provide the definitions of collusion resistance and attribute revocation security.

Definition 8.

Indistinguishability of ciphertext under selective encryption predicate and adaptively chosen ciphertext attack (IND-sEP-CCA2).

The scheme is $\left(T,q_{sk},q_{psk},q_{SC},q_{DS},ϵ\right)$-IND-sEP-CCA2 secure if for any PPT adversary $\mathcal{A}$ which runs in time at most $T$ and makes at most $q_{sk}$ $SecretKey$ queries, $q_{psk}$ $Proxy SecretKey$ queries, $q_{SC}$ $Signcryption$ queries, and $q_{DS}$ $DeSigncryption$ queries, the advantage $Ad{v}_{\mathcal{A}}^{IND-sEP-CCA2}$ of $\mathcal{A}$ in the following game with a challenger $\mathcal{C}$ is at most $ϵ$.

$Init$. $\mathcal{A}$ specifies the space of attributes and the set of corrupted authorities. $\mathcal{A}$ submits the challenge encryption predicate ${\mathcal{R}}_e^{*}=\left({\mathrm{M}}_e^{*},{\rho }_e^{*}\right)$ over encryption attributes that will be used to encrypt the challenge ciphertext. Note that the adversary cannot decrypt the challenge ciphertext with any secret decryption keys queried from $SecretKey$ queries and the keys directly generated from the corrupted authorities.

$Setup$. The challenger runs the algorithms in system initialization phase to generate the public parameters, and the pairs of public key and the secret key of the attribute authorities. Then the challenger sends the public keys to the adversary. For the corrupted authorities, the challenger sends the secret keys to the adversary.

Phase 1. In this phase, the challenger $\mathcal{C}$ answers the queries from $\mathcal{A}$ as follows:

$SecretKey query {\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$. $\mathcal{A}$ can adaptively query the secret key for a user $U$ with identity $uid$ and a set of attributes $\tilde{U}=\widetilde{U^d}\cup \widetilde{U^s}$ to the authority $A{A}_k$. $\widetilde{U^d}$ does not satisfy ${\mathcal{R}}_e^{*}$ together with any keys that can be obtained from corrupted authorities. The challenger runs $SecretKeyGen$ and returns the secret key to the adversary.

$Proxy SecretKey query {\mathcal{O}}^{psk}\left(\tilde{U},A{A}_k,uid\right)$. $\mathcal{A}$ can adaptively query the proxy secret key for a user $U$ with identity $uid$. The challenger runs $PxSecretKeyGen$ and returns the proxy secret key to the adversary.

$Signcryption query {\mathcal{O}}^{SC}\left(\mathcal{M},{\mathcal{R}}_s,{\mathcal{R}}_e\right)$. Upon receiving a message $\mathcal{M}\in {\mathbb{G}}_T$, signing and encryption predicts ${\mathcal{R}}_s,{\mathcal{R}}_e$, the challenger $\mathcal{C}$ selects a signing attribute set $\widetilde{U^s}$ such that ${\mathcal{R}}_s\left(\widetilde{U^s}\right)=1$ and returns the ciphertext to the adversary.

$DeSigncryption query {\mathcal{O}}^{DS}\left(CT,\widetilde{U^d}\right)$. $\mathcal{A}$ submits a ciphertext $CT$, and a decryption attribute set $\widetilde{U^d}$. $\mathcal{C}$ returns the plaintext to $\mathcal{A}$ if ${\mathcal{R}}_e\left(\widetilde{U^d}\right)=1$ and $CT$ contains a valid signature corresponding to the signing predicate ${\mathcal{R}}_s$, where ${\mathcal{R}}_e$ and ${\mathcal{R}}_s$ are implicitly contained in $CT$.

$Challenge$. $\mathcal{A}$ submits two messages ${\mathcal{M}}_0,{\mathcal{M}}_1$ with the same length and signing predicate ${\mathcal{R}}_s^{*}=\left({\mathrm{M}}_s^{*},{\rho }_s^{*}\right)$ to the challenger. $\mathcal{C}$ selects a signing attribute set $\widetilde{U^s}$ satisfying ${\mathcal{R}}_s^{*}\left(\widetilde{U^s}\right)=1$. The challenger randomly chooses a bit $𝒷\in \left\{0,1\right\}$ and runs the $Signcryption$ algorithm to signcrypt the message ${\mathcal{M}}_{𝒷}$ and returns the ciphertext $C{T}^{*}$ to $\mathcal{A}$ as the challenge ciphertext.

Phase 2. Phase 1 is repeated. In this phase, $\mathcal{A}$ cannot issue ${\mathcal{O}}^{DS}$ with the challenge ciphertext $C{T}^{*}$ obtained in Challenge phase and attribute set $\widetilde{U^d}$ such that ${\mathcal{R}}_e^{*}\left(\widetilde{U^d}\right)=1$.

$Guess$. $\mathcal{A}$ outputs a guess bit ${𝒷}^{\prime }$ on $𝒷$. $\mathcal{A}$ wins the game if ${𝒷}^{\prime }=𝒷$.

The advantage of $\mathcal{A}$ is defined by $Ad{v}_{\mathcal{A}}^{IND-sEP-CCA2}=\left|Pr\left[{𝒷}^{\prime }=𝒷\right]-1/2\right|$.

Definition 9.

Existential unforgeability under selective signing predicate and adaptively chosen message attack (EUF-sSP-CMA).

The proposed scheme is $\left(T,q_{sk},q_{psk},q_{SC},q_{DS},ϵ\right)$-EUF-sSP-CMA secure if for any PPT adversary $\mathcal{A}$ which runs in time at most $T$ and makes at most $q_{sk}$ $SecretKey$ queries, $q_{psk}$ $Proxy SecretKey$ queries, $q_{SC}$ $Signcryption$ queries, and $q_{DS}$ $DeSigncryption$ queries, the advantage $Ad{v}_{\mathcal{A}}^{EUF-sSP-CMA}$ of $\mathcal{A}$ in the following game with a challenger $\mathcal{C}$ is at most $ϵ$.

$Init$. $\mathcal{A}$ specifies the space of attributes and a set of corrupted authorities, and then submits the challenge signing predicate ${\mathcal{R}}_s^{*}=\left({\mathrm{M}}_s^{*},{\rho }_s^{*}\right)$ over signing attributes that will be used to forge the ciphertext. Note that the adversary cannot sign the plaintext under the signing predicate ${\mathcal{R}}_s^{*}$ with any secret signing keys queried from $SecretKey$ queries and the keys directly generated from the corrupted authorities.

$Setup,ProxySecretKeyquery,Signcryptionquery$ and $DeSigncryptionquery$ are the same as Definition 8.

$SecretKey query {\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$. $\mathcal{A}$ can adaptively query the secret key for a user $U$ with a set of attributes $\tilde{U}=\widetilde{U^d}\cup \widetilde{U^s}$ to the authority $A{A}_k$. $\widetilde{U^s}$ does not satisfy ${\mathcal{R}}_s^{*}$ together with any keys that can be obtained from corrupted authorities. The challenger runs $SecretKeyGen$ and returns the secret key to the adversary.

$Forgery$. $\mathcal{A}$ outputs the forgery ciphertext $C{T}^{*}$ for the selective signing predicate ${\mathcal{R}}_s^{*}$ and an arbitrary encryption predicate ${\mathcal{R}}_e^{*}$.

$\mathcal{A}$ wins the game if $C{T}^{*}$ is a valid ciphertext and $\mathcal{A}$ has never issued ${\mathcal{O}}^{SC}\left(\mathcal{M},{\mathcal{R}}_s^{*},{\mathcal{R}}_e^{*}\right)$. The advantage of $\mathcal{A}$ is defined as $Ad{v}_{\mathcal{A}}^{EUF-sSP-CMA}=Pr\left[\mathcal{A} \mathrm{wins}\right]$.

Note that in our scheme, the fog nodes can be corrupted. In this case, the proxy secret keys sent from the users might be obtained by the adversary. This kind of attack is captured by the proxy secret key query ${\mathcal{O}}^{psk}\left(\tilde{U},A{A}_k,uid\right)$, which makes the access control scheme proven secure in our security model have a wider spectrum of applications.

Definition 10.

Signcryptor Privacy.

It is required that the signature of the proposed scheme reveals nothing about the attributes of the data owner except that the attributes satisfy the signing predicate. We define signcryptor privacy as a game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Assume the public parameters $PP$ and public and secret key pairs ${\left\{P{K}_k,S{K}_k\right\}}_{I_A}$ of attribute authorities are given to $\mathcal{A}$. $\mathcal{A}$ submits two signing attribute sets $\widetilde{U_0^s},\widetilde{U_1^s}$ satisfying ${\mathcal{R}}_s\left(\widetilde{U_0^s}\right)={\mathcal{R}}_s\left(\widetilde{U_1^s}\right)=1$ to the challenger. The challenger then chooses a bit $𝒷\stackrel{R}{\leftarrow }\left\{0,1\right\}$ and signcrypts the plaintext $\mathcal{M}$ with the signing and encryption predicates ${\mathcal{R}}_s,{\mathcal{R}}_e$, and secret signing key $S{K}_{uid,k}^{s,𝒷}$ for $\widetilde{U_{𝒷}^s}$. $\mathcal{C}$ sends the ciphertext $C{T}_{𝒷}$ to $\mathcal{A}$. $\mathcal{A}$ then outputs a guess bit ${𝒷}^{\prime }$ on $𝒷$. $\mathcal{A}$ wins the game if ${𝒷}^{\prime }=𝒷$. We say OMDAC-ABSC scheme satisfies signcryptor privacy if for any adversary $\mathcal{A}$,

$$Pr[{𝒷}^{\prime }=𝒷 : \begin{array}{l}PP\leftarrow GlobalSetup1\left(1^k\right)\\ {\left\{P{K}_k,S{K}_k\right\}}_{I_A}\leftarrow AuthoritySetup\left(PP,PP{K}_k\right)\\ \left(\widetilde{U_0^s},\widetilde{U_1^s},\mathcal{M},{\mathcal{R}}_s,{\mathcal{R}}_e\right)\leftarrow \mathcal{A}\left(PP,{\left\{P{K}_k,S{K}_k\right\}}_{I_A}\right)\\ {\mathcal{R}}_s\left(\widetilde{U_0^s}\right)=1={\mathcal{R}}_s\left(\widetilde{U_1^s}\right)\\ 𝒷\stackrel{R}{\leftarrow }\left\{0,1\right\}\\ C{T}_{𝒷}\leftarrow \mathcal{C}\left(\mathcal{M},PP,{\mathcal{R}}_s,{\mathcal{R}}_e,\widetilde{U_{𝒷}^s},{\left\{S{K}_{uid,k}^{s,𝒷}\right\}}_{k\in I_A^s}\right)\\ {𝒷}^{\prime }\leftarrow \mathcal{A}\left(PP,C{T}_{𝒷},{\left\{P{K}_k,S{K}_k\right\}}_{I_A}\right)\end{array}]=\frac{1}{2}$$

Definition 11.

Collusion Resistance.

OMDAC-ABSC scheme is secure against collusion attack of two or more communication entities (e.g., data users, fog nodes, and cloud server) if there does not exist a set of polynomial time adversaries that can sign the plaintext (collusion resistance of signing) or decrypt the ciphertext (collusion resistance of decryption) by cooperating with each other when none of adversaries is authorized to sign or decrypt the data.

Definition 12.

Suppose the attribute $x$ is revoked.

Forward Security. If $x$ is the signing attribute, then OMDAC-ABSC scheme supports forward revocation security if the newly joined user can successfully sign the plaintext with the $x$-corresponding signing attribute set. Otherwise, the forward revocation security guarantees if each newly joined user can decrypt $x$-corresponding ciphertext if the decryption attributes of the user satisfy the encryption predicate contained in the ciphertext.

Backward Security. If $x$ is the signing attribute, then OMDAC-ABSC scheme supports backward revocation security if the updated ciphertext cannot be reversed back to the non-revoked state while maintaining the verification algorithm holds. Otherwise, the backward revocation security guarantees if the attribute revoked user cannot decrypt the $x$-corresponding ciphertext as a non-revoked user.

5. Construction of OMDAC-ABSC Scheme

In this section, we propose the construction of OMDAC-ABSC scheme in detail. The notations of the scheme are listed in Appendix A.

5.1. System Initialization

5.1.1. System Setup 1

$GlobalSetup1\left(1^k\right)$. Taking as input a security parameter $1^k$, the algorithm outputs the public parameters $PP$ as follows.

(1)

Generate a bilinear group $\mathcal{G}\mathcal{G}\left(1^k\right)\to \left(e,p,\mathbb{G},{\mathbb{G}}_T\right)$, where the prime $p$ is the order of group $\mathbb{G}$. Let $g,\theta$ be the random generators of $\mathbb{G}$. Randomly select ${\gamma }_1,{\gamma }_2, \left\{k_0,k_1,\dots ,k_l\right\},\left\{V_1,V_2\dots ,V_{{\ell }_m}\right\}$ from $\mathbb{G}$. Choose three cryptographic collision resistant hash functions $H_1: \mathbb{G}\to {\mathbb{Z}}_p^{*}$, $H_2: {\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^l$ and $H_3: {\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_p^{*}$.

(2)

CA generates a pair of keys $\left\{s{k}_{CA},v{k}_{CA}\right\}$ for signing and verification in identity authentication.

(3)

Output $PP=\left\{g,\theta ,{\gamma }_1,{\gamma }_2, \left\{k_0,k_1,\dots ,k_l\right\},\left\{V_1,V_2\dots ,V_{{\ell }_m}\right\}\right\}$ as the system public parameter. CA accepts both user registration $UserReg\left(PP\right)$ and authority registration $AuthorityReg\left(PP\right)$.

$UserReg\left(PP\right)$. CA verifies user $U$’s identity information then runs this algorithm to register $U$. CA selects a unique identity number $uid$ and sends $PP{K}_{uid}=\left\{g^{s_{uid}},g^{d_{uid}},{\left\{V_i^{s_{uid}}\right\}}_{i\in \left[{\ell }_m\right]}\right\}$ as the partial public key to user. $s_{uid}$ and $d_{uid}$ are kept secret in the system.

$AuthorityReg\left(PP\right)$. CA verifies the identity information of the authority then runs this algorithm to register the authority. CA selects a unique identity number $aid\in \left[1,N_A\right]$, then selects ${\alpha }_{aid}$ and publishes the partial public key $PP{K}_{aid}={\Delta }_{aid}=e{\left(g,g\right)}^{{\alpha }_{aid}}$ to $A{A}_{aid}$.

$UserSetup\left(PP,PP{K}_{uid}\right)$. Given the global identity $uid$, the user runs $UserSetup\left(PP,PP{K}_{uid}\right)$ to initialize itself and compute the public key $P{K}_{uid}$ and secret key $S{K}_{uid}$ as follows.

• Set $S{K}_{uid}=z_{uid}$ where $z_{uid}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$.
• Set $P{K}_{uid}=\left\{g^{s_{uid}},g^{d_{uid}},g^{1/z_{uid}},{\theta }^{z_{uid}},g^{z_{uid}},{\left\{V_i^{s_{uid}}\right\}}_{i\in \left[{\ell }_m\right]}\right\}$.
• CA sets $cert\left(uid\right)=Sig{n}_{s{k}_{CA}}\left(uid,P{K}_{uid}\right)$ as the public key certificate.

$AuthoritySetup\left(PP,PP{K}_{aid}\right)$. Each authority $A{A}_{aid}$ runs this algorithm to initialize itself and compute the public key $P{K}_{aid},P{K}_{uid,aid}^1$ and secret key $S{K}_{aid}$ as follows:

(1)

Set $S{K}_{aid}=\{{\beta }_{aid},{\gamma }_{aid},{\{{\phi }_x\}}_{x\in \widetilde{A{A}_{aid}}}\}$, where ${\beta }_{aid},{\gamma }_{aid},{\phi }_x\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$.

(2)

Set $P{K}_{aid}=\left\{{\Delta }_{aid},X_{aid},Y_{aid},Z_{aid},{\left\{A_x\right\}}_{x\in \widetilde{A{A}_{aid}}}\right\}$, where $A_x=g^{{\phi }_x},X_{aid}=g^{1/{\beta }_{aid}},Y_{aid}={\theta }^{1/{\beta }_{aid}},Z_{aid}={\theta }^{1/{\gamma }_{aid}}$.

(3)

Set $P{K}_{uid,aid}^1=g^{1/\left({\gamma }_{aid}{z}_{uid}\right)}$ for each user $U_{uid}\in S_U$.

5.1.2. System Setup 2

$GlobalSetup2\left(1^k,PP,{\{P{K}_{aid},P{K}_{uid,aid}^1\}}_{U_{uid}\in S_U,A{A}_{aid}\in S_A}\right)$. Taking as input the public parameters $PP$ and authorities’ public keys ${\{P{K}_{aid},P{K}_{uid,aid}^1\}}_{U_{uid}\in S_U,A{A}_{aid}\in S_A}$, CA generates the public key $P{K}_{uid,aid}$ for each pair of user $U_{uid}$ and authority $A{A}_{aid}$ as follows:

For $U_{uid}\in S_U,A{A}_{aid}\in S_A$, $P{K}_{uid,aid}=\{P{K}_{uid,aid}^1,P{K}_{uid,aid}^2,P{K}_{uid,aid}^3\}$, where $P{K}_{uid,aid}^2={(P{K}_{uid,aid}^1)}^{{\alpha }_{aid}}{Z}_{aid}^{d_{uid}}=g^{{\alpha }_{aid}/({\gamma }_{aid}{z}_{uid})}{\theta }^{d_{uid}/{\gamma }_{aid}}$ and $P{K}_{uid,aid}^3=X_{aid}^{{\alpha }_{aid}}{Y}_{aid}^{s_{uid}}=g^{{\alpha }_{aid}/{\beta }_{aid}}{\theta }^{s_{uid}/{\beta }_{aid}}$.

5.2. Secret Key Generation

$A{A}_{aid}$ runs the secret key generation algorithm $SecretKeyGen$ to generate the secret signing and decryption keys for the user $U_{uid}$.

$SecretKeyGen(PP,P{K}_{aid},S{K}_{aid},P{K}_{uid},\tilde{U})$. $A{A}_{aid}$ first verifies the user’s $cert(uid)$ with verification key $v{k}_{CA}$. If the user is a legal user, $A{A}_{aid}$ computes the user’s secret signing and decryption keys $S{K}_{uid,aid}=\{S{K}_{uid,aid}^s,S{K}_{uid,aid}^d\}$ as:

(1)

$S{K}_{uid,aid}^s=\{K_{uid,aid}^s={(P{K}_{uid,aid}^3)}^{{\beta }_{aid}}=g^{{\alpha }_{aid}}{\theta }^{s_{uid}},{\{F_{uid,x}^s={(g^{s_{uid}})}^{{\phi }_x}=A_x^{s_{uid}}\}}_{x\in \widetilde{U^s}\cap \widetilde{A{A}_{aid}}}\}$.

(2)

$S{K}_{uid,aid}^d=\{K_{uid,aid}^d={(P{K}_{uid,aid}^2)}^{{\gamma }_{aid}}=g^{{\alpha }_{aid}/z_{uid}}{\theta }^{d_{uid}},{\{F_{uid,x}^d={(g^{d_{uid}})}^{{\phi }_x}=A_x^{d_{uid}}\}}_{x\in \widetilde{U^d}\cap \widetilde{A{A}_{aid}}}\}$.

5.3. Proxy Secret Key Generation

Each user $U_{uid}$ runs the $PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,aid}\right)$ to generate the proxy secret key $PS{K}_{uid,aid}=\left\{PS{K}_{uid,aid}^s,PS{K}_{uid,aid}^d\right\}$ as:

(1)

$PS{K}_{uid,aid}^s=\left\{P{S}_{uid,aid}={\left(K_{uid,aid}^s\right)}^{z_{uid}},P{V}_{uid}=g^{z_{uid}{s}_{uid}},{\left\{P{F}_{uid,x}^1={\left(F_{uid,x}^s\right)}^{z_{uid}},P{F}_{uid,x}^2={\left(A_x\right)}^{z_{uid}}\right\}}_{x\in \widetilde{U^s}\cap \widetilde{A{A}_{aid}}},{\left\{V_i^{z_{uid}},V_i^{s_{uid}{z}_{uid}}\right\}}_{i\in \left[{\ell }_m\right]}\right\}$.

(2)

$PS{K}_{uid,aid}^d=S{K}_{uid,aid}^d$.

The transformed secret keys $\left\{PS{K}_{uid,aid}\right\}$ are sent to the fog node.

5.4. Data Signcryption

The data owner first encrypts the data component with a content secret key $k$ by using symmetric encryption algorithm $E{n}_k$, then it runs $Signcryption$ to signcrypt the secret key. $Signcryption$ contains two phases: fog signcrypt $Fog\_Signcryption$ and user signcrypt $User\_Signcryption$.

$Signcryption\left(ℳ,PP,{\left\{PS{K}_{uid,k}^s\right\}}_{k\in I_A^s},P{K}_{uid},{\left\{P{K}_{aid}\right\}}_{aid\in I_A^e},S{K}_{uid},{ℛ}_s,{ℛ}_e\right)$. Assume that ${ℛ}_s≔\left({\mathrm{M}}_s,{\rho }_s\right)$ (resp. ${ℛ}_{e,j}≔\left({\mathrm{M}}_e,{\rho }_e\right)$) is the signing predicate (resp. encryption predicate) over all the attributes selected from the set of attribute authorities $I_A^s$ (resp. $I_A^e$), where ${\mathrm{M}}_s$ (resp. ${\mathrm{M}}_e$) is a ${\ell }_s\times n_s$, ${\ell }_s\le {\ell }_m$ (resp. ${\ell }_e\times n_e$) matrix with row labeling function ${\rho }_s:\left[{\ell }_s\right]\to {\mathbb{Z}}_p$ (resp. ${\rho }_e:\left[{\ell }_e\right]\to {\mathbb{Z}}_p$). Note that we remove the limitation that ${\rho }_s$ (resp. ${\rho }_e$) should be an injective function (i.e., an attribute can associate with more than one rows of ${\mathrm{M}}_s$ (resp. ${\mathrm{M}}_e$)). Let ${\mathrm{M}}_s^i$ (resp. ${\mathrm{M}}_e^i$) be the $i$th row of the matrix ${\mathrm{M}}_s$ (resp. ${\mathrm{M}}_e$). Assume the signing attribute set is $\widetilde{U^s}$ and ${ℛ}_s\left(\widetilde{U^s}\right)=1$. The algorithm contains two phases as follows:

(1)

$Fog\_Signcryption\left(PP,{\left\{PS{K}_{uid,k}^s\right\}}_{k\in I_A^s},P{K}_{uid},{ℛ}_s,{ℛ}_e\right)$. This algorithm is performed in the fog node FD as follows:

• It first computes a vector $\overrightarrow{a}=\left(a_1,a_2,\dots ,a_{{\ell }_s}\right)\in {\mathbb{Z}}_p^{{\ell }_s}$ such that $\overrightarrow{a}\cdot {\mathrm{M}}_s=\overrightarrow{1}$ since ${ℛ}_s\left(\widetilde{U^s}\right)=1$. Note that $a_i=0$ for all $i$ where ${\rho }_s\left(i\right)\notin \widetilde{U^s}$. Then the algorithm chooses $\overrightarrow{b}=\left(b_1,b_2,\dots ,b_{{\ell }_s}\right)\in {\mathbb{Z}}_p^{{\ell }_s}$ such that ${\sum }_{i\in \left[{\ell }_s\right]}{b}_i{\mathrm{M}}_s^i=\overrightarrow{0}$.
• The algorithm randomly chooses $s_{uid}^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$ and re-randomize the proxy secret key $PS{K}_{uid,aid}^s$ as
  $P{S}_{uid,k}=P{S}_{uid,k}{\left({\theta }^{z_{uid}}\right)}^{s_{uid}^{\prime }}=g^{{\alpha }_k{z}_{uid}}{\theta }^{z_{uid}{s}_{uid}^{″}}$,
  $P{V}_{uid}=P{V}_{uid}{\left(g^{z_{uid}}\right)}^{s_{uid}^{\prime }}=g^{z_{uid}{s}_{uid}^{″}}$,
  ${\left\{P{F}_{uid,x}=P{F}_{uid,x}^1{\left(P{F}_{uid,x}^2\right)}^{s_{uid}^{\prime }}=A_x^{z_{uid}{s}_{uid}^{″}}\right\}}_{x\in \widetilde{U^s}}$,
  $V_i^{z_{uid}{s}_{uid}^{″}}=V_i^{s_{uid}{z}_{uid}}{\left(V_i^{z_{uid}}\right)}^{s_{uid}^{\prime }}$, where $s_{uid}^{″}=s_{uid}+s_{uid}^{\prime }$.
• The fog node randomly picks $w^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$. Then it selects $\left\{r_1^{\prime },r_2^{\prime },\dots ,r_{{\ell }_e}^{\prime }\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, $\left\{{\lambda }_1^{\prime },{\lambda }_2^{\prime },\dots ,{\lambda }_{{\ell }_e}^{\prime }\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, and computes the following terms: ${\left\{C_{2,i}^{\prime }={\theta }^{{\lambda }_i^{\prime }}{A}_{{\rho }_e\left(i\right)}^{-r_i^{\prime }},D_i^{\prime }=g^{r_i^{\prime }}\right\}}_{i\in \left[{\ell }_e\right]}$, ${\left\{S_{1,i}^{\prime }=P{V}_{uid}^{a_i}{g}^{z_{uid}{b}_i}=g^{z_{uid}\left(a_i{s}_{uid}^{″}+b_i\right)}\right\}}_{i\in \left[{\ell }_s\right]}$. $S_2^{\prime }=\left({\prod }_{I_A^s}P{S}_{uid,k}\right)\left({\prod }_{i\in \left[{\ell }_s\right]}{\left(P{F}_{uid,{\rho }_s\left(i\right)}{V}_i^{z_{uid}{s}_{uid}^{″}}\right)}^{a_i}{\left(P{F}_{uid,{\rho }_s\left(i\right)}^2{V}_i^{z_{uid}}\right)}^{b_i}\right)$.

FD outputs the partially signcrypted ciphertext $C{T}^{\prime }=\left\{w^{\prime },{\left\{C_{2,i}^{\prime },D_i^{\prime },{\lambda }_i^{\prime },r_i^{\prime }\right\}}_{i\in \left[{\ell }_e\right]},{\left\{S_{1,i}^{\prime }\right\}}_{i\in \left[{\ell }_s\right]},S_2^{\prime }\right\}$ to the user.

(2)

$User\_Signcryption\left(ℳ,PP,{\left\{P{K}_{aid}\right\}}_{aid\in I_A^e},S{K}_{uid},C{T}^{\prime }\right)$. The user randomly picks $w\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$ and $\left\{r_1,r_2,\dots ,r_{{\ell }_e}\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$. Then the user computes ${\lambda }_i={\mathrm{M}}_e^i\overrightarrow{\epsilon }$ where $\overrightarrow{\epsilon }=\left(w,{\epsilon }_2,\dots ,{\epsilon }_{n_e}\right)\in {\mathbb{Z}}_p^{n_e}$. The algorithm computes the following terms:

$C_0=ℳ{\prod }_{k\in I_A^e}{\Delta }_k{}^w$, $C_1=g^w$, ${\left\{C_{2,i}^{″}={\lambda }_i-{\lambda }_i^{\prime },D_i^{″}=r_i-r_i^{\prime }\right\}}_{i\in \left[{\ell }_e\right]}$, $\pi =H_1\left(C_1\right)$, $C_3={\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^w$, ${\left\{S_{1,i}={\left(S_{1,i}^{\prime }\right)}^{1/z_{uid}}\right\}}_{i\in \left[{\ell }_s\right]}$, $H_2\left({\prod }_{i\in \left[{\ell }_s\right]}{S}_{1,i},tt,{ℛ}_s,{ℛ}_e\right)=\left(c_1,c_2,\dots ,c_l\right)\in {\left\{0,1\right\}}^l$, $H_3\left(C_0,C_1,C_3,{ℛ}_s,{ℛ}_e\right)=\beta$ and $S_2={\left(S_2^{\prime }\right)}^{1/z_{uid}}{\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^w{C}_3^{\beta }$.

The ciphertext is $CT=\left\{C_0,C_1,{\left\{C_{2,i}^{\prime },C_{2,i}^{″},D_i^{\prime },D_i^{″}\right\}}_{i\in \left[{\ell }_e\right]},{\left\{S_{1,i}\right\}}_{i\in \left[{\ell }_s\right]},S_2,tt\right\}$.

5.5. Data Designcryption

If the owner’s attributes satisfy the signing predicate implicitly contained in the ciphertext, then any party can successfully verify the ciphertext (public verifiability). If the receiver’s decryption attributes satisfy the encryption predicates embedded in the ciphertext, then the decryption phase can be launched to access the plaintext.

$DeSigncryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A^e},S{K}_{uid}\right)$. Assume that $thr{e}_{tt}$ is a predefined time threshold for designcryption and $\widetilde{tt}$ is the current time. If $\left|\widetilde{tt}-tt\right|>thr{e}_{tt}$ or ${ℛ}_e\left(\widetilde{U^d}\right)\ne 1$, the algorithm returns $\perp$. Otherwise, the algorithm performs as follows. Note that $I_A^s$ (resp. $I_A^e$) can be obtained from the implicitly contained predicate ${ℛ}_s$ (resp. ${ℛ}_e$).

$Verify\left(PP,CT\right)$. This verification algorithm can be performed in FD or other trusted third party since it only takes the ciphertext and public parameter $PP$ as the input.

The algorithm samples $\left\{{\tau }_2,{\tau }_3,\dots ,{\tau }_{n_s}\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$ and computes ${\varpi }_i=\left(1,{\tau }_2,{\tau }_3,\dots ,{\tau }_{n_s}\right)\cdot {\mathrm{M}}_s^i$, where $i\in \left[{\ell }_s\right]$. $H_1\left(C_1\right)=\pi$ and $H_2\left({\prod }_{i\in \left[{\ell }_s\right]}{S}_{1,i},tt,{ℛ}_s,{ℛ}_e\right)=\left(c_1,c_2,\dots ,c_l\right)$, and $H_3\left(C_0,C_1,C_3,{ℛ}_s,{ℛ}_e\right)=\beta$. Then the algorithm checks the validity of the ciphertext using the following equation:

${\prod }_{I_A^s}{\Delta }_k=\frac{e\left(S_2,g\right)}{e\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i},C_1\right)e\left({\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{\beta },C_1\right)\left({\prod }_{i=1}^{{\ell }_s}e\left(A_{{\rho }_s\left(i\right)}{V}_i{\theta }^{{\varpi }_i{N}_A^s},S_{1,i}\right)\right)}$, where $N_A^s=\left|I_A^s\right|$.

If it is invalid, return $\perp$, otherwise, proceed $Decryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}\right\}}_{k\in I_A^e},S{K}_{uid}\right)$ algorithm as follows:

• $PartialDecryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A^e}\right)$. If the user’s attributes satisfy the encryption predicate, the cloud server sends the ciphertext to the FD. FD chooses a set of constants $\overrightarrow{\sigma }=\left({\sigma }_1,{\sigma }_2,\dots ,{\sigma }_{{\ell }_e}\right)\in {\mathbb{Z}}_p^{{\ell }_e}$ such that ${\sum }_{i=1}^{{\ell }_e}{\sigma }_i{\mathrm{M}}_e^i=\overrightarrow{1}$, where ${\sigma }_i=0$ for all $i$ where ${\rho }_e\left(i\right)\notin \widetilde{U^d}$. Then it computes: $C{T}_x=\frac{{\prod }_{k\in I_A^e}e\left(K_{uid,k}^d,C_1\right)}{{\prod }_{k\in I_A^e}{\prod }_{i\in I_{A_k}}{\left[e\left(C_{2,i}^{\prime }{\theta }^{C_{2,i}^{″}}{A}_{{\rho }_e\left(i\right)}^{-D_i^{″}},g^{d_{uid}}\right)e\left(D_i^{\prime }{g}^{D_i^{″}},F_{uid,{\rho }_e\left(i\right)}^d\right)\right]}^{{\sigma }_i{N}_A^e}}$, where $I_{A_k}$ is defined as $I_{A_k}=\left\{i:{\rho }_e\left(i\right)\in \widetilde{A{A}_k}\right\}$. FD sends $C{T}^p=\left\{C_0,C{T}_x\right\}$ to the user.
• $FullDecryption\left(PP,C{T}^p,S{K}_{uid}\right)$. This algorithm is performed on the user side. After receiving $C{T}^p$, the data user recovers the message $ℳ$ as: $ℳ=\frac{C_0}{{\left(C{T}_x\right)}^{z_{uid}}}$.

Correctness

Assume the identity of signcryptor (data owner) is $do$. If $\left|\widetilde{tt}-tt\right|\le thr{e}_{tt}$ and ${ℛ}_e\left(\widetilde{U^d}\right)=1$, then the ciphertext can be verified and decrypted as explained subsequently.

$$\begin{array}{l}{S}_2={\left(S_2^{\prime }\right)}^{1/z_{do}}{\left(k_0{\displaystyle \prod _{i=1}^l}{k}_i{}^{b_i}\right)}^w{C}_3^{\beta }\\ =\left({\displaystyle \prod _{I_A^s}}{g}^{{\alpha }_k}{\theta }^{s_{do}^{″}}\right)\left({\displaystyle \prod _{i\in \left[{\ell }_s\right]}}{\left(A_{{\rho }_s\left(i\right)}^{s_{do}^{″}}{V}_i^{s_{do}^{″}}\right)}^{a_i}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{b_i}\right){\left(k_0{\displaystyle \prod _{i=1}^l}{k}_i{}^{c_i}\right)}^w{\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{w\beta }\\ =\left({\displaystyle \prod _{I_A^s}}{g}^{{\alpha }_k}\right){\theta }^{s_{do}^{″}{N}_A^s}\left({\displaystyle \prod _{i\in \left[{\ell }_s\right]}}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{do}^{″}+b_i}\right){\left(k_0{\displaystyle \prod _{i=1}^l}{k}_i{}^{c_i}\right)}^w{\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{w\beta }\end{array}$$

Since $\overrightarrow{a}\cdot {\mathrm{M}}_s=\overrightarrow{1}$ and ${\sum }_{i\in \left[{\ell }_s\right]}{b}_i{\mathrm{M}}_s^i=\overrightarrow{0}$, we have

${\sum }_{i=1}^{{\ell }_s}{\varpi }_i\left(s_{do}^{″}{a}_i+b_i\right)={\sum }_{i=1}^{{\ell }_s}\left(1,{\tau }_2,{\tau }_3,\dots ,{\tau }_{n_s}\right)\cdot {\mathrm{M}}_s^i\left(s_{do}^{″}{a}_i+b_i\right)=\left(1,{\tau }_2,{\tau }_3,\dots ,{\tau }_{n_s}\right)s_{do}^{″}{\sum }_{i=1}^{{\ell }_s}{\mathrm{M}}_s^i{a}_i+\left(1,{\tau }_2,{\tau }_3,\dots ,{\tau }_{n_s}\right){\sum }_{i=1}^{{\ell }_s}{\mathrm{M}}_s^i{b}_i=s_{do}^{″}$. Thus we have

$$\begin{array}{l}\frac{e\left(S_2,g\right)}{e\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i},C_1\right)e\left({\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{\beta },C_1\right)\left({\prod }_{i=1}^{{\ell }_s}e\left(A_{{\rho }_s\left(i\right)}{V}_i{\theta }^{{\varpi }_i{N}_A^s},S_{1,i}\right)\right)}\\ =\frac{e(\left(\prod _{I_A^s}{g}^{{\alpha }_k}\right){\theta }^{s_{do}^{″}{N}_A^s}\left(\prod _{i\in \left[{\ell }_s\right]}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{do}^{″}+b_i}\right){\left(k_0\prod _{i=1}^l{k}_i{}^{c_i}\right)}^w{\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{w\beta },g)}{e\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i},g^w\right)e\left({\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{\beta },g^w\right)\left({\prod }_{i=1}^{{\ell }_s}e\left(A_{{\rho }_s\left(i\right)}{V}_i,g^{a_i{s}_{do}^{″}+b_i}\right)\right){\left({\prod }_{i=1}^{{\ell }_s}e\left({\theta }^{{\varpi }_i},g^{a_i{s}_{do}^{″}+b_i}\right)\right)}^{N_A^s}}\\ =\frac{e\left(\left({\prod }_{I_A^s}{g}^{{\alpha }_k}\right){\theta }^{s_{do}^{″}{N}_A^s},g\right)}{{\left(e{\left(\theta ,g\right)}^{s_{do}^{″}}\right)}^{N_A^s}}={\displaystyle \prod _{I_A^s}}{\Delta }_k\end{array}$$

This demonstrates the correctness of $Verify$ algorithm. Assume the identity of designcryptor (data user) is $uid$. If ${\sum }_{i=1}^{{\ell }_e}{\sigma }_i{\lambda }_i=w$, then

$$\begin{array}{l}{\displaystyle \prod _{k\in I_A^e}\prod _{i\in I_{A_k}}}{\left[e\left(C_{2,i}^{\prime }{\theta }^{C_{2,i}^{″}}{A}_{{\rho }_e\left(i\right)}^{-D_i^{″}},g^{d_{uid}}\right)e\left(D_i^{\prime }{g}^{D_i^{″}},F_{uid,{\rho }_e\left(i\right)}^d\right)\right]}^{{\sigma }_i{N}_A^e}\\ ={\displaystyle \prod _{k\in I_A^e}\prod _{i\in I_{A_k}}}{\left[e\left({\theta }^{{\lambda }_i}{A}_{{\rho }_e\left(i\right)}^{-r_i},g^{d_{uid}}\right)e\left(g^{r_i},F_{uid,{\rho }_e\left(i\right)}^d\right)\right]}^{{\sigma }_i{N}_A^e}\\ ={\displaystyle \prod _{k\in I_A^e}\prod _{i\in I_{A_k}}}{\left[e\left({\theta }^{{\lambda }_i},g^{d_{uid}}\right)\right]}^{{\sigma }_i{N}_A^e}=e{\left(\theta ,g\right)}^{w{N}_A^e{d}_{uid}}\end{array}$$

Hence $C{T}_x=\frac{{\prod }_{k\in I_A}e\left(K_{uid,k}^d,C_1\right)}{{\prod }_{k\in I_A^e}{\prod }_{i\in I_{A_k}}{\left[e\left(C_{2,i}^{\prime }{\theta }^{C_{2,i}^{″}}{A}_{{\rho }_e\left(i\right)}^{-D_i^{″}},g^{d_{uid}}\right)e\left(D_i^{\prime }{g}^{D_i^{″}},F_{uid,{\rho }_e\left(i\right)}^d\right)\right]}^{{\sigma }_i{N}_A^e}}=\frac{{\prod }_{k\in I_A^e}e\left(g^{{\alpha }_k/z_{uid}}{\theta }^{d_{uid}},g^w\right)}{e{\left(\theta ,g\right)}^{w{N}_A^e{d}_{uid}}}={\prod }_{k\in I_A^e}e{\left(g^{{\alpha }_k},g\right)}^{w/z_{uid}}={\prod }_{k\in I_A^e}{\Delta }_k{}^{w/z_{uid}}$ and $\frac{C_0}{{\left(C{T}_x\right)}^{z_{uid}}}=\frac{ℳ{\prod }_{k\in I_A^e}{\Delta }_k{}^w}{{\prod }_{k\in I_A^e}{\Delta }_k{}^w}=ℳ$. This exhibits the correctness of $Decryption$ algorithm.

5.6. Attribute Revocation

Suppose the attribute $x$ of user $U$ is revoked from $A{A}_k$.

$UpSecretKeyGen\left(P{K}_{uid},S{K}_k,S{K}_{uid,k}\right)$. $A{A}_k$ randomly chooses a new attribute version key ${\phi }_x^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and computes the updated attribute public key $A_x^{\prime }=g^{{\phi }_x^{\prime }}$. $A{A}_j$ sets $dU{K}_{uid,x}=g^{d_{uid}\left({\phi }_x^{\prime }-{\phi }_x\right)},sU{K}_{uid,x}=g^{s_{uid}\left({\phi }_x^{\prime }-{\phi }_x\right)}$ for the non-revoked users to update their secret decryption and signing keys.

If there exists $i$ such that ${\rho }_e\left(i\right)=x$, namely the attribute $x$ of $A{A}_k$ is selected as the encryption attribute, then $A{A}_k$ queries $D_i^{\prime }$ where ${\rho }_e\left(i\right)=x$. Then it computes $cUK={\left\{cU{K}_i={\left(D_i^{\prime }\right)}^{{\phi }_x-{\phi }_x^{\prime }}\right\}}_{{\rho }_e\left(i\right)=x}$, and sets $sgUK=\perp$.

Otherwise, if $x$ is selected as the signing attribute, $A{A}_k$ sets $cUK=\perp$ and $sgUK={\prod }_{i=1}^{ℒ}{S}_{1,i}{}^{{\phi }_x^{\prime }-{\phi }_x}$, where $ℒ$ is the set consisting of all the rows that ${\rho }_s\left(i\right)=x$.

$A{A}_k$ sends ciphertext update keys $cUK,sUK$ to the cloud server to update the corresponding ciphertext.

$UpSecretKey\left(S{K}_{uid,k},sU{K}_{uid,x},dU{K}_{uid,x}\right)$. Upon receiving the update keys $sU{K}_{uid,x}$ and $dU{K}_{uid,x}$, the non-revoked user $U_{uid}\ne U$ then update his/her secret signing key or decryption key as follows:

If $x\in \widetilde{U^s}$, $F_{uid,x}^s{}^{\prime }=F_{uid,x}^{s}sU{K}_{uid,x}={\left(A_x^{\prime }\right)}^{s_{uid}}$.

If $x\in \widetilde{U^d}$, $F_{uid,x}^d{}^{\prime }=F_{uid,x}^{d}dU{K}_{uid,x}={\left(A_x^{\prime }\right)}^{d_{uid}}$.

$UpCiphertext\left(CT,cUK,sUK\right)$. Upon receiving $cUK,sUK$, the cloud server updates the ciphertext to contain the latest attribute version key as follows:

If $cUK={\left\{cU{K}_i={\left(D_i^{\prime }\right)}^{{\phi }_x-{\phi }_x^{\prime }}\right\}}_{{\rho }_e\left(i\right)=x}$ and $sgUK=\perp$, the server randomly chooses ${\left\{r_i^{″}\in {\mathbb{Z}}_p\right\}}_{{\rho }_e\left(i\right)=x}$ and computes $C_{2,i}^{\prime }=C_{2,i}^{\prime }cU{K}_i{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-r_i^{″}}={\theta }^{{\lambda }_i^{\prime }}{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-\left(r_i^{\prime }+r_i^{″}\right)}$.

$D_i^{\prime }=D_i^{\prime }{g}^{r_i^{″}}=g^{r_i^{\prime }+r_i^{″}}$, where ${\rho }_e\left(i\right)=x$.

Otherwise, the cloud server updates the signature component $S_2$ as: $S_2=S_{2}sgUK=\left({\prod }_{I_A^s}{g}^{{\alpha }_k}{\theta }^{s_{do}^{″}}\right)\left({\prod }_{i\in \left[{\ell }_s\right]}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{do}^{″}+b_i}\right){\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^w{C}_3^{\beta }sgUK=\left({\prod }_{I_A^s}{g}^{{\alpha }_k}{\theta }^{s_{do}^{″}}\right)\left({\prod }_{i\in \left[{\ell }_s\right]\backslash ℒ}{\left(A_{{\rho }_s\left(i\right)}\right)}^{a_i{s}_{do}^{″}+b_i}\right)\left({\prod }_{i\in ℒ}{\left(A_{{\rho }_s\left(i\right)}^{\prime }\right)}^{a_i{s}_{do}^{″}+b_i}\right)\left({\prod }_{i\in \left[{\ell }_s\right]}{V}_i^{a_i{s}_{do}^{″}+b_i}\right){\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^w{C}_3^{\beta }$

Correctness of Attribute Revocation.

By running $UpSecretKey\left(S{K}_{uid,k},sU{K}_{uid,x},dU{K}_{uid,x}\right)$, the secret signing and decryption keys of non-revoked user $U_{uid}$ are associated with the new attribute version key ${\phi }_x^{\prime }$, which is the same as the updated ciphertext components ${\left\{C_{2,i}^{\prime }={\theta }^{{\lambda }_i^{\prime }}{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-\left(r_i^{\prime }+r_i^{″}\right)}\right\}}_{{\rho }_e\left(i\right)=x}$ or $S_2=\left({\prod }_{I_A^s}{g}^{{\alpha }_k}{\theta }^{s_{do}^{″}}\right)\left({\prod }_{i\in \left[{\ell }_s\right]ℒ}{\left(A_{{\rho }_s\left(i\right)}\right)}^{a_i{s}_{do}^{″}+b_i}\right)\left({\prod }_{i\in ℒ}{\left(A_{{\rho }_s\left(i\right)}^{\prime }\right)}^{a_i{s}_{do}^{″}+b_i}\right)\left({\prod }_{i\in \left[{\ell }_s\right]}{V}_i^{a_i{s}_{do}^{″}+b_i}\right){\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^w{C}_3^{\beta }$.

For verification, since the updated signature component $S_2$ is associated with $A_{{\rho }_s\left(i\right)}^{\prime }$ for $i$ such that ${\rho }_s\left(i\right)=x$, we have $\frac{e\left(S_2,g\right)}{e\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i},C_1\right)e\left({\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{\beta },C_1\right)\left({\prod }_{i\in \left[{\ell }_s\right]ℒ}e\left(A_{{\rho }_s\left(i\right)},S_{1,i}\right)\right)\left({\prod }_{i\in ℒ}e\left(A_{{\rho }_s\left(i\right)}^{\prime },S_{1,i}\right)\right)\left({\prod }_{i\in \left[{\ell }_s\right]}e\left(V_i{\theta }^{{\varpi }_i{N}_A^s},S_{1,i}\right)\right)}={\prod }_{I_A^s}{\Delta }_k$, which exhibits the correctness of $Verify$ algorithm.

Additionally, the operations $C_{2,i}^{\prime }=C_{2,i}^{\prime }cU{K}_i{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-r_i^{″}}$ and $D_i^{\prime }=D_i^{\prime }{g}^{r_i^{″}}=g^{r_i^{\prime }+r_i^{″}}$ are equivalent to assigning a new random number $r_i^{\prime }+r_i^{″}$ to the corresponding components of ciphertext. Then in $PartialDecryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A^e}\right)$ algorithm, we have $e\left(C_{2,i}^{\prime }{\theta }^{C_{2,i}^{″}}{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-D_i^{″}},g^{d_{uid}}\right)e\left(D_i^{\prime }{g}^{D_i^{″}},F_{uid,{\rho }_e\left(i\right)}^d\right)=e\left({\theta }^{{\lambda }_i}{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-r_i-r_i^{″}},g^{d_{uid}}\right)e\left(g^{r_i+r_i^{″}},{\left(A_{{\rho }_e\left(i\right)}^{\prime }\right)}^{d_{uid}}\right)=e\left({\theta }^{{\lambda }_i},g^{d_{uid}}\right)$ for $i$ such that ${\rho }_e\left(i\right)=x$, which exhibits the correctness of $Decryption$ algorithm.

6. Security Analysis

In this section, we state the security of our OMDAC-ABSC scheme in the following theorems. In Theorems 1 and 2, we prove the message confidentiality and ciphertext unforgeability of our scheme respectively. In Theorem 3 we demonstrate the signcryptor privacy. Then in Theorems 4 and 5, we analyze the collusion resistance and revocation security.

Throughout this section, assume $T^e$ is the cost time for one exponentiation in group $\mathbb{G}$ or ${\mathbb{G}}_T$, and $T^p$ is the cost time for one pairing operation. ${\ell }_{e,m},n_{e,m},{\ell }_{s,m},n_{s,m}$ are the maximum values of $\left\{{\ell }_e,n_e,{\ell }_s,n_s\right\}$. Suppose that the Hash functions $H_1,H_2,H_3$ are collision resistant.

6.1. Message Confidentiality

Based on the security model defined in Definition 8 and Theorem 1, we can prove that our proposed scheme guarantees the message confidentiality under the hardness of the q-PBDHE assumption.

Theorem 1.

If an adversary $\mathcal{A}$ can break $\left(T,q_{sk},q_{psk},q_{SC},q_{DS},ϵ\right)$-IND-sEP-CCA2 security of our scheme, then there is an algorithm $ℬ$ that can solve the q-PBDHE assumption with an advantage ${ϵ}^{\prime }=\frac{1}{2}ϵ-\frac{q_{DS}}{p}$ in a time $T^{\prime }=T+O\left({\ell }_{e,m}{n}_{e,m}{u}_m+\left(n_{e,m}+\left|\tilde{U}\right|{\ell }_{e,m}{n}_{e,m}^2\right)q_{sk}+\left(\left|\tilde{U}\right|+{\ell }_{s,m}\right)q_{psk}+\left(\left|\tilde{U}\right|+l+{\ell }_{s,m}+{\ell }_{e,m}\right)q_{SC}+q_{DS}\right)T^e+O\left(q_{DS}\right)T^p$.

Proof. 

Assume $\mathcal{A}$ can $\left(T,q_{sk},q_{psk},q_{SC},q_{DS},ϵ\right)$ break our scheme, we will construct the algorithm $ℬ$ as follows: $ℬ$ is given with the q-PBDHE challenge instance $\overrightarrow{\mathcal{Y}}$. The challenger $\mathcal{C}$ runs $\mathcal{G}\mathcal{G}\left(1^k\right)\to \left(e,p,\mathbb{G},{\mathbb{G}}_T\right)$ to generate the bilinear group and chooses $𝒷\in \left\{0,1\right\}$. If $𝒷=0$, $\mathcal{C}$ sends $\left(\overrightarrow{\mathcal{Y}},\Omega =e{\left(g,g\right)}^{a^{q+1}w}\right)$ to $ℬ$; otherwise it sends $\left(\overrightarrow{\mathcal{Y}},\Omega \stackrel{R}{\leftarrow }{\mathbb{G}}_T\right)$ to $ℬ$.

$Init$. The same as defined in Definition 8. Assume ${ℛ}_e^{*}=\left({\mathrm{M}}_e^{*},{\rho }_e^{*}\right)$ is the challenge encryption access structure over all the attributes selected from the set of authorities $I_A^{*e}$. Assume ${\mathrm{M}}_e^{*}$ is a ${\ell }_e^{*}\times n_e^{*}$ matrix and $n_e^{*}\le q$.

$Setup$. The adversary chooses a set $S_A^{\prime }\subset S_A$ consisting of the corrupted authorities, and sends $S_A^{\prime }$ to the simulator $ℬ$. For each uncorrupted authority $A{A}_k\in S_A-S_A^{\prime }$, $ℬ$ randomly chooses ${\alpha }_k^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and implicitly sets ${\alpha }_k={\alpha }_k^{\prime }+a^{q+1}$. $ℬ$ publishes ${\Delta }_k=e{\left(g,g\right)}^{{\alpha }_k}=e\left(g^a,g^{a^q}\right)e{\left(g,g\right)}^{{\alpha }_k^{\prime }}$.

Let $\psi \stackrel{R}{\leftarrow }{\mathbb{Z}}_p,\theta =g^a,\left\{{𝓀}_0,{𝓀}_1,\dots ,{𝓀}_l\right\},\left\{v_1,v_2\dots ,v_{{\ell }_{s,m}}\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p,{\left\{k_i=g^{{𝓀}_i}\right\}}_{i\in \left[l\right]},{\left\{V_i=g^{v_i}\right\}}_{i\in \left[{\ell }_{s,m}\right]}$. ${\gamma }_1=g^{\psi }{\left(g^{a^q}\right)}^{-1},{\gamma }_2={\left(g^{a^q}\right)}^{\frac{1}{{\pi }^{*}}}$, where ${\pi }^{*}=H_1\left(g^w\right)$.

$ℬ$ sends $PP=\left\{e,p,\mathbb{G},{\mathbb{G}}_T,g,\theta ,{\gamma }_1,{\gamma }_2,\left\{k_0,k_1,\dots ,k_l\right\},\left\{V_1,V_2\dots ,V_{{\ell }_{s,m}}\right\},H_1,H_2,H_3\right\}$ to $\mathcal{A}$. $ℬ$ initializes the empty list $L_{sk}$.

For the authority $A{A}_k\in S_A-S_A^{\prime }$, $ℬ$ chooses ${\beta }_k,{\gamma }_k\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and sets $X_k=g^{1/{\beta }_k},Y_k={\theta }^{1/{\beta }_k},Z_k={\theta }^{1/{\gamma }_k}$. Let $\mathcal{X}$ be the set consisting of the indexes $i\in \left[{\ell }_e^{*}\right]$ with ${\rho }_e^{*}\left(i\right)=x\in \widetilde{A{A}_k}$. For the attribute $x$ where $\mathcal{X}\ne \varnothing$, $ℬ$ chooses ${\phi }_x\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and computes $A_x=g^{{\phi }_x}{\prod }_{i\in \mathcal{X}}{\prod }_{k\in \left[n_e^{*}\right]}{g}^{\frac{a^k{\mathrm{M}}_e^{*\left(i,k\right)}}{b_i}}$, where ${\mathrm{M}}_e^{*\left(i,k\right)}$ is the $\left(i,k\right)$th element of ${\mathrm{M}}_e^{*}$. If $\mathcal{X}=\varnothing$, $ℬ$ chooses ${\phi }_x\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and computes $A_x=g^{{\phi }_x}$. This assignment describes that $A_x=g^{{\phi }_x}$ for each signing attribute as the signing attributes are different from encryption attributes. $ℬ$ sends $P{K}_k=\left\{X_k,Y_k,Z_k,{\left\{A_x\right\}}_{x\in \widetilde{A{A}_k}}\right\}$ to $\mathcal{A}$. For the authority $A{A}_k\in S_A^{\prime }$, $ℬ$ generates the public keys and secret keys of $A{A}_k$ as in the real scheme and sends both the public keys and secret keys to $\mathcal{A}$.

Phase 1.

$SecretKey query {\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$. $\mathcal{A}$ adaptively queries the secret keys for the attribute set $\tilde{U}=\widetilde{U^d}\cup \widetilde{U^s}$ with identity $\mathrm{uid}$ to the authority $A{A}_k$. $\widetilde{U^d}$ does not satisfy ${ℛ}_e^{*}$ together with any keys that can be obtained from corrupted authorities.

$ℬ$ checks the list $L_{sk}$ that whether the entry $\left(uid,\tilde{U},P{K}_{uid},S{K}_{uid},P{K}_{uid,k}, S{K}_{uid,k}\right)$ exists. If it does, $ℬ$ sends $S{K}_{uid}$ and $S{K}_{uid,k}$ to the adversary and publishes the public key $P{K}_{uid}$ and $P{K}_{uid,k}$.

(1)

Otherwise, $ℬ$ randomly picks $d_{uid}^{\prime },s_{uid}^{\prime },z_{uid}$ from ${\mathbb{Z}}_p^{*}$ and chooses a vector $\overrightarrow{f}=\left(f_1,f_2,\dots ,f_{n_e^{*}}\right)\in {\mathbb{Z}}_p^{n_e^{*}}$ such that $f=-1$ and $\overrightarrow{f}{\mathrm{M}}_e^{*i}=0$ for all ${\rho }_e^{*}\left(i\right)\in \widetilde{U^d}$ since ${ℛ}_e^{*}\left(\widetilde{U^d}\right)=0$. $ℬ$ sets $g^{d_{uid}}=g^{d_{uid}^{\prime }}{\prod }_{i=1}^{n_e^{*}}{g}^{\left(f_i{a}^{q-i+1}\right)/z_{uid}}$, $g^{s_{uid}}=g^{s_{uid}^{\prime }}{g}^{-a^q}$, and computes $g^{1/z_{uid}},{\theta }^{z_{uid}},g^{z_{uid}},{\left\{g^{s_{uid}{v}_i}\right\}}_{i\in \left[{\ell }_{s,m}\right]}$ as the public key $P{K}_{uid}$. Then $ℬ$ computes

$P{K}_{uid,k}=\left\{P{K}_{uid,k}^1=g^{1/\left({\gamma }_k{z}_{uid}\right)},P{K}_{uid,k}^2=g^{{\alpha }_k/\left({\gamma }_k{z}_{uid}\right)}{\theta }^{d_{uid}/{\gamma }_k}={\left(g^{\frac{{\alpha }_k^{\prime }}{z_{uid}}}{g}^{a{d}_{uid}^{\prime }}{g}^{\sum _2^{n_e^{*}}{f}_i{a}^{q-i+2}/z_{uid}}\right)}^{\frac{1}{{\gamma }_k}},P{K}_{uid,k}^3=g^{{\alpha }_k/{\beta }_k}{\theta }^{s_{uid}/{\beta }_k}={\left(g^{{\alpha }_k^{\prime }}{g}^{a{s}_{uid}^{\prime }}\right)}^{\frac{1}{{\beta }_k}}\right\}$, and sets $S{K}_{uid,k}$ as $K_{uid,k}^d={\left(P{K}_{uid,k}^2\right)}^{{\gamma }_k}=g^{\frac{{\alpha }_k^{\prime }}{z_{uid}}}{g}^{a{d}_{uid}^{\prime }}{g}^{{\sum }_2^{n_e^{*}}{f}_i{a}^{q-i+2}/z_{uid}},K_{uid,k}^s={\left(P{K}_{uid,k}^3\right)}^{{\beta }_k}=g^{{\alpha }_k^{\prime }}{g}^{a{s}_{uid}^{\prime }},{\left\{F_{uid,x}^s={\left(g^{s_{uid}^{\prime }}{g}^{-a^q}\right)}^{{\phi }_x}\right\}}_{x\in \widetilde{U^s}\cap \widetilde{A{A}_k}}$. For the attribute $x\in \widetilde{U^d}\cap \widetilde{A{A}_k}$ such that $\mathcal{X}=\varnothing$, $ℬ$ computes $F_{uid,x}^d={\left(g^{d_{uid}}\right)}^{{\phi }_x}$. Otherwise, $F_{uid,x}^d=g^{d_{uid}{\phi }_x}{\prod }_{i\in \mathcal{X}}{\prod }_{k\in \left[n_e^{*}\right]}{\left(g^{\frac{d_{uid}^{\prime }{a}^k}{b_i}}{\prod }_{j=1,k\ne j}^{n_e^{*}}{g}^{\frac{f_j{a}^{q+k-j+1}}{z_{uid}{b}_i}}\right)}^{{\mathrm{M}}_e^{*\left(i,k\right)}}$. $ℬ$ sends $S{K}_{uid}=z_{uid}$ and $S{K}_{uid,k}$ to the adversary and publishes the public key $P{K}_{uid}$ and $P{K}_{uid,k}$. $ℬ$ inserts $\left(uid,\tilde{U},P{K}_{uid},S{K}_{uid},P{K}_{uid,k}, S{K}_{uid,k}\right)$ into $L_{sk}$.

$ProxySecretKeyquery{\mathcal{O}}^{psk}\left(\tilde{U},A{A}_k,uid\right)$. $ℬ$ checks the list $L_{sk}$ that whether the entry $\left(uid,\tilde{U},P{K}_{uid},S{K}_{uid},P{K}_{uid,k},S{K}_{uid,k}\right)$ exists. If it does not exist, $ℬ$ issues ${\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$ query to compute $S{K}_{uid}$ and $S{K}_{uid,k}$, and then runs $PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,k}\right)$ and returns $PS{K}_{uid,k}$ to $\mathcal{A}$. Otherwise, $ℬ$ directly performs $PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,k}\right)$ and returns $PS{K}_{uid,k}$ to $\mathcal{A}$.

$Signcryptionquery{\mathcal{O}}^{SC}\left(ℳ,{ℛ}_s,{ℛ}_e\right)$. $\mathcal{A}$ submits a message $ℳ\in {\mathbb{G}}_T$, signing and encryption predicts ${ℛ}_s=\left({\mathrm{M}}_s,{\rho }_s\right),{ℛ}_e=\left({\mathrm{M}}_e,{\rho }_e\right)$. $ℬ$ selects a signing attribute set $\widetilde{U^s}$ such that ${ℛ}_s\left(\widetilde{U^s}\right)=1$. For each $k\in I_A^s$, $ℬ$ computes the secret signing key $S{K}_{uid,k}^s$ and $P{K}_{uid},S{K}_{uid}$ from ${\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$, and $PS{K}_{uid,k}^s\leftarrow PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,k}^s\right)$, where $uid$ is an arbitrary identity. Then $ℬ$ returns the ciphertext $CT\leftarrow Signcryption\left(ℳ,PP,{\left\{PS{K}_{uid,k}^s\right\}}_{k\in I_A^s},P{K}_{uid},{\left\{P{K}_k\right\}}_{k\in I_A^e},S{K}_{uid},{ℛ}_s,{ℛ}_e\right)$ to $\mathcal{A}$.

$DeSigncryptionquery{\mathcal{O}}^{DS}\left(CT,\widetilde{U^d}\right)$. If $\left|tt-\overline{tt}\right|>thr{e}_{tt}$ or ${ℛ}_e\left(\widetilde{U^d}\right)=0$, then $ℬ$ returns $\perp$. If $C_1=g^s$, $ℬ$ aborts. If $Verify$ algorithm is invalid, $ℬ$ returns $\perp$.Otherwise, $ℬ$ carries out the following steps.

Assume the encryption predicate contained in $CT$ is ${ℛ}_e$ and $I_A^e$ is the set which consists of the indexes of the authorities whose attributes are associated with rows of ${\mathrm{M}}_e$.

If $\widetilde{U^d}$ does not satisfy the challenge encryption predicate ${ℛ}_e^{*}$, then $ℬ$ can obtain $S{K}_{uid}$ and secret decryption key $S{K}_{uid,k}^d$ from ${\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$, and $PS{K}_{uid,k}^d\leftarrow PxSecretKeyGen\left(S{K}_{uid},S{K}_{uid,k}^d\right)$. $ℬ$ returns the output of $DeSigncryption\left(PP,CT,P{K}_{uid},{\left\{PS{K}_{uid,k}^d\right\}}_{k\in I_A},S{K}_{uid}\right)$ to $\mathcal{A}$.

Otherwise, if ${ℛ}_e^{*}\left(\widetilde{U^d}\right)=1$, assume $\pi =H_1\left(C_1=g^{w_1}\right)$, where $w_1$ is the secret value chosen to generate $CT$ in signcryption phase. Then for $k\in I_A^e$, $ℬ$ compute $e\left(g^{{\alpha }_k^{\prime }},C_1\right)e{\left(\frac{C_3}{C_1^{\psi }},g^a\right)}^{{\left(\frac{\pi }{{\pi }^{*}}-1\right)}^{-1}}=e\left(g^{{\alpha }_k^{\prime }},g^{w_1}\right)e{\left(\frac{{\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{w_1}}{g^{s_x\psi }},g^a\right)}^{{\left(\frac{\pi }{{\pi }^{*}}-1\right)}^{-1}}=e\left(g^{{\alpha }_k^{\prime }},g^{w_1}\right)e{\left(\frac{{\left(g^{\psi }{\left(g^{a^q}\right)}^{-1}{\left(g^{a^q}\right)}^{\frac{\pi }{{\pi }^{*}}}\right)}^{w_1}}{g^{w_1\psi }},g^a\right)}^{{\left(\frac{{\pi }_j}{{\pi }^{*}}-1\right)}^{-1}}=e\left(g^{{\alpha }_k^{\prime }},g^{w_1}\right)e\left(g^{a^q},g^{a{w}_1}\right)={\Delta }_k^{w_1}$. Thus $ℬ$ can return $ℳ=\frac{C_0}{{\prod }_{k\in I_A^e}{\Delta }_k^{w_1}}$ to $\mathcal{A}$.

$Challenge$. $\mathcal{A}$ submits two messages ${ℳ}_0,{ℳ}_1$ with the same length and signing predicate ${ℛ}_s^{*}=\left({\mathrm{M}}_s^{*},{\rho }_s^{*}\right)$ to $ℬ$. Assume $I_A^{*s}$ is the set which consists of the indexes of the authorities whose attributes are associated with rows of ${\mathrm{M}}_s^{*}$ and ${\mathrm{M}}_s^{*}$ is a ${\ell }_s^{*}\times n_s^{*}$ matrix. $ℬ$ chooses $\widehat{𝒷}\in \left\{0,1\right\}$. $ℬ$ selects a signing attribute set $\widetilde{U^s}$ satisfying ${ℛ}_s^{*}\left(\widetilde{U^s}\right)=1$ and an arbitrary identity $ui{d}_{\mathcal{A}}$.

Let $\overrightarrow{a}=\left(a_1,a_2,\dots ,a_{{\ell }_s^{*}}\right)\in {\mathbb{Z}}_p^{{\ell }_s^{*}}$ such that $\overrightarrow{a}\cdot {\mathrm{M}}_s^{*}=\overrightarrow{1}$, $\overrightarrow{b}=\left(b_1,b_2,\dots ,b_{{\ell }_s^{*}}\right)\in {\mathbb{Z}}_p^{{\ell }_s^{*}}$ such that ${\sum }_{i\in \left[{\ell }_s^{*}\right]}{b}_i{\mathrm{M}}_s^{*i}=\overrightarrow{0}$. Implicitly set $s_{ui{d}_{\mathcal{A}}}=s_{ui{d}_{\mathcal{A}}}^{″}-a^q$. Then compute the challenge ciphertext as follows:

Let $\overrightarrow{\epsilon }=\left(w,wa+{\epsilon }_2,\dots ,s{a}^{n_e^{*}-1}+{\epsilon }_{n_e^{*}}\right)\in {\mathbb{Z}}_p^{n_e^{*}}$ and implicitly sets $r_i=r_i^{\prime }+w{b}_i$ for all $i\in \left[{\ell }_e^{*}\right]$. Select $\left\{r_1^{″},r_2^{″},\dots ,r_{{\ell }_e^{*}}^{″}\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, $\left\{{\lambda }_1^{\prime },{\lambda }_2^{\prime },\dots ,{\lambda }_{{\ell }_e^{*}}^{\prime }\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$.

$C_0={ℳ}_{\widehat{𝒷}}{\prod }_{k\in I_A^{*e}}\Omega e{\left(g^w,g\right)}^{{\alpha }_k^{\prime }}$, $C_1=g^w$.

$C_{2,i}^{\prime }=g^{a\left({\lambda }_i-{\lambda }_i^{\prime }\right)}{A}_{{\rho }_e^{*}\left(i\right)}{}^{-\left(r_i-r_i^{″}\right)}=A_{{\rho }_e^{*}\left(i\right)}{}^{-\left(r_i^{\prime }-r_i^{″}\right)}{g}^{-w{b}_i{\phi }_{{\rho }_e^{*}\left(i\right)}}{g}^{-a{\lambda }_i^{\prime }}{\prod }_{k=2}^{n_e^{*}}{g}^{a{\epsilon }_k{\mathrm{M}}_e^{*\left(i,k\right)}}{\prod }_{l\in \mathcal{X}\backslash i}{\prod }_{k\in \left[n_e^{*}\right]}{g}^{\frac{-w{a}^k{b}_i{\mathrm{M}}_e^{*\left(l,k\right)}}{b_l}}$, $C_{2,i}^{″}={\lambda }_i^{\prime }$.

$D_i^{\prime }=g^{r_i-r_i^{″}}=g^{r_i^{\prime }-r_i^{″}}{g}^{w{b}_i}$, $D_i^{″}=r_i^{″}$. $C_3=g^{\psi w}$.

$S_{1,i}=g^{a_i{s}_{ui{d}_{\mathcal{A}}}+b_i}=g^{a_i\left(s_{ui{d}_{\mathcal{A}}}^{″}-a^q\right)+b_i}$,

$S_2=\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k^{\prime }}{g}^{a{s}_{ui{d}_{\mathcal{A}}}^{″}}\right)\left({\prod }_{i\in \left[{\ell }_s\right]}{\left(g^{{\phi }_{{\rho }_s^{*}\left(i\right)}+v_i}\right)}^{a_i\left(s_{ui{d}_{\mathcal{A}}}^{″}-a^q\right)+b_i}\right){\left(g^w\right)}^{{𝓀}_0+{\sum }_{i=1}^l{𝓀}_i{c}_i+\psi {\beta }^{*}}$, where $H_2\left({\prod }_{i\in \left[{\ell }_s\right]}{S}_{1,i},tt,{ℛ}_s,{ℛ}_e\right)=\left(c_1,c_2,\dots ,c_l\right)$ and $H_3\left(C_0,C_1,C_3,{ℛ}_s,{ℛ}_e\right)={\beta }^{*}$.

Finally, $ℬ$ sends the challenge ciphertext $C{T}^{*}=\left\{C_0,C_1,{\left\{C_{2,i}^{\prime },C_{2,i}^{″},D_i^{\prime },D_i^{″}\right\}}_{i\in \left[{\ell }_e^{*}\right]},{\left\{S_{1,i}\right\}}_{i\in \left[{\ell }_s^{*}\right]},S_2,tt\right\}$ to $\mathcal{A}$.

Phase 2. Phase 1 is repeated. In this phase, $\mathcal{A}$ cannot issue $DeSigncryption query$ with the challenge ciphertext $C{T}^{*}$ and attribute set $\widetilde{U_d}$ such that ${ℛ}_e^{*}\left(\widetilde{U^d} \right)=1$.

$Guess$. $\mathcal{A}$ outputs his guess $\widetilde{𝒷}$ on $\widehat{𝒷}$. If $\widetilde{𝒷}=\widehat{𝒷}$, $ℬ$ outputs 0 and guess that $\Omega =e{\left(g,g\right)}^{a^{q+1}w}$; otherwise, $ℬ$ outputs 1 to indicate that $\Omega$ is a random element in ${\mathbb{G}}_{\mathrm{T}}$.

If $\mathcal{A}$ issues $DeSigncryption query$ with the ciphertext satisfying $C_1=g^w$, then the simulation aborts. The probability is at most $\frac{q_{DS}}{p}$. If $𝒷=0$, $\Omega =e{\left(g,g\right)}^{a^{q+1}w}$ and $ℬ$ does not abort, then $C{T}^{*}$ is a valid ciphertext of ${ℳ}_0$. In this case, we have $Pr\left[\widetilde{𝒷}=\widehat{𝒷}|𝒷=0\right]>\frac{1}{2}+ϵ-\frac{q_{DS}}{p}$. If $\Omega$ is a random element in ${\mathbb{G}}_T$, then $C_0$ is a random element and $\mathcal{A}$ cannot obtain ${ℳ}_{\widehat{𝒷}}$, namely the advantage in this case is $Pr\left[\widetilde{𝒷}\ne \widehat{𝒷}|𝒷=1\right]=\frac{1}{2}$. Therefore, the advantage of $ℬ$ which can break the q-PBDHE assumption is at least $\frac{1}{2}ϵ-\frac{q_{DS}}{p}$. The runtime of $ℬ$ is at most $T^{\prime }=T+O\left({\ell }_{e,m}{n}_{e,m}{u}_m+\left(n_{e,m}+\left|\tilde{U}\right|{\ell }_{e,m}{n}_{e,m}^2\right)q_{sk}+\left(\left|\tilde{U}\right|+{\ell }_{s,m}\right)q_{psk}+\left(\left|\tilde{U}\right|+l+{\ell }_{s,m}+{\ell }_{e,m}\right)q_{SC}+q_{DS}\right)T^e+O\left(q_{DS}\right)T^p$. □

6.2. Ciphertext Unforgeability

Based on the security model defined in Definition 9 and Theorem 2, we can prove that our proposed scheme guarantees the ciphertext unforgeability under the hardness of the q-PBDHE assumption.

Theorem 2.

If an adversary $\mathcal{A}$ can break $\left(T,q_{sk},q_{psk},q_{SC},q_{DS},ϵ\right)$-EUF-sSP-CMA security of our scheme, then there is an algorithm $ℬ$ that can solve the q-PBDHE assumption with an advantage ${ϵ}^{\prime }=\frac{ϵ}{8\left(l+1\right)q_{SC}}$ in a time $T^{\prime }=T+O\left({\ell }_{s,m}{n}_{s,m}{u}_m+\left(n_{s,m}+\left|\tilde{U}\right|{\ell }_{s,m}{n}_{s,m}^2\right)q_{sk}+\left(\left|\tilde{U}\right|+{\ell }_{s,m}\right)q_{psk}+\left(l+{\ell }_{e,m}+{\ell }_{s,m}+{\ell }_{e,m}{n}_{e,m}\right)q_{SC}+{\ell }_{e,m}{q}_{DS}\right)T^e+O\left({\ell }_{e,m}{q}_{DS}\right)T^p$.

Proof. 

Assume $\mathcal{A}$ can $\left(T,q_{sk},q_{psk},q_{SC},q_{DS},ϵ\right)$ break our basic scheme, we will construct the algorithm $ℬ$ as follows: $ℬ$ is given with the q-PBDHE challenge instance $\overrightarrow{\mathcal{Y}}$. The challenger $\mathcal{C}$ runs $\mathcal{G}\mathcal{G}\left(1^k\right)\to \left(e,p,\mathbb{G},{\mathbb{G}}_T\right)$ to generate the bilinear group and chooses $𝒷\in \left\{0,1\right\}$. If $𝒷=0$, $\mathcal{C}$ sends $\left(\overrightarrow{\mathcal{Y}},\Omega =e{\left(g,g\right)}^{a^{q+1}w}\right)$ to $ℬ$; otherwise it sends $\left(\overrightarrow{\mathcal{Y}},\Omega \stackrel{R}{\leftarrow }{\mathbb{G}}_T\right)$ to $ℬ$.

$Init$. The same as defined in Definition 9. Assume ${ℛ}_s^{*}=\left({\mathrm{M}}_s^{*},{\rho }_s^{*}\right)$ is the challenge signing access structure over all the attributes selected from the involved set of authorities $I_A^{*s}$. ${\mathrm{M}}_s^{*}$ is a ${\ell }_s^{*}\times n_s^{*}$ matrix and $n_s^{*}\le q$.

$Setup$. The adversary chooses a set of $S_A^{\prime }\subset S_A$ consisting of the corrupted authorities, and sends $S_A^{\prime }$ to the simulator $ℬ$.

For each uncorrupted authority $A{A}_k\in S_A-S_A^{\prime }$, $ℬ$ randomly chooses ${\alpha }_k^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and implicitly sets ${\alpha }_k={\alpha }_k^{\prime }+a^{q+1}$. $ℬ$ publishes ${\Delta }_k=e{\left(g,g\right)}^{{\alpha }_k}=e\left(g^a,g^{a^q}\right)e{\left(g,g\right)}^{{\alpha }_k^{\prime }}$.

Let ${\sigma }_1,{\sigma }_2\stackrel{R}{\leftarrow }{\mathbb{Z}}_p,\theta =g^a$. $ℬ$ chooses $m\stackrel{R}{\leftarrow }\left\{0,1,\dots ,l\right\},{\varrho }_0,{\varrho }_1,\dots ,{\varrho }_l\stackrel{R}{\leftarrow }\left\{0,1,\dots ,\varpi -1\right\},{\sigma }_1,{\sigma }_2,{𝓀}_0,{𝓀}_1,\dots ,{𝓀}_l\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$. Set $k_0={\left(g^{a^q}\right)}^{{\varrho }_0-\varpi m}{g}^{{𝓀}_0}$ and ${\left\{k_i={\left(g^{a^q}\right)}^{{\varrho }_i}{g}^{{𝓀}_i}\right\}}_{i\in \left[l\right]}$. ${\gamma }_1=g^{{\sigma }_1},{\gamma }_2=g^{{\sigma }_2}$. For $i\in \left[{\ell }_s^{*}\right]$, $V_i={\prod }_{l\in \mathcal{X}\backslash i}{\prod }_{k\in \left[n_s^{*}\right]}{g}^{a^k{\mathrm{M}}_s^{*\left(l,k\right)}{N}_A^{*s}}$ where $N_A^{*s}=\left|I_A^{*s}\right|$. For $i\in \left[{\ell }_s^{*}+1,{\ell }_{s,m}\right]$, $V_i=g^{v_i}$ where $v_i\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$.

Assume $\varpi =4q_{SC}$ and $\varpi \left(l+1\right)<p$. $ℬ$ defines two functions $L_1\left(\overrightarrow{c}\right)=p-\varpi m+{\varrho }_0+{\sum }_{i=1}^l{c}_i{\varrho }_i$ and $L_2\left(\overrightarrow{c}\right)={𝒷}_0+{\sum }_{i=1}^l{c}_i{𝒷}_i$ for each $\overrightarrow{c}=\left(c_1,c_2,\dots ,c_l\right)\in {\left\{0,1\right\}}^l$. Thus $k_0{\prod }_{i=1}^l{k}_i{}^{c_i}={\left(g^{a^q}\right)}^{L_1\left(\overrightarrow{c}\right)}{g}^{L_2\left(\overrightarrow{c}\right)}$. Let $L\left(\overrightarrow{c}\right)=\{\begin{array}{c}0, {\varrho }_0+{\sum }_{i=1}^l{c}_i{\varrho }_i=0 mod \varpi \\ 1, otherwise\end{array}$. Then $L\left(\overrightarrow{c}\right)=1$ implies $L_1\left(\overrightarrow{c}\right)\ne 0modp$.

$ℬ$ sends $PP=\left\{e,p,\mathbb{G},{\mathbb{G}}_T,g,\theta ,{\gamma }_1,{\gamma }_2,\left\{k_0,k_1,\dots ,k_l\right\},\left\{V_1,V_2\dots ,V_{{\ell }_{s,m}}\right\},H_1,H_2,H_3\right\}$ to $\mathcal{A}$. $ℬ$ initializes the empty list $L_{sk}$.

For the authority $A{A}_k\in S_A-S_A^{\prime }$, $ℬ$ chooses ${\beta }_k,{\gamma }_k\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and sets $X_k=g^{1/{\beta }_k},Y_k={\theta }^{1/{\beta }_k},Z_k={\theta }^{1/{\gamma }_k}$. Let $\mathcal{X}$ be the set consisting of the indexes $i\in \left[{\ell }_s^{*}\right]$ with ${\rho }_s^{*}\left(i\right)=x\in \widetilde{A{A}_k}$. For the attribute $x$ where $\mathcal{X}\ne \varnothing$, $ℬ$ chooses ${\phi }_x\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and computes $A_x=g^{{\phi }_x}{\prod }_{i\in \mathcal{X}}{\prod }_{k\in \left[n_s^{*}\right]}{g}^{-a^k{\mathrm{M}}_s^{*\left(i,k\right)}{N}_A^{*s}}$. If $\mathcal{X}=\varnothing$, $ℬ$ chooses ${\phi }_x\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$ and computes $A_x=g^{{\phi }_x}$. This assignment describes that $A_x=g^{{\phi }_x}$ for each encryption attribute as the signing attributes are different from encryption attributes. $ℬ$ sends $P{K}_k=\left\{X_k,Y_k,Z_k,{\left\{A_x\right\}}_{x\in \widetilde{A{A}_k}}\right\}$ to $\mathcal{A}$. For the authority $A{A}_k\in S_A^{\prime }$, $ℬ$ generates the public keys and secret keys of $A{A}_k$ as in the real scheme and sends both the public keys and secret keys to $\mathcal{A}$.

$SecretKey query {\mathcal{O}}^{sk}\left(\tilde{U},A{A}_k,uid\right)$. $\mathcal{A}$ adaptively queries the secret keys for the attribute set $\tilde{U}=\widetilde{U^d}\cup \widetilde{U^s}$ with identity $uid$ to the authority $A{A}_k$. $\widetilde{U^s}$ does not satisfy ${ℛ}_s^{*}$ together with any keys that can be obtained from corrupted authorities.

(1)

$ℬ$ checks the list $L_{sk}$ that whether the entry $\left(uid,\tilde{U},P{K}_{uid},S{K}_{uid},P{K}_{uid,k}, S{K}_{uid,k}\right)$ exists. If it does, $ℬ$ sends $S{K}_{uid}$ and $S{K}_{uid,k}$ to the adversary and publishes the public key $P{K}_{uid}$ and $P{K}_{uid,k}$.

(2)

Otherwise, $ℬ$ randomly picks $d_{uid}^{\prime },s_{uid}^{\prime },z_{uid}$ from ${\mathbb{Z}}_p^{*}$ and chooses a vector $\overrightarrow{f}=\left(f_1,f_2,\dots ,f_{n_s^{*}}\right)\in {\mathbb{Z}}_p^{n_s^{*}}$ such that $f=-1$ and $\overrightarrow{f}{\mathrm{M}}_s^{*i}=0$ for all ${\rho }_s^{*}\left(i\right)\in \widetilde{U^s}$. since ${ℛ}_s^{*}\left(\widetilde{U^s}\right)=0$. $ℬ$ computes $g^{d_{uid}}=g^{d_{uid}^{\prime }}{g}^{-a^q/z_{uid}}$, $g^{s_{uid}}=g^{s_{uid}^{\prime }}{\prod }_{i=1}^{n_s^{*}}{g}^{f_i{a}^{q-i+1}}$, and ${\left\{V_i^{s_{uid}}=g^{s_{uid}{v}_i}\right\}}_{i\in \left[{\ell }_s^{*}+1,{\ell }_{s,m}\right]}$. For $i\in \left[{\ell }_s^{*}\right]$, $V_i^{s_{uid}}=V_i^{s_{uid}^{\prime }}{\prod }_{l\in \mathcal{X}i}{\prod }_{k\in \left[n_s^{*}\right]}{\left({\prod }_{j=1,k\ne j}^{n_s^{*}}{g}^{f_j{a}^{q+k-j+1}}\right)}^{{\mathrm{M}}_s^{*\left(l,k\right)}{N}_A^{*s}}$. Set $P{K}_{uid}=\left\{g^{s_{uid}},g^{d_{uid}},g^{1/z_{uid}},{\theta }^{z_{uid}},g^{z_{uid}},{\left\{V_i^{s_{uid}}\right\}}_{i\in \left[{\ell }_{s,m}\right]}\right\}$ and $P{K}_{uid,k}=\{P{K}_{uid,k}^1=g^{1/\left({\gamma }_k{z}_{uid}\right)},P{K}_{uid,k}^2=g^{{\alpha }_k/\left({\gamma }_k{z}_{uid}\right)}{\theta }^{d_{uid}/{\gamma }_k}={\left(g^{\frac{{\alpha }_k^{\prime }}{z_{uid}}}{g}^{a{d}_{uid}^{\prime }}\right)}^{\frac{1}{{\gamma }_k}},P{K}_{uid,k}^3=g^{{\alpha }_k/{\beta }_k}{\theta }^{s_{uid}/{\beta }_k}={\left(g^{{\alpha }_k^{\prime }}{g}^{a{s}_{uid}^{\prime }}{g}^{{\sum }_2^{n_s^{*}}{f}_i{a}^{q-i+2}}\right)}^{\frac{1}{{\beta }_k}}\}$. Then $ℬ$ sets . For the attribute $x\in \widetilde{U^s}\cap \widetilde{A{A}_k}$ such that $\mathcal{X}=\varnothing$, $ℬ$ computes $F_{uid,x}^s={\left(g^{s_{uid}}\right)}^{{\phi }_x}$. Otherwise, $F_{uid,x}^s=g^{s_{uid}{\phi }_x}{\prod }_{i\in \mathcal{X}}{\prod }_{k\in \left[n_s^{*}\right]}{\left(g^{-s_{uid}^{\prime }{a}^k}{\prod }_{j=1,k\ne j}^{n_s^{*}}{g}^{-f_j{a}^{q+k-j+1}}\right)}^{{\mathrm{M}}_s^{*\left(i,k\right)}{N}_A^s}$. $ℬ$ sends $S{K}_{uid}=z_{uid}$ and $S{K}_{uid,k}$ to the adversary and publishes the public key $P{K}_{uid}$ and $P{K}_{uid,k}$. $ℬ$ inserts $\left(uid,\tilde{U},P{K}_{uid},S{K}_{uid},P{K}_{uid,k}, S{K}_{uid,k}\right)$ into $L_{sk}$.

$ProxySecretKeyquery{\mathcal{O}}^{psk}\left(\tilde{U},A{A}_k,uid\right)$. The same as Theorem 1.

$Signcryptionquery{\mathcal{O}}^{SC}\left(ℳ,{ℛ}_s,{ℛ}_e\right)$. $\mathcal{A}$ submits a message $ℳ\in {\mathbb{G}}_T$, signing and encryption predicts ${ℛ}_s=\left({\mathrm{M}}_s,{\rho }_s\right),{ℛ}_e=\left({\mathrm{M}}_e,{\rho }_e\right)$. $ℬ$ selects a signing attribute set $\widetilde{U^s}$ such that ${ℛ}_s\left(\widetilde{U^s}\right)=1$. $ℬ$ performs as follows:

(1)

It first computes a vector $\overrightarrow{a}=\left(a_1,a_2,\dots ,a_{{\ell }_s}\right)\in {\mathbb{Z}}_p^{{\ell }_s}$ such that $\overrightarrow{a}\cdot {\mathrm{M}}_s=\overrightarrow{1}$. Then $ℬ$ chooses $\overrightarrow{b}=\left(b_1,b_2,\dots ,b_{{\ell }_s}\right)\in {\mathbb{Z}}_p^{{\ell }_s}$ such that ${\sum }_{i\in \left[{\ell }_s\right]}{b}_i{\mathrm{M}}_s^i=\overrightarrow{0}$.

(2)

$ℬ$ randomly chooses $s_{uid}^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$ and computes ${\left\{S_{1,i}=g^{a_i{s}_{uid}^{\prime }+b_i}\right\}}_{i\in \left[{\ell }_s\right]}$.

(3)

Assume $H_2\left({\prod }_{i\in \left[{\ell }_s\right]}{S}_{1,i},tt,{ℛ}_s,{ℛ}_e\right)=\left(c_1,c_2,\dots ,c_l\right)=\overrightarrow{c}\in {\left\{0,1\right\}}^l$. If $L\left(\overrightarrow{c}\right)=0$, $ℬ$ aborts. Otherwise, $ℬ$ implicitly sets $w_{\mathcal{A}}=w_1-\frac{a{N}_A^s}{L_1\left(\overrightarrow{c}\right)}$ where $w_1\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$. Then $C_0=ℳ{\prod }_{k\in I_A^e}{\Delta }_k{}^{w_{\mathcal{A}}}$, $C_1=g^{w_{\mathcal{A}}}=g^{w_1}{\left(g^a\right)}^{-\frac{N_A^s}{L_1\left(\overrightarrow{c}\right)}}$, $C_3={\left(g^{{\sigma }_1}{g}^{\pi {\sigma }_2}\right)}^{w_{\mathcal{A}}}$, where ${\Delta }_k{}^{w_{\mathcal{A}}}={\Delta }_k{}^{w_1}{\left(e\left(g^{a^2},g^{a^q}\right)e\left(g^{{\alpha }_k^{\prime }},g^a\right)\right)}^{-N_A^s/L_1\left(\overrightarrow{c}\right)}$ and $\pi =H_1\left(C_1\right)$.

(4)

$ℬ$ chooses $\left\{r_1,r_2,\dots ,r_{{\ell }_e}\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, $\overrightarrow{\epsilon }=\left(w_1-\frac{a{N}_A^s}{L_1\left(\overrightarrow{c}\right)},{\epsilon }_2,\dots ,{\epsilon }_{n_e}\right)\in {\mathbb{Z}}_p^{n_e}$, ${\lambda }_i={\mathrm{M}}_e^i\overrightarrow{\epsilon }$. Then $ℬ$ selects $\left\{r_1^{\prime },r_2^{\prime },\dots ,r_{{\ell }_e}^{\prime }\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$, $\left\{{\lambda }_1^{\prime },{\lambda }_2^{\prime },\dots ,{\lambda }_{{\ell }_e}^{\prime }\right\}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p$. For $i\in \left[{\ell }_e\right]$, $ℬ$ computes $C_{2,i}^{\prime }=g^{a\left({\lambda }_i-{\lambda }_i^{\prime }\right)}{A}_{{\rho }_e\left(i\right)}{}^{-\left(r_i-r_i^{\prime }\right)}=g^{a\left(\left(w_1-\frac{a{N}_A^s}{L_1\left(\overrightarrow{c}\right)}\right){\mathrm{M}}_e^{\left(i,1\right)}+{\sum }_{j=2}^{n_e^{*}}{\epsilon }_j{\mathrm{M}}_e^{\left(i,j\right)}-{\lambda }_i^{\prime }\right)}{g}^{-{\phi }_{{\rho }_e\left(i\right)}\left(r_i-r_i^{\prime }\right)}$, $C_{2,i}^{″}={\lambda }_i^{\prime }$, $D_i^{\prime }=g^{r_i-r_i^{\prime }}$, $D_i^{″}=r_i^{\prime }$.

(5)

$ℬ$ computes $H_3\left(C_0,C_1,C_3,{ℛ}_s,{ℛ}_e\right)=\beta$, $S_2=\left({\prod }_{I_A^s}{g}^{{\alpha }_k}\right){\theta }^{s_{uid}^{\prime }{N}_A^s}\left({\prod }_{i\in \left[{\ell }_s\right]}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{uid}^{\prime }+b_i}\right){\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^{w_{\mathcal{A}}}{\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{w_{\mathcal{A}}\beta }=\left({\prod }_{I_A^s}{g}^{{\alpha }_k^{\prime }+a^{q+1}}\right){\theta }^{s_{uid}^{\prime }{N}_A^s}{C}_3^{\beta }{\left({\left(g^{a^q}\right)}^{L_1\left(\overrightarrow{c}\right)}{g}^{L_2\left(\overrightarrow{c}\right)}\right)}^{w_1-\frac{a{N}_A^s}{L_1\left(\overrightarrow{c}\right)}}\left({\prod }_{i=1}^{{\ell }_s}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{uid}^{\prime }+b_i}\right)=\left({\prod }_{I_A^s}{g}^{{\alpha }_k^{\prime }}\right)g^{a^{q+1}{N}_A^s}{\theta }^{s_{uid}^{\prime }{N}_A^s}{C}_3^{\beta }{\left({\left(g^{a^q}\right)}^{L_1\left(\overrightarrow{c}\right)}{g}^{L_2\left(\overrightarrow{c}\right)}\right)}^{w_1}{\left(g^{a{N}_A^s}\right)}^{\frac{-L_2\left(\overrightarrow{c}\right)}{L_1\left(\overrightarrow{c}\right)}}{g}^{-a^{q+1}{N}_A^s}\left({\prod }_{i=1}^{{\ell }_s}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{uid}^{\prime }+b_i}\right)=\left({\prod }_{I_A^s}{g}^{{\alpha }_k^{\prime }}\right){\theta }^{s_{uid}^{\prime }{N}_A^s}{C}_3^{\beta }{\left({\left(g^{a^q}\right)}^{L_1\left(\overrightarrow{c}\right)}{g}^{L_2\left(\overrightarrow{c}\right)}\right)}^{w_1}{\left(g^{a{N}_A^s}\right)}^{\frac{-L_2\left(\overrightarrow{c}\right)}{L_1\left(\overrightarrow{c}\right)}}\left({\prod }_{i=1}^{{\ell }_s}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{a_i{s}_{uid}^{\prime }+b_i}\right)$. Finally, $ℬ$ sends $CT=\left\{C_0,C_1,{\left\{C_{2,i}^{\prime },C_{2,i}^{″},D_i^{\prime },D_i^{″}\right\}}_{i\in \left[{\ell }_e\right]},{\left\{S_{1,i}\right\}}_{i\in \left[{\ell }_s\right]},S_2,tt\right\}$ to $\mathcal{A}$.

$DeSigncryptionquery{\mathcal{O}}^{DS}\left(CT,\widetilde{U^d}\right)$. If $\left|tt-\overline{tt}\right|>thr{e}_{tt}$ or ${ℛ}_e\left(\widetilde{U^d}\right)=0$, then $ℬ$ returns $\perp$. Otherwise, $ℬ$ issues the ${\mathcal{O}}^{\mathrm{sk}}$ query to get the secret decryption key and returns the output of $DeSigncryption$ to $\mathcal{A}$.

$Forgery$. $\mathcal{A}$ submits a valid ciphertext $C{T}^{*}$ for the challenge signing predicate ${ℛ}_s^{*}$ and an encryption predicate ${ℛ}_e$. If $ℳ\leftarrow DeSigncryption\left(PP,C{T}^{*},PK,SK\right)$ and $\mathcal{A}$ has never issued ${\mathcal{O}}^{\mathrm{SC}}\left(ℳ,{ℛ}_{\mathrm{s}}^{*},{ℛ}_{\mathrm{e}}\right)$. $ℬ$ performs as follows:

(1)

$ℬ$ computes $H_2\left({\prod }_{i\in \left[{\ell }_s^{*}\right]}{S}_{1,i},tt,{ℛ}_s^{*},{ℛ}_e\right)=\left(c_1,c_2,\dots ,c_l\right)=\overrightarrow{c}\in {\left\{0,1\right\}}^l$. If $\varpi m\ne {\varrho }_0+{\sum }_{i=1}^l{c}_i{\varrho }_i$, $ℬ$ aborts. Otherwise, $L_1\left(\overrightarrow{c}\right)=0 mod p$.

(2)

If $C{T}^{*}$ is a valid ciphertext, then $H_3\left(C_0,C_1,C_3,{ℛ}_s^{*},{ℛ}_e\right)=\beta$ and $\pi =H_1\left(C_1\right)$. Then

$S_2=\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k}\right){\theta }^{s_{uid}^{″}{N}_A^{*s}}\left({\prod }_{i\in \left[{\ell }_s^{*}\right]}{\left(A_{{\rho }_s^{*}\left(i\right)}{V}_i\right)}^{a_i{s}_{uid}^{″}+b_i}\right){\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^w{\left({\gamma }_1{\gamma }_2{}^{\pi }\right)}^{w\beta }=\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k^{\prime }+a^{q+1}}\right){\theta }^{s_{uid}^{″}{N}_A^{*s}}{C}_1^{L_2\left(\overrightarrow{c}\right)+\beta \left({\sigma }_1+\pi {\sigma }_2\right)}\left({\prod }_{i=1}^{{\ell }_s^{*}}{\left(g^{{\phi }_{{\rho }_s^{*}\left(i\right)}}{\prod }_{j\in \left[n_s^{*}\right]}{g}^{-a^j{\mathrm{M}}_s^{*\left(i,j\right)}{N}_A^{*s}}\right)}^{a_i{s}_{uid}^{″}+b_i}\right)=\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k^{\prime }}\right)g^{N_A^{*s}{a}^{q+1}}{\theta }^{s_{uid}^{″}{N}_A^{*s}}{C}_1^{L_2\left(\overrightarrow{c}\right)+\beta \left({\sigma }_1+\pi {\sigma }_2\right)}{\prod }_{i=1}^{{\ell }_s^{*}}{S}_{1,i}{}^{{\phi }_{{\rho }_s^{*}\left(i\right)}}{g}^{N_A^{*s}\left({\sum }_{i\in \left[{\ell }_s^{*}\right]}{\sum }_{j\in \left[n_s^{*}\right]}-a^j{\mathrm{M}}_s^{*\left(i,j\right)}\left(a_i{s}_{uid}^{″}+b_i\right)\right)}=\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k^{\prime }}\right)g^{N_A^{*s}{a}^{q+1}}{\theta }^{s_{uid}^{″}{N}_A^{*s}}{C}_1^{L_2\left(\overrightarrow{c}\right)+\beta \left({\sigma }_1+\pi {\sigma }_2\right)}{\prod }_{i=1}^{{\ell }_s^{*}}{S}_{1,i}{}^{{\phi }_{{\rho }_s^{*}\left(i\right)}}{\theta }^{-s_{uid}^{″}{N}_A^{*s}}=\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k^{\prime }}\right)g^{N_A^{*s}{a}^{q+1}}{C}_1^{L_2\left(\overrightarrow{c}\right)+\beta \left({\sigma }_1+\pi {\sigma }_2\right)}{\prod }_{i=1}^{{\ell }_s^{*}}{S}_{1,i}{}^{{\phi }_{{\rho }_s^{*}\left(i\right)}}$, where $\overrightarrow{a}\cdot {\mathrm{M}}_s^{*}=\overrightarrow{1},\overrightarrow{b}\cdot {\mathrm{M}}_s^{*}=\overrightarrow{0}$ and ${\sum }_{i\in \left[{\ell }_s^{*}\right]}{\sum }_{j\in \left[n_s^{*}\right]}-a^j{\mathrm{M}}_s^{*\left(i,j\right)}\left(a_i{s}_{uid}^{″}+b_i\right)=-a{s}_{uid}^{″}$.

Thus, $ℬ$ can calculate $g^{a^{q+1}}={\left(\frac{S_2}{\left({\prod }_{I_A^{*s}}{g}^{{\alpha }_k^{\prime }}\right)C_1^{L_2\left(\overrightarrow{c}\right)+\beta \left({\sigma }_1+\pi {\sigma }_2\right)}{\prod }_{i=1}^{{\ell }_s^{*}}{S}_{1,i}{}^{{\phi }_{{\rho }_s^{*}\left(i\right)}}}\right)}^{1/N_A^{*s}}$ and then break the q-PBDHE assumption by computing $e\left(g^{a^{q+1}},g^w\right)$. Let $E_1$ be the event that $L\left(\overrightarrow{c}\right)=0$ in some $Signcryptionquery$ and $E_2$ be the event that $\varpi m\ne {\varrho }_0+{\sum }_{i=1}^l{b}_i{\varrho }_i$ in the forgery phase. Then we have $Pr\left[\neg E_1\wedge \neg E_2\right]=\frac{1}{\left(l+1\right)\varpi }\left(1-\frac{2q_{SC}}{\varpi }\right)$. If $\varpi =4q_{SC}$, then $Pr\left[\neg E_1\wedge \neg E_2\right]=\frac{1}{8\left(l+1\right)q_{SC}}$. Thus the advantage of $ℬ$ solving the q-PBDHE assumption is at least $\mathcal{A}d{v}_{ℬ}\ge \frac{ϵ}{8\left(l+1\right)q_{SC}}$. The runtime of $ℬ$ is at most $T^{\prime }=T+O\left({\ell }_{s,m}{n}_{s,m}{u}_m+\left(n_{s,m}+\left|\tilde{U}\right|{\ell }_{s,m}{n}_{s,m}^2\right)q_{sk}+\left(\left|\tilde{U}\right|+{\ell }_{s,m}\right)q_{psk}+\left(l+{\ell }_{e,m}+{\ell }_{s,m}+{\ell }_{e,m}{n}_{e,m}\right)q_{SC}+{\ell }_{e,m}{q}_{DS}\right)T^e+O\left({\ell }_{e,m}{q}_{DS}\right)T^p$. □

6.3. Signcryptor Privacy

Based on the security model defined in Definition 10, we prove that our scheme guarantees signcryptor privacy in Theorem 3.

Theorem 3.

Our scheme guarantees the signcryptor privacy.

Proof. 

The challenger sends $PP,PK,{\left\{P{K}_k,S{K}_k\right\}}_{I_A}$ to the adversary $\mathcal{A}$. Then $\mathcal{A}$ outputs two signing attribute sets $\widetilde{U_0^s},\widetilde{U_1^s}$ satisfying ${ℛ}_s\left(\widetilde{U_0^s}\right)=1={ℛ}_s\left(\widetilde{U_1^s}\right)$. The challenger selects $𝒷\stackrel{R}{\leftarrow }\left\{0,1\right\}$ and computes $C{T}_{𝒷}$ with the secret signing key $S{K}_{uid,k}^{s,𝒷}\leftarrow SecretKeyGen\left(PP,P{K}_k,S{K}_k,P{K}_{uid},\widetilde{U_{𝒷}^s}\right)$. Note that both the challenger and $\mathcal{A}$ can compute $S{K}_{uid,k}^{s,𝒷}$ for $\widetilde{U_{𝒷}^s}$, where $k\in I_A$. Specifically, $K_{uid,k}^{s,𝒷}=g^{{\alpha }_k}{\theta }^{s_{uid}^{𝒷}},F_{uid,x}^{s,𝒷}=A_x^{s_{uid}^{𝒷}}$, where $s_{uid}^{𝒷}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$.

If the challenger uses $S{K}_{uid,k}^{s,0}$, then it can generate the ciphertext $C{T}_0=\left\{C_0,C_1^0,{\left\{C_{2,i}^{\prime 0},C_{2,i}^{″0},D_i^{\prime 0},D_i^{″0}\right\}}_{i\in \left[{\ell }_e\right]},{\left\{S_{1,i}^0\right\}}_{i\in \left[{\ell }_s\right]},S_2^0,tt\right\}$ as follows.

$C_1^0=g^{w_0}$, $C_3^0={\left({\gamma }_1{\gamma }_2{}^{{\pi }_0}\right)}^{w_0}$ where ${\pi }_0=H_1\left(C_1^0\right)$.

${\left\{C_{2,i}^{\prime 0}={\theta }^{{\lambda }_i^{\prime 0}}{A}_{{\rho }_e\left(i\right)}^{-r_i^{\prime 0}},D_i^{\prime 0}=g^{r_i^{\prime 0}},C_{2,i}^{″0}={\lambda }_i^0-{\lambda }_i^{\prime 0},D_i^{″0}=r_i-r_i^{\prime 0}\right\}}_{i\in \left[{\ell }_e\right]}$, ${\left\{S_{1,i}^0=g^{a_i^0{s}_{uid}^{″0}+b_i^0}\right\}}_{i\in \left[{\ell }_s\right]}$.

$H_2\left({\prod }_{i\in \left[{\ell }_s\right]}{S}_{1,i}^0,tt,{ℛ}_s,{ℛ}_e\right)=\left(c_1,c_2,\dots ,c_l\right)\in {\left\{0,1\right\}}^l$. $H_3\left(C_0,C_1^0,C_3^0,{ℛ}_s,{ℛ}_e\right)=\beta$.

$S_2^0=\left({\prod }_{I_A^s}{g}^{{\alpha }_k}\right){\theta }^{s_{uid}^{″0}{N}_A^s}\left({\prod }_{i\in \left[{\ell }_s\right]}{\left(A_{{\rho }_s\left(i\right)}{V}_i\right)}^{v_i^0{s}_{uid}^{″0}+t_i^0}\right){\left(k_0{\prod }_{i=1}^l{k}_i{}^{c_i}\right)}^{w_0}{\left(C_3^0\right)}^{\beta }$, where $s_{uid}^{″0}=s_{uid}^0+s_{uid}^{\prime 0}$ and $s_{uid}^{\prime 0}\stackrel{R}{\leftarrow }{\mathbb{Z}}_p^{*}$.

If the challenger uses $S{K}_{uid,k}^{s,1}$, and sets $w_0=w_1,{\lambda }_i^{\prime 0}={\lambda }_i^{\prime 1},r_i^0=r_i^1,r_i^{\prime 0}=r_i^{\prime 1},s_{uid}^{\prime 1}=s_{uid}^{″0}-s_{uid}^1$, then ${\lambda }_i^0={\lambda }_i^1$, $s_{uid}^{″0}=s_{uid}^{″1}=s_{uid}^{″}$. Thus $C_1^0=C_1^1,{\pi }_0={\pi }_1,C_{2,i}^{\prime 0}=C_{2,i}^{\prime 1},C_{2,i}^{″0}=C_{2,i}^{″1},C_3^0=C_3^1,D_i^{\prime 0}=D_i^{\prime 1},D_i^{″0}=D_i^{″1}$. The challenger sets $\overrightarrow{a^1}\cdot {\mathrm{M}}_s=\overrightarrow{1}$ and sets $b_i^1=\left(a_i^0-a_i^1\right)s_{uid}^{″}+b_i^0$. Then $\overrightarrow{b^1}\cdot {\mathrm{M}}_s=\overrightarrow{0}$ and $a_i^0{s}_{uid}^{″}+b_i^0=a_i^1{s}_{uid}^{″}+b_i^1$. Hence $S_{1,i}^0=S_{1,i}^1,S_2^0=S_2^1$, and $C{T}_0=C{T}_1$.

Similarly, if the challenger firstly uses $S{K}_{uid,k}^{s,1}$ to generate $C{T}_1=\left\{C_0,C_1^1,{\left\{C_{2,i}^{\prime 1},C_{2,i}^{″1},D_i^{\prime 1},D_i^{″1}\right\}}_{i\in \left[{\ell }_e\right]},{\left\{S_{1,i}^1\right\}}_{i\in \left[{\ell }_s\right]},S_2^1,tt\right\}$, then it can generate $C{T}_0$ with $S{K}_{uid,k}^{s,0}$ and $C{T}_1=C{T}_0$. Therefore, $\mathcal{A}$ can only outputs a random guess ${𝒷}^{\prime }$ and the probability is at most $\frac{1}{2}$. □

6.4. Collusion Resistance

High-Level Overview

In our scheme, the secret keys of each user are associated the random elements $d_{uid},s_{uid}$ picked by CA which are difficult for each user, fog node, authority and cloud server to compute or learn. Therefore, the colluders such as the user, fog node, and cloud server cannot selectively replace or convert the components of the secret keys under the discrete logarithm assumption. Additionally, since $uid$ chosen by CA is globally unique in the system and $d_{uid}$ and $s_{uid}$ are kept secret, secret keys generated from different authorities for the same $uid$ can be tied together for signcryption and designcryption, and the secret keys generated for different users cannot be combined.

Let $S_c$ denote the set of colluders, and $\widetilde{U^d}$ is the combined decryption attribute set of $S_c$. Recall that the message $ℳ$ is blinded by ${\prod }_{k\in I_A^e}{\Delta }_k{}^w={\prod }_{k\in I_A^e}e{\left(g,g\right)}^{{\alpha }_{k}w}$. It is infeasible to directly reconstruct ${\prod }_{k\in I_A^e}e{\left(g,g\right)}^{{\alpha }_{k}w}$ due to the blindness of ${\alpha }_k$ and the hardness of discrete logarithm assumption. Thus the colluders have to compute ${\prod }_{k\in I_A^e}e\left(K_{uid,k}^d,C_1\right)$ and have to cancel the redundant element $e{\left(\theta ,g\right)}^{w{N}_A^e{d}_{uid}}={\prod }_{k\in I_A^e}e{\left(g,g\right)}^{wh{d}_{uid}}$, where $\theta =g^h$. Due to BDH assumption, the only way to cancel $e{\left(\theta ,g\right)}^{w{N}_A^e{d}_{uid}}$ is to compute the denominator ${\prod }_{k\in I_A^e}{\prod }_{i\in I_{A_k}}{\left[e\left(C_{2,i}^{\prime }{\theta }^{C_{2,i}^{″}}{A}_{{\rho }_e\left(i\right)}^{-D_i^{″}},g^{d_{uid}}\right)e\left(D_i^{\prime }{g}^{D_i^{″}},F_{uid,{\rho }_e\left(i\right)}^d\right)\right]}^{{\sigma }_i{N}_A^e}$ in $PartialDecryption$ algorithm, which means $F_{uid,{\rho }_e\left(i\right)}^d=A_{{\rho }_e\left(i\right)}^{d_{uid}}$ with the same $d_{uid}$ holds for all ${\rho }_e\left(i\right)\in \widetilde{U^d}$. However, since the colluders are individually unauthorized for decryption, none of the colluders holds $A_{{\rho }_e\left(i\right)}^{d_{uid}}$ for all ${\rho }_e\left(i\right)\in \widetilde{U^d}$ simultaneously. Moreover, since the secret key cannot be replaced, converted or combined, ${\left\{A_{{\rho }_e\left(i\right)}^{d_{uid}}\right\}}_{U_{uid}\in S_c,{\rho }_e\left(i\right)\in \widetilde{U^d}}$ are associated with different $d_{uid}$. Hence the colluders cannot successfully decrypt the ciphertext even though $\widetilde{U^d}$ satisfies the encrypt predicate defined in the ciphertext. Specifically, according to Theorems 1 and 2, we can prove that our scheme guarantees the collusion resistance under q-PBDHE assumption in Theorem 4.

Theorem 4.

The proposed data access control scheme is collusion resistance.

Proof. 

For the designcryptor, we state that the security game defined in Definition 9 implies the collusion resistance. Suppose that $S_c$ denotes the set of colluders who are unauthorized for decryption and $\widetilde{U^d}=\cup {\left\{\widetilde{U_i^d}\right\}}_{i\in S_c}$. If the colluders can decrypt $C{T}^{*}$ when ${ℛ}_e^{*}\left(\widetilde{U^d}\right)=1$, then the algorithm $ℬ$ which can solve the q-PBDHE assumption can be constructed as follows.

In the initialization phase, the challenger sets ${ℛ}_e^{*}$ as the selected challenge encryption predicate. In ${\mathcal{O}}^{sk}$, $\mathcal{A}$ queries for the secret decryption key corresponding to the colluder’s individual attribute set $\widetilde{U_i^d}$. Since the colluders are individually unauthorized for decryption, we have ${ℛ}_e^{*}\left(\widetilde{U_i^d}\right)=0$, which satisfies the constraint of ${\mathcal{O}}^{sk}$ defined in Definition 8. Then in challenge phase, the challenger encrypts ${ℳ}_{\widehat{𝒷}}$ under ${ℛ}_e^{*}$. If the colluders can decrypt the ciphertext, then $\mathcal{A}$ can guess the bit $\widehat{𝒷}$, and thus $ℬ$ can solve the q-PBDHE assumption with non-negligible probability.

Similarly, for the signcryptor, the Theorem 2 guarantees that no colluders such as users, fog nodes or cloud server can generate the signature by combining their information if they are individually unauthorized to sign the plaintext. Otherwise, the colluders can build an adversary and output a forgery to win the game in Definition 9 and break q-PBDHE assumption.

Therefore, the colluding users, fog nodes, and cloud server cannot sign or decrypt the data, and our OMDAC-ABSC scheme guarantees collusion resistance. □

6.5. Revocation Security

Assume the attribute $x$ of $U$ is revoked from $A{A}_k$. $A{A}_k$ issues the update secret keys $dU{K}_x=g^{d_{uid}\left({\phi }_x^{\prime }-{\phi }_x\right)},sU{K}_x=g^{s_{uid}\left({\phi }_x^{\prime }-{\phi }_x\right)}$ and sends the keys to the non-revoked users. $dU{K}_x$ and $sU{K}_x$ are associated with the secret value $d_{uid},s_{uid}$ chosen by CA and attribute version key ${\phi }_x^{\prime },{\phi }_x$ chosen by $A{A}_k$. Therefore, due to the blindness of $d_{uid},s_{uid},{\phi }_x^{\prime }$, and ${\phi }_x$, the revoked user $U$ cannot update his/her secret signing or decryption key, even though he/she can corrupt some attribute authorities (not the authority $A{A}_k$ corresponding to $x$) or collude with the non-revoked user.

Theorem 5.

Our OMDAC-ABSC scheme guarantees the forward and backward revocation security.

Proof. 

 

Forward Security. If there exists $i$ such that ${\rho }_s\left(i\right)=x$, the newly joined user can sign the plaintext and generate the signature component $S_2$ associated with $A_x^{\prime }$, which is the same as the updated attribute public key of $A{A}_k$. Thus the $Verify$ algorithm holds if user’s signing attributes satisfy the signing predicate. Otherwise, the newly joined user’s secret decryption keys are all associated with $A_x^{\prime }$, which is the same as that in the components $C_{2,i}^{\prime }$. Thus the newly joined user can decrypt ciphertext if his/her attribute set satisfies the embedded encryption predicate.

Backward security. If there exists $i$ such that ${\rho }_s\left(i\right)=x$, and the revoked user reverse the signature component $S_2$ back to the non-revoked state which is associated with $A_x$, then the $Verify$ algorithm cannot hold since the attribute public key of $A{A}_k$ has been updated to $A_x^{\prime }$.

Otherwise, assume $C{T}_{old}^{\prime }$ denotes the ciphertext which is updated from $C{T}_{old}$ in attribute revocation phase, we have $C_{2,i}^{\prime }={\theta }^{{\lambda }_i^{\prime }}{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-\left(r_i^{\prime }+r_i^{″}\right)}$ and $D_i^{\prime }=g^{r_i^{\prime }+r_i^{″}}$. It is hard for the revoked user to cancel $cU{K}_i$ and $g^{r_i^{″}}$ since they are associated with the values ${\phi }_x^{\prime },{\phi }_x$ which are secretly chosen by $A{A}_k$ and $r_i^{″}$ randomly picked by cloud server. Therefore, the revoked user cannot reverse the $C{T}_{old}^{\prime }$ back to $C{T}_{old}$.

For the ciphertext $C{T}_{new}$ which is uploaded after the attribute revocation phase, we have $C_{2,i}^{\prime }={\theta }^{{\lambda }_i^{\prime }}{A}_{{\rho }_e\left(i\right)}^{\prime }{}^{-r_i^{\prime }}$ for $i$ such that ${\rho }_e\left(i\right)=x$. The revoked user cannot transform these components into the ones associated with $A_{{\rho }_e\left(i\right)}$ due to the blindness of the attribute version keys ${\phi }_x^{\prime },{\phi }_x$ chosen by $A{A}_k$ and random element $r_i^{\prime }$ picked by fog node. Therefore, our OMDAC-ABSC scheme guarantees the forward and backward revocation security. □

7. Scheme Analysis

7.1. Security and Functionality

In this subsection, we detail the comprehensive security and functionality comparison among the proposed scheme and some MA-ABE schemes [21,22,23,24,25,26], CP-ABSC schemes [12,13,14,15] and ABE based schemes used for fog computing [16,17,18,19,20] in Table 1, Table 2 and Table 3. Therein, ✓ represents the capability to achieve the corresponding index, whereas ⨯ denotes the opposite. MBF represents monotone Boolean function, and TG represents the threshold gate.

Table 1. Security and Functionality Comparison of MACP-ABE Schemes.

Schemes	[21]	[22]	[23]	[24]	[25]	[26]	Ours
Collusion Resistance	⨯	✓	✓	✓	✓	✓	✓
Standard Model	✓	⨯	⨯	⨯	⨯	⨯	✓
Encryption Predicate	MBF	MBF	MBF	MBF	MBF	MBF	MBF
Encryption Outsourcing	⨯	⨯	⨯	⨯	✓	⨯	✓
Decryption Outsourcing	⨯	✓	⨯	⨯	✓	✓	✓
Anonymous Authentication	⨯	⨯	⨯	✓	⨯	⨯	✓
Attribute Revocation	⨯	✓	⨯	⨯	⨯	✓	✓

Table 2. Security and Functionality Comparison of CP-ABSC Schemes.

Schemes	[12]	[13]	[14]	[15]	Ours
Collusion Resistance	✓	✓	✓	✓	✓
Standard Model	✓	⨯	✓	⨯	✓
Signcryptor Privacy	✓	✓	✓	⨯	✓
Signing Predicate	MBF	MBF	MBF	MBF	MBF
Encryption Predicate	MBF	MBF	MBF	TG	MBF
Signcryption Outsourcing	⨯	⨯	⨯	⨯	✓
Designcryption Outsourcing	⨯	⨯	⨯	⨯	✓
Multi-Authority	⨯	⨯	⨯	⨯	✓
Public Verifiability	⨯	⨯	✓	✓	✓
Attribute Revocation	⨯	⨯	⨯	⨯	✓

Table 3. Security and Functionality Comparison of ABE based Schemes for Fog Computing.

Schemes	[16]	[17]	[18]	[19]	[20]	Ours
Collusion Resistance	✓	✓	✓	✓	✓	✓
Standard Model	⨯	⨯	⨯	✓	✓	✓
Encryption Predicate	TG	MBF	TG	TG	MBF	MBF
Encryption Outsourcing	✓	✓	⨯	✓	⨯	✓
Decryption Outsourcing	✓	✓	✓	✓	✓	✓
Multi-Authority	⨯	✓	⨯	⨯	⨯	✓
Anonymous Authentication	✓	⨯	⨯	⨯	⨯	✓
Attribute Revocation	⨯	⨯	⨯	✓	⨯	✓

Table 1, Table 2 and Table 3 show that our scheme supports many useful properties, such as multi-authority, collusion resistance, computation outsourcing, anonymous authentication, expressiveness, public verifiability and attribute revocation. Our scheme also realizes the security in the standard model.

7.2. Asymptotic Complexity and Performance

This section numerically analyzes the asymptotic complexity and performance of the proposed OMDAC-ABSC scheme against some MACP-ABE schemes [21,22,24,25,26], CP-ABSC schemes [12,13,14,15], and ABE based schemes [16,17,18,19,20] used for fog computing in terms of the size of secret key, ciphertext and update key, and computation overhead (exponentiations and pairing computations) of $Signcryption$, $DeSigncryption$ and $UpCiphertext$ algorithms. We focus on the computation overhead on the user side because of the limited computation resources. For simplicity, in asymptotic complexity analysis we ignore the cost time of Hash functions and operations in ${\mathbb{Z}}_p$. Table 4 summarizes the notations used in this section.

Table 4. Notations.

Notations	Meaning
$T_{\mathbb{G}}^e/T_{{\mathbb{G}}_T}^e$	Running time required for one exponentiation in $\mathbb{G}$ and ${\mathbb{G}}_{\mathrm{T}}$.
$T^p$	Running time for one pairing operation.
$N_A$	Number of involved authorities.
$\left|\mathbb{G}\right|/\left|{\mathbb{G}}_T\right|/\left|{\mathbb{Z}}_p\right|$	Size of the element in $\mathbb{G}$, ${\mathbb{G}}_{\mathrm{T}}$, and ${\mathbb{Z}}_{\mathrm{p}}$.
$l_e /l_s$	Number of required attributes in decryption and verification.
$\left|\widetilde{U^d}\right|$	Number of decryption attributes.
$\left|\tilde{U}\right|$	Number of signing and decryption attributes.
$S$	Least interior nodes satisfying the access policy tree.

7.2.1. Asymptotic Complexity

Table 5 details the storage comparison on MACP-ABE schemes. It is clear that the size of the secret decryption key in our OMDAC-ABSC is larger than that in [24,25] due to the components ${\left\{K_{uid,k}^d\right\}}_{k\in I_A}$. Table 5 also illustrates that the size of ciphertext in our scheme is larger than that in [21,22,26], and has the advantage over [25]. Since our scheme supports public verification of signcryptor’s attributes, the ciphertext contains the signature components ${\left\{S_{1,i}\right\}}_{i\in \left[{\ell }_s\right]},S_2$, which result in a reducing $\left(1+l_s\right)\left|\mathbb{G}\right|$ of storage overhead. Although the scheme in [24] can also verify the data owner’s attributes, it requires $2+2l_s$ signature group elements and is not publicly verifiable since it needs the plaintext message in verification algorithm. Additionally, both of our scheme and [25] requires the data owner to compute the ciphertext components ${\left\{C_{2,i}^{″},D_i^{″}\right\}}_{i\in \left[{\ell }_e\right]}$ when performing $User\_Signcryption$ algorithm. This cost is $2l_e\left|{\mathbb{Z}}_p\right|$.

Table 5. Storage Comparison of MACP-ABE based Schemes.

Schemes	Secret Decryption Key	Ciphertext	Update Key
			Secret Key Update	Ciphertext Update Key
[21]	$\left(6N_A+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(3N_A+2l_e\right)\left|\mathbb{G}\right|$	-	-
[22]	$\left(2+2\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(3+N_A+3l_e\right)\left|\mathbb{G}\right|$	$2\left|\mathbb{G}\right|$	$l_e\left|\mathbb{G}\right|$
[24]	$\left|\widetilde{U^d}\right|\left|\mathbb{G}\right|$	$\left(l_e+1\right)\left|{\mathbb{G}}_T\right|+\left(2+2l_e+2l_s\right)\left|\mathbb{G}\right|$	-	$l_e\left|{\mathbb{G}}_T\right|$
[25]	$\left|\widetilde{U^d}\right|\left|\mathbb{G}\right|$	$\left(3l_e+1\right)\left|{\mathbb{G}}_T\right|+4l_e\left|\mathbb{G}\right|+2l_e\left|{\mathbb{Z}}_p\right|$	$\left(2\left|\mathbb{G}\right|+\left|{\mathbb{G}}_T\right|\right)l_e$	$l_e\left|{\mathbb{G}}_T\right|$
[26]	$\left(2N_A+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(1+3l_e\right)\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|$	$\left|{\mathbb{Z}}_p\right|$
Ours	$\left(N_A+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(2+2l_e+l_s\right)\left|\mathbb{G}\right|+2l_e\left|{\mathbb{Z}}_p\right|$	$\left|\mathbb{G}\right|$	$l_e\left|\mathbb{G}\right|$

For attribute revocation, it is apparent that our scheme and [22] incur relatively the same storage overhead. Compared with [26], our scheme requires the attribute authority supervising the revoked attribute $x$ to compute the ciphertext update key $cUK={\left\{{\left(D_i^{\prime }\right)}^{{\phi }_x-{\phi }_x^{\prime }}\right\}}_{{\rho }_e\left(i\right)=x}$ when $x$ is selected as an encryption attribute, and thus incurs at most $l_e$ group elements, whereas the scheme [26] only sends ${\phi }_x-{\phi }_x^{\prime }$ to the cloud. However, as shown in [22], DAC-MACS [26] cannot guarantee backward revocation security.

Table 6 shows the computation overhead comparison of $Signcryption$ and $Decryption$ algorithms on the user side and $UpCiphertext$ algorithm on the cloud. From the table, we can see that the encryption and decryption cost of our scheme are both irrelevant to the number of attributes. In data signcryption phase, our scheme asks fog nodes to compute and generate part of the ciphertext which is associated with the signing and encryption predicates. Thus the signcryption cost of data owner can be reduced as $T_{{\mathbb{G}}_T}^e+3T_{\mathbb{G}}^e$ in encryption and $\left(l_s+l+2\right)T_{\mathbb{G}}^e$ in signing. In decryption phase, our scheme only incurs the cost of one exponentiation in ${\mathbb{G}}_T$. Hence the performance of ours is better than most schemes except for [25]. To guarantee the CCA security in the standard model (see Theorem 1), our scheme requires the data owner to compute the components $C_1$ and $C_3$, which results in a slight reducing $3T_{\mathbb{G}}^e$ of computation efficiency compared with [25]. However, our scheme performs better than [25] with respect to attribute revocation. Moreover, the DAC-MACS scheme in [26] only incurs the cost of $l_e$ exponentiations in $\mathbb{G}$ in ciphertext update phase, while our scheme incurs twice this cost. The reason is that we re-randomize $C_{2,i}^{\prime }$ and $D_i^{\prime }$ in $UpCiphertext$ algorithm to realize the backward revocation security.

Table 6. Time Comparison of Signcryption, Decryption and UpCiphertext.

Schemes	Signcryption (User Side)		Decryption (User Side)	UpCiphertext
	Encryption	Signing
[21]	$N_A{T}_{{\mathbb{G}}_T}^e+\left(3N_A+3l_e\right)T_{\mathbb{G}}^e$	-	$\left(4N_A+2l_e\right)T^p+\left(N_A+l_e\right)T_{{\mathbb{G}}_T}^e$	-
[22]	$2N_A{T}_{{\mathbb{G}}_T}^e+\left(3+N_A+4l_e\right)T_{\mathbb{G}}^e$	-	$T_{{\mathbb{G}}_T}^e$	$2l_e{T}_{\mathbb{G}}^e$
[24]	$\left(1+2l_e\right)T_{{\mathbb{G}}_T}^e+3l_e{T}_{\mathbb{G}}^e$	$\left(2+3l_s+2l_s{n}_s\right)T_{\mathbb{G}}^e$	$2l_e{T}^p$	$\left(1+2l_e\right)T^p$
[25]	$T_{{\mathbb{G}}_T}^e$	-	$2T_{{\mathbb{G}}_T}^e$	$l_e{T}^p$
[26]	$N_A{T}_{{\mathbb{G}}_T}^e+\left(1+5l_e\right)T_{\mathbb{G}}^e$	-	$T_{{\mathbb{G}}_T}^e$	$l_e{T}_{\mathbb{G}}^e$
Ours	$T_{{\mathbb{G}}_T}^e+3T_{\mathbb{G}}^e$	$\left(l_s+l+2\right)T_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e$	$2l_e{T}_{\mathbb{G}}^e$

If we set $N_A=1$, then the proposed scheme is a traditional CP-ABSC scheme. In Table 7, we compare the asymptotic complexity of OMDAC-ABSC with CP-ABSC schemes [12,13,14,15]. As seen from Table 7, the size of the secret key is linear to the size of the attribute universe, which is not different between our scheme and others. Our scheme incurs a slight reducing $l_e\left|\mathbb{G}\right|+2l_e\left|{\mathbb{Z}}_p\right|$ of storage overhead than other schemes on the ciphertext. The reason is that we add ${\left\{C_{2,i}^{″},D_i^{\prime },D_i^{″}\right\}}_{i\in \left[{\ell }_e\right]}$ to realize the attribute revocation and outsourced encryption, which are not considered in other schemes. Meanwhile, the ciphertext in our scheme consists of $l_s+1$ group elements for verification, while that in [12] is $2l_s+2$. Table 7 also indicates that our scheme incurs less computation overhead of $DeSigncryption$ on the user side than do the other schemes since most costly job of decryption is outsourced to fog nodes. Compared with [14], our construction requires $3+l_s$ pairing operations in total in decryption (user side) and verification, whereas in [14], $\left(5+l_s\right)$ pairings are needed. Moreover, since our scheme supports public verifiability, the verification algorithm can be performed by a trusted intermediate party. Thus the user can recover the plaintext within one exponentiation in ${\mathbb{G}}_T$. In contrast, the schemes in [12,13,15] are not publicly verifiable, and thus incur large amount of computation overhead in verification and decryption on the user side. In [12,13], the number of pairings is linear to the number of attributes. In [15], although the size of ciphertext is only $6\left|\mathbb{G}\right|$, eight pairings are required to recover the plaintext.

Table 7. Asymptotic Complexity Comparison of CP-ABSC based schemes.

Schemes	Secret Key	Ciphertext	DeSigncryption
			Verification	Decryption (User Side)
[12]	$\left(4+\left|\tilde{U}\right|\right)\left|\mathbb{G}\right|$	$\left(\begin{array}{c}4+l_e\\ +2l_s\end{array}\right)\left|\mathbb{G}\right|$	$\left(2+2l_s\right)T^p+\left(2l_s+3\right)T_{\mathbb{G}}^e$	$\left(2+2l_e\right)T^p+l_e{T}_{{\mathbb{G}}_T}^e$
[13]	$\left(4+\left|\tilde{U}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(\begin{array}{c}5+l_e\\ +l_s+\\ n_s\end{array}\right)\left|\mathbb{G}\right|$	$\left(6+l_s{n}_s+2l_s\right)T^p+l_s{T}_{{\mathbb{G}}_T}^e+2l_s{n}_s{T}_{\mathbb{G}}^e$	$2l_e{T}^p+l_e{T}_{{\mathbb{G}}_T}^e$
[14]	$\left(4+\left|\tilde{U}\right|\right)\left|\mathbb{G}\right|$	$\left(\begin{array}{c}5+l_e\\ +l_s\end{array}\right)\left|\mathbb{G}\right|$	$\left(3+l_s\right)T^p+\left(l_s+l+1\right)T_{\mathbb{G}}^e$	$2T^p+3l_e{T}_{\mathbb{G}}^e$
[15]	$\left(6l_e+3l_s\right)\left|\mathbb{G}\right|$	$6\left|\mathbb{G}\right|$	$6T^p$	$2T^p+\left(4l_e+4l_e^2\right)T_{\mathbb{G}}^e$
Ours	$\left(2+\left|\tilde{U}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(2+2l_e+l_s\right)\left|\mathbb{G}\right|+2l_e\left|{\mathbb{Z}}_p\right|$	$\left(3+l_s\right)T^p+\left(l_s+l+1\right)T_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e$

Table 8 details the storage and computation overhead comparison of our scheme and some ABE based data access control schemes for fog computing. Since the schemes in [16,18,19,20] do not support multi-authority, we set $N_A=1$ in our scheme for comparison. It is illustrated that the size of secret decryption key in OMDAC-ABSC is less than that in others. Since our scheme enables any trusted third party to verify the data owner’s attributes, the ciphertext contains the signature components ${\left\{S_{1,i}\right\}}_{i\in \left[{\ell }_s\right]},S_2$, which result in a reducing $\left(1+l_s\right)\left|\mathbb{G}\right|$ of storage overhead on the cloud side. For encryption, on the user side, our scheme incurs $3T_{\mathbb{G}}^e$ to compute $C_1$ and $C_3$ and thus is less efficient than [17]. However, our scheme guarantees the CCA security, which is not considered in [17]. For decryption, on the user side, our scheme and [17] both incurs less computation overhead than other schemes since the two schemes only require one exponentiation in ${\mathbb{G}}_T$. Therefore, our scheme is efficient from a computation point of view.

Table 8. Storage and Computation Overhead Comparison of ABE based Schemes for Fog Computing.

Schemes	Secret Decryption Key	Ciphertext	Encryption		Decryption
			Fog Node	User	Fog Node	User
[16]	$\left(2+2\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(3+2\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left(2+2\left|\widetilde{U^d}\right|\right)T_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e+3T_{\mathbb{G}}^e$	$\left(2\left|\widetilde{U^d}\right|+4\right)T^p+\left(2S+2\right)T_{{\mathbb{G}}_T}^e$	$T^p$
[17]	$\left(2+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(1+2l_e\right)\left|\mathbb{G}\right|+\left(2+2l_e\right)\left|{\mathbb{Z}}_p\right|$	$4l_e{T}_{\mathbb{G}}^e+T_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e$	$\left(1+2l_e\right)T^p+\left(1+7l_e\right)T_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e$
[18]	$\left(1+2\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left(2+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|+2l\left|{\mathbb{Z}}_p\right|$	-	$T_{{\mathbb{G}}_T}^e+\left(2+\left|\widetilde{U^d}\right|\right)T_{\mathbb{G}}^e$	$\left(3+3\left|\widetilde{U^d}\right|\right)T^p$	$4T_{{\mathbb{G}}_T}^e$
[19]	$\left(3+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(3+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left(2+\left|\widetilde{U^d}\right|\right)T_{\mathbb{G}}^e$	$2T_{{\mathbb{G}}_T}^e+4T_{\mathbb{G}}^e$	$\left(\left|\widetilde{U^d}\right|+2\right)T^p+\left(2S+2\right)T_{{\mathbb{G}}_T}^e$	$T^p$
[20]	$\left(2+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left(2+2l_e\right)\left|\mathbb{G}\right|+l\left|{\mathbb{Z}}_p\right|$	-	$T_{{\mathbb{G}}_T}^e+\left(3+3l_e\right)T_{\mathbb{G}}^e$	$\left(1+2l_e\right)T^p+l_e{T}_{{\mathbb{G}}_T}^e$	$T_{{\mathbb{G}}_T}^e+2T_{\mathbb{G}}^e$
Ours	$\left(1+\left|\widetilde{U^d}\right|\right)\left|\mathbb{G}\right|$	$\left|{\mathbb{G}}_T\right|+\left(2+2l_e+l_s\right)\left|\mathbb{G}\right|+2l_e\left|{\mathbb{Z}}_p\right|$	$3l_e{T}_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e+3T_{\mathbb{G}}^e$	$\left(1+2l_e\right)T^p+l_e{T}_{{\mathbb{G}}_T}^e+3l_e{T}_{\mathbb{G}}^e$	$T_{{\mathbb{G}}_T}^e$

7.2.2. Performance

We implement the whole architectures of MACP-ABE schemes [21,22,24,25,26], CP-ABSC schemes [12,13,14,15] and our scheme with Pairing-based Cryptography (PBC) library version 0.5.14 on an Ubuntu system 14.04 with a 2.6 GHz processor and 4G RAM. We employ 160-bit Type A elliptic curve group constructed on $y^2=x^3+x$ over a 512-bit finite field. The computation cost for one pairing operation is 2.9 ms, and that of exponentiation on $\mathbb{G}$ and ${\mathbb{G}}_{\mathrm{T}}$ are 0.7 and 0.2 ms, respectively. Each value in Figure 3, Figure 4, Figure 5, Figure 6, Figure 7 and Figure 8 is the mean of 10 simulation trials.

Figure 3. Encryption (user side).

Figure 4. Encryption (user side).

Figure 5. Decryption (user side).

Figure 6. Decryption (user side).

Figure 7. Signcryption (user side).

Figure 8. Designcryption (user side).

For simplicity, suppose each user holds the same number of attributes $N_{AA}$ from each authority and $\left|\widetilde{A{A}_k}\right|=\left|\widetilde{A{A}_k}\cap \widetilde{U^d}\right|=N_{AA}$, where $k\in \left[N_A\right]$. $N_A^e=N_A^s=N_A$. Then, in signcryption we set $l_e=l_s=N_{AA}\times N_A$, and thus the comparison of computation overhead of $Signcryption$ (without signing) and $Decryption$ algorithms on the user side between our scheme and [21,22,24,25,26] can be conducted according to parameters $N_A$ and $N_{AA}$. We also generate the signing and encryption predicates as AND-gate in the form of $\left(a_1 \mathrm{and} a_2 \mathrm{and}\dots \mathrm{and} a_{l_s}\right)$ and $\left(a_1 \mathrm{and} a_2 \mathrm{and}\dots \mathrm{and} a_{l_e}\right)$. In Figure 3 and Figure 5, we set $N_A=10$, while in Figure 4 and Figure 6, we assume $N_{AA}=10$. During the comparison between our scheme and the ones in [21,22,24,25,26], we do not take into account the signing protocol since the schemes in [21,22,25,26] do not support attribute-based signature.

Figure 3 and Figure 4 show that the encryption algorithm in our scheme is more efficient than that in [21,22,24,26]. The reason is that the most costly job of encryption has been outsourced to the fog nodes. Although our scheme incurs more computation overhead than the one in [25], we realize CCA security in the standard model and attribute-level revocation. Figure 5 and Figure 6 give the comparison of decryption time on the user side. It is illustrated that the performance of our scheme is relatively the same as that of [22,25,26], and is better than that of [21,24] because our scheme only incurs one exponentiation and one multiplication in ${\mathbb{G}}_T$.

Assume that $N_A=1$ and ${\ell }_e={\ell }_s=N_{AA}$. Figure 7 and Figure 8 describe the comparison of computation overhead of $Signcryption$ and $DeSigncryption$ algorithms among the schemes [12,13,14,15] and ours. It is clear that our $Signcryption$ algorithm incurs less computation overhead than other schemes because of the outsourced signcryption. Since our scheme and Y. Sreenivasa’s scheme [14] are publicly verifiable, the $Verify\left(PP,CT\right)$ algorithm can be outsourced to a trusted party, and then our scheme needs only one exponentiation and one multiplication in ${\mathbb{G}}_T$ on the user side to recover the plaintext message.

Moreover, we simulate the schemes in [16,17,18,19,20] and our scheme on an android phone (MEIZU m1 note platform with an ARM Cortex A53-based processor MT6752@1.7 GHz, Android 5.1, and 2GB RAM) as user’s IoT device and a laptop (2.6 GHz processor, Ubuntu system 14.04, and 4G RAM) as the fog node. The underlying curve for pairings is also Type A curve in JPBC 2.0.0 [18], where the running time for pairing is 6 ms in Ubuntu system and 175 ms in Android. For comparison, we set $N_A=1$ in our scheme and do not consider the signing protocol since the schemes in [16,18,19,20] do not support multi-authority and the schemes in [16,17,18,19,20] do not support attribute-based signature. Figure 9 and Figure 10 show the comparison of computation overhead of encryption algorithm and Figure 11 and Figure 12 show the comparison of decryption algorithm. The results are the average number of 10 runs. In Figure 9 we only compare the cost time of encryption on fog node between ours and the schemes in [16,17,19] since the schemes in [18,20] do not support encryption outsourcing.

Figure 9. Encryption (fog node side).

Figure 10. Encryption (user side).

Figure 11. Decryption (fog node side).

Figure 12. Decryption (user side).

It is illustrated in Figure 10 that the computation time of encryption algorithm on data owner in our scheme is basically the same as that in [17], and is smaller than that in [18,20] because of the encryption outsourcing. Compared with [16,19], the encryption algorithm in our scheme incurs slightly more computation overhead since our scheme requires the data owner to sample ${\left\{C_{2,i}^{″},D_i^{″}\right\}}_{i\in \left[{\ell }_e\right]}$ and perform one Hash function $\pi =H_1\left(C_1\right)$ (we do not take into account the Hash functions $H_2$ and $H_3$ here since they are involved in signing protocol). However, the encryption time is approximately 0.14–0.8 s, which is acceptable to the end users.

Figure 11 indicates that on the fog node side, the decryption algorithm of our scheme incurs more computation overhead than the schemes in [16,18,19,20]. However, Figure 12 shows that our scheme performs better than other schemes except for [17] in efficiency of decryption time on the user side. This is because our scheme outsources the most computation-consuming job of decryption to the fog node and only incurs the cost of one exponentiation and one multiplication in ${\mathbb{G}}_T$ on the user side. In Figure 11, the decryption time of our scheme one the fog node is approximately 0.1–1 s, which increases almost linearly with the number of attributes.

However it is shown in Figure 12 that the running time of $FullDecryption$ algorithm is nearly 0.03 s, which is acceptable for the end user. Since our scheme is public verifiable, the verification can be performed on any trusted third party and does not increase the computation burden of the user. Additionally, Huang et al. [16] and Zhang et al. [19] only support threshold access policy, while our scheme supports any monotone Boolean function. Overall, our scheme performs well in encryption and decryption on the user side and supports additional useful properties such as multi authorities, anonymous authentication, and public verifiability.

8. Conclusions

In this paper, we proposed OMDAC-ABSC scheme for data sharing in fog computing system. The proposed scheme realizes the security in the standard model and supports many practical properties, such as confidentiality, fine-grained access control, anonymous authentication, attribute revocation, and public verifiability. The heavy computation operations of the signcryption and designcryption algorithms are outsourced to the fog nodes making our scheme more efficient and more suitable for fog computing than the existing ABSC schemes. The security analysis, asymptotic complexity, and performance comparisons indicate that our construction hits a good balance between the security and overhead efficiency.

One problem with outsourced decryption is to verify that whether the partial decryption performed by fog nodes is correct. In ABE scheme, verifiable outsourcing has been adopted to overcome this problem, as in [17,30,31,32]. A similar technique can be used in our ABSC construction to address verifiable outsourcing, which will be our future work. Moreover, realizing a fully secure MACP-ABSC based access control scheme instead of a selectively secure scheme will be another challenge.