Secure Data Access Control for Fog Computing Based on Multi-Authority Attribute-Based Signcryption with Computation Outsourcing and Attribute Revocation

Nowadays, fog computing provides computation, storage, and application services to end users in the Internet of Things. One of the major concerns in fog computing systems is how fine-grained access control can be imposed. As a logical combination of attribute-based encryption and attribute-based signature, Attribute-based Signcryption (ABSC) can provide confidentiality and anonymous authentication for sensitive data and is more efficient than traditional “encrypt-then-sign” or “sign-then-encrypt” strategy. Thus, ABSC is suitable for fine-grained access control in a semi-trusted cloud environment and is gaining more and more attention recently. However, in many existing ABSC systems, the computation cost required for the end users in signcryption and designcryption is linear with the complexity of signing and encryption access policy. Moreover, only a single authority that is responsible for attribute management and key generation exists in the previous proposed ABSC schemes, whereas in reality, mostly, different authorities monitor different attributes of the user. In this paper, we propose OMDAC-ABSC, a novel data access control scheme based on Ciphertext-Policy ABSC, to provide data confidentiality, fine-grained control, and anonymous authentication in a multi-authority fog computing system. The signcryption and designcryption overhead for the user is significantly reduced by outsourcing the undesirable computation operations to fog nodes. The proposed scheme is proven to be secure in the standard model and can provide attribute revocation and public verifiability. The security analysis, asymptotic complexity comparison, and implementation results indicate that our construction can balance the security goals with practical efficiency in computation.


Introduction
With the rapid development of cloud computing, more people are coming to prefer moving both the large burden of data storage and computation overhead to cloud servers in a cost-effective manner [1]. However, the advance of the Internet of Things (IoTs) has posed a challenge to the centralized cloud computing system due to its geo-distribution, location awareness, and low latency requirements. To solve the problem, Cisco proposed the concept of fog computing in 2014, where a layer consisting of fog devices (such as routers, access points, and IP video cameras) bridges between the cloud server and end users [2]. In a fog computing system, the fog devices, termed as fog nodes, are distributed and implemented at the edge of networks [3]. Since fog nodes are much closer to end users than the cloud server and have plentiful computing resources and wireless authentication and efficient computation outsourcing is still a challenge since ABSC schemes contain both of the signing and encryption protocols. The second problem is multi-authority. In traditional ABSC schemes, as in [12][13][14][15], a central authority is responsible for attribute management and key generation. However, in many applications, the predicate embedded in the ciphertext or signature can be written over attributes issued by different trust domains and authorities. For example, the health data uploaded by "Alice" may contain the encryption predicate as "(Doctor ∨ Researcher) ∨ Female". Since only a hospital can authorize a person the attribute "Doctor" and only a research organization can certify that a person is a "Researcher", it is not practical to authorize access right to a person by a single authority. Therefore, it is necessary to distribute attribute management and secret key generation from a single central authority over many authorities. 
Some multi-authority ABE schemes for fog computing, as in [17], have been proposed, whereas constructing a multi-authority ABSC scheme with outsourcing capability remains an open problem. The third one is attribute revocation. For example, when the attributes of a doctor are updated from A = {Institution = Hospital ∧ Role = Doctor ∧ Gender = Female} to B = {Institution = Hospital ∧ Gender = Female}, her access rights should be modified accordingly. Attribute revocation is neither trivial nor straightforward in ABE schemes, and it has not yet been taken into account in multi-authority ABSC schemes with outsourcing capability.
The problem of designing a multi-authority data access control scheme based on ABSC with signcryption and designcryption outsourcing capabilities and attribute revocation for fog computing system, has received very little attention so far, although some schemes based on Multi-Authority ABE (MA-ABE) and ABS (MA-ABS) for cloud storage setting have been proposed, as in [21][22][23][24][25][26]. Meng et al. [27] proposed a decentralized KP-ABSC scheme for secure data sharing in the cloud. However, the scheme is just a combination of identity signature and MA-ABE, and only supports the threshold predicate. It also does not provide any security definition or computation outsourcing. Hong et al. [28] proposed a KP-ABSC scheme with outsourced designcryption and key exposure protection. However, the computation overhead of signcryption increases with the complexity of the predicate, and since the verification and decryption both have to be performed on the user side, the number of pairing operations evaluated on the user side is proportional to the sum of the required attributes, which is not acceptable to IoT devices. Moreover, the scheme in [28] does not support multi authorities and attribute revocation. We focus on CP-ABSC in access control application, as CP primitives are more suitable for the data owner to choose the predicate to determine who can access the sensitive data [14].

Contributions
In this paper, we propose OMDAC-ABSC, a novel data access control scheme for fog computing system based on Multi-Authority CP-ABSC (MACP-ABSC) supporting the computation outsourcing for both signcryptor (data owner) and designcryptor (data user). To the best of our knowledge, OMDAC-ABSC is the first scheme that significantly reduces computation burden from both data owners and data users in the multi-authority ABSC setting. Public verifiability, expressiveness and attribute revocation are also considered in our scheme. The main contributions can be summarized as follows:
(1) We propose a data access control scheme OMDAC-ABSC for fog computing system, in which fog nodes serve as a bridge between the cloud server and end users. In our scheme, heavy signcryption and designcryption operations can be outsourced from end users (e.g., tablet computers and smartphones) to fog nodes. In the signcryption phase, the fog nodes are in charge of generating part of the ciphertext. In the designcryption phase, the fog nodes can perform the partial decryption without degrading the data confidentiality, and the data user only requires a constant number of exponentiations to decrypt the ciphertext. Additionally, unlike other existing works such as [27,28], our scheme supports public verification, since the verification mechanism does not require the plaintext message or the data owner's public key. Thus the verification algorithm can be performed by any trusted party, which alleviates the computation burden of the end user. Therefore, our construction is efficient from the computation point of view.
(2) Unlike some existing ABE schemes for fog computing such as [16,18,19] and ABSC schemes such as [15,27,28], the proposed OMDAC-ABSC scheme is more expressive and supports any monotone Boolean function predicates represented by monotone span programs (MSP) for both signing and encryption. Moreover, we remove the limitation that the labeling functions ρ in signing and encryption predicates should be injective functions.
(3) Our OMDAC-ABSC scheme is proven to be secure in the standard model. We also formally prove that our construction satisfies the properties of signcryptor privacy and collusion resistance.
(4) We also consider the attribute revocation in our OMDAC-ABSC scheme. In the attribute revocation phase, the authority supervising the revoked attribute only distributes the update keys to the non-revoked users and the cloud server to update the corresponding components. It is also proved that our scheme guarantees both the forward and backward revocation security.

Paper Organization
The remainder of this paper is organized as follows: in Section 2, we discuss some related works. Then in Section 3, we review the necessary notations and cryptographic background that are used throughout the paper. In Section 4, we give the definition of our scheme and the security requirements. The details of the scheme and the security proof are elaborated in Sections 5 and 6, respectively. Section 7 is dedicated to discussing the functionality and performance of the scheme. Finally, we conclude this paper in Section 8.

Access Control Schemes Based on ABE
ABE was first introduced by Sahai and Waters [9]. In ABE, a data owner can share sensitive data with others according to predicates (or access policies). Several works on ABE have been presented to address data access control in untrusted cloud servers. Recently, the ABE scheme was adopted in fog-computing systems to guarantee confidentiality and fine-grained access control. Heavy computations of encryption or decryption are outsourced to fog nodes to improve the efficiency. In [16], an anonymous user authentication in ciphertext update phase was realized, whereas the scheme only supports AND-gate predicate. Zuo et al. [18] proposed a CCA-secure ABE scheme with decryption outsourcing. However, the encryption phase of the scheme in [18] incurs heavy computation cost. Additionally, the scheme in [18] is only provably secure in the random oracle model and only supports the AND-gate encryption predicate. Zhang et al. [19] presented an ABE-based access control scheme for fog computing with outsourced encryption and decryption. Although the computation operations (pairings and exponentiations) for users to encrypt and decrypt are irrelevant to the complexity of predicate, the scheme only supports threshold encryption predicate, and requires both the cloud server and fog nodes to be trusted. Lounis et al. [29] proposed a cloud-based architecture for medical wireless sensor networks, in which the resource-constrained end devices outsource the costly computations to the trusted gateway. However, the decryption phase incurs heavy computation cost. Xiao et al. [30] constructed a fine-grained hybrid scheme for fog computing with the advantages of efficient data search and access authorization through online/offline encryption, delegation of search task and decryption to fog nodes, and provable security. Mao et al. [20] proposed an ABE scheme with verifiable outsourced decryption, whereas it incurs a heavy computation overhead in encryption phase. Li et al. 
[31] also proposed a fully verifiable ABE scheme with outsourcing capability. However, Liao et al. [32] showed that the verification mechanism proposed in [31] is not always correct.
In many ABE schemes, the attribute universe is assumed to be managed by a single authority. In reality, however, users' attributes may be monitored by different authorities. To tackle this problem, the MA-ABE scheme was proposed by Chase et al. [33]. In MA-ABE, the attribute universe is divided into multiple disjoint sets, and each authority controls one of these attribute sets. The user can successfully decrypt the ciphertext if and only if the user possesses at least a pre-specified number of attributes from each authority. Furthermore, Chase et al. [34] proposed an improved MA-ABE scheme to remove the fully trusted central authority by adopting a Pseudo Random Function (PRF) and a secure 2-party anonymous secret-key-issuing protocol. However, the multiple authorities must cooperate with each other, and the number of authorities must be determined in the initialization phase. Recently, many distributed access control schemes based on MA-ABE have been proposed, such as [21][22][23][24][25][26][35][36]. Han et al. [21] proposed a privacy-preserving decentralized CP-ABE based access scheme (PPDCP-ABE) to protect the user's privacy. However, PPDCP-ABE cannot resist collusion attack or support anonymous authentication. Rui et al. [22] constructed a MA-ABE scheme with secure attribute-level immediate attribute revocation. The scheme is only provably secure under the random oracle model. Lewko et al. [23] proposed a decentralized attribute-based encryption using the dual system encryption methodology. The secret keys of the user are tied to his global identity in order to resist collusion attack. However, the scheme realizes the security in random oracle model using the composite-order bilinear group, which incurs great computation overhead. Sourya et al. [25] proposed a decentralized data sharing scheme with outsourced decryption and user revocation.
They also proposed a decentralized data sharing scheme where multiple attribute authorities distribute secret keys to the user [24]. In [26], the authors outsourced the main computation overhead in a decryption algorithm to the cloud. However, the security cannot be guaranteed if the revoked user eavesdrops to obtain the update keys and retrieves the ability to decrypt as a non-revoked user. To implement multi-authority ABE in fog computing system, Fan et al. [17] proposed a VO-MAACS scheme with verification mechanism. Although the encryption and decryption algorithms are outsourced, the scheme cannot support anonymous authentication and attribute revocation, and does not have security proof. Jung et al. [35] presented an anonymous privilege control scheme to address data and identity privacy in multi-authority cloud storage system. To guarantee the confidentiality of user's identity information, the scheme in [35] decomposes the central authority to multiple ones while preserving tolerance to compromise attack on the authorities. However, the security is realized in random oracle model, and the encryption predicate is the AND gate. In [36], the authors constructed a multi-authority data access control scheme with decryption outsourcing and attribute-level user revocation. The scheme supports any monotone encryption predicate and is adaptively secure in the standard model. Nevertheless, the scheme in [36] needs to deal with large composite-order group elements and thus incurs heavy computation overhead.

Attribute-Based Signature and Multi-Authority Attribute-Based Signature
ABS was first introduced by Maji et al. [37]. Due to their anonymity and authentication properties, many ABS schemes have been proposed. Like ABE, to overcome the drawback that only a single authority exists in the system, the concept of MA-ABS was introduced in [38]. In MA-ABS, there are multiple authorities and each authority controls one of disjoint attribute sets. The user is able to successfully sign the plaintext if he/she possesses a pre-specified number of attributes from multiple authorities.

Access Control Schemes Based on ABSC
ABSC scheme, first introduced by Gagné et al. [10], is a logical combination of ABE and ABS and can support many practical properties, including confidentiality, fine-grained access control, and authentication. Recently, many data access control schemes based on ABSC have been proposed, as in [11][12][13][14][15][27][28]. Y. Sreenivasa [11] proposed a Key-Policy attribute-based signcryption scheme that supports any monotone Boolean function and constant size ciphertext. However, the message confidentiality and unforgeability of the scheme against a selective adversary are proven in the random oracle model. Chen et al. [12] focused on the joint security of signature and encryption schemes and presented a CP-ABSC scheme in the joint security setting. However, it cannot support public verifiability since plaintext is required in verification mechanism. Liu et al. [13] proposed a secure PHR data access control scheme based on CP-ABE [39] and ABS [37]. However, it is only provably secure in a random oracle model. In [14], the authors constructed a CP-ABSC based access control scheme with public verifiability, but the scheme does not support computation outsourcing. Yu et al. [15] proposed the hybrid access policy ABSC scheme that supports KP-ABS and CP-ABE. The size of the ciphertext is constant, and the scheme realizes security in the standard model. Nevertheless, it only supports the threshold predicate in the encryption phase. Moreover, the above ABSC schemes only have a single authority and cannot be applied in the multi-authority system.

Preliminaries
By $a \xleftarrow{R} A$, we denote that $a$ is selected randomly from $A$. $|A|$ denotes the cardinality of a finite set $A$. $\mathbb{Z}_p$ denotes a finite field with prime order $p$, and $\mathbb{Z}_p^*$ stands for $\mathbb{Z}_p \setminus \{0\}$. $y \leftarrow A(x)$ denotes that $y$ is computed by running algorithm $A$ with input $x$.
denotes the $i$th element of the vector $\vec{a}$. A function : $\mathbb{Z} \to \mathbb{R}$ is negligible if, for any $z \in \mathbb{Z}$, there exists a $k$ such that (x) < $1/x^z$ when $x > k$. We use $s$ and $e$ as superscripts for signing and encryption, respectively. $\Pr[E]$ denotes the probability of an event $E$ occurring. For an unambiguous presentation of the paper, we define the important notations used in our scheme in the Appendix A.

Definition 1. Bilinear maps [22]: Let $G$ and $G_T$ be two cyclic groups with the prime order $p$, and $g \in G$ be the generator of $G$. Then the bilinear map $e : G \times G \to G_T$ can be defined as follows: There is an efficient algorithm to compute the map $e$.
$GG(1^k) \to (e, p, G, G_T)$ takes as input a security parameter $1^k$ and outputs a bilinear group $(e, p, G, G_T)$ with prime order $p$ and a bilinear map $e : G \times G \to G_T$.

Definition 2. Decisional Bilinear Diffie-Hellman (BDH) Assumption [22]: Let $g$ be a generator of $G$ with prime order $p$ and $a, b, c \in \mathbb{Z}_p^*$ be randomly chosen. Given a vector $\vec{Y} = (g, g^a, g^b, g^c)$, the decisional BDH assumption holds if no PPT adversary $A$ can distinguish

Definition 3. Decisional q-Parallel Bilinear Diffie-Hellman Exponent (q-PBDHE) Assumption [21]:

Definition 4. Monotone Span Program (MSP) [11]: Assume $\{v_1, v_2, \ldots, v_m\}$ is a set of variables. An MSP is a labeled matrix $\Omega(M_{\times n}, \rho)$, where $M$ is an $\times n$ matrix over $\mathbb{Z}_p$ and $\rho$ is the labeling function

Lemma 1 [14]. If $\Omega(\vec{x}) = 0$, then there exists a vector

Definition 5. Predicates [14]: Assume $U$ is the universe of attributes. A predicate over $U$ is a monotone Boolean function whose inputs are associated with the attributes of $U$. Let $W \subset U$ be a subset of attributes.
Suppose $R$ is a predicate and $L_R$ is the set of attributes utilized in $R$. Then the corresponding MSP for $R$ is a labeled matrix

Lemma 2 [14]. If $R(W) = 0$, then there exists a vector Otherwise, $V = \vec{0}$ and the predicate is an AND gate. In our construction, we consider the signing and encryption predicates consisting of both AND and OR gates.
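
The MSP and predicate definitions above, worked through as an added example (not code from the paper): a predicate with AND and OR gates is turned into a labeled matrix with a non-injective labeling ρ, and an attribute set is tested by solving for the target vector over $\mathbb{Z}_p$. The Lewko-Waters formula-to-matrix conversion, the target vector (1, 0, ..., 0), the stand-in prime and the sample predicate are assumptions of this example.

```python
# Added example (not from the paper): monotone span programs over Z_p.
P = 2**61 - 1  # constructed stand-in for the prime group order p

# Constructed predicate: (Doctor AND Female) OR (Researcher AND Female).
# "Female" labels two rows, so the labeling function rho is not injective.
PREDICATE = ("or", ("and", "Doctor", "Female"), ("and", "Researcher", "Female"))


def build_msp(formula):
    """Convert a nested ("and"|"or", left, right) formula with attribute-name
    leaves into (rows, labels) using the Lewko-Waters conversion (assumed)."""
    rows, labels = [], []
    width = [1]  # number of matrix columns allocated so far

    def walk(node, vec):
        if isinstance(node, str):
            rows.append(vec)
            labels.append(node)  # rho: row index -> attribute (may repeat)
            return
        op, left, right = node
        if op == "or":  # both children inherit the parent's vector
            walk(left, vec)
            walk(right, vec)
        elif op == "and":  # split the parent's vector across a fresh column
            padded = vec + [0] * (width[0] - len(vec))
            width[0] += 1
            walk(left, padded + [1])
            walk(right, [0] * len(padded) + [-1])
        else:
            raise ValueError(f"unknown gate {op!r}")

    walk(formula, [1])
    return [r + [0] * (width[0] - len(r)) for r in rows], labels


def solve_span(rows, target, p=P):
    """Return c with sum_i c[i] * rows[i] == target (mod p), or None."""
    k, n = len(rows), len(target)
    # n equations (one per column), k unknowns (one per selected row).
    aug = [[rows[j][i] % p for j in range(k)] + [target[i] % p] for i in range(n)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue  # free variable, left at zero
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
        if r == n:
            break
    if any(row[-1] for row in aug[r:]):  # 0 = nonzero: target not in the span
        return None
    coeffs = [0] * k
    for i, col in enumerate(pivots):
        coeffs[col] = aug[i][-1]
    return coeffs


def satisfy(msp, attrs, p=P):
    """Return {row index: coefficient} reconstructing (1, 0, ..., 0) from the
    rows whose label is in attrs, or None if attrs does not satisfy the MSP."""
    rows, labels = msp
    idx = [i for i, a in enumerate(labels) if a in attrs]
    target = [1] + [0] * (len(rows[0]) - 1)
    coeffs = solve_span([rows[i] for i in idx], target, p)
    if coeffs is None:
        return None
    return {i: c for i, c in zip(idx, coeffs) if c}


if __name__ == "__main__":
    msp = build_msp(PREDICATE)
    for row, label in zip(*msp):
        print(f"{label:<11}{row}")
    # Attribute sets A and B follow the revocation example in the Introduction.
    for name, attrs in [("A", {"Hospital", "Doctor", "Female"}),
                        ("B", {"Hospital", "Female"}),
                        ("C", {"Researcher", "Female"})]:
        print(name, sorted(attrs), "->", satisfy(msp, attrs))
```

Set B is set A after "Doctor" has been revoked: the remaining rows no longer span the target vector, which is the access change that the revocation phase has to enforce on keys and ciphertexts.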

Scheme and Security Definitions
Our OMDAC-ABSC scheme consists of a multi-authority attribute-based signcryption (MACP-ABSC) scheme.

Multi-Authority Attribute-Based Signcryption
The MACP-ABSC scheme consists of the following five algorithms:
GlobalSetup$(1^k)$. Taking as input a security parameter $1^k$, the algorithm outputs the public parameters $PP$. It also generates the public key $PK_{uid}$ for the user with identity $uid$.
AuthoritySetup$(PP)$. It takes as input $PP$ and outputs the public key and secret key pairs $\{PK, SK\}$ for the authority.
SecretKeyGen$(PP, PK_{aid}, SK_{aid}, PK_{uid}, U)$. Taking as input $PP$, $\{PK_{aid}, SK_{aid}\}$ of authority $AA_{aid}$, user's public key $PK_{uid}$ and attribute set $U = U_d \cup U_s$, where $U_d$ denotes the set of decryption attributes, and $U_s$ is the set of signing attributes. $U_d \cap U_s = \emptyset$. The algorithm outputs the secret signing and decryption keys $SK_{uid,aid} = \{SK^s_{uid,aid}, SK^d_{uid,aid}\}$ for the user.

High-Level Overview of OMDAC-ABSC Scheme
Based on MACP-ABSC scheme, we propose OMDAC-ABSC scheme, a novel data access control scheme for fog computing system supporting the computation outsourcing for both signcryptor and designcryptor.

Scheme Description
As shown in Figure 1, our OMDAC-ABSC scheme has five types of entities: the global certificate authority (CA), cloud server, users (including signcryptors and designcryptors), independent attribute authorities (AAs) and fog nodes.
Global Certificate Authority: The global certificate authority (CA) is fully trusted in the system and generates the public parameters for the system. CA is also responsible for the users' and authorities' registrations. However, CA is not involved in any attribute management or in the creation of the secret keys that are associated with attributes. With the help of CA, we can improve the privacy of our scheme by realizing the identity authentication and preventing authorities from forging a virtual user to decrypt the ciphertext. In the secret key generation phase, the attribute authority verifies the user's certification using the verification key of CA and then generates the secret key for the user. In the designcryption phase, the cloud server can verify the user's identifier and return the ciphertext to the fog node if the user is valid.
Cloud Server: The cloud server is a semi-trusted party and also provides data storage and data access service to users. Since our scheme supports public verification, the cloud server can verify that the ciphertext is valid and is signcrypted by the data owner whose attributes satisfy the signing predicates contained in the ciphertext. If the ciphertext is not valid, the cloud server can reject it.
User: Users who are attached to fog nodes and equipped with IoT devices in our system include the signcryptor and designcryptor. When the signcryptor signcrypts a message, he/she can select the signing and encryption predicates over the attributes from multiple authorities and outsource the resulting ciphertext to the cloud server. We assume that the ciphertext implicitly contains the signing and encryption predicates. Only legally registered users can endorse the data, and only users satisfying the encryption predicate can decrypt the data.
Attribute Authority: The authority can initialize itself to setup its public and secret keys. To compute the secret keys for users, the authority verifies the user's identity and generates the secret keys according to the user's attributes.
Fog Node: Fog nodes, deployed at the edge of the network, offer a variety of services, such as low latency, location awareness, and real-time applications. Each of them is linked to the cloud server. Fog nodes are also in charge of part of signcryption and designcryption computations. Note that in designcryption phase, only if the data user's attributes satisfy the encryption predicate will the fog nodes partially designcrypt the ciphertext with the proxy secret keys.
The work flow of OMDAC-ABSC scheme is shown in Figure 2. The scheme consists of the following six phases.

(1) System Initialization
In this phase, CA generates the public parameters for the system, and also accepts the registrations of the attribute authorities and the users. The initialization phase contains the following six algorithms:
GlobalSetup1$(1^k)$. This algorithm is run by CA. Taking as input the security parameter $1^k$, the algorithm outputs the public parameters $PP$.
UserReg$(PP)$. This algorithm is run by CA and data user. Taking as input the public parameters, CA assigns the global identity $uid$ and partial public key $PPK_{uid}$ to the user.
AuthorityReg$(PP)$. This algorithm is run by CA and the attribute authority. Taking as input the public parameters, CA assigns the global identity $aid$ and partial public key $PPK_{aid}$ for the attribute authority.
UserSetup$(PP, PPK_{uid})$. Given the global identity $uid$, public parameters $PP$, and partial public key $PPK_{uid}$, the data user runs UserSetup$(PP, PPK_{uid})$ to initialize himself/herself. The algorithm outputs the public key $PK_{uid}$ and secret key $SK_{uid}$ for the user. Additionally, the public key certificate $cert(uid)$ generated by CA is sent to the user for identity authentication.
AuthoritySetup$(PP, PPK_{aid})$. Given the global identity $aid$, public parameters $PP$, and partial public key $PPK_{aid}$, the attribute authority runs AuthoritySetup$(PP, PPK_{aid})$ to initialize itself. The algorithm outputs the public key $PK_{aid}$, $PK^1_{uid,aid}$ and secret key $SK_{aid}$ for the attribute authority $AA_{aid}$.
GlobalSetup2$(1^k, PP, \{PK_{aid}, PK^1_{uid,aid}\}_{U_{uid} \in S_U, AA_{aid} \in S_A})$. This algorithm is run by CA to end the system initialization phase. Taking as input the public parameters $PP$ and authorities' public keys $\{PK_{aid}, PK^1_{uid,aid}\}_{U_{uid} \in S_U, AA_{aid} \in S_A}$, CA generates the public key $PK_{uid,aid}$ for each pair of user $U_{uid}$ and authority $AA_{aid}$.

(2) Secret Key Generation
After system initialization, the attribute authority $AA_{aid}$ can verify the user's identity using the public key certificate $cert(uid)$ and then run the SecretKeyGen$(PP, PK_{aid}, SK_{aid}, PK_{uid}, U)$ algorithm to compute the secret signing and decryption keys for the valid user according to the user's attribute set $U$.
SecretKeyGen$(PP, PK_{aid}, SK_{aid}, PK_{uid}, U)$. The algorithm takes as input the public parameters $PP$, the public key and secret key pair $\{PK_{aid}, SK_{aid}\}$ of the authority $AA_{aid}$, the public key $PK_{uid}$ and the user's attribute set $U$, and outputs the user's secret signing and decryption keys $SK_{uid,aid} = \{SK^s_{uid,aid}, SK^d_{uid,aid}\}$.

(3) Proxy Secret Key Generation
In this phase, the data user runs the PxSecretKeyGen$(SK_{uid}, SK_{uid,aid})$ algorithm to compute the proxy secret signing and decryption keys $PSK_{uid,aid} = \{PSK^s_{uid,aid}, PSK^d_{uid,aid}\}$ and then sends $PSK_{uid,aid}$ to the fog nodes to outsource the signcryption and designcryption computation overhead.
PxSecretKeyGen$(SK_{uid}, SK_{uid,aid})$. Taking as input the secret key $SK_{uid}$ and secret signing and decryption keys $SK_{uid,aid}$, this algorithm outputs the proxy secret signing and decryption keys $PSK_{uid,aid} = \{PSK^s_{uid,aid}, PSK^d_{uid,aid}\}$. $PSK_{uid,aid}$ are sent to the fog nodes.

(4) Data Signcryption
To achieve high efficiency, the signcryptor first encrypts the plaintext with a random content key by applying a symmetric encryption algorithm. Then the signcryptor defines the signing and encryption predicates $R_s$ and $R_e$, and signcrypts the content secret key with the following two algorithms:
Fog_Signcryption$(PP, \{PSK^s_{uid,k}\}_{k \in I^s_A}, PK_{uid}, R_s, R_e)$. This algorithm is performed in the fog nodes. Taking as input the public parameters $PP$, proxy secret signing key $PSK^s_{uid,k}$ of the attribute authority $AA_k$ whose attributes are selected for signing, the public key $PK_{uid}$ of signcryptor, the signing and encryption predicates $R_s$, $R_e$, the algorithm outputs part of the ciphertext $CT$.
User_Signcryption$(M, PP, \{PK_{aid}\}_{aid \in I^e_A}, SK_{uid}, CT)$. This algorithm takes as input the message to be signcrypted, the public parameters $PP$, the public key $PK_{aid}$ of attribute authorities whose attributes are selected for encryption, secret key $SK_{uid}$ of signcryptor and partial ciphertext $CT$, outputs the ciphertext $CT$ and sends $CT$ to the cloud server.
FullDecryption$(PP, CT_p, SK_{uid})$ performed by the user. $I^s_A$ (resp. $I^e_A$) denotes the set of the indexes of the authorities involved in signing (resp. encryption). Note that $I^s_A$ (resp. $I^e_A$) can be obtained from $R_s$ (resp. $R_e$) which is implicitly contained in $CT$.
Verify$(PP, CT)$. This algorithm takes as input the public parameters $PP$ and ciphertext $CT$, and outputs ⊥ if $CT$ contains an invalid signature corresponding to the signing predicate $R_s$ embedded in $CT$. Otherwise, it proceeds to the Decryption$(PP, CT, PK_{uid}, \{PSK_{uid,k}\}_{k \in I^e_A}, SK_{uid})$ algorithm as follows:
Decryption$(PP, CT, PK_{uid}, \{PSK_{uid,k}\}_{k \in I^e_A}, SK_{uid})$. This algorithm contains two sub-algorithms:
PartialDecryption$(PP, CT, PK_{uid}, \{PSK^d_{uid,k}\}_{k \in I^e_A})$. This algorithm takes as input the public parameters $PP$, the ciphertext $CT$, the public key $PK_{uid}$ of the user and the proxy secret decryption key $PSK^d_{uid,k}$, outputs the partial decryption result $CT_p$ and returns $CT_p$ to the user.
FullDecryption$(PP, CT_p, SK_{uid})$. Taking as input the public parameters $PP$, the partial decryption result $CT_p$ and secret key $SK_{uid}$, the algorithm outputs the final plaintext $M$ or ⊥.

(6) Attribute revocation
In this phase, suppose the attribute $x$ of the user $U$ is revoked from $AA_k$. After randomly choosing a new attribute version key, the authority $AA_k$ distributes the update keys, which implicitly contain the latest attribute version key, to the non-revoked users and the cloud server respectively. Only the $x$-related components of secret keys and ciphertext will be updated.
UpSecretKeyGen$(PK_{uid}, SK_k, SK_{uid,k})$. This algorithm is run by attribute authority $AA_k$. The algorithm takes as input the public key $PK_{uid}$ of non-revoked user $U_{uid}$ and the secret key of $AA_k$, and outputs the signing and decryption update keys $sUK_{uid,x}$, $dUK_{uid,x}$, and ciphertext update keys $cUK$, $sUK$.
UpSecretKey$(SK_{uid,k}, sUK_{uid,x}, dUK_{uid,x})$. This algorithm is run by the non-revoked user $U_{uid}$. Taking as input the secret signing and decryption key $SK_{uid,k}$, and the signing and decryption update keys $sUK_{uid,x}$, $dUK_{uid,x}$, the algorithm outputs the updated secret signing and decryption keys.
UpCiphertext$(CT, cUK, sUK)$. This algorithm is run by the cloud server. Taking as input the ciphertext tagged with the revoked attribute, and the ciphertext update keys $cUK$, $sUK$, the algorithm outputs the updated ciphertext.

Threat Assumption
Assume CA is fully trusted. The authorities can honestly issue the secret keys for the user and will not collude with the user to access the sensitive data. However, the authorities can be corrupted and disclose the information sent from the data user to the adversary. The fog nodes can also be corrupted and leak the information such as proxy secret keys to the adversary. The cloud server is semi-trusted. It will execute the protocol in general but will leak the signcrypted data to some malicious users and get illegal access privileges. The data users (including the signcryptor and designcryptor) are malicious and can collude with other users and even the cloud server and fog nodes to sign or decrypt the unauthorized data.

Security Requirements
Following [12,14], the confidentiality, unforgeability and signcryptor privacy of OMDAC-ABSC scheme are presented in Definitions 8-10 as follows by defining the security games between a challenger and an adversary A. Then in Definitions 11 and 12, we provide the definitions of collusion resistance and attribute revocation security. The scheme is T, q sk , q psk , q SC , q DS , -IND-sEP-CCA2 secure if for any PPT adversary A which runs in time at most T and makes at most q sk SecretKey queries, q psk Proxy SecretKey queries, q SC Signcryption queries, and q DS DeSigncryption queries, the advantage Adv I ND−sEP−CCA2 A of A in the following game with a challenger C is at most .
Init. A specifies the space of attributes and the set of corrupted authorities. A submits the challenge encryption predicate R * e = (M * e , ρ * e ) over encryption attributes that will be used to encrypt the challenge ciphertext. Note that the adversary cannot decrypt the challenge ciphertext with any secret decryption keys queried from SecretKey queries and the keys directly generated from the corrupted authorities.
Setup. The challenger runs the algorithms in system initialization phase to generate the public parameters, and the pairs of public key and the secret key of the attribute authorities. Then the challenger sends the public keys to the adversary. For the corrupted authorities, the challenger sends the secret keys to the adversary.
Phase 1. In this phase, the challenger C answers the queries from A as follows:
SecretKey query O sk U, AA k , uid . A can adaptively query the secret key for a user U with identity uid and a set of attributes U = U d ∪ U s to the authority AA k . U d does not satisfy R * e together with any keys that can be obtained from corrupted authorities. The challenger runs SecretKeyGen and returns the secret key to the adversary.
Proxy SecretKey query O psk U, AA k , uid . A can adaptively query the proxy secret key for a user U with identity uid. The challenger runs PxSecretKeyGen and returns the proxy secret key to the adversary.
Signcryption query O SC (M, R s , R e ). Upon receiving a message M ∈ G T , signing and encryption predicates R s , R e , the challenger C selects a signing attribute set U s such that R s U s = 1 and returns the ciphertext to the adversary.
DeSigncryption query O DS CT, U d . A submits a ciphertext CT, and a decryption attribute set U d . C returns the plaintext to A if R e U d = 1 and CT contains a valid signature corresponding to the signing predicate R s , where R e and R s are implicitly contained in CT.
Challenge. A submits two messages M 0 , M 1 with the same length and signing predicate R * s = (M * s , ρ * s ) to the challenger. C selects a signing attribute set U s satisfying R * s U s = 1. The challenger randomly chooses a bit ∈ {0, 1} and runs the Signcryption algorithm to signcrypt the message M and returns the ciphertext CT * to A as the challenge ciphertext.
Phase 2. Phase 1 is repeated. In this phase, A cannot issue O DS with the challenge ciphertext CT * obtained in Challenge phase and attribute set U d such that R * e U d = 1.

Guess. A outputs a guess bit on .
A wins the game if = .
The advantage of A is defined by Adv I ND−sEP−CCA2
The proposed scheme is T, q sk , q psk , q SC , q DS , -EUF-sSP-CMA secure if for any PPT adversary A which runs in time at most T and makes at most q sk SecretKey queries, q psk Proxy SecretKey queries, q SC Signcryption queries, and q DS DeSigncryption queries, the advantage Adv EUF−sSP−CMA A of A in the following game with a challenger C is at most .
Init. A specifies the space of attributes and a set of corrupted authorities, and then submits the challenge signing predicate R * s = (M * s , ρ * s ) over signing attributes that will be used to forge the ciphertext. Note that the adversary cannot sign the plaintext under the signing predicate R * s with any secret signing keys queried from SecretKey queries and the keys directly generated from the corrupted authorities.
Setup, Proxy SecretKey query, Signcryption query and DeSigncryption query are the same as Definition 8.
SecretKey query O sk U, AA k , uid . A can adaptively query the secret key for a user U with a set of attributes U = U d ∪ U s to the authority AA k . U s does not satisfy R * s together with any keys that can be obtained from corrupted authorities. The challenger runs SecretKeyGen and returns the secret key to the adversary.
Forgery. A outputs the forgery ciphertext CT * for the selective signing predicate R * s and an arbitrary encryption predicate R * e . A wins the game if CT * is a valid ciphertext and A has never issued O SC (M, R * s , R * e ). The advantage of A is defined as Adv EUF−sSP−CMA
Note that in our scheme, the fog nodes can be corrupted. In this case, the proxy secret keys sent from the users might be obtained by the adversary. This kind of attack is captured by the proxy secret key query O psk U, AA k , uid , which gives the access control scheme proven secure in our security model a wider spectrum of applications.

Definition 10. Signcryptor Privacy.
It is required that the signature of the proposed scheme reveals nothing about the attributes of the data owner except that the attributes satisfy the signing predicate. We define signcryptor privacy as a game between a challenger C and an adversary A.
Assume the public parameters PP and public and secret key pairs {PK k , SK k } I A of attribute authorities are given to A. A submits two signing attribute sets U s 0 , U s 1 satisfying R s U s 0 = R s U s 1 = 1 to the challenger. The challenger then chooses a bit R ← {0, 1} and signcrypts the plaintext M with the signing and encryption predicates R s , R e , and secret signing key SK s, uid,k for U s . C sends the ciphertext CT to A. A then outputs a guess bit on . A wins the game if = . We say OMDAC-ABSC scheme satisfies signcryptor privacy if for any adversary A,

Definition 11. Collusion Resistance.
OMDAC-ABSC scheme is secure against collusion attack of two or more communication entities (e.g., data users, fog nodes, and cloud server) if there does not exist a set of polynomial time adversaries that can sign the plaintext (collusion resistance of signing) or decrypt the ciphertext (collusion resistance of decryption) by cooperating with each other when none of the adversaries is authorized to sign or decrypt the data.

Definition 12. Suppose the attribute x is revoked.
Forward Security. If x is the signing attribute, then OMDAC-ABSC scheme supports forward revocation security if the newly joined user can successfully sign the plaintext with the x-corresponding signing attribute set. Otherwise, forward revocation security is guaranteed if each newly joined user can decrypt the x-corresponding ciphertext whenever the decryption attributes of the user satisfy the encryption predicate contained in the ciphertext.
Backward Security. If x is the signing attribute, then OMDAC-ABSC scheme supports backward revocation security if the updated ciphertext cannot be reversed back to the non-revoked state while the verification algorithm still holds. Otherwise, backward revocation security is guaranteed if the attribute-revoked user cannot decrypt the x-corresponding ciphertext as a non-revoked user.

Construction of OMDAC-ABSC Scheme
In this section, we propose the construction of OMDAC-ABSC scheme in detail. The notations of the scheme are listed in Appendix A.

System Setup 1
GlobalSetup1$(1^k)$. Taking as input a security parameter $1^k$, the algorithm outputs the public parameters $PP$ as follows.
(1) Generate a bilinear group $GG(1^k) \to (e, p, G, G_T)$, where the prime $p$ is the order of group $G$. Let $g$, $\theta$ be the random generators of $G$. Randomly select γ 1 ,
(2) CA generates a pair of keys $\{sk_{CA}, vk_{CA}\}$ for signing and verification in identity authentication.
CA selects a unique identity number uid and sends PPK uid = g s uid , g d uid , V s uid i i∈[ m ] as the partial public key to user. s uid and d uid are kept secret in the system.
AuthorityReg(PP). CA verifies the identity information of the authority then runs this algorithm to register the authority. CA selects a unique identity number aid ∈ [1, N A ], then selects α aid and publishes the partial public key PPK aid = ∆ aid = e(g, g) α aid to AA aid .
UserSetup(PP, PPK uid ). Given the global identity uid, the user runs UserSetup(PP, PPK uid ) to initialize itself and compute the public key PK uid and secret key SK uid as follows.
3. CA sets cert(uid) = Sign sk CA (uid, PK uid ) as the public key certificate.
AuthoritySetup$(PP, PPK_{aid})$. Each authority $AA_{aid}$ runs this algorithm to initialize itself and compute the public key $PK_{aid}$, $PK^{1}_{uid,aid}$ and secret key $SK_{aid}$ as follows:
Taking as input the public parameters $PP$ and authorities' public keys $\{PK_{aid}, PK^{1}_{uid,aid}\}_{U_{uid} \in S_U, AA_{aid} \in S_A}$, CA generates the public key $PK_{uid,aid}$ for each pair of user $U_{uid}$ and authority $AA_{aid}$ as follows: for $U_{uid} \in S_U$, $AA_{aid} \in S_A$, $PK_{uid,aid} = \{PK^{1}_{uid,aid}, PK^{2}_{uid,aid}, PK^{3}_{uid,aid}\}$, where
$$PK^{2}_{uid,aid} = \left(PK^{1}_{uid,aid}\right)^{\alpha_{aid}} Z_{aid}^{d_{uid}} = g^{\alpha_{aid}/(\gamma_{aid} z_{uid})}\, \theta^{d_{uid}/\gamma_{aid}}$$
and
$$PK^{3}_{uid,aid} = X_{aid}^{\alpha_{aid}} Y_{aid}^{s_{uid}} = g^{\alpha_{aid}/\beta_{aid}}\, \theta^{s_{uid}/\beta_{aid}}.$$

Secret Key Generation
AA aid runs the secret key generation algorithm SecretKeyGen to generate the secret signing and decryption keys for the user U uid .
SecretKeyGen(PP, PK aid , SK aid , PK uid , U). AA aid first verifies the user's cert(uid) with verification key vk CA . If the user is a legal user, AA aid computes the user's secret signing and decryption keys SK uid,aid = {SK s uid,aid , SK d uid,aid } as:

Proxy Secret Key Generation
Each user $U_{uid}$ runs PxSecretKeyGen$(SK_{uid}, SK_{uid,aid})$ to generate the proxy secret key $PSK_{uid,aid} = \{PSK^{s}_{uid,aid}, PSK^{d}_{uid,aid}\}$ as:
The transformed secret keys $PSK_{uid,aid}$ are sent to the fog node.

Data Signcryption
The data owner first encrypts the data component with a content secret key k by using symmetric encryption algorithm En k , then it runs Signcryption to signcrypt the secret key. Signcryption contains two phases: fog signcrypt Fog_Signcryption and user signcrypt User_Signcryption.
is the signing predicate (resp. encryption predicate) over all the attributes selected from the set of attribute authorities I s A (resp. I e A ), where M s (resp. M e ) is a s × n s , s ≤ m (resp. e × n e ) matrix with row labeling function ρ s : [ s ] → Z p (resp. ρ e : [ e ] → Z p ). Note that we remove the limitation that ρ s (resp. ρ e ) should be an injective function (i.e., an attribute can be associated with more than one row of M s (resp. M e )). Let M i s (resp. M i e ) be the ith row of the matrix M s (resp. M e ). Assume the signing attribute set is U s and R s U s = 1. The algorithm contains two phases as follows:
(1) Fog_Signcryption$(PP, \{PSK^{s}_{uid,k}\}_{k \in I^{s}_{A}}, PK_{uid}, R_s, R_e)$. This algorithm is performed in the fog node FD as follows:
• The algorithm randomly chooses s uid R ← Z * p and re-randomizes the proxy secret key PSK s uid,aid as
• The fog node randomly picks w R ← Z * p .
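The predicates above are pairs (M, ρ) of a matrix and a row-labeling function. The following added example (not code from the paper) shows how such a predicate is evaluated on an attribute set when ρ is not injective, and how the index set of involved authorities is derived from ρ. It assumes the standard linear secret sharing reconstruction with target vector (1, 0, ..., 0); the toy prime, the predicate "(Doctor AND Female) OR (Researcher AND Female)" and the authority names are constructed for illustration.

```python
import secrets

P = 2**61 - 1  # toy prime standing in for the group order p (assumption)

# Constructed predicate (Doctor AND Female) OR (Researcher AND Female).
# Row i of M is labelled RHO[i]; "Female" labels two rows, so rho is not injective.
M = [[1, 1, 0],    # Doctor
     [0, -1, 0],   # Female (first AND branch)
     [1, 0, 1],    # Researcher
     [0, 0, -1]]   # Female (second AND branch)
RHO = ["Doctor", "Female", "Researcher", "Female"]

# Hypothetical attribute -> authority map, used to derive the index set I_A from rho.
AUTHORITY_OF = {"Doctor": "AA_hospital", "Researcher": "AA_research",
                "Female": "AA_registry"}


def involved_authorities(rho):
    """I_A: the authorities whose attributes label at least one row."""
    return sorted({AUTHORITY_OF[a] for a in rho})


def share(matrix, secret, p=P):
    """lambda_i = M_i . (secret, y_2, ..., y_n) mod p, with random y_j."""
    n = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def solve_mod_p(A, b, p):
    """Return one x with A x = b (mod p), or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    aug = [[v % p for v in A[i]] + [b[i] % p] for i in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [(v * inv) % p for v in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    # A zero coefficient row with a non-zero right-hand side means no solution.
    if any(not any(row[:-1]) and row[-1] for row in aug):
        return None
    x = [0] * cols            # free variables are set to 0
    for row_idx, c in enumerate(pivots):
        x[c] = aug[row_idx][-1]
    return x


def reconstruction_constants(matrix, rho, attrs, p=P):
    """Constants {i: c_i} with sum_i c_i * M_i = (1, 0, ..., 0) over the rows
    whose label is in attrs, or None when attrs does not satisfy the predicate."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    n = len(matrix[0])
    A = [[matrix[i][j] for i in idx] for j in range(n)]  # columns = selected rows
    c = solve_mod_p(A, [1] + [0] * (n - 1), p)
    return None if c is None else dict(zip(idx, c))


def reconstruct(shares, consts, p=P):
    """Recover the shared secret as sum_i c_i * lambda_i mod p."""
    return sum(c * shares[i] for i, c in consts.items()) % p


if __name__ == "__main__":
    lam = share(M, 42)
    for attrs in ({"Doctor", "Female"}, {"Doctor", "Researcher"}, {"Female"}):
        consts = reconstruction_constants(M, RHO, attrs)
        print(sorted(attrs), "->", None if consts is None else reconstruct(lam, consts))
    print("I_A =", involved_authorities(RHO))
```

An attribute set that returns `None` here corresponds to R(U) ≠ 1: no linear combination of the rows it owns reaches the target vector, so the shares reveal nothing usable about the secret.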

Data Designcryption
If the owner's attributes satisfy the signing predicate implicitly contained in the ciphertext, then any party can successfully verify the ciphertext (public verifiability). If the receiver's decryption attributes satisfy the encryption predicates embedded in the ciphertext, then the decryption phase can be launched to access the plaintext.
DeSigncryption$(PP, CT, PK_{uid}, \{PSK^{d}_{uid,k}\}_{k \in I^{e}_{A}}, SK_{uid})$. Assume that thre tt is a predefined time threshold for designcryption and tt is the current time. If tt − tt > thre tt or R e U d ≠ 1, the algorithm returns ⊥. Otherwise, the algorithm performs as follows. Note that I s A (resp. I e A ) can be obtained from the implicitly contained predicate R s (resp. R e ).
Verify(PP, CT). This verification algorithm can be performed by FD or another trusted third party since it only takes the ciphertext and public parameter PP as the input.
The algorithm samples {τ 2 , τ 3 , . . . , τ n s } R ← Z * p and computes i = (1, Then the algorithm checks the validity of the ciphertext using the following equation: If it is invalid, return ⊥, otherwise, proceed with the Decryption$(PP, CT, PK_{uid}, \{PSK_{uid,k}\}_{k \in I^{e}_{A}}, SK_{uid})$ algorithm as follows:
If the user's attributes satisfy the encryption predicate, the cloud server sends the ciphertext to the FD. FD chooses a set of constants Then it computes: , where I A k is defined as I A k = i : ρ e (i) ∈ AA k . FD sends CT p = {C 0 , CT x } to the user.
• FullDecryption(PP, CT p , SK uid ). This algorithm is performed on the user side. After receiving CT p , the data user recovers the message M as:

Correctness
Assume the identity of signcryptor (data owner) is do. If tt − tt ≤ thre tt and R e U d = 1, then the ciphertext can be verified and decrypted as explained subsequently.
This demonstrates the correctness of the Verify algorithm. Assume the identity of designcryptor (data user) is uid.
This exhibits the correctness of Decryption algorithm.

Attribute Revocation
Suppose the attribute x of user U is revoked from AA k .
UpSecretKeyGen(PK uid , SK k , SK uid,k ). AA k randomly chooses a new attribute version key ϕ x R ← Z p and computes the updated attribute public key A x = g ϕ x . AA j sets dUK uid,x = g d uid (ϕ x −ϕ x ) , sUK uid,x = g s uid (ϕ x −ϕ x ) for the non-revoked users to update their secret decryption and signing keys.
If there exists i such that ρ e (i) = x, namely the attribute x of AA k is selected as the encryption attribute, then AA k queries D i where ρ e (i) = x. Then it computes cUK = cUK i = D i , and sets sgUK = ⊥.
Otherwise, if x is selected as the signing attribute, AA k sets cUK = ⊥ and sgUK = ∏ L i=1 S 1,i ϕ x −ϕ x , where L is the set consisting of all the rows that ρ s (i) = x.
AA k sends ciphertext update keys cUK, sUK to the cloud server to update the corresponding ciphertext.
UpSecretKey(SK uid,k , sUK uid,x , dUK uid,x ). Upon receiving the update keys sUK uid,x and dUK uid,x , the non-revoked user U uid = U then updates his/her secret signing key or decryption key as follows:
UpCiphertext(CT, cUK, sUK). Upon receiving cUK, sUK, the cloud server updates the ciphertext to contain the latest attribute version key as follows: and sgUK = ⊥, the server randomly chooses Otherwise, the cloud server updates the signature component S 2 as:
Correctness of Attribute Revocation.
By running UpSecretKey(SK uid,k , sUK uid,x , dUK uid,x ), the secret signing and decryption keys of non-revoked user U uid are associated with the new attribute version key ϕ x , which is the same as the updated ciphertext components For verification, since the updated signature component

Security Analysis
In this section, we state the security of our OMDAC-ABSC scheme in the following theorems. In Theorems 1 and 2, we prove the message confidentiality and ciphertext unforgeability of our scheme respectively. In Theorem 3 we demonstrate the signcryptor privacy. Then in Theorems 4 and 5, we analyze the collusion resistance and revocation security.
Throughout this section, assume T e is the cost time for one exponentiation in group G or G T , and T p is the cost time for one pairing operation. e,m , n e,m , s,m , n s,m are the maximum values of { e , n e , s , n s }. Suppose that the Hash functions H 1 , H 2 , H 3 are collision resistant.

Message Confidentiality
Based on the security model defined in Definition 8 and Theorem 1, we can prove that our proposed scheme guarantees the message confidentiality under the hardness of the q-PBDHE assumption.

Theorem 1.
If an adversary A can break T, q sk , q psk , q SC , q DS , -IND-sEP-CCA2 security of our scheme, then there is an algorithm B that can solve the q-PBDHE assumption with an advantage = 1 2 − q DS p in a time T = T +O e,m n e,m u m + n e,m + U e,m n 2 e,m q sk + U + s,m q psk + U + l + s,m + e,m q SC + q DS T e + O(q DS )T p .
Proof. Assume A can T, q sk , q psk , q SC , q DS , break our scheme, we will construct the algorithm B as follows: B is given the q-PBDHE challenge instance → Y. The challenger C runs GG 1 k → (e, p, G, G T ) to generate the bilinear group and chooses ∈ {0, 1}. If = 0, C sends → Y, Ω = e(g, g) a q+1 w to B; otherwise it sends
Init. The same as defined in Definition 8. Assume R * e = (M * e , ρ * e ) is the challenge encryption access structure over all the attributes selected from the set of authorities I * e A . Assume M * e is a * e × n * e matrix and n * e ≤ q.
Setup. The adversary chooses a set S A ⊂ S A consisting of the corrupted authorities, and sends S A to the simulator B. For each uncorrupted authority AA k ∈ S A − S A , B randomly chooses α k R ← Z p and implicitly sets α k = α k + a q+1 . B publishes ∆ k = e(g, g) α k = e g a , g a q e(g, g) α k .

For the authority
This assignment describes that A x = g ϕ x for each signing attribute as the signing attributes are different from encryption attributes. B sends PK k = X k , Y k , Z k , {A x } x∈ AA k to A. For the authority AA k ∈ S A , B generates the public keys and secret keys of AA k as in the real scheme and sends both the public keys and secret keys to A.

Phase 1.
SecretKey query O sk U, AA k , uid . A adaptively queries the secret keys for the attribute set U = U d ∪ U s with identity uid to the authority AA k . U d does not satisfy R * e together with any keys that can be obtained from corrupted authorities.
B checks the list L sk that whether the entry uid, U, PK uid , SK uid , PK uid,k , SK uid,k exists. If it does, B sends SK uid and SK uid,k to the adversary and publishes the public key PK uid and PK uid,k .
(1) Otherwise, B randomly picks d uid , s uid , z uid from Z * p and chooses a vector g ( f i a q−i+1 )/z uid , g s uid = g s uid g −a q , and computes g 1/z uid , θ z uid , g z uid , {g s uid v i } i∈[ s,m ] as the public key PK uid . Then B computes
Proxy SecretKey query O psk U, AA k , uid . B checks the list L sk that whether the entry uid, U, PK uid , SK uid , PK uid,k , SK uid,k exists. If it does not exist, B issues O sk U, AA k , uid query to compute SK uid and SK uid,k , and then runs PxSecretKeyGen(SK uid , SK uid,k ) and returns PSK uid,k to A. Otherwise, B directly performs PxSecretKeyGen(SK uid , SK uid,k ) and returns PSK uid,k to A.
Signcryption query O SC (M, R s , R e ). A submits a message M ∈ G T , signing and encryption predicates R s = (M s , ρ s ), R e = (M e , ρ e ). B selects a signing attribute set U s such that R s U s = 1. Otherwise, if R * e U d = 1, assume π = H 1 (C 1 = g w 1 ), where w 1 is the secret value chosen to generate CT in signcryption phase. Then for k ∈ I e A , B computes e g α k ,
Challenge. A submits two messages M 0 , M 1 with the same length and signing predicate R * s = (M * s , ρ * s ) to B. Assume I * s A is the set which consists of the indexes of the authorities whose attributes are associated with rows of M * s and M * s is a * s × n * s matrix. B chooses ˆ ∈ {0, 1}. B selects a signing attribute set U s satisfying R * s U s = 1 and an arbitrary identity uid A .
Finally, B sends the challenge ciphertext CT * = C 0 , C 1 ,
Phase 2. Phase 1 is repeated. In this phase, A cannot issue DeSigncryption query with the challenge ciphertext CT * and attribute set U d such that R * e U d = 1.
Guess. A outputs his guess on ˆ . If = ˆ , B outputs 0 and guesses that Ω = e(g, g) a q+1 w ; otherwise, B outputs 1 to indicate that Ω is a random element in G T .
If A issues DeSigncryption query with the ciphertext satisfying C 1 = g w , then the simulation aborts. The probability is at most q DS p . If = 0, Ω = e(g, g) a q+1 w and B does not abort, then CT * is a valid ciphertext of M 0 . In this case, we have Pr =ˆ = 0 > 1 2 + − q DS p . If Ω is a random element in G T , then C 0 is a random element and A cannot obtain Mˆ , namely the advantage in this case is Pr =ˆ = 1 = 1 2 . Therefore, the advantage of B which can break the q-PBDHE assumption is at least 1 2 − q DS p . The runtime of B is at most T = T + O e,m n e,m u m + n e,m + U e,m n 2 e,m q sk + U + s,m q psk + U + l + s,m + e,m q SC + q DS T e + O(q DS )T p .

Ciphertext Unforgeability
Based on the security model defined in Definition 9 and Theorem 2, we can prove that our proposed scheme guarantees the ciphertext unforgeability under the hardness of the q-PBDHE assumption.

Theorem 2.
If an adversary A can break T, q sk , q psk , q SC , q DS , -EUF-sSP-CMA security of our scheme, then there is an algorithm B that can solve the q-PBDHE assumption with an advantage = 8(l+1)q SC in a time T = T + O s,m n s,m u m + n s,m + U s,m n 2 s,m q sk + U + s,m q psk + (l + e,m + s,m + e,m n e,m )q SC + e,m q DS T e + O( e,m q DS )T p .
Proof. Assume A can T, q sk , q psk , q SC , q DS , break our basic scheme, we will construct the algorithm B as follows: B is given the q-PBDHE challenge instance → Y. The challenger C runs GG 1 k → (e, p, G, G T ) to generate the bilinear group and chooses ∈ {0, 1}. If = 0, C sends → Y, Ω = e(g, g) a q+1 w to B; otherwise it sends
Init. The same as defined in Definition 9. Assume R * s = (M * s , ρ * s ) is the challenge signing access structure over all the attributes selected from the involved set of authorities I * s A . M * s is a * s × n * s matrix and n * s ≤ q.
Setup. The adversary chooses a set of S A ⊂ S A consisting of the corrupted authorities, and sends S A to the simulator B.
For each uncorrupted authority AA k ∈ S A − S A , B randomly chooses α k R ← Z p and implicitly sets α k = α k + a q+1 . B publishes ∆ k = e(g, g) α k = e g a , g a q e(g, g) α k .
This assignment describes that A x = g ϕ x for each encryption attribute as the signing attributes are different from encryption attributes. B sends For the authority AA k ∈ S A , B generates the public keys and secret keys of AA k as in the real scheme and sends both the public keys and secret keys to A.
SecretKey query O sk U, AA k , uid . A adaptively queries the secret keys for the attribute set U = U d ∪ U s with identity uid to the authority AA k . U s does not satisfy R * s together with any keys that can be obtained from corrupted authorities.
Proxy SecretKey query O psk U, AA k , uid . The same as Theorem 1.
Signcryption query O SC (M, R s , R e ). A submits a message M ∈ G T , signing and encryption predicates R s = (M s , ρ s ), R e = (M e , ρ e ). B selects a signing attribute set U s such that R s U s = 1. B performs as follows:
(1) It first computes a vector → a = (a 1 , a 2 , . . . , a s
(2) B randomly chooses s uid R ← Z * p and computes S 1,i = g a i s uid +b i i∈[ s ] .
Then B selects r 1 , r 2 , . . . , r
Forgery. A submits a valid ciphertext CT * for the challenge signing predicate R * s and an encryption predicate R e . If M ← DeSigncryption(PP, CT * , PK, SK) and A has never issued O SC (M, R * s , R e ). B performs as follows: (2) If CT * is a valid ciphertext, then H 3 (C 0 , C 1 , C 3 , R * s , R e ) = β and π = H 1 (C 1 ). Then and then break the q-PBDHE assumption by computing e g a q+1 , g w . Let E 1 be the event that L → c = 0 in some Signcryption query and E 2 be the event that m = 0 + ∑ l i=1 b i i in the forgery phase. Then we have

Signcryptor Privacy
Based on the security model defined in Definition 10, we prove that our scheme guarantees signcryptor privacy in Theorem 3.
If the challenger uses SK s,1 uid,k , and sets w 0 = w 1 , , S 1 1,i i∈[ s ] , S 1 2 , tt , then it can generate CT 0 with SK s,0 uid,k and CT 1 = CT 0 . Therefore, A can only output a random guess and the probability is at most 1/2.

High-Level Overview
In our scheme, the secret keys of each user are associated with the random elements d uid , s uid picked by CA, which are difficult for each user, fog node, authority and cloud server to compute or learn. Therefore, the colluders such as the user, fog node, and cloud server cannot selectively replace or convert the components of the secret keys under the discrete logarithm assumption. Additionally, since uid chosen by CA is globally unique in the system and d uid and s uid are kept secret, secret keys generated from different authorities for the same uid can be tied together for signcryption and designcryption, and the secret keys generated for different users cannot be combined.
Let S c denote the set of colluders, and U d is the combined decryption attribute set of S c .
Recall that the message M is blinded by ∏ k∈I e A ∆ k w = ∏ k∈I e A e(g, g) α k w . It is infeasible to directly reconstruct ∏ k∈I e A e(g, g) α k w due to the blindness of α k and the hardness of discrete logarithm assumption.
Thus the colluders have to compute ∏ k∈I e A e K d uid,k , C 1 and have to cancel the redundant element e(θ, g) wN e A d uid = ∏ k∈I e A e(g, g) whd uid , where θ = g h . Due to the BDH assumption, the only way to cancel e(θ, g) wN e A d uid is to compute in PartialDecryption algorithm, which means F d uid,ρ e (i) = A d uid ρ e (i) with the same d uid holds for all ρ e (i) ∈ U d . However, since the colluders are individually unauthorized for decryption, none of the colluders holds A d uid ρ e (i) for all ρ e (i) ∈ U d simultaneously. Moreover, since the secret key cannot be replaced, converted or combined, A d uid ρ e (i) U uid ∈S c ,ρ e (i)∈ U d are associated with different d uid . Hence the colluders cannot successfully decrypt the ciphertext even though U d satisfies the encryption predicate defined in the ciphertext. Specifically, according to Theorems 1 and 2, we can prove that our scheme guarantees the collusion resistance under q-PBDHE assumption in Theorem 4.

Theorem 4. The proposed data access control scheme is collusion resistant.
Proof. For the designcryptor, we state that the security game defined in Definition 9 implies the collusion resistance. Suppose that S c denotes the set of colluders who are unauthorized for decryption and U d = ∪ U d i i∈S c . If the colluders can decrypt CT * when R * e U d = 1, then the algorithm B which can solve the q-PBDHE assumption can be constructed as follows.
In the initialization phase, the challenger sets R * e as the selected challenge encryption predicate. In O sk , A queries for the secret decryption key corresponding to the colluder's individual attribute set U d i . Since the colluders are individually unauthorized for decryption, we have R * e U d i = 0, which satisfies the constraint of O sk defined in Definition 8. Then in challenge phase, the challenger encrypts Mˆ under R * e . If the colluders can decrypt the ciphertext, then A can guess the bitˆ , and thus B can solve the q-PBDHE assumption with non-negligible probability.
Similarly, for the signcryptor, Theorem 2 guarantees that no colluders such as users, fog nodes or cloud server can generate the signature by combining their information if they are individually unauthorized to sign the plaintext. Otherwise, the colluders can build an adversary and output a forgery to win the game in Definition 9 and break the q-PBDHE assumption.
Therefore, the colluding users, fog nodes, and cloud server cannot sign or decrypt the data, and our OMDAC-ABSC scheme guarantees collusion resistance.

Revocation Security
Assume the attribute x of U is revoked from AA k . AA k issues the update secret keys dUK x = g d uid (ϕ x −ϕ x ) , sUK x = g s uid (ϕ x −ϕ x ) and sends the keys to the non-revoked users. dUK x and sUK x are associated with the secret value d uid , s uid chosen by CA and attribute version key ϕ x , ϕ x chosen by AA k . Therefore, due to the blindness of d uid , s uid , ϕ x , and ϕ x , the revoked user U cannot update his/her secret signing or decryption key, even though he/she can corrupt some attribute authorities (not the authority AA k corresponding to x) or collude with the non-revoked user.
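The binding of update keys to a single user, as argued above and in the Attribute Revocation section, can be checked numerically. This is an added sketch, not the paper's implementation: it uses a toy prime-order subgroup of Z_p^* instead of a pairing group, takes the key component form F = A_x^{d_uid} from the collusion discussion, and assumes the update rule F' = F · dUK, which the extracted text does not show. The names Alice and Bob are constructed.

```python
import secrets

# Toy Schnorr group (assumption): P = 2*Q + 1 with Q prime, G generates the order-Q subgroup.
# Far too small for real use; the scheme itself works in a pairing group.
P, Q, G = 2039, 1019, 4


def rand_exp(exclude=()):
    """Random exponent in [1, Q-1] that is not in `exclude`."""
    while True:
        v = 1 + secrets.randbelow(Q - 1)
        if v not in exclude:
            return v


def attr_public_key(phi):
    """A_x = g^{phi_x}, the attribute public key for version key phi_x."""
    return pow(G, phi, P)


def key_component(A_x, d_uid):
    """F_{uid,x} = A_x^{d_uid}, the x-related part of a user's decryption key."""
    return pow(A_x, d_uid, P)


def update_key(g_d_uid, phi_old, phi_new):
    """dUK_{uid,x} = g^{d_uid (phi_new - phi_old)}, computed by the authority
    from the public value g^{d_uid}; the authority never learns d_uid."""
    return pow(g_d_uid, (phi_new - phi_old) % Q, P)


def apply_update(F, dUK):
    """Assumed update rule: F' = F * dUK."""
    return (F * dUK) % P


def revocation_demo():
    d_alice = rand_exp()                      # non-revoked user
    d_bob = rand_exp(exclude={d_alice})       # user whose attribute x is revoked
    phi_old = rand_exp()
    phi_new = rand_exp(exclude={phi_old})     # fresh attribute version key
    A_old, A_new = attr_public_key(phi_old), attr_public_key(phi_new)

    F_alice = key_component(A_old, d_alice)
    F_bob = key_component(A_old, d_bob)

    # Only Alice receives an update key, and it is tied to her g^{d_uid}.
    dUK_alice = update_key(pow(G, d_alice, P), phi_old, phi_new)
    F_alice_new = apply_update(F_alice, dUK_alice)
    # Collusion: Alice hands her update key to Bob, who applies it to his stale key.
    F_bob_forged = apply_update(F_bob, dUK_alice)

    return {
        "alice_updated_key_valid": F_alice_new == key_component(A_new, d_alice),
        "bob_stale_key_valid": F_bob == key_component(A_new, d_bob),
        "bob_with_alice_update_valid": F_bob_forged == key_component(A_new, d_bob),
    }


if __name__ == "__main__":
    print(revocation_demo())
```

Bob's forged component has exponent d_bob·ϕ_old + d_alice·(ϕ_new − ϕ_old), which equals d_bob·ϕ_new only if d_alice = d_bob or the version key did not change, so the borrowed update key is useless to him.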
Theorem 5. Our OMDAC-ABSC scheme guarantees the forward and backward revocation security.

Proof.
Forward Security. If there exists i such that ρ s (i) = x, the newly joined user can sign the plaintext and generate the signature component S 2 associated with A x , which is the same as the updated attribute public key of AA k . Thus the Verify algorithm holds if the user's signing attributes satisfy the signing predicate. Otherwise, the newly joined user's secret decryption keys are all associated with A x , which is the same as that in the components C 2,i . Thus the newly joined user can decrypt the ciphertext if his/her attribute set satisfies the embedded encryption predicate.
Backward security. If there exists i such that ρ s (i) = x, and the revoked user reverses the signature component S 2 back to the non-revoked state which is associated with A x , then the Verify algorithm cannot hold since the attribute public key of AA k has been updated to A x .
Otherwise, assume CT old denotes the ciphertext which is updated from CT old in attribute revocation phase, we have −(r i +r i ) and D i = g r i +r i . It is hard for the revoked user to cancel cUK i and g r i since they are associated with the values ϕ x , ϕ x which are secretly chosen by AA k and r i randomly picked by cloud server. Therefore, the revoked user cannot reverse the CT old back to CT old . For the ciphertext CT new which is uploaded after the attribute revocation phase, we have −r i for i such that ρ e (i) = x. The revoked user cannot transform these components into the ones associated with A ρ e (i) due to the blindness of the attribute version keys ϕ x , ϕ x chosen by AA k and random element r i picked by fog node. Therefore, our OMDAC-ABSC scheme guarantees the forward and backward revocation security.

Security and Functionality
In this subsection, we detail the comprehensive security and functionality comparison among the proposed scheme and some MA-ABE schemes [21][22][23][24][25][26], CP-ABSC schemes [12][13][14][15] and ABE based schemes used for fog computing [16][17][18][19][20] in Tables 1-3. Therein, represents the capability to achieve the corresponding index, whereas denotes the opposite. MBF represents monotone Boolean function, and TG represents the threshold gate.
Tables 1-3 show that our scheme supports many useful properties, such as multi-authority, collusion resistance, computation outsourcing, anonymous authentication, expressiveness, public verifiability and attribute revocation. Our scheme also realizes the security in the standard model.

Asymptotic Complexity and Performance
This section numerically analyzes the asymptotic complexity and performance of the proposed OMDAC-ABSC scheme against some MACP-ABE schemes [21,22,[24][25][26], CP-ABSC schemes [12][13][14][15], and ABE based schemes [16][17][18][19][20] used for fog computing in terms of the size of secret key, ciphertext and update key, and computation overhead (exponentiations and pairing computations) of Signcryption, DeSigncryption and UpCiphertext algorithms. We focus on the computation overhead on the user side because of the limited computation resources. For simplicity, in asymptotic complexity analysis we ignore the cost time of Hash functions and operations in Z p . Table 4 summarizes the notations used in this section.

[Table 4. Notations and their meanings. Surviving entry: running time required for one exponentiation in $G$ and $G_T$.]

Asymptotic Complexity
Table 5 details the storage comparison on MACP-ABE schemes. It is clear that the size of the secret decryption key in our OMDAC-ABSC is larger than that in [24,25] due to the components $\{K^{d}_{uid,k}\}_{k\in I_A}$. Table 5 also illustrates that the size of the ciphertext in our scheme is larger than that in [21,22,26], and has the advantage over [25]. Since our scheme supports public verification of the signcryptor's attributes, the ciphertext contains the signature components $\{S_{1,i}\}_{i\in[l_s]}, S_2$, which add $(1 + l_s)|G|$ of storage overhead. Although the scheme in [24] can also verify the data owner's attributes, it requires $2 + 2l_s$ signature group elements and is not publicly verifiable since it needs the plaintext message in the verification algorithm. Additionally, both our scheme and [25] require the data owner to compute the ciphertext components $\{C_{2,i}, D_i\}_{i\in[l_e]}$ when performing the User_Signcryption algorithm. This cost is $2l_e|\mathbb{Z}_p|$. For attribute revocation, it is apparent that our scheme and [22] incur relatively the same storage overhead. Compared with [26], our scheme requires the attribute authority supervising the revoked attribute x to compute the ciphertext update key cUK = D i
when x is selected as an encryption attribute, and thus incurs at most $l_e$ group elements, whereas the scheme [26] only sends ϕ x − ϕ x to the cloud. However, as shown in [22], DAC-MACS [26] cannot guarantee backward revocation security.

Table 6 shows the computation overhead comparison of the Signcryption and Decryption algorithms on the user side and the UpCiphertext algorithm on the cloud. From the table, we can see that the encryption and decryption costs of our scheme are both independent of the number of attributes. In the data signcryption phase, our scheme asks fog nodes to compute and generate the part of the ciphertext which is associated with the signing and encryption predicates. Thus the signcryption cost of the data owner can be reduced to $T_e^{G_T} + 3T_e^{G}$ in encryption and $(l_s + l + 2)T_e^{G}$ in signing. In the decryption phase, our scheme only incurs the cost of one exponentiation in $G_T$. Hence the performance of ours is better than most schemes except for [25]. To guarantee the CCA security in the standard model (see Theorem 1), our scheme requires the data owner to compute the components $C_1$ and $C_3$, which costs an additional $3T_e^{G}$ compared with [25]. However, our scheme performs better than [25] with respect to attribute revocation. Moreover, the DAC-MACS scheme in [26] only incurs the cost of $l_e$ exponentiations in $G$ in the ciphertext update phase, while our scheme incurs twice this cost. The reason is that we re-randomize $C_{2,i}$ and $D_i$ in the UpCiphertext algorithm to realize the backward revocation security.
If we set $N_A = 1$, then the proposed scheme is a traditional CP-ABSC scheme. In Table 7, we compare the asymptotic complexity of OMDAC-ABSC with CP-ABSC schemes [12-15]. As seen from Table 7, the size of the secret key is linear in the size of the attribute universe, which is not different between our scheme and others. On the ciphertext, our scheme incurs slightly more storage overhead than other schemes, namely $l_e|G| + 2l_e|\mathbb{Z}_p|$. The reason is that we add to realize the attribute revocation and outsourced encryption, which are not considered in other schemes. Meanwhile, the ciphertext in our scheme consists of $l_s + 1$ group elements for verification, while that in [12] is $2l_s + 2$. Table 7 also indicates that our scheme incurs less computation overhead of DeSigncryption on the user side than do the other schemes since the most costly job of decryption is outsourced to fog nodes. Compared with [14], our construction requires $3 + l_s$ pairing operations in total in decryption (user side) and verification, whereas in [14], $(5 + l_s)$ pairings are needed. Moreover, since our scheme supports public verifiability, the verification algorithm can be performed by a trusted intermediate party. Thus the user can recover the plaintext within one exponentiation in $G_T$. In contrast, the schemes in [12,13,15] are not publicly verifiable, and thus incur a large amount of computation overhead in verification and decryption on the user side. In [12,13], the number of pairings is linear in the number of attributes. In [15], although the size of the ciphertext is only $6|G|$, eight pairings are required to recover the plaintext.

Table 8 details the storage and computation overhead comparison of our scheme and some ABE based data access control schemes for fog computing. Since the schemes in [16,18-20] do not support multi-authority, we set $N_A = 1$ in our scheme for comparison. It is illustrated that the size of the secret decryption key in OMDAC-ABSC is less than that in others.
Since our scheme enables any trusted third party to verify the data owner's attributes, the ciphertext contains the signature components $\{S_{1,i}\}_{i\in[l_s]}, S_2$, which add $(1 + l_s)|G|$ of storage overhead on the cloud side. For encryption, on the user side, our scheme incurs $3T_e^{G}$ to compute $C_1$ and $C_3$ and thus is less efficient than [17]. However, our scheme guarantees the CCA security, which is not considered in [17]. For decryption, on the user side, our scheme and [17] both incur less computation overhead than other schemes since the two schemes only require one exponentiation in $G_T$. Therefore, our scheme is efficient from a computation point of view.

We implement the whole architectures of MACP-ABE schemes [21,22,24-26], CP-ABSC schemes [12-15] and our scheme with Pairing-based Cryptography (PBC) library version 0.5.14 on an Ubuntu system 14.04 with a 2.6 GHz processor and 4G RAM. We employ 160-bit Type A elliptic curve group constructed on $y^2 = x^3 + x$ over a 512-bit finite field. The computation cost for one pairing operation is 2.9 ms, and that of exponentiation on $G$ and $G_T$ are 0.7 and 0.2 ms, respectively. Each value in Figures 3-8 is the mean of 10 simulation trials.
For simplicity, suppose each user holds the same number of attributes $N_{AA}$ from each authority. Then, in signcryption we set $l_e = l_s = N_{AA} \times N_A$, and thus the comparison of computation overhead of the Signcryption (without signing) and Decryption algorithms on the user side between our scheme and [21,22,24-26] can be conducted according to the parameters $N_A$ and $N_{AA}$. We also generate the signing and encryption predicates as AND-gates in the form of ($a_1$ and $a_2$ and . . . and $a_{l_s}$) and ($a_1$ and $a_2$ and . . . and $a_{l_e}$). In Figures 3 and 5, we set $N_A = 10$, while in Figures 4 and 6, we assume $N_{AA} = 10$.
During the comparison between our scheme and the ones in [21,22,24-26], we do not take into account the signing protocol since the schemes in [21,22,25,26] do not support attribute-based signature. Figures 3 and 4 show that the encryption algorithm in our scheme is more efficient than that in [21,22,24,26]. The reason is that the most costly job of encryption has been outsourced to the fog nodes. Although our scheme incurs more computation overhead than the one in [25], we realize CCA security in the standard model and attribute-level revocation. Figures 5 and 6 give the comparison of decryption time on the user side. It is illustrated that the performance of our scheme is relatively the same as that of [22,25,26], and is better than that of [21,24] because our scheme only incurs one exponentiation and one multiplication in $G_T$.
Assume that $N_A = 1$ and $l_e = l_s = N_{AA}$. Figures 7 and 8 describe the comparison of computation overhead of the Signcryption and DeSigncryption algorithms among the schemes [12-15] and ours. It is clear that our Signcryption algorithm incurs less computation overhead than other schemes because of the outsourced signcryption. Since our scheme and Y. Sreenivasa's scheme [14] are publicly verifiable, the Verify(PP, CT) algorithm can be outsourced to a trusted party, and then our scheme needs only one exponentiation and one multiplication in $G_T$ on the user side to recover the plaintext message.
Moreover, we simulate the schemes in [16-20] and our scheme on an Android phone (MEIZU m1 note platform with an ARM Cortex A53-based processor MT6752@1.7 GHz, Android 5.1, and 2 GB RAM) as the user's IoT device and a laptop (2.6 GHz processor, Ubuntu system 14.04, and 4G RAM) as the fog node. The underlying curve for pairings is also the Type A curve in JPBC 2.0.0 [18], where the running time for a pairing is 6 ms on the Ubuntu system and 175 ms on Android. For comparison, we set $N_A = 1$ in our scheme and do not consider the signing protocol since the schemes in [16,18-20] do not support multi-authority and the schemes in [16-20] do not support attribute-based signature. Figures 9 and 10 show the comparison of computation overhead of the encryption algorithm and Figures 11 and 12 show the comparison of the decryption algorithm. The results are the average of 10 runs. In Figure 9 we only compare the encryption time on the fog node between ours and the schemes in [16,17,19] since the schemes in [18,20] do not support encryption outsourcing.
It is illustrated in Figure 10 that the computation time of the encryption algorithm on the data owner in our scheme is basically the same as that in [17], and is smaller than that in [18,20] because of the encryption outsourcing. Compared with [16,19], the encryption algorithm in our scheme incurs slightly more computation overhead since our scheme requires the data owner to sample $\{C_{2,i}, D_i\}_{i\in[l_e]}$ and perform one hash function $\pi = H_1(C_1)$ (we do not take into account the hash functions $H_2$ and $H_3$ here since they are involved in the signing protocol). However, the encryption time is approximately 0.14-0.8 s, which is acceptable to the end users.

Figure 11 indicates that on the fog node side, the decryption algorithm of our scheme incurs more computation overhead than the schemes in [16,18-20]. However, Figure 12 shows that our scheme performs better than other schemes except for [17] in efficiency of decryption time on the user side.
This is because our scheme outsources the most computation-consuming job of decryption to the fog node and only incurs the cost of one exponentiation and one multiplication in $G_T$ on the user side. In Figure 11, the decryption time of our scheme on the fog node is approximately 0.1-1 s, which increases almost linearly with the number of attributes. However, it is shown in Figure 12 that the running time of the FullDecryption algorithm is nearly 0.03 s, which is acceptable for the end user. Since our scheme is publicly verifiable, the verification can be performed by any trusted third party and does not increase the computation burden of the user. Additionally, Huang et al. [16] and Zhang et al.
[19] only support threshold access policy, while our scheme supports any monotone Boolean function. Overall, our scheme performs well in encryption and decryption on the user side and supports additional useful properties such as multi authorities, anonymous authentication, and public verifiability.
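The operation counts and PBC timings quoted in this section can be combined into a rough per-role cost model. The Python below is an added example, not code from the paper: the function names are hypothetical, the value used for l is constructed, and the model assumes that all 3 + l_s pairings belong to the outsourceable Verify step.

```python
"""Cost model from the operation counts and PBC timings quoted in this section."""

# Per-operation timings in ms (PBC 0.5.14, Type A curve, 2.6 GHz host).
T_PAIR = 2.9    # one pairing
T_EXP_G = 0.7   # one exponentiation in G
T_EXP_GT = 0.2  # one exponentiation in G_T


def owner_signcryption_ms(l_s, l):
    """Data owner, with fog outsourcing: (T_e^GT + 3*T_e^G) + (l_s + l + 2)*T_e^G.

    l is the extra parameter in the signing count; its definition lies
    outside this section, so callers pass a constructed value.
    """
    encrypt = T_EXP_GT + 3 * T_EXP_G
    sign = (l_s + l + 2) * T_EXP_G
    return encrypt + sign


def user_designcryption_ms(l_s, verify_outsourced):
    """End user: one exponentiation in G_T, plus Verify if it runs locally.

    Assumption of this model: the 3 + l_s pairings all belong to Verify.
    Hash, Z_p and multiplication costs are ignored, as in the analysis.
    """
    verify = 0.0 if verify_outsourced else (3 + l_s) * T_PAIR
    return verify + T_EXP_GT


def pairing_ms(l_s, scheme):
    """Total pairing time for verification plus decryption: ours vs. [14]."""
    counts = {"ours": 3 + l_s, "ref14": 5 + l_s}
    if scheme not in counts:
        raise ValueError(f"unknown scheme: {scheme}")
    return counts[scheme] * T_PAIR


def ciphertext_update_ms(l_e, rerandomize=True):
    """Cloud-side UpCiphertext: l_e exponentiations in G, doubled when
    C_2,i and D_i are re-randomized for backward revocation security."""
    if l_e < 0:
        raise ValueError("l_e must be non-negative")
    return (2 if rerandomize else 1) * l_e * T_EXP_G


def cost_table(attribute_counts, l=16):
    """One row per policy size (l_s = l_e = n); l=16 is a constructed value."""
    rows = []
    for n in attribute_counts:
        saved = pairing_ms(n, "ref14") - pairing_ms(n, "ours")
        rows.append({
            "attrs": n,
            "owner": round(owner_signcryption_ms(n, l), 1),
            "user_local_verify": round(user_designcryption_ms(n, False), 1),
            "user_outsourced_verify": round(user_designcryption_ms(n, True), 1),
            "pairing_ms_saved_vs_ref14": round(saved, 1),
            "update": round(ciphertext_update_ms(n), 1),
        })
    return rows


if __name__ == "__main__":
    for row in cost_table([5, 10, 20, 40]):
        print(row)
```

The rows make the outsourcing argument concrete: the user's cost stays flat when Verify is delegated, while local verification and the cloud-side update grow linearly with the policy size.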

Conclusions
In this paper, we proposed OMDAC-ABSC scheme for data sharing in fog computing system. The proposed scheme realizes the security in the standard model and supports many practical properties, such as confidentiality, fine-grained access control, anonymous authentication, attribute revocation, and public verifiability. The heavy computation operations of the signcryption and designcryption algorithms are outsourced to the fog nodes making our scheme more efficient and more suitable for fog computing than the existing ABSC schemes. The security analysis, asymptotic complexity, and performance comparisons indicate that our construction hits a good balance between the security and overhead efficiency.
One problem with outsourced decryption is verifying whether the partial decryption performed by fog nodes is correct. In ABE schemes, verifiable outsourcing has been adopted to overcome this problem, as in [17,30-32]. A similar technique can be used in our ABSC construction to address verifiable outsourcing, which will be our future work. Moreover, realizing a fully secure MACP-ABSC based access control scheme instead of a selectively secure scheme will be another challenge.

Author Contributions: Q.X. and C.T. conceived the scheme. Q.X. designed the scheme, analyzed the data and wrote the paper. W.Z. and F.C. performed the experiments. Z.F. and Y.X. modified the manuscript.

Conflicts of Interest: The authors declare no conflict of interest. The funding sponsors had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, and in the decision to publish the results.

[Notation table fragments:]
Secret key of the authority $AA_{aid}$.
$PK_{uid,aid} = (PK^{1}_{uid,aid}, PK^{2}_{uid,aid}, PK^{3}_{uid,aid})$: Public key for each pair of user $U_{uid}$ and authority $AA_{aid}$.
Partial ciphertext computed by fog node in designcryption.